Azure Firewall logs and metrics

You can monitor Azure Firewall using firewall logs. You can also use activity logs to audit operations on Azure Firewall resources.

You can access some of these logs through the portal. Logs can be sent to Azure Monitor logs, Storage, and Event Hubs and analyzed in Azure Monitor logs or with other tools such as Excel and Power BI.

Metrics are lightweight and can support near real-time scenarios, making them useful for alerting and fast issue detection.

Diagnostic logs

The following diagnostic logs are available for Azure Firewall:

  • Application rule log

    The Application rule log is saved to a storage account, streamed to Event Hubs, and/or sent to Azure Monitor logs only if you've enabled it for each Azure Firewall. Each new connection that matches one of your configured application rules results in a log entry for the accepted/denied connection. The data is logged in JSON format, as shown in the following example:

    Category: application rule logs.
    Time: log timestamp.
    Properties: currently contains the full message.
    Note: this field will be parsed into specific fields in the future, while maintaining backward compatibility with the existing properties field.
    
    {
        "category": "AzureFirewallApplicationRule",
        "time": "2018-04-16T23:45:04.8295030Z",
        "resourceId": "/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/{resourceName}",
        "operationName": "AzureFirewallApplicationRuleLog",
        "properties": {
            "msg": "HTTPS request from 10.1.0.5:55640 to mydestination.com:443. Action: Allow. Rule Collection: collection1000. Rule: rule1002"
        }
    }
    
  • Network rule log

    The Network rule log is saved to a storage account, streamed to Event Hubs, and/or sent to Azure Monitor logs only if you've enabled it for each Azure Firewall. Each new connection that matches one of your configured network rules results in a log entry for the accepted/denied connection. The data is logged in JSON format, as shown in the following example:

    Category: network rule logs.
    Time: log timestamp.
    Properties: currently contains the full message.
    Note: this field will be parsed into specific fields in the future, while maintaining backward compatibility with the existing properties field.
    
    {
        "category": "AzureFirewallNetworkRule",
        "time": "2018-06-14T23:44:11.0590400Z",
        "resourceId": "/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/{resourceName}",
        "operationName": "AzureFirewallNetworkRuleLog",
        "properties": {
            "msg": "TCP request from 111.35.136.173:12518 to 13.78.143.217:2323. Action: Deny"
        }
    }
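Because both log types currently carry the whole event as a single `msg` string inside `properties`, anything that alerts on them (a SIEM rule, a Log Analytics query, a triage script) has to pull the source, destination, action and rule names back out of that string. The following Python script is an added example and not part of the Azure documentation or any Microsoft tooling; it parses the two record shapes shown above, using constructed sample records modelled on the article's JSON, and counts denied connections per source. The regular expression only covers the two message layouts documented here (it assumes IPv4 or hostname endpoints without colons, and rule names without periods), and it raises on a known category whose `msg` does not match, so a future format change surfaces instead of being silently dropped.

```python
import json
import re
from collections import Counter
from typing import Iterable, List, Optional

# Constructed sample records, modelled on the two JSON examples in this article.
# The resourceId placeholders are kept exactly as the article shows them.
SAMPLE_RECORDS = [
    {
        "category": "AzureFirewallApplicationRule",
        "time": "2018-04-16T23:45:04.8295030Z",
        "resourceId": "/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupName}"
                      "/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/{resourceName}",
        "operationName": "AzureFirewallApplicationRuleLog",
        "properties": {
            "msg": "HTTPS request from 10.1.0.5:55640 to mydestination.com:443. "
                   "Action: Allow. Rule Collection: collection1000. Rule: rule1002"
        },
    },
    {
        "category": "AzureFirewallNetworkRule",
        "time": "2018-06-14T23:44:11.0590400Z",
        "resourceId": "/SUBSCRIPTIONS/{subscriptionId}/RESOURCEGROUPS/{resourceGroupName}"
                      "/PROVIDERS/MICROSOFT.NETWORK/AZUREFIREWALLS/{resourceName}",
        "operationName": "AzureFirewallNetworkRuleLog",
        "properties": {
            "msg": "TCP request from 111.35.136.173:12518 to 13.78.143.217:2323. Action: Deny"
        },
    },
]

# Pattern for the "msg" field. Assumption: only the two layouts shown in the
# article exist. The "Rule Collection: ... Rule: ..." tail is optional because
# network rule messages stop after "Action".
MSG_RE = re.compile(
    r"^(?P<protocol>\S+) request from (?P<src>[^:\s]+):(?P<sport>\d+) "
    r"to (?P<dst>[^:\s]+):(?P<dport>\d+)\. Action: (?P<action>\w+)"
    r"(?:\. Rule Collection: (?P<collection>[^.]+)\. Rule: (?P<rule>[^.]+))?\.?$"
)

KNOWN_CATEGORIES = {"AzureFirewallApplicationRule", "AzureFirewallNetworkRule"}


def parse_record(record: dict) -> Optional[dict]:
    """Flatten one diagnostic record into named fields.

    Returns None for categories this parser does not handle. Raises ValueError
    when a known category carries a msg that does not match the documented
    shape, so a format change is noticed rather than silently dropped.
    """
    if record.get("category") not in KNOWN_CATEGORIES:
        return None
    msg = record.get("properties", {}).get("msg", "")
    m = MSG_RE.match(msg)
    if m is None:
        raise ValueError(f"unrecognised msg format: {msg!r}")
    return {
        "category": record["category"],
        "time": record["time"],
        "resourceId": record["resourceId"],
        "protocol": m["protocol"],
        "src": m["src"],
        "src_port": int(m["sport"]),
        "dst": m["dst"],
        "dst_port": int(m["dport"]),
        "action": m["action"],
        "rule_collection": m["collection"],  # None for network rule logs
        "rule": m["rule"],                   # None for network rule logs
    }


def parse_json_lines(lines: Iterable[str]) -> List[dict]:
    """Parse newline-delimited JSON records, one record per line."""
    parsed = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = parse_record(json.loads(line))
        if rec is not None:
            parsed.append(rec)
    return parsed


def denies_by_source(parsed: Iterable[dict]) -> Counter:
    """Count denied connections per source address: a simple triage view."""
    return Counter(p["src"] for p in parsed if p["action"] == "Deny")


def sample_lines() -> List[str]:
    """Serialise the constructed records as they would arrive in a JSON-lines feed."""
    return [json.dumps(r) for r in SAMPLE_RECORDS]


if __name__ == "__main__":
    parsed_records = parse_json_lines(sample_lines())
    for p in parsed_records:
        print(p)
    print(denies_by_source(parsed_records))
```

Once the fields are split out this way, the `Deny` count per source can feed a threshold alert and the `rule` / `rule_collection` values can be joined back to the rule configuration to confirm that the rule that fired is the one you expected.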
    
    

You have three options for storing your logs:

  • Storage account: Storage accounts are best used when logs are retained for a longer duration and reviewed when needed.
  • Event hubs: Event hubs are a good option for integrating with security information and event management (SIEM) tools to get alerts on your resources.
  • Azure Monitor logs: Azure Monitor logs are best used for general real-time monitoring of your application or for looking at trends.

Activity logs

Activity log entries are collected by default, and you can view them in the Azure portal.

You can use Azure activity logs (formerly known as operational logs and audit logs) to view all operations submitted to your Azure subscription.

Metrics

Metrics in Azure Monitor are numerical values that describe some aspect of a system at a particular time. Metrics are collected every minute and are useful for alerting because they can be sampled frequently. An alert can be fired quickly with relatively simple logic.

The following metrics are available for Azure Firewall:

  • Application rules hit count - The number of times an application rule has been hit.

    Unit: count

  • Network rules hit count - The number of times a network rule has been hit.

    Unit: count

  • Data processed - Sum of data traversing the firewall in a given time window.

    Unit: bytes

  • Throughput - Rate of data traversing the firewall per second.

    Unit: bits per second

  • Firewall health state - Indicates the health of the firewall based on SNAT port availability.

    Unit: percent

    This metric has two dimensions:

    • Status: Possible values are Healthy, Degraded, Unhealthy.

    • Reason: Indicates the reason for the corresponding status of the firewall.

      If more than 95% of SNAT ports are in use, they are considered exhausted and the health is 50% with status=Degraded and reason=SNAT port. The firewall keeps processing traffic and existing connections are not affected. However, new connections may intermittently fail to be established.

      If less than 95% of SNAT ports are in use, the firewall is considered healthy and health is shown as 100%.

      If no SNAT port usage is reported, health is shown as 0%.

  • SNAT port utilization - The percentage of SNAT ports that have been utilized by the firewall.

    Unit: percent

    When you add more public IP addresses to your firewall, more SNAT ports become available, reducing SNAT port utilization. Additionally, when the firewall scales out for other reasons (for example, CPU or throughput), additional SNAT ports also become available. So, effectively, a given SNAT port utilization percentage may go down without you adding any public IP addresses, just because the service scaled out. You can directly control the number of public IP addresses to increase the ports available on your firewall, but you can't directly control firewall scaling.

Next steps