Firewall policy settings in AWS Network Firewall

A firewall policy in Network Firewall has the following configuration settings, which you define when you create or update the firewall policy. All settings except for the firewall policy name are mutable.

  • Name – The identifier for the firewall policy. You assign a unique name to every firewall policy. You can't change the name of a firewall policy after you create it.

  • Description – Optional additional information about the firewall policy. Fill in any information that might help you remember the purpose of the firewall policy and how you want to use it. The description is included in firewall policy lists in the console and through the APIs.

  • Stream exception policy – The stream exception policy determines how Network Firewall handles traffic when a network connection breaks midstream. Network connections can break due to disruptions in external networks or within the firewall itself. For more information, see Stream exception policy options in your AWS Network Firewall firewall policy.

  • Stateless rule groups – Zero or more collections of stateless rules, with priority settings that define their processing order within the policy. For information about creating and managing rule groups for use in your policies, see Rule groups in AWS Network Firewall.

  • Stateless default actions – Define how Network Firewall handles a packet or UDP packet fragment that doesn't match any of the rules in the stateless rule groups. You can specify different default settings for full packets and for UDP packet fragments. Network Firewall silently drops packet fragments for other protocols.

    You provide this configuration regardless of whether you define stateless rule groups for the policy.

    The options for the firewall policy's default settings are the same as for stateless rules. For information about the options, see Defining rule actions in AWS Network Firewall.

  • Stateful engine options – The structure that holds stateful rule order settings. Note that you can only configure RuleOrder settings when you first create the policy. RuleOrder can't be edited later.

  • Stateful rule groups – Zero or more collections of stateful rules, provided in Suricata-compatible format. For information about creating and managing rule groups for use in your policies, see Rule groups in AWS Network Firewall.

  • Stateful default actions – Define how Network Firewall handles a packet that doesn't match any of the rules in the stateful rule groups.

    These settings apply when you use strict ordering for stateful rule evaluation, and you can provide them even if you don't define stateful rule groups for the policy.

    For more information about the options, see Strict evaluation order.

  • Customer-managed key (Optional) – Network Firewall encrypts and decrypts Network Firewall resources, to protect against unauthorized access. By default, Network Firewall uses AWS owned keys for this. If you want to use your own keys, you can configure customer managed keys from AWS Key Management Service and provide them to Network Firewall. For information about this option, see Encryption at rest with AWS Key Management Service.

  • Policy variables (Optional) – You can configure one or more IPv4 or IPv6 addresses in CIDR notation to override the default value of Suricata HOME_NET. If your firewall is deployed using a centralized deployment model, you might want to override HOME_NET with the CIDRs of your home network. Otherwise, Network Firewall uses the CIDR of your inspection VPC.

    The firewall policy EXTERNAL_NET setting is the negation of its HOME_NET setting. For example, if the HOME_NET is 11.0.0.0, then EXTERNAL_NET is set to !11.0.0.0.

  • TCP idle timeouts (Optional) – Defines the number of seconds that can pass without any traffic sent through the firewall before the firewall determines that the TCP connection is idle. Existing TCP connections and flows are not affected when you update this value; only connections established after the update use the new timeout.

    You can define the value to be between 60 and 6000 seconds. If no value is provided, it defaults to 350 seconds.

  • TLS inspection configuration (Optional) – Contains settings to turn on decryption and re-encryption of the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) traffic going to your firewall so that the traffic can be inspected according to the policy's stateful rules. For more information, see Inspecting SSL/TLS traffic with TLS inspection configurations in AWS Network Firewall.

  • Tags (Optional) – Zero or more key-value tag pairs. A tag is a label that you assign to an AWS resource. You can use tags to search and filter your resources and to track your AWS costs. For more information about tags, see Tagging AWS Network Firewall resources.
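The settings above assembled into one policy document, with a checker for the constraints this page states (the stateless default action set, stateful default actions applying only under strict ordering, the 60 to 6000 second TCP idle timeout range with its 350 second default, and EXTERNAL_NET as the negation of HOME_NET). This is an added example, not AWS code; the field names follow the FirewallPolicy structure of the CreateFirewallPolicy API, and the rule group ARNs are placeholders.

```python
"""Build and sanity-check a Network Firewall policy document (added example)."""
from typing import Dict, List

STATELESS_STANDARD = {"aws:pass", "aws:drop", "aws:forward_to_sfe"}
STATEFUL_STRICT = {"aws:drop_strict", "aws:drop_established",
                   "aws:alert_strict", "aws:alert_established"}
TCP_IDLE_MIN, TCP_IDLE_MAX, TCP_IDLE_DEFAULT = 60, 6000, 350
# Placeholder ARNs; substitute your own rule group ARNs.
STATELESS_RG = "arn:aws:network-firewall:REGION:ACCOUNT:stateless-rulegroup/PLACEHOLDER"
STATEFUL_RG = "arn:aws:network-firewall:REGION:ACCOUNT:stateful-rulegroup/PLACEHOLDER"


def build_policy(home_net: List[str], tcp_idle: int = TCP_IDLE_DEFAULT) -> Dict:
    """Strict-order policy: stateless traffic goes to the stateful engine,
    UDP fragments are dropped, and unmatched stateful traffic is dropped."""
    return {
        "StatelessRuleGroupReferences": [{"ResourceArn": STATELESS_RG, "Priority": 1}],
        "StatelessDefaultActions": ["aws:forward_to_sfe"],
        "StatelessFragmentDefaultActions": ["aws:drop"],
        "StatefulRuleGroupReferences": [{"ResourceArn": STATEFUL_RG, "Priority": 1}],
        "StatefulDefaultActions": ["aws:drop_strict"],
        "StatefulEngineOptions": {
            "RuleOrder": "STRICT_ORDER",            # cannot be changed after creation
            "StreamExceptionPolicy": "DROP",
            "FlowTimeouts": {"TcpIdleTimeoutSeconds": tcp_idle}},
        "PolicyVariables": {"RuleVariables": {"HOME_NET": {"Definition": home_net}}},
    }


def external_net(policy: Dict) -> List[str]:
    """EXTERNAL_NET is derived as the negation of each HOME_NET CIDR."""
    home = (policy.get("PolicyVariables", {}).get("RuleVariables", {})
            .get("HOME_NET", {}).get("Definition", []))
    return ["!" + cidr for cidr in home]


def check_policy(policy: Dict) -> List[str]:
    """Return violations of the constraints described on this page."""
    problems = []
    for key in ("StatelessDefaultActions", "StatelessFragmentDefaultActions"):
        if len(STATELESS_STANDARD & set(policy.get(key, []))) != 1:
            problems.append(f"{key} must contain exactly one standard action")
    engine = policy.get("StatefulEngineOptions", {})
    defaults = set(policy.get("StatefulDefaultActions", []))
    if defaults and engine.get("RuleOrder") != "STRICT_ORDER":
        problems.append("StatefulDefaultActions only take effect with STRICT_ORDER")
    if defaults - STATEFUL_STRICT:
        problems.append("unknown stateful default action")
    idle = engine.get("FlowTimeouts", {}).get("TcpIdleTimeoutSeconds", TCP_IDLE_DEFAULT)
    if not TCP_IDLE_MIN <= idle <= TCP_IDLE_MAX:
        problems.append(f"TcpIdleTimeoutSeconds {idle} outside {TCP_IDLE_MIN}-{TCP_IDLE_MAX}")
    return problems
```

Run `check_policy` on a document before passing it to the API to catch a timeout outside the allowed range or stateful default actions that will never apply under DEFAULT_ACTION_ORDER.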

AWS Network Firewall firewall policy capacity limitations

Network Firewall uses capacity calculations and limiting to control the operating resources that are required to process your rule groups and firewall policies. Each rule group has a capacity setting that's reserved for it in the firewall policy when you add it. Additionally, the firewall policy has limits on the count of rule groups that you can add. For information about limits, see AWS Network Firewall quotas. For information about rule group capacity, see Setting rule group capacity in AWS Network Firewall.