Class CfnFirewallPolicy.FirewallPolicyProperty
The traffic filtering behavior of a firewall policy, defined in a collection of stateless and stateful rule groups and other settings.
Namespace: Amazon.CDK.AWS.NetworkFirewall
Assembly: Amazon.CDK.AWS.NetworkFirewall.dll
Syntax (csharp)
public class FirewallPolicyProperty : Object, CfnFirewallPolicy.IFirewallPolicyProperty
Syntax (vb)
Public Class FirewallPolicyProperty
Inherits Object
Implements CfnFirewallPolicy.IFirewallPolicyProperty
Examples
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
using System.Collections.Generic; // for Dictionary used in PolicyVariables
using Amazon.CDK.AWS.NetworkFirewall;

var firewallPolicyProperty = new FirewallPolicyProperty {
    StatelessDefaultActions = new [] { "statelessDefaultActions" },
    StatelessFragmentDefaultActions = new [] { "statelessFragmentDefaultActions" },

    // the properties below are optional
    PolicyVariables = new PolicyVariablesProperty {
        RuleVariables = new Dictionary<string, object> {
            { "ruleVariablesKey", new Dictionary<string, string[]?> {
                { "definition", new [] { "definition" } }
            } }
        }
    },
    StatefulDefaultActions = new [] { "statefulDefaultActions" },
    StatefulEngineOptions = new StatefulEngineOptionsProperty {
        RuleOrder = "ruleOrder",
        StreamExceptionPolicy = "streamExceptionPolicy"
    },
    StatefulRuleGroupReferences = new [] { new StatefulRuleGroupReferenceProperty {
        ResourceArn = "resourceArn",

        // the properties below are optional
        Override = new StatefulRuleGroupOverrideProperty {
            Action = "action"
        },
        Priority = 123
    } },
    StatelessCustomActions = new [] { new CustomActionProperty {
        ActionDefinition = new ActionDefinitionProperty {
            PublishMetricAction = new PublishMetricActionProperty {
                Dimensions = new [] { new DimensionProperty {
                    Value = "value"
                } }
            }
        },
        ActionName = "actionName"
    } },
    StatelessRuleGroupReferences = new [] { new StatelessRuleGroupReferenceProperty {
        Priority = 123,
        ResourceArn = "resourceArn"
    } }
};
Synopsis
Constructors
FirewallPolicyProperty() |
Properties
PolicyVariables | Contains variables that you can use to override default Suricata settings in your firewall policy.
StatefulDefaultActions | The default actions to take on a packet that doesn't match any stateful rules.
StatefulEngineOptions | Additional options governing how Network Firewall handles stateful rules.
StatefulRuleGroupReferences | References to the stateful rule groups that are used in the policy.
StatelessCustomActions | The custom action definitions that are available for use in the firewall policy's StatelessDefaultActions setting.
StatelessDefaultActions | The actions to take on a packet if it doesn't match any of the stateless rules in the policy.
StatelessFragmentDefaultActions | The actions to take on a fragmented packet if it doesn't match any of the stateless rules in the policy.
StatelessRuleGroupReferences | References to the stateless rule groups that are used in the policy.
Constructors
FirewallPolicyProperty()
public FirewallPolicyProperty()
Properties
PolicyVariables
Contains variables that you can use to override default Suricata settings in your firewall policy.
public object PolicyVariables { get; set; }
Property Value
System.Object
StatefulDefaultActions
The default actions to take on a packet that doesn't match any stateful rules.
public string[] StatefulDefaultActions { get; set; }
Property Value
System.String[]
Remarks
The stateful default action is optional, and is only valid when using the strict rule order.
Valid values of the stateful default action:
For more information, see Strict evaluation order in the AWS Network Firewall Developer Guide.
StatefulEngineOptions
Additional options governing how Network Firewall handles stateful rules.
public object StatefulEngineOptions { get; set; }
Property Value
System.Object
Remarks
The stateful rule groups that you use in your policy must have stateful rule options settings that are compatible with these settings.
StatefulRuleGroupReferences
References to the stateful rule groups that are used in the policy.
public object StatefulRuleGroupReferences { get; set; }
Property Value
System.Object
Remarks
These define the inspection criteria in stateful rules.
StatelessCustomActions
The custom action definitions that are available for use in the firewall policy's StatelessDefaultActions setting.
public object StatelessCustomActions { get; set; }
Property Value
System.Object
Remarks
You name each custom action that you define, and then you can use it by name in your default actions specifications.
StatelessDefaultActions
The actions to take on a packet if it doesn't match any of the stateless rules in the policy.
public string[] StatelessDefaultActions { get; set; }
Property Value
System.String[]
Remarks
If you want non-matching packets to be forwarded for stateful inspection, specify aws:forward_to_sfe.
You must specify one of the standard actions: aws:pass, aws:drop, or aws:forward_to_sfe. In addition, you can specify custom actions that are compatible with your standard action choice.
For example, you could specify ["aws:pass"] or you could specify ["aws:pass", "customActionName"]. For information about compatibility, see the custom action descriptions.
StatelessFragmentDefaultActions
The actions to take on a fragmented packet if it doesn't match any of the stateless rules in the policy.
public string[] StatelessFragmentDefaultActions { get; set; }
Property Value
System.String[]
Remarks
If you want non-matching fragmented packets to be forwarded for stateful inspection, specify aws:forward_to_sfe.
You must specify one of the standard actions: aws:pass, aws:drop, or aws:forward_to_sfe. In addition, you can specify custom actions that are compatible with your standard action choice.
For example, you could specify ["aws:pass"] or you could specify ["aws:pass", "customActionName"]. For information about compatibility, see the custom action descriptions.
StatelessRuleGroupReferences
References to the stateless rule groups that are used in the policy.
public object StatelessRuleGroupReferences { get; set; }
Property Value
System.Object
Remarks
These define the matching criteria in stateless rules.
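The property descriptions above (stateless and fragment default actions, the strict-order requirement for a stateful default action, and the rule group references) fit together into one policy. The following is an added example written for this page, not code from the CDK documentation or the aws-cdk project: it builds a default-deny policy in which traffic the stateless rules do not decide is forwarded to the stateful engine, stateful rules run in strict order, and anything no stateful rule explicitly passes is dropped. The stack and construct names are arbitrary, the rule group ARNs are placeholders, and the values STRICT_ORDER, DROP and aws:drop_strict are taken from the Network Firewall API rather than from this page.

```csharp
// Added example (not from the CDK docs): a default-deny FirewallPolicyProperty.
// Stack/construct names are arbitrary; rule group ARNs are placeholders.
using System.Collections.Generic;
using Amazon.CDK;
using Amazon.CDK.AWS.NetworkFirewall;
using Constructs;

public class FirewallPolicyStack : Stack
{
    public FirewallPolicyStack(Construct scope, string id, IStackProps props = null)
        : base(scope, id, props)
    {
        // Placeholder ARNs: replace with the ARNs of your own rule groups.
        var statelessGroupArn = "arn:aws:network-firewall:REGION:ACCOUNT:stateless-rulegroup/PLACEHOLDER";
        var statefulGroupArn = "arn:aws:network-firewall:REGION:ACCOUNT:stateful-rulegroup/PLACEHOLDER";

        var policy = new CfnFirewallPolicy.FirewallPolicyProperty
        {
            // Packets and fragments that no stateless rule matches are handed to the
            // stateful engine rather than being passed or dropped outright.
            StatelessDefaultActions = new[] { "aws:forward_to_sfe" },
            StatelessFragmentDefaultActions = new[] { "aws:forward_to_sfe" },

            StatelessRuleGroupReferences = new[]
            {
                new CfnFirewallPolicy.StatelessRuleGroupReferenceProperty
                {
                    ResourceArn = statelessGroupArn,
                    Priority = 10
                }
            },

            // Strict order evaluates stateful rules in the order given; it is also the
            // only mode in which a stateful default action is valid (see the remarks above).
            StatefulEngineOptions = new CfnFirewallPolicy.StatefulEngineOptionsProperty
            {
                RuleOrder = "STRICT_ORDER",
                // Drop traffic from connections the engine can no longer track (broken midstream).
                StreamExceptionPolicy = "DROP"
            },
            // Default-deny: a packet that no stateful rule explicitly passes is dropped.
            StatefulDefaultActions = new[] { "aws:drop_strict" },

            StatefulRuleGroupReferences = new[]
            {
                new CfnFirewallPolicy.StatefulRuleGroupReferenceProperty
                {
                    ResourceArn = statefulGroupArn,
                    Priority = 1
                }
            }
        };

        // Attach the property to an L1 CfnFirewallPolicy resource.
        new CfnFirewallPolicy(this, "Policy", new CfnFirewallPolicyProps
        {
            FirewallPolicyName = "default-deny-policy",
            FirewallPolicy = policy
        });
    }
}
```

Choosing aws:forward_to_sfe for both stateless defaults keeps the stateless layer from silently passing traffic it has no rule for, and the combination of strict order with aws:drop_strict turns the policy into an allow-list: the stateful rule groups referenced by ARN must explicitly pass a flow for it to get through.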