Network Security Group logging capabilities to show dropped packets
Enable Network Security Group logging capabilities to show dropped packets.
Please provide a way to log the dropped packets that are blocked by Network Security Groups and make the log accessible to us for auditing and security reasons.
Released in Public Preview as part of the Network Watcher service
Andy Williams commented
When will "Network Watcher" be available in Europe?
Looks like this was just released in preview as part of the new Network Watcher service:
NSG flow logs
Flow data is a critical component for diagnosing and validating your Network Security Group configurations. You can now enable logging of NSG flow data that is allowed or denied per Network Security Group setting to help meet these needs. The NSG flow information includes timestamp, source IP, destination IP, source port, destination port and protocol, the Network Security Group and the security rule. This data can be ingested and visualized by Microsoft tools such as Power BI, as well as security information and event management tools provided by 3rd party partners and open source tools.
Would be very useful
Ralf Todenhagen commented
Is considered an important feature on our side - it is a standard feature in (on prem) firewall and security logging/monitoring. Might prevent us from implementing additional third party security VMs.
This would be a great value add, +1!
Please, please can we get an update to this, it's really not that hard for a product manager to keep an eye on their own feedback items.
This is an important feature to have visibility about the deny and allow rules.
Michael Meaney commented
Are there any further updates regarding this feature? It's quite a crucial capability we need for assurance, and a current blocker for our use of Azure.
Marc DEVIN commented
Hello Azure Team,
More than a year after announcing this quite essential feature as "planned", it is still in "planned" state... Is it still in the Azure roadmap? Do you have any update about the ETA?
Event logging (specific source IP, destination IP, port/service) needs to be enhanced for troubleshooting and security investigations.
Pedram Sanayei commented
Can we include enabling Diagnostics through the resource group templates used to define the NSG (this in fact covers every resource that implements diagnostics)? Unfortunately the only way it seems possible to enable diagnostics is via the console, which is a problem for us as we only perform write actions through the use of a template.
Thanks for the feedback. We are working on this feature. It will be available in the second half of CY16.
Bryan Fuehrer commented
How can you not provide logs for a firewall!?
As much as I love so many of the other features of Azure, this is a production road block for any troubleshooting.
André Coelho commented
Any news for NSG logging?
Eric van Aken commented
Would like to have this option, building NSGs but can't seem to find out why the application is not working.
Reuben Dunn commented
This would be very helpful in testing NSGs.
I think this is extremely important, as rules without visibility to see their impact are dangerous and likely not to be used. NSG logging should be released soon.