Working with stateful rule groups in AWS Network Firewall

A stateful rule group is a rule group that uses Suricata compatible intrusion prevention system (IPS) specifications. Suricata is an open source network IPS that includes a standard rule-based language for stateful network traffic inspection. AWS Network Firewall supports Suricata version 6.0.9.

Stateful rule groups have a configurable top-level setting called StatefulRuleOptions, which contains the RuleOrder attribute. You can set this in the console when you create a rule group, or in the API under StatefulRuleOptions. You can't change the RuleOrder after the rule group is created.

You can enter any stateful rule in Suricata compatible strings. For standard Suricata rules specifications and for domain list inspection, you can alternately provide specifications to Network Firewall and have Network Firewall create the Suricata compatible strings for you.

As needed, depending on the rules that you provide, the stateful engine performs deep packet inspection (DPI) of your traffic flows. DPI inspects and processes the payload data within your packets, rather than just the header information.

The rest of this section provides requirements and additional information for using Suricata compatible rules with Network Firewall. For full information about Suricata, see the Suricata website and the Suricata User Guide.

Creating a stateful rule group

This section provides guidance for creating a stateful rule group.

To create a stateful rule group
  1. Sign in to the AWS Management Console and open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, under Network Firewall, choose Network Firewall rule groups.

  3. Choose Create Network Firewall rule group.

  4. Under Choose rule group type, for the Rule group format, choose Stateful rule group.

    For Rule evaluation order, choose the way that your stateful rules are ordered for evaluation:

    • Choose Strict order (recommended) to provide your rules in the order that you want them to be evaluated. You can then choose one or more default actions for packets that don't match any rules.

    • Choose Action order to have the stateful rules engine determine the evaluation order of your rules. The default action for this rule order is Pass, followed by Drop, Reject, and Alert actions. This option was previously named Default order.

    For more information about stateful default actions for rule groups, see Action order.

    For more information about stateful rule groups, see Working with stateful rule groups in AWS Network Firewall.

  5. Choose Next.

  6. Enter a Name to identify this rule group.

    Note

    You can't change the name after you create the rule group.

  7. (Optional) Enter a Description for the rule group to help you identify it among your other resources.

  8. For Capacity, set the maximum capacity you want to allow for the stateful rule group, up to the maximum of 30,000. You can't change this setting after you create the rule group. For information about how to calculate this, see Setting rule group capacity in AWS Network Firewall. For information about the maximum setting, see AWS Network Firewall quotas.

  9. Choose Next.

  10. Select the type of rule group that you want to add, from the Stateful rule group options. The rest of your rule group specifications depend on the option you choose.

    Note

    If you need to specify options that aren't available through the console, you can use one of the APIs or AWS CloudFormation. For information, see StatefulRule in the AWS Network Firewall API Reference and AWS::NetworkFirewall::RuleGroup StatefulRule in the AWS CloudFormation User Guide.

    • (Option) Standard stateful rule – Entry form for a basic Suricata rule.

      For each rule that you want in your rule group, specify the following information and then choose Add rule. Your added rules are listed in the Rules list.

      • Choose the protocol and source and destination settings for your rule.

      • For Traffic direction, choose whether to apply the rule to any direction or only for traffic that flows forward, from the specified source to the specified destination.

        Note

        Network Firewall doesn't automatically add the direction keyword to_server, and will inspect all the packets in the flow, irrespective of the flow state.

      • For Action, select the action that you want Network Firewall to take when a packet matches the rule settings. For information on these options, see Stateful actions.

      To define IP sets and ports as variables that you can reference in your rules:

      • In the Rule variables section, enter variables and values for IP set variables and Port variables.

      To add one or more references to IP set resources, such as Amazon VPC prefix lists, that you can use as variables in your rules:

      • In the IP set reference section, enter an IP set variable name and select an IP set reference ID. The IP set reference ID corresponds to the resource ID of the IP set Amazon Resource Name (ARN) that you want to reference. Network Firewall currently supports Amazon VPC prefix lists and resource groups as IP set references. For more information about working with IP set references in Network Firewall, see Referencing Amazon VPC prefix lists.

      For information about these rules, see Standard stateful rule groups in AWS Network Firewall.

    • (Option) Domain list – Specify the following information.

      • For Domain name source, enter the domain names that you want to inspect for, one name specification per line. Valid domain name specifications are the following:

        • Explicit names. For example, abc.example.com matches only the domain abc.example.com.

        • Names that use a domain wildcard, which you indicate with an initial '.'. For example, .example.com matches example.com and matches all subdomains of example.com, such as abc.example.com and www.example.com.

      • For Protocols, choose the protocols you want to inspect.

      • For Action, select the list type that you are creating, either Allow or Deny. For information on these options, see Stateful actions.

      For information about stateful domain name rules, see Stateful domain list rule groups in AWS Network Firewall.

    • (Option) Suricata compatible rule string

      To define IP sets and ports as variables that you can reference in your rules:

      • In the Rule variables section, enter variables and values for IP set variables and Port variables.

      To add one or more references to IP set resources, such as Amazon VPC prefix lists, that you can use as variables in your rules:

      • In the IP set reference section, enter an IP set variable name and select an IP set reference ID. The IP set reference ID corresponds to the resource ID of the IP set Amazon Resource Name (ARN) that you want to reference. Network Firewall currently supports Amazon VPC prefix lists and resource groups as IP set references. For more information about working with IP set references in Network Firewall, see Referencing Amazon VPC prefix lists.

      Paste your rules into the text box.

  11. Choose Next.

  12. (Optional) On the Configure advanced settings page, under Customer managed key, toggle the Customize encryption settings option to configure your customer managed key. For more information about this option, see Encryption at rest with AWS Key Management Service.

  13. Choose Next.

  14. (Optional) On the Add tags page, enter a key and optional value for any tag that you want added to this rule group. Tags help you organize and manage your AWS resources. For more information about tagging your resources, see Tagging AWS Network Firewall resources.

  15. Choose Next.

  16. Review the settings that you've provided for the rule group, then choose Create stateful rule group.

Your new rule group is added to the list in the Network Firewall rule groups page.

To use your rule group in a firewall policy, follow the procedures at Managing your firewall policy.
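The same rule group can be created through the API instead of the console. The following added example (not Network Firewall's own code) builds the RuleGroup body that the create_rule_group API accepts for a domain list with STRICT_ORDER, rule variables and an optional IP set reference, and previews the console's domain wildcard semantics against a constructed list of hostnames so you can confirm coverage before deploying. The domain list, IP ranges, hostnames and the boto3 call in the comment are assumptions for illustration.

```python
"""Build a stateful domain-list RuleGroup body and preview its coverage.
Added example; not AWS's code. boto3 call is left commented out."""


def domain_matches(spec: str, host: str) -> bool:
    """Console wildcard rule: a leading '.' matches the domain and every
    subdomain; a name without it matches exactly that host."""
    spec, host = spec.lower().rstrip("."), host.lower().rstrip(".")
    if spec.startswith("."):
        base = spec[1:]
        return host == base or host.endswith("." + base)
    return host == spec


def covered_hosts(domains, hosts):
    """Hostnames from a traffic sample that the domain list would match."""
    return sorted(h for h in hosts if any(domain_matches(d, h) for d in domains))


def domain_list_rule_group(domains, target_types, generated_rules_type,
                           ip_sets=None, reference_arns=None):
    """RuleGroup body for create_rule_group (RulesSourceList form)."""
    if generated_rules_type not in ("ALLOWLIST", "DENYLIST"):
        raise ValueError("GeneratedRulesType must be ALLOWLIST or DENYLIST")
    for t in target_types:
        if t not in ("TLS_SNI", "HTTP_HOST"):
            raise ValueError(f"unsupported target type {t}")
    group = {
        "RulesSource": {"RulesSourceList": {
            "Targets": list(domains), "TargetTypes": list(target_types),
            "GeneratedRulesType": generated_rules_type}},
        # RuleOrder cannot be changed after creation, so choose it up front.
        "StatefulRuleOptions": {"RuleOrder": "STRICT_ORDER"},
    }
    if ip_sets:  # IP set variables, e.g. HOME_NET -> CIDR list
        group["RuleVariables"] = {"IPSets": {
            n: {"Definition": list(c)} for n, c in ip_sets.items()}}
    if reference_arns:  # IP set references such as VPC prefix lists
        group["ReferenceSets"] = {"IPSetReferences": {
            n: {"ReferenceArn": a} for n, a in reference_arns.items()}}
    return group


def create_rule_group_kwargs(name, capacity, rule_group, description=""):
    """Keyword arguments for boto3 network-firewall create_rule_group()."""
    if not 1 <= capacity <= 30000:  # stateful maximum from the docs
        raise ValueError("stateful capacity must be between 1 and 30000")
    return {"RuleGroupName": name, "Type": "STATEFUL", "Capacity": capacity,
            "Description": description, "RuleGroup": rule_group}


if __name__ == "__main__":
    DOMAINS = [".example.com", "abc.example.net"]  # constructed deny list
    SAMPLE = ["example.com", "www.example.com", "notexample.com",
              "abc.example.net", "x.abc.example.net"]  # constructed hosts
    print(covered_hosts(DOMAINS, SAMPLE))
    rg = domain_list_rule_group(DOMAINS, ["TLS_SNI", "HTTP_HOST"], "DENYLIST",
                                ip_sets={"HOME_NET": ["10.0.0.0/16"]})
    kwargs = create_rule_group_kwargs("deny-example", 100, rg)
    # boto3.client("network-firewall").create_rule_group(**kwargs)
```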

Updating a stateful rule group

To change your stateful rule group settings, use the following procedure.

To update a stateful rule group
  1. Sign in to the AWS Management Console and open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, under Network Firewall, choose Network Firewall rule groups.

  3. In the Network Firewall rule groups page, choose the name of the rule group that you want to update. The rule group's details page appears.

  4. In your rule group's details page, in the area that you want to change, choose Edit. Follow the prompts to make your updates. The interface varies according to the rule group type. When you're done editing an area, choose Save to save your changes in the rule group.

How Network Firewall propagates your changes

When you make any changes to a firewall, including changes to any of the firewall's components, like rule groups, TLS inspection configurations, and firewall policies, Network Firewall propagates the changes everywhere that the firewall is used. Your changes are applied within seconds, but there might be a brief period of inconsistency when the changes have arrived in some places and not in others. For example, if you modify a rule group so that it drops an additional type of packet, for a firewall that uses the rule group, the new packet type might briefly be dropped by one firewall endpoint while still being allowed by another.

This temporary inconsistency can occur when you first create a firewall and when you make changes to an existing firewall. Generally, any inconsistencies of this type last only a few seconds.

When you add a TLS inspection configuration to an existing firewall, Network Firewall interrupts traffic flows that match the scope defined in the TLS inspection configuration. Network Firewall then begins SSL/TLS decryption and inspection for new connections through the firewall.

Changes to stateful rules are applied only to new traffic flows. Other firewall changes, including changes to stateless rules, are applied to all network packets.

Deleting a stateful rule group

To delete a rule group, use the guidance in this section.

Deleting a rule group, TLS inspection configuration, or firewall policy

When you delete a rule group, TLS inspection configuration, or a firewall policy, AWS Network Firewall checks to see if it's currently being referenced. A rule group and TLS inspection configuration can be referenced by a firewall policy, and a firewall policy can be referenced by a firewall. If Network Firewall determines that the resource is being referenced, it warns you. Network Firewall is almost always able to determine whether a resource is being referenced. However, in rare cases, it might not be able to do so. If you need to be sure that the resource that you want to delete isn't in use, check all of your firewalls or firewall policies before deleting it. Note that policies that have associations can't be deleted.

To delete a stateful rule group
  1. Sign in to the AWS Management Console and open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, under Network Firewall, choose Network Firewall rule groups.

  3. In the Network Firewall rule groups page, select the name of the rule group that you want to delete, and then choose Delete.