Azure Firewall - Denied DNAT Traffic

Question

Hi,

I have structured logs enabled on our Azure firewall which is logging everything minus the fat and full flow logs.

Is there a way to see all IP addresses trying to connect to our public IPs on the firewall which are members of DNAT rules? We are trying to diagnose connectivity issues, we knew we were trying to connect to an Azure firewall public IP from an address which was not permitted via a DNAT rule. I could not see this traffic logged anywhere but perhaps it is not possible?

So to be clear, can we see any logs for source public IP addresses attempting to connect to destination public IP addresses on our Azure firewall regardless if it is successful or not? We only appear to see successful connections in the logs but I need to see where traffic is failing as well.

Thanks

Answer 1

@Son ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I did a Lab and I was not able to see the failed DNAT connections.

I believe this is expected.

If you compare the AZFWNatRule and AZFWNetworkRule data reference,

• You would notice that the AZFWNetworkRule has a Action field
  • 
• This field is not present in the AZFWNatRule
• i.e., only mapped rules are logged.

This also makes sense as millions of bad actors would always randomly port scanning Microsoft owned IPs (which should be taken care by infrastructure-level DDoS protection )

Please let us know if we can be of any further assistance here.

Thanks,

Kapil

---

Please Accept an answer if correct.

Original posters help the community find answers faster by identifying the correct answer.