Announcing Azure Firewall improvements for network performance troubleshooting and traffic visibility | Azure blog and updates


IT security administrators are often called upon to troubleshoot network issues. For example, an important application might show latency or disconnection, frustrating end users. These issues may be caused by a recent routing update or security changes. In some cases, the cause could be a sudden burst of network traffic – overwhelming network resources.

Microsoft Azure Firewall now provides new logging and metric improvements designed to increase visibility and provide more insight into the traffic being handled by the firewall. IT security administrators can use a combination of the following to find the root cause of application performance issues:

o Latency Probe metric is now in preview.
o Flow Trace log is now in preview.
o Top Flows log is now in preview.

Azure Firewall is a cloud-native firewall as a service that allows customers to centrally control and log all of their traffic flows using a DevOps approach. The service supports network and application level filtering rules and is combined with the Microsoft Defender Threat Intelligence feed to filter out known malicious IP addresses and domains. Azure Firewall is highly available with built-in automatic scaling.

Latency Probe metric – now in preview

In network infrastructure, one may notice increases in latency depending on various factors. The ability to monitor firewall latency is essential to proactively address any potential issues with traffic or services in the infrastructure.

The Latency Probe is designed to measure the overall Azure Firewall latency and provide insight into the health of the service. IT administrators can use the measurement to monitor and alert if there is observable latency and diagnose if Azure Firewall is causing network latency.

If Azure Firewall experiences latency, it may be due to various reasons, such as high CPU usage, data transfer rate, or network issues. As an important note, this tool is powered by Pingmesh technology, which means that the metric measures the average latency of the firewall itself. The metric does not measure end-to-end latency or latency of individual packets.

Figure 1: Dashboard view of healthy firewall response time measured by Latency Probe (Preview).

Flow Trace logs – now in preview

Azure Firewall logging provides logs of various traffic – such as network, application, and threat intelligence traffic. Today, these logs show traffic through the firewall on the first attempt at a Transmission Control Protocol (TCP) connection, also known as a SYN packet. However, this fails to show the complete journey of the packet in the TCP handshake. The ability to monitor and trace every packet through the firewall is critical to identifying packet drops or asymmetric paths.

To delve deeper into the asymmetric routing example, Azure Firewall – as a stateful firewall – maintains stateful connections and automatically and dynamically allows traffic to successfully return to the firewall. However, asymmetric routing can occur when a packet takes one path to the destination through the firewall and takes a different path when trying to return to the source. This may be due to user error in the configuration, such as adding an unnecessary route in the firewall path.

As a result, one can check if the packet has flowed successfully through the firewall or if there is asymmetric routing by viewing additional TCP handshake records in Flow Trace.

To do this, you can monitor the network logs to view the first SYN packet and click “Enable Flow Trace” to see additional flags for verification:

o SYN-ACK
o FIN
o FIN-ACK
o RST
o INVALID

By adding these additional flags in flow trace logs, IT administrators can now see the return packet, if there is a failed connection, or an unknown packet. To enable these logs, please read the documentation linked below.

Figure 2: Flow Trace logs showing SYN-ACK and FIN packets.
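The check described above, grouping the first SYN with the additional Flow Trace flags to spot connections that have no return packet, can be scripted against exported logs. The following is an added example, not code from the original post or from Microsoft; the record field names (`src`, `sport`, `dst`, `dport`, `flag`) and the sample records are constructed, and it assumes return packets may be logged with source and destination reversed.

```python
from collections import defaultdict

# Constructed sample records (not real Azure Firewall output). Field names are
# hypothetical; map them to the columns of your own log export.
SAMPLE_RECORDS = [
    # Healthy connection: SYN, return SYN-ACK, orderly close.
    {"src": "10.0.1.4", "sport": 50112, "dst": "10.1.0.8", "dport": 443, "flag": "SYN"},
    {"src": "10.1.0.8", "sport": 443, "dst": "10.0.1.4", "dport": 50112, "flag": "SYN-ACK"},
    {"src": "10.0.1.4", "sport": 50112, "dst": "10.1.0.8", "dport": 443, "flag": "FIN"},
    {"src": "10.1.0.8", "sport": 443, "dst": "10.0.1.4", "dport": 50112, "flag": "FIN-ACK"},
    # SYN passed the firewall but no return packet was ever logged.
    {"src": "10.0.1.5", "sport": 50200, "dst": "10.2.0.9", "dport": 1433, "flag": "SYN"},
    # Connection attempt answered with a reset.
    {"src": "10.0.1.6", "sport": 50300, "dst": "10.1.0.8", "dport": 22, "flag": "SYN"},
    {"src": "10.1.0.8", "sport": 22, "dst": "10.0.1.6", "dport": 50300, "flag": "RST"},
    # Packet the firewall could not match to a connection it had seen.
    {"src": "10.2.0.9", "sport": 1433, "dst": "10.0.1.7", "dport": 50400, "flag": "INVALID"},
]

def flow_key(rec):
    """Direction-independent key so return packets join the same flow."""
    a = (rec["src"], rec["sport"])
    b = (rec["dst"], rec["dport"])
    return tuple(sorted([a, b]))

def classify(flags):
    """Map the set of flags seen on one flow to a triage verdict."""
    if "INVALID" in flags:
        return "invalid-packet"      # unknown packet
    if "RST" in flags:
        return "reset"               # failed connection
    if "SYN" in flags and "SYN-ACK" not in flags:
        return "no-return-seen"      # candidate: packet drop or asymmetric path
    if "SYN-ACK" in flags:
        return "handshake-seen"      # return packet came back through the firewall
    return "unknown"

def triage(records):
    """Group records per flow and return {flow_key: verdict}."""
    flags_by_flow = defaultdict(set)
    for rec in records:
        flags_by_flow[flow_key(rec)].add(rec["flag"].upper())
    return {key: classify(flags) for key, flags in flags_by_flow.items()}

if __name__ == "__main__":
    for key, verdict in sorted(triage(SAMPLE_RECORDS).items()):
        print(key, verdict)
```

Flows reported as `no-return-seen` are the ones to compare against the route tables on the return path.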

Top Flows – now in preview

Today, Microsoft Azure Firewall Standard can support up to 30Gbps and Azure Firewall Premium can support up to 100Gbps of traffic processing. However, in any case, sometimes traffic flows can be either unintentionally or intentionally “heavy” depending on packet size, duration, and other factors. Since these flows can affect other flows and the processing of the firewall, it is important to monitor these traffic flows, to ensure that the firewall can function optimally.

The Top Flows log, known in the industry as Fat Flows, shows the top connections contributing the highest bandwidth in a given time frame through the firewall.

This insight provides the following benefits to IT administrators:

o Identify the top traffic flows passing through the firewall.
o Identify any unexpected or anomalous traffic.
o Decide which traffic to allow or deny, based on results and goals.

To enable these logs, please read the documentation linked below.

Figure 3: Dashboard view of Top Flows logs showing traffic with the highest flow rates.

Next steps

For more information about Azure Firewall and everything we covered in this blog post, see the following resources:

Azure Firewall documentation.

Azure Firewall Manager documentation.

Deploy and configure Azure Firewall logs and metrics.

Enable Flow Trace and Top Flows logs tutorial.
