Written in collaboration with @ShabazShaik and @gusmodena.
This blog has been updated to reflect the configuration steps required to enable Policy Analytics since it was released in General Availability.
Introduction:
Azure Firewall is a cloud-native, intelligent network firewall security service that provides best-of-breed threat protection for your cloud workloads running in Azure. It is a fully stateful firewall with built-in high availability and unrestricted cloud scalability. Many customers are looking for a feature that provides a centralized view of their Firewall rules, together with recommendations based on all the traffic passing through their Firewalls.
In this blog we will discuss Policy Analytics in detail, a feature that brings enhanced logging and Firewall rule management capabilities.
Policy Analytics
Policy Analytics is a new feature, released in General Availability in May 2023, that provides insights, centralized visibility, and control for Azure Firewall. It helps IT teams meet the challenge of keeping Firewall rules up to date, managing existing rules, and removing unused rules.
You can refine and update Firewall rules and policies with confidence in just a few steps in the Azure portal. You have granular control to define your own custom rules for an enhanced security and compliance posture.
Policy Analytics is accessible in the Azure portal under Firewall Policy / Monitoring. Its Insights tab brings 6 dashboards that aggregate insights and highlight relevant policy information.
These are the key Policy Analytics features:
- Policy insight panel: Aggregates insights and highlights relevant policy information.
- Rule analytics: Analyzes existing DNAT, Network, and Application rules to identify rules with low utilization within a specific time window.
- Traffic flow analysis: Maps traffic flow to rules by identifying top traffic flows and enabling an integrated experience.
- Single Rule analysis: Analyzes a single rule to learn what traffic hits that rule to refine the access it provides and improve the overall security posture.
Policy Analytics starts monitoring the flows in the DNAT, Network, and Application rule analysis only after you enable the feature. It can’t analyze rules hit before the feature is enabled. Follow the steps below to enable Policy Analytics:
- Select Policy analytics in the table of contents.
- Next, select Configure Workspaces.
- In the pane that opens, select the Enable Policy Analytics checkbox.
- Next, choose a Log Analytics workspace. It should be the same workspace that the Firewall attached to the policy sends its logs to.
- Select Save after you choose the log analytics workspace.
Policy Analytics depends on both Log Analytics and Azure Firewall resource-specific logging. Verify the Firewall is configured appropriately or follow the previous instructions. Be aware that logs take 60 minutes to appear after enabling them for the first time, because logs are aggregated in the backend every hour. You can check that logs are configured appropriately by running a Log Analytics query on the resource-specific tables such as AZFWNetworkRuleAggregation, AZFWApplicationRuleAggregation, and AZFWNatRuleAggregation.
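As an added example (not code from the original post or from the Azure Firewall product), the Python script below wraps the readiness check described above: it builds a KQL query over the three aggregation tables, classifies each table as ok, stale, or missing from the query's rows, and can optionally run the query with the azure-monitor-query SDK. The two-hour staleness limit, the one-day lookback, the sample rows, and the function names are assumptions chosen for the example.

```python
from datetime import datetime, timedelta, timezone

# Resource-specific aggregation tables that Policy Analytics depends on (named in the blog).
REQUIRED_TABLES = ("AZFWNetworkRuleAggregation",
                   "AZFWApplicationRuleAggregation",
                   "AZFWNatRuleAggregation")

# The backend aggregates hourly, so allow two hours before calling a table stale (assumption).
MAX_AGE = timedelta(hours=2)
LOOKBACK = timedelta(days=1)  # wide enough to tell "stopped logging" from "never logged"

# KQL: one row per table that has data in the lookback window, with its newest timestamp.
# `Type` is the standard Log Analytics column holding the table name.
READINESS_QUERY = (
    "union " + ", ".join(REQUIRED_TABLES) + "\n"
    "| where TimeGenerated > ago(1d)\n"
    "| summarize Rows = count(), Latest = max(TimeGenerated) by Type"
)

def assess(rows, now=None):
    """Classify each required table from query rows shaped (Type, Rows, Latest).
    'missing' means no rows in the window at all (diagnostic setting absent or not in
    resource-specific mode); 'stale' means the newest row is older than MAX_AGE."""
    now = now or datetime.now(timezone.utc)
    latest_by_table = {table: latest for table, count, latest in rows if count > 0}
    verdict = {"ok": [], "stale": [], "missing": []}
    for table in REQUIRED_TABLES:
        if table not in latest_by_table:
            verdict["missing"].append(table)
        elif now - latest_by_table[table] > MAX_AGE:
            verdict["stale"].append(table)
        else:
            verdict["ok"].append(table)
    return verdict

def check_workspace(workspace_id):
    """Run READINESS_QUERY against a Log Analytics workspace (workspace_id is the workspace GUID).
    Needs the azure-monitor-query and azure-identity packages and a signed-in identity with
    read access to the workspace; imported here so the rest of the module works offline."""
    from azure.identity import DefaultAzureCredential
    from azure.monitor.query import LogsQueryClient, LogsQueryStatus
    client = LogsQueryClient(DefaultAzureCredential())
    result = client.query_workspace(workspace_id, READINESS_QUERY, timespan=LOOKBACK)
    if result.status != LogsQueryStatus.SUCCESS:
        raise RuntimeError(f"query did not complete: {result.status}")
    # Assumption: the SDK returns datetime columns as timezone-aware datetime objects.
    rows = [(row["Type"], int(row["Rows"]), row["Latest"]) for row in result.tables[0].rows]
    return assess(rows)

# Constructed sample of what the query might return: NAT table absent, application table stale.
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_ROWS = [
    ("AZFWNetworkRuleAggregation", 1842, SAMPLE_NOW - timedelta(minutes=40)),
    ("AZFWApplicationRuleAggregation", 97, SAMPLE_NOW - timedelta(hours=6)),
]

if __name__ == "__main__":
    print(assess(SAMPLE_ROWS, now=SAMPLE_NOW))
```

A table reported as missing usually means the diagnostic setting for the Firewall is either not created or not set to resource-specific mode; a stale table with an otherwise healthy firewall is worth checking against the Firewall's diagnostic setting and the hourly aggregation delay before assuming a data problem.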
Exploring Policy Analytics
Once all prerequisites are met and the Diagnostic Setting is created, you will start seeing the dashboards populated based on the Firewall Policy configuration and the logs available. In the Insights tab you'll find 6 dashboards:
- Policy limits: This dashboard shows the overall limits of your policy, such as the total number of rules, the total number of unique source/destination IPs, the total number of IP Groups, and the DNAT rule limits.
- Rules with multiple IP addresses: Here you will find the rules with multiple IP addresses in the source or destination field. The number of IPs that triggers the recommendation is customizable between 1 and 100.
This dashboard helps you identify which rules could use IP Groups instead of listing multiple IP addresses in the source/destination.
- Rules with low utilization: A rule is considered to have low utilization when no hits are observed on some or all matching network flows over a period of time. You can select the time window that you would like to use as the basis for generating recommendations.
- Duplicate Rules: This dashboard is customizable, and you may select which of the following to show recommendations for:
  - Two or more rules with exactly the same values for all parameters (except name)
  - Two or more rules where the source or destination of one fully contains the others, and all other rule parameters match (except name)
  - One rule with duplicate sources or duplicate destinations
By selecting “See recommendations” you’ll find details of duplicated IP addresses and redundant rules.
- Generic rules: Here you will learn which rules use a wildcard as the source or destination IP address. By selecting “See recommendations” you will see which rules those are and what the recommended action is.
You can also click the recommended action to run the single-rule analysis.
- Potentially malicious sources: This dashboard shows traffic from malicious sources that is triggering Threat Intelligence and/or IDPS logs. By selecting “See recommendations” you will learn what action is recommended to protect against the potential threat detected.
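The multiple-IP, duplicate-rule, generic-rule, and low-utilization checks described above are simple enough to reproduce offline, which is useful when reviewing a policy export before the dashboards have data. The Python below is an added example, not code from the post or from Azure; it implements those checks over a constructed sample policy. The rule names and addresses are hypothetical, the threshold of 3 IPs is arbitrary, and it assumes a rule is flagged when either address list has more than the threshold entries and that containment compares CIDR ranges with a wildcard covering everything.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network
from itertools import combinations

@dataclass(frozen=True)
class NetworkRule:
    """Simplified network rule; address fields are CIDR strings or '*' (any)."""
    name: str
    sources: tuple
    destinations: tuple
    protocols: tuple
    ports: tuple

    def params(self):
        """All parameters except the name, order-insensitive, for duplicate matching."""
        return (frozenset(self.sources), frozenset(self.destinations),
                frozenset(self.protocols), frozenset(self.ports))

def _covers(outer, inner):
    """True when every address in `inner` lies inside some entry of `outer`."""
    if "*" in outer:
        return True
    if "*" in inner:
        return False
    outer_nets = [ip_network(o, strict=False) for o in outer]
    for entry in inner:
        net = ip_network(entry, strict=False)
        if not any(o.version == net.version and net.subnet_of(o) for o in outer_nets):
            return False
    return True

def rules_with_many_ips(rules, threshold):
    """'Rules with multiple IP addresses': more than `threshold` entries on either side."""
    return [r.name for r in rules
            if len(r.sources) > threshold or len(r.destinations) > threshold]

def generic_rules(rules):
    """'Generic rules': wildcard source or destination."""
    return [r.name for r in rules if "*" in r.sources or "*" in r.destinations]

def rules_with_duplicate_entries(rules):
    """'Duplicate rules' option 3: one rule listing the same source or destination twice."""
    return [r.name for r in rules
            if len(set(r.sources)) < len(r.sources)
            or len(set(r.destinations)) < len(r.destinations)]

def exact_duplicates(rules):
    """'Duplicate rules' option 1: identical values for everything except the name."""
    groups = defaultdict(list)
    for r in rules:
        groups[r.params()].append(r.name)
    return [sorted(names) for names in groups.values() if len(names) > 1]

def containment_duplicates(rules):
    """'Duplicate rules' option 2: one rule's source/destination fully contains another's
    while protocols and ports match. Returns (broader_rule, contained_rule) pairs."""
    pairs = []
    for a, b in combinations(rules, 2):
        if a.params() == b.params():
            continue  # reported by exact_duplicates instead
        if (frozenset(a.protocols) != frozenset(b.protocols)
                or frozenset(a.ports) != frozenset(b.ports)):
            continue
        if _covers(a.sources, b.sources) and _covers(a.destinations, b.destinations):
            pairs.append((a.name, b.name))
        elif _covers(b.sources, a.sources) and _covers(b.destinations, a.destinations):
            pairs.append((b.name, a.name))
    return pairs

def rules_with_low_utilization(rules, hit_counts):
    """'Rules with low utilization': no matching flows in the chosen window.
    hit_counts maps rule name -> flow count, as the Traffic flows tab would report."""
    return [r.name for r in rules if hit_counts.get(r.name, 0) == 0]

# Constructed sample policy (hypothetical rule names and addresses).
SAMPLE_RULES = (
    NetworkRule("allow-web", ("10.0.0.0/24",), ("*",), ("TCP",), ("443",)),
    NetworkRule("allow-web-copy", ("10.0.0.0/24",), ("*",), ("TCP",), ("443",)),
    NetworkRule("allow-app-subnet", ("10.0.0.0/16",), ("10.1.0.0/24",), ("TCP",), ("8080",)),
    NetworkRule("allow-app-host", ("10.0.1.5/32",), ("10.1.0.0/24",), ("TCP",), ("8080",)),
    NetworkRule("allow-ssh-jump",
                ("10.0.0.1/32", "10.0.0.2/32", "10.0.0.3/32", "10.0.0.4/32", "10.0.0.1/32"),
                ("10.2.0.10/32",), ("TCP",), ("22",)),
)
SAMPLE_HITS = {"allow-web": 40, "allow-app-subnet": 3}  # constructed flow counts

def analyze(rules=SAMPLE_RULES, hit_counts=SAMPLE_HITS, ip_threshold=3):
    """Run every check and return the findings, mirroring the Insights dashboards."""
    return {
        "many_ips": rules_with_many_ips(rules, ip_threshold),
        "generic": generic_rules(rules),
        "duplicate_entries": rules_with_duplicate_entries(rules),
        "exact_duplicates": exact_duplicates(rules),
        "containment_duplicates": containment_duplicates(rules),
        "low_utilization": rules_with_low_utilization(rules, hit_counts),
    }
```

Running `analyze()` on the sample flags allow-web-copy as an exact duplicate of allow-web, allow-app-host as contained by allow-app-subnet, allow-ssh-jump for both its repeated source and its long source list, and the two wildcard-destination rules as generic; the containment result is the case where a narrower rule adds nothing unless it sits at a higher priority than the broader one, which is why the portal's single-rule analysis is the right next step before deleting it.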
Policy Analytics also provides visibility of all your DNAT, Network, and Application rules in 3 different tabs. In these tabs you will see a column called “Matching flows”, which shows the total number of flows for each rule over the selected period of time.
The Traffic flows tab gives you more details of each flow, such as Rule Name, Source, Destination, Port, Protocol, Hit count, and others. You can also change the filter to show data for periods from 10 minutes up to 30 days.
The last tab is Single-rule analysis, which can be used to analyze a rule and learn what traffic hits it, so you can refine the access it provides and improve the overall security posture. After running the analysis, you will find a rule summary, and you will also be able to change the Port, Protocol, Source and/or Destination, delete the rule, or move the rule to the lowest-priority collection group.
Enabling Policy Analytics on a Firewall Policy associated with a single firewall is billed per policy as described on the Azure Firewall Manager pricing page. Enabling Policy Analytics on a Firewall Policy associated with more than one firewall is offered at no additional cost.
Conclusion:
As you have seen above, Azure Firewall Policy Analytics simplifies firewall policy management by providing insights and a centralized view, helping IT teams maintain better and more consistent control of Azure Firewall.