Monitor AWS Network Firewall with Datadog

Authors: Paul Gottschling, Jimmy Caputo, Anshum Garg

Published: November 17, 2020

AWS Network Firewall is a managed firewall for Amazon Virtual Private Cloud (VPC) that filters traffic with stateless and stateful rules and accepts Suricata-compatible intrusion detection and prevention rules. Customers use AWS Network Firewall to guard against unwanted traffic to and from their VPCs. Since AWS Network Firewall plays a key role within a VPC's overall network security architecture, it's important to monitor firewall traffic within the context of the VPC network as a whole, and to get fine-grained visibility into potential attacks.

Datadog is pleased to be a launch partner for AWS Network Firewall. With our new integration, which you can install with one click using CloudFormation, you can understand the performance of your VPC firewalls, discover trends in firewall traffic from all of your AWS accounts, and quickly detect threats to your network—all in one place.

Understand your firewall performance

Status page for an anomaly monitor based on the aws.networkfirewall.dropped_packets metric.

AWS Network Firewall provides a flexible configuration language for determining which packets to drop or pass downstream. Datadog’s integration helps you monitor traffic through your firewall so you can ensure that your configuration is working as expected. You can use the integration to monitor the number of received, dropped, and passed packets. And with built-in tags for the name of each firewall and availability zone—and whether a packet was processed by AWS Network Firewall’s stateful or stateless engines—you can group and filter your AWS Network Firewall metrics to quickly locate the source of a misconfiguration.

You can visualize AWS Network Firewall metrics alongside VPC metrics to understand how much traffic your firewall is filtering in relation to other network infrastructure running in your VPC. For example, you can compare the dropped packet metric from AWS Network Firewall (aws.networkfirewall.dropped_packets) with the metric for traffic accepted or rejected by security groups or Network Access Control Lists, aws.vpc.flowlogs.action, to see which parts of your network are screening out the most traffic and discover possible root causes for network-related issues.

The integration also makes it easy to spot unexpected surges or drops in traffic. You can use an anomaly monitor to alert your team automatically if, for instance, your firewall drops far more packets than intended, so you can investigate the issue as soon as possible.

Network flow logs provide fine-grained visibility into firewall traffic so you can effectively troubleshoot incidents. AWS Network Firewall can write network flow logs to Amazon S3, CloudWatch Logs, or Amazon Kinesis Data Firehose. These logs include network traffic data such as source and destination addresses, protocols, and values of TCP flags.

You can forward your AWS Network Firewall flow logs to Datadog using our easy-to-install Lambda function, using adjustable exclusion filters to ensure that you’re indexing a manageable volume of flow logs. Datadog will automatically enrich your flow logs with attributes, which you can then aggregate and filter using Log Analytics to view trends in network activity through your firewall.

For example, you can use the netflow.tcp.tcp_flags attribute—which indicates the values of the TCP flags within your firewall traffic in hexadecimal format—to identify a burst of abruptly reset connections (04), as shown below. This could mean that a process listening for these connections has crashed, or that your infrastructure is subject to a TCP reset attack.

A Log Analytics view showing the count of AWS Network Firewall flow logs grouped by TCP flag.

Use your firewall to detect threats

It’s crucial that you monitor your firewall to ensure that it’s blocking malicious traffic. You can use Datadog Security Monitoring to define Detection Rules that Datadog will use to identify potential threats within your AWS Network Firewall flow logs—regardless of whether your flow logs are indexed. In the screenshot below, Security Monitoring highlights a possible DoS attack on one AWS VPC, which it detected by tracking the frequency of traffic from the same IP address within a specific evaluation window.

A Security Signals view showing a possible DDOS attack within an AWS VPC.
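The two analyses described above, grouping flow logs by TCP flags to spot a burst of resets and tracking how often one source IP appears within an evaluation window, can be reproduced offline over raw AWS Network Firewall flow logs. The block below is an added example, not Datadog's or AWS's own code: it parses constructed JSON flow-log lines in the Suricata EVE-style shape the service writes (the field names under `event`, the firewall name and the addresses are assumptions), decodes the hexadecimal `tcp_flags` value, counts flows per flag combination, and flags any source whose event count in a sliding window reaches a threshold. The threshold and window length are illustrative, not values from the page.

```python
"""Group AWS Network Firewall flow logs by TCP flags and flag high-rate sources.

Added example, not Datadog or AWS code. The sample lines are constructed to
mirror the EVE-style JSON the service emits; field names under "event",
the firewall name and the IP addresses are assumptions.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# TCP flag bits in header order; "04" is the RST bit on its own.
TCP_FLAG_BITS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08),
                 ("ACK", 0x10), ("URG", 0x20), ("ECE", 0x40), ("CWR", 0x80)]

BASE_TIME = datetime(2020, 11, 17, 19, 42, 0, tzinfo=timezone.utc)


def decode_tcp_flags(hex_flags):
    """Names of the flags set in a hex tcp_flags value: "04" -> ["RST"]."""
    value = int(hex_flags, 16)
    return [name for name, bit in TCP_FLAG_BITS if value & bit]


def _record(offset_s, src_ip, dest_ip, tcp_flags):
    """Build one constructed flow-log line offset_s seconds after BASE_TIME."""
    ts = (BASE_TIME + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%S.%f%z")
    return json.dumps({
        "firewall_name": "vpc-edge-fw",          # assumed name
        "availability_zone": "us-east-1a",
        "event": {
            "timestamp": ts, "event_type": "netflow", "proto": "TCP",
            "src_ip": src_ip, "src_port": 40000, "dest_ip": dest_ip, "dest_port": 443,
            "tcp": {"tcp_flags": tcp_flags},
        },
    })


# Constructed sample: normal flows, a SYN-only burst from one external source,
# three abruptly reset connections, and a straggler from the same source later.
SAMPLE_LINES = [_record(*r) for r in [
    (0, "10.0.1.5", "10.0.2.10", "1b"),        # FIN|SYN|PSH|ACK: completed flows
    (5, "10.0.1.6", "10.0.2.10", "1b"),
    (12, "10.0.1.5", "10.0.2.11", "1b"),
    (20, "198.51.100.7", "10.0.2.10", "02"),   # six SYN-only flows in six seconds
    (21, "198.51.100.7", "10.0.2.10", "02"),
    (22, "198.51.100.7", "10.0.2.10", "02"),
    (23, "198.51.100.7", "10.0.2.10", "02"),
    (24, "198.51.100.7", "10.0.2.10", "02"),
    (25, "198.51.100.7", "10.0.2.10", "02"),
    (40, "10.0.1.7", "10.0.2.10", "04"),       # RST only: reset connections
    (41, "10.0.1.8", "10.0.2.10", "04"),
    (42, "10.0.1.9", "10.0.2.10", "04"),
    (200, "198.51.100.7", "10.0.2.10", "02"),  # outside a 60 s window
]]


def parse_flow_logs(lines):
    """Parse JSON lines into flat dicts with a timezone-aware timestamp."""
    records = []
    for line in lines:
        doc = json.loads(line)
        ev = doc["event"]
        records.append({
            "ts": datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z"),
            "src_ip": ev["src_ip"],
            "dest_ip": ev["dest_ip"],
            "tcp_flags": ev.get("tcp", {}).get("tcp_flags"),
            "firewall": doc["firewall_name"],
        })
    return records


def count_by_tcp_flags(records):
    """Flow count per tcp_flags value, like a Log Analytics group-by."""
    return Counter(r["tcp_flags"] for r in records if r["tcp_flags"] is not None)


def high_rate_sources(records, threshold, window_s):
    """{src_ip: peak_count} for sources with >= threshold events inside any
    window_s-second span. Two-pointer sweep over each source's sorted times."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src_ip"]].append(r["ts"])
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        peak = left = 0
        for right, t in enumerate(times):
            while (t - times[left]).total_seconds() > window_s:
                left += 1            # drop events older than the window
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    recs = parse_flow_logs(SAMPLE_LINES)
    for flags, n in count_by_tcp_flags(recs).most_common():
        print(f"tcp_flags={flags} ({'|'.join(decode_tcp_flags(flags))}): {n}")
    print(high_rate_sources(recs, threshold=5, window_s=60))
```

The sliding window keeps events within `[t - window_s, t]` of each event, so a source whose burst straddles a fixed bucket boundary is still caught; a fixed-bucket count would miss half of it. Tune the threshold to the peak rate a legitimate client in your environment produces before treating a hit as a signal.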

A watchtower for your firewall

Datadog's AWS Network Firewall integration gives you deep visibility into traffic through your VPC. You can monitor AWS Network Firewall alongside AWS VPC and over 400 other technologies to ensure that the infrastructure running in your cloud-based networks is performing as expected.