})
[Azure Firewall](https://learn.microsoft.com/en-us/azure/firewall/overview) is a cloud-native and intelligent network firewall security service that provides threat protection for your cloud workloads running in Azure. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. This integration helps in monitoring firewall health, network rules, application rules, threat intelligence, and IDPS (Intrusion Detection and Prevention System) events.
## Log and metric types
For Azure Firewall, you can collect the following logs and metrics:
* **Azure Firewall Application Rule**. Contains all application rule log data. Each match between the data plane and the application rule creates a log entry with the data plane packet and the matched rule's attributes.
* **Azure Firewall Network Rule Aggregation (Policy Analytics)**. Contains aggregated application rule log data for Policy Analytics.
* **Azure Firewall DNS Flow Trace Log**. Contains all the DNS proxy data between the client, firewall, and DNS server.
* **Azure Firewall DNS query**. Contains all DNS proxy events log data.
* **Azure Firewall Fat Flow Log**. This query returns the top flows across Azure Firewall instances. Log contains flow information, date transmission rate (in megabits per second units), and the time period when the flows were recorded. Follow the documentation to enable Top Flow logging and details on how it is recorded.
* **Azure Firewall Flow Trace Log**. Flow logs across Azure Firewall instances. Log contains flow information, flags, and the time period when the flows were recorded. Please follow the documentation to enable flow trace logging and details on how it is recorded.
* **Azure Firewall FQDN Resolution Failure**. Contains all internal Firewall FQDN resolution requests that resulted in failure.
* **Azure Firewall IDPS Signature**. Contains all data plane packets that were matched with one or more IDPS signatures.
* **Azure Firewall Nat Rule**. Contains all DNAT (Destination Network Address Translation) events log data. Each match between the data plane and the DNAT rule creates a log entry with the data plane packet and the matched rule's attributes.
* **Azure Firewall Nat Rule Aggregation (Policy Analytics)**. Azure Firewall Nat Rule Aggregation (Policy Analytics).
* **Azure Firewall Network Rule**. Contains all Network Rule log data. Each match between the data plane and network rule creates a log entry with the data plane packet and the matched rule's attributes.
* **Azure Firewall Application Rule Aggregation (Policy Analytics)**. Contains aggregated network rule log data for Policy Analytics.
* **Azure Firewall Threat Intelligence**. Contains all Threat Intelligence events.
* **Azure Firewall Metrics**. These metrics are available in [Microsoft.Network/azureFirewalls](https://learn.microsoft.com/en-us/azure/azure-monitor/reference/supported-metrics/microsoft-network-azurefirewalls-metrics) namespace.
For more information on supported metrics and logs schema, refer to [Azure documentation](https://learn.microsoft.com/en-us/azure/firewall/monitor-firewall-reference).
## Setup
Azure service sends monitoring data to Azure Monitor, which can then [stream data to Event Hub](https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/stream-monitoring-data-event-hubs). Sumo Logic supports:
* Logs collection from [Azure Monitor](https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-get-started) using our [Azure Event Hubs source](/docs/send-data/collect-from-other-data-sources/azure-monitoring/ms-azure-event-hubs-source/).
* Metrics collection using our [Azure Metrics Source](/docs/send-data/hosted-collectors/microsoft-source/azure-metrics-source).
You must explicitly enable diagnostic settings for each Azure Firewall you want to monitor. You can forward logs to the same event hub, provided they satisfy the limitations and permissions as described [here](https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=portal#destination-limitations).
When you configure the event hubs source or HTTP source, plan your source category to ease the querying process. A hierarchical approach allows you to make use of wildcards. For example: `Azure/Firewall/Logs` and `Azure/Firewall/Metrics`.
### Configure collector
Create a hosted collector if not already configured and tag the `tenant_name` field. You can get the tenant name using the instructions [here](https://learn.microsoft.com/en-us/azure/active-directory-b2c/tenant-management-read-tenant-name#get-your-tenant-name). Make sure you create the required sources in this collector. })
### Configure metrics collection
import MetricsSource from '../../reuse/metrics-source.md';
})
4. Tag the location field in the source with the right location value. })
#### Activity logs (optional)
import ActivityLogs from '../../reuse/apps/azure-activity-logs.md';
})
### Administrative Operations
The **Azure Firewall - Administrative Operations** dashboard provides visibility into Azure Resource Manager operations performed on the firewall resource.
Use this dashboard to:
- Monitor the distribution of operation types (Read, Write, Delete) and their success rates to ensure proper functioning of your firewall.
- Identify potential issues by analysing the top 10 operations causing errors and correlating them with specific users or applications.
- Track recent write and delete operations to maintain an audit trail of configuration changes made to your firewall resource.
})
### Application Rules
The **Azure Firewall - Application Rules** dashboard provides visibility into application layer (L7) traffic filtering and web content control.
Use this dashboard to:
- Monitor application rule actions (Allow/Deny) and protocol distribution to understand traffic patterns.
- Identify denied requests by location and analyse reasons for troubleshooting connectivity issues.
- Track top source IPs, TLS inspection status, and web categories for comprehensive FQDN-based traffic analysis.
})
### Network Rules
The **Azure Firewall - Network Rules** dashboard provides detailed insights into network layer (L4) traffic filtering.
Use this dashboard to:
- Monitor network rule actions distribution and protocol distribution to understand traffic patterns.
- Identify top denied source/destination IPs and analyze deny reasons to troubleshoot connectivity issues.
- Track critical port access attempts and top rules triggered for security monitoring and rule optimization.
})
### NAT Rules
The **Azure Firewall - NAT Rules** dashboard provides insights into Destination NAT (DNAT) translations for inbound traffic routing.
Use this dashboard to:
- Monitor NAT translations by protocol and track NAT activity over time to understand inbound connectivity patterns.
- Identify top source IPs using NAT and analyze NAT rule details for traffic routing optimisation.
- Track critical port access attempts and visualize source/destination locations for security monitoring.
})
### Threat Intelligence
The **Azure Firewall - Threat Intelligence** dashboard provides visibility into malicious traffic detected by Microsoft's threat intelligence feed.
Use this dashboard to:
- Monitor threat actions distribution and protocol-based threats to assess security posture.
- Identify top threat source/destination IPs and threat FQDNs to investigate security incidents.
- Analyze TLS inspection status and threat descriptions for detailed security analysis and incident response.
})
### IDPS
The **Azure Firewall - IDPS** (Intrusion Detection and Prevention System) dashboard provides comprehensive monitoring of signature-based threat detection.
Use this dashboard to:
- Monitor IDPS events distribution by severity and actions (Alert/Deny) to assess security posture.
- Identify top attack sources, destinations, and signature IDs to investigate security incidents.
- Analyze high-severity alerts (Severity 1-2) and top IDPS categories for critical security monitoring and incident response.
})
### DNS Analysis
The **Azure Firewall - DNS Analysis** dashboard provides insights into DNS proxy activity and resolution patterns.
Use this dashboard to:
- Monitor DNS response codes and protocol distribution (TCP/UDP) to ensure proper DNS resolution.
- Identify top queried domains and failed DNS queries to troubleshoot connectivity issues.
- Analyze DNS queries over time and average request duration to detect anomalies and performance issues.
})
### FQDN Failures
The **Azure Firewall - FQDN Failures** dashboard provides detailed analysis of FQDN resolution failures affecting application rule processing.
Use this dashboard to:
- Monitor DNS servers used and identify top failed FQDNs to troubleshoot resolution issues.
- Analyze failure reasons and correlate failures by rule to identify misconfigured application rules.
- Track FQDN failures over time to detect patterns and resolve connectivity issues.
})
### Fat Flow Analysis
The **Azure Firewall - Fat Flow Analysis** dashboard provides visibility into high-bandwidth connections that may impact firewall performance.
Use this dashboard to:
- Monitor total fat flows detected and track average/maximum flow rates to identify bandwidth-intensive connections.
- Analyze fat flow trends over time and protocol distribution to understand traffic patterns.
- Identify top fat flow sources and destinations with the highest average rates to optimize network performance.
})
### Flow Trace
The **Azure Firewall - Flow Trace** dashboard provides detailed packet-level visibility for advanced troubleshooting and security analysis.
Use this dashboard to:
- Monitor TCP flag distribution and identify protocol violations (invalid TCP flags) for security analysis.
- Analyze action distribution and reasons to understand firewall decisions and troubleshoot issues.
- Detect potential port scans and track DNS flow trace events, including query sources, domains, and status distribution.
})
### Audit Policy
The **Azure Firewall - Audit Policy** dashboard provides details about Azure Policy compliance status for firewall resources.
Use this dashboard to:
- Monitor total success and failed policy events to ensure governance compliance.
- Analyse failed policy event details to identify and remediate non-compliant configurations.
- Track policy compliance trends for regulatory compliance monitoring and audit reporting.
})
## Create monitors for Azure Firewall
import CreateMonitors from '../../reuse/apps/create-monitors.md';
Warning: `< 90` | Critical: `>= 80`
Warning: `>= 90` | | `Azure Firewall - SNAT Port Utilization (%)` | This alert is triggered when the average SNAT port utilization is greater than 80% and triggers a warning if SNAT port utilization is greater than 70%. | Critical: `> 80`
Warning: `> 70` | Critical: `<= 80`
Warning: `<= 70` | | `Azure Firewall - Average Latency Probe (Milliseconds)` | This alert is triggered when the average Latency Probe is greater than 10 milliseconds and triggers a warning when the average Latency Probe is greater than 5 milliseconds. | Critical: `> 10`
Warning: `> 5` | Critical: `<= 10`
Warning: `<= 5` | | `Azure Firewall - Network Rule Hit Count` | This alert is triggered when the total Network rules hit count is greater than 500, and triggersa warning when the Network rules hit count is greater than 300. | Critical: `> 500`
Warning: `> 300` | Critical: `<= 500`
Warning: `<= 300` | | `Azure Firewall - Average Throughput (bits per second)` | This alert is triggered when the average Throughput is greater than 100000 bits/second and triggers a warning when the average Throughput is greater than 50000 bits/second. | Critical: `> 100000`
Warning: `> 50000` | Critical: `<= 100000`
Warning: `<= 50000` | ## Upgrade/Downgrade the Azure Firewall app (Optional) import AppUpdate from '../../reuse/apps/app-update.md';