Using Policy Analytics for Azure Firewall to Reinforce Security

With workload demands constantly evolving, it’s important that your network security policies keep pace. These policies are frequently altered several times per week, and many are changed several times in a single day.

Over time, as network and application rules accumulate, the quality of your Azure Firewall policy degrades and the firewall’s performance and latency suffer. A common case: an application has been moved to another network, yet the rules that allowed it from the old network were never removed. Stale and overly broad rules pile up ahead of the rules that matter, so the rules carrying most of your traffic end up evaluated later than they should be.

It’s a challenging task for any IT team to maintain and optimise firewall rules, especially for large, geographically dispersed enterprises. It can involve multiple teams from different locations undertaking the complex job of manually augmenting the Azure Firewall policy. On top of this, there’s always the risk that an update can critically impact a crucial workload, leading to major disruptions.

Fortunately, Policy Analytics helps you optimise your Azure Firewall over time by providing insights and recommendations drawn from the traffic the firewall actually sees, with the aim of strengthening your security posture.

Policy Analytics for Azure Firewall is now in public preview, so you can get started right away.

Optimising your Azure Firewall using Policy Analytics

Policy Analytics provides visibility into the traffic flowing through your Azure Firewall. From your Azure Portal, you have the following capabilities available:

  • Firewall Flow Logs: Displays the traffic flowing through your Azure Firewall together with the hit rate and the network or application rule each flow matched. This view is great for finding the top flows across all rules, and lets you filter flows by source, destination, port, and protocol.
  • Rule Analytics: Displays traffic flows mapped to the destination network address translation (DNAT), network, and application rules that matched them, giving you visibility of all flows corresponding to a specific rule over time. Rules can be studied across both parent and child policies.
  • Policy Insight Panel: Groups policy insights and provides policy recommendations to enhance Azure Firewall Policies.
  • Single-Rule Analysis: Studies traffic flows that match a selected rule, then recommends augmentations based on those flows.

Breakdown of single-rule analysis

As mentioned, single-rule analysis means selecting a specific rule and analysing the traffic flows that match it. It is ideal for optimisation and takes only a few clicks.

First, select a policy. Then, select Policy Analytics (preview) from the Monitoring blade. From here, you can click on Single-rule analysis.

Finding single-rule analysis: preview of your firewall's 'Policy Analytics' tab.

Policy analytics lets you pick a rule of interest and perform a rule analysis on it. So, from here you simply need to select a rule you’d like to optimise.

NOTE: During the public preview, single-rule analysis does not support refining rules that use Service Tags, FQDN Tags, Web categories or IP Groups.

You’ll be shown recommendations based on the analysed traffic flows. From this view you can evaluate and apply them as you see fit: deleting unused rules, moving a rule to a lower priority, or locking a rule down to only the ports seen in the matching traffic.

Selecting a rule and viewing recommendations: preview of the 'Single-rule analysis' tab in 'Policy Analytics'.
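To make concrete what the Rule Analytics view and single-rule analysis are doing, here is an added example (not code from the article or from Microsoft; Policy Analytics itself runs in the portal over the firewall's logs) that replays the same logic over constructed flow records: attribute each flow to the first rule that matches it in priority order, count hits per rule, and for one selected rule derive the three kinds of recommendation described above. The rule model is a simplification (one network rule with a priority standing in for its rule collection priority), and the rule names, addresses and hit counts are made up for the example.

```python
# Added example (not code from the article or from Microsoft): a toy version of the
# analysis that Policy Analytics performs, run over constructed flow records.
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NetworkRule:
    name: str
    priority: int                      # like a rule collection priority: 100-65000, lower is evaluated first
    sources: tuple[str, ...]           # source CIDRs
    destinations: tuple[str, ...]      # destination CIDRs
    protocols: frozenset[str]          # e.g. {"TCP", "UDP"}
    dest_ports: frozenset[int] | None  # None stands for '*' (any destination port)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: str
    dest_port: int
    hits: int  # log records seen for this flow in the analysis window


def _in_any(addr: str, cidrs: tuple[str, ...]) -> bool:
    ip = ip_address(addr)
    return any(ip in ip_network(c, strict=False) for c in cidrs)


def rule_matches(rule: NetworkRule, flow: Flow) -> bool:
    """Would this rule match the flow if the flow reached it?"""
    return (
        flow.protocol in rule.protocols
        and (rule.dest_ports is None or flow.dest_port in rule.dest_ports)
        and _in_any(flow.src, rule.sources)
        and _in_any(flow.dst, rule.destinations)
    )


def first_matching_rule(rules, flow):
    """Rules are evaluated in priority order and the first match wins."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, flow):
            return rule
    return None


def hits_by_rule(rules, flows) -> dict[str, int]:
    """Rule Analytics view: traffic actually attributed to each rule."""
    counts = {r.name: 0 for r in rules}
    for f in flows:
        rule = first_matching_rule(rules, f)
        if rule is not None:
            counts[rule.name] += f.hits
    return counts


def analyze_rule(rule, rules, flows) -> dict:
    """Single-rule analysis: which flows reach this rule, and what to change."""
    would_match = [f for f in flows if rule_matches(rule, f)]
    reaches = [f for f in would_match if first_matching_rule(rules, f) is rule]
    hits = sum(f.hits for f in reaches)
    shadowed = sum(f.hits for f in would_match) - hits   # traffic taken by an earlier rule
    ports = Counter()
    for f in reaches:
        ports[(f.protocol, f.dest_port)] += f.hits
    observed = sorted({p for _, p in ports})
    if hits == 0 and shadowed == 0:
        rec = "delete: no matching traffic in the analysis window"
    elif hits == 0:
        rec = "delete or reorder: a higher-priority rule already handles all matching traffic"
    elif rule.dest_ports is None or len(rule.dest_ports) > len(observed):
        rec = f"narrow dest ports to {observed}"
    else:
        rec = "keep"
    return {"rule": rule.name, "hits": hits, "shadowed_hits": shadowed,
            "ports": dict(ports), "recommendation": rec}


def suggested_order(rules, flows) -> list[str]:
    """Put the rules carrying the most traffic first; idle rules sink to the bottom."""
    counts = hits_by_rule(rules, flows)
    return [r.name for r in sorted(rules, key=lambda r: (-counts[r.name], r.priority))]


# Constructed policy and flow records for the example (not real log data).
DNS_BROAD = NetworkRule("dns-broad", 100, ("10.0.0.0/8",), ("10.1.0.0/24",), frozenset({"UDP"}), frozenset({53}))
WEB_ANY_PORT = NetworkRule("allow-web-any-port", 200, ("10.0.0.0/16",), ("10.1.0.0/24",), frozenset({"TCP"}), None)
LEGACY_DB = NetworkRule("legacy-db", 300, ("10.0.0.0/16",), ("10.9.0.0/24",), frozenset({"TCP"}), frozenset({1433}))
DNS_SPECIFIC = NetworkRule("dns-specific", 400, ("10.0.0.0/16",), ("10.1.0.53/32",), frozenset({"UDP"}), frozenset({53}))
RULES = (DNS_BROAD, WEB_ANY_PORT, LEGACY_DB, DNS_SPECIFIC)

FLOWS = (
    Flow("10.0.1.5", "10.1.0.10", "TCP", 443, 1200),
    Flow("10.0.2.7", "10.1.0.11", "TCP", 443, 300),
    Flow("10.0.1.5", "10.1.0.53", "UDP", 53, 5000),
)

if __name__ == "__main__":
    for r in RULES:
        print(analyze_rule(r, RULES, FLOWS))
    print("suggested order:", suggested_order(RULES, FLOWS))
```

Running it shows the three situations the article lists: the any-port web rule only ever sees TCP/443 and is a candidate for locking down to that port; the legacy database rule matches nothing and is a deletion candidate; and the specific DNS rule never receives traffic because the broader rule at priority 100 already allows it, so it is either redundant or in the wrong place in the order. The same shadowing check is worth running before you apply a "lower the priority" recommendation, since moving a rule below a broader one can silently change which rule handles the traffic.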

Pricing for Policy Analytics

While Policy Analytics is in preview, enabling it on a Firewall Policy that is associated with only a single firewall is billed per policy. You can find more information about this billing here.

Otherwise, enabling Policy Analytics on a Firewall Policy associated with more than one firewall can be done at no extra cost.