Share via

Wide range of timing for firewall latency probe

Michael Oehlert 20 Reputation points
2026-05-22T17:58:33.46+00:00

In Monitoring/Metrics for my Azure firewall I set the chart to look at Latency Probe for the last month [granularity set at 1 minute]. I got a few lines at 108ms or 367ms but most were 1ms or 1.33333ms.

Why is there such a wide disparity in the Latency Probe timing?

Azure Firewall
Azure Firewall

An Azure network security service that is used to protect Azure Virtual Network resources.

0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Venkatesan S 9,565 Reputation points Microsoft External Staff Moderator
    2026-05-26T07:02:46.81+00:00

    Hi Michael Oehlert,

    Thanks for reaching out in Microsoft Q&A forum

    Azure Firewall’s Latency Probe measures the firewall’s own average latency inside Azure, not the end-to-end latency of a user’s traffic path. Seeing most values around 1 ms, with occasional spikes such as 108 ms or 367 ms, is generally expected and does not by itself indicate a problem.

    • The probe is based on Ping Mesh.
    • The expected average latency is around 1 ms, though it can vary by deployment.
    • Intermittent spikes are normal and can appear even when the firewall is healthy.
    • A 1-minute chart can make a brief transient delay look like a much higher datapoint.

    You should investigate further only if the latency stays consistently high, becomes frequent, or matches user-facing connectivity issues or other degraded metrics such as CPU or throughput.

    In practical terms, the pattern you described mostly very low readings with a few sharp peaks is usually a normal Azure Firewall monitoring pattern rather than evidence of a sustained issue. The spikes become meaningful when they are persistent, repeat often, or correlate with real performance problems.

    Official documentation:

    Kindly let us know if the above helps or you need further assistance on this issue.

    Please do not forget to 210246-screenshot-2021-12-10-121802.pngand “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    Was this answer helpful?

  2. AI answer

    2026-05-22T17:58:44.84+00:00

    The wide range in Azure Firewall Latency Probe values is expected and comes from how the metric is measured and how the Azure platform behaves, not from a constant change in firewall performance.

    Key reasons for the disparity:

    1. What the metric actually measures
      • The AZFW Latency Probe metric measures latency of Azure Firewall within the Azure platform, not end‑to‑end network latency.
      • It uses periodic probes and reports the average latency in milliseconds for those probes at each 1‑minute interval.
    2. ICMP‑based probe behavior and normal spikes
      • The current probe uses Microsoft’s Ping Mesh technology based on ICMP.
      • ICMP traffic is treated differently (lower priority) than typical application TCP traffic across the Azure platform.
      • Because of this, intermittent spikes are normal and are considered part of standard host network behavior, not necessarily a firewall issue.
      • Documentation explicitly notes that latency spikes with ICMP probes are expected and should not be misinterpreted as a problem unless they are persistent.
    3. Normal baseline vs occasional outliers
      • Typical Azure Firewall latency averages 1–10 ms, depending on SKU and deployment size.
      • Most of the values around 1–1.33 ms represent the normal baseline in your environment.
      • Occasional higher values (for example, 100+ ms or 300+ ms) are outliers caused by:
        • transient network conditions in the Azure platform,
        • temporary high CPU utilization on the firewall,
        • temporary high throughput/traffic load.
    4. How to interpret the pattern
      • Expect a chart that is mostly low values with occasional high spikes.
      • Guidance is to:
        • Set a baseline under light traffic.
        • Treat latency as concerning if it regularly exceeds ~3× that baseline over time, not just in isolated points.
        • Investigate further if high values are sustained or frequent, especially when correlated with high CPU, high throughput, or SNAT port pressure.

    In summary, the 1–1.33 ms points are normal baseline latency, and the 100–300+ ms points are expected transient spikes from ICMP‑based probing and platform conditions. Only persistent or patterned elevation beyond roughly three times the baseline should be treated as a performance issue.

    References:

    AI-generated content may be incorrect. Read our transparency notes for more information.

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.