Azure Firewall Logs Collection.

Jessie 85 Reputation points
2023-10-11T08:48:25.1866667+00:00

Any idea how to set firewall to collect logs for a specific time period (maybe an hour), and what tool is best for analysing the firewall logs?

Also, what license type is needed to implement DDOS protection, and how do I verify the license plan or type in the Azure portal?


Accepted answer
  1. GitaraniSharma-MSFT 48,016 Reputation points Microsoft Employee
    2023-10-12T14:16:55.3766667+00:00

    Hello @Jessie ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to know how to collect Azure Firewall logs for a specific time period, and what tool is best for analyzing the firewall logs. You also would like to know what license type is needed to implement DDOS protection, and how to verify the license plan or type in the Azure portal. Please find the answers below.

    Any idea how to set firewall to collect logs for a specific time period (may be an hour), and what tool is best for analyzing the firewall logs?

    To collect Azure Firewall logs, you should enable diagnostic logs for Azure Firewall.

    You can access some of these logs through the portal. Logs can be sent to Azure Monitor logs, Storage, and Event Hubs and analyzed in Azure Monitor logs or by different tools such as Excel and Power BI.

    Metrics are lightweight and can support near real-time scenarios making them useful for alerting and fast issue detection.

    Refer: https://learn.microsoft.com/en-us/azure/firewall/logs-and-metrics

    Azure Firewall logs (Legacy) and metrics: https://learn.microsoft.com/en-us/azure/firewall/firewall-diagnostics

    Structured firewall logs are available, which offer more control over the logs and faster queries.

    Refer: https://learn.microsoft.com/en-us/azure/firewall/firewall-structured-logs

    You can also monitor the logs using Azure Firewall Workbook.

    Refer: https://learn.microsoft.com/en-us/azure/firewall/firewall-workbook

    We also have a new feature for Top flows (preview) and Flow trace logs (preview) in Azure Firewall.

    Refer: https://learn.microsoft.com/en-us/azure/firewall/enable-top-ten-and-flow-trace

    Now, coming to the question of how to collect logs for a specific time period, you can enable structured logs in Azure Firewall diagnostics, run a query using the predefined queries available in the Azure portal, and set a time range in Azure Monitor/Log Analytics:

    https://learn.microsoft.com/en-us/azure/firewall/firewall-structured-logs#enable-structured-logs


    https://learn.microsoft.com/en-us/azure/firewall/firewall-structured-logs#structured-log-queries


    You can enable a time range when running a query in Azure Monitor for Azure Firewall logs.

    Refer: https://learn.microsoft.com/en-us/azure/azure-monitor/logs/scope#time-range


    What license type is needed to implement DDOS protection, and how do I verify the license plan or type in the Azure portal?

    DDOS protection is available in all Azure subscription types.

    Refer: https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-protection-overview

    https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-protection-reference-architectures

    https://learn.microsoft.com/en-us/azure/ddos-protection/manage-permissions

    https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-faq#how-does-pricing-work-

    https://azure.microsoft.com/en-us/pricing/details/ddos-protection/

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
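The time-range approach described in the answer above, written as a Log Analytics (KQL) query. This is an added example and not part of the original answer; it assumes the firewall's diagnostic setting sends the resource-specific structured tables `AZFWNetworkRule` and `AZFWApplicationRule` to the workspace, and the one-hour look-back is an assumed value.

```kusto
// Added example: traffic denied by Azure Firewall during the last hour.
// Assumption: structured (resource-specific) logs are enabled and land in
// the AZFWNetworkRule and AZFWApplicationRule tables of this workspace.
let lookback = 1h;   // assumed period; change to the window you need
union
    (AZFWNetworkRule
     | where TimeGenerated > ago(lookback)     // time range set in the query itself
     | where Action == "Deny"
     | project TimeGenerated, RuleType = "Network", Protocol,
               SourceIp, SourcePort,
               Destination = DestinationIp, DestinationPort,
               Policy, RuleCollection, Rule, ActionReason),
    (AZFWApplicationRule
     | where TimeGenerated > ago(lookback)
     | where Action == "Deny"
     | project TimeGenerated, RuleType = "Application", Protocol,
               SourceIp, SourcePort,
               Destination = Fqdn, DestinationPort,
               Policy, RuleCollection, Rule, ActionReason)
| sort by TimeGenerated desc
```

A `TimeGenerated` filter written in the query takes precedence over the time picker in the portal, so the same query returns the same window wherever it is run.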


1 additional answer

  1. Jessie 85 Reputation points
    2023-11-14T06:53:31.32+00:00

    Hello @GitaraniSharma-MSFT

    Regarding firewall log queries, is there a query that displays a log of all the traffic blocked by Azure firewall?

    I tried the below query, but I am not getting the required information.

    AZFWNetworkRule
    | where SourceIp == "IP address"
    | where Action == "Deny"