Class CfnFirewallPolicyPropsMixin.FirewallPolicyProperty
The traffic filtering behavior of a firewall policy, defined in a collection of stateless and stateful rule groups and other settings.
Inherited Members
Namespace: Amazon.CDK.Mixins.Preview.AWS.NetworkFirewall.Mixins
Assembly: Amazon.CDK.Mixins.Preview.dll
Syntax (csharp)
public class CfnFirewallPolicyPropsMixin.FirewallPolicyProperty : CfnFirewallPolicyPropsMixin.IFirewallPolicyProperty
Syntax (vb)
Public Class CfnFirewallPolicyPropsMixin.FirewallPolicyProperty Implements CfnFirewallPolicyPropsMixin.IFirewallPolicyProperty
Remarks
ExampleMetadata: fixture=_generated
Examples
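// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change. The two stateless default-action
// fields use the documented standard action aws:forward_to_sfe, so traffic that matches
// no stateless rule is handed to the stateful engine rather than passed uninspected.
using Amazon.CDK.Mixins.Preview.AWS.NetworkFirewall.Mixins;

var firewallPolicyProperty = new FirewallPolicyProperty
{
    // Requires TlsInspectionConfigurationArn. When false or unset, TCP and TLS packets
    // can reach the destination server before TLS inspection has evaluated SNI rules.
    EnableTlsSessionHolding = false,

    // Variables that override default Suricata settings for the stateful engine.
    PolicyVariables = new PolicyVariablesProperty
    {
        RuleVariables = new Dictionary<string, object>
        {
            { "ruleVariablesKey", new Dictionary<string, string[]?>
                {
                    { "definition", new [] { "definition" } }
                } }
        }
    },

    // Optional; only valid when StatefulEngineOptions.RuleOrder selects strict
    // evaluation order. See the property documentation for the accepted values.
    StatefulDefaultActions = new [] { "statefulDefaultActions" },

    StatefulEngineOptions = new StatefulEngineOptionsProperty
    {
        FlowTimeouts = new FlowTimeoutsProperty
        {
            TcpIdleTimeoutSeconds = 123
        },
        // Every referenced stateful rule group must use rule options compatible with this.
        RuleOrder = "ruleOrder",
        // NOTE(review): presumably decides what happens to flows for which the stateful
        // engine raises a stream exception — confirm the value you pick fails closed.
        StreamExceptionPolicy = "streamExceptionPolicy"
    },

    // Stateful rule groups define the inspection criteria; ResourceArn is the group's ARN.
    StatefulRuleGroupReferences = new [] { new StatefulRuleGroupReferenceProperty
    {
        DeepThreatInspection = false,
        Override = new StatefulRuleGroupOverrideProperty
        {
            Action = "action"
        },
        Priority = 123,
        ResourceArn = "resourceArn"
    } },

    // Custom actions are referenced by ActionName from the stateless default actions.
    StatelessCustomActions = new [] { new CustomActionProperty
    {
        ActionDefinition = new ActionDefinitionProperty
        {
            PublishMetricAction = new PublishMetricActionProperty
            {
                Dimensions = new [] { new DimensionProperty
                {
                    Value = "value"
                } }
            }
        },
        ActionName = "actionName"
    } },

    // What happens to packets (and to fragments) that match no stateless rule. One of the
    // standard actions aws:pass, aws:drop, or aws:forward_to_sfe is required; aws:pass lets
    // unmatched traffic through without stateful inspection, so prefer forwarding or dropping.
    StatelessDefaultActions = new [] { "aws:forward_to_sfe" },
    StatelessFragmentDefaultActions = new [] { "aws:forward_to_sfe" },

    // Stateless rule groups define the matching criteria; ResourceArn is the group's ARN.
    StatelessRuleGroupReferences = new [] { new StatelessRuleGroupReferenceProperty
    {
        Priority = 123,
        ResourceArn = "resourceArn"
    } },

    // Required when EnableTlsSessionHolding is true.
    TlsInspectionConfigurationArn = "tlsInspectionConfigurationArn"
};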
Synopsis
Constructors
| FirewallPolicyProperty() | The traffic filtering behavior of a firewall policy, defined in a collection of stateless and stateful rule groups and other settings. |
Properties
| EnableTlsSessionHolding | When true, prevents TCP and TLS packets from reaching destination servers until TLS Inspection has evaluated Server Name Indication (SNI) rules. |
| PolicyVariables | Contains variables that you can use to override default Suricata settings in your firewall policy. |
| StatefulDefaultActions | The default actions to take on a packet that doesn't match any stateful rules. |
| StatefulEngineOptions | Additional options governing how Network Firewall handles stateful rules. |
| StatefulRuleGroupReferences | References to the stateful rule groups that are used in the policy. |
| StatelessCustomActions | The custom action definitions that are available for use in the firewall policy's StatelessDefaultActions setting. |
| StatelessDefaultActions | The actions to take on a packet if it doesn't match any of the stateless rules in the policy. |
| StatelessFragmentDefaultActions | The actions to take on a fragmented packet if it doesn't match any of the stateless rules in the policy. |
| StatelessRuleGroupReferences | References to the stateless rule groups that are used in the policy. |
| TlsInspectionConfigurationArn | The Amazon Resource Name (ARN) of the TLS inspection configuration. |
Constructors
FirewallPolicyProperty()
The traffic filtering behavior of a firewall policy, defined in a collection of stateless and stateful rule groups and other settings.
public FirewallPolicyProperty()
Remarks
ExampleMetadata: fixture=_generated
Examples
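// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change. The two stateless default-action
// fields use the documented standard action aws:forward_to_sfe, so traffic that matches
// no stateless rule is handed to the stateful engine rather than passed uninspected.
using Amazon.CDK.Mixins.Preview.AWS.NetworkFirewall.Mixins;

var firewallPolicyProperty = new FirewallPolicyProperty
{
    // Requires TlsInspectionConfigurationArn. When false or unset, TCP and TLS packets
    // can reach the destination server before TLS inspection has evaluated SNI rules.
    EnableTlsSessionHolding = false,

    // Variables that override default Suricata settings for the stateful engine.
    PolicyVariables = new PolicyVariablesProperty
    {
        RuleVariables = new Dictionary<string, object>
        {
            { "ruleVariablesKey", new Dictionary<string, string[]?>
                {
                    { "definition", new [] { "definition" } }
                } }
        }
    },

    // Optional; only valid when StatefulEngineOptions.RuleOrder selects strict
    // evaluation order. See the property documentation for the accepted values.
    StatefulDefaultActions = new [] { "statefulDefaultActions" },

    StatefulEngineOptions = new StatefulEngineOptionsProperty
    {
        FlowTimeouts = new FlowTimeoutsProperty
        {
            TcpIdleTimeoutSeconds = 123
        },
        // Every referenced stateful rule group must use rule options compatible with this.
        RuleOrder = "ruleOrder",
        // NOTE(review): presumably decides what happens to flows for which the stateful
        // engine raises a stream exception — confirm the value you pick fails closed.
        StreamExceptionPolicy = "streamExceptionPolicy"
    },

    // Stateful rule groups define the inspection criteria; ResourceArn is the group's ARN.
    StatefulRuleGroupReferences = new [] { new StatefulRuleGroupReferenceProperty
    {
        DeepThreatInspection = false,
        Override = new StatefulRuleGroupOverrideProperty
        {
            Action = "action"
        },
        Priority = 123,
        ResourceArn = "resourceArn"
    } },

    // Custom actions are referenced by ActionName from the stateless default actions.
    StatelessCustomActions = new [] { new CustomActionProperty
    {
        ActionDefinition = new ActionDefinitionProperty
        {
            PublishMetricAction = new PublishMetricActionProperty
            {
                Dimensions = new [] { new DimensionProperty
                {
                    Value = "value"
                } }
            }
        },
        ActionName = "actionName"
    } },

    // What happens to packets (and to fragments) that match no stateless rule. One of the
    // standard actions aws:pass, aws:drop, or aws:forward_to_sfe is required; aws:pass lets
    // unmatched traffic through without stateful inspection, so prefer forwarding or dropping.
    StatelessDefaultActions = new [] { "aws:forward_to_sfe" },
    StatelessFragmentDefaultActions = new [] { "aws:forward_to_sfe" },

    // Stateless rule groups define the matching criteria; ResourceArn is the group's ARN.
    StatelessRuleGroupReferences = new [] { new StatelessRuleGroupReferenceProperty
    {
        Priority = 123,
        ResourceArn = "resourceArn"
    } },

    // Required when EnableTlsSessionHolding is true.
    TlsInspectionConfigurationArn = "tlsInspectionConfigurationArn"
};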
Properties
EnableTlsSessionHolding
When true, prevents TCP and TLS packets from reaching destination servers until TLS Inspection has evaluated Server Name Indication (SNI) rules.
public object? EnableTlsSessionHolding { get; set; }
Property Value
Remarks
Requires an associated TLS inspection configuration (set TlsInspectionConfigurationArn). When false or unset, TCP and TLS packets can reach the destination server before TLS inspection has evaluated the SNI rules.
Type union: either bool or IResolvable
PolicyVariables
Contains variables that you can use to override default Suricata settings in your firewall policy.
public object? PolicyVariables { get; set; }
Property Value
Remarks
StatefulDefaultActions
The default actions to take on a packet that doesn't match any stateful rules.
public string[]? StatefulDefaultActions { get; set; }
Property Value
string[]
Remarks
The stateful default action is optional, and is only valid when using the strict rule order.
For the valid values of the stateful default action, and for more information, see Strict evaluation order in the AWS Network Firewall Developer Guide.
StatefulEngineOptions
Additional options governing how Network Firewall handles stateful rules.
public object? StatefulEngineOptions { get; set; }
Property Value
Remarks
The stateful rule groups that you use in your policy must have stateful rule options settings that are compatible with these settings.
Type union: either IResolvable or CfnFirewallPolicyPropsMixin.IStatefulEngineOptionsProperty
StatefulRuleGroupReferences
References to the stateful rule groups that are used in the policy.
public object? StatefulRuleGroupReferences { get; set; }
Property Value
Remarks
These define the inspection criteria in stateful rules.
Type union: either IResolvable or (either IResolvable or CfnFirewallPolicyPropsMixin.IStatefulRuleGroupReferenceProperty)[]
StatelessCustomActions
The custom action definitions that are available for use in the firewall policy's StatelessDefaultActions setting.
public object? StatelessCustomActions { get; set; }
Property Value
Remarks
You name each custom action that you define, and then you can use it by name in your default actions specifications.
Type union: either IResolvable or (either IResolvable or CfnFirewallPolicyPropsMixin.ICustomActionProperty)[]
StatelessDefaultActions
The actions to take on a packet if it doesn't match any of the stateless rules in the policy.
public string[]? StatelessDefaultActions { get; set; }
Property Value
string[]
Remarks
If you want non-matching packets to be forwarded for stateful inspection, specify aws:forward_to_sfe .
You must specify one of the standard actions: aws:pass, aws:drop, or aws:forward_to_sfe. In addition, you can specify custom actions that are compatible with your choice of standard action.
For example, you could specify ["aws:pass"] or ["aws:pass", "customActionName"]. For information about compatibility, see the custom action descriptions.
StatelessFragmentDefaultActions
The actions to take on a fragmented packet if it doesn't match any of the stateless rules in the policy.
public string[]? StatelessFragmentDefaultActions { get; set; }
Property Value
string[]
Remarks
If you want non-matching fragmented packets to be forwarded for stateful inspection, specify aws:forward_to_sfe .
You must specify one of the standard actions: aws:pass, aws:drop, or aws:forward_to_sfe. In addition, you can specify custom actions that are compatible with your choice of standard action.
For example, you could specify ["aws:pass"] or ["aws:pass", "customActionName"]. For information about compatibility, see the custom action descriptions.
StatelessRuleGroupReferences
References to the stateless rule groups that are used in the policy.
public object? StatelessRuleGroupReferences { get; set; }
Property Value
Remarks
These define the matching criteria in stateless rules.
Type union: either IResolvable or (either IResolvable or CfnFirewallPolicyPropsMixin.IStatelessRuleGroupReferenceProperty)[]
TlsInspectionConfigurationArn
The Amazon Resource Name (ARN) of the TLS inspection configuration.
public string? TlsInspectionConfigurationArn { get; set; }