Sélectionner vos préférences de cookies

Nous utilisons des cookies essentiels et des outils similaires qui sont nécessaires au fonctionnement de notre site et à la fourniture de nos services. Nous utilisons des cookies de performance pour collecter des statistiques anonymes afin de comprendre comment les clients utilisent notre site et d’apporter des améliorations. Les cookies essentiels ne peuvent pas être désactivés, mais vous pouvez cliquer sur « Personnaliser » ou « Refuser » pour refuser les cookies de performance.

Si vous êtes d’accord, AWS et les tiers approuvés utiliseront également des cookies pour fournir des fonctionnalités utiles au site, mémoriser vos préférences et afficher du contenu pertinent, y compris des publicités pertinentes. Pour accepter ou refuser tous les cookies non essentiels, cliquez sur « Accepter » ou « Refuser ». Pour effectuer des choix plus détaillés, cliquez sur « Personnaliser ».

Préférences
Contactez-nous
Commentaire
AWS Documentation
Créer un compte AWS
FirewallPolicy - AWS Network Firewall
ContentsSee Also
Cette page n'a pas été traduite dans votre langue. Demande de traduction

FirewallPolicy

PDF

The firewall policy defines the behavior of a firewall using a collection of stateless and stateful rule groups and other settings. You can use one firewall policy for multiple firewalls.

This, along with FirewallPolicyResponse, define the policy. You can retrieve all objects for a firewall policy by calling DescribeFirewallPolicy.

Contents

StatelessDefaultActions

The actions to take on a packet if it doesn't match any of the stateless rules in the policy. If you want non-matching packets to be forwarded for stateful inspection, specify aws:forward_to_sfe.

You must specify one of the standard actions: aws:pass, aws:drop, or aws:forward_to_sfe. In addition, you can specify custom actions that are compatible with your standard section choice.

For example, you could specify ["aws:pass"] or you could specify ["aws:pass", “customActionName”]. For information about compatibility, see the custom action descriptions under CustomAction.

Type: Array of strings

Required: Yes

StatelessFragmentDefaultActions

The actions to take on a fragmented UDP packet if it doesn't match any of the stateless rules in the policy. Network Firewall only manages UDP packet fragments and silently drops packet fragments for other protocols. If you want non-matching fragmented UDP packets to be forwarded for stateful inspection, specify aws:forward_to_sfe.

You must specify one of the standard actions: aws:pass, aws:drop, or aws:forward_to_sfe. In addition, you can specify custom actions that are compatible with your standard section choice.

For example, you could specify ["aws:pass"] or you could specify ["aws:pass", “customActionName”]. For information about compatibility, see the custom action descriptions under CustomAction.

Type: Array of strings

Required: Yes

PolicyVariables

Contains variables that you can use to override default Suricata settings in your firewall policy.

Type: PolicyVariables object

Required: No

StatefulDefaultActions

The default actions to take on a packet that doesn't match any stateful rules. The stateful default action is optional, and is only valid when using the strict rule order.

Valid values of the stateful default action:

  • aws:drop_strict

  • aws:drop_established

  • aws:alert_strict

  • aws:alert_established

For more information, see Strict evaluation order in the AWS Network Firewall Developer Guide.

Type: Array of strings

Required: No

StatefulEngineOptions

Additional options governing how Network Firewall handles stateful rules. The stateful rule groups that you use in your policy must have stateful rule options settings that are compatible with these settings.

Type: StatefulEngineOptions object

Required: No

StatefulRuleGroupReferences

References to the stateful rule groups that are used in the policy. These define the inspection criteria in stateful rules.

Type: Array of StatefulRuleGroupReference objects

Required: No

StatelessCustomActions

The custom action definitions that are available for use in the firewall policy's StatelessDefaultActions setting. You name each custom action that you define, and then you can use it by name in your default actions specifications.

Type: Array of CustomAction objects

Required: No

StatelessRuleGroupReferences

References to the stateless rule groups that are used in the policy. These define the matching criteria in stateless rules.

Type: Array of StatelessRuleGroupReference objects

Required: No

TLSInspectionConfigurationArn

The Amazon Resource Name (ARN) of the TLS inspection configuration.

Type: String

Length Constraints: Minimum length of 1. Maximum length of 256.

Pattern: ^arn:aws.*

Required: No

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following:

Rubrique suivante :

FirewallPolicyMetadata

Rubrique précédente :

FirewallMetadata

Avez-vous besoin d’aide ?

ConfidentialitéConditions d'utilisation du sitePréférences de cookies
© 2025, Amazon Web Services, Inc. ou ses affiliés. Tous droits réservés.