Creating a firewall policy - Amazon Network Firewall

Creating a firewall policy

To create a firewall policy, you need rule groups that you've already defined to use in the policy. You can create new rule groups and reuse existing ones. For information about creating and managing rule groups, see Rule groups in Amazon Network Firewall.

If you want to use TLS inspection, you need to first create a TLS inspection configuration to use in the policy. For information about working with TLS inspection configurations, see Inspecting SSL/TLS traffic with TLS inspection configurations.

To create a firewall policy
  1. Sign in to the Amazon Web Services Management Console and open the Amazon VPC console at

  2. In the navigation pane, under Network Firewall, choose Firewall policies.

  3. Choose Create firewall policy.

  4. Enter a Name to identify this firewall policy.


    You can't change the name after you create the firewall policy.

  5. (Optional) Enter a Description for the policy to help you identify it among your other resources.

  6. For Stream exception policy, choose how Network Firewall handles traffic when a network connection breaks midstream. Network connections can break due to disruptions in external networks or within the firewall itself. Choose from the following options:

    • Drop - Network Firewall fails closed and drops all subsequent traffic going to the firewall. This is the default behavior.

    • Continue - Network Firewall continues to apply rules to the subsequent traffic without context from traffic before the break. This impacts the behavior of rules that depend on this context. For example, if you have a stateful rule to drop http traffic, Network Firewall won't match the traffic for this rule because the service won't have the context from session initialization defining the application layer protocol as HTTP. However, this behavior is rule dependent: a TCP-layer rule using a flow:stateless rule would still match, as would the aws:drop_strict default action.

    • Reject - Network Firewall fails closed and drops all subsequent traffic going to the firewall. Network Firewall also sends a TCP reject packet back to your client so that the client can immediately establish a new session. Network Firewall will have context about the new session and will apply rules to the subsequent traffic.


    Long-lived TCP connections – If your applications rely on long-lived TCP connections that trigger Gateway Load Balancer idle timeout, we recommend that you use the Reject option for your stream exception policy. This ensures that the applications using long-lived connections receive a TCP reset packet, which signals to the application’s TCP stack that it needs to establish a new connection before continuing. When the application establishes a new connection through the firewall, the firewall can make a decision based on the full connection context, which is often used in determining if a firewall should allow or deny a connection. You can configure your firewall’s stream exception policy using the console or the StatefulEngineOptions data type in the API.

  7. Choose Next to go to the firewall policy's Add rule groups page.

  8. To choose the actions to take on packets that don't match any stateless rules, in the Stateless default actions section, first choose how to treat fragmented packets. You can choose Use the same actions for all packets or Use different actions for full packets and fragmented packets. You can then choose Pass, Drop, or Forward to stateful rule groups for all packets, or choose individually for full and fragmented packets. You also have the option to enable a custom action that lets you publish custom Amazon CloudWatch metrics to monitor the usage of stateless rules in your rule group.

  9. To choose the way that your stateful rules are ordered for evaluation, and the actions to take on packets that don't match any stateful rules, in the Stateful rule evaluation order and default action section, first choose a rule evaluation order:

    • Choose Strict order (recommended) to provide your rules in the order that you want them to be evaluated. You can then choose one or more default actions for packets that don't match any rules.

    • Choose Action order to have the stateful rules engine determine the evaluation order of your rules. The default action for this rule order is Pass, followed by Drop, Reject, and Alert actions. This option was previously named Default order.

    For more information about stateful default actions for rule groups, see Action order.

  10. To add stateless rule groups, in the Stateless rule groups section, choose Add rule groups, then select the check boxes for the rule groups that you want to add and choose Add rule groups.

  11. If your firewall policy has multiple stateless rule groups, in the Stateless rule group section, update the processing order as needed. Network Firewall processes stateless rule groups by order of priority, starting from the lowest. To move a rule group in the list, select the check box next to its name and then move it up or down. For more information, see How Amazon Network Firewall filters network traffic.

  12. Choose the stateless default actions for the firewall policy to take if a packet or UDP packet fragment doesn't match any of the stateless rule groups. Network Firewall silently drops packet fragments for other protocols. For information about the action options, see Stateless default actions in your firewall policy.

    Network Firewall doesn't automatically forward packets to stateful rule groups. It forwards only for the following situations:

    • The packet matches a stateless rule whose action specifies forward to stateful rule groups.

    • The packet doesn't match any stateless rule and the applicable default action setting specifies forward to stateful rule groups.

  13. To add stateful rule groups, in the Stateful rule groups section, choose Add rule groups, then select the check boxes for the rule groups that you want to add and choose Add rule groups.

  14. Choose Next.

  15. On the Configure advanced settings page, optionally customize encryption and policy variables, and set the stream exception policy.

  16. (Optional) Under Customer managed key, toggle the Customize encryption settings option to use an Amazon Key Management Service customer managed key to encrypt your resources. For more information about this option, see Encryption at rest with Amazon Key Management Service.

  17. (Optional) For Policy variables, enter one or more IPv4 or IPv6 addresses in CIDR notation to override the default value of Suricata HOME_NET. If your firewall is deployed using a centralized deployment model, you might want to override HOME_NET with the CIDRs of your home network. Otherwise, Network Firewall uses the CIDR of your inspection VPC.

  18. Choose Next.

  19. (Optional) On the Add TLS inspection configuration page, choose Add TLS inspection configuration to turn on decryption and re-encryption of incoming SSL/TLS traffic for the firewalls associated with this policy. You can't add or remove a TLS inspection configuration after firewall policy creation. For information about TLS inspection configurations, see Inspecting SSL/TLS traffic with TLS inspection configurations.

  20. Choose Next.

  21. (Optional) On the Add tags page, enter a key and optional value for any tag that you want added to this firewall policy. Tags help you organize and manage your Amazon resources. For more information about tagging your resources, see Tagging Amazon Network Firewall resources.

  22. Choose Next.

  23. On the Review and create page, check over your firewall policy settings. If you want to change any section, choose Edit for the section. This returns you to the page in the firewall policy wizard. Make your changes, then choose Next on each page until you come back to the Review and create page.

  24. Choose Create firewall policy.

Your new firewall policy is added to the list in the Firewall policies page.
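
The choices made in steps 6, 9, 12 and 17 can also be reviewed offline against the policy expressed as a JSON document. The following is an added example, not part of the original documentation or an Amazon tool: `audit_firewall_policy` is a hypothetical helper, the field names and action strings are assumed to follow the Network Firewall API's FirewallPolicy structure (the page itself names only `StatefulEngineOptions` and `aws:drop_strict`), and both sample policies are constructed.

```python
import ipaddress

def audit_firewall_policy(policy):
    """Return review findings for a FirewallPolicy document (a dict)."""
    findings = []
    engine = policy.get("StatefulEngineOptions", {})
    # Drop is the default stream exception policy when none is set.
    if engine.get("StreamExceptionPolicy", "DROP") == "CONTINUE":
        findings.append("stream-exception: CONTINUE evaluates traffic without "
                        "pre-break context, so context-dependent rules may not match")
    if engine.get("RuleOrder", "DEFAULT_ACTION_ORDER") != "STRICT_ORDER":
        findings.append("rule-order: not STRICT_ORDER, the recommended order")
    elif not any(a.startswith("aws:drop")
                 for a in policy.get("StatefulDefaultActions", [])):
        findings.append("stateful-default: no drop action for unmatched packets")
    # Stateful rule groups see only packets that a stateless rule or a
    # stateless default action forwards to them.
    for key in ("StatelessDefaultActions", "StatelessFragmentDefaultActions"):
        actions = policy.get(key, [])
        if "aws:pass" in actions:
            findings.append(f"{key}: unmatched packets pass uninspected")
        elif (policy.get("StatefulRuleGroupReferences")
              and "aws:forward_to_sfe" not in actions):
            findings.append(f"{key}: unmatched packets never reach stateful rules")
    variables = policy.get("PolicyVariables", {}).get("RuleVariables", {})
    for cidr in variables.get("HOME_NET", {}).get("Definition", []):
        try:
            ipaddress.ip_network(cidr, strict=True)  # rejects set host bits
        except ValueError:
            findings.append(f"HOME_NET: {cidr!r} is not a valid CIDR block")
    return findings

# Constructed sample policies; the ARN is a placeholder, not a real resource.
ARN = "<stateful-rule-group-arn>"
WEAK = {
    "StatelessDefaultActions": ["aws:pass"],
    "StatelessFragmentDefaultActions": ["aws:drop"],
    "StatefulRuleGroupReferences": [{"ResourceArn": ARN}],
    "StatefulEngineOptions": {"StreamExceptionPolicy": "CONTINUE"},
    "PolicyVariables": {"RuleVariables": {"HOME_NET": {"Definition": ["10.0.0.1/16"]}}},
}
HARDENED = {
    "StatelessDefaultActions": ["aws:forward_to_sfe"],
    "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
    "StatefulRuleGroupReferences": [{"ResourceArn": ARN, "Priority": 1}],
    "StatefulDefaultActions": ["aws:drop_strict"],
    "StatefulEngineOptions": {"RuleOrder": "STRICT_ORDER", "StreamExceptionPolicy": "REJECT"},
    "PolicyVariables": {"RuleVariables": {"HOME_NET": {"Definition": ["10.0.0.0/8"]}}},
}
```

`audit_firewall_policy(WEAK)` returns five findings and `audit_firewall_policy(HARDENED)` returns none; a policy exported from an existing deployment can be passed in the same way.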