How to Check Azure Firewall Logs?

Monitor Inbound and Outbound Traffic with Azure Firewall Logs:

Azure Firewall is Microsoft's managed, stateful network firewall service for Azure virtual networks; it filters traffic, it does not encrypt it. Its logs record the allow/deny decision for each connection, so once they are sent to a Log Analytics workspace we can monitor both inbound and outbound traffic between on-premises and Azure (and vice versa). Enabling these logs lets you spot suspicious traffic or threats, find out which connections are being blocked, and troubleshoot firewall network errors and issues.

Azure Firewall Logs Query Examples:

The following Kusto (KQL) queries monitor firewall inbound and outbound traffic. They read the legacy AzureDiagnostics table (Category "AzureFirewallNetworkRule"), where each network-rule decision is a single text field, msg_s, of the form "TCP request from 10.1.0.4:51253 to 192.168.10.20:445. Action: Deny. No rule matched. Proceeding with default action". Two caveats apply to the parse used below: ICMP entries carry no ports and NAT entries have no "Action:" part, so their parsed columns come back empty, and a deny that fell through to the default action carries a trailing explanation, so Action should be matched with startswith rather than an exact comparison.

Troubleshoot Azure Firewall Traffic Between a Specific Source IP and Destination IP

//Traffic between one source address and one destination address
AzureDiagnostics
| where TimeGenerated > ago(30m)
| where ResourceType == "AZUREFIREWALLS" and Category == "AzureFirewallNetworkRule"
| parse msg_s with Protocol " request from " SourceIP ":" SourcePort " to " DestinationIP ":" DestinationPort ". Action: " Action
| project TimeGenerated, Protocol, SourceIP, SourcePort, DestinationIP, DestinationPort, Action, msg_s
// exact match on both addresses; replace the placeholders with the IPs you are troubleshooting
| where SourceIP == "_add_source_ip_" and DestinationIP == "_add_destination_ip_"

Check Denied Traffic from Azure to On-Premises Through the Firewall

//Denied firewall traffic from Azure to on-premises
AzureDiagnostics
| where TimeGenerated > ago(30m)
| where ResourceType == "AZUREFIREWALLS" and Category == "AzureFirewallNetworkRule"
| parse msg_s with Protocol " request from " SourceIP ":" SourcePort " to " DestinationIP ":" DestinationPort ". Action: " Action
| project TimeGenerated, Protocol, SourceIP, SourcePort, DestinationIP, DestinationPort, Action, msg_s
// replace the placeholders with your Azure VNet and on-premises prefixes, e.g. "10.1.0.0/16" and "192.168.10.0/24";
// filtering on both ends keeps Azure-to-internet denies out of the result
| where ipv4_is_in_range(SourceIP, "azure_vnet_cidr") and ipv4_is_in_range(DestinationIP, "onprem_cidr")
// startswith, because a default-action deny is logged as "Deny. No rule matched. ..." rather than a bare "Deny"
| where Action startswith "Deny"

Check Denied Traffic from On-Premises to Azure Through the Firewall

//Denied firewall traffic from on-premises to Azure
AzureDiagnostics
| where TimeGenerated > ago(30m)
| where ResourceType == "AZUREFIREWALLS" and Category == "AzureFirewallNetworkRule"
| parse msg_s with Protocol " request from " SourceIP ":" SourcePort " to " DestinationIP ":" DestinationPort ". Action: " Action
| project TimeGenerated, Protocol, SourceIP, SourcePort, DestinationIP, DestinationPort, Action, msg_s
// replace the placeholders with your on-premises and Azure VNet prefixes, e.g. "192.168.10.0/24" and "10.1.0.0/16"
| where ipv4_is_in_range(SourceIP, "onprem_cidr") and ipv4_is_in_range(DestinationIP, "azure_vnet_cidr")
// startswith, because a default-action deny is logged as "Deny. No rule matched. ..." rather than a bare "Deny"
| where Action startswith "Deny"

Check Allowed Traffic from Azure to On-Premises Through the Firewall

//Allowed firewall traffic from Azure to on-premises
AzureDiagnostics
| where TimeGenerated > ago(30m)
| where ResourceType == "AZUREFIREWALLS" and Category == "AzureFirewallNetworkRule"
| parse msg_s with Protocol " request from " SourceIP ":" SourcePort " to " DestinationIP ":" DestinationPort ". Action: " Action
| project TimeGenerated, Protocol, SourceIP, SourcePort, DestinationIP, DestinationPort, Action, msg_s
// replace the placeholders with your Azure VNet and on-premises prefixes, e.g. "10.1.0.0/16" and "192.168.10.0/24"
| where ipv4_is_in_range(SourceIP, "azure_vnet_cidr") and ipv4_is_in_range(DestinationIP, "onprem_cidr")
| where Action startswith "Allow"

Check Allowed Traffic from On-Premises to Azure Through the Firewall

//Allowed firewall traffic from on-premises to Azure
AzureDiagnostics
| where TimeGenerated > ago(30m)
| where ResourceType == "AZUREFIREWALLS" and Category == "AzureFirewallNetworkRule"
| parse msg_s with Protocol " request from " SourceIP ":" SourcePort " to " DestinationIP ":" DestinationPort ". Action: " Action
| project TimeGenerated, Protocol, SourceIP, SourcePort, DestinationIP, DestinationPort, Action, msg_s
// replace the placeholders with your on-premises and Azure VNet prefixes, e.g. "192.168.10.0/24" and "10.1.0.0/16"
| where ipv4_is_in_range(SourceIP, "onprem_cidr") and ipv4_is_in_range(DestinationIP, "azure_vnet_cidr")
| where Action startswith "Allow"
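All of the queries above rest on the same string parse of msg_s, and two things trip it up in practice: ICMP entries carry no ports, so the parse yields empty columns, and DNAT entries have no "Action:" part at all. The Python script below is an added example, not code from the original page, that reproduces the parse offline on constructed sample log lines, handles those two cases, and classifies direction by CIDR membership (the equivalent of the ipv4_is_in_range filters) rather than by matching an address string. The sample lines and the two address ranges are assumptions; substitute your own.

```python
"""Parse Azure Firewall network-rule log messages and classify flow direction.

Added example, not code from the original page. The log lines below are
constructed to match the msg_s format of the AzureFirewallNetworkRule
category; the CIDR ranges are assumed values for the Azure and on-prem sides.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Assumed address ranges (replace with your own hub/spoke and on-premises prefixes).
AZURE_CIDR = ipaddress.ip_network("10.1.0.0/16")
ONPREM_CIDR = ipaddress.ip_network("192.168.10.0/24")

# Constructed sample msg_s values. The last one is a DNAT entry with no "Action:" field.
SAMPLE_MSGS: List[str] = [
    "TCP request from 10.1.0.4:51253 to 192.168.10.20:445. Action: Deny. No rule matched. Proceeding with default action",
    "TCP request from 10.1.0.4:51260 to 192.168.10.20:443. Action: Allow",
    "UDP request from 192.168.10.20:55123 to 10.1.0.5:53. Action: Allow",
    "ICMP request from 192.168.10.20 to 10.1.0.4. Action: Deny. No rule matched. Proceeding with default action",
    "TCP request from 10.1.0.4:51299 to 52.178.142.137:443. Action: Allow",
    "TCP request from 203.0.113.9:40001 to 10.1.0.4:3389 was DNAT'ed to 10.1.0.10:3389",
]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# Same shape as the KQL parse in the article, except that the ":port" parts are
# optional so ICMP lines (which have no ports) parse instead of coming back blank.
MSG_RE = re.compile(
    rf"^(?P<protocol>[A-Z]+) request from (?P<src_ip>{IPV4})(?::(?P<src_port>\d+))?"
    rf" to (?P<dst_ip>{IPV4})(?::(?P<dst_port>\d+))?"
    r"\. Action: (?P<action>Allow|Deny)\.?(?P<detail>.*)$"
)


def parse_msg(msg: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the parsed fields, or None when the line is not a rule-decision message."""
    m = MSG_RE.match(msg)
    if not m:
        return None
    fields = m.groupdict()
    # "detail" holds the trailing explanation of a default-action deny, if any.
    fields["detail"] = fields["detail"].strip()
    return fields


def zone(ip: str) -> str:
    """Map an address to 'azure', 'onprem' or 'internet' by CIDR membership."""
    addr = ipaddress.ip_address(ip)
    if addr in AZURE_CIDR:
        return "azure"
    if addr in ONPREM_CIDR:
        return "onprem"
    return "internet"


def classify_direction(src_ip: str, dst_ip: str) -> str:
    """e.g. 'azure_to_onprem'; the CIDR-based replacement for matching an IP string."""
    return f"{zone(src_ip)}_to_{zone(dst_ip)}"


def summarize(msgs: List[str]) -> Counter:
    """Count (direction, action) pairs; lines the parse cannot handle are counted as 'unparsed'."""
    counts: Counter = Counter()
    for msg in msgs:
        p = parse_msg(msg)
        if p is None:
            counts["unparsed"] += 1
            continue
        counts[(classify_direction(p["src_ip"], p["dst_ip"]), p["action"])] += 1
    return counts


def flows(msgs: List[str], direction: str, action: str) -> List[Tuple[str, str, Optional[str]]]:
    """Offline equivalent of the filtered queries: (protocol, dst_ip, dst_port) for matching lines."""
    out = []
    for msg in msgs:
        p = parse_msg(msg)
        if p and p["action"] == action and classify_direction(p["src_ip"], p["dst_ip"]) == direction:
            out.append((p["protocol"], p["dst_ip"], p["dst_port"]))
    return out


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_MSGS).items(), key=str):
        print(key, n)
    print("denied azure->onprem:", flows(SAMPLE_MSGS, "azure_to_onprem", "Deny"))
```

Running it shows the ICMP deny being attributed to the on-premises-to-Azure direction (which the port-mandatory KQL parse would have dropped) and the DNAT line counted as unparsed, which is the row you would otherwise see with empty columns in Log Analytics.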

What diagnostic logs are available for Azure Firewall?

The following log categories can be selected in the firewall's diagnostic settings. The first three (Application Rule, Network Rule and DNS Proxy) are the legacy categories written to the AzureDiagnostics table that the queries above read; the remaining ones are the resource-specific categories, each of which lands in its own table with structured columns instead of a single msg_s field.

  • Azure Firewall Application Rule
  • Azure Firewall Network Rule
  • Azure Firewall DNS Proxy
  • Azure Firewall Network Rule Hit
  • Azure Firewall Application Rule Hit
  • Azure Firewall Nat Rule Hit
  • Azure Firewall ThreatIntel Hit
  • Azure Firewall Idps Signature Hit
  • Azure Firewall Dns query Hit
  • Azure Firewall Fqdn Resolution Failure Hit
  • Azure Firewall Fat Flow Log
  • Azure Firewall Flow Trace Log
  • Azure Firewall Network Rule Aggregation Hit
  • Azure Firewall Application Rule Aggregation Hit
  • Azure Firewall Nat Rule Aggregation Hit