Using Amazon Marketplace rule groups
Amazon Marketplace rule groups provide managed security rules from Amazon Partners that you can integrate with Amazon Network Firewall.
Amazon Marketplace rule groups are available by subscription through the Amazon Marketplace console.
Pricing
Amazon Marketplace rule groups are available with no long-term contracts or minimum commitments. When you subscribe to a managed rule group provided by an Amazon Marketplace seller, you are charged additional fees at the price set by the seller, which is based on the volume of traffic (per GB) inspected by the firewall. For more information, see Amazon Network Firewall Pricing.
Information and support
To find additional information about an Amazon Marketplace managed rule group or to contact the seller's support team, visit the individual seller's marketplace listing on Amazon Marketplace. You can navigate directly to the seller's product listing from the rule group details page in Amazon Network Firewall.
Subscribe to Amazon Marketplace rule groups
You can subscribe to and unsubscribe from Amazon Marketplace rule groups in the Amazon Network Firewall console or in the Amazon Marketplace.
To subscribe to an Amazon Marketplace rule group
- Sign in to the Amazon Management Console and open the Amazon VPC console.
- In the navigation pane, under Network Firewall, choose Network Firewall rule groups.
- In the Amazon Marketplace section, choose the name of a rule group to view the details and pricing information.
- To subscribe to an Amazon Marketplace rule group, navigate to a rule group, then choose View Subscription Options. From there you can subscribe.
Note
If you decide not to subscribe to the rule group, close the pop-up.
After you're subscribed to an Amazon Marketplace rule group, you can associate it with your Amazon Network Firewall policy as you do other managed rule groups. For information, see Adding Amazon managed rule groups to your firewall policy using the console.
Unsubscribe from Amazon Marketplace rule groups
You can unsubscribe from Amazon Marketplace rule groups in the Amazon Network Firewall console or in the Amazon Marketplace.
Important
To stop the subscription charges for an Amazon Marketplace rule group, you must remove it from all Amazon Network Firewall policies in Amazon Network Firewall, in addition to unsubscribing from it. If you unsubscribe from an Amazon Marketplace rule group but don't remove it from your Amazon Network Firewall policy, you will continue to be charged for the subscription until the rule group is removed from the policy.
To unsubscribe from an Amazon Marketplace rule group
- Open the Amazon Marketplace console.
- Navigate to the Manage subscriptions page.
- Open the Delivery method list and choose SaaS.
- Under Agreement, open the Actions list and choose Cancel subscription next to the name of the Amazon Marketplace product that you want to unsubscribe from.
- In the Cancel subscription dialog box, enter confirm, then choose Yes, cancel subscription.
Add Amazon Marketplace managed rule groups
Once you subscribe to an Amazon Marketplace managed rule group, add it to one or more Network Firewall policies. The policy automatically applies the rule group's built-in protection across your firewall when you associate the rule group with the firewall policy. You can add Amazon Marketplace managed rule groups either through the Network Firewall rule groups page or from your firewall policy's details page.
To add one or more Amazon Marketplace managed rule groups to your firewall policy from the details page
- Open the Amazon VPC console.
- In the navigation pane, under Network Firewall, choose Firewall policies.
- Select the policy that you'd like to add one or more Amazon Marketplace managed rule groups to.
- In the Stateful rule groups section, in the Actions drop-down menu, select Add Partner managed stateful rule groups.
- Select the Amazon Marketplace managed rule groups to add to your policy.
- Choose Add to policy.
View managed rule groups
You can view available Amazon Marketplace rule groups for your firewall policy.
To view the list of Amazon Marketplace managed rule groups
You can view the list of managed rule groups using the following methods:
- Amazon console – You can view the list of managed rule groups either on the Network Firewall rule groups page in the Amazon Marketplace tab, or on the policy details page. When you add Amazon Marketplace managed rule groups to a policy, you'll see only the managed rule groups that fit your policy type. For example, if your policy type is strict ordered, you'll see only the managed rule groups that have a type of strict ordered.
- Network Firewall API – ListRuleGroups with the parameter Scope.
- Amazon CLI – aws network-firewall list-rule-groups --scope MANAGED --managed-type PARTNER_MANAGED.
Amazon Marketplace rule group sync states
Amazon Marketplace rule groups can have different sync states that indicate their current status and availability:
- DEPRECATED – The rule group has been deprecated by the seller. While the rule group will still be sent to the firewall, Amazon Network Firewall does not have control over whether these rules are being updated or removed by the seller. It is recommended to remove this rule group from your firewall policy and use the recommended approach from the owner of the product.
- NOT_SUBSCRIBED – You have a rule group configured in your firewall policy that does not have an active subscription to the product in Amazon Marketplace. When this occurs, the rule group will not be sent to the firewall and will be effectively inactive. To resolve this, you need to either:
  - Subscribe to the product in Amazon Marketplace, or
  - Remove the rule group from your firewall policy
  You can check your subscription status in the Amazon Marketplace console under Manage subscriptions.
Troubleshoot Amazon Marketplace managed rule groups in Network Firewall
As a best practice, before using a rule group in production, run the Amazon Marketplace managed rule group with logging enabled in a mode that matches the firewall's intended role. Use alert mode if you're using the firewall as an intrusion detection system (IDS), or use drop mode if you use the firewall as an intrusion prevention system (IPS) in a non-production environment. Either mode sends alert messages to the logs for traffic that doesn't pass inspection. For more information, see Logging network traffic from Amazon Network Firewall.
Running a managed rule group in either alert mode or drop mode allows you to do a dry run with alert logs that show you what the resulting behavior would be before you commit to making changes to your traffic. Evaluate the rule group using Network Firewall logs. When you're satisfied that the rule group does what you want it to do, disable test mode on the group.
For more information about a rule in an Amazon Marketplace managed rule group, see the provider's listing at Amazon Marketplace or contact the Amazon Support Center.
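The checks this page calls for (which policies still reference a rule group before you cancel its subscription, which references sit in NOT_SUBSCRIBED, and toggling the dry run described above) as one added Python example, not code from the AWS documentation or the Network Firewall API. It assumes the response shapes of ListRuleGroups and DescribeFirewallPolicy and that the dry run is expressed as the API's DROP_TO_ALERT stateful rule group override; all ARNs, names and subscription data are constructed.

```python
# Added example, not AWS documentation or API code. Response shapes mirror ListRuleGroups
# and DescribeFirewallPolicy as an assumption; every value below is constructed.
import copy
ARN = "arn:aws:network-firewall:us-east-1:000000000000:stateful-rulegroup/"  # constructed

PARTNER_GROUPS = {"RuleGroups": [  # constructed: list-rule-groups --scope MANAGED --managed-type PARTNER_MANAGED
    {"Name": "ExampleVendorIPS", "Arn": ARN + "ExampleVendorIPS"},
    {"Name": "ExampleVendorBotnet", "Arn": ARN + "ExampleVendorBotnet"}]}

POLICIES = [  # constructed stand-ins for two DescribeFirewallPolicy responses
    {"FirewallPolicyResponse": {"FirewallPolicyName": "prod-policy"},
     "FirewallPolicy": {"StatefulRuleGroupReferences": [
         {"ResourceArn": ARN + "ExampleVendorIPS", "Priority": 10},
         {"ResourceArn": ARN + "ExampleVendorBotnet", "Priority": 20},
         {"ResourceArn": ARN + "my-own-rules", "Priority": 30}]}},
    {"FirewallPolicyResponse": {"FirewallPolicyName": "staging-policy"},
     "FirewallPolicy": {"StatefulRuleGroupReferences": [
         {"ResourceArn": ARN + "ExampleVendorIPS", "Priority": 10, "Override": {"Action": "DROP_TO_ALERT"}}]}}]

ACTIVE_SUBSCRIPTIONS = {"ExampleVendorIPS"}  # constructed: products active under Manage subscriptions

def partner_names(partner_groups):
    """Map ARN -> name for every partner-managed rule group."""
    return {g["Arn"]: g["Name"] for g in partner_groups["RuleGroups"]}

def refs(policy):
    return policy["FirewallPolicy"]["StatefulRuleGroupReferences"]

def policies_referencing(name, policies, partner_groups):
    """Policies still referencing `name`: each one keeps the subscription charge alive."""
    names = partner_names(partner_groups)
    return sorted(p["FirewallPolicyResponse"]["FirewallPolicyName"] for p in policies
                  if any(names.get(r["ResourceArn"]) == name for r in refs(p)))

def unsubscribed_references(policy, partner_groups, active):
    """Partner groups in the policy with no subscription: NOT_SUBSCRIBED, never sent to the firewall."""
    names = partner_names(partner_groups)
    return sorted(names[r["ResourceArn"]] for r in refs(policy)
                  if r["ResourceArn"] in names and names[r["ResourceArn"]] not in active)

def set_test_mode(policy, name, partner_groups, enabled):
    """Policy body with the DROP_TO_ALERT (dry-run) override set or cleared on `name`."""
    arn = {v: k for k, v in partner_names(partner_groups).items()}[name]
    new = copy.deepcopy(policy)
    for ref in (r for r in refs(new) if r["ResourceArn"] == arn):
        ref.pop("Override", None)
        if enabled:
            ref["Override"] = {"Action": "DROP_TO_ALERT"}
    return new["FirewallPolicy"]
```

Feed `policies_referencing` the name you intend to cancel and remove the reference from each policy it returns before unsubscribing; `set_test_mode(..., enabled=False)` returns the policy body to pass to UpdateFirewallPolicy once the dry run is over.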
Considerations while using Amazon Marketplace managed rule groups in Amazon Network Firewall
You can subscribe to Amazon Marketplace managed rule groups either by visiting the product page in the Marketplace console or through the Network Firewall console. While the experience is similar, you are automatically redirected to the seller's home page when subscribing to the product from the Marketplace console, but you are not redirected to that page when you subscribe through the Network Firewall console. If you use the Network Firewall console to subscribe to an Amazon Marketplace managed rule group, we recommend visiting the seller's home page and entering your details separately.