hi QuyHoang,
those logs are basically azure firewall telling u it received a https connection attempt that was missing the server name indication extension. it's like a letter with no address. the firewall can't figure out where it's supposed to go, so it drops it and logs the event.
the problem is, the source of this traffic is likely something on your network that is making outdated or misconfigured https calls. since the sni is missing, the firewall has no destination ip or fqdn to log. that's why those fields are empty.
to stop the logs and the cost, u need to stop the traffic at the source. here is how u can hunt it down.
first, use the source ip from the log. track down which machine or device in your network has that ip address. it could be an old piece of software, a device, or a server making these bad requests.
once u find the source machine, u need to figure out what application is making the calls. check its configuration. it might be trying to connect to an external service using an old tls version that doesn't support sni, or it might be badly configured.
if u absolutely cannot find or fix the source, u can create a firewall network rule to explicitly block traffic from that source ip on port 443. this will still create a log, but it will be a shorter 'deny' log instead of the long 'sni missing' log, which might be cheaper.
to reduce the log volume immediately, u can adjust your diagnostic settings for the firewall. instead of sending all logs to log analytics, u could send them to a storage account for cheaper long term retention. or, u could try to filter out logs with that specific actionreason before they are sent.
hope u find that noisy device. stopping it will save u a ton of logging hassle.
Best regards,
Alex
and "yes" if you would follow me at Q&A - personally thx.
P.S. If my answer helps you, please Accept my answer