Need to find Top talkers from Azure Firewall network Logs

Question

Need to find Top talkers from Azure Firewall network Logs

Shramik Ghadigaonkar 0

I want a KQL query and configuration settings which can give me Azure firewall network rule logs with column having details for SentBytes and received bytes details for each packet.

4 answers

Your answer

Answer 1

You can use the following queries for top talkers:

Top source IPs (application rules):

AzureDiagnostics
| where Category == "AzureFirewallApplicationRule"
| parse msg_s with * " from " SourceIP ":" SourcePort " to " TargetHost ":" TargetPort ". Action: " Action ". Policy: " Policy ". Rule Collection Group: " Rcg ". Rule Collection: " Rc ". Rule: " Rule
| summarize ConnCount = count() by SourceIP
| order by ConnCount desc

Top source IPs (Network rules):

AzureDiagnostics
| where Category == "AzureFirewallNetworkRule"
| parse msg_s with * " from " SourceIP ":" SourcePort " to " DestinationIP ":" DestinationPort ". Action: " Action ". Policy: " Policy ". Rule Collection Group: " Rcg ". Rule Collection: " Rc ". Rule: " Rule
| summarize ConnCount = count() by SourceIP
| order by ConnCount desc

You can also run both (single view):

AzureDiagnostics
| where Category in ("AzureFirewallApplicationRule", "AzureFirewallNetworkRule")
| parse msg_s with * " from " SourceIP ":" SourcePort " to " Target ":" TargetPort ". Action: " Action "." *
| summarize ConnCount = count() by Category, SourceIP, Target, TargetPort, Action
| order by ConnCount desc

Answer 2

ChaitanyaNaykodi-MSFT 27,661 Microsoft Employee Moderator

@Shramik Ghadigaonkar Thank you for reaching out.

In order to determine the top talkers in from Azure Firewall activating the top flow logs will be the way to go.

https://learn.microsoft.com/en-us/azure/firewall/monitor-firewall-reference#top-flows

The top flows log is known in the industry as fat flow log and in the preceding table as Azure Firewall Fat Flow Log. The top flows log shows the top connections that are contributing to the highest throughput through the firewall.

Make sure you have enabled structured firewall logs in this case

https://learn.microsoft.com/en-us/azure/firewall/monitor-firewall#enable-structured-logs

Enable the Top flows log using the following Azure PowerShell commands:

Set-AzContext -SubscriptionName <SubscriptionName>
$firewall = Get-AzFirewall -ResourceGroupName <ResourceGroupName> -Name <FirewallName>
$firewall.EnableFatFlowLogging = $true
Set-AzFirewall -AzureFirewall $firewall

Note: Activate Top flows logs only when troubleshooting a specific issue to avoid excessive CPU usage of Azure Firewall.

Please follow the documentation above for disabling the logs.

You can find the sample query here
https://learn.microsoft.com/en-us/azure/azure-monitor/reference/queries/azfwfatflow

// Get the fatflows from past 1000 samples with rate atleast 5 mbps
AZFWFatFlow
| take 1000
| order by TimeGenerated desc
| where FlowRate > 5

This is list of columns available for this log
https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azfwfatflow#columns

Currently this log does not contain the SentBytes and received bytes details and if top flow logs do not satisfy your requirements it will help if you could file a feedback item for this request along with your business requirement. You can file this request here

Hope this helps! Please let me know if you have any additional questions. Thank you!

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Shramik Ghadigaonkar 0 Reputation points

2024-11-07T10:53:29.74+00:00

Does fat logs simply provide real-time logs, or do they also provide historical logs? Because I had a SNAT port utilization issue and couldn't locate anything at the time, does allowing fat logs provides info for previous logs? Also during such period where health of firewall is already showing degraded, enabling fat log feature is recommended or not?
ChaitanyaNaykodi-MSFT 27,661 Reputation points Microsoft Employee Moderator

2024-11-08T01:17:02.9533333+00:00

@Shramik Ghadigaonkar

Does fat logs simply provide real-time logs, or do they also provide historical logs? Because I had a SNAT port utilization issue and couldn't locate anything at the time, does allowing fat logs provides info for previous logs?

Yes they provide the real time logs after they are enabled. The Top Flows protocol runs periodically every three minutes. This is done to avoid excessive CPU usage of Azure Firewall.

In this scenario I think you can set alert for SNAT port Utilization and based on the alert enable fat flow logs to capture the correct data.

Just in case if you are unaware the recommended action if your firewall is running into SNAT port exhaustion, you should add at least five public IP address. This increases the number of SNAT ports available.

Also during such period where health of firewall is already showing degraded, enabling fat log feature is recommended or not?

If firewall health is degraded due SNAT port exhaustion the firewall keeps processing traffic and existing connections aren't affected. However, new connections might not be established intermittently. Because of this the logs for all connections might not get captured but I think you can still try this analyze the existing connections.

Hope this helps! Please let me know if you have any additional questions. Thank you!

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
ChaitanyaNaykodi-MSFT 27,661 Reputation points Microsoft Employee Moderator

2024-11-21T23:48:12.9166667+00:00

@Shramik Ghadigaonkar

Not sure if you go a chance to view my comment above.

In addition to fat flow logs above you can check Azure Firewall Policy Analytics and check the Traffic flow analysis tab, it maps traffic flow to rules by identifying top traffic flows and enabling an integrated experience.

Where you check the data from last 30 days and the hit count.
You can check logs are configured appropriately by running a log analytics query on the resource specific tables such as AZFWNetworkRuleAggregation, AZFWApplicationRuleAggregation, and AZFWNatRuleAggregation.

Hope this helps! Please let me know if you have any additional questions. Thank you!

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Answer 3

Wrillrous 0

To get Azure Firewall network rule logs with SentBytes and ReceivedBytes details for each packet, you can use the following KQL query in Azure Log Analytics:

AzureDiagnostics

| where ResourceType == "AZUREFIREWALLS" and Category == "AzureFirewallNetworkRule"

| project TimeGenerated, SourceIP, DestinationIP, Protocol, Action, SentBytes, ReceivedBytes

Shramik Ghadigaonkar 0 Reputation points

2024-11-05T12:02:57.5366667+00:00

This query is also not working. Please find the error "'project' operator: Failed to resolve scalar expression named 'Action' Request id: 51a47a32-d84c-4099-b1ac-000ae102e4c3"

Answer 4

Sedat SALMAN 14,285 MVP Volunteer Moderator

assuming you already configured Azure Firewall

sending logs to Log Analytics Workspace

the following may help to you

AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS" and Category == "AzureFirewallNetworkRule"
| summarize TotalSentBytes = sum(SentBytes), TotalReceivedBytes = sum(ReceivedBytes) by SourceIP
| order by TotalSentBytes desc

Shramik Ghadigaonkar 0 Reputation points

2024-11-05T11:59:44.89+00:00

Hey Salman,

Thank you for your response but I did try this and get below error

"summarize' operator: Failed to resolve scalar expression named 'SentBytes' Request id: 102eea65-8d7a-4999-b841-d13963031f65"

Share via

Need to find Top talkers from Azure Firewall network Logs

4 answers

Your answer