

# Logging and monitoring in AWS Network Firewall
<a name="logging-monitoring"></a>

Logging and monitoring help you maintain the reliability, availability, and performance of AWS Network Firewall. You can monitor how the service is being used, and you can monitor the network traffic and traffic filtering in your Network Firewall firewalls.

AWS provides a number of tools that you can use to monitor Network Firewall. You can configure some of these tools to do the monitoring for you, while other tools require manual intervention. We recommend that you automate monitoring tasks as much as possible.

**Automated monitoring tools that work with Network Firewall**  
You can use the following automated monitoring tools with Network Firewall:
+ *Amazon CloudWatch* provides metrics for the AWS resources and the applications that you run on AWS. Monitoring and alarms are real time. You can collect and track metrics, create customized dashboards, and set alarms that notify you or take actions when a specified metric reaches a threshold that you specify. For example, you can have CloudWatch track CPU usage or other metrics of your Amazon EC2 instances and automatically launch new instances when needed. For more information, see the [Amazon CloudWatch User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/).
+ *Amazon CloudWatch Logs* provides logging for sources such as Amazon EC2 instances and CloudTrail. CloudWatch Logs can monitor information in the log files and notify you when certain thresholds are met. You can also archive your log data in highly durable storage. For more information, see the [Amazon CloudWatch Logs User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/).
+ *AWS CloudTrail* captures API calls and related events made by or on behalf of your AWS account and delivers the log files to an Amazon S3 bucket that you specify. You can identify which users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred. For more information, see the [AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/).
+ *AWS Config* lets you view the configuration of your AWS resources in your AWS account. The available information includes how the resources are related to one another and how they were configured in the past, so that you can see how the configurations and relationships change over time. For more information, see the [AWS Config Developer Guide](https://docs.aws.amazon.com/config/latest/developerguide/).

**Monitoring and reporting options native to AWS Network Firewall**  
In addition to automated monitoring tools, you can access the following monitoring and reporting capabilities to analyze your network traffic directly from the Network Firewall console: 
+ Firewall request graph of packets monitored
+ Firewall monitoring dashboard for flow and alert logs
+ Traffic analysis mode and report generation

**Note**  
Firewall monitoring and traffic analysis mode each have specific prerequisites and configuration. For information, see [Monitoring and reporting in Network Firewall](nwfw-monitoring-reporting.md).

Review the topics in this guide to learn more about the different logging, monitoring, and reporting capabilities you can use with Network Firewall.

**Topics**
+ [Managing AWS Network Firewall events using Amazon EventBridge](eventbridge-events.md)
+ [Logging network traffic from AWS Network Firewall](firewall-logging.md)
+ [Logging calls to the AWS Network Firewall API with AWS CloudTrail](logging-using-cloudtrail.md)
+ [AWS Network Firewall metrics in Amazon CloudWatch](monitoring-cloudwatch.md)
+ [Monitoring and reporting in Network Firewall](nwfw-monitoring-reporting.md)

# Managing AWS Network Firewall events using Amazon EventBridge
<a name="eventbridge-events"></a>

AWS Network Firewall sends events directly to the EventBridge default event bus when firewall state changes occur. You can use these events to automate responses, send notifications, or integrate with other AWS services when your firewall configuration or attachment status changes.

## Event types
<a name="eventbridge-events-types"></a>

The following table describes the event types that AWS Network Firewall publishes to the EventBridge default event bus for firewall state changes.


| Event type | Description | 
| --- | --- | 
|  Firewall Configuration Changed  |  Published when the firewall configuration changes, such as when a firewall policy or rule group is updated.  | 
|  Firewall Attachment Status Changed  |  Published when the status of a firewall endpoint attachment changes.  | 
|  Firewall Transit Gateway Attachment Status Changed  |  Published when the status of a transit gateway attachment to the firewall changes.  | 

## Event examples
<a name="eventbridge-events-examples"></a>

The following examples show the structure of events that AWS Network Firewall publishes to EventBridge.

### Firewall Configuration Changed
<a name="eventbridge-firewall-configuration-changed"></a>

Events published when a firewall configuration changes, such as when a firewall policy or rule group is updated.

------
#### [ Update Events ]

This event is published when a firewall policy or rule group is updated, changing the configuration synchronization status. The example shows a policy update that transitions the configuration sync status from `IN_SYNC` to `PENDING`.

```
{
  "version": "0",
  "id": "01234567-0123-0123-0123-0123456789ab",
  "detail-type": "Firewall Configuration Changed",
  "source": "aws.network-firewall",
  "account": "111122223333",
  "time": "2026-01-28T00:39:59Z",
  "region": "us-east-1",
  "resources": [
    "arn:aws:network-firewall:us-east-1:111122223333:firewall/firewallname"
  ],
  "detail": {
    "data": [
      {
        "Availability Zone": "us-east-1c",
        "Configuration Resource ARN": "arn:aws:network-firewall:us-east-1:111122223333:firewall-policy/policyname",
        "Current Configuration Sync Status": "PENDING",
        "Previous Configuration Sync Status": "IN_SYNC",
        "Previous Configuration Update Token": "3855de80-2c83-4383-9d43-11ae9010855e"
      },
      {
        "Availability Zone": "us-east-1c",
        "Configuration Resource ARN": "arn:aws:network-firewall:us-east-1:aws-managed:stateful-rulegroup/statefulrulegroupname",
        "Current Configuration Sync Status": "PENDING"
      }
    ],
    "metadata": {
      "State Change ID": "08c4c78d4580bd12cde6c94eee221f4e15f592825eb299572c04ddd7a9a4a7f2"
    },
    "version": "1.0.0"
  }
}
```

------

### Firewall Attachment Status Changed
<a name="eventbridge-firewall-attachment-status-changed"></a>

Events published when the status of a firewall endpoint attachment changes during the firewall lifecycle.

------
#### [ Creating Events ]

This event is published when a firewall endpoint attachment is being created in an Availability Zone. The `Current Attachment Status` field shows `CREATING`. There is no `Previous Attachment Status` field because this is the first state that the attachment reports.

```
{
  "version": "0",
  "id": "01234567-0123-0123-0123-0123456789ab",
  "detail-type": "Firewall Attachment Status Changed",
  "source": "aws.network-firewall",
  "account": "111122223333",
  "time": "2026-01-28T00:39:59Z",
  "region": "us-east-1",
  "resources": [
    "arn:aws:network-firewall:us-east-1:111122223333:firewall/firewallname"
  ],
  "detail": {
    "data": [
      {
        "Availability Zone": "us-east-1c",
        "Current Attachment Status": "CREATING"
      }
    ],
    "metadata": {
      "State Change ID": "ec543b4702a2f9b277ddc1edfced32f5920431fca62d83d3052be5c637360b9f"
    },
    "version": "1.0.0"
  }
}
```

------
#### [ Ready Events ]

This event is published when a firewall endpoint attachment completes creation and becomes ready for traffic. The status transitions from `CREATING` to `READY`.

```
{
  "version": "0",
  "id": "01234567-0123-0123-0123-0123456789ab",
  "detail-type": "Firewall Attachment Status Changed",
  "source": "aws.network-firewall",
  "account": "111122223333",
  "time": "2026-01-28T00:39:59Z",
  "region": "us-east-1",
  "resources": [
    "arn:aws:network-firewall:us-east-1:111122223333:firewall/firewallname"
  ],
  "detail": {
    "data": [
      {
        "Availability Zone": "us-east-1c",
        "Current Attachment Status": "READY",
        "Endpoint ID": "vpce-1234567890abcdefg",
        "Previous Attachment Status": "CREATING"
      }
    ],
    "metadata": {
      "State Change ID": "59d86fd2f87cf005a2d41cffa8c86980f3648e9e2359b6c21068b6fbd31f6bd4"
    },
    "version": "1.0.0"
  }
}
```

------
#### [ Deleting Events ]

This event is published when a firewall endpoint attachment is being deleted. The status transitions from `READY` to `DELETING`.

```
{
  "version": "0",
  "id": "01234567-0123-0123-0123-0123456789ab",
  "detail-type": "Firewall Attachment Status Changed",
  "source": "aws.network-firewall",
  "account": "111122223333",
  "time": "2026-01-28T00:39:59Z",
  "region": "us-east-1",
  "resources": [
    "arn:aws:network-firewall:us-east-1:111122223333:firewall/firewallname"
  ],
  "detail": {
    "data": [
      {
        "Availability Zone": "us-east-1c",
        "Current Attachment Status": "DELETING",
        "Endpoint ID": "vpce-1234567890abcdefg",
        "Previous Attachment Status": "READY"
      }
    ],
    "metadata": {
      "State Change ID": "b6602d36c880bd5c6e6bdd62206cc6554c162019569f2170502f85c1b9332a33"
    },
    "version": "1.0.0"
  }
}
```

------

### Firewall Transit Gateway Attachment Status Changed
<a name="eventbridge-firewall-tgw-attachment-status-changed"></a>

Events published when the status of a transit gateway attachment to the firewall changes during the attachment lifecycle.

------
#### [ Creating Events ]

This event is published when a transit gateway attachment to the firewall is being created. The `Current Transit Gateway Attachment Status` field shows `CREATING`.

```
{
  "version": "0",
  "id": "01234567-0123-0123-0123-0123456789ab",
  "detail-type": "Firewall Transit Gateway Attachment Status Changed",
  "source": "aws.network-firewall",
  "account": "111122223333",
  "time": "2026-01-28T00:39:59Z",
  "region": "us-east-1",
  "resources": [
    "arn:aws:network-firewall:us-east-1:111122223333:firewall/firewallname"
  ],
  "detail": {
    "data": {
      "Attachment ID": "tgw-attach-1234567890abcdefg",
      "Current Transit Gateway Attachment Status": "CREATING"
    },
    "metadata": {
      "State Change ID": "4331b74ee5b5860fe659341efd09798857de175a8a4da7128ad0439e6ef710e7"
    },
    "version": "1.0.0"
  }
}
```

------
#### [ Pending Events ]

This event is published when a transit gateway attachment is waiting for acceptance. The status transitions from `CREATING` to `PENDING_ACCEPTANCE`.

```
{
  "version": "0",
  "id": "01234567-0123-0123-0123-0123456789ab",
  "detail-type": "Firewall Transit Gateway Attachment Status Changed",
  "source": "aws.network-firewall",
  "account": "111122223333",
  "time": "2026-01-28T00:39:59Z",
  "region": "us-east-1",
  "resources": [
    "arn:aws:network-firewall:us-east-1:111122223333:firewall/firewallname"
  ],
  "detail": {
    "data": {
      "Attachment ID": "tgw-attach-1234567890abcdefg",
      "Current Transit Gateway Attachment Status": "PENDING_ACCEPTANCE",
      "Previous Transit Gateway Attachment Status": "CREATING"
    },
    "metadata": {
      "State Change ID": "ce5a91c102a91bb94527baa4290b39dd3be79a9f3452f644c11145cf4755e13c"
    },
    "version": "1.0.0"
  }
}
```

------
#### [ Ready Events ]

This event is published when a transit gateway attachment completes and becomes ready for traffic. The status transitions from `CREATING` to `READY`.

```
{
  "version": "0",
  "id": "01234567-0123-0123-0123-0123456789ab",
  "detail-type": "Firewall Transit Gateway Attachment Status Changed",
  "source": "aws.network-firewall",
  "account": "111122223333",
  "time": "2026-01-28T00:39:59Z",
  "region": "us-east-1",
  "resources": [
    "arn:aws:network-firewall:us-east-1:111122223333:firewall/firewallname"
  ],
  "detail": {
    "data": {
      "Attachment ID": "tgw-attach-1234567890abcdefg",
      "Current Transit Gateway Attachment Status": "READY",
      "Previous Transit Gateway Attachment Status": "CREATING"
    },
    "metadata": {
      "State Change ID": "466efda83ad59a8d543eac712f5ad96465ac4ad87f5dab196cbf1be92f4d9918"
    },
    "version": "1.0.0"
  }
}
```

------
#### [ Deleting Events ]

This event is published when a transit gateway attachment is being deleted. The status transitions from `READY` to `DELETING`.

```
{
  "version": "0",
  "id": "01234567-0123-0123-0123-0123456789ab",
  "detail-type": "Firewall Transit Gateway Attachment Status Changed",
  "source": "aws.network-firewall",
  "account": "111122223333",
  "time": "2026-01-28T00:39:59Z",
  "region": "us-east-1",
  "resources": [
    "arn:aws:network-firewall:us-east-1:111122223333:firewall/firewallname"
  ],
  "detail": {
    "data": {
      "Attachment ID": "tgw-attach-1234567890abcdefg",
      "Current Transit Gateway Attachment Status": "DELETING",
      "Previous Transit Gateway Attachment Status": "READY"
    },
    "metadata": {
      "State Change ID": "5e68266934a286c64a5cc0593505f1ad2a0a959bef915e74aa6612bfb5accc6b"
    },
    "version": "1.0.0"
  }
}
```

------
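
The events above share one envelope but differ in where the state lives: `detail.data` is a list of per-Availability Zone records for the configuration and endpoint attachment events, and a single object for the transit gateway attachment events. The following Python is an added example, not code from the AWS documentation, that normalizes the three shapes, matches them against an EventBridge-style rule pattern, and flags attachments entering `DELETING` together with the policy and rule group ARNs whose sync status changed. The sample events are constructed to match the shapes shown above; the rule pattern, the set of statuses treated as teardown, and the finding format are this example's own choices.

```python
"""Triage AWS Network Firewall EventBridge events (added example, not AWS code).
Assumes the shapes shown on this page: detail.data is a list for the
configuration and endpoint-attachment events and a single object for the
transit gateway attachment events. Pattern and teardown statuses are assumed."""

# EventBridge-style rule pattern: a key matches when the event's value is one of the listed values.
RULE_PATTERN = {
    "source": ["aws.network-firewall"],
    "detail-type": ["Firewall Configuration Changed",
                    "Firewall Attachment Status Changed",
                    "Firewall Transit Gateway Attachment Status Changed"],
}
# An attachment in DELETING no longer inspects traffic; routes still pointing at it need attention.
TEARDOWN_STATUSES = {"DELETING"}
# Per detail-type: (scope field, previous-status field, current-status field).
STATUS_FIELDS = {
    "Firewall Configuration Changed": ("Configuration Resource ARN",
        "Previous Configuration Sync Status", "Current Configuration Sync Status"),
    "Firewall Attachment Status Changed": ("Availability Zone",
        "Previous Attachment Status", "Current Attachment Status"),
    "Firewall Transit Gateway Attachment Status Changed": ("Attachment ID",
        "Previous Transit Gateway Attachment Status", "Current Transit Gateway Attachment Status"),
}


def matches_pattern(event, pattern=RULE_PATTERN):
    """Minimal matcher for top-level string fields of an EventBridge event."""
    return all(event.get(key) in allowed for key, allowed in pattern.items())


def records(event):
    """Normalize detail.data to a list; TGW events carry a single object."""
    data = event["detail"]["data"]
    return data if isinstance(data, list) else [data]


def transitions(event):
    """(scope, previous, current) per record. previous is None on the first
    event for a resource, as in the CREATING examples above."""
    fields = STATUS_FIELDS.get(event.get("detail-type"))
    if fields is None:
        return []
    scope_key, prev_key, cur_key = fields
    return [(r[scope_key], r.get(prev_key), r[cur_key]) for r in records(event)]


def changed_configuration(event):
    """ARNs of the policies and rule groups whose sync status moved.
    Correlate them with CloudTrail to find who made the change."""
    if event.get("detail-type") != "Firewall Configuration Changed":
        return set()
    return {scope for scope, _prev, _cur in transitions(event)}


def teardown_findings(event):
    """Readable findings for attachments entering a teardown status."""
    if not matches_pattern(event):
        return []
    firewall = event["resources"][0]
    return [f"{firewall}: {scope} {prev or '(new)'} -> {cur}"
            for scope, prev, cur in transitions(event) if cur in TEARDOWN_STATUSES]


# Constructed sample events shaped like the examples on this page.
FIREWALL_ARN = "arn:aws:network-firewall:us-east-1:111122223333:firewall/firewallname"
POLICY_ARN = "arn:aws:network-firewall:us-east-1:111122223333:firewall-policy/policyname"
RULEGROUP_ARN = "arn:aws:network-firewall:us-east-1:aws-managed:stateful-rulegroup/statefulrulegroupname"
TGW_DELETING = {
    "source": "aws.network-firewall", "account": "111122223333", "region": "us-east-1",
    "detail-type": "Firewall Transit Gateway Attachment Status Changed", "resources": [FIREWALL_ARN],
    "detail": {"data": {"Attachment ID": "tgw-attach-1234567890abcdefg",
                        "Current Transit Gateway Attachment Status": "DELETING",
                        "Previous Transit Gateway Attachment Status": "READY"},
               "metadata": {"State Change ID": "constructed"}, "version": "1.0.0"},
}
CONFIG_CHANGED = {
    "source": "aws.network-firewall", "account": "111122223333", "region": "us-east-1",
    "detail-type": "Firewall Configuration Changed", "resources": [FIREWALL_ARN],
    "detail": {"data": [{"Availability Zone": "us-east-1c", "Configuration Resource ARN": POLICY_ARN,
                         "Previous Configuration Sync Status": "IN_SYNC",
                         "Current Configuration Sync Status": "PENDING"},
                        {"Availability Zone": "us-east-1c", "Configuration Resource ARN": RULEGROUP_ARN,
                         "Current Configuration Sync Status": "PENDING"}],
               "metadata": {"State Change ID": "constructed"}, "version": "1.0.0"},
}
UNRELATED = {"source": "aws.ec2", "detail-type": "EC2 Instance State-change Notification", "detail": {}}

if __name__ == "__main__":
    for ev in (TGW_DELETING, CONFIG_CHANGED, UNRELATED):
        print({"matched": matches_pattern(ev), "teardown": teardown_findings(ev),
               "changed": sorted(changed_configuration(ev))})
```

In practice you would run this as the target of an EventBridge rule whose pattern is the same `source` and `detail-type` lists as `RULE_PATTERN`; the ARNs returned by `changed_configuration` are the resources to look up in CloudTrail to see who changed the policy or rule group.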

# Logging network traffic from AWS Network Firewall
<a name="firewall-logging"></a>

You can configure AWS Network Firewall logging for your firewall's stateful engine. Logging gives you detailed information about network traffic, including the time that the stateful engine received a packet, detailed information about the packet, and any stateful rule action taken against the packet. The logs are published to the log destination that you've configured, where you can retrieve and view them.

**Note**  
Firewall logging is only available for traffic that you forward to the stateful rules engine. You forward traffic to the stateful engine through stateless rule actions and stateless default actions in the firewall policy. For information about these action settings, see [Firewall policy settings in AWS Network Firewall](firewall-policy-settings.md) and [Defining rule actions in AWS Network Firewall](rule-action.md).  
Metrics provide some higher-level information for both stateless and stateful engine types. For more information, see [AWS Network Firewall metrics in Amazon CloudWatch](monitoring-cloudwatch.md).

You can record the following types of logs from your Network Firewall stateful engine. 
+ Flow logs are standard network traffic flow logs.
+ Alert logs report traffic that matches your stateful rules that have an action that sends an alert. A stateful rule sends alerts for the rule actions `DROP`, `ALERT`, and `REJECT`. For more information, see [Actions for stateful rules](rule-action.md#rule-action-stateful). 
+ TLS logs report events that are related to TLS inspection. These logs require the firewall to be configured for TLS inspection. For information, see [Inspecting SSL/TLS traffic with TLS inspection configurations in AWS Network Firewall](tls-inspection-configurations.md).

You can use the same or different logging destinations for each log type. You enable logging for a firewall after you create it. For information about how to do this, see [Updating an AWS Network Firewall logging configuration](firewall-update-logging-configuration.md). 

**Topics**
+ [Contents of an AWS Network Firewall log](firewall-logging-contents.md)
+ [Timing of AWS Network Firewall log delivery](firewall-logging-timing.md)
+ [Permissions to configure AWS Network Firewall logging](firewall-logging-permissions.md)
+ [Pricing for AWS Network Firewall logging](firewall-logging-pricing.md)
+ [AWS Network Firewall logging destinations](firewall-logging-destinations.md)
+ [Logging in AWS Network Firewall with server-side encryption and customer-provided keys](firewall-logging-encrypt-kms.md)
+ [Updating an AWS Network Firewall logging configuration](firewall-update-logging-configuration.md)

# Contents of an AWS Network Firewall log
<a name="firewall-logging-contents"></a>

The Network Firewall logs contain the following information: 
+ **firewall_name** – The name of the firewall that's associated with the log entry.
+ **availability_zone** – The Availability Zone of the firewall endpoint that generated the log entry.
+ **event_timestamp** – The time that the log was created, written in epoch seconds at Coordinated Universal Time (UTC).
+ **aws_category** – For rules that use URL or Domain Category filtering, the matched categories as a JSON array serialized into a string, for example `"[\"Search Engines and Portals\"]"` or `"[\"Technology and Internet\"]"`. In the example entries below, this field appears inside the `event` object.
+ **event** – Detailed information about the event. This information includes the event timestamp converted to human readable format, the event type, network packet details, and, if applicable, details about the stateful rule that the packet matched against. 
  + **Alert and flow events** – Alert and flow events are produced by Suricata, the open source threat detection engine that the stateful rules engine runs on. Suricata writes the event information in the Suricata EVE JSON output format, with the exception of the AWS managed `tls_inspected` attribute.
    + Flow log events use the EVE output type `netflow`. Because `netflow` logs unidirectional flows, each event represents traffic going in a single direction. 
    + Alert log events use the EVE output type `alert`.
    + If the firewall that's associated with the log uses TLS inspection and the firewall's traffic uses SSL/TLS, Network Firewall adds the custom field `"tls_inspected": true` to the log. If your firewall doesn't use TLS inspection, Network Firewall omits this field.

    For detailed information about these Suricata events, see [EVE JSON Output](https://docs.suricata.io/en/suricata-7.0.8/output/eve/eve-json-output.html?highlight=EVE) in the [Suricata User Guide](https://docs.suricata.io/en/suricata-7.0.8/index.html). 
  + **TLS events** – TLS events are produced by a dedicated stateful TLS engine, which is separate from Suricata. TLS events have the output type `tls`. The logs have a JSON structure that's similar to the Suricata EVE output. 

    These events require the firewall to be configured for TLS inspection. For information, see [Inspecting SSL/TLS traffic with TLS inspection configurations in AWS Network Firewall](tls-inspection-configurations.md). 

    TLS logs report the following types of errors:
    + TLS errors, with the custom field `"tls_error":` containing the error details. Currently, this category includes Server Name Indication (SNI) mismatches and SNI naming errors. Typically these errors are caused by problems with customer traffic or with the customer's client or server. For example, errors caused when the client hello SNI is NULL or doesn't match the subject name in the server certificate. 
    + Revocation check errors, with the custom field `"revocation_check":` containing the check failure details. These report outbound traffic that fails the server certificate revocation check during TLS inspection. This requires the firewall to be configured with TLS inspection for outbound traffic, and for the TLS inspection to be configured to check the certificate revocation status. The logs include the revocation check status, the action taken, and the SNI that the revocation check was for. For information about configuring certificate revocation checking, see [Using SSL/TLS certificates with TLS inspection configurations in AWS Network Firewall](tls-inspection-certificate-requirements.md). 

**Example alert log entry**  
The following listing shows an example alert log entry for Network Firewall.

```
{
    "firewall_name": "test-firewall",
    "availability_zone": "us-east-1b",
    "event_timestamp": "1602627001",
    "event": {
        "timestamp": "2020-10-13T22:10:01.006481+0000",
        "flow_id": 1582438383425873,
        "event_type": "alert",
        "src_ip": "203.0.113.4",
        "src_port": 55555,
        "dest_ip": "192.0.2.16",
        "dest_port": 111,
        "proto": "TCP",
        "alert": {
            "action": "allowed",
            "signature_id": 5,
            "rev": 0,
            "signature": "test_tcp",
            "category": "",
            "severity": 1
        }
    }
}
```

**Example alert log entry with URL and Domain Category enabled**  
The following listing shows an example alert log entry for an HTTP/2 request that a category-based rule dropped. The matched category is in `aws_category`, and the `verdict` object records the `drop` action.

```
{
    "firewall_name": "test-firewall",
    "availability_zone": "us-east-1b",
    "event_timestamp": "1762217722",
    "event": {
        "aws_category": "[\"Search Engines and Portals\"]",
        "tx_id": 2,
        "app_proto": "http2",
        "src_ip": "10.0.100.55",
        "src_port": 54878,
        "event_type": "alert",
        "alert": {
            "severity": 3,
            "signature_id": 6,
            "rev": 0,
            "signature": "",
            "action": "blocked",
            "category": ""
        },
        "flow_id": 643336554233439,
        "dest_ip": "64.233.180.147",
        "proto": "TCP",
        "verdict": {
            "action": "drop"
        },
        "http": {
            "version": "2",
            "request_headers": [{
                "name": ":method",
                "value": "GET"
            }, {
                "name": ":scheme",
                "value": "https"
            }, {
                "name": ":authority",
                "value": "www.google.com"
            }, {
                "name": ":path",
                "value": "/"
            }, {
                "name": "user-agent",
                "value": "curl/8.11.1"
            }, {
                "name": "accept",
                "value": "*/*"
            }],
            "http_user_agent": "curl/8.11.1",
            "url": "/",
            "http_method": "GET",
            "http2": {
                "stream_id": 1,
                "request": {},
                "response": {}
            }
        },
        "dest_port": 443,
        "timestamp": "2025-12-31T00:55:22.870721+0000",
        "direction": "to_server"
    }
}
```

**Example TLS log entry**  
The following listing shows an example TLS log entry for a failed certificate revocation check.

```
{
    "firewall_name": "egress-fw",
    "availability_zone": "us-east-1d",
    "event_timestamp": 1708361189,
    "event": {
        "src_ip": "10.0.2.53",
        "src_port": "55930",
        "revocation_check": {
            "leaf_cert_fpr": "1234567890EXAMPLE0987654321",
            "status": "REVOKED",
            "action": "DROP"
        },
        "dest_ip": "54.92.160.72",
        "dest_port": "443",
        "timestamp": "2024-02-19T16:46:29.441824Z",
        "sni": "revoked-rsa-dv.ssl.com"
    }
}
```

**Example TLS log entry with URL and Domain Category enabled**  
The following listing shows an example log entry for a TLS connection that a category-based rule dropped. The matched category is in `aws_category`, and the server name is in `tls.sni`.

```
{
    "firewall_name": "test-firewall",
    "availability_zone": "us-east-1b",
    "event_timestamp": "1763508615",
    "event": {
        "aws_category": "[\"Technology and Internet\"]",
        "tx_id": 0,
        "app_proto": "tls",
        "src_ip": "10.0.100.55",
        "src_port": 44474,
        "event_type": "alert",
        "alert": {
            "severity": 3,
            "signature_id": 6,
            "rev": 0,
            "signature": "",
            "action": "blocked",
            "category": ""
        },
        "flow_id": 1972143099170468,
        "dest_ip": "192.178.155.113",
        "proto": "TCP",
        "verdict": {
            "action": "drop"
        },
        "tls": {
            "sni": "developers.google.com",
            "version": "UNDETERMINED"
        },
        "dest_port": 443,
        "pkt_src": "geneve encapsulation",
        "timestamp": "2025-11-18T23:30:15.006867+0000",
        "direction": "to_server"
    }
}
```
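
The entries above show the three shapes that a consumer of these logs has to handle: Suricata EVE `alert` (and `netflow`) events, TLS engine entries keyed by `revocation_check` (or `tls_error`), and alert entries that carry `aws_category`, which is a JSON array serialized into a string. Field types also differ between them: `event_timestamp` and the ports are strings in some entries and integers in others. The following Python is an added example, not code from the AWS documentation, that parses one JSON log line per entry into a flat record and counts blocked connections by server name. The sample lines are constructed from the entries above; the `netflow` line is invented to show the flow shape, and the `tls_error` branch only keeps the field as-is because its layout isn't shown on this page.

```python
"""Parse AWS Network Firewall log lines and summarise blocked connections.
Added example, not AWS code. Handles the entry shapes shown above: Suricata
EVE alert/netflow events, TLS engine entries keyed by revocation_check or
tls_error, and alert entries carrying aws_category. Sample lines are
constructed; the tls_error branch stores the field as-is because its
layout is not shown on this page."""
import json
from collections import Counter

BLOCKING_VERDICTS = {"drop", "reject", "blocked"}


def _server_name(ev):
    """TLS SNI if present, else the HTTP :authority/Host header, else None."""
    sni = ev.get("tls", {}).get("sni") or ev.get("sni")  # TLS-engine entries put sni at top level
    if sni:
        return sni
    for hdr in ev.get("http", {}).get("request_headers", []):
        if hdr.get("name", "").lower() in (":authority", "host"):
            return hdr.get("value")
    return ev.get("http", {}).get("hostname")


def parse_entry(line):
    """Flatten one JSON log line. event_timestamp and the ports are strings in
    some log types and integers in others, so both are normalised to int."""
    rec = json.loads(line)
    ev = rec["event"]
    out = {
        "firewall": rec["firewall_name"], "az": rec["availability_zone"],
        "ts": int(rec["event_timestamp"]),
        "src": (ev["src_ip"], int(ev["src_port"])), "dst": (ev["dest_ip"], int(ev["dest_port"])),
        "server_name": _server_name(ev),
        # aws_category is a JSON array serialised inside a JSON string
        "categories": json.loads(ev["aws_category"]) if "aws_category" in ev else [],
        "tls_inspected": ev.get("tls_inspected", False),
        "kind": None, "verdict": None, "detail": None,
    }
    if "revocation_check" in ev:
        rc = ev["revocation_check"]
        out.update(kind="tls_revocation", verdict=rc["action"].lower(), detail=rc["status"])
    elif "tls_error" in ev:
        out.update(kind="tls_error", detail=ev["tls_error"])
    else:
        out["kind"] = ev.get("event_type")  # "alert" or "netflow"
        if out["kind"] == "alert":
            # verdict.action is the engine decision; alert.action alone reads
            # "allowed" for an ALERT-action rule that did not drop the packet.
            out["verdict"] = ev.get("verdict", {}).get("action", ev["alert"]["action"])
            out["detail"] = ev["alert"].get("signature") or f"sid:{ev['alert']['signature_id']}"
    return out


def blocked_summary(lines):
    """Count blocked connections by (entry kind, server name or destination IP)."""
    counts = Counter()
    for line in lines:
        if line.strip():
            r = parse_entry(line)
            if r["verdict"] in BLOCKING_VERDICTS:
                counts[(r["kind"], r["server_name"] or r["dst"][0])] += 1
    return counts


# Constructed sample entries, condensed from the examples above.
_SAMPLE_RECORDS = [
    {"firewall_name": "test-firewall", "availability_zone": "us-east-1b", "event_timestamp": "1602627001",
     "event": {"event_type": "alert", "src_ip": "203.0.113.4", "src_port": 55555, "dest_ip": "192.0.2.16",
               "dest_port": 111, "proto": "TCP", "alert": {"action": "allowed", "signature_id": 5,
               "rev": 0, "signature": "test_tcp", "category": "", "severity": 1}}},
    {"firewall_name": "test-firewall", "availability_zone": "us-east-1b", "event_timestamp": "1762217722",
     "event": {"aws_category": "[\"Search Engines and Portals\"]", "app_proto": "http2", "event_type": "alert",
               "src_ip": "10.0.100.55", "src_port": 54878, "dest_ip": "64.233.180.147", "dest_port": 443,
               "alert": {"action": "blocked", "signature_id": 6, "rev": 0, "signature": "", "category": "", "severity": 3},
               "verdict": {"action": "drop"},
               "http": {"request_headers": [{"name": ":authority", "value": "www.google.com"}]}}},
    {"firewall_name": "egress-fw", "availability_zone": "us-east-1d", "event_timestamp": 1708361189,
     "event": {"src_ip": "10.0.2.53", "src_port": "55930", "dest_ip": "54.92.160.72", "dest_port": "443",
               "revocation_check": {"leaf_cert_fpr": "1234567890EXAMPLE0987654321", "status": "REVOKED", "action": "DROP"},
               "sni": "revoked-rsa-dv.ssl.com"}},
    # netflow shape is constructed; Network Firewall flow logs use the EVE netflow type
    {"firewall_name": "test-firewall", "availability_zone": "us-east-1b", "event_timestamp": "1700000000",
     "event": {"event_type": "netflow", "src_ip": "10.0.100.55", "src_port": 40000, "dest_ip": "192.0.2.10",
               "dest_port": 443, "proto": "TCP", "netflow": {"pkts": 12, "bytes": 2048}}},
]
SAMPLE_LINES = [json.dumps(r) for r in _SAMPLE_RECORDS]

if __name__ == "__main__":
    for (kind, name), n in blocked_summary(SAMPLE_LINES).items():
        print(f"{kind:15} {name:30} {n}")
```

Feed `blocked_summary` the lines of a CloudWatch Logs stream or of a decompressed S3 log file (one JSON object per line). Note that an alert from a rule with the `ALERT` action has `alert.action` set to `allowed` and no `verdict`, so it is counted as not blocked; only the `verdict.action` from `DROP` and `REJECT` rules, and the `action` in `revocation_check`, count as blocked.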

# Timing of AWS Network Firewall log delivery
<a name="firewall-logging-timing"></a>

A log file or log stream generally contains information about the traffic that your firewall received during a given time period. The timing of Network Firewall log delivery varies by destination type, averaging 3-6 minutes for Amazon CloudWatch Logs and Amazon Data Firehose and 8-12 minutes for Amazon Simple Storage Service buckets. In some cases, logs can take longer than these averages. When log entries are delayed, Network Firewall saves them and then logs them according to the date and time of the period in which the traffic occurred, not the date and time when the logs are delivered.

**Note**  
If your firewall doesn't filter traffic for a period of time, you don't receive logs for that period.

When creating a log file or stream, Network Firewall consolidates information for your firewall from all the endpoints that received traffic during the time period that the log covers.

# Permissions to configure AWS Network Firewall logging
<a name="firewall-logging-permissions"></a>

You must have the following permissions to make any changes to your firewall logging configuration. These settings are included in the permissions requirements for each logging configuration type, under [AWS Network Firewall logging destinations](firewall-logging-destinations.md).

```
{
    "Action": [
        "logs:CreateLogDelivery",
        "logs:GetLogDelivery",
        "logs:UpdateLogDelivery",
        "logs:DeleteLogDelivery",
        "logs:ListLogDeliveries"
    ],
    "Resource": [
        "*"
    ],
    "Effect": "Allow",
    "Sid": "FirewallLogging"
}
```

The permissions required for logging configuration are in addition to the standard permissions required to use the Network Firewall API. For information about the standard permissions that are required to use Network Firewall, see [Managing access using policies](security-iam.md#security_iam_access-manage). 

# Pricing for AWS Network Firewall logging
<a name="firewall-logging-pricing"></a>

You are charged for Amazon CloudWatch *vended logs*, on top of the basic charges for using Network Firewall. You also incur charges when you query the logs, whether through CloudWatch or through Amazon Athena for logs stored in Amazon S3. Vended logs are specific AWS service logs that AWS publishes on your behalf at volume discount pricing. 

Your logging costs can vary depending on factors such as the destination type that you choose and the amount of data that you log. For example, flow logging sends logs for all of the network traffic that reaches your firewall's stateful rules, but alert logging sends logs only for network traffic that your stateful rules drop, reject, or explicitly alert on.

Review the following resources to understand the pricing considerations for using firewall logs:
+ For information about CloudWatch vended log pricing, see [Logs](https://aws.amazon.com/cloudwatch/pricing/) on the *Amazon CloudWatch pricing* page. 
+ For information about Network Firewall pricing, see [Network Firewall pricing](https://aws.amazon.com/network-firewall/pricing/). 
+ For information about Amazon S3 pricing, see [Amazon S3 pricing](https://aws.amazon.com/S3/pricing/). 
+ For information about Amazon Athena pricing, see [Amazon Athena pricing](https://aws.amazon.com/athena/pricing/).

# AWS Network Firewall logging destinations
<a name="firewall-logging-destinations"></a>

This section describes the logging destinations that you can choose from for your Network Firewall logs. Each section provides guidance for configuring logging for the destination type and information about any behavior that's specific to the destination type. After you've configured your logging destination, you can provide its specifications to the firewall logging configuration to start logging to it.

For information about how to update the logging destination for an existing logging configuration, see [Updating a firewall's logging configuration](firewall-update-logging-configuration.md).

**Topics**
+ [Sending AWS Network Firewall logs to Amazon Simple Storage Service](logging-s3.md)
+ [Sending AWS Network Firewall logs to Amazon CloudWatch Logs](logging-cw-logs.md)
+ [Sending AWS Network Firewall logs to Amazon Data Firehose](logging-kinesis.md)

# Sending AWS Network Firewall logs to Amazon Simple Storage Service
<a name="logging-s3"></a>

To send your firewall logs to Amazon S3, you need to set up an Amazon S3 bucket as the destination for the logs. In your bucket configuration for the firewall, you can optionally include a prefix, to immediately follow the bucket name. When you enable logging to Amazon S3 in Network Firewall, you provide the bucket name and, if you are using one, the prefix. For information about creating your logging bucket, see [Create a Bucket](https://docs.aws.amazon.com/AmazonS3/latest/userguide/CreatingABucket.html) in the *Amazon Simple Storage Service User Guide*.

**Note**  
Network Firewall supports log buckets that are encrypted with Amazon S3 managed keys (SSE-S3) and with AWS KMS keys (SSE-KMS). Network Firewall doesn't support buckets encrypted with AWS managed KMS keys, so for SSE-KMS use a customer managed key.

**Note**  
For information about the fees associated with sending logs to Amazon S3, see [Pricing for AWS Network Firewall logging](firewall-logging-pricing.md).

**Important**  
If you enable detailed monitoring for a firewall that sends alert or flow logs to Amazon S3, Network Firewall uses Amazon Athena to create tables as required in your account. These tables are used exclusively to populate the firewall monitoring dashboards and are managed by the Network Firewall console. For more information about querying Amazon S3 data with Amazon Athena, see [Querying Amazon S3 Inventory with Amazon Athena](https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage-inventory-athena-query.html). 

**Important**  
To use the firewall monitoring dashboard functionality with S3 logging destinations:  
The Amazon S3 bucket storing the logs must be in the same region as the firewall. This is required for Amazon Athena to process the logs, as cross-region processing is not supported.
If you specify a prefix for your S3 bucket, ensure it does not begin with a forward slash (`/`). Prefixes starting with (`/`) are not compatible with Amazon Athena processing and will prevent the dashboard from functioning correctly.

Network Firewall collects log records, consolidates them into log files, and then publishes the log files to the Amazon S3 bucket at 5-minute intervals. Each log file contains log records for the network traffic recorded in the previous five minutes.

The maximum file size for a log file is 75 MB. If a log file reaches that limit before the 5-minute period ends, Network Firewall stops adding records to it, publishes it to the Amazon S3 bucket, and then starts a new log file.

A single log file contains interleaved entries for multiple connections, each identified by the 5-tuple of source IP address, source port, destination IP address, destination port, and protocol. To see all the log files for your firewall, look for the entries under your account ID and firewall name.

Log files are saved in the specified Amazon S3 bucket using a folder structure that's determined by your account ID, the Network Firewall log type, the Region, the firewall name, and the date. The bucket folder structure uses the following format:

```
s3-bucket-name/optional-s3-bucket-prefix/AWSLogs/aws-account-id/network-firewall/log-type/Region/firewall-name/timestamp/
```

Similarly, the log file name is determined by your account ID, the log type, the Region, the firewall name, and the date and time the file was created. File names use the following format:

```
aws-account-id_network-firewall_log-type_Region_firewall-name_timestamp_hash.log.gz
```

In the specification of the folder and file name, the following apply:
+ The log type is either `alert`, `flow`, or `tls`.
+ The timestamp uses the `YYYYMMDDTHHmmZ` format. 
+ If you don't specify an S3 bucket prefix, the log file bucket folder structure is similar to the following:

  ```
  s3-bucket-name/AWSLogs/aws-account-id
  ```
+ If you specify slash (`/`) for the S3 bucket prefix, or provide a prefix that begins with a slash, the log file bucket folder structure will contain a double slash (`//`), like the following for a prefix set to a single slash:

  ```
  s3-bucket-name//AWSLogs/aws-account-id
  ```

The following shows an example flow log file in Amazon S3 for AWS account `11111111111`, firewall name `test-firewall`, bucket name `s3://amzn-s3-demo-bucket`, and bucket prefix `flow-logs`. 

```
s3://amzn-s3-demo-bucket/flow-logs/AWSLogs/11111111111/network-firewall/flow/us-east-1/test-firewall/2020/10/01/19/11111111111_network-firewall_flow_us-east-1_test-firewall_202010011920_44442222.log.gz
```
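The folder and file naming rules above are easy to get subtly wrong when you write tooling that lists, routes or validates firewall log objects. The following is an added example, not code from this guide or from AWS, that builds a log object key from its parts, parses a key back into its fields (rejecting objects whose hourly folder disagrees with the timestamp in the file name), and checks a bucket prefix for the leading slash that breaks the Athena-backed dashboard. It assumes the hourly folder is `YYYY/MM/DD/HH` and the file timestamp is `YYYYMMDDHHmm`, as in the sample key above; the `T` and `Z` of the documented `YYYYMMDDTHHmmZ` form are accepted as optional.

```python
import re
from datetime import datetime, timezone
from typing import Optional

LOG_TYPES = ("alert", "flow", "tls")

# Constructed sample key, taken from the flow log example on this page
# (an S3 object key starts after "s3://bucket-name/").
EXAMPLE_KEY = (
    "flow-logs/AWSLogs/11111111111/network-firewall/flow/us-east-1/test-firewall/"
    "2020/10/01/19/11111111111_network-firewall_flow_us-east-1_test-firewall_"
    "202010011920_44442222.log.gz"
)

# Assumption: hourly folder YYYY/MM/DD/HH and file timestamp YYYYMMDDHHmm, as in the
# page's example; "T" and "Z" of the documented YYYYMMDDTHHmmZ form are optional.
KEY_RE = re.compile(
    r"^(?:(?P<prefix>.*?)/)?AWSLogs/(?P<account>\d+)/network-firewall/"
    r"(?P<log_type>alert|flow|tls)/(?P<region>[a-z0-9-]+)/(?P<firewall>[^/]+)/"
    r"(?P<y>\d{4})/(?P<mo>\d{2})/(?P<d>\d{2})/(?P<h>\d{2})/"
    r"(?P=account)_network-firewall_(?P=log_type)_(?P=region)_(?P=firewall)_"
    r"(?P<ts>\d{8}T?\d{4}Z?)_(?P<hash>[0-9A-Za-z]+)\.log\.gz$"
)


def validate_prefix(prefix: str) -> Optional[str]:
    """Return what is wrong with an S3 bucket prefix, or None if it is acceptable.

    A prefix starting with "/" puts "//" in every object key, which the page notes
    stops Amazon Athena (and so the monitoring dashboard) from processing the logs.
    """
    if prefix.startswith("/"):
        return "prefix must not begin with '/' (it produces '//' keys that Athena cannot process)"
    return None


def build_log_key(prefix, account_id, log_type, region, firewall_name, when, file_hash):
    """Build the object key Network Firewall would use for one log file.

    `when` is a timezone-aware datetime. The prefix is used verbatim, so a prefix of
    "/" reproduces the "//AWSLogs" layout the page warns about.
    """
    if log_type not in LOG_TYPES:
        raise ValueError(f"unknown log type {log_type!r}")
    folder = (
        f"AWSLogs/{account_id}/network-firewall/{log_type}/{region}/"
        f"{firewall_name}/{when:%Y/%m/%d/%H}/"
    )
    if prefix:
        folder = f"{prefix}/{folder}"
    file_name = (
        f"{account_id}_network-firewall_{log_type}_{region}_{firewall_name}_"
        f"{when:%Y%m%d%H%M}_{file_hash}.log.gz"
    )
    return folder + file_name


def parse_log_key(key: str) -> Optional[dict]:
    """Split a log object key into its fields.

    Returns None if the key is not a Network Firewall log key, or if the hourly
    folder does not agree with the timestamp in the file name (the service never
    writes such an object, so it deserves a look rather than silent ingestion).
    """
    m = KEY_RE.match(key)
    if not m:
        return None
    ts = m["ts"].replace("T", "").replace("Z", "")
    when = datetime.strptime(ts, "%Y%m%d%H%M").replace(tzinfo=timezone.utc)
    if f"{when:%Y/%m/%d/%H}" != f"{m['y']}/{m['mo']}/{m['d']}/{m['h']}":
        return None
    return {
        "prefix": m["prefix"] or "",
        "account_id": m["account"],
        "log_type": m["log_type"],
        "region": m["region"],
        "firewall_name": m["firewall"],
        "timestamp": when,
        "file_hash": m["hash"],
    }


def roundtrip(key: str) -> Optional[str]:
    """Rebuild a key from its parsed fields; equals the input for a well-formed key."""
    f = parse_log_key(key)
    if f is None:
        return None
    return build_log_key(f["prefix"], f["account_id"], f["log_type"], f["region"],
                         f["firewall_name"], f["timestamp"], f["file_hash"])


if __name__ == "__main__":
    print(parse_log_key(EXAMPLE_KEY))
    print(validate_prefix("/flow-logs"))
```

Running `validate_prefix` before calling the logging configuration API is cheaper than discovering an empty dashboard later; `parse_log_key` is the piece to reuse in an S3 event handler that forwards log files to a SIEM, since it also yields the account and firewall the file belongs to.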

## Permissions to publish logs to Amazon S3
<a name="logging-s3-permissions"></a>

You must have the following permissions settings to configure your firewall to send logs to Amazon S3. 

------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:CreateLogDelivery",
                "logs:GetLogDelivery",
                "logs:UpdateLogDelivery",
                "logs:DeleteLogDelivery",
                "logs:ListLogDeliveries"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Sid": "FirewallLogging"
        },
        {
            "Sid": "FirewallLoggingS3",
            "Action": [
                "s3:PutBucketPolicy",
                "s3:GetBucketPolicy"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name"
            ],
            "Effect": "Allow"
        }
    ]
}
```

------

By default, Amazon S3 buckets and the objects that they contain are private. Only the bucket owner can access the bucket and the objects stored in it. The bucket owner, however, can grant access to other resources and users by writing an access policy.

If the user creating the log owns the bucket, the service automatically attaches the following policy to the bucket to give the log permission to publish logs to it:

------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSLogDeliveryWrite",
            "Effect": "Allow",
            "Principal": {"Service": "delivery.logs.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::bucket-name/optional-folder/AWSLogs/123456789012/*",
            "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
        },
        {
            "Sid": "AWSLogDeliveryAclCheck",
            "Effect": "Allow",
            "Principal": {"Service": "delivery.logs.amazonaws.com"},
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::bucket-name"
        }
    ]
}
```

------

If the user creating the log doesn't own the bucket, or doesn't have the `GetBucketPolicy` and `PutBucketPolicy` permissions for the bucket, the log creation fails. In this case, the bucket owner must manually add the preceding policy to the bucket and specify the log creator's AWS account ID. For more information, see [How Do I Add an S3 Bucket Policy?](https://docs.aws.amazon.com/AmazonS3/latest/userguide/add-bucket-policy.html) in the *Amazon Simple Storage Service User Guide*. If the bucket receives logs from multiple accounts, add a `Resource` element entry to the `AWSLogDeliveryWrite` policy statement for each account. 

For example, the following bucket policy allows AWS accounts `111122223333` and `444455556666` to publish logs to a folder named `flow-logs` in a bucket named `amzn-s3-demo-bucket`:

------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AWSLogDeliveryWrite",
            "Effect": "Allow",
            "Principal": {"Service": "delivery.logs.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": [
                "arn:aws:s3:::amzn-s3-demo-bucket/flow-logs/AWSLogs/111122223333/*",
                "arn:aws:s3:::amzn-s3-demo-bucket/flow-logs/AWSLogs/444455556666/*"
            ],
            "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}}
        },
        {
            "Sid": "AWSLogDeliveryAclCheck",
            "Effect": "Allow",
            "Principal": {"Service": "delivery.logs.amazonaws.com"},
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::amzn-s3-demo-bucket"
        }
    ]
}
```

------
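Hand-editing the `AWSLogDeliveryWrite` resource list is where cross-account log delivery usually breaks: a missing `/*`, a stray character after the bucket name, or a dropped `bucket-owner-full-control` condition all make log creation fail. The following is an added example, not code from this guide or from AWS, that generates the bucket policy shown above for any set of accounts and checks an existing bucket policy for those defects. The bucket, prefix and account IDs are constructed sample values.

```python
import json
from typing import Iterable, List

LOG_DELIVERY_PRINCIPAL = "delivery.logs.amazonaws.com"


def log_object_arn(bucket: str, prefix: str, account_id: str) -> str:
    """ARN pattern covering the objects the log delivery service writes for one account."""
    folder = prefix.strip("/")
    return f"arn:aws:s3:::{bucket}/{folder + '/' if folder else ''}AWSLogs/{account_id}/*"


def build_bucket_policy(bucket: str, prefix: str, account_ids: Iterable[str]) -> dict:
    """Bucket policy with one PutObject resource per log-producing account plus the ACL check."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AWSLogDeliveryWrite",
                "Effect": "Allow",
                "Principal": {"Service": LOG_DELIVERY_PRINCIPAL},
                "Action": "s3:PutObject",
                "Resource": [log_object_arn(bucket, prefix, a) for a in account_ids],
                "Condition": {"StringEquals": {"s3:x-amz-acl": "bucket-owner-full-control"}},
            },
            {
                "Sid": "AWSLogDeliveryAclCheck",
                "Effect": "Allow",
                "Principal": {"Service": LOG_DELIVERY_PRINCIPAL},
                "Action": "s3:GetBucketAcl",
                "Resource": f"arn:aws:s3:::{bucket}",
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_bucket_policy(policy: dict, bucket: str, prefix: str,
                        account_ids: Iterable[str]) -> List[str]:
    """Return the problems that would stop the listed accounts delivering logs; [] if none."""
    account_ids = list(account_ids)
    expected = {log_object_arn(bucket, prefix, a): a for a in account_ids}
    bucket_arn = f"arn:aws:s3:::{bucket}"
    problems: List[str] = []
    covered = set()
    acl_check = False
    for st in policy.get("Statement", []):
        principal = st.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if st.get("Effect") != "Allow" or LOG_DELIVERY_PRINCIPAL not in services:
            continue  # only grants to the log delivery service matter here
        sid = st.get("Sid", "<no Sid>")
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if "s3:GetBucketAcl" in actions and bucket_arn in resources:
            acl_check = True
        if "s3:PutObject" not in actions:
            continue
        cond = st.get("Condition", {}).get("StringEquals", {})
        if cond.get("s3:x-amz-acl") != "bucket-owner-full-control":
            problems.append(f"{sid}: PutObject must require s3:x-amz-acl = bucket-owner-full-control")
        for r in resources:
            if r in expected:
                covered.add(expected[r])
            elif r.startswith(bucket_arn):
                # Refers to this bucket but is not the exact per-account object pattern:
                # either malformed (no "/*", stray characters) or broader than needed.
                problems.append(f"{sid}: resource {r!r} does not match "
                                f"{log_object_arn(bucket, prefix, '<account-id>')!r}")
    for a in account_ids:
        if a not in covered:
            problems.append(f"no PutObject grant for account {a}")
    if not acl_check:
        problems.append(f"no s3:GetBucketAcl grant on {bucket_arn} for {LOG_DELIVERY_PRINCIPAL}")
    return problems


if __name__ == "__main__":
    policy = build_bucket_policy("amzn-s3-demo-bucket", "flow-logs",
                                 ["111122223333", "444455556666"])
    print(json.dumps(policy, indent=2))
    print(check_bucket_policy(policy, "amzn-s3-demo-bucket", "flow-logs",
                              ["111122223333", "444455556666"]))
```

The checker is deliberately strict about the resource form: a grant such as `arn:aws:s3:::bucket/*` would also let delivery succeed, but it is broader than the per-account `AWSLogs/<account-id>/*` pattern, so it is reported rather than silently accepted.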

## (Optional) Permissions to access Amazon S3 log metrics in Network Firewall using Amazon Athena
<a name="logging-s3-athena"></a>

In addition to your existing Amazon S3 permissions, you must have the following permissions for flow or alert log metrics to populate the firewall monitoring dashboard.

**Important**  
When you enable firewall monitoring for a firewall that sends logs to Amazon S3, Network Firewall uses Amazon Athena to create tables and metadata files (including CSV files) in your S3 bucket. To optimize storage costs, we recommend periodically cleaning up these metadata files when they are no longer needed.

If you haven't already verified that your account has the baseline logging permissions, go do that now. For more information, see [Permissions to configure AWS Network Firewall logging](firewall-logging-permissions.md).

**Important**  
Additional fees are incurred when Network Firewall uses Amazon Athena to query Amazon S3 logs for the detailed monitoring dashboard. For best practices to minimize additional cost, see [Working with the firewall monitoring dashboard](nwfw-using-dashboard.md).

```
{
    "Effect": "Allow",
    "Action": [
        "athena:StartQueryExecution",
        "athena:GetQueryExecution",
        "athena:GetQueryResults"
    ],
    "Resource": "*"
},
{
    "Effect": "Allow",
    "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:GetBucketLocation",
        "s3:ListAllMyBuckets",
        "s3:ListBucket"
    ],
    "Resource": "*"
},
{
    "Effect": "Allow",
    "Action": [
        "glue:GetTable",
        "glue:GetDatabase",
        "glue:GetPartitions",
        "glue:CreateTable",
        "glue:DeleteTable"
    ],
    "Resource": "*"
}
```

If you're using CloudWatch Logs as a logging destination, you'll need additional permissions. For more information, see [Permissions to publish logs to CloudWatch Logs](logging-cw-logs.md#logging-cw-logs-permissions).

The following view shows both standard Amazon S3 permissions and the additional Athena permissions needed for detailed monitoring.

------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "FirewallLogging",
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogDelivery",
                "logs:GetLogDelivery",
                "logs:UpdateLogDelivery",
                "logs:DeleteLogDelivery",
                "logs:ListLogDeliveries"
            ],
            "Resource": "*"
        },
        {
            "Sid": "FirewallLoggingS3",
            "Effect": "Allow",
            "Action": [
                "s3:PutBucketPolicy",
                "s3:GetBucketPolicy",
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetBucketLocation",
                "s3:ListAllMyBuckets",
                "s3:ListBucket"
            ],
            "Resource": "*"
        },
        {
            "Sid": "FirewallLoggingAthena",
            "Effect": "Allow",
            "Action": [
                "athena:StartQueryExecution",
                "athena:GetQueryExecution",
                "athena:GetQueryResults"
            ],
            "Resource": "*"
        },
        {
            "Sid": "FirewallLoggingGlue",
            "Effect": "Allow",
            "Action": [
                "glue:GetTable",
                "glue:GetDatabase",
                "glue:GetPartitions",
                "glue:CreateTable",
                "glue:DeleteTable"
            ],
            "Resource": "*"
        }
    ]
}
```

------

## Amazon S3 log file access
<a name="logging-s3-log-file-access"></a>

In addition to the required bucket policies, Amazon S3 uses access control lists (ACLs) to manage access to the log files created by a Network Firewall log. By default, the bucket owner has `FULL_CONTROL` permissions on each log file. The log delivery owner, if different from the bucket owner, has no permissions. The log delivery account has `READ` and `WRITE` permissions. For more information, see [Access Control List (ACL) Overview](https://docs.aws.amazon.com/AmazonS3/latest/userguide/acl-overview.html) in the *Amazon Simple Storage Service User Guide*.

The log files are compressed. If you open the files using the Amazon S3 console, Amazon S3 decompresses the log records and displays them. If you download the log files, you must decompress them to view the records.

# Sending AWS Network Firewall logs to Amazon CloudWatch Logs
<a name="logging-cw-logs"></a>

To send logs to Amazon CloudWatch Logs, you create a CloudWatch Logs log group. When you enable logging in Network Firewall, you provide the log group name. After you enable logging for your firewall, AWS Network Firewall delivers logs to the CloudWatch Logs log group in log streams. Each log stream contains an hour of log records. 

You can use any name for your CloudWatch Logs log group. Configure the log group in the same Region as the firewall and using the same account as you use to manage the firewall.

For information about configuring a CloudWatch Logs log group, see [Working with Log Groups and Log Streams](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/Working-with-log-groups-and-streams.html).

**Names of alert and flow logs**  
When you configure your Network Firewall firewall to send alert and flow logs to the log group, the resulting log streams have the following naming format: 

```
/aws/network-firewall/log-type/firewall-name_YYYY-MM-DD-HH
```

In the specification, the log type is either `alert` or `flow`. 

The following shows an example log stream created on October 1, 2020, at 5 pm for alert logging for firewall `test-firewall`. 

```
/aws/network-firewall/alert/test-firewall_2020-10-01-17
```

**Names of TLS logs**  
When you configure your Network Firewall firewall to send TLS logs to the log group, the resulting log streams have the following naming format: 

```
/aws/network-firewall/tls/firewall-name
```

The following shows the log stream for TLS logging for the example firewall `test-firewall`. 

```
/aws/network-firewall/tls/test-firewall
```

## Permissions to publish logs to CloudWatch Logs
<a name="logging-cw-logs-permissions"></a>

You must have the following permissions settings to configure your firewall to send logs to a CloudWatch Logs log group and to access log metrics in Network Firewall.

------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:CreateLogDelivery",
                "logs:GetLogDelivery",
                "logs:UpdateLogDelivery",
                "logs:DeleteLogDelivery",
                "logs:ListLogDeliveries"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Sid": "FirewallLogging"
        },
        {
            "Sid": "FirewallLoggingCWL",
            "Action": [
                "logs:PutResourcePolicy",
                "logs:DescribeResourcePolicies",
                "logs:DescribeLogGroups"
            ],
            "Resource": [
                "arn:aws:logs:us-east-1:123456789012:log-group:log-group-name"
            ],
            "Effect": "Allow"
        }
    ]
}
```

------

**Important**  
Additional fees are incurred when Network Firewall queries CloudWatch to fetch log data for the detailed monitoring dashboard. For best practices to minimize additional cost, see [Working with the firewall monitoring dashboard](nwfw-using-dashboard.md).

## (Optional) Permissions to access CloudWatch log metrics in Network Firewall
<a name="cw-permissions-for-nwfw-dashboard"></a>

You must have the following permissions settings added to your existing CloudWatch permissions to configure your firewall to query CloudWatch logs for the detailed monitoring dashboard.

**Important**  
Additional fees are incurred when querying logs, whether through CloudWatch Logs or through Amazon Athena for logs stored in S3. For best practices to minimize additional cost, see [Working with the firewall monitoring dashboard](nwfw-using-dashboard.md).

```
{
    "Effect": "Allow",
    "Action": [
        "logs:StartQuery",
        "logs:GetQueryResults"
    ],
    "Resource": "CloudWatch Logs log group ARN"
}
```

The following view shows both standard CloudWatch permissions and the additional permissions needed for detailed monitoring.

------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:CreateLogDelivery",
                "logs:GetLogDelivery",
                "logs:UpdateLogDelivery",
                "logs:DeleteLogDelivery",
                "logs:ListLogDeliveries"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Sid": "FirewallLogging"
        },
        {
            "Sid": "FirewallLoggingCWL",
            "Action": [
                "logs:PutResourcePolicy",
                "logs:DescribeResourcePolicies",
                "logs:DescribeLogGroups"
            ],
            "Resource": [
                "arn:aws:logs:us-east-1:123456789012:log-group:log-group-name"
            ],
            "Effect": "Allow"
        },
        {
            "Sid": "FirewallLoggingSearch",
            "Effect": "Allow",
            "Action": [
                "logs:StartQuery",
                "logs:GetQueryResults"
            ],
            "Resource": "*"
        }
    ]
}
```

------

# Sending AWS Network Firewall logs to Amazon Data Firehose
<a name="logging-kinesis"></a>

To send logs to Amazon Data Firehose, you first need to set up a Firehose delivery stream. As part of that process, you choose a destination for storing your logs. After you enable logging for your firewall, AWS Network Firewall delivers logs to the destination through the HTTPS endpoint of Amazon Data Firehose. One AWS Network Firewall log corresponds to one Amazon Data Firehose record.

Configure an Amazon Data Firehose delivery stream for your firewall as follows.
+ Create it using the same account as you use to manage the firewall.
+ Create it in the same Region as the firewall.
+ Configure it for direct put, which allows applications to access the delivery stream directly. In the Amazon Data Firehose console, for the delivery stream **Source** setting, choose **Direct PUT or other sources**. Through the API, set the delivery stream property `DeliveryStreamType` to `DirectPut`.

For information about how to create an Amazon Data Firehose delivery stream and review the stored logs, see [Creating an Amazon Data Firehose delivery stream](https://docs.aws.amazon.com/firehose/latest/dev/basic-create.html) and [What is Amazon Data Firehose?](https://docs.aws.amazon.com/firehose/latest/dev/what-is-this-service.html)

When you successfully enable logging to an Amazon Data Firehose delivery stream, Network Firewall creates a service-linked role with the necessary permissions to write logs to it. For more information, see [Using service-linked roles](using-service-linked-roles.md).

## Permissions to publish logs to Amazon Data Firehose
<a name="logging-kinesis-permissions"></a>

You must have the following permissions to configure your firewall to send logs to an Amazon Data Firehose delivery stream. 

------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:CreateLogDelivery",
                "logs:GetLogDelivery",
                "logs:UpdateLogDelivery",
                "logs:DeleteLogDelivery",
                "logs:ListLogDeliveries"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow",
            "Sid": "FirewallLogging"
        },
        {
            "Sid": "FirewallLoggingFH1",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Sid": "FirewallLoggingFH2",
            "Action": [
                "firehose:TagDeliveryStream"
            ],
            "Resource": "arn:aws:firehose:us-east-1:123456789012:deliverystream/delivery-stream-name",
            "Effect": "Allow"
        }
    ]
}
```

------
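The three destination sections above (Amazon S3, CloudWatch Logs and Amazon Data Firehose) each list the actions the caller's identity policy must allow, and the S3 and CloudWatch Logs sections add further actions for the detailed monitoring dashboard. The following is an added example, not code from this guide or from AWS, that collects those action lists into one table and reports which required actions an identity policy document fails to allow, honouring wildcards and explicit `Deny` statements. The destination names are the Network Firewall API's `LogDestinationType` values; `S3_LOGGING_POLICY` is a constructed copy of the S3 policy shown on this page. It checks actions only: resource ARNs and conditions still need a separate review.

```python
import fnmatch
from typing import Dict, List, Set

LOG_DELIVERY_ACTIONS: Set[str] = {
    "logs:CreateLogDelivery", "logs:GetLogDelivery", "logs:UpdateLogDelivery",
    "logs:DeleteLogDelivery", "logs:ListLogDeliveries",
}

# Actions each destination needs just to configure logging, per the policies on this page.
REQUIRED_ACTIONS: Dict[str, Set[str]] = {
    "S3": LOG_DELIVERY_ACTIONS | {"s3:PutBucketPolicy", "s3:GetBucketPolicy"},
    "CloudWatchLogs": LOG_DELIVERY_ACTIONS | {
        "logs:PutResourcePolicy", "logs:DescribeResourcePolicies", "logs:DescribeLogGroups"},
    "KinesisDataFirehose": LOG_DELIVERY_ACTIONS | {
        "iam:CreateServiceLinkedRole", "firehose:TagDeliveryStream"},
}

# Extra actions the detailed monitoring dashboard needs, per destination.
DASHBOARD_ACTIONS: Dict[str, Set[str]] = {
    "S3": {
        "athena:StartQueryExecution", "athena:GetQueryExecution", "athena:GetQueryResults",
        "s3:PutObject", "s3:GetObject", "s3:GetBucketLocation", "s3:ListAllMyBuckets",
        "s3:ListBucket", "glue:GetTable", "glue:GetDatabase", "glue:GetPartitions",
        "glue:CreateTable", "glue:DeleteTable",
    },
    "CloudWatchLogs": {"logs:StartQuery", "logs:GetQueryResults"},
    "KinesisDataFirehose": set(),
}

# Constructed sample: the S3 logging policy shown on this page.
S3_LOGGING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "FirewallLogging", "Effect": "Allow", "Resource": "*",
         "Action": ["logs:CreateLogDelivery", "logs:GetLogDelivery", "logs:UpdateLogDelivery",
                    "logs:DeleteLogDelivery", "logs:ListLogDeliveries"]},
        {"Sid": "FirewallLoggingS3", "Effect": "Allow", "Resource": "arn:aws:s3:::bucket-name",
         "Action": ["s3:PutBucketPolicy", "s3:GetBucketPolicy"]},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_patterns(policy: dict, effect: str) -> List[str]:
    """Action patterns from statements with the given Effect (NotAction statements are skipped;
    evaluating them correctly needs the full action catalogue, which this check does without)."""
    patterns: List[str] = []
    for st in policy.get("Statement", []):
        if st.get("Effect") == effect and "NotAction" not in st:
            patterns.extend(_as_list(st.get("Action", [])))
    return patterns


def _matches(pattern: str, action: str) -> bool:
    # IAM matches action names case-insensitively; "*" and "?" are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def missing_actions(policy: dict, destination: str, detailed_monitoring: bool = False) -> List[str]:
    """Required actions the policy does not allow (or explicitly denies), sorted."""
    required = set(REQUIRED_ACTIONS[destination])
    if detailed_monitoring:
        required |= DASHBOARD_ACTIONS[destination]
    allows = _action_patterns(policy, "Allow")
    denies = _action_patterns(policy, "Deny")
    return [
        action for action in sorted(required)
        if not any(_matches(p, action) for p in allows)
        or any(_matches(p, action) for p in denies)
    ]


if __name__ == "__main__":
    print("S3, logging only:", missing_actions(S3_LOGGING_POLICY, "S3"))
    print("S3, with dashboard:", missing_actions(S3_LOGGING_POLICY, "S3", detailed_monitoring=True))
```

Run it against the policy attached to the role that will call `UpdateLoggingConfiguration`; an empty list for the chosen destination means the configuration call should not fail on missing actions, and the dashboard variant tells you what the optional monitoring permissions would add.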

# Logging in AWS Network Firewall with server-side encryption and customer-provided keys
<a name="firewall-logging-encrypt-kms"></a>

If your logging destination uses server-side encryption with keys that are stored in AWS Key Management Service (SSE-KMS) and you use a customer managed key (KMS key), you must give Network Firewall permission to use your KMS key. To do this, you add a key policy to the KMS key for your chosen destination to permit Network Firewall logging to write your log files to the destination. 

**Policy for an Amazon S3 bucket**  
Add the following key policy to your KMS key to allow Network Firewall to log to your Amazon S3 bucket.

```
{
    "Sid": "Allow Network Firewall to use the key",
    "Effect": "Allow",
    "Principal": {
        "Service": [
            "delivery.logs.amazonaws.com"
        ]
    },
    "Action": "kms:GenerateDataKey*",
    "Resource": "*"
}
```

**Note**  
For Amazon S3 buckets, Network Firewall supports server-side encryption with Amazon S3 managed keys (SSE-S3) and with AWS KMS keys (SSE-KMS). Network Firewall doesn't support encryption with AWS Key Management Service keys that are managed by AWS.

**Policy for a CloudWatch Logs log group**  
For a CloudWatch Logs log group, the service principal requires access to the logs for the Region. This is the same as for all encrypted CloudWatch Logs log streams. For more information about log data encryption in CloudWatch Logs, see [Encrypt Log Data in CloudWatch Logs Using AWS KMS](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html). 

Add the following key policy to your KMS key to allow Network Firewall to log to your CloudWatch Logs log group. 

```
{
    "Effect": "Allow",
    "Principal": {
        "Service": "logs.{region}.amazonaws.com"
    },
    "Action": [
        "kms:Encrypt*",
        "kms:Decrypt*",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:Describe*"
    ],
    "Resource": "*"
}
```

**Policy for a Firehose delivery stream**  
For Firehose delivery streams, you allow the service principal to generate keys so that it can put the logging records.

Add the following key policy to your KMS key to allow Network Firewall to log to your Firehose delivery stream.

```
{
    "Sid": "Allow Network Firewall logs to use the key",
    "Effect": "Allow",
    "Principal": {
        "Service": [
            "delivery.logs.amazonaws.com"
        ]
    },
    "Action": "kms:GenerateDataKey*",
    "Resource": "*"
}
```
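The three key policies above differ in which service principal must be allowed and, for CloudWatch Logs, the principal is Region-specific, so a key policy copied from another Region silently fails to decrypt. The following is an added example, not code from this guide or from AWS, that checks a KMS key policy against the grants each destination needs and also flags a `kms:*` grant to the logging principal as broader than logging requires. The required actions are one concrete action per wildcard pattern on the page, so a policy written with the page's patterns passes; `example_key_policy` is a constructed policy combining the page's statements.

```python
import fnmatch
from typing import Dict, List, Set, Tuple

# Service principal and concrete KMS actions each destination's key policy must allow.
# Each action corresponds to one wildcard pattern in the policies on this page; the
# CloudWatch Logs principal contains the Region.
REQUIRED_KMS_GRANTS: Dict[str, Tuple[str, Set[str]]] = {
    "S3": ("delivery.logs.amazonaws.com", {"kms:GenerateDataKey"}),
    "KinesisDataFirehose": ("delivery.logs.amazonaws.com", {"kms:GenerateDataKey"}),
    "CloudWatchLogs": ("logs.{region}.amazonaws.com", {
        "kms:Encrypt", "kms:Decrypt", "kms:ReEncryptFrom", "kms:ReEncryptTo",
        "kms:GenerateDataKey", "kms:DescribeKey"}),
}


def example_key_policy(region: str) -> dict:
    """Constructed key policy combining the page's S3/Firehose and CloudWatch Logs statements."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "Allow Network Firewall to use the key", "Effect": "Allow",
             "Principal": {"Service": ["delivery.logs.amazonaws.com"]},
             "Action": "kms:GenerateDataKey*", "Resource": "*"},
            {"Sid": "Allow CloudWatch Logs to use the key", "Effect": "Allow",
             "Principal": {"Service": f"logs.{region}.amazonaws.com"},
             "Action": ["kms:Encrypt*", "kms:Decrypt*", "kms:ReEncrypt*",
                        "kms:GenerateDataKey*", "kms:Describe*"],
             "Resource": "*"},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, action: str) -> bool:
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def key_policy_problems(key_policy: dict, destination: str, region: str) -> List[str]:
    """Problems with the key policy for logging to `destination` in `region`; [] if none."""
    principal_name, required = REQUIRED_KMS_GRANTS[destination]
    principal_name = principal_name.format(region=region)
    granted: List[str] = []
    problems: List[str] = []
    for st in key_policy.get("Statement", []):
        principal = st.get("Principal")
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if st.get("Effect") != "Allow" or principal_name not in services:
            continue
        patterns = _as_list(st.get("Action", []))
        granted.extend(patterns)
        if any(p.strip().lower() in ("kms:*", "*") for p in patterns):
            problems.append(f"{st.get('Sid', '<no Sid>')}: grants {principal_name} kms:*, "
                            "which is broader than log delivery needs")
    for action in sorted(required):
        if not any(_matches(p, action) for p in granted):
            problems.append(f"{principal_name} is not allowed {action}")
    return problems


if __name__ == "__main__":
    policy = example_key_policy("us-east-1")
    for dest in REQUIRED_KMS_GRANTS:
        print(dest, key_policy_problems(policy, dest, "us-east-1"))
    print("wrong Region:", key_policy_problems(policy, "CloudWatchLogs", "eu-west-1"))
```

Pass the Region the firewall and log group live in; for the CloudWatch Logs destination the check reports every required action as missing when the policy was written for a different Region, which is the symptom to look for when encrypted log streams stay empty.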

# Updating an AWS Network Firewall logging configuration
<a name="firewall-update-logging-configuration"></a>

To update your firewall's logging configuration through the Network Firewall AWS Management Console, use the procedure in this section. For the API, see the Network Firewall API action, `UpdateLoggingConfiguration`.

**Note**  
Firewall logging is only available for traffic that you forward to the stateful rules engine. You forward traffic to the stateful engine through stateless rule actions and stateless default actions in the firewall policy. For information about these action settings, see [Firewall policy settings in AWS Network Firewall](firewall-policy-settings.md) and [Defining rule actions in AWS Network Firewall](rule-action.md). 

**To update a firewall's logging configuration through the console**

1. Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **Network Firewall**, choose **Firewalls**.

1. In the **Firewalls** page, choose the name of the firewall that you want to edit. This takes you to the firewall's details page. 

1. Choose the tab **Firewall details**, then in the **Logging** section, choose **Edit**. 

1. Adjust the **Log type** selections as needed. To disable logging for a firewall, deselect all options.
   + **Flow** – Sends logs for all network traffic that the stateless engine forwards to the stateful rules engine.
   + **Alert** – Sends logs for traffic that matches any stateful rule whose action is set to `Alert`, `Drop`, or `Reject`. For more information about stateful rules and rule groups, see [Managing your own rule groups in AWS Network Firewall](rule-groups.md). 
   + **TLS** – Sends logs for events related to TLS inspection. Network Firewall currently logs failures in certificate revocation checks for outbound traffic and TLS errors. 

     These logs require the firewall to be configured for TLS inspection. For more information, see [Inspecting SSL/TLS traffic with TLS inspection configurations in AWS Network Firewall](tls-inspection-configurations.md). 

1. For each selected log type, choose the destination type, then provide the information for the logging destination that you prepared following the guidance in [Firewall logging destinations](firewall-logging-destinations.md). 

   In order to change the destination for an existing **Log type**, you must first disable logging for the policy. Then, edit the policy and specify the new destination(s) for the **Log type**.

1. Choose **Save** to save your changes and return to the firewall's detail page.

# Logging calls to the AWS Network Firewall API with AWS CloudTrail
<a name="logging-using-cloudtrail"></a>

AWS Network Firewall is integrated with AWS CloudTrail, a service that provides a record of API calls to Network Firewall by a user, role, or an AWS service. CloudTrail captures all API calls for Network Firewall as events. The calls captured include calls from the Network Firewall console and code calls to the Network Firewall API operations. If you create a trail, you can enable continuous delivery of CloudTrail events to an Amazon S3 bucket, including events for Network Firewall. If you don't configure a trail, you can still view the most recent events in the CloudTrail console in **Event history**. Using the information collected by CloudTrail, you can determine information including the request that was made to Network Firewall, the IP address from which the request was made, who made the request, and when the request was made. 

To learn more about CloudTrail, see the [AWS CloudTrail User Guide](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/).

## AWS Network Firewall information in CloudTrail
<a name="service-name-info-in-cloudtrail"></a>

CloudTrail is enabled on your AWS account when you create the account. When activity occurs in Network Firewall, it's recorded in a CloudTrail event along with other AWS service events in **Event history**. You can view, search, and download recent events in your AWS account. For more information, see [Viewing events with CloudTrail event history](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html). 

For an ongoing record of events in your AWS account, including events for Network Firewall, create a trail. A *trail* enables CloudTrail to deliver log files to an Amazon S3 bucket. By default, when you create a trail in the console, the trail applies to all AWS Regions. The trail logs events from all Regions in the AWS partition and delivers the log files to the Amazon S3 bucket that you specify. Additionally, you can configure other AWS services to further analyze and act upon the event data collected in CloudTrail logs. For more information, see the following: 
+ [Overview for creating a trail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-create-and-update-a-trail.html)
+ [CloudTrail supported services and integrations](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-aws-service-specific-topics.html#cloudtrail-aws-service-specific-topics-integrations)
+ [Configuring Amazon SNS notifications for CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/getting_notifications_top_level.html)
+ [Receiving CloudTrail log files from multiple Regions](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/receive-cloudtrail-log-files-from-multiple-regions.html) and [Receiving CloudTrail log files from multiple accounts](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-receive-logs-from-multiple-accounts.html)

All Network Firewall actions are logged by CloudTrail. These actions are documented in the [Actions](https://docs.aws.amazon.com/network-firewall/latest/APIReference/API_Operations.html) section of the [AWS Network Firewall API Reference](https://docs.aws.amazon.com/network-firewall/latest/APIReference/). For example, calls to the actions `CreateFirewall`, `ListFirewalls`, and `DeleteFirewall` generate entries in the CloudTrail log files. 

Every event or log entry contains information about who generated the request. The identity information helps you determine the following: 
+ Whether the request was made with root or AWS Identity and Access Management (IAM) user credentials.
+ Whether the request was made with temporary security credentials for a role or federated user.
+ Whether the request was made by another AWS service.

For more information, see the [CloudTrail userIdentity element](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html).

## CloudTrail log file examples
<a name="understanding-service-name-entries"></a>

A trail is a configuration that enables delivery of events as log files to an Amazon S3 bucket that you specify. CloudTrail log files contain one or more log entries. An event represents a single request from any source and includes information about the requested action, the date and time of the action, request parameters, and so on. CloudTrail log files aren't an ordered stack trace of the public API calls, so they don't appear in any specific order. 

The following are examples of CloudTrail log entries for Network Firewall operations. 

Example: CloudTrail log entry for `CreateFirewall`

```
{
  "eventVersion": "1.05",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "EXAMPLEPrincipalId",
    "arn": "arn:aws:sts::444455556666:assumed-role/Admin/EXAMPLE",
    "accountId": "444455556666",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "EXAMPLEPrincipalId",
        "arn": "arn:aws:iam::444455556666:role/Admin",
        "accountId": "444455556666",
        "userName": "Admin"
      },
      "webIdFederationData": {},
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2020-08-13T03:07:52Z"
      }
    }
  },
  "eventTime": "2020-08-13T03:07:53Z",
  "eventSource": "network-firewall.amazonaws.com",
  "eventName": "CreateFirewall",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "203.0.113.4",
  "userAgent": "aws-cli/1.18.117 Python/3.6.10 Linux/4.9.217-0.1.ac.205.84.332.metal1.x86_64 botocore/1.17.40",
  "requestParameters": {
    "firewallName": "firewall01",
    "firewallPolicyArn": "arn:aws:network-firewall:us-west-2:444455556666:firewall-policy/policy01",
    "vpcId": "vpc-11112222",
    "subnetMappings": [
      {
        "subnetId": "subnet-44443333",
        "requestedCapacity": "10"
      }
    ],
    "deleteProtection": false
  },
  "responseElements": {
    "firewall": {
      "firewallName": "firewall01",
      "firewallArn": "arn:aws:network-firewall:us-west-2:444455556666:firewall/firewall01",
      "firewallPolicyArn": "arn:aws:network-firewall:us-west-2:444455556666:firewall-policy/policy01",
      "vpcId": "vpc-11112222",
      "subnetMappings": [
        {
          "subnetId": "subnet-44443333",
          "requestedCapacity": "10"
        }
      ],
      "deleteProtection": false
    },
    "firewallStatus": {
      "status": "PROVISIONING",
      "configurationSyncStateSummary": "PENDING"
    }
  },
  "requestID": "43a8cad0-68b6-45d2-b6f3-28cf0e195d47",
  "eventID": "7d575a14-ec3f-43c8-8735-eaadd21fd9d1",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "recipientAccountId": "444455556666"
}
```

Example: CloudTrail log entry for `ListFirewalls`

```
{
  "eventVersion": "1.05",
  "userIdentity": {
    "type": "AssumedRole",
    "principalId": "EXAMPLEPrincipalId",
    "arn": "arn:aws:sts::444455556666:assumed-role/Admin/EXAMPLE",
    "accountId": "444455556666",
    "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
    "sessionContext": {
      "sessionIssuer": {
        "type": "Role",
        "principalId": "EXAMPLEPrincipalId",
        "arn": "arn:aws:iam::444455556666:role/Admin",
        "accountId": "444455556666",
        "userName": "Admin"
      },
      "webIdFederationData": {},
      "attributes": {
        "mfaAuthenticated": "false",
        "creationDate": "2020-08-13T03:07:55Z"
      }
    }
  },
  "eventTime": "2020-08-13T03:07:55Z",
  "eventSource": "network-firewall.amazonaws.com",
  "eventName": "ListFirewalls",
  "awsRegion": "us-west-2",
  "sourceIPAddress": "203.0.113.4",
  "userAgent": "aws-cli/1.18.117 Python/3.6.10 Linux/4.9.217-0.1.ac.205.84.332.metal1.x86_64 botocore/1.17.40",
  "requestParameters": {
    "maxResults": 10
  },
  "responseElements": null,
  "requestID": "1ac1567a-fa84-49ac-b5aa-6016052ad646",
  "eventID": "79b95fd6-a288-49b1-a907-b61ed99b94c0",
  "readOnly": true,
  "eventType": "AwsApiCall",
  "recipientAccountId": "444455556666"
}
```

Example: CloudTrail log entry for `DeleteFirewall`

```
{
    "eventVersion": "1.05",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "EXAMPLEPrincipalId",
        "arn": "arn:aws:sts::444455556666:assumed-role/Admin/EXAMPLE",
        "accountId": "444455556666",
        "accessKeyId": "AKIAIOSFODNN7EXAMPLE",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "EXAMPLEPrincipalId",
                "arn": "arn:aws:iam::444455556666:role/Admin",
                "accountId": "444455556666",
                "userName": "Admin"
            },
            "webIdFederationData": {},
            "attributes": {
                "mfaAuthenticated": "false",
                "creationDate": "2020-08-19T16:09:29Z"
            }
        }
    },
    "eventTime": "2020-08-19T16:18:43Z",
    "eventSource": "network-firewall.amazonaws.com",
    "eventName": "DeleteFirewall",
    "awsRegion": "us-west-2",
    "sourceIPAddress": "198.51.100.190",
    "userAgent": "Apache-HttpClient/UNAVAILABLE (Java/1.8.0_232)",
    "requestParameters": {
        "firewallArn": "arn:aws:network-firewall:us-west-2:444455556666:firewall/DeleteMeFast"
    },
    "responseElements": {
        "firewall": {
            "firewallName": "DeleteMeFast",
            "firewallArn": "arn:aws:network-firewall:us-west-2:444455556666:firewall/DeleteMeFast",
            "firewallPolicyArn": "arn:aws:network-firewall:us-west-2:444455556666:firewall-policy/123",
            "vpcId": "vpc-11112222",
            "subnetMappings": [
                {
                    "subnetId": "subnet-99990000",
                    "requestedCapacity": "14"
                },
                {
                    "subnetId": "subnet-77776666",
                    "requestedCapacity": "12"
                }
            ],
            "deleteProtection": true,
            "description": "HIDDEN_DUE_TO_SECURITY_REASONS"
        },
        "firewallStatus": {
            "status": "DELETING",
            "configurationSyncStateSummary": "PENDING",
            "syncStates": {
                "us-west-2c": {
                    "attachment": {
                        "subnetId": "subnet-99990000",
                        "networkInterfaceId": "eni-01e59ab6f6064c453",
                        "status": "SCALING"
                    },
                    "config": {}
                },
                "us-west-2d": {
                    "attachment": {
                        "subnetId": "subnet-77776666",
                        "networkInterfaceId": "eni-04c3ac8c04076ed36",
                        "status": "SCALING"
                    },
                    "config": {}
                }
            }
        }
    },
    "requestID": "299b886e-23da-4c77-8beb-0853a0a08bcf",
    "eventID": "142b089a-8aca-4183-8326-5ff32a38876e",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "recipientAccountId": "444455556666"
}
```
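As an added example (not from the AWS documentation), the following Python audits CloudTrail records with the fields shown in the entries above and flags state-changing Network Firewall calls, such as `DeleteFirewall`, that were made from a session without MFA; read-only calls such as `ListFirewalls` are skipped. The sample records are constructed to match the shape of the entries above, and the `KeepMe` firewall and the EC2 record are illustrative values.

```python
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Network Firewall API calls are recorded by CloudTrail under this eventSource.
NETWORK_FIREWALL_SOURCE = "network-firewall.amazonaws.com"


@dataclass
class Finding:
    event_time: str
    event_name: str
    principal_arn: str
    source_ip: str
    resource: Optional[str]
    reason: str


def mfa_authenticated(record: dict) -> bool:
    """True only when the session attributes carry mfaAuthenticated == "true"."""
    session = record.get("userIdentity", {}).get("sessionContext", {})
    return session.get("attributes", {}).get("mfaAuthenticated") == "true"


def audit_records(records: Iterable[dict]) -> List[Finding]:
    """Flag state-changing Network Firewall calls made without MFA.

    Read-only calls such as ListFirewalls (readOnly is true in the record) are
    skipped, so only calls that can change a firewall are reported.
    """
    findings: List[Finding] = []
    for record in records:
        if record.get("eventSource") != NETWORK_FIREWALL_SOURCE:
            continue
        if record.get("readOnly", False) or mfa_authenticated(record):
            continue
        params = record.get("requestParameters") or {}
        findings.append(Finding(
            event_time=record.get("eventTime", ""),
            event_name=record.get("eventName", ""),
            principal_arn=record.get("userIdentity", {}).get("arn", ""),
            source_ip=record.get("sourceIPAddress", ""),
            # DeleteFirewall names its target in requestParameters.firewallArn.
            resource=params.get("firewallArn") or params.get("firewallName"),
            reason="state-changing Network Firewall call without MFA",
        ))
    return findings


def parse_trail_file(text: str) -> List[dict]:
    """CloudTrail delivers log files as {"Records": [...]}; a bare list is also accepted."""
    data = json.loads(text)
    return data["Records"] if isinstance(data, dict) else data


def _record(name, read_only, mfa, source=NETWORK_FIREWALL_SOURCE, **params):
    """Build a constructed record carrying the fields the audit reads."""
    return {
        "eventSource": source, "eventName": name, "readOnly": read_only,
        "eventTime": "2020-08-19T16:18:43Z", "sourceIPAddress": "198.51.100.190",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::444455556666:assumed-role/Admin/EXAMPLE",
            "sessionContext": {"attributes": {"mfaAuthenticated": mfa}},
        },
        "requestParameters": params,
    }


# Constructed sample records shaped like the entries above; values are illustrative.
SAMPLE_RECORDS = [
    _record("ListFirewalls", True, "false", maxResults=10),
    _record("DeleteFirewall", False, "false",
            firewallArn="arn:aws:network-firewall:us-west-2:444455556666:firewall/DeleteMeFast"),
    _record("DeleteFirewall", False, "true",
            firewallArn="arn:aws:network-firewall:us-west-2:444455556666:firewall/KeepMe"),
    _record("DescribeInstances", True, "false", source="ec2.amazonaws.com"),
]
SAMPLE_TRAIL_FILE = json.dumps({"Records": SAMPLE_RECORDS})

if __name__ == "__main__":
    for f in audit_records(parse_trail_file(SAMPLE_TRAIL_FILE)):
        print(f"{f.event_time} {f.event_name} on {f.resource} by {f.principal_arn} "
              f"from {f.source_ip}: {f.reason}")
```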

# AWS Network Firewall metrics in Amazon CloudWatch
<a name="monitoring-cloudwatch"></a>

You can monitor AWS Network Firewall using CloudWatch, which collects raw data and processes it into readable, near real-time metrics. CloudWatch stores your metrics for 15 months, so that you can access historical information for added perspective on how your web application or service is performing. You can also set alarms that watch for certain thresholds, and send notifications or take actions when those thresholds are met. For more information, see the [Amazon CloudWatch User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/).

**Note**  
Access to metrics in CloudWatch depends on whether you are a firewall owner or VPC endpoint association owner. A firewall owner can view metrics for firewalls they own, including VPC endpoint associations associated with the firewall. If a VPC endpoint association owner also owns the primary firewall endpoint, they can view metrics in CloudWatch for both the firewall's primary endpoints and any associated secondary endpoints (VPC endpoint associations). However, if a VPC endpoint association owner does not also own the firewall endpoint, they cannot access or view metrics in CloudWatch. For information, see [Considerations for working with firewalls and firewall endpoints](firewall-and-firewall-endpoints-considerations.md).

Use the following procedures to view the metrics for Network Firewall.

**To view metrics using the CloudWatch console**

Metrics are grouped first by the service namespace, and then by the various dimension combinations within each namespace. The CloudWatch namespace for Network Firewall is AWS/NetworkFirewall.

1. Open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the navigation pane, choose **Metrics**.

1. On the **All metrics** tab, choose the Region and then choose `AWS/NetworkFirewall`.

**To view metrics using the AWS CLI**
+ For Network Firewall, at a command prompt use the following command:

  ```
  aws cloudwatch list-metrics --namespace "AWS/NetworkFirewall"
  ```

## AWS Network Firewall metrics
<a name="metrics"></a>

The AWS/NetworkFirewall namespace includes the following metrics. 


| Metric | Description | Applicable resource | 
| --- | --- | --- | 
|  `DroppedPackets`  |  Number of packets dropped due to rule actions. Reporting criteria: There is a nonzero value. Valid statistics: Sum  |  Firewalls and VPC endpoint associations  | 
|  `InvalidDroppedPackets`  |  Number of packets dropped for failing packet validation due to issues with the packet. Reporting criteria: There is a nonzero value. Valid statistics: Sum  |  Firewalls and VPC endpoint associations  | 
|  `OtherDroppedPackets`  |  Number of packets dropped due to reasons other than those described by `InvalidDroppedPackets` or `DroppedPackets`, including packets that are throttled due to bursting traffic. Reporting criteria: There is a nonzero value. Valid statistics: Sum  |  Firewalls and VPC endpoint associations  | 
|  `Packets`  |  Number of packets inspected for a firewall policy or stateless rulegroup for which a custom action is defined. This metric is only used for the dimension `CustomAction`.  Reporting criteria: There is a nonzero value. Valid statistics: Sum  |  Firewall only  | 
|  `PassedPackets`  |  Number of packets that the Network Firewall firewall allowed through to their destinations. Reporting criteria: There is a nonzero value. Valid statistics: Sum  |  Firewalls and VPC endpoint associations  | 
|  `ReceivedPackets`  |  Number of packets received by the Network Firewall firewall. Reporting criteria: There is a nonzero value. Valid statistics: Sum  |  Firewalls and VPC endpoint associations  | 
|  `ReceivedBytes`  |  Number of bytes received by the Network Firewall firewall. Reporting criteria: There is a nonzero value. Valid statistics: Sum  |  Firewall only  | 
|  `RejectedPackets`  |  The number of packets rejected due to `Reject` stateful rule actions. For information about stateful actions, see [Actions for stateful rules](rule-action.md#rule-action-stateful). Reporting criteria: There is a nonzero value. Valid statistics: Sum  |  Firewall only  | 
|  `StreamExceptionPolicyPackets`  |  The number of packets matching the firewall policy's stream exception policy. You can configure stream exception policy settings while creating a firewall policy in the console, or by the [StatefulEngineOptions](https://docs.aws.amazon.com/network-firewall/latest/APIReference/API_StatefulEngineOptions.html) structure when using the API. For more information about stream exception policy settings, see the **Stream exception policy** option in the [Creating a firewall policy in AWS Network Firewall](firewall-policy-creating.md) procedure. Reporting criteria: There is a nonzero value. Valid statistics: Sum  |  Firewall only  | 
|  `TLSDroppedPackets`  |  Number of packets dropped by Network Firewall while inspecting SSL/TLS packets. The value of this metric might differ between stateless and stateful rule processing due to the TCP and TLS connection termination that occurs prior to stateful packet inspection. Reporting criteria: There is a nonzero value. Valid statistics: Sum  |  Firewall only  | 
|  `TLSErrors`  |  Number of errors observed by Network Firewall while inspecting SSL/TLS packets. Reporting criteria: There is a nonzero value. Valid statistics: Sum  |  Firewall only  | 
|  `TLSPassedPackets`  |  Number of packets passed by Network Firewall while inspecting SSL/TLS packets. The value of this metric might differ between stateless and stateful rule processing due to the TCP and TLS connection termination that occurs prior to stateful packet inspection. Reporting criteria: There is a nonzero value. Valid statistics: Sum  |  Firewall only  | 
|  `TLSReceivedPackets`  |  Number of SSL/TLS packets received by the Network Firewall firewall. The value of this metric might differ between stateless and stateful rule processing due to the TCP and TLS connection termination that occurs prior to stateful packet inspection. Reporting criteria: There is a nonzero value. Valid statistics: Sum  |  Firewall only  | 
|  `TLSRejectedPackets`  |  Number of packets rejected by Network Firewall while inspecting SSL/TLS packets. The value of this metric might differ between stateless and stateful rule processing due to the TCP and TLS connection termination that occurs prior to stateful packet inspection. Reporting criteria: There is a nonzero value. Valid statistics: Sum  |  Firewall only  | 
|  `TLSRevocationStatusOKConnections`  |  The number of SSL/TLS connections to TLS servers whose certificates have been confirmed as not revoked. Reporting criteria: There is a nonzero value. Valid statistics: Sum  |  Firewall only  | 
|  `TLSRevocationStatusRevokedConnections`  |  The number of SSL/TLS connections to TLS servers whose certificates have been confirmed as revoked. Reporting criteria: There is a nonzero value. Valid statistics: Sum  |  Firewall only  | 
|  `TLSRevocationStatusUnknownConnections`  |  The number of SSL/TLS connections to TLS servers whose certificate revocation status is unknown or could not be determined by the firewall. This can occur when the OCSP responder for a server certificate returns an unknown status, or when the firewall is unable to connect to the CRL or OCSP endpoints provided in the certificate. Reporting criteria: There is a nonzero value. Valid statistics: Sum  |  Firewall only  | 
|  `TLSTimedOutConnections`  |  Number of SSL/TLS connections that timed out during SSL/TLS inspection by Network Firewall. Reporting criteria: There is a nonzero value. Valid statistics: Sum  |  Firewall only  | 

## AWS Network Firewall dimensions
<a name="metricdimensions"></a>

Network Firewall can use the following dimension combinations to categorize your metrics: 


| Dimension | Description | 
| --- | --- | 
|  `AvailabilityZone`  |  Availability Zone in the Region where the Network Firewall firewall is active.   | 
|  `CustomAction`  | Dimension for a publish metrics custom action that you defined. You can define this for a rule action in a stateless rule group or for a stateless default action in a firewall policy.  | 
|  `Engine`  | Rules engine that processed the packet. The value for this is either Stateful or Stateless.  | 
|  `FirewallName`  |  Name that you specified for the Network Firewall firewall.   | 
|  `EndpointName`  |  Name that is generated for the Network Firewall `VpcEndpointAssociation`.   | 
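As an added example (not from the AWS documentation), the following Python builds a CloudWatch alarm request for a metric in the `AWS/NetworkFirewall` namespace, checking the metric and dimension names against the two tables above before the call is made. The firewall name, Availability Zone and SNS topic used in the stand-alone run are placeholder values, and the optional boto3 call is assumed to run with CloudWatch permissions.

```python
from typing import Dict, List, Optional

NAMESPACE = "AWS/NetworkFirewall"

# Metric names from the metrics table above. Every one of them reports the Sum
# statistic and is emitted only when its value is nonzero.
METRICS = {
    "DroppedPackets", "InvalidDroppedPackets", "OtherDroppedPackets", "Packets",
    "PassedPackets", "ReceivedPackets", "ReceivedBytes", "RejectedPackets",
    "StreamExceptionPolicyPackets", "TLSDroppedPackets", "TLSErrors",
    "TLSPassedPackets", "TLSReceivedPackets", "TLSRejectedPackets",
    "TLSRevocationStatusOKConnections", "TLSRevocationStatusRevokedConnections",
    "TLSRevocationStatusUnknownConnections", "TLSTimedOutConnections",
}
# Dimension names from the dimensions table, and the two Engine values.
DIMENSIONS = {"AvailabilityZone", "CustomAction", "Engine", "FirewallName", "EndpointName"}
ENGINES = {"Stateful", "Stateless"}


def validate(metric_name: str, dimensions: Dict[str, str]) -> Optional[str]:
    """Return a problem description, or None when the combination is usable."""
    if metric_name not in METRICS:
        return f"{metric_name} is not an {NAMESPACE} metric"
    unknown = sorted(set(dimensions) - DIMENSIONS)
    if unknown:
        return f"unknown dimension(s): {', '.join(unknown)}"
    if metric_name == "Packets" and "CustomAction" not in dimensions:
        return "Packets is reported only under the CustomAction dimension"
    if "Engine" in dimensions and dimensions["Engine"] not in ENGINES:
        return "Engine must be Stateful or Stateless"
    return None


def build_alarm(alarm_name: str, metric_name: str, dimensions: Dict[str, str],
                threshold: float, period: int = 300, evaluation_periods: int = 1,
                alarm_actions: Optional[List[str]] = None) -> dict:
    """Build the keyword arguments for CloudWatch PutMetricAlarm (boto3 put_metric_alarm)."""
    problem = validate(metric_name, dimensions)
    if problem:
        raise ValueError(problem)
    return {
        "AlarmName": alarm_name,
        "Namespace": NAMESPACE,
        "MetricName": metric_name,
        "Dimensions": [{"Name": k, "Value": v} for k, v in sorted(dimensions.items())],
        "Statistic": "Sum",  # the only valid statistic for these metrics
        "Period": period,
        "EvaluationPeriods": evaluation_periods,
        "Threshold": threshold,
        "ComparisonOperator": "GreaterThanThreshold",
        # These metrics are reported only when nonzero, so an absent data point
        # means nothing was dropped, not that the firewall stopped reporting.
        "TreatMissingData": "notBreaching",
        "AlarmActions": alarm_actions or [],
    }


if __name__ == "__main__":
    # Placeholder firewall name, Availability Zone and SNS topic ARN.
    spec = build_alarm(
        "nwfw-stateful-drops", "DroppedPackets",
        {"FirewallName": "example-firewall", "AvailabilityZone": "us-west-2c",
         "Engine": "Stateful"},
        threshold=1000, evaluation_periods=3,
        alarm_actions=["arn:aws:sns:us-west-2:111122223333:PLACEHOLDER-topic"],
    )
    try:
        import boto3  # only needed to actually create the alarm
        boto3.client("cloudwatch").put_metric_alarm(**spec)
    except ImportError:
        import json
        print(json.dumps(spec, indent=2))
```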

# Monitoring and reporting in Network Firewall
<a name="nwfw-monitoring-reporting"></a>

Network Firewall offers multiple in-console options to analyze the network traffic monitored by a firewall. The **Monitoring** page provides tools for real-time monitoring and retroactive analysis, including enhanced filtering and sorting capabilities for IP addresses and protocols. Your firewall's advanced configuration settings affect which dashboards are populated with data. For information on adjusting your firewall's configuration, see [Updating a firewall in AWS Network Firewall](firewall-updating.md).

Network Firewall provides the following features in the **Monitoring** section of firewall details:


| Monitoring feature | Description | Data source | Enabled by default? | 
| --- | --- | --- | --- | 
|  Firewall requests  |  Provides a graph of the number of packets monitored by the firewall. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/network-firewall/latest/developerguide/nwfw-monitoring-reporting.html)  |  Stateless and stateful engine traffic.  |  Yes  | 
|  Firewall monitoring dashboard  |  Provides real-time analysis of flow and alert logs through multiple visualization options, including: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/network-firewall/latest/developerguide/nwfw-monitoring-reporting.html)  |  Amazon S3 and CloudWatch logs.  |  No. Must be enabled in your firewall's advanced settings.  | 
|  Traffic analysis mode and reports  |  Provides retroactive analysis and report generation.  |  HTTP or HTTPS traffic observed over the last 30 days, starting from when you enable **Traffic analysis mode** on your firewall.  |  No. Must be enabled in your firewall's advanced settings.  | 

**Access Monitoring in the Network Firewall console**  
Follow these steps to access the monitoring and observability features for your firewall:

1. Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **Network Firewall**, choose **Firewalls**.

1. In the **Firewalls** page, choose the name of the firewall that you want to edit. This takes you to the firewall's details page. 

1. In the firewall's details page, choose the **Monitoring** tab.

Review the topics in this guide to learn about the monitoring options you can enable using the Network Firewall console.

**Topics**
+ [Firewall monitoring in the Network Firewall console](nwfw-detailed-monitoring.md)
+ [Reporting on network traffic in Network Firewall](reporting.md)

# Firewall monitoring in the Network Firewall console
<a name="nwfw-detailed-monitoring"></a>

Firewall monitoring provides comprehensive visibility into your firewall's flow logs and alert logs. After you enable detailed monitoring, you can access these dashboards directly from the **Monitoring** tab in the firewall details page, without leaving the Network Firewall console.

## Prerequisites
<a name="nwfw-detailed-monitoring-prerequisites"></a>

Before you can use firewall monitoring, review the following prerequisites based on your logging configuration:

------
#### [ General prerequisites ]
+ Set up flow or alert log delivery to either Amazon CloudWatch or Amazon S3. For more information, see [Sending AWS Network Firewall logs to Amazon Simple Storage Service](logging-s3.md) or [Sending AWS Network Firewall logs to Amazon CloudWatch Logs](logging-cw-logs.md).
+ Ensure you have the necessary permissions to access monitoring features. For more information, see [(Optional) Permissions to access CloudWatch log metrics in Network Firewall](logging-cw-logs.md#cw-permissions-for-nwfw-dashboard) or [(Optional) Permissions to access Amazon S3 log metrics in Network Firewall using Amazon Athena](logging-s3.md#logging-s3-athena).

**Note**  
CloudWatch and Amazon S3 logs may incur additional charges. For information, see [Pricing for AWS Network Firewall logging](firewall-logging-pricing.md).

For best practices on using the firewall monitoring dashboard, see [Working with the firewall monitoring dashboard](nwfw-using-dashboard.md).

------
#### [ S3 logging prerequisites ]

If your firewall sends logs to Amazon S3, ensure the following:
+ The Amazon S3 bucket storing the logs is in the same region as the firewall. Amazon Athena requires this for log processing, as it doesn't support cross-region processing.
+ If you specify a prefix for your S3 bucket, it doesn't begin with a forward slash (`/`). Prefixes starting with "/" aren't compatible with Amazon Athena processing and prevent the dashboard from functioning correctly. For more information about S3 bucket configuration, see [Sending AWS Network Firewall logs to Amazon Simple Storage Service](logging-s3.md).
+ Your account has the required permissions to query Amazon Athena APIs. For information, see [(Optional) Permissions to access Amazon S3 log metrics in Network Firewall using Amazon Athena](logging-s3.md#logging-s3-athena).

------

## Enable firewall monitoring
<a name="nwfw-detailed-monitoring-access"></a>

You can enable firewall monitoring in any of the following ways:
+ During firewall creation, using the logging configuration widget in the **Configure advanced settings** workflow. For more information, see [Creating a firewall in AWS Network Firewall](creating-firewall.md).
+ From the **Edit Logging Configuration** page of an existing firewall. For more information, see [Updating a firewall in AWS Network Firewall](firewall-updating.md).
+ Directly from the **Monitoring** tab in the firewall details page.

## Considerations for using firewall monitoring
<a name="detailed-monitoring-considerations"></a>

When you modify or move an Amazon S3 bucket or CloudWatch log group that is queried to populate the firewall monitoring dashboard, the metrics populated in the dashboard can become inaccurate.

When you enable detailed monitoring for a firewall that sends logs to Amazon S3:
+ Network Firewall creates Amazon Athena tables in your account to process the log data.
+ These tables are used exclusively for populating detailed monitoring dashboards and are managed by the Network Firewall console.
+ Network Firewall creates Amazon Athena metadata files (including CSV files) in your S3 bucket. These metadata files are downloadable records of the metrics that populate the firewall monitoring dashboard.

For information about how Amazon S3 integrates with Amazon Athena, see [Querying Amazon S3 Inventory with Athena](https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage-inventory-athena-query.html).

For best practices on using the firewall monitoring dashboard, see [Working with the firewall monitoring dashboard](nwfw-using-dashboard.md).

# Working with the firewall monitoring dashboard
<a name="nwfw-using-dashboard"></a>

The firewall monitoring dashboard provides multiple options for viewing key metrics about your firewall. Review the guidance in this section to understand the dashboard's capabilities. 

Dashboard performance and data availability depend on two main factors:
+ The processing speed of CloudWatch and Athena in your respective AWS regions.
+ Your logging configuration choices (such as log types enabled and logging destinations) affect both the available visualizations and the dashboard's performance.

To analyze your network traffic using the dashboard:

1. Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **Network Firewall**, choose **Firewalls**.

1. In the **Firewalls** page, choose the name of the firewall that you want to edit. This takes you to the firewall's details page. 

1. In the firewall's details page, choose the **Monitoring** tab.

1. Optionally, adjust the scope of data shown in the dashboards:
   + Enter a valid IP address to specify which source or destination IPs you want to analyze
   + Select a protocol to specify the kind of traffic you want to analyze
   + Use the scope selector to specify whether metrics reflect logged activity from the top 10, 50, or 100 domains
   + Use the time range selector to specify the period you want to analyze

**Note**  
Changes to the time range will affect query costs. The scope selector (10/50/100 results) does not affect the cost of queries.

## Best practices
<a name="detailed-monitoring-best-practices"></a>

Review the following best practices to optimize your use of the firewall monitoring dashboard:
+ Configure both flow and alert logs for your firewall to gain access to all available visualizations.
+ Use the time range selector or custom time range option to compare recent data against historical trends.
+ Avoid incurring extra charges by limiting the amount of times you update page data. When the dashboard updates page data, Network Firewall queries your configured logging destinations to pull the latest metrics. Each query incurs an additional charge.

  The dashboard will query your logging destinations when:
  + You make scope adjustments with the time range selectors.
  + You start a new browser session and navigate to **Monitoring** from Firewall Details.

  Note that refreshing your browser window or navigating away from and back to the dashboard will clear any displayed data, requiring new queries to restore the view.

**Note**  
Network Firewall queries logging destinations separately to fetch log data. If your firewall sends logs to both CloudWatch and Amazon S3, any update to the dashboard page data will result in separate queries.

# Flow and alert log metrics in the firewall monitoring dashboard
<a name="nwfw-detailed-monitoring-metrics"></a>

The firewall monitoring dashboard provides multiple options for viewing key metrics about your firewall. 

Availability of graphs and other visualizations in the dashboard depend on your logging configuration. If you have not reviewed the [prerequisites](nwfw-detailed-monitoring.md#nwfw-detailed-monitoring-prerequisites), do that now.

 The following table describes the available visualizations and metrics for each log type:


| Log type | Metric visualization | Description | 
| --- | --- | --- | 
| Flow logs | Firewall traffic summary | Total number of connections and unique destinations observed. | 
| Flow logs | Top long-lived TCP flows | TCP connections that were active for more than 350 seconds. | 
| Flow logs | Top TCP flows (SYN without SYN-ACK) | TCP connections showing potential connectivity issues or scanning activity. | 
| Flow logs | Top talkers | Most active source and destination IP addresses, ports, and domains observed in traffic. | 
| Flow logs | Top Source IP by Packets | Source IP addresses observed to send the highest number of packets. | 
| Flow logs | Top Source IP by Bytes | Source IP addresses observed to send the most data, measured in bytes. | 
| Flow logs | Top Destination IP by Packets | Destination IP addresses observed to receive the highest number of packets. | 
| Flow logs | Top Destination IP by Bytes | Destination IP addresses observed to receive the most data, measured in bytes. | 
| Alert logs | Top PrivateLink Endpoint Candidates | Most frequent suspected PrivateLink endpoints observed in traffic. | 
| Alert logs | Firewall traffic summary | Total number of rejected connections and dropped connections. | 
| Alert logs | Top rejected traffic | Most frequently rejected domains, IP addresses, and ports. | 
| Alert logs | Top dropped traffic | Most frequently dropped domains, IP addresses, and ports. | 
| Alert logs | Top alerted host headers | Most frequent HTTP host headers observed in traffic. | 
| Alert logs | Top dropped/rejected host headers | Most frequent HTTP host headers observed in dropped and rejected traffic. | 
| Alert logs | Top HTTP URI paths | Most frequently accessed HTTP URI paths. | 
| Alert logs | Top HTTP User-Agents | Most common HTTP User-Agent strings observed. | 
| Alert logs | Top alerted TLS SNI | Most frequent Server Name Indication values observed in TLS traffic. | 
| Alert logs | Top dropped/rejected TLS SNI | Most frequently dropped and rejected Server Name Indication values observed in TLS traffic. | 

# Reporting on network traffic in Network Firewall
<a name="reporting"></a>

AWS Network Firewall lets you generate reports on HTTP or HTTPS traffic observed over the last 30 days in any firewall, starting from the point in time when you enable **Traffic analysis mode** in a firewall. Network Firewall only starts collecting traffic analysis metrics when you enable **Traffic analysis mode** on your firewall. 

**Tip**  
If you enable **Traffic analysis mode**, then immediately generate a report, the report will only contain metrics from when you enabled that setting. For the most comprehensive analysis, we recommend you wait 30 days after you enable **Traffic analysis mode** before you generate a report.

 Before you can generate a traffic analysis report, you must enable **Traffic analysis mode** when you create or update a firewall. For more information on firewall configuration, see [Managing a firewall and firewall endpoints in AWS Network Firewall](firewall-managing.md). 

**Note**  
You can generate up to one report per traffic type, per 30 day period. For example, when you successfully create an HTTP traffic report, you cannot create another HTTP traffic report until 30 days pass. Alternatively, if you generate a report that combines metrics on both HTTP and HTTPS traffic, you cannot create another report for either traffic type until 30 days pass. Network Firewall automatically deletes the report after 30 days.

Each report provides insight into the following metrics for any given firewall:
+ The most frequently accessed domains
+ The number of access attempts made to each observed domain 
+ The number of unique source IPs connecting to each observed domain 
+ The date and time any domain was first accessed (within the last 30 day period)
+ The date and time any domain was last accessed (within the last 30 day period)
+ The protocol (HTTP or HTTPS) used by any domain's traffic

## Caveats and considerations for traffic analysis reports
<a name="traffic-analysis-reports-considerations"></a>

Consider the following in your use of traffic analysis reports:
+ When you generate a report, you create a snapshot into the last 30 days of network traffic monitored by your firewall.
+ The maximum number of results per report is 1000.
+ If your custom HTTP and TLS logs do not contain an SNI or the HTTP hostname, Network Firewall will classify it as `UNKNOWN_DOMAIN`.
+ The observation count on reported domain access attempts cannot exceed the maximum of 2,147,483,647. For example, if one or more of your reported domains was accessed more than 2,147,483,647 times within the 30 day reporting period, the count shown in your generated report will not exceed 2,147,483,647.

## Generating traffic analysis reports
<a name="generating-reports"></a>

**Before you generate a report**  
If you haven't enabled **Traffic analysis mode** on your firewall, do that now. For more information, see [Managing a firewall and firewall endpoints in AWS Network Firewall](firewall-managing.md).

**Important**  
Network Firewall only starts collecting traffic analysis metrics when you enable **Traffic analysis mode** on your firewall. Traffic observed before you enable **Traffic analysis mode** is not included in reporting. 

**To generate a traffic analysis report in Network Firewall**

1. Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **Network Firewall**, choose **Firewalls**.

1. In the **Firewalls** page, choose the name of the firewall that you want to edit. This takes you to the firewall's details page. 

1. In the firewall's details page, choose the **Monitoring and observability** tab.

1. In the **Monitoring and observability** tab, select **Create report**.

## Creating stateful rule groups from reports
<a name="creating-stateful-rule-groups-from-reports"></a>

 You can create stateful rule groups using the domains identified in your firewall's traffic analysis reports. 

**To create a stateful rule group from a traffic analysis report**

1. Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **Network Firewall**, choose **Firewalls**.

1. In the **Firewalls** page, choose the name of the firewall that you want to edit. This takes you to the firewall's details page. 

1. In the firewall's details page, choose the **Monitoring and observability** tab.

1. Select any completed report.

1. Select **Create domain list group**. The workflow for creating a stateful rule group opens.

1. Complete the configuration for your domain list stateful rule group. For more information, see [Creating a stateful rule group](rule-group-stateful-creating.md).