AWS Network Firewall - How to log the blocked connections - amazon-web-services

Question
Is there a way to log the connections blocked by the AWS Network Firewall, or filter the logs of blocked connections?
Background
Having set up the rules, I would like to know which IPs or domains have been blocked.
Looking at "Logging network traffic from AWS Network Firewall", but it is not clear if this is possible.
You can record flow logs and alert logs from your Network Firewall stateful engine.
Flow logs are standard network traffic flow logs. Each flow log record captures the network flow for a specific 5-tuple.
Alert logs report traffic that matches your stateful rules that have an action that sends an alert. A stateful rule sends alerts for the rule actions DROP and ALERT.
From the flow logs, it is not clear if it is passed or blocked.
{
  "firewall_name": "network-firewall-sagemaker-studio-anfw",
  "availability_zone": "us-east-1a",
  "event_timestamp": "1628236046",
  "event": {
    "timestamp": "2021-08-06T07:47:26.000068+0000",
    "flow_id": 1108238612337889,
    "event_type": "netflow",
    "src_ip": "51.222.5.114",
    "src_port": 57528,
    "dest_ip": "10.2.2.60",
    "dest_port": 8088,
    "proto": "TCP",
    "netflow": {
      "pkts": 1,
      "bytes": 40,
      "start": "2021-08-06T07:46:24.365793+0000",
      "end": "2021-08-06T07:46:24.365793+0000",
      "age": 0,
      "min_ttl": 239,
      "max_ttl": 239
    },
    "tcp": {
      "tcp_flags": "02",
      "syn": true
    }
  }
}

Yes, you can get network logs.
AWS Network Firewall is a managed service that you can use to deploy essential network protections for your Amazon Virtual Private Cloud instances. AWS Network Firewall works together with AWS Firewall Manager so you can build policies based on AWS Network Firewall rules and then centrally apply those policies across your VPCs and accounts.
https://docs.aws.amazon.com/athena/latest/ug/querying-network-firewall-logs.html
How to create Amazon CloudWatch Logs
https://docs.aws.amazon.com/network-firewall/latest/developerguide/logging-cw-logs.html
AWS Network Firewall logging destinations
https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-logging-destinations.html

In your firewall's Log configuration, enable logs for Alerts; you can then choose where the alert logs (logs from blocked requests) should be shipped. You will have options like an S3 bucket or a CloudWatch log group.
Good luck.
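To make the two answers concrete: the verdict lives in the alert records, not the flow records. The script below is an added example (not code from the question or either answer). It reads the one-JSON-object-per-line records Network Firewall delivers to CloudWatch Logs or S3, skips the netflow records (which, as the question notes, carry no allow/block field), and keeps alert records whose event.alert.action is "blocked", which is what a stateful rule with the DROP action produces (ALERT-action rules log "allowed"). The flow record mirrors the shape of the one in the question; the alert records, IPs and signature names are constructed samples.

```python
"""Pull the blocked connections out of AWS Network Firewall logs (added example)."""
import json
from collections import Counter

# Constructed sample log lines: one netflow record shaped like the one in the
# question, three alert records (two blocked, one allowed), and one junk line.
SAMPLE_LOG_LINES = [
    json.dumps({
        "firewall_name": "example-anfw", "availability_zone": "us-east-1a",
        "event_timestamp": "1628236046",
        "event": {"timestamp": "2021-08-06T07:47:26.000068+0000",
                  "flow_id": 1108238612337889, "event_type": "netflow",
                  "src_ip": "198.51.100.23", "src_port": 57528,
                  "dest_ip": "10.2.2.60", "dest_port": 8088, "proto": "TCP",
                  "netflow": {"pkts": 1, "bytes": 40, "age": 0}}}),
    json.dumps({
        "firewall_name": "example-anfw", "availability_zone": "us-east-1a",
        "event_timestamp": "1628236050",
        "event": {"timestamp": "2021-08-06T07:47:30.000000+0000",
                  "flow_id": 1108238612337890, "event_type": "alert",
                  "src_ip": "10.2.2.60", "src_port": 40000,
                  "dest_ip": "203.0.113.9", "dest_port": 443, "proto": "TCP",
                  "alert": {"action": "blocked", "signature_id": 1001,
                            "signature": "example deny rule", "severity": 1}}}),
    json.dumps({
        "firewall_name": "example-anfw", "availability_zone": "us-east-1a",
        "event_timestamp": "1628236055",
        "event": {"timestamp": "2021-08-06T07:47:35.000000+0000",
                  "flow_id": 1108238612337891, "event_type": "alert",
                  "src_ip": "10.2.2.61", "src_port": 40001,
                  "dest_ip": "203.0.113.9", "dest_port": 443, "proto": "TCP",
                  "alert": {"action": "blocked", "signature_id": 1001,
                            "signature": "example deny rule", "severity": 1}}}),
    json.dumps({
        "firewall_name": "example-anfw", "availability_zone": "us-east-1a",
        "event_timestamp": "1628236060",
        "event": {"timestamp": "2021-08-06T07:47:40.000000+0000",
                  "flow_id": 1108238612337892, "event_type": "alert",
                  "src_ip": "10.2.2.60", "src_port": 40002,
                  "dest_ip": "203.0.113.10", "dest_port": 80, "proto": "TCP",
                  "alert": {"action": "allowed", "signature_id": 2001,
                            "signature": "example alert-only rule", "severity": 3}}}),
    "this line is not JSON and must be skipped",
]


def parse_records(lines):
    """Yield one dict per JSON line; blank and malformed lines are skipped."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def is_blocked(record):
    """True only for alert records whose action is "blocked"; netflow records never match."""
    event = record.get("event", {})
    return (event.get("event_type") == "alert"
            and event.get("alert", {}).get("action") == "blocked")


def blocked_connections(lines):
    """(timestamp, src_ip, dest_ip, dest_port, proto, signature) for every blocked alert."""
    rows = []
    for rec in parse_records(lines):
        if not is_blocked(rec):
            continue
        ev = rec["event"]
        rows.append((ev.get("timestamp"), ev.get("src_ip"), ev.get("dest_ip"),
                     ev.get("dest_port"), ev.get("proto"),
                     ev.get("alert", {}).get("signature")))
    return rows


def blocked_by_destination(lines):
    """How often each (dest_ip, dest_port) was blocked; answers "which IPs got blocked?"."""
    return Counter((row[2], row[3]) for row in blocked_connections(lines))


if __name__ == "__main__":
    for row in blocked_connections(SAMPLE_LOG_LINES):
        print(row)
    print(blocked_by_destination(SAMPLE_LOG_LINES))
```

If the alert logs go to a CloudWatch log group, the same selection can be done without a script by filtering the log group with the pattern `{ $.event.alert.action = "blocked" }`; if they go to S3, the Athena guide linked in the first answer covers the equivalent SQL. Either way the flow logs will never answer the question on their own, so alert logging has to be switched on for the rules that drop traffic.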

Related

How to suppress emails from being sent from vpn-xxxxxxxxx with VPN single-tunnel notification/VPN redundancy loss events

How to suppress the emails below, as they are being received very frequently.
My client mentioned they were using Cisco equipment, which does not support dual tunnels but only active/passive tunnels. Hence we would like to stop these alerts being generated (see description).
I have reviewed and found the same alert in the AWS Health Dashboard, but could not find any option to suppress this type of alert. Can anyone help on this issue? I can open a ticket with the AWS team, but want to know if these changes can be made. Would suppressing alarms cause any issues?
Description
You're receiving this message because you have at least one VPN Connection in the us-east-1 Region, for which your VPN Customer Gateway is not using both tunnels. This mode of operation is not recommended as you may experience connectivity issues if your active tunnel fails.
The VPN Connection(s) which do not currently have both tunnels established are associated with this event.
You can obtain the VPN Connection configuration recommendations for several types of VPN devices from the AWS Management Console [1]. On the "Amazon VPC" tab, select "VPN Connections". Then highlight the VPN Connection and choose "Download Configuration".
OR
Your VPN Connection associated with this event in the us-west-2 Region had a momentary lapse of redundancy as one of two tunnel endpoints was replaced. Connectivity on the second tunnel was not affected during this time. Both tunnels are now operating normally.
Reviewed: https://docs.aws.amazon.com/vpn/latest/s2svpn/monitoring-vpn-health-events.html#single-tunnel-notifications
I need technical guidance to resolve this issue.

How to monitor fargate ECS web app timeouts in CloudWatch?

I have a simple setup: Fargate ECS cluster with ALB, running web API.
I want to monitor (and raise alarms on) the number of requests that timed out for my web app. The only metric close to that I found in CloudWatch is AWS/ApplicationELB -> TargetResponseTime.
But it seems that requests which timed out from the ALB's point of view are not recorded there at all.
How do you monitor ALB timeouts?
This answer is only from the point of view of requests timed out by the ALB.
It is confusing because there is no specific metric that is named, or contains, "timeout".
An ALB timeout generates an HTTP 408 error code, for which the ALB internally increments HTTPCode_ELB_4XX_Count.
From the Docs
The load balancer sends the HTTP code to the client, saves the request to the access log, and increments the HTTPCode_ELB_4XX_Count or HTTPCode_ELB_5XX_Count metric.
In my view you can set up a CloudWatch alarm to monitor the HTTPCode_ELB_4XX_Count metric and initiate an action (such as sending a notification to an email address) if the metric goes outside what you consider an acceptable range.
More details about the HTTPCode_ELB_4XX_Count -> https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-cloudwatch-metrics.html
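Two things follow from that answer that are worth seeing in code: the alarm itself, and a way to tell how many of the counted 4XXs were actually the 408 timeouts, since HTTPCode_ELB_4XX_Count also counts the other 4XX responses the load balancer generates itself. The block below is an added example, not the answerer's code. build_4xx_alarm assembles the parameter set for CloudWatch's PutMetricAlarm (boto3's put_metric_alarm) on the HTTPCode_ELB_4XX_Count metric; the load balancer ARN and SNS topic ARN are placeholders, and boto3 is only imported if you run the module directly. count_elb_status reads ALB access log lines, in which the ninth space-separated field is elb_status_code; the log lines are constructed samples that follow the documented field order.

```python
"""CloudWatch alarm on ALB 4XX responses, plus a 408 count from access logs (added example)."""
import shlex
from collections import Counter


def alb_dimension_from_arn(alb_arn):
    """The LoadBalancer dimension value is the "app/<name>/<id>" suffix of the ALB ARN."""
    marker = ":loadbalancer/"
    pos = alb_arn.find(marker)
    if pos < 0:
        raise ValueError("not an Application Load Balancer ARN: %s" % alb_arn)
    return alb_arn[pos + len(marker):]


def build_4xx_alarm(alarm_name, alb_arn, threshold, period=60,
                    evaluation_periods=5, sns_topic_arn=None):
    """Parameters for put_metric_alarm: Sum of ELB-generated 4XX per period, alarm when above threshold."""
    params = {
        "AlarmName": alarm_name,
        "Namespace": "AWS/ApplicationELB",
        "MetricName": "HTTPCode_ELB_4XX_Count",
        "Dimensions": [{"Name": "LoadBalancer",
                        "Value": alb_dimension_from_arn(alb_arn)}],
        "Statistic": "Sum",
        "Period": period,
        "EvaluationPeriods": evaluation_periods,
        "Threshold": float(threshold),
        "ComparisonOperator": "GreaterThanThreshold",
        # A period with no 4XX data points means nothing went wrong, not missing data.
        "TreatMissingData": "notBreaching",
    }
    if sns_topic_arn:
        params["AlarmActions"] = [sns_topic_arn]
    return params


# Constructed ALB access log lines. Field order follows the ALB access log format:
# type time elb client:port target:port request_processing_time
# target_processing_time response_processing_time elb_status_code target_status_code ...
# A request the ALB timed out has no target and a "-" target_status_code.
SAMPLE_ACCESS_LOG = [
    'http 2021-08-06T07:47:26.000000Z app/my-alb/50dc6c495c0c9188 203.0.113.5:51234 '
    '10.0.1.20:8080 0.001 0.010 0.000 200 200 100 500 '
    '"GET http://example.internal:80/ HTTP/1.1" "curl/7.79" - - '
    'arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/tg/1 "Root=1-abc"',
    'http 2021-08-06T07:48:00.000000Z app/my-alb/50dc6c495c0c9188 203.0.113.6:52000 '
    '- -1 -1 -1 408 - 0 0 "- - - " "-" - - - "Root=1-def"',
    'http 2021-08-06T07:48:05.000000Z app/my-alb/50dc6c495c0c9188 203.0.113.7:52010 '
    '- -1 -1 -1 408 - 0 0 "- - - " "-" - - - "Root=1-ghi"',
]


def count_elb_status(lines):
    """Count elb_status_code values across access log lines; malformed lines are skipped."""
    counts = Counter()
    for line in lines:
        try:
            fields = shlex.split(line)   # honours the quoted request/user-agent fields
        except ValueError:
            continue
        if len(fields) > 8:
            counts[fields[8]] += 1
    return counts


def timeout_count(lines):
    """Number of requests the ALB answered with 408, i.e. the timeouts the question asks about."""
    return count_elb_status(lines)["408"]


if __name__ == "__main__":
    import boto3  # only needed to actually create the alarm
    alarm = build_4xx_alarm(
        "my-alb-elb-4xx",
        "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/my-alb/50dc6c495c0c9188",
        threshold=10,
        sns_topic_arn="arn:aws:sns:us-east-1:123456789012:alb-alerts")  # placeholder ARNs
    boto3.client("cloudwatch").put_metric_alarm(**alarm)
    print(count_elb_status(SAMPLE_ACCESS_LOG))
```

The alarm tells you that the load balancer itself started answering requests with 4XX codes; the access log breakdown tells you whether those were 408 timeouts or something else the ALB generated (malformed requests, 403s from a WAF rule and so on). If you want the alarm to fire only on timeouts, the usual route is a metric filter or Athena query over the access logs rather than the built-in metric.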

AWS PrivateLink Fargate 1.4:ResourceInitializationError:unable to pull secrets or registry auth:execution resource retrieval failed:ecr registry auth

I am a beginner at AWS services. I am getting this Error:
"ResourceInitializationError: unable to pull secrets or registry auth: execution resource retrieval failed: unable to retrieve ecr registry auth: service call has been retried 3 time(s): RequestError: send request failed caused by: Post https://api.ecr.us-east-1.amazonaws.com/: dial tcp 52..*.105:443: i/o timeout"
Some details that might help you help me:
Setting up "Run task" in 2 private subnets. (should it be one?)
In the "Run task", I am using the same security group associated with my VPC endpoints
In the Service , I am using the same security group associated with my VPC endpoints
I am using a "Network Only" cluster.
I am using a task definition of type "Fargate"
For the task definition container, I am leaving port mappings blank
For Task execution role in task definition I have: ecsTaskExecutionRole
I am leaving "Mesh integration"/"proxy configuration"/" FireLens integration" unchecked
Auto-assign public IP: "Disabled"
My goal is to run an instance of my app in a private subnet and connect it to AWS resources through PrivateLink. I DO NOT intend on setting up an internet gateway/NAT device/AWS direct connection/VPN. I am almost sure I am missing something. Thorough explanations will be highly appreciated. Thank you.

In AWS EC2 is there a way to view changes to the security rules?

I created a scaling server system in EC2, with which only the client has had issues in its deployment. The servers will randomly not be able to access outbound traffic, especially on ports 80 and 443.
I believe the client has maliciously done this to generate more work for me in developing system recovery code, which they didn't want to pay for.
I have admin access to their AWS account and I want to know if there's a log I can access that shows changes to the security group rules, specifically the outbound traffic.
The first option would be to inspect the CloudTrail Event history. The history stores only 90 days of events, unless you have enabled a full trail for the account.
CloudTrail is only for retrospective analysis. If you want ongoing monitoring of changes to your infrastructure, you could set up AWS Config, which provides a detailed view of changes and allows for automated response to unwanted changes.
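Since the question is specifically about outbound rules, the thing to look for in CloudTrail is the EC2 API calls that change security group rules, with the egress ones (AuthorizeSecurityGroupEgress and RevokeSecurityGroupEgress) being the relevant subset. The block below is an added example, not the answerer's code. It filters CloudTrail records by those event names and reports who made the change, from which IP, and on which group; the records are constructed samples shaped like CloudTrail's JSON (eventName, eventTime, userIdentity.arn, sourceIPAddress, requestParameters), with the ipPermissions layout modelled on what EC2 records. main() shows the equivalent lookup against the 90-day Event history with boto3's lookup_events, which only needs boto3 and credentials if you actually run it.

```python
"""Find security group rule changes in CloudTrail records (added example)."""
import json

EGRESS_EVENTS = {"AuthorizeSecurityGroupEgress", "RevokeSecurityGroupEgress"}
INGRESS_EVENTS = {"AuthorizeSecurityGroupIngress", "RevokeSecurityGroupIngress"}
OTHER_SG_EVENTS = {"ModifySecurityGroupRules", "CreateSecurityGroup", "DeleteSecurityGroup"}
ALL_SG_EVENTS = EGRESS_EVENTS | INGRESS_EVENTS | OTHER_SG_EVENTS

# Constructed sample records: a read-only call, an egress rule removal and an
# ingress rule addition. Account id, group id and IPs are made up.
SAMPLE_RECORDS = [
    {"eventTime": "2021-08-06T07:40:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "sourceIPAddress": "198.51.100.7", "requestParameters": {}},
    {"eventTime": "2021-08-06T07:45:12Z", "eventName": "RevokeSecurityGroupEgress",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
     "sourceIPAddress": "198.51.100.9",
     "requestParameters": {
         "groupId": "sg-0123456789abcdef0",
         "ipPermissions": {"items": [
             {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
              "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2021-08-06T07:50:01Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:role/deploy"},
     "sourceIPAddress": "198.51.100.9",
     "requestParameters": {
         "groupId": "sg-0123456789abcdef0",
         "ipPermissions": {"items": [
             {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
              "ipRanges": {"items": [{"cidrIp": "203.0.113.0/24"}]}}]}}},
]


def describe_rules(params):
    """Flatten requestParameters.ipPermissions into "proto/ports cidr" strings.

    Returns [] for calls that use another layout (e.g. ModifySecurityGroupRules).
    """
    rules = []
    for perm in (params.get("ipPermissions") or {}).get("items") or []:
        proto = perm.get("ipProtocol", "-1")
        frm, to = perm.get("fromPort"), perm.get("toPort")
        if frm is None:
            ports = "all"
        elif frm == to:
            ports = str(frm)
        else:
            ports = "%s-%s" % (frm, to)
        cidrs = [r.get("cidrIp") for r in (perm.get("ipRanges") or {}).get("items") or []]
        for cidr in cidrs or ["-"]:
            rules.append("%s/%s %s" % (proto, ports, cidr))
    return rules


def security_group_changes(records, egress_only=False):
    """Return one summary dict per record that changed security group rules, in input order."""
    wanted = EGRESS_EVENTS if egress_only else ALL_SG_EVENTS
    changes = []
    for rec in records:
        if rec.get("eventName") not in wanted:
            continue
        params = rec.get("requestParameters") or {}
        changes.append({
            "time": rec.get("eventTime"),
            "event": rec["eventName"],
            "actor": (rec.get("userIdentity") or {}).get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            "group_id": params.get("groupId"),
            "rules": describe_rules(params),
        })
    return changes


if __name__ == "__main__":
    import boto3  # only needed for the live Event history lookup
    ct = boto3.client("cloudtrail")
    paginator = ct.get_paginator("lookup_events")
    records = []
    for name in sorted(ALL_SG_EVENTS):  # lookup_events takes one attribute per call
        for page in paginator.paginate(
                LookupAttributes=[{"AttributeKey": "EventName", "AttributeValue": name}]):
            records.extend(json.loads(e["CloudTrailEvent"]) for e in page["Events"])
    for change in security_group_changes(records, egress_only=True):
        print(change)
```

The actor ARN and source IP are what settle the question's suspicion either way: a change made by a client user from an unexpected address looks very different from one made by an automation role. Event history only covers 90 days, as the answer says, so for anything older the records have to come from a trail's S3 objects, which hold the same record shape under a top-level "Records" list.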

AWS Neptune Host did not respond in a timely fashion - check the server status and submit again

I've gone through the whole start-up tutorial and connected to the TinkerPop3 server remotely from an EC2 instance that is in the same VPC, and get the error
gremlin> g.addV('person').property(id, '1').property('name', 'marko')
Host did not respond in a timely fashion - check the server status and submit again.
Type ':help' or ':h' for help.
Display stack trace? [yN]
Any reason this might be happening?
Let's try a couple of things to get you started with debugging the issue here:
Have you tried hitting the /status endpoint? If this endpoint is working, then there is a problem with the console configuration. If it isn't, then there is an issue with the connectivity of the EC2 instance to the DB.
Can you ensure that the EC2 instance has been launched with the same security group to which you gave inbound access on port 8182 on the DB (during step #8 in the setting-up instructions)?
Please ensure that your cluster and instance status is "available" as observed from the Neptune console.
The recommended way to manage such connections is to have two security groups:
client - A security group that you attach to all clients, like Lambdas, EC2 instances etc. The default outbound rule gives you outbound access to every resource in the VPC. You can tighten that if you'd like.
db - A security group that you should attach to your Neptune cluster. In this security group, edit the inbound rules and explicitly add a TCP rule that allows inbound connections to your database port (8182 is the default port).
You can attach the db security group to your cluster either during creation or by modifying existing clusters.