AWS network-firewall documentation change
Summary
Expanded session-holding incompatibility to include server-directed drop rules
Security assessment
Clarifies security feature limitations by adding new rule type to incompatibility list, enhancing documentation of security controls without addressing a specific vulnerability.
Diff
diff --git a/network-firewall/latest/developerguide/session-holding-tls.md b/network-firewall/latest/developerguide/session-holding-tls.md index 4408d6d27..eeff7e9c0 100644 --- a//network-firewall/latest/developerguide/session-holding-tls.md +++ b//network-firewall/latest/developerguide/session-holding-tls.md @@ -13 +13 @@ To use session holding, you must have TLS Inspection configuration and TLS Inspe -Application Layer drop established default rules are incompatible with a session-holding configuration. You can read more at [Managing evaluation order for Suricata compatible rules in AWS Network Firewall.](https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html) +Application drop established (bidirectional) and Application drop established (server-directed only) default rules are incompatible with a session-holding configuration. You can read more at [Managing evaluation order for Suricata compatible rules in AWS Network Firewall.](https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html)