how to monitor Azure firewall health

Ananya Sarkar 311 Reputation points

What are the best ways we can monitor Azure Firewall health? Are there any specific metrics/logs we can use to do that? Can you please provide some use cases or a log query?


Accepted answer
  1. SaiKishor-MSFT 17,171 Reputation points

    @Ananya Sarkar Azure firewall health can be monitored using the Firewall health state metric.

    Firewall health state - Indicates the health of the firewall based on SNAT port availability.

    Unit: percent

    This metric has two dimensions:

    Status: Possible values are Healthy, Degraded, Unhealthy.

    Reason: Indicates the reason for the corresponding status of the firewall.

    If SNAT ports are used > 95%, they are considered exhausted and the health is 50% with status=Degraded and reason=SNAT port. The firewall keeps processing traffic and existing connections are not affected. However, new connections may not be established intermittently.

    If SNAT ports are used < 95%, then firewall is considered healthy and health is shown as 100%.

    If no SNAT ports usage is reported, health is shown as 0%.

    Please also note that the Azure Firewall's initial throughput capacity is 2.5 - 3 Gbps and it scales out to 30 Gbps as given here in the FAQ. It scales out automatically based on CPU usage and throughput. This also ensures that the Firewall does not exceed its throughput from time to time, which keeps the Firewall healthy. Hope this helps.

    Please let us know if you have any further questions/concerns and we will be glad to assist further.


2 additional answers

  1. Ananya Sarkar 311 Reputation points

    Thanks @SaiKishor-MSFT for the info.
    I have a simple Azure infrastructure setup where I am using a hub-spoke model. I have created some traffic for port 22, 80 etc. to the private VMs through the firewall and to hit some application rules. The FW has only one public IP.
    However, the SNAT port utilization is showing 0% and the FW health is showing 100%.
    I want to do some further setup to generate some SNAT traffic, so I can see some SNAT port utilization and FW health below 100%.

    Can you please provide some use cases to get some SNAT port utilization and FW health below 100%? This will be really helpful.

  2. SaiKishor-MSFT 17,171 Reputation points

    @Ananya Sarkar

    The Azure Firewall SNAT port utilization metric may show 0% usage even when SNAT ports are used. In this case, using the metric as part of the firewall health metric provides an incorrect result.

    • This issue has been fixed and rollout to production is targeted for May 2020. In some cases, firewall redeployment resolves the issue, but it's not consistent. As an intermediate workaround, only use the firewall health state to look for status=degraded, not for status=unhealthy. Port exhaustion will show as degraded. Not healthy is reserved for future use when there are more metrics to impact the firewall health.

    All outbound virtual network traffic IP addresses are translated to the Azure Firewall public IP (Source Network Address Translation). You can identify and allow traffic originating from your virtual network to remote Internet destinations. Azure Firewall doesn't SNAT when the destination IP is a private IP range per IANA RFC 1918. So the more traffic to the internet, the more SNAT utilization is seen.

    Here is a link to a document that talks about DNS traffic using SNAT rules causing SNAT utilization to reach 100% as a use case scenario. Hope this helps.

    Please let us know if you have any further questions/concerns and we will be glad to assist you. Have a good rest of your day!
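The health thresholds in the accepted answer and the "alert on Degraded only" workaround in the answer above, turned into a small monitor check. This is an added example, not code from the thread or from Microsoft; the response shape is an assumption modelled on what `az monitor metrics list` returns, and the sample data is constructed.

```python
# Constructed sample, shaped like an Azure Monitor metrics response
# (assumption: the structure `az monitor metrics list` returns).
SAMPLE_RESPONSE = {"value": [
    {"name": {"value": "FirewallHealth"}, "timeseries": [
        {"metadatavalues": [{"name": {"value": "Status"}, "value": "Degraded"},
                            {"name": {"value": "Reason"}, "value": "SNAT port"}],
         "data": [{"timeStamp": "2020-05-01T10:00:00Z", "average": 50.0}]},
        {"metadatavalues": [{"name": {"value": "Status"}, "value": "Unhealthy"},
                            {"name": {"value": "Reason"}, "value": ""}],
         "data": [{"timeStamp": "2020-05-01T10:00:00Z", "average": 0.0}]}]},
    {"name": {"value": "SNATPortUtilization"}, "timeseries": [
        {"metadatavalues": [],
         "data": [{"timeStamp": "2020-05-01T10:00:00Z", "average": 0.0}]}]}]}

SNAT_EXHAUSTION_PCT = 95.0  # threshold stated in the accepted answer

def expected_health(snat_pct):
    """Health the accepted answer says the metric reports for a given SNAT
    port usage; None means no SNAT usage was reported at all."""
    if snat_pct is None:
        return 0.0, None
    if snat_pct > SNAT_EXHAUSTION_PCT:
        return 50.0, "Degraded"
    return 100.0, "Healthy"

def _dims(series):
    return {m["name"]["value"]: m["value"] for m in series.get("metadatavalues", [])}

def _latest(series):
    values = [p["average"] for p in series["data"] if p.get("average") is not None]
    return values[-1] if values else None

def degraded_alerts(response):
    """Alerts a monitor should raise: one per FirewallHealth series whose
    Status dimension is Degraded. Unhealthy is skipped, as the workaround in
    the second answer advises. A SNAT utilization of 0 (or missing) next to a
    Degraded status is the metric bug that answer describes, so the alert
    flags the utilization figure as not trustworthy."""
    metrics = {m["name"]["value"]: m["timeseries"] for m in response["value"]}
    snat = [v for v in map(_latest, metrics.get("SNATPortUtilization", [])) if v is not None]
    snat_pct = max(snat) if snat else None
    alerts = []
    for series in metrics.get("FirewallHealth", []):
        dims, health = _dims(series), _latest(series)
        if dims.get("Status") != "Degraded" or health is None:
            continue
        alerts.append({"reason": dims.get("Reason", ""), "health_pct": health,
                       "snat_pct": snat_pct, "snat_metric_suspect": not snat_pct})
    return alerts

if __name__ == "__main__":
    for alert in degraded_alerts(SAMPLE_RESPONSE):
        print(alert)
```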