Enable and configure diagnostic logging and metrics for the Azure Firewall

Implementation Effort: Medium

User Impact: Low

Overview

Diagnostic logs and metrics are vital for validating your firewall’s effectiveness, detecting policy gaps, and enabling rapid incident investigation. Enable comprehensive diagnostic logging and metrics for Azure Firewall as follows:

In the Azure portal, navigate to your firewall’s Diagnostic settings and add a new setting that sends logs to your Log Analytics workspace. Selecting the required resource-specific tables such as 'AzureFirewallApplicationRule', 'AzureFirewallNetworkRule', 'AzureFirewallThreatIntel', or AzureFirewallIdpsSignature, —capturing all application-layer matches, network-layer matches, threat-intelligence matches or blocks and IDPS related events.

Azure Firewall also emits platform metrics—such as Application rules hit count, Network rules hit count, Data processed, SNAT port utilization, and Firewall health state —by default. You can chart these metrics, create alerts, and correlate them in Azure Monitor to monitor performance, capacity, and policy efficacy .

Reference

• Azure Monitor overview
• Monitor Azure Firewall
• Supported Azure Firewall log categories
• Azure Firewall monitoring data reference
• Using Azure Firewall Workbooks