Try Azure Firewall’s new structured firewall logs (resource specific)

This article is a translation of https://qiita.com/aktsmm/items/c3486b17c0482f7da411


Hello, this is Yamapan.
I have been experimenting with the new structured firewall logs (resource specific) in Azure Firewall.
At the time of writing, this is a preview feature.

What's nice about it

The conventional Azure Firewall logs (Azure Diagnostics) had to be formatted with a Kusto query (a parse step) to make them readable. Here's my article on that!

https://qiita.com/aktsmm/items/380eab220bd892581a19

The structured logs we use this time, on the other hand, are log data generated by Azure Firewall in a fixed schema. There is not much difference in the data you can obtain compared to the conventional firewall logs (Azure Diagnostics), but the fixed schema makes it easier to analyze and visualize the data, find security incidents, and understand traffic trends.

Configuring Diagnostics.

The docs are here. You can basically configure it as described there, but it took longer for the settings to take effect than with the conventional firewall logs (Azure Diagnostics). (In my environment it took about half a day before the settings took effect and the logs could be viewed in the Log Analytics workspace.)

https://learn.microsoft.com/en-us/azure/firewall/firewall-preview#structured-firewall-logs-preview

Enable in Azure PowerShell

This is a preview-only procedure and will not be necessary after GA (general availability).

# Sign in and select the subscription that holds the firewall
Connect-AzAccount
Select-AzSubscription -Subscription "subscription_id or subscription_name"
# Opt the subscription in to the structured logs preview feature
Register-AzProviderFeature -FeatureName AFWEnableStructuredLogs -ProviderNamespace Microsoft.Network
# Re-register the provider so the feature flag is picked up
Register-AzResourceProvider -ProviderNamespace Microsoft.Network


In my environment, the state did not become Registered after running the command once (it came back as Registering), so if it is not yet Registered, you need to run the Register-AzProviderFeature command again until it is.

Configure Azure Firewall diagnostic settings

This time, we configured as follows.
The key point is that the target table is Resource Specific, not Azure Diagnostics.

If you have old diagnostic settings, try deleting them and re-creating them.
In my environment, I had an old diagnostic configuration (Azure Diagnostics) that I had already created, and I tried to edit it and change the target table to Resource Specific, but for some reason it did not work. I deleted the diagnostic configuration and re-created it with resource-specific diagnostic configuration and it worked.

Using structured firewall logs (resource-specific)

With the previous firewall logs (Azure Diagnostics), I had to parse the firewall logs, but with these structured firewall logs I think that is no longer necessary.
SourceIP, DestinationIP, and Action are standard columns, so at least for this information you don't need to parse anything to make it easy to read.
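As an added example (not from the original post), here is a query that uses those standard columns directly, without any parse step, to surface sources whose traffic the firewall keeps denying. The column names used (SourceIp, DestinationIp, DestinationPort, Action, TimeGenerated) are assumed to follow the documented AZFWNetworkRule schema; check them against the table reference linked at the end of this article.

```kusto
// Denied network-rule hits over the last 24 hours, summarized per source.
// Column names are assumed from the documented AZFWNetworkRule schema.
AZFWNetworkRule
| where TimeGenerated > ago(24h)
| where Action == "Deny"
| summarize
    DeniedCount = count(),
    DistinctDestinations = dcount(DestinationIp),
    DistinctPorts = dcount(DestinationPort),
    SamplePorts = make_set(DestinationPort, 10),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by SourceIp
// A source denied on many distinct ports or destinations is worth a closer look
// (a misconfigured client, or scanning behaviour you want to investigate).
| where DistinctPorts >= 20 or DistinctDestinations >= 20 or DeniedCount >= 100
| order by DistinctPorts desc, DeniedCount desc
```

The thresholds are arbitrary starting points; tune them to what is normal for your own environment.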

AzureFirewallNetworkRuleLog / AZFWNetworkRule table

Kusto query

AZFWNetworkRule

Result sample: (screenshot omitted)

AzureFirewallNATRulelog / AZFWNatRule table

Kusto query

AZFWNatRule


Other tables

The AZFW-prefixed tables, including those listed above, are the following.

  • AZFWApplicationRule
  • AZFWApplicationRuleAggregation
  • AZFWDnsQuery
  • AZFWFatFlow
  • AZFWIdpsSignature
  • AZFWInternalFqdnResolutionFailure
  • AZFWNatRule
  • AZFWNatRuleAggregation
  • AZFWNetworkRule
  • AZFWNetworkRuleAggregation
  • AZFWThreatIntel

For more information, see the description of each table at the link below, and please give it a try!
https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azfwapplicationrule
