Document history for Amazon Network Firewall

The following list describes important changes to this documentation. Each entry gives the change, a description, and the date of the change.

TLS logging

You can now use the TLS log type to log TLS errors and outbound traffic that fails a TLS inspection server certificate revocation check. This is a new log type, in addition to the existing alert and flow log types.

July 25, 2024

Stateful rules match on TLS.SNI for decrypted traffic

With TLS inspection, Network Firewall now matches on the TLS.SNI keyword in stateful rules, even when it decrypts traffic.

June 25, 2024

Quota on stateful rules per policy is adjustable

The Network Firewall service quota for stateful rules per firewall policy is now adjustable.

May 22, 2024

Removed Regional availability constraint for outbound SSL/TLS inspection

Network Firewall now supports inspection of outbound SSL/TLS traffic in all Regions that Network Firewall is available in. For information about available Regions, see Amazon Network Firewall endpoints and quotas in the Amazon Web Services General Reference.

December 19, 2023

Added caveat regarding IP-only rule syntax

Unless you include ! with your destination IP, Suricata treats the rule as an IP-only rule.

November 17, 2023

New stateless rule group analyzer

Network Firewall now has a stateless rule group analyzer that identifies stateless rules that have asymmetric routing.

November 2, 2023

Outbound SSL/TLS inspection is available in Israel (Tel Aviv) and Europe (Ireland)

Network Firewall now supports inspection of outbound SSL/TLS traffic in the Israel (Tel Aviv) Region and the Europe (Ireland) Region.

October 26, 2023

New troubleshooting chapter

Added a chapter on troubleshooting problems with configuring and using Network Firewall.

October 20, 2023

New tls_inspected flag

Network Firewall now adds a tls_inspected field to firewall logs to indicate when there's TLS traffic flowing across a firewall that's enabled with TLS inspection.

October 12, 2023

New stream exception policy topic

Added information about a firewall policy's stream exception policy.

October 12, 2023

New Suricata rule examples

Added examples of Suricata rules that can be used with Network Firewall.

October 6, 2023

New CloudWatch metrics

New metrics for tracking TLS packet count: TLSDroppedPackets, TLSPassedPackets, and TLSRejectedPackets.

October 2, 2023

Added unsupported certificate type

Network Firewall doesn't support cross-signed root certificates in TLS inspection configurations.

September 25, 2023

Updated console procedures for creating rule groups

Updated the console procedures to reflect the new console user experience.

August 31, 2023

Updated console procedures for creating a firewall policy

Updated the console procedure to reflect the new console user experience.

August 31, 2023

Updated console procedures for creating a firewall

Updated the console procedure to reflect the new console user experience.

August 31, 2023

Added two new error states

Added two error states regarding invalid certificates in TLS inspection configurations.

August 24, 2023

New CloudWatch metrics

TLSTimedOutConnections is the number of SSL/TLS connections that timed out during SSL/TLS inspection by Network Firewall. TLSErrors is the number of errors observed by Network Firewall while inspecting SSL/TLS packets.

June 26, 2023

Added note about pass behavior

If a packet within a flow matches a rule containing the pass action, then Suricata doesn't scan the other packets in that flow and passes the unscanned packets.

June 9, 2023

Added caveat regarding QUIC protocol detection

Network Firewall doesn't currently support QUIC protocol detection.

May 25, 2023

TLS inspection configurations now available in all Regions

TLS inspection configurations are now available in all Regions that Amazon Network Firewall is available in. For more information, see What's New with Amazon.

May 9, 2023

New stream exception REJECT option

You can now choose to reject traffic in your midstream exception configurations.

May 4, 2023

New firewall policy option

You can now override the Suricata HOME_NET variable with your own CIDRs. This is helpful when using a centralized deployment model.

May 3, 2023

TLS inspection configurations now available in additional Regions

TLS inspection configurations are now available in additional Regions. For more information, see What's New with Amazon.

April 27, 2023

New chapter on TLS inspection configurations

Network Firewall now supports TLS inspection configurations. Use TLS inspection configurations with your firewall policy to enable decryption and re-encryption of the SSL/TLS traffic going through your firewall.

March 30, 2023

New CloudWatch TLSReceivedPackets metric

TLSReceivedPackets is the number of TLS packets received by the firewall.

March 30, 2023

Amazon managed policy updates - Update to an existing policy

Updated AWSNetworkFirewallServiceRolePolicy to support describing ACM certificates for use with TLS inspection configurations.

March 30, 2023

New topic on asymmetric routing

Provides information about how to prevent asymmetric routing issues within your firewall.

March 28, 2023

Updated the IAM guidance for Amazon Network Firewall

Updated guide to align with the IAM best practices. For more information, see Security best practices in IAM.

February 15, 2023

New resource type for IP set references

You can now include resource groups in your IP set references.

February 14, 2023

New Network Firewall resource groups top-level resource

Network Firewall now supports referencing resource groups in stateful rule groups. Resource groups ensure that your rules stay in sync as your Amazon resources change.

February 14, 2023

Added note regarding 5-tuple traffic direction keyword

When you create a 5-tuple rule from the console, the rule doesn't automatically add the direction keyword to_server.

February 2, 2023

Added caveat regarding EXTERNAL_NET

If customers override HOME_NET, they must also override EXTERNAL_NET to equal the negation of HOME_NET.

February 2, 2023

New subnet IP address type

You can now configure your subnets to use IPv4, IPv6, or dual-stack IP addresses.

January 17, 2023

New stateful rule action

Network Firewall now supports the stateful rule action reject, in addition to the actions pass, drop, and alert.

January 9, 2023

New CloudWatch RejectedPackets metric

RejectedPackets tracks the number of packets rejected due to Reject stateful rule actions.

January 9, 2023

New status message field

Use a firewall's status message to troubleshoot why an endpoint is failing.

December 28, 2022

Added evaluation order for stateful domain list rule groups

You can now configure evaluation order for your own stateful domain list rule groups.

December 21, 2022

New stream exception configuration for firewall policies

You can now select how Network Firewall handles traffic when there's a midstream break in network traffic.

October 5, 2022

Added maximum number of IP set references

You can use as many as five IP set references per Suricata compatible stateful rule group.

October 5, 2022

Added maximum network traffic bandwidth per firewall endpoint

The maximum network traffic bandwidth per firewall endpoint is 100 Gbps.

September 19, 2022

Added two new threat signature categories

Added support for Malware Coin Mining and Phishing.

July 29, 2022

New topic on using IP set references

IP set references enable you to reference an IP set resource, such as an Amazon VPC prefix list, in your Suricata compatible stateful rules.

July 21, 2022

Updated endpoint capacity

Network Firewall now supports as much as 100 Gbps of network traffic per firewall endpoint.

June 17, 2022

Added caveat regarding inner packet inspection for tunneling protocols

The Network Firewall stateful rule engine supports inner packet inspection for tunneling protocols. To block the tunneled traffic, you can write rules against the tunnel layer or against the inner packet.

June 14, 2022

Added warning regarding Amazon KMS customer managed keys

If you revoke access to the grant or delete the customer managed keys, endpoints encrypted using the customer managed keys will drop all packets.

June 2, 2022

Updated Amazon managed rule groups for Network Firewall

Added documentation for each rule in the Amazon managed rule groups for Network Firewall.

April 28, 2022

Added support for threat signature managed rule groups

Amazon Network Firewall now supports threat signature Amazon Managed Rule Groups.

April 28, 2022

New topic on encryption using Amazon KMS customer managed keys

Network Firewall now supports the use of customer managed keys to encrypt data at rest.

April 26, 2022

Added maximum character length for Suricata rules

The maximum character length of a Suricata rule is 8,192.

March 22, 2022

Added support for managed rule groups

Amazon Network Firewall now supports Amazon Managed Rule Groups.

December 9, 2021

Optional strict evaluation order for Suricata compatible stateful rule groups

This release adds support for strict ordering for stateful rule groups. Using strict ordering, stateful rule groups are evaluated in the exact order in which you provide them in the firewall policy.

October 1, 2021

Expanded availability of Amazon managed policy

Network Firewall expanded the availability of the managed policy AWSNetworkFirewallServiceRolePolicy to Amazon GovCloud (US) Regions.

June 24, 2021

Increased stateless rule group capacity

The capacity for stateless rule groups is increased from 10,000 to 30,000.

June 10, 2021

Reorganized stateful rule groups sections and expanded examples

Domain list rule groups and the standard stateless rule groups provide easy entry forms for Suricata compatible rule strings, and the documentation didn't indicate this. Reorganized stateful rule group sections, clarified the information, and added examples showing the correlation between the easy entry forms and the resulting Suricata compatible rule strings.

April 28, 2021

JA3 keywords support

JA3 keywords are now supported by Network Firewall.

April 28, 2021

First release of Amazon Network Firewall

Network Firewall is now available to provide firewall protection for your Amazon Virtual Private Cloud VPCs.

November 16, 2020