Azure Firewall Rules Hit Count - Top Hitters

Ajaz Nawaz 21 Reputation points
2022-05-06T07:41:03.75+00:00

We have AZFW deployed with Standard subscription.

I am evaluating if there is any way to identify unused rules and 'top-hitters', so we can optimise the FW.

I checked under Metrics and see Summary view only. I am unable to drill down further; that could be based on the Standard subscription.

Any help would be appreciated and any other tips for optimising Azure firewall.

Thanks in advance!

Azure Virtual Network

2 answers

  1. ChaitanyaNaykodi-MSFT 24,666 Reputation points Microsoft Employee
    2022-05-10T03:12:21.45+00:00

    Hello @Ajaz Nawaz, hope you are well!
    As I understood from the question above, you want to identify the unused rules for your firewall and the rules which are used the most. You have also checked out the Metrics section for Application rules hit count, Network rules hit count etc. and now you wish to perform a much deeper investigation.

    You can check out Azure Diagnostic Logging via a Log Analytics workspace for Azure Firewall. Diagnostic Logging supports Application rule log, Network rule log etc. Using application rule logs, you can determine which particular Application Rule either allowed or denied any particular request; this might help you optimize your application rules. Currently this feature is not supported for Network logs though; you can go through this thread for additional details. You can also explore additional Kusto queries in getting the desired data.

    You can also use Azure Firewall workbook which provides a flexible canvas for Azure Firewall data analysis. You can use it to create rich visual reports within the Azure portal. You can gain insights into Azure Firewall events, learn about your application and network rules, and see statistics for firewall activities across URLs, ports, and addresses. Please go through this documentation for additional details.

    Hope this helps! Please let me know if you have any additional questions.

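One way to turn the application rule log described in the answer above into per-rule hit counts, as an added example that is not part of the original thread. It assumes the firewall's diagnostic logs land in the `AzureDiagnostics` table of a Log Analytics workspace and that `msg_s` has the layout shown in the comment; `ConfiguredRules` is a constructed inventory with made-up names, to be replaced with the rules exported from your own firewall.

```kusto
// Added example: hit count per application rule, with unused rules shown as 0 hits.
let lookback = 30d;
// Constructed inventory of configured rules (hypothetical names).
// The logs only contain rules that matched traffic, so unused rules can
// only be found by comparing against a list like this one.
let ConfiguredRules = datatable(RuleCollection:string, Rule:string) [
    "collection1000", "rule1002",
    "collection1000", "rule1003",
    "collection2000", "rule2001"
];
let RuleHits = AzureDiagnostics
    | where TimeGenerated > ago(lookback)
    | where Category == "AzureFirewallApplicationRule"
    // Assumed msg_s layout:
    //   "HTTPS request from 10.1.0.5:55640 to example.com:443.
    //    Action: Allow. Rule Collection: collection1000. Rule: rule1002"
    | parse msg_s with * ". Action: " Action ". Rule Collection: " RuleCollection ". Rule: " Rule
    // Messages without a rule name (for example default-deny entries) do not
    // match the pattern and leave Rule empty; drop them.
    | where isnotempty(Rule)
    | summarize Hits = count(),
                Denied = countif(Action startswith "Deny"),
                LastHit = max(TimeGenerated)
             by RuleCollection, Rule;
ConfiguredRules
| join kind=leftouter RuleHits on RuleCollection, Rule
| extend Hits = coalesce(Hits, 0), Denied = coalesce(Denied, 0)
| project RuleCollection, Rule, Hits, Denied, LastHit
| order by Hits desc, RuleCollection asc, Rule asc
```

Rows at the top of the result are the top hitters; rows with `Hits == 0` are configured rules that matched nothing in the lookback window, so pick a window long enough to cover infrequent jobs before treating a rule as unused.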

  2. Jim M 146 Reputation points
    2023-08-08T07:46:41.6833333+00:00

    Would it be possible to have an example of actual Kusto code to list the top 20 network rules by name and hit count?