AWS Security ChangesHomeSearch

AWS network-firewall documentation change

Service: network-firewall · 2026-03-28 · Documentation low

File: network-firewall/latest/developerguide/suricata-limitations-caveats.md

Summary

Added HTTP/2 overloading to unsupported features, updated TLS inspection logging behavior, and added guidance for matching HTTP/2 application traffic under TLS inspection with example rules.

Security assessment

This change updates documentation about limitations and provides configuration guidance for HTTP/2 traffic inspection. The addition of HTTP/2 rule examples helps users properly configure security rules for modern protocols, but there's no evidence of a specific security issue being addressed.

Diff

diff --git a/network-firewall/latest/developerguide/suricata-limitations-caveats.md b/network-firewall/latest/developerguide/suricata-limitations-caveats.md
index 7bb2f40b2..7b40c9c8e 100644
--- a//network-firewall/latest/developerguide/suricata-limitations-caveats.md
+++ b//network-firewall/latest/developerguide/suricata-limitations-caveats.md
@@ -36,0 +37,2 @@ The following Suricata features are not supported by Network Firewall:
+  * HTTP/2 overloading.
+
@@ -62 +64 @@ For example, say you set the rule group's `HOME_NET` to `10.0.0.0`, and the fire
-  * When matching TLS based rules in a session holding configuration, alert logs will not contain the SNI that was accessed upon rule match. 
+  * When matching TLS based rules in a TLS inspection-enabled configuration, alert logs capture http host information and not the SNI upon rule match
@@ -71,0 +74,9 @@ However, if the destination IP contains a `!`, then Suricata treats this as per
+  * To match HTTP/2 application traffic under a TLS inspection-enabled configuration, add http2 protocol rules to your rule set in addition to your existing HTTP rules. For example, if you used this rule to match HTTP traffic:
+    
+        drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"example rule"; flow:to_server,established; http.host; content:"example.com"; sid:1; rev:1;)
+
+You should add an http2 application rule to your ruleset:
+    
+        drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"example rule"; flow:to_server,established; http.host; content:"example.com"; sid:1; rev:1;)
+    drop http2 $HOME_NET any -> $EXTERNAL_NET any (msg:"example rule"; flow:to_server,established; http.request_header; content:"authority|3a 20|example.com"; sid:2; rev:1;)
+