Configuring Azure to Send Log Data to TOS
Overview
Configure Azure so TOS can collect traffic information for Azure network resources.
TOS supports the following log sources for Azure traffic:
- NSG traffic logs
  - Virtual network (VNet) flow logs: recommended for new Azure devices. Supported from TOS 5.1.0.
  - Network security group (NSG) flow logs: supported for existing configurations. Used as a fallback when VNet flow logs are not configured.
- Azure Firewall traffic logs: Azure Firewall diagnostic logs, used for Azure Firewall network rules and application rules.
Microsoft is retiring network security group (NSG) flow logs on September 30, 2027. As of June 30, 2025, users can no longer create new NSG flow logs. For more information, see Microsoft’s Flow logging for network security groups overview.
Microsoft recommends migrating from NSG flow logs to VNet flow logs. After VNet flow logs are configured, TOS automatically retrieves traffic information from the VNet flow logs.
Prerequisites
- Azure device configured in SecureTrack with at least one of the following enabled:
  - Collect traffic logs for rule usage analysis: supported for Azure Firewall and NSG.
  - Collect traffic logs for object usage analysis: supported for NSG only.
  Usage collection is not supported when the Azure subscription is monitored on a remote collector.
- Required roles and permissions for tos-role, as described in Roles and permissions for Azure devices.
Azure flow log configuration
To send Azure flow log data to TOS, configure the following in Azure:
- Flow log settings for the relevant Azure resources
- TOS access to the Azure storage account that stores the flow logs
VNet flow logs
Azure virtual network (VNet) flow logs are an Azure Network Watcher feature that records information about IP traffic flowing through a virtual network.
VNet flow logs provide traffic visibility at the virtual network level. For new Azure devices, use VNet flow logs.
For detailed information, see Microsoft's documentation on Flow logging for virtual networks.
NSG flow logs
Network security group (NSG) flow logs record traffic for a specific NSG. NSGs are associated with Azure subnets or network interfaces and control inbound and outbound traffic by using security rules.
Use NSG flow logs only for existing Azure configurations where NSG flow logs are already enabled. TOS supports NSG flow logs version 1 and version 2.
For detailed information, see Microsoft's documentation on Flow logging for network security groups.
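The following Python is an added example, not part of the Tufin documentation or of TOS itself. It reads NSG flow log records in the version 1 and version 2 schema that TOS accepts and derives a per-rule hit count and last-hit timestamp, the kind of information the Last Hit date in the Rule Viewer reflects. The sample records are constructed; the tuple layout follows Microsoft's published NSG flow log format.

```python
"""Derive per-rule usage from Azure NSG flow log records (schema v1 and v2)."""
from datetime import datetime, timezone

# Constructed sample records in the NSG flow log shape: one version 2 record and
# one version 1 record. v2 tuples append flow state (B/C/E) and traffic counters.
SAMPLE_RECORDS = [
    {"category": "NetworkSecurityGroupFlowEvent", "properties": {"Version": 2, "flows": [
        {"rule": "UserRule_allow-https", "flows": [{"mac": "000D3AF8XXXX", "flowTuples": [
            "1700000000,10.0.0.4,10.0.1.5,51000,443,T,I,A,B,,,,",
            "1700000060,10.0.0.4,10.0.1.5,51000,443,T,I,A,E,10,1200,8,900"]}]},
        {"rule": "DefaultRule_DenyAllInBound", "flows": [{"mac": "000D3AF8XXXX", "flowTuples": [
            "1700000030,198.51.100.7,10.0.1.5,40000,22,T,I,D,B,,,,"]}]}]}},
    {"category": "NetworkSecurityGroupFlowEvent", "properties": {"Version": 1, "flows": [
        {"rule": "UserRule_allow-https", "flows": [{"mac": "000D3AF8XXXX", "flowTuples": [
            "1699999000,10.0.0.9,10.0.1.5,52000,443,T,I,A"]}]}]}},
]

V1_FIELDS = ("ts", "src_ip", "dst_ip", "src_port", "dst_port", "proto", "direction", "decision")
V2_FIELDS = V1_FIELDS + ("state", "pkts_out", "bytes_out", "pkts_in", "bytes_in")


def parse_tuple(raw, version):
    """Split one comma-separated flow tuple into named fields for the given schema version."""
    fields = V2_FIELDS if version == 2 else V1_FIELDS
    parts = raw.split(",")
    if len(parts) != len(fields):
        raise ValueError(f"v{version} tuple has {len(parts)} fields, expected {len(fields)}")
    return dict(zip(fields, parts))


def rule_usage(records):
    """Return {rule: {"hits": n, "last_hit": ISO-8601 UTC}} for a list of records.
    v2 emits separate B (begin), C (continue) and E (end) tuples per connection; only B
    counts, so a long-lived flow is not counted once per interval. v1 has no state."""
    usage = {}
    for rec in records:
        props = rec["properties"]
        version = props.get("Version", 1)
        for rule_entry in props["flows"]:
            for flow in rule_entry["flows"]:
                for raw in flow["flowTuples"]:
                    t = parse_tuple(raw, version)
                    if version == 2 and t["state"] != "B":
                        continue
                    entry = usage.setdefault(rule_entry["rule"], {"hits": 0, "last_hit": 0})
                    entry["hits"] += 1
                    entry["last_hit"] = max(entry["last_hit"], int(t["ts"]))
    for entry in usage.values():
        entry["last_hit"] = datetime.fromtimestamp(entry["last_hit"], timezone.utc).isoformat()
    return usage
```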
Grant TOS access to storage account
Grant TOS access to the storage account from which to pull usage logs.
- In the Storage Accounts page for your account:
  - Select the storage account.
  - Click Access Control (IAM).
  - Under the Role assignments tab, verify that TOS has permissions for the following:
    - Storage Blob Data Contributor
    - Storage Queue Data Contributor
  - Select Data Storage > Containers.
  - Verify that the insights-logs-networksecuritygroupflowevent directory exists.
Azure firewall diagnostic logs
To allow TOS to collect Azure Firewall traffic information, configure Azure Firewall diagnostic logs to send data to a Log Analytics workspace.
- In the Firewall page for your account, select Monitoring > Diagnostic settings.
- Select Add diagnostic setting.
- In the Diagnostic setting page:
  - In the Logs > Categories section, select Azure Firewall Network Rule and Azure Firewall Application Rule.
  - In the Destination details section:
    - Select Send to Log Analytics workspace.
    - Select the Subscription and the Log Analytics workspace from the corresponding lists.
    - For the Access Control (IAM), ensure that the tufin app has permission to access the Log Analytics workspace.
    - For the Destination table, select Azure diagnostics or, from TOS 5.1.0, Resource specific.
After configuring Azure to allow TOS to pull traffic information, you can use TQL queries in the Rule Viewer (timeLastHit) to see the Last Hit date.