Class: Aws::NetworkFirewall::Types::FirewallPolicy

Inherits:

Struct

• Object
• Struct
• Aws::NetworkFirewall::Types::FirewallPolicy

Includes:

Structure

Defined in:

lib/aws-sdk-networkfirewall/types.rb

Overview

The firewall policy defines the behavior of a firewall using a collection of stateless and stateful rule groups and other settings. You can use one firewall policy for multiple firewalls.

This, along with FirewallPolicyResponse, define the policy. You can retrieve all objects for a firewall policy by calling DescribeFirewallPolicy.

See Also:

• AWS API Documentation

Constant Summary

SENSITIVE =

[]

Instance Attribute Summary

• #policy_variables ⇒ Types::PolicyVariables

  Contains variables that you can use to override default Suricata settings in your firewall policy.

• #stateful_default_actions ⇒ Array<String>

  The default actions to take on a packet that doesn’t match any stateful rules.

• #stateful_engine_options ⇒ Types::StatefulEngineOptions

  Additional options governing how Network Firewall handles stateful rules.

• #stateful_rule_group_references ⇒ Array<Types::StatefulRuleGroupReference>

  References to the stateful rule groups that are used in the policy.

• #stateless_custom_actions ⇒ Array<Types::CustomAction>

  The custom action definitions that are available for use in the firewall policy’s ‘StatelessDefaultActions` setting.

• #stateless_default_actions ⇒ Array<String>

  The actions to take on a packet if it doesn’t match any of the stateless rules in the policy.

• #stateless_fragment_default_actions ⇒ Array<String>

  The actions to take on a fragmented UDP packet if it doesn’t match any of the stateless rules in the policy.

• #stateless_rule_group_references ⇒ Array<Types::StatelessRuleGroupReference>

  References to the stateless rule groups that are used in the policy.

• #tls_inspection_configuration_arn ⇒ String

  The Amazon Resource Name (ARN) of the TLS inspection configuration.

Instance Attribute Details

#policy_variables ⇒ Types::PolicyVariables

Contains variables that you can use to override default Suricata settings in your firewall policy.

Returns:

• (Types::PolicyVariables)

# File 'lib/aws-sdk-networkfirewall/types.rb', line 1981

class FirewallPolicy < Struct.new(
  :stateless_rule_group_references,
  :stateless_default_actions,
  :stateless_fragment_default_actions,
  :stateless_custom_actions,
  :stateful_rule_group_references,
  :stateful_default_actions,
  :stateful_engine_options,
  :tls_inspection_configuration_arn,
  :policy_variables)
  SENSITIVE = []
  include Aws::Structure
end

#stateful_default_actions ⇒ Array<String>

The default actions to take on a packet that doesn’t match any stateful rules. The stateful default action is optional, and is only valid when using the strict rule order.

Valid values of the stateful default action:

• aws:drop_strict

• aws:drop_established

• aws:alert_strict

• aws:alert_established

For more information, see [Strict evaluation order] in the *Network Firewall Developer Guide*.

[1]: docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html#suricata-strict-rule-evaluation-order.html

Returns:

• (Array<String>)

# File 'lib/aws-sdk-networkfirewall/types.rb', line 1981

class FirewallPolicy < Struct.new(
  :stateless_rule_group_references,
  :stateless_default_actions,
  :stateless_fragment_default_actions,
  :stateless_custom_actions,
  :stateful_rule_group_references,
  :stateful_default_actions,
  :stateful_engine_options,
  :tls_inspection_configuration_arn,
  :policy_variables)
  SENSITIVE = []
  include Aws::Structure
end

#stateful_engine_options ⇒ Types::StatefulEngineOptions

Additional options governing how Network Firewall handles stateful rules. The stateful rule groups that you use in your policy must have stateful rule options settings that are compatible with these settings.

Returns:

• (Types::StatefulEngineOptions)

# File 'lib/aws-sdk-networkfirewall/types.rb', line 1981

class FirewallPolicy < Struct.new(
  :stateless_rule_group_references,
  :stateless_default_actions,
  :stateless_fragment_default_actions,
  :stateless_custom_actions,
  :stateful_rule_group_references,
  :stateful_default_actions,
  :stateful_engine_options,
  :tls_inspection_configuration_arn,
  :policy_variables)
  SENSITIVE = []
  include Aws::Structure
end

#stateful_rule_group_references ⇒ Array<Types::StatefulRuleGroupReference>

References to the stateful rule groups that are used in the policy. These define the inspection criteria in stateful rules.

Returns:

• (Array<Types::StatefulRuleGroupReference>)

# File 'lib/aws-sdk-networkfirewall/types.rb', line 1981

class FirewallPolicy < Struct.new(
  :stateless_rule_group_references,
  :stateless_default_actions,
  :stateless_fragment_default_actions,
  :stateless_custom_actions,
  :stateful_rule_group_references,
  :stateful_default_actions,
  :stateful_engine_options,
  :tls_inspection_configuration_arn,
  :policy_variables)
  SENSITIVE = []
  include Aws::Structure
end

#stateless_custom_actions ⇒ Array<Types::CustomAction>

The custom action definitions that are available for use in the firewall policy’s ‘StatelessDefaultActions` setting. You name each custom action that you define, and then you can use it by name in your default actions specifications.

Returns:

• (Array<Types::CustomAction>)

# File 'lib/aws-sdk-networkfirewall/types.rb', line 1981

class FirewallPolicy < Struct.new(
  :stateless_rule_group_references,
  :stateless_default_actions,
  :stateless_fragment_default_actions,
  :stateless_custom_actions,
  :stateful_rule_group_references,
  :stateful_default_actions,
  :stateful_engine_options,
  :tls_inspection_configuration_arn,
  :policy_variables)
  SENSITIVE = []
  include Aws::Structure
end

#stateless_default_actions ⇒ Array<String>

The actions to take on a packet if it doesn’t match any of the stateless rules in the policy. If you want non-matching packets to be forwarded for stateful inspection, specify ‘aws:forward_to_sfe`.

You must specify one of the standard actions: ‘aws:pass`, `aws:drop`, or `aws:forward_to_sfe`. In addition, you can specify custom actions that are compatible with your standard section choice.

For example, you could specify ‘[“aws:pass”]` or you could specify `[“aws:pass”, “customActionName”]`. For information about compatibility, see the custom action descriptions under CustomAction.

Returns:

• (Array<String>)

# File 'lib/aws-sdk-networkfirewall/types.rb', line 1981

class FirewallPolicy < Struct.new(
  :stateless_rule_group_references,
  :stateless_default_actions,
  :stateless_fragment_default_actions,
  :stateless_custom_actions,
  :stateful_rule_group_references,
  :stateful_default_actions,
  :stateful_engine_options,
  :tls_inspection_configuration_arn,
  :policy_variables)
  SENSITIVE = []
  include Aws::Structure
end

#stateless_fragment_default_actions ⇒ Array<String>

The actions to take on a fragmented UDP packet if it doesn’t match any of the stateless rules in the policy. Network Firewall only manages UDP packet fragments and silently drops packet fragments for other protocols. If you want non-matching fragmented UDP packets to be forwarded for stateful inspection, specify ‘aws:forward_to_sfe`.

You must specify one of the standard actions: ‘aws:pass`, `aws:drop`, or `aws:forward_to_sfe`. In addition, you can specify custom actions that are compatible with your standard section choice.

For example, you could specify ‘[“aws:pass”]` or you could specify `[“aws:pass”, “customActionName”]`. For information about compatibility, see the custom action descriptions under CustomAction.

Returns:

• (Array<String>)

# File 'lib/aws-sdk-networkfirewall/types.rb', line 1981

class FirewallPolicy < Struct.new(
  :stateless_rule_group_references,
  :stateless_default_actions,
  :stateless_fragment_default_actions,
  :stateless_custom_actions,
  :stateful_rule_group_references,
  :stateful_default_actions,
  :stateful_engine_options,
  :tls_inspection_configuration_arn,
  :policy_variables)
  SENSITIVE = []
  include Aws::Structure
end

#stateless_rule_group_references ⇒ Array<Types::StatelessRuleGroupReference>

References to the stateless rule groups that are used in the policy. These define the matching criteria in stateless rules.

Returns:

• (Array<Types::StatelessRuleGroupReference>)

# File 'lib/aws-sdk-networkfirewall/types.rb', line 1981

class FirewallPolicy < Struct.new(
  :stateless_rule_group_references,
  :stateless_default_actions,
  :stateless_fragment_default_actions,
  :stateless_custom_actions,
  :stateful_rule_group_references,
  :stateful_default_actions,
  :stateful_engine_options,
  :tls_inspection_configuration_arn,
  :policy_variables)
  SENSITIVE = []
  include Aws::Structure
end

#tls_inspection_configuration_arn ⇒ String

The Amazon Resource Name (ARN) of the TLS inspection configuration.

Returns:

• (String)

# File 'lib/aws-sdk-networkfirewall/types.rb', line 1981

class FirewallPolicy < Struct.new(
  :stateless_rule_group_references,
  :stateless_default_actions,
  :stateless_fragment_default_actions,
  :stateless_custom_actions,
  :stateful_rule_group_references,
  :stateful_default_actions,
  :stateful_engine_options,
  :tls_inspection_configuration_arn,
  :policy_variables)
  SENSITIVE = []
  include Aws::Structure
end