Azure Firewall's Change Tracking (Preview) feature is a powerful enhancement that provides administrators with insights into changes made to firewall configurations, particularly Rule Collection Groups. This feature leverages Azure Resource Graph (ARG) to enable efficient monitoring and analysis of changes, improving visibility, accountability, and troubleshooting capabilities.
Key Benefits of Change Tracking
Enhanced Visibility
Monitor modifications to Rule Collection Groups, enabling administrators to track configuration changes in real time.
Improved Accountability
Identify when changes were made and what changed, addressing compliance and audit requirements.
Efficient Troubleshooting
Detect unintended changes quickly to resolve issues affecting security or performance.
How Azure Resource Graph (ARG) Powers Change Tracking
Azure Resource Graph is the backbone of the Change Tracking feature, providing an efficient query and analysis engine designed for large-scale Azure environments. ARG collects metadata and property changes from Azure resources, including Azure Firewall, and enables administrators to query and analyze this data.
Key ARG Features for Change Tracking:
- Scalable Querying: ARG supports querying changes across multiple subscriptions, management groups, or even tenants, ensuring insights are accessible for large environments.
- Detailed Change Insights: Administrators can query historical data, revealing what property changed and when.
- Kusto Query Language (KQL): ARG queries use KQL, allowing for flexible filtering, grouping, and analysis.
ARG’s recent support for Rule Collection Groups ensures precise tracking of firewall rule changes, such as:
- Addition or removal of rule collections.
- Updates to specific rules (e.g., IP ranges, protocols, actions).
- Reordering of rule collections affecting priority and execution.
How to Use Change Tracking with ARG
Administrators can use the Azure Resource Graph Explorer in the Azure Portal to execute custom queries. Here’s an example query to retrieve changes in Rule Collection Groups:
networkresourcechanges
| where properties contains "microsoft.network/firewallpolicies/rulecollectiongroups"
| where properties contains "properties.rulecollections"
For more readable logs, you can use the following enhanced query:
networkresourcechanges
| where properties contains "microsoft.network/firewallpolicies/rulecollectiongroups"
| extend parsedProperties = parse_json(properties)
| extend TargetResource = tostring(parsedProperties.targetResourceId),
    Timestamp = todatetime(parsedProperties.changeAttributes.timestamp),
    Changes = todynamic(parsedProperties.changes),
    ChangeType = tostring(parsedProperties.changeType),
    PreviousSnapshotId = tostring(parsedProperties.changeAttributes.previousResourceSnapshotId),
    NewSnapshotId = tostring(parsedProperties.changeAttributes.newResourceSnapshotId),
    CorrelationId = tostring(parsedProperties.changeAttributes.correlationId),
    ChangesCount = toint(parsedProperties.changeAttributes.changesCount),
    TenantId = tostring(tenantId),
    Location = tostring(location),
    SubscriptionId = tostring(subscriptionId),
    ResourceGroup = tostring(resourceGroup),
    FirewallPolicyName = extract('/firewallPolicies/([^/]+)/', 1, tostring(id))
| mv-expand ChangeKey = bag_keys(Changes)
| extend ChangeDetails = todynamic(Changes[tostring(ChangeKey)])
| extend RuleCollectionName = extract('properties\\.ruleCollections\\["([^"]+)"\\]', 1, tostring(ChangeKey))
| where isnotempty(RuleCollectionName)
| summarize
    Changes = make_list(pack("ChangeKey", ChangeKey, "PreviousValue", tostring(ChangeDetails.previousValue), "NewValue", tostring(ChangeDetails.newValue)))
    by
    Timestamp = format_datetime(Timestamp, 'yyyy-MM-dd HH:mm:ss'),
    TenantId,
    SubscriptionId,
    ResourceGroup,
    Location,
    TargetResource,
    FirewallPolicyName,
    RuleCollectionName,
    ChangeType,
    PreviousSnapshotId,
    NewSnapshotId,
    CorrelationId,
    ChangesCount
| project
    Timestamp,
    TenantId,
    SubscriptionId,
    ResourceGroup,
    Location,
    TargetResource,
    FirewallPolicyName,
    RuleCollectionName,
    ChangeType,
    PreviousSnapshotId,
    NewSnapshotId,
    CorrelationId,
    ChangesCount,
    Changes
This enhanced query filters change records to Azure Firewall Rule Collection Groups, parses the change payload, extracts key details such as the timestamp, change type and rule collection name (the rule collection name is pulled from the changed property path with the same regular expression used in the extract step), and groups every changed property with its previous and new value per rule collection. The result is a clear, per-change log of configuration edits that administrators can review and analyze over time.
Here is a screenshot showing an example of the output from this query:
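As an added illustration (not part of the original post or the Azure Firewall product), the Python below does offline what the mv-expand/extract stage of the query does: it reads a change record carrying the same fields the query uses (changeAttributes, changes with previousValue/newValue), attributes each changed key to its rule collection, and flags the two changes a reviewer would want to see first. The record, policy name, resource group and snapshot identifiers are constructed placeholders.

```python
import re
from datetime import datetime

# Constructed sample of one networkresourcechanges record; the property paths
# follow the properties.ruleCollections["<name>"] shape the page's regex expects.
SAMPLE_RECORD = {
    "properties": {
        "targetResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000"
            "/resourceGroups/rg-example/providers/Microsoft.Network/firewallPolicies"
            "/fwpol-example/ruleCollectionGroups/DefaultNetworkRuleCollectionGroup",
        "changeType": "Update",
        "changeAttributes": {
            "timestamp": "2025-02-17T10:15:00Z",
            "changesCount": 3,
            "previousResourceSnapshotId": "snapshot-prev-placeholder",
            "newResourceSnapshotId": "snapshot-new-placeholder",
            "correlationId": "correlation-placeholder",
        },
        "changes": {
            'properties.ruleCollections["AllowWeb"].rules["web-out"].destinationAddresses':
                {"previousValue": '["10.0.0.0/24"]', "newValue": '["*"]'},
            'properties.ruleCollections["BlockSMB"].action.type':
                {"previousValue": "Deny", "newValue": "Allow"},
            'properties.ruleCollections["AllowWeb"].priority':
                {"previousValue": "200", "newValue": "210"},
        },
    }
}

# Same pattern as the KQL extract(), without the string-escaping doubled backslashes.
RC_KEY = re.compile(r'properties\.ruleCollections\["([^"]+)"\]')


def flatten_changes(record):
    """One dict per changed property, mirroring the mv-expand + extract + where steps."""
    props = record["properties"]
    ts = datetime.fromisoformat(props["changeAttributes"]["timestamp"].replace("Z", "+00:00"))
    rows = []
    for key, detail in props["changes"].items():
        match = RC_KEY.search(key)
        if not match:          # skip keys that are not inside a rule collection
            continue
        rows.append({"timestamp": ts, "changeType": props["changeType"],
                     "ruleCollection": match.group(1), "key": key,
                     "previous": str(detail.get("previousValue")),
                     "new": str(detail.get("newValue"))})
    return rows


def risky_changes(rows):
    """Flag Deny->Allow flips and destinations widened to a wildcard for review."""
    flagged = []
    for row in rows:
        if row["key"].endswith("action.type") and (row["previous"], row["new"]) == ("Deny", "Allow"):
            flagged.append((row["ruleCollection"], "action changed Deny -> Allow"))
        elif row["key"].endswith("destinationAddresses") and "*" in row["new"]:
            flagged.append((row["ruleCollection"], "destination widened to wildcard"))
    return flagged
```

The same two functions can be run over the rows returned by the ARG query to route flagged rule collections to a ticket or alert instead of reading the full change log by hand.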
Real-World Use Cases
Change Management
Maintain a historical record of configuration changes for audits and compliance.
Security Monitoring
Detect unauthorized changes to firewall rules, ensuring configurations remain aligned with organizational security policies.
Operational Efficiency
Quickly identify and resolve issues caused by recent changes to Rule Collection Groups.
Conclusion
With Change Tracking (Preview), powered by Azure Resource Graph, Azure Firewall becomes a more robust tool for managing and securing your network environment. Administrators gain enhanced control and insight into firewall configurations, improving their ability to maintain compliance, troubleshoot issues, and enforce security policies effectively.
Start exploring Change Tracking today using the Azure Resource Graph Explorer and enhance your network security posture.
Updated Feb 17, 2025
Version 2.0
SaleemBseeu
Microsoft
Azure Network Security Blog