Creating a stateful rule group - AWS Network Firewall

Creating a stateful rule group

This section provides guidance for creating a stateful rule group.

To create a stateful rule group

  1. Sign in to the AWS Management Console and open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, under Network Firewall, choose Network Firewall rule groups.

  3. Choose Create Network Firewall rule group.

  4. In the Create Network Firewall rule group page, for the Rule group type, choose Stateful rule group.

    For more information about stateful rule groups, see Working with stateful rule groups in AWS Network Firewall.

  5. Enter a name and description for the rule group. You'll use these to identify the rule group when you manage it and use it.

    Note

    You can't change the name after you create the rule group.

  6. For Capacity, set the maximum capacity you want to allow for the stateful rule group, up to the maximum of 30,000. You can't change this setting after you create the rule group. For information about how to calculate this, see Setting rule group capacity in AWS Network Firewall. For information about the maximum setting, see AWS Network Firewall quotas.

  7. Select the type of rule group that you want to add, from the Stateful rule group options. The rest of your rule group specifications depend on the option you choose.

    • (Option) 5-tuple – Entry form for a basic Suricata rule.

      Note

      If you need to specify additional rule options, you can also use one of the APIs or AWS CloudFormation. For information, see StatefulRule in the AWS Network Firewall API Reference and AWS::NetworkFirewall::RuleGroup StatefulRule in the AWS CloudFormation User Guide.

      To choose the way that your stateful rules are ordered for evaluation, in the Stateful rule order section, choose a rule order:

      • Choose Default to have the stateful rules engine determine the evaluation order of your rules.

      • Choose Strict to provide your rules in the order that you want them to be evaluated.

      For each rule that you want in your rule group, specify the following information and then choose Add rule. Your added rules are listed in the Rules list.

      • Choose the protocol and source and destination settings for your rule.

      • For Traffic direction, choose whether to apply the rule to any direction or only for traffic that flows forward, from the specified source to the specified destination.

      • For Action, select the action that you want Network Firewall to take when a packet matches the rule settings. For information on these options, see Stateful actions.

      For information about these rules, see Standard stateful rule groups in AWS Network Firewall.

    • (Option) Domain list – Specify the following information.

      • For Domain name source, enter the domain names that you want to inspect for, one name specification per line. Valid domain name specifications are the following:

        • Explicit names. For example, abc.example.com matches only the domain abc.example.com.

        • Names that use a domain wildcard, which you indicate with an initial '.'. For example, .example.com matches example.com and matches all subdomains of example.com, such as abc.example.com and www.example.com.

      • For Protocols, choose the protocols you want to inspect for.

      • For Action, select the list type that you are creating, either Allow or Deny. For information on these options, see Stateful actions.

      For information about stateful domain name rules, see Stateful domain list rule groups in AWS Network Firewall.

    • (Option) Suricata compatible IPS rules

      To choose the way that your stateful rules are ordered for evaluation, in the Stateful rule order section, choose a rule order:

      • Choose Default to have the stateful rules engine determine the evaluation order of your rules.

      • Choose Strict to provide your rules in the order that you want them to be evaluated.

      Paste your rules into the text box.

  8. Review the settings that you've provided for the rule group, then choose Create stateful rule group.

Your new rule group is added to the list in the Network Firewall rule groups page.

To use your rule group in a firewall policy, follow the procedures at Managing your firewall policy.
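As an added example (not AWS code and not part of this guide), the following Python checks how the two kinds of domain name specifications described under the Domain list option match observed host names, so you can verify a list before you paste it into the Domain name source box. The only assumption beyond the page is that blank lines in the list are skipped.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DomainEntry:
    name: str       # lowercase, no trailing dot, initial '.' removed
    wildcard: bool  # True when the specification was written with an initial '.'

    def spec(self) -> str:
        """The specification as it would appear in the Domain name source box."""
        return ("." if self.wildcard else "") + self.name

def parse_domain_list(text: str) -> list[DomainEntry]:
    """Parse the Domain name source text, one specification per line.
    Blank lines are skipped (an assumption; the page does not mention them)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip().lower().rstrip(".")
        if not line:
            continue
        wildcard = line.startswith(".")
        name = line[1:] if wildcard else line
        # Reject obviously malformed specifications before they reach the rule group.
        if not name or name.startswith(".") or ".." in name or any(c.isspace() for c in name):
            raise ValueError(f"invalid domain name specification: {raw!r}")
        entries.append(DomainEntry(name, wildcard))
    return entries

def matches(entry: DomainEntry, host: str) -> bool:
    """Apply the matching rules stated above to one observed host name."""
    host = host.strip().lower().rstrip(".")
    if host == entry.name:  # explicit and wildcard entries both cover the name itself
        return True
    # A wildcard entry also covers every subdomain; the '.' boundary stops 'notexample.com' matching '.example.com'.
    return entry.wildcard and host.endswith("." + entry.name)

def matching_specs(entries: list[DomainEntry], host: str) -> list[str]:
    """Return the specifications in the list that would match host."""
    return [e.spec() for e in entries if matches(e, host)]

# Constructed sample domain list, mirroring the two forms described above.
SAMPLE_DOMAIN_LIST = """\
abc.example.com
.example.com
"""

if __name__ == "__main__":
    entries = parse_domain_list(SAMPLE_DOMAIN_LIST)
    for host in ["abc.example.com", "www.example.com", "example.com", "notexample.com"]:
        print(f"{host:20} -> {matching_specs(entries, host)}")
```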