AWS Network Firewall metrics in Amazon CloudWatch - AWS Network Firewall

AWS Network Firewall metrics in Amazon CloudWatch

You can monitor AWS Network Firewall using CloudWatch, which collects raw data and processes it into readable, near real-time metrics. CloudWatch stores your metrics for 15 months, so that you can access historical information for added perspective on how your web application or service is performing. You can also set alarms that watch for certain thresholds, and send notifications or take actions when those thresholds are met. For more information, see the Amazon CloudWatch User Guide.

Use the following procedures to view the metrics for Network Firewall.

To view metrics using the CloudWatch console

Metrics are grouped first by the service namespace, and then by the various dimension combinations within each namespace. The CloudWatch namespace for Network Firewall is AWS/NetworkFirewall.

  1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.

  2. In the navigation pane, choose Metrics.

  3. On the All metrics tab, choose the Region and then choose AWS/NetworkFirewall.

To view metrics using the AWS CLI

  • For Network Firewall, at a command prompt use the following command:

    aws cloudwatch list-metrics --namespace "AWS/NetworkFirewall"

AWS Network Firewall metrics

The AWS/NetworkFirewall namespace includes the following metrics.

Metric Description

DroppedPackets

Number of packets dropped by the Network Firewall firewall.

Reporting criteria: There is a nonzero value.

Valid statistics: Sum

Packets

Number of packets inspected for a firewall policy or stateless rule group for which a custom action is defined. This metric is only used with the CustomAction dimension.

Reporting criteria: There is a nonzero value.

Valid statistics: Sum

PassedPackets

Number of packets that the Network Firewall firewall allowed through to their destinations.

Reporting criteria: There is a nonzero value.

Valid statistics: Sum

ReceivedPacketCount

Number of packets received by the Network Firewall firewall.

Reporting criteria: There is a nonzero value.

Valid statistics: Sum

AWS Network Firewall dimensions

Network Firewall can use the following dimension combinations to categorize your metrics:

Dimension Description

AvailabilityZone

Availability Zone in the Region where the Network Firewall firewall is active.

CustomAction

Dimension for a publish metrics custom action that you defined. You can define this for a rule action in a stateless rule group or for a stateless default action in a firewall policy.

Engine

Rules engine that processed the packet. The value for this is either Stateful or Stateless.

FirewallName

Name that you specified for the Network Firewall firewall.
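The following Python is an added example, not code from the AWS documentation or the Network Firewall service. It shows how the metrics, statistic and dimensions listed above fit together in practice: it builds the request parameters that CloudWatch's GetMetricData and PutMetricAlarm APIs accept for the AWS/NetworkFirewall namespace, then computes a per-period drop ratio (DroppedPackets / ReceivedPacketCount) from a constructed response so it runs offline. The firewall name, Availability Zone, SNS topic ARN, timestamps and packet counts are assumed sample values; the request-shape keys (MetricDataQueries, MetricStat, TreatMissingData and so on) are the public CloudWatch API parameters.

```python
"""Query and evaluate AWS/NetworkFirewall metrics from CloudWatch.

Added example, not from the AWS documentation. It builds request parameters in
the shape CloudWatch's GetMetricData and PutMetricAlarm APIs accept and then
evaluates a constructed response offline, so it runs without AWS credentials.
To call AWS, pass the dicts to boto3.client("cloudwatch").get_metric_data(...)
and .put_metric_alarm(...).
"""
from typing import Dict, List

NAMESPACE = "AWS/NetworkFirewall"
VALID_STAT = "Sum"            # the only statistic the page lists for these metrics
ENGINES = ("Stateful", "Stateless")


def metric_query(query_id: str, metric_name: str, dimensions: Dict[str, str],
                 period: int = 300) -> dict:
    """Return one MetricDataQueries entry for GetMetricData.

    The dimension set must match the combination CloudWatch emitted (for
    example FirewallName + AvailabilityZone + Engine, or FirewallName +
    CustomAction for the Packets metric); otherwise the query returns no
    datapoints without raising any error.
    """
    if "Engine" in dimensions and dimensions["Engine"] not in ENGINES:
        raise ValueError("Engine dimension must be Stateful or Stateless")
    return {
        "Id": query_id,
        "MetricStat": {
            "Metric": {
                "Namespace": NAMESPACE,
                "MetricName": metric_name,
                "Dimensions": [{"Name": k, "Value": v}
                               for k, v in sorted(dimensions.items())],
            },
            "Period": period,
            "Stat": VALID_STAT,
        },
        "ReturnData": True,
    }


def drop_ratio_by_timestamp(results: List[dict]) -> Dict[str, float]:
    """Combine the results with Ids "dropped" and "received" into
    DroppedPackets / ReceivedPacketCount per timestamp.

    Both metrics are reported only when nonzero, so a timestamp may exist in
    one series and not in the other; a missing value means 0 packets.
    """
    series = {r["Id"]: dict(zip(r["Timestamps"], r["Values"])) for r in results}
    dropped = series.get("dropped", {})
    received = series.get("received", {})
    ratios = {}
    for ts in sorted(set(dropped) | set(received)):
        rx = received.get(ts, 0.0)
        ratios[ts] = dropped.get(ts, 0.0) / rx if rx else 0.0
    return ratios


def breaching(ratios: Dict[str, float], max_ratio: float) -> List[str]:
    """Timestamps (sorted) whose drop ratio exceeds max_ratio."""
    return [ts for ts in sorted(ratios) if ratios[ts] > max_ratio]


def drop_alarm(alarm_name: str, dimensions: Dict[str, str], threshold: float,
               sns_topic_arn: str) -> dict:
    """PutMetricAlarm parameters: alarm when the 5-minute Sum of DroppedPackets
    exceeds threshold for three consecutive periods.

    TreatMissingData is notBreaching because DroppedPackets is absent, not
    zero, during periods in which nothing was dropped.
    """
    return {
        "AlarmName": alarm_name,
        "Namespace": NAMESPACE,
        "MetricName": "DroppedPackets",
        "Dimensions": [{"Name": k, "Value": v} for k, v in sorted(dimensions.items())],
        "Statistic": VALID_STAT,
        "Period": 300,
        "EvaluationPeriods": 3,
        "Threshold": threshold,
        "ComparisonOperator": "GreaterThanThreshold",
        "TreatMissingData": "notBreaching",
        "AlarmActions": [sns_topic_arn],
    }


# Constructed sample shaped like GetMetricData's MetricDataResults (the real API
# returns datetime objects for Timestamps; ISO strings are used here so the
# example runs without an AWS call). Names and values are assumptions.
FIREWALL_DIMS = {"FirewallName": "example-fw", "AvailabilityZone": "us-east-1a",
                 "Engine": "Stateful"}
SAMPLE_RESULTS = [
    {"Id": "received",
     "Timestamps": ["2024-01-01T00:00:00Z", "2024-01-01T00:05:00Z", "2024-01-01T00:10:00Z"],
     "Values": [1000.0, 2000.0, 500.0]},
    {"Id": "dropped",                      # no 00:00 datapoint: nothing was dropped then
     "Timestamps": ["2024-01-01T00:05:00Z", "2024-01-01T00:10:00Z"],
     "Values": [20.0, 250.0]},
]

if __name__ == "__main__":
    params = {"MetricDataQueries": [
        metric_query("dropped", "DroppedPackets", FIREWALL_DIMS),
        metric_query("received", "ReceivedPacketCount", FIREWALL_DIMS),
    ]}
    print("GetMetricData request:", params)
    ratios = drop_ratio_by_timestamp(SAMPLE_RESULTS)
    for ts, ratio in ratios.items():
        print(f"{ts}  drop ratio {ratio:.3f}")
    print("periods over 20% drops:", breaching(ratios, 0.20))
    print("alarm:", drop_alarm("example-fw-drops", FIREWALL_DIMS, 1000,
                               "arn:aws:sns:us-east-1:123456789012:example-topic"))
```

Two details matter when turning these metrics into alerting. First, the reporting criteria above mean a period with no drops produces no datapoint at all rather than a zero, so an alarm on DroppedPackets should treat missing data as not breaching, or it will flap on quiet firewalls. Second, a query only returns data when its dimension set matches exactly what the firewall emitted; querying DroppedPackets with a CustomAction dimension, or Packets without one, returns an empty series rather than an error, which is easy to mistake for a healthy firewall.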