We all know that Microsoft's recommended approach for analyzing Azure Firewall logs is to set up a Log Analytics Workspace to collect all the data and use Kusto Query Language (KQL) queries to check the results.
Azure-Firewall-mon focuses more on providing a tool that can answer the simple question "what is happening right now?" in an alternative and practical way. The idea is to provide an approach similar to Sysinternals Process Monitor or Check Point's SmartView/SmartLog, where you don't need to implement KQL queries or dashboards first to get it working. All events are available as a log-stream.
The real strength of the tool is the search field available in the top toolbar. To search for an event, simply start typing and the log flow will be automatically filtered according to those parameters.
The timestamp field displays the event date in UTC or local format. You can filter the view for the last few minutes or for a specific time range.
Within this tool, only events from the last 24 hours will appear because this is the duration set on the Event Hub Namespace. A longer duration would slow down the tool and not help answer the question "what is happening right now?" that az-firewall-mon aims to address.
As an alternative to full-text search, you can use the chatGPT mode: in the top search field, you can enter a request in natural language, and the system will filter the content accordingly.
Some examples of queries are as follows:
- "Show me events from the last 15 minutes"
- "Search project alpha"
- "Filter rows with category containing "NetworkRule""
- "Filter events between 12:00 and 13:00"
- "Filter for target containing 192.168.1.1"
- "Include only logs with protocol TCP"
- "Show me only the deny actions"
- "More information on source 192.168.1.1"
Azure-Firewall-mon is an open-source Single Page Application written in Angular with an Azure Functions backend written in C# .NET.
Here's the current architecture:
To use this app with YOUR FIREWALL data, you have 2 options:
- Use the Azure Firewall mon sample deployment available at https://az-firewall-mon.duckiesfarm.com
- Deploy Azure Firewall mon in your environment
The recommended option is number 2, as this way you can be 100% sure your logs are not going outside your environment. I suggest using the public deployment only for testing purposes.
https://az-firewall-mon.duckiesfarm.com uses resources from my subscription (Azure Maps API, Azure OpenAI, Azure Static Web App Standard). These resources have a cost, so I am limiting their usage as much as possible. As a result, the tool may be quite slow. In your own deployment, you can dedicate more resources and achieve better performance.
To use this version with your data, you must perform the following steps on your Azure Subscription:
-
Create an Azure Event Hub Namespace
-
Create an Azure Event Hub inside the namespace, with a
1-day retentionand1 partition -
Create a Shared Access Policy, with Listen claim
-
Open the Azure Firewall instance you want to monitor, go to Monitoring > Diagnostic Settings > Add Diagnostic Settings:
- Select all logs and "Stream to Event Hub"
- Select the Event Hub Namespace and Hub created above
- click
SAVE
If you are a lazy engineer, like me, you can perform all these steps by clicking the following button 😊
Open the Azure Firewall instance you want to monitor from the Azure portal, go to Monitoring > Diagnostic Settings > Add Diagnostic Settings:
- Select all logs and "Stream to Event Hub"
- Select the Event Hub Namespace and Hub created above
- Click SAVE
Now, open https://az-firewall-mon.duckiesfarm.com/ and do the following:
- Copy the connection string of the Shared Access Policy created above into the
Event Hub Connection Stringfield - Copy the corresponding
Event Hub Consumer Groupname - Click on
Let's begin.
To install az-firewall-mon in your environment, follow this guide. Once the instance is ready and working, you can go back and follow the instructions in the Use az-firewall-mon sample deployment section. Just replace the URL with the one from your deployment.
Azure Firewall (AF) is a cloud-native and intelligent network firewall security service that provides best-of-breed threat protection for your cloud workloads running in Azure. It's a fully stateful, firewall-as-a-service with built-in high availability and unrestricted cloud scalability. It provides both east-west and north-south traffic inspection.
Azure Monitor helps you maximize the availability and performance of your applications and services. It delivers a comprehensive solution for collecting, analyzing, and acting on telemetry from your cloud and on-premises environments.
Azure Firewall is integrated with Azure Monitor. This means you can forward Azure Firewall metrics and logs to:
- Log Analytics Workspace
- Azure Storage
- Event Hub
A Log Analytics workspace is a unique environment for log data from Azure Monitor and other Azure services. Each workspace has its own data repository and configuration but might combine data from multiple services.
Be mindful that the ingestion of logs into a Log Analytics workspace has some latency, so you may see a delay before logs are displayed.
Latency refers to the time between when data is created on the monitored system and when it becomes available for analysis in Azure Monitor.
The Kusto Query Language (KQL) is a tool to explore your data in a Log Analytics Workspace. The query uses schema entities that are organized in a hierarchy similar to SQL's: databases, tables, and columns.
Check Point's SmartView web log access
SysInternals process monitor
- 90342-security.json lottie animation by Kawsar Mahmud
- lf20_giodppcr.json lottie animation by hdev coder
- rubik.json lottie animation by Ision Industries
- Logo built with the new Bing
