Written in collaboration with @ShabazShaik and @gusmodena.
This blog has been updated to reflect the configuration steps required to enable Policy Analytics now that it has been released in General Availability.
Introduction:
Azure Firewall is a cloud-native, intelligent network firewall security service that provides best-of-breed threat protection for your cloud workloads running in Azure. It is a fully stateful firewall with built-in high availability and unrestricted cloud scalability. Many customers have asked for a feature that provides a centralized view of their firewall rules, together with recommendations based on all the traffic passing through their firewalls.
In this blog we discuss Policy Analytics in detail: the enhanced logging it relies on and the firewall rule management capabilities it provides.
Policy Analytics
Policy Analytics is a feature released in General Availability in May 2023 that provides insights, centralized visibility, and control for Azure Firewall. It helps IT teams who need to keep firewall rules up to date, manage existing rules, and remove unused rules.
You can refine and update Firewall rules and policies with confidence in just a few steps in the Azure portal. You have granular control to define your own custom rules for an enhanced security and compliance posture.
Policy Analytics is accessible in the Azure portal under the Firewall Policy's Monitoring section. Its Insights tab brings six dashboards that aggregate insights and highlight the relevant policy information.
These are the key Policy Analytics features:
Policy Analytics only starts collecting flows for the DNAT, Network, and Application rule analysis once the feature is enabled; rule hits from before that point are not analyzed. Follow the steps below to enable Policy Analytics:
Policy Analytics depends on both Log Analytics and Azure Firewall resource-specific (structured) logging. Verify that the firewall is configured appropriately or follow the previous instructions. The diagnostic setting must send the logs to a Log Analytics workspace with the "Resource specific" destination table; with the legacy AzureDiagnostics destination the AZFW* tables are never populated and the dashboards stay empty. Be aware that logs take up to 60 minutes to appear after enabling them for the first time, because logs are aggregated in the backend every hour. You can confirm that logging is configured correctly by running a Log Analytics (KQL) query against the resource-specific tables AZFWNetworkRuleAggregation, AZFWApplicationRuleAggregation, and AZFWNatRuleAggregation.
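The following Azure PowerShell script is an added example, not code from the original post or from the Policy Analytics feature itself. It performs the two steps above: it creates a diagnostic setting that sends the aggregation log categories to a Log Analytics workspace with the "Resource specific" (Dedicated) destination table, and then queries the three aggregation tables to confirm rows are arriving. The resource group, firewall, workspace and setting names are placeholders; it assumes the Az.Monitor (4.x or later), Az.Network and Az.OperationalInsights modules and an existing `Connect-AzAccount` session.

```powershell
# Added example (not from the original post): enable the resource-specific Azure Firewall
# log categories that Policy Analytics depends on, then confirm that rows are arriving.
# Assumptions: the names below are placeholders; Az.Monitor 4.x+, Az.Network and
# Az.OperationalInsights are installed and Connect-AzAccount has already been run.
$rg            = 'rg-network-hub'
$firewallName  = 'azfw-hub'
$workspaceName = 'law-security'
$settingName   = 'azfw-policy-analytics'

$firewall  = Get-AzFirewall -Name $firewallName -ResourceGroupName $rg
$workspace = Get-AzOperationalInsightsWorkspace -Name $workspaceName -ResourceGroupName $rg

# The three *Aggregation categories feed the Policy Analytics dashboards. The per-flow
# categories are the regular structured rule logs; enabling them alongside gives you the
# individual flows behind each aggregated hit count when you investigate a rule.
$categories = @(
    'AZFWNetworkRuleAggregation', 'AZFWApplicationRuleAggregation', 'AZFWNatRuleAggregation',
    'AZFWNetworkRule',            'AZFWApplicationRule',            'AZFWNatRule'
)
$logs = foreach ($category in $categories) {
    New-AzDiagnosticSettingLogSettingsObject -Enabled $true -Category $category
}

# 'Dedicated' is the "Resource specific" destination table. With the default
# 'AzureDiagnostics' destination the AZFW* tables are never populated and
# Policy Analytics stays empty, even though logging looks enabled in the portal.
New-AzDiagnosticSetting -Name $settingName `
    -ResourceId $firewall.Id `
    -WorkspaceId $workspace.ResourceId `
    -Log $logs `
    -LogAnalyticsDestinationType 'Dedicated'

# Verification: run this at least an hour after enabling, since the backend aggregates hourly.
# Type exists in every Log Analytics table, so this check does not depend on per-table schema.
$kql = @'
union AZFWNetworkRuleAggregation, AZFWApplicationRuleAggregation, AZFWNatRuleAggregation
| where TimeGenerated > ago(1h)
| summarize Rows = count() by Type
'@
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspace.CustomerId.ToString() -Query $kql
if (-not $result.Results) {
    Write-Warning 'No aggregation rows yet: wait for the hourly rollup, or re-check that the diagnostic setting uses the Resource specific destination table.'
} else {
    $result.Results | Format-Table Type, Rows -AutoSize
}
```

If the verification returns rows for only some of the three tables, that is expected on a firewall that has no rules of the missing type (for example no DNAT rules), not a misconfiguration.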
Exploring Policy Analytics
Once all the prerequisites are in place and the diagnostic setting has been created, the dashboards start populating based on the Firewall Policy configuration and the logs available. In the Insights tab you will find six dashboards:
This dashboard helps you identify which rules could use IP Groups instead of listing multiple IP addresses in the source or destination.
By selecting "See recommendations" you will find the details of duplicated IP addresses and redundant rules.
You can also click the recommended action to run the single-rule analysis for that rule.
Policy Analytics also provides visibility of all your DNAT, Network and Application rules in three separate tabs. Each tab includes a "Matching flows" column that shows the total number of flows that hit each rule over the selected time range.
The Traffic flows tab gives you more detail on each flow, such as rule name, source, destination, port, protocol and hit count. You can also change the time filter from 10 minutes up to 30 days.
The last tab is Single-rule analysis, which analyzes one rule and shows what traffic actually hits it, so you can narrow the access it grants and improve the overall security posture. After running the analysis you get a rule summary, and you can apply changes to the port, protocol, source and/or destination, delete the rule, or move it to the lowest-priority rule collection group.
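The "Matching flows" column and the single-rule analysis are where the cleanup happens, and the same comparison can be scripted for a whole policy. The script below is an added example, not code from the original post or part of the Policy Analytics feature: it enumerates every rule defined in a Firewall Policy, sums the hits recorded for each rule in the three aggregation tables over the last 30 days (the same maximum window as the Traffic flows tab), and lists rules with zero matching flows as removal candidates. The resource names are placeholders, and the column names RuleCollectionGroup, RuleCollection, Rule and HitCount are assumed from the documented schema of the aggregation tables; check them against your workspace if the query fails.

```powershell
# Added example (not from the original post): compare the rules defined in a Firewall Policy
# with the hits recorded in the Policy Analytics aggregation tables over the last 30 days,
# and report rules with zero matching flows.
# Assumptions: placeholder names; logging was enabled at least $lookback days ago; column
# names RuleCollectionGroup/RuleCollection/Rule/HitCount as documented for the aggregation
# tables (verify against your workspace schema); Az.Network and Az.OperationalInsights loaded.
$rg          = 'rg-network-hub'
$policyName  = 'afwp-hub'
$workspaceId = '00000000-0000-0000-0000-000000000000'   # Log Analytics workspace (customer) ID
$lookback    = 30                                        # days; the Traffic flows tab maximum

# 1. Every rule the policy defines, keyed by rule collection group / collection / rule.
#    Rule names are only unique within a collection, so the full path is the key.
$policy  = Get-AzFirewallPolicy -Name $policyName -ResourceGroupName $rg
$defined = foreach ($ref in $policy.RuleCollectionGroups) {
    $rcgName = ($ref.Id -split '/')[-1]
    $rcg = Get-AzFirewallPolicyRuleCollectionGroup -Name $rcgName -ResourceGroupName $rg `
              -AzureFirewallPolicyName $policyName
    foreach ($rc in $rcg.Properties.RuleCollection) {
        foreach ($rule in $rc.Rules) {
            [pscustomobject]@{ Group = $rcgName; Collection = $rc.Name; Rule = $rule.Name }
        }
    }
}

# 2. Observed hits per rule across all three aggregation tables in the lookback window.
$kql = @"
union AZFWNetworkRuleAggregation, AZFWApplicationRuleAggregation, AZFWNatRuleAggregation
| where TimeGenerated > ago(${lookback}d)
| summarize Hits = sum(HitCount) by RuleCollectionGroup, RuleCollection, Rule
"@
$observed = (Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $kql).Results
$hits = @{}
foreach ($row in $observed) {
    $hits["$($row.RuleCollectionGroup)/$($row.RuleCollection)/$($row.Rule)"] = [long]$row.Hits
}

# 3. Join the two sides: a defined rule with no aggregation row has had no matching flows.
$report = foreach ($d in $defined) {
    $key = "$($d.Group)/$($d.Collection)/$($d.Rule)"
    $n = 0
    if ($hits.ContainsKey($key)) { $n = $hits[$key] }
    [pscustomobject]@{ Group = $d.Group; Collection = $d.Collection; Rule = $d.Rule; Hits = $n }
}

$report | Sort-Object Hits, Group, Collection, Rule | Format-Table -AutoSize
$report | Where-Object Hits -eq 0 | ForEach-Object {
    "Candidate for removal (no matching flows in $lookback days): $($_.Group)/$($_.Collection)/$($_.Rule)"
}
```

Treat the zero-hit list as a review queue rather than a delete list: Policy Analytics only has data from the moment logging was enabled, and rules that exist for failover paths or infrequent jobs can legitimately show no flows for 30 days. Run the single-rule analysis on anything that does have hits before narrowing its source, destination or port.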
Enabling Policy Analytics on a Firewall Policy associated with a single firewall is billed per policy as described on the Azure Firewall Manager pricing page. Enabling Policy Analytics on a Firewall Policy associated with more than one firewall is offered at no additional cost.
Conclusion:
As shown above, Azure Firewall Policy Analytics simplifies firewall policy management by providing insights and a centralized view that help IT teams maintain better and more consistent control of Azure Firewall.