aws-cdk-lib.aws_networkfirewall.CfnRuleGroup.StatefulRuleProperty

interface StatefulRuleProperty

LanguageType name
.NETAmazon.CDK.AWS.NetworkFirewall.CfnRuleGroup.StatefulRuleProperty
Gogithub.com/aws/aws-cdk-go/awscdk/v2/awsnetworkfirewall#CfnRuleGroup_StatefulRuleProperty
Javasoftware.amazon.awscdk.services.networkfirewall.CfnRuleGroup.StatefulRuleProperty
Pythonaws_cdk.aws_networkfirewall.CfnRuleGroup.StatefulRuleProperty
TypeScript aws-cdk-lib » aws_networkfirewall » CfnRuleGroup » StatefulRuleProperty

A single Suricata rules specification, for use in a stateful rule group.

Use this option to specify a simple Suricata rule with protocol, source and destination, ports, direction, and rule options. For information about the Suricata Rules format, see Rules Format .

Example

// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import { aws_networkfirewall as networkfirewall } from 'aws-cdk-lib';
const statefulRuleProperty: networkfirewall.CfnRuleGroup.StatefulRuleProperty = {
  action: 'action',
  header: {
    destination: 'destination',
    destinationPort: 'destinationPort',
    direction: 'direction',
    protocol: 'protocol',
    source: 'source',
    sourcePort: 'sourcePort',
  },
  ruleOptions: [{
    keyword: 'keyword',

    // the properties below are optional
    settings: ['settings'],
  }],
};

Properties

NameTypeDescription
actionstringDefines what Network Firewall should do with the packets in a traffic flow when the flow matches the stateful rule criteria.
headerIResolvable | HeaderPropertyThe stateful inspection criteria for this rule, used to inspect traffic flows.
ruleOptionsIResolvable | IResolvable | RuleOptionProperty[]Additional settings for a stateful rule, provided as keywords and settings.

action

Type: string

Defines what Network Firewall should do with the packets in a traffic flow when the flow matches the stateful rule criteria.

For all actions, Network Firewall performs the specified action and discontinues stateful inspection of the traffic flow.

The actions for a stateful rule are defined as follows:

  • PASS - Permits the packets to go to the intended destination.
  • DROP - Blocks the packets from going to the intended destination and sends an alert log message, if alert logging is configured in the Firewall LoggingConfiguration .
  • REJECT - Drops traffic that matches the conditions of the stateful rule and sends a TCP reset packet back to sender of the packet. A TCP reset packet is a packet with no payload and a RST bit contained in the TCP header flags. REJECT is available only for TCP traffic.
  • ALERT - Permits the packets to go to the intended destination and sends an alert log message, if alert logging is configured in the Firewall LoggingConfiguration .

You can use this action to test a rule that you intend to use to drop traffic. You can enable the rule with ALERT action, verify in the logs that the rule is filtering as you want, then change the action to DROP .

  • REJECT - Drops TCP traffic that matches the conditions of the stateful rule, and sends a TCP reset packet back to sender of the packet. A TCP reset packet is a packet with no payload and a RST bit contained in the TCP header flags. Also sends an alert log mesage if alert logging is configured in the Firewall LoggingConfiguration .

REJECT isn't currently available for use with IMAP and FTP protocols.


header

Type: IResolvable | HeaderProperty

The stateful inspection criteria for this rule, used to inspect traffic flows.


ruleOptions

Type: IResolvable | IResolvable | RuleOptionProperty[]

Additional settings for a stateful rule, provided as keywords and settings.