View VPC Flow Logs
CloudGuard Dome9 VPC flow logs provides an easy-to-use, context-aware visualization of VPC flow logs. This visualization makes it easy to identify blocked or accepted traffic for analysis or connectivity debugging.
Using CloudGuard Dome9 VPC flow logs reduces the time and analysis effort required to extract useful information from flow logs.
To use VPC flow logs, you must first set them up as explained in VPC Flow Logs Setup Instructions.
Once properly set up, the VPC flow logs visualization is accessible through Clarity (in the future it will also be accessible through CloudGuard Dome9 Central).
To view VPC flow logs, in the Clarity VPC view:
- Click VPC Flow logs. This fetches the VPC flow logs if they were enabled for the VPC.
- For each Security Group, an indicator appears showing the amount of rejected traffic.
- Click a Security Group. The relevant records are presented in a context-aware, easy-to-consume format.
- Each line also offers additional operations, such as applying a filter or showing the location, depending on whether the record is Accepted or Rejected traffic.
Note that the filter can be a complex one using the AWS CloudWatch Filter syntax. For example, the following filter can be used:
[version, accountid, interfaceid, srcaddr, dstaddr, srcport!=22 && srcport!=80 && srcport!=443 && srcport!=3389, distport==22 && distport!=80, protocol, packets, bytes, start, end, action=ACCEPT, logstatus]
When using this filtering method, the traffic action selector must be set to ALL, so that Clarity does not add its own action filter and break the query.
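To preview which traffic the filter above selects before pasting it into Clarity, the following added example (not part of the original article, and not Dome9 or AWS code) evaluates it locally against constructed flow log records in the default 14-field format. It is a simplified matcher that supports only `&&`, `=`/`==` and `!=` with exact values; treating `==` as equality is an assumption taken from the filter as written, and `parse_filter`, `matches` and `select` are hypothetical helper names.

```python
import re

# Filter copied from the article; the names are positional labels only.
PAGE_FILTER = (
    "[version, accountid, interfaceid, srcaddr, dstaddr, "
    "srcport!=22 && srcport!=80 && srcport!=443 && srcport!=3389, "
    "distport==22 && distport!=80, protocol, packets, bytes, "
    "start, end, action=ACCEPT, logstatus]"
)

# Constructed sample records (default 14-field flow log format).
SAMPLE_RECORDS = [
    "2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.5 49152 22 6 20 4249 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.5 49153 22 6 3 180 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.5 203.0.113.10 22 49152 6 18 3900 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.5 443 22 6 1 40 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA",
]

# "==" is listed first so it is not read as "=" followed by "=22".
_TERM = re.compile(r"^\s*\w+\s*(==|!=|=)\s*(\S+)\s*$")

def parse_filter(pattern):
    """Return, per positional field, a list of (operator, value) conditions."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("expected a [field, field, ...] filter")
    fields = []
    for spec in body[1:-1].split(","):
        conds = []
        for term in spec.split("&&"):
            m = _TERM.match(term)
            if m:
                conds.append((m.group(1), m.group(2)))
            elif not term.strip().isidentifier():  # bare label = no constraint
                raise ValueError(f"unsupported term: {term.strip()!r}")
        fields.append(conds)
    return fields

def matches(fields, record):
    """True if every condition holds for the field at the same position."""
    values = record.split()
    if len(values) != len(fields):
        return False
    return all((value == want) != (op == "!=")
               for conds, value in zip(fields, values) for op, want in conds)

def select(pattern, records):
    fields = parse_filter(pattern)
    return [r for r in records if matches(fields, r)]
```

Only the first sample record is kept: the rejected attempt, the return traffic from port 22, the connection sourced from port 443 and the NODATA record are all dropped.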