AWS network-firewall documentation change
Summary
Added caveat that Application Layer drop established default rules are incompatible with session-holding configuration.
Security assessment
This change documents a limitation in Suricata rule compatibility with session-holding configurations. While it relates to security feature configuration, there's no evidence it addresses a specific security vulnerability. It adds documentation about security feature limitations.
Diff
diff --git a/network-firewall/latest/developerguide/suricata-limitations-caveats.md b/network-firewall/latest/developerguide/suricata-limitations-caveats.md index 424003a07..1d7cf09d6 100644 --- a//network-firewall/latest/developerguide/suricata-limitations-caveats.md +++ b//network-firewall/latest/developerguide/suricata-limitations-caveats.md @@ -40,0 +41,2 @@ The following Suricata features are not supported by Network Firewall: + * Application Layer drop established default rules are incompatible with a session-holding configuration. You can read more at [Managing evaluation order for Suricata compatible rules in AWS Network Firewall.](https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html) +