Microsoft Azure Traffic Log Configuration

Microsoft Azure Traffic Configuration

FortiCWP consolidates Azure cloud traffic logs of all virtual private cloud resources and present in a graphical user interface. By enabling traffic log, FortiCWP lets you be able to monitor all inbound and outbound traffic visually, and remediate suspicious activities on Azure Cloud. To activate Traffic feature on FortiCWP, Azure flow logs needs to be enabled.

Prerequisites

An active Azure Cloud account installed on FortiCWP is required to enable Traffic logging.

To utilize traffic log from Azure Cloud, an active virtual machine with network watcher is required to activate this feature on FortiCWP. Network Security Group flow logging also requires Microsoft Insights to create flow logs.

Enable Network Watcher

  1. In Azure Portal, in the top search field, search and click on Network Watcher
  2. Select Regions to expand it, and select ... to the right of the targeted region.
  3. Select Enable Network Watcher.

Register Insights Provider

  1. In Azure Portal, search and click on Subscriptions.
  2. Select the subscription you want to enable the provider.
  3. Select Resource providers under Settings.
  4. Make sure microsoft.insights provider is Registered. If it is Unregistered, select Register.

Enable NSG flow log

  1. NSG flow log requires an Azure Storage account to store the flow logs. To create an Azure Storage account, select +Create a resource at the top left corner of the portal.
  2. Select Storage, and then select Storage account.
  3. Enter Storage account name, Location, and select a Resource group, then select Create.
  4. The storage account may take around a few minutes to create. If you are using an existing storage account, make sure that the storage account has All networks(default) selected for Firewalls and virtual networks, under Setting in storage account.

  5. Search and click on Network Watcher in the top of Azure portal.
  6. Select NSG flow logs under LOGS.
  7. From the list of NSG flow logs, select (virtual machine name)-nsg.
  8. Under Flow logs settings, select On.
  9. Select flow logging version. Version 2 contains flow session statistics.
  10. Select the storage account created earlier in step 3.
  11. Set Retention(days) to 5 and then select Save.

Download/View flow log

  1. From Network Watcher portal, select NSG flow logs under LOGS.
  2. Select "You can download flow logs from configured storage accounts", as shown in the following:
  3. Select the storage account from step 2 of Enable NSG flow log.
  4. Under Blob service, select Blobs, and then select the insights-logs-networksecuritygroupflowevent container.
  5. In the container navigate the folder hierachy until you get to a PT1H.json file. Log files are in the following naming convention:
  6. https://{storageAccountName}.blob.core.windows.net/insights-logs-networksecuritygroupflowevent/resourceId=/SUBSCRIPTIONS/{subscriptionID}/RESOURCEGROUPS/{resourceGroupName}/PROVIDERS/MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/{nsgName}/y={year}/m={month}/d={day}/h={hour}/m=00/macAddress={macAddress}/PT1H.json

  7. Select ... to the right of the JSON file and select download to view the JSON file.

After verifying you can download and view the JSON file, the setting on Azure Cloud is completed. Now FortiCWP is able to capture traffic flow logs and present in Traffic.

Reference

Log network traffic to and from a virtual machine using the Azure portal.

https://docs.microsoft.com/en-us/azure/network-watcher/network-watcher-nsg-flow-logging-portal#enable-nsg-flow-log

Từ khóa » View Nsg Flow Logs In Log Analytics