CloudGuard Dome9 Help

VPC Flow Logs


You can see the traffic into and out of, and within, your AWS VPCs on the Dome9 console. You can select traffic for any of your VPCs, and then filter for specific flow items of interest. Dome9 extracts this information from the cloud platform, and enriches it with contextual information such as source and target names (if they are labelled).

The displayed information can also be exported to a file.

VPC flows can also be seen from the Clarity view (see Clarity).

Note: This feature is available for AWS VPCs only.

Benefits

  • console view of all VPC network & flows (on all cloud providers, all accounts, regions)

  • view of flow within network context (in Clarity, for AWS only)

  • variety of filters/search to narrow the scope, look for specific flows of interest

Use-cases

Here are some typical use-cases for viewing VPC flow logs:

  • investigate incidents, using network traffic in the VPC

  • filter traffic for specific network elements

Actions

Your AWS cloud account must be configured for VPC flow logs in order to view them on the Dome9 console. This is done on the AWS console, in the VPC Dashboard.

  1. Create a VPC flow log on AWS for our VPC. Follow the steps described in https://aws.amazon.com/blogs/aws/vpc-flow-logs-log-and-view-network-traffic-flows/ to enable flow logs for a specific VPC. This step must be done for each VPC for which you wish to view flow logs.

    Considerations for VPC flow logs

    You can log all traffic in your VPC, or filter for Accepted or Rejected traffic. If you choose to log all traffic, we recommend you create two flow logs, one for Rejected traffic, and one for all traffic. Rejected traffic is typically significantly lower than the total traffic, so logging this will have less of an effect on performance. Dome9 will query AWS for the relevant log according the filters you select when displaying the logs

  2. Enable the IAM policy for the Dome9 user on AWS(this is relevant for AWS for accounts that were added before Sep-2015). On the AWS console, select the IAM Dashboard.

    1. In the AWS IAM Dashboard, select Roles (on the left), and select the Dome9-Connect role.

    2. Check that the dome9-readonly-policy appears in the Permissions tab for this role. If either the role or the policy do not appear, the AWS account has not been completely onboarded to Dome9 - check or repeat the procedure in Onboard an AWS Account.

View flows for any of your VPCs, in any of your cloud accounts.

  1. Select the VPC (account, region, assets), and the time period (back from present time, or click the CUSTOM DATE link to select specific date & time).

  2. A list of entries for the selected VPC is shown. Each entry represents a flow.

  3. Hover over an entry for additional details.

Icon

Action

show IP address

show geolocation, hostname, and network, of the host

filter for this value

not this value (i.e., other than)

You can filter the flow list to show entries of interest. The filter options are at the top of the list

Filter options:

  • Select the VPC & instance - this is the primary filter

  • Select specific values for one of the columns (click on the terms, or enter as free text)

  • Add terms to build up the filter. As you add terms, the list of flows is incrementally filtered (the result is the AND of all selections):

  • Filter on specific value(s) of a field: press next to the value to filter for entries with this value

You can see flow logs from the Clarity view as well

  1. Open the Clarity NG viewer, and select the VPC, and select the SECURITY GROUPS view.

  2. Enable VPC Flow Logs.

  3. Security Groups will indicate rejected packets.

  4. Click to open a view of the flow logs.

See also

Onboard an AWS Account

Clarity

 

 

06 November 2019
© 2019 Check Point Software Technologies Ltd. All rights reserved.