

# Monitoring and reporting in Network Firewall
<a name="nwfw-monitoring-reporting"></a>

Network Firewall offers multiple in-console options to analyze the network traffic monitored by a firewall. The **Monitoring** page provides tools for real-time monitoring and retroactive analysis, including enhanced filtering and sorting capabilities for IP addresses and protocols. Your firewall's advanced configuration settings affect which dashboards are populated with data. For information on adjusting your firewall's configuration, see [Updating a firewall in AWS Network Firewall](firewall-updating.md).

Network Firewall provides the following features in the **Monitoring** section of firewall details:


| Monitoring feature | Description | Data source | Enabled by default? | 
| --- | --- | --- | --- | 
|  Firewall requests  |  Provides a graph of the number of packets monitored by the firewall. [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/network-firewall/latest/developerguide/nwfw-monitoring-reporting.html)  |  Stateless and stateful engine traffic.  |  Yes  | 
|  Firewall monitoring dashboard  |  Provides real-time analysis of flow and alert logs through multiple visualization options, including: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/network-firewall/latest/developerguide/nwfw-monitoring-reporting.html)  |  Amazon S3 and CloudWatch logs.  |  No. Must be enabled in your firewall's advanced settings.  | 
|  Traffic analysis mode and reports  |  Provides retroactive analysis and report generation.  |  HTTP or HTTPS traffic observed over the last 30 days, starting from when you enable **Traffic analysis mode** on your firewall.  |  No. Must be enabled in your firewall's advanced settings.  | 

**Access Monitoring in the Network Firewall console**  
Follow these steps to access the monitoring and observability features for your firewall:

1. Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **Network Firewall**, choose **Firewalls**.

1. In the **Firewalls** page, choose the name of the firewall that you want to edit. This takes you to the firewall's details page. 

1. In the firewall's details page, choose the **Monitoring** tab.

Review the topics in this guide to learn about the monitoring options you can enable using the Network Firewall console.

**Topics**
+ [Firewall monitoring in the Network Firewall console](nwfw-detailed-monitoring.md)
+ [Reporting on network traffic in Network Firewall](reporting.md)

# Firewall monitoring in the Network Firewall console
<a name="nwfw-detailed-monitoring"></a>

Firewall monitoring provides comprehensive visibility into your firewall's flow logs and alert logs. After you enable detailed monitoring, you can access these dashboards directly from the **Monitoring** tab in the firewall details page, without leaving the Network Firewall console.

## Prerequisites
<a name="nwfw-detailed-monitoring-prerequisites"></a>

Before you can use firewall monitoring, review the following prerequisites based on your logging configuration:

------
#### [ General prerequisites ]
+ Set up flow or alert log delivery to either Amazon CloudWatch or Amazon S3. For more information, see [Sending AWS Network Firewall logs to Amazon Simple Storage Service](logging-s3.md) or [Sending AWS Network Firewall logs to Amazon CloudWatch Logs](logging-cw-logs.md).
+ Ensure you have the necessary permissions to access monitoring features. For more information, see [(Optional) Permissions to access CloudWatch log metrics in Network Firewall](logging-cw-logs.md#cw-permissions-for-nwfw-dashboard) or [(Optional) Permissions to access Amazon S3 log metrics in Network Firewall using Amazon Athena](logging-s3.md#logging-s3-athena).

**Note**  
CloudWatch and Amazon S3 logs may incur additional charges. For information, see [Pricing for AWS Network Firewall logging](firewall-logging-pricing.md).

For best practices on using the firewall monitoring dashboard, see [Working with the firewall monitoring dashboard](nwfw-using-dashboard.md).

------
#### [ S3 logging prerequisites ]

If your firewall sends logs to Amazon S3, ensure the following:
+ The Amazon S3 bucket storing the logs is in the same region as the firewall. Amazon Athena requires this for log processing, as it doesn't support cross-region processing.
+ If you specify a prefix for your S3 bucket, it doesn't begin with a forward slash (`/`). Prefixes starting with "/" aren't compatible with Amazon Athena processing and prevent the dashboard from functioning correctly. For more information about S3 bucket configuration, see [Sending AWS Network Firewall logs to Amazon Simple Storage Service](logging-s3.md).
+ Your account has the required permissions to query Amazon Athena APIs. For information, see [(Optional) Permissions to access Amazon S3 log metrics in Network Firewall using Amazon Athena](logging-s3.md#logging-s3-athena).

------
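The two S3 prerequisites above (bucket in the same Region as the firewall, prefix not starting with `/`) are easy to check programmatically before you turn on the dashboard. The following is an added example, not AWS code: it inspects a configuration shaped like the `LoggingConfiguration` that `DescribeLoggingConfiguration` returns and reports every S3 destination that would break Athena processing. The sample configuration and the bucket-to-Region lookup are constructed for the example; in real use you would fetch both from the API.

```python
"""Check a Network Firewall logging configuration against the documented S3
prerequisites for the monitoring dashboard. Added example; not AWS code."""

# Constructed sample in the shape of LoggingConfiguration from
# DescribeLoggingConfiguration (values invented for this example).
SAMPLE_LOGGING_CONFIGURATION = {
    "LogDestinationConfigs": [
        {
            "LogType": "FLOW",
            "LogDestinationType": "S3",
            "LogDestination": {"bucketName": "example-nwfw-logs", "prefix": "flow/"},
        },
        {
            "LogType": "ALERT",
            "LogDestinationType": "S3",
            # wrong Region and a leading slash: both documented problems
            "LogDestination": {"bucketName": "example-nwfw-logs-other-region", "prefix": "/alert"},
        },
        {
            "LogType": "TLS",
            "LogDestinationType": "CloudWatchLogs",
            "LogDestination": {"logGroup": "/aws/network-firewall/tls"},
        },
    ]
}

# Constructed stand-in for resolving each bucket's Region (assumption: in real
# use this comes from the S3 API, e.g. a GetBucketLocation call per bucket).
SAMPLE_BUCKET_REGIONS = {
    "example-nwfw-logs": "us-east-1",
    "example-nwfw-logs-other-region": "eu-west-1",
}


def dashboard_log_types(logging_configuration):
    """Log types (FLOW/ALERT) delivered to a destination the dashboard can read."""
    usable = set()
    for cfg in logging_configuration.get("LogDestinationConfigs", []):
        if cfg.get("LogDestinationType") in ("S3", "CloudWatchLogs") and cfg.get("LogType") in ("FLOW", "ALERT"):
            usable.add(cfg["LogType"])
    return usable


def check_s3_prerequisites(logging_configuration, firewall_region, bucket_regions):
    """Return (log_type, problem) findings for S3 destinations; empty means all good."""
    findings = []
    for cfg in logging_configuration.get("LogDestinationConfigs", []):
        if cfg.get("LogDestinationType") != "S3":
            continue  # only S3 destinations are processed through Athena
        log_type = cfg.get("LogType", "?")
        dest = cfg.get("LogDestination", {})
        bucket = dest.get("bucketName")
        prefix = dest.get("prefix", "")

        bucket_region = bucket_regions.get(bucket)
        if bucket_region is None:
            findings.append((log_type, f"bucket {bucket!r}: Region unknown, cannot verify"))
        elif bucket_region != firewall_region:
            findings.append((log_type, f"bucket {bucket!r} is in {bucket_region}, firewall is in {firewall_region}"))

        if prefix.startswith("/"):
            findings.append((log_type, f"prefix {prefix!r} begins with '/', which Athena processing does not accept"))
    return findings


if __name__ == "__main__":
    print("dashboard log types:", sorted(dashboard_log_types(SAMPLE_LOGGING_CONFIGURATION)))
    for log_type, problem in check_s3_prerequisites(SAMPLE_LOGGING_CONFIGURATION, "us-east-1", SAMPLE_BUCKET_REGIONS):
        print(f"{log_type}: {problem}")
```

Run it once before enabling monitoring; a non-empty findings list means the dashboard would be populated from a destination Athena cannot read, which is exactly the failure the prerequisites describe.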

## Enable firewall monitoring
<a name="nwfw-detailed-monitoring-access"></a>

You can enable firewall monitoring in any of the following ways:
+ During firewall creation, using the logging configuration widget in the **Configure advanced settings** workflow. For more information, see [Creating a firewall in AWS Network Firewall](creating-firewall.md).
+ From the **Edit Logging Configuration** page of an existing firewall. For more information, see [Updating a firewall in AWS Network Firewall](firewall-updating.md).
+ Directly from the **Monitoring** tab in the firewall details page.

## Considerations for using firewall monitoring
<a name="detailed-monitoring-considerations"></a>

When you modify or move an Amazon S3 bucket or CloudWatch log group that is queried to populate the firewall monitoring dashboard, the metrics populated in the dashboard can become inaccurate.

When you enable detailed monitoring for a firewall that sends logs to Amazon S3:
+ Network Firewall creates Amazon Athena tables in your account to process the log data.
+ These tables are used exclusively for populating detailed monitoring dashboards and are managed by the Network Firewall console.
+ Network Firewall creates Amazon Athena metadata files (including CSV files) in your S3 bucket. These metadata files are downloadable records of the metrics that populate the firewall monitoring dashboard.

For information about how Amazon S3 integrates with Amazon Athena, see [Querying Amazon S3 Inventory with Athena](https://docs.aws.amazon.com/AmazonS3/latest/userguide/storage-inventory-athena-query.html).

For best practices on using the firewall monitoring dashboard, see [Working with the firewall monitoring dashboard](nwfw-using-dashboard.md).

# Working with the firewall monitoring dashboard
<a name="nwfw-using-dashboard"></a>

The firewall monitoring dashboard provides multiple options for viewing key metrics about your firewall. Review the guidance in this section to understand the dashboard's capabilities. 

Dashboard performance and data availability depend on two main factors:
+ The processing speed of CloudWatch and Athena in your AWS Region.
+ Your logging configuration choices, such as the log types enabled and the logging destinations, which affect both the available visualizations and the dashboard's performance.

To analyze your network traffic using the dashboard:

1. Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **Network Firewall**, choose **Firewalls**.

1. In the **Firewalls** page, choose the name of the firewall that you want to edit. This takes you to the firewall's details page. 

1. In the firewall's details page, choose the **Monitoring** tab.

1. Optionally, adjust the scope of data shown in the dashboards:
   + Enter a valid IP address to specify which source or destination IPs you want to analyze
   + Select a protocol to specify the kind of traffic you want to analyze
   + Use the scope selector to specify whether metrics reflect logged activity from the top 10, 50, or 100 domains
   + Use the time range selector to specify the period you want to analyze

**Note**  
Changes to the time range will affect query costs. The scope selector (10/50/100 results) does not affect the cost of queries.

## Best practices
<a name="detailed-monitoring-best-practices"></a>

Review the following best practices to optimize your use of the firewall monitoring dashboard:
+ Configure both flow and alert logs for your firewall to gain access to all available visualizations.
+ Use the time range selector or custom time range option to compare recent data against historical trends.
+ Avoid incurring extra charges by limiting how often you update page data. When the dashboard updates page data, Network Firewall queries your configured logging destinations to pull the latest metrics. Each query incurs an additional charge.

  The dashboard will query your logging destinations when:
  + You make scope adjustments with the time range selectors.
  + You start a new browser session and navigate to **Monitoring** from Firewall Details.

  Note that refreshing your browser window or navigating away from and back to the dashboard will clear any displayed data, requiring new queries to restore the view.

**Note**  
Network Firewall queries logging destinations separately to fetch log data. If your firewall sends logs to both CloudWatch and Amazon S3, any update to the dashboard page data will result in separate queries.

# Flow and alert log metrics in the firewall monitoring dashboard
<a name="nwfw-detailed-monitoring-metrics"></a>

The firewall monitoring dashboard provides multiple options for viewing key metrics about your firewall. 

Availability of graphs and other visualizations in the dashboard depends on your logging configuration. If you have not reviewed the [prerequisites](nwfw-detailed-monitoring.md#nwfw-detailed-monitoring-prerequisites), do that now.

The following table describes the available visualizations and metrics for each log type:


| Log type | Metric visualization | Description | 
| --- | --- | --- | 
| Flow logs | Firewall traffic summary | Total number of connections and unique destinations observed. | 
| Flow logs | Top long-lived TCP flows | TCP connections that were active for more than 350 seconds. | 
| Flow logs | Top TCP flows (SYN without SYN-ACK) | TCP connections showing potential connectivity issues or scanning activity. | 
| Flow logs | Top talkers | Most active source and destination IP addresses, ports, and domains observed in traffic. | 
| Flow logs | Top Source IP by Packets | Source IP addresses observed to send the highest number of packets. | 
| Flow logs | Top Source IP by Bytes | Source IP addresses observed to send the most data, measured in bytes. | 
| Flow logs | Top Destination IP by Packets | Destination IP addresses observed to receive the highest number of packets. | 
| Flow logs | Top Destination IP by Bytes | Destination IP addresses observed to receive the most data, measured in bytes. | 
| Alert logs | Top PrivateLink Endpoint Candidates | Most frequent suspected PrivateLink endpoints observed in traffic. | 
| Alert logs | Firewall traffic summary | Total number of rejected connections and dropped connections. | 
| Alert logs | Top rejected traffic | Most frequently rejected domains, IP addresses, and ports. | 
| Alert logs | Top dropped traffic | Most frequently dropped domains, IP addresses, and ports. | 
| Alert logs | Top alerted host headers | Most frequent HTTP host headers observed in traffic. | 
| Alert logs | Top dropped/rejected host headers | Most frequent HTTP host headers observed in dropped and rejected traffic. | 
| Alert logs | Top HTTP URI paths | Most frequently accessed HTTP URI paths. | 
| Alert logs | Top HTTP User-Agents | Most common HTTP User-Agent strings observed. | 
| Alert logs | Top alerted TLS SNI | Most frequent Server Name Indication values observed in TLS traffic. | 
| Alert logs | Top dropped/rejected TLS SNI | Most frequently dropped and rejected Server Name Indication values observed in TLS traffic. | 
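To make the flow-log rows of the table concrete, here is an added example (not AWS code, and not the dashboard's own queries) that recomputes three of those metrics from raw flow log lines: long-lived TCP flows using the 350-second threshold from the table, TCP flows that only ever sent a SYN, and top talkers by packets and bytes. The record layout follows the netflow JSON that Network Firewall writes; the sample lines are constructed, and the SYN-without-SYN-ACK rule is an assumed approximation (a TCP flow record whose flags include SYN but never ACK), since the page does not state how the dashboard derives that visualization.

```python
"""Recompute flow-log dashboard metrics from Network Firewall flow log lines.
Added example; not AWS code. Sample records are constructed."""
import json
from collections import Counter


def _record(flow_id, src, sport, dst, dport, proto, pkts, nbytes, age, tcp=None):
    """Build one constructed flow log line in the Network Firewall JSON shape."""
    event = {
        "timestamp": "2024-01-01T00:00:00.000000+0000", "flow_id": flow_id,
        "event_type": "netflow", "src_ip": src, "src_port": sport,
        "dest_ip": dst, "dest_port": dport, "proto": proto,
        "netflow": {"pkts": pkts, "bytes": nbytes, "age": age},
    }
    if tcp is not None:
        event["tcp"] = tcp
    return json.dumps({"firewall_name": "example-fw", "availability_zone": "us-east-1a",
                       "event_timestamp": "1704067200", "event": event})


SAMPLE_FLOW_LOG_LINES = [
    # a completed HTTPS session that stayed open for ten minutes
    _record(1, "10.0.1.10", 50000, "203.0.113.5", 443, "TCP", 1200, 900000, 600,
            {"tcp_flags": "1b", "syn": True, "fin": True, "psh": True, "ack": True}),
    # a short, normal HTTPS session
    _record(2, "10.0.1.10", 50001, "203.0.113.5", 443, "TCP", 20, 4000, 30,
            {"tcp_flags": "1b", "syn": True, "fin": True, "psh": True, "ack": True}),
    # two unanswered SYNs from one host: the pattern the table flags
    _record(3, "10.0.1.20", 40000, "203.0.113.7", 22, "TCP", 1, 60, 0,
            {"tcp_flags": "02", "syn": True}),
    _record(4, "10.0.1.20", 40001, "203.0.113.7", 23, "TCP", 1, 60, 0,
            {"tcp_flags": "02", "syn": True}),
    # a DNS exchange; UDP records carry no "tcp" object
    _record(5, "10.0.1.30", 53000, "198.51.100.9", 53, "UDP", 2, 300, 1),
]


def parse_flow_records(lines):
    """Return the inner "event" objects of netflow records, skipping anything else."""
    records = []
    for line in lines:
        event = json.loads(line).get("event", {})
        if event.get("event_type") == "netflow":
            records.append(event)
    return records


def long_lived_tcp_flows(records, threshold_seconds=350):
    """TCP flows whose netflow.age exceeds the threshold, longest first."""
    hits = [(r["src_ip"], r["dest_ip"], r["dest_port"], r["netflow"]["age"])
            for r in records
            if r.get("proto") == "TCP" and r["netflow"]["age"] > threshold_seconds]
    return sorted(hits, key=lambda h: h[3], reverse=True)


def syn_without_synack(records):
    """Per source IP, count TCP flows that carried SYN but never ACK (assumed heuristic)."""
    counts = Counter()
    for r in records:
        tcp = r.get("tcp", {})
        if r.get("proto") == "TCP" and tcp.get("syn") and not tcp.get("ack"):
            counts[r["src_ip"]] += 1
    return counts


def top_talkers(records):
    """Packet and byte totals per source and destination IP, as Counters."""
    out = {k: Counter() for k in ("src_by_packets", "src_by_bytes", "dest_by_packets", "dest_by_bytes")}
    for r in records:
        pkts, nbytes = r["netflow"]["pkts"], r["netflow"]["bytes"]
        out["src_by_packets"][r["src_ip"]] += pkts
        out["src_by_bytes"][r["src_ip"]] += nbytes
        out["dest_by_packets"][r["dest_ip"]] += pkts
        out["dest_by_bytes"][r["dest_ip"]] += nbytes
    return out


if __name__ == "__main__":
    recs = parse_flow_records(SAMPLE_FLOW_LOG_LINES)
    print("long-lived TCP flows:", long_lived_tcp_flows(recs))
    print("SYN without SYN-ACK by source:", syn_without_synack(recs).most_common(10))
    print("top source IPs by bytes:", top_talkers(recs)["src_by_bytes"].most_common(10))
```

Running the same logic over an export of your own flow logs is a cheap way to sanity-check what the dashboard shows, and to keep a record outside the console, since the page notes that dashboard data is cleared on every refresh.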

# Reporting on network traffic in Network Firewall
<a name="reporting"></a>

AWS Network Firewall lets you generate reports on HTTP or HTTPS traffic observed over the last 30 days in any firewall, starting from the point in time when you enable **Traffic analysis mode** in a firewall. Network Firewall only starts collecting traffic analysis metrics when you enable **Traffic analysis mode** on your firewall. 

**Tip**  
If you enable **Traffic analysis mode**, then immediately generate a report, the report will only contain metrics from when you enabled that setting. For the most comprehensive analysis, we recommend you wait 30 days after you enable **Traffic analysis mode** before you generate a report.

 Before you can generate a traffic analysis report, you must enable **Traffic analysis mode** when you create or update a firewall. For more information on firewall configuration, see [Managing a firewall and firewall endpoints in AWS Network Firewall](firewall-managing.md). 

**Note**  
You can generate up to one report per traffic type, per 30 day period. For example, when you successfully create an HTTP traffic report, you cannot create another HTTP traffic report until 30 days pass. Alternatively, if you generate a report that combines metrics on both HTTP and HTTPS traffic, you cannot create another report for either traffic type until 30 days pass. Network Firewall automatically deletes the report after 30 days.

Each report provides insight into the following metrics for any given firewall:
+ The most frequently accessed domains
+ The number of access attempts made to each observed domain 
+ The number of unique source IPs connecting to each observed domain 
+ The date and time any domain was first accessed (within the last 30 day period)
+ The date and time any domain was last accessed (within the last 30 day period)
+ The protocol (HTTP or HTTPS) used by any domain's traffic

## Caveats and considerations for traffic analysis reports
<a name="traffic-analysis-reports-considerations"></a>

Consider the following in your use of traffic analysis reports:
+ When you generate a report, you create a snapshot into the last 30 days of network traffic monitored by your firewall.
+ The maximum number of results per report is 1000.
+ If your custom HTTP and TLS logs do not contain an SNI or the HTTP hostname, Network Firewall will classify it as `UNKNOWN_DOMAIN`.
+ The observation count on reported domain access attempts cannot exceed the maximum of 2,147,483,647. For example, if one or more of your reported domains was accessed more than 2,147,483,647 times within the 30 day reporting period, the count shown in your generated report will not exceed 2,147,483,647.
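The metrics listed under "Each report provides insight" and the caveats above describe a straightforward aggregation over HTTP hostname and TLS SNI values. The following added example (not AWS code, and not the service's report generator) performs that aggregation over constructed log lines so the caveats are visible in the output: records with no hostname or SNI land in `UNKNOWN_DOMAIN`, the result list is cut at 1000 rows, the access count is capped at 2,147,483,647, and records before the start of the reporting window are ignored. Field names follow the http/tls event JSON Network Firewall writes; timestamps use the `event_timestamp` epoch seconds, and the per-row dictionary layout is this example's own.

```python
"""Aggregate HTTP/TLS log records into the per-domain metrics a traffic
analysis report contains. Added example; not AWS code. Sample lines are constructed."""
import json

MAX_RESULTS = 1000            # documented maximum results per report
MAX_COUNT = 2_147_483_647     # documented cap on the access-attempt count


def _line(event_type, src_ip, ts, hostname=None, sni=None):
    """Constructed log line; http records carry http.hostname, tls records tls.sni."""
    event = {"event_type": event_type, "src_ip": src_ip,
             "dest_port": 80 if event_type == "http" else 443}
    if event_type == "http":
        event["http"] = {"hostname": hostname} if hostname else {}
    else:
        event["tls"] = {"sni": sni} if sni else {}
    return json.dumps({"firewall_name": "example-fw", "event_timestamp": str(ts), "event": event})


SAMPLE_LOG_LINES = [
    _line("http", "10.0.1.10", 1700000000, hostname="example.com"),
    _line("tls", "10.0.1.11", 1700000100, sni="example.com"),
    _line("http", "10.0.1.10", 1700000200, hostname="example.com"),
    _line("tls", "10.0.1.12", 1700000250),                        # no SNI at all
    _line("tls", "10.0.1.12", 1700000300, sni="updates.example.net"),
]


def _domain_and_protocol(event):
    """Map a record to (domain, protocol); missing hostname/SNI becomes UNKNOWN_DOMAIN."""
    if event.get("event_type") == "http":
        return event.get("http", {}).get("hostname") or "UNKNOWN_DOMAIN", "HTTP"
    if event.get("event_type") == "tls":
        return event.get("tls", {}).get("sni") or "UNKNOWN_DOMAIN", "HTTPS"
    return None, None


def build_domain_report(lines, window_start=0, max_results=MAX_RESULTS, max_count=MAX_COUNT):
    """One row per (domain, protocol): attempts, unique sources, first/last seen (epoch seconds)."""
    stats = {}
    for line in lines:
        rec = json.loads(line)
        domain, proto = _domain_and_protocol(rec.get("event", {}))
        ts = int(rec["event_timestamp"])
        if domain is None or ts < window_start:
            continue  # not HTTP/TLS, or outside the reporting window
        s = stats.setdefault((domain, proto), {"attempts": 0, "sources": set(), "first": ts, "last": ts})
        s["attempts"] += 1
        s["sources"].add(rec["event"].get("src_ip"))
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)

    rows = [{"domain": d, "protocol": p,
             "access_attempts": min(s["attempts"], max_count),
             "unique_source_ips": len(s["sources"]),
             "first_accessed": s["first"], "last_accessed": s["last"]}
            for (d, p), s in stats.items()]
    rows.sort(key=lambda r: (-r["access_attempts"], r["domain"], r["protocol"]))
    return rows[:max_results]


if __name__ == "__main__":
    for row in build_domain_report(SAMPLE_LOG_LINES):
        print(row)
```

The `UNKNOWN_DOMAIN` row is worth watching in your own reports: it is the share of traffic the report cannot attribute to a domain, and a large value usually means the hostname or SNI is not being logged rather than that the traffic is unusual.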

## Generating traffic analysis reports
<a name="generating-reports"></a>

**Before you generate a report**  
If you haven't enabled **Traffic analysis mode** on your firewall, do that now. For more information, see [Managing a firewall and firewall endpoints in AWS Network Firewall](firewall-managing.md).

**Important**  
Network Firewall only starts collecting traffic analysis metrics when you enable **Traffic analysis mode** on your firewall. Traffic observed before you enable **Traffic analysis mode** is not included in reporting. 

**To generate a traffic analysis report in Network Firewall**

1. Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **Network Firewall**, choose **Firewalls**.

1. In the **Firewalls** page, choose the name of the firewall that you want to edit. This takes you to the firewall's details page. 

1. In the firewall's details page, choose the **Monitoring and observability** tab.

1. In the **Monitoring and observability** tab, select **Create report**.

## Creating stateful rule groups from reports
<a name="creating-stateful-rule-groups-from-reports"></a>

 You can create stateful rule groups using the domains identified in your firewall's traffic analysis reports. 

**To create a stateful rule group from a traffic analysis report in Network Firewall**

1. Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **Network Firewall**, choose **Firewalls**.

1. In the **Firewalls** page, choose the name of the firewall that you want to edit. This takes you to the firewall's details page. 

1. In the firewall's details page, choose the **Monitoring and observability** tab.

1. Select any completed report.

1. Select **Create domain list group**. The workflow for creating a stateful rule group opens.

1. Complete the configuration for your domain list stateful rule group. For more information, see [Creating a stateful rule group](rule-group-stateful-creating.md).