Question
Is there a way to log the connections blocked by the AWS Network Firewall, or filter the logs of blocked connections?
Background
Currently, having set up the rules, I would like to know which IPs or domains have been blocked.
I am looking at Logging network traffic from AWS Network Firewall, but it is not clear if this is possible.
You can record flow logs and alert logs from your Network Firewall stateful engine.
Flow logs are standard network traffic flow logs. Each flow log record captures the network flow for a specific 5-tuple.
Alert logs report traffic that matches your stateful rules that have an action that sends an alert. A stateful rule sends alerts for the rule actions DROP and ALERT.
From the flow logs, it is not clear whether the traffic was passed or blocked.
{
  "firewall_name": "network-firewall-sagemaker-studio-anfw",
  "availability_zone": "us-east-1a",
  "event_timestamp": "1628236046",
  "event": {
    "timestamp": "2021-08-06T07:47:26.000068+0000",
    "flow_id": 1108238612337889,
    "event_type": "netflow",
    "src_ip": "51.222.5.114",
    "src_port": 57528,
    "dest_ip": "10.2.2.60",
    "dest_port": 8088,
    "proto": "TCP",
    "netflow": {
      "pkts": 1,
      "bytes": 40,
      "start": "2021-08-06T07:46:24.365793+0000",
      "end": "2021-08-06T07:46:24.365793+0000",
      "age": 0,
      "min_ttl": 239,
      "max_ttl": 239
    },
    "tcp": {
      "tcp_flags": "02",
      "syn": true
    }
  }
}
You must configure your firewall to log the log type "Alert".
It will then show source, destination and action (i.e. DROP or ALLOW).
Here is some documentation on how to change the log type:
https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-update-logging-configuration.html
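As an added example (not part of the question or answer above), the script below does the filtering the question asks for once alert logging is enabled: it reads Network Firewall records as JSON lines, skips the netflow records (which, as the question notes, carry no action), keeps only alert records whose action indicates a block, and summarizes what was blocked by destination. The three sample records are constructed for this example; the first mirrors the flow log posted in the question, while the alert records and the exact field values assumed for a block (`event.alert.action` equal to `blocked`, with a `tls.sni` hostname for domain rules) are assumptions to verify against your own alert logs before relying on them.

```python
import json
from collections import Counter

# Constructed sample log lines (not real firewall output). Record 1 is a
# netflow record shaped like the one in the question; records 2 and 3 are
# assumed alert records for a blocked and an allowed connection.
SAMPLE_LOG_LINES = [
    json.dumps({
        "firewall_name": "example-anfw", "availability_zone": "us-east-1a",
        "event_timestamp": "1628236046",
        "event": {"timestamp": "2021-08-06T07:47:26.000068+0000",
                  "flow_id": 1108238612337889, "event_type": "netflow",
                  "src_ip": "51.222.5.114", "src_port": 57528,
                  "dest_ip": "10.2.2.60", "dest_port": 8088, "proto": "TCP",
                  "netflow": {"pkts": 1, "bytes": 40}}}),
    json.dumps({
        "firewall_name": "example-anfw", "availability_zone": "us-east-1a",
        "event_timestamp": "1628236100",
        "event": {"timestamp": "2021-08-06T07:48:20.000000+0000",
                  "flow_id": 1108238612337890, "event_type": "alert",
                  "src_ip": "10.2.2.60", "src_port": 51000,
                  "dest_ip": "93.184.216.34", "dest_port": 443, "proto": "TCP",
                  "alert": {"action": "blocked", "signature_id": 5, "rev": 1,
                            "signature": "Block unapproved domain",
                            "category": "", "severity": 1},
                  "tls": {"sni": "example.com", "version": "UNDETERMINED"}}}),
    json.dumps({
        "firewall_name": "example-anfw", "availability_zone": "us-east-1a",
        "event_timestamp": "1628236150",
        "event": {"timestamp": "2021-08-06T07:49:10.000000+0000",
                  "flow_id": 1108238612337891, "event_type": "alert",
                  "src_ip": "10.2.2.60", "src_port": 51001,
                  "dest_ip": "10.2.3.10", "dest_port": 8088, "proto": "TCP",
                  "alert": {"action": "allowed", "signature_id": 7, "rev": 1,
                            "signature": "Audit internal traffic",
                            "category": "", "severity": 3}}}),
]

# Action values treated as a block. "blocked" is the value assumed for
# Network Firewall alert logs; the others cover the DROP spelling used in
# the answer above and are included defensively.
BLOCKED_ACTIONS = {"blocked", "drop", "dropped", "rejected"}


def parse_records(lines):
    """Yield decoded JSON records, skipping blank or malformed lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated line should not abort the whole run


def is_blocked_alert(record):
    """True only for alert records whose action indicates a block."""
    event = record.get("event", {})
    if event.get("event_type") != "alert":
        return False  # netflow records carry no action field at all
    action = str(event.get("alert", {}).get("action", "")).lower()
    return action in BLOCKED_ACTIONS


def destination_name(event):
    """Prefer the TLS SNI or HTTP host (domain rules); fall back to dest_ip."""
    sni = event.get("tls", {}).get("sni")
    host = event.get("http", {}).get("hostname")
    return sni or host or event.get("dest_ip")


def blocked_connections(lines):
    """Return one summary dict per blocked connection found in the lines."""
    hits = []
    for rec in parse_records(lines):
        if not is_blocked_alert(rec):
            continue
        ev = rec["event"]
        hits.append({
            "timestamp": ev.get("timestamp"),
            "src": f"{ev.get('src_ip')}:{ev.get('src_port')}",
            "dest": f"{ev.get('dest_ip')}:{ev.get('dest_port')}",
            "name": destination_name(ev),
            "rule": ev["alert"].get("signature"),
            "sid": ev["alert"].get("signature_id"),
        })
    return hits


def summarize_blocked(lines):
    """Count blocked connections per destination name or IP."""
    return Counter(hit["name"] for hit in blocked_connections(lines))


if __name__ == "__main__":
    for hit in blocked_connections(SAMPLE_LOG_LINES):
        print(f"{hit['timestamp']} {hit['src']} -> {hit['dest']} "
              f"({hit['name']}) blocked by sid {hit['sid']}: {hit['rule']}")
    for name, count in summarize_blocked(SAMPLE_LOG_LINES).most_common():
        print(f"{count:>5}  {name}")
```

Feed it the exported log lines (for example the JSON lines in an S3 export, or the results of a CloudWatch Logs query) instead of `SAMPLE_LOG_LINES`. If the logs go to CloudWatch Logs, the same selection can be done server-side in Logs Insights with a filter on the nested fields, along the lines of `filter event.event_type = "alert" and event.alert.action = "blocked"`; the field path and the literal `blocked` are the same assumptions as in the script, so confirm them against a real alert record first.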