Troubleshooting logging in Network Firewall - Amazon Network Firewall
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Troubleshooting logging in Network Firewall

Use the information here to help you diagnose common issues that you might encounter when working with logging in Network Firewall.

My firewall isn't logging all traffic that matches pass action rules

Network Firewall only logs traffic that matches drop, reject, and alert action rules. Rules with a pass action silently allow the traffic, and no subsequent rule evaluates or alerts on it. If you want to log all traffic for troubleshooting purposes, use strict evaluation order and add an alert action rule before the pass action rule. For example, to log allowed traffic to https://checkip.amazonaws.com, add an alert action rule with the same match criteria before the pass action rule:

alert tls $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"checkip.amazonaws.com"; ssl_state:client_hello; startswith; nocase; endswith; msg:"alert on TLS allowlisted FQDNs"; flow:to_server; sid:111111; rev:1;)
pass tls $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"checkip.amazonaws.com"; ssl_state:client_hello; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server; sid:222222; rev:1;)

For more information about rule actions, see Defining rule actions.
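Because a pass rule is invisible in the alert logs, the practical check is whether every pass rule in a strict-order rule group is preceded by an alert rule with identical match criteria. The following script is an added example, not part of the Network Firewall documentation or any AWS tool: it uses a simplified Suricata rule parser (good enough for rules like the pair above) and reports the sids of pass rules that no earlier alert rule covers. The rule list is the page's checkip.amazonaws.com pair plus a constructed third rule for example.com that has no alert counterpart.

```python
import re

# Rules in the order the firewall evaluates them under strict evaluation
# order. The first two are the page's checkip.amazonaws.com pair; the third
# is a constructed pass rule with no alert rule in front of it.
SAMPLE_RULES = [
    'alert tls $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"checkip.amazonaws.com"; '
    'ssl_state:client_hello; startswith; nocase; endswith; msg:"alert on TLS allowlisted FQDNs"; '
    'flow:to_server; sid:111111; rev:1;)',
    'pass tls $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"checkip.amazonaws.com"; '
    'ssl_state:client_hello; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; '
    'flow:to_server; sid:222222; rev:1;)',
    'pass tls $HOME_NET any -> $EXTERNAL_NET any (tls.sni; content:"example.com"; '
    'startswith; nocase; endswith; msg:"allow example.com"; flow:to_server; sid:333333; rev:1;)',
]

RULE_RE = re.compile(r"^\s*(?P<action>\w+)\s+(?P<header>[^(]+?)\s*\((?P<options>.*)\)\s*$")

# Keywords that only describe a rule; they do not change which packets it matches.
NON_MATCH_KEYWORDS = {"msg", "sid", "rev", "gid", "metadata", "reference", "classtype", "priority"}


def parse_rule(rule):
    """Split one Suricata rule into action, sid and a hashable 'what it matches' key.

    Simplified parser for this check: options are split on ';' (an escaped
    '\\;' inside a content string is kept), which covers rules like the ones above.
    """
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError("not a Suricata rule: %r" % rule)
    header = " ".join(m.group("header").split())
    sid = 0
    match_key = []
    for option in re.split(r"(?<!\\);", m.group("options")):
        option = option.strip()
        if not option:
            continue
        name, _, value = option.partition(":")
        name, value = name.strip(), value.strip()
        if name == "sid":
            sid = int(value)
        elif name not in NON_MATCH_KEYWORDS:
            match_key.append((name, value))
    return {"action": m.group("action"), "sid": sid, "match": (header, tuple(match_key))}


def unlogged_pass_rules(rules):
    """Return sids of pass rules not preceded by an alert rule with identical match criteria."""
    alerted = set()
    unlogged = []
    for rule in (parse_rule(r) for r in rules):
        if rule["action"] == "alert":
            alerted.add(rule["match"])
        elif rule["action"] == "pass" and rule["match"] not in alerted:
            unlogged.append(rule["sid"])
    return unlogged


if __name__ == "__main__":
    for sid in unlogged_pass_rules(SAMPLE_RULES):
        print("pass rule sid:%d has no preceding alert rule; its traffic will not be logged" % sid)
```

The check treats the rule header plus every option other than msg, sid, rev and similar descriptive keywords as the match criteria, so an alert rule counts as covering a pass rule only when the two would match exactly the same packets; a looser alert rule placed before the pass rule still logs the traffic, but verifying that requires the full Suricata matching semantics, which this script deliberately does not model.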

I don't see Alert logs that match drop action rules in my rule group

A stateful rule sends alerts for the rule actions drop, alert, and reject. Alert logs are generated for the traffic that matches your stateful rules and has an action that sends an alert. Network Firewall can send alert logs to Amazon S3, CloudWatch, and Firehose. Make sure you have enabled alert logging by updating the firewall's logging configuration. If you are using strict evaluation order with a default action set to Drop established, make sure you have also enabled an alert default action so that the firewall generates alert messages for this traffic. You can select Alert all to log an alert message on all packets, or select Alert established to log an alert message only on packets that are in established connections. Flows dropped by the Drop established or Drop all stateful default actions won't generate alert logs if you don't configure a stateful default alert action.
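Both conditions in this section can be checked offline against the firewall policy and logging configuration objects. The script below is an added example, not part of the Network Firewall documentation or any AWS tool. The dictionaries are constructed to follow the shape of the API's FirewallPolicy (StatefulEngineOptions, StatefulDefaultActions) and LoggingConfiguration (LogDestinationConfigs) objects, with a weak pair that drops without alerting and logs only FLOW records, beside a fixed pair that adds an aws:alert_established default action and an ALERT log destination; the bucket, prefix and log group names are placeholders.

```python
# Dictionaries shaped like the Network Firewall API's FirewallPolicy and
# LoggingConfiguration objects; the names and values are constructed.
WEAK_POLICY = {
    "StatefulEngineOptions": {"RuleOrder": "STRICT_ORDER"},
    "StatefulDefaultActions": ["aws:drop_established"],
}
WEAK_LOGGING = {
    "LogDestinationConfigs": [
        {"LogType": "FLOW", "LogDestinationType": "S3",
         "LogDestination": {"bucketName": "example-nfw-logs", "prefix": "flow"}},
    ]
}

FIXED_POLICY = {
    "StatefulEngineOptions": {"RuleOrder": "STRICT_ORDER"},
    "StatefulDefaultActions": ["aws:drop_established", "aws:alert_established"],
}
FIXED_LOGGING = {
    "LogDestinationConfigs": [
        {"LogType": "FLOW", "LogDestinationType": "S3",
         "LogDestination": {"bucketName": "example-nfw-logs", "prefix": "flow"}},
        {"LogType": "ALERT", "LogDestinationType": "CloudWatchLogs",
         "LogDestination": {"logGroup": "/example/network-firewall/alerts"}},
    ]
}

# Stateful default actions for strict evaluation order: the drop actions
# discard traffic; the alert actions are what produce alert log records.
DROP_DEFAULTS = {"aws:drop_strict", "aws:drop_established"}
ALERT_DEFAULTS = {"aws:alert_strict", "aws:alert_established"}


def alert_logging_gaps(policy, logging_config):
    """Return a list of reasons why dropped traffic would not show up in the alert logs."""
    findings = []
    log_types = {cfg.get("LogType") for cfg in logging_config.get("LogDestinationConfigs", [])}
    if "ALERT" not in log_types:
        findings.append("no ALERT log destination: alert messages are generated but delivered nowhere")
    engine = policy.get("StatefulEngineOptions", {})
    if engine.get("RuleOrder") == "STRICT_ORDER":
        defaults = set(policy.get("StatefulDefaultActions", []))
        if defaults & DROP_DEFAULTS and not defaults & ALERT_DEFAULTS:
            findings.append("stateful default action drops traffic without an aws:alert_* default "
                            "action: dropped flows produce no alert logs")
        elif "aws:drop_strict" in defaults and "aws:alert_strict" not in defaults:
            findings.append("aws:drop_strict drops every packet but only established-connection "
                            "packets are alerted: add aws:alert_strict to log all of them")
    return findings


if __name__ == "__main__":
    # Offline demonstration on the constructed dictionaries. To check a live
    # firewall, fetch the same two objects with boto3 and pass them in:
    #   nfw = boto3.client("network-firewall")
    #   policy = nfw.describe_firewall_policy(FirewallPolicyName=POLICY_NAME)["FirewallPolicy"]
    #   logging_config = nfw.describe_logging_configuration(FirewallName=FIREWALL_NAME)["LoggingConfiguration"]
    for label, policy, logging_config in (("weak", WEAK_POLICY, WEAK_LOGGING),
                                          ("fixed", FIXED_POLICY, FIXED_LOGGING)):
        print(label, alert_logging_gaps(policy, logging_config) or ["no gaps found"])
```

The two findings map directly onto the two causes described above: alert records exist but have no destination, or the traffic is dropped by a stateful default action that has no alert counterpart. Rule groups with their own drop rules are outside this check, since those rules alert on their own once an ALERT destination is configured.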