feat(client-network-firewall): StreamExceptionPolicy configures how AWS Network Firewall processes traffic when a network connection breaks midstream
awstools committed Oct 5, 2022
1 parent ab0e7be commit caa6cba
Showing 6 changed files with 513 additions and 372 deletions.
4 changes: 2 additions & 2 deletions clients/client-network-firewall/README.md
Expand Up @@ -35,9 +35,9 @@ Guide</a>.</p>
prevention service for Amazon Virtual Private Cloud (Amazon VPC). With Network Firewall, you can filter traffic at the
perimeter of your VPC. This includes filtering traffic going to and coming from an internet
gateway, NAT gateway, or over VPN or Direct Connect. Network Firewall uses rules that are compatible
with Suricata, a free, open source intrusion detection system (IDS) engine.
with Suricata, a free, open source network analysis and threat detection engine.
Network Firewall supports Suricata version 5.0.2. For information about Suricata,
see the <a href="https://suricata-ids.org/">Suricata website</a>.</p>
see the <a href="https://suricata.io/">Suricata website</a>.</p>
<p>You can use Network Firewall to monitor and protect your VPC traffic in a number of ways.
The following are just a few examples: </p>
<ul>
4 changes: 2 additions & 2 deletions clients/client-network-firewall/src/NetworkFirewall.ts
Expand Up @@ -181,9 +181,9 @@ import { NetworkFirewallClient } from "./NetworkFirewallClient";
* prevention service for Amazon Virtual Private Cloud (Amazon VPC). With Network Firewall, you can filter traffic at the
* perimeter of your VPC. This includes filtering traffic going to and coming from an internet
* gateway, NAT gateway, or over VPN or Direct Connect. Network Firewall uses rules that are compatible
* with Suricata, a free, open source intrusion detection system (IDS) engine.
* with Suricata, a free, open source network analysis and threat detection engine.
* Network Firewall supports Suricata version 5.0.2. For information about Suricata,
* see the <a href="https://suricata-ids.org/">Suricata website</a>.</p>
* see the <a href="https://suricata.io/">Suricata website</a>.</p>
* <p>You can use Network Firewall to monitor and protect your VPC traffic in a number of ways.
* The following are just a few examples: </p>
* <ul>
4 changes: 2 additions & 2 deletions clients/client-network-firewall/src/NetworkFirewallClient.ts
Expand Up @@ -386,9 +386,9 @@ export interface NetworkFirewallClientResolvedConfig extends NetworkFirewallClie
* prevention service for Amazon Virtual Private Cloud (Amazon VPC). With Network Firewall, you can filter traffic at the
* perimeter of your VPC. This includes filtering traffic going to and coming from an internet
* gateway, NAT gateway, or over VPN or Direct Connect. Network Firewall uses rules that are compatible
* with Suricata, a free, open source intrusion detection system (IDS) engine.
* with Suricata, a free, open source network analysis and threat detection engine.
* Network Firewall supports Suricata version 5.0.2. For information about Suricata,
* see the <a href="https://suricata-ids.org/">Suricata website</a>.</p>
* see the <a href="https://suricata.io/">Suricata website</a>.</p>
* <p>You can use Network Firewall to monitor and protect your VPC traffic in a number of ways.
* The following are just a few examples: </p>
* <ul>
24 changes: 22 additions & 2 deletions clients/client-network-firewall/src/models/models_0.ts
Expand Up @@ -753,6 +753,11 @@ export enum RuleOrder {
STRICT_ORDER = "STRICT_ORDER",
}

export enum StreamExceptionPolicy {
CONTINUE = "CONTINUE",
DROP = "DROP",
}

/**
* <p>Configuration settings for the handling of the stateful rule groups in a firewall policy. </p>
*/
Expand All @@ -765,6 +770,21 @@ export interface StatefulEngineOptions {
* </p>
*/
RuleOrder?: RuleOrder | string;

/**
* <p>Configures how Network Firewall processes traffic when a network connection breaks midstream. Network connections can break due to disruptions in external networks or within the firewall itself.</p>
* <ul>
* <li>
* <p>
* <code>DROP</code> - Network Firewall fails closed and drops all subsequent traffic going to the firewall. This is the default behavior.</p>
* </li>
* <li>
* <p>
* <code>CONTINUE</code> - Network Firewall continues to apply rules to the subsequent traffic without context from traffic before the break. This impacts the behavior of rules that depend on this context. For example, if you have a stateful rule to <code>drop http</code> traffic, Network Firewall won't match the traffic for this rule because the service won't have the context from session initialization defining the application layer protocol as HTTP. However, this behavior is rule dependent—a TCP-layer rule using a <code>flow:stateless</code> rule would still match, as would the <code>aws:drop_strict</code> default action.</p>
* </li>
* </ul>
*/
StreamExceptionPolicy?: StreamExceptionPolicy | string;
}

export enum OverrideAction {
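Review bot: the `CONTINUE` branch of the new doc comment describes a fail-open mode and should say so more directly: as written, the text that "Network Firewall continues to apply rules to the subsequent traffic without context" already concedes that application-layer rules such as `drop http` stop matching after a break, so a one-line warning up front ("CONTINUE reduces the effectiveness of stateful, protocol-aware rules") would help callers who only skim the first sentence of each bullet. Two smaller points on the same hunk: the field is typed `StreamExceptionPolicy | string`, consistent with `RuleOrder`, which means a misspelled value is sent to the service unvalidated, and the doc states `DROP` is the default while the TypeScript field has no default, so the default is applied server-side when the property is omitted.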
Expand Down Expand Up @@ -1259,7 +1279,7 @@ export interface RuleOption {
* <p>A single Suricata rules specification, for use in a stateful rule group.
* Use this option to specify a simple Suricata rule with protocol, source and destination, ports, direction, and rule options.
* For information about the Suricata <code>Rules</code> format, see
* <a href="https://suricata.readthedocs.io/en/suricata-5.0.0/rules/intro.html#">Rules Format</a>. </p>
* <a href="https://suricata.readthedocs.io/rules/intro.html#">Rules Format</a>. </p>
*/
export interface StatefulRule {
/**
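Review bot: the replacement link `https://suricata.readthedocs.io/rules/intro.html#` drops the `/en/suricata-5.0.0/` path segment while the surrounding docs still state that Network Firewall supports Suricata 5.0.2; readthedocs URLs normally carry a language and version segment such as `/en/latest/` or `/en/suricata-5.0.0/`, so please confirm the new URL resolves, and consider keeping a version-pinned link so the linked rule syntax matches what the service actually accepts. The trailing `#` fragment is also empty and can be dropped.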
Expand Down Expand Up @@ -1528,7 +1548,7 @@ export interface RulesSource {
* <p>An array of individual stateful rules inspection criteria to be used together in a stateful rule group.
* Use this option to specify simple Suricata rules with protocol, source and destination, ports, direction, and rule options.
* For information about the Suricata <code>Rules</code> format, see
* <a href="https://suricata.readthedocs.io/en/suricata-5.0.0/rules/intro.html#">Rules Format</a>. </p>
* <a href="https://suricata.readthedocs.io/rules/intro.html#">Rules Format</a>. </p>
*/
StatefulRules?: StatefulRule[];

2 changes: 2 additions & 0 deletions clients/client-network-firewall/src/protocols/Aws_json1_0.ts
Expand Up @@ -3033,6 +3033,7 @@ const serializeAws_json1_0StatefulActions = (input: string[], context: __SerdeCo
const serializeAws_json1_0StatefulEngineOptions = (input: StatefulEngineOptions, context: __SerdeContext): any => {
return {
...(input.RuleOrder != null && { RuleOrder: input.RuleOrder }),
...(input.StreamExceptionPolicy != null && { StreamExceptionPolicy: input.StreamExceptionPolicy }),
};
};

Expand Down Expand Up @@ -4282,6 +4283,7 @@ const deserializeAws_json1_0StatefulActions = (output: any, context: __SerdeCont
const deserializeAws_json1_0StatefulEngineOptions = (output: any, context: __SerdeContext): StatefulEngineOptions => {
return {
RuleOrder: __expectString(output.RuleOrder),
StreamExceptionPolicy: __expectString(output.StreamExceptionPolicy),
} as any;
};
