aws-sdk-networkfirewall 1.36.0 → 1.37.0

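--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz: 5c5bf32a26450f873306ff092b4e1b4ece4508dedc0e8c60f8c90f683a9049a5
-data.tar.gz: cc5d2460dadd157009ec50050cbcc928bfdf37c8ae47b09dffb13aa5eda1e272
+metadata.gz: 1ead7232a47e4248e5f8e27ffea9f25c2440d542fc0bfa6578c81b9486b7b07b
+data.tar.gz: c85889a00b03ab03b4b4497d90bc5d43b820a91ed2138c8794e65bd58f5eba3e
 SHA512:
-metadata.gz: 1e21e992ce09f252a6f004ab93349d8d4a66f7c08d1658e68a89d515a8f24db017fbeebb17110df25d4a8b89aac63b933f40cf486558490f17bc118db25183d9
-data.tar.gz: b867ef794e837c2045c6ef228f5ae324f5b80844da2198c636c2b4733591ba676959ab4c29f1a82b411f085c0a359feb0edea732c8ba0c75c72d443d905115e4
+metadata.gz: 0f9693651148e310a4006394e3381083ef03f7eff5d883e8cf5e9ac9957d55ec79b1cce56c4251feca36e702c1136804a58740568ccd3b7088a321edad22af15
+data.tar.gz: dfc2ed10eb6ad18b5191eddc9c48ce7d233239c5fe911503882d981891d126e7a0c6ae6e2c189ee1ce8344051a4b8dfc3b44a7396a7cd5c97c878027e8831fbe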
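--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,6 +1,11 @@
 Unreleased Changes
 ------------------
 
+1.37.0 (2023-11-02)
+------------------
+
+* Feature - This release introduces the stateless rule analyzer, which enables you to analyze your stateless rules for asymmetric routing.
+
 1.36.0 (2023-10-26)
 ------------------
 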
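--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-1.36.0
+1.37.0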
@@ -955,6 +955,13 @@ module Aws::NetworkFirewall
955
955
  # own rule group is copied from. You can use the metadata to keep track
956
956
  # of updates made to the originating rule group.
957
957
  #
958
+ # @option params [Boolean] :analyze_rule_group
959
+ # Indicates whether you want Network Firewall to analyze the stateless
960
+ # rules in the rule group for rule behavior such as asymmetric routing.
961
+ # If set to `TRUE`, Network Firewall runs the analysis and then creates
962
+ # the rule group for you. To run the stateless rule group analyzer
963
+ # without creating the rule group, set `DryRun` to `TRUE`.
964
+ #
958
965
  # @return [Types::CreateRuleGroupResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
959
966
  #
960
967
  # * {Types::CreateRuleGroupResponse#update_token #update_token} => String
@@ -1089,6 +1096,7 @@ module Aws::NetworkFirewall
1089
1096
  # source_arn: "ResourceArn",
1090
1097
  # source_update_token: "UpdateToken",
1091
1098
  # },
1099
+ # analyze_rule_group: false,
1092
1100
  # })
1093
1101
  #
1094
1102
  # @example Response structure
@@ -1112,6 +1120,11 @@ module Aws::NetworkFirewall
1112
1120
  # resp.rule_group_response.source_metadata.source_update_token #=> String
1113
1121
  # resp.rule_group_response.sns_topic #=> String
1114
1122
  # resp.rule_group_response.last_modified_time #=> Time
1123
+ # resp.rule_group_response.analysis_results #=> Array
1124
+ # resp.rule_group_response.analysis_results[0].identified_rule_ids #=> Array
1125
+ # resp.rule_group_response.analysis_results[0].identified_rule_ids[0] #=> String
1126
+ # resp.rule_group_response.analysis_results[0].identified_type #=> String, one of "STATELESS_RULE_FORWARDING_ASYMMETRICALLY", "STATELESS_RULE_CONTAINS_TCP_FLAGS"
1127
+ # resp.rule_group_response.analysis_results[0].analysis_detail #=> String
1115
1128
  #
1116
1129
  # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/CreateRuleGroup AWS API Documentation
1117
1130
  #
@@ -1123,9 +1136,10 @@ module Aws::NetworkFirewall
1123
1136
  end
1124
1137
 
1125
1138
  # Creates an Network Firewall TLS inspection configuration. A TLS
1126
- # inspection configuration contains the Certificate Manager certificate
1127
- # associations that Network Firewall uses to decrypt and re-encrypt
1128
- # traffic traveling through your firewall.
1139
+ # inspection configuration contains Certificate Manager certificate
1140
+ # associations between and the scope configurations that Network
1141
+ # Firewall uses to decrypt and re-encrypt traffic traveling through your
1142
+ # firewall.
1129
1143
  #
1130
1144
  # After you create a TLS inspection configuration, you can associate it
1131
1145
  # with a new firewall policy.
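Review bot: The rewritten description on the fourth and fifth lines of the hunk reads `associations between and the scope configurations`, which has no object after `between` and does not parse as a sentence. The surrounding lines simply list what the configuration contains, so dropping the dangling word is enough: `# associations and the scope configurations that Network`, with the neighbouring lines left as they are. The method this YARD comment documents is defined below the hunk, outside it.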
@@ -1508,6 +1522,11 @@ module Aws::NetworkFirewall
1508
1522
  # resp.rule_group_response.source_metadata.source_update_token #=> String
1509
1523
  # resp.rule_group_response.sns_topic #=> String
1510
1524
  # resp.rule_group_response.last_modified_time #=> Time
1525
+ # resp.rule_group_response.analysis_results #=> Array
1526
+ # resp.rule_group_response.analysis_results[0].identified_rule_ids #=> Array
1527
+ # resp.rule_group_response.analysis_results[0].identified_rule_ids[0] #=> String
1528
+ # resp.rule_group_response.analysis_results[0].identified_type #=> String, one of "STATELESS_RULE_FORWARDING_ASYMMETRICALLY", "STATELESS_RULE_CONTAINS_TCP_FLAGS"
1529
+ # resp.rule_group_response.analysis_results[0].analysis_detail #=> String
1511
1530
  #
1512
1531
  # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DeleteRuleGroup AWS API Documentation
1513
1532
  #
@@ -1817,6 +1836,11 @@ module Aws::NetworkFirewall
1817
1836
  #
1818
1837
  # </note>
1819
1838
  #
1839
+ # @option params [Boolean] :analyze_rule_group
1840
+ # Indicates whether you want Network Firewall to analyze the stateless
1841
+ # rules in the rule group for rule behavior such as asymmetric routing.
1842
+ # If set to `TRUE`, Network Firewall runs the analysis.
1843
+ #
1820
1844
  # @return [Types::DescribeRuleGroupResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
1821
1845
  #
1822
1846
  # * {Types::DescribeRuleGroupResponse#update_token #update_token} => String
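Review bot: The new `:analyze_rule_group` option on describe_rule_group says only that `Network Firewall runs the analysis`, unlike the create and update variants, which say what follows; a reader has to find the response example to learn where the results land. Adding one line after `runs the analysis.`, `# The results are returned in rule_group_response.analysis_results.`, closes that gap, and the response example in the hunk at `@@ -1904,6 +1929,11 @@` shows that field. The method this comment documents is defined below the hunk, outside it.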
@@ -1829,6 +1853,7 @@ module Aws::NetworkFirewall
1829
1853
  # rule_group_name: "ResourceName",
1830
1854
  # rule_group_arn: "ResourceArn",
1831
1855
  # type: "STATELESS", # accepts STATELESS, STATEFUL
1856
+ # analyze_rule_group: false,
1832
1857
  # })
1833
1858
  #
1834
1859
  # @example Response structure
@@ -1904,6 +1929,11 @@ module Aws::NetworkFirewall
1904
1929
  # resp.rule_group_response.source_metadata.source_update_token #=> String
1905
1930
  # resp.rule_group_response.sns_topic #=> String
1906
1931
  # resp.rule_group_response.last_modified_time #=> Time
1932
+ # resp.rule_group_response.analysis_results #=> Array
1933
+ # resp.rule_group_response.analysis_results[0].identified_rule_ids #=> Array
1934
+ # resp.rule_group_response.analysis_results[0].identified_rule_ids[0] #=> String
1935
+ # resp.rule_group_response.analysis_results[0].identified_type #=> String, one of "STATELESS_RULE_FORWARDING_ASYMMETRICALLY", "STATELESS_RULE_CONTAINS_TCP_FLAGS"
1936
+ # resp.rule_group_response.analysis_results[0].analysis_detail #=> String
1907
1937
  #
1908
1938
  # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DescribeRuleGroup AWS API Documentation
1909
1939
  #
@@ -3169,6 +3199,13 @@ module Aws::NetworkFirewall
3169
3199
  # own rule group is copied from. You can use the metadata to keep track
3170
3200
  # of updates made to the originating rule group.
3171
3201
  #
3202
+ # @option params [Boolean] :analyze_rule_group
3203
+ # Indicates whether you want Network Firewall to analyze the stateless
3204
+ # rules in the rule group for rule behavior such as asymmetric routing.
3205
+ # If set to `TRUE`, Network Firewall runs the analysis and then updates
3206
+ # the rule group for you. To run the stateless rule group analyzer
3207
+ # without updating the rule group, set `DryRun` to `TRUE`.
3208
+ #
3172
3209
  # @return [Types::UpdateRuleGroupResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
3173
3210
  #
3174
3211
  # * {Types::UpdateRuleGroupResponse#update_token #update_token} => String
@@ -3298,6 +3335,7 @@ module Aws::NetworkFirewall
3298
3335
  # source_arn: "ResourceArn",
3299
3336
  # source_update_token: "UpdateToken",
3300
3337
  # },
3338
+ # analyze_rule_group: false,
3301
3339
  # })
3302
3340
  #
3303
3341
  # @example Response structure
@@ -3321,6 +3359,11 @@ module Aws::NetworkFirewall
3321
3359
  # resp.rule_group_response.source_metadata.source_update_token #=> String
3322
3360
  # resp.rule_group_response.sns_topic #=> String
3323
3361
  # resp.rule_group_response.last_modified_time #=> Time
3362
+ # resp.rule_group_response.analysis_results #=> Array
3363
+ # resp.rule_group_response.analysis_results[0].identified_rule_ids #=> Array
3364
+ # resp.rule_group_response.analysis_results[0].identified_rule_ids[0] #=> String
3365
+ # resp.rule_group_response.analysis_results[0].identified_type #=> String, one of "STATELESS_RULE_FORWARDING_ASYMMETRICALLY", "STATELESS_RULE_CONTAINS_TCP_FLAGS"
3366
+ # resp.rule_group_response.analysis_results[0].analysis_detail #=> String
3324
3367
  #
3325
3368
  # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/UpdateRuleGroup AWS API Documentation
3326
3369
  #
@@ -3572,7 +3615,7 @@ module Aws::NetworkFirewall
3572
3615
  params: params,
3573
3616
  config: config)
3574
3617
  context[:gem_name] = 'aws-sdk-networkfirewall'
3575
- context[:gem_version] = '1.36.0'
3618
+ context[:gem_version] = '1.37.0'
3576
3619
  Seahorse::Client::Request.new(handlers, context)
3577
3620
  end
3578
3621
 
@@ -18,6 +18,8 @@ module Aws::NetworkFirewall
18
18
  Address = Shapes::StructureShape.new(name: 'Address')
19
19
  AddressDefinition = Shapes::StringShape.new(name: 'AddressDefinition')
20
20
  Addresses = Shapes::ListShape.new(name: 'Addresses')
21
+ AnalysisResult = Shapes::StructureShape.new(name: 'AnalysisResult')
22
+ AnalysisResultList = Shapes::ListShape.new(name: 'AnalysisResultList')
21
23
  AssociateFirewallPolicyRequest = Shapes::StructureShape.new(name: 'AssociateFirewallPolicyRequest')
22
24
  AssociateFirewallPolicyResponse = Shapes::StructureShape.new(name: 'AssociateFirewallPolicyResponse')
23
25
  AssociateSubnetsRequest = Shapes::StructureShape.new(name: 'AssociateSubnetsRequest')
@@ -103,6 +105,7 @@ module Aws::NetworkFirewall
103
105
  IPSetReferenceMap = Shapes::MapShape.new(name: 'IPSetReferenceMap')
104
106
  IPSetReferenceName = Shapes::StringShape.new(name: 'IPSetReferenceName')
105
107
  IPSets = Shapes::MapShape.new(name: 'IPSets')
108
+ IdentifiedType = Shapes::StringShape.new(name: 'IdentifiedType')
106
109
  InsufficientCapacityException = Shapes::StructureShape.new(name: 'InsufficientCapacityException')
107
110
  InternalServerError = Shapes::StructureShape.new(name: 'InternalServerError')
108
111
  InvalidOperationException = Shapes::StructureShape.new(name: 'InvalidOperationException')
@@ -168,6 +171,7 @@ module Aws::NetworkFirewall
168
171
  RuleGroupResponse = Shapes::StructureShape.new(name: 'RuleGroupResponse')
169
172
  RuleGroupType = Shapes::StringShape.new(name: 'RuleGroupType')
170
173
  RuleGroups = Shapes::ListShape.new(name: 'RuleGroups')
174
+ RuleIdList = Shapes::ListShape.new(name: 'RuleIdList')
171
175
  RuleOption = Shapes::StructureShape.new(name: 'RuleOption')
172
176
  RuleOptions = Shapes::ListShape.new(name: 'RuleOptions')
173
177
  RuleOrder = Shapes::StringShape.new(name: 'RuleOrder')
@@ -266,6 +270,13 @@ module Aws::NetworkFirewall
266
270
 
267
271
  Addresses.member = Shapes::ShapeRef.new(shape: Address)
268
272
 
273
+ AnalysisResult.add_member(:identified_rule_ids, Shapes::ShapeRef.new(shape: RuleIdList, location_name: "IdentifiedRuleIds"))
274
+ AnalysisResult.add_member(:identified_type, Shapes::ShapeRef.new(shape: IdentifiedType, location_name: "IdentifiedType"))
275
+ AnalysisResult.add_member(:analysis_detail, Shapes::ShapeRef.new(shape: CollectionMember_String, location_name: "AnalysisDetail"))
276
+ AnalysisResult.struct_class = Types::AnalysisResult
277
+
278
+ AnalysisResultList.member = Shapes::ShapeRef.new(shape: AnalysisResult)
279
+
269
280
  AssociateFirewallPolicyRequest.add_member(:update_token, Shapes::ShapeRef.new(shape: UpdateToken, location_name: "UpdateToken"))
270
281
  AssociateFirewallPolicyRequest.add_member(:firewall_arn, Shapes::ShapeRef.new(shape: ResourceArn, location_name: "FirewallArn"))
271
282
  AssociateFirewallPolicyRequest.add_member(:firewall_name, Shapes::ShapeRef.new(shape: ResourceName, location_name: "FirewallName"))
@@ -350,6 +361,7 @@ module Aws::NetworkFirewall
350
361
  CreateRuleGroupRequest.add_member(:dry_run, Shapes::ShapeRef.new(shape: Boolean, location_name: "DryRun"))
351
362
  CreateRuleGroupRequest.add_member(:encryption_configuration, Shapes::ShapeRef.new(shape: EncryptionConfiguration, location_name: "EncryptionConfiguration"))
352
363
  CreateRuleGroupRequest.add_member(:source_metadata, Shapes::ShapeRef.new(shape: SourceMetadata, location_name: "SourceMetadata"))
364
+ CreateRuleGroupRequest.add_member(:analyze_rule_group, Shapes::ShapeRef.new(shape: Boolean, location_name: "AnalyzeRuleGroup"))
353
365
  CreateRuleGroupRequest.struct_class = Types::CreateRuleGroupRequest
354
366
 
355
367
  CreateRuleGroupResponse.add_member(:update_token, Shapes::ShapeRef.new(shape: UpdateToken, required: true, location_name: "UpdateToken"))
@@ -457,6 +469,7 @@ module Aws::NetworkFirewall
457
469
  DescribeRuleGroupRequest.add_member(:rule_group_name, Shapes::ShapeRef.new(shape: ResourceName, location_name: "RuleGroupName"))
458
470
  DescribeRuleGroupRequest.add_member(:rule_group_arn, Shapes::ShapeRef.new(shape: ResourceArn, location_name: "RuleGroupArn"))
459
471
  DescribeRuleGroupRequest.add_member(:type, Shapes::ShapeRef.new(shape: RuleGroupType, location_name: "Type"))
472
+ DescribeRuleGroupRequest.add_member(:analyze_rule_group, Shapes::ShapeRef.new(shape: Boolean, location_name: "AnalyzeRuleGroup"))
460
473
  DescribeRuleGroupRequest.struct_class = Types::DescribeRuleGroupRequest
461
474
 
462
475
  DescribeRuleGroupResponse.add_member(:update_token, Shapes::ShapeRef.new(shape: UpdateToken, required: true, location_name: "UpdateToken"))
@@ -735,10 +748,13 @@ module Aws::NetworkFirewall
735
748
  RuleGroupResponse.add_member(:source_metadata, Shapes::ShapeRef.new(shape: SourceMetadata, location_name: "SourceMetadata"))
736
749
  RuleGroupResponse.add_member(:sns_topic, Shapes::ShapeRef.new(shape: ResourceArn, location_name: "SnsTopic"))
737
750
  RuleGroupResponse.add_member(:last_modified_time, Shapes::ShapeRef.new(shape: LastUpdateTime, location_name: "LastModifiedTime"))
751
+ RuleGroupResponse.add_member(:analysis_results, Shapes::ShapeRef.new(shape: AnalysisResultList, location_name: "AnalysisResults"))
738
752
  RuleGroupResponse.struct_class = Types::RuleGroupResponse
739
753
 
740
754
  RuleGroups.member = Shapes::ShapeRef.new(shape: RuleGroupMetadata)
741
755
 
756
+ RuleIdList.member = Shapes::ShapeRef.new(shape: CollectionMember_String)
757
+
742
758
  RuleOption.add_member(:keyword, Shapes::ShapeRef.new(shape: Keyword, required: true, location_name: "Keyword"))
743
759
  RuleOption.add_member(:settings, Shapes::ShapeRef.new(shape: Settings, location_name: "Settings"))
744
760
  RuleOption.struct_class = Types::RuleOption
@@ -993,6 +1009,7 @@ module Aws::NetworkFirewall
993
1009
  UpdateRuleGroupRequest.add_member(:dry_run, Shapes::ShapeRef.new(shape: Boolean, location_name: "DryRun"))
994
1010
  UpdateRuleGroupRequest.add_member(:encryption_configuration, Shapes::ShapeRef.new(shape: EncryptionConfiguration, location_name: "EncryptionConfiguration"))
995
1011
  UpdateRuleGroupRequest.add_member(:source_metadata, Shapes::ShapeRef.new(shape: SourceMetadata, location_name: "SourceMetadata"))
1012
+ UpdateRuleGroupRequest.add_member(:analyze_rule_group, Shapes::ShapeRef.new(shape: Boolean, location_name: "AnalyzeRuleGroup"))
996
1013
  UpdateRuleGroupRequest.struct_class = Types::UpdateRuleGroupRequest
997
1014
 
998
1015
  UpdateRuleGroupResponse.add_member(:update_token, Shapes::ShapeRef.new(shape: UpdateToken, required: true, location_name: "UpdateToken"))
@@ -74,6 +74,70 @@ module Aws::NetworkFirewall
74
74
  include Aws::Structure
75
75
  end
76
76
 
77
+ # The analysis result for Network Firewall's stateless rule group
78
+ # analyzer. Every time you call CreateRuleGroup, UpdateRuleGroup, or
79
+ # DescribeRuleGroup on a stateless rule group, Network Firewall analyzes
80
+ # the stateless rule groups in your account and identifies the rules
81
+ # that might adversely effect your firewall's functionality. For
82
+ # example, if Network Firewall detects a rule that's routing traffic
83
+ # asymmetrically, which impacts the service's ability to properly
84
+ # process traffic, the service includes the rule in a list of analysis
85
+ # results.
86
+ #
87
+ # @!attribute [rw] identified_rule_ids
88
+ # The priority number of the stateless rules identified in the
89
+ # analysis.
90
+ # @return [Array<String>]
91
+ #
92
+ # @!attribute [rw] identified_type
93
+ # The types of rule configurations that Network Firewall analyzes your
94
+ # rule groups for. Network Firewall analyzes stateless rule groups for
95
+ # the following types of rule configurations:
96
+ #
97
+ # * `STATELESS_RULE_FORWARDING_ASYMMETRICALLY`
98
+ #
99
+ # Cause: One or more stateless rules with the action `pass` or
100
+ # `forward` are forwarding traffic asymmetrically. Specifically, the
101
+ # rule's set of source IP addresses or their associated port
102
+ # numbers, don't match the set of destination IP addresses or their
103
+ # associated port numbers.
104
+ #
105
+ # To mitigate: Make sure that there's an existing return path. For
106
+ # example, if the rule allows traffic from source 10.1.0.0/24 to
107
+ # destination 20.1.0.0/24, you should allow return traffic from
108
+ # source 20.1.0.0/24 to destination 10.1.0.0/24.
109
+ #
110
+ # * `STATELESS_RULE_CONTAINS_TCP_FLAGS`
111
+ #
112
+ # Cause: At least one stateless rule with the action `pass`
113
+ # or`forward` contains TCP flags that are inconsistent in the
114
+ # forward and return directions.
115
+ #
116
+ # To mitigate: Prevent asymmetric routing issues caused by TCP flags
117
+ # by following these actions:
118
+ #
119
+ # * Remove unnecessary TCP flag inspections from the rules.
120
+ #
121
+ # * If you need to inspect TCP flags, check that the rules correctly
122
+ # account for changes in TCP flags throughout the TCP connection
123
+ # cycle, for example `SYN` and `ACK` flags used in a 3-way TCP
124
+ # handshake.
125
+ # @return [String]
126
+ #
127
+ # @!attribute [rw] analysis_detail
128
+ # Provides analysis details for the identified rule.
129
+ # @return [String]
130
+ #
131
+ # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/AnalysisResult AWS API Documentation
132
+ #
133
+ class AnalysisResult < Struct.new(
134
+ :identified_rule_ids,
135
+ :identified_type,
136
+ :analysis_detail)
137
+ SENSITIVE = []
138
+ include Aws::Structure
139
+ end
140
+
77
141
  # @!attribute [rw] update_token
78
142
  # An optional token that you can use for optimistic locking. Network
79
143
  # Firewall returns a token to your requests that access the firewall.
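Review bot: The class description for the new AnalysisResult says the identified rules `might adversely effect your firewall's functionality`; the verb wanted is `affect`, so the line should read `# that might adversely effect your firewall's functionality. For` with `effect` replaced by `affect`. The same sentence is repeated in the `analysis_results` attribute comment added to RuleGroupResponse in the hunk at `@@ -3159,6 +3244,17 @@`. In the `STATELESS_RULE_CONTAINS_TCP_FLAGS` bullet, `or`forward`` lacks the space before the opening backtick, which will break the inline-code rendering of `forward`. Separately, `identified_rule_ids` is described as `The priority number of the stateless rules` while its declared type is `Array<String>`; if the strings are indeed rule priorities, saying so explicitly would spare callers a guess, and if these comments are generated from the API model the fixes presumably belong there.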
@@ -367,13 +431,13 @@ module Aws::NetworkFirewall
367
431
  # * **PASS** - Allow the connection to continue, and pass subsequent
368
432
  # packets to the stateful engine for inspection.
369
433
  #
370
- # * **DROP** - Network Firewall fails closed and drops all subsequent
371
- # traffic.
434
+ # * **DROP** - Network Firewall closes the connection and drops
435
+ # subsequent packets for that connection.
372
436
  #
373
437
  # * **REJECT** - Network Firewall sends a TCP reject packet back to
374
- # your client so that the client can immediately establish a new
375
- # session. Network Firewall then fails closed and drops all
376
- # subsequent traffic. `REJECT` is available only for TCP traffic.
438
+ # your client. The service closes the connection and drops
439
+ # subsequent packets for that connection. `REJECT` is available only
440
+ # for TCP traffic.
377
441
  # @return [String]
378
442
  #
379
443
  # @!attribute [rw] unknown_status_action
@@ -386,13 +450,13 @@ module Aws::NetworkFirewall
386
450
  # * **PASS** - Allow the connection to continue, and pass subsequent
387
451
  # packets to the stateful engine for inspection.
388
452
  #
389
- # * **DROP** - Network Firewall fails closed and drops all subsequent
390
- # traffic.
453
+ # * **DROP** - Network Firewall closes the connection and drops
454
+ # subsequent packets for that connection.
391
455
  #
392
456
  # * **REJECT** - Network Firewall sends a TCP reject packet back to
393
- # your client so that the client can immediately establish a new
394
- # session. Network Firewall then fails closed and drops all
395
- # subsequent traffic. `REJECT` is available only for TCP traffic.
457
+ # your client. The service closes the connection and drops
458
+ # subsequent packets for that connection. `REJECT` is available only
459
+ # for TCP traffic.
396
460
  # @return [String]
397
461
  #
398
462
  # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/CheckCertificateRevocationStatusActions AWS API Documentation
@@ -704,6 +768,14 @@ module Aws::NetworkFirewall
704
768
  # track of updates made to the originating rule group.
705
769
  # @return [Types::SourceMetadata]
706
770
  #
771
+ # @!attribute [rw] analyze_rule_group
772
+ # Indicates whether you want Network Firewall to analyze the stateless
773
+ # rules in the rule group for rule behavior such as asymmetric
774
+ # routing. If set to `TRUE`, Network Firewall runs the analysis and
775
+ # then creates the rule group for you. To run the stateless rule group
776
+ # analyzer without creating the rule group, set `DryRun` to `TRUE`.
777
+ # @return [Boolean]
778
+ #
707
779
  # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/CreateRuleGroupRequest AWS API Documentation
708
780
  #
709
781
  class CreateRuleGroupRequest < Struct.new(
@@ -716,7 +788,8 @@ module Aws::NetworkFirewall
716
788
  :tags,
717
789
  :dry_run,
718
790
  :encryption_configuration,
719
- :source_metadata)
791
+ :source_metadata,
792
+ :analyze_rule_group)
720
793
  SENSITIVE = []
721
794
  include Aws::Structure
722
795
  end
@@ -1382,12 +1455,19 @@ module Aws::NetworkFirewall
1382
1455
  # </note>
1383
1456
  # @return [String]
1384
1457
  #
1458
+ # @!attribute [rw] analyze_rule_group
1459
+ # Indicates whether you want Network Firewall to analyze the stateless
1460
+ # rules in the rule group for rule behavior such as asymmetric
1461
+ # routing. If set to `TRUE`, Network Firewall runs the analysis.
1462
+ # @return [Boolean]
1463
+ #
1385
1464
  # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DescribeRuleGroupRequest AWS API Documentation
1386
1465
  #
1387
1466
  class DescribeRuleGroupRequest < Struct.new(
1388
1467
  :rule_group_name,
1389
1468
  :rule_group_arn,
1390
- :type)
1469
+ :type,
1470
+ :analyze_rule_group)
1391
1471
  SENSITIVE = []
1392
1472
  include Aws::Structure
1393
1473
  end
@@ -3033,7 +3113,12 @@ module Aws::NetworkFirewall
3033
3113
  # Additional options governing how Network Firewall handles stateful
3034
3114
  # rules. The policies where you use your stateful rule group must have
3035
3115
  # stateful rule options settings that are compatible with these
3036
- # settings.
3116
+ # settings. Some limitations apply; for more information, see [Strict
3117
+ # evaluation order][1] in the *Network Firewall Developer Guide*.
3118
+ #
3119
+ #
3120
+ #
3121
+ # [1]: https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-limitations-caveats.html
3037
3122
  # @return [Types::StatefulRuleOptions]
3038
3123
  #
3039
3124
  # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/RuleGroup AWS API Documentation
@@ -3159,6 +3244,17 @@ module Aws::NetworkFirewall
3159
3244
  # The last time that the rule group was changed.
3160
3245
  # @return [Time]
3161
3246
  #
3247
+ # @!attribute [rw] analysis_results
3248
+ # The list of analysis results for `AnalyzeRuleGroup`. If you set
3249
+ # `AnalyzeRuleGroup` to `TRUE` in CreateRuleGroup, UpdateRuleGroup, or
3250
+ # DescribeRuleGroup, Network Firewall analyzes the rule group and
3251
+ # identifies the rules that might adversely effect your firewall's
3252
+ # functionality. For example, if Network Firewall detects a rule
3253
+ # that's routing traffic asymmetrically, which impacts the service's
3254
+ # ability to properly process traffic, the service includes the rule
3255
+ # in the list of analysis results.
3256
+ # @return [Array<Types::AnalysisResult>]
3257
+ #
3162
3258
  # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/RuleGroupResponse AWS API Documentation
3163
3259
  #
3164
3260
  class RuleGroupResponse < Struct.new(
@@ -3175,7 +3271,8 @@ module Aws::NetworkFirewall
3175
3271
  :encryption_configuration,
3176
3272
  :source_metadata,
3177
3273
  :sns_topic,
3178
- :last_modified_time)
3274
+ :last_modified_time,
3275
+ :analysis_results)
3179
3276
  SENSITIVE = []
3180
3277
  include Aws::Structure
3181
3278
  end
@@ -3239,14 +3336,18 @@ module Aws::NetworkFirewall
3239
3336
  # instance of this for either stateless rules or stateful rules.
3240
3337
  #
3241
3338
  # @!attribute [rw] rules_string
3242
- # Stateful inspection criteria, provided in Suricata compatible
3243
- # intrusion prevention system (IPS) rules. Suricata is an open-source
3244
- # network IPS that includes a standard rule-based language for network
3245
- # traffic inspection.
3339
+ # Stateful inspection criteria, provided in Suricata compatible rules.
3340
+ # Suricata is an open-source threat detection framework that includes
3341
+ # a standard rule-based language for network traffic inspection.
3246
3342
  #
3247
3343
  # These rules contain the inspection criteria and the action to take
3248
3344
  # for traffic that matches the criteria, so this type of rule group
3249
3345
  # doesn't have a separate action setting.
3346
+ #
3347
+ # <note markdown="1"> You can't use the `priority` keyword if the `RuleOrder` option in
3348
+ # StatefulRuleOptions is set to `STRICT_ORDER`.
3349
+ #
3350
+ # </note>
3250
3351
  # @return [String]
3251
3352
  #
3252
3353
  # @!attribute [rw] rules_source_list
@@ -3365,9 +3466,9 @@ module Aws::NetworkFirewall
3365
3466
  # TLSInspectionConfiguration. You can configure `ServerCertificates` for
3366
3467
  # inbound SSL/TLS inspection, a `CertificateAuthorityArn` for outbound
3367
3468
  # SSL/TLS inspection, or both. For information about working with
3368
- # certificates for TLS inspection, see [ Requirements for using SSL/TLS
3369
- # server certficiates with TLS inspection configurations][1] in the
3370
- # *Network Firewall Developer Guide*.
3469
+ # certificates for TLS inspection, see [ Using SSL/TLS server
3470
+ # certficiates with TLS inspection configurations][1] in the *Network
3471
+ # Firewall Developer Guide*.
3371
3472
  #
3372
3473
  # <note markdown="1"> If a server certificate that's associated with your
3373
3474
  # TLSInspectionConfiguration is revoked, deleted, or expired it can
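Review bot: The link text rewritten on the second added line of the hunk still carries the misspelling `certficiates`; it should read `# certificates with TLS inspection configurations][1] in the *Network`. The misspelling was already in the removed text, so the rewrite was the natural moment to fix it. The struct these attribute comments belong to is defined outside the hunk.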
@@ -3380,8 +3481,8 @@ module Aws::NetworkFirewall
3380
3481
  # [1]: https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection-certificate-requirements.html
3381
3482
  #
3382
3483
  # @!attribute [rw] server_certificates
3383
- # The list of a server certificate configuration's Certificate
3384
- # Manager certificates, used for inbound SSL/TLS inspection.
3484
+ # The list of server certificates to use for inbound SSL/TLS
3485
+ # inspection.
3385
3486
  # @return [Array<Types::ServerCertificate>]
3386
3487
  #
3387
3488
  # @!attribute [rw] scopes
@@ -3390,7 +3491,7 @@ module Aws::NetworkFirewall
3390
3491
  #
3391
3492
  # @!attribute [rw] certificate_authority_arn
3392
3493
  # The Amazon Resource Name (ARN) of the imported certificate authority
3393
- # (CA) certificate configured in Certificate Manager (ACM) to use for
3494
+ # (CA) certificate within Certificate Manager (ACM) to use for
3394
3495
  # outbound SSL/TLS inspection.
3395
3496
  #
3396
3497
  # The following limitations apply:
@@ -3401,8 +3502,8 @@ module Aws::NetworkFirewall
3401
3502
  # * You can't use certificates issued by Private Certificate
3402
3503
  # Authority.
3403
3504
  #
3404
- # For more information about the certificate requirements for outbound
3405
- # inspection, see [Requirements for using SSL/TLS certificates with
3505
+ # For more information about configuring certificates for outbound
3506
+ # inspection, see [Using SSL/TLS certificates with certificates with
3406
3507
  # TLS inspection configurations][1] in the *Network Firewall Developer
3407
3508
  # Guide*.
3408
3509
  #
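Review bot: The new link text on the second added line reads `see [Using SSL/TLS certificates with certificates with`, which together with the following context line yields `certificates with certificates with TLS inspection configurations`; the phrase is duplicated. The line should become `# inspection, see [Using SSL/TLS certificates with` so the link title reads `Using SSL/TLS certificates with TLS inspection configurations`. The struct these attribute comments belong to is defined outside the hunk.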
@@ -3420,8 +3521,9 @@ module Aws::NetworkFirewall
3420
3521
  # presented by the server in the SSL/TLS connection has a revoked or
3421
3522
  # unkown status. If the certificate has an unknown or revoked status,
3422
3523
  # you must specify the actions that Network Firewall takes on outbound
3423
- # traffic. To use this option, you must specify a
3424
- # `CertificateAuthorityArn` in ServerCertificateConfiguration.
3524
+ # traffic. To check the certificate revocation status, you must also
3525
+ # specify a `CertificateAuthorityArn` in
3526
+ # ServerCertificateConfiguration.
3425
3527
  # @return [Types::CheckCertificateRevocationStatusActions]
3426
3528
  #
3427
3529
  # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/ServerCertificateConfiguration AWS API Documentation
@@ -3525,11 +3627,17 @@ module Aws::NetworkFirewall
3525
3627
  #
3526
3628
  # @!attribute [rw] rule_order
3527
3629
  # Indicates how to manage the order of stateful rule evaluation for
3528
- # the policy. `DEFAULT_ACTION_ORDER` is the default behavior. Stateful
3529
- # rules are provided to the rule engine as Suricata compatible
3530
- # strings, and Suricata evaluates them based on certain settings. For
3531
- # more information, see [Evaluation order for stateful rules][1] in
3532
- # the *Network Firewall Developer Guide*.
3630
+ # the policy. `STRICT_ORDER` is the default and recommended option.
3631
+ # With `STRICT_ORDER`, provide your rules in the order that you want
3632
+ # them to be evaluated. You can then choose one or more default
3633
+ # actions for packets that don't match any rules. Choose
3634
+ # `STRICT_ORDER` to have the stateful rules engine determine the
3635
+ # evaluation order of your rules. The default action for this rule
3636
+ # order is `PASS`, followed by `DROP`, `REJECT`, and `ALERT` actions.
3637
+ # Stateful rules are provided to the rule engine as Suricata
3638
+ # compatible strings, and Suricata evaluates them based on your
3639
+ # settings. For more information, see [Evaluation order for stateful
3640
+ # rules][1] in the *Network Firewall Developer Guide*.
3533
3641
  #
3534
3642
  #
3535
3643
  #
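Review bot: The rewritten `rule_order` comment contradicts itself: the second and third added lines say that with `STRICT_ORDER` you `provide your rules in the order that you want them to be evaluated`, yet the fifth and sixth lines say to `Choose STRICT_ORDER to have the stateful rules engine determine the evaluation order of your rules` and then list the fixed action precedence `PASS`, `DROP`, `REJECT`, `ALERT`. Those latter sentences describe the engine-ordered mode, which this SDK names `DEFAULT_ACTION_ORDER`, so the second mention presumably should name `DEFAULT_ACTION_ORDER` instead of `STRICT_ORDER`. This is worth getting right because evaluation order decides whether a broad pass rule shadows a later drop rule, and a reader choosing a mode from this comment would select the opposite of what they intend. The opening claim that `STRICT_ORDER` is the default is also worth confirming against the service, since the text it replaces named `DEFAULT_ACTION_ORDER` as the default behavior.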
@@ -3596,9 +3704,8 @@ module Aws::NetworkFirewall
3596
3704
  # destination and sends an alert log message, if alert logging is
3597
3705
  # configured in the Firewall LoggingConfiguration.
3598
3706
  #
3599
- # * **ALERT** - Permits the packets to go to the intended destination
3600
- # and sends an alert log message, if alert logging is configured in
3601
- # the Firewall LoggingConfiguration.
3707
+ # * **ALERT** - Sends an alert log message, if alert logging is
3708
+ # configured in the Firewall LoggingConfiguration.
3602
3709
  #
3603
3710
  # You can use this action to test a rule that you intend to use to
3604
3711
  # drop traffic. You can enable the rule with `ALERT` action, verify
@@ -4803,6 +4910,14 @@ module Aws::NetworkFirewall
4803
4910
  # track of updates made to the originating rule group.
4804
4911
  # @return [Types::SourceMetadata]
4805
4912
  #
4913
+ # @!attribute [rw] analyze_rule_group
4914
+ # Indicates whether you want Network Firewall to analyze the stateless
4915
+ # rules in the rule group for rule behavior such as asymmetric
4916
+ # routing. If set to `TRUE`, Network Firewall runs the analysis and
4917
+ # then updates the rule group for you. To run the stateless rule group
4918
+ # analyzer without updating the rule group, set `DryRun` to `TRUE`.
4919
+ # @return [Boolean]
4920
+ #
4806
4921
  # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/UpdateRuleGroupRequest AWS API Documentation
4807
4922
  #
4808
4923
  class UpdateRuleGroupRequest < Struct.new(
@@ -4815,7 +4930,8 @@ module Aws::NetworkFirewall
4815
4930
  :description,
4816
4931
  :dry_run,
4817
4932
  :encryption_configuration,
4818
- :source_metadata)
4933
+ :source_metadata,
4934
+ :analyze_rule_group)
4819
4935
  SENSITIVE = []
4820
4936
  include Aws::Structure
4821
4937
  end
@@ -52,6 +52,6 @@ require_relative 'aws-sdk-networkfirewall/customizations'
52
52
  # @!group service
53
53
  module Aws::NetworkFirewall
54
54
 
55
- GEM_VERSION = '1.36.0'
55
+ GEM_VERSION = '1.37.0'
56
56
 
57
57
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: aws-sdk-networkfirewall
3
3
  version: !ruby/object:Gem::Version
4
- version: 1.36.0
4
+ version: 1.37.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Amazon Web Services
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2023-10-26 00:00:00.000000000 Z
11
+ date: 2023-11-02 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: aws-sdk-core