Monitor logs using Azure Firewall Workbook

Azure Firewall Workbook provides a flexible canvas for Azure Firewall data analysis. You can use it to create rich visual reports within the Azure portal. You can tap into multiple firewalls deployed across Azure and combine them into a unified, interactive experience.

You can gain insights into Azure Firewall events, learn how your application and network rules are being hit, and see statistics for firewall activity across URLs, ports, and addresses. Azure Firewall Workbook lets you filter by firewall and resource group, and dynamically filter within each category, so the data set stays easy to read when you are investigating an issue in your logs.

Prerequisites

Before starting, enable diagnostic logging for the firewall through the Azure portal; the workbook queries the diagnostic logs in a Log Analytics workspace, so a firewall without diagnostic settings produces no data. Also read Azure Firewall logs and metrics for an overview of the diagnostic logs and metrics available for Azure Firewall.

Get started

To deploy the workbook, go to Azure Monitor Workbook for Azure Firewall and follow the instructions on the page. Azure Firewall Workbook is designed to work across multiple tenants and subscriptions, and can be filtered to multiple firewalls.

Deploy to Azure

Overview page

The overview page provides a way to filter across workspaces, time, and firewalls. It shows events over time across firewalls and log types (application rule, network rule, and DNS proxy).

Screenshot: Azure Firewall Workbook overview

Application rule log statistics

This page shows unique source IP addresses over time, application rule usage counts, denied and allowed FQDNs over time, and the filtered data. You can filter the data by IP address.

Screenshot: Azure Firewall Workbook application rule log

Network rule log statistics

This page provides a view by rule action (allow or deny), target port per destination IP, and DNAT activity over time. You can also filter by action, port, and destination type.

Screenshot: Azure Firewall Workbook network rule log

You can also filter logs by time window:

Screenshot: Azure Firewall Workbook network rule log time window

Investigations

You can look at the logs and learn more about a resource from its source IP address. You can get information such as the virtual machine name and the network interface name. It's simple to filter to that resource from the logs.

Screenshot: Azure Firewall Workbook investigations
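The application rule, network rule and investigation pages above are all built on the same records: the msg_s field of the AzureFirewallApplicationRule and AzureFirewallNetworkRule diagnostic logs. The following added example (written for this article, not the workbook's own Kusto queries) parses a handful of constructed log lines in that message format and derives the same views the workbook pages show: unique source IPs, allow/deny counts per FQDN, rule usage, target port per destination IP, DNAT translations, and a per-source-IP pivot for investigations. The message shapes follow the documented msg_s examples for Azure Firewall; the addresses, FQDNs and rule names are invented for the sample.

```python
"""Derive Azure Firewall Workbook-style statistics from sample msg_s log lines.

Added example for this article. The message formats mirror the msg_s field of
Azure Firewall diagnostic logs (AzureFirewallApplicationRule /
AzureFirewallNetworkRule); every address, FQDN and rule name below is constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed sample records: (log category, msg_s). Not real traffic.
SAMPLE_LOGS = [
    ("AzureFirewallApplicationRule",
     "HTTPS request from 10.0.1.4:49322 to www.example.com:443. Action: Allow. Rule Collection: allow-web. Rule: web"),
    ("AzureFirewallApplicationRule",
     "HTTPS request from 10.0.1.4:49323 to updates.example.org:443. Action: Deny. No rule matched. Proceeding with default action"),
    ("AzureFirewallApplicationRule",
     "HTTP request from 10.0.2.7:51000 to www.example.com:80. Action: Allow. Rule Collection: allow-web. Rule: web"),
    ("AzureFirewallNetworkRule",
     "TCP request from 10.0.1.4:50404 to 10.1.0.5:22. Action: Allow. Rule Collection: mgmt. Rule: ssh"),
    ("AzureFirewallNetworkRule",
     "TCP request from 203.0.113.9:12518 to 10.1.0.5:3389. Action: Deny"),
    ("AzureFirewallNetworkRule",
     "UDP request from 10.0.2.7:53211 to 10.1.0.9:53. Action: Allow. Rule Collection: dns. Rule: dns-out"),
    ("AzureFirewallNetworkRule",
     "TCP request from 198.51.100.23:5678 to 20.0.0.10:80 was DNAT'ed to 10.1.0.7:80"),
]

# Rule-evaluation messages: "<proto> request from <src>:<port> to <dst>:<port>. Action: <Allow|Deny>"
# optionally followed by ". Rule Collection: <name>. Rule: <name>" when a rule matched.
RULE_RE = re.compile(
    r"^(?P<proto>\w+) request from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[^:]+):(?P<dport>\d+)\. Action: (?P<action>Allow|Deny)"
    r"(?:\. Rule Collection: (?P<coll>[^.]+)\. Rule: (?P<rule>.+))?"
)
# DNAT messages: "<proto> request from <src>:<port> to <dst>:<port> was DNAT'ed to <tdst>:<tport>"
DNAT_RE = re.compile(
    r"^(?P<proto>\w+) request from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+):(?P<dport>\d+) was DNAT'ed to (?P<tdst>[\d.]+):(?P<tport>\d+)"
)


def parse(category, msg):
    """Return a dict of fields for one msg_s value, or None if the line is not recognised."""
    m = DNAT_RE.match(msg)
    if m:
        d = m.groupdict()
        d.update(category=category, action="DNAT", dport=int(d["dport"]), tport=int(d["tport"]))
        return d
    m = RULE_RE.match(msg)
    if m:
        d = m.groupdict()          # coll/rule are None when no rule matched
        d.update(category=category, dport=int(d["dport"]))
        return d
    return None


def parse_all(records):
    """Parse every (category, msg_s) pair, silently skipping unrecognised lines."""
    return [e for e in (parse(c, m) for c, m in records) if e]


def unique_sources(events):
    """Overview / application page: distinct source IP addresses."""
    return sorted({e["src"] for e in events})


def fqdn_stats(events):
    """Application rule page: Allow/Deny counts per destination FQDN."""
    stats = defaultdict(Counter)
    for e in events:
        if e["category"] == "AzureFirewallApplicationRule":
            stats[e["dst"]][e["action"]] += 1
    return {fqdn: dict(c) for fqdn, c in stats.items()}


def rule_usage(events):
    """Application/network rule pages: hits per 'collection/rule' for rule-matched events."""
    return Counter(f'{e["coll"]}/{e["rule"]}' for e in events if e.get("rule"))


def ports_by_destination(events):
    """Network rule page: (target port, action) counts per destination IP."""
    view = defaultdict(Counter)
    for e in events:
        if e["category"] == "AzureFirewallNetworkRule" and e["action"] != "DNAT":
            view[e["dst"]][(e["dport"], e["action"])] += 1
    return {ip: dict(c) for ip, c in view.items()}


def dnat_events(events):
    """Network rule page: (src, public dst, port, translated dst, translated port) tuples."""
    return [(e["src"], e["dst"], e["dport"], e["tdst"], e["tport"])
            for e in events if e["action"] == "DNAT"]


def investigate(events, src_ip):
    """Investigations page: every event from one source IP, the pivot for finding the VM behind it."""
    return [e for e in events if e["src"] == src_ip]


if __name__ == "__main__":
    evs = parse_all(SAMPLE_LOGS)
    print("sources:", unique_sources(evs))
    print("fqdn:", fqdn_stats(evs))
    print("rules:", rule_usage(evs))
    print("ports:", ports_by_destination(evs))
    print("dnat:", dnat_events(evs))
    print("10.0.1.4:", [(e["dst"], e["dport"], e["action"]) for e in investigate(evs, "10.0.1.4")])
```

The denied application-rule line carries no rule name ("No rule matched"), so rule_usage counts only explicit matches; a spike in Deny entries with no rule is the same signal the workbook's denied-FQDN chart surfaces, and investigate() gives you the per-source slice you would then take to the VM's network interface.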

Next steps