
/AWS1/CL_NWFHEADER

The basic rule criteria for Network Firewall to use to inspect packet headers in stateful traffic flow inspection. Traffic flows that match the criteria are a match for the corresponding StatefulRule.

CONSTRUCTOR

IMPORTING

Required arguments:

iv_protocol TYPE /AWS1/NWFSTATEFULRULEPROTOCOL

The protocol to inspect for. To specify all, you can use IP, because all traffic on Amazon Web Services and on the internet is IP.

iv_source TYPE /AWS1/NWFSOURCE

The source IP address or address range to inspect for, in CIDR notation. To match with any address, specify ANY.

Specify an IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation. Network Firewall supports all address ranges for IPv4 and IPv6.

Examples:

  • To configure Network Firewall to inspect for the IP address 192.0.2.44, specify 192.0.2.44/32.

  • To configure Network Firewall to inspect for IP addresses from 192.0.2.0 to 192.0.2.255, specify 192.0.2.0/24.

  • To configure Network Firewall to inspect for the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify 1111:0000:0000:0000:0000:0000:0000:0111/128.

  • To configure Network Firewall to inspect for IP addresses from 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify 1111:0000:0000:0000:0000:0000:0000:0000/64.

For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.

iv_sourceport TYPE /AWS1/NWFPORT

The source port to inspect for. You can specify an individual port, for example 1994, or a port range, for example 1990:1994. To match with any port, specify ANY.

iv_direction TYPE /AWS1/NWFSTATEFULRULEDIRECTION

The direction of traffic flow to inspect. If set to ANY, the inspection matches bidirectional traffic, both from the source to the destination and from the destination to the source. If set to FORWARD, the inspection only matches traffic going from the source to the destination.

iv_destination TYPE /AWS1/NWFDESTINATION

The destination IP address or address range to inspect for, in CIDR notation. To match with any address, specify ANY.

Specify an IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation. Network Firewall supports all address ranges for IPv4 and IPv6.

Examples:

  • To configure Network Firewall to inspect for the IP address 192.0.2.44, specify 192.0.2.44/32.

  • To configure Network Firewall to inspect for IP addresses from 192.0.2.0 to 192.0.2.255, specify 192.0.2.0/24.

  • To configure Network Firewall to inspect for the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify 1111:0000:0000:0000:0000:0000:0000:0111/128.

  • To configure Network Firewall to inspect for IP addresses from 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify 1111:0000:0000:0000:0000:0000:0000:0000/64.

For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.

iv_destinationport TYPE /AWS1/NWFPORT

The destination port to inspect for. You can specify an individual port, for example 1994, or a port range, for example 1990:1994. To match with any port, specify ANY.
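The matching semantics of the six header fields above (CIDR source and destination or ANY, a single port or a low:high range or ANY, protocol IP as a wildcard, and FORWARD versus ANY direction), modelled in Python as an added example. This is not the SDK's or Network Firewall's code; the `Header` class and the sample packet flows are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Header:
    """Constructed stand-in for the six /AWS1/CL_NWFHEADER fields."""
    protocol: str          # e.g. "TCP", "UDP", or "IP" to match every protocol
    source: str            # CIDR block or "ANY"
    source_port: str       # "1994", "1990:1994" or "ANY"
    direction: str         # "FORWARD" or "ANY"
    destination: str       # CIDR block or "ANY"
    destination_port: str  # "1994", "1990:1994" or "ANY"

def address_matches(spec: str, addr: str) -> bool:
    """True if addr falls inside the CIDR block spec, or spec is ANY.
    An IPv4 address never matches an IPv6 block and vice versa."""
    if spec.upper() == "ANY":
        return True
    # strict=False masks off host bits if a prefix like 192.0.2.44/24 is given
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def port_matches(spec: str, port: int) -> bool:
    """True if port equals the single port spec, lies inside low:high, or spec is ANY."""
    if spec.upper() == "ANY":
        return True
    low, _, high = spec.partition(":")
    return int(low) <= port <= int(high or low)

def _one_way(h: Header, src: str, sport: int, dst: str, dport: int) -> bool:
    return (address_matches(h.source, src) and port_matches(h.source_port, sport)
            and address_matches(h.destination, dst) and port_matches(h.destination_port, dport))

def header_matches(h: Header, protocol: str, src: str, sport: int, dst: str, dport: int) -> bool:
    """Does a packet (protocol, src:sport -> dst:dport) match the header?
    FORWARD matches only source->destination; ANY also matches the reverse direction."""
    if h.protocol.upper() != "IP" and h.protocol.upper() != protocol.upper():
        return False
    if _one_way(h, src, sport, dst, dport):
        return True
    return h.direction.upper() == "ANY" and _one_way(h, dst, dport, src, sport)

# Constructed header: TCP from 192.0.2.0/24 to any host on ports 1990-1994, source->destination only
RULE = Header("TCP", "192.0.2.0/24", "ANY", "FORWARD", "ANY", "1990:1994")

if __name__ == "__main__":
    print(header_matches(RULE, "TCP", "192.0.2.44", 51000, "203.0.113.5", 1992))  # True
    print(header_matches(RULE, "TCP", "203.0.113.5", 1992, "192.0.2.44", 51000))  # False: FORWARD only
```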


Queryable Attributes

Protocol

The protocol to inspect for. To specify all, you can use IP, because all traffic on Amazon Web Services and on the internet is IP.

Accessible with the following methods

Method Description
GET_PROTOCOL() Getter for PROTOCOL, with configurable default
ASK_PROTOCOL() Getter for PROTOCOL w/ exceptions if field has no value
HAS_PROTOCOL() Determine if PROTOCOL has a value

Source

The source IP address or address range to inspect for, in CIDR notation. To match with any address, specify ANY.

Specify an IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation. Network Firewall supports all address ranges for IPv4 and IPv6.

Examples:

  • To configure Network Firewall to inspect for the IP address 192.0.2.44, specify 192.0.2.44/32.

  • To configure Network Firewall to inspect for IP addresses from 192.0.2.0 to 192.0.2.255, specify 192.0.2.0/24.

  • To configure Network Firewall to inspect for the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify 1111:0000:0000:0000:0000:0000:0000:0111/128.

  • To configure Network Firewall to inspect for IP addresses from 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify 1111:0000:0000:0000:0000:0000:0000:0000/64.

For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.

Accessible with the following methods

Method Description
GET_SOURCE() Getter for SOURCE, with configurable default
ASK_SOURCE() Getter for SOURCE w/ exceptions if field has no value
HAS_SOURCE() Determine if SOURCE has a value

SourcePort

The source port to inspect for. You can specify an individual port, for example 1994, or a port range, for example 1990:1994. To match with any port, specify ANY.

Accessible with the following methods

Method Description
GET_SOURCEPORT() Getter for SOURCEPORT, with configurable default
ASK_SOURCEPORT() Getter for SOURCEPORT w/ exceptions if field has no value
HAS_SOURCEPORT() Determine if SOURCEPORT has a value

Direction

The direction of traffic flow to inspect. If set to ANY, the inspection matches bidirectional traffic, both from the source to the destination and from the destination to the source. If set to FORWARD, the inspection only matches traffic going from the source to the destination.

Accessible with the following methods

Method Description
GET_DIRECTION() Getter for DIRECTION, with configurable default
ASK_DIRECTION() Getter for DIRECTION w/ exceptions if field has no value
HAS_DIRECTION() Determine if DIRECTION has a value

Destination

The destination IP address or address range to inspect for, in CIDR notation. To match with any address, specify ANY.

Specify an IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation. Network Firewall supports all address ranges for IPv4 and IPv6.

Examples:

  • To configure Network Firewall to inspect for the IP address 192.0.2.44, specify 192.0.2.44/32.

  • To configure Network Firewall to inspect for IP addresses from 192.0.2.0 to 192.0.2.255, specify 192.0.2.0/24.

  • To configure Network Firewall to inspect for the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify 1111:0000:0000:0000:0000:0000:0000:0111/128.

  • To configure Network Firewall to inspect for IP addresses from 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify 1111:0000:0000:0000:0000:0000:0000:0000/64.

For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.

Accessible with the following methods

Method Description
GET_DESTINATION() Getter for DESTINATION, with configurable default
ASK_DESTINATION() Getter for DESTINATION w/ exceptions if field has no value
HAS_DESTINATION() Determine if DESTINATION has a value

DestinationPort

The destination port to inspect for. You can specify an individual port, for example 1994, or a port range, for example 1990:1994. To match with any port, specify ANY.

Accessible with the following methods

Method Description
GET_DESTINATIONPORT() Getter for DESTINATIONPORT, with configurable default
ASK_DESTINATIONPORT() Getter for DESTINATIONPORT w/ exceptions if field has no value
HAS_DESTINATIONPORT() Determine if DESTINATIONPORT has a value