Lab 1 - Verify Firewall Resources

This lab assumes you have deployed AWS Network Firewall using the Distributed Deployment Model Setup. The same steps apply to the Centralized Deployment Model. Resource names may vary depending on the CloudFormation stack name you provided.

In this lab, we'll verify the AWS Network Firewall and the other resources previously provisioned as part of the 2.1.1 Setup.

Step 1 - List Firewalls

Since we have already provisioned an AWS Network Firewall as part of the Setup instructions, let's verify the policy and rule groups created by the CloudFormation template.

AWS Network Firewall is listed under VPC in the AWS Web console:

lab1_step1_figure1

In the AWS Web Console, click on VPC -> Firewalls to list the currently provisioned firewalls.

lab1_step1_figure2

Step 2 - Firewall Details

Click on the aws-network-firewall-anfw-distributed-demo Firewall to see more details.

lab1_step2_figure1

At this step, review the following information:

  1. What is the current status of the Firewall?
  2. What policy has been associated with the Firewall?
  3. What is the default Stateless action?
  4. What Stateful rules are configured in the policy mentioned above?

Click on the Firewall details tab:

lab1_step2_figure2

The Firewall details tab provides the following details:

  • Details of the Firewall endpoints and their status
  • Logging configuration, showing the Flow/Alert log types and the CloudWatch Log Group settings
  • Tags

Step 3 - Firewall Monitoring details

Click on the Monitoring tab:

lab1_step3_figure1

This tab provides Firewall metrics, for example:

  • How many packets were received/passed/dropped by Firewall Stateless inspection
  • How many packets were received/passed/dropped by Firewall Stateful inspection
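The checks from Steps 1 to 3 (firewall status, associated policy, stateless default action, stateful rule groups, endpoint status and logging configuration) can also be answered from the API instead of the console. The following is an added example, not part of the workshop material: it evaluates constructed sample responses shaped like the DescribeFirewall, DescribeFirewallPolicy and DescribeLoggingConfiguration results (field names assumed from the boto3 network-firewall client), and the same function can be fed live responses when boto3 and credentials are available.

```python
# Constructed sample API responses (values invented; endpoint IDs, ARNs and account
# number are placeholders). Field names assumed from the boto3 network-firewall client.
SAMPLE_FIREWALL = {
    "Firewall": {"FirewallName": "aws-network-firewall-anfw-distributed-demo",
                 "FirewallPolicyArn": "arn:aws:network-firewall:us-west-2:111122223333:firewall-policy/demo-policy"},
    "FirewallStatus": {"Status": "READY", "ConfigurationSyncStateSummary": "IN_SYNC",
                       "SyncStates": {"us-west-2a": {"Attachment": {"EndpointId": "vpce-0a1b2c3d", "Status": "READY"}},
                                      "us-west-2b": {"Attachment": {"EndpointId": "vpce-0e5f6a7b", "Status": "CREATING"}}}},
}
SAMPLE_POLICY = {"FirewallPolicy": {
    "StatelessDefaultActions": ["aws:forward_to_sfe"],
    "StatefulRuleGroupReferences": [{"ResourceArn": "arn:aws:network-firewall:us-west-2:111122223333:stateful-rulegroup/demo-stateful"}]}}
SAMPLE_LOGGING = {"LoggingConfiguration": {"LogDestinationConfigs": [
    {"LogType": "ALERT", "LogDestinationType": "CloudWatchLogs", "LogDestination": {"logGroup": "/anfw/alert"}}]}}


def check_firewall(firewall: dict, policy: dict, logging: dict) -> dict:
    """Answer the lab's review questions from API responses and list anything not ready."""
    status = firewall["FirewallStatus"]
    endpoints = {az: s["Attachment"]["Status"] for az, s in status["SyncStates"].items()}
    log_types = {c["LogType"] for c in logging["LoggingConfiguration"]["LogDestinationConfigs"]}
    findings = {
        "status": status["Status"],
        "policy_arn": firewall["Firewall"]["FirewallPolicyArn"],
        "stateless_default_actions": policy["FirewallPolicy"]["StatelessDefaultActions"],
        "stateful_rule_groups": [r["ResourceArn"] for r in policy["FirewallPolicy"]["StatefulRuleGroupReferences"]],
        "endpoints": endpoints,
        "log_types": sorted(log_types),
    }
    problems = []
    if status["Status"] != "READY":
        problems.append(f"firewall status is {status['Status']}")
    # Each AZ endpoint must be READY before traffic in that AZ is actually inspected.
    problems += [f"endpoint in {az} is {st}" for az, st in endpoints.items() if st != "READY"]
    # Both ALERT and FLOW logging are expected so that drops and sessions are both visible.
    for wanted in ("ALERT", "FLOW"):
        if wanted not in log_types:
            problems.append(f"{wanted} logging is not configured")
    findings["problems"] = problems
    return findings


def check_live_firewall(name: str, region: str) -> dict:
    """Run the same check against a real account (needs boto3 and AWS credentials)."""
    import boto3  # imported here so the offline sample check works without boto3 installed
    nfw = boto3.client("network-firewall", region_name=region)
    fw = nfw.describe_firewall(FirewallName=name)
    policy = nfw.describe_firewall_policy(FirewallPolicyArn=fw["Firewall"]["FirewallPolicyArn"])
    logging = nfw.describe_logging_configuration(FirewallName=name)
    return check_firewall(fw, policy, logging)


if __name__ == "__main__":
    print(check_firewall(SAMPLE_FIREWALL, SAMPLE_POLICY, SAMPLE_LOGGING))
```

On the constructed sample the result flags the second AZ endpoint as still CREATING and the missing FLOW log destination, which is exactly what you would look for on the Firewall details tab.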

Step 4 - List and verify EC2 instance

  • The CloudFormation stack for the Distributed Deployment Model Setup creates EC2 instances named test-instance-* in the Private Subnet of each AZ. In this step, we will review the EC2 instance details.

  • EC2 instances are listed under EC2 in the AWS Web console. Open the Amazon EC2 console in the region where you created your Distributed Deployment Model Setup and verify that the EC2 instances are listed and running.

  • Amazon EC2 console in Oregon:

lab1_step4_figure1

  • Verify you can connect to the EC2 instance:

    • Select one of the instances, test-instance-1-anfw-distributed-demo or test-instance-2-anfw-distributed-demo (instance names may vary depending on the CloudFormation stack name you provided), and click on Connect:

    lab1_step4_figure2

    • Select Session Manager and click on Connect:

    lab1_step4_figure3

    • You should see a new browser tab open like the one below:

    lab1_step4_figure4

    • You are now connected to the EC2 instance. You can end the session by clicking on Terminate:

    lab1_step4_figure5

    • Repeat the steps for the second instance as required.

Now we are ready to proceed with the next exercise. Press Next (the right arrow) on this page.