Hello, I create some rule in the azure firewall, but why on the policy analytics seem all my rule is not hitting? Matching flows and hit count always 0? The rule mainly is to block and permit access to the internet. The rule is working normally and the hit counts should be increased. We can see on the firewall metric the traffic hitting the rules.

@Handian Sudianto , Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well. Can you confirm you have enabled Policy Analytics explicitly, Select Policy analytics in the table of contents and select "Insights" Next, select Configure Workspaces . In the pane that opens, select the Enable Policy Analytics checkbox. Next, choose a log analytics workspace. The log analytics workspace should be the same workspace configured in the firewall Diagnostic settings. Select Save after you choose the log analytics workspace. Also, note that logs take 60 minutes to appear after enabling them for the first time. This is because logs are aggregated in the backend every hour Cheers, Kapil

Azure Firewall Policy Analytics

Accepted answer

KapilAnanth-MSFT 46,096 Reputation points Microsoft Employee

2024-08-19T09:26:05.26+00:00
@Handian Sudianto ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

Can you confirm you have enabled Policy Analytics explicitly,

Select Policy analytics in the table of contents and select "Insights"

Next, select Configure Workspaces.

In the pane that opens, select the Enable Policy Analytics checkbox.

Next, choose a log analytics workspace. The log analytics workspace should be the same workspace configured in the firewall Diagnostic settings.

Select Save after you choose the log analytics workspace.

Also, note that logs take 60 minutes to appear after enabling them for the first time. This is because logs are aggregated in the backend every hour

Cheers,

Kapil
Please sign in to rate this answer.
Handian Sudianto 4,981 Reputation points

2024-08-19T09:36:38.6066667+00:00

Hi @KapilAnanth-MSFT

Policy Analytics already enabled

Also i have enable diagnostic on firewall level.

KapilAnanth-MSFT 46,096 Reputation points Microsoft Employee

2024-08-19T09:47:52.16+00:00

@Handian Sudianto , thanks for sharing the info.

From the docs, I see

Policy Analytics has a dependency on both Log Analytics and Azure Firewall resource specific logging. Verify the Firewall is configured appropriately or follow the previous instructions. Be aware that logs take 60 minutes to appear after enabling them for the first time. This is because logs are aggregated in the backend every hour. You can check logs are configured appropriately by running a log analytics query on the resource specific tables such as AZFWNetworkRuleAggregation, AZFWApplicationRuleAggregation, and AZFWNatRuleAggregation.

From your screenshot, I see you are using Azure Diagnostics Table.

Can you switch to resource specific logging and let us know the results? (after 60 minutes)

Cheers,

Kapil

Handian Sudianto 4,981 Reputation points

2024-08-20T00:26:56.8566667+00:00

Hi @KapilAnanth-MSFT

The issue was resolved by removing the existing diagnostic on the firewall, then turn off the policy analytics and turn on the policy analytics. I can see when we turn on the policy analytic, this will configure the firewall diagnostic also.

KapilAnanth-MSFT 46,096 Reputation points Microsoft Employee

2024-08-20T04:22:17.3266667+00:00

@Handian Sudianto , that's wonderful.

Thanks for keeping us updated. I take it that enabling Policy analytics automatically enables diagnostic logs (resource specific) - correct me if I am wrong.

I have converted our discussion/comments to an answer.

Kindly Accept the answer, as this can be beneficial to other community members and close this thread.

Cheers,

Kapil
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Azure Firewall Policy Analytics

0 additional answers

Your answer