Monitoring Microsoft Azure

Overview

TOS monitors Microsoft Azure® Public Cloud and Azure Government for policy revision changes.

To monitor Azure, you must complete three setup tasks in the Azure portal:

To see which TOS features are supported for your device, review the SecureTrack Features by Vendor.

Classic rules are firewall rules that are configured directly on the device and are not part of Azure Firewall policies. These rules are not supported.

Prerequisites

The following values and permissions are required to add a Microsoft Azure device in TOS:

These tasks are required in Azure: Register an app, create a role, and assign the role.

Roles and Permissions

Permissions in Azure are assigned through roles. You can either create a custom role to define the required permissions or use an existing role.

To create a custom role, see the Microsoft documentation: Create or update Azure custom roles.

When assigning the role, set the scope at the level of the subscription or resource group that you want TOS to monitor. Permissions set at a higher level (for example, subscription) are inherited by lower levels (for example, resource groups).
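The three Azure-side tasks named on this page (register an app, create a custom role, assign it at a scope), scripted with the Azure CLI as an added example that is not part of the Tufin documentation or product. The role name, app display name and the `Actions` entries are placeholders: the actions must be filled from the permission blocks on this page. The script is a dry run that prints the `az` commands unless `APPLY=1` is set; `scope_covers` shows the inheritance rule from the paragraph above (a role granted at subscription level also applies to the resource groups beneath it, but not the reverse).

```shell
#!/bin/sh
# Added example, not Tufin tooling. Placeholders: role name, app display name,
# and the "Actions" list (fill it from this page's permission blocks).
# Dry run by default; set APPLY=1 to execute the az commands.
set -eu

# Compose the RBAC scope for the level TOS should monitor: subscription only,
# or a resource group inside it when a second argument is given.
tos_scope() {
  sub="$1"; rg="${2:-}"
  if [ -n "$rg" ]; then
    printf '/subscriptions/%s/resourceGroups/%s' "$sub" "$rg"
  else
    printf '/subscriptions/%s' "$sub"
  fi
}

# Return 0 when a role assigned at scope $1 also covers scope $2 by
# inheritance: a scope covers itself and everything beneath it.
# (Comparison is literal; Azure itself matches scopes case-insensitively.)
scope_covers() {
  granted="$1"; target="$2"
  case "$target" in
    "$granted"|"$granted"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Write the role definition JSON consumed by `az role definition create`.
write_role_definition() {
  out="$1"; scope="$2"
  cat > "$out" <<EOF
{
  "Name": "TOS Azure Monitor (placeholder name)",
  "IsCustom": true,
  "Description": "Read-only permissions for TOS monitoring",
  "Actions": [
    "<actions from the General Azure Monitoring block>",
    "<actions from the Azure Firewall Monitoring block>"
  ],
  "NotActions": [],
  "AssignableScopes": [ "$scope" ]
}
EOF
}

# Print a command in dry-run mode, execute it when APPLY=1.
run() {
  if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "+ $*"; fi
}

# Register app -> create role -> assign role at the chosen scope.
setup_tos_access() {
  sub="$1"; rg="${2:-}"
  scope=$(tos_scope "$sub" "$rg")
  role_file="${TMPDIR:-/tmp}/tos-role.json"
  write_role_definition "$role_file" "$scope"

  # 1. App registration and its service principal. The app (client) id and
  #    the secret printed once by `credential reset` are the values entered
  #    in TOS; store the secret there, not in shell history or logs.
  if [ "${APPLY:-0}" = 1 ]; then
    app_id=$(az ad app create --display-name tos-azure-monitor --query appId -o tsv)
  else
    app_id='<appId returned by az ad app create>'
  fi
  run az ad sp create --id "$app_id"
  run az ad app credential reset --id "$app_id" --query password -o tsv
  # 2. Custom role from the definition written above.
  run az role definition create --role-definition "@$role_file"
  # 3. Assignment at the monitored scope; lower levels inherit it.
  run az role assignment create --assignee "$app_id" \
    --role "TOS Azure Monitor (placeholder name)" --scope "$scope"
}

# Dry run with a constructed subscription id and resource-group name.
setup_tos_access 00000000-0000-0000-0000-000000000000 rg-network-prod
```

Scoping the assignment to a single resource group is the least-privilege choice when TOS only needs to see that group; a subscription-level assignment is simpler to manage but covers every resource group in the subscription.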

General Azure Monitoring

Use the following permission blocks based on the features you want to enable:

Azure Firewall Monitoring

These permissions apply specifically to Azure Firewall and its related policy and diagnostic components.

Add a Device

Use the wizard to add a Microsoft Azure device so TOS can monitor it.

  1. Select Azure.

  2. Configure the device settings:

    • Name for Display: Enter a name to identify the device.
    • Domain: Available only if you have configured your system to manage multiple domains and All Domains is currently selected. Select the domain to which to add the device. The Domain can only be set when adding a device; to change the Domain, you must migrate the device.

    • ST server: In a distributed deployment, select which TOS cluster monitors this device.

    • Usage Analysis:
      • Collect traffic logs for rule usage analysis: Selected by default, from R24-1. Supported for Azure Firewall and NSG.

      • Collect traffic logs for object usage analysis: Selected by default, from R24-2. Supported for NSG only.

      Usage collection is not supported when the Azure subscription is monitored by a remote collector.

      Enabling Usage Analysis requires additional configuration in Azure. See Configuring Azure to Send Log Data to TOS.
    • Enable Topology: Collects routing information for building the network Map.
  3. Click Next.

  4. Configure the TOS connection to the Microsoft Azure device according to the parameters required by the device. See Prerequisites for details.

    For proxy server connections, select Proxy and enter the https/http proxy server and port. Username and password are optional.

  5. Click Next.

  6. Select Monitoring Settings and Periodic Polling.

    • Monitoring Settings
      • To use timing settings from the Timing page, select Default.
      • To use custom monitoring, select Custom and configure the monitoring mode and settings.
    • Periodic Polling
      • To use the timing page settings, select Use timing page settings (Monitoring > Timing).
      • To define a custom interval, select Custom settings and configure the Polling frequency. If you select 1 day, you can then set the exact time (hour and minute) for daily polling.
  7. Click Next.
  8. Save the configuration.

    The Microsoft Azure device now appears in the Monitored Devices tree.

  9. Choose the next step:

    • Import Azure Virtual Networks

    • Import Azure Load Balancers

    • Import Azure Firewall Policies

    • Import Azure Virtual WAN

    • Add another Microsoft Azure device

    Importing Virtual Networks requires that the VNet has at least one VNIC.

  10. Click Done.

Configure a Monitored Device

After you add a device, you can configure or manage it from the Monitored Devices tree. Options vary depending on your environment.

The following example shows configuration options for an Azure device. Options vary depending on the device type.

  • Edit configuration: Open the wizard to modify device settings. See Add a Device.
  • Delete this device: Type yes to confirm deletion.
  • Import Azure Virtual Networks: Select the virtual networks to add.
  • Import Azure Load Balancers: Select the load balancers to add.
  • Import Azure Firewall Policies: Select the firewall policies to add.
  • Import Azure Virtual WAN: Select the virtual WANs and virtual hubs to add.

How Do I Get Here?

SecureTrack > Monitoring > Manage Devices