By using AWS re:Post, you agree to the Terms of Use

AWS CLI Updating Network Firewall Rules

0

I've been trying to determine a method to streamline/automate the updating of AWS Network firewall rules. The AWS CLI looked promising but I've consistently seen failure when trying to push a new ruleset. For example, running the command: aws network-firewall describe-rule-group --rule-group-arn <arn>

Returns the JSON as expected with the content as a flat string:

"RuleGroup": {
    "RulesSource": {
        "RulesString": "pass http $HOME_NET any -> $EXTERNAL_NET 80 (http.host; dotprefix; content:\".example.com\"; endswith; msg:\"Allowed HTTP domain\"; sid:1; rev:1;)\npass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:\"example.com\"; startswith; nocase; endswith; msg:\"matching TLS allowlisted FQDNs\"; sid:2; rev:1;)\npass http $HOME_NET any -> $EXTERNAL_NET 80 (http.host; dotprefix; content:\".google.com\"; endswith; msg:\"Allowed HTTP domain\"; sid:3; rev:1;)\npass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:\"www.google.com\"; startswith; nocase; endswith; msg:\"matching TLS allowlisted FQDNs\"; sid:4; rev:1;)\npass http $HOME_NET any -> $EXTERNAL_NET 80 (http.host; dotprefix; content:\".ubuntu.com\"; endswith; msg:\"Allowed HTTP domain\"; sid:5; rev:1;)\npass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; content:\"ipinfo.io\"; startswith; nocase; endswith; msg:\"matching TLS allowlisted FQDNs\"; sid:6; rev:1;)\npass tcp $HOME_NET any <> $EXTERNAL_NET 80 (flow:not_established; sid:899998; rev:1;)\npass tcp $HOME_NET any <> $EXTERNAL_NET 443 (flow:not_established; sid:899999; rev:1;)"

When trying to update the flat string with a new string including more entries though, I receive an error: aws network-firewall update-rule-group --cli-input-yaml file://example.yaml Error received: An error occurred (InvalidRequestException) when calling the UpdateRuleGroup operation: parameter is invalid

I've tried the JSON/YAML/CLI methods and I encounter the issue using any of those methods. I've also tried using the --rule-group vs --rules options to update. I suspected there was an issue with string formatting but I've failed to find a resolution.

Updating the rules via the console works without issue.

Could anyone provide a pointer where I'm going wrong or even a working method they are using? Not too bothered if it is via CLI, SDK etc. as I may revert to python as it is the language I know best.

1 Answer
0

Hi Dave,

Have you tried doing a "describe-rule-group" first to retrieve the UpdateToken, and then using the "update-rule-group" command with a new JSON file using --rule-group ?

There's a good step by step guide you could follow to test using Domain-list rule-group here: https://docs.aws.amazon.com/network-firewall/latest/developerguide/stateful-rule-groups-domain-names.html#stateful-rule-groups-domain-names-home-net

I've written a few Python script, CFN templates, Jinja2, REST API, etc. to update AWS NFW Rule-groups, let me know if you still need a way to update rule-groups as I might be able to help.

Regards,

-CarlosGP@

answered 2 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions