AWS network-firewall medium security documentation change
Summary
Changed recommendation for TCP keep-alive setting from 'longer period than default 350 seconds' to 'shorter period than default 350 seconds'
Security assessment
This change corrects guidance to prevent premature connection termination risks. Shorter TCP keep-alive intervals ensure connections stay active before Network Firewall's idle timeout expires, reducing risk of unexpected traffic drops that could impact availability.
Diff
diff --git a/network-firewall/latest/developerguide/troubleshooting-general-issues.md b/network-firewall/latest/developerguide/troubleshooting-general-issues.md index 7d68b5df3..0c76b8329 100644 --- a//network-firewall/latest/developerguide/troubleshooting-general-issues.md +++ b//network-firewall/latest/developerguide/troubleshooting-general-issues.md @@ -181 +181 @@ For information about using CloudWatch metrics for Network Firewall, see [Metric -To prevent this from happening, we recommend either configuring the **TCP keep-alive** setting on your client and server's application or operating system or configuring the idle timeout period in the Network Firewall console. If you choose to update the TCP keep-alive setting, set the value to a longer period than the default 350 seconds. This ensures that the client and server keep the flow alive if there's inactivity, or the flow is removed from Network Firewall. If you choose to update the idle timeout value in the Network Firewall console, set the value to a longer period than the default 350 seconds. This ensures that your firewall can go without detecting traffic for longer than 350 seconds without dropping traffic. For more information about Gateway Load Balancer, see [Gateway Load Balancers](https://docs.aws.amazon.com/elasticloadbalancing/latest/gateway/gateway-load-balancers.html) in the _Elastic Load Balancing User Guide_. For more information about the idle timeout setting in Network Firewall, see [Firewall policy settings](./firewall-policy-settings.html). +To prevent this from happening, we recommend either configuring the **TCP keep-alive** setting on your client and server's application or operating system or configuring the idle timeout period in the Network Firewall console. If you choose to update the TCP keep-alive setting, set the value to a shorter period than the default 350 seconds. This ensures that the client and server keep the flow alive if there's inactivity, or the flow is removed from Network Firewall. If you choose to update the idle timeout value in the Network Firewall console, set the value to a longer period than the default 350 seconds. This ensures that your firewall can go without detecting traffic for longer than 350 seconds without dropping traffic. For more information about Gateway Load Balancer, see [Gateway Load Balancers](https://docs.aws.amazon.com/elasticloadbalancing/latest/gateway/gateway-load-balancers.html) in the _Elastic Load Balancing User Guide_. For more information about the idle timeout setting in Network Firewall, see [Firewall policy settings](./firewall-policy-settings.html).