Home NewsX Monitoring traffic flows in Azure Firewall using Virtual Network Flow Logs

Monitoring traffic flows in Azure Firewall using Virtual Network Flow Logs

by info.odysseyx@gmail.com
0 comment 11 views


Azure Firewall is a managed service designed to protect your Azure Virtual Network resources, providing advanced threat protection and advanced logs and metrics, essential tools for monitoring and managing network security. By leveraging both logs and metrics, you can ensure the overall health and effectiveness of your firewall, maintain an audit trail of configuration changes, and comply with security and audit requirements.

In this blog post, we will show you another approach to improving your monitoring experience for Azure Firewall by using: Virtual network flow logs and Traffic Analysis. This combination provides a comprehensive view of traffic flows within your network, providing deep insights for analysis and investigation, helping you identify traffic anomalies that may indicate security issues, and identifying which applications are using Azure Firewall the most.

What are Virtual Network Flow Logs and Traffic Analysis?

Virtual Network Flow Logs and Traffic Analytics are both features of Azure Network Watcher that collect information about network traffic and enrich raw flow logs to provide insights into network traffic patterns, including source and destination IP addresses, ports, protocols, and traffic volume. To learn more about both features, see: Product Description.

Improved Azure Firewall monitoring

Azure Firewall has powerful A structured set of logs Provides detailed insight into the traffic and operations of your firewall. These logs include information on application rules, network rules, IDPS, and threat intelligence, allowing you to monitor and analyze the performance and security status of your firewall.

For deeper insights, enabling virtual network flow logs at the subnet level on Azure Firewall provides a comprehensive view of all traffic traversing Azure Firewall. This enhanced visibility helps you identify top talkers, detect unwanted traffic, and uncover potential security issues that may require further investigation and mitigation. By leveraging these insights, you can ensure a more secure and efficient network environment.

Follow the steps below to learn how to enable virtual network flow logs.

  1. Go to Network Watcher > Flow Logs (under Logs) and create a new flow log using the “Virtual Network” type.
  2. Select “AzureFirewallSubnet” as the target resource and fill in the remaining required fields such as location, storage account, retention days, etc.
  3. Don’t forget to enable Traffic Analysis in the Analysis tab, select the Log Analysis workspace, and define the processing interval (every hour or every 10 minutes). memo: In most scenarios, 1 hour is recommended, as 10 minutes of processing has a significant impact on cost.

When a new flow log is created, its configuration is as follows:

Gusmodena_0-1725035861166.png

Now give some time for Virtual Network Flow Log to collect traffic from AzureFirewallSubnet and for Traffic Analytics to process the collected data. Once you have data in the “NTANetAnalytics” table, it’s time to use KQL to learn more about the traffic passing through Azure Firewall. You can use the KQL query below as an example.

NTANetAnalytics
| where TimeGenerated > ago(8h)
| extend TotalBytes = BytesDestToSrc + BytesSrcToDest
| project TimeGenerated, SubType, FlowType, SrcVm,SrcIp, DestVm,DestIp, DestPublicIps, DestPort, BytesDestToSrc, BytesSrcToDest, TotalBytes

Gusmodena_1-1725035975800.png

In the above example, we are looking at the “raw” data, which may not be very helpful if you are trying to identify which workloads are using Azure Firewall the most based on traffic volume. To identify which IP addresses are sending the most data through Azure Firewall, you can use the query below along with a specific time frame that you want to investigate. Here you can also find the logs for the Azure Firewall instance below. Since you have enabled flow logs for the entire AzureFirewallSubnet, you should see logs for data sent from each active instance.

NTANetAnalytics
| where TimeGenerated > ago(8h)
| where SrcIp == "10.10.0.132" or SrcIp == "10.10.0.4" or SrcIp == "10.10.0.5"
| summarize TotalBytes=sum(BytesDestToSrc+BytesSrcToDest) by SrcIp, DestIp
| render columnchart

Gusmodena_2-1725036099477.png

In the dashboard, we can see that IP address 10.10.0.5 is sending about 55 GB to IP 10.10.0.132 and another 55 GB to 10.10.0.4. One thing to consider is that Azure Firewall, like any other NVA, receives data from the source and sends it to the destination, so the numbers you see are roughly double the data transferred between the VMs (27.5 GB to 10.10.0.4 and 27.5 GB to 10.10.0.132). Let’s assume that this could be a data leak or other technical issue caused by a user or application not transferring the expected amount of data. So, using this simple KQL query, we can identify some of the deviations and start a deeper investigation to identify the root cause. Another example where this same KQL query would be useful is if we need to identify workloads that are using Azure Firewall within a certain time period in order to partition the cost of Azure Firewall across multiple LOBs.

In the previous example we used the source IP address (SrcIp), but you could also use the VM name (SrcVm) if it makes it easier to identify the workload running on each virtual machine.

NTANetAnalytics
| where TimeGenerated > ago(3d)
| summarize TotalBytes=sum(BytesDestToSrc + BytesSrcToDest) by SrcVm
| top 10 by TotalBytes
| render columnchart

Gusmodena_3-1725036166083.png

The above query is an example of a KQL query that finds the Top 10 VMs based on total data transferred over the last 3 days. TotalBytes matches the above example where IP 10.10.0.5 transferred 55GB to 10.10.0.4 and 55GB to 10.10.0.132.

Using Network Watcher features: Virtual network flow logs and Traffic Analysis It provides a great experience to monitor all your networks in Azure. The goal of this blog is to show you a different approach to improve monitoring of all traffic passing through Azure Firewall and we have only shown you how to get a deeper view into the traffic using KQL queries. You should also consider exploring all the other views available in: Network Monitor > Traffic AnalysisSomething like the traffic analysis workbook you see in the picture below.

Gusmodena_4-1725036214774.png

conclusion

Monitoring traffic through Azure Firewall using virtual network flow logs and traffic analytics is a game-changer for network security and performance management. These tools provide valuable insight into traffic behavior, allowing you to identify patterns and deviations that may indicate potential security breaches. This capability allows you to proactively address threats before they escalate, ensuring your network remains secure. Virtual network flow logs and traffic analytics also help you pinpoint which workloads are putting the most demands on Azure Firewall. This information is critical to optimizing resource allocation and improving overall network efficiency. Understanding which workloads are most demanding allows you to make informed decisions about scaling and resource management, ultimately leading to a more robust and resilient network infrastructure.

Learn more





Source link

You may also like

Leave a Comment

Our Company

Welcome to OdysseyX, your one-stop destination for the latest news and opportunities across various domains.

Newsletter

Subscribe my Newsletter for new blog posts, tips & new photos. Let's stay updated!

Laest News

@2024 – All Right Reserved. Designed and Developed by OdysseyX