Hello @Jessie,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you would like to know how to collect Azure Firewall logs for a specific time period, and what tool is best for analyzing the firewall logs. You also would like to know what license type is needed to implement DDOS protection, and how to verify the license plan or type in the Azure portal. Please find the answers below.
Any idea how to set firewall to collect logs for a specific time period (may be an hour), and what tool is best for analyzing the firewall logs?
To collect Azure Firewall logs, you should enable diagnostic logs for Azure Firewall.
You can access some of these logs through the portal. Logs can be sent to Azure Monitor logs, Storage, and Event Hubs and analyzed in Azure Monitor logs or by different tools such as Excel and Power BI.
Metrics are lightweight and can support near real-time scenarios, making them useful for alerting and fast issue detection.
Refer: https://learn.microsoft.com/en-us/azure/firewall/logs-and-metrics
Azure Firewall logs (Legacy) and metrics: https://learn.microsoft.com/en-us/azure/firewall/firewall-diagnostics
Structured firewall logs are also available, which offer more control over the logs and faster queries.
Refer: https://learn.microsoft.com/en-us/azure/firewall/firewall-structured-logs
You can also monitor the logs using Azure Firewall Workbook.
Refer: https://learn.microsoft.com/en-us/azure/firewall/firewall-workbook
We also have a new feature for Top flows (preview) and Flow trace logs (preview) in Azure Firewall.
Refer: https://learn.microsoft.com/en-us/azure/firewall/enable-top-ten-and-flow-trace
Now, coming to the question of how to collect logs for a specific time period: you can enable structured logs in Azure Firewall diagnostics, run one of the predefined queries available in the Azure portal, and set a time range in Azure Monitor/Log Analytics:
https://learn.microsoft.com/en-us/azure/firewall/firewall-structured-logs#enable-structured-logs
https://learn.microsoft.com/en-us/azure/firewall/firewall-structured-logs#structured-log-queries
You can set a time range when running a query in Azure Monitor for Azure Firewall logs.
Refer: https://learn.microsoft.com/en-us/azure/azure-monitor/logs/scope#time-range
Example:
What license type is needed to implement DDOS protection, and how do I verify the license plan or type in the Azure portal?
DDOS protection is available in all Azure subscription types.
Refer: https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-protection-overview
https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-protection-reference-architectures
https://learn.microsoft.com/en-us/azure/ddos-protection/manage-permissions
https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-faq#how-does-pricing-work-
https://azure.microsoft.com/en-us/pricing/details/ddos-protection/
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
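The time-bounded structured-log query described in the answer above, as an added example that is not part of the original post. It assumes Azure Firewall structured logs are already flowing to a Log Analytics workspace (the AZFWNetworkRule table); the one-hour window is a constructed sample value, and the column names are taken from the structured network-rule log schema.

```kusto
// Added example: review one hour of Azure Firewall structured network-rule logs.
// The window start is a constructed sample value; adjust it to the period of interest.
let windowStart = datetime(2024-01-15T09:00:00Z);
let windowEnd   = windowStart + 1h;
AZFWNetworkRule
| where TimeGenerated between (windowStart .. windowEnd)
// Group flows by what the firewall decided and which rule made the decision
| summarize
    Flows        = count(),
    DistinctSrc  = dcount(SourceIp),
    DistinctDst  = dcount(DestinationIp),
    FirstSeen    = min(TimeGenerated),
    LastSeen     = max(TimeGenerated)
  by Action, Protocol, DestinationPort, Rule
// Surface the busiest (Action, port, rule) combinations first; denied flows with
// many distinct sources in a short window are the rows worth a closer look
| order by Flows desc
```

Selecting a custom time range in the Log Analytics query scope (the "Time range" picker) achieves the same filtering as the explicit `between` clause, but the explicit clause keeps the window visible when the query is saved or shared.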