Limitations and caveats for stateful rules in AWS Network Firewall

AWS Network Firewall stateful rules are Suricata compatible. Most Suricata rules work out of the box with Network Firewall. Your use of Suricata rules with Network Firewall has the restrictions and caveats listed in this section.

Not supported

The following Suricata features are not supported by Network Firewall:

Datasets. The keywords dataset and datarep aren't allowed.
ENIP/CIP keywords.
File extraction. File keywords aren't allowed.
FTP-data protocol detection.
GeoIP.
IP reputation. The iprep keyword is not allowed.
Lua scripting.
Rules actions except for pass, drop, and alert. Pass, drop, and alert are supported. For additional information about stateful rule actions, see Stateful actions.
Thresholding.

Supported with caveats

The following Suricata features have caveats for use with Network Firewall:

The AWS Network Firewall stateful inspection engine supports inspecting inner packets for tunneling protocols such as Generic Routing Encapsulation (GRE). If you want to block the tunneled traffic, you can write rules against the tunnel layer itself or against the inner packet. Due to the service inspecting the different layers, you might see flows and alerts for the packets within the tunnel.
To create a rule that requires a variable, you must specify the variable in the rule group. Without the required variables, the rule group isn't valid. For an example of a rule group that's configured with variables, see Rule with variables.
In payload keywords, the pcre keyword is only allowed with the content keyword.
The priority keyword is not supported for rule groups that evaluate rules using strict evaluation order.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Working with stateful rule groups

Creating a stateful rule group