Firewall policy settings in AWS Network Firewall

Name – The identifier for the firewall policy. You assign a unique name to every firewall policy. You can't change the name of a firewall policy after you create it.

Description – Optional additional information about the firewall policy. Fill in any information that might help you remember the purpose of the firewall policy and how you want to use it. The description is included in firewall policy lists in the console and through the APIs.

Stream exception policy – The stream exception policy determines how Network Firewall handles traffic when a network connection breaks midstream. Network connections can break due to disruptions in external networks or within the firewall itself. For more information, see Stream exception policy options in your AWS Network Firewall firewall policy.

Stateless rule groups – Zero or more collections of stateless rules, with priority settings that define their processing order within the policy. For information about creating and managing rule groups for use in your policies, see Rule groups in AWS Network Firewall.

Stateless default actions – Define how Network Firewall handles a packet or UDP packet fragment that doesn't match any of the rules in the stateless rule groups. You can specify different default settings for full packets and for UDP packet fragments. Network Firewall silently drops packet fragments for other protocols.

You provide this configuration regardless of whether you define stateless rule groups for the policy.

The options for the firewall policy's default settings are the same as for stateless rules. For information about the options, see Defining rule actions in AWS Network Firewall.

Stateful engine options – The structure that holds stateful rule order settings. Note that you can only configure RuleOrder settings when you first create the policy. RuleOrder can't be edited later.

Stateful rule groups – Zero or more collections of stateful rules, provided in Suricata compatible format. For information about creating and managing rule groups for use in your policies, see Rule groups in AWS Network Firewall.

Stateful default actions – Define how Network Firewall handles a packet that doesn't match any of the rules in the stateful rule groups.

These settings apply when you use strict ordering for stateful rule evaluation, and you can provide them even if you don't define stateful rule groups for the policy.

For more information about the options, see Strict evaluation order.

Customer-managed key (Optional) – Network Firewall encrypts and decrypts Network Firewall resources, to protect against unauthorized access. By default, Network Firewall uses AWS owned keys for this. If you want to use your own keys, you can configure customer managed keys from AWS Key Management Service and provide them to Network Firewall. For information about this option, see Encryption at rest with AWS Key Management Service.

Policy variables (Optional) – You can configure one or more IPv4 or IPv6 addresses in CIDR notation to override the default value of Suricata HOME_NET. If your firewall is deployed using a centralized deployment model, you might want to override HOME_NET with the CIDRs of your home network. Otherwise, Network Firewall uses the CIDR of your inspection VPC.

The firewall policy EXTERNAL_NET setting is the negation of its HOME_NET setting. For example, if the HOME_NET is 11.0.0.0, then EXTERNAL_NET is set to !11.0.0.0.

TLS inspection configuration (Optional) – Contains settings to turn on decryption and re-encryption of the Secure Socket Layer (SSL)/Transport Layer Security (TLS) traffic going to your firewall so that the traffic can be inspected according to the policy's stateful rules. For more information, see Inspecting SSL/TLS traffic with TLS inspection configurations in AWS Network Firewall.

Tags (Optional) – Zero or more key-value tag pairs. A tag is a label that you assign to an AWS resource. You can use tags to search and filter your resources and to track your AWS costs. For more information about tags, see Tagging AWS Network Firewall resources.