Logging and monitoring in Amazon Network Firewall
Logging and monitoring help you to maintain the reliability, availability, and performance of Amazon Network Firewall. You can monitor how the service is being used and you can monitor network traffic and traffic filtering done by the stateful rule groups in your Network Firewall firewalls.
Amazon provides a number of tools that you can use to monitor Network Firewall. You can configure some of these tools to do the monitoring for you, while other tools require manual intervention. We recommend that you automate monitoring tasks as much as possible.
For information on manual monitoring tools with Network Firewall, see
You can use the following automated monitoring tools with Network Firewall:
- Amazon CloudWatch provides metrics for the Amazon resources and the applications that you run on Amazon. Monitoring and alarms are real time. You can collect and track metrics, create customized dashboards, and set alarms that notify you or take actions when a specified metric reaches a threshold that you specify. For example, you can have CloudWatch track CPU usage or other metrics of your Amazon EC2 instances and automatically launch new instances when needed. For more information, see the Amazon CloudWatch User Guide.
- Amazon CloudWatch Logs provides logging for sources such as Amazon EC2 instances and CloudTrail. CloudWatch Logs can monitor information in the log files and notify you when certain thresholds are met. You can also archive your log data in highly durable storage. For more information, see the Amazon CloudWatch Logs User Guide.
- Amazon CloudTrail captures API calls and related events made by or on behalf of your Amazon Web Services account and delivers the log files to an Amazon S3 bucket that you specify. You can identify which users and accounts called Amazon, the source IP address from which the calls were made, and when the calls occurred. For more information, see the Amazon CloudTrail User Guide.
- Amazon Config lets you view the configuration of your Amazon resources in your Amazon Web Services account. The available information includes how the resources are related to one another and how they were configured in the past, so that you can see how the configurations and relationships change over time. For more information, see the Amazon Config Developer Guide.
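As an added example (not from the Network Firewall documentation), the following Python script mimics the threshold check that a CloudWatch Logs metric filter and alarm would perform on a firewall's ALERT logs: it parses constructed alert records in the Suricata EVE-style JSON layout that Network Firewall alert logs use, tallies matches per firewall and rule signature, and flags firewalls whose blocked count exceeds a threshold. The `make_alert` helper, firewall names, addresses and signature IDs are all constructed for the example.

```python
import json
from collections import Counter

# Hypothetical helper: builds one constructed ALERT record in the Suricata
# EVE-style JSON shape that Network Firewall writes for stateful rule matches.
def make_alert(fw, src, dst, action, sig_id, sig):
    return json.dumps({
        "firewall_name": fw, "availability_zone": "us-east-1a",
        "event_timestamp": "1700000001",
        "event": {"event_type": "alert", "src_ip": src, "src_port": 51000,
                  "dest_ip": dst, "dest_port": 443, "proto": "TCP",
                  "alert": {"action": action, "signature_id": sig_id, "rev": 1,
                            "signature": sig, "category": "", "severity": 1}}})

# Constructed sample input: four alerts, one flow record, one truncated line.
SAMPLE_LOG_LINES = [
    make_alert("demo-fw", "10.0.1.10", "198.51.100.7", "blocked", 100001, "Deny unapproved TLS SNI"),
    make_alert("demo-fw", "10.0.1.11", "198.51.100.7", "blocked", 100001, "Deny unapproved TLS SNI"),
    make_alert("demo-fw", "10.0.1.12", "203.0.113.5", "allowed", 100002, "Alert on outbound SSH"),
    make_alert("edge-fw", "10.0.2.10", "198.51.100.9", "blocked", 100001, "Deny unapproved TLS SNI"),
    json.dumps({"firewall_name": "demo-fw", "event": {"event_type": "netflow"}}),
    '{"firewall_name": "demo-fw", "event": ',  # cut off mid-record, as in a partial export
]

def summarize_alerts(lines):
    """Return ({firewall: Counter[(action, signature_id)]}, skipped_line_count).

    Non-alert records (for example FLOW logs) are ignored; unparseable lines are
    counted as skipped so that silent data loss stays visible to the operator.
    """
    per_fw, skipped = {}, 0
    for line in lines:
        try:
            rec = json.loads(line)
            ev = rec["event"]
            if ev.get("event_type") != "alert":
                continue
            key = (ev["alert"]["action"], ev["alert"]["signature_id"])
            per_fw.setdefault(rec["firewall_name"], Counter())[key] += 1
        except (ValueError, KeyError, TypeError):
            skipped += 1
    return per_fw, skipped

def blocked_over_threshold(summary, threshold):
    """Firewalls whose blocked-alert count exceeds the threshold: the same test a
    CloudWatch Logs metric filter like { $.event.alert.action = "blocked" } plus
    an alarm would apply per evaluation period."""
    result = {}
    for fw, counts in summary.items():
        blocked = sum(n for (action, _), n in counts.items() if action == "blocked")
        if blocked > threshold:
            result[fw] = blocked
    return result
```

Run `summarize_alerts(SAMPLE_LOG_LINES)` and pass the summary to `blocked_over_threshold` to see which firewall would trip an alarm at a given threshold.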
You can also manually generate reports for the domains that are most frequently observed by a firewall. If you enable Traffic analysis mode for your firewall, you can create a report based on HTTP or HTTPS traffic observed over the last 30 days. You can only generate one report per traffic type per 30-day period.