Package software.amazon.awscdk.services.networkfirewall

Interface CfnFirewallPolicy.StatefulEngineOptionsProperty

All Superinterfaces:

software.amazon.jsii.JsiiSerializable

All Known Implementing Classes:

CfnFirewallPolicy.StatefulEngineOptionsProperty.Jsii$Proxy

Enclosing class:

CfnFirewallPolicy

@Stability(Stable)
public static interface CfnFirewallPolicy.StatefulEngineOptionsProperty
extends software.amazon.jsii.JsiiSerializable

Configuration settings for the handling of the stateful rule groups in a firewall policy.

Example:

 // The code below shows an example of how to instantiate this type.
 // The values are placeholders you should change.
 import software.amazon.awscdk.services.networkfirewall.*;
 StatefulEngineOptionsProperty statefulEngineOptionsProperty = StatefulEngineOptionsProperty.builder()
         .ruleOrder("ruleOrder")
         .streamExceptionPolicy("streamExceptionPolicy")
         .build();
 

Nested Class Summary

Nested Classes

Modifier and Type	Interface	Description
static final class	CfnFirewallPolicy.StatefulEngineOptionsProperty.Builder	A builder for CfnFirewallPolicy.StatefulEngineOptionsProperty
static final class	CfnFirewallPolicy.StatefulEngineOptionsProperty.Jsii$Proxy	An implementation for CfnFirewallPolicy.StatefulEngineOptionsProperty

Method Summary

Modifier and Type	Method	Description
static CfnFirewallPolicy.StatefulEngineOptionsProperty.Builder	builder()
default String	getRuleOrder()	Indicates how to manage the order of stateful rule evaluation for the policy.
default String	getStreamExceptionPolicy()	Configures how Network Firewall processes traffic when a network connection breaks midstream.

Methods inherited from interface software.amazon.jsii.JsiiSerializable

$jsii$toJson

Method Details

getRuleOrder

@Stability(Stable)
@Nullable
default String getRuleOrder()

Indicates how to manage the order of stateful rule evaluation for the policy.

DEFAULT_ACTION_ORDER is the default behavior. Stateful rules are provided to the rule engine as Suricata compatible strings, and Suricata evaluates them based on certain settings. For more information, see Evaluation order for stateful rules in the AWS Network Firewall Developer Guide .

getStreamExceptionPolicy

@Stability(Stable)
@Nullable
default String getStreamExceptionPolicy()

Configures how Network Firewall processes traffic when a network connection breaks midstream.

Network connections can break due to disruptions in external networks or within the firewall itself.

• DROP - Network Firewall fails closed and drops all subsequent traffic going to the firewall. This is the default behavior.
• CONTINUE - Network Firewall continues to apply rules to the subsequent traffic without context from traffic before the break. This impacts the behavior of rules that depend on this context. For example, if you have a stateful rule to drop http traffic, Network Firewall won't match the traffic for this rule because the service won't have the context from session initialization defining the application layer protocol as HTTP. However, this behavior is rule dependent—a TCP-layer rule using a flow:stateless rule would still match, as would the aws:drop_strict default action.
• REJECT - Network Firewall fails closed and drops all subsequent traffic going to the firewall. Network Firewall also sends a TCP reject packet back to your client so that the client can immediately establish a new session. Network Firewall will have context about the new session and will apply rules to the subsequent traffic.

builder

@Stability(Stable)
static CfnFirewallPolicy.StatefulEngineOptionsProperty.Builder builder()

Returns:

a CfnFirewallPolicy.StatefulEngineOptionsProperty.Builder of CfnFirewallPolicy.StatefulEngineOptionsProperty