Package-level declarations

Types

A custom action to use in stateless rule actions settings. This is used in CustomAction.

class Address

A single IP address specification. This is used in the MatchAttributes source and destination specifications.

A report that captures key activity from the last 30 days of network traffic monitored by your firewall.

The analysis result for Network Firewall's stateless rule group analyzer. Every time you call CreateRuleGroup, UpdateRuleGroup, or DescribeRuleGroup on a stateless rule group, Network Firewall analyzes the stateless rule groups in your account and identifies the rules that might adversely affect your firewall's functionality. For example, if Network Firewall detects a rule that's routing traffic asymmetrically, which impacts the service's ability to properly process traffic, the service includes the rule in a list of analysis results.

The results of a COMPLETED analysis report generated with StartAnalysisReport.

The definition and status of the firewall endpoint for a single subnet. In each configured subnet, Network Firewall instantiates a firewall endpoint to handle network traffic.

sealed class AttachmentStatus

Defines the mapping between an Availability Zone and a firewall endpoint for a transit gateway-attached firewall. Each mapping represents where the firewall can process traffic. You use these mappings when calling CreateFirewall, AssociateAvailabilityZones, and DisassociateAvailabilityZones.

High-level information about an Availability Zone where the firewall has an endpoint defined.

The status of the firewall endpoint defined by a VpcEndpointAssociation.

The capacity usage summary of the resources used by the ReferenceSets in a firewall.

Defines the actions to take on the SSL/TLS connection if the certificate presented by the server in the connection has a revoked or unknown status.

Summarizes the CIDR blocks used by the IP set references in a firewall. Network Firewall calculates the number of CIDRs by taking an aggregated count of all CIDRs used by the IP sets you are referencing.

An optional, non-standard action to use for stateless packet handling. You can define this in addition to the standard action that you must specify.

class Dimension

The value to use in an Amazon CloudWatch custom metric dimension. This is used in the PublishMetricsCustomAction. A CloudWatch custom metric dimension is a name/value pair that's part of the identity of a metric.

sealed class EnabledAnalysisType

A complex type that contains optional Amazon Web Services Key Management Service (KMS) encryption settings for your Network Firewall resources. Your data is encrypted by default with an Amazon Web Services owned key that Amazon Web Services owns and manages for you. You can use either the Amazon Web Services owned key, or provide your own customer managed key. To learn more about KMS encryption of your Network Firewall resources, see Encryption at rest with Amazon Web Services Key Management Service in the Network Firewall Developer Guide.

sealed class EncryptionType
class Firewall

A firewall defines the behavior of a firewall, the main VPC where the firewall is used, the Availability Zones where the firewall can be used, and one subnet to use for a firewall endpoint within each of the Availability Zones. The Availability Zones are defined implicitly in the subnet specifications.

High-level information about a firewall, returned by operations like create and describe. You can use the information provided in the metadata to retrieve and manage a firewall.

The firewall policy defines the behavior of a firewall using a collection of stateless and stateful rule groups and other settings. You can use one firewall policy for multiple firewalls.

High-level information about a firewall policy, returned by operations like create and describe. You can use the information provided in the metadata to retrieve and manage a firewall policy. You can retrieve all objects for a firewall policy by calling DescribeFirewallPolicy.

The high-level properties of a firewall policy. This, along with the FirewallPolicy, define the policy. You can retrieve all objects for a firewall policy by calling DescribeFirewallPolicy.

Detailed information about the current status of a Firewall. You can retrieve this for a firewall by calling DescribeFirewall and providing the firewall name and ARN.

sealed class FirewallStatusValue
class Flow

Any number of arrays, where each array is a single flow identified in the scope of the operation. If multiple flows were in the scope of the operation, multiple Flows arrays are returned.

Defines the scope of a flow operation. You can use up to 20 filters to configure a single flow operation.

Contains information about a flow operation, such as related statuses, unique identifiers, and all filters defined in the operation.

An array of objects with metadata about the requested FlowOperation.

sealed class FlowOperationStatus
sealed class FlowOperationType

Describes the amount of time that can pass without any traffic sent through the firewall before the firewall determines that the connection is idle and Network Firewall removes the flow entry from its flow table. Existing connections and flows are not impacted when you update this value. Only new connections after you update this value are impacted.

sealed class GeneratedRulesType
class Header

The basic rule criteria for Network Firewall to use to inspect packet headers in stateful traffic flow inspection. Traffic flows that match the criteria are a match for the corresponding StatefulRule.

class Hits

Attempts made to access a domain.

sealed class IdentifiedType

Amazon Web Services doesn't currently have enough available capacity to fulfill your request. Try your request later.

Your request is valid, but Network Firewall couldn't perform the operation because of a system problem. Retry your request.

The operation failed because it's not valid. For example, you might have tried to delete a rule group or firewall policy that's in use.

The operation failed because of a problem with your request. Examples include:

The policy statement failed validation.

The token you provided is stale or isn't valid for the operation.

sealed class IpAddressType
class IpSet

A list of IP addresses and address ranges, in CIDR notation. This is part of a RuleVariables.

General information about the IP set.

Configures one or more IP set references for a Suricata-compatible rule group. This is used in CreateRuleGroup or UpdateRuleGroup. An IP set reference is a rule variable that references resources that you create and manage in another Amazon Web Services service, such as an Amazon VPC prefix list. Network Firewall IP set references enable you to dynamically update the contents of your rules. When you create, update, or delete the resource you are referencing in your rule, Network Firewall automatically updates the rule's content with the changes. For more information about IP set references in Network Firewall, see Using IP set references in the Network Firewall Developer Guide.

Unable to perform the operation because doing so would violate a limit setting.

Defines where Network Firewall sends logs for the firewall for one log type. This is used in LoggingConfiguration. You can send each type of log to an Amazon S3 bucket, a CloudWatch log group, or a Firehose delivery stream.

Unable to send logs to a configured logging destination.

sealed class LogDestinationType

Defines how Network Firewall performs logging for a Firewall.

sealed class LogType

Criteria for Network Firewall to use to inspect an individual packet in stateless rule inspection. Each match attributes set can include one or more items such as IP address, CIDR range, port number, protocol, and TCP flags.

Base class for all service related exceptions thrown by the NetworkFirewall client

sealed class OverrideAction

Provides configuration status for a single policy or rule group that is used for a firewall endpoint. Network Firewall provides each endpoint with the rules that are configured in the firewall policy. Each time you add a subnet or modify the associated firewall policy, Network Firewall synchronizes the rules in the endpoint, so it can properly filter network traffic. This is part of a SyncState for a firewall.

sealed class PerObjectSyncStatus

Contains variables that you can use to override default Suricata settings in your firewall policy.

class PortRange

A single port range specification. This is used for source and destination port ranges in the stateless rule MatchAttributes, SourcePorts, and DestinationPorts settings.

class PortSet

A set of port ranges for use in the rules in a rule group.

Stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. This setting defines a CloudWatch dimension value to be published.

Contains a set of IP set references.

sealed class ResourceManagedType

Unable to locate a resource using the parameters that you provided.

Unable to change the resource because your account doesn't own it.

sealed class ResourceStatus

The inspection criteria and action for a single stateless rule. Network Firewall inspects each packet for the specified matching criteria. When a packet matches the criteria, Network Firewall performs the rule's actions on the packet.

class RuleGroup

The object that defines the rules in a rule group. This, along with RuleGroupResponse, define the rule group. You can retrieve all objects for a rule group by calling DescribeRuleGroup.

High-level information about a rule group, returned by ListRuleGroups. You can use the information provided in the metadata to retrieve and manage a rule group.

The high-level properties of a rule group. This, along with the RuleGroup, define the rule group. You can retrieve all objects for a rule group by calling DescribeRuleGroup.

sealed class RuleGroupType

Additional settings for a stateful rule. This is part of the StatefulRule configuration.

sealed class RuleOrder

The stateless or stateful rules definitions for use in a single rule group. Each rule group requires a single RulesSource. You can use an instance of this for either stateless rules or stateful rules.

Stateful inspection criteria for a domain list rule group.

A complex type containing details about a Suricata rule. Contains:

Settings that are available for use in the rules in the RuleGroup where this is defined. See CreateRuleGroup or UpdateRuleGroup for usage.

Any Certificate Manager (ACM) Secure Sockets Layer/Transport Layer Security (SSL/TLS) server certificate that's associated with a ServerCertificateConfiguration. Used in a TLSInspectionConfiguration for inspection of inbound traffic to your firewall. You must request or import an SSL/TLS certificate into ACM for each domain Network Firewall needs to decrypt and inspect. Network Firewall uses the SSL/TLS certificates to decrypt specified inbound SSL/TLS traffic going to your firewall. For information about working with certificates in Certificate Manager, see Request a public certificate or Importing certificates in the Certificate Manager User Guide.

Configures the Certificate Manager certificates and scope that Network Firewall uses to decrypt and re-encrypt traffic using a TLSInspectionConfiguration. You can configure ServerCertificates for inbound SSL/TLS inspection, a CertificateAuthorityArn for outbound SSL/TLS inspection, or both. For information about working with certificates for TLS inspection, see Using SSL/TLS server certificates with TLS inspection configurations in the Network Firewall Developer Guide.

Settings that define the Secure Sockets Layer/Transport Layer Security (SSL/TLS) traffic that Network Firewall should decrypt for inspection by the stateful rule engine.

High-level information about the managed rule group that your own rule group is copied from. You can use the metadata to track version updates made to the originating rule group. You can retrieve all objects for a rule group by calling DescribeRuleGroup.

sealed class StatefulAction

Configuration settings for the handling of the stateful rule groups in a firewall policy.

A single Suricata rules specification, for use in a stateful rule group. Use this option to specify a simple Suricata rule with protocol, source and destination, ports, direction, and rule options. For information about the Suricata Rules format, see Rules Format.


The setting that allows the policy owner to change the behavior of the rule group within a policy.

Identifier for a single stateful rule group, used in a firewall policy to refer to a rule group.

Additional options governing how Network Firewall handles the rule group. You can only use these for stateful rule groups.


A single stateless rule. This is used in StatelessRulesAndCustomActions.

Identifier for a single stateless rule group, used in a firewall policy to refer to the rule group.

Stateless inspection criteria. Each stateless rule group uses exactly one of these data types to define its stateless rules.


The ID for a subnet that's used in an association with a firewall. This is used in CreateFirewall, AssociateSubnets, and CreateVpcEndpointAssociation. Network Firewall creates an instance of the associated firewall in each subnet that you specify, to filter traffic in the subnet's Availability Zone.

class Summary

A complex type containing summaries of security protections provided by a rule group.

A complex type that specifies which Suricata rule metadata fields to use when displaying threat information. Contains:

sealed class SummaryRuleOption
class SyncState

The status of the firewall endpoint and firewall policy configuration for a single VPC subnet. This is part of the FirewallStatus.

class Tag

A key:value pair associated with an Amazon Web Services resource. The key:value pair can be anything you define. Typically, the tag key represents a category (such as "environment") and the tag value represents a specific value within that category (such as "test," "development," or "production"). You can add up to 50 tags to each Amazon Web Services resource.

sealed class TargetType
sealed class TcpFlag

TCP flags and masks to inspect packets for, used in stateless rules MatchAttributes settings.

Unable to process the request due to throttling limitations.

Contains metadata about a Certificate Manager certificate.

The object that defines a TLS inspection configuration. This, along with TLSInspectionConfigurationResponse, define the TLS inspection configuration. You can retrieve all objects for a TLS inspection configuration by calling DescribeTLSInspectionConfiguration.

High-level information about a TLS inspection configuration, returned by ListTLSInspectionConfigurations. You can use the information provided in the metadata to retrieve and manage a TLS configuration.

The high-level properties of a TLS inspection configuration. This, along with the TLSInspectionConfiguration, define the TLS inspection configuration. You can retrieve all objects for a TLS inspection configuration by calling DescribeTLSInspectionConfiguration.


Contains information about the synchronization state of a transit gateway attachment, including its current status and any error messages. Network Firewall uses this to track the state of your transit gateway configuration changes.

A unique source IP address that connected to a domain.

The operation you requested isn't supported by Network Firewall.


A VPC endpoint association defines a single subnet to use for a firewall endpoint for a Firewall. You can define VPC endpoint associations only in the Availability Zones that already have a subnet mapping defined in the Firewall resource.

High-level information about a VPC endpoint association, returned by ListVpcEndpointAssociations. You can use the information provided in the metadata to retrieve and manage a VPC endpoint association.

Detailed information about the current status of a VpcEndpointAssociation. You can retrieve this by calling DescribeVpcEndpointAssociation and providing the VPC endpoint association ARN.