Skip to main content

Azure Firewall

Overview​

Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.

The Centreon Monitoring Connector Azure Firewall can rely on Azure API or Azure CLI to collect the metrics related to the Firewall service.

Monitoring Connector Assets​

Monitored Objects​

  • Azure Firewall instances

Discovery rules​

The Centreon Monitoring Connector Azure Firewall includes a Host Discovery provider to automatically discover the Azure instances of a given subscription and add them to the Centreon configuration. This provider is named Microsoft Azure Firewall:

image

This discovery feature is only compatible with the 'api' custom mode. 'azcli' is not supported yet.

More information about the Host Discovery module is available in the Centreon documentation: Host Discovery

Collected Metrics​

Metric nameDescriptionUnit
firewall.health.percentageFirewall health state%

Prerequisites​

Please find all the prerequisites needed for Centreon to get information from Azure on the dedicated page.

Setup​

  1. Install the Centreon package on every Centreon poller expected to monitor Azure Firewall resources:
yum install centreon-plugin-Cloud-Azure-Network-Firewall-Api
  1. On the Centreon Web interface, install the Azure Firewall Centreon Monitoring Connector on the Configuration > Monitoring Connector Manager page

Configuration​

Host​

  • Log into Centreon and add a new Host through "Configuration > Hosts".

  • In the IP Address/FQDN field, set the following IP address: '127.0.0.1'.

  • Select the Cloud-Azure-Network-Firewall-custom template to apply to the Host.

  • Once the template applied, some Macros marked as 'Mandatory' hereafter have to be configured. These mandatory Macros differ regarding the custom mode used:

MandatoryNomDescription
XAZURECUSTOMMODECustom mode 'api'
XAZURESUBSCRIPTIONSubscription ID
XAZURETENANTTenant ID
XAZURECLIENTIDClient ID
XAZURECLIENTSECRETClient secret
XAZURERESOURCEId of the Firewall instance

FAQ​

How to check in the CLI that the configuration is OK and what are the main options for ?​

Once the Plugin installed, log into your Centreon Poller CLI using the centreon-engine user account and test the Plugin by running the following command:

/usr/lib/centreon/plugins/centreon_azure_network_firewall_api.pl \
--plugin=cloud::azure::network::firewall::plugin \
--mode=health \
--custommode=api \
--subscription='xxxxxxxxx' \
--tenant='xxxxxxxxx' \
--client-id='xxxxxxxxx' \
--client-secret='xxxxxxxxx' \
--resource='FWL001ABCD' \
--timeframe='900' \
--interval='PT5M' \
--warning-firewall-health-percentage='100:' \
--critical-firewall-health-percentage='50:'

Expected command output is shown below:

OK: Instance 'FWL001ABCD' Statistic 'average' Metrics Firewall health state: 100.00% |
'FWL001ABCD~average#firewall.health.percentage'=100.00%;100:;50:;0;100

The command above checks the health of an Azure Firewall instance using the 'api' custom-mode (--plugin=cloud::azure::network::firewall::plugin --mode=health --custommode=api). This Key Vault is identified by its id (--resource='FWL001ABCD') and the authentication parameters to be used with the custom mode are specified in the options (--subscription='xxxxxxxxx' --tenant='xxxxxxx' --client-id='xxxxxxxx' --client-secret='xxxxxxxxxx').

The calculated metrics are an average (--aggregation='average') of values on a 900 secondes / 15 min period (--timeframe='900') with one sample per 5 minutes (--interval='PT5M').

This command would trigger a WARNING alarm if the health of the Firewall instance is reported as less then 100% (--warning-firewall-health-percentage='100:') and a CRITICAL alarm if less than 50% (--critical-firewall-health-percentage='50:').

All the available options for a given mode can be displayed by adding the --help parameter to the command:

/usr/lib/centreon/plugins/centreon_azure_network_firewall_api.pl \
--plugin=cloud::azure::network::firewall::plugin \
--mode=datapath \
--help

Troubleshooting​

The Azure credentials have changed and the Plugin does not work anymore​

The Plugin is using a cache file to keep connection information and avoid an authentication at each call. If some of the authentication parameters change, you must delete the cache file.

The cache file can be found within /var/lib/centreon/centplugins/ folder with a name similar to azure_api_<md5>_<md5>_<md5>_<md5>.

UNKNOWN: Login endpoint API returns error code 'ERROR_NAME' (add --debug option for detailed message)​

When I run my command I obtain the following error message: UNKNOWN: Login endpoint API returns error code 'ERROR_NAME' (add --debug option for detailed message).

It means that some parameters used to authenticate the API request are wrong. The 'ERROR_NAME' string gives some hints about where the problem stands.

As an example, if my Client ID or Client Secret are wrong, 'ERROR_DESC' value will be 'invalid_client'.

UNKNOWN: 500 Can't connect to login.microsoftonline.com:443​

This error message means that the Centreon Plugin couldn't successfully connect to the Azure Login API. Check that no third party device (such as a firewall) is blocking the request. A proxy connection may also be necessary to connect to the API. This can be done by using this option in the command: --proxyurl='http://proxy.mycompany:8080'.

UNKNOWN: No metrics. Check your options or use --zeroed option to set 0 on undefined values​

This command result means that Azure does not have any value for the requested period. This result can be overriden by adding the --zeroed option in the command. This will force a value of 0 when no metric has been collected and will prevent the UNKNOWN error message.