1. Packages
  2. AWS Cloud Control
  3. API Docs
  4. networkfirewall
  5. getFirewallPolicy

We recommend new projects start with resources from the AWS provider.

AWS Cloud Control v1.9.0 published on Monday, Nov 18, 2024 by Pulumi

aws-native.networkfirewall.getFirewallPolicy

Explore with Pulumi AI

aws-native logo

We recommend new projects start with resources from the AWS provider.

AWS Cloud Control v1.9.0 published on Monday, Nov 18, 2024 by Pulumi

    Resource type definition for AWS::NetworkFirewall::FirewallPolicy

    Using getFirewallPolicy

    Two invocation forms are available. The direct form accepts plain arguments and either blocks until the result value is available, or returns a Promise-wrapped result. The output form accepts Input-wrapped arguments and returns an Output-wrapped result.

    function getFirewallPolicy(args: GetFirewallPolicyArgs, opts?: InvokeOptions): Promise<GetFirewallPolicyResult>
    function getFirewallPolicyOutput(args: GetFirewallPolicyOutputArgs, opts?: InvokeOptions): Output<GetFirewallPolicyResult>
    def get_firewall_policy(firewall_policy_arn: Optional[str] = None,
                            opts: Optional[InvokeOptions] = None) -> GetFirewallPolicyResult
    def get_firewall_policy_output(firewall_policy_arn: Optional[pulumi.Input[str]] = None,
                            opts: Optional[InvokeOptions] = None) -> Output[GetFirewallPolicyResult]
    func LookupFirewallPolicy(ctx *Context, args *LookupFirewallPolicyArgs, opts ...InvokeOption) (*LookupFirewallPolicyResult, error)
    func LookupFirewallPolicyOutput(ctx *Context, args *LookupFirewallPolicyOutputArgs, opts ...InvokeOption) LookupFirewallPolicyResultOutput

    > Note: This function is named LookupFirewallPolicy in the Go SDK.

    public static class GetFirewallPolicy 
    {
        public static Task<GetFirewallPolicyResult> InvokeAsync(GetFirewallPolicyArgs args, InvokeOptions? opts = null)
        public static Output<GetFirewallPolicyResult> Invoke(GetFirewallPolicyInvokeArgs args, InvokeOptions? opts = null)
    }
    public static CompletableFuture<GetFirewallPolicyResult> getFirewallPolicy(GetFirewallPolicyArgs args, InvokeOptions options)
    // Output-based functions aren't available in Java yet
    
    fn::invoke:
      function: aws-native:networkfirewall:getFirewallPolicy
      arguments:
        # arguments dictionary

    The following arguments are supported:

    FirewallPolicyArn string
    The Amazon Resource Name (ARN) of the FirewallPolicy .
    FirewallPolicyArn string
    The Amazon Resource Name (ARN) of the FirewallPolicy .
    firewallPolicyArn String
    The Amazon Resource Name (ARN) of the FirewallPolicy .
    firewallPolicyArn string
    The Amazon Resource Name (ARN) of the FirewallPolicy .
    firewall_policy_arn str
    The Amazon Resource Name (ARN) of the FirewallPolicy .
    firewallPolicyArn String
    The Amazon Resource Name (ARN) of the FirewallPolicy .

    getFirewallPolicy Result

    The following output properties are available:

    Description string
    A description of the firewall policy.
    FirewallPolicyArn string
    The Amazon Resource Name (ARN) of the FirewallPolicy .
    FirewallPolicyId string
    The unique ID of the FirewallPolicy resource.
    FirewallPolicyValue Pulumi.AwsNative.NetworkFirewall.Outputs.FirewallPolicy
    The traffic filtering behavior of a firewall policy, defined in a collection of stateless and stateful rule groups and other settings.
    Tags List<Pulumi.AwsNative.Outputs.Tag>

    An array of key-value pairs to apply to this resource.

    For more information, see Tag .

    Description string
    A description of the firewall policy.
    FirewallPolicy FirewallPolicyType
    The traffic filtering behavior of a firewall policy, defined in a collection of stateless and stateful rule groups and other settings.
    FirewallPolicyArn string
    The Amazon Resource Name (ARN) of the FirewallPolicy .
    FirewallPolicyId string
    The unique ID of the FirewallPolicy resource.
    Tags Tag

    An array of key-value pairs to apply to this resource.

    For more information, see Tag .

    description String
    A description of the firewall policy.
    firewallPolicy FirewallPolicy
    The traffic filtering behavior of a firewall policy, defined in a collection of stateless and stateful rule groups and other settings.
    firewallPolicyArn String
    The Amazon Resource Name (ARN) of the FirewallPolicy .
    firewallPolicyId String
    The unique ID of the FirewallPolicy resource.
    tags List<Tag>

    An array of key-value pairs to apply to this resource.

    For more information, see Tag .

    description string
    A description of the firewall policy.
    firewallPolicy FirewallPolicy
    The traffic filtering behavior of a firewall policy, defined in a collection of stateless and stateful rule groups and other settings.
    firewallPolicyArn string
    The Amazon Resource Name (ARN) of the FirewallPolicy .
    firewallPolicyId string
    The unique ID of the FirewallPolicy resource.
    tags Tag[]

    An array of key-value pairs to apply to this resource.

    For more information, see Tag .

    description str
    A description of the firewall policy.
    firewall_policy FirewallPolicy
    The traffic filtering behavior of a firewall policy, defined in a collection of stateless and stateful rule groups and other settings.
    firewall_policy_arn str
    The Amazon Resource Name (ARN) of the FirewallPolicy .
    firewall_policy_id str
    The unique ID of the FirewallPolicy resource.
    tags Sequence[root_Tag]

    An array of key-value pairs to apply to this resource.

    For more information, see Tag .

    description String
    A description of the firewall policy.
    firewallPolicy Property Map
    The traffic filtering behavior of a firewall policy, defined in a collection of stateless and stateful rule groups and other settings.
    firewallPolicyArn String
    The Amazon Resource Name (ARN) of the FirewallPolicy .
    firewallPolicyId String
    The unique ID of the FirewallPolicy resource.
    tags List<Property Map>

    An array of key-value pairs to apply to this resource.

    For more information, see Tag .

    Supporting Types

    FirewallPolicy

    StatelessDefaultActions List<string>

    The actions to take on a packet if it doesn't match any of the stateless rules in the policy. If you want non-matching packets to be forwarded for stateful inspection, specify aws:forward_to_sfe .

    You must specify one of the standard actions: aws:pass , aws:drop , or aws:forward_to_sfe . In addition, you can specify custom actions that are compatible with your standard section choice.

    For example, you could specify ["aws:pass"] or you could specify ["aws:pass", "customActionName"] . For information about compatibility, see the custom action descriptions.

    StatelessFragmentDefaultActions List<string>

    The actions to take on a fragmented packet if it doesn't match any of the stateless rules in the policy. If you want non-matching fragmented packets to be forwarded for stateful inspection, specify aws:forward_to_sfe .

    You must specify one of the standard actions: aws:pass , aws:drop , or aws:forward_to_sfe . In addition, you can specify custom actions that are compatible with your standard section choice.

    For example, you could specify ["aws:pass"] or you could specify ["aws:pass", "customActionName"] . For information about compatibility, see the custom action descriptions.

    PolicyVariables Pulumi.AwsNative.NetworkFirewall.Inputs.FirewallPolicyPolicyVariablesProperties
    Contains variables that you can use to override default Suricata settings in your firewall policy.
    StatefulDefaultActions List<string>

    The default actions to take on a packet that doesn't match any stateful rules. The stateful default action is optional, and is only valid when using the strict rule order.

    Valid values of the stateful default action:

    • aws:drop_strict
    • aws:drop_established
    • aws:alert_strict
    • aws:alert_established

    For more information, see Strict evaluation order in the AWS Network Firewall Developer Guide .

    StatefulEngineOptions Pulumi.AwsNative.NetworkFirewall.Inputs.FirewallPolicyStatefulEngineOptions
    Additional options governing how Network Firewall handles stateful rules. The stateful rule groups that you use in your policy must have stateful rule options settings that are compatible with these settings.
    StatefulRuleGroupReferences List<Pulumi.AwsNative.NetworkFirewall.Inputs.FirewallPolicyStatefulRuleGroupReference>
    References to the stateful rule groups that are used in the policy. These define the inspection criteria in stateful rules.
    StatelessCustomActions List<Pulumi.AwsNative.NetworkFirewall.Inputs.FirewallPolicyCustomAction>
    The custom action definitions that are available for use in the firewall policy's StatelessDefaultActions setting. You name each custom action that you define, and then you can use it by name in your default actions specifications.
    StatelessRuleGroupReferences List<Pulumi.AwsNative.NetworkFirewall.Inputs.FirewallPolicyStatelessRuleGroupReference>
    References to the stateless rule groups that are used in the policy. These define the matching criteria in stateless rules.
    TlsInspectionConfigurationArn string
    The Amazon Resource Name (ARN) of the TLS inspection configuration.
    StatelessDefaultActions []string

    The actions to take on a packet if it doesn't match any of the stateless rules in the policy. If you want non-matching packets to be forwarded for stateful inspection, specify aws:forward_to_sfe .

    You must specify one of the standard actions: aws:pass , aws:drop , or aws:forward_to_sfe . In addition, you can specify custom actions that are compatible with your standard section choice.

    For example, you could specify ["aws:pass"] or you could specify ["aws:pass", "customActionName"] . For information about compatibility, see the custom action descriptions.

    StatelessFragmentDefaultActions []string

    The actions to take on a fragmented packet if it doesn't match any of the stateless rules in the policy. If you want non-matching fragmented packets to be forwarded for stateful inspection, specify aws:forward_to_sfe .

    You must specify one of the standard actions: aws:pass , aws:drop , or aws:forward_to_sfe . In addition, you can specify custom actions that are compatible with your standard section choice.

    For example, you could specify ["aws:pass"] or you could specify ["aws:pass", "customActionName"] . For information about compatibility, see the custom action descriptions.

    PolicyVariables FirewallPolicyPolicyVariablesProperties
    Contains variables that you can use to override default Suricata settings in your firewall policy.
    StatefulDefaultActions []string

    The default actions to take on a packet that doesn't match any stateful rules. The stateful default action is optional, and is only valid when using the strict rule order.

    Valid values of the stateful default action:

    • aws:drop_strict
    • aws:drop_established
    • aws:alert_strict
    • aws:alert_established

    For more information, see Strict evaluation order in the AWS Network Firewall Developer Guide .

    StatefulEngineOptions FirewallPolicyStatefulEngineOptions
    Additional options governing how Network Firewall handles stateful rules. The stateful rule groups that you use in your policy must have stateful rule options settings that are compatible with these settings.
    StatefulRuleGroupReferences []FirewallPolicyStatefulRuleGroupReference
    References to the stateful rule groups that are used in the policy. These define the inspection criteria in stateful rules.
    StatelessCustomActions []FirewallPolicyCustomAction
    The custom action definitions that are available for use in the firewall policy's StatelessDefaultActions setting. You name each custom action that you define, and then you can use it by name in your default actions specifications.
    StatelessRuleGroupReferences []FirewallPolicyStatelessRuleGroupReference
    References to the stateless rule groups that are used in the policy. These define the matching criteria in stateless rules.
    TlsInspectionConfigurationArn string
    The Amazon Resource Name (ARN) of the TLS inspection configuration.
    statelessDefaultActions List<String>

    The actions to take on a packet if it doesn't match any of the stateless rules in the policy. If you want non-matching packets to be forwarded for stateful inspection, specify aws:forward_to_sfe .

    You must specify one of the standard actions: aws:pass , aws:drop , or aws:forward_to_sfe . In addition, you can specify custom actions that are compatible with your standard section choice.

    For example, you could specify ["aws:pass"] or you could specify ["aws:pass", "customActionName"] . For information about compatibility, see the custom action descriptions.

    statelessFragmentDefaultActions List<String>

    The actions to take on a fragmented packet if it doesn't match any of the stateless rules in the policy. If you want non-matching fragmented packets to be forwarded for stateful inspection, specify aws:forward_to_sfe .

    You must specify one of the standard actions: aws:pass , aws:drop , or aws:forward_to_sfe . In addition, you can specify custom actions that are compatible with your standard section choice.

    For example, you could specify ["aws:pass"] or you could specify ["aws:pass", "customActionName"] . For information about compatibility, see the custom action descriptions.

    policyVariables FirewallPolicyPolicyVariablesProperties
    Contains variables that you can use to override default Suricata settings in your firewall policy.
    statefulDefaultActions List<String>

    The default actions to take on a packet that doesn't match any stateful rules. The stateful default action is optional, and is only valid when using the strict rule order.

    Valid values of the stateful default action:

    • aws:drop_strict
    • aws:drop_established
    • aws:alert_strict
    • aws:alert_established

    For more information, see Strict evaluation order in the AWS Network Firewall Developer Guide .

    statefulEngineOptions FirewallPolicyStatefulEngineOptions
    Additional options governing how Network Firewall handles stateful rules. The stateful rule groups that you use in your policy must have stateful rule options settings that are compatible with these settings.
    statefulRuleGroupReferences List<FirewallPolicyStatefulRuleGroupReference>
    References to the stateful rule groups that are used in the policy. These define the inspection criteria in stateful rules.
    statelessCustomActions List<FirewallPolicyCustomAction>
    The custom action definitions that are available for use in the firewall policy's StatelessDefaultActions setting. You name each custom action that you define, and then you can use it by name in your default actions specifications.
    statelessRuleGroupReferences List<FirewallPolicyStatelessRuleGroupReference>
    References to the stateless rule groups that are used in the policy. These define the matching criteria in stateless rules.
    tlsInspectionConfigurationArn String
    The Amazon Resource Name (ARN) of the TLS inspection configuration.
    statelessDefaultActions string[]

    The actions to take on a packet if it doesn't match any of the stateless rules in the policy. If you want non-matching packets to be forwarded for stateful inspection, specify aws:forward_to_sfe .

    You must specify one of the standard actions: aws:pass , aws:drop , or aws:forward_to_sfe . In addition, you can specify custom actions that are compatible with your standard section choice.

    For example, you could specify ["aws:pass"] or you could specify ["aws:pass", "customActionName"] . For information about compatibility, see the custom action descriptions.

    statelessFragmentDefaultActions string[]

    The actions to take on a fragmented packet if it doesn't match any of the stateless rules in the policy. If you want non-matching fragmented packets to be forwarded for stateful inspection, specify aws:forward_to_sfe .

    You must specify one of the standard actions: aws:pass , aws:drop , or aws:forward_to_sfe . In addition, you can specify custom actions that are compatible with your standard section choice.

    For example, you could specify ["aws:pass"] or you could specify ["aws:pass", "customActionName"] . For information about compatibility, see the custom action descriptions.

    policyVariables FirewallPolicyPolicyVariablesProperties
    Contains variables that you can use to override default Suricata settings in your firewall policy.
    statefulDefaultActions string[]

    The default actions to take on a packet that doesn't match any stateful rules. The stateful default action is optional, and is only valid when using the strict rule order.

    Valid values of the stateful default action:

    • aws:drop_strict
    • aws:drop_established
    • aws:alert_strict
    • aws:alert_established

    For more information, see Strict evaluation order in the AWS Network Firewall Developer Guide .

    statefulEngineOptions FirewallPolicyStatefulEngineOptions
    Additional options governing how Network Firewall handles stateful rules. The stateful rule groups that you use in your policy must have stateful rule options settings that are compatible with these settings.
    statefulRuleGroupReferences FirewallPolicyStatefulRuleGroupReference[]
    References to the stateful rule groups that are used in the policy. These define the inspection criteria in stateful rules.
    statelessCustomActions FirewallPolicyCustomAction[]
    The custom action definitions that are available for use in the firewall policy's StatelessDefaultActions setting. You name each custom action that you define, and then you can use it by name in your default actions specifications.
    statelessRuleGroupReferences FirewallPolicyStatelessRuleGroupReference[]
    References to the stateless rule groups that are used in the policy. These define the matching criteria in stateless rules.
    tlsInspectionConfigurationArn string
    The Amazon Resource Name (ARN) of the TLS inspection configuration.
    stateless_default_actions Sequence[str]

    The actions to take on a packet if it doesn't match any of the stateless rules in the policy. If you want non-matching packets to be forwarded for stateful inspection, specify aws:forward_to_sfe .

    You must specify one of the standard actions: aws:pass , aws:drop , or aws:forward_to_sfe . In addition, you can specify custom actions that are compatible with your standard section choice.

    For example, you could specify ["aws:pass"] or you could specify ["aws:pass", "customActionName"] . For information about compatibility, see the custom action descriptions.

    stateless_fragment_default_actions Sequence[str]

    The actions to take on a fragmented packet if it doesn't match any of the stateless rules in the policy. If you want non-matching fragmented packets to be forwarded for stateful inspection, specify aws:forward_to_sfe .

    You must specify one of the standard actions: aws:pass , aws:drop , or aws:forward_to_sfe . In addition, you can specify custom actions that are compatible with your standard section choice.

    For example, you could specify ["aws:pass"] or you could specify ["aws:pass", "customActionName"] . For information about compatibility, see the custom action descriptions.

    policy_variables FirewallPolicyPolicyVariablesProperties
    Contains variables that you can use to override default Suricata settings in your firewall policy.
    stateful_default_actions Sequence[str]

    The default actions to take on a packet that doesn't match any stateful rules. The stateful default action is optional, and is only valid when using the strict rule order.

    Valid values of the stateful default action:

    • aws:drop_strict
    • aws:drop_established
    • aws:alert_strict
    • aws:alert_established

    For more information, see Strict evaluation order in the AWS Network Firewall Developer Guide .

    stateful_engine_options FirewallPolicyStatefulEngineOptions
    Additional options governing how Network Firewall handles stateful rules. The stateful rule groups that you use in your policy must have stateful rule options settings that are compatible with these settings.
    stateful_rule_group_references Sequence[FirewallPolicyStatefulRuleGroupReference]
    References to the stateful rule groups that are used in the policy. These define the inspection criteria in stateful rules.
    stateless_custom_actions Sequence[FirewallPolicyCustomAction]
    The custom action definitions that are available for use in the firewall policy's StatelessDefaultActions setting. You name each custom action that you define, and then you can use it by name in your default actions specifications.
    stateless_rule_group_references Sequence[FirewallPolicyStatelessRuleGroupReference]
    References to the stateless rule groups that are used in the policy. These define the matching criteria in stateless rules.
    tls_inspection_configuration_arn str
    The Amazon Resource Name (ARN) of the TLS inspection configuration.
    statelessDefaultActions List<String>

    The actions to take on a packet if it doesn't match any of the stateless rules in the policy. If you want non-matching packets to be forwarded for stateful inspection, specify aws:forward_to_sfe .

    You must specify one of the standard actions: aws:pass , aws:drop , or aws:forward_to_sfe . In addition, you can specify custom actions that are compatible with your standard section choice.

    For example, you could specify ["aws:pass"] or you could specify ["aws:pass", "customActionName"] . For information about compatibility, see the custom action descriptions.

    statelessFragmentDefaultActions List<String>

    The actions to take on a fragmented packet if it doesn't match any of the stateless rules in the policy. If you want non-matching fragmented packets to be forwarded for stateful inspection, specify aws:forward_to_sfe .

    You must specify one of the standard actions: aws:pass , aws:drop , or aws:forward_to_sfe . In addition, you can specify custom actions that are compatible with your standard section choice.

    For example, you could specify ["aws:pass"] or you could specify ["aws:pass", "customActionName"] . For information about compatibility, see the custom action descriptions.

    policyVariables Property Map
    Contains variables that you can use to override default Suricata settings in your firewall policy.
    statefulDefaultActions List<String>

    The default actions to take on a packet that doesn't match any stateful rules. The stateful default action is optional, and is only valid when using the strict rule order.

    Valid values of the stateful default action:

    • aws:drop_strict
    • aws:drop_established
    • aws:alert_strict
    • aws:alert_established

    For more information, see Strict evaluation order in the AWS Network Firewall Developer Guide .

    statefulEngineOptions Property Map
    Additional options governing how Network Firewall handles stateful rules. The stateful rule groups that you use in your policy must have stateful rule options settings that are compatible with these settings.
    statefulRuleGroupReferences List<Property Map>
    References to the stateful rule groups that are used in the policy. These define the inspection criteria in stateful rules.
    statelessCustomActions List<Property Map>
    The custom action definitions that are available for use in the firewall policy's StatelessDefaultActions setting. You name each custom action that you define, and then you can use it by name in your default actions specifications.
    statelessRuleGroupReferences List<Property Map>
    References to the stateless rule groups that are used in the policy. These define the matching criteria in stateless rules.
    tlsInspectionConfigurationArn String
    The Amazon Resource Name (ARN) of the TLS inspection configuration.

    FirewallPolicyActionDefinition

    PublishMetricAction Pulumi.AwsNative.NetworkFirewall.Inputs.FirewallPolicyPublishMetricAction

    Stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. This setting defines a CloudWatch dimension value to be published.

    You can pair this custom action with any of the standard stateless rule actions. For example, you could pair this in a rule action with the standard action that forwards the packet for stateful inspection. Then, when a packet matches the rule, Network Firewall publishes metrics for the packet and forwards it.

    PublishMetricAction FirewallPolicyPublishMetricAction

    Stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. This setting defines a CloudWatch dimension value to be published.

    You can pair this custom action with any of the standard stateless rule actions. For example, you could pair this in a rule action with the standard action that forwards the packet for stateful inspection. Then, when a packet matches the rule, Network Firewall publishes metrics for the packet and forwards it.

    publishMetricAction FirewallPolicyPublishMetricAction

    Stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. This setting defines a CloudWatch dimension value to be published.

    You can pair this custom action with any of the standard stateless rule actions. For example, you could pair this in a rule action with the standard action that forwards the packet for stateful inspection. Then, when a packet matches the rule, Network Firewall publishes metrics for the packet and forwards it.

    publishMetricAction FirewallPolicyPublishMetricAction

    Stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. This setting defines a CloudWatch dimension value to be published.

    You can pair this custom action with any of the standard stateless rule actions. For example, you could pair this in a rule action with the standard action that forwards the packet for stateful inspection. Then, when a packet matches the rule, Network Firewall publishes metrics for the packet and forwards it.

    publish_metric_action FirewallPolicyPublishMetricAction

    Stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. This setting defines a CloudWatch dimension value to be published.

    You can pair this custom action with any of the standard stateless rule actions. For example, you could pair this in a rule action with the standard action that forwards the packet for stateful inspection. Then, when a packet matches the rule, Network Firewall publishes metrics for the packet and forwards it.

    publishMetricAction Property Map

    Stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. This setting defines a CloudWatch dimension value to be published.

    You can pair this custom action with any of the standard stateless rule actions. For example, you could pair this in a rule action with the standard action that forwards the packet for stateful inspection. Then, when a packet matches the rule, Network Firewall publishes metrics for the packet and forwards it.

    FirewallPolicyCustomAction

    ActionDefinition Pulumi.AwsNative.NetworkFirewall.Inputs.FirewallPolicyActionDefinition
    The custom action associated with the action name.
    ActionName string
    The descriptive name of the custom action. You can't change the name of a custom action after you create it.
    ActionDefinition FirewallPolicyActionDefinition
    The custom action associated with the action name.
    ActionName string
    The descriptive name of the custom action. You can't change the name of a custom action after you create it.
    actionDefinition FirewallPolicyActionDefinition
    The custom action associated with the action name.
    actionName String
    The descriptive name of the custom action. You can't change the name of a custom action after you create it.
    actionDefinition FirewallPolicyActionDefinition
    The custom action associated with the action name.
    actionName string
    The descriptive name of the custom action. You can't change the name of a custom action after you create it.
    action_definition FirewallPolicyActionDefinition
    The custom action associated with the action name.
    action_name str
    The descriptive name of the custom action. You can't change the name of a custom action after you create it.
    actionDefinition Property Map
    The custom action associated with the action name.
    actionName String
    The descriptive name of the custom action. You can't change the name of a custom action after you create it.

    FirewallPolicyDimension

    Value string
    The value to use in the custom metric dimension.
    Value string
    The value to use in the custom metric dimension.
    value String
    The value to use in the custom metric dimension.
    value string
    The value to use in the custom metric dimension.
    value str
    The value to use in the custom metric dimension.
    value String
    The value to use in the custom metric dimension.

    FirewallPolicyIpSet

    Definition List<string>
    The list of IP addresses and address ranges, in CIDR notation.
    Definition []string
    The list of IP addresses and address ranges, in CIDR notation.
    definition List<String>
    The list of IP addresses and address ranges, in CIDR notation.
    definition string[]
    The list of IP addresses and address ranges, in CIDR notation.
    definition Sequence[str]
    The list of IP addresses and address ranges, in CIDR notation.
    definition List<String>
    The list of IP addresses and address ranges, in CIDR notation.

    FirewallPolicyOverrideAction

    FirewallPolicyPolicyVariablesProperties

    RuleVariables Dictionary<string, Pulumi.AwsNative.NetworkFirewall.Inputs.FirewallPolicyIpSet>
    RuleVariables map[string]FirewallPolicyIpSet
    ruleVariables Map<String,FirewallPolicyIpSet>
    ruleVariables {[key: string]: FirewallPolicyIpSet}
    rule_variables Mapping[str, FirewallPolicyIpSet]
    ruleVariables Map<Property Map>

    FirewallPolicyPublishMetricAction

    FirewallPolicyRuleOrder

    FirewallPolicyStatefulEngineOptions

    FlowTimeouts Pulumi.AwsNative.NetworkFirewall.Inputs.FirewallPolicyStatefulEngineOptionsFlowTimeoutsProperties
    Configures the amount of time that can pass without any traffic sent through the firewall before the firewall determines that the connection is idle.
    RuleOrder Pulumi.AwsNative.NetworkFirewall.FirewallPolicyRuleOrder
    Indicates how to manage the order of stateful rule evaluation for the policy. DEFAULT_ACTION_ORDER is the default behavior. Stateful rules are provided to the rule engine as Suricata compatible strings, and Suricata evaluates them based on certain settings. For more information, see Evaluation order for stateful rules in the AWS Network Firewall Developer Guide .
    StreamExceptionPolicy Pulumi.AwsNative.NetworkFirewall.FirewallPolicyStreamExceptionPolicy
    Configures how Network Firewall processes traffic when a network connection breaks midstream. Network connections can break due to disruptions in external networks or within the firewall itself.

    • DROP - Network Firewall fails closed and drops all subsequent traffic going to the firewall. This is the default behavior.
    • CONTINUE - Network Firewall continues to apply rules to the subsequent traffic without context from traffic before the break. This impacts the behavior of rules that depend on this context. For example, if you have a stateful rule to drop http traffic, Network Firewall won't match the traffic for this rule because the service won't have the context from session initialization defining the application layer protocol as HTTP. However, this behavior is rule dependent—a TCP-layer rule using a flow:stateless rule would still match, as would the aws:drop_strict default action.
    • REJECT - Network Firewall fails closed and drops all subsequent traffic going to the firewall. Network Firewall also sends a TCP reject packet back to your client so that the client can immediately establish a new session. Network Firewall will have context about the new session and will apply rules to the subsequent traffic.
    FlowTimeouts FirewallPolicyStatefulEngineOptionsFlowTimeoutsProperties
    Configures the amount of time that can pass without any traffic sent through the firewall before the firewall determines that the connection is idle.
    RuleOrder FirewallPolicyRuleOrder
    Indicates how to manage the order of stateful rule evaluation for the policy. DEFAULT_ACTION_ORDER is the default behavior. Stateful rules are provided to the rule engine as Suricata compatible strings, and Suricata evaluates them based on certain settings. For more information, see Evaluation order for stateful rules in the AWS Network Firewall Developer Guide .
    StreamExceptionPolicy FirewallPolicyStreamExceptionPolicy
    Configures how Network Firewall processes traffic when a network connection breaks midstream. Network connections can break due to disruptions in external networks or within the firewall itself.

    • DROP - Network Firewall fails closed and drops all subsequent traffic going to the firewall. This is the default behavior.
    • CONTINUE - Network Firewall continues to apply rules to the subsequent traffic without context from traffic before the break. This impacts the behavior of rules that depend on this context. For example, if you have a stateful rule to drop http traffic, Network Firewall won't match the traffic for this rule because the service won't have the context from session initialization defining the application layer protocol as HTTP. However, this behavior is rule dependent—a TCP-layer rule using a flow:stateless rule would still match, as would the aws:drop_strict default action.
    • REJECT - Network Firewall fails closed and drops all subsequent traffic going to the firewall. Network Firewall also sends a TCP reject packet back to your client so that the client can immediately establish a new session. Network Firewall will have context about the new session and will apply rules to the subsequent traffic.
    flowTimeouts FirewallPolicyStatefulEngineOptionsFlowTimeoutsProperties
    Configures the amount of time that can pass without any traffic sent through the firewall before the firewall determines that the connection is idle.
    ruleOrder FirewallPolicyRuleOrder
    Indicates how to manage the order of stateful rule evaluation for the policy. DEFAULT_ACTION_ORDER is the default behavior. Stateful rules are provided to the rule engine as Suricata compatible strings, and Suricata evaluates them based on certain settings. For more information, see Evaluation order for stateful rules in the AWS Network Firewall Developer Guide .
    streamExceptionPolicy FirewallPolicyStreamExceptionPolicy
    Configures how Network Firewall processes traffic when a network connection breaks midstream. Network connections can break due to disruptions in external networks or within the firewall itself.

    • DROP - Network Firewall fails closed and drops all subsequent traffic going to the firewall. This is the default behavior.
    • CONTINUE - Network Firewall continues to apply rules to the subsequent traffic without context from traffic before the break. This impacts the behavior of rules that depend on this context. For example, if you have a stateful rule to drop http traffic, Network Firewall won't match the traffic for this rule because the service won't have the context from session initialization defining the application layer protocol as HTTP. However, this behavior is rule dependent—a TCP-layer rule using a flow:stateless rule would still match, as would the aws:drop_strict default action.
    • REJECT - Network Firewall fails closed and drops all subsequent traffic going to the firewall. Network Firewall also sends a TCP reject packet back to your client so that the client can immediately establish a new session. Network Firewall will have context about the new session and will apply rules to the subsequent traffic.
    flowTimeouts FirewallPolicyStatefulEngineOptionsFlowTimeoutsProperties
    Configures the amount of time that can pass without any traffic sent through the firewall before the firewall determines that the connection is idle.
    ruleOrder FirewallPolicyRuleOrder
    Indicates how to manage the order of stateful rule evaluation for the policy. DEFAULT_ACTION_ORDER is the default behavior. Stateful rules are provided to the rule engine as Suricata compatible strings, and Suricata evaluates them based on certain settings. For more information, see Evaluation order for stateful rules in the AWS Network Firewall Developer Guide .
    streamExceptionPolicy FirewallPolicyStreamExceptionPolicy
    Configures how Network Firewall processes traffic when a network connection breaks midstream. Network connections can break due to disruptions in external networks or within the firewall itself.

    • DROP - Network Firewall fails closed and drops all subsequent traffic going to the firewall. This is the default behavior.
    • CONTINUE - Network Firewall continues to apply rules to the subsequent traffic without context from traffic before the break. This impacts the behavior of rules that depend on this context. For example, if you have a stateful rule to drop http traffic, Network Firewall won't match the traffic for this rule because the service won't have the context from session initialization defining the application layer protocol as HTTP. However, this behavior is rule dependent—a TCP-layer rule using a flow:stateless rule would still match, as would the aws:drop_strict default action.
    • REJECT - Network Firewall fails closed and drops all subsequent traffic going to the firewall. Network Firewall also sends a TCP reject packet back to your client so that the client can immediately establish a new session. Network Firewall will have context about the new session and will apply rules to the subsequent traffic.
    flow_timeouts FirewallPolicyStatefulEngineOptionsFlowTimeoutsProperties
    Configures the amount of time that can pass without any traffic sent through the firewall before the firewall determines that the connection is idle.
    rule_order FirewallPolicyRuleOrder
    Indicates how to manage the order of stateful rule evaluation for the policy. DEFAULT_ACTION_ORDER is the default behavior. Stateful rules are provided to the rule engine as Suricata compatible strings, and Suricata evaluates them based on certain settings. For more information, see Evaluation order for stateful rules in the AWS Network Firewall Developer Guide .
    stream_exception_policy FirewallPolicyStreamExceptionPolicy
    Configures how Network Firewall processes traffic when a network connection breaks midstream. Network connections can break due to disruptions in external networks or within the firewall itself.

    • DROP - Network Firewall fails closed and drops all subsequent traffic going to the firewall. This is the default behavior.
    • CONTINUE - Network Firewall continues to apply rules to the subsequent traffic without context from traffic before the break. This impacts the behavior of rules that depend on this context. For example, if you have a stateful rule to drop http traffic, Network Firewall won't match the traffic for this rule because the service won't have the context from session initialization defining the application layer protocol as HTTP. However, this behavior is rule dependent—a TCP-layer rule using a flow:stateless rule would still match, as would the aws:drop_strict default action.
    • REJECT - Network Firewall fails closed and drops all subsequent traffic going to the firewall. Network Firewall also sends a TCP reject packet back to your client so that the client can immediately establish a new session. Network Firewall will have context about the new session and will apply rules to the subsequent traffic.
    flowTimeouts Property Map
    Configures the amount of time that can pass without any traffic sent through the firewall before the firewall determines that the connection is idle.
    ruleOrder "DEFAULT_ACTION_ORDER" | "STRICT_ORDER"
    Indicates how to manage the order of stateful rule evaluation for the policy. DEFAULT_ACTION_ORDER is the default behavior. Stateful rules are provided to the rule engine as Suricata compatible strings, and Suricata evaluates them based on certain settings. For more information, see Evaluation order for stateful rules in the AWS Network Firewall Developer Guide .
    streamExceptionPolicy "DROP" | "CONTINUE" | "REJECT"
    Configures how Network Firewall processes traffic when a network connection breaks midstream. Network connections can break due to disruptions in external networks or within the firewall itself.

    • DROP - Network Firewall fails closed and drops all subsequent traffic going to the firewall. This is the default behavior.
    • CONTINUE - Network Firewall continues to apply rules to the subsequent traffic without context from traffic before the break. This impacts the behavior of rules that depend on this context. For example, if you have a stateful rule to drop http traffic, Network Firewall won't match the traffic for this rule because the service won't have the context from session initialization defining the application layer protocol as HTTP. However, this behavior is rule dependent—a TCP-layer rule using a flow:stateless rule would still match, as would the aws:drop_strict default action.
    • REJECT - Network Firewall fails closed and drops all subsequent traffic going to the firewall. Network Firewall also sends a TCP reject packet back to your client so that the client can immediately establish a new session. Network Firewall will have context about the new session and will apply rules to the subsequent traffic.

    FirewallPolicyStatefulEngineOptionsFlowTimeoutsProperties

    FirewallPolicyStatefulRuleGroupOverride

    Action Pulumi.AwsNative.NetworkFirewall.FirewallPolicyOverrideAction
    The action that changes the rule group from DROP to ALERT . This only applies to managed rule groups.
    Action FirewallPolicyOverrideAction
    The action that changes the rule group from DROP to ALERT . This only applies to managed rule groups.
    action FirewallPolicyOverrideAction
    The action that changes the rule group from DROP to ALERT . This only applies to managed rule groups.
    action FirewallPolicyOverrideAction
    The action that changes the rule group from DROP to ALERT . This only applies to managed rule groups.
    action FirewallPolicyOverrideAction
    The action that changes the rule group from DROP to ALERT . This only applies to managed rule groups.
    action "DROP_TO_ALERT"
    The action that changes the rule group from DROP to ALERT . This only applies to managed rule groups.

    FirewallPolicyStatefulRuleGroupReference

    ResourceArn string
    The Amazon Resource Name (ARN) of the stateful rule group.
    Override Pulumi.AwsNative.NetworkFirewall.Inputs.FirewallPolicyStatefulRuleGroupOverride
    The action that allows the policy owner to override the behavior of the rule group within a policy.
    Priority int

    An integer setting that indicates the order in which to run the stateful rule groups in a single FirewallPolicy . This setting only applies to firewall policies that specify the STRICT_ORDER rule order in the stateful engine options settings.

    Network Firewall evalutes each stateful rule group against a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy.

    You can change the priority settings of your rule groups at any time. To make it easier to insert rule groups later, number them so there's a wide range in between, for example use 100, 200, and so on.

    ResourceArn string
    The Amazon Resource Name (ARN) of the stateful rule group.
    Override FirewallPolicyStatefulRuleGroupOverride
    The action that allows the policy owner to override the behavior of the rule group within a policy.
    Priority int

    An integer setting that indicates the order in which to run the stateful rule groups in a single FirewallPolicy . This setting only applies to firewall policies that specify the STRICT_ORDER rule order in the stateful engine options settings.

    Network Firewall evalutes each stateful rule group against a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy.

    You can change the priority settings of your rule groups at any time. To make it easier to insert rule groups later, number them so there's a wide range in between, for example use 100, 200, and so on.

    resourceArn String
    The Amazon Resource Name (ARN) of the stateful rule group.
    override FirewallPolicyStatefulRuleGroupOverride
    The action that allows the policy owner to override the behavior of the rule group within a policy.
    priority Integer

    An integer setting that indicates the order in which to run the stateful rule groups in a single FirewallPolicy . This setting only applies to firewall policies that specify the STRICT_ORDER rule order in the stateful engine options settings.

    Network Firewall evalutes each stateful rule group against a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy.

    You can change the priority settings of your rule groups at any time. To make it easier to insert rule groups later, number them so there's a wide range in between, for example use 100, 200, and so on.

    resourceArn string
    The Amazon Resource Name (ARN) of the stateful rule group.
    override FirewallPolicyStatefulRuleGroupOverride
    The action that allows the policy owner to override the behavior of the rule group within a policy.
    priority number

    An integer setting that indicates the order in which to run the stateful rule groups in a single FirewallPolicy . This setting only applies to firewall policies that specify the STRICT_ORDER rule order in the stateful engine options settings.

    Network Firewall evalutes each stateful rule group against a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy.

    You can change the priority settings of your rule groups at any time. To make it easier to insert rule groups later, number them so there's a wide range in between, for example use 100, 200, and so on.

    resource_arn str
    The Amazon Resource Name (ARN) of the stateful rule group.
    override FirewallPolicyStatefulRuleGroupOverride
    The action that allows the policy owner to override the behavior of the rule group within a policy.
    priority int

    An integer setting that indicates the order in which to run the stateful rule groups in a single FirewallPolicy . This setting only applies to firewall policies that specify the STRICT_ORDER rule order in the stateful engine options settings.

    Network Firewall evalutes each stateful rule group against a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy.

    You can change the priority settings of your rule groups at any time. To make it easier to insert rule groups later, number them so there's a wide range in between, for example use 100, 200, and so on.

    resourceArn String
    The Amazon Resource Name (ARN) of the stateful rule group.
    override Property Map
    The action that allows the policy owner to override the behavior of the rule group within a policy.
    priority Number

    An integer setting that indicates the order in which to run the stateful rule groups in a single FirewallPolicy . This setting only applies to firewall policies that specify the STRICT_ORDER rule order in the stateful engine options settings.

    Network Firewall evalutes each stateful rule group against a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy.

    You can change the priority settings of your rule groups at any time. To make it easier to insert rule groups later, number them so there's a wide range in between, for example use 100, 200, and so on.

    FirewallPolicyStatelessRuleGroupReference

    Priority int
    An integer setting that indicates the order in which to run the stateless rule groups in a single FirewallPolicy . Network Firewall applies each stateless rule group to a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy.
    ResourceArn string
    The Amazon Resource Name (ARN) of the stateless rule group.
    Priority int
    An integer setting that indicates the order in which to run the stateless rule groups in a single FirewallPolicy . Network Firewall applies each stateless rule group to a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy.
    ResourceArn string
    The Amazon Resource Name (ARN) of the stateless rule group.
    priority Integer
    An integer setting that indicates the order in which to run the stateless rule groups in a single FirewallPolicy . Network Firewall applies each stateless rule group to a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy.
    resourceArn String
    The Amazon Resource Name (ARN) of the stateless rule group.
    priority number
    An integer setting that indicates the order in which to run the stateless rule groups in a single FirewallPolicy . Network Firewall applies each stateless rule group to a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy.
    resourceArn string
    The Amazon Resource Name (ARN) of the stateless rule group.
    priority int
    An integer setting that indicates the order in which to run the stateless rule groups in a single FirewallPolicy . Network Firewall applies each stateless rule group to a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy.
    resource_arn str
    The Amazon Resource Name (ARN) of the stateless rule group.
    priority Number
    An integer setting that indicates the order in which to run the stateless rule groups in a single FirewallPolicy . Network Firewall applies each stateless rule group to a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy.
    resourceArn String
    The Amazon Resource Name (ARN) of the stateless rule group.

    FirewallPolicyStreamExceptionPolicy

    Tag

    Key string
    The key name of the tag
    Value string
    The value of the tag
    Key string
    The key name of the tag
    Value string
    The value of the tag
    key String
    The key name of the tag
    value String
    The value of the tag
    key string
    The key name of the tag
    value string
    The value of the tag
    key str
    The key name of the tag
    value str
    The value of the tag
    key String
    The key name of the tag
    value String
    The value of the tag

    Package Details

    Repository
    AWS Native pulumi/pulumi-aws-native
    License
    Apache-2.0
    aws-native logo

    We recommend new projects start with resources from the AWS provider.

    AWS Cloud Control v1.9.0 published on Monday, Nov 18, 2024 by Pulumi