Limitations and caveats for stateful rules in AWS Network Firewall

AWS Network Firewall stateful rules are Suricata compatible. Most Suricata rules work out of the box with Network Firewall. Your use of Suricata rules with Network Firewall has the restrictions and caveats listed in this section.

Not supported

The following Suricata features are not supported by Network Firewall:

Datasets. The keywords dataset and datarep aren't allowed.
ENIP/CIP keywords.
File extraction. File keywords aren't allowed.
FTP-data protocol detection.
GeoIP.
IP reputation. The iprep keyword is not allowed.
Lua scripting.
QUIC protocol detection and QUIC related application level protocols such as HTTP3.
Rules actions except for pass, drop, reject, and alert. Pass, drop, reject, and alert are supported. For additional information about stateful rule actions, see Stateful actions.
STCP protocol.
Thresholding.

Supported with caveats

The following Suricata features have caveats for use with Network Firewall:

The AWS Network Firewall stateful inspection engine supports inspecting inner packets for tunneling protocols such as Generic Routing Encapsulation (GRE). If you want to block the tunneled traffic, you can write rules against the tunnel layer itself or against the inner packet. Due to the service inspecting the different layers, you might see flows and alerts for the packets within the tunnel.
To create a rule that requires a variable, you must specify the variable in the rule group. Without the required variables, the rule group isn't valid. For an example of a rule group that's configured with variables, see Rule with variables.
In payload keywords, the pcre keyword is only allowed with content, tls.sni, http.host, and dns.query keywords.
The priority keyword is not supported for rule groups that evaluate rules using strict evaluation order.
You can set custom values for HOME_NET and EXTERNAL_NET in a rule group's rule variables. Rule group rule variables have higher priority than policy variables, but policy variables affect all rule groups that don't already define HOME_NET. If you don't set your own value for EXTERNAL_NET in a rule group, then Network Firewall maintains that the value of EXTERNAL_NET in the rule group equals the negation of the HOME_NET value that you define at the firewall policy level. For example, if you set HOME_NET to be 10.0.0.0 in your rule group, and set HOME_NET to be 11.0.0.0 in the firewall policy. If you don't set EXTERNAL_NET in the rule group, then the value of EXTERNAL_NET will be !11.0.0.0 based on the default HOME_NET value set in the policy.
When you use a stateful rule with a layer 3 or 4 protocol such as IP or TCP, and you don't include any flow state context, for example "flow:not_established", then Suricata treats this rule as an IP-only rule. Suricata only evaluates IP-only rules for the first packet in each direction of the flow. For example, Suricata will process the following rule as an IP-only rule:
```
pass tcp $HOME_NET any -> [10.0.0.0/8] $HTTPS_PORTS (sid: 44444; rev:2;)
```
However, if the destination IP contains a !, then Suricata treats this as per the protocol specified in the rule. Suricata will process the following rule as a TCP rule.
```
pass tcp $HOME_NET any -> [!10.0.0.0/16] $HTTPS_PORTS (sid: 44444; rev:2;)
```

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Working with stateful rule groups

Creating a stateful rule group