/AWS1/CL_NWFRULESSOURCELIST¶
Stateful inspection criteria for a domain list rule group.
For HTTPS traffic, domain filtering is SNI-based: it uses the Server Name Indication (SNI) extension of the TLS handshake. The SNI value is written by the client and sent in the clear in the ClientHello, so this filtering keys on the name the client presents, not on the certificate the server returns.
By default, Network Firewall domain list inspection only includes traffic coming from the VPC where you deploy the firewall. To inspect traffic from IP addresses outside of the deployment VPC, set the HOME_NET rule variable to a list of CIDR ranges that includes the deployment VPC's CIDR range plus the other CIDR ranges. For more information, see RuleVariables in this guide and Stateful domain list rule groups in Network Firewall in the Network Firewall Developer Guide.
CONSTRUCTOR¶
IMPORTING¶
Required arguments:¶
it_targets TYPE /AWS1/CL_NWFRULETARGETS_W=>TT_RULETARGETS¶
The domains that you want to inspect for in your traffic flows. Valid domain specifications are the following:
- Explicit names. For example, abc.example.com matches only the domain abc.example.com.
- Names that use a domain wildcard, which you indicate with an initial '.'. For example, .example.com matches example.com and matches all subdomains of example.com, such as abc.example.com and www.example.com.
it_targettypes TYPE /AWS1/CL_NWFTARGETTYPES_W=>TT_TARGETTYPES¶
The protocols you want to inspect. Specify TLS_SNI for HTTPS. Specify HTTP_HOST for HTTP. You can specify either or both.
iv_generatedrulestype TYPE /AWS1/NWFGENERATEDRULESTYPE¶
Whether you want to apply allow, reject, alert, or drop behavior to the domains in your target list.
When logging is enabled and you choose Alert, traffic that matches the domain specifications generates an alert in the firewall's logs. The traffic is then passed, rejected, or dropped based on the other rules in the firewall policy.
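The following is an added example, not code from the SDK documentation or from the SDK's own samples. It builds a DENYLIST domain rule from this class, reads it back through the HAS_/ASK_ accessors, and attaches a HOME_NET rule variable so that traffic from a second, peered VPC is inspected too, which is the caveat described above. The class /AWS1/CL_NWFRULESSOURCELIST and its constructor parameters are taken from this page; the profile name DEMO, the CIDR ranges, the rule group name, and the names of the session, factory, rule-group, rules-source, rule-variables and IP-set classes and their parameters are assumptions that follow the SDK's naming pattern and should be checked against the installed SDK.

```abap
" Added example; assumes an SDK profile DEMO exists and that the class and
" parameter names marked "assumed" follow the ABAP SDK for AWS conventions.
REPORT z_nwf_domain_denylist.

CLASS lcl_domain_rule DEFINITION.
  PUBLIC SECTION.
    CLASS-METHODS build_source_list
      RETURNING VALUE(ro_list) TYPE REF TO /aws1/cl_nwfrulessourcelist.
    CLASS-METHODS build_home_net
      RETURNING VALUE(ro_vars) TYPE REF TO /aws1/cl_nwfrulevariables.  " assumed class
ENDCLASS.

CLASS lcl_domain_rule IMPLEMENTATION.
  METHOD build_source_list.
    DATA lt_targets TYPE /aws1/cl_nwfruletargets_w=>tt_ruletargets.
    DATA lt_types   TYPE /aws1/cl_nwftargettypes_w=>tt_targettypes.

    " Explicit name: matches only this host.
    APPEND NEW /aws1/cl_nwfruletargets_w( iv_value = 'abc.example.com' ) TO lt_targets.
    " Leading '.' is a wildcard: matches example.net and every subdomain of it.
    APPEND NEW /aws1/cl_nwfruletargets_w( iv_value = '.example.net' ) TO lt_targets.

    " Inspect both plaintext Host headers and TLS SNI; listing only TLS_SNI
    " would let a plain HTTP request to the same name pass uninspected.
    APPEND NEW /aws1/cl_nwftargettypes_w( iv_value = 'HTTP_HOST' ) TO lt_types.
    APPEND NEW /aws1/cl_nwftargettypes_w( iv_value = 'TLS_SNI' )   TO lt_types.

    " DENYLIST / ALLOWLIST are the Network Firewall API values for the rule behavior.
    ro_list = NEW /aws1/cl_nwfrulessourcelist(
      it_targets            = lt_targets
      it_targettypes        = lt_types
      iv_generatedrulestype = 'DENYLIST' ).
  ENDMETHOD.

  METHOD build_home_net.
    " Without HOME_NET, only flows sourced from the deployment VPC are inspected.
    " CIDRs below are constructed sample values.
    DATA lt_cidrs TYPE /aws1/cl_nwfvariabledefn_w=>tt_variabledefinitionlist.  " assumed type
    APPEND NEW /aws1/cl_nwfvariabledefn_w( iv_value = '10.0.0.0/16' ) TO lt_cidrs.  " deployment VPC
    APPEND NEW /aws1/cl_nwfvariabledefn_w( iv_value = '10.1.0.0/16' ) TO lt_cidrs.  " peered VPC

    DATA lt_ipsets TYPE /aws1/cl_nwfipset=>tt_ipsets.  " assumed map type (key / value rows)
    INSERT VALUE #( key   = 'HOME_NET'
                    value = NEW /aws1/cl_nwfipset( it_definition = lt_cidrs ) ) INTO TABLE lt_ipsets.
    ro_vars = NEW /aws1/cl_nwfrulevariables( it_ipsets = lt_ipsets ).
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  DATA(lo_list) = lcl_domain_rule=>build_source_list( ).

  " Read back through the queryable attributes: HAS_ guards, ASK_ raises if unset.
  IF lo_list->has_targettypes( ) = abap_true.
    DATA(lt_types) = lo_list->ask_targettypes( ).
    LOOP AT lt_types INTO DATA(lo_type).
      DATA(lv_type) = lo_type->get_value( ).
      WRITE: / 'target type:', lv_type.
    ENDLOOP.
  ENDIF.

  DATA(lo_session) = /aws1/cl_rt_session_aws=>create( iv_profile_id = 'DEMO' ).
  DATA(lo_nwf)     = /aws1/cl_nwf_factory=>create( lo_session ).  " assumed factory name
  TRY.
      DATA(lo_result) = lo_nwf->createrulegroup(                 " assumed parameter names
        iv_rulegroupname = 'zdomain-denylist'
        iv_type          = 'STATEFUL'
        iv_capacity      = 100
        io_rulegroup     = NEW /aws1/cl_nwfrulegroup(
          io_rulessource   = NEW /aws1/cl_nwfrulessource( io_rulessourcelist = lo_list )
          io_rulevariables = lcl_domain_rule=>build_home_net( ) ) ).
      DATA(lv_arn) = lo_result->get_rulegroupresponse( )->get_rulegrouparn( ).
      WRITE: / 'created rule group', lv_arn.
    CATCH /aws1/cx_rt_generic INTO DATA(lx_err).
      WRITE: / 'CreateRuleGroup failed:', lx_err->get_text( ).
  ENDTRY.
```

The rule behavior value is passed as a plain string because /AWS1/NWFGENERATEDRULESTYPE is a character type; the SDK does not validate it locally, so a typo such as 'DENY_LIST' only surfaces as a service-side validation error inside the CATCH branch.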
Queryable Attributes¶
Targets¶
The domains that you want to inspect for in your traffic flows. Valid domain specifications are the following:
- Explicit names. For example, abc.example.com matches only the domain abc.example.com.
- Names that use a domain wildcard, which you indicate with an initial '.'. For example, .example.com matches example.com and matches all subdomains of example.com, such as abc.example.com and www.example.com.
Accessible with the following methods¶
| Method | Description |
|---|---|
| GET_TARGETS() | Getter for TARGETS, with configurable default |
| ASK_TARGETS() | Getter for TARGETS w/ exceptions if field has no value |
| HAS_TARGETS() | Determine if TARGETS has a value |
TargetTypes¶
The protocols you want to inspect. Specify TLS_SNI for HTTPS. Specify HTTP_HOST for HTTP. You can specify either or both.
Accessible with the following methods¶
| Method | Description |
|---|---|
| GET_TARGETTYPES() | Getter for TARGETTYPES, with configurable default |
| ASK_TARGETTYPES() | Getter for TARGETTYPES w/ exceptions if field has no value |
| HAS_TARGETTYPES() | Determine if TARGETTYPES has a value |
GeneratedRulesType¶
Whether you want to apply allow, reject, alert, or drop behavior to the domains in your target list.
When logging is enabled and you choose Alert, traffic that matches the domain specifications generates an alert in the firewall's logs. The traffic is then passed, rejected, or dropped based on the other rules in the firewall policy.
Accessible with the following methods¶
| Method | Description |
|---|---|
| GET_GENERATEDRULESTYPE() | Getter for GENERATEDRULESTYPE, with configurable default |
| ASK_GENERATEDRULESTYPE() | Getter for GENERATEDRULESTYPE w/ exceptions if field has no value |
| HAS_GENERATEDRULESTYPE() | Determine if GENERATEDRULESTYPE has a value |