Stateless default actions in your firewall policy - Amazon Network Firewall
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Stateless default actions in your firewall policy

In your firewall policy configuration, you indicate how Network Firewall should handle packets that don't match any stateless rule group that's defined for the policy. You provide this configuration regardless of whether you define stateless rule groups for the policy.

The firewall policy allows you to specify different default settings for full packets and for UDP packet fragments. Network Firewall silently drops packet fragments for other protocols. The action options are the same as for the stateless rules that you use in the firewall policy's stateless rule groups.

You are required to specify one of the following options:

  • Pass – Discontinue all inspection of the packet and permit it to go to its intended destination.

  • Drop – Discontinue all inspection of the packet and block it from going to its intended destination.

  • Forward to stateful rules – Discontinue stateless inspection of the packet and forward it to the stateful rule engine for inspection.

You can also specify a named custom action to apply in addition to the standard action. For this action, Network Firewall adds a dimension to its Amazon CloudWatch metrics with the name CustomAction and a value that you specify. For more information, see Amazon Network Firewall metrics in Amazon CloudWatch.

After you define a named custom action, you can use it by name in the same context in which you defined it. You can reuse a custom action setting among the rules in a rule group, and you can reuse a custom action setting between the two stateless default action settings (full packets and UDP fragments) of a firewall policy.
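The example below is added here and is not code from the Network Firewall documentation. It builds the stateless default-action portion of a firewall policy, defining a single named custom action (the metric name `DefaultActionHit` is a constructed value) that publishes a CloudWatch dimension and reusing it in both default action lists, and checks the constraints this page describes: each list carries exactly one of the standard actions, and any custom action referenced by name must be defined in the policy. The standard action strings `aws:pass`, `aws:drop` and `aws:forward_to_sfe` and the `PublishMetricAction` shape are those of the Network Firewall API; the resulting dictionary is what you would pass as `--firewall-policy` to `create-firewall-policy`.

```python
"""Build and sanity-check the stateless default actions of a Network Firewall
policy before sending it with create-firewall-policy (added example)."""

# Standard stateless actions accepted by the Network Firewall API.
STANDARD = {"aws:pass", "aws:drop", "aws:forward_to_sfe"}


def build_stateless_defaults(packet_action, fragment_action, metric_name=None):
    """Return the FirewallPolicy fields for stateless defaults.

    If metric_name is given, a named custom action publishing
    CustomAction=<metric_name> to CloudWatch is defined once and then
    referenced by name from both default-action lists.
    """
    policy = {
        "StatelessDefaultActions": [packet_action],          # full packets
        "StatelessFragmentDefaultActions": [fragment_action],  # UDP fragments
        "StatelessCustomActions": [],
    }
    if metric_name:
        policy["StatelessCustomActions"].append({
            "ActionName": metric_name,
            "ActionDefinition": {
                "PublishMetricAction": {"Dimensions": [{"Value": metric_name}]}
            },
        })
        policy["StatelessDefaultActions"].append(metric_name)
        policy["StatelessFragmentDefaultActions"].append(metric_name)
    return policy


def validate_stateless_defaults(policy):
    """Return a list of problems; an empty list means the defaults are consistent."""
    problems = []
    defined = {a["ActionName"] for a in policy.get("StatelessCustomActions", [])}
    for key in ("StatelessDefaultActions", "StatelessFragmentDefaultActions"):
        actions = policy.get(key, [])
        standard = [a for a in actions if a in STANDARD]
        custom = [a for a in actions if a not in STANDARD]
        if len(standard) != 1:
            problems.append(f"{key}: exactly one of {sorted(STANDARD)} is required")
        for name in custom:
            if name not in defined:
                problems.append(f"{key}: custom action {name!r} is not defined")
    return problems


if __name__ == "__main__":
    # Constructed policy: unmatched packets go to the stateful engine,
    # unmatched UDP fragments are dropped, both tagged with a metric dimension.
    good = build_stateless_defaults("aws:forward_to_sfe", "aws:drop", "DefaultActionHit")
    print(validate_stateless_defaults(good))  # -> []
```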