Limitations with using managed rule groups in AWS Network Firewall - AWS Network Firewall

Limitations with using managed rule groups in AWS Network Firewall

Keep in mind the following limitations when using managed rule groups in Network Firewall:

  • You can't override the Suricata HOME_NET variable in managed rule groups. Network Firewall automatically populates the HOME_NET variable with CIDR ranges based on your firewall's VPC. This likely isn't an issue if your firewall uses a distributed deployment model. However, if your firewall uses an inspection VPC, Network Firewall populates HOME_NET with CIDR ranges for the inspection VPC, instead of the spoke VPCs. To set HOME_NET to the values that correspond to your desired CIDR ranges, you can create your own stateful rule group. For more information about how to manually configure HOME_NET, see Domain list inspection for traffic from outside the deployment VPC.
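The following added example (not from the AWS documentation) builds the RuleGroup structure for a custom stateful rule group whose HOME_NET rule variable lists the spoke VPC CIDRs rather than the inspection VPC CIDR. The spoke and inspection CIDRs, the rule group name and the Suricata rule are constructed for illustration; the `create_rule_group` call uses the boto3 network-firewall client and is only invoked if you pass one in.

```python
"""Build a Network Firewall stateful rule group with HOME_NET set to spoke VPCs.

Added example; the CIDRs, rule and rule group name below are constructed.
"""
import ipaddress
import json


def build_home_net(spoke_cidrs, inspection_cidr):
    """Return the HOME_NET definition: the spoke CIDRs only, collapsed and sorted.

    Raises ValueError if a CIDR is malformed or overlaps the inspection VPC,
    because the inspection VPC range is exactly what a managed rule group would
    use by default and is not the traffic we want treated as "home".
    """
    inspection = ipaddress.ip_network(inspection_cidr)
    nets = [ipaddress.ip_network(cidr) for cidr in spoke_cidrs]
    for net in nets:
        if net.overlaps(inspection):
            raise ValueError(f"{net} overlaps inspection VPC {inspection}")
    # collapse_addresses merges redundant/adjacent ranges, e.g. a /17 inside a /16
    return [str(net) for net in ipaddress.collapse_addresses(nets)]


def build_rule_group(spoke_cidrs, inspection_cidr, rules_string):
    """Return the RuleGroup document expected by network-firewall CreateRuleGroup."""
    return {
        "RuleVariables": {
            "IPSets": {"HOME_NET": {"Definition": build_home_net(spoke_cidrs, inspection_cidr)}}
        },
        "RulesSource": {"RulesString": rules_string},
    }


# Constructed sample values: two spoke VPCs (one listed redundantly) and an inspection VPC.
SPOKE_CIDRS = ["10.1.0.0/16", "10.2.0.0/16", "10.2.0.0/17"]
INSPECTION_CIDR = "100.64.0.0/16"
RULES = 'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH to spoke VPC"; sid:1000001; rev:1;)'


def create_rule_group(client, name="spoke-home-net", capacity=100):
    """Create the rule group via a boto3 network-firewall client (hypothetical caller supplies it)."""
    return client.create_rule_group(
        RuleGroupName=name,
        Type="STATEFUL",
        Capacity=capacity,
        RuleGroup=build_rule_group(SPOKE_CIDRS, INSPECTION_CIDR, RULES),
    )


if __name__ == "__main__":
    print(json.dumps(build_rule_group(SPOKE_CIDRS, INSPECTION_CIDR, RULES), indent=2))
```

The printed document can also be saved to a file and passed to `aws network-firewall create-rule-group --rule-group file://...` with the same `--type STATEFUL` and `--capacity` values.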