aws-sdk-networkfirewall 1.36.0 → 1.37.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5c5bf32a26450f873306ff092b4e1b4ece4508dedc0e8c60f8c90f683a9049a5
-  data.tar.gz: cc5d2460dadd157009ec50050cbcc928bfdf37c8ae47b09dffb13aa5eda1e272
+  metadata.gz: 1ead7232a47e4248e5f8e27ffea9f25c2440d542fc0bfa6578c81b9486b7b07b
+  data.tar.gz: c85889a00b03ab03b4b4497d90bc5d43b820a91ed2138c8794e65bd58f5eba3e
 SHA512:
-  metadata.gz: 1e21e992ce09f252a6f004ab93349d8d4a66f7c08d1658e68a89d515a8f24db017fbeebb17110df25d4a8b89aac63b933f40cf486558490f17bc118db25183d9
-  data.tar.gz: b867ef794e837c2045c6ef228f5ae324f5b80844da2198c636c2b4733591ba676959ab4c29f1a82b411f085c0a359feb0edea732c8ba0c75c72d443d905115e4
+  metadata.gz: 0f9693651148e310a4006394e3381083ef03f7eff5d883e8cf5e9ac9957d55ec79b1cce56c4251feca36e702c1136804a58740568ccd3b7088a321edad22af15
+  data.tar.gz: dfc2ed10eb6ad18b5191eddc9c48ce7d233239c5fe911503882d981891d126e7a0c6ae6e2c189ee1ce8344051a4b8dfc3b44a7396a7cd5c97c878027e8831fbe

data/CHANGELOG.md

@@ -1,6 +1,11 @@
 Unreleased Changes
 ------------------
 
+1.37.0 (2023-11-02)
+------------------
+
+* Feature - This release introduces the stateless rule analyzer, which enables you to analyze your stateless rules for asymmetric routing.
+
 1.36.0 (2023-10-26)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-1.36.0
+1.37.0

data/lib/aws-sdk-networkfirewall/client.rb

@@ -955,6 +955,13 @@ module Aws::NetworkFirewall
     #   own rule group is copied from. You can use the metadata to keep track
     #   of updates made to the originating rule group.
     #
+    # @option params [Boolean] :analyze_rule_group
+    #   Indicates whether you want Network Firewall to analyze the stateless
+    #   rules in the rule group for rule behavior such as asymmetric routing.
+    #   If set to `TRUE`, Network Firewall runs the analysis and then creates
+    #   the rule group for you. To run the stateless rule group analyzer
+    #   without creating the rule group, set `DryRun` to `TRUE`.
+    #
     # @return [Types::CreateRuleGroupResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::CreateRuleGroupResponse#update_token #update_token} => String
@@ -1089,6 +1096,7 @@ module Aws::NetworkFirewall
     #       source_arn: "ResourceArn",
     #       source_update_token: "UpdateToken",
     #     },
+    #     analyze_rule_group: false,
     #   })
     #
     # @example Response structure
@@ -1112,6 +1120,11 @@ module Aws::NetworkFirewall
     #   resp.rule_group_response.source_metadata.source_update_token #=> String
     #   resp.rule_group_response.sns_topic #=> String
     #   resp.rule_group_response.last_modified_time #=> Time
+    #   resp.rule_group_response.analysis_results #=> Array
+    #   resp.rule_group_response.analysis_results[0].identified_rule_ids #=> Array
+    #   resp.rule_group_response.analysis_results[0].identified_rule_ids[0] #=> String
+    #   resp.rule_group_response.analysis_results[0].identified_type #=> String, one of "STATELESS_RULE_FORWARDING_ASYMMETRICALLY", "STATELESS_RULE_CONTAINS_TCP_FLAGS"
+    #   resp.rule_group_response.analysis_results[0].analysis_detail #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/CreateRuleGroup AWS API Documentation
     #
@@ -1123,9 +1136,10 @@ module Aws::NetworkFirewall
     end
 
     # Creates an Network Firewall TLS inspection configuration. A TLS
-    # inspection configuration contains the Certificate Manager certificate
-    # associations that Network Firewall uses to decrypt and re-encrypt
-    # traffic traveling through your firewall.
+    # inspection configuration contains Certificate Manager certificate
+    # associations between and the scope configurations that Network
+    # Firewall uses to decrypt and re-encrypt traffic traveling through your
+    # firewall.
     #
     # After you create a TLS inspection configuration, you can associate it
     # with a new firewall policy.
@@ -1508,6 +1522,11 @@ module Aws::NetworkFirewall
     #   resp.rule_group_response.source_metadata.source_update_token #=> String
     #   resp.rule_group_response.sns_topic #=> String
     #   resp.rule_group_response.last_modified_time #=> Time
+    #   resp.rule_group_response.analysis_results #=> Array
+    #   resp.rule_group_response.analysis_results[0].identified_rule_ids #=> Array
+    #   resp.rule_group_response.analysis_results[0].identified_rule_ids[0] #=> String
+    #   resp.rule_group_response.analysis_results[0].identified_type #=> String, one of "STATELESS_RULE_FORWARDING_ASYMMETRICALLY", "STATELESS_RULE_CONTAINS_TCP_FLAGS"
+    #   resp.rule_group_response.analysis_results[0].analysis_detail #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DeleteRuleGroup AWS API Documentation
     #
@@ -1817,6 +1836,11 @@ module Aws::NetworkFirewall
     #
     #    </note>
     #
+    # @option params [Boolean] :analyze_rule_group
+    #   Indicates whether you want Network Firewall to analyze the stateless
+    #   rules in the rule group for rule behavior such as asymmetric routing.
+    #   If set to `TRUE`, Network Firewall runs the analysis.
+    #
     # @return [Types::DescribeRuleGroupResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::DescribeRuleGroupResponse#update_token #update_token} => String
@@ -1829,6 +1853,7 @@ module Aws::NetworkFirewall
     #     rule_group_name: "ResourceName",
     #     rule_group_arn: "ResourceArn",
     #     type: "STATELESS", # accepts STATELESS, STATEFUL
+    #     analyze_rule_group: false,
     #   })
     #
     # @example Response structure
@@ -1904,6 +1929,11 @@ module Aws::NetworkFirewall
     #   resp.rule_group_response.source_metadata.source_update_token #=> String
     #   resp.rule_group_response.sns_topic #=> String
     #   resp.rule_group_response.last_modified_time #=> Time
+    #   resp.rule_group_response.analysis_results #=> Array
+    #   resp.rule_group_response.analysis_results[0].identified_rule_ids #=> Array
+    #   resp.rule_group_response.analysis_results[0].identified_rule_ids[0] #=> String
+    #   resp.rule_group_response.analysis_results[0].identified_type #=> String, one of "STATELESS_RULE_FORWARDING_ASYMMETRICALLY", "STATELESS_RULE_CONTAINS_TCP_FLAGS"
+    #   resp.rule_group_response.analysis_results[0].analysis_detail #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DescribeRuleGroup AWS API Documentation
     #
@@ -3169,6 +3199,13 @@ module Aws::NetworkFirewall
     #   own rule group is copied from. You can use the metadata to keep track
     #   of updates made to the originating rule group.
     #
+    # @option params [Boolean] :analyze_rule_group
+    #   Indicates whether you want Network Firewall to analyze the stateless
+    #   rules in the rule group for rule behavior such as asymmetric routing.
+    #   If set to `TRUE`, Network Firewall runs the analysis and then updates
+    #   the rule group for you. To run the stateless rule group analyzer
+    #   without updating the rule group, set `DryRun` to `TRUE`.
+    #
     # @return [Types::UpdateRuleGroupResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::UpdateRuleGroupResponse#update_token #update_token} => String
@@ -3298,6 +3335,7 @@ module Aws::NetworkFirewall
     #       source_arn: "ResourceArn",
     #       source_update_token: "UpdateToken",
     #     },
+    #     analyze_rule_group: false,
     #   })
     #
     # @example Response structure
@@ -3321,6 +3359,11 @@ module Aws::NetworkFirewall
     #   resp.rule_group_response.source_metadata.source_update_token #=> String
     #   resp.rule_group_response.sns_topic #=> String
     #   resp.rule_group_response.last_modified_time #=> Time
+    #   resp.rule_group_response.analysis_results #=> Array
+    #   resp.rule_group_response.analysis_results[0].identified_rule_ids #=> Array
+    #   resp.rule_group_response.analysis_results[0].identified_rule_ids[0] #=> String
+    #   resp.rule_group_response.analysis_results[0].identified_type #=> String, one of "STATELESS_RULE_FORWARDING_ASYMMETRICALLY", "STATELESS_RULE_CONTAINS_TCP_FLAGS"
+    #   resp.rule_group_response.analysis_results[0].analysis_detail #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/UpdateRuleGroup AWS API Documentation
     #
@@ -3572,7 +3615,7 @@ module Aws::NetworkFirewall
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-networkfirewall'
-      context[:gem_version] = '1.36.0'
+      context[:gem_version] = '1.37.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-networkfirewall/client_api.rb

@@ -18,6 +18,8 @@ module Aws::NetworkFirewall
     Address = Shapes::StructureShape.new(name: 'Address')
     AddressDefinition = Shapes::StringShape.new(name: 'AddressDefinition')
     Addresses = Shapes::ListShape.new(name: 'Addresses')
+    AnalysisResult = Shapes::StructureShape.new(name: 'AnalysisResult')
+    AnalysisResultList = Shapes::ListShape.new(name: 'AnalysisResultList')
     AssociateFirewallPolicyRequest = Shapes::StructureShape.new(name: 'AssociateFirewallPolicyRequest')
     AssociateFirewallPolicyResponse = Shapes::StructureShape.new(name: 'AssociateFirewallPolicyResponse')
     AssociateSubnetsRequest = Shapes::StructureShape.new(name: 'AssociateSubnetsRequest')
@@ -103,6 +105,7 @@ module Aws::NetworkFirewall
     IPSetReferenceMap = Shapes::MapShape.new(name: 'IPSetReferenceMap')
     IPSetReferenceName = Shapes::StringShape.new(name: 'IPSetReferenceName')
     IPSets = Shapes::MapShape.new(name: 'IPSets')
+    IdentifiedType = Shapes::StringShape.new(name: 'IdentifiedType')
     InsufficientCapacityException = Shapes::StructureShape.new(name: 'InsufficientCapacityException')
     InternalServerError = Shapes::StructureShape.new(name: 'InternalServerError')
     InvalidOperationException = Shapes::StructureShape.new(name: 'InvalidOperationException')
@@ -168,6 +171,7 @@ module Aws::NetworkFirewall
     RuleGroupResponse = Shapes::StructureShape.new(name: 'RuleGroupResponse')
     RuleGroupType = Shapes::StringShape.new(name: 'RuleGroupType')
     RuleGroups = Shapes::ListShape.new(name: 'RuleGroups')
+    RuleIdList = Shapes::ListShape.new(name: 'RuleIdList')
     RuleOption = Shapes::StructureShape.new(name: 'RuleOption')
     RuleOptions = Shapes::ListShape.new(name: 'RuleOptions')
     RuleOrder = Shapes::StringShape.new(name: 'RuleOrder')
@@ -266,6 +270,13 @@ module Aws::NetworkFirewall
 
     Addresses.member = Shapes::ShapeRef.new(shape: Address)
 
+    AnalysisResult.add_member(:identified_rule_ids, Shapes::ShapeRef.new(shape: RuleIdList, location_name: "IdentifiedRuleIds"))
+    AnalysisResult.add_member(:identified_type, Shapes::ShapeRef.new(shape: IdentifiedType, location_name: "IdentifiedType"))
+    AnalysisResult.add_member(:analysis_detail, Shapes::ShapeRef.new(shape: CollectionMember_String, location_name: "AnalysisDetail"))
+    AnalysisResult.struct_class = Types::AnalysisResult
+
+    AnalysisResultList.member = Shapes::ShapeRef.new(shape: AnalysisResult)
+
     AssociateFirewallPolicyRequest.add_member(:update_token, Shapes::ShapeRef.new(shape: UpdateToken, location_name: "UpdateToken"))
     AssociateFirewallPolicyRequest.add_member(:firewall_arn, Shapes::ShapeRef.new(shape: ResourceArn, location_name: "FirewallArn"))
     AssociateFirewallPolicyRequest.add_member(:firewall_name, Shapes::ShapeRef.new(shape: ResourceName, location_name: "FirewallName"))
@@ -350,6 +361,7 @@ module Aws::NetworkFirewall
     CreateRuleGroupRequest.add_member(:dry_run, Shapes::ShapeRef.new(shape: Boolean, location_name: "DryRun"))
     CreateRuleGroupRequest.add_member(:encryption_configuration, Shapes::ShapeRef.new(shape: EncryptionConfiguration, location_name: "EncryptionConfiguration"))
     CreateRuleGroupRequest.add_member(:source_metadata, Shapes::ShapeRef.new(shape: SourceMetadata, location_name: "SourceMetadata"))
+    CreateRuleGroupRequest.add_member(:analyze_rule_group, Shapes::ShapeRef.new(shape: Boolean, location_name: "AnalyzeRuleGroup"))
     CreateRuleGroupRequest.struct_class = Types::CreateRuleGroupRequest
 
     CreateRuleGroupResponse.add_member(:update_token, Shapes::ShapeRef.new(shape: UpdateToken, required: true, location_name: "UpdateToken"))
@@ -457,6 +469,7 @@ module Aws::NetworkFirewall
     DescribeRuleGroupRequest.add_member(:rule_group_name, Shapes::ShapeRef.new(shape: ResourceName, location_name: "RuleGroupName"))
     DescribeRuleGroupRequest.add_member(:rule_group_arn, Shapes::ShapeRef.new(shape: ResourceArn, location_name: "RuleGroupArn"))
     DescribeRuleGroupRequest.add_member(:type, Shapes::ShapeRef.new(shape: RuleGroupType, location_name: "Type"))
+    DescribeRuleGroupRequest.add_member(:analyze_rule_group, Shapes::ShapeRef.new(shape: Boolean, location_name: "AnalyzeRuleGroup"))
     DescribeRuleGroupRequest.struct_class = Types::DescribeRuleGroupRequest
 
     DescribeRuleGroupResponse.add_member(:update_token, Shapes::ShapeRef.new(shape: UpdateToken, required: true, location_name: "UpdateToken"))
@@ -735,10 +748,13 @@ module Aws::NetworkFirewall
     RuleGroupResponse.add_member(:source_metadata, Shapes::ShapeRef.new(shape: SourceMetadata, location_name: "SourceMetadata"))
     RuleGroupResponse.add_member(:sns_topic, Shapes::ShapeRef.new(shape: ResourceArn, location_name: "SnsTopic"))
     RuleGroupResponse.add_member(:last_modified_time, Shapes::ShapeRef.new(shape: LastUpdateTime, location_name: "LastModifiedTime"))
+    RuleGroupResponse.add_member(:analysis_results, Shapes::ShapeRef.new(shape: AnalysisResultList, location_name: "AnalysisResults"))
     RuleGroupResponse.struct_class = Types::RuleGroupResponse
 
     RuleGroups.member = Shapes::ShapeRef.new(shape: RuleGroupMetadata)
 
+    RuleIdList.member = Shapes::ShapeRef.new(shape: CollectionMember_String)
+
     RuleOption.add_member(:keyword, Shapes::ShapeRef.new(shape: Keyword, required: true, location_name: "Keyword"))
     RuleOption.add_member(:settings, Shapes::ShapeRef.new(shape: Settings, location_name: "Settings"))
     RuleOption.struct_class = Types::RuleOption
@@ -993,6 +1009,7 @@ module Aws::NetworkFirewall
     UpdateRuleGroupRequest.add_member(:dry_run, Shapes::ShapeRef.new(shape: Boolean, location_name: "DryRun"))
     UpdateRuleGroupRequest.add_member(:encryption_configuration, Shapes::ShapeRef.new(shape: EncryptionConfiguration, location_name: "EncryptionConfiguration"))
     UpdateRuleGroupRequest.add_member(:source_metadata, Shapes::ShapeRef.new(shape: SourceMetadata, location_name: "SourceMetadata"))
+    UpdateRuleGroupRequest.add_member(:analyze_rule_group, Shapes::ShapeRef.new(shape: Boolean, location_name: "AnalyzeRuleGroup"))
     UpdateRuleGroupRequest.struct_class = Types::UpdateRuleGroupRequest
 
     UpdateRuleGroupResponse.add_member(:update_token, Shapes::ShapeRef.new(shape: UpdateToken, required: true, location_name: "UpdateToken"))

data/lib/aws-sdk-networkfirewall/types.rb

@@ -74,6 +74,70 @@ module Aws::NetworkFirewall
       include Aws::Structure
     end
 
+    # The analysis result for Network Firewall's stateless rule group
+    # analyzer. Every time you call CreateRuleGroup, UpdateRuleGroup, or
+    # DescribeRuleGroup on a stateless rule group, Network Firewall analyzes
+    # the stateless rule groups in your account and identifies the rules
+    # that might adversely effect your firewall's functionality. For
+    # example, if Network Firewall detects a rule that's routing traffic
+    # asymmetrically, which impacts the service's ability to properly
+    # process traffic, the service includes the rule in a list of analysis
+    # results.
+    #
+    # @!attribute [rw] identified_rule_ids
+    #   The priority number of the stateless rules identified in the
+    #   analysis.
+    #   @return [Array<String>]
+    #
+    # @!attribute [rw] identified_type
+    #   The types of rule configurations that Network Firewall analyzes your
+    #   rule groups for. Network Firewall analyzes stateless rule groups for
+    #   the following types of rule configurations:
+    #
+    #   * `STATELESS_RULE_FORWARDING_ASYMMETRICALLY`
+    #
+    #     Cause: One or more stateless rules with the action `pass` or
+    #     `forward` are forwarding traffic asymmetrically. Specifically, the
+    #     rule's set of source IP addresses or their associated port
+    #     numbers, don't match the set of destination IP addresses or their
+    #     associated port numbers.
+    #
+    #     To mitigate: Make sure that there's an existing return path. For
+    #     example, if the rule allows traffic from source 10.1.0.0/24 to
+    #     destination 20.1.0.0/24, you should allow return traffic from
+    #     source 20.1.0.0/24 to destination 10.1.0.0/24.
+    #
+    #   * `STATELESS_RULE_CONTAINS_TCP_FLAGS`
+    #
+    #     Cause: At least one stateless rule with the action `pass`
+    #     or`forward` contains TCP flags that are inconsistent in the
+    #     forward and return directions.
+    #
+    #     To mitigate: Prevent asymmetric routing issues caused by TCP flags
+    #     by following these actions:
+    #
+    #     * Remove unnecessary TCP flag inspections from the rules.
+    #
+    #     * If you need to inspect TCP flags, check that the rules correctly
+    #       account for changes in TCP flags throughout the TCP connection
+    #       cycle, for example `SYN` and `ACK` flags used in a 3-way TCP
+    #       handshake.
+    #   @return [String]
+    #
+    # @!attribute [rw] analysis_detail
+    #   Provides analysis details for the identified rule.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/AnalysisResult AWS API Documentation
+    #
+    class AnalysisResult < Struct.new(
+      :identified_rule_ids,
+      :identified_type,
+      :analysis_detail)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @!attribute [rw] update_token
     #   An optional token that you can use for optimistic locking. Network
     #   Firewall returns a token to your requests that access the firewall.
@@ -367,13 +431,13 @@ module Aws::NetworkFirewall
     #   * **PASS** - Allow the connection to continue, and pass subsequent
     #     packets to the stateful engine for inspection.
     #
-    #   * **DROP** - Network Firewall fails closed and drops all subsequent
-    #     traffic.
+    #   * **DROP** - Network Firewall closes the connection and drops
+    #     subsequent packets for that connection.
     #
     #   * **REJECT** - Network Firewall sends a TCP reject packet back to
-    #     your client so that the client can immediately establish a new
-    #     session. Network Firewall then fails closed and drops all
-    #     subsequent traffic. `REJECT` is available only for TCP traffic.
+    #     your client. The service closes the connection and drops
+    #     subsequent packets for that connection. `REJECT` is available only
+    #     for TCP traffic.
     #   @return [String]
     #
     # @!attribute [rw] unknown_status_action
@@ -386,13 +450,13 @@ module Aws::NetworkFirewall
     #   * **PASS** - Allow the connection to continue, and pass subsequent
     #     packets to the stateful engine for inspection.
     #
-    #   * **DROP** - Network Firewall fails closed and drops all subsequent
-    #     traffic.
+    #   * **DROP** - Network Firewall closes the connection and drops
+    #     subsequent packets for that connection.
     #
     #   * **REJECT** - Network Firewall sends a TCP reject packet back to
-    #     your client so that the client can immediately establish a new
-    #     session. Network Firewall then fails closed and drops all
-    #     subsequent traffic. `REJECT` is available only for TCP traffic.
+    #     your client. The service closes the connection and drops
+    #     subsequent packets for that connection. `REJECT` is available only
+    #     for TCP traffic.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/CheckCertificateRevocationStatusActions AWS API Documentation
@@ -704,6 +768,14 @@ module Aws::NetworkFirewall
     #   track of updates made to the originating rule group.
     #   @return [Types::SourceMetadata]
     #
+    # @!attribute [rw] analyze_rule_group
+    #   Indicates whether you want Network Firewall to analyze the stateless
+    #   rules in the rule group for rule behavior such as asymmetric
+    #   routing. If set to `TRUE`, Network Firewall runs the analysis and
+    #   then creates the rule group for you. To run the stateless rule group
+    #   analyzer without creating the rule group, set `DryRun` to `TRUE`.
+    #   @return [Boolean]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/CreateRuleGroupRequest AWS API Documentation
     #
     class CreateRuleGroupRequest < Struct.new(
@@ -716,7 +788,8 @@ module Aws::NetworkFirewall
       :tags,
       :dry_run,
       :encryption_configuration,
-      :source_metadata)
+      :source_metadata,
+      :analyze_rule_group)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -1382,12 +1455,19 @@ module Aws::NetworkFirewall
     #    </note>
     #   @return [String]
     #
+    # @!attribute [rw] analyze_rule_group
+    #   Indicates whether you want Network Firewall to analyze the stateless
+    #   rules in the rule group for rule behavior such as asymmetric
+    #   routing. If set to `TRUE`, Network Firewall runs the analysis.
+    #   @return [Boolean]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DescribeRuleGroupRequest AWS API Documentation
     #
     class DescribeRuleGroupRequest < Struct.new(
       :rule_group_name,
       :rule_group_arn,
-      :type)
+      :type,
+      :analyze_rule_group)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -3033,7 +3113,12 @@ module Aws::NetworkFirewall
     #   Additional options governing how Network Firewall handles stateful
     #   rules. The policies where you use your stateful rule group must have
     #   stateful rule options settings that are compatible with these
-    #   settings.
+    #   settings. Some limitations apply; for more information, see [Strict
+    #   evaluation order][1] in the *Network Firewall Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-limitations-caveats.html
     #   @return [Types::StatefulRuleOptions]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/RuleGroup AWS API Documentation
@@ -3159,6 +3244,17 @@ module Aws::NetworkFirewall
     #   The last time that the rule group was changed.
     #   @return [Time]
     #
+    # @!attribute [rw] analysis_results
+    #   The list of analysis results for `AnalyzeRuleGroup`. If you set
+    #   `AnalyzeRuleGroup` to `TRUE` in CreateRuleGroup, UpdateRuleGroup, or
+    #   DescribeRuleGroup, Network Firewall analyzes the rule group and
+    #   identifies the rules that might adversely effect your firewall's
+    #   functionality. For example, if Network Firewall detects a rule
+    #   that's routing traffic asymmetrically, which impacts the service's
+    #   ability to properly process traffic, the service includes the rule
+    #   in the list of analysis results.
+    #   @return [Array<Types::AnalysisResult>]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/RuleGroupResponse AWS API Documentation
     #
     class RuleGroupResponse < Struct.new(
@@ -3175,7 +3271,8 @@ module Aws::NetworkFirewall
       :encryption_configuration,
       :source_metadata,
       :sns_topic,
-      :last_modified_time)
+      :last_modified_time,
+      :analysis_results)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -3239,14 +3336,18 @@ module Aws::NetworkFirewall
     # instance of this for either stateless rules or stateful rules.
     #
     # @!attribute [rw] rules_string
-    #   Stateful inspection criteria, provided in Suricata compatible
-    #   intrusion prevention system (IPS) rules. Suricata is an open-source
-    #   network IPS that includes a standard rule-based language for network
-    #   traffic inspection.
+    #   Stateful inspection criteria, provided in Suricata compatible rules.
+    #   Suricata is an open-source threat detection framework that includes
+    #   a standard rule-based language for network traffic inspection.
     #
     #   These rules contain the inspection criteria and the action to take
     #   for traffic that matches the criteria, so this type of rule group
     #   doesn't have a separate action setting.
+    #
+    #   <note markdown="1"> You can't use the `priority` keyword if the `RuleOrder` option in
+    #   StatefulRuleOptions is set to `STRICT_ORDER`.
+    #
+    #    </note>
     #   @return [String]
     #
     # @!attribute [rw] rules_source_list
@@ -3365,9 +3466,9 @@ module Aws::NetworkFirewall
     # TLSInspectionConfiguration. You can configure `ServerCertificates` for
     # inbound SSL/TLS inspection, a `CertificateAuthorityArn` for outbound
     # SSL/TLS inspection, or both. For information about working with
-    # certificates for TLS inspection, see [ Requirements for using SSL/TLS
-    # server certficiates with TLS inspection configurations][1] in the
-    # *Network Firewall Developer Guide*.
+    # certificates for TLS inspection, see [ Using SSL/TLS server
+    # certficiates with TLS inspection configurations][1] in the *Network
+    # Firewall Developer Guide*.
     #
     # <note markdown="1"> If a server certificate that's associated with your
     # TLSInspectionConfiguration is revoked, deleted, or expired it can
@@ -3380,8 +3481,8 @@ module Aws::NetworkFirewall
     # [1]: https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection-certificate-requirements.html
     #
     # @!attribute [rw] server_certificates
-    #   The list of a server certificate configuration's Certificate
-    #   Manager certificates, used for inbound SSL/TLS inspection.
+    #   The list of server certificates to use for inbound SSL/TLS
+    #   inspection.
     #   @return [Array<Types::ServerCertificate>]
     #
     # @!attribute [rw] scopes
@@ -3390,7 +3491,7 @@ module Aws::NetworkFirewall
     #
     # @!attribute [rw] certificate_authority_arn
     #   The Amazon Resource Name (ARN) of the imported certificate authority
-    #   (CA) certificate configured in Certificate Manager (ACM) to use for
+    #   (CA) certificate within Certificate Manager (ACM) to use for
     #   outbound SSL/TLS inspection.
     #
     #   The following limitations apply:
@@ -3401,8 +3502,8 @@ module Aws::NetworkFirewall
     #   * You can't use certificates issued by Private Certificate
     #     Authority.
     #
-    #   For more information about the certificate requirements for outbound
-    #   inspection, see [Requirements for using SSL/TLS certificates with
+    #   For more information about configuring certificates for outbound
+    #   inspection, see [Using SSL/TLS certificates with certificates with
     #   TLS inspection configurations][1] in the *Network Firewall Developer
     #   Guide*.
     #
@@ -3420,8 +3521,9 @@ module Aws::NetworkFirewall
     #   presented by the server in the SSL/TLS connection has a revoked or
     #   unkown status. If the certificate has an unknown or revoked status,
     #   you must specify the actions that Network Firewall takes on outbound
-    #   traffic. To use this option, you must specify a
-    #   `CertificateAuthorityArn` in ServerCertificateConfiguration.
+    #   traffic. To check the certificate revocation status, you must also
+    #   specify a `CertificateAuthorityArn` in
+    #   ServerCertificateConfiguration.
     #   @return [Types::CheckCertificateRevocationStatusActions]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/ServerCertificateConfiguration AWS API Documentation
@@ -3525,11 +3627,17 @@ module Aws::NetworkFirewall
     #
     # @!attribute [rw] rule_order
     #   Indicates how to manage the order of stateful rule evaluation for
-    #   the policy. `DEFAULT_ACTION_ORDER` is the default behavior. Stateful
-    #   rules are provided to the rule engine as Suricata compatible
-    #   strings, and Suricata evaluates them based on certain settings. For
-    #   more information, see [Evaluation order for stateful rules][1] in
-    #   the *Network Firewall Developer Guide*.
+    #   the policy. `STRICT_ORDER` is the default and recommended option.
+    #   With `STRICT_ORDER`, provide your rules in the order that you want
+    #   them to be evaluated. You can then choose one or more default
+    #   actions for packets that don't match any rules. Choose
+    #   `STRICT_ORDER` to have the stateful rules engine determine the
+    #   evaluation order of your rules. The default action for this rule
+    #   order is `PASS`, followed by `DROP`, `REJECT`, and `ALERT` actions.
+    #   Stateful rules are provided to the rule engine as Suricata
+    #   compatible strings, and Suricata evaluates them based on your
+    #   settings. For more information, see [Evaluation order for stateful
+    #   rules][1] in the *Network Firewall Developer Guide*.
     #
     #
     #
@@ -3596,9 +3704,8 @@ module Aws::NetworkFirewall
     #     destination and sends an alert log message, if alert logging is
     #     configured in the Firewall LoggingConfiguration.
     #
-    #   * **ALERT** - Permits the packets to go to the intended destination
-    #     and sends an alert log message, if alert logging is configured in
-    #     the Firewall LoggingConfiguration.
+    #   * **ALERT** - Sends an alert log message, if alert logging is
+    #     configured in the Firewall LoggingConfiguration.
     #
     #     You can use this action to test a rule that you intend to use to
     #     drop traffic. You can enable the rule with `ALERT` action, verify
@@ -4803,6 +4910,14 @@ module Aws::NetworkFirewall
     #   track of updates made to the originating rule group.
     #   @return [Types::SourceMetadata]
     #
+    # @!attribute [rw] analyze_rule_group
+    #   Indicates whether you want Network Firewall to analyze the stateless
+    #   rules in the rule group for rule behavior such as asymmetric
+    #   routing. If set to `TRUE`, Network Firewall runs the analysis and
+    #   then updates the rule group for you. To run the stateless rule group
+    #   analyzer without updating the rule group, set `DryRun` to `TRUE`.
+    #   @return [Boolean]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/UpdateRuleGroupRequest AWS API Documentation
     #
     class UpdateRuleGroupRequest < Struct.new(
@@ -4815,7 +4930,8 @@ module Aws::NetworkFirewall
       :description,
       :dry_run,
       :encryption_configuration,
-      :source_metadata)
+      :source_metadata,
+      :analyze_rule_group)
       SENSITIVE = []
       include Aws::Structure
     end

data/lib/aws-sdk-networkfirewall.rb

@@ -52,6 +52,6 @@ require_relative 'aws-sdk-networkfirewall/customizations'
 # @!group service
 module Aws::NetworkFirewall
 
-  GEM_VERSION = '1.36.0'
+  GEM_VERSION = '1.37.0'
 
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-networkfirewall
 version: !ruby/object:Gem::Version
-  version: 1.36.0
+  version: 1.37.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-10-26 00:00:00.000000000 Z
+date: 2023-11-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-core