AWS Network Firewall Monitoring in Applications Manager enables you to track the health, availability, and performance of your firewall resources deployed within Virtual Private Clouds (VPCs). With detailed metrics on firewall readiness, configuration sync state, traffic flow, packet drops, and TLS inspection, you can ensure that your network is secure, compliant, and functioning without disruptions. Continuous monitoring helps identify misconfigurations, detect anomalies in real time, and maintain high availability of critical applications running in your AWS environment.
To learn how to create a new AWS Network Firewall monitor, refer here.
Go to the Monitors Category View by clicking the Monitors tab. Click on the AWS Network Firewall instance available under Amazon in the Cloud Apps section. Displayed is the AWS Network Firewall bulk configuration view distributed into three tabs:
By clicking a monitor from the list, you'll be taken to the AWS Network Firewall dashboard which includes the following tabs:
| Parameter | Description |
|---|---|
| NETWORK FIREWALL INFORMATION | |
| Firewall Status | The readiness of the configured firewall to handle network traffic across all of the Availability Zones where you have it configured. This setting is READY only when the ConfigurationSyncStateSummary value is IN_SYNC and the Attachment Status values for all of the configured subnets are READY. Possible values: PROVISIONING, DELETING, READY. |
| Configuration Sync State | The configuration sync state for the firewall. This summarizes the Config settings in the SyncStates for this firewall status object. Possible values: PENDING, IN_SYNC, CAPACITY_CONSTRAINED. |
| Number of Associations | The number of VpcEndpointAssociation resources that use this firewall. |
| Parameter | Description |
|---|---|
| PACKETS DROPPED PERCENTAGE (STATEFUL) | |
| Packets Dropped Percentage (Stateful) | Percentage of packets dropped in the stateful engine between the poll interval. |
| PACKETS REJECTED PERCENTAGE (STATEFUL) | |
| Packets Rejected Percentage (Stateful) | Percentage of packets rejected by the stateful engine between the poll interval. |
| STATEFUL PACKET FLOW | |
| Packets Received (Stateful) | Number of packets received by the firewall in the stateful engine between the poll interval. |
| Packets Dropped (Stateful) | Number of packets dropped due to rule actions in the stateful engine between the poll interval. |
| Packets Rejected (Stateful) | Number of packets rejected due to Reject stateful rule actions between the poll interval. |
| Packets Passed (Stateful) | Number of packets allowed through by the firewall in the stateful engine between the poll interval. |
| Stream Exception Policy Packets | Number of packets matching the firewall policy’s stream exception policy between the poll interval. |
| TLS PACKETS DROPPED PERCENTAGE | |
| TLS Packets Dropped Percentage | Percentage of SSL/TLS packets dropped during inspection between the poll interval. |
| TLS PACKETS REJECTED PERCENTAGE | |
| TLS Packets Rejected Percentage | Percentage of SSL/TLS packets rejected during inspection between the poll interval. |
| TLS ERRORS | |
| TLS Errors | Number of errors observed while inspecting SSL/TLS packets between the poll interval. |
| TLS CONNECTIONS TIMED OUT | |
| TLS Connections Timed Out | Number of SSL/TLS connections that timed out during inspection between the poll interval. |
| TLS FLOW | |
| TLS Packets Dropped Percentage | Percentage of SSL/TLS packets dropped during inspection between the poll interval. |
| TLS Packets Dropped | Number of packets dropped while inspecting SSL/TLS packets between the poll interval. |
| TLS Packets Rejected Percentage | Percentage of SSL/TLS packets rejected during inspection between the poll interval. |
| TLS Packets Rejected | Number of SSL/TLS packets rejected by Network Firewall between the poll interval. |
| TLS Packets Passed | Number of SSL/TLS packets passed by Network Firewall between the poll interval. |
| TLS Errors | Number of errors observed while inspecting SSL/TLS packets between the poll interval. |
| TLS Connections Timed Out | Number of SSL/TLS connections that timed out during inspection between the poll interval. |
| TLS CERTIFICATE VALIDATION | |
| TLS Connections - Revocation Status OK | Number of SSL/TLS connections to servers with certificates confirmed as not revoked between the poll interval. |
| TLS Connections - Revocation Status Revoked | Number of SSL/TLS connections to servers with certificates confirmed as revoked between the poll interval. |
| TLS Connections - Revocation Status Unknown | Number of SSL/TLS connections to servers with unknown certificate revocation status between the poll interval. |
| Parameter | Description |
|---|---|
| OVERALL PACKETS DROPPED PERCENTAGE (STATELESS) | |
| Overall Packets Dropped Percentage (Stateless) | Percentage of total packets dropped in the stateless engine between the poll interval. |
| OVERALL PACKETS DROPPED (STATELESS) | |
| Overall Packets Dropped (Stateless) | Total number of packets dropped in the stateless engine, including dropped, invalid, and other categories between the poll interval. |
| STATELESS PACKET FLOW | |
| Packets Received (Stateless) | Number of packets received by the firewall in the stateless engine between the poll interval. |
| Overall Packets Dropped Percentage (Stateless) | Percentage of total packets dropped in the stateless engine between the poll interval. |
| Overall Packets Dropped (Stateless) | Total number of packets dropped in the stateless engine, including dropped, invalid, and other categories between the poll interval. |
| Packets Dropped (Stateless) | Number of packets dropped due to stateless rule actions between the poll interval. |
| Other Packets Dropped (Stateless) | Number of packets dropped due to reasons other than InvalidDroppedPackets or DroppedPackets, including throttled packets between the poll interval. |
| Invalid Packets Dropped (Stateless) | Number of packets dropped for failing packet validation due to issues with the packet between the poll interval. |
| Packets Passed (Stateless) | Number of packets allowed through by the firewall in the stateless engine between the poll interval. |
| TLS Packets Received (Stateless) | Number of SSL/TLS packets received by the firewall between the poll interval. |
| Firewall ID | The unique identifier for the firewall. |
| VPC ID | The unique identifier of the VPC where the firewall is in use. |
| Firewall Policy Arn | The Amazon Resource Name (ARN) of the firewall policy. |
| Encryption Key Type | The type of AWS KMS key to use for encryption of your Network Firewall resources. Possible values: CUSTOMER_KMS, AWS_OWNED_KMS_KEY. |
| Encryption Key ID | The ID of the AWS Key Management Service (KMS) customer managed key. |
| Availability Zone Change Protection | A setting indicating whether the firewall is protected against changes to its Availability Zone configuration. |
| Firewall Policy Change Protection | A setting indicating whether the firewall is protected against a change to the firewall policy association. |
| Delete Protection | A flag indicating whether it is possible to delete the firewall. |
| Subnet Change Protection | A setting indicating whether the firewall is protected against changes to the subnet associations. |
Thank you for your feedback!
