AWS Security ChangesHomeSearch

AWS network-firewall documentation change

Service: network-firewall · 2025-09-28 · Documentation medium

File: network-firewall/latest/developerguide/suricata-rule-evaluation-order.md

Summary

Expanded documentation for strict rule order default actions, including application-layer handling for TLS/HTTPS traffic

Security assessment

Adds details about Application Layer drop/alert actions that improve inspection of segmented encrypted traffic. These are security feature enhancements but are not tied to resolving a specific security incident.

Diff

diff --git a/network-firewall/latest/developerguide/suricata-rule-evaluation-order.md b/network-firewall/latest/developerguide/suricata-rule-evaluation-order.md
index 17643b48f..599a7233f 100644
--- a//network-firewall/latest/developerguide/suricata-rule-evaluation-order.md
+++ b//network-firewall/latest/developerguide/suricata-rule-evaluation-order.md
@@ -61 +61 @@ If your firewall policy is set up to use strict ordering, Network Firewall allow
-When you choose **Strict** for your rule order, you can choose one or more **Default actions**. Note that this does not refer to default action rule ordering, but rather, to the default actions that Network Firewall takes when following your strict, or exact, rule ordering. The default actions are as follows:
+When configuring these actions, consider the following caveats:
@@ -63 +63,12 @@ When you choose **Strict** for your rule order, you can choose one or more **Def
-###### Drop actions
+  1. For drop actions, you can choose either none or only one drop action.
+
+  2. For alert actions, you can choose none, one alert action, or **Alert all** plus any of the other two alert actions.
+
+  3. Some combinations of actions are invalid. If either **Drop established** or **Alert established** is selected, you cannot select **Application Layer drop established** or **Application Layer alert established** , and vice versa.
+
+  4. When you choose **Strict** for your rule order, you can choose one or more **Default actions**. Note that this does not refer to default action rule ordering, but rather, to the default actions that Network Firewall takes when following your strict, or exact, rule ordering.
+
+
+
+
+The default actions are as follows:
@@ -67 +78 @@ If you have rules that match application layer data, such as those that evaluate
-_Choose none or one. You can't choose both._
+_Choose none or one. You can't choose more than one._
@@ -76,0 +88,5 @@ For other protocols, such as UDP, Network Firewall considers the connection esta
+  * **Application Layer drop established** – Drops server-initiated banner packets and packets in established connections. It also provides enhanced support for segmented application layer traffic through the following behaviors:
+
+    * Allows segmented TLS client hello packets until a `TLS.SNI` field is detected, then applies rules based on SNI.
+
+    * Allows segmented HTTPS request packets until the `HTTP.HOST` field is detected, then applies rules based on host
@@ -80 +95,0 @@ For other protocols, such as UDP, Network Firewall considers the connection esta
-###### Alert actions
@@ -82 +97 @@ For other protocols, such as UDP, Network Firewall considers the connection esta
-_Choose none, one, or both._
+_Choose none, one, or all._
@@ -87,0 +103,6 @@ _Choose none, one, or both._
+  * **Application Layer alert established** – Logs an `ALERT` message on only the packets that are in established connections, with enhanced support for segmented application layer traffic.
+
+###### Tip
+
+You can use these logged messages to better understand the impact that the Application Layer Drop Established action has on firewall behavior.
+