Stream exception policy in your firewall policy - AWS Network Firewall

Stream exception policy in your firewall policy

The firewall policy's stream exception policy setting determines how Network Firewall handles traffic when a network connection breaks midstream. Network connections can break due to disruptions in external networks or within the firewall itself. A stream exception policy presents the following options:

  • Drop - Network Firewall fails closed and drops all subsequent traffic going to the firewall. This is the default behavior.

  • Continue - Network Firewall continues to apply rules to the subsequent traffic without context from traffic before the break. This impacts the behavior of rules that depend on this context. For example, if you have a stateful rule to drop httptraffic, Network Firewall won't match the traffic for this rule because the service won't have the context from session initialization defining the application layer protocol as HTTP. However, this behavior is rule dependent—a TCP-layer rule using a flow:stateless rule would still match, as would the aws:drop_strict default action.

  • Reject - Network Firewall fails closed and drops all subsequent traffic going to the firewall. Network Firewall also sends a TCP reject packet back to your client so that the client can immediately establish a new session. Network Firewall will have context about the new session and will apply rules to the subsequent traffic.

Important

Long-lived TCP connections – If your applications rely on long-lived TCP connections that trigger Gateway Load Balancer idle timeout, we recommend that you use the Reject option for your stream exception policy. This ensures that the applications using long-lived connections receive a TCP reset packet, which signals to the application’s TCP stack that it needs to establish a new connection before continuing. When the application establishes a new connection through the firewall, the firewall can make a decision based on the full connection context, which is often used in determining if a firewall should allow or deny a connection. You can configure your firewall’s stream exception policy using the console or the StatefulEngineOptions data type in the API.