Cloud NGFW for Azure
Enable and View Cloud NGFW for Azure Monitoring Metrics
Cloud NGFW for Azure integrates with Azure Monitor to provide enhanced visibility
into the performance and operational health of your firewall resources. By leveraging Azure
Application Insights, you can ingest, query, and set alerts on key firewall metrics, all
within your existing Azure ecosystem.
Prerequisites
Before you begin, you must have the following configured:
- Create Azure Application Insights: You must have Azure Application Insights created. For more information, see Configure Application Insights.
- Create and Associate the Managed Identity:
  - Create a User-Assigned Managed Identity: First, you must create a user-assigned managed identity (MI). For more information, see create system managed identity.
  - Associate Managed Identity with the Cloud NGFW Firewall: Go to your Cloud NGFW firewall resource in the Azure portal. In the left-hand menu, go to Settings > Managed Identity, and click Add Identity. Add the managed identity you just created. This step links the identity to the firewall.
  This managed identity requires the Monitoring Metrics Publisher role on the target Azure Application Insights resource.
- Assign the Monitoring Metrics Publisher role to the managed identity:
  - From the previously created Application Insights menu, go to Access Control (IAM).
    Ensure that the Local authentication option is disabled for the selected Application Insights.
  - Click Add.
  - Select the previously created Monitoring Metrics Publisher role.
  - In the Members tab, select the Managed Identity checkbox and select the managed identity name.
  - Click Review and Assign.
Enable Cloud NGFW Metrics
To enable CNGFW Metrics, perform the following steps:
- In the Azure portal, select the Cloud NGFW Firewall resource for which you want to enable metrics.
- From the left navigation menu, go to Metrics and Logs > Metrics.
- Click Edit at the top of the page.
- Select the Enable Metrics Settings checkbox.
- Select Subscription.
- Select the Azure Application Insights you created as a prerequisite.
- Click Save.
View Cloud NGFW Metrics
To view the metrics in your Azure Application Insights:
- In the Azure portal, navigate to your Cloud NGFW Firewall.
- In the left navigation menu, click Metrics and Logs.
- Click Application Insights.
- In the left navigation pane, go to Monitoring > Metrics.
- Configure the chart view:
  - Scope: Select the Cloud NGFW firewall resource for which you enabled metrics.
  - Metric Namespace: Choose the custom namespace corresponding to your firewall. The namespace is formatted as pan.cngfw.<region>.<firewall-name>.
  - Metric: Select the desired metric you wish to plot from the drop-down list (e.g., SessionCount, BytesIn).
The portal will automatically plot the time-series graph for the selected metric. You can add multiple metrics to the chart and use standard Azure Monitor features for time selection, aggregation, and creating alert rules.
The metrics published to your Application Insights are not real-time. There will be a minor delay consisting of a one-minute aggregation interval plus a propagation latency of under five minutes.
Important Considerations
- If the linked Application Insights resource is deleted, CNGFW metrics will stop flowing. The resource link on the Cloud NGFW's Logs and Metrics page will become invalid or return a 404 error.
- Metric collection will fail if the associated User-Assigned Managed Identity is deleted or disabled, as the firewall will lose its ability to authenticate to your Azure Application Insights.
- If the required Monitoring Metrics Publisher role is removed from the Managed Identity, the firewall will no longer have the authorization to send data, and metric publication will stop. In this case, add the role back to the managed identity. For any assistance, contact customer support.
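The prerequisites and the failure modes listed above can be checked together before metrics silently stop. The following is an added example, not part of the Cloud NGFW documentation: an offline Python check over constructed sample data. The role-assignment keys (roleDefinitionName, principalId, scope) and the identity keys (id, principalId) follow the JSON printed by `az role assignment list` and `az identity show`; the `local_auth_disabled` key, the finding codes and all resource IDs are assumptions made for this example.

```python
# Added example: offline check of the metrics prerequisites and failure modes.
# All resource IDs and GUIDs below are constructed placeholders.
ROLE = "Monitoring Metrics Publisher"

def scope_covers(scope, resource_id):
    """Azure RBAC is inherited, so an assignment on a parent scope also counts."""
    s, r = scope.rstrip("/").lower(), resource_id.rstrip("/").lower()
    return r == s or r.startswith(s + "/")   # "/" stops rg matching rg-fw

def check_metrics_path(app_insights, identity, firewall_identity_ids, assignments):
    """Return finding codes; an empty list means publication should work."""
    if app_insights is None:
        return ["APP_INSIGHTS_MISSING"]      # deleted target: metrics stop flowing
    if identity is None:
        return ["IDENTITY_MISSING"]          # firewall cannot authenticate
    findings = []
    if identity["id"].lower() not in {i.lower() for i in firewall_identity_ids}:
        findings.append("IDENTITY_NOT_ON_FIREWALL")
    # Hypothetical normalized key; the page asks for local authentication disabled.
    if not app_insights.get("local_auth_disabled", False):
        findings.append("LOCAL_AUTH_ENABLED")
    if not any(a["roleDefinitionName"] == ROLE
               and a["principalId"] == identity["principalId"]
               and scope_covers(a["scope"], app_insights["id"])
               for a in assignments):
        findings.append("ROLE_NOT_ASSIGNED")
    return findings

# Constructed sample inputs.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-fw"
APP_INSIGHTS = {"id": RG + "/providers/microsoft.insights/components/ai-fw",
                "local_auth_disabled": True}
IDENTITY = {"id": RG + "/providers/Microsoft.ManagedIdentity/userAssignedIdentities/mi-fw",
            "principalId": "11111111-1111-1111-1111-111111111111"}
ASSIGNMENTS = [
    # Inherited from the resource group: valid for the component.
    {"roleDefinitionName": ROLE, "principalId": IDENTITY["principalId"], "scope": RG},
    # Resource group whose name is only a prefix of rg-fw: must not match.
    {"roleDefinitionName": ROLE, "principalId": IDENTITY["principalId"],
     "scope": SUB + "/resourceGroups/rg"},
]

if __name__ == "__main__":
    print(check_metrics_path(APP_INSIGHTS, IDENTITY, [IDENTITY["id"]], ASSIGNMENTS))
    print(check_metrics_path(APP_INSIGHTS, IDENTITY, [IDENTITY["id"]], ASSIGNMENTS[1:]))
```

The second call drops the inherited assignment and reports ROLE_NOT_ASSIGNED, the state in which the page says to add the role back to the managed identity.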