I have been trying to create a STATEFUL firewall policy that incorporates my ALLOW Domain List and some stateful rules. I would like to do this with STRICT_ORDER to follow AWS recommended practices.
When I try to combine a STRICT_ORDER rule and a Domain List, TFE errors out on me complaining about Priority. However, I do have priorities for all my rules.
Error: creating NetworkFirewall Firewall Policy (strict-order-network-firewall-policy): InvalidRequestException: ResourceArn has invalid rule order, parameter: [arn:aws:network-firewall:us-east-1::stateful-rulegroup/managed-domain-list-wildcards], context: StatefulRuleGroupReferences[0].ResourceArn
with aws_networkfirewall_firewall_policy.strict-order-network-firewall-policy
TF documentation on rule groups with a big NOTE:
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_rule_group
The above has a note that STRICT_ORDER is not allowed with the Terraform Provider for AWS Network Firewall Rule Groups of rules_source type rules_source_list.
I believe this is why it fails and that I have to revert to using default ACTION ordering. In the AWS Console, however, I can ClickOps a STATEFUL policy together that includes a STRICT_ORDER, priority-numbered list with both a Domain List at priority 1 and a STATEFUL rule at priority 2.
Is this a Terraform limitation or am I missing something?
Code example that errors on invalid priority:
resource "aws_networkfirewall_firewall_policy" "strict-order-network-firewall-policy" {
  name = "strict-order-network-firewall-policy"

  firewall_policy {
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]

    stateful_engine_options {
      rule_order = "STRICT_ORDER"
    }

    stateful_default_actions = ["aws:drop_established", "aws:alert_established"]

    # Stateful rule group written as Suricata rules (allows DNS).
    stateful_rule_group_reference {
      priority     = 1
      resource_arn = "arn:aws:network-firewall:${var.region}:${var.aws_account_id}:stateful-rulegroup/allow-dns-stateful"
    }

    # Domain list rule group (rules_source_list); this reference triggers the error.
    stateful_rule_group_reference {
      priority     = 2
      resource_arn = "arn:aws:network-firewall:${var.region}:${var.aws_account_id}:stateful-rulegroup/managed-domain-list-wildcards"
    }
  }
}
I spoke with an AWS Network Firewall solutions architect. There is no feature parity between using IaC and the Console. He suggested abandoning my design and doing EVERYTHING using Suricata rules, including domain lists. He said this is how most Enterprises who do IaC are implementing AWS Network Firewall.
Looks like for now it's expected to get errors if you try to mix and match Strict Order, Stateful Rules, and Domain lists in a policy. He also shared some best practices, like only using "Drop Established" so you get full header info, and using Stateful rules, never Stateless rules.
https://aws.github.io/aws-security-services-best-practices/guides/network-firewall/
Hi @michael.dodd,
Did it work in the end?
I'm just trying to add the AWS default stateful rule-group sets and keep getting exactly the same error, regardless of whatever I try:
│ Error: creating NetworkFirewall Firewall Policy (znpexc-ibc-aut-policy-anf): operation error Network Firewall: CreateFirewallPolicy, https response error StatusCode: 400, RequestID: 7c7e277c-6f11-4962-8ad6-cc2517ef218e, InvalidRequestException: ResourceArn has invalid rule order, parameter: [arn:aws:network-firewall:eu-west-2:72xxxxxxxxxx:stateful-rulegroup/ThreatSignaturesBotnetActionOrder], context: StatefulRuleGroupReferences[0].ResourceArn
resource "aws_networkfirewall_firewall_policy" "this" {
  name = "${var.prefix}-policy-${var.firewall_name}"

  firewall_policy {
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]

    stateful_engine_options {
      rule_order = "STRICT_ORDER"
    }

    stateful_default_actions = [
      "aws:drop_established",
      "aws:alert_established",
    ]

    ## Stateful Rule Group References, one per ARN in the list
    dynamic "stateful_rule_group_reference" {
      for_each = local.stateful_group_arns
      content {
        # Priority is the 1-based position of the ARN in the list.
        priority = index(
          local.stateful_group_arns,
          stateful_rule_group_reference.value
        ) + 1
        resource_arn = stateful_rule_group_reference.value
      }
    }
  }
}
I followed the NFW reference guide that you pasted above and cannot figure out what I'm doing wrong or differently. Is there any way you can shed some light on it?
-S
Yes, you must abandon that design pattern and switch to using the Suricata rule format as infrastructure as code.
You can do everything you need, and more, with Suricata rules, including allow lists.
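Added example for both the solutions architect's advice earlier in the thread and the reply above (this is not code from either poster): a domain allow list expressed as Suricata rules in a STRICT_ORDER stateful rule group, plus a STRICT_ORDER policy that references it. Because the rule group uses rules_string rather than rules_source_list, the provider's restriction on STRICT_ORDER does not apply. The resource names, HOME_NET CIDR, domain, ports and SIDs are assumptions; replace them with your own.

```hcl
# Added example (not from the original thread). Names, CIDRs, domains and SIDs
# are assumptions; the schema is the hashicorp/aws provider's
# aws_networkfirewall_rule_group and aws_networkfirewall_firewall_policy.

variable "home_net_cidrs" {
  type    = list(string)
  default = ["10.0.0.0/16"] # assumed VPC range
}

# Suricata equivalent of a rules_source_list domain allow list.
# "dotprefix" plus "endswith" on the SNI / Host header matches example.com
# and any subdomain, which is what a ".example.com" wildcard entry does.
resource "aws_networkfirewall_rule_group" "allow_domains_suricata" {
  name     = "allow-domains-suricata"
  type     = "STATEFUL"
  capacity = 100

  rule_group {
    rule_variables {
      ip_sets {
        key = "HOME_NET"
        ip_set {
          definition = var.home_net_cidrs
        }
      }
    }

    rules_source {
      # Terraform only interpolates "${...}", so "$HOME_NET" reaches Suricata untouched.
      rules_string = <<-EOT
        pass tls  $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; dotprefix; content:".example.com"; nocase; endswith; msg:"allow example.com over TLS"; flow:to_server; sid:100001; rev:1;)
        pass http $HOME_NET any -> $EXTERNAL_NET 80  (http.host; dotprefix; content:".example.com"; nocase; endswith; msg:"allow example.com over HTTP"; flow:to_server; sid:100002; rev:1;)
        pass udp  $HOME_NET any -> $EXTERNAL_NET 53  (msg:"allow outbound DNS"; sid:100003; rev:1;)
      EOT
    }

    # Allowed here because the source is rules_string, not rules_source_list.
    stateful_rule_options {
      rule_order = "STRICT_ORDER"
    }
  }
}

resource "aws_networkfirewall_firewall_policy" "strict_order" {
  name = "strict-order-network-firewall-policy"

  firewall_policy {
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]

    stateful_engine_options {
      rule_order = "STRICT_ORDER"
    }

    # Anything not matched by a pass rule is dropped (and alerted) once the
    # flow is established, so the group needs no explicit drop rules. Using
    # drop_established rather than drop_strict lets the TLS ClientHello (and
    # therefore the SNI) reach the engine before the verdict.
    stateful_default_actions = ["aws:drop_established", "aws:alert_established"]

    stateful_rule_group_reference {
      priority     = 1
      resource_arn = aws_networkfirewall_rule_group.allow_domains_suricata.arn
    }
  }
}
```

Two things to check after applying this: the pass rules only see the plaintext SNI or Host header, so a client that does not send one (or sends a different one than it connects to) is dropped by the default action rather than matched, and the alert_established default action means every such drop shows up in the firewall's alert logs, which is the quickest way to confirm the allow list is behaving as intended.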