AWS network-firewall medium security documentation change
Summary
Added new troubleshooting section for intermittent rule matching issues caused by TCP reassembly depth limits, with example Suricata rules to detect inspection limits.
Security assessment
Addresses a security-adjacent scenario where traffic might bypass inspection due to system limits. Provides security-focused detection via 'stream-event:reassembly_depth_reached' rules to alert on inspection gaps.
Diff
diff --git a/network-firewall/latest/developerguide/troubleshooting-rules.md b/network-firewall/latest/developerguide/troubleshooting-rules.md index 6c06aa469..9664141b8 100644 --- a/network-firewall/latest/developerguide/troubleshooting-rules.md +++ b/network-firewall/latest/developerguide/troubleshooting-rules.md @@ -5 +5 @@ -Rules with the HOME_NET variable are not working as expected with managed rule groupsI created a rule to allow only outbound traffic from HOME_NET to EXTERNAL_NET, but EXTERNAL_NET was also able to initiate a connection back to HOME_NET. How do I prevent this from happening?I'm using strict ordering, but stateful rules near the bottom of my ruleset appear to be handling traffic before rules near the top of my rulesetI've configured a drop action rule but traffic still goes through the firewall +Rules with the HOME_NET variable are not working as expected with managed rule groupsI created a rule to allow only outbound traffic from HOME_NET to EXTERNAL_NET, but EXTERNAL_NET was also able to initiate a connection back to HOME_NET. How do I prevent this from happening?I'm using strict ordering, but stateful rules near the bottom of my ruleset appear to be handling traffic before rules near the top of my rulesetI've configured a drop action rule but traffic still goes through the firewallI have a rule that is intermittently not matching when I think it should @@ -66,0 +67,15 @@ The AWS Network Firewall stateful rule engine supports action order, previous kn +## I have a rule that is intermittently not matching when I think it should + +The AWS Network Firewall stateful rule engine has limits for traffic inspection parameters such as the maximum total size of all network packets it can inspect within a single network flow. If your traffic exceeds these limits, the stateful rule engine will not be able to match the rule. You can make use of keywords such as `stream-event:reassembly_depth_reached;` in your rules to handle these cases or to troubleshoot and diagnose when this happens. Example 1 shows how you might add an alert rule in a strict action order firewall policy to receive alert logs when the tcp reassembly depth limit is reached for a corresponding rule. + +###### Example 1 + + + # Rule 1 is intended to log when rule 2 cannot match due to hitting the TCP reassembly depth limit + alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (flow:established,to_server; stream-event:reassembly_depth_reached; flowbits: set, stream_reassembly_depth_reached; classtype:protocol-command-decode; sid:1;) + # Rule 2 + drop tcp $HOME_NET any -> $EXTERNAL_NET 80 (flow:established, to_server; sid:2;) + + +For information on how the stateful rule engine works, see [Firewall behavior in AWS Network Firewall](./firewall-behavior.html). +