Azure Firewall Rules Hit Count - Top Hitters

Question

We have AZFW deployed with Standard subscription.

I am evaluating if there is any way to identify unused rules and 'top-hitters', so we can optimise the FW.

I checked under Metrics and see Summary view only. I am unable to drill down further, that could be based on the Standard subsciption.

Any help would be appreciated and any other tips for optimising Azure firewall.

Thanks in advance !

Answer 1

Hello @Ajaz Nawaz , Hope you are well!
As I understood from the question above, you want to identify the unused rules for your firewall and the rules which are used the most. You have also checked out the Metrics section for Application rules hit count, Network rules hit count etc. and now you wish to perform much deeper investigation.

You can check out Azure Diagnostic Logging via Log analytics workspace for Azure Firewall. Diagnostic Logging supports Application rule log, Network rule log etc. Using application rule logs, you can determine which particular Application Rule either allowed or denied any particular request this might help you optimize you application rules. Currently this feature is not supported for Network logs though, you can go through this thread for additional details. You can also explore additional Kusto queries in getting the desired data.

You can also use Azure Firewall workbook which provides a flexible canvas for Azure Firewall data analysis. You can use it to create rich visual reports within the Azure portal. You can gain insights into Azure Firewall events, learn about your application and network rules, and see statistics for firewall activities across URLs, ports, and addresses. Please go through this documentation for additional details.

Hope this helps! Please let me know if you have any additional questions.

Answer 2

Would it be possible to have an example of actual Kusto code to list the top 20 network rules by name and hit count?