Skip to main content

Azure Firewall Policy Analytics

· 4 min read
Hasan Gural

Hello Folks, At some point, your organization will retrospectively analyze existing firewall rules due to security and compliance posture. Imagine that you’re using Azure Firewall in your organization to generate analytics reports for existing firewall rules requiring a bespoke solution. There are many ways that you can achieve these types of reports. I used to develop a tailored solution using PowerShell and KQL queries to fit that requirement, but it might be very complex if you would like to apply this solution to large-scale environments. Thankfully, Microsoft has announced a new Azure Firewall feature that allows us to generate that report quickly and natively. We now call that feature Azure Firewall Policy Analytics.

📄Introducing Policy Analytics (preview)

Policy Analytics can provide insight, centralized visibility, and control of Azure Firewall. You might be managing the Firewall Rules via infrastructure as code within Unit Tests, but NetOps teams today are challenged to keep Firewall rules up to date, manage existing rules, and remove unused rules. I believe that the critical thing in enabling that feature is monitoring unused, expired, or duplicated rules in Azure Firewall Policies.

⚡Is this paid service ?

Enabling Policy Analytics on a Firewall Policy associated with more than one firewall is offered at no additional cost, but the cost will be 'Pushing the Diagnostic Logs to Log Analytics Workspace'. Cost calculation can differ based on your organization's retention on Log Analytics Workspace.

🧑‍💻Before you start to use Policy Analytics

Before you start anything for enabling that feature, you must be on the tiers below for Azure Firewalls.

  • An Azure Firewall Standard or Premium
  • An Azure Firewall Standard or Premium policy attached to the Firewall
  • The structured firewall logs feature must be enabled on Firewall Standard or Premium

Azure Firewall should be configured to push Diagnostics Logs to Log Analytics Workspace(LAW). Ensure that the Firewall attached to the policy is logging to Resource Specific tables, and that the following three tables are also selected:

New resource specific tables are now available in Diagnostic setting that allows you to utilize the following newly added categories.

  • Network rule log - Contains all Network Rule log data. Each match between data plane and network rule creates a log entry with the data plane packet and the matched rule's attributes.
  • NAT rule log - Contains all DNAT (Destination Network Address Translation) log data of events. Each match between data plane and DNAT rule creates a log entry with the data plane packet and the matched rule's attributes.
  • Application rule log - Contains all Application rule log data. Each match between data plane and Application rule creates a log entry with the data plane packet and the matched rule's attributes.
  • Threat Intelligence log - Contains all Threat Intelligence events.
  • IDPS log - Contains all data plane packets that were matched with one or more IDPS signatures.
  • DNS proxy log - Contains all DNS Proxy events log data.
  • Internal FQDN resolve failure log - Contains all internal Firewall FQDN resolution requests that resulted in failure.
  • Application rule aggregation log - Contains aggregated Application rule log data for Policy Analytics.
  • Network rule aggregation log - Contains aggregated Network rule log data for Policy Analytics.
  • NAT rule aggregation log - Contains aggregated NAT rule log data for Policy Analytics.
tip

I strongly suggest you to carry on using Resource Spesific Logs going forward. You will be accessing spesific logs table and your query response will be quick.

🔨 How to enable Policy Analyicts capability for Azure Firewall

You need to make sure follow features that have been enabled. Order to enable first and second features, you can execute following Azure PowerShell commands to enable Azure Firewall logs:

  • Network Rule Name Logging
  • Structured Firewall Logs
  • Diagnostic Settings for Azure Firewall

# Please Connect your Azure Subscription
Connect-AzAccount

# Select subscription which you want to enable the Policy Analytics Feature
Select-AzSubscription -Subscription "subscription_id or subscription_name"

# Run below CMDLets order to enable the feature - can take up to 10 minutes to register providers

Register-AzProviderFeature -FeatureName AFWEnableStructuredLogs -ProviderNamespace Microsoft.Network
Register-AzProviderFeature -FeatureName AFWEnableNetworkRuleNameLogging -ProviderNamespace Microsoft.Network

Register-AzResourceProvider -ProviderNamespace Microsoft.Network