AWS Network Firewall logging

0

Dear Team - Our team has created the AWS Network Firewall in a VPC. They have created a Firewall Policy with "Alert established" and "Drop established". They have created a Stateful domain list rule group and allowed one domain, www.example.com. At the firewall level, the log type is configured as Alert, which is sent to an AWS CloudWatch log group.

When we test the traffic from a Virtual Machine behind the Firewall, below is the logging behaviour.

Query www.example.com --> Allowed --> No request is logged in CloudWatch
Query www.test.com --> Denied --> Request is logged in CloudWatch.

So how can we see the allowed request traffic in CloudWatch with the above scenario?

asked 2 months ago · 178 views
2 Answers
3
Accepted Answer

Hi, Stateful rules only send alerts for the DROP, ALERT, and REJECT actions (ref: https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-logging.html). If you want to see log entries for your PASS rules then you need to create a matching ALERT rule before each PASS rule. You can find more detail on that in the section "Effective logging with alert rules" in the following blog post: https://aws.amazon.com/blogs/security/cost-considerations-and-common-options-for-aws-network-firewall-log-management/

AWS
answered 2 months ago
EXPERT reviewed 2 months ago
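A worked example of the approach in the accepted answer, added here and not code from the thread, from AWS, or from the linked blog post. It generates Suricata-compatible rule strings in which every PASS rule for an allowed domain is preceded by a matching ALERT rule, and then parses constructed alert-log records to show how the allowed hits appear next to the blocked ones. Assumptions not stated on the page: the rule group is configured with STRICT_ORDER evaluation (with the default action order, PASS rules are evaluated before ALERT rules, so the alert would never fire); exact hostname matching is done with the `tls.sni` and `http.host` sticky buffers plus `startswith`/`endswith`; the signature IDs, firewall name, IPs and the log records themselves are made up for the example.

```python
"""Pair each PASS rule with a preceding ALERT rule so that allowed traffic is
written to the AWS Network Firewall alert log (added example, not from the page).
"""
import json

# Suricata sticky buffer and destination port per protocol. Assumption: an exact
# host match via startswith + endswith (a leading "." wildcard would use dotprefix).
_BUFFERS = {"tls": ("tls.sni", 443), "http": ("http.host", 80)}


def paired_rules(domains, start_sid=1000):
    """Return rule strings: for each domain and protocol, an ALERT rule immediately
    followed by the PASS rule that actually allows the traffic.

    The rule group must use STRICT_ORDER (assumption) so the ALERT line is evaluated
    before the PASS line; in default action order PASS wins and nothing is logged.
    Signature IDs start at start_sid and are assigned in pairs (alert, pass)."""
    rules = []
    sid = start_sid
    for domain in domains:
        for proto, (buffer, port) in _BUFFERS.items():
            match = f'{buffer}; content:"{domain}"; startswith; endswith;'
            header = f"{proto} $HOME_NET any -> $EXTERNAL_NET {port}"
            rules.append(f'alert {header} ({match} msg:"allowed {domain}"; sid:{sid}; rev:1;)')
            rules.append(f'pass {header} ({match} msg:"pass {domain}"; sid:{sid + 1}; rev:1;)')
            sid += 2
    return rules


def summarize_alerts(log_lines):
    """Parse alert-log records (one JSON object per line, as delivered to CloudWatch)
    and return (hostname, action, signature_id) tuples.

    Records produced by an ALERT rule carry action "allowed" because the alert itself
    does not block; records produced by a DROP rule carry action "blocked"."""
    summary = []
    for line in log_lines:
        event = json.loads(line)["event"]
        host = event.get("tls", {}).get("sni") or event.get("http", {}).get("hostname")
        alert = event["alert"]
        summary.append((host, alert["action"], alert["signature_id"]))
    return summary


# Constructed sample records (not captured from a real firewall), laid out like the
# documented Network Firewall alert log and trimmed to the fields used above.
SAMPLE_LOG = [
    json.dumps({"firewall_name": "example-fw", "availability_zone": "us-east-1a",
                "event_timestamp": "1700000000",
                "event": {"event_type": "alert", "src_ip": "10.0.1.10", "src_port": 50000,
                          "dest_ip": "203.0.113.5", "dest_port": 443, "proto": "TCP",
                          "tls": {"sni": "www.example.com", "version": "UNDETERMINED"},
                          "alert": {"action": "allowed", "signature_id": 1000, "rev": 1,
                                    "signature": "allowed www.example.com",
                                    "category": "", "severity": 3}}}),
    json.dumps({"firewall_name": "example-fw", "availability_zone": "us-east-1a",
                "event_timestamp": "1700000001",
                "event": {"event_type": "alert", "src_ip": "10.0.1.10", "src_port": 50001,
                          "dest_ip": "203.0.113.9", "dest_port": 443, "proto": "TCP",
                          "tls": {"sni": "www.test.com", "version": "UNDETERMINED"},
                          "alert": {"action": "blocked", "signature_id": 5, "rev": 1,
                                    "signature": "constructed deny signature",
                                    "category": "", "severity": 3}}}),
]

if __name__ == "__main__":
    for rule in paired_rules(["www.example.com"]):
        print(rule)
    for host, action, sid in summarize_alerts(SAMPLE_LOG):
        print(f"{host:20s} {action:8s} sid={sid}")
```

The generated rule text is what you would paste into a Suricata-compatible stateful rule group (with the rule order set to strict); the domain-list rule group from the question cannot be extended this way, so the allowed domains move into the string rule group instead. When reading the alert log afterwards, filter on `event.alert.action` equal to `allowed` to see the traffic that the PASS rules let through.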
-1

To see the allowed request traffic in CloudWatch with your current setup, you'll need to adjust your logging configuration. Currently, you've only enabled Alert logging, which captures traffic that matches stateful rules with actions set to Alert, Drop, or Reject. This is why you're only seeing the denied requests (www.test.com) in CloudWatch.

To capture the allowed traffic (www.example.com), you should enable Flow logging in addition to Alert logging. Flow logging provides information on all network traffic that passes through the stateful rules engine, including allowed traffic.

Here's how you can modify your logging configuration:

  1. Go to the AWS Management Console and navigate to the Network Firewall section.
  2. Select your firewall and go to the Firewall details tab.
  3. In the Logging section, choose Edit.
  4. In addition to Alert, select Flow under Log type.
  5. Configure the destination for Flow logs (you can use the same CloudWatch log group or a different one).
  6. Save your changes.

After making these changes, you should be able to see logs for both allowed and denied traffic in CloudWatch. The Flow logs will capture the allowed requests to www.example.com, while the Alert logs will continue to capture the denied requests to www.test.com.

Remember that enabling additional logging may increase your CloudWatch costs, so monitor your usage accordingly. Also, note that there might be a short delay before the new logging configuration takes effect.
Sources
Logging network traffic from AWS Network Firewall - AWS Network Firewall
Firewall settings in AWS Network Firewall - AWS Network Firewall
Updating a AWS Network Firewall logging configuration - AWS Network Firewall

answered 2 months ago
EXPERT reviewed 2 months ago
