Class: Aws::NetworkFirewall::Types::AnalysisResult

Inherits:

Struct

• Object
• Struct
• Aws::NetworkFirewall::Types::AnalysisResult

Defined in:

gems/aws-sdk-networkfirewall/lib/aws-sdk-networkfirewall/types.rb

Overview

The analysis result for Network Firewall's stateless rule group analyzer. Every time you call CreateRuleGroup, UpdateRuleGroup, or DescribeRuleGroup on a stateless rule group, Network Firewall analyzes the stateless rule groups in your account and identifies the rules that might adversely effect your firewall's functionality. For example, if Network Firewall detects a rule that's routing traffic asymmetrically, which impacts the service's ability to properly process traffic, the service includes the rule in a list of analysis results.

See Also:

• AWS API Documentation

Constant Summary

SENSITIVE =

[]

Instance Attribute Summary

• #analysis_detail ⇒ String

  Provides analysis details for the identified rule.

• #identified_rule_ids ⇒ Array<String>

  The priority number of the stateless rules identified in the analysis.

• #identified_type ⇒ String

  The types of rule configurations that Network Firewall analyzes your rule groups for.

Instance Attribute Details

#analysis_detail ⇒ String

Provides analysis details for the identified rule.

Returns:

• (String)

# File 'gems/aws-sdk-networkfirewall/lib/aws-sdk-networkfirewall/types.rb', line 133

class AnalysisResult < Struct.new(
  :identified_rule_ids,
  :identified_type,
  :analysis_detail)
  SENSITIVE = []
  include Aws::Structure
end

#identified_rule_ids ⇒ Array<String>

The priority number of the stateless rules identified in the analysis.

Returns:

• (Array<String>)

# File 'gems/aws-sdk-networkfirewall/lib/aws-sdk-networkfirewall/types.rb', line 133

class AnalysisResult < Struct.new(
  :identified_rule_ids,
  :identified_type,
  :analysis_detail)
  SENSITIVE = []
  include Aws::Structure
end

#identified_type ⇒ String

The types of rule configurations that Network Firewall analyzes your rule groups for. Network Firewall analyzes stateless rule groups for the following types of rule configurations:

• STATELESS_RULE_FORWARDING_ASYMMETRICALLY

  Cause: One or more stateless rules with the action pass or forward are forwarding traffic asymmetrically. Specifically, the rule's set of source IP addresses or their associated port numbers, don't match the set of destination IP addresses or their associated port numbers.

  To mitigate: Make sure that there's an existing return path. For example, if the rule allows traffic from source 10.1.0.0/24 to destination 20.1.0.0/24, you should allow return traffic from source 20.1.0.0/24 to destination 10.1.0.0/24.

• STATELESS_RULE_CONTAINS_TCP_FLAGS

  Cause: At least one stateless rule with the action pass orforward contains TCP flags that are inconsistent in the forward and return directions.

  To mitigate: Prevent asymmetric routing issues caused by TCP flags by following these actions:

  • Remove unnecessary TCP flag inspections from the rules.

  • If you need to inspect TCP flags, check that the rules correctly account for changes in TCP flags throughout the TCP connection cycle, for example SYN and ACK flags used in a 3-way TCP handshake.

Returns:

• (String)

# File 'gems/aws-sdk-networkfirewall/lib/aws-sdk-networkfirewall/types.rb', line 133

class AnalysisResult < Struct.new(
  :identified_rule_ids,
  :identified_type,
  :analysis_detail)
  SENSITIVE = []
  include Aws::Structure
end