Rule actions in AWS Network Firewall - AWS Network Firewall

Rule actions in AWS Network Firewall

The rule action setting tells AWS Network Firewall how to handle a packet that matches the rule's match criteria.

Stateless actions

The action options for stateless rules are the same as for the firewall policy's default stateless rule actions.

You are required to specify one of the following options:

  • Pass – Discontinue all inspection of the packet and permit it to go to its intended destination.

  • Drop – Discontinue all inspection of the packet and block it from going to its intended destination.

  • Forward to stateful rules – Discontinue stateless inspection of the packet and forward it to the stateful rule engine for inspection.

You can also specify a named custom action to apply alongside the standard action. For this action, Network Firewall adds a dimension to its Amazon CloudWatch metrics with the name CustomAction and a value that you specify. For more information, see AWS Network Firewall metrics in Amazon CloudWatch.

After you define a named custom action, you can use it by name only in the context where you defined it. You can reuse a custom action setting among the rules in a rule group, and you can reuse a custom action setting between a firewall policy's two stateless default action settings (the default actions for full packets and for fragmented packets).
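As an added example (not code from the AWS documentation), the check below enforces the two constraints just described on a stateless rule group: every rule carries exactly one standard action, and any custom action it names is defined in the same rule group. The dict shapes follow the Network Firewall API's StatelessRulesAndCustomActions structure and the `aws:pass`, `aws:drop` and `aws:forward_to_sfe` action identifiers as I know them; the rule groups, action names and dimension values are constructed for the example.

```python
# Network Firewall's identifiers for the Pass, Drop and Forward to stateful rules actions.
STANDARD_ACTIONS = {"aws:pass", "aws:drop", "aws:forward_to_sfe"}


def publish_metric_action(name: str, dimension_value: str) -> dict:
    """A named custom action that adds CustomAction=<dimension_value> to CloudWatch metrics."""
    return {
        "ActionName": name,
        "ActionDefinition": {
            "PublishMetricAction": {"Dimensions": [{"Value": dimension_value}]}
        },
    }


def stateless_rule(priority: int, dest_port: int, actions: list) -> dict:
    """A minimal stateless rule: any source to any destination on one TCP port."""
    return {
        "Priority": priority,
        "RuleDefinition": {
            "MatchAttributes": {
                "Protocols": [6],  # TCP
                "DestinationPorts": [{"FromPort": dest_port, "ToPort": dest_port}],
            },
            "Actions": actions,
        },
    }


def validate_actions(rule_group: dict) -> list:
    """Return the problems found in a rule group's action lists (empty list if clean)."""
    defined = {a["ActionName"] for a in rule_group.get("CustomActions", [])}
    problems = []
    for rule in rule_group["StatelessRules"]:
        actions = rule["RuleDefinition"]["Actions"]
        standard = [a for a in actions if a in STANDARD_ACTIONS]
        if len(standard) != 1:
            problems.append(
                f"priority {rule['Priority']}: need exactly one standard action, got {standard}"
            )
        for a in actions:
            # A custom action is only usable in the context (rule group or policy) that defines it.
            if a not in STANDARD_ACTIONS and a not in defined:
                problems.append(
                    f"priority {rule['Priority']}: custom action {a!r} is not defined in this rule group"
                )
    return problems


# Constructed sample rule groups.
GOOD = {
    "CustomActions": [publish_metric_action("CountTelnet", "telnet-blocked")],
    "StatelessRules": [
        stateless_rule(10, 23, ["aws:drop", "CountTelnet"]),
        stateless_rule(20, 443, ["aws:forward_to_sfe"]),
    ],
}

# 'CountTelnet' is defined in GOOD, not here, so the reference is invalid in this group;
# the second rule has two standard actions and the third has none.
BAD = {
    "CustomActions": [],
    "StatelessRules": [
        stateless_rule(10, 23, ["aws:drop", "CountTelnet"]),
        stateless_rule(20, 22, ["aws:pass", "aws:drop"]),
        stateless_rule(30, 80, ["CountTelnet"]),
    ],
}

if __name__ == "__main__":
    print("GOOD:", validate_actions(GOOD))
    for problem in validate_actions(BAD):
        print("BAD:", problem)
```

Running this against the two rule groups reports nothing for GOOD and four problems for BAD, which is the kind of check worth running before a CreateRuleGroup call so that a rule never silently references a metric action that lives in another rule group.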

Stateful actions

The actions that you specify for your stateful rules help determine the order in which the Suricata stateful rules engine processes them. Network Firewall supports the Suricata rule actions pass, drop, and alert. By default, the engine processes rules in the order of pass action, drop action, then finally alert action. Within each action, you can set a priority to indicate processing order. For more information, see Evaluation order for stateful rules.

Stateful rules can send alerts to the firewall's alert logs. To see the alerts, you must enable alert logging on each firewall that uses the rules; logging incurs additional costs. For more information, see Logging network traffic from AWS Network Firewall.

The options for stateful action settings vary by rule type.

Standard rules and Suricata compatible strings

You specify one of the following action options for both the rules that you provide in Suricata compatible strings and the rules that you specify using the standard, 5-tuple interface in Network Firewall. These options are a subset of the action options that are defined by Suricata. For more information, see Stateful rule groups in AWS Network Firewall.

  • Pass – Discontinue inspection of the matching packet and permit it to go to its intended destination. Rules with pass action are evaluated before rules with other action settings.

  • Drop or Alert – Evaluate the packet against all rules with drop or alert action settings. If the firewall has alert logging configured, send a message to the firewall's alert logs for each matching rule. The first log entry for the packet is for the first rule that matched the packet.

    After all rules have been evaluated, handle the packet according to the action setting in the first rule that matched the packet. If that rule has a drop action, block the packet. If it has an alert action, permit the packet to go to its intended destination.

For information about what you can do to manage the evaluation order of your stateful rules, see Evaluation order for stateful rules.
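The simulator below is an added example, not code from the AWS documentation or from Suricata: it parses a handful of constructed Suricata-compatible rules and applies the default action order described above (pass first, then drop, then alert, with the `priority` keyword ordering rules within each action), returning the packet's disposition and the alert log entries it would produce. The 5-tuple matcher, the `$HOME_NET` value and the default priority of 3 for rules without a `priority` keyword are assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Default stateful action order stated on this page: pass, then drop, then alert.
ACTION_ORDER = ("pass", "drop", "alert")

# Header grammar of a Suricata rule: action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>pass|drop|alert)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s*->\s*(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
OPT_RE = re.compile(r'(\w+)\s*:\s*("[^"]*"|[^;]+)\s*;')


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    sid: int
    msg: str
    priority: int  # lower value is evaluated first within the same action


def parse_rule(text: str) -> Rule:
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    opts = {k: v.strip('"') for k, v in OPT_RE.findall(m["opts"])}
    return Rule(
        action=m["action"], proto=m["proto"].lower(),
        src=m["src"], sport=m["sport"], dst=m["dst"], dport=m["dport"],
        sid=int(opts["sid"]), msg=opts.get("msg", ""),
        priority=int(opts.get("priority", 3)),  # assumption: 3 when no priority keyword is set
    )


def _addr_matches(spec: str, ip: str, variables: dict) -> bool:
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not _addr_matches(spec[1:], ip, variables)
    if spec.startswith("$"):  # rule variable such as $HOME_NET, a list of CIDRs
        return any(_addr_matches(v, ip, variables) for v in variables[spec])
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not _port_matches(spec[1:], port)
    if ":" in spec:  # Suricata port range, e.g. 1024: or 8000:8080
        lo, hi = spec.split(":")
        return int(lo or 0) <= port <= int(hi or 65535)
    return port == int(spec)


def matches(rule: Rule, pkt: dict, variables: dict) -> bool:
    return (
        rule.proto in ("ip", pkt["proto"])
        and _addr_matches(rule.src, pkt["src"], variables)
        and _port_matches(rule.sport, pkt["sport"])
        and _addr_matches(rule.dst, pkt["dst"], variables)
        and _port_matches(rule.dport, pkt["dport"])
    )


def evaluate(rules, pkt, variables, alert_logging=True):
    """Return (disposition, alert_log) for one packet under the default action order."""
    ordered = sorted(rules, key=lambda r: (ACTION_ORDER.index(r.action), r.priority))
    # pass rules go first; a match ends inspection and logs nothing.
    for r in ordered:
        if r.action == "pass" and matches(r, pkt, variables):
            return "pass", []
    # drop and alert rules are all evaluated; every match produces a log entry.
    matched = [r for r in ordered if r.action != "pass" and matches(r, pkt, variables)]
    log = [f"{r.action} sid:{r.sid} {r.msg}" for r in matched] if alert_logging else []
    if not matched:
        return "no_match", log  # the policy's stateful default action applies (not modeled here)
    # The disposition comes from the first matching rule only.
    return ("drop" if matched[0].action == "drop" else "pass"), log


# Constructed rules and packets; HOME_NET would be the VPC CIDR in a real deployment.
VARIABLES = {"$HOME_NET": ["10.0.0.0/16"]}
RULES = [parse_rule(r) for r in [
    'pass tcp $HOME_NET any -> 10.0.5.10 22 (msg:"allow ssh to bastion"; sid:100; rev:1;)',
    'alert tcp $HOME_NET any -> any 23 (msg:"telnet attempt"; sid:201; rev:1; priority:2;)',
    'drop tcp $HOME_NET any -> any 23 (msg:"block telnet"; sid:200; rev:1; priority:1;)',
    'alert tcp any any -> any 22 (msg:"ssh seen"; sid:300; rev:1;)',
]]
TELNET = {"proto": "tcp", "src": "10.0.1.5", "sport": 40000, "dst": "192.0.2.8", "dport": 23}
SSH_BASTION = {"proto": "tcp", "src": "10.0.1.5", "sport": 40001, "dst": "10.0.5.10", "dport": 22}
SSH_OTHER = {"proto": "tcp", "src": "10.0.1.5", "sport": 40002, "dst": "203.0.113.9", "dport": 22}
DNS = {"proto": "udp", "src": "10.0.1.5", "sport": 40003, "dst": "10.0.0.2", "dport": 53}

if __name__ == "__main__":
    for name, pkt in [("telnet", TELNET), ("ssh bastion", SSH_BASTION), ("ssh other", SSH_OTHER), ("dns", DNS)]:
        print(name, evaluate(RULES, pkt, VARIABLES))
```

Two things the output makes concrete: the telnet packet matches both sid 200 and sid 201 and is logged twice, but its disposition is drop because the drop rule sorts ahead of the alert rule; and SSH to the bastion is never logged by sid 300, because the pass rule ends inspection before the alert rules run. That second behaviour is what makes broad pass rules a visibility risk.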

Domain lists

The domain list rule group has one action setting at the rule group level. You specify one of the following options:

  • Allow – Indicates that the domain name list is to be used as an allow list for all traffic that matches the specified protocols. For matching packets, discontinue inspection of the packet and permit it to pass to its intended destination. For non-matching packets, discontinue inspection of the packet, block it from going to its intended destination, and send a message to the firewall's alert logs if the firewall has alert logging configured.

  • Deny – Indicates that the domain name list is to be used as a deny list for traffic that matches the specified protocols. For matching packets, discontinue inspection of the packet, block it from going to its intended destination, and send a message to the firewall's alert logs if the firewall has alert logging configured. For non-matching packets, take no action.
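As an added example (not code from the AWS documentation), the function below models the allow-list and deny-list decision for a single flow, including the case the two settings treat differently: traffic that is not of a protocol the rule group inspects. The field names (`Targets`, `TargetTypes`, `GeneratedRulesType` with `ALLOWLIST` or `DENYLIST`) follow the API's RulesSourceList as I know it, the leading-dot convention for matching a domain and its subdomains is an assumption stated here, and the rule groups and flows are constructed.

```python
def normalize(domain: str) -> str:
    return domain.lower().rstrip(".")


def domain_matches(target: str, domain: str) -> bool:
    """Assumption: a target with a leading dot covers the domain and its subdomains;
    a target without one must match exactly."""
    target, domain = normalize(target), normalize(domain)
    if target.startswith("."):
        return domain == target[1:] or domain.endswith(target)
    return domain == target


def domain_list_verdict(rule_group: dict, flow: dict):
    """Return (verdict, alert) for one flow; verdict is 'pass', 'drop' or 'no_action'.
    flow['target_type'] is 'TLS_SNI', 'HTTP_HOST', or None for other traffic."""
    # The rule group only acts on the protocols it is configured for.
    if flow["target_type"] not in rule_group["TargetTypes"]:
        return "no_action", None
    matched = any(domain_matches(t, flow["domain"]) for t in rule_group["Targets"])
    alert = f"{flow['target_type']} {flow['domain']}"  # what would reach the alert log
    if rule_group["GeneratedRulesType"] == "ALLOWLIST":
        # Allow list: listed domains pass; any other domain on these protocols is dropped and logged.
        return ("pass", None) if matched else ("drop", alert)
    # Deny list: listed domains are dropped and logged; everything else is left alone.
    return ("drop", alert) if matched else ("no_action", None)


# Constructed rule groups and flows.
ALLOW = {"GeneratedRulesType": "ALLOWLIST", "TargetTypes": ["TLS_SNI", "HTTP_HOST"],
         "Targets": [".example.com", "updates.example.net"]}
DENY = {"GeneratedRulesType": "DENYLIST", "TargetTypes": ["TLS_SNI"],
        "Targets": [".evil.example"]}

TLS_API = {"target_type": "TLS_SNI", "domain": "api.example.com"}
TLS_EVIL = {"target_type": "TLS_SNI", "domain": "files.evil.example"}
HTTP_UPDATES = {"target_type": "HTTP_HOST", "domain": "updates.example.net"}
OTHER = {"target_type": None, "domain": ""}  # e.g. plain DNS or SSH: neither SNI nor Host header

if __name__ == "__main__":
    for label, rg in [("allow", ALLOW), ("deny", DENY)]:
        for flow in [TLS_API, TLS_EVIL, HTTP_UPDATES, OTHER]:
            print(label, flow["target_type"], flow["domain"], "->", domain_list_verdict(rg, flow))
```

The asymmetry to notice is in the OTHER flow and in the HTTP_HOST flow against the deny list: an allow list only blocks non-matching traffic of the protocols it inspects, so traffic without a TLS SNI or HTTP Host header is untouched and needs separate rules if it should be restricted.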