AWS Network Firewall lets you generate reports on HTTP or HTTPS traffic observed over the last 30 days for any firewall, starting from the point in time when you enable Traffic analysis mode on that firewall. Network Firewall only starts collecting traffic analysis metrics when you enable Traffic analysis mode on your firewall.
Tip
If you enable Traffic analysis mode, then immediately generate a report, the report will only contain metrics from when you enabled that setting. For the most comprehensive analysis, we recommend you wait 30 days after you enable Traffic analysis mode before you generate a report.
Before you can generate a traffic analysis report, you must enable Traffic analysis mode when you create or update a firewall. For more information on firewall configuration, see Managing your firewall in AWS Network Firewall.
You can generate up to one report per traffic type, per 30 day period. For example, when you successfully create an HTTP traffic report, you cannot create another HTTP traffic report until 30 days pass. Alternatively, if you generate a report that combines metrics on both HTTP and HTTPS traffic, you cannot create another report for either traffic type until 30 days pass.
When you generate a report, you create a snapshot of the last 30 days of network traffic monitored by your firewall. The maximum number of results per report is 1000. Each report provides insight into the following metrics for any given firewall:
The most frequently accessed domains
The number of access attempts made to each observed domain
The number of unique source IPs connecting to each observed domain
The date and time any domain was first accessed (within the last 30 day period)
The date and time any domain was last accessed (within the last 30 day period)
The protocol (HTTP or HTTPS) used by any domain's traffic
Generating traffic analysis reports
Before you generate a report
If you haven't enabled Traffic analysis mode on your firewall, do that now. For more information, see Managing your firewall in AWS Network Firewall.
Important
Network Firewall only starts collecting traffic analysis metrics when you enable Traffic analysis mode on your firewall. Traffic observed before you enable Traffic analysis mode is not included in reporting.
To generate a traffic analysis report in Network Firewall
1. Sign in to the AWS Management Console and open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, under Network Firewall, choose Firewalls.
3. In the Firewalls page, choose the name of the firewall that you want to edit. This takes you to the firewall's details page.
4. In the firewall's details page, choose the Monitoring and observability tab.
5. In the Monitoring and observability tab, choose Create report.
Creating stateful rule groups from reports
You can create stateful rule groups using the domains identified in your firewall's traffic analysis reports.
To create a stateful rule group from a traffic analysis report in Network Firewall
1. Sign in to the AWS Management Console and open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, under Network Firewall, choose Firewalls.
3. In the Firewalls page, choose the name of the firewall whose report you want to use. This takes you to the firewall's details page.
4. In the firewall's details page, choose the Monitoring and observability tab.
5. Select any completed report.
6. Choose Create domain list group. The workflow for creating a stateful rule group opens.
7. Complete the configuration for your domain list stateful rule group. For more information, see Creating a stateful rule group.
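The following script is an added example, not part of this page or of the Network Firewall service. It shows the two pieces of logic this page describes in working form: the one-report-per-traffic-type-per-30-days limit on generating reports, and turning the domains in a completed report into the RulesSourceList of a domain list stateful rule group. The report rows are constructed sample data shaped like the entries the GetAnalysisReportResults API returns; the field names used (Domain, Hits.Count, UniqueSources.Count, FirstAccessed, LastAccessed, Protocol) are an assumption about that response and should be checked against the API reference before the script is run on real output. The previous-report records passed to can_start_report are likewise a constructed shape for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like GetAnalysisReportResults entries. The field
# names are an assumption about the API response; verify them against the
# Network Firewall API reference before feeding real report output in here.
SAMPLE_REPORT_RESULTS = [
    {"Domain": "updates.example.com", "Hits": {"Count": 1240},
     "UniqueSources": {"Count": 37}, "FirstAccessed": "2025-01-02T08:11:00Z",
     "LastAccessed": "2025-01-30T23:58:00Z", "Protocol": "HTTPS"},
    {"Domain": "cdn.example.net", "Hits": {"Count": 980},
     "UniqueSources": {"Count": 12}, "FirstAccessed": "2025-01-05T12:00:00Z",
     "LastAccessed": "2025-01-29T10:20:00Z", "Protocol": "HTTP"},
    {"Domain": "telemetry.example.org", "Hits": {"Count": 3},
     "UniqueSources": {"Count": 1}, "FirstAccessed": "2025-01-28T04:00:00Z",
     "LastAccessed": "2025-01-28T04:05:00Z", "Protocol": "HTTPS"},
]

REPORT_INTERVAL = timedelta(days=30)  # one report per traffic type per 30 days
# A domain list target is either example.com (that host only) or
# .example.com (the host and all of its subdomains).
_TARGET_RE = re.compile(r"^\.?[a-z0-9-]+(\.[a-z0-9-]+)+$")
# Report protocol -> domain list TargetTypes value
_TARGET_TYPE = {"HTTP": "HTTP_HOST", "HTTPS": "TLS_SNI"}


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def summarize(results):
    """Normalise report rows and order them most-accessed first."""
    rows = []
    for r in results:
        first, last = _parse_ts(r["FirstAccessed"]), _parse_ts(r["LastAccessed"])
        rows.append({
            "domain": r["Domain"].lower().rstrip("."),
            "hits": r["Hits"]["Count"],
            "unique_sources": r["UniqueSources"]["Count"],
            "protocol": r["Protocol"],
            "first": first,
            "last": last,
            "active_days": (last - first).days,
        })
    rows.sort(key=lambda x: (-x["hits"], x["domain"]))
    return rows


def select_domains(rows, min_hits=1, min_unique_sources=1):
    """Keep domains that enough distinct sources actually use. A domain hit a
    handful of times from a single host is something to review, not something
    to allow-list because it appeared in the report."""
    return [r["domain"] for r in rows
            if r["hits"] >= min_hits and r["unique_sources"] >= min_unique_sources]


def build_domain_list_rule_group(domains, protocols, generated_rules_type="ALLOWLIST"):
    """Return the RulesSource for a domain list stateful rule group.
    Entries that do not look like a domain list target are rejected rather
    than silently dropped, so a bad row cannot quietly shrink an allow list."""
    bad = [d for d in domains if not _TARGET_RE.match(d)]
    if bad:
        raise ValueError(f"invalid domain list targets: {bad}")
    if generated_rules_type not in ("ALLOWLIST", "DENYLIST"):
        raise ValueError("GeneratedRulesType must be ALLOWLIST or DENYLIST")
    return {
        "RulesSource": {
            "RulesSourceList": {
                "Targets": list(domains),
                "TargetTypes": sorted(_TARGET_TYPE[p] for p in protocols),
                "GeneratedRulesType": generated_rules_type,
            }
        }
    }


def can_start_report(previous_reports, traffic_types, now):
    """Apply the 30-day rule from this page: a report that covered a traffic
    type blocks another report on that type (including a combined HTTP+HTTPS
    report) until 30 days after it was generated. previous_reports is a
    constructed list of {"traffic_types": set, "created": datetime}.
    Returns (allowed, earliest_time_the_report_is_allowed_or_None)."""
    earliest = None
    for rep in previous_reports:
        if rep["traffic_types"] & set(traffic_types):
            next_allowed = rep["created"] + REPORT_INTERVAL
            if next_allowed > now and (earliest is None or next_allowed > earliest):
                earliest = next_allowed
    return (earliest is None), earliest


if __name__ == "__main__":
    rows = summarize(SAMPLE_REPORT_RESULTS)
    for r in rows:
        print(f"{r['domain']:24} {r['protocol']:5} hits={r['hits']:<6} "
              f"sources={r['unique_sources']:<4} active={r['active_days']}d")
    chosen = select_domains(rows, min_hits=10, min_unique_sources=2)
    print(build_domain_list_rule_group(chosen, {"HTTP", "HTTPS"}))
```

The thresholds in select_domains are deliberate: a report lists every observed domain, including one-off lookups from a single host, and an allow list built straight from the full list is only as trustworthy as the last 30 days of traffic. Review the low-count tail before it becomes policy, and remember that the report only covers traffic seen after Traffic analysis mode was enabled.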