Document history for Amazon Network Firewall
The following table describes important changes to this documentation.
| Change | Description | Date |
|---|---|---|
You can now use the TLS log type to log TLS errors and outbound traffic that fails a TLS inspection server certificate revocation check. This is a new log type, in an addition to the existing alert and flow log types. | July 25, 2024 | |
With TLS inspection, Network Firewall now matches on the | June 25, 2024 | |
The Network Firewall service quota for stateful rules per firewall policy is now adjustable. | May 22, 2024 | |
Removed Regional availability constraint for outbound SSL/TLS inspection | Network Firewall now supports inspection of outbound SSL/TLS traffic in all Regions that Network Firewall is available in. For information about available Regions, see Amazon Network Firewall endpoints and quotas in the Amazon Web Services General Reference. | December 19, 2023 |
Unless you include | November 17, 2023 | |
Network Firewall now has a stateless rule group analyzer that identifies stateless rules that have asymmetric routing. | November 2, 2023 | |
Outbound SSL/TLS inspection is available in Israel (Tel Aviv) and Europe (Ireland) | Network Firewall now supports inspection of outbound SSL/TLS traffic in the Israel (Tel Aviv) Region and the Europe (Ireland) Region. | October 26, 2023 |
Added a chapter on troubleshooting problems with configuring and using Network Firewall. | October 20, 2023 | |
Network Firewall now adds a | October 12, 2023 | |
Added information about a firewall policy's stream exception policy. | October 12, 2023 | |
Added examples of Suricata rules that can be used with Network Firewall. | October 6, 2023 | |
New metrics for tracking TLS packet count: | October 2, 2023 | |
Network Firewall doesn't support cross-signed root certificates in TLS inspection configurations. | September 25, 2023 | |
Updated the console procedures to reflect the new console user experience. | August 31, 2023 | |
Updated the console procedure to reflect the new console user experience. | August 31, 2023 | |
Updated the console procedure to reflect the new console user experience. | August 31, 2023 | |
Added two error states regarding invalid certificates in TLS inspection configurations. | August 24, 2023 | |
| June 26, 2023 | |
If a packet within a flow matches a rule containing | June 9, 2023 | |
Network Firewall doesn't current support QUIC protocol detection. | May 25, 2023 | |
TLS inspection configurations are now available in all Regions that Amazon Network Firewall is available in.
For more information, see What's New with Amazon | May 9, 2023 | |
You can now choose to reject traffic in your midstream exception configurations. | May 4, 2023 | |
You can now override the Suricata | May 3, 2023 | |
TLS inspection configurations now available in additional Regions | TLS inspection configurations are now available in additional Regions. For more information, see
What's New with Amazon | April 27, 2023 |
Network Firewall now supports TLS inspection configurations. Use TLS inspection configurations with your firewall policy to enable decryption and re-encryption of the SSL/TLS traffic going through your firewall. | March 30, 2023 | |
| March 30, 2023 | |
Amazon managed policy updates - Update to an existing policy | Updated | March 30, 2023 |
Provides information about how to prevent asymmetric routing issues within your firewall. | March 28, 2023 | |
Updated guide to align with the IAM best practices. For more information, see Security best practices in IAM. | February 15, 2023 | |
You can now include resource groups in your IP set references. | February 14, 2023 | |
Network Firewall now supports referencing resource groups in stateful rule groups. Resource groups ensure that your rules stay in sync as your Amazon resources change. | February 14, 2023 | |
When you create a 5-tuple rule from the console, the rule doesn't automatically add the direction keyword | February 2, 2023 | |
If customers override | February 2, 2023 | |
You can now configure your subnets to use IPv4, IPv6, or dualstack IP addresses. | January 17, 2023 | |
Network Firewall now supports the stateful rule action | January 9, 2023 | |
| January 9, 2023 | |
Use a firewall's status message to troubleshoot why an endpoint is failing. | December 28, 2022 | |
You can now configure evaluation order for your own stateful domain list rule groups. | December 21, 2022 | |
You can now select how Network Firewall handles traffic when there's a midstream break in network traffic. | October 5, 2022 | |
You can use as many as five IP set references per Suricata compatible stateful rule group. | October 5, 2022 | |
Added maximum network traffic bandwidth per firewall endpoint | The maximum network traffic bandwidth per firewall endpoint is 100 Gbps. | September 19, 2022 |
Added support for Malware Coin Mining and Phishing. | July 29, 2022 | |
IP set references enable you to reference an IP set resource, such as an Amazon VPC prefix list, in your Suricata compatible stateful rules. | July 21, 2022 | |
Network Firewall now supports as much as 100 Gbps of network traffic per firewall endpoint. | June 17, 2022 | |
Added caveat regarding inner packet inspection for tunneling protocols | The Network Firewall stateful rule engine supports inner packet inspection for tunneling protocols. To block the tunnelled traffic, you can write rules against the tunnel layer or against the inner packet. | June 14, 2022 |
If you revoke access to the grant or delete the customer managed keys, endpoints encrypted using the customer managed keys will drop all packets. | June 2, 2022 | |
Added documentation for each rule in the Amazon managed rule groups for Network Firewall. | April 28, 2022 | |
Amazon Network Firewall now supports threat signature Amazon Managed Rule Groups. | April 28, 2022 | |
New topic on encryption using Amazon KMS customer managed keys | Network Firewall now supports the use of customer managed keys to encrypt data at rest. | April 26, 2022 |
The maximum character length of a Suricata rule is 8,192. | March 22, 2022 | |
Amazon Network Firewall now supports Amazon Managed Rule Groups. | December 9, 2021 | |
Optional strict evaluation order for Suricata compatible stateful rule groups | This release adds support for strict ordering for stateful rule groups. Using strict ordering, stateful rule groups are evaluated in the exact order in which you provide them in the firewall policy. | October 1, 2021 |
Network Firewall expanded the availability of the managed policy
| June 24, 2021 | |
The capacity for stateless rule groups is increased from 10,000 to 30,000. | June 10, 2021 | |
Reorganized stateful rule groups sections and expanded examples | Domain list rule groups and the standard stateless rule groups provide easy entry forms for Suricata compatible rule strings, and the documentation didn't indicate this. Reorganized stateful rule group sections, clarified the information, and added examples showing the correlation between the easy entry forms and the resulting Suricata compatible rule strings. | April 28, 2021 |
JA3 keywords are now supported by Network Firewall. | April 28, 2021 | |
Network Firewall is now available to provide firewall protection for your Amazon Virtual Private Cloud VPCs. | November 16, 2020 |