Rule actions in AWS Network Firewall

The rule action setting tells AWS Network Firewall how to handle a packet that matches the rule's match criteria.

Stateless actions

The action options for stateless rules are the same as for the firewall policy's default stateless rule actions.

You are required to specify one of the following options:

  • Pass – Discontinue all inspection of the packet and permit it to go to its intended destination.

  • Drop – Discontinue all inspection of the packet and block it from going to its intended destination.

  • Forward to stateful rules – Discontinue stateless inspection of the packet and forward it to the stateful rule engine for inspection.

You can also specify a named custom action to apply. For this action, Network Firewall adds a dimension to the Amazon CloudWatch metrics with the name set to CustomAction and a value that you specify. For more information, see AWS Network Firewall metrics in Amazon CloudWatch.

After you define a named custom action, you can use it by name in the same context where you defined it. You can reuse a custom action setting among the rules in a rule group, and you can reuse a custom action setting between the two default stateless custom action settings of a firewall policy.

Stateful actions

The actions that you specify for your stateful rules help determine the order in which the Suricata stateful rules engine processes them. Network Firewall supports the Suricata rule actions pass, drop, and alert. By default, the engine processes rules in the order of pass action, then drop action, then finally alert action, regardless of the order in which the rules are listed. For more information, see the Suricata Action-order documentation.

Stateful rules can send alerts to the firewall's logs if you have logging configured. To see the alerts, you must enable logging for the firewalls that use the rules. Logging incurs additional costs. For more information, see Logging network traffic from AWS Network Firewall.

The options for stateful action settings vary by rule type.

5-tuple and Suricata compatible rules

For stateful 5-tuple rules and for Suricata compatible rules, you specify one of the following options. These options are a subset of the action options that are defined by Suricata. For more information, see Stateful Suricata compatible IPS rule groups in AWS Network Firewall.

  • Pass – Discontinue inspection of the matching packet and permit it to go to its intended destination.

  • Drop – Discontinue inspection of the matching packet, block it from going to its intended destination, and send a message to the firewall's alert logs if the firewall has alert logging configured.

  • Alert – Discontinue inspection of the matching packet, permit it to go to its intended destination, and send a message to the firewall's alert logs if the firewall has alert logging configured.
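The following is an added example, not AWS or Suricata code: a small Python model of the default action order and the three stateful actions as this page describes them (pass before drop before alert, each discontinuing inspection of the matching packet; drop and alert write to the alert log). It parses only the Suricata rule header and the msg option, and the rule set and packets are constructed; the point it shows is that a matching pass rule wins even when a drop rule is listed ahead of it, so pass rules should be kept as narrow as possible.

```python
import ipaddress
import re
from collections import namedtuple

# Default Suricata action order as described on this page: pass, then drop, then alert.
ACTION_ORDER = ("pass", "drop", "alert")

# Minimal Suricata rule header grammar: action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>pass|drop|alert)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)
Rule = namedtuple("Rule", "action proto src sport dst dport msg")

def parse_rule(line):
    """Parse one rule line into a Rule; only the header and the msg option are read."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line}")
    msg = re.search(r'msg:"([^"]*)"', m["opts"])
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["dst"], m["dport"],
                msg.group(1) if msg else "")

def _ip_match(spec, ip):  # spec is "any", a single address, or a CIDR block
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _port_match(spec, port):  # spec is "any" or a single port number
    return spec == "any" or int(spec) == port

def matches(rule, pkt):
    return (rule.proto == pkt["proto"]
            and _ip_match(rule.src, pkt["src"]) and _port_match(rule.sport, pkt["sport"])
            and _ip_match(rule.dst, pkt["dst"]) and _port_match(rule.dport, pkt["dport"]))

def evaluate(rules, pkt):
    """Return (verdict, alert_log_msg). The verdict is the first action in ACTION_ORDER that
    has a matching rule; the listing order inside the rule group is irrelevant. Drop and alert
    produce an alert-log message, pass does not. (None, None) means no rule matched."""
    for action in ACTION_ORDER:
        for rule in rules:
            if rule.action == action and matches(rule, pkt):
                return action, (rule.msg if action in ("drop", "alert") else None)
    return None, None

# Constructed sample rule group: the drop is listed first, but a matching pass still wins.
SAMPLE_RULES = [parse_rule(r) for r in (
    'drop tcp any any -> any 23 (msg:"telnet blocked"; sid:1;)',
    'pass tcp 10.0.1.0/24 any -> 10.0.0.5 23 (msg:"telnet to jump host"; sid:2;)',
    'alert tcp any any -> any 23 (msg:"telnet observed"; sid:3;)',
)]
```

With these rules, telnet from 10.0.1.7 to 10.0.0.5 passes silently, telnet to any other host is dropped and logged, and the alert rule never fires for dropped packets because the drop already ended inspection.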

Domain lists

The domain list rule group has one action setting at the rule group level. You specify one of the following options:

  • Allow – Indicates that the domain name list is to be used as an allow list. For matching packets, discontinue inspection of the packet and permit it to pass to its intended destination.

  • Deny – Indicates that the domain name list is to be used as a deny list. Discontinue inspection of the packet, block it from going to its intended destination, and send a message to the firewall's alert logs if the firewall has alert logging configured.