articles/web-application-firewall/afds/waf-front-door-monitor.md
19 additions & 9 deletions
@@ -5,28 +5,38 @@ author: vhorne
5
5
ms.service: web-application-firewall
6
6
ms.topic: article
7
7
services: web-application-firewall
8
-
ms.date: 08/16/2022
8
+
ms.date: 02/96/2023
9
9
ms.author: victorh
10
10
zone_pivot_groups: front-door-tiers
11
11
---
12
12
13
13
# Azure Web Application Firewall monitoring and logging
14
14
15
-
Azure Web Application Firewall (WAF) monitoring and logging are provided through logging and integration with Azure Monitor and Azure Monitor logs.
16
-
17
-
## Azure Monitor
15
+
Azure Front Door's Web Application Firewall (WAF) provides extensive logging and telemetry to help you to understand how your WAF is performing and the actions it takes.
18
16
19
17
Front Door's WAF log is integrated with [Azure Monitor](../../azure-monitor/overview.md). Azure Monitor enables you to track diagnostic information including WAF alerts and logs. You can configure WAF monitoring within the Front Door resource in the portal under the **Diagnostics** tab, through infrastructure as code approaches, or by using the Azure Monitor service directly.
20
18
21
-
From Azure portal, go to Front Door resource type. From **Monitoring**/**Metrics** tab on the left, you can add **WebApplicationFirewallRequestCount** to track number of requests that match WAF rules. Custom filters can be created based on action types and rule names.
19
+
## Metrics
20
+
21
+
Azure Front Door automatically records metrics to help you to understand the behavior of your WAF.
1. Sign in to the [Azure portal](https://portal.azure.com) and navigate to your Azure Front Door profile.
26
+
1. Select the **Monitoring**/**Metrics** tab on the left.
27
+
1. Add the **WebApplicationFirewallRequestCount** to track number of requests that match WAF rules.
28
+
29
+
Custom filters can be created based on action types and rule names. Metrics include requests with all actions except *Log*.
30
+
31
+
:::image type="content" source="../media/waf-frontdoor-monitor/waf-frontdoor-metrics.png" alt-text="Screenshot of the Azure portal showing the metrics for an Azure Front Door WAF.":::
24
32
25
33
## Logs and diagnostics
26
34
27
-
WAF with Front Door provides detailed reporting on each request, and each threat that it detects. Logging is integrated with Azure's diagnostics logs and alerts. These logs can be integrated with [Azure Monitor logs](../../azure-monitor/insights/azure-networking-analytics.md).
35
+
Azure Front Door's WAF provides detailed reporting on each request, and each threat that it detects. Logging is integrated with Azure's diagnostics logs and alerts by using [Azure Monitor logs](../../azure-monitor/insights/azure-networking-analytics.md).
36
+
37
+
Logs aren't enabled by default. You need to explicitly enable logs. You can configure logs in the Azure portal by using the **Diagnostic settings** tab.

30
40
31
41
If logging is enabled and a WAF rule is triggered, any matching patterns are logged in plain text to help you analyze and debug the WAF policy behavior. You can use exclusions to fine tune rules and exclude any data that you want to be excluded from the logs. For more information, see [Web application firewall exclusion lists in Azure Front Door](../afds/waf-front-door-exclusion.md).
32
42
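Review bot: the new front-matter value `ms.date: 02/96/2023` is not a valid date (there is no day 96), so it needs correcting to the actual revision date before merge. In the added Metrics steps, "Add the **WebApplicationFirewallRequestCount** to track number of requests" would read better as "Add the **WebApplicationFirewallRequestCount** metric to track the number of requests". The new statement that logs aren't enabled by default sits directly above the unchanged line saying matched patterns are logged in plain text, so it would help to point readers to the exclusions guidance at the moment they turn logging on rather than a paragraph later.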
@@ -154,7 +164,7 @@ The following table shows the values logged for each request:
154
164
155
165
| Property | Description |
156
166
| ------------- | ------------- |
157
-
| Action |Action taken on the request. Logs include requests with all actions. Metrics include requests with all actions except *Log*.|
167
+
| Action |Action taken on the request. Logs include requests with all actions. Actions are:<ol> <li>**Allow** and **allow**: The request was allowed to continue processing.</li> <li>**Block** and **block**: The request matched a WAF rule configured to block the request. Alternatively, the [anomaly scoring](waf-front-door-drs.md#anomaly-scoring) threshold was reached and the request was blocked.</li> <li>**Log** and **log**: The request matched a WAF rule configured to use the *Log* action.</li> <li>**AnomalyScoring** and **logandscore**: The request matched a WAF rule. The rule contributes to the [anomaly score](waf-front-door-drs.md#anomaly-scoring). The request might or might not be blocked depending on other rules that run on the same request.</li> </ol> |
158
168
| ClientIP | The IP address of the client that made the request. If there was an `X-Forwarded-For` header in the request, the client IP address is taken from that header field instead. |
159
169
| ClientPort | The IP port of the client that made the request. |
160
170
| Details | Additional details on the request, including any threats that were detected. <br />matchVariableName: HTTP parameter name of the request matched, for example, header names (up to 100 characters maximum).<br /> matchVariableValue: Values that triggered the match (up to 100 characters maximum). |
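Review bot: the new Action description lists each value as a pair ("**Allow** and **allow**", "**AnomalyScoring** and **logandscore**") without saying when each form is emitted, so someone writing a log query or alert on this field cannot tell which string to match and may miss blocked or scored requests with a case-sensitive comparison. Please state which tier or log category produces each form. The values are alternatives rather than steps, so `<ul>` fits better than `<ol>` here.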