Hi, Stateful rules only send alerts for the DROP, ALERT, and REJECT actions (ref: https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-logging.html). If you want to see log entries for your PASS rules then you need to create a matching ALERT rule before each PASS rule. You can find more detail on that in the section "Effective logging with alert rules" in the following blog post: https://aws.amazon.com/blogs/security/cost-considerations-and-common-options-for-aws-network-firewall-log-management/
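The alert-before-pass pattern from the answer above, as an added example (not code from the answer, from AWS, or from the linked blog post). It generates Suricata-style rule pairs for AWS Network Firewall: for every domain you want to PASS, a matching ALERT rule with the same header and match options goes directly in front, so the allowed flow is logged before it is passed; a final DROP needs no companion because DROP actions are already logged. The domains and sids are constructed values, and the pairing only works when the rule group evaluates rules in strict order, since Suricata's default action order evaluates pass before alert and the alert would never fire. `check_pass_rules_logged` is a hypothetical helper that verifies every pass rule has its alert twin.

```python
"""Alert-before-pass Suricata rule pairs for AWS Network Firewall.

Added example, not from the answer above or from AWS. Stateful rules log only
ALERT, DROP and REJECT actions, so each PASS rule gets a matching ALERT rule
placed directly before it. Domains and sids are constructed values.
"""
from __future__ import annotations


def sni_match(domain: str) -> str:
    """Exact-match TLS SNI keywords shared by the alert and pass rule."""
    return f'tls.sni; content:"{domain}"; startswith; endswith; flow:to_server;'


def build_rule_pair(domain: str, sid: int) -> list[str]:
    """Return [alert_rule, pass_rule] with identical header and match options.

    Requires STRICT_ORDER rule evaluation: with Suricata's default action
    order, pass rules are evaluated before alert rules and the alert never fires.
    """
    header = "tls $HOME_NET any -> $EXTERNAL_NET any"
    match = sni_match(domain)
    alert = (f'alert {header} ({match} msg:"allowed TLS to {domain}"; '
             f'sid:{sid}; rev:1;)')
    pass_rule = (f'pass {header} ({match} msg:"pass TLS to {domain}"; '
                 f'sid:{sid + 1}; rev:1;)')
    return [alert, pass_rule]


def build_ruleset(allowed_domains: list[str], first_sid: int = 1000) -> list[str]:
    """Alert/pass pairs for each allowed domain, then a catch-all drop.

    The drop rule needs no companion: DROP actions are logged on their own.
    """
    rules: list[str] = []
    sid = first_sid
    for domain in allowed_domains:
        rules.extend(build_rule_pair(domain, sid))
        sid += 2
    rules.append('drop tls $HOME_NET any -> $EXTERNAL_NET any '
                 f'(msg:"drop TLS to unlisted SNI"; flow:to_server; sid:{sid}; rev:1;)')
    return rules


def _options(rule: str) -> str:
    """Rule options between the parentheses, minus msg/sid/rev."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    keep = [o.strip() for o in body.split(";")
            if o.strip() and not o.strip().startswith(("msg:", "sid:", "rev:"))]
    return ";".join(keep)


def check_pass_rules_logged(rules: list[str]) -> bool:
    """True if every pass rule is immediately preceded by an alert rule with
    the same header and match options, i.e. the passed traffic gets logged."""
    for i, rule in enumerate(rules):
        if not rule.startswith("pass "):
            continue
        if i == 0 or not rules[i - 1].startswith("alert "):
            return False
        prev = rules[i - 1]
        same_header = (prev[len("alert "):prev.index("(")]
                       == rule[len("pass "):rule.index("(")])
        if not same_header or _options(prev) != _options(rule):
            return False
    return True


if __name__ == "__main__":
    ruleset = build_ruleset(["www.example.com"])
    for line in ruleset:
        print(line)
    print("every pass rule has its alert twin:", check_pass_rules_logged(ruleset))
```

Paste the generated lines into a stateful rule group created with strict rule ordering; the HTTP equivalent replaces the `tls.sni` keywords with `http.host` and the `tls` protocol with `http`.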
To see the allowed request traffic in CloudWatch with your current setup, you'll need to adjust your logging configuration. Currently, you've only enabled Alert logging, which captures traffic that matches stateful rules with actions set to Alert, Drop, or Reject. This is why you're only seeing the denied requests (www.test.com) in CloudWatch.
To capture the allowed traffic (www.example.com), you should enable Flow logging in addition to Alert logging. Flow logging provides information on all network traffic that passes through the stateful rules engine, including allowed traffic.
Here's how you can modify your logging configuration:
- Go to the AWS Management Console and navigate to the Network Firewall section.
- Select your firewall and go to the Firewall details tab.
- In the Logging section, choose Edit.
- In addition to Alert, select Flow under Log type.
- Configure the destination for Flow logs (you can use the same CloudWatch log group or a different one).
- Save your changes.
After making these changes, you should be able to see logs for both allowed and denied traffic in CloudWatch. The Flow logs will capture the allowed requests to www.example.com, while the Alert logs will continue to capture the denied requests to www.test.com.
Remember that enabling additional logging may increase your CloudWatch costs, so monitor your usage accordingly. Also, note that there might be a short delay before the new logging configuration takes effect.
Sources
- Logging network traffic from AWS Network Firewall - AWS Network Firewall
- Firewall settings in AWS Network Firewall - AWS Network Firewall
- Updating a AWS Network Firewall logging configuration - AWS Network Firewall
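The logging change described in the answer above, as an added example that is not part of the answer or of AWS's own tooling. It adds a FLOW destination to a LoggingConfiguration that currently carries only ALERT (the dict shape is the one the UpdateLoggingConfiguration API takes, one LogDestinationConfig per LogType), and then separates alert records from netflow records in the resulting CloudWatch stream so you can confirm both the denied www.test.com request and the allowed www.example.com flow are present. The firewall name, log group, addresses, byte counts and the two log records are constructed samples modelled on the documented log format; `add_flow_logging` and `summarize` are hypothetical helpers. The boto3 call that would apply the configuration is shown in a comment only, so the block runs offline.

```python
"""Add FLOW logging next to ALERT logging and tell the two record kinds apart.

Added example, not from the answer above or from AWS. The configuration dict
follows the LoggingConfiguration shape of UpdateLoggingConfiguration; the log
records are constructed samples (firewall name, log group, IPs, counts made up).
"""
from __future__ import annotations

import copy
import json

# Constructed: the questioner's current configuration, ALERT logging only.
CURRENT_CONFIG = {
    "LogDestinationConfigs": [
        {
            "LogType": "ALERT",
            "LogDestinationType": "CloudWatchLogs",
            "LogDestination": {"logGroup": "/example/network-firewall"},
        }
    ]
}


def add_flow_logging(config: dict, log_group: str) -> dict:
    """Return a copy of config with a FLOW destination appended.

    ALERT stays so denied traffic remains visible; FLOW is added so allowed
    flows appear too. A FLOW entry is added only once, because the API
    accepts a single destination per LogType.
    """
    new_config = copy.deepcopy(config)
    if any(d["LogType"] == "FLOW" for d in new_config["LogDestinationConfigs"]):
        return new_config  # already enabled, nothing to change
    new_config["LogDestinationConfigs"].append({
        "LogType": "FLOW",
        "LogDestinationType": "CloudWatchLogs",
        "LogDestination": {"logGroup": log_group},
    })
    # To apply it for real (not executed here):
    #   boto3.client("network-firewall").update_logging_configuration(
    #       FirewallName="my-firewall", LoggingConfiguration=new_config)
    return new_config


# Constructed CloudWatch records: an alert for the blocked www.test.com
# request and a netflow record for the allowed www.example.com flow.
SAMPLE_RECORDS = [
    json.dumps({
        "firewall_name": "example-fw", "availability_zone": "us-east-1a",
        "event_timestamp": "1700000000",
        "event": {"timestamp": "2023-11-14T22:13:20.000000+0000", "flow_id": 1,
                  "event_type": "alert", "src_ip": "10.0.1.10", "src_port": 51234,
                  "dest_ip": "198.51.100.5", "dest_port": 443, "proto": "TCP",
                  "alert": {"action": "blocked", "signature_id": 1002, "rev": 1,
                            "signature": "drop TLS to unlisted SNI", "severity": 3},
                  "tls": {"sni": "www.test.com"}}}),
    json.dumps({
        "firewall_name": "example-fw", "availability_zone": "us-east-1a",
        "event_timestamp": "1700000060",
        "event": {"timestamp": "2023-11-14T22:14:20.000000+0000", "flow_id": 2,
                  "event_type": "netflow", "src_ip": "10.0.1.10", "src_port": 51235,
                  "dest_ip": "198.51.100.9", "dest_port": 443, "proto": "TCP",
                  "app_proto": "tls",
                  "netflow": {"pkts": 12, "bytes": 4100, "age": 3,
                              "min_ttl": 64, "max_ttl": 64}}}),
]


def summarize(lines: list[str]) -> dict[str, list]:
    """Group records by event_type.

    alert entries:   (dest_ip, dest_port, action, sni-or-None)
    netflow entries: (dest_ip, dest_port, bytes, app_proto-or-None)
    """
    out: dict[str, list] = {"alert": [], "netflow": [], "other": []}
    for line in lines:
        ev = json.loads(line)["event"]
        kind = ev.get("event_type", "unknown")
        if kind == "alert":
            out["alert"].append((ev["dest_ip"], ev["dest_port"],
                                 ev["alert"]["action"], ev.get("tls", {}).get("sni")))
        elif kind == "netflow":
            out["netflow"].append((ev["dest_ip"], ev["dest_port"],
                                   ev["netflow"]["bytes"], ev.get("app_proto")))
        else:
            out["other"].append(kind)
    return out


if __name__ == "__main__":
    print(json.dumps(add_flow_logging(CURRENT_CONFIG, "/example/network-firewall"), indent=2))
    print(summarize(SAMPLE_RECORDS))
```

Netflow records carry no action field; a flow that appears in the FLOW stream but never in the ALERT stream was allowed, which is exactly the allowed www.example.com traffic the question is missing.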
As per https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-logging.html, Flow logs are standard network traffic flow logs. Each flow log record captures the network flow for a specific standard stateless rule group. Can someone reconfirm? I tried the above, but it is not working.