Updating a firewall's logging configuration - AWS Network Firewall

To update your firewall's logging configuration through the AWS Management Console, use the procedure in this section. To use the API instead, see the UpdateLoggingConfiguration action.


Firewall logging is only available for traffic that you forward to the stateful rules engine. You forward traffic to the stateful engine through stateless rule actions and stateless default actions in the firewall policy. For information about these action settings, see Stateless default actions in your firewall policy and Rule actions in AWS Network Firewall.

To update a firewall's logging configuration through the console

  1. Sign in to the AWS Management Console and open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, under Network Firewall, choose Firewalls.

  3. In the Firewalls page, choose the name of the firewall that you want to edit. This takes you to the firewall's details page.

  4. Choose the Firewall details tab, then in the Logging section, choose Edit.

  5. Adjust the Log type selections as needed. You can configure logging for alert and flow logs.

    • Alert – Sends logs for traffic that matches any stateful rule whose action is set to Alert or Drop. For more information about stateful rules and rule groups, see Rule groups in AWS Network Firewall.

    • Flow – Sends logs for all network traffic that the stateless engine forwards to the stateful rules engine.

  6. For each selected log type, choose the destination type, then provide the information for the logging destination that you prepared following the guidance in Firewall logging destinations.

  7. Choose Save to save your changes and return to the firewall's detail page.
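
The same change can be made through the UpdateLoggingConfiguration API action mentioned above. That action accepts only one change per call (add one destination config, remove one, or change one LogDestination), and LogType and LogDestinationType cannot be edited in place. The following is an added example, not code from the AWS documentation, that plans the sequence of calls needed to move from the current configuration to a desired one. The helper names `plan_updates` and `apply_plan` are hypothetical, and the bucket and log group names are constructed placeholders.

```python
# Added example: plan UpdateLoggingConfiguration calls, one change per call.

def _key(cfg):
    # Identify a destination config by log type and destination type,
    # the two fields that cannot be edited in place.
    return (cfg["LogType"], cfg["LogDestinationType"])

def plan_updates(current, desired):
    """Return the LogDestinationConfigs list to send on each successive call."""
    state = {_key(c): c for c in current}
    target = {_key(c): c for c in desired}
    steps = []
    # Deletions first, so a log type is freed before its replacement is added.
    for k in [k for k in state if k not in target]:
        del state[k]
        steps.append(list(state.values()))
    # Then in-place LogDestination changes, then additions.
    for k, cfg in target.items():
        if k in state and state[k]["LogDestination"] != cfg["LogDestination"]:
            state[k] = cfg
            steps.append(list(state.values()))
    for k, cfg in target.items():
        if k not in state:
            state[k] = cfg
            steps.append(list(state.values()))
    return steps

def apply_plan(firewall_arn, desired):
    import boto3  # requires AWS credentials; not run by the offline demo below
    nfw = boto3.client("network-firewall")
    resp = nfw.describe_logging_configuration(FirewallArn=firewall_arn)
    current = resp.get("LoggingConfiguration", {}).get("LogDestinationConfigs", [])
    for configs in plan_updates(current, desired):
        nfw.update_logging_configuration(
            FirewallArn=firewall_arn,
            LoggingConfiguration={"LogDestinationConfigs": configs})

# Constructed sample values (bucket and log group names are placeholders).
CURRENT = [{"LogType": "ALERT", "LogDestinationType": "S3",
            "LogDestination": {"bucketName": "example-nfw-logs", "prefix": "alerts"}}]
DESIRED = [{"LogType": "ALERT", "LogDestinationType": "CloudWatchLogs",
            "LogDestination": {"logGroup": "/example/nfw/alert"}},
           {"LogType": "FLOW", "LogDestinationType": "S3",
            "LogDestination": {"bucketName": "example-nfw-logs", "prefix": "flows"}}]

if __name__ == "__main__":
    for n, configs in enumerate(plan_updates(CURRENT, DESIRED), 1):
        print(n, [_key(c) for c in configs])
```

Alert logging is briefly disabled between the delete and the add in this plan, so schedule a destination-type change accordingly.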