Azure Firewall
Overview
Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.
The Centreon Monitoring Connector Azure Firewall can rely on Azure API or Azure CLI to collect the metrics related to the Firewall service.
Monitoring Connector Assets
Monitored Objects
- Azure Firewall instances
Discovery rules
The Centreon Monitoring Connector Azure Firewall includes a Host Discovery provider to automatically discover the Azure instances of a given subscription and add them to the Centreon configuration. This provider is named Microsoft Azure Firewall.
This discovery feature is only compatible with the 'api' custom mode. 'azcli' is not supported yet.
More information about the Host Discovery module is available in the Centreon documentation: Host Discovery
Collected Metrics

Health

Metric name | Description | Unit |
---|---|---|
firewall.health.percentage | Firewall health state | % |

Hits

Metric name | Description | Unit |
---|---|---|
firewall.applications.rules.hits.count | Application rules hit count | Count |
firewall.newtork.rules.hits.count | Network rules hit count | Count |

Throughput

Metric name | Description | Unit |
---|---|---|
firewall.data.processed.bytes | Data processed | B |
firewall.throughput.bitspersecond | Throughput | b/s |
Prerequisites
Please find all the prerequisites needed for Centreon to get information from Azure on the dedicated page.
Setup

Online License

- Install the Centreon package on every Centreon poller expected to monitor Azure Firewall resources:
yum install centreon-plugin-Cloud-Azure-Network-Firewall-Api
- On the Centreon Web interface, install the Azure Firewall Centreon Monitoring Connector on the Configuration > Monitoring Connector Manager page

Offline License

- Install the Centreon package on every Centreon poller expected to monitor Azure Firewall resources:
yum install centreon-plugin-Cloud-Azure-Network-Firewall-Api
- Install the Centreon Monitoring Connector RPM on the Centreon Central server:
yum install centreon-pack-cloud-azure-network-firewall.noarch
- On the Centreon Web interface, install the Azure Firewall Centreon Monitoring Connector on the Configuration > Monitoring Connector Manager page
Configuration
Host
Log into Centreon and add a new Host through "Configuration > Hosts".
In the IP Address/FQDN field, set the following IP address: '127.0.0.1'.
Select the Cloud-Azure-Network-Firewall-custom template to apply to the Host.
Once the template is applied, the Macros marked as 'Mandatory' below have to be configured. These mandatory Macros differ depending on the custom mode used:

Azure Monitor API

Mandatory | Name | Description |
---|---|---|
X | AZURECUSTOMMODE | Custom mode 'api' |
X | AZURESUBSCRIPTION | Subscription ID |
X | AZURETENANT | Tenant ID |
X | AZURECLIENTID | Client ID |
X | AZURECLIENTSECRET | Client secret |
X | AZURERESOURCE | Id of the Firewall instance |

Azure AZ CLI

Mandatory | Name | Description |
---|---|---|
X | AZURECUSTOMMODE | Custom mode 'azcli' |
X | AZURESUBSCRIPTION | Subscription ID |
X | AZURERESOURCE | Id of the Firewall instance |
FAQ
How to check in the CLI that the configuration is OK and what are the main options for?
Once the Plugin is installed, log into your Centreon Poller CLI using the centreon-engine user account and test the Plugin by running the following command:
/usr/lib/centreon/plugins/centreon_azure_network_firewall_api.pl \
--plugin=cloud::azure::network::firewall::plugin \
--mode=health \
--custommode=api \
--subscription='xxxxxxxxx' \
--tenant='xxxxxxxxx' \
--client-id='xxxxxxxxx' \
--client-secret='xxxxxxxxx' \
--resource='FWL001ABCD' \
--timeframe='900' \
--interval='PT5M' \
--warning-firewall-health-percentage='100:' \
--critical-firewall-health-percentage='50:'
Expected command output is shown below:
OK: Instance 'FWL001ABCD' Statistic 'average' Metrics Firewall health state: 100.00% |
'FWL001ABCD~average#firewall.health.percentage'=100.00%;100:;50:;0;100
The command above checks the health of an Azure Firewall instance using the 'api' custom mode (--plugin=cloud::azure::network::firewall::plugin --mode=health --custommode=api).
This Firewall instance is identified by its id (--resource='FWL001ABCD') and the authentication parameters to be used with the custom mode are specified in the options (--subscription='xxxxxxxxx' --tenant='xxxxxxx' --client-id='xxxxxxxx' --client-secret='xxxxxxxxxx').
The calculated metrics are an average (--aggregation='average') of values over a 900-second (15-minute) period (--timeframe='900') with one sample every 5 minutes (--interval='PT5M').
This command would trigger a WARNING alarm if the health of the Firewall instance is reported as less than 100% (--warning-firewall-health-percentage='100:') and a CRITICAL alarm if less than 50% (--critical-firewall-health-percentage='50:').
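The threshold behaviour described above, as an added example that is not part of the Centreon plugin or its documentation: it parses the performance data of the output line shown earlier and evaluates the warning and critical values, generalising the page's '100:' / '50:' case to the standard Nagios plugin range syntax, which is assumed here to be what the plugin applies. All function names are illustrative.

```python
import re

# Constructed sample: the plugin output shown on this page, joined onto one line.
SAMPLE = ("OK: Instance 'FWL001ABCD' Statistic 'average' Metrics Firewall health state: 100.00% | "
          "'FWL001ABCD~average#firewall.health.percentage'=100.00%;100:;50:;0;100")

# 'label'=value[unit];warning;critical (min and max, if present, are ignored here)
PERF_RE = re.compile(r"'([^']+)'=(-?[\d.]+)([^;\s]*);([^;\s]*);([^;\s]*)")


def parse_perfdata(line):
    """Return {label: (value, unit, warning_range, critical_range)} from plugin output."""
    _, _, perf = line.partition("|")
    return {m[1]: (float(m[2]), m[3], m[4], m[5]) for m in PERF_RE.finditer(perf)}


def breaches(value, rng):
    """True when value triggers an alert for a Nagios-style range string (assumed syntax)."""
    if not rng:
        return False                      # no threshold configured
    inside = rng.startswith("@")          # '@' inverts: alert when inside the range
    rng = rng.lstrip("@")
    low, sep, high = rng.partition(":")
    if not sep:                           # bare 'N' means the range 0..N
        low, high = "0", low
    lo = float("-inf") if low == "~" else float(low or 0)
    hi = float("inf") if high == "" else float(high)
    in_range = lo <= value <= hi
    return in_range if inside else not in_range


def status(value, warning, critical):
    """CRITICAL takes precedence over WARNING."""
    if breaches(value, critical):
        return "CRITICAL"
    if breaches(value, warning):
        return "WARNING"
    return "OK"


def evaluate(line):
    """Map each perfdata label in a plugin output line to its alert status."""
    return {label: status(v, w, c) for label, (v, _unit, w, c) in parse_perfdata(line).items()}


if __name__ == "__main__":
    print(evaluate(SAMPLE))
```
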
All the available options for a given mode can be displayed by adding the --help parameter to the command:
/usr/lib/centreon/plugins/centreon_azure_network_firewall_api.pl \
--plugin=cloud::azure::network::firewall::plugin \
--mode=datapath \
--help
Troubleshooting
The Azure credentials have changed and the Plugin does not work anymore
The Plugin uses a cache file to keep connection information and avoid authenticating at each call. If any of the authentication parameters change, you must delete the cache file.
The cache file can be found in the /var/lib/centreon/centplugins/ folder, with a name similar to azureapi<md5>_<md5>_<md5>_<md5>.
UNKNOWN: Login endpoint API returns error code 'ERROR_NAME' (add --debug option for detailed message)
When I run my command I obtain the following error message: UNKNOWN: Login endpoint API returns error code 'ERROR_NAME' (add --debug option for detailed message).
It means that some of the parameters used to authenticate the API request are wrong. The 'ERROR_NAME' string gives some hints about where the problem lies.
As an example, if my Client ID or Client Secret is wrong, the 'ERROR_NAME' value will be 'invalid_client'.
UNKNOWN: 500 Can't connect to login.microsoftonline.com:443
This error message means that the Centreon Plugin couldn't successfully connect to the Azure Login API. Check that no third-party device (such as a firewall) is blocking the request. A proxy connection may also be necessary to connect to the API.
This can be done by using this option in the command: --proxyurl='http://proxy.mycompany:8080'.
UNKNOWN: No metrics. Check your options or use --zeroed option to set 0 on undefined values
This command result means that Azure does not have any value for the requested period.
This result can be overridden by adding the --zeroed option to the command. This will force a value of 0 when no metric has been collected and will prevent the UNKNOWN error message.