

# Managing your firewall state table using flow operations in AWS Network Firewall
<a name="firewall-flow-operations"></a>

This section describes how to use flow operations to perform actions in your firewall's state table.

Flow operations are asynchronous actions that you run on a firewall that you own to track and manage the traffic that's recorded in the firewall's state table. You can run flow capture operations or flow flush operations. Flow capture operations collect information about active flows, and flow flush operations remove specified flows from the firewall's state table.

Before you start using flow operations, review the following key definitions.
+ **Flows** – Network traffic that the firewall monitors, through either stateful or stateless rules. Packets belong to the same flow when they share Destination, DestinationPort, Direction, Protocol, Source, and SourcePort. Flows that the stateful engine processes are tracked in the firewall state table and are visible in flow logs.
+ **Firewall state table** – Table where Network Firewall tracks and maintains information about network traffic flows. The firewall state table only tracks flows that are processed by stateful rules. When traffic matches the criteria in a stateful rule, the firewall creates a flow entry in the firewall state table. These entries persist until they are removed by a flow flush operation, terminate naturally, or time out due to inactivity. You manage the firewall state table with flow operations. The table is also called the firewall table or the state table.

  For information, see [Flow operations in your firewall](#firewall-flow-operations).
+ **Flow filter** – Parameters that you use when defining the scope of a flow operation. You can use up to 20 filters in a single operation.

**Topics**
+ [Caveats and considerations for flow operations](#flow-operations-caveats)
+ [Capturing traffic in your firewall's state table](flow-operations-capture.md)
+ [Using flow flush operations in Network Firewall](flow-operations-flush.md)
+ [Viewing flow operations in Network Firewall](flow-operations-view.md)

**Note**  
This section and others that describe Suricata-based concepts are not intended to replace or duplicate information from the Suricata documentation. For more Suricata-specific information, see the [Suricata documentation](https://docs.suricata.io/en/suricata-7.0.8/).

## Caveats and considerations for flow operations
<a name="flow-operations-caveats"></a>

Before using flow operations, consider the following:
+ When you initiate a flow flush operation, the firewall treats impacted flows according to your stream exception policy configuration. Review your stream exception policy settings before performing a flush operation. For information, see [Stream exception policy options](stream-exception-policy.md).
+ If you execute flow capture operations using broad filter criteria (like wide IP ranges), you might encounter operation limits. To stay within these limits, use more specific flow filters, such as narrower IP ranges or additional criteria like ports and protocols.
+ When you flush flows, subsequent matching traffic is considered a new flow and evaluated against current firewall rule configurations.
+ Only firewall owners can perform flow operations. VPC endpoint association owners who do not also own the main firewall cannot perform flow operations on that firewall. For more information, see [Firewalls and firewall endpoints in AWS Network Firewall](firewalls.md).
+ Flow operations execute asynchronously across your firewall infrastructure. In the context of flow flush operations, this means flows might be marked for removal at slightly different times as the operation propagates.
+ Each flow operation (capture or flush) runs on one individual firewall at a time. If you need to perform flow operations across multiple firewalls in your network configuration, you must run separate operations for each firewall.
**Note**  
We throttle flush and capture operations to one concurrent request per firewall per Availability Zone (AZ). For example, if a firewall is deployed to two Availability Zones in the same Region, you can issue two concurrent flush or capture requests for that firewall (one request per Availability Zone). This throttling helps maintain optimal performance and prevents overloading the system.

For information on how Network Firewall propagates changes you make, see [Managing a firewall and firewall endpoints in AWS Network Firewall](firewall-managing.md).

# Capturing traffic in your firewall's state table
<a name="flow-operations-capture"></a>

With flow capture operations in Network Firewall, you can view information about active traffic flows that are tracked in your firewall's state table. These operations provide a time-boxed view of network traffic, showing both new and established flows that match your specified criteria. Captured data makes it easier to analyze current network traffic patterns, verify the effectiveness of your firewall rules, identify unexpected traffic flows, and troubleshoot network connectivity issues. 

You can view the progress and history of flow captures on your firewall's **Details** page.

**Tip**  
When using flow capture operations with broad filter criteria (like wide IP ranges), you might encounter operation limits. To stay within these limits, use more specific flow filters, such as narrower IP ranges or additional criteria like ports and protocols.

**To capture traffic flows from a firewall state table**

1. Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **Network Firewall**, choose **Firewalls**.

1. Choose the name of the firewall where you want to perform the flow operation.

1. In the **Firewall operations** section, choose **Configure flow capture**.

1. Configure the scope of the flow operation, depending on your firewall configuration:
   + To perform the operation in the primary firewall endpoint only, specify the VPC endpoint ID.
   + To perform the operation in a VPC endpoint association only, specify the VPC endpoint association ARN.
   + To perform the operation in the primary firewall endpoint and all associated VPC endpoints, specify the Availability Zone of the primary firewall endpoint.

1. Optionally, configure additional flow filters to further narrow the scope of the operation:
   + **Minimum age** - To exclude recently established flows, set this value to filter out flows that are newer than the specified age, in seconds.
   + **Source** - A single IP address or an IP range (CIDR), and optionally a port.
   + **Destination** - A single IP address or an IP range (CIDR), and optionally a port.
   + **Protocol number** - The assigned internet protocol number (IANA) for each supported protocol. If left empty, the operation captures flows with any supported protocol (TCP, UDP, ICMP, ICMPv6, SCTP).

1. Review your configured filters in the **Filters** section.

1. Choose **Start capture**, then confirm that you want to begin the operation.

1. Return to the **Details** page to monitor the operation status.

For information on viewing the status and history of your operations, see [Viewing flow operations in Network Firewall](flow-operations-view.md).

# Using flow flush operations in Network Firewall
<a name="flow-operations-flush"></a>

Flow flush operations give you greater control over how your firewall rules are applied to network traffic. While Network Firewall automatically applies changes to stateful rules for new traffic flows, existing flows continue to be processed according to the rules that were in place when those flows began.

By flushing specific flows from your firewall's state table, you can force the firewall to treat subsequent matching traffic as new flows, ensuring they are evaluated against your current rule configurations. This is useful when you update rule groups or firewall policies and want these changes to take effect for existing network traffic. For example, if you modify a rule group to drop specific types of traffic, you can use a flow flush operation to ensure that all matching traffic—both new and existing—is evaluated against your updated rules.

The flow flush operation consists of two phases:

1. Initial flow identification phase - Marks specified flows for timeout in the state table

1. Flow pruning phase - Removes marked flows according to the firewall's built-in pruning mechanism

## Flushing traffic from your firewall's state table
<a name="flow-operations-flush-procedure"></a>

**Important**  
Flush operations cannot be cancelled once started. Review your firewall's stream exception policy before you start: when you flush flows from the firewall state table, the rules engine treats the affected traffic according to that policy. For information, see [Stream exception policy options](stream-exception-policy.md).

**Tip**  
If your firewall is shared with other AWS accounts through VPC endpoint associations, take care to notify VPC endpoint association owners before you flush flows from the primary firewall. 

**To flush traffic flows from a firewall state table**

1. Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **Network Firewall**, choose **Firewalls**.

1. Choose the name of the firewall where you want to perform the flow operation.

1. In the **Firewall operations** section, choose **Configure flow flush**.

1. Configure the scope of the flow operation, depending on your firewall configuration:
   + To perform the operation in the primary firewall endpoint only, specify the VPC endpoint ID.
   + To perform the operation in a VPC endpoint association only, specify the VPC endpoint association ARN.
   + To perform the operation in the primary firewall endpoint and all associated VPC endpoints, specify the Availability Zone of the primary firewall endpoint.

1. Optionally, configure additional flow filters to further narrow the scope of the operation:
   + **Minimum age** - To exclude recently established flows, set this value to filter out flows that are newer than the specified age, in seconds.
   + **Source** - A single IP address or an IP range (CIDR), and optionally a port.
   + **Destination** - A single IP address or an IP range (CIDR), and optionally a port.
   + **Protocol number** - The assigned internet protocol number (IANA) for each supported protocol. If left empty, the operation flushes flows with any supported protocol (TCP, UDP, ICMP, ICMPv6, SCTP).

1. Review your configured filters in the **Filters** section.

1. Choose **Start flush**, then confirm that you want to begin the operation.

1. Return to the firewall **Details** page to monitor the operation status.

For information on viewing the status and history of your operations, see [Viewing flow operations in Network Firewall](flow-operations-view.md).
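The capture procedure and the flush procedure above take the same scope selector and the same flow filters, so the following added example (not AWS code, and not part of this page) builds and validates one request that can be passed to either operation through the AWS SDK. It enforces the points the caveats call out: exactly one scope selector (VPC endpoint ID, VPC endpoint association ARN, or Availability Zone), at most 20 filters, only the supported protocol numbers, and a warning when an address filter is broad enough to risk operation limits. The request field names (`FirewallArn`, `VpcEndpointId`, `VpcEndpointAssociationArn`, `AvailabilityZone`, `MinimumFlowAgeInSeconds`, `FlowFilters` with `SourceAddress`/`DestinationAddress` `AddressDefinition`, `SourcePort`, `DestinationPort`, `Protocols`) and the boto3 method names `start_flow_capture`/`start_flow_flush` are assumptions about the StartFlowCapture/StartFlowFlush API shape; the /16 and /48 "broad prefix" thresholds are this example's own heuristic. Verify the field names against the API reference before using this against a real firewall.

```python
"""Build and validate a flow capture / flow flush request for AWS Network Firewall.

Added example, not AWS code. Field names below are assumed to follow the
StartFlowCapture / StartFlowFlush API shape; check them against the API reference.
"""
import ipaddress

MAX_FILTERS = 20                            # limit stated in the documentation
SUPPORTED_PROTOCOLS = {1, 6, 17, 58, 132}   # ICMP, TCP, UDP, ICMPv6, SCTP
BROAD_PREFIX_V4 = 16                        # assumed heuristic: /16 or wider is "broad"
BROAD_PREFIX_V6 = 48                        # assumed heuristic for IPv6
SCOPE_KEYS = ("VpcEndpointId", "VpcEndpointAssociationArn", "AvailabilityZone")


def _cidr(value):
    """Normalise a host address or CIDR to CIDR notation; reject anything else."""
    return str(ipaddress.ip_network(value, strict=False))


def build_flow_filter(source=None, source_port=None, destination=None,
                      destination_port=None, protocols=()):
    """Return one FlowFilter entry with validated addresses and protocol numbers."""
    entry = {}
    if source:
        entry["SourceAddress"] = {"AddressDefinition": _cidr(source)}
    if destination:
        entry["DestinationAddress"] = {"AddressDefinition": _cidr(destination)}
    if source_port is not None:
        entry["SourcePort"] = str(source_port)
    if destination_port is not None:
        entry["DestinationPort"] = str(destination_port)
    unsupported = [p for p in protocols if int(p) not in SUPPORTED_PROTOCOLS]
    if unsupported:
        raise ValueError(f"unsupported protocol number(s): {unsupported}")
    if protocols:
        entry["Protocols"] = [str(int(p)) for p in protocols]   # assumed: strings of IANA numbers
    if not entry:
        raise ValueError("an empty filter would match every flow in the state table")
    return entry


def broad_filters(flow_filters):
    """Return indexes of filters wide enough to risk hitting operation limits.

    A filter is broad when it carries no address at all, or when any address
    prefix is shorter than the (assumed) thresholds above.
    """
    broad = []
    for i, entry in enumerate(flow_filters):
        addrs = [entry[k]["AddressDefinition"]
                 for k in ("SourceAddress", "DestinationAddress") if k in entry]
        if not addrs:
            broad.append(i)
            continue
        for addr in addrs:
            net = ipaddress.ip_network(addr)
            limit = BROAD_PREFIX_V4 if net.version == 4 else BROAD_PREFIX_V6
            if net.prefixlen < limit:
                broad.append(i)
                break
    return broad


def build_flow_operation_request(firewall_arn, scope, flow_filters,
                                 minimum_age_seconds=None):
    """Assemble keyword arguments for start_flow_capture or start_flow_flush.

    `scope` must contain exactly one of the SCOPE_KEYS, mirroring the three
    scoping choices in the console procedure.
    """
    chosen = [k for k in SCOPE_KEYS if scope.get(k)]
    if len(chosen) != 1:
        raise ValueError(f"specify exactly one of {SCOPE_KEYS}, got {chosen}")
    if len(flow_filters) > MAX_FILTERS:
        raise ValueError(f"at most {MAX_FILTERS} filters per operation")
    request = {
        "FirewallArn": firewall_arn,
        chosen[0]: scope[chosen[0]],
        "FlowFilters": list(flow_filters),
    }
    if minimum_age_seconds is not None:
        request["MinimumFlowAgeInSeconds"] = int(minimum_age_seconds)
    return request


if __name__ == "__main__":
    # Live use (requires credentials). Values below are placeholders.
    import boto3
    nfw = boto3.client("network-firewall")
    flt = build_flow_filter(source="10.0.1.0/24", destination_port=443, protocols=[6])
    req = build_flow_operation_request(
        "arn:aws:network-firewall:us-east-1:111122223333:firewall/example",
        {"AvailabilityZone": "us-east-1a"}, [flt], minimum_age_seconds=60)
    if broad_filters([flt]):
        print("warning: broad filter; consider narrowing before a capture")
    # Swap in start_flow_flush(**req) for a flush; remember it cannot be cancelled.
    print(nfw.start_flow_capture(**req)["FlowOperationId"])
```

The same request dictionary feeds both operations; the only difference between a capture and a flush is which client method it is passed to, which is why the flush caveats (irreversible, stream exception policy applies, per-AZ concurrency throttle) deserve a separate review step before the call is made.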

# Viewing flow operations in Network Firewall
<a name="flow-operations-view"></a>

You can view the history of operations in your firewall and monitor the progress of ongoing operations. Network Firewall only stores capture and flush operations performed within the last 12 hours.

**To view operation history**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **Network Firewall**, choose **Firewalls**.

1. Choose the name of the firewall that you want to view.

1. Navigate to the **Firewall operation history** section.

1. Review the status of operations:  
**In progress**  
Operations that have not yet completed.  
**Completed**  
Operations that successfully completed.  
**Failed**  
Operations that could not be completed.  
**Completed with errors**  
Operations that experienced a timeout issue or an issue that prevented completion across all hosts. These operations may have flows missing from the results.

1. Choose any completed operation to view the summary of results.
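Once a capture finishes, the summary is only trustworthy if the status is **Completed**; a **Completed with errors** result may be missing flows, so any conclusion drawn from it ("nothing unexpected was found") is provisional. The following added example (not AWS code) shows how a practitioner would triage capture results programmatically: it treats anything other than `COMPLETED` as incomplete, compares each captured flow against an allowlist of expected destinations, and ranks destinations by bytes so that long-lived, high-volume flows to unfamiliar hosts stand out. The response layout (a `FlowOperationStatus` string and a `Flows` list with `SourceAddress`, `SourcePort`, `DestinationAddress`, `DestinationPort`, `Protocol`, `Age`, `ByteCount`, `PacketCount`), the status value spellings, and the boto3 method `list_flow_operation_results` with `NextToken` paging are assumptions about the ListFlowOperationResults API shape; the sample response and the allowlist are constructed for the example.

```python
"""Triage the results of a Network Firewall flow capture.

Added example, not AWS code. The response shape and field names are assumed
to follow ListFlowOperationResults; verify them against the API reference.
"""
import ipaddress
from collections import Counter

PROTOCOL_NUMBERS = {"ICMP": 1, "TCP": 6, "UDP": 17, "ICMPV6": 58, "SCTP": 132}

# Constructed sample of a finished capture; not real API output.
SAMPLE_RESULTS = {
    "FlowOperationStatus": "COMPLETED_WITH_ERRORS",
    "Flows": [
        {"SourceAddress": "10.0.1.15", "SourcePort": "51234", "DestinationAddress": "10.0.2.20",
         "DestinationPort": "443", "Protocol": "6", "Age": 120, "ByteCount": 88000, "PacketCount": 140},
        {"SourceAddress": "10.0.1.15", "SourcePort": "51990", "DestinationAddress": "198.51.100.7",
         "DestinationPort": "4444", "Protocol": "6", "Age": 3900, "ByteCount": 9500000, "PacketCount": 8000},
        {"SourceAddress": "10.0.1.40", "SourcePort": "48211", "DestinationAddress": "10.0.2.53",
         "DestinationPort": "53", "Protocol": "17", "Age": 5, "ByteCount": 300, "PacketCount": 4},
    ],
}

# Constructed allowlist of (destination CIDR, destination port or None, protocol).
EXPECTED_EGRESS = [("10.0.2.0/24", 443, "tcp"), ("10.0.2.53/32", 53, "udp")]


def protocol_number(value):
    """Accept 6, '6' or 'tcp' and return the IANA protocol number."""
    text = str(value).strip().upper()
    return PROTOCOL_NUMBERS.get(text, None) or int(text)


def flow_matches(flow, rule):
    """True when the flow's destination, port and protocol fall inside one allow rule."""
    dst_cidr, dst_port, proto = rule
    in_cidr = ipaddress.ip_address(flow["DestinationAddress"]) in ipaddress.ip_network(dst_cidr)
    port_ok = dst_port is None or str(flow["DestinationPort"]) == str(dst_port)
    return in_cidr and port_ok and protocol_number(flow["Protocol"]) == protocol_number(proto)


def unexpected_flows(flows, expected):
    """Flows that match none of the allow rules: candidates for investigation."""
    return [f for f in flows if not any(flow_matches(f, rule) for rule in expected)]


def summarize(results, expected, top_n=3):
    """Summarise a capture, flagging incomplete results and unexpected destinations."""
    status = results["FlowOperationStatus"]
    flows = results.get("Flows", [])
    bytes_by_destination = Counter()
    for f in flows:
        bytes_by_destination[f["DestinationAddress"]] += int(f.get("ByteCount", 0))
    return {
        "status": status,
        "complete": status == "COMPLETED",      # COMPLETED_WITH_ERRORS may lack flows
        "flow_count": len(flows),
        "unexpected": unexpected_flows(flows, expected),
        "top_destinations": bytes_by_destination.most_common(top_n),
    }


def fetch_all_flows(client, firewall_arn, operation_id):
    """Page through list_flow_operation_results (assumed method/paging shape)."""
    flows, token, status = [], None, None
    while True:
        kwargs = {"FirewallArn": firewall_arn, "FlowOperationId": operation_id}
        if token:
            kwargs["NextToken"] = token
        page = client.list_flow_operation_results(**kwargs)
        status = page["FlowOperationStatus"]
        flows.extend(page.get("Flows", []))
        token = page.get("NextToken")
        if not token:
            return {"FlowOperationStatus": status, "Flows": flows}


if __name__ == "__main__":
    report = summarize(SAMPLE_RESULTS, EXPECTED_EGRESS)
    if not report["complete"]:
        print(f"status {report['status']}: results may be partial, re-run with narrower filters")
    for f in report["unexpected"]:
        print("unexpected:", f["SourceAddress"], "->",
              f"{f['DestinationAddress']}:{f['DestinationPort']}", "age", f["Age"], "s")
```

Run against the constructed sample, the report marks the capture incomplete and singles out the long-lived flow to 198.51.100.7:4444, which is also the top destination by bytes; against a real firewall, `fetch_all_flows` would replace `SAMPLE_RESULTS`, and a flush scoped to that one destination would be the natural follow-up after the stream exception policy has been reviewed.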