---
id: network-firewall
title: AWS Network Firewall
description: The Sumo Logic App for AWS Network Firewall provides visibility into traffic flows and alerts generated by AWS Network Firewall.
slug: /help/docs/integrations/amazon-aws/network-firewall/
canonical: https://www.sumologic.com/help/docs/integrations/amazon-aws/network-firewall/
---
import useBaseUrl from '@docusaurus/useBaseUrl';
The AWS Network Firewall application provides visibility into traffic flows and alerts generated by AWS Network Firewall.
## Log types
The AWS Network Firewall application uses the Netflow and Alert logs generated by AWS Network Firewall.
### Prerequisites
Before you begin, you must:
1. Enable logging from the AWS Network Firewall to an Amazon S3 bucket as described in the [AWS Network Firewall documentation](https://docs.aws.amazon.com/network-firewall/latest/developerguide/logging-s3.html).
2. Confirm that logs are being delivered to the S3 bucket.
3. [Grant Sumo Logic Access to the Amazon S3 Bucket](/docs/send-data/hosted-collectors/amazon-aws/grant-access-aws-product).
## Collecting logs for AWS Network Firewall
This section has instructions for collecting logs for the Sumo Logic App for AWS Network Firewall Logs.
### Enable S3 Ingestion
Follow the steps to create an [Amazon S3 Source](/docs/send-data/hosted-collectors/amazon-aws/aws-s3-source).
The following is an example of a path expression that supports ingesting alerts.
### Sample log messages
This section provides examples of AWS Network Firewall Alert and Netflow log messages.
```json title="AWS Network Firewall Alert log"
{
"firewall_name": "example-firewall",
"availability_zone": "us-west-1b",
"event_timestamp": "1604597216",
"event": {
"timestamp": "2020-11-05T17:26:56.075365+0000",
"flow_id": 1552126922778600,
"event_type": "alert",
"src_ip": "10.0.0.227",
"src_port": 55188,
"dest_ip": "13.227.75.102",
"dest_port": 80,
"proto": "TCP",
"tx_id": 0,
"alert": {
"action": "allowed",
"signature_id": 5,
"rev": 0,
"signature": "Malicious User Agent",
"category": "",
"severity": 1
},
"http": {
"hostname": "www.somehackerurl.com",
"url": "/",
"http_user_agent": "hacker-tool-user-agent",
"http_method": "GET",
"protocol": "HTTP/1.1",
"length": 0
},
"app_proto": "http"
}
}
```
```json title="AWS Network Firewall Netflow log"
{
"firewall_name": "example-firewall",
"availability_zone": "us-west-1b",
"event_timestamp": "1604598416",
"event": {
"timestamp": "2020-11-05T17:46:56.003583+0000",
"flow_id": 554650891867171,
"event_type": "netflow",
"src_ip": "209.115.181.113",
"src_port": 123,
"dest_ip": "10.0.0.227",
"dest_port": 60642,
"proto": "UDP",
"app_proto": "ntp",
"netflow": {
"pkts": 1,
"bytes": 90,
"start": "2020-11-05T17:41:54.611363+0000",
"end": "2020-11-05T17:41:54.675362+0000",
"age": 0,
"min_ttl": 43,
"max_ttl": 238
}
}
}
```
### Sample queries
This section provides a sample query from the **Traffic By Application** panel on the **AWS Network Firewall - Netflow Overview** dashboard.
```sumo
_sourceCategory=aws/vanta/*
| json "firewall_name", "availability_zone", "event" nodrop
| json field=event "event_type", "src_ip", "src_port", "dest_ip", "dest_port", "proto", "app_proto", "netflow" nodrop
| json field=netflow "bytes", "pkts" nodrop
| where event_type="netflow"
| timeslice 15m
| count _timeslice, app_proto
| transpose row _timeslice column app_proto
```
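The following added example (not part of the Sumo Logic app or its documentation) reproduces the Traffic By Application count offline over records shaped like the sample messages above, and also lists alert records whose `action` is `allowed`, as in the sample Alert log. The function names, `SAMPLE_LINES`, the `unknown` label for a missing `app_proto`, and bucketing on `event.timestamp` are assumptions of this example.

```python
import json
from collections import Counter
from datetime import datetime

def _rec(ts, event_type, **fields):
    """Build one constructed log line shaped like the samples above."""
    event = {"timestamp": ts, "event_type": event_type, **fields}
    return json.dumps({"firewall_name": "example-firewall", "event": event})

SAMPLE_LINES = [  # constructed sample input, modelled on the page's sample messages
    _rec("2020-11-05T17:26:56.075365+0000", "alert", src_ip="10.0.0.227", dest_ip="13.227.75.102",
         alert={"action": "allowed", "signature": "Malicious User Agent", "severity": 1}),
    _rec("2020-11-05T17:31:02.000000+0000", "alert", src_ip="10.0.0.228", dest_ip="13.227.75.102",
         alert={"action": "blocked", "signature": "Malicious User Agent", "severity": 1}),
    _rec("2020-11-05T17:46:56.003583+0000", "netflow", src_ip="209.115.181.113",
         dest_ip="10.0.0.227", app_proto="ntp", netflow={"pkts": 1, "bytes": 90}),
    _rec("2020-11-05T17:50:10.000000+0000", "netflow", src_ip="10.0.0.227",
         dest_ip="13.227.75.102", netflow={"pkts": 4, "bytes": 512}),
    "not json",  # malformed line; the parser skips it
]

def parse_events(lines):
    """Yield the inner `event` object of every well-formed record."""
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and isinstance(rec.get("event"), dict):
            yield rec["event"]

def timeslice(ts, minutes=15):
    """Floor an event timestamp to the start of its bucket (HH:MM)."""
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")
    return t.replace(minute=t.minute - t.minute % minutes).strftime("%H:%M")

def traffic_by_application(lines):
    """Count netflow records per (15-minute slice, app_proto), as the query does."""
    counts = Counter()
    for ev in parse_events(lines):
        if ev.get("event_type") == "netflow":
            counts[(timeslice(ev["timestamp"]), ev.get("app_proto", "unknown"))] += 1
    return counts

def allowed_alerts(lines):
    """Return (src_ip, dest_ip, signature) for alerts the firewall let through."""
    return [(ev.get("src_ip"), ev.get("dest_ip"), ev["alert"].get("signature"))
            for ev in parse_events(lines) if ev.get("event_type") == "alert"
            and isinstance(ev.get("alert"), dict) and ev["alert"].get("action") == "allowed"]
```

An alert with `action` set to `allowed` means a rule matched but the traffic still passed, so these records are the ones to review first.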
## Installing the AWS Network Firewall App
This section provides instructions for installing the Sumo Logic App for AWS Network Firewall.
import AppInstallV2 from '../../reuse/apps/app-install-v2.md';
## Viewing AWS Network Firewall dashboards
import ViewDashboards from '../../reuse/apps/view-dashboards.md';
### Netflow Overview
The **AWS Network Firewall - Netflow Overview** dashboard provides visibility into network flows traversing the firewall. This includes visibility into traffic by application, protocol, traffic over time, and top connections.
Use this dashboard to:
* Monitor traffic types and rates traveling through the firewall.
* Gain visibility into common protocols and hosts in use behind the firewall.
### IDS Overview
The **AWS Network Firewall - IDS Overview** dashboard provides visibility into alerts generated by the firewall rules. This includes geolocation information on top destinations, alerts over time, correlation with Sumo Logic [threat intelligence](/docs/security/threat-intelligence/) data, and top systems blocked.
Use this dashboard to:
* Gain visibility into alerts generated by the AWS Network Firewall, including location information from top destinations.
* Gain visibility into traffic from malicious IPs determined by correlating AWS Network Firewall data with Sumo Logic [threat intelligence](/docs/security/threat-intelligence/) data.