AWS Security ChangesHomeSearch

AWS network-firewall medium security documentation change

Service: network-firewall · 2025-03-23 · Security-related medium

File: network-firewall/latest/developerguide/troubleshooting-rules.md

Summary

Added new troubleshooting section for intermittent rule matching issues caused by TCP reassembly depth limits, with example Suricata rules to detect inspection limits.

Security assessment

Addresses a security-adjacent scenario where traffic might bypass inspection due to system limits. Provides security-focused detection via 'stream-event:reassembly_depth_reached' rules to alert on inspection gaps.

Diff

diff --git a/network-firewall/latest/developerguide/troubleshooting-rules.md b/network-firewall/latest/developerguide/troubleshooting-rules.md
index 6c06aa469..9664141b8 100644
--- a/network-firewall/latest/developerguide/troubleshooting-rules.md
+++ b/network-firewall/latest/developerguide/troubleshooting-rules.md
@@ -5 +5 @@
-Rules with the HOME_NET variable are not working as expected with managed rule groupsI created a rule to allow only outbound traffic from HOME_NET to EXTERNAL_NET, but EXTERNAL_NET was also able to initiate a connection back to HOME_NET. How do I prevent this from happening?I'm using strict ordering, but stateful rules near the bottom of my ruleset appear to be handling traffic before rules near the top of my rulesetI've configured a drop action rule but traffic still goes through the firewall
+Rules with the HOME_NET variable are not working as expected with managed rule groupsI created a rule to allow only outbound traffic from HOME_NET to EXTERNAL_NET, but EXTERNAL_NET was also able to initiate a connection back to HOME_NET. How do I prevent this from happening?I'm using strict ordering, but stateful rules near the bottom of my ruleset appear to be handling traffic before rules near the top of my rulesetI've configured a drop action rule but traffic still goes through the firewallI have a rule that is intermittently not matching when I think it should
@@ -66,0 +67,15 @@ The AWS Network Firewall stateful rule engine supports action order, previous kn
+## I have a rule that is intermittently not matching when I think it should
+
+The AWS Network Firewall stateful rule engine has limits for traffic inspection parameters such as the maximum total size of all network packets it can inspect within a single network flow. If your traffic exceeds these limits, the stateful rule engine will not be able to match the rule. You can make use of keywords such as `stream-event:reassembly_depth_reached;` in your rules to handle these cases or to troubleshoot and diagnose when this happens. Example 1 shows how you might add an alert rule in a strict action order firewall policy to receive alert logs when the tcp reassembly depth limit is reached for a corresponding rule.
+
+###### Example 1
+    
+    
+    # Rule 1 is intended to log when rule 2 cannot match due to hitting the TCP reassembly depth limit
+    alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (flow:established,to_server; stream-event:reassembly_depth_reached; flowbits: set, stream_reassembly_depth_reached; classtype:protocol-command-decode; sid:1;)
+    # Rule 2
+    drop tcp $HOME_NET any -> $EXTERNAL_NET 80 (flow:established, to_server; sid:2;)
+    			
+
+For information on how the stateful rule engine works, see [Firewall behavior in AWS Network Firewall](./firewall-behavior.html).
+