Firewall policy settings - AWS Network Firewall
Capacity limitations

Firewall policy settings

A firewall policy has the following settings.

  • Name – The identifier for the firewall policy. You assign a unique name to every firewall policy. You can't change the name of a firewall policy after you create it.

  • Description – Optional additional information about the firewall policy. Fill in any information that might help you remember the purpose of the firewall policy and how you want to use it. The description is included in firewall policy lists in the console and through the APIs.

  • Stream exception policy – The stream exception policy determines how Network Firewall handles traffic when a network connection breaks midstream. Network connections can break due to disruptions in external networks or within the firewall itself. For more information, see Stream exception policy in your firewall policy.

  • Stateless rule groups – Zero or more collections of stateless rules, with priority settings that define their processing order within the policy. For information about creating and managing rule groups for use in your policies, see Rule groups in AWS Network Firewall.

  • Stateless default actions – Define how Network Firewall handles a packet or UDP packet fragment that doesn't match any of the rules in the stateless rule groups. Network Firewall silently drops packet fragments for other protocols. The options for the firewall policy's default settings are the same as for stateless rules. For more information about the options, see Stateless default actions in your firewall policy.

  • Stateful engine options – The structure that holds stateful rule order settings. Note that you can only configure RuleOrder settings when you first create the policy. RuleOrder can't be edited later.

  • Stateful rule groups – Zero or more collections of stateful rules, provided in Suricata compatible format. For information about creating and managing rule groups for use in your policies, see Rule groups in AWS Network Firewall.

  • Stateful default actions – Define how Network Firewall handles a packet that doesn't match any of the rules in the stateful rule groups. For more information about the options, see Stateful default actions in your firewall policy.

  • Customer-managed key (Optional) – Network Firewall encrypts and decrypts Network Firewall resources, to protect against unauthorized access. By default, Network Firewall uses AWS owned keys for this. If you want to use your own keys, you can configure customer managed keys from AWS Key Management Service and provide them to Network Firewall. For information about this option, see Encryption at rest with AWS Key Management Service.

  • Policy variables (Optional) – You can configure one or more IPv4 or IPv6 addresses in CIDR notation to override the default value of Suricata HOME_NET. If your firewall is deployed using a centralized deployment model, you might want to override HOME_NET with the CIDRs of your home network. Otherwise, Network Firewall uses the CIDR of your inspection VPC..

  • TLS inspection configuration (Optional) – Contains settings to turn on decryption and re-encryption of the Secure Socket Layer (SSL)/Transport Layer Security (TLS) traffic going to your firewall so that the traffic can be inspected according to the policy's stateful rules. For more information, see Inspecting SSL/TLS traffic with TLS inspection configurations.

  • Tags (Optional) – Zero or more key-value tag pairs. A tag is a label that you assign to an AWS resource. You can use tags to search and filter your resources and to track your AWS costs. For more information about tags, see Tagging AWS Network Firewall resources.

Capacity limitations

Network Firewall uses capacity calculations and limiting to control the operating resources that are required to process your rule groups and firewall policies. Each rule group has a capacity setting that's reserved for it in the firewall policy when you add it. Additionally, the firewall policy has limits on the count of rule groups that you can add. For information about limits, see AWS Network Firewall quotas for information about rule group capacity, see Setting rule group capacity in AWS Network Firewall.