|
2633 | 2633 | "members":{ |
2634 | 2634 | "FirstEntries":{ |
2635 | 2635 | "shape":"NetworkAclEntries", |
2636 | | - "documentation":"<p>The rules that you want to run first in the Firewall Manager managed network ACLs. </p> <note> <p>Provide these in the order in which you want them to run. Firewall Manager will assign the specific rule numbers for you, in the network ACLs that it creates. </p> </note>" |
| 2636 | + "documentation":"<p>The rules that you want to run first in the Firewall Manager managed network ACLs. </p> <note> <p>Provide these in the order in which you want them to run. Firewall Manager will assign the specific rule numbers for you, in the network ACLs that it creates. </p> </note> <p>You must specify at least one first entry or one last entry in any network ACL policy. </p>" |
2637 | 2637 | }, |
2638 | 2638 | "ForceRemediateForFirstEntries":{ |
2639 | 2639 | "shape":"BooleanObject", |
2640 | 2640 | "documentation":"<p>Applies only when remediation is enabled for the policy as a whole. Firewall Manager uses this setting when it finds policy violations that involve conflicts between the custom entries and the policy entries. </p> <p>If forced remediation is disabled, Firewall Manager marks the network ACL as noncompliant and does not try to remediate. For more information about the remediation behavior, see <a href=\"https://docs.aws.amazon.com/waf/latest/developerguide/network-acl-policies.html\">Network access control list (ACL) policies</a> in the <i>Firewall Manager Developer Guide</i>.</p>" |
2641 | 2641 | }, |
2642 | 2642 | "LastEntries":{ |
2643 | 2643 | "shape":"NetworkAclEntries", |
2644 | | - "documentation":"<p>The rules that you want to run last in the Firewall Manager managed network ACLs. </p> <note> <p>Provide these in the order in which you want them to run. Firewall Manager will assign the specific rule numbers for you, in the network ACLs that it creates. </p> </note>" |
| 2644 | + "documentation":"<p>The rules that you want to run last in the Firewall Manager managed network ACLs. </p> <note> <p>Provide these in the order in which you want them to run. Firewall Manager will assign the specific rule numbers for you, in the network ACLs that it creates. </p> </note> <p>You must specify at least one first entry or one last entry in any network ACL policy. </p>" |
2645 | 2645 | }, |
2646 | 2646 | "ForceRemediateForLastEntries":{ |
2647 | 2647 | "shape":"BooleanObject", |
|
4241 | 4241 | "members":{ |
4242 | 4242 | "RuleOrder":{ |
4243 | 4243 | "shape":"RuleOrder", |
4244 | | - "documentation":"<p>Indicates how to manage the order of stateful rule evaluation for the policy. <code>DEFAULT_ACTION_ORDER</code> is the default behavior. Stateful rules are provided to the rule engine as Suricata compatible strings, and Suricata evaluates them based on certain settings. For more information, see <a href=\"https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html\">Evaluation order for stateful rules</a> in the <i>Network Firewall Developer Guide</i>.</p>" |
| 4244 | + "documentation":"<p>Indicates how to manage the order of stateful rule evaluation for the policy. Stateful rules are provided to the rule engine as Suricata compatible strings, and Suricata evaluates them based on certain settings. For more information, see <a href=\"https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html\">Evaluation order for stateful rules</a> in the <i>Network Firewall Developer Guide</i>.</p> <p>Default: <code>DEFAULT_ACTION_ORDER</code> </p>" |
| 4245 | + }, |
| 4246 | + "StreamExceptionPolicy":{ |
| 4247 | + "shape":"StreamExceptionPolicy", |
| 4248 | + "documentation":"<p>Indicates how Network Firewall should handle traffic when a network connection breaks midstream.</p> <ul> <li> <p> <code>DROP</code> - Fail closed and drop all subsequent traffic going to the firewall.</p> </li> <li> <p> <code>CONTINUE</code> - Continue to apply rules to subsequent traffic without context from traffic before the break. This impacts the behavior of rules that depend on context. For example, with a stateful rule that drops HTTP traffic, Network Firewall won't match subsequent traffic because the it won't have the context from session initialization, which defines the application layer protocol as HTTP. However, a TCP-layer rule using a <code>flow:stateless</code> rule would still match, and so would the <code>aws:drop_strict</code> default action. </p> </li> <li> <p> <code>REJECT</code> - Fail closed and drop all subsequent traffic going to the firewall. With this option, Network Firewall also sends a TCP reject packet back to the client so the client can immediately establish a new session. With the new session, Network Firewall will have context and will apply rules appropriately.</p> <p>For applications that are reliant on long-lived TCP connections that trigger Gateway Load Balancer idle timeouts, this is the recommended setting. </p> </li> <li> <p> <code>FMS_IGNORE</code> - Firewall Manager doesn't monitor or modify the Network Firewall stream exception policy settings. </p> </li> </ul> <p>For more information, see <a href=\"https://docs.aws.amazon.com/network-firewall/latest/developerguide/stream-exception-policy.html\">Stream exception policy in your firewall policy</a> in the <i>Network Firewall Developer Guide</i>.</p> <p>Default: <code>FMS_IGNORE</code> </p>" |
4245 | 4249 | } |
4246 | 4250 | }, |
4247 | 4251 | "documentation":"<p>Configuration settings for the handling of the stateful rule groups in a Network Firewall firewall policy.</p>" |
|
4299 | 4303 | "max":65535, |
4300 | 4304 | "min":1 |
4301 | 4305 | }, |
| 4306 | + "StreamExceptionPolicy":{ |
| 4307 | + "type":"string", |
| 4308 | + "enum":[ |
| 4309 | + "DROP", |
| 4310 | + "CONTINUE", |
| 4311 | + "REJECT", |
| 4312 | + "FMS_IGNORE" |
| 4313 | + ] |
| 4314 | + }, |
4302 | 4315 | "Tag":{ |
4303 | 4316 | "type":"structure", |
4304 | 4317 | "required":[ |
|
0 commit comments