Azure Firewall Policy Analytics: "rules with multiple IP addresses"
We started using Policy Analytics and I have the following issue:
The 'Rules with multiple IP addresses' pane on the Insights tab shows '6 rules with more than 10 source IPs'. When I click on 'See recommendations' I get a list of over 50 recommendations. This is not what I expect when clicking on the recommendations link.
Where can I see what 6 rules this recommendation is about? And can this confusing part of the UI be corrected?
Azure Firewall
-
KapilAnanth-MSFT 47,206 Reputation points • Microsoft Employee
2024-11-19T11:04:17.3366667+00:00 Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you are using Policy Analytics in Azure Firewall.
Can you please elaborate on what recommendation you are expecting?
- The screenshot you shared is partial
- From the Policy Analytics video available here : https://www.microsoft.com/en-us/videoplayer/embed/RE57NCC?postJsllMsg=true,
- I see RuleName, RuleCollection, RuleGroup as well
- Are you concerned about the multiple/duplicate entries for each Rule?
- I assume there are multiple entries based on the number of IPs
- Once you create an IP group for a single Rule, it should not be popping up in this table.
If you have any suggestions for the UI/Recommendations, please consider requesting the feature in Azure Feedback Hub.
All the feedback shared in these forums is monitored and reviewed by the Microsoft engineering teams responsible for building Azure.
Please let us know if we can be of any further assistance here.
Thanks,
Kapil
-
Robbert K 1 Reputation point
2024-11-19T11:34:45.9666667+00:00 As I said (and if you look at the first screenshot) it shows "6 rules with more than 10 source IPs". Then there is a link below that "See recommendations". When I click on that I expect to see those 6 rules, not a list of 50 or so rules as can be seen in the second screenshot.
-
Robbert K 1 Reputation point
2024-11-19T11:38:08.8033333+00:00 Duplicate
-
KapilAnanth-MSFT 47,206 Reputation points • Microsoft Employee
2024-11-19T11:46:37.0666667+00:00 @Robbert K , I understand.
Looks like this is a UI issue (multiple entries for a single rule).
As mentioned, you can raise a request in Azure Feedback Hub. I shall also share the feedback internally.
Even though you see 50+ rules, if we remove the duplicates it should be just 6.
- Are you seeing additional rules that do not match the criteria?
- Is there anything else we can assist you with?
Cheers,
Kapil.
-
Robbert K 1 Reputation point
2024-11-19T12:56:45.65+00:00 @KapilAnanth-MSFT Yes I agree this is a UI issue. But it's not showing duplicate rules. It's showing unique rules, but way more than the 6 mentioned in the dashboard pane. So it's very unclear which 6 rules I have to take action on.
I actually was directed here from a Microsoft support request. They mentioned that this is a "product design limitation". But I would like to keep up to date with any progress made on this issue.
What is the best way for me to stay updated on this issue and Policy Analytics developments in general?
-
Robbert K 1 Reputation point
2024-11-19T13:01:54.9466667+00:00 Duplicate
-
Robbert K 1 Reputation point
2024-11-19T13:05:34.97+00:00 @KapilAnanth-MSFT Also, thanks for pointing me to Azure Feedback Hub - but I'm not sure how this will help me. What I'm seeing is more a UI bug than a feature request in my opinion and what I see on Feedback Hub is mostly feature requests with very little responses.
-
KapilAnanth-MSFT 47,206 Reputation points • Microsoft Employee
2024-11-20T04:21:22.1133333+00:00 @Robbert K , I did a Lab and I was able to see the behavior.
From my Lab,
For me, the analytics matches the number of rules with more IP Addresses,
- As you can see, I don't see rule4 in the recommendations.
- Can you confirm if there is a rule that is shown in recommendations as containing more IP Addresses, but in reality has less than 10 (threshold) source/destination IPs? i.e., a false positive.
- I am also initiating a private conversation so you can share the SR# of the Azure support case.
I pointed out Azure Feedback Hub so you can raise a feedback item to improve the UI's recommended action.
- Instead of the action saying, "This rule has more IP addresses in the source/destination than the chosen threshold."
- It can be divided into,
- This rule has more IP addresses in the source than the chosen threshold.
- This rule has more IP addresses in the destination than the chosen threshold.
- This rule has more IP addresses in both the source/destination than the chosen threshold.
- So that the users have a better view of what should be done with the individual rule
Cheers,
Kapil
-
Robbert K 1 Reputation point
2024-11-21T08:56:48.67+00:00 @KapilAnanth-MSFT I looked at a bunch of rules that are shown in the recommendations and there are lots of them that have less than 10 src/dst IPs. So indeed false positives. That would mean a bug then?
-
Robbert K 1 Reputation point
2024-11-21T09:10:36.4133333+00:00 duplicate
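
An independent cross-check for the question this thread leaves open (which rules really exceed the threshold, and on which side), added here as an example and not code from Microsoft or either poster. It assumes the policy's rule collection groups are available as exported JSON using the ARM field names `ruleCollections`, `rules`, `sourceAddresses` and `destinationAddresses`, and that each list entry counts as one IP, which may differ from how Policy Analytics counts; the sample data and the `<ip-group-resource-id>` placeholder are constructed.

```python
THRESHOLD = 10  # the pane reports rules with "more than 10" IPs

def _addrs(prefix, n):
    """Build n constructed sample addresses such as 10.0.0.1 .. 10.0.0.n."""
    return [f"{prefix}{i}" for i in range(1, n + 1)]

# Constructed sample in the ARM shape of a rule collection group; every name
# and address below is made up for this example.
SAMPLE_GROUPS = [{
    "name": "rcg-example",
    "properties": {"ruleCollections": [{
        "name": "rc-example",
        "rules": [
            {"name": "rule1", "sourceAddresses": _addrs("10.0.0.", 12),
             "destinationAddresses": ["10.9.0.4"]},
            {"name": "rule2", "sourceAddresses": ["10.0.0.1"],
             "destinationAddresses": _addrs("10.2.0.", 11)},
            {"name": "rule3", "sourceAddresses": _addrs("10.0.0.", 11),
             "destinationAddresses": _addrs("10.3.0.", 11)},
            {"name": "rule4", "sourceAddresses": _addrs("10.0.0.", 3),
             "destinationAddresses": ["10.9.0.4"]},
            # Sources moved into an IP group: no literal source addresses left.
            {"name": "rule5", "sourceIpGroups": ["<ip-group-resource-id>"],
             "destinationAddresses": ["10.9.0.4"]},
        ],
    }]},
}]

def rules_over_threshold(groups, threshold=THRESHOLD):
    """Return one finding per rule whose literal source or destination
    address list has more than `threshold` distinct entries."""
    findings = []
    for group in groups:
        # Accept both the ARM shape (properties.ruleCollections) and a
        # flattened export where ruleCollections sits at the top level.
        body = group.get("properties", group)
        for coll in body.get("ruleCollections", []):
            for rule in coll.get("rules", []):
                src = len(set(rule.get("sourceAddresses") or []))
                dst = len(set(rule.get("destinationAddresses") or []))
                sides = [s for s, n in (("source", src), ("destination", dst))
                         if n > threshold]
                if sides:
                    findings.append({
                        "group": group.get("name"), "collection": coll.get("name"),
                        "rule": rule.get("name"), "source": src,
                        "destination": dst, "exceeds": "+".join(sides)})
    return findings

if __name__ == "__main__":
    for finding in rules_over_threshold(SAMPLE_GROUPS):
        print(finding)
```

Comparing this list with the recommendations table shows whether an entry there is a rule that exceeds the threshold only on the destination side or one that is below the threshold on both sides.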