RTK-6383 asked GitaraniSharmaMSFT-4262 commented

Azure Firewall Inbound traffic Logs

I am unable to view any inbound traffic logs in Azure Firewall. I am trying to view in Log Analytics and can see only the outbound traffic logs which are from Azure. Are there any settings to be enabled to view the traffic?

I even tried running the below query to see any traffic coming from my machine.

AzureDiagnostics
| where ResourceType == "AZUREFIREWALLS"
and msg_s contains "request from 192.168.6.12"
and msg_s contains "Allow"

azure-firewall

1 Answer

GitaraniSharmaMSFT-4262 answered GitaraniSharmaMSFT-4262 commented

Hello @RTK-6383 ,

You can find the query packs in Azure Monitor for any Azure resource/service which allows logging. So Azure Firewall log query pack can be found as below:
[Image: 110986-image.png]

The overall Azure Firewall log query would be as below:
AzureDiagnostics
| where Category == "AzureFirewallNetworkRule" or Category == "AzureFirewallApplicationRule"

If you have more than one Azure Firewall in your subscription, do specify the Firewall name:
AzureDiagnostics
| where Category == "AzureFirewallNetworkRule" and Resource == "FirewallName"

Or you can modify the query pack as per your requirement to get specific logs.

Else, we have "Azure firewall workbook" which can gain insights into Azure Firewall events, learn about your application and network rules, and see statistics for firewall activities across URLs, ports, and addresses. Azure Firewall Workbook allows you to filter your firewalls and resource groups, and dynamically filter per category with easy-to-read data sets when investigating an issue in your logs.

Kindly let us know if the above helps or you need further assistance on this issue.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.




I tested by adding a NAT rule for RDP and it worked for me. Thanks a bunch!!
You may close the ticket.

1 Vote 1 ·

@RTK-6383 , thank you for the update. Glad to hear that the issue is now resolved.

0 Votes 0 ·

Thanks for the response. I have only one firewall in my Azure subscription. To verify inbound logs, I tried to RDP a machine in a virtual network that is tied to Azure Firewall. When I run the above query I am not seeing any results (zero results). I believe it should show at least 3389 (RDP) allow log.

0 Votes 0 ·

Hello @RTK-6383 ,

Apologies for the delay in my response.

You should be able to see inbound traffic logs if you have NAT rules configured on your Firewall. Please check your rules and try again with the query pack. In case it still doesn't work, I believe it would require a deeper investigation, so if you have a support plan, I request you file a support ticket, else please do let us know, we will try and help you get a one-time free technical support.

Thanks,
Gita

0 Votes 0 ·

Thanks very much for the reply. I haven't created any NAT rules in the firewall. I will try and let you know.

0 Votes 0 ·

Hello @RTK-6383 , I'm following up to check if you have any updates on this post?

0 Votes 0 ·

@GitaraniSharmaMSFT-4262 Sorry for the delay. I was also thinking of another prospect: could this be because of not creating a route in the route table to let it know that all the traffic coming to my network from outside should go through the firewall?

Instead of creating a NAT rule, could this be a better choice?

Thanks in advance.

0 Votes 0 ·

Hello @RTK-6383 ,

Azure Firewall log data cover NAT rules. I am not sure if route table would make any difference as I have not explored that before. But you could give it a try. However, I would still request you to add a NAT rule and check the logs.

Thanks,
Gita

0 Votes 0 ·

Hello @RTK-6383 , any updates?

0 Votes 0 ·
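
The thread settles on inbound connections appearing in the firewall logs once a NAT rule handles them. As an added example (not part of the original posts), the query below isolates those DNAT entries and splits the message into source, public and translated endpoints. The `msg_s` layout, the sample rows and the output column names are assumptions, constructed here so the query runs without a workspace.

```kusto
// Constructed sample rows standing in for AzureDiagnostics. The msg_s layout is an
// assumption based on the legacy Azure Firewall diagnostic message format.
let SampleFirewallLogs = datatable(TimeGenerated:datetime, ResourceType:string,
                                   Category:string, Resource:string, msg_s:string)
[
    // Inbound RDP that matched a NAT rule (public IP -> private VM)
    datetime(2021-07-01 10:00:00), "AZUREFIREWALLS", "AzureFirewallNetworkRule", "FIREWALLNAME",
        "TCP request from 203.0.113.10:50211 to 198.51.100.4:3389 was DNAT'ed to 10.0.1.4:3389",
    // Outbound network-rule hit from the VM (the kind of entry the asker already sees)
    datetime(2021-07-01 10:00:05), "AZUREFIREWALLS", "AzureFirewallNetworkRule", "FIREWALLNAME",
        "TCP request from 10.0.1.4:49877 to 192.0.2.20:443. Action: Allow",
    // Outbound application-rule hit
    datetime(2021-07-01 10:00:09), "AZUREFIREWALLS", "AzureFirewallApplicationRule", "FIREWALLNAME",
        "HTTPS request from 10.0.1.4:49901 to www.example.com:443. Action: Allow"
];
SampleFirewallLogs   // replace with AzureDiagnostics in a real workspace
| where ResourceType == "AZUREFIREWALLS" and Category == "AzureFirewallNetworkRule"
// DNAT entries carry no "Action: Allow" text in this layout, so a filter on
// "Allow" would exclude them; match on the DNAT marker instead.
| where msg_s contains "DNAT'ed"
| parse msg_s with Protocol " request from " SourceIP ":" SourcePort:int
                   " to " PublicIP ":" PublicPort:int
                   " was DNAT'ed to " TranslatedIP ":" TranslatedPort:int
| where PublicPort == 3389          // RDP, the port tested in the thread
| project TimeGenerated, Resource, Protocol, SourceIP, SourcePort,
          PublicIP, PublicPort, TranslatedIP, TranslatedPort
| order by TimeGenerated desc
```

With the sample rows, only the first entry is returned, showing the external source, the firewall's public endpoint and the private address the connection was translated to.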