# Firewall monitoring in the Network Firewall console
<a name="nwfw-detailed-monitoring"></a>

Firewall monitoring provides comprehensive visibility into your firewall's flow logs and alert logs. After you enable detailed monitoring, you can access these dashboards directly from the **Monitoring** tab in the firewall details page, without leaving the Network Firewall console.

## Prerequisites
<a name="nwfw-detailed-monitoring-prerequisites"></a>

Before you can use firewall monitoring, review the following prerequisites based on your logging configuration:

------
#### [ General prerequisites ]
+ Set up flow or alert log delivery to either Amazon CloudWatch or Amazon S3. For more information, see [Sending AWS Network Firewall logs to Amazon Simple Storage Service](logging-s3.md) or [Sending AWS Network Firewall logs to Amazon CloudWatch Logs](logging-cw-logs.md).
+ Ensure you have the necessary permissions to access monitoring features. For more information, see [(Optional) Permissions to access CloudWatch log metrics in Network Firewall](logging-cw-logs.md#cw-permissions-for-nwfw-dashboard) or [(Optional) Permissions to access Amazon S3 log metrics in Network Firewall using Amazon Athena](logging-s3.md#logging-s3-athena).

**Note**  
CloudWatch and Amazon S3 logs may incur additional charges. For information, see [Pricing for AWS Network Firewall logging](firewall-logging-pricing.md).

For best practices on using the firewall monitoring dashboard, see [Working with the firewall monitoring dashboard](nwfw-using-dashboard.md).

------
#### [ S3 logging prerequisites ]

If your firewall sends logs to Amazon S3, ensure the following:
+ The Amazon S3 bucket storing the logs is in the same region as the firewall. Amazon Athena requires this for log processing, as it doesn't support cross-region processing.
+ If you specify a prefix for your S3 bucket, it doesn't begin with a forward slash (`/`). Prefixes starting with "/" aren't compatible with Amazon Athena processing and prevent the dashboard from functioning correctly. For more information about S3 bucket configuration, see [Sending AWS Network Firewall logs to Amazon Simple Storage Service](logging-s3.md).
+ Your account has the required permissions to query Amazon Athena APIs. For information, see [(Optional) Permissions to access Amazon S3 log metrics in Network Firewall using Amazon Athena](logging-s3.md#logging-s3-athena).
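The region and prefix rules above are easy to get wrong when a logging configuration is assembled by automation, so the following added example (not Network Firewall's own code) checks them against a logging configuration shaped like the `LogDestinationConfigs` list that the `DescribeLoggingConfiguration` API returns. The bucket-to-region mapping is an assumed input that you would populate from S3 `GetBucketLocation`; the sample configuration, bucket names and regions are constructed for the example.

```python
"""Added example: check the Amazon S3 prerequisites for firewall monitoring."""


def check_s3_monitoring_prerequisites(logging_configuration, firewall_region, bucket_regions):
    """Return a list of findings for S3 log destinations that would break the dashboard.

    logging_configuration: dict shaped like the API's LoggingConfiguration
        ({"LogDestinationConfigs": [{"LogType", "LogDestinationType", "LogDestination"}]}).
    firewall_region: the Region the firewall lives in (for example "us-east-1").
    bucket_regions: assumed input mapping bucket name -> Region (from GetBucketLocation).
    """
    findings = []
    for cfg in logging_configuration.get("LogDestinationConfigs", []):
        if cfg.get("LogDestinationType") != "S3":
            continue  # CloudWatch Logs and Firehose destinations have no S3-specific rules here
        log_type = cfg.get("LogType")
        dest = cfg.get("LogDestination", {})
        bucket = dest.get("bucketName")
        prefix = dest.get("prefix", "")

        # Athena does not process logs across Regions: the bucket must match the firewall.
        region = bucket_regions.get(bucket)
        if region is None:
            findings.append(f"{log_type}: region of bucket {bucket!r} unknown; "
                            f"verify it is in {firewall_region}")
        elif region != firewall_region:
            findings.append(f"{log_type}: bucket {bucket!r} is in {region}, "
                            f"but Athena needs it in {firewall_region}")

        # A prefix beginning with "/" is not compatible with Athena processing.
        if prefix.startswith("/"):
            findings.append(f"{log_type}: prefix {prefix!r} begins with '/', "
                            "which prevents the dashboard from working")
    return findings


# Constructed sample configuration: one bad prefix, one bucket in the wrong Region,
# and a CloudWatch destination that is ignored by the S3 checks.
SAMPLE_LOGGING_CONFIGURATION = {
    "LogDestinationConfigs": [
        {"LogType": "FLOW", "LogDestinationType": "S3",
         "LogDestination": {"bucketName": "example-nwfw-logs", "prefix": "/flow"}},
        {"LogType": "ALERT", "LogDestinationType": "S3",
         "LogDestination": {"bucketName": "example-nwfw-logs-west", "prefix": "alert"}},
        {"LogType": "ALERT", "LogDestinationType": "CloudWatchLogs",
         "LogDestination": {"logGroup": "example-nwfw-alerts"}},
    ]
}
SAMPLE_BUCKET_REGIONS = {  # assumed GetBucketLocation results, constructed
    "example-nwfw-logs": "us-east-1",
    "example-nwfw-logs-west": "us-west-2",
}


def sample_findings():
    """Run the check over the constructed sample for a firewall in us-east-1."""
    return check_s3_monitoring_prerequisites(
        SAMPLE_LOGGING_CONFIGURATION, "us-east-1", SAMPLE_BUCKET_REGIONS)


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

Run it before enabling monitoring on a firewall whose logging was set up by infrastructure-as-code; an empty list means the S3 destinations satisfy both rules on this page (it does not check permissions).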

------

## Enable firewall monitoring
<a name="nwfw-detailed-monitoring-access"></a>

You can enable firewall monitoring in any of the following ways:
+ During firewall creation, using the logging configuration widget in the **Configure advanced settings** workflow. For more information, see [Creating a firewall in AWS Network Firewall](creating-firewall.md).
+ From the **Edit Logging Configuration** page of an existing firewall. For more information, see [Updating a firewall in AWS Network Firewall](firewall-updating.md).
+ Directly from the **Monitoring** tab in the firewall details page.

## Considerations for using firewall monitoring
<a name="detailed-monitoring-considerations"></a>

When you modify or move an Amazon S3 bucket or CloudWatch log group that is queried to populate the firewall monitoring dashboard, the metrics populated in the dashboard can become inaccurate.

When you enable detailed monitoring for a firewall that sends logs to Amazon S3:
+ Network Firewall creates Amazon Athena tables in your account to process the log data.
+ These tables are used exclusively for populating detailed monitoring dashboards and are managed by the Network Firewall console.
+ Network Firewall creates Amazon Athena metadata files (including CSV files) in your S3 bucket. These metadata files are downloadable records of the metrics that populate the firewall monitoring dashboard.

For information about how Amazon S3 integrates with Amazon Athena, see [Querying Amazon S3 Inventory with Athena](https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage-inventory-athena-query.html).

For best practices on using the firewall monitoring dashboard, see [Working with the firewall monitoring dashboard](nwfw-using-dashboard.md).

# Working with the firewall monitoring dashboard
<a name="nwfw-using-dashboard"></a>

The firewall monitoring dashboard provides multiple options for viewing key metrics about your firewall. Review the guidance in this section to understand the dashboard's capabilities. 

Dashboard performance and data availability depend on two main factors:
+ The processing speed of CloudWatch and Athena in your AWS Region.
+ Your logging configuration choices (such as which log types are enabled and where logs are delivered), which determine both which visualizations are available and how quickly the dashboard loads.

To analyze your network traffic using the dashboard:

1. Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **Network Firewall**, choose **Firewalls**.

1. In the **Firewalls** page, choose the name of the firewall that you want to edit. This takes you to the firewall's details page. 

1. In the firewall's details page, choose the **Monitoring** tab.

1. Optionally, adjust the scope of data shown in the dashboards:
   + Enter a valid IP address to specify which source or destination IPs you want to analyze
   + Select a protocol to specify the kind of traffic you want to analyze
   + Use the scope selector to specify whether metrics reflect logged activity from the top 10, 50, or 100 domains
   + Use the time range selector to specify the period you want to analyze

**Note**  
Changes to the time range will affect query costs. The scope selector (10/50/100 results) does not affect the cost of queries.

## Best practices
<a name="detailed-monitoring-best-practices"></a>

Review the following best practices to optimize your use of the firewall monitoring dashboard:
+ Configure both flow and alert logs for your firewall to gain access to all available visualizations.
+ Use the time range selector or custom time range option to compare recent data against historical trends.
+ Avoid incurring extra charges by limiting the amount of times you update page data. When the dashboard updates page data, Network Firewall queries your configured logging destinations to pull the latest metrics. Each query incurs an additional charge.

  The dashboard will query your logging destinations when:
  + You make scope adjustments with the time range selectors.
  + You start a new browser session and navigate to **Monitoring** from Firewall Details.

  Note that refreshing your browser window or navigating away from and back to the dashboard will clear any displayed data, requiring new queries to restore the view.

**Note**  
Network Firewall queries logging destinations separately to fetch log data. If your firewall sends logs to both CloudWatch and Amazon S3, any update to the dashboard page data will result in separate queries.

# Flow and alert log metrics in the firewall monitoring dashboard
<a name="nwfw-detailed-monitoring-metrics"></a>

The firewall monitoring dashboard provides multiple options for viewing key metrics about your firewall. 

Availability of graphs and other visualizations in the dashboard depends on your logging configuration. If you have not reviewed the [prerequisites](nwfw-detailed-monitoring.md#nwfw-detailed-monitoring-prerequisites), do that now.

The following table describes the available visualizations and metrics for each log type:

| Log type | Metric visualization | Description | 
| --- | --- | --- | 
| Flow logs | Firewall traffic summary | Total number of connections and unique destinations observed. | 
| Flow logs | Top long-lived TCP flows | TCP connections that were active for more than 350 seconds. | 
| Flow logs | Top TCP flows (SYN without SYN-ACK) | TCP connections showing potential connectivity issues or scanning activity. | 
| Flow logs | Top talkers | Most active source and destination IP addresses, ports, and domains observed in traffic. | 
| Flow logs | Top Source IP by Packets | Source IP addresses observed to send the highest number of packets. | 
| Flow logs | Top Source IP by Bytes | Source IP addresses observed to send the most data, measured in bytes. | 
| Flow logs | Top Destination IP by Packets | Destination IP addresses observed to receive the highest number of packets. | 
| Flow logs | Top Destination IP by Bytes | Destination IP addresses observed to receive the most data, measured in bytes. | 
| Alert logs | Top PrivateLink Endpoint Candidates | Most frequent suspected PrivateLink endpoints observed in traffic. | 
| Alert logs | Firewall traffic summary | Total number of rejected connections and dropped connections. | 
| Alert logs | Top rejected traffic | Most frequently rejected domains, IP addresses, and ports. | 
| Alert logs | Top dropped traffic | Most frequently dropped domains, IP addresses, and ports. | 
| Alert logs | Top alerted host headers | Most frequent HTTP host headers observed in traffic. | 
| Alert logs | Top dropped/rejected host headers | Most frequent HTTP host headers observed in dropped and rejected traffic. | 
| Alert logs | Top HTTP URI paths | Most frequently accessed HTTP URI paths. | 
| Alert logs | Top HTTP User-Agents | Most common HTTP User-Agent strings observed. | 
| Alert logs | Top alerted TLS SNI | Most frequent Server Name Indication values observed in TLS traffic. | 
| Alert logs | Top dropped/rejected TLS SNI | Most frequently dropped and rejected Server Name Indication values observed in TLS traffic. | 
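To make the flow log rows of the table concrete, the following added example (not Network Firewall's own code, and not how the console computes its dashboards) aggregates a handful of constructed flow log lines into the same metrics: traffic summary, long-lived TCP flows using the 350-second threshold, TCP flows that sent a SYN and never received a SYN-ACK, and top source and destination IPs by packets and bytes. The records are constructed to resemble the `netflow` event shape of Network Firewall flow logs; the IP addresses, ports and counters are invented, and "SYN without SYN-ACK" is approximated here as a TCP record whose cumulative flags show SYN set but ACK never set.

```python
"""Added example: compute the dashboard's flow log metrics from sample flow log lines."""
import json
from collections import Counter

LONG_LIVED_SECONDS = 350  # threshold used by the "Top long-lived TCP flows" visualization


def _netflow_record(src_ip, src_port, dest_ip, dest_port, proto, pkts, nbytes, age, tcp=None):
    """Build one constructed flow log line (JSON) modelled on the netflow event shape."""
    event = {
        "event_type": "netflow",
        "src_ip": src_ip, "src_port": src_port,
        "dest_ip": dest_ip, "dest_port": dest_port,
        "proto": proto,
        "netflow": {"pkts": pkts, "bytes": nbytes, "age": age},  # age is flow duration in seconds
    }
    if tcp is not None:
        event["tcp"] = tcp
    return json.dumps({"firewall_name": "example-fw", "event": event})


# Constructed sample log lines; all values are invented for this example.
SAMPLE_FLOW_LOG_LINES = [
    _netflow_record("10.0.1.5", 51000, "203.0.113.10", 443, "TCP", 420, 310000, 900,
                    {"tcp_flags": "1b", "syn": True, "ack": True, "psh": True, "fin": True}),
    _netflow_record("10.0.1.5", 51001, "203.0.113.10", 443, "TCP", 12, 6400, 30,
                    {"tcp_flags": "13", "syn": True, "ack": True, "fin": True}),
    # Three single-packet SYNs from one host that never completed a handshake (SYN only).
    _netflow_record("10.0.2.7", 40000, "198.51.100.20", 22, "TCP", 1, 60, 0,
                    {"tcp_flags": "02", "syn": True}),
    _netflow_record("10.0.2.7", 40001, "198.51.100.20", 23, "TCP", 1, 60, 0,
                    {"tcp_flags": "02", "syn": True}),
    _netflow_record("10.0.2.7", 40002, "198.51.100.21", 3389, "TCP", 1, 60, 0,
                    {"tcp_flags": "02", "syn": True}),
    _netflow_record("10.0.1.9", 53211, "10.0.0.2", 53, "UDP", 2, 190, 0),
]


def compute_flow_metrics(lines, top_n=10):
    """Aggregate netflow records into the flow log metrics the dashboard shows."""
    connections = 0
    destinations = set()
    long_lived = []          # (age, flow) for TCP flows longer than LONG_LIVED_SECONDS
    syn_without_synack = []  # TCP flows whose flags show SYN but never ACK
    src_bytes, src_pkts = Counter(), Counter()
    dst_bytes, dst_pkts = Counter(), Counter()

    for line in lines:
        event = json.loads(line).get("event", {})
        if event.get("event_type") != "netflow":
            continue  # ignore anything that is not a flow record
        nf = event.get("netflow", {})
        src, dst = event.get("src_ip"), event.get("dest_ip")
        connections += 1
        destinations.add(dst)
        src_bytes[src] += nf.get("bytes", 0)
        src_pkts[src] += nf.get("pkts", 0)
        dst_bytes[dst] += nf.get("bytes", 0)
        dst_pkts[dst] += nf.get("pkts", 0)
        if event.get("proto") == "TCP":
            flow = (src, event.get("src_port"), dst, event.get("dest_port"))
            if nf.get("age", 0) > LONG_LIVED_SECONDS:
                long_lived.append((nf["age"], flow))
            tcp = event.get("tcp", {})
            if tcp.get("syn") and not tcp.get("ack"):
                syn_without_synack.append(flow)

    long_lived.sort(reverse=True)  # longest flows first
    return {
        "connections": connections,
        "unique_destinations": len(destinations),
        "top_long_lived_tcp": long_lived[:top_n],
        "tcp_syn_without_synack": syn_without_synack[:top_n],
        "top_source_by_packets": src_pkts.most_common(top_n),
        "top_source_by_bytes": src_bytes.most_common(top_n),
        "top_destination_by_packets": dst_pkts.most_common(top_n),
        "top_destination_by_bytes": dst_bytes.most_common(top_n),
    }


if __name__ == "__main__":
    print(json.dumps(compute_flow_metrics(SAMPLE_FLOW_LOG_LINES), indent=2))
```

On the sample, the three SYN-only flows from one source to consecutive administrative ports surface in the "SYN without SYN-ACK" metric, which is the kind of pattern that row of the table describes as a possible connectivity problem or scanning activity; the 900-second HTTPS session is the only flow above the long-lived threshold.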