Troubleshooting logging in Network Firewall - Amazon Network Firewall

Use the information here to help you diagnose common issues that you might encounter when working with logging in Network Firewall.

My firewall isn't logging all traffic that matches pass action rules

Network Firewall only logs traffic that matches drop, reject, and alert action rules. Rules with a pass action silently allow the traffic, so no subsequent rule alerts on it. If you want to log all traffic for troubleshooting purposes, use strict rule evaluation order and add an alert action rule before the pass action rule. For example, to log allowed traffic to https://checkip.amazonaws.com, add an alert action rule before the pass action rule:

alert tls $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"checkip.amazonaws.com"; ssl_state:client_hello; startswith; nocase; endswith; msg:"alert on TLS allowlisted FQDNs"; flow:to_server; sid:111111; rev:1;)
pass tls $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"checkip.amazonaws.com"; ssl_state:client_hello; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server; sid:222222; rev:1;)

For more information about rule actions, see Defining rule actions.
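The alert-before-pass pattern above is easy to get wrong when a rule group has many allowlisted FQDNs. The following added example (not part of the AWS documentation) generates the alert/pass pair for each FQDN and includes a small linter that flags any pass rule with no earlier alert rule on the same content, which is the cause of the missing logs described in this section. The sid values and the base_sid parameter are placeholders.

```python
import re
from typing import List, Set, Tuple

# Rule template mirroring the alert/pass pair from the section above.
# Under STRICT_ORDER the alert rule must come first so the allowed flow is logged.
RULE_TEMPLATE = (
    '{action} tls $HOME_NET any -> $EXTERNAL_NET any '
    '(tls.sni; content:"{fqdn}"; ssl_state:client_hello; startswith; nocase; endswith; '
    'msg:"{msg}"; flow:to_server; sid:{sid}; rev:1;)'
)


def build_allowlist_rules(fqdns: List[str], base_sid: int = 1000000) -> str:
    """Emit an alert rule immediately followed by a pass rule for each FQDN.

    base_sid is a placeholder; pick sids that do not collide with other rule groups.
    """
    lines = []
    sid = base_sid
    for fqdn in fqdns:
        lines.append(RULE_TEMPLATE.format(
            action="alert", fqdn=fqdn, msg=f"alert on TLS allowlisted FQDN {fqdn}", sid=sid))
        lines.append(RULE_TEMPLATE.format(
            action="pass", fqdn=fqdn, msg=f"allow TLS allowlisted FQDN {fqdn}", sid=sid + 1))
        sid += 2
    return "\n".join(lines)


# Captures the action and the first content: match of a Suricata-style rule line.
_RULE_RE = re.compile(
    r'^(?P<action>alert|pass|drop|reject)\s+\S+.*?content:"(?P<content>[^"]+)"',
    re.IGNORECASE,
)


def find_unlogged_pass_rules(rules_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, content) for pass rules not preceded by an alert rule
    with the same content. Such flows are allowed but never appear in alert logs."""
    alerted: Set[str] = set()
    findings: List[Tuple[int, str]] = []
    for line_no, line in enumerate(rules_text.splitlines(), 1):
        match = _RULE_RE.match(line.strip())
        if not match:
            continue  # comments, blank lines, or rules without a content: match
        action = match.group("action").lower()
        content = match.group("content").lower()
        if action == "alert":
            alerted.add(content)
        elif action == "pass" and content not in alerted:
            findings.append((line_no, content))
    return findings
```

Run find_unlogged_pass_rules over the RulesString of a strict-order rule group before deploying it; an empty result means every pass rule has a logging alert rule ahead of it.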

I don't see Alert logs that match drop action rules in my rule group

A stateful rule sends alerts for the rule actions drop, alert, and reject. Alert logs are generated for traffic that matches your stateful rules and has an action that sends an alert. Network Firewall can send alert logs to Amazon S3, CloudWatch, and Firehose. Make sure that you have enabled logging by updating the firewall's logging configuration. If you are using strict evaluation order with the default action set to Drop established, make sure that you have also enabled an alert action so that the firewall generates alert messages for this traffic. Select Alert all to log an alert message for every packet, or Alert established to log an alert message only for packets in established connections. Flows dropped by the Drop established or Drop all stateful default actions won't generate alert logs unless you configure a stateful default alert action.

I don’t see any TLS logs even though I have TLS logging enabled

TLS logging reports only TLS errors and outbound traffic that fails certificate revocation checks.

Double check your firewall policy configuration. Your firewall policy must be configured for TLS inspection. Additionally, for revocation check logging, your firewall must be configured with outbound SSL/TLS inspection enabled and certificate revocation status checking enabled.

If your firewall policy is correctly configured, then it's possible that your traffic isn't generating anything for the logs.

  • For TLS errors, currently the logs report SNI mismatches and naming errors. If your traffic doesn't have these errors, the logs might not report anything in this category.

  • For revocation checks:

    • TLS inspection performs checks only on outbound traffic, and only for servers that you don't own or control.

    • TLS inspection only creates a log record when the check returns a status of REVOKED or UNKNOWN.

    If you don't have traffic of this type, or if the certificates for this type of traffic are all passing the revocation checks, Network Firewall won't log anything into your TLS logs for revocation checks.