Limitations with using managed rule groups in AWS Network Firewall
Keep in mind the following limitations when using managed rule groups in Network Firewall:
- You can't override the Suricata `HOME_NET` variable in managed rule groups. Network Firewall automatically populates the `HOME_NET` variable with CIDR ranges based on your firewall's VPC. This likely isn't an issue if your firewall uses a distributed deployment model. However, if your firewall uses an inspection VPC, Network Firewall populates `HOME_NET` with CIDR ranges for the inspection VPC, instead of the spoke VPCs. To set `HOME_NET` to the values that correspond to your desired CIDR ranges, you can create your own stateful rule group. For more information about how to manually configure `HOME_NET`, see Domain list inspection for traffic from outside the deployment VPC.
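The following is an added example, not taken from the AWS documentation, of a stateful rule group definition that sets `HOME_NET` explicitly so that a domain-list rule covers traffic from spoke VPCs rather than only the inspection VPC. The CIDR ranges (`10.1.0.0/16`, `10.2.0.0/16`) and the domain `.example.com` are constructed placeholders; the field names follow the `RuleGroup` structure accepted by `aws network-firewall create-rule-group --type STATEFUL --rule-group file://rule-group.json`.

```json
{
  "RuleVariables": {
    "IPSets": {
      "HOME_NET": {
        "Definition": [
          "10.1.0.0/16",
          "10.2.0.0/16"
        ]
      }
    }
  },
  "RulesSource": {
    "RulesSourceList": {
      "Targets": [
        ".example.com"
      ],
      "TargetTypes": [
        "HTTP_HOST",
        "TLS_SNI"
      ],
      "GeneratedRulesType": "DENYLIST"
    }
  }
}
```

Without the `RuleVariables.IPSets.HOME_NET` block, Network Firewall would derive `HOME_NET` from the inspection VPC's CIDR, and the generated domain rules would not match requests originating in the spoke VPCs (constructed here as `10.1.0.0/16` and `10.2.0.0/16`). Keep the `Definition` list in sync with the spoke VPC CIDRs the firewall is meant to protect; a check that compares it against the VPC CIDRs from your account is a useful guard against drift.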