

# Document history for Amazon Network Firewall
<a name="document-history"></a>

This page lists significant changes to this documentation. 

Service features are sometimes rolled out incrementally to the Amazon Regions where a service is available. We update this documentation for the first release only. We don't provide information about Region availability or announce subsequent Region rollouts. For information about Region availability of service features and to subscribe to notifications about updates, see [What's New with Amazon?](https://aws.amazon.com/new). 

| Change | Description | Date | 
| --- |--- |--- |
| [Updated resource type name for Amazon Marketplace managed rule groups](firewall-policy-settings.md) | Updated the resource type name from `stateful-domain-list` to `stateful-domain-rulegroup` in the consumed domain capacity description. | April 16, 2026 | 
| [Updated resource type name for Amazon Marketplace managed rule groups](stateful-rule-groups-domain-names.md) | Updated the resource type name from `stateful-domain-list` to `stateful-domain-rulegroup`. | April 16, 2026 | 
| [Updated resource type name for Amazon Marketplace managed rule groups](aws-marketplace-rule-groups.md) | Updated the resource type name from `stateful-domain-list` to `stateful-domain-rulegroup`. | April 16, 2026 | 
| [Updated resource type name for Amazon Marketplace managed rule groups](quotas.md) | Updated the resource type name from `stateful-domain-list` to `stateful-domain-rulegroup` in the consumed domain capacity quota description. | April 16, 2026 | 
| [Added scaling behavior section](troubleshooting.md) | Added information about how Network Firewall automatically scales to meet traffic demand, including scaling behavior and considerations. | April 16, 2026 | 
| [Added `xbits`, `hostbits`, and `tag:host` to unsupported Suricata features](suricata-limitations-caveats.md) | The keywords `xbits` and `hostbits` with host or IP-level tracking, and `tag:host`, are not supported. | April 15, 2026 | 
| [Added caveat regarding default application established rules not being supported in a session-holding configuration.](suricata-limitations-caveats.md) | Network Firewall does not support default app layer established rules with session-holding. | April 13, 2026 | 
| [Added caveat regarding matching HTTP rules under a TLS inspection configuration](suricata-limitations-caveats.md) | Customers must add HTTP/2 rules in addition to HTTP rules to match HTTP/2 workloads under a TLS inspection configuration. | March 26, 2026 | 
| [Added caveat regarding HTTP/2 overloading support](suricata-limitations-caveats.md) | Network Firewall does not support HTTP/2 overloading. | March 26, 2026 | 
| [URL and domain-based filtering in stateful rules](rule-groups-url-filtering.md) | You can now use the `aws_url_category` and `aws_domain_category` keywords in stateful rules to filter traffic based on web content categories. | January 16, 2026 | 
| [Enhancements to stateful domain list rule groups](stateful-rule-groups-domain-names.md) | You can now use `REJECT` and `ALERT` actions in your stateful domain list rule groups. | September 26, 2025 | 
| [New default actions available for stateful rule groups](suricata-rule-evaluation-order.md) | The `Application Layer alert established` and `Application Layer drop established` actions are now available for firewall policies using strict ordering. | September 25, 2025 | 
| [Session holding for TLS inspection is now available](tls-inspection-configurations.md) | You can now enable session holding in firewall policies that have an associated TLS inspection configuration. | September 17, 2025 | 
| [Enhanced native dashboard capabilities](nwfw-monitoring-reporting.md) | The Network Firewall console now provides enhanced dashboard features including PrivateLink Endpoint analysis and improved filtering capabilities for IP addresses and protocols. | September 17, 2025 | 
| [Added support for the active threat defense managed rule group](nwfw-managed-rule-groups.md) | Amazon Network Firewall now supports active threat defense Amazon managed rule groups. | June 17, 2025 | 
| [Enhanced transit gateway firewall support](tgw-firewall.md) | You can provision firewalls using networking configuration settings shared with your account from Amazon Transit Gateway account owners. | June 16, 2025 | 
| [New permissions added for logging](logging-monitoring.md) | You must add new CloudWatch and Amazon S3 permissions to properly display logging metrics in the firewall monitoring dashboard. | June 4, 2025 | 
| [Built-in dashboards added to the Network Firewall console](nwfw-monitoring-reporting.md) | The Network Firewall console now provides multiple visualizations of firewall metrics through the **Monitoring** section of firewall details. You can use the enhanced dashboard experience to monitor and analyze key firewall metrics. | June 4, 2025 | 
| [New type of firewall endpoint for extending firewall capabilities](firewalls.md) | VPC endpoint associations let you deploy a firewall across multiple VPCs and provision multiple firewall endpoints in a single Availability Zone. | May 28, 2025 | 
| [Added service quotas for VPC endpoint associations](quotas.md) | VPC endpoint associations have a fixed quota of 50 VPC endpoint associations per firewall, per Availability Zone, and an adjustable quota of 300 VPC endpoint associations per account, per Region. | May 28, 2025 | 
| [Enhanced logging and firewall rule capabilities](stateful-rule-groups-ips.md) | Network Firewall now supports additional Suricata features. You can now generate alerts on traffic that matches pass action rules and use JA4 fingerprinting in firewall rules. For more Suricata-specific information, see the [Suricata documentation](https://docs.suricata.io/en/suricata-7.0.8/).  | March 27, 2025 | 
| [New flow operations for managing the firewall state table](firewall-flow-operations.md) | You can now use flow operations to either flush or capture traffic monitored in your firewall's state table.  | March 20, 2025 | 
| [Updated console procedures for creating and updating a firewall](creating-firewall.md) | The **Monitoring** tab of the console now includes the new **Traffic analysis** mode. The console procedures have been updated to reflect the ability to generate traffic analysis reports. | February 19, 2025 | 
| [New traffic analysis reports and automatic domain list rules](reporting.md) | You can now generate traffic analysis reports and use them to create stateful domain list rule groups. | February 19, 2025 | 
| [Updated firewall policy settings section](firewall-policy-settings.md) | Updated information on stateless default actions and added information about default actions for fragmented packets. | February 12, 2025 | 
| [Added support for IPv6 service endpoints](what-is-aws-network-firewall.md#regions-and-endpoints) | Amazon Network Firewall now supports dual-stack endpoints.  | December 20, 2024 | 
| [Updated supported Suricata version to 7.0](stateful-rule-groups-ips.md) | This might require changes in your use of Network Firewall. For information about the update to this version, see [Upgrading 6.0 to 7.0](https://docs.suricata.io/en/latest/upgrade.html#upgrading-6-0-to-7-0) and the [Suricata User Guide](https://docs.suricata.io/en/suricata-7.0.8/index.html). | November 24, 2024 | 
| [New idle timeout configuration](firewall-policy-settings.md) | You can now configure the TCP idle timeout in your firewall policy settings. | October 30, 2024 | 
| [Interface endpoints through Amazon PrivateLink](vpc-interface-endpoints.md) | You can use Amazon PrivateLink to create a private connection between your VPC and Amazon Network Firewall, without requiring access through an internet connection. | September 12, 2024 | 
| [Country code filtering in stateful rules](rule-groups-geo-ip-filtering.md) | You can now use the Suricata `geoip` keyword in stateful rules, to filter for the country codes associated with IP addresses. | August 28, 2024 | 
| [Removed caveat regarding QUIC protocol detection](suricata-limitations-caveats.md) | Network Firewall now supports QUIC protocol detection. | August 16, 2024 | 
| [TLS logging](tls-inspection-logging.md) | You can now use the TLS log type to log TLS errors and outbound traffic that fails a TLS inspection server certificate revocation check. This is a new log type, in addition to the existing alert and flow log types. | July 25, 2024 | 
| [Stateful rules match on `TLS.SNI` for decrypted traffic](tls-inspection-considerations.md) | With TLS inspection, Network Firewall now matches on the `TLS.SNI` keyword in stateful rules, even when it decrypts traffic.  | June 25, 2024 | 
| [Quota on stateful rules per policy is adjustable](quotas.md) | The Network Firewall service quota for stateful rules per firewall policy is now adjustable.  | May 22, 2024 | 
| [Removed Regional availability constraint for outbound SSL/TLS inspection](tls-inspection-configurations.md) | Network Firewall now supports inspection of outbound SSL/TLS traffic in all Regions that Network Firewall is available in. For information about available Regions, see [Amazon Network Firewall endpoints and quotas]() in the *Amazon Web Services General Reference*. | December 19, 2023 | 
| [Added caveat regarding IP-only rule syntax](suricata-limitations-caveats.md) | Unless you include `!` with your destination IP, Suricata treats the rule as an IP-only rule. | November 17, 2023 | 
| [New stateless rule group analyzer](stateless-rule-group-analyzer.md) | Network Firewall now has a stateless rule group analyzer that identifies stateless rules that have asymmetric routing. | November 2, 2023 | 
| [Outbound SSL/TLS inspection is available in Israel (Tel Aviv) and Europe (Ireland)](tls-inspection-configurations.md) | Network Firewall now supports inspection of outbound SSL/TLS traffic in the Israel (Tel Aviv) Region and the Europe (Ireland) Region. | October 26, 2023 | 
| [New troubleshooting chapter](troubleshooting.md) | Added a chapter on troubleshooting problems with configuring and using Network Firewall. | October 20, 2023 | 
| [New `tls_inspected` flag](firewall-logging-contents.md) | Network Firewall now adds a `tls_inspected` field to firewall logs to indicate when there's TLS traffic flowing across a firewall that's enabled with TLS inspection. | October 12, 2023 | 
| [New stream exception policy topic](stream-exception-policy.md) | Added information about a firewall policy's stream exception policy. | October 12, 2023 | 
| [New Suricata rule examples](suricata-examples.md) | Added examples of Suricata rules that can be used with Network Firewall. | October 6, 2023 | 
| [New CloudWatch metrics](monitoring-cloudwatch.md#metrics) | New metrics for tracking TLS packet count: `TLSDroppedPackets`, `TLSPassedPackets`, and `TLSRejectedPackets`. | October 2, 2023 | 
| [Added unsupported certificate type](tls-inspection-certificate-requirements.md) | Network Firewall doesn't support cross-signed root certificates in TLS inspection configurations. | September 25, 2023 | 
| [Updated console procedures for creating rule groups](rule-group-stateful-creating.md) | Updated the console procedures to reflect the new console user experience. | August 31, 2023 | 
| [Updated console procedures for creating a firewall policy](firewall-policy-creating.md) | Updated the console procedure to reflect the new console user experience. | August 31, 2023 | 
| [Updated console procedures for creating a firewall](creating-firewall.md) | Updated the console procedure to reflect the new console user experience. | August 31, 2023 | 
| [Added two new error states](firewall-troubleshooting-endpoint-failures.md) | Added two error states regarding invalid certificates in TLS inspection configurations. | August 24, 2023 | 
| [New CloudWatch metrics](monitoring-cloudwatch.md#metrics) | `TLSTimedOutConnections` is the number of SSL/TLS connections that timed out during SSL/TLS inspection by Network Firewall. `TLSErrors` is the number of errors observed by Network Firewall while inspecting SSL/TLS packets. | June 26, 2023 | 
| [Adding note about pass behavior](suricata-rule-evaluation-order.md) | If a packet within a flow matches a rule containing `pass` action, then Suricata doesn't scan the other packets in that flow and passes the unscanned packets. | June 9, 2023 | 
| [Added caveat regarding QUIC protocol detection](suricata-limitations-caveats.md) | Network Firewall doesn't currently support QUIC protocol detection. | May 25, 2023 | 
| [TLS inspection configurations now available in all Regions](tls-inspection-configurations.md) | TLS inspection configurations are now available in all Regions that Amazon Network Firewall is available in. For more information, see [What's New with Amazon](https://aws.amazon.com/about-aws/whats-new/2023/05/aws-network-firewall-ingress-tls-inspection-all-regions/). | May 9, 2023 | 
| [New stream exception `REJECT` option](firewall-policy-creating.md) | You can now choose to reject traffic in your midstream exception configurations. | May 4, 2023 | 
| [New firewall policy option](firewall-policy-creating.md) | You can now override the Suricata `HOME_NET` variable with your own CIDRs. This is helpful when you use a centralized deployment model. | May 3, 2023 | 
| [TLS inspection configurations now available in additional Regions](tls-inspection-configurations.md) | TLS inspection configurations are now available in additional Regions. For more information, see [What's New with Amazon](https://aws.amazon.com/about-aws/whats-new/2023/04/aws-network-firewall-ingress-tls-inspection-new-regions/). | April 27, 2023 | 
| [New chapter on TLS inspection configurations](tls-inspection-configurations.md) | Network Firewall now supports TLS inspection configurations. Use TLS inspection configurations with your firewall policy to enable decryption and re-encryption of the SSL/TLS traffic going through your firewall. | March 30, 2023 | 
| [New CloudWatch `TLSReceivedPackets` metric](monitoring-cloudwatch.md#metrics) | `TLSReceivedPackets` is the number of TLS packets received by the Network Firewall firewall. | March 30, 2023 | 
| [Amazon managed policy updates - Update to an existing policy](security-iam-awsmanpol.md#security-iam-awsmanpol-updates) | Updated `AWSNetworkFirewallServiceRolePolicy` to support describing ACM certificates for use with TLS inspection configurations. | March 30, 2023 | 
| [New topic on asymmetric routing](asymmetric-routing.md) | Provides information about how to prevent asymmetric routing issues within your firewall. | March 28, 2023 | 
| [Updated the IAM guidance for Amazon Network Firewall](security-iam.md) | Updated guide to align with the IAM best practices. For more information, see [Security best practices in IAM](https://docs.amazonaws.cn//IAM/latest/UserGuide/best-practices.html). | February 15, 2023 | 
| [New resource type for IP set references](rule-groups-ip-set-references.md) | You can now include resource groups in your IP set references. | February 14, 2023 | 
| [New Network Firewall resource groups top-level resource](resource-groups.md) | Network Firewall now supports referencing resource groups in stateful rule groups. Resource groups ensure that your rules stay in sync as your Amazon resources change. | February 14, 2023 | 
| [Added note regarding 5-tuple traffic direction keyword](rule-group-stateful-creating.md) | When you create a 5-tuple rule from the console, the rule doesn't automatically add the direction keyword `to_server`. | February 2, 2023 | 
| [Added caveat regarding `EXTERNAL_NET`](suricata-limitations-caveats.md) | If customers override `HOME_NET`, they must also override `EXTERNAL_NET` to equal the negation of `HOME_NET`. | February 2, 2023 | 
| [New subnet IP address type](vpc-config-subnets.md) | You can now configure your subnets to use IPv4, IPv6, or dual-stack IP addresses. | January 17, 2023 | 
| [New stateful rule action](rule-action.md#rule-action-stateful) | Network Firewall now supports the stateful rule action `reject`, in addition to the actions `pass`, `drop`, and `alert`. | January 9, 2023 | 
| [New CloudWatch `RejectedPackets` metric](monitoring-cloudwatch.md#metrics) | `RejectedPackets` tracks the number of packets rejected due to `Reject` stateful rule actions. | January 9, 2023 | 
| [New status message field](firewall-troubleshooting-endpoint-failures.md) | Use a firewall's status message to troubleshoot why an endpoint is failing. | December 28, 2022 | 
| [Added evaluation order for stateful domain list rule groups](rule-group-stateful-creating.md) | You can now configure evaluation order for your own stateful domain list rule groups. | December 21, 2022 | 
| [New stream exception configuration for firewall policies](firewall-policy-creating.md) | You can now select how Network Firewall handles traffic when there's a midstream break in network traffic. | October 5, 2022 | 
| [Added maximum number of IP set references](quotas.md) | You can use as many as five IP set references per Suricata compatible stateful rule group. | October 5, 2022 | 
| [Added maximum network traffic bandwidth per firewall endpoint](quotas.md) | The maximum network traffic bandwidth per firewall endpoint is 100 Gbps. | September 19, 2022 | 
| [Added two new threat signature categories](aws-managed-rule-groups-threat-signature.md) | Added support for Malware Coin Mining and Phishing. | July 29, 2022 | 
| [New topic on using IP set references](rule-groups-ip-set-references.md) | IP set references enable you to reference an IP set resource, such as an Amazon VPC prefix list, in your Suricata compatible stateful rules. | July 21, 2022 | 
| [Updated endpoint capacity](vpc-config.md) | Network Firewall now supports as much as 100 Gbps of network traffic per firewall endpoint. | June 17, 2022 | 
| [Added caveat regarding inner packet inspection for tunneling protocols](suricata-limitations-caveats.md) | The Network Firewall stateful rule engine supports inner packet inspection for tunneling protocols. To block the tunneled traffic, you can write rules against the tunnel layer or against the inner packet. | June 14, 2022 | 
| [Added warning regarding Amazon KMS customer managed keys](kms-encryption-at-rest.md) | If you revoke access to the grant or delete the customer managed keys, endpoints encrypted using the customer managed keys will drop all packets. | June 2, 2022 | 
| [Updated Amazon managed rule groups for Network Firewall](nwfw-managed-rule-groups.md) | Added documentation for each rule in the Amazon managed rule groups for Network Firewall.  | April 28, 2022 | 
| [Added support for threat signature managed rule groups](nwfw-managed-rule-groups.md) | Amazon Network Firewall now supports threat signature Amazon managed rule groups.  | April 28, 2022 | 
| [New topic on encryption using Amazon KMS customer managed keys](kms-encryption-at-rest.md) | Network Firewall now supports the use of customer managed keys to encrypt data at rest. | April 26, 2022 | 
| [Added maximum character length for Suricata rules](quotas.md) | The maximum character length of a Suricata rule is 8,192. | March 22, 2022 | 
| [Added support for managed rule groups](nwfw-managed-rule-groups.md) | Amazon Network Firewall now supports Amazon Managed Rule Groups.  | December 9, 2021 | 
| [Optional strict evaluation order for Suricata compatible stateful rule groups](suricata-rule-evaluation-order.md) | This release adds support for strict ordering for stateful rule groups. Using strict ordering, stateful rule groups are evaluated in the exact order in which you provide them in the firewall policy. | October 1, 2021 | 
| [Expanded availability of Amazon managed policy](security-iam-awsmanpol.md#security-iam-awsmanpol-updates) | Network Firewall expanded the availability of the managed policy `AWSNetworkFirewallServiceRolePolicy` to Amazon GovCloud (US) Regions. | June 24, 2021 | 
| [Increased stateless rule group capacity](quotas.md) | The capacity for stateless rule groups is increased from 10,000 to 30,000. | June 10, 2021 | 
| [Reorganized stateful rule groups sections and expanded examples](stateful-rule-groups-ips.md) | Domain list rule groups and the standard stateless rule groups provide easy entry forms for Suricata compatible rule strings, and the documentation didn't indicate this. Reorganized stateful rule group sections, clarified the information, and added examples showing the correlation between the easy entry forms and the resulting Suricata compatible rule strings. | April 28, 2021 | 
| [JA3 keywords support](suricata-limitations-caveats.md) | JA3 keywords are now supported by Network Firewall.  | April 28, 2021 | 
| [First release of Amazon Network Firewall](what-is-aws-network-firewall.md) | Network Firewall is now available to provide firewall protection for your Amazon Virtual Private Cloud VPCs. | November 16, 2020 | 