In my case patched and fixed by Microsoft 05. July 2024
Azure Firewall Policy - Policy Analytics Stopped Working Suddenly
As title says, Policy Analytics suddenly stopped working/indexing the logs, so it no longer show traffic, hits etc. Only can see analytics from about 1 week ago and older now.
No known changes done in the environment either, I tried to disable the Policy Analytics and then reenable it again, still no change. Anyone experienced anything like this? Considering trying to change the workspace to see if new data would get in. But usually we try to keep one LA for everything.
Azure Firewall
-
Rahul Gosavi 166 Reputation points
2024-06-12T09:49:23.23+00:00 When Azure Firewall Policy Analytics stops working suddenly, and you notice that it is no longer indexing logs or showing traffic and hits data, it can be quite frustrating. Since you have already tried disabling and re-enabling Policy Analytics without success, here are several steps you can take to troubleshoot and potentially resolve the issue:
- Verify Data Ingestion into Log Analytics Workspace
First, ensure that the Log Analytics workspace is still receiving data from the Azure Firewall. Check the following:
- Log Analytics Workspace: Go to the Log Analytics workspace associated with your Azure Firewall.
- Logs: Run a query to check if new logs are being ingested.
AzureDiagnostics
| where TimeGenerated > ago(1h)
| where ResourceType == "AZUREFIREWALLS"
Check Diagnostic Settings
Ensure that the diagnostic settings for the Azure Firewall are still correctly configured to send logs to the Log Analytics workspace:
- Azure Firewall Diagnostic Settings:
- Navigate to the Azure Firewall instance.
- Go to Diagnostic settings.
- Ensure that logs are being sent to the correct Log Analytics workspace.
- Verify that all relevant log categories (such as
AzureFirewallApplicationRule
,AzureFirewallNetworkRule
, andAzureFirewallDnsProxy
) are selected.
- Verify that all relevant log categories (such as
- Ensure that logs are being sent to the correct Log Analytics workspace.
- Go to Diagnostic settings.
- Navigate to the Azure Firewall instance.
- Validate Log Analytics Workspace Retention Settings
Make sure that the retention settings on the Log Analytics workspace are configured correctly and that data isn't being purged earlier than expected:
- Retention Settings:
- Go to the Log Analytics workspace.
- Navigate to Usage and estimated costs.
- Check the data retention settings and ensure they are appropriate for your needs.
- Navigate to Usage and estimated costs.
- Go to the Log Analytics workspace.
- Review Azure Policy Analytics Configuration
Double-check the Azure Firewall Policy Analytics configuration to ensure everything is set up correctly:
- Policy Analytics Settings:
- Go to Azure Firewall Manager.
- Verify the configuration settings for Policy Analytics.
- Go to Azure Firewall Manager.
- Check for Resource Quota Issues
Ensure that you are not hitting any resource quota limits that might affect log ingestion or processing:
- Resource Quotas:
- Check the usage and limits of the Log Analytics workspace and Azure Firewall to ensure that you are not exceeding any quotas.
- Review Recent Changes or Updates
Although you mentioned no known changes were made, check if there were any updates or changes that might have affected the functionality:
- Azure Service Health:
- Check Azure Service Health to see if there are any ongoing issues or maintenance activities related to Log Analytics or Azure Firewall.
- Contact Microsoft Support
If none of the above steps resolve the issue, consider reaching out to Microsoft Support for further assistance. Provide them with the following information:
- Details of the issue and steps you've taken to troubleshoot.
- Diagnostic settings configurations.
- Log Analytics workspace information. Check Diagnostic Settings Ensure that the diagnostic settings for the Azure Firewall are still correctly configured to send logs to the Log Analytics workspace:
- Azure Firewall Diagnostic Settings:
- Navigate to the Azure Firewall instance.
- Go to Diagnostic settings.
- Ensure that logs are being sent to the correct Log Analytics workspace.
- Verify that all relevant log categories (such as
AzureFirewallApplicationRule
,AzureFirewallNetworkRule
, andAzureFirewallDnsProxy
) are selected.
- Validate Log Analytics Workspace Retention Settings
- Retention Settings:
- Go to the Log Analytics workspace.
- Navigate to Usage and estimated costs.
- Check the data retention settings and ensure they are appropriate for your needs.
- Review Azure Policy Analytics Configuration
- Policy Analytics Settings:
- Go to Azure Firewall Manager.
- Verify the configuration settings for Policy Analytics.
- Check for Resource Quota Issues
- Resource Quotas:
- Check the usage and limits of the Log Analytics workspace and Azure Firewall to ensure that you are not exceeding any quotas.
- Review Recent Changes or Updates
- Azure Service Health:
- Check Azure Service Health to see if there are any ongoing issues or maintenance activities related to Log Analytics or Azure Firewall.
- Contact Microsoft Support
- Details of the issue and steps you've taken to troubleshoot.
- Diagnostic settings configurations.
- Log Analytics workspace information.
- Azure Firewall Diagnostic Settings:
AzureDiagnostics
| where TimeGenerated > ago(1d)
| where ResourceType == "AZUREFIREWALLS"
| summarize count() by bin(TimeGenerated, 1h)
| order by TimeGenerated desc
-
GitaraniSharma-MSFT 49,591 Reputation points • Microsoft Employee
2024-06-12T10:50:30.1666667+00:00 Hello @Martin Cato Dahl ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that Azure Firewall Policy Analytics suddenly stopped working for you and it no longer shows traffic or hits etc. You are only able to see analytics from about 1 week ago and older now.
You already mentioned that there were no known changes done in the environment, but I would like to validate the below:
- The log analytics workspace used for Policy analytics should be the same workspace configured in the firewall Diagnostic settings.
- Policy Analytics has a dependency on both Log Analytics and Azure Firewall resource specific logging. Verify the Firewall is configured appropriately. You can check logs are configured appropriately by running a log analytics query on the resource specific tables such as AZFWNetworkRuleAggregation, AZFWApplicationRuleAggregation, and AZFWNatRuleAggregation.
Refer: https://learn.microsoft.com/en-us/azure/firewall/policy-analytics#enable-policy-analytics
https://learn.microsoft.com/en-us/azure/firewall/firewall-structured-logs#resource-specific-mode
- Also, could you please make sure that Firewall metrics are not enabled in the same diagnostic settings as the Resource Specific logs?
The diagnostics settings for metrics must be a separate configuration than logs. Firewall logs can be configured to use Azure Diagnostics or Resource Specific. However, Firewall metrics must always use Azure Diagnostics.
I will also check internally to see if there are any known issues or similar reported incidents by other customers.
Regards,
Gita
-
Martin Cato Dahl 5 Reputation points
2024-06-12T13:27:34.35+00:00 Thanks for suggestions, I checked all what is mentioned, also tried creating a new LA Workspace and point the Policy Analytics to that new Workspace instead of the existing one, waited for at least an hour, and still it doesnt work. I see tables created and data being received, but it's like the Policy Analytics part no longer can access the data. Not sure what to do next, so I guess I have to get a support case going. I'll update if I get a good explanation.
-
GitaraniSharma-MSFT 49,591 Reputation points • Microsoft Employee
2024-06-13T15:07:39.0066667+00:00 @Martin Cato Dahl , thank you for the update. I checked internally and found that there is an ongoing issue with the Policy analytics where it is not showing data under "Network rules" blade. So, your issue could be related to this bug.
So, to troubleshoot the exact issue here, we will need a specialized 1:1 session, where a support engineer can check the backend logs and engage the dev team for further assistance. So, if you have a support plan, I request you file a support ticket, else please do let us know, we will try and help you get a one-time free technical support.
In case you need help with a one-time free technical support, please respond to the private message with the requested details.
Regards,
Gita
-
Gschwind Pablo 0 Reputation points
2024-06-14T14:43:36.87+00:00 Is this bug still around we have the same issue with a new Firewall Policy Analytics.
Is there an official ticket around?
-
GitaraniSharma-MSFT 49,591 Reputation points • Microsoft Employee
2024-06-18T01:59:12.41+00:00 Hello @Gschwind Pablo , yes, this is still an active bug, and the Product Group team is trying to fix the issue by upgrading the Azure Firewall to the latest new version. There is an official internal work item created for this bug which is being worked upon by the Product Group team.
I would request you to raise a support ticket to get the issue fixed.
Regards,
Gita
-
Martin Cato Dahl 5 Reputation points
2024-07-11T11:43:24.47+00:00 Had a case open with Microsoft, I don't know of any official ticket, but we got the issue fixed last week when they implemented a patch on the firewall. After the patch the Aggregated data is correctly being sent to Log Analytics and Policy Analytics is working as it should now.
Sign in to comment
1 answer
Sort by: Most helpful
-
Martin Cato Dahl 5 Reputation points
2024-07-11T11:45:20.6366667+00:00