Azure Firewall Test

Azure Firewall is a cloud-native and intelligent network firewall security service that provides best-of-breed threat protection for your cloud workloads running in Azure.

The continued availability and good health of the firewall service is essential to protect the applications running on the Azure cloud from malicious attacks. Also, to keep suspicious traffic out, administrators need to know what traffic should be allowed and what should be blocked, and configure the firewall rules accordingly. The Azure Firewall test helps administrators address both these security requirements!

This test monitors each Azure firewall that is configured for the target subscription and reports the status of that firewall from time to time. Administrators are alerted if a firewall slides into a degraded/unhealthy state. Alerts are also sent out if the firewall's ability to differentiate between malicious and non-malicious traffic is compromised. The test also periodically scans the Azure Firewall logs for application, network, and NAT rule hits, and instantly notifies administrators if network traffic matches any of the configured rules. Detailed diagnostics reveal the complete details of the matching rules, so administrators can review the rules for correctness and effectiveness. From the firewall logs, the test also reads which IP addresses were denied access and which were allowed, thereby turning the spotlight on traffic that is 'suspect' and therefore warrants further investigation. These analytics also help administrators determine whether or not only the 'right' traffic was allowed access. Changes, if required, can be made to the firewall rules based on these findings.

Note:

Typically, to consolidate log entries, correlate log data, and perform complex analysis, the Firewall logs are sent to one or more Log Analytics Workspaces. This test reports valid metrics on firewall rule hits by reading data from these Log Analytics Workspaces only. If the firewall logs are not sent to any Log Analytics Workspace, then this test will only report the value 0 for most of its measures. To avoid this, before configuring this test, make sure that the firewall logs are configured to be sent to at least one Log Analytics Workspace. Follow the steps discussed in Configuring the Activity Log to be Sent to a Log Analytics Workspace to achieve this.

Target of the Test: A Microsoft Azure Subscription

Agent deploying the test: A remote agent

Output of the test: One set of results for each Azure firewall configured for each resource group in the target Azure subscription

Configurable parameters for the test
Parameters Description

Test Period

How often the test should be executed.

Host

The host for which the test is to be configured.

Subscription ID

Specify the GUID which uniquely identifies the Microsoft Azure Subscription to be monitored. To know the ID that maps to the target subscription, do the following:

  1. Login to the Microsoft Azure Portal.

  2. When the portal opens, click on the Subscriptions option (as indicated by Figure 1).

    Figure 1 : Clicking on the Subscriptions option

  3. Figure 2 that appears next will list all the subscriptions that have been configured for the target Azure AD tenant. Locate the subscription that is being monitored in the list, and check the value displayed for that subscription in the Subscription ID column.

    Figure 2 : Determining the Subscription ID

  4. Copy the Subscription ID in Figure 2 to the text box corresponding to the SUBSCRIPTION ID parameter in the test configuration page.

Tenant ID

Specify the Directory ID of the Azure AD tenant to which the target subscription belongs. To know how to determine the Directory ID, refer to Configuring the eG Agent to Monitor a Microsoft Azure Subscription Using Azure ARM REST API.

Client ID, Client Password, and Confirm Password

To connect to the target subscription, the eG agent requires an Access token in the form of an Application ID and the client secret value. For this purpose, you should register a new application with the Azure AD tenant. To know how to create such an application and determine its Application ID and client secret, refer to Configuring the eG Agent to Monitor a Microsoft Azure Subscription Using Azure ARM REST API. Specify the Application ID of the created Application in the Client ID text box and the client secret value in the Client Password text box. Confirm the Client Password by retyping it in the Confirm Password text box.

Proxy Host and Proxy Port

In some environments, all communication with the Azure cloud may be routed through a proxy server. In such environments, you should make sure that the eG agent connects to the cloud via the proxy server and collects metrics. To enable metrics collection via a proxy, specify the IP address of the proxy server and the port at which the server listens against the Proxy Host and Proxy Port parameters. By default, these parameters are set to none, indicating that the eG agent is not configured to communicate via a proxy.

Proxy Username, Proxy Password and Confirm Password

If the proxy server requires authentication, then, specify a valid proxy user name and password in the Proxy Username and Proxy Password parameters, respectively. Then, confirm the password by retyping it in the Confirm Password text box.

Log Analytics Workspace Name

Typically, to consolidate log entries, correlate log data, and perform complex analysis, Firewall logs are sent to one or more Log Analytics Workspaces.

By default, the Log Analytics Workspace Name parameter is set to All. This indicates that the test reads log data from all Log Analytics Workspaces configured for the target subscription, by default. However, if you want the test to use only those Log Analytics Workspaces to which the Firewall logs are sent, then provide the names of these workspaces here as a comma-separated list. To determine the names of the workspaces, do the following:

  1. Login to the Microsoft Azure Portal, open your firewall resource group, and select the firewall that you are monitoring.

  2. Under Monitoring, select Diagnostic settings.

  3. The diagnostic settings that pre-exist for the chosen firewall will then appear. If any of the existing diagnostic settings have already been configured with Log Analytics Workspaces, then the Log Analytics workspace column of that list will display these workspace names. You can configure the LOG ANALYTICS WORKSPACE NAME parameter of this test with any of these workspace names. If required, you can even configure this parameter with two or more of the workspaces displayed here, as a comma-separated list.

  4. However, if the Log Analytics workspace column is blank for all the existing diagnostic settings, it is a clear indication that the Firewall logs are yet to be configured to be sent to any Log Analytics Workspace. In this case, therefore, you should create a new diagnostic setting for the target Azure Firewall, where a Log Analytics Workspace is configured as the destination for the firewall logs. To achieve this, follow the procedure detailed in Configuring the Firewall Logs to be Sent to a Log Analytics Workspace.

Show Category DD

By default, this parameter is set to False. This means that detailed diagnostics will not be available, by default, for the Unique categories measure reported by this test. If you want to enable detailed reporting for this measure, then set this parameter to True. Once this is done, then you will be able to view the number of rule hits per category as part of the detailed analytics of the Unique categories measure.

Show Operation DD

By default, this parameter is set to False. This means that detailed diagnostics will not be available, by default, for the Unique operations measure reported by this test. If you want to enable detailed reporting for this measure, then set this parameter to True. Once this is done, then you will be able to view the number of rule hits per operation as part of the detailed analytics of the Unique operations measure.

Show Protocol DD

By default, this parameter is set to False. This means that detailed diagnostics will not be available, by default, for the Unique protocols measure reported by this test. If you want to enable detailed reporting for this measure, then set this parameter to True. Once this is done, then you will be able to view the number of rule hits per protocol as part of the detailed analytics of the Unique protocols measure.

Show SourceIP DD

By default, this parameter is set to False. This means that detailed diagnostics will not be available, by default, for the Unique source IPs measure reported by this test. If you want to enable detailed reporting for this measure, then set this parameter to True. Once this is done, then you will be able to view the number of rule hits per source IP address as part of the detailed analytics of the Unique source IPs measure.

Show TargetIP DD

By default, this parameter is set to False. This means that detailed diagnostics will not be available, by default, for the Unique target IPs measure reported by this test. If you want to enable detailed reporting for this measure, then set this parameter to True. Once this is done, then you will be able to view the number of rule hits per destination IP address as part of the detailed analytics of the Unique target IPs measure.

Show AllowedIP DD

By default, this parameter is set to False. This means that detailed diagnostics will not be available, by default, for the Unique allowed target IPs measure reported by this test. If you want to enable detailed reporting for this measure, then set this parameter to True. Once this is done, then you will be able to view the number of rule hits for every target IP to which traffic was allowed, as part of the detailed analytics of the Unique allowed target IPs measure.

Show DeniedIP DD

By default, this parameter is set to False. This means that detailed diagnostics will not be available, by default, for the Unique denied target IPs measure reported by this test. If you want to enable detailed reporting for this measure, then set this parameter to True. Once this is done, then you will be able to view the number of rule hits for every target IP to which traffic was blocked, as part of the detailed analytics of the Unique denied target IPs measure.

Show Action DD

By default, this parameter is set to False. This means that detailed diagnostics will not be available, by default, for the Unique actions measure reported by this test. If you want to enable detailed reporting for this measure, then set this parameter to True. Once this is done, then you will be able to view the number of rule hits for every action (Allow, Deny) taken, as part of the detailed analytics of the Unique actions measure.

Show RuleColl DD

By default, this parameter is set to False. This means that detailed diagnostics will not be available, by default, for the Unique rule collections measure reported by this test. If you want to enable detailed reporting for this measure, then set this parameter to True. Once this is done, then you will be able to view the number of rule hits for every rule collection configured, as part of the detailed analytics of the Unique rule collections measure.

Show ApplicationRule DD

By default, this parameter is set to False. This means that detailed diagnostics will not be available, by default, for the Unique application rules measure reported by this test. If you want to enable detailed reporting for this measure, then set this parameter to True. Once this is done, then you will be able to view the number of times each unique application rule found a match, as part of the detailed analytics of the Unique application rules measure.

Show NetworkRule DD

By default, this parameter is set to False. This means that detailed diagnostics will not be available, by default, for the Unique network rules measure reported by this test. If you want to enable detailed reporting for this measure, then set this parameter to True. Once this is done, then you will be able to view the number of times each unique network rule found a match, as part of the detailed analytics of the Unique network rules measure.

Show Rules DD

By default, this parameter is set to False. This means that detailed diagnostics will not be available, by default, for the Unique rules measure reported by this test. If you want to enable detailed reporting for this measure, then set this parameter to True. Once this is done, then you will be able to view the number of times each unique rule found a match, as part of the detailed analytics of the Unique rules measure.

Detailed Diagnosis

To make diagnosis more efficient and accurate, eG Enterprise embeds an optional detailed diagnostic capability. With this capability, the eG agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular server, choose the On option. To disable the capability, click on the Off option.

The option to selectively enable/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled:

  • The eG manager license should allow the detailed diagnosis capability
  • Both the normal and abnormal frequencies configured for the detailed diagnosis measures should not be 0.
Measures made by the test:
Measurement Description Measurement Unit Interpretation

Provisioning status

Indicates the current provisioning state of this firewall.


The values reported by this measure and its numeric equivalents are mentioned in the table below:

Measure Value    Numeric Value
Failed           1
Updating         2
Deleting         3
Succeeded        4

Note:

By default, this measure reports the Measure Values listed in the table above to indicate the provisioning status of a firewall. In the graph of this measure however, the same is represented using the numeric equivalents only.

Use the detailed diagnosis of this measure to know the location of the firewall, and the zones and tags associated with it.

Threat intelligence mode

Indicates whether/not threat intelligence filtering is enabled for this firewall.


Threat intelligence-based filtering can be enabled for your firewall to alert and deny traffic from/to known malicious IP addresses and domains.

The values reported by this measure and its numeric equivalents are mentioned in the table below:

Measure Value    Numeric Value
Off              1
Deny             2
Alert            3

In the 'Alert' mode, an alert is logged when a rule is triggered. In the 'Deny' mode, the traffic is denied.

Note:

By default, this measure reports the Measure Values listed in the table above to indicate the threat intelligence mode set for a firewall. In the graph of this measure however, the same is represented using the numeric equivalents only.

Total IPs configured

Indicates the number of public IP addresses configured for this firewall.

Number

Use the detailed diagnosis of this measure to know the public IP addresses configured, the private IP address that maps to each, the allocation mode, SKU name, tier, version, and how long each IP address has been idle.

Application rules

Indicates the number of application rules that have been configured for this firewall.

Number

With Azure Firewall, you can configure application rules that define fully qualified domain names (FQDNs) that can be accessed from a subnet.

The detailed diagnosis of this measure, if enabled, provides the complete details of the configured application rules.

Network rules

Indicates the number of network rules that have been configured for this firewall.

Number

Network rules define source address, protocol, destination port, and destination address.

The detailed diagnosis of this measure, if enabled, provides the complete details of the configured network rules.

NAT rules

Indicates the number of NAT rules that have been configured for this firewall.

Number

A NAT rule is a routing rule, directing traffic from a public IP address to a private IP address.

The detailed diagnosis of this measure, if enabled, provides the complete details of the configured NAT rules.

Firewall health status

Indicates the current health of this firewall based on SNAT port availability.

Percent

If the SNAT port usage is greater than 95%, then the value of this measure will be 50%. This represents a Degraded state. In this state, the firewall keeps processing traffic and existing connections are not affected. However, new connections may not be established intermittently.

If SNAT port usage is less than 95%, then the value of this measure will be 100%. This means that the firewall is in a Healthy state.

If no SNAT ports are used, then the value of this measure will be 0%.

Data processed

Indicates the total amount of data traversing this firewall.

MB


Throughput

Indicates the rate at which data was traversing this firewall.

MB/Sec


NAT utilization

Indicates the percentage of SNAT ports utilized by this firewall.

Percent

If the value of this measure is greater than 95%, then the value of the Firewall health status measure will be 50%. This indicates that the firewall is in a Degraded state.

If the value of this measure is less than 95%, then the value of the Firewall health status measure will be 100%. This indicates that the firewall is in a Healthy state.

Unique categories

Indicates the total number of rule hits across all unique categories of traffic traversing this firewall.

Number

Use the detailed diagnosis of this measure to know the number of rule hits per unique category.

Unique operations

Indicates the total number of rule hits across all unique operations performed by traffic traversing this firewall.

Number

Use the detailed diagnosis of this measure to know the number of rule hits per unique operation.

Unique protocols

Indicates the total number of rule hits across all unique traffic protocols traversing this firewall.

Number

Use the detailed diagnosis of this measure to know the number of rule hits per protocol.

Unique source IPs

Indicates the total number of rule hits across all unique sources from which this firewall received traffic.

Number

Use the detailed diagnosis of this measure to know the number of rule hits per unique source IP address.

Unique target IPs

Indicates the total number of rule hits across all unique destinations to which this firewall sent traffic.

Number

Use the detailed diagnosis of this measure to know the number of rule hits per unique target IP address.

Unique allowed target IPs

Indicates the total number of rule hits across all IP addresses to which traffic was allowed by this firewall.

Number

Use the detailed diagnosis of this measure to know the number of rule hits per target IP address to which traffic was allowed.

Unique denied target IPs

Indicates the total number of rule hits across all IP addresses to which traffic was denied by this firewall.

Number

Use the detailed diagnosis of this measure to know the number of rule hits per target IP address to which traffic was denied.

Unique actions

Indicates the total number of rule hits across all unique actions configured for this firewall.

Number

Use the detailed diagnosis of this measure to know the number of rule hits per action.

Unique rule collections

Indicates the total number of rule hits across all unique rule collections configured for this firewall.

Number

Use the detailed diagnosis of this measure to know the number of rule hits per rule collection.

Unique application rules

Indicates the total number of rule hits across all unique application rules configured for this firewall.

Number

Use the detailed diagnosis of this measure to know the number of rule hits per unique application rule.

Unique network rules

Indicates the total number of rule hits across all unique network rules configured for this firewall.

Number

Use the detailed diagnosis of this measure to know the number of rule hits per unique network rule.

Unique rules

Indicates the total number of rule hits across all unique rules configured for this firewall.

Number

Use the detailed diagnosis of this measure to know the number of rule hits per unique rule.
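The per-dimension rule-hit counts that the Unique * measures above report, and that the Show * DD parameters break down per category, protocol, source IP, target IP, action, rule collection and rule, can be reproduced from the firewall's rule-log messages. The following is an added Python example, not eG Enterprise code: it assumes the message shape of Azure's legacy AzureDiagnostics msg_s field for network and application rule hits (an assumption about the log schema, not something this page states), parses constructed sample entries, and aggregates them the way the measures do; NAT rule messages use a different shape and are reported as unparsed so that lost visibility is visible rather than silently counted as zero.

```python
import re
from collections import Counter

# Constructed (Category, msg_s) pairs shaped like legacy AzureDiagnostics rule
# logs; addresses are RFC 1918/5737 test ranges, not real captured records.
SAMPLE_LOGS = [
    ("AzureFirewallNetworkRule",
     "TCP request from 10.0.1.4:52292 to 203.0.113.10:22. Action: Deny"),
    ("AzureFirewallNetworkRule",
     "TCP request from 10.0.1.4:52300 to 203.0.113.10:22. Action: Deny"),
    ("AzureFirewallNetworkRule",
     "UDP request from 10.0.2.7:5353 to 198.51.100.53:53. Action: Allow. "
     "Rule Collection: dns-out. Rule: allow-dns"),
    ("AzureFirewallApplicationRule",
     "HTTPS request from 10.0.1.4:55818 to update.example.com:443. "
     "Action: Allow. Rule Collection: web-out. Rule: allow-updates"),
    ("AzureFirewallApplicationRule",
     "HTTP request from 10.0.3.9:44122 to bad.example.net:80. Action: Deny. "
     "No rule matched. Proceeding with default action"),
    # NAT messages have a different shape; the parser reports them as
    # unparsed instead of silently dropping them.
    ("AzureFirewallNatRule",
     "TCP request from 192.0.2.25:41000 to 198.51.100.7:3389 was DNAT'ed "
     "to 10.0.4.5:3389"),
]

# IPv4 source, IPv4-or-FQDN target; the rule suffix is optional because a
# default-action Deny names no matched rule collection or rule.
MSG_RE = re.compile(
    r"^(?P<protocol>\S+) request from (?P<source_ip>[^:\s]+):\d+ "
    r"to (?P<target>[^:\s]+):\d+\. Action: (?P<action>Allow|Deny)"
    r"(?:\. Rule Collection: (?P<rule_collection>[^.]+)\. Rule: (?P<rule>[^.]+))?"
)

def parse_hit(category, msg):
    """One rule hit as a dict, or None when the message shape is not recognised."""
    m = MSG_RE.match(msg)
    return dict(m.groupdict(), category=category) if m else None

def summarize(entries):
    """Aggregate rule hits per dimension, mirroring the Unique * measures and their DD."""
    hits = [h for h in (parse_hit(c, m) for c, m in entries) if h]

    def count(key, pred=lambda h: True):
        return Counter(h[key] for h in hits if pred(h) and h[key] is not None)

    return {
        "rule_hits": len(hits),
        "unparsed": len(entries) - len(hits),   # non-zero means lost visibility
        "per_category": count("category"),
        "per_protocol": count("protocol"),
        "per_source_ip": count("source_ip"),
        "per_target": count("target"),
        "allowed_targets": count("target", lambda h: h["action"] == "Allow"),
        "denied_targets": count("target", lambda h: h["action"] == "Deny"),
        "per_action": count("action"),
        "per_rule_collection": count("rule_collection"),
        "per_rule": count("rule"),
    }
```

Running summarize(SAMPLE_LOGS) on the constructed entries yields 5 parsed hits and 1 unparsed NAT entry; a non-zero unparsed count in production is the first thing to check when the measures report 0.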