Class: Aws::NetworkFirewall::Types::FirewallPolicy
- Inherits:
-
Struct
- Object
- Struct
- Aws::NetworkFirewall::Types::FirewallPolicy
- Defined in:
- gems/aws-sdk-networkfirewall/lib/aws-sdk-networkfirewall/types.rb
Overview
The firewall policy defines the behavior of a firewall using a collection of stateless and stateful rule groups and other settings. You can use one firewall policy for multiple firewalls.
This, along with FirewallPolicyResponse, define the policy. You can retrieve all objects for a firewall policy by calling DescribeFirewallPolicy.
Constant Summary collapse
- SENSITIVE =
[]
Instance Attribute Summary collapse
-
#policy_variables ⇒ Types::PolicyVariables
Contains variables that you can use to override default Suricata settings in your firewall policy.
-
#stateful_default_actions ⇒ Array<String>
The default actions to take on a packet that doesn't match any stateful rules.
-
#stateful_engine_options ⇒ Types::StatefulEngineOptions
Additional options governing how Network Firewall handles stateful rules.
-
#stateful_rule_group_references ⇒ Array<Types::StatefulRuleGroupReference>
References to the stateful rule groups that are used in the policy.
-
#stateless_custom_actions ⇒ Array<Types::CustomAction>
The custom action definitions that are available for use in the firewall policy's
StatelessDefaultActions
setting. -
#stateless_default_actions ⇒ Array<String>
The actions to take on a packet if it doesn't match any of the stateless rules in the policy.
-
#stateless_fragment_default_actions ⇒ Array<String>
The actions to take on a fragmented UDP packet if it doesn't match any of the stateless rules in the policy.
-
#stateless_rule_group_references ⇒ Array<Types::StatelessRuleGroupReference>
References to the stateless rule groups that are used in the policy.
-
#tls_inspection_configuration_arn ⇒ String
The Amazon Resource Name (ARN) of the TLS inspection configuration.
Instance Attribute Details
#policy_variables ⇒ Types::PolicyVariables
Contains variables that you can use to override default Suricata settings in your firewall policy.
1981 1982 1983 1984 1985 1986 1987 1988 1989 1990 1991 1992 1993 |
# File 'gems/aws-sdk-networkfirewall/lib/aws-sdk-networkfirewall/types.rb', line 1981 class FirewallPolicy < Struct.new( :stateless_rule_group_references, :stateless_default_actions, :stateless_fragment_default_actions, :stateless_custom_actions, :stateful_rule_group_references, :stateful_default_actions, :stateful_engine_options, :tls_inspection_configuration_arn, :policy_variables) SENSITIVE = [] include Aws::Structure end |
#stateful_default_actions ⇒ Array<String>
The default actions to take on a packet that doesn't match any stateful rules. The stateful default action is optional, and is only valid when using the strict rule order.
Valid values of the stateful default action:
aws:drop_strict
aws:drop_established
aws:alert_strict
aws:alert_established
For more information, see Strict evaluation order in the Network Firewall Developer Guide.
1981 1982 1983 1984 1985 1986 1987 1988 1989 1990 1991 1992 1993 |
# File 'gems/aws-sdk-networkfirewall/lib/aws-sdk-networkfirewall/types.rb', line 1981 class FirewallPolicy < Struct.new( :stateless_rule_group_references, :stateless_default_actions, :stateless_fragment_default_actions, :stateless_custom_actions, :stateful_rule_group_references, :stateful_default_actions, :stateful_engine_options, :tls_inspection_configuration_arn, :policy_variables) SENSITIVE = [] include Aws::Structure end |
#stateful_engine_options ⇒ Types::StatefulEngineOptions
Additional options governing how Network Firewall handles stateful rules. The stateful rule groups that you use in your policy must have stateful rule options settings that are compatible with these settings.
1981 1982 1983 1984 1985 1986 1987 1988 1989 1990 1991 1992 1993 |
# File 'gems/aws-sdk-networkfirewall/lib/aws-sdk-networkfirewall/types.rb', line 1981 class FirewallPolicy < Struct.new( :stateless_rule_group_references, :stateless_default_actions, :stateless_fragment_default_actions, :stateless_custom_actions, :stateful_rule_group_references, :stateful_default_actions, :stateful_engine_options, :tls_inspection_configuration_arn, :policy_variables) SENSITIVE = [] include Aws::Structure end |
#stateful_rule_group_references ⇒ Array<Types::StatefulRuleGroupReference>
References to the stateful rule groups that are used in the policy. These define the inspection criteria in stateful rules.
1981 1982 1983 1984 1985 1986 1987 1988 1989 1990 1991 1992 1993 |
# File 'gems/aws-sdk-networkfirewall/lib/aws-sdk-networkfirewall/types.rb', line 1981 class FirewallPolicy < Struct.new( :stateless_rule_group_references, :stateless_default_actions, :stateless_fragment_default_actions, :stateless_custom_actions, :stateful_rule_group_references, :stateful_default_actions, :stateful_engine_options, :tls_inspection_configuration_arn, :policy_variables) SENSITIVE = [] include Aws::Structure end |
#stateless_custom_actions ⇒ Array<Types::CustomAction>
The custom action definitions that are available for use in the
firewall policy's StatelessDefaultActions
setting. You name each
custom action that you define, and then you can use it by name in
your default actions specifications.
1981 1982 1983 1984 1985 1986 1987 1988 1989 1990 1991 1992 1993 |
# File 'gems/aws-sdk-networkfirewall/lib/aws-sdk-networkfirewall/types.rb', line 1981 class FirewallPolicy < Struct.new( :stateless_rule_group_references, :stateless_default_actions, :stateless_fragment_default_actions, :stateless_custom_actions, :stateful_rule_group_references, :stateful_default_actions, :stateful_engine_options, :tls_inspection_configuration_arn, :policy_variables) SENSITIVE = [] include Aws::Structure end |
#stateless_default_actions ⇒ Array<String>
The actions to take on a packet if it doesn't match any of the
stateless rules in the policy. If you want non-matching packets to
be forwarded for stateful inspection, specify aws:forward_to_sfe
.
You must specify one of the standard actions: aws:pass
,
aws:drop
, or aws:forward_to_sfe
. In addition, you can specify
custom actions that are compatible with your standard section
choice.
For example, you could specify ["aws:pass"]
or you could specify
["aws:pass", “customActionName”]
. For information about
compatibility, see the custom action descriptions under
CustomAction.
1981 1982 1983 1984 1985 1986 1987 1988 1989 1990 1991 1992 1993 |
# File 'gems/aws-sdk-networkfirewall/lib/aws-sdk-networkfirewall/types.rb', line 1981 class FirewallPolicy < Struct.new( :stateless_rule_group_references, :stateless_default_actions, :stateless_fragment_default_actions, :stateless_custom_actions, :stateful_rule_group_references, :stateful_default_actions, :stateful_engine_options, :tls_inspection_configuration_arn, :policy_variables) SENSITIVE = [] include Aws::Structure end |
#stateless_fragment_default_actions ⇒ Array<String>
The actions to take on a fragmented UDP packet if it doesn't match
any of the stateless rules in the policy. Network Firewall only
manages UDP packet fragments and silently drops packet fragments for
other protocols. If you want non-matching fragmented UDP packets to
be forwarded for stateful inspection, specify aws:forward_to_sfe
.
You must specify one of the standard actions: aws:pass
,
aws:drop
, or aws:forward_to_sfe
. In addition, you can specify
custom actions that are compatible with your standard section
choice.
For example, you could specify ["aws:pass"]
or you could specify
["aws:pass", “customActionName”]
. For information about
compatibility, see the custom action descriptions under
CustomAction.
1981 1982 1983 1984 1985 1986 1987 1988 1989 1990 1991 1992 1993 |
# File 'gems/aws-sdk-networkfirewall/lib/aws-sdk-networkfirewall/types.rb', line 1981 class FirewallPolicy < Struct.new( :stateless_rule_group_references, :stateless_default_actions, :stateless_fragment_default_actions, :stateless_custom_actions, :stateful_rule_group_references, :stateful_default_actions, :stateful_engine_options, :tls_inspection_configuration_arn, :policy_variables) SENSITIVE = [] include Aws::Structure end |
#stateless_rule_group_references ⇒ Array<Types::StatelessRuleGroupReference>
References to the stateless rule groups that are used in the policy. These define the matching criteria in stateless rules.
1981 1982 1983 1984 1985 1986 1987 1988 1989 1990 1991 1992 1993 |
# File 'gems/aws-sdk-networkfirewall/lib/aws-sdk-networkfirewall/types.rb', line 1981 class FirewallPolicy < Struct.new( :stateless_rule_group_references, :stateless_default_actions, :stateless_fragment_default_actions, :stateless_custom_actions, :stateful_rule_group_references, :stateful_default_actions, :stateful_engine_options, :tls_inspection_configuration_arn, :policy_variables) SENSITIVE = [] include Aws::Structure end |
#tls_inspection_configuration_arn ⇒ String
The Amazon Resource Name (ARN) of the TLS inspection configuration.
1981 1982 1983 1984 1985 1986 1987 1988 1989 1990 1991 1992 1993 |
# File 'gems/aws-sdk-networkfirewall/lib/aws-sdk-networkfirewall/types.rb', line 1981 class FirewallPolicy < Struct.new( :stateless_rule_group_references, :stateless_default_actions, :stateless_fragment_default_actions, :stateless_custom_actions, :stateful_rule_group_references, :stateful_default_actions, :stateful_engine_options, :tls_inspection_configuration_arn, :policy_variables) SENSITIVE = [] include Aws::Structure end |