eG Monitoring

Measures reported by AzrFireWallTest

Azure Firewall is a cloud-native, intelligent network firewall service that provides best-of-breed threat protection for cloud workloads running in Azure.

The continued availability and good health of the firewall service is essential to protect the applications running in Azure from malicious attacks. To keep suspicious traffic out, administrators must also know which traffic should be allowed and which should be blocked, and configure firewall rules accordingly. The AzrFireWallTest helps administrators address both of these security requirements.

This test monitors each Azure Firewall configured in the target subscription and periodically reports its status. Administrators are alerted if a firewall slides into a degraded or unhealthy state. Alerts are also sent out if the firewall's ability to tell malicious traffic from legitimate traffic is compromised (for example, because threat intelligence-based filtering has been turned off). The test also periodically scans the Azure Firewall logs for application, network and NAT rule hits, and notifies administrators as soon as traffic matches a configured rule. Detailed diagnostics reveal the matching rules in full, so administrators can review them for correctness and effectiveness. From the same logs, the test also reads which IP addresses were allowed and which were denied, turning the spotlight on 'suspect' traffic that warrants further investigation and helping administrators confirm that only the intended traffic was allowed through. Firewall rules can then be adjusted based on these findings.

Outputs of the test: One set of results for each Azure Firewall configured in each resource group of the target Azure subscription

The measures reported by this test are listed below, each with its description, measurement unit and interpretation.

Measurement: Prvsng_status
Description: Indicates the current provisioning state of this firewall.
Measurement Unit: Not applicable (state value)
Interpretation: The values reported by this measure and their numeric equivalents are listed below:

Measure Value   Numeric Value
Failed          1
Updating        2
Deleting        3
Succeeded       4

Note:

By default, this measure reports the Measure Values listed above to indicate the provisioning status of a firewall. In the graph of this measure, however, the same is represented using the numeric equivalents only.

Use the detailed diagnosis of this measure to know the location of the firewall and the zones and tags associated with it.

Measurement: Threat_intel
Description: Indicates whether threat intelligence-based filtering is enabled for this firewall and, if so, in which mode.
Measurement Unit: Not applicable (state value)
Interpretation: Threat intelligence-based filtering can be enabled for your firewall to alert on, or alert on and deny, traffic to and from known malicious IP addresses and domains.

The values reported by this measure and their numeric equivalents are listed below:

Measure Value   Numeric Value
Off             1
Deny            2
Alert           3

In 'Alert' mode, an alert is logged when traffic matches a known malicious IP address or domain, but the traffic is still allowed through. In 'Deny' mode, such traffic is both logged and blocked. 'Off' disables threat intelligence-based filtering altogether; a firewall that reports 'Off' no longer benefits from this protection, so the setting should be reviewed.

Note:

By default, this measure reports the Measure Values listed above to indicate the threat intelligence mode set for a firewall. In the graph of this measure, however, the same is represented using the numeric equivalents only.

Measurement: Ip_configured
Description: Indicates the number of public IP addresses configured for this firewall.
Measurement Unit: Number
Interpretation: Use the detailed diagnosis of this measure to know the public IP addresses configured, the private IP address that maps to each, the allocation mode, SKU name, tier, version, and how long each IP address has been idle.

Measurement: Application_rule
Description: Indicates the number of application rules that have been configured for this firewall.
Measurement Unit: Number
Interpretation: Application rules define the fully qualified domain names (FQDNs) that can be accessed from a subnet.

The detailed diagnosis of this measure, if enabled, lists the configured application rules in full.

Measurement: Network_rule
Description: Indicates the number of network rules that have been configured for this firewall.
Measurement Unit: Number
Interpretation: Network rules define the source address, protocol, destination port and destination address of the traffic they allow or deny.

The detailed diagnosis of this measure, if enabled, lists the configured network rules in full.

Measurement: NAT_rule
Description: Indicates the number of NAT rules that have been configured for this firewall.
Measurement Unit: Number
Interpretation: A NAT (DNAT) rule translates inbound traffic arriving at one of the firewall's public IP addresses and ports to a private IP address and port, which is how services behind the firewall are exposed.

The detailed diagnosis of this measure, if enabled, lists the configured NAT rules in full.

Measurement: Health_status
Description: Indicates the current health of this firewall based on SNAT port availability.
Measurement Unit: Percent
Interpretation: If SNAT port usage is greater than 95%, the value of this measure will be 50%. This represents a Degraded state: the firewall keeps processing traffic and existing connections are not affected, but new connections may intermittently fail to establish.

If SNAT port usage is 95% or less, the value of this measure will be 100%. This means that the firewall is in a Healthy state.

If no SNAT port usage is reported, the value of this measure will be 0%. Check such a firewall together with its Throughput and Data_processed measures to confirm whether it is actually passing traffic.

Measurement: Data_processed
Description: Indicates the total amount of data that traversed this firewall.
Measurement Unit: MB

Measurement: Throughput
Description: Indicates the rate at which data traversed this firewall.
Measurement Unit: MB/Sec

Measurement: NAT_utilization
Description: Indicates the percentage of SNAT ports utilized by this firewall.
Measurement Unit: Percent
Interpretation: If the value of this measure is greater than 95%, the Health_status measure will report 50%, indicating that the firewall is in a Degraded state. If the value is 95% or less, Health_status will report 100%, indicating that the firewall is Healthy.

Sustained high utilization means the firewall is close to SNAT port exhaustion; the standard remedy is to add public IP addresses to the firewall, which enlarges the pool of available SNAT ports.

Measurement: Category_hit
Description: Indicates the total number of rule hits across all unique categories of traffic traversing this firewall.
Measurement Unit: Number
Interpretation: Use the detailed diagnosis of this measure to know the number of rule hits per unique category.

Measurement: Operation_hit
Description: Indicates the total number of rule hits across all unique operations performed by traffic traversing this firewall.
Measurement Unit: Number
Interpretation: Use the detailed diagnosis of this measure to know the number of rule hits per unique operation.

Measurement: Protocol_hit
Description: Indicates the total number of rule hits across all unique traffic protocols traversing this firewall.
Measurement Unit: Number
Interpretation: Use the detailed diagnosis of this measure to know the number of rule hits per protocol.

Measurement: Source_ip_hit
Description: Indicates the total number of rule hits across all unique sources from which this firewall received traffic.
Measurement Unit: Number
Interpretation: Use the detailed diagnosis of this measure to know the number of rule hits per unique source IP address. A single source accumulating many hits, especially denied ones, is the pattern most worth investigating.

Measurement: Target_ip_hit
Description: Indicates the total number of rule hits across all unique destinations to which this firewall sent traffic.
Measurement Unit: Number
Interpretation: Use the detailed diagnosis of this measure to know the number of rule hits per unique target IP address.

Measurement: Allowed_trgt_hit
Description: Indicates the total number of rule hits across all IP addresses to which traffic was allowed by this firewall.
Measurement Unit: Number
Interpretation: Use the detailed diagnosis of this measure to know the number of rule hits per target IP address to which traffic was allowed, and to confirm that only the intended destinations appear.

Measurement: Denied_trgt_hit
Description: Indicates the total number of rule hits across all IP addresses to which traffic was denied by this firewall.
Measurement Unit: Number
Interpretation: Use the detailed diagnosis of this measure to know the number of rule hits per target IP address to which traffic was denied.

Measurement: Action_hit
Description: Indicates the total number of rule hits across all unique actions configured for this firewall.
Measurement Unit: Number
Interpretation: Use the detailed diagnosis of this measure to know the number of rule hits per action.

Measurement: Rule_coll_hit
Description: Indicates the total number of rule hits across all unique rule collections configured for this firewall.
Measurement Unit: Number
Interpretation: Use the detailed diagnosis of this measure to know the number of rule hits per rule collection.

Measurement: Apprule_usg_hit
Description: Indicates the total number of rule hits across all unique application rules configured for this firewall.
Measurement Unit: Number
Interpretation: Use the detailed diagnosis of this measure to know the number of rule hits per unique application rule.

Measurement: Ntwrkrule_usg_hit
Description: Indicates the total number of rule hits across all unique network rules configured for this firewall.
Measurement Unit: Number
Interpretation: Use the detailed diagnosis of this measure to know the number of rule hits per unique network rule.

Measurement: Rule_usg_hit
Description: Indicates the total number of rule hits across all unique rules configured for this firewall.
Measurement Unit: Number
Interpretation: Use the detailed diagnosis of this measure to know the number of rule hits per unique rule.
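The script below is an added example written for this page; it is not eG's code and not the AzrFireWallTest implementation. It shows how the rule-hit measures above (Category_hit, Protocol_hit, Source_ip_hit, Action_hit, Allowed_trgt_hit, Denied_trgt_hit, Rule_coll_hit, Apprule_usg_hit, Ntwrkrule_usg_hit, and so on) can be derived from Azure Firewall diagnostic log records, and how per-source deny counts single out the 'suspect' traffic the test spotlights. The log records are constructed samples modelled on the legacy Azure Firewall diagnostic log layout (one JSON object per record, rule details in the free-text properties.msg field). The msg regex, the 'DNAT' action label given to DNAT records, and the min_denies threshold are assumptions of the example; the regex would need adapting for the newer resource-specific log tables.

```python
import json
import re
from collections import Counter


def _rec(category, msg):
    # Constructed sample record in the legacy diagnostic log layout (not real data).
    return json.dumps({"category": category, "operationName": category + "Log",
                       "properties": {"msg": msg}})


SAMPLE_LOG_LINES = [
    _rec("AzureFirewallApplicationRule", "HTTPS request from 10.0.1.4:54321 to www.example.com:443. Action: Allow. Rule Collection: AllowWeb. Rule: allow-example"),
    _rec("AzureFirewallApplicationRule", "HTTP request from 10.0.1.5:40000 to malware.example.net:80. Action: Deny. No rule matched. Proceeding with default action"),
    _rec("AzureFirewallNetworkRule", "TCP request from 203.0.113.7:55001 to 10.0.2.5:3389. Action: Deny. Rule Collection: BlockMgmt. Rule: deny-rdp"),
    _rec("AzureFirewallNetworkRule", "TCP request from 203.0.113.7:55002 to 10.0.2.5:22. Action: Deny. Rule Collection: BlockMgmt. Rule: deny-ssh"),
    _rec("AzureFirewallNetworkRule", "UDP request from 10.0.1.4:5353 to 10.0.2.53:53. Action: Allow. Rule Collection: AllowDns. Rule: allow-dns"),
    _rec("AzureFirewallDnatRule", "TCP request from 198.51.100.9:41000 to 20.0.0.1:443 was DNAT'ed to 10.0.2.10:443"),
    _rec("AzureFirewallDnsProxy", "DNS Request: 10.0.1.4:5353 - 1 - A - www.example.com"),  # not a rule hit
    "garbage line that is not JSON",  # must be skipped, not miscounted
]

# Log categories that carry rule hits, mapped to the per-rule-type measure they feed.
RULE_CATEGORIES = {
    "AzureFirewallApplicationRule": "application_rule",
    "AzureFirewallNetworkRule": "network_rule",
    "AzureFirewallDnatRule": "nat_rule",
}

# Assumed msg layout: "Rule Collection"/"Rule" are absent when the default action
# applied, and DNAT records carry no "Action" field at all.
MSG_RE = re.compile(
    r"^(?P<protocol>\S+) request from (?P<src>[\d.]+):\d+ to (?P<dst>[^:\s]+):\d+"
    r"(?:\. Action: (?P<action>Allow|Deny)"
    r"(?:\. Rule Collection: (?P<collection>.+?)\. Rule: (?P<rule>\S+))?"
    r"| was DNAT'ed to (?P<nat_dst>[\d.]+):\d+)"
)


def parse_record(line):
    """Return the fields of one rule-hit record, or None for anything else."""
    try:
        rec = json.loads(line)
    except (json.JSONDecodeError, TypeError):
        return None
    kind = RULE_CATEGORIES.get(rec.get("category"))
    match = MSG_RE.match(rec.get("properties", {}).get("msg", "")) if kind else None
    if match is None:
        return None
    g = match.groupdict()
    return {"category": rec["category"], "operation": rec.get("operationName", ""),
            "kind": kind, "protocol": g["protocol"], "src": g["src"], "dst": g["dst"],
            "action": g["action"] or "DNAT",  # assumed label for translated traffic
            "collection": g["collection"], "rule": g["rule"], "nat_dst": g["nat_dst"]}


DIMENSIONS = ("category", "operation", "protocol", "source_ip", "target_ip", "action",
              "allowed_target", "denied_target", "rule_collection", "rule",
              "application_rule", "network_rule", "denied_by_source")


def summarize(lines):
    """Count rule hits per dimension; returns (counters, number of skipped lines)."""
    hits = {d: Counter() for d in DIMENSIONS}
    skipped = 0
    for line in lines:
        r = parse_record(line)
        if r is None:
            skipped += 1
            continue
        hits["category"][r["category"]] += 1
        hits["operation"][r["operation"]] += 1
        hits["protocol"][r["protocol"]] += 1
        hits["source_ip"][r["src"]] += 1
        hits["target_ip"][r["dst"]] += 1
        hits["action"][r["action"]] += 1
        if r["action"] == "Allow":
            hits["allowed_target"][r["dst"]] += 1
        elif r["action"] == "Deny":
            hits["denied_target"][r["dst"]] += 1
            hits["denied_by_source"][r["src"]] += 1
        if r["rule"]:  # an explicit rule matched, not the default action
            hits["rule_collection"][r["collection"]] += 1
            hits["rule"][r["collection"] + "/" + r["rule"]] += 1
            if r["kind"] in ("application_rule", "network_rule"):
                hits[r["kind"]][r["rule"]] += 1
    return hits, skipped


def total_hits(counter):
    """Total across all unique values: the headline *_hit figure for one dimension."""
    return sum(counter.values())


def suspect_sources(hits, min_denies=2):
    """Sources denied at least min_denies times (threshold is an assumed tuning knob)."""
    return sorted(s for s, n in hits["denied_by_source"].items() if n >= min_denies)


if __name__ == "__main__":
    hits, skipped = summarize(SAMPLE_LOG_LINES)
    for dim in DIMENSIONS:
        print(f"{dim}: total={total_hits(hits[dim])} {dict(hits[dim])}")
    print("skipped lines:", skipped, "| suspect sources:", suspect_sources(hits))
```

Each Counter is the 'detailed diagnosis' view (hits per unique value) and total_hits() is the headline measure. Note that a default-action deny such as the malware.example.net record is counted under denied targets and actions but not under any rule collection or rule, which is why Rule_coll_hit and Rule_usg_hit can be lower than Action_hit.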