Agents Administration - Tests
 

Configuration of AzrFireWallTest

This test monitors each Azure firewall that is configured for the target subscription and reports the status of that firewall from time to time. Administrators are alerted if a firewall slides into a degraded/unhealthy state. Alerts are also sent out if the firewall's ability to differentiate between malicious and non-malicious traffic is compromised. The test also periodically scans the Azure Firewall logs for application, network, and NAT rule hits, and instantly notifies administrators if network traffic matches any of the configured rules. Detailed diagnostics reveal the complete details of the matching rules, so administrators can review the rules for correctness and effectiveness. From the firewall logs, the test also reads information pertaining to which IP addresses were denied access and which were allowed, thereby turning the spotlight on traffic that is ‘suspect’ and therefore warrants further investigation. These analytics also help administrators determine whether only the ‘right’ traffic was allowed access. Changes, if required, can be made to firewall rules based on these findings.

The default parameters associated with this test are:

  • The TEST PERIOD list box helps the user to decide how often this test needs to be executed.

  • In the HOST text box, specify the HOST for which this test is to be configured.

  • Specify the GUID which uniquely identifies the Microsoft Azure Subscription to be monitored in the SUBSCRIPTION ID text box. To know the ID that maps to the target subscription, click here.

  • Specify the Directory ID of the Azure AD tenant to which the target subscription belongs in the TENANT ID text box. To know how to determine the Directory ID/Tenant ID, click here.

  • The eG agent communicates with the target Microsoft Azure Subscription using Java API calls. To collect the required metrics, the eG agent requires an Access token in the form of an Application ID and the client secret value. Specify the Application ID of the created Application in the CLIENT ID text box. To know how to determine the Application ID, click here. Specify the client secret value in the CLIENT PASSWORD text box. To obtain the client secret value, click here.

  • Confirm the CLIENT PASSWORD by retyping it in the CONFIRM PASSWORD text box.

  • In some environments, all communication with the Azure cloud may be routed through a proxy server. In such environments, you should make sure that the eG agent connects to the cloud via the proxy server and collects metrics. To enable metrics collection via a proxy, specify the IP address of the proxy server and the port at which the server listens against the PROXY HOST and PROXY PORT parameters. By default, these parameters are set to none, indicating that the eG agent is not configured to communicate via a proxy.

  • If the proxy server requires authentication, then, specify a valid proxy user name and password in the PROXY USERNAME and PROXY PASSWORD parameters, respectively. Then, confirm the password by retyping it in the CONFIRM PASSWORD text box.

  • By default, the Log Analytics Workspace Name parameter is set to All. This indicates that the test reads log data from all Log Analytics Workspaces configured for the target subscription, by default. However, if you want the test to use only those Log Analytics Workspaces to which the Azure Firewall logs are sent, then provide the names of these workspaces here as a comma-separated list. To determine the names of the workspaces, click here.

  • By default, Show Category DD flag is set to False. This means that detailed diagnostics will not be available, by default, for the Unique categories measure reported by this test. If you want to enable detailed reporting for this measure, then set this parameter to True. Once this is done, then you will be able to view the number of rule hits per category as part of the detailed analytics of the Unique categories measure.

  • By default, Show Operation DD flag is set to False. This means that detailed diagnostics will not be available, by default, for the Unique operations measure reported by this test. If you want to enable detailed reporting for this measure, then set this parameter to True. Once this is done, then you will be able to view the number of rule hits per operation as part of the detailed analytics of the Unique operations measure.

  • By default, Show Protocol DD flag is set to False. This means that detailed diagnostics will not be available, by default, for the Unique protocols measure reported by this test. If you want to enable detailed reporting for this measure, then set this parameter to True. Once this is done, then you will be able to view the number of rule hits per protocol as part of the detailed analytics of the Unique protocols measure.

  • By default, Show SourceIP DD flag is set to False. This means that detailed diagnostics will not be available, by default, for the Unique source IPs measure reported by this test. If you want to enable detailed reporting for this measure, then set this parameter to True. Once this is done, then you will be able to view the number of rule hits per source IP address as part of the detailed analytics of the Unique source IPs measure.

  • By default, Show TargetIP DD flag is set to False. This means that detailed diagnostics will not be available, by default, for the Unique target IPs measure reported by this test. If you want to enable detailed reporting for this measure, then set this parameter to True. Once this is done, then you will be able to view the number of rule hits per destination IP address as part of the detailed analytics of the Unique target IPs measure.

  • By default, Show AllowedIP DD flag is set to False. This means that detailed diagnostics will not be available, by default, for the Unique allowed target IPs measure reported by this test. If you want to enable detailed reporting for this measure, then set this parameter to True. Once this is done, then you will be able to view the number of rule hits for every target IP to which traffic was allowed, as part of the detailed analytics of the Unique allowed target IPs measure.

  • By default, Show DeniedIP DD flag is set to False. This means that detailed diagnostics will not be available, by default, for the Unique denied target IPs measure reported by this test. If you want to enable detailed reporting for this measure, then set this parameter to True. Once this is done, then you will be able to view the number of rule hits for every target IP to which traffic was blocked, as part of the detailed analytics of the Unique denied target IPs measure.

  • By default, Show Action DD flag is set to False. This means that detailed diagnostics will not be available, by default, for the Unique actions measure reported by this test. If you want to enable detailed reporting for this measure, then set this parameter to True. Once this is done, then you will be able to view the number of rule hits for every action (Allow, Deny) taken, as part of the detailed analytics of the Unique actions measure.

  • By default, Show RuleColl DD flag is set to False. This means that detailed diagnostics will not be available, by default, for the Unique rule collections measure reported by this test. If you want to enable detailed reporting for this measure, then set this parameter to True. Once this is done, then you will be able to view the number of rule hits for every rule collection configured, as part of the detailed analytics of the Unique rule collections measure.

  • By default, Show ApplicationRule DD flag is set to False. This means that detailed diagnostics will not be available, by default, for the Unique application rules measure reported by this test. If you want to enable detailed reporting for this measure, then set this parameter to True. Once this is done, then you will be able to view the number of times each unique application rule found a match, as part of the detailed analytics of the Unique application rules measure.

  • By default, Show NetworkRule DD flag is set to False. This means that detailed diagnostics will not be available, by default, for the Unique network rules measure reported by this test. If you want to enable detailed reporting for this measure, then set this parameter to True. Once this is done, then you will be able to view the number of times each unique network rule found a match, as part of the detailed analytics of the Unique network rules measure.

  • By default, Show Rules DD flag is set to False. This means that detailed diagnostics will not be available, by default, for the Unique rules measure reported by this test. If you want to enable detailed reporting for this measure, then set this parameter to True. Once this is done, then you will be able to view the number of times each unique rule found a match, as part of the detailed analytics of the Unique rules measure.

  • To make diagnosis more efficient and accurate, eG embeds an optional detailed diagnostic capability. With this capability, the eG agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test, by default, for a particular server, choose the On option against DETAILED DIAGNOSIS. To disable the capability, click on the Off option.

    The option to selectively enable/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled:

    • The eG manager license should allow the detailed diagnosis capability.

    • Both the bad and normal frequencies configured for the detailed diagnosis measures should not be 0.

  • If multiple components of the same component type are awaiting configuration, then an APPLY TO OTHER COMPONENTS button will appear in this page. Clicking on this button will allow you to apply the configuration to all/selected components of that type.

  • Once the necessary values have been provided, clicking on the UPDATE button will register the changes made.

When changing the configuration for specific servers, a “*” beside the text box corresponding to the parameter signifies that these values have to be manually configured by the user. The parameter values that require to be configured will typically be prefixed with a “$” or contain a series of “*”. A value of “none” in the parameter value indicates that the corresponding parameter value can be changed if required.
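The example below illustrates the kind of analytics the Unique … measures and their Show … DD flags describe: it parses a handful of firewall rule-hit log records, counts the distinct categories, operations, protocols, source/target IPs, actions, rule collections and rules, and produces the per-item breakdown only for the measures whose DD flag is set to True (all flags default to False, as on this page). This is an added example written for this page, not eG's own code and not the actual output format of the AzrFireWallTest; the sample records are constructed, and the JSON envelope and the free-text "msg" layout ("<proto> request from <src>:<port> to <dst>:<port>. Action: <Allow|Deny>. Rule Collection: <rc>. Rule: <rule>") are an assumption modelled on Azure Firewall diagnostic logs rather than a verified schema.

```python
import json
import re
from collections import Counter

# Constructed sample records. The envelope (category / operationName /
# properties.msg) and the msg wording are assumed for this example.
SAMPLE_LOG_LINES = [
    json.dumps({"category": "AzureFirewallNetworkRule", "operationName": "AzureFirewallNetworkRuleLog",
                "properties": {"msg": "TCP request from 10.1.0.4:50322 to 10.2.0.5:3389. Action: Deny. Rule Collection: RC-Block-RDP. Rule: deny-rdp"}}),
    json.dumps({"category": "AzureFirewallNetworkRule", "operationName": "AzureFirewallNetworkRuleLog",
                "properties": {"msg": "UDP request from 10.1.0.4:40001 to 10.2.0.9:53. Action: Allow. Rule Collection: RC-Core. Rule: allow-dns"}}),
    json.dumps({"category": "AzureFirewallApplicationRule", "operationName": "AzureFirewallApplicationRuleLog",
                "properties": {"msg": "HTTPS request from 10.1.0.7:51000 to updates.example.com:443. Action: Allow. Rule Collection: RC-Web. Rule: allow-updates"}}),
    json.dumps({"category": "AzureFirewallNetworkRule", "operationName": "AzureFirewallNetworkRuleLog",
                "properties": {"msg": "TCP request from 10.1.0.8:50500 to 10.2.0.5:3389. Action: Deny. Rule Collection: RC-Block-RDP. Rule: deny-rdp"}}),
    # Denied by the default action: no rule collection / rule in the message.
    json.dumps({"category": "AzureFirewallApplicationRule", "operationName": "AzureFirewallApplicationRuleLog",
                "properties": {"msg": "HTTP request from 10.1.0.7:51002 to www.example.net:80. Action: Deny. No rule matched. Proceeding with default action"}}),
]

# Assumed msg layout; the "Rule Collection ... Rule ..." tail is optional so
# that default-action denials still parse (they simply carry no rule).
MSG_RE = re.compile(
    r"^(?P<protocol>\S+) request from (?P<src>[\d.]+):\d+ to (?P<dst>[^:\s]+):\d+\. "
    r"Action: (?P<action>\w+)\."
    r"(?: Rule Collection: (?P<collection>[^.]+)\. Rule: (?P<rule>[^.]+))?"
)


def parse_record(line):
    """Turn one JSON log line into a flat rule-hit dict, or None if unparseable."""
    rec = json.loads(line)
    m = MSG_RE.match(rec.get("properties", {}).get("msg", ""))
    if not m:
        return None
    hit = m.groupdict()
    hit["category"] = rec.get("category")
    hit["operation"] = rec.get("operationName")
    return hit


# Each measure keys a hit by the attribute whose distinct values are counted;
# returning None excludes the hit from that measure.
MEASURES = {
    "Unique categories": lambda h: h["category"],
    "Unique operations": lambda h: h["operation"],
    "Unique protocols": lambda h: h["protocol"],
    "Unique source IPs": lambda h: h["src"],
    "Unique target IPs": lambda h: h["dst"],
    "Unique allowed target IPs": lambda h: h["dst"] if h["action"] == "Allow" else None,
    "Unique denied target IPs": lambda h: h["dst"] if h["action"] == "Deny" else None,
    "Unique actions": lambda h: h["action"],
    "Unique rule collections": lambda h: h["collection"],
    "Unique application rules": lambda h: h["rule"] if h["category"] == "AzureFirewallApplicationRule" else None,
    "Unique network rules": lambda h: h["rule"] if h["category"] == "AzureFirewallNetworkRule" else None,
    "Unique rules": lambda h: h["rule"],
}

# DD flag name (as on this page) -> measure whose breakdown it unlocks.
DD_FLAGS = {
    "Show Category DD": "Unique categories", "Show Operation DD": "Unique operations",
    "Show Protocol DD": "Unique protocols", "Show SourceIP DD": "Unique source IPs",
    "Show TargetIP DD": "Unique target IPs", "Show AllowedIP DD": "Unique allowed target IPs",
    "Show DeniedIP DD": "Unique denied target IPs", "Show Action DD": "Unique actions",
    "Show RuleColl DD": "Unique rule collections", "Show ApplicationRule DD": "Unique application rules",
    "Show NetworkRule DD": "Unique network rules", "Show Rules DD": "Unique rules",
}


def summarise_firewall_logs(lines, flags=None):
    """Return ({measure: distinct count}, {measure: {value: hits}}) for the log lines.

    flags maps a DD flag name to True/False; every flag defaults to False, so
    the breakdown dict is empty unless a flag is switched on."""
    flags = flags or {}
    hits = [h for h in map(parse_record, lines) if h]
    counts = {name: Counter(k for k in map(key, hits) if k) for name, key in MEASURES.items()}
    measures = {name: len(c) for name, c in counts.items()}
    diagnostics = {measure: dict(counts[measure]) for flag, measure in DD_FLAGS.items() if flags.get(flag, False)}
    return measures, diagnostics


if __name__ == "__main__":
    totals, detail = summarise_firewall_logs(SAMPLE_LOG_LINES, {"Show DeniedIP DD": True, "Show Rules DD": True})
    for name, value in totals.items():
        print(f"{name}: {value}")
    for measure, breakdown in detail.items():
        print(f"Detailed diagnosis for {measure}: {breakdown}")
```

Two details matter for a reviewer of such output: a denied hit whose message carries no rule (the default action) still counts toward the denied-target-IP measure but not toward any rule measure, and the distinct counts alone do not say which targets were hit repeatedly, which is exactly what the per-value breakdown behind a DD flag adds.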