Any idea how to set firewall to collect logs for a specific time period (may be an hour), and what tool is best for analysing the firewall logs? Also, what license type is needed to implement DDOS protection, and how do I verify the license plan or type in the Azure portal?

Hello @Jessie , Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well. I understand that you would like to know how to collect Azure Firewall logs for a specific time period, and what tool is best for analyzing the firewall logs. You also would like to know what license type is needed to implement DDOS protection, and how to verify the license plan or type in the Azure portal. Please find the answers below. Any idea how to set firewall to collect logs for a specific time period (may be an hour), and what tool is best for analyzing the firewall logs? To collect Azure Firewall logs, you should enable diagnostic logs for Azure Firewall. You can access some of these logs through the portal. Logs can be sent to Azure Monitor logs, Storage, and Event Hubs and analyzed in Azure Monitor logs or by different tools such as Excel and Power BI. Metrics are lightweight and can support near real-time scenarios making them useful for alerting and fast issue detection. Refer: https://learn.microsoft.com/en-us/azure/firewall/logs-and-metrics Azure Firewall logs (Legacy) and metrics: https://learn.microsoft.com/en-us/azure/firewall/firewall-diagnostics Structured firewall logs are available which offers more control over the logs and faster queries. Refer: https://learn.microsoft.com/en-us/azure/firewall/firewall-structured-logs You can also monitor the logs using Azure Firewall Workbook. Refer: https://learn.microsoft.com/en-us/azure/firewall/firewall-workbook We also have a new feature for Top flows (preview) and Flow trace logs (preview) in Azure Firewall. Refer: https://learn.microsoft.com/en-us/azure/firewall/enable-top-ten-and-flow-trace Now, coming to the question how to collect logs for a specific time period, you can enable structured logs in Azure Firewall diagnostics and run a query using the predefined queries available in the Azure portal and setting a time range in the Azure Monitor/log analytics: https://learn.microsoft.com/en-us/azure/firewall/firewall-structured-logs#enable-structured-logs https://learn.microsoft.com/en-us/azure/firewall/firewall-structured-logs#structured-log-queries You can enable a time range when running a query in Azure monitor for Azure Firewall logs. Refer: https://learn.microsoft.com/en-us/azure/azure-monitor/logs/scope#time-range Example: What license type is needed to implement DDOS protection, and how do I verify the license plan or type in the Azure portal? DDOS protection is available in all Azure subscription types. Refer: https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-protection-overview https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-protection-reference-architectures https://learn.microsoft.com/en-us/azure/ddos-protection/manage-permissions https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-faq#how-does-pricing-work- https://azure.microsoft.com/en-us/pricing/details/ddos-protection/ Kindly let us know if the above helps or you need further assistance on this issue. Please " Accept the answer " if the information helped you. This will help us and others in the community as well.

Hello @GitaraniSharma-MSFT Regarding firewall log queries, is there a query that displays a log of all the traffic blocked by Azure firewall? I tried the below query, but I am not getting the required information. AZFWNetworkRule | where SourceIp == "IP address" | where Action == "Deny"

Azure Firewall Logs Collection.

Accepted answer

GitaraniSharma-MSFT 47,676 Reputation points Microsoft Employee

2023-10-12T14:16:55.3766667+00:00

Hello @Jessie ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

I understand that you would like to know how to collect Azure Firewall logs for a specific time period, and what tool is best for analyzing the firewall logs. You also would like to know what license type is needed to implement DDOS protection, and how to verify the license plan or type in the Azure portal. Please find the answers below.

Any idea how to set firewall to collect logs for a specific time period (may be an hour), and what tool is best for analyzing the firewall logs?

To collect Azure Firewall logs, you should enable diagnostic logs for Azure Firewall.

You can access some of these logs through the portal. Logs can be sent to Azure Monitor logs, Storage, and Event Hubs and analyzed in Azure Monitor logs or by different tools such as Excel and Power BI.

Metrics are lightweight and can support near real-time scenarios making them useful for alerting and fast issue detection.

Refer: https://learn.microsoft.com/en-us/azure/firewall/logs-and-metrics

Azure Firewall logs (Legacy) and metrics: https://learn.microsoft.com/en-us/azure/firewall/firewall-diagnostics

Structured firewall logs are available which offers more control over the logs and faster queries.

Refer: https://learn.microsoft.com/en-us/azure/firewall/firewall-structured-logs

You can also monitor the logs using Azure Firewall Workbook.

Refer: https://learn.microsoft.com/en-us/azure/firewall/firewall-workbook

We also have a new feature for Top flows (preview) and Flow trace logs (preview) in Azure Firewall.

Refer: https://learn.microsoft.com/en-us/azure/firewall/enable-top-ten-and-flow-trace

Now, coming to the question how to collect logs for a specific time period, you can enable structured logs in Azure Firewall diagnostics and run a query using the predefined queries available in the Azure portal and setting a time range in the Azure Monitor/log analytics:

https://learn.microsoft.com/en-us/azure/firewall/firewall-structured-logs#enable-structured-logs

https://learn.microsoft.com/en-us/azure/firewall/firewall-structured-logs#structured-log-queries

You can enable a time range when running a query in Azure monitor for Azure Firewall logs.

Refer: https://learn.microsoft.com/en-us/azure/azure-monitor/logs/scope#time-range

Example:

What license type is needed to implement DDOS protection, and how do I verify the license plan or type in the Azure portal?

DDOS protection is available in all Azure subscription types.

Refer: https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-protection-overview

https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-protection-reference-architectures

https://learn.microsoft.com/en-us/azure/ddos-protection/manage-permissions

https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-faq#how-does-pricing-work-

https://azure.microsoft.com/en-us/pricing/details/ddos-protection/

Kindly let us know if the above helps or you need further assistance on this issue.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.
Jessie 85 Reputation points

2023-10-13T00:04:26.07+00:00

Hello @GitaraniSharma-MSFT

Thank you for the detailed response to my questions.

Just so I understand you correctly regarding DDOS Protection.

Is my understanding that I do not require additional license to implement DDoS Portection correct?

GitaraniSharma-MSFT 47,676 Reputation points Microsoft Employee

2023-10-13T12:57:36.8366667+00:00

Hello @Jessie , yes, that is correct.

There is no concept of licensing in Azure. Every service is billed per hour.

You can find this information in the below doc:

Refer: https://learn.microsoft.com/en-us/microsoft-365/enterprise/subscriptions-licenses-accounts-and-tenants-for-microsoft-cloud-offerings?view=o365-worldwide#subscriptions

So, as long as you have an active Azure subscription, you can enable DDOS protection for a fixed monthly charge.

Refer: https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-faq#how-does-pricing-work-

https://azure.microsoft.com/en-us/pricing/details/ddos-protection/

Regards,

Gita

Jessie 85 Reputation points

2023-10-29T23:59:51.8366667+00:00

Hello @GitaraniSharma-MSFT ,

Just one question regarding Azure Network Security Groups.

When an NSG is created, by default there is a rule that allows access to the internet.

Creating a different deny rule blocks access to the internet.

Question:

Would this action be out of line in a Hub and Spoke network architecture where firewall resides in the Hub network?

We have found and taken the above actions in our environment and I am just wondering if there is a better way to block access to the internet other than the NSG or route table, that is line with hub and spoke network architecture.

GitaraniSharma-MSFT 47,676 Reputation points Microsoft Employee

2023-10-30T11:20:59.1333333+00:00

Hello @Jessie ,

In case of a simple hub and spoke topology, it is best to use NSGs and UDRs to block access to Internet. It is better to place a UDR in the subnets of the Spokes with a 0.0.0.0/0 and Next Hop of Azure Firewall. This is because it locks in a single exit point which next hop is the firewall, and also to reduce the risk of asymmetric routing should it learn more specific prefixes from your on-premises environment that might cause the traffic to bypass the firewall.

Refer: https://techcommunity.microsoft.com/t5/fasttrack-for-azure/multi-hub-and-spoke-topology-using-azure-firewalls/ba-p/3811148

In case of complex hub and spoke topology, it is best to use Azure Virtual Network Manager (AVNM) to create new or onboard existing hub and spoke virtual network topologies for central management of connectivity and security controls.

Refer: https://techcommunity.microsoft.com/t5/azure-networking-blog/simplify-and-centrally-manage-virtual-networks-using-azure/ba-p/2911523

A connectivity configuration enables you to create a mesh or a hub-and-spoke network topology including direct connectivity between spoke virtual networks.

A security configuration allows you to define a collection of rules that you can apply to one or more network groups at the global level.

Refer: https://learn.microsoft.com/en-us/azure/virtual-network-manager/concept-security-admins

Regards,

Gita

Jessie 85 Reputation points

2023-11-09T00:31:45.65+00:00

Hello @GitaraniSharma-MSFT

Thank you for the above clarification.

I thought this thread is better for firewall log related questions, hence the decision to also post it here.

When log collection in Azure firewall is configured, does it affect the performance of servers that are situated in the spoke environment?

Correct my impression but my understanding is that network bandwidth, if not adequate, can affect traffic flow that in turn, affects the performance of servers in the spoke environment.

Other things are probably the volume of log collected, the retention policy etc.

Is my assumption correct?

GitaraniSharma-MSFT 47,676 Reputation points Microsoft Employee

2023-11-09T19:14:46.91+00:00

Hello @Jessie ,

When log collection in Azure firewall is configured, does it affect the performance of servers that are situated in the spoke environment?

Log collection should not affect performance of the servers in your hub-and-spoke topology.

However, collecting the Top flows (preview) and Flow trace logs (preview) in Azure Firewall can cause excessive CPU and storage usage on the Azure Firewall infrastructure.

It's suggested to activate Top flows logs only when troubleshooting a specific issue to avoid excessive CPU usage of Azure Firewall.

Refer: https://learn.microsoft.com/en-us/azure/well-architected/services/networking/azure-firewall#recommendations-2

https://learn.microsoft.com/en-us/azure/firewall/enable-top-ten-and-flow-trace#top-flows

Correct my impression but my understanding is that network bandwidth, if not adequate, can affect traffic flow that in turn, affects the performance of servers in the spoke environment.

Azure Firewall performance can be affected in a hub-and-spoke topology if the spoke Vnet regions are different from the Hub.

Global VNet peering is supported, but it isn't recommended because of potential performance and latency issues across regions. For best performance, deploy one firewall per region.

Refer: https://learn.microsoft.com/en-us/azure/firewall/firewall-faq#what-is-the-typical-deployment-model-for-azure-firewall

You can use a central instance of Azure Firewall in the hub virtual network or Virtual WAN secure hub and share the same firewall across many spoke virtual networks that are connected to the same hub from the same region. Ensure there's no unexpected cross-region traffic as part of the hub-spoke topology.

Other things are probably the volume of log collected, the retention policy etc.

The volume of logs collected, and the retention policies will impact your cost side of things.

Azure Firewall has the ability to comprehensively log metadata of all traffic it sees, to Log Analytics Workspaces, Storage or third-party solutions through Event Hub. However, all logging solutions incur costs for data processing and storage. At very large volumes these costs can be significant. Consider whether it is required to log traffic metadata for all logging categories and modify in Diagnostic Settings if needed.

Refer: https://learn.microsoft.com/en-us/azure/well-architected/services/networking/azure-firewall#performance-efficiency

Regards,

Gita
Sign in to comment

Azure Firewall Logs Collection.

1 additional answer