# Firewall policies in AWS Network Firewall
<a name="firewall-policies"></a>

An AWS Network Firewall *firewall policy* defines the monitoring and protection behavior for a firewall. The details of the behavior are defined in the rule groups that you add to your policy, and in some policy default settings. To use a firewall policy, you associate it with one or more firewall endpoints or firewall endpoint associations.

**Topics**
+ [Firewall policy settings in AWS Network Firewall](firewall-policy-settings.md)
+ [Stream exception policy options in your AWS Network Firewall firewall policy](stream-exception-policy.md)
+ [Managing your firewall policy in AWS Network Firewall](firewall-policy-managing.md)

# Firewall policy settings in AWS Network Firewall
<a name="firewall-policy-settings"></a>

A firewall policy in Network Firewall has the following configuration settings, which you define when you create or update the firewall policy. All settings except for the firewall policy name are changeable.

**Tip**  
If you own a firewall that is shared with others using VPC endpoint associations, you should review the settings in your firewall policy to ensure they apply to VPC endpoint associations as needed.
+ **Name** – The identifier for the firewall policy. You assign a unique name to every firewall policy. You can't change the name of a firewall policy after you create it.
+ **Description** – Optional additional information about the firewall policy. Fill in any information that might help you remember the purpose of the firewall policy and how you want to use it. The description is included in firewall policy lists in the console and through the APIs.
+ **Stream exception policy** – The stream exception policy determines how Network Firewall handles traffic when a network connection breaks midstream. Network connections can break due to disruptions in external networks or within the firewall itself. For more information, see [Stream exception policy options in your AWS Network Firewall firewall policy](stream-exception-policy.md).
+ **Stateless rule groups** – Zero or more collections of stateless rules, with priority settings that define their processing order within the policy. For information about creating and managing rule groups for use in your policies, see [Managing your own rule groups in AWS Network Firewall](rule-groups.md).
+ **Stateless default actions** – Define how Network Firewall handles a packet that doesn't match any of the rules in the stateless rule groups.

  You can specify the same default settings for all packets, or different default settings for full packets and for UDP packet fragments.

  Network Firewall silently drops packet fragments for other protocols.

  The options for the firewall policy's default settings are the same as for stateless rules. For information about the options, see [Defining rule actions in AWS Network Firewall](rule-action.md).
+ **Default actions for fragmented packets** – Define how Network Firewall handles UDP packet fragments. Network Firewall silently drops packet fragments for other protocols.
+ **Stateful engine options** – The structure that holds stateful rule order settings. Note that you can only configure `RuleOrder` settings when you first create the policy. `RuleOrder` can't be edited later.
+ **Stateful rule groups** – Zero or more collections of stateful rules, provided in Suricata compatible format. For information about creating and managing rule groups for use in your policies, see [Managing your own rule groups in AWS Network Firewall](rule-groups.md).
+ **Stateful default actions** – Define how Network Firewall handles a packet that doesn't match any of the rules in the stateful rule groups. 

  These settings apply when you use strict ordering for stateful rule evaluation, and you can provide them even if you don't define stateful rule groups for the policy. 

  For more information about the options, see [Strict evaluation order](suricata-rule-evaluation-order.md#suricata-strict-rule-evaluation-order).
+ **Customer-managed key** (Optional) – Network Firewall encrypts and decrypts Network Firewall resources, to protect against unauthorized access. By default, Network Firewall uses AWS owned keys for this. If you want to use your own keys, you can configure customer managed keys from AWS Key Management Service and provide them to Network Firewall. For information about this option, see [Encryption at rest with AWS Key Management Service](kms-encryption-at-rest.md).
+ **Policy variables** (Optional) – You can configure one or more IPv4 or IPv6 addresses in CIDR notation to override the default value of Suricata `HOME_NET`. If your firewall is deployed using a centralized deployment model, you might want to override `HOME_NET` with the CIDRs of your home network. Otherwise, Network Firewall uses the CIDR of your inspection VPC. 

  The firewall policy `EXTERNAL_NET` setting is the negation of its `HOME_NET` setting. For example, if `HOME_NET` is `11.0.0.0`, then `EXTERNAL_NET` is set to `!11.0.0.0`.

  **Note**  
  Policy variables do not automatically apply to VPC endpoint associations. For example, if `HOME_NET` is already configured for a primary firewall, you must also configure it to apply to VPC endpoints associated with that firewall.
+ **TCP idle timeouts** (Optional) – Defines the number of seconds that can pass without any traffic sent through the firewall before the firewall determines that the TCP connection is idle. When you update this value, existing connections will be treated according to your stream exception policy configuration. 

  You can define the value to be between 60 and 6000 seconds. If no value is provided, it defaults to 350 seconds. 
+ **Consumed domain capacity** – The total number of domain name specifications across all AWS Marketplace managed rule groups in the firewall policy that use the `stateful-domain-rulegroup`. Only rule groups from AWS Marketplace managed rules that use the `stateful-domain-rulegroup` resource type contribute to this capacity. A firewall policy can have a consumed domain capacity of up to 10,000,000 (10 million) domain name specifications. For more information about quotas, see [AWS Network Firewall quotas](quotas.md).
+ **TLS inspection configuration** (Optional) – Contains settings to turn on decryption and re-encryption of the Secure Socket Layer (SSL)/Transport Layer Security (TLS) traffic going to your firewall so that the traffic can be inspected according to the policy's stateful rules. For more information, see [Inspecting SSL/TLS traffic with TLS inspection configurations in AWS Network Firewall](tls-inspection-configurations.md).
+ **Tags** (Optional) – Zero or more key-value tag pairs. A tag is a label that you assign to an AWS resource. You can use tags to search and filter your resources and to track your AWS costs. For more information about tags, see [Tagging AWS Network Firewall resources](tagging.md).

## AWS Network Firewall firewall policy capacity limitations
<a name="firewall-policy-capacity"></a>

Network Firewall uses capacity calculations and limiting to control the operating resources that are required to process your rule groups and firewall policies. Each rule group has a capacity setting that's reserved for it in the firewall policy when you add it. Additionally, the firewall policy has limits on the count of rule groups that you can add. For information about limits, see [AWS Network Firewall quotas](quotas.md). For information about rule group capacity, see [Setting rule group capacity in AWS Network Firewall](nwfw-rule-group-capacity.md).

# Stream exception policy options in your AWS Network Firewall firewall policy
<a name="stream-exception-policy"></a>

The firewall policy's stream exception policy setting determines how Network Firewall handles traffic when a network connection breaks midstream. Network connections can break due to disruptions in external networks or within the firewall itself. A stream exception policy presents the following options:
+ **Drop** - Network Firewall fails closed and drops all subsequent traffic going to the firewall. This is the default behavior.
+ **Continue** - Network Firewall continues to apply rules to the subsequent traffic without context from traffic before the break. This impacts the behavior of rules that depend on this context. For example, if you have a stateful rule to drop HTTP traffic, Network Firewall won't match the traffic for this rule because the service won't have the context from session initialization defining the application layer protocol as HTTP. However, this behavior is rule dependent: a TCP-layer rule using the `flow:stateless` option would still match, as would the `aws:drop_strict` default action.
+ **Reject** - Network Firewall fails closed and drops all subsequent traffic going to the firewall. Network Firewall also sends a TCP reject packet back to your client so that the client can immediately establish a new session. Network Firewall will have context about the new session and will apply rules to the subsequent traffic.

# Managing your firewall policy in AWS Network Firewall
<a name="firewall-policy-managing"></a>

This section describes how to create, update, and delete your firewall policy in Network Firewall. 

**How Network Firewall propagates your changes**  
When you make any changes to a firewall, including changes to any of the firewall's components, like rule groups, TLS inspection configurations, and firewall policies, Network Firewall propagates the changes everywhere that the firewall is used. Your changes are normally applied within minutes, but there might be a brief period of inconsistency when the changes have arrived in some places and not in others. For example, if you modify a rule group so that it drops an additional type of packet, for a firewall that uses the rule group, the new packet type might briefly be dropped by one firewall endpoint while still being allowed by another. 

This temporary inconsistency can occur when you first create a firewall and when you make changes to an existing firewall. Generally, any inconsistencies of this type last only a few seconds. 

When you add a TLS inspection configuration to an existing firewall, Network Firewall interrupts traffic flows that match the criteria defined by the TLS inspection configuration scope configuration. Network Firewall will begin SSL/TLS decryption and inspection for new connections to the firewall.

Changes to stateful rules are applied only to new traffic flows. Other firewall changes, including changes to stateless rules, are applied to all network packets. 

**Topics**
+ [Creating a firewall policy in AWS Network Firewall](firewall-policy-creating.md)
+ [Updating a firewall policy in AWS Network Firewall](firewall-policy-updating.md)
+ [Deleting a firewall policy in AWS Network Firewall](firewall-policy-deleting.md)

# Creating a firewall policy in AWS Network Firewall
<a name="firewall-policy-creating"></a>

To create a firewall policy in Network Firewall, you need rule groups that you've already defined to use in the policy. You can create new rule groups and reuse existing ones. For information about creating and managing rule groups, see [Managing your own rule groups in AWS Network Firewall](rule-groups.md). 

If you want to use TLS inspection, you need to first create a TLS inspection configuration to use in the policy. For information about working with TLS inspection configurations, see [Inspecting SSL/TLS traffic with TLS inspection configurations in AWS Network Firewall](tls-inspection-configurations.md).

**To create a firewall policy**

1. Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **Network Firewall**, choose **Firewall policies**.

1. Choose **Create firewall policy**.

1. Enter a **Name** to identify this firewall policy. 
**Note**  
You can't change the name after you create the firewall policy.

1. (Optional) Enter a **Description** for the policy to help you identify it among your other resources.

1. **Enable Active Threat Defense - optional** gives you visibility into threat activity and indicator groups, types, and threat names you are protected against. You can add the appropriate Active Threat Defense rule groups to your firewall policy to block these threats. See the [AWS active threat defense for AWS Network Firewall](aws-managed-rule-groups-atd.md) for more details.

1. For **Stream exception policy**, choose how Network Firewall handles traffic when a network connection breaks midstream. Network connections can break due to disruptions in external networks or within the firewall itself. Choose from the following options:
   + **Drop** - Network Firewall fails closed and drops all subsequent traffic going to the firewall. This is the default behavior.
   + **Continue** - Network Firewall continues to apply rules to the subsequent traffic without context from traffic before the break. This impacts the behavior of rules that depend on this context. For example, if you have a stateful rule to drop HTTP traffic, Network Firewall won't match the traffic for this rule because the service won't have the context from session initialization defining the application layer protocol as HTTP. However, this behavior is rule dependent: a TCP-layer rule using the `flow:stateless` option would still match, as would the `aws:drop_strict` default action.
   + **Reject** - Network Firewall fails closed and drops all subsequent traffic going to the firewall. Network Firewall also sends a TCP reject packet back to your client so that the client can immediately establish a new session. Network Firewall will have context about the new session and will apply rules to the subsequent traffic.

1. Choose **Next** to go to the firewall policy's **Add rule groups** page.

1. To choose the actions to take on packets that don't match any stateless rules, in the **Stateless default actions** section, first choose how to treat fragmented packets. You can choose **Use the same actions for all packets** or **Use different actions for full packets and fragmented packets**. You can then choose **Pass**, **Drop**, or **Forward to stateful rule groups** for all packets, or choose individually for full and fragmented packets. You also have the option to enable a custom action that lets you publish custom Amazon CloudWatch metrics to monitor the usage of stateless rules in your rule group. 

1. To choose the way that your stateful rules are ordered for evaluation, and the actions to take on packets that don't match any stateful rules, in the **Stateful rule evaluation order and default action** section, first choose a rule evaluation order: 
   + Choose **Strict order** (recommended) to provide your rules in the order that you want them to be evaluated. You can then choose one or more default actions for packets that don't match any rules.
   + Choose **Action order** to have the stateful rules engine determine the evaluation order of your rules. The default action for this rule order is **Pass**, followed by **Drop**, **Reject**, and **Alert** actions. This option was previously named **Default** order.

   For more information about stateful default actions for rule groups, see [Action order](suricata-rule-evaluation-order.md#suricata-default-rule-evaluation-order).

1. To add stateless rule groups, in the **Stateless rule groups** section, choose **Add rule groups**, then select the check boxes for the rule groups that you want to add and choose **Add rule groups**. 

1. If your firewall policy has multiple stateless rule groups, in the **Stateless rule group** section, update the processing order as needed. Network Firewall processes stateless rule groups by order of priority, starting from the lowest. To move a rule group in the list, select the check box next to its name and then move it up or down. For more information, see [How AWS Network Firewall filters network traffic](firewall-policy-processing.md). 

1. Choose the stateless default actions for the firewall policy to take if a full packet or UDP packet fragment doesn't match any of the stateless rule groups. Network Firewall silently drops packet fragments for other protocols. For information about the action options, see [Defining rule actions in AWS Network Firewall](rule-action.md).

   Network Firewall doesn't automatically forward packets to stateful rule groups. It forwards only for the following situations: 
   + The packet matches a stateless rule whose action specifies forward to stateful rule groups.
   + The packet doesn't match any stateless rule and the applicable default action setting specifies forward to stateful rule groups.

1. To add stateful rule groups, in the **Stateful rule groups** section, choose **Add rule groups**, then select the check boxes for the rule groups that you want to add and choose **Add rule groups**. 

1. Choose **Next**.

1. On the **Configure advanced settings** page, optionally customize encryption and policy variables, and set the stream exception policy.

1. (Optional) Under **Customer managed key**, toggle the **Customize encryption settings** option to use an AWS Key Management Service customer managed key to encrypt your resources. For more information about this option, see [Encryption at rest with AWS Key Management Service](kms-encryption-at-rest.md).

1. (Optional) For **Policy variables** enter one or more IPv4 or IPv6 addresses in CIDR notation to override the default value of Suricata `HOME_NET`. If your firewall is deployed using a centralized deployment model, you might want to override `HOME_NET` with the CIDRs of your home network. Otherwise, Network Firewall uses the CIDR of your inspection VPC.

1. Choose **Next**.

1. (Optional) Under **Idle Timeouts**, toggle the **Customize TCP idle timeout settings** option. This lets you define the number of seconds a TCP connection can remain idle before Network Firewall drops the traffic. For information about the idle timeout setting, see [Firewall policy settings in AWS Network Firewall](firewall-policy-settings.md). 

1. (Optional) On the **Add TLS inspection configuration** page, choose **Add TLS inspection configuration** to turn on decryption and re-encryption of incoming SSL/TLS traffic for the firewalls associated with this policy. You can't add or remove a TLS inspection configuration after firewall policy creation. For information about TLS inspection configurations, see [Inspecting SSL/TLS traffic with TLS inspection configurations in AWS Network Firewall](tls-inspection-configurations.md).

1. Choose **Next**.

1. (Optional) On the **Add tags** page, enter a key and optional value for any tag that you want added to this firewall policy. Tags help you organize and manage your AWS resources. For more information about tagging your resources, see [Tagging AWS Network Firewall resources](tagging.md). 

1. Choose **Next**.

1. In the **Review and create** page, check over your firewall policy settings. If you want to change any section, choose **Edit** for the section. This returns you to the page in the firewall policy wizard. Make your changes, then choose **Next** on each page until you come back to the review and create page.

1. Choose **Create firewall policy**. 

Your new firewall policy is added to the list in the **Firewall policies** page.

# Updating a firewall policy in AWS Network Firewall
<a name="firewall-policy-updating"></a>

To change your Network Firewall firewall policy settings, use the following procedure:

**To update a firewall policy**

1. Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **Network Firewall**, choose **Firewall policies**.

1. In the **Firewall policies** page, select the name of the firewall policy you want to update. 

1. In the firewall policy's page, make your changes. Note the following constraints:
   + You can't change the name of the firewall policy.
   + You can't add or remove a TLS inspection configuration. However, you can replace an existing TLS inspection configuration with another TLS inspection configuration.
   + You can change other policy details, including rule groups.

1. Choose **Save** to save your changes.
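The settings reference, the stream exception options, and the create and update procedures above all describe constraints on one firewall policy document. The following added example (not AWS code) builds such a document, derives `EXTERNAL_NET` from `HOME_NET`, and checks the constraints this page states before the document is submitted; the rule group ARNs are constructed placeholders, and the field names follow the FirewallPolicy API structure (`RuleOrder` appears on this page; the other keys are assumed from the API).

```python
"""Build and sanity-check an AWS Network Firewall firewall policy document
before submitting it with CreateFirewallPolicy or UpdateFirewallPolicy.
Added example, not AWS code; rule group ARNs are constructed placeholders.
Field names follow the FirewallPolicy API structure (RuleOrder is on this
page; the other keys are assumed from the API)."""
import ipaddress

STATELESS_ACTIONS = {"aws:pass", "aws:drop", "aws:forward_to_sfe"}
STREAM_EXCEPTION = {"DROP", "CONTINUE", "REJECT"}
TCP_IDLE_MIN, TCP_IDLE_MAX, TCP_IDLE_DEFAULT = 60, 6000, 350  # seconds

def build_policy(home_net, stateful_arns, tcp_idle=600):
    """Policy equivalent to the console choices on this page: strict order,
    forward unmatched full packets to the stateful engine, drop unmatched UDP
    fragments, fail closed on a broken stream, override HOME_NET."""
    return {
        "StatelessDefaultActions": ["aws:forward_to_sfe"],
        "StatelessFragmentDefaultActions": ["aws:drop"],
        "StatefulRuleGroupReferences": [
            {"ResourceArn": arn, "Priority": i + 1}
            for i, arn in enumerate(stateful_arns)],
        "StatefulDefaultActions": ["aws:drop_strict", "aws:alert_strict"],
        "StatefulEngineOptions": {
            "RuleOrder": "STRICT_ORDER",
            "StreamExceptionPolicy": "DROP",
            "FlowTimeouts": {"TcpIdleTimeoutSeconds": tcp_idle}},
        "PolicyVariables": {
            "RuleVariables": {"HOME_NET": {"Definition": list(home_net)}}},
    }

def external_net(home_net):
    """EXTERNAL_NET is the negation of HOME_NET, as the page describes."""
    return ["!" + cidr for cidr in home_net]

def validate_policy(policy):
    """Return the constraints stated on this page that the document violates."""
    problems = []
    for key in ("StatelessDefaultActions", "StatelessFragmentDefaultActions"):
        # Exactly one standard action; any extra entries must be custom actions.
        std = [a for a in policy.get(key, []) if a.startswith("aws:")]
        if len(std) != 1 or std[0] not in STATELESS_ACTIONS:
            problems.append(f"{key}: needs exactly one of {sorted(STATELESS_ACTIONS)}")
    eng = policy.get("StatefulEngineOptions", {})
    if policy.get("StatefulDefaultActions") and eng.get("RuleOrder") != "STRICT_ORDER":
        problems.append("StatefulDefaultActions only apply with RuleOrder STRICT_ORDER")
    if eng.get("StreamExceptionPolicy", "DROP") not in STREAM_EXCEPTION:
        problems.append("StreamExceptionPolicy must be DROP, CONTINUE or REJECT")
    idle = eng.get("FlowTimeouts", {}).get("TcpIdleTimeoutSeconds", TCP_IDLE_DEFAULT)
    if not TCP_IDLE_MIN <= idle <= TCP_IDLE_MAX:
        problems.append(f"TcpIdleTimeoutSeconds {idle} outside {TCP_IDLE_MIN}-{TCP_IDLE_MAX}")
    rule_vars = policy.get("PolicyVariables", {}).get("RuleVariables", {})
    for cidr in rule_vars.get("HOME_NET", {}).get("Definition", []):
        try:
            ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            problems.append(f"HOME_NET: {cidr!r} is not a valid CIDR")
    return problems

def update_blockers(current, proposed):
    """Changes this page says can't be made to an existing policy."""
    blockers = []
    cur, new = (p.get("StatefulEngineOptions", {}).get("RuleOrder") for p in (current, proposed))
    if cur != new:
        blockers.append("RuleOrder can't be edited after creation")
    if ("TLSInspectionConfigurationArn" in current) != ("TLSInspectionConfigurationArn" in proposed):
        blockers.append("TLS inspection configuration can only be replaced, not added or removed")
    return blockers
```

Run `validate_policy` on the document before calling the API, and `update_blockers` against the currently deployed policy before an update, so that a rejected change is caught locally rather than after the propagation window described above.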

# Deleting a firewall policy in AWS Network Firewall
<a name="firewall-policy-deleting"></a>

To delete a firewall policy, perform the following procedure.

**Deleting a rule group, TLS inspection configuration, or firewall policy**  
When you delete a rule group, TLS inspection configuration, or a firewall policy, AWS Network Firewall checks to see if it's currently being referenced. A rule group and TLS inspection configuration can be referenced by a firewall policy, and a firewall policy can be referenced by a firewall. If Network Firewall determines that the resource is being referenced, it warns you. Network Firewall is almost always able to determine whether a resource is being referenced. However, in rare cases, it might not be able to do so. If you need to be sure that the resource that you want to delete isn't in use, check all of your firewalls or firewall policies before deleting it. Note that policies that have associations can't be deleted.

**To delete a firewall policy**

1. Sign in to the AWS Management Console and open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, under **Network Firewall**, choose **Firewall policies**.

1. In the **Firewall policies** page, select the firewall policy that you want to delete.

1. Choose **Delete**, and confirm your request.

Your firewall policy is removed from the list in the **Firewall policies** page.