I've recently spent some time troubleshooting traffic routes through Azure Firewall, which requires writing KQL queries against its logs. The Azure Firewall Workbook is great for seeing overall trends, but if you want to dive into specific rules then writing your own query is the way to go. In my experience, Googling and asking Copilot for help with creating queries only got me so far, so I wanted to share my learnings and cover the main things you might want to inspect.
Note: to be able to query the logs you need to configure your Azure Firewall to send diagnostic data to a Log Analytics workspace.
When inspecting traffic I'm generally interested in a subset of fields, which I've included in the default query. This includes renaming the columns so they are a bit more readable, e.g. SourceIp rather than AdditionalFields.SourceIp. If you comment out the "project" statement, the query returns all available fields with their standard names. Below are the fields I've included:
Time generated
Action (allow, block)
Action reason (e.g. No rule matched, proceeding with default action)
Source IP
Source port
Destination IP (if it's an IP)
Destination port
Destination FQDN (if it's an FQDN)
Rule (the rule hit)
Rule Category (e.g. Application rule, Network etc.)
I've also included some common ways to filter on, say, source IP: you can specify a single address, a list of addresses or a CIDR range.
How to use the code
Navigate to your Azure Firewall instance and select "Logs" under the "Monitoring" heading to get to the Log Analytics query pane. Copy the code and uncomment the lines you want to be active by removing the "//" from the start of the line.
Note: I've not had a need to check IPv6 addresses, so I haven't added those.
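The query below is an added example of the approach described above, not the author's own query. It assumes the resource-specific structured-log tables AZFWNetworkRule and AZFWApplicationRule and their standard column names (check with "| getschema" if your workspace uses a different schema); the IP addresses and rule name in the commented filters are constructed sample values.

```kql
// Added example (not the post's original query). Assumes Azure Firewall
// structured logs in the resource-specific tables AZFWNetworkRule and
// AZFWApplicationRule; adjust column names if your schema differs.
let lookback = 24h;
// Constructed sample values for the filters below
let srcIps  = dynamic(["10.0.1.4", "10.0.1.5"]);
let srcCidr = "10.0.0.0/16";
// Network rule hits: no FQDN, so add an empty column for a clean union
AZFWNetworkRule
| where TimeGenerated > ago(lookback)
| extend RuleCategory = "Network rule", DestinationFqdn = ""
| union (
    // Application rule hits: FQDN-based, so normalise Fqdn into DestinationFqdn
    AZFWApplicationRule
    | where TimeGenerated > ago(lookback)
    | extend RuleCategory = "Application rule", DestinationIp = "", DestinationFqdn = Fqdn
)
// Uncomment the filters you need by removing the leading "//"
// | where SourceIp == "10.0.1.4"                 // single address
// | where SourceIp in (srcIps)                   // list of addresses
// | where ipv4_is_in_range(SourceIp, srcCidr)    // CIDR range
// | where Action == "Deny"                       // blocked traffic only
// | where Rule == "allow-dns"                    // hits on one specific rule
// | where ActionReason has "No rule matched"     // traffic hitting the default action
// Comment out the next line to see every available field with its standard name
| project TimeGenerated, Action, ActionReason, SourceIp, SourcePort, DestinationIp, DestinationPort, DestinationFqdn, Rule, RuleCategory
| order by TimeGenerated desc
```

Run it from the firewall's "Logs" pane so the workspace scope is already set; the union keeps both rule types in one result set, and RuleCategory tells you which kind of rule produced each row.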
Hope this helps someone!