AWS network-firewall documentation change
Summary
Clarified logging behavior for pass rules with 'alert' modifier and updated examples
Security assessment
Improves documentation about logging security-relevant events via pass+alert rules, but doesn't indicate a resolved security vulnerability.
Diff
diff --git a/network-firewall/latest/developerguide/troubleshooting-logging.md b/network-firewall/latest/developerguide/troubleshooting-logging.md index 6f04a1609..6fdf847b6 100644 --- a/network-firewall/latest/developerguide/troubleshooting-logging.md +++ b/network-firewall/latest/developerguide/troubleshooting-logging.md @@ -13 +13 @@ Use the information here to help you diagnose common issues that you might encou -Network Firewall only logs traffic that match drop, reject, and alert action rules. Rules with a pass action silently allow the traffic in a way that any proceeding rules will not alert on that traffic. If you want to log all traffic for troubleshooting purposes, use the [strict evaluation order](./suricata-rule-evaluation-order.html#suricata-strict-rule-evaluation-order), and add an alert action rule before the pass action rule. For example, to log allowed traffic to https://checkip.amazonaws.com, add an alert action rule before the pass action rule: +Network Firewall only logs traffic for the rule action drop, alert, reject, or pass with an `alert` modifier keyword. Rules with a pass action that do not use the `alert` modifier keyword silently allow the traffic in a way that any proceeding rules will not alert on that traffic. If you want to log all traffic for troubleshooting purposes, add the `alert` modifier keyword to your pass rules. When your pass rules include the `alert` modifier keyword, they will create an alert log for any traffic that matches applicable rules. For example, to log allowed traffic to https://checkip.amazonaws.com, add the `alert` modifier keyword to a pass rule: @@ -16,4 +16 @@ Network Firewall only logs traffic that match drop, reject, and alert action rul - alert tls $HOME_NET any -> $EXTERNAL_NET any (ssl_state:client_hello; tls.sni; content:“checkip.amazonaws.com"; startswith; nocase; endswith; msg:"alert on TLS allowlisted FQDNs"; flow:to_server; sid:111111; rev:1;) - - - pass tls $HOME_NET any -> $EXTERNAL_NET any (ssl_state:client_hello; tls.sni; content:“checkip.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server; sid:222222; rev:1;) + pass tls $HOME_NET any -> $EXTERNAL_NET any (ssl_state:client_hello; tls.sni; content:“checkip.amazonaws.com"; startswith; nocase; endswith; msg:"matching TLS allowlisted FQDNs"; flow:to_server; alert; sid:222222; rev:1;) @@ -25 +22,3 @@ For more information about rule actions, see [Defining rule actions](./rule-acti -A stateful rule sends alerts for the rule actions drop, alert, and reject. Alert logs are generated for the traffic that match your stateful rules and have an action that sends an alert. Network Firewall can send alert logs to Amazon S3, CloudWatch, and Firehose. Make sure you have enabled logging by [updating the firewall's logging configuration](https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-update-logging-configuration.html). If you are using [strict evaluation order](https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html#suricata-strict-rule-evaluation-order) with a default action set to **Drop established** , make sure you have also enabled an alert action so that the firewall will generate alert messages for this traffic. You can select **Alert all** to log an alert message on all packets, or select **Alert established** to log an alert message only on packets that are in established connections. Flows dropped by the **Drop established** or **Drop all** stateful default actions won't generate alert logs if you don't configure a stateful default alert action. +A stateful rule sends alerts for specific rule actions (drop, alert, reject, and pass) that also include an `alert` modifier keyword. + +Network Firewall can send alert logs to Amazon S3, CloudWatch, and Firehose. Make sure you have enabled logging by [updating the firewall's logging configuration](https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-update-logging-configuration.html). If you are using [strict evaluation order](https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html#suricata-strict-rule-evaluation-order) with a default action set to **Drop established** , make sure you have also enabled an alert action so that the firewall will generate alert messages for this traffic. You can select **Alert all** to log an alert message on all packets, or select **Alert established** to log an alert message only on packets that are in established connections. Flows dropped by the **Drop established** or **Drop all** stateful default actions won't generate alert logs if you don't configure a stateful default alert action.