@aws-sdk/client-network-firewall 3.441.0 → 3.445.0

package/dist-cjs/models/models_0.js

@@ -1,7 +1,11 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.ResourceOwnerCheckException = exports.LogDestinationPermissionException = exports.ResourceManagedStatus = exports.ResourceManagedType = exports.LogType = exports.LogDestinationType = exports.InvalidResourcePolicyException = exports.UnsupportedOperationException = exports.RuleGroupType = exports.TCPFlag = exports.StatefulRuleProtocol = exports.StatefulRuleDirection = exports.StatefulAction = exports.TargetType = exports.GeneratedRulesType = exports.ResourceStatus = exports.OverrideAction = exports.StreamExceptionPolicy = exports.RuleOrder = exports.LimitExceededException = exports.PerObjectSyncStatus = exports.FirewallStatusValue = exports.EncryptionType = exports.ConfigurationSyncState = exports.RevocationCheckAction = exports.AttachmentStatus = exports.InsufficientCapacityException = exports.IPAddressType = exports.ThrottlingException = exports.ResourceNotFoundException = exports.InvalidTokenException = exports.InvalidRequestException = exports.InvalidOperationException = exports.InternalServerError = void 0;
+exports.ResourceOwnerCheckException = exports.LogDestinationPermissionException = exports.ResourceManagedStatus = exports.ResourceManagedType = exports.LogType = exports.LogDestinationType = exports.InvalidResourcePolicyException = exports.UnsupportedOperationException = exports.RuleGroupType = exports.TCPFlag = exports.StatefulRuleProtocol = exports.StatefulRuleDirection = exports.StatefulAction = exports.TargetType = exports.GeneratedRulesType = exports.ResourceStatus = exports.OverrideAction = exports.StreamExceptionPolicy = exports.RuleOrder = exports.LimitExceededException = exports.PerObjectSyncStatus = exports.FirewallStatusValue = exports.EncryptionType = exports.ConfigurationSyncState = exports.RevocationCheckAction = exports.AttachmentStatus = exports.InsufficientCapacityException = exports.IPAddressType = exports.ThrottlingException = exports.ResourceNotFoundException = exports.InvalidTokenException = exports.InvalidRequestException = exports.InvalidOperationException = exports.InternalServerError = exports.IdentifiedType = void 0;
 const NetworkFirewallServiceException_1 = require("./NetworkFirewallServiceException");
+exports.IdentifiedType = {
+    STATELESS_RULE_CONTAINS_TCP_FLAGS: "STATELESS_RULE_CONTAINS_TCP_FLAGS",
+    STATELESS_RULE_FORWARDING_ASYMMETRICALLY: "STATELESS_RULE_FORWARDING_ASYMMETRICALLY",
+};
 class InternalServerError extends NetworkFirewallServiceException_1.NetworkFirewallServiceException {
     constructor(opts) {
         super({

package/dist-cjs/protocols/Aws_json1_0.js

@@ -1973,6 +1973,7 @@ const de_UnsupportedOperationExceptionRes = async (parsedOutput, context) => {
 };
 const se_CreateRuleGroupRequest = (input, context) => {
     return (0, smithy_client_1.take)(input, {
+        AnalyzeRuleGroup: [],
         Capacity: [],
         Description: [],
         DryRun: [],
@@ -1987,6 +1988,7 @@ const se_CreateRuleGroupRequest = (input, context) => {
 };
 const se_UpdateRuleGroupRequest = (input, context) => {
     return (0, smithy_client_1.take)(input, {
+        AnalyzeRuleGroup: [],
         Description: [],
         DryRun: [],
         EncryptionConfiguration: smithy_client_1._json,
@@ -2081,6 +2083,7 @@ const de_FirewallPolicyResponse = (output, context) => {
 };
 const de_RuleGroupResponse = (output, context) => {
     return (0, smithy_client_1.take)(output, {
+        AnalysisResults: smithy_client_1._json,
         Capacity: smithy_client_1.expectInt32,
         ConsumedCapacity: smithy_client_1.expectInt32,
         Description: smithy_client_1.expectString,

package/dist-es/models/models_0.js

@@ -1,4 +1,8 @@
 import { NetworkFirewallServiceException as __BaseException } from "./NetworkFirewallServiceException";
+export const IdentifiedType = {
+    STATELESS_RULE_CONTAINS_TCP_FLAGS: "STATELESS_RULE_CONTAINS_TCP_FLAGS",
+    STATELESS_RULE_FORWARDING_ASYMMETRICALLY: "STATELESS_RULE_FORWARDING_ASYMMETRICALLY",
+};
 export class InternalServerError extends __BaseException {
     constructor(opts) {
         super({

package/dist-es/protocols/Aws_json1_0.js

@@ -1897,6 +1897,7 @@ const de_UnsupportedOperationExceptionRes = async (parsedOutput, context) => {
 };
 const se_CreateRuleGroupRequest = (input, context) => {
     return take(input, {
+        AnalyzeRuleGroup: [],
         Capacity: [],
         Description: [],
         DryRun: [],
@@ -1911,6 +1912,7 @@ const se_CreateRuleGroupRequest = (input, context) => {
 };
 const se_UpdateRuleGroupRequest = (input, context) => {
     return take(input, {
+        AnalyzeRuleGroup: [],
         Description: [],
         DryRun: [],
         EncryptionConfiguration: _json,
@@ -2005,6 +2007,7 @@ const de_FirewallPolicyResponse = (output, context) => {
 };
 const de_RuleGroupResponse = (output, context) => {
     return take(output, {
+        AnalysisResults: _json,
         Capacity: __expectInt32,
         ConsumedCapacity: __expectInt32,
         Description: __expectString,

package/dist-types/commands/CreateRuleGroupCommand.d.ts

@@ -178,6 +178,7 @@ export interface CreateRuleGroupCommandOutput extends CreateRuleGroupResponse, _
  *     SourceArn: "STRING_VALUE",
  *     SourceUpdateToken: "STRING_VALUE",
  *   },
+ *   AnalyzeRuleGroup: true || false,
  * };
  * const command = new CreateRuleGroupCommand(input);
  * const response = await client.send(command);
@@ -209,6 +210,15 @@ export interface CreateRuleGroupCommandOutput extends CreateRuleGroupResponse, _
  * //     },
  * //     SnsTopic: "STRING_VALUE",
  * //     LastModifiedTime: new Date("TIMESTAMP"),
+ * //     AnalysisResults: [ // AnalysisResultList
+ * //       { // AnalysisResult
+ * //         IdentifiedRuleIds: [ // RuleIdList
+ * //           "STRING_VALUE",
+ * //         ],
+ * //         IdentifiedType: "STATELESS_RULE_FORWARDING_ASYMMETRICALLY" || "STATELESS_RULE_CONTAINS_TCP_FLAGS",
+ * //         AnalysisDetail: "STRING_VALUE",
+ * //       },
+ * //     ],
  * //   },
  * // };
  *

package/dist-types/commands/CreateTLSInspectionConfigurationCommand.d.ts

@@ -23,7 +23,7 @@ export interface CreateTLSInspectionConfigurationCommandOutput extends CreateTLS
 }
 /**
  * @public
- * <p>Creates an Network Firewall TLS inspection configuration. A TLS inspection configuration contains the Certificate Manager certificate associations that Network Firewall uses to decrypt and re-encrypt traffic traveling through your firewall.</p>
+ * <p>Creates an Network Firewall TLS inspection configuration. A TLS inspection configuration contains Certificate Manager certificate associations between and the scope configurations that Network Firewall uses to decrypt and re-encrypt traffic traveling through your firewall.</p>
  *          <p>After you create a TLS inspection configuration, you can associate it with a new firewall policy.</p>
  *          <p>To update the settings for a TLS inspection configuration, use <a>UpdateTLSInspectionConfiguration</a>.</p>
  *          <p>To manage a TLS inspection configuration's tags, use the standard Amazon Web Services resource tagging operations, <a>ListTagsForResource</a>, <a>TagResource</a>, and <a>UntagResource</a>.</p>

package/dist-types/commands/DeleteRuleGroupCommand.d.ts

@@ -64,6 +64,15 @@ export interface DeleteRuleGroupCommandOutput extends DeleteRuleGroupResponse, _
  * //     },
  * //     SnsTopic: "STRING_VALUE",
  * //     LastModifiedTime: new Date("TIMESTAMP"),
+ * //     AnalysisResults: [ // AnalysisResultList
+ * //       { // AnalysisResult
+ * //         IdentifiedRuleIds: [ // RuleIdList
+ * //           "STRING_VALUE",
+ * //         ],
+ * //         IdentifiedType: "STATELESS_RULE_FORWARDING_ASYMMETRICALLY" || "STATELESS_RULE_CONTAINS_TCP_FLAGS",
+ * //         AnalysisDetail: "STRING_VALUE",
+ * //       },
+ * //     ],
  * //   },
  * // };
  *

package/dist-types/commands/DescribeRuleGroupCommand.d.ts

@@ -34,6 +34,7 @@ export interface DescribeRuleGroupCommandOutput extends DescribeRuleGroupRespons
  *   RuleGroupName: "STRING_VALUE",
  *   RuleGroupArn: "STRING_VALUE",
  *   Type: "STATELESS" || "STATEFUL",
+ *   AnalyzeRuleGroup: true || false,
  * };
  * const command = new DescribeRuleGroupCommand(input);
  * const response = await client.send(command);
@@ -189,6 +190,15 @@ export interface DescribeRuleGroupCommandOutput extends DescribeRuleGroupRespons
  * //     },
  * //     SnsTopic: "STRING_VALUE",
  * //     LastModifiedTime: new Date("TIMESTAMP"),
+ * //     AnalysisResults: [ // AnalysisResultList
+ * //       { // AnalysisResult
+ * //         IdentifiedRuleIds: [ // RuleIdList
+ * //           "STRING_VALUE",
+ * //         ],
+ * //         IdentifiedType: "STATELESS_RULE_FORWARDING_ASYMMETRICALLY" || "STATELESS_RULE_CONTAINS_TCP_FLAGS",
+ * //         AnalysisDetail: "STRING_VALUE",
+ * //       },
+ * //     ],
  * //   },
  * // };
  *

package/dist-types/commands/UpdateRuleGroupCommand.d.ts

@@ -175,6 +175,7 @@ export interface UpdateRuleGroupCommandOutput extends UpdateRuleGroupResponse, _
  *     SourceArn: "STRING_VALUE",
  *     SourceUpdateToken: "STRING_VALUE",
  *   },
+ *   AnalyzeRuleGroup: true || false,
  * };
  * const command = new UpdateRuleGroupCommand(input);
  * const response = await client.send(command);
@@ -206,6 +207,15 @@ export interface UpdateRuleGroupCommandOutput extends UpdateRuleGroupResponse, _
  * //     },
  * //     SnsTopic: "STRING_VALUE",
  * //     LastModifiedTime: new Date("TIMESTAMP"),
+ * //     AnalysisResults: [ // AnalysisResultList
+ * //       { // AnalysisResult
+ * //         IdentifiedRuleIds: [ // RuleIdList
+ * //           "STRING_VALUE",
+ * //         ],
+ * //         IdentifiedType: "STATELESS_RULE_FORWARDING_ASYMMETRICALLY" || "STATELESS_RULE_CONTAINS_TCP_FLAGS",
+ * //         AnalysisDetail: "STRING_VALUE",
+ * //       },
+ * //     ],
  * //   },
  * // };
  *

package/dist-types/index.d.ts

@@ -83,6 +83,8 @@
 export * from "./NetworkFirewallClient";
 export * from "./NetworkFirewall";
 export { ClientInputEndpointParameters } from "./endpoint/EndpointParameters";
+export { RuntimeExtension } from "./runtimeExtensions";
+export { NetworkFirewallExtensionConfiguration } from "./extensionConfiguration";
 export * from "./commands";
 export * from "./pagination";
 export * from "./models";

package/dist-types/models/models_0.d.ts

@@ -75,6 +75,63 @@ export interface Address {
      */
     AddressDefinition: string | undefined;
 }
+/**
+ * @public
+ * @enum
+ */
+export declare const IdentifiedType: {
+    readonly STATELESS_RULE_CONTAINS_TCP_FLAGS: "STATELESS_RULE_CONTAINS_TCP_FLAGS";
+    readonly STATELESS_RULE_FORWARDING_ASYMMETRICALLY: "STATELESS_RULE_FORWARDING_ASYMMETRICALLY";
+};
+/**
+ * @public
+ */
+export type IdentifiedType = (typeof IdentifiedType)[keyof typeof IdentifiedType];
+/**
+ * @public
+ * <p>The analysis result for Network Firewall's stateless rule group analyzer. Every time you call <a>CreateRuleGroup</a>, <a>UpdateRuleGroup</a>, or <a>DescribeRuleGroup</a> on a stateless rule group, Network Firewall analyzes the stateless rule groups in your account and identifies the rules that might adversely effect your firewall's functionality. For example, if Network Firewall detects a rule that's routing traffic asymmetrically, which impacts the service's ability to properly process traffic, the service includes the rule in a list of analysis results.</p>
+ */
+export interface AnalysisResult {
+    /**
+     * @public
+     * <p>The priority number of the stateless rules identified in the analysis.</p>
+     */
+    IdentifiedRuleIds?: string[];
+    /**
+     * @public
+     * <p>The types of rule configurations that Network Firewall analyzes your rule groups for. Network Firewall analyzes stateless rule groups for the following types of rule configurations:</p>
+     *          <ul>
+     *             <li>
+     *                <p>
+     *                   <code>STATELESS_RULE_FORWARDING_ASYMMETRICALLY</code>
+     *                </p>
+     *                <p>Cause: One or more stateless rules with the action <code>pass</code> or <code>forward</code> are forwarding traffic asymmetrically. Specifically, the rule's set of source IP addresses  or their associated port numbers, don't match the set of destination IP addresses or their associated port numbers.</p>
+     *                <p>To mitigate: Make sure that there's an existing return path. For example, if the rule allows traffic from source 10.1.0.0/24 to destination 20.1.0.0/24, you should allow return traffic from source 20.1.0.0/24 to destination 10.1.0.0/24.</p>
+     *             </li>
+     *             <li>
+     *                <p>
+     *                   <code>STATELESS_RULE_CONTAINS_TCP_FLAGS</code>
+     *                </p>
+     *                <p>Cause: At least one stateless rule with the action <code>pass</code> or<code>forward</code> contains TCP flags that are inconsistent in the forward and return directions.</p>
+     *                <p>To mitigate: Prevent asymmetric routing issues caused by TCP flags by following these actions:</p>
+     *                <ul>
+     *                   <li>
+     *                      <p>Remove unnecessary TCP flag inspections from the rules.</p>
+     *                   </li>
+     *                   <li>
+     *                      <p>If you need to inspect TCP flags, check that the rules correctly account for changes in TCP flags throughout the TCP connection cycle, for example <code>SYN</code> and <code>ACK</code> flags used in a 3-way TCP handshake.</p>
+     *                   </li>
+     *                </ul>
+     *             </li>
+     *          </ul>
+     */
+    IdentifiedType?: IdentifiedType;
+    /**
+     * @public
+     * <p>Provides analysis details for the identified rule.</p>
+     */
+    AnalysisDetail?: string;
+}
 /**
  * @public
  */
@@ -474,11 +531,11 @@ export interface CheckCertificateRevocationStatusActions {
      *             </li>
      *             <li>
      *                <p>
-     *                   <b>DROP</b> - Network Firewall fails closed and drops all subsequent traffic.</p>
+     *                   <b>DROP</b> - Network Firewall closes the connection and drops subsequent packets for that connection.</p>
      *             </li>
      *             <li>
      *                <p>
-     *                   <b>REJECT</b> - Network Firewall sends a TCP reject packet back to your client so that the client can immediately establish a new session. Network Firewall then fails closed and drops all subsequent traffic. <code>REJECT</code> is available only for TCP traffic.</p>
+     *                   <b>REJECT</b> - Network Firewall sends a TCP reject packet back to your client. The service closes the connection and drops subsequent packets for that connection. <code>REJECT</code> is available only for TCP traffic.</p>
      *             </li>
      *          </ul>
      */
@@ -493,11 +550,11 @@ export interface CheckCertificateRevocationStatusActions {
      *             </li>
      *             <li>
      *                <p>
-     *                   <b>DROP</b> - Network Firewall fails closed and drops all subsequent traffic.</p>
+     *                   <b>DROP</b> - Network Firewall closes the connection and drops subsequent packets for that connection.</p>
      *             </li>
      *             <li>
      *                <p>
-     *                   <b>REJECT</b> - Network Firewall sends a TCP reject packet back to your client so that the client can immediately establish a new session. Network Firewall then fails closed and drops all subsequent traffic. <code>REJECT</code> is available only for TCP traffic. </p>
+     *                   <b>REJECT</b> - Network Firewall sends a TCP reject packet back to your client. The service closes the connection and drops subsequent packets for that connection. <code>REJECT</code> is available only for TCP traffic.</p>
      *             </li>
      *          </ul>
      */
@@ -919,9 +976,9 @@ export type StreamExceptionPolicy = (typeof StreamExceptionPolicy)[keyof typeof
 export interface StatefulEngineOptions {
     /**
      * @public
-     * <p>Indicates how to manage the order of stateful rule evaluation for the policy. <code>DEFAULT_ACTION_ORDER</code> is
-     *          the default behavior. Stateful rules are provided to the rule engine as Suricata compatible strings, and Suricata evaluates them
-     *          based on certain settings. For more information, see
+     * <p>Indicates how to manage the order of stateful rule evaluation for the policy. <code>STRICT_ORDER</code> is
+     *          the default and recommended option. With <code>STRICT_ORDER</code>, provide your rules in the order that you want them to be evaluated. You can then choose one or more default actions for packets that don't match any rules. Choose <code>STRICT_ORDER</code> to have the stateful rules engine determine the evaluation order of your rules. The default action for this rule order is <code>PASS</code>, followed by <code>DROP</code>, <code>REJECT</code>, and <code>ALERT</code> actions. Stateful rules are provided to the rule engine as Suricata compatible strings, and Suricata evaluates them
+     *          based on your settings. For more information, see
      *          <a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html">Evaluation order for stateful rules</a> in the <i>Network Firewall Developer Guide</i>.
      *       </p>
      */
@@ -1552,8 +1609,7 @@ export interface StatefulRule {
      *             </li>
      *             <li>
      *                <p>
-     *                   <b>ALERT</b> - Permits the packets to go to the
-     *                intended destination and sends an alert log message, if alert logging is configured in the <a>Firewall</a>
+     *                   <b>ALERT</b> - Sends an alert log message, if alert logging is configured in the <a>Firewall</a>
      *                   <a>LoggingConfiguration</a>. </p>
      *                <p>You can use this action to test a rule that you intend to use to drop traffic. You
      *                can enable the rule with <code>ALERT</code> action, verify in the logs that the rule
@@ -1795,12 +1851,14 @@ export interface StatelessRulesAndCustomActions {
 export interface RulesSource {
     /**
      * @public
-     * <p>Stateful inspection criteria, provided in Suricata compatible intrusion prevention
-     *          system (IPS) rules. Suricata is an open-source network IPS that includes a standard
+     * <p>Stateful inspection criteria, provided in Suricata compatible rules. Suricata is an open-source threat detection framework that includes a standard
      *          rule-based language for network traffic inspection.</p>
      *          <p>These rules contain the inspection criteria and the action to take for traffic that
      *          matches the criteria, so this type of rule group doesn't have a separate action
      *          setting.</p>
+     *          <note>
+     *             <p>You can't use the <code>priority</code> keyword if the <code>RuleOrder</code> option in <a>StatefulRuleOptions</a> is set to  <code>STRICT_ORDER</code>.</p>
+     *          </note>
      */
     RulesString?: string;
     /**
@@ -1895,7 +1953,7 @@ export interface RuleGroup {
     /**
      * @public
      * <p>Additional options governing how Network Firewall handles stateful rules. The policies where you use your stateful
-     *        rule group must have stateful rule options settings that are compatible with these settings.</p>
+     *        rule group must have stateful rule options settings that are compatible with these settings. Some limitations apply; for more information, see <a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-limitations-caveats.html">Strict evaluation order</a> in the <i>Network Firewall Developer Guide</i>.</p>
      */
     StatefulRuleOptions?: StatefulRuleOptions;
 }
@@ -2036,6 +2094,11 @@ export interface CreateRuleGroupRequest {
      * <p>A complex type that contains metadata about the rule group that your own rule group is copied from. You can use the metadata to keep track of updates made to the originating rule group.</p>
      */
     SourceMetadata?: SourceMetadata;
+    /**
+     * @public
+     * <p>Indicates whether you want Network Firewall to analyze the stateless rules in the rule group for rule behavior such as asymmetric routing. If set to <code>TRUE</code>, Network Firewall runs the analysis and then creates the rule group for you. To run the stateless rule group analyzer without creating the rule group, set <code>DryRun</code> to <code>TRUE</code>.</p>
+     */
+    AnalyzeRuleGroup?: boolean;
 }
 /**
  * @public
@@ -2125,6 +2188,11 @@ export interface RuleGroupResponse {
      * <p>The last time that the rule group was changed.</p>
      */
     LastModifiedTime?: Date;
+    /**
+     * @public
+     * <p>The list of analysis results for <code>AnalyzeRuleGroup</code>. If you set <code>AnalyzeRuleGroup</code> to <code>TRUE</code> in <a>CreateRuleGroup</a>, <a>UpdateRuleGroup</a>, or <a>DescribeRuleGroup</a>, Network Firewall analyzes the rule group and identifies the rules that might adversely effect your firewall's functionality. For example, if Network Firewall detects a rule that's routing traffic asymmetrically, which impacts the service's ability to properly process traffic, the service includes the rule in the list of analysis results.</p>
+     */
+    AnalysisResults?: AnalysisResult[];
 }
 /**
  * @public
@@ -2191,7 +2259,7 @@ export interface ServerCertificate {
 }
 /**
  * @public
- * <p>Configures the Certificate Manager certificates and scope that Network Firewall uses to decrypt and re-encrypt traffic using a <a>TLSInspectionConfiguration</a>. You can configure <code>ServerCertificates</code> for inbound SSL/TLS inspection, a <code>CertificateAuthorityArn</code> for outbound SSL/TLS inspection, or both. For information about working with certificates for TLS inspection, see <a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection-certificate-requirements.html"> Requirements for using SSL/TLS server certficiates with TLS inspection configurations</a> in the <i>Network Firewall Developer Guide</i>.</p>
+ * <p>Configures the Certificate Manager certificates and scope that Network Firewall uses to decrypt and re-encrypt traffic using a <a>TLSInspectionConfiguration</a>. You can configure <code>ServerCertificates</code> for inbound SSL/TLS inspection, a <code>CertificateAuthorityArn</code> for outbound SSL/TLS inspection, or both. For information about working with certificates for TLS inspection, see <a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection-certificate-requirements.html"> Using SSL/TLS server certficiates with TLS inspection configurations</a> in the <i>Network Firewall Developer Guide</i>.</p>
  *          <note>
  *             <p>If a server certificate that's associated with your <a>TLSInspectionConfiguration</a> is revoked, deleted, or expired it can result in client-side TLS errors.</p>
  *          </note>
@@ -2199,7 +2267,7 @@ export interface ServerCertificate {
 export interface ServerCertificateConfiguration {
     /**
      * @public
-     * <p>The list of a server certificate configuration's Certificate Manager certificates, used for inbound SSL/TLS inspection.</p>
+     * <p>The list of server certificates to use for inbound SSL/TLS inspection.</p>
      */
     ServerCertificates?: ServerCertificate[];
     /**
@@ -2209,7 +2277,7 @@ export interface ServerCertificateConfiguration {
     Scopes?: ServerCertificateScope[];
     /**
      * @public
-     * <p>The Amazon Resource Name (ARN) of the imported certificate authority (CA) certificate configured in Certificate Manager (ACM) to use for outbound SSL/TLS inspection.</p>
+     * <p>The Amazon Resource Name (ARN) of the imported certificate authority (CA) certificate within Certificate Manager (ACM) to use for outbound SSL/TLS inspection.</p>
      *          <p>The following limitations apply:</p>
      *          <ul>
      *             <li>
@@ -2219,13 +2287,13 @@ export interface ServerCertificateConfiguration {
      *                <p>You can't use certificates issued by Private Certificate Authority.</p>
      *             </li>
      *          </ul>
-     *          <p>For more information about the certificate requirements for outbound inspection, see <a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection-certificate-requirements.html">Requirements for using SSL/TLS certificates with TLS inspection configurations</a> in the <i>Network Firewall Developer Guide</i>. </p>
+     *          <p>For more information about configuring certificates for outbound inspection, see <a href="https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection-certificate-requirements.html">Using SSL/TLS certificates with certificates with TLS inspection configurations</a> in the <i>Network Firewall Developer Guide</i>. </p>
      *          <p>For information about working with certificates in ACM, see <a href="https://docs.aws.amazon.com/acm/latest/userguide/import-certificate.html">Importing certificates</a> in the <i>Certificate Manager User Guide</i>.</p>
      */
     CertificateAuthorityArn?: string;
     /**
      * @public
-     * <p>When enabled, Network Firewall checks if the server certificate presented by the server in the SSL/TLS connection has a revoked or unkown status. If the certificate has an unknown or revoked status, you must specify the actions that Network Firewall takes on outbound traffic. To use this option, you must specify a <code>CertificateAuthorityArn</code> in <a>ServerCertificateConfiguration</a>.</p>
+     * <p>When enabled, Network Firewall checks if the server certificate presented by the server in the SSL/TLS connection has a revoked or unkown status. If the certificate has an unknown or revoked status, you must specify the actions that Network Firewall takes on outbound traffic. To check the certificate revocation status, you must also specify a <code>CertificateAuthorityArn</code> in <a>ServerCertificateConfiguration</a>.</p>
      */
     CheckCertificateRevocationStatus?: CheckCertificateRevocationStatusActions;
 }
@@ -2769,6 +2837,11 @@ export interface DescribeRuleGroupRequest {
      *          </note>
      */
     Type?: RuleGroupType;
+    /**
+     * @public
+     * <p>Indicates whether you want Network Firewall to analyze the stateless rules in the rule group for rule behavior such as asymmetric routing. If set to <code>TRUE</code>, Network Firewall runs the analysis.</p>
+     */
+    AnalyzeRuleGroup?: boolean;
 }
 /**
  * @public
@@ -3798,6 +3871,11 @@ export interface UpdateRuleGroupRequest {
      * <p>A complex type that contains metadata about the rule group that your own rule group is copied from. You can use the metadata to keep track of updates made to the originating rule group.</p>
      */
     SourceMetadata?: SourceMetadata;
+    /**
+     * @public
+     * <p>Indicates whether you want Network Firewall to analyze the stateless rules in the rule group for rule behavior such as asymmetric routing. If set to <code>TRUE</code>, Network Firewall runs the analysis and then updates the rule group for you. To run the stateless rule group analyzer without updating the rule group, set <code>DryRun</code> to <code>TRUE</code>. </p>
+     */
+    AnalyzeRuleGroup?: boolean;
 }
 /**
  * @public

package/dist-types/ts3.4/index.d.ts

@@ -1,6 +1,8 @@
 export * from "./NetworkFirewallClient";
 export * from "./NetworkFirewall";
 export { ClientInputEndpointParameters } from "./endpoint/EndpointParameters";
+export { RuntimeExtension } from "./runtimeExtensions";
+export { NetworkFirewallExtensionConfiguration } from "./extensionConfiguration";
 export * from "./commands";
 export * from "./pagination";
 export * from "./models";

package/dist-types/ts3.4/models/models_0.d.ts

@@ -12,6 +12,17 @@ export interface ActionDefinition {
 export interface Address {
   AddressDefinition: string | undefined;
 }
+export declare const IdentifiedType: {
+  readonly STATELESS_RULE_CONTAINS_TCP_FLAGS: "STATELESS_RULE_CONTAINS_TCP_FLAGS";
+  readonly STATELESS_RULE_FORWARDING_ASYMMETRICALLY: "STATELESS_RULE_FORWARDING_ASYMMETRICALLY";
+};
+export type IdentifiedType =
+  (typeof IdentifiedType)[keyof typeof IdentifiedType];
+export interface AnalysisResult {
+  IdentifiedRuleIds?: string[];
+  IdentifiedType?: IdentifiedType;
+  AnalysisDetail?: string;
+}
 export interface AssociateFirewallPolicyRequest {
   UpdateToken?: string;
   FirewallArn?: string;
@@ -476,6 +487,7 @@ export interface CreateRuleGroupRequest {
   DryRun?: boolean;
   EncryptionConfiguration?: EncryptionConfiguration;
   SourceMetadata?: SourceMetadata;
+  AnalyzeRuleGroup?: boolean;
 }
 export interface RuleGroupResponse {
   RuleGroupArn: string | undefined;
@@ -492,6 +504,7 @@ export interface RuleGroupResponse {
   SourceMetadata?: SourceMetadata;
   SnsTopic?: string;
   LastModifiedTime?: Date;
+  AnalysisResults?: AnalysisResult[];
 }
 export interface CreateRuleGroupResponse {
   UpdateToken: string | undefined;
@@ -650,6 +663,7 @@ export interface DescribeRuleGroupRequest {
   RuleGroupName?: string;
   RuleGroupArn?: string;
   Type?: RuleGroupType;
+  AnalyzeRuleGroup?: boolean;
 }
 export interface DescribeRuleGroupResponse {
   UpdateToken: string | undefined;
@@ -882,6 +896,7 @@ export interface UpdateRuleGroupRequest {
   DryRun?: boolean;
   EncryptionConfiguration?: EncryptionConfiguration;
   SourceMetadata?: SourceMetadata;
+  AnalyzeRuleGroup?: boolean;
 }
 export interface UpdateRuleGroupResponse {
   UpdateToken: string | undefined;

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@aws-sdk/client-network-firewall",
   "description": "AWS SDK for JavaScript Network Firewall Client for Node.js, Browser and React Native",
-  "version": "3.441.0",
+  "version": "3.445.0",
   "scripts": {
     "build": "concurrently 'yarn:build:cjs' 'yarn:build:es' 'yarn:build:types'",
     "build:cjs": "tsc -p tsconfig.cjs.json",
@@ -21,9 +21,9 @@
   "dependencies": {
     "@aws-crypto/sha256-browser": "3.0.0",
     "@aws-crypto/sha256-js": "3.0.0",
-    "@aws-sdk/client-sts": "3.441.0",
-    "@aws-sdk/core": "3.441.0",
-    "@aws-sdk/credential-provider-node": "3.441.0",
+    "@aws-sdk/client-sts": "3.445.0",
+    "@aws-sdk/core": "3.445.0",
+    "@aws-sdk/credential-provider-node": "3.445.0",
     "@aws-sdk/middleware-host-header": "3.433.0",
     "@aws-sdk/middleware-logger": "3.433.0",
     "@aws-sdk/middleware-recursion-detection": "3.433.0",