AWS Network Firewall metrics in Amazon CloudWatch
You can monitor AWS Network Firewall using CloudWatch, which collects raw data and processes it into readable, near real-time metrics. CloudWatch stores your metrics for 15 months, so that you can access historical information for added perspective on how your web application or service is performing. You can also set alarms that watch for certain thresholds, and send notifications or take actions when those thresholds are met. For more information, see the Amazon CloudWatch User Guide.
Use the following procedures to view the metrics for Network Firewall.
To view metrics using the CloudWatch console
Metrics are grouped first by the service namespace, and then by the various dimension combinations within each namespace. The CloudWatch namespace for Network Firewall is AWS/NetworkFirewall.
1. Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/.
2. In the navigation pane, choose Metrics.
3. On the All metrics tab, choose the Region and then choose AWS/NetworkFirewall.
To view metrics using the AWS CLI
1. For Network Firewall, at a command prompt use the following command:
   aws cloudwatch list-metrics --namespace "AWS/NetworkFirewall"
AWS Network Firewall metrics
The AWS/NetworkFirewall namespace includes the following metrics.
Metric | Description | Reporting criteria | Valid statistics
---|---|---|---
| Number of packets dropped due to rule actions. | There is a nonzero value. | Sum
| Number of packets dropped for failing packet validation due to issues with the packet. | There is a nonzero value. | Sum
| Number of packets dropped due to reasons other than those described by | There is a nonzero value. | Sum
| Number of packets inspected for a firewall policy or stateless rule group for which a custom action is defined. This metric is only used for the dimension | There is a nonzero value. | Sum
| Number of packets that the Network Firewall firewall allowed through to their destinations. | There is a nonzero value. | Sum
| Number of packets received by the Network Firewall firewall. | There is a nonzero value. | Sum
| The number of packets rejected due to | There is a nonzero value. | Sum
| The number of packets matching the firewall policy's stream exception policy. You can configure stream exception policy settings while creating a firewall policy in the console, or by the StatefulEngineOptions structure when using the API. For more information about stream exception policy settings, see the Stream exception policy option in the Creating a firewall policy in AWS Network Firewall procedure. | There is a nonzero value. | Sum
| Number of packets dropped by Network Firewall while inspecting SSL/TLS packets. The value of this metric might differ between stateless and stateful rule processing due to the TCP and TLS connection termination that occurs prior to stateful packet inspection. | There is a nonzero value. | Sum
| Number of errors observed by Network Firewall while inspecting SSL/TLS packets. | There is a nonzero value. | Sum
| Number of packets passed by Network Firewall while inspecting SSL/TLS packets. The value of this metric might differ between stateless and stateful rule processing due to the TCP and TLS connection termination that occurs prior to stateful packet inspection. | There is a nonzero value. | Sum
| Number of SSL/TLS packets received by the Network Firewall firewall. The value of this metric might differ between stateless and stateful rule processing due to the TCP and TLS connection termination that occurs prior to stateful packet inspection. | There is a nonzero value. | Sum
| Number of packets rejected by Network Firewall while inspecting SSL/TLS packets. The value of this metric might differ between stateless and stateful rule processing due to the TCP and TLS connection termination that occurs prior to stateful packet inspection. | There is a nonzero value. | Sum
| The number of SSL/TLS connections to TLS servers whose certificates have been confirmed as not revoked. | There is a nonzero value. | Sum
| The number of SSL/TLS connections to TLS servers whose certificates have been confirmed as revoked. | There is a nonzero value. | Sum
| The number of SSL/TLS connections to TLS servers whose certificate revocation status is unknown or could not be determined by the firewall. This can occur when the OCSP responder for a server certificate returns an unknown status, or when the firewall is unable to connect to the CRL or OCSP endpoints provided in the certificate. | There is a nonzero value. | Sum
| Number of SSL/TLS connections that timed out during SSL/TLS inspection by Network Firewall. | There is a nonzero value. | Sum
AWS Network Firewall dimensions
Network Firewall can use the following dimension combinations to categorize your metrics:
Dimension | Description
---|---
| Availability Zone in the Region where the Network Firewall firewall is active.
| Dimension for a publish metrics custom action that you defined. You can define this for a rule action in a stateless rule group or for a stateless default action in a firewall policy.
| Rules engine that processed the packet. The value for this is either Stateful or Stateless.
| Name that you specified for the Network Firewall firewall.
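The following added example (not from the AWS documentation) pulls the drop count for one firewall and rules engine with the Sum statistic and evaluates it the way a CloudWatch alarm would, treating a missing period as zero because these metrics are only reported when the value is nonzero. The metric and dimension names it uses (DroppedPackets, FirewallName, Engine) are assumed from the AWS/NetworkFirewall namespace; the firewall name is a placeholder.

```python
"""Query AWS/NetworkFirewall drop counts and evaluate them like a CloudWatch alarm.
Assumed names (not shown on this page): DroppedPackets, FirewallName, Engine."""
from datetime import datetime, timedelta, timezone

NAMESPACE = "AWS/NetworkFirewall"


def build_drop_query(firewall_name, engine="Stateful", period=300, minutes=30,
                     now=None):
    """Build GetMetricData kwargs for DroppedPackets on one firewall and engine.
    Every metric in this namespace is only valid with the Sum statistic."""
    end = now or datetime.now(timezone.utc)
    return {
        "MetricDataQueries": [{
            "Id": "drops",
            "MetricStat": {
                "Metric": {
                    "Namespace": NAMESPACE,
                    "MetricName": "DroppedPackets",  # assumed metric name
                    "Dimensions": [
                        {"Name": "FirewallName", "Value": firewall_name},
                        {"Name": "Engine", "Value": engine},  # Stateful or Stateless
                    ],
                },
                "Period": period,
                "Stat": "Sum",
            },
        }],
        "StartTime": end - timedelta(minutes=minutes),
        "EndTime": end,
    }


def evaluate_drops(response, threshold, periods_to_alarm=2):
    """Return 'ALARM' when each of the periods_to_alarm most recent datapoints
    exceeds threshold, else 'OK'. A period with no datapoint means zero drops
    (the metric is reported only when nonzero), so it never counts as breaching;
    real alarms should use --treat-missing-data notBreaching for the same reason."""
    result = next(r for r in response["MetricDataResults"] if r["Id"] == "drops")
    # Keep timestamps and values paired and order newest first
    points = sorted(zip(result["Timestamps"], result["Values"]), reverse=True)
    breaching = sum(1 for _, v in points[:periods_to_alarm] if v > threshold)
    return "ALARM" if breaching >= periods_to_alarm else "OK"


if __name__ == "__main__":
    import boto3  # needs AWS credentials; "example-firewall" is a placeholder name
    cw = boto3.client("cloudwatch")
    resp = cw.get_metric_data(**build_drop_query("example-firewall"))
    print(evaluate_drops(resp, threshold=1000))
```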