AWS Network Firewall metrics in Amazon CloudWatch

You can monitor AWS Network Firewall using CloudWatch, which collects raw data and processes it into readable, near real-time metrics. CloudWatch stores your metrics for 15 months, so that you can access historical information for added perspective on how your web application or service is performing. You can also set alarms that watch for certain thresholds, and send notifications or take actions when those thresholds are met. For more information, see the Amazon CloudWatch User Guide.

Use the following procedures to view the metrics for Network Firewall.

To view metrics using the CloudWatch console

Metrics are grouped first by the service namespace, and then by the various dimension combinations within each namespace. The CloudWatch namespace for Network Firewall is AWS/NetworkFirewall.

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, choose Metrics.

  3. On the All metrics tab, choose the Region and then choose AWS/NetworkFirewall.

To view metrics using the AWS CLI

  • For Network Firewall, at a command prompt use the following command:

    aws cloudwatch list-metrics --namespace "AWS/NetworkFirewall"

AWS Network Firewall metrics

The AWS/NetworkFirewall namespace includes the following metrics.

Metric and description

DroppedPackets

Number of packets dropped due to rule actions.

Reporting criteria: There is a nonzero value.

Valid statistics: Sum

InvalidDroppedPackets

Number of packets dropped for failing packet validation due to issues with the packet.

Reporting criteria: There is a nonzero value.

Valid statistics: Sum

OtherDroppedPackets

Number of packets dropped due to reasons other than those described by InvalidDroppedPackets or DroppedPackets.

Reporting criteria: There is a nonzero value.

Valid statistics: Sum

Packets

Number of packets inspected for a firewall policy or stateless rule group for which a custom action is defined. This metric is only used for the dimension CustomAction.

Reporting criteria: There is a nonzero value.

Valid statistics: Sum

PassedPackets

Number of packets that the Network Firewall firewall allowed through to their destinations.

Reporting criteria: There is a nonzero value.

Valid statistics: Sum

ReceivedPackets

Number of packets received by the Network Firewall firewall.

Reporting criteria: There is a nonzero value.

Valid statistics: Sum

RejectedPackets

The number of packets rejected due to Reject stateful rule actions. For information about stateful actions, see Stateful actions.

Reporting criteria: There is a nonzero value.

Valid statistics: Sum

StreamExceptionPolicyPackets

The number of packets matching the firewall policy's stream exception policy. You can configure stream exception policy settings while creating a firewall policy in the console, or by the StatefulEngineOptions structure when using the API. For more information about stream exception policy settings, see the Stream exception policy option in the Creating a firewall policy procedure.

Reporting criteria: There is a nonzero value.

Valid statistics: Sum

TLSDroppedPackets

Number of packets dropped by Network Firewall while inspecting SSL/TLS packets. The value of this metric might differ between stateless and stateful rule processing due to the TCP and TLS connection termination that occurs prior to stateful packet inspection.

Reporting criteria: There is a nonzero value.

Valid statistics: Sum

TLSErrors

Number of errors observed by Network Firewall while inspecting SSL/TLS packets.

Reporting criteria: There is a nonzero value.

Valid statistics: Sum

TLSPassedPackets

Number of packets passed by Network Firewall while inspecting SSL/TLS packets. The value of this metric might differ between stateless and stateful rule processing due to the TCP and TLS connection termination that occurs prior to stateful packet inspection.

Reporting criteria: There is a nonzero value.

Valid statistics: Sum

TLSReceivedPackets

Number of SSL/TLS packets received by the Network Firewall firewall. The value of this metric might differ between stateless and stateful rule processing due to the TCP and TLS connection termination that occurs prior to stateful packet inspection.

Reporting criteria: There is a nonzero value.

Valid statistics: Sum

TLSRejectedPackets

Number of packets rejected by Network Firewall while inspecting SSL/TLS packets. The value of this metric might differ between stateless and stateful rule processing due to the TCP and TLS connection termination that occurs prior to stateful packet inspection.

Reporting criteria: There is a nonzero value.

Valid statistics: Sum

TLSRevocationStatusOKConnections

The number of SSL/TLS connections to TLS servers whose certificates have been confirmed as not revoked.

Reporting criteria: There is a nonzero value.

Valid statistics: Sum

TLSRevocationStatusRevokedConnections

The number of SSL/TLS connections to TLS servers whose certificates have been confirmed as revoked.

Reporting criteria: There is a nonzero value.

Valid statistics: Sum

TLSRevocationStatusUnknownConnections

The number of SSL/TLS connections to TLS servers whose certificates' revocation status is unknown or could not be determined by the firewall. This can occur when the OCSP responder for a server certificate returns an unknown status, or when the firewall is unable to connect to the CRL or OCSP endpoints provided in the certificate.

Reporting criteria: There is a nonzero value.

Valid statistics: Sum

TLSTimedOutConnections

Number of SSL/TLS connections that timed out during SSL/TLS inspection by Network Firewall.

Reporting criteria: There is a nonzero value.

Valid statistics: Sum

AWS Network Firewall dimensions

Network Firewall can use the following dimension combinations to categorize your metrics:

Dimension and description

AvailabilityZone

Availability Zone in the Region where the Network Firewall firewall is active.

CustomAction

Dimension for a publish metrics custom action that you defined. You can define this for a rule action in a stateless rule group or for a stateless default action in a firewall policy.

Engine

Rules engine that processed the packet. The value for this is either Stateful or Stateless.

FirewallName

Name that you specified for the Network Firewall firewall.
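The metrics and dimensions above can be combined into a single CloudWatch GetMetricData request that computes a drop percentage per firewall, Availability Zone and engine. The following is an added example, not code from the AWS documentation: it builds the request in the dict shape the GetMetricData API accepts and evaluates a constructed response offline. It assumes the FirewallName, AvailabilityZone and Engine dimensions are emitted together on these metrics, and uses placeholder firewall and zone names.

```python
# Added example (not AWS's own code). Builds GetMetricData queries for the
# AWS/NetworkFirewall namespace and evaluates a drop percentage. Only "Sum"
# is used because it is the sole valid statistic for every metric on this page.
NAMESPACE = "AWS/NetworkFirewall"

def metric_query(qid, metric_name, firewall, az, engine, period=300):
    """One MetricStat query keyed by FirewallName, AvailabilityZone and Engine (assumed combination)."""
    return {
        "Id": qid,
        "MetricStat": {
            "Metric": {
                "Namespace": NAMESPACE,
                "MetricName": metric_name,
                "Dimensions": [
                    {"Name": "FirewallName", "Value": firewall},
                    {"Name": "AvailabilityZone", "Value": az},
                    {"Name": "Engine", "Value": engine},
                ],
            },
            "Period": period,
            "Stat": "Sum",
        },
        "ReturnData": False,  # raw series feed the expression only
    }

def drop_ratio_queries(firewall, az, engine="Stateful"):
    """Dropped, rejected and received series plus a metric-math drop percentage.
    FILL(..., 0) matters: these metrics are reported only when nonzero, so a
    quiet period has no DroppedPackets datapoint and the ratio would be missing."""
    return [
        metric_query("dropped", "DroppedPackets", firewall, az, engine),
        metric_query("rejected", "RejectedPackets", firewall, az, engine),
        metric_query("received", "ReceivedPackets", firewall, az, engine),
        {"Id": "drop_pct", "ReturnData": True,
         "Expression": "100 * (FILL(dropped, 0) + FILL(rejected, 0)) / received"},
    ]

def periods_over_threshold(response, threshold_pct):
    """Return timestamps from a GetMetricData response whose drop % exceeds the threshold."""
    breaches = []
    for r in response["MetricDataResults"]:
        if r["Id"] == "drop_pct":
            breaches += [ts for ts, v in zip(r["Timestamps"], r["Values"]) if v > threshold_pct]
    return breaches

# Constructed sample response (not real data) in the shape GetMetricData returns.
SAMPLE_RESPONSE = {"MetricDataResults": [{
    "Id": "drop_pct", "StatusCode": "Complete",
    "Timestamps": ["2024-01-01T00:00:00Z", "2024-01-01T00:05:00Z", "2024-01-01T00:10:00Z"],
    "Values": [0.4, 12.5, 0.0]}]}
```

Pass the list from drop_ratio_queries as the MetricDataQueries parameter of GetMetricData; the same expression can back a CloudWatch alarm so a sudden rise in dropped or rejected traffic is surfaced per zone.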