Limitations and caveats for stateful rules in AWS Network Firewall
AWS Network Firewall stateful rules are Suricata compatible. Most Suricata rules work out of the box with Network Firewall. Your use of Suricata rules with Network Firewall has the restrictions and caveats listed in this section.
Not supported
The following Suricata features are not supported by Network Firewall:
- Datasets. The dataset and datarep keywords aren't allowed.
- ENIP/CIP keywords.
- File extraction. File keywords aren't allowed.
- FTP-data protocol detection.
- GeoIP.
- IP reputation. The iprep keyword is not allowed.
- Lua scripting.
- QUIC protocol detection and QUIC-related application-level protocols such as HTTP3.
- Rule actions other than pass, drop, reject, and alert (those four actions are supported). For additional information about stateful rule actions, see Stateful actions.
- STCP protocol.
- Thresholding.
Supported with caveats
The following Suricata features have caveats for use with Network Firewall:
- The AWS Network Firewall stateful inspection engine supports inspecting inner packets for tunneling protocols such as Generic Routing Encapsulation (GRE). If you want to block the tunneled traffic, you can write rules against the tunnel layer itself or against the inner packet. Because the service inspects the different layers, you might see flows and alerts for the packets within the tunnel.
- To create a rule that requires a variable, you must specify the variable in the rule group. Without the required variables, the rule group isn't valid. For an example of a rule group that's configured with variables, see Rule with variables.
- In payload keywords, the pcre keyword is only allowed together with the content, tls.sni, http.host, and dns.query keywords. The priority keyword is not supported for rule groups that evaluate rules using strict evaluation order.
- You can set custom values for HOME_NET and EXTERNAL_NET in a rule group's rule variables. Rule group rule variables have higher priority than policy variables, but policy variables affect all rule groups that don't already define HOME_NET. If you don't set your own value for EXTERNAL_NET in a rule group, then Network Firewall sets the value of EXTERNAL_NET in the rule group to the negation of the HOME_NET value that you define at the firewall policy level. For example, suppose you set HOME_NET to 10.0.0.0 in your rule group and HOME_NET to 11.0.0.0 in the firewall policy. If you don't set EXTERNAL_NET in the rule group, then the value of EXTERNAL_NET is !11.0.0.0, based on the HOME_NET value set in the policy.
- When you use a stateful rule with a layer 3 or 4 protocol such as IP or TCP, and you don't include any flow state context such as "flow:not_established", Suricata treats the rule as an IP-only rule. Suricata evaluates IP-only rules only for the first packet in each direction of the flow. For example, Suricata processes the following rule as an IP-only rule:
  pass tcp $HOME_NET any -> [10.0.0.0/8] $HTTPS_PORTS (sid: 44444; rev:2;)
  However, if the destination IP contains a !, then Suricata treats the rule according to the protocol specified in the rule. Suricata processes the following rule as a TCP rule:
  pass tcp $HOME_NET any -> [!10.0.0.0/16] $HTTPS_PORTS (sid: 44444; rev:2;)