AWS network-firewall documentation change
Summary
Added 'aws_category' log field and examples showing URL/Domain category filtering in alert and TLS logs.
Security assessment
The change documents enhanced logging capabilities for security monitoring (category-based filtering), improving visibility into traffic classification. However, it doesn't address a specific vulnerability.
Diff
diff --git a/network-firewall/latest/developerguide/firewall-logging-contents.md b/network-firewall/latest/developerguide/firewall-logging-contents.md index 6786ebd03..370490d58 100644 --- a//network-firewall/latest/developerguide/firewall-logging-contents.md +++ b//network-firewall/latest/developerguide/firewall-logging-contents.md @@ -14,0 +15,2 @@ The Network Firewall logs contain the following information: + * **aws_category** – For rules using URL or Domain Category filtering, contains the matched categories in JSON array format. For example, ["Search Engines and Portals"] or ["Technology and Internet"]. + @@ -70,0 +73,64 @@ The following listing shows an example alert log entry for Network Firewall. +###### Example alert log entry with URL and Domain Category enabled + + + { + "firewall_name": "test-firewall", + "availability_zone": "us-east-1b", + "event_timestamp": "1762217722", + "event": { + "aws_category": "[\"Search Engines and Portals\"]", + "tx_id": 2, + "app_proto": "http2", + "src_ip": "10.0.100.55", + "src_port": 54878, + "event_type": "alert", + "alert": { + "severity": 3, + "signature_id": 6, + "rev": 0, + "signature": "", + "action": "blocked", + "category": "" + }, + "flow_id": 643336554233439, + "dest_ip": "64.233.180.147", + "proto": "TCP", + "verdict": { + "action": "drop" + }, + "http": { + "version": "2", + "request_headers": [{ + "name": ":method", + "value": "GET" + }, { + "name": ":scheme", + "value": "https" + }, { + "name": ":authority", + "value": "www.google.com" + }, { + "name": ":path", + "value": "/" + }, { + "name": "user-agent", + "value": "curl/8.11.1" + }, { + "name": "accept", + "value": "*/*" + }], + "http_user_agent": "curl/8.11.1", + "url": "/", + "http_method": "GET", + "http2": { + "stream_id": 1, + "request": {}, + "response": {} + } + }, + "dest_port": 443, + "timestamp": "2025-12-31T00:55:22.870721+0000", + "direction": "to_server" + } + } + @@ -94,0 +161,39 @@ The following listing shows an example TLS log entry for a failed certificate re +###### Example TLS log entry with URL and Domain Category enabled + + + { + "firewall_name": "test-firewall", + "availability_zone": "us-east-1b", + "event_timestamp": "1763508615", + "event": { + "aws_category": "[\"Technology and Internet\"]", + "tx_id": 0, + "app_proto": "tls", + "src_ip": "10.0.100.55", + "src_port": 44474, + "event_type": "alert", + "alert": { + "severity": 3, + "signature_id": 6, + "rev": 0, + "signature": "", + "action": "blocked", + "category": "" + }, + "flow_id": 1972143099170468, + "dest_ip": "192.178.155.113", + "proto": "TCP", + "verdict": { + "action": "drop" + }, + "tls": { + "sni": "developers.google.com", + "version": "UNDETERMINED" + }, + "dest_port": 443, + "pkt_src": "geneve encapsulation", + "timestamp": "2025-11-18T23:30:15.006867+0000", + "direction": "to_server" + } + } +