We recommend new projects start with resources from the AWS provider.
aws-native.networkfirewall.getFirewallPolicy
Explore with Pulumi AI
We recommend new projects start with resources from the AWS provider.
Resource type definition for AWS::NetworkFirewall::FirewallPolicy
Using getFirewallPolicy
Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.
function getFirewallPolicy(args: GetFirewallPolicyArgs, opts?: InvokeOptions): Promise<GetFirewallPolicyResult>
function getFirewallPolicyOutput(args: GetFirewallPolicyOutputArgs, opts?: InvokeOptions): Output<GetFirewallPolicyResult>
def get_firewall_policy(firewall_policy_arn: Optional[str] = None,
opts: Optional[InvokeOptions] = None) -> GetFirewallPolicyResult
def get_firewall_policy_output(firewall_policy_arn: Optional[pulumi.Input[str]] = None,
opts: Optional[InvokeOptions] = None) -> Output[GetFirewallPolicyResult]
func LookupFirewallPolicy(ctx *Context, args *LookupFirewallPolicyArgs, opts ...InvokeOption) (*LookupFirewallPolicyResult, error)
func LookupFirewallPolicyOutput(ctx *Context, args *LookupFirewallPolicyOutputArgs, opts ...InvokeOption) LookupFirewallPolicyResultOutput
> Note: This function is named LookupFirewallPolicy
in the Go SDK.
public static class GetFirewallPolicy
{
public static Task<GetFirewallPolicyResult> InvokeAsync(GetFirewallPolicyArgs args, InvokeOptions? opts = null)
public static Output<GetFirewallPolicyResult> Invoke(GetFirewallPolicyInvokeArgs args, InvokeOptions? opts = null)
}
public static CompletableFuture<GetFirewallPolicyResult> getFirewallPolicy(GetFirewallPolicyArgs args, InvokeOptions options)
// Output-based functions aren't available in Java yet
fn::invoke:
function: aws-native:networkfirewall:getFirewallPolicy
arguments:
# arguments dictionary
The following arguments are supported:
- Firewall
Policy stringArn - The Amazon Resource Name (ARN) of the
FirewallPolicy
.
- Firewall
Policy stringArn - The Amazon Resource Name (ARN) of the
FirewallPolicy
.
- firewall
Policy StringArn - The Amazon Resource Name (ARN) of the
FirewallPolicy
.
- firewall
Policy stringArn - The Amazon Resource Name (ARN) of the
FirewallPolicy
.
- firewall_
policy_ strarn - The Amazon Resource Name (ARN) of the
FirewallPolicy
.
- firewall
Policy StringArn - The Amazon Resource Name (ARN) of the
FirewallPolicy
.
getFirewallPolicy Result
The following output properties are available:
- Description string
- A description of the firewall policy.
- Firewall
Policy stringArn - The Amazon Resource Name (ARN) of the
FirewallPolicy
. - Firewall
Policy stringId - The unique ID of the
FirewallPolicy
resource. - Firewall
Policy Pulumi.Value Aws Native. Network Firewall. Outputs. Firewall Policy - The traffic filtering behavior of a firewall policy, defined in a collection of stateless and stateful rule groups and other settings.
- List<Pulumi.
Aws Native. Outputs. Tag> An array of key-value pairs to apply to this resource.
For more information, see Tag .
- Description string
- A description of the firewall policy.
- Firewall
Policy FirewallPolicy Type - The traffic filtering behavior of a firewall policy, defined in a collection of stateless and stateful rule groups and other settings.
- Firewall
Policy stringArn - The Amazon Resource Name (ARN) of the
FirewallPolicy
. - Firewall
Policy stringId - The unique ID of the
FirewallPolicy
resource. - Tag
An array of key-value pairs to apply to this resource.
For more information, see Tag .
- description String
- A description of the firewall policy.
- firewall
Policy FirewallPolicy - The traffic filtering behavior of a firewall policy, defined in a collection of stateless and stateful rule groups and other settings.
- firewall
Policy StringArn - The Amazon Resource Name (ARN) of the
FirewallPolicy
. - firewall
Policy StringId - The unique ID of the
FirewallPolicy
resource. - List<Tag>
An array of key-value pairs to apply to this resource.
For more information, see Tag .
- description string
- A description of the firewall policy.
- firewall
Policy FirewallPolicy - The traffic filtering behavior of a firewall policy, defined in a collection of stateless and stateful rule groups and other settings.
- firewall
Policy stringArn - The Amazon Resource Name (ARN) of the
FirewallPolicy
. - firewall
Policy stringId - The unique ID of the
FirewallPolicy
resource. - Tag[]
An array of key-value pairs to apply to this resource.
For more information, see Tag .
- description str
- A description of the firewall policy.
- firewall_
policy FirewallPolicy - The traffic filtering behavior of a firewall policy, defined in a collection of stateless and stateful rule groups and other settings.
- firewall_
policy_ strarn - The Amazon Resource Name (ARN) of the
FirewallPolicy
. - firewall_
policy_ strid - The unique ID of the
FirewallPolicy
resource. - Sequence[root_Tag]
An array of key-value pairs to apply to this resource.
For more information, see Tag .
- description String
- A description of the firewall policy.
- firewall
Policy Property Map - The traffic filtering behavior of a firewall policy, defined in a collection of stateless and stateful rule groups and other settings.
- firewall
Policy StringArn - The Amazon Resource Name (ARN) of the
FirewallPolicy
. - firewall
Policy StringId - The unique ID of the
FirewallPolicy
resource. - List<Property Map>
An array of key-value pairs to apply to this resource.
For more information, see Tag .
Supporting Types
FirewallPolicy
- Stateless
Default List<string>Actions The actions to take on a packet if it doesn't match any of the stateless rules in the policy. If you want non-matching packets to be forwarded for stateful inspection, specify
aws:forward_to_sfe
.You must specify one of the standard actions:
aws:pass
,aws:drop
, oraws:forward_to_sfe
. In addition, you can specify custom actions that are compatible with your standard section choice.For example, you could specify
["aws:pass"]
or you could specify["aws:pass", "customActionName"]
. For information about compatibility, see the custom action descriptions.- Stateless
Fragment List<string>Default Actions The actions to take on a fragmented packet if it doesn't match any of the stateless rules in the policy. If you want non-matching fragmented packets to be forwarded for stateful inspection, specify
aws:forward_to_sfe
.You must specify one of the standard actions:
aws:pass
,aws:drop
, oraws:forward_to_sfe
. In addition, you can specify custom actions that are compatible with your standard section choice.For example, you could specify
["aws:pass"]
or you could specify["aws:pass", "customActionName"]
. For information about compatibility, see the custom action descriptions.- Policy
Variables Pulumi.Aws Native. Network Firewall. Inputs. Firewall Policy Policy Variables Properties - Contains variables that you can use to override default Suricata settings in your firewall policy.
- Stateful
Default List<string>Actions The default actions to take on a packet that doesn't match any stateful rules. The stateful default action is optional, and is only valid when using the strict rule order.
Valid values of the stateful default action:
- aws:drop_strict
- aws:drop_established
- aws:alert_strict
- aws:alert_established
For more information, see Strict evaluation order in the AWS Network Firewall Developer Guide .
- Stateful
Engine Pulumi.Options Aws Native. Network Firewall. Inputs. Firewall Policy Stateful Engine Options - Additional options governing how Network Firewall handles stateful rules. The stateful rule groups that you use in your policy must have stateful rule options settings that are compatible with these settings.
- Stateful
Rule List<Pulumi.Group References Aws Native. Network Firewall. Inputs. Firewall Policy Stateful Rule Group Reference> - References to the stateful rule groups that are used in the policy. These define the inspection criteria in stateful rules.
- Stateless
Custom List<Pulumi.Actions Aws Native. Network Firewall. Inputs. Firewall Policy Custom Action> - The custom action definitions that are available for use in the firewall policy's
StatelessDefaultActions
setting. You name each custom action that you define, and then you can use it by name in your default actions specifications. - Stateless
Rule List<Pulumi.Group References Aws Native. Network Firewall. Inputs. Firewall Policy Stateless Rule Group Reference> - References to the stateless rule groups that are used in the policy. These define the matching criteria in stateless rules.
- Tls
Inspection stringConfiguration Arn - The Amazon Resource Name (ARN) of the TLS inspection configuration.
- Stateless
Default []stringActions The actions to take on a packet if it doesn't match any of the stateless rules in the policy. If you want non-matching packets to be forwarded for stateful inspection, specify
aws:forward_to_sfe
.You must specify one of the standard actions:
aws:pass
,aws:drop
, oraws:forward_to_sfe
. In addition, you can specify custom actions that are compatible with your standard section choice.For example, you could specify
["aws:pass"]
or you could specify["aws:pass", "customActionName"]
. For information about compatibility, see the custom action descriptions.- Stateless
Fragment []stringDefault Actions The actions to take on a fragmented packet if it doesn't match any of the stateless rules in the policy. If you want non-matching fragmented packets to be forwarded for stateful inspection, specify
aws:forward_to_sfe
.You must specify one of the standard actions:
aws:pass
,aws:drop
, oraws:forward_to_sfe
. In addition, you can specify custom actions that are compatible with your standard section choice.For example, you could specify
["aws:pass"]
or you could specify["aws:pass", "customActionName"]
. For information about compatibility, see the custom action descriptions.- Policy
Variables FirewallPolicy Policy Variables Properties - Contains variables that you can use to override default Suricata settings in your firewall policy.
- Stateful
Default []stringActions The default actions to take on a packet that doesn't match any stateful rules. The stateful default action is optional, and is only valid when using the strict rule order.
Valid values of the stateful default action:
- aws:drop_strict
- aws:drop_established
- aws:alert_strict
- aws:alert_established
For more information, see Strict evaluation order in the AWS Network Firewall Developer Guide .
- Stateful
Engine FirewallOptions Policy Stateful Engine Options - Additional options governing how Network Firewall handles stateful rules. The stateful rule groups that you use in your policy must have stateful rule options settings that are compatible with these settings.
- Stateful
Rule []FirewallGroup References Policy Stateful Rule Group Reference - References to the stateful rule groups that are used in the policy. These define the inspection criteria in stateful rules.
- Stateless
Custom []FirewallActions Policy Custom Action - The custom action definitions that are available for use in the firewall policy's
StatelessDefaultActions
setting. You name each custom action that you define, and then you can use it by name in your default actions specifications. - Stateless
Rule []FirewallGroup References Policy Stateless Rule Group Reference - References to the stateless rule groups that are used in the policy. These define the matching criteria in stateless rules.
- Tls
Inspection stringConfiguration Arn - The Amazon Resource Name (ARN) of the TLS inspection configuration.
- stateless
Default List<String>Actions The actions to take on a packet if it doesn't match any of the stateless rules in the policy. If you want non-matching packets to be forwarded for stateful inspection, specify
aws:forward_to_sfe
.You must specify one of the standard actions:
aws:pass
,aws:drop
, oraws:forward_to_sfe
. In addition, you can specify custom actions that are compatible with your standard section choice.For example, you could specify
["aws:pass"]
or you could specify["aws:pass", "customActionName"]
. For information about compatibility, see the custom action descriptions.- stateless
Fragment List<String>Default Actions The actions to take on a fragmented packet if it doesn't match any of the stateless rules in the policy. If you want non-matching fragmented packets to be forwarded for stateful inspection, specify
aws:forward_to_sfe
.You must specify one of the standard actions:
aws:pass
,aws:drop
, oraws:forward_to_sfe
. In addition, you can specify custom actions that are compatible with your standard section choice.For example, you could specify
["aws:pass"]
or you could specify["aws:pass", "customActionName"]
. For information about compatibility, see the custom action descriptions.- policy
Variables FirewallPolicy Policy Variables Properties - Contains variables that you can use to override default Suricata settings in your firewall policy.
- stateful
Default List<String>Actions The default actions to take on a packet that doesn't match any stateful rules. The stateful default action is optional, and is only valid when using the strict rule order.
Valid values of the stateful default action:
- aws:drop_strict
- aws:drop_established
- aws:alert_strict
- aws:alert_established
For more information, see Strict evaluation order in the AWS Network Firewall Developer Guide .
- stateful
Engine FirewallOptions Policy Stateful Engine Options - Additional options governing how Network Firewall handles stateful rules. The stateful rule groups that you use in your policy must have stateful rule options settings that are compatible with these settings.
- stateful
Rule List<FirewallGroup References Policy Stateful Rule Group Reference> - References to the stateful rule groups that are used in the policy. These define the inspection criteria in stateful rules.
- stateless
Custom List<FirewallActions Policy Custom Action> - The custom action definitions that are available for use in the firewall policy's
StatelessDefaultActions
setting. You name each custom action that you define, and then you can use it by name in your default actions specifications. - stateless
Rule List<FirewallGroup References Policy Stateless Rule Group Reference> - References to the stateless rule groups that are used in the policy. These define the matching criteria in stateless rules.
- tls
Inspection StringConfiguration Arn - The Amazon Resource Name (ARN) of the TLS inspection configuration.
- stateless
Default string[]Actions The actions to take on a packet if it doesn't match any of the stateless rules in the policy. If you want non-matching packets to be forwarded for stateful inspection, specify
aws:forward_to_sfe
.You must specify one of the standard actions:
aws:pass
,aws:drop
, oraws:forward_to_sfe
. In addition, you can specify custom actions that are compatible with your standard section choice.For example, you could specify
["aws:pass"]
or you could specify["aws:pass", "customActionName"]
. For information about compatibility, see the custom action descriptions.- stateless
Fragment string[]Default Actions The actions to take on a fragmented packet if it doesn't match any of the stateless rules in the policy. If you want non-matching fragmented packets to be forwarded for stateful inspection, specify
aws:forward_to_sfe
.You must specify one of the standard actions:
aws:pass
,aws:drop
, oraws:forward_to_sfe
. In addition, you can specify custom actions that are compatible with your standard section choice.For example, you could specify
["aws:pass"]
or you could specify["aws:pass", "customActionName"]
. For information about compatibility, see the custom action descriptions.- policy
Variables FirewallPolicy Policy Variables Properties - Contains variables that you can use to override default Suricata settings in your firewall policy.
- stateful
Default string[]Actions The default actions to take on a packet that doesn't match any stateful rules. The stateful default action is optional, and is only valid when using the strict rule order.
Valid values of the stateful default action:
- aws:drop_strict
- aws:drop_established
- aws:alert_strict
- aws:alert_established
For more information, see Strict evaluation order in the AWS Network Firewall Developer Guide .
- stateful
Engine FirewallOptions Policy Stateful Engine Options - Additional options governing how Network Firewall handles stateful rules. The stateful rule groups that you use in your policy must have stateful rule options settings that are compatible with these settings.
- stateful
Rule FirewallGroup References Policy Stateful Rule Group Reference[] - References to the stateful rule groups that are used in the policy. These define the inspection criteria in stateful rules.
- stateless
Custom FirewallActions Policy Custom Action[] - The custom action definitions that are available for use in the firewall policy's
StatelessDefaultActions
setting. You name each custom action that you define, and then you can use it by name in your default actions specifications. - stateless
Rule FirewallGroup References Policy Stateless Rule Group Reference[] - References to the stateless rule groups that are used in the policy. These define the matching criteria in stateless rules.
- tls
Inspection stringConfiguration Arn - The Amazon Resource Name (ARN) of the TLS inspection configuration.
- stateless_
default_ Sequence[str]actions The actions to take on a packet if it doesn't match any of the stateless rules in the policy. If you want non-matching packets to be forwarded for stateful inspection, specify
aws:forward_to_sfe
.You must specify one of the standard actions:
aws:pass
,aws:drop
, oraws:forward_to_sfe
. In addition, you can specify custom actions that are compatible with your standard section choice.For example, you could specify
["aws:pass"]
or you could specify["aws:pass", "customActionName"]
. For information about compatibility, see the custom action descriptions.- stateless_
fragment_ Sequence[str]default_ actions The actions to take on a fragmented packet if it doesn't match any of the stateless rules in the policy. If you want non-matching fragmented packets to be forwarded for stateful inspection, specify
aws:forward_to_sfe
.You must specify one of the standard actions:
aws:pass
,aws:drop
, oraws:forward_to_sfe
. In addition, you can specify custom actions that are compatible with your standard section choice.For example, you could specify
["aws:pass"]
or you could specify["aws:pass", "customActionName"]
. For information about compatibility, see the custom action descriptions.- policy_
variables FirewallPolicy Policy Variables Properties - Contains variables that you can use to override default Suricata settings in your firewall policy.
- stateful_
default_ Sequence[str]actions The default actions to take on a packet that doesn't match any stateful rules. The stateful default action is optional, and is only valid when using the strict rule order.
Valid values of the stateful default action:
- aws:drop_strict
- aws:drop_established
- aws:alert_strict
- aws:alert_established
For more information, see Strict evaluation order in the AWS Network Firewall Developer Guide .
- stateful_
engine_ Firewalloptions Policy Stateful Engine Options - Additional options governing how Network Firewall handles stateful rules. The stateful rule groups that you use in your policy must have stateful rule options settings that are compatible with these settings.
- stateful_
rule_ Sequence[Firewallgroup_ references Policy Stateful Rule Group Reference] - References to the stateful rule groups that are used in the policy. These define the inspection criteria in stateful rules.
- stateless_
custom_ Sequence[Firewallactions Policy Custom Action] - The custom action definitions that are available for use in the firewall policy's
StatelessDefaultActions
setting. You name each custom action that you define, and then you can use it by name in your default actions specifications. - stateless_
rule_ Sequence[Firewallgroup_ references Policy Stateless Rule Group Reference] - References to the stateless rule groups that are used in the policy. These define the matching criteria in stateless rules.
- tls_
inspection_ strconfiguration_ arn - The Amazon Resource Name (ARN) of the TLS inspection configuration.
- stateless
Default List<String>Actions The actions to take on a packet if it doesn't match any of the stateless rules in the policy. If you want non-matching packets to be forwarded for stateful inspection, specify
aws:forward_to_sfe
.You must specify one of the standard actions:
aws:pass
,aws:drop
, oraws:forward_to_sfe
. In addition, you can specify custom actions that are compatible with your standard section choice.For example, you could specify
["aws:pass"]
or you could specify["aws:pass", "customActionName"]
. For information about compatibility, see the custom action descriptions.- stateless
Fragment List<String>Default Actions The actions to take on a fragmented packet if it doesn't match any of the stateless rules in the policy. If you want non-matching fragmented packets to be forwarded for stateful inspection, specify
aws:forward_to_sfe
.You must specify one of the standard actions:
aws:pass
,aws:drop
, oraws:forward_to_sfe
. In addition, you can specify custom actions that are compatible with your standard section choice.For example, you could specify
["aws:pass"]
or you could specify["aws:pass", "customActionName"]
. For information about compatibility, see the custom action descriptions.- policy
Variables Property Map - Contains variables that you can use to override default Suricata settings in your firewall policy.
- stateful
Default List<String>Actions The default actions to take on a packet that doesn't match any stateful rules. The stateful default action is optional, and is only valid when using the strict rule order.
Valid values of the stateful default action:
- aws:drop_strict
- aws:drop_established
- aws:alert_strict
- aws:alert_established
For more information, see Strict evaluation order in the AWS Network Firewall Developer Guide .
- stateful
Engine Property MapOptions - Additional options governing how Network Firewall handles stateful rules. The stateful rule groups that you use in your policy must have stateful rule options settings that are compatible with these settings.
- stateful
Rule List<Property Map>Group References - References to the stateful rule groups that are used in the policy. These define the inspection criteria in stateful rules.
- stateless
Custom List<Property Map>Actions - The custom action definitions that are available for use in the firewall policy's
StatelessDefaultActions
setting. You name each custom action that you define, and then you can use it by name in your default actions specifications. - stateless
Rule List<Property Map>Group References - References to the stateless rule groups that are used in the policy. These define the matching criteria in stateless rules.
- tls
Inspection StringConfiguration Arn - The Amazon Resource Name (ARN) of the TLS inspection configuration.
FirewallPolicyActionDefinition
- Publish
Metric Pulumi.Action Aws Native. Network Firewall. Inputs. Firewall Policy Publish Metric Action Stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. This setting defines a CloudWatch dimension value to be published.
You can pair this custom action with any of the standard stateless rule actions. For example, you could pair this in a rule action with the standard action that forwards the packet for stateful inspection. Then, when a packet matches the rule, Network Firewall publishes metrics for the packet and forwards it.
- Publish
Metric FirewallAction Policy Publish Metric Action Stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. This setting defines a CloudWatch dimension value to be published.
You can pair this custom action with any of the standard stateless rule actions. For example, you could pair this in a rule action with the standard action that forwards the packet for stateful inspection. Then, when a packet matches the rule, Network Firewall publishes metrics for the packet and forwards it.
- publish
Metric FirewallAction Policy Publish Metric Action Stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. This setting defines a CloudWatch dimension value to be published.
You can pair this custom action with any of the standard stateless rule actions. For example, you could pair this in a rule action with the standard action that forwards the packet for stateful inspection. Then, when a packet matches the rule, Network Firewall publishes metrics for the packet and forwards it.
- publish
Metric FirewallAction Policy Publish Metric Action Stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. This setting defines a CloudWatch dimension value to be published.
You can pair this custom action with any of the standard stateless rule actions. For example, you could pair this in a rule action with the standard action that forwards the packet for stateful inspection. Then, when a packet matches the rule, Network Firewall publishes metrics for the packet and forwards it.
- publish_
metric_ Firewallaction Policy Publish Metric Action Stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. This setting defines a CloudWatch dimension value to be published.
You can pair this custom action with any of the standard stateless rule actions. For example, you could pair this in a rule action with the standard action that forwards the packet for stateful inspection. Then, when a packet matches the rule, Network Firewall publishes metrics for the packet and forwards it.
- publish
Metric Property MapAction Stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. This setting defines a CloudWatch dimension value to be published.
You can pair this custom action with any of the standard stateless rule actions. For example, you could pair this in a rule action with the standard action that forwards the packet for stateful inspection. Then, when a packet matches the rule, Network Firewall publishes metrics for the packet and forwards it.
FirewallPolicyCustomAction
- Action
Definition Pulumi.Aws Native. Network Firewall. Inputs. Firewall Policy Action Definition - The custom action associated with the action name.
- Action
Name string - The descriptive name of the custom action. You can't change the name of a custom action after you create it.
- Action
Definition FirewallPolicy Action Definition - The custom action associated with the action name.
- Action
Name string - The descriptive name of the custom action. You can't change the name of a custom action after you create it.
- action
Definition FirewallPolicy Action Definition - The custom action associated with the action name.
- action
Name String - The descriptive name of the custom action. You can't change the name of a custom action after you create it.
- action
Definition FirewallPolicy Action Definition - The custom action associated with the action name.
- action
Name string - The descriptive name of the custom action. You can't change the name of a custom action after you create it.
- action_
definition FirewallPolicy Action Definition - The custom action associated with the action name.
- action_
name str - The descriptive name of the custom action. You can't change the name of a custom action after you create it.
- action
Definition Property Map - The custom action associated with the action name.
- action
Name String - The descriptive name of the custom action. You can't change the name of a custom action after you create it.
FirewallPolicyDimension
- Value string
- The value to use in the custom metric dimension.
- Value string
- The value to use in the custom metric dimension.
- value String
- The value to use in the custom metric dimension.
- value string
- The value to use in the custom metric dimension.
- value str
- The value to use in the custom metric dimension.
- value String
- The value to use in the custom metric dimension.
FirewallPolicyIpSet
- Definition List<string>
- The list of IP addresses and address ranges, in CIDR notation.
- Definition []string
- The list of IP addresses and address ranges, in CIDR notation.
- definition List<String>
- The list of IP addresses and address ranges, in CIDR notation.
- definition string[]
- The list of IP addresses and address ranges, in CIDR notation.
- definition Sequence[str]
- The list of IP addresses and address ranges, in CIDR notation.
- definition List<String>
- The list of IP addresses and address ranges, in CIDR notation.
FirewallPolicyOverrideAction
FirewallPolicyPolicyVariablesProperties
- Rule
Variables Dictionary<string, Pulumi.Aws Native. Network Firewall. Inputs. Firewall Policy Ip Set>
- Rule
Variables map[string]FirewallPolicy Ip Set
- rule
Variables Map<String,FirewallPolicy Ip Set>
- rule
Variables {[key: string]: FirewallPolicy Ip Set}
- rule_
variables Mapping[str, FirewallPolicy Ip Set]
- rule
Variables Map<Property Map>
FirewallPolicyPublishMetricAction
FirewallPolicyRuleOrder
FirewallPolicyStatefulEngineOptions
- Flow
Timeouts Pulumi.Aws Native. Network Firewall. Inputs. Firewall Policy Stateful Engine Options Flow Timeouts Properties - Configures the amount of time that can pass without any traffic sent through the firewall before the firewall determines that the connection is idle.
- Rule
Order Pulumi.Aws Native. Network Firewall. Firewall Policy Rule Order - Indicates how to manage the order of stateful rule evaluation for the policy.
DEFAULT_ACTION_ORDER
is the default behavior. Stateful rules are provided to the rule engine as Suricata compatible strings, and Suricata evaluates them based on certain settings. For more information, see Evaluation order for stateful rules in the AWS Network Firewall Developer Guide . - Stream
Exception Pulumi.Policy Aws Native. Network Firewall. Firewall Policy Stream Exception Policy - Configures how Network Firewall processes traffic when a network connection breaks midstream. Network connections can break due to disruptions in external networks or within the firewall itself.
DROP
- Network Firewall fails closed and drops all subsequent traffic going to the firewall. This is the default behavior.CONTINUE
- Network Firewall continues to apply rules to the subsequent traffic without context from traffic before the break. This impacts the behavior of rules that depend on this context. For example, if you have a stateful rule todrop http
traffic, Network Firewall won't match the traffic for this rule because the service won't have the context from session initialization defining the application layer protocol as HTTP. However, this behavior is rule dependent—a TCP-layer rule using aflow:stateless
rule would still match, as would theaws:drop_strict
default action.REJECT
- Network Firewall fails closed and drops all subsequent traffic going to the firewall. Network Firewall also sends a TCP reject packet back to your client so that the client can immediately establish a new session. Network Firewall will have context about the new session and will apply rules to the subsequent traffic.
- Flow
Timeouts FirewallPolicy Stateful Engine Options Flow Timeouts Properties - Configures the amount of time that can pass without any traffic sent through the firewall before the firewall determines that the connection is idle.
- Rule
Order FirewallPolicy Rule Order - Indicates how to manage the order of stateful rule evaluation for the policy.
DEFAULT_ACTION_ORDER
is the default behavior. Stateful rules are provided to the rule engine as Suricata compatible strings, and Suricata evaluates them based on certain settings. For more information, see Evaluation order for stateful rules in the AWS Network Firewall Developer Guide . - Stream
Exception FirewallPolicy Policy Stream Exception Policy - Configures how Network Firewall processes traffic when a network connection breaks midstream. Network connections can break due to disruptions in external networks or within the firewall itself.
DROP
- Network Firewall fails closed and drops all subsequent traffic going to the firewall. This is the default behavior.CONTINUE
- Network Firewall continues to apply rules to the subsequent traffic without context from traffic before the break. This impacts the behavior of rules that depend on this context. For example, if you have a stateful rule todrop http
traffic, Network Firewall won't match the traffic for this rule because the service won't have the context from session initialization defining the application layer protocol as HTTP. However, this behavior is rule dependent—a TCP-layer rule using aflow:stateless
rule would still match, as would theaws:drop_strict
default action.REJECT
- Network Firewall fails closed and drops all subsequent traffic going to the firewall. Network Firewall also sends a TCP reject packet back to your client so that the client can immediately establish a new session. Network Firewall will have context about the new session and will apply rules to the subsequent traffic.
- flow
Timeouts FirewallPolicy Stateful Engine Options Flow Timeouts Properties - Configures the amount of time that can pass without any traffic sent through the firewall before the firewall determines that the connection is idle.
- rule
Order FirewallPolicy Rule Order - Indicates how to manage the order of stateful rule evaluation for the policy.
DEFAULT_ACTION_ORDER
is the default behavior. Stateful rules are provided to the rule engine as Suricata compatible strings, and Suricata evaluates them based on certain settings. For more information, see Evaluation order for stateful rules in the AWS Network Firewall Developer Guide . - stream
Exception FirewallPolicy Policy Stream Exception Policy - Configures how Network Firewall processes traffic when a network connection breaks midstream. Network connections can break due to disruptions in external networks or within the firewall itself.
DROP
- Network Firewall fails closed and drops all subsequent traffic going to the firewall. This is the default behavior.CONTINUE
- Network Firewall continues to apply rules to the subsequent traffic without context from traffic before the break. This impacts the behavior of rules that depend on this context. For example, if you have a stateful rule todrop http
traffic, Network Firewall won't match the traffic for this rule because the service won't have the context from session initialization defining the application layer protocol as HTTP. However, this behavior is rule dependent—a TCP-layer rule using aflow:stateless
rule would still match, as would theaws:drop_strict
default action.REJECT
- Network Firewall fails closed and drops all subsequent traffic going to the firewall. Network Firewall also sends a TCP reject packet back to your client so that the client can immediately establish a new session. Network Firewall will have context about the new session and will apply rules to the subsequent traffic.
- flow
Timeouts FirewallPolicy Stateful Engine Options Flow Timeouts Properties - Configures the amount of time that can pass without any traffic sent through the firewall before the firewall determines that the connection is idle.
- rule
Order FirewallPolicy Rule Order - Indicates how to manage the order of stateful rule evaluation for the policy.
DEFAULT_ACTION_ORDER
is the default behavior. Stateful rules are provided to the rule engine as Suricata compatible strings, and Suricata evaluates them based on certain settings. For more information, see Evaluation order for stateful rules in the AWS Network Firewall Developer Guide . - stream
Exception FirewallPolicy Policy Stream Exception Policy - Configures how Network Firewall processes traffic when a network connection breaks midstream. Network connections can break due to disruptions in external networks or within the firewall itself.
DROP
- Network Firewall fails closed and drops all subsequent traffic going to the firewall. This is the default behavior.CONTINUE
- Network Firewall continues to apply rules to the subsequent traffic without context from traffic before the break. This impacts the behavior of rules that depend on this context. For example, if you have a stateful rule todrop http
traffic, Network Firewall won't match the traffic for this rule because the service won't have the context from session initialization defining the application layer protocol as HTTP. However, this behavior is rule dependent—a TCP-layer rule using aflow:stateless
rule would still match, as would theaws:drop_strict
default action.REJECT
- Network Firewall fails closed and drops all subsequent traffic going to the firewall. Network Firewall also sends a TCP reject packet back to your client so that the client can immediately establish a new session. Network Firewall will have context about the new session and will apply rules to the subsequent traffic.
- flow_
timeouts FirewallPolicy Stateful Engine Options Flow Timeouts Properties - Configures the amount of time that can pass without any traffic sent through the firewall before the firewall determines that the connection is idle.
- rule_
order FirewallPolicy Rule Order - Indicates how to manage the order of stateful rule evaluation for the policy.
DEFAULT_ACTION_ORDER
is the default behavior. Stateful rules are provided to the rule engine as Suricata compatible strings, and Suricata evaluates them based on certain settings. For more information, see Evaluation order for stateful rules in the AWS Network Firewall Developer Guide . - stream_
exception_ Firewallpolicy Policy Stream Exception Policy - Configures how Network Firewall processes traffic when a network connection breaks midstream. Network connections can break due to disruptions in external networks or within the firewall itself.
DROP
- Network Firewall fails closed and drops all subsequent traffic going to the firewall. This is the default behavior.CONTINUE
- Network Firewall continues to apply rules to the subsequent traffic without context from traffic before the break. This impacts the behavior of rules that depend on this context. For example, if you have a stateful rule todrop http
traffic, Network Firewall won't match the traffic for this rule because the service won't have the context from session initialization defining the application layer protocol as HTTP. However, this behavior is rule dependent—a TCP-layer rule using aflow:stateless
rule would still match, as would theaws:drop_strict
default action.REJECT
- Network Firewall fails closed and drops all subsequent traffic going to the firewall. Network Firewall also sends a TCP reject packet back to your client so that the client can immediately establish a new session. Network Firewall will have context about the new session and will apply rules to the subsequent traffic.
- flow
Timeouts Property Map - Configures the amount of time that can pass without any traffic sent through the firewall before the firewall determines that the connection is idle.
- rule
Order "DEFAULT_ACTION_ORDER" | "STRICT_ORDER" - Indicates how to manage the order of stateful rule evaluation for the policy.
DEFAULT_ACTION_ORDER
is the default behavior. Stateful rules are provided to the rule engine as Suricata compatible strings, and Suricata evaluates them based on certain settings. For more information, see Evaluation order for stateful rules in the AWS Network Firewall Developer Guide . - stream
Exception "DROP" | "CONTINUE" | "REJECT"Policy - Configures how Network Firewall processes traffic when a network connection breaks midstream. Network connections can break due to disruptions in external networks or within the firewall itself.
DROP
- Network Firewall fails closed and drops all subsequent traffic going to the firewall. This is the default behavior.CONTINUE
- Network Firewall continues to apply rules to the subsequent traffic without context from traffic before the break. This impacts the behavior of rules that depend on this context. For example, if you have a stateful rule todrop http
traffic, Network Firewall won't match the traffic for this rule because the service won't have the context from session initialization defining the application layer protocol as HTTP. However, this behavior is rule dependent—a TCP-layer rule using aflow:stateless
rule would still match, as would theaws:drop_strict
default action.REJECT
- Network Firewall fails closed and drops all subsequent traffic going to the firewall. Network Firewall also sends a TCP reject packet back to your client so that the client can immediately establish a new session. Network Firewall will have context about the new session and will apply rules to the subsequent traffic.
FirewallPolicyStatefulEngineOptionsFlowTimeoutsProperties
- tcp
Idle IntegerTimeout Seconds
- tcp
Idle numberTimeout Seconds
- tcp
Idle NumberTimeout Seconds
FirewallPolicyStatefulRuleGroupOverride
- Action
Pulumi.
Aws Native. Network Firewall. Firewall Policy Override Action - The action that changes the rule group from
DROP
toALERT
. This only applies to managed rule groups.
- Action
Firewall
Policy Override Action - The action that changes the rule group from
DROP
toALERT
. This only applies to managed rule groups.
- action
Firewall
Policy Override Action - The action that changes the rule group from
DROP
toALERT
. This only applies to managed rule groups.
- action
Firewall
Policy Override Action - The action that changes the rule group from
DROP
toALERT
. This only applies to managed rule groups.
- action
Firewall
Policy Override Action - The action that changes the rule group from
DROP
toALERT
. This only applies to managed rule groups.
- action "DROP_TO_ALERT"
- The action that changes the rule group from
DROP
toALERT
. This only applies to managed rule groups.
FirewallPolicyStatefulRuleGroupReference
- Resource
Arn string - The Amazon Resource Name (ARN) of the stateful rule group.
- Override
Pulumi.
Aws Native. Network Firewall. Inputs. Firewall Policy Stateful Rule Group Override - The action that allows the policy owner to override the behavior of the rule group within a policy.
- Priority int
An integer setting that indicates the order in which to run the stateful rule groups in a single
FirewallPolicy
. This setting only applies to firewall policies that specify theSTRICT_ORDER
rule order in the stateful engine options settings.Network Firewall evalutes each stateful rule group against a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy.
You can change the priority settings of your rule groups at any time. To make it easier to insert rule groups later, number them so there's a wide range in between, for example use 100, 200, and so on.
- Resource
Arn string - The Amazon Resource Name (ARN) of the stateful rule group.
- Override
Firewall
Policy Stateful Rule Group Override - The action that allows the policy owner to override the behavior of the rule group within a policy.
- Priority int
An integer setting that indicates the order in which to run the stateful rule groups in a single
FirewallPolicy
. This setting only applies to firewall policies that specify theSTRICT_ORDER
rule order in the stateful engine options settings.Network Firewall evalutes each stateful rule group against a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy.
You can change the priority settings of your rule groups at any time. To make it easier to insert rule groups later, number them so there's a wide range in between, for example use 100, 200, and so on.
- resource
Arn String - The Amazon Resource Name (ARN) of the stateful rule group.
- override
Firewall
Policy Stateful Rule Group Override - The action that allows the policy owner to override the behavior of the rule group within a policy.
- priority Integer
An integer setting that indicates the order in which to run the stateful rule groups in a single
FirewallPolicy
. This setting only applies to firewall policies that specify theSTRICT_ORDER
rule order in the stateful engine options settings.Network Firewall evalutes each stateful rule group against a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy.
You can change the priority settings of your rule groups at any time. To make it easier to insert rule groups later, number them so there's a wide range in between, for example use 100, 200, and so on.
- resource
Arn string - The Amazon Resource Name (ARN) of the stateful rule group.
- override
Firewall
Policy Stateful Rule Group Override - The action that allows the policy owner to override the behavior of the rule group within a policy.
- priority number
An integer setting that indicates the order in which to run the stateful rule groups in a single
FirewallPolicy
. This setting only applies to firewall policies that specify theSTRICT_ORDER
rule order in the stateful engine options settings.Network Firewall evalutes each stateful rule group against a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy.
You can change the priority settings of your rule groups at any time. To make it easier to insert rule groups later, number them so there's a wide range in between, for example use 100, 200, and so on.
- resource_
arn str - The Amazon Resource Name (ARN) of the stateful rule group.
- override
Firewall
Policy Stateful Rule Group Override - The action that allows the policy owner to override the behavior of the rule group within a policy.
- priority int
An integer setting that indicates the order in which to run the stateful rule groups in a single
FirewallPolicy
. This setting only applies to firewall policies that specify theSTRICT_ORDER
rule order in the stateful engine options settings.Network Firewall evalutes each stateful rule group against a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy.
You can change the priority settings of your rule groups at any time. To make it easier to insert rule groups later, number them so there's a wide range in between, for example use 100, 200, and so on.
- resource
Arn String - The Amazon Resource Name (ARN) of the stateful rule group.
- override Property Map
- The action that allows the policy owner to override the behavior of the rule group within a policy.
- priority Number
An integer setting that indicates the order in which to run the stateful rule groups in a single
FirewallPolicy
. This setting only applies to firewall policies that specify theSTRICT_ORDER
rule order in the stateful engine options settings.Network Firewall evalutes each stateful rule group against a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy.
You can change the priority settings of your rule groups at any time. To make it easier to insert rule groups later, number them so there's a wide range in between, for example use 100, 200, and so on.
FirewallPolicyStatelessRuleGroupReference
- Priority int
- An integer setting that indicates the order in which to run the stateless rule groups in a single
FirewallPolicy
. Network Firewall applies each stateless rule group to a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy. - Resource
Arn string - The Amazon Resource Name (ARN) of the stateless rule group.
- Priority int
- An integer setting that indicates the order in which to run the stateless rule groups in a single
FirewallPolicy
. Network Firewall applies each stateless rule group to a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy. - Resource
Arn string - The Amazon Resource Name (ARN) of the stateless rule group.
- priority Integer
- An integer setting that indicates the order in which to run the stateless rule groups in a single
FirewallPolicy
. Network Firewall applies each stateless rule group to a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy. - resource
Arn String - The Amazon Resource Name (ARN) of the stateless rule group.
- priority number
- An integer setting that indicates the order in which to run the stateless rule groups in a single
FirewallPolicy
. Network Firewall applies each stateless rule group to a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy. - resource
Arn string - The Amazon Resource Name (ARN) of the stateless rule group.
- priority int
- An integer setting that indicates the order in which to run the stateless rule groups in a single
FirewallPolicy
. Network Firewall applies each stateless rule group to a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy. - resource_
arn str - The Amazon Resource Name (ARN) of the stateless rule group.
- priority Number
- An integer setting that indicates the order in which to run the stateless rule groups in a single
FirewallPolicy
. Network Firewall applies each stateless rule group to a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy. - resource
Arn String - The Amazon Resource Name (ARN) of the stateless rule group.
FirewallPolicyStreamExceptionPolicy
Tag
Package Details
- Repository
- AWS Native pulumi/pulumi-aws-native
- License
- Apache-2.0
We recommend new projects start with resources from the AWS provider.