Network Firewall shows "aws:alert_strict action" when it is set with the Strict Order stateful engine option.

0

Hello,

I'm using AWS Network Firewall. Firstly, I tried to use AWS Managed Rules and an Allow Domain List custom rule with the default action order. From my understanding, the default action order is Pass -> Drop -> Alert. Then I tried to test downloading files from the allowed domain list; it always passes because the domain is allowed. The ThreatSignaturesMalwareCoinmining will not perform any actions. Am I correct?

So, I'm trying to change from the default action order to strict order. The default actions are drop:all and alert:all. I expected that the network firewall would process my rule groups by priority and the rules in each rule group in order. I copied the Suricata content from the AWS Managed Rule and created a new rule group as shown in the pictures.


My example allowed domains are AWS domains.

pass http $HOME_NET any -> $EXTERNAL_NET 80 (http.host; dotprefix; content:".amazonaws.com"; endswith; msg:"Allow HTTP traffic to .amazonaws.com"; flow:to_server, established; sid:1000101; rev:1;)

pass tls $HOME_NET any -> $EXTERNAL_NET 443 (tls.sni; dotprefix; content:".amazonaws.com"; endswith; msg:"Allow TLS traffic to .amazonaws.com"; flow:to_server, established; sid:1000102; rev:1;)

Then I added these rules to my firewall policy and I found that it still blocks the traffic to .amazonaws.com.

{
    "firewall_name": "inspector",
    "availability_zone": "ap-southeast-1a",
    "event_timestamp": "1663828976",
    "event": {
        "timestamp": "2022-09-22T06:42:56.727635+0000",
        "flow_id": 1066945104298575,
        "event_type": "alert",
        "src_ip": "10.x.x.x",
        "src_port": 23602,
        "dest_ip": "3.0.186.102",
        "dest_port": 443,
        "proto": "TCP",
        "alert": {
            "action": "blocked",
            "signature_id": 2,
            "rev": 0,
            "signature": "aws:alert_strict action",
            "category": "",
            "severity": 3
        }
    }
}

I checked that 3.0.186.102 is owned by AWS, ec2-xxx.amazonaws.com.

Why does the network firewall always block the requests to AWS domains?
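To make the strict-order behaviour in the question concrete, here is a small model of how a strict-order policy evaluates a flow: rules are tried top to bottom, the first match wins, and a flow that matches nothing falls through to the stateful default actions (drop:all plus alert:all), which is exactly what the "aws:alert_strict action" record above represents. This is an added example, not code from AWS, Suricata or the poster; it only models rule order, rule variables and the host-suffix match, not Suricata flow state, the TCP handshake or other content keywords. The CIDRs for HOME_NET and the spoke host address are constructed assumptions; the two rules are the ones posted in the question.

```python
"""Toy model of AWS Network Firewall strict-order rule evaluation.

Added example for this thread, not code from AWS or Suricata. It models
only what the question is about: rules are tried top to bottom, the first
match wins, and a flow that matches nothing falls through to the policy's
stateful default actions (drop:all / alert:all). Flow state tracking,
content matching beyond the host suffix, and the TCP handshake itself are
not modelled. Network ranges below are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Flow:
    proto: str              # transport: "tcp" or "udp"
    app: str                # detected app layer: "tls", "http", "ntp" or ""
    src_ip: str
    dst_ip: str
    dst_port: int
    server_name: str = ""   # tls.sni or http.host, when known


@dataclass
class Rule:
    action: str             # "pass", "drop" or "alert"
    proto: str              # Suricata keyword: "ip", "tcp", "udp", "tls", "http", "ntp"
    src: str                # "$HOME_NET", "$EXTERNAL_NET", "$ALL_NET" or "any"
    dst: str
    dst_port: Optional[int] # None means "any"
    host_suffix: str = ""   # dotprefix + endswith content, e.g. ".amazonaws.com"
    sid: int = 0


def address_in(ip: str, var: str, variables: dict) -> bool:
    """Resolve a rule variable. $EXTERNAL_NET is everything that is not in
    $HOME_NET, which is the Suricata default definition."""
    if var == "any":
        return True
    addr = ip_address(ip)
    if var == "$EXTERNAL_NET":
        return not any(addr in n for n in variables["$HOME_NET"])
    return any(addr in n for n in variables[var])


def matches(flow: Flow, rule: Rule, variables: dict) -> bool:
    if rule.proto == "ip":
        proto_ok = True
    elif rule.proto in ("tcp", "udp"):
        proto_ok = flow.proto == rule.proto
    else:                                   # app-layer keyword (tls, http, ntp)
        proto_ok = flow.app == rule.proto
    if not proto_ok:
        return False
    if rule.dst_port is not None and flow.dst_port != rule.dst_port:
        return False
    if not (address_in(flow.src_ip, rule.src, variables)
            and address_in(flow.dst_ip, rule.dst, variables)):
        return False
    if rule.host_suffix:
        # dotprefix prepends "." so that "amazonaws.com" itself matches the
        # suffix ".amazonaws.com" while "evilamazonaws.com" does not.
        return ("." + flow.server_name.lower()).endswith(rule.host_suffix.lower())
    return True


def evaluate(flow: Flow, rules: list, variables: dict,
             default_actions=("drop:all", "alert:all")) -> tuple:
    """Strict order: the first matching rule decides. No match -> default
    actions. With drop:all the flow is blocked; with alert:all that block is
    also logged, which is the 'aws:alert_strict action' alert in the thread."""
    for rule in rules:
        if matches(flow, rule, variables):
            return (rule.action, rule.sid)
    if "drop:all" in default_actions:
        return ("blocked (default action)", 0)
    return ("allowed (no rule, no drop:all)", 0)


# The two rules posted in the question, in priority order.
RULES = [
    Rule("pass", "http", "$HOME_NET", "$EXTERNAL_NET", 80, ".amazonaws.com", sid=1000101),
    Rule("pass", "tls", "$HOME_NET", "$EXTERNAL_NET", 443, ".amazonaws.com", sid=1000102),
]

# Constructed: HOME_NET left at the firewall VPC's own CIDR (the Network
# Firewall default) versus HOME_NET widened to cover the spoke VPCs as well.
NARROW = {"$HOME_NET": [ip_network("10.0.0.0/24")]}
WIDE = {"$HOME_NET": [ip_network("10.0.0.0/8")]}


def spoke_tls_to_aws(variables: dict) -> tuple:
    """TLS from a spoke-VPC host to an AWS endpoint, shaped like the posted log."""
    flow = Flow("tcp", "tls", "10.106.100.5", "3.0.186.102", 443,
                server_name="ec2-xxx.amazonaws.com")   # hostname shape from the post
    return evaluate(flow, RULES, variables)


if __name__ == "__main__":
    print("HOME_NET = firewall VPC only :", spoke_tls_to_aws(NARROW))
    print("HOME_NET includes spoke VPCs :", spoke_tls_to_aws(WIDE))
```

With the narrow HOME_NET the spoke host is not a $HOME_NET source, so neither pass rule matches and the flow lands on the default drop; widening HOME_NET to include the spoke CIDRs makes sid 1000102 match, which is the same effect as the HOME_NET fix mentioned later in the thread.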

4 Answers
1

Looks like the mentioned IP is blocked by the default rule. Have you added a rule to allow the TCP 3-way handshake?

Mario
answered 2 years ago
0

Thanks Mario. Sorry to disturb you, I'm not a network engineer or network expert, guys.

I set it up following the AWS blog, https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/ #4.


If I don't have the 1st rule, the centralized ingress VPC which exposes public APIs to my customers always returns 504. So I added it to allow inter-VPC connections, but I'm not sure whether this is the default behavior of the network firewall or whether it is needed because my default actions are drop all and alert all.

For NTP, thank you for your suggestion.

khamoo
answered 2 years ago
  • I don't know exactly what was defined as $ALL_NET; however, be careful, because you may allow all traffic going IN or OUT, effectively disabling protection.

  • I'm trying to allow the connection between VPCs. $ALL_NET is a huge IP range, so I reduced the scope to INGRESS_NET, EGRESS_NET and SPOKE_NET (referring to the AWS diagram). Thanks

0

Mario,

You're correct, I forgot to set the CIDR in HOME_NET.

I have more questions. Let me explain in more detail. The network firewall is in the centralized deployment model. Do I need to allow the network connectivity between my VPCs?

pass ip $ALL_NET any -> $ALL_NET any (msg:"Allow internal ALL_NET to connect each other"; sid:1001001; rev:1; metadata:created_at 2022_09_22, updated_at 2022_09_22;)

After I finished this, my public VPC is able to connect to my private VPC.

Another one: is this related to the NTP service? If yes, this rule will solve the issue, right?

pass ntp $ALL_NET any <> $EXTERNAL_NET any (msg:"Allow NTP services"; sid:1001002; rev:1; metadata:created_at 2022_09_22, updated_at 2022_09_22;)

{
    "firewall_name": "inspector",
    "availability_zone": "ap-southeast-1a",
    "event_timestamp": "1663845034",
    "event": {
        "timestamp": "2022-09-22T11:10:34.532348+0000",
        "flow_id": 1197193187434364,
        "event_type": "alert",
        "src_ip": "10.106.100.5",
        "src_port": 42875,
        "dest_ip": "144.126.242.176",
        "dest_port": 123,
        "proto": "UDP",
        "alert": {
            "action": "blocked",
            "signature_id": 2,
            "rev": 0,
            "signature": "aws:alert_strict action",
            "category": "",
            "severity": 3
        },
        "app_proto": "ntp"
    }
}

khamoo
answered 2 years ago
  • The 1st rule will allow all inter-VPC connections; however, I don't know if this is the desired state for you. You can restrict it to only certain protocols, but it all depends on the use case and what you are trying to achieve.

    Related to the NTP, I believe the mentioned rule should allow NTP traffic and resolve the issue from the logs. Also, you can slightly modify the rules and use -> instead of <>.

0

Hello Mario,

I found that some requests were blocked from the external net to my home net.

  1. An AWS endpoint is trying to connect to my Lambda ENI. How do I resolve this?

{
    "firewall_name": "inspector",
    "availability_zone": "ap-southeast-1a",
    "event_timestamp": "1663910550",
    "event": {
        "timestamp": "2022-09-23T05:22:30.383659+0000",
        "flow_id": 186598118836506,
        "event_type": "alert",
        "src_ip": "52.119.186.234",
        "src_port": 443,
        "dest_ip": "10.x.x.x",
        "dest_port": 51098,
        "proto": "TCP",
        "alert": {
            "action": "blocked",
            "signature_id": 2,
            "rev": 0,
            "signature": "aws:alert_strict action",
            "category": "",
            "severity": 3
        }
    }
}

  2. Alert from the external net to my home net when I try to reach non-whitelisted domains. Why is the external IP trying to reach my internal IP and able to reach the network firewall?

{
    "firewall_name": "inspector",
    "availability_zone": "ap-southeast-1b",
    "event_timestamp": "1663859529",
    "event": {
        "timestamp": "2022-09-22T15:12:09.683397+0000",
        "flow_id": 1773625992991748,
        "event_type": "alert",
        "src_ip": "10.x.x.x",
        "src_port": 57792,
        "dest_ip": "184.25.221.172",
        "dest_port": 80,
        "proto": "TCP",
        "alert": {
            "action": "blocked",
            "signature_id": 2,
            "rev": 0,
            "signature": "aws:alert_strict action",
            "category": "",
            "severity": 3
        },
        "http": {
            "hostname": "www.microsoft.com",
            "url": "/",
            "http_user_agent": "curl/7.79.1",
            "http_method": "GET",
            "protocol": "HTTP/1.1",
            "length": 0
        },
        "app_proto": "http"
    }
}
{
    "firewall_name": "inspector",
    "availability_zone": "ap-southeast-1a",
    "event_timestamp": "1663859530",
    "event": {
        "timestamp": "2022-09-22T15:12:10.803703+0000",
        "flow_id": 319536895860186,
        "event_type": "alert",
        "src_ip": "184.25.221.172",
        "src_port": 80,
        "dest_ip": "10.x.x.x",
        "dest_port": 36476,
        "proto": "TCP",
        "alert": {
            "action": "blocked",
            "signature_id": 2,
            "rev": 0,
            "signature": "aws:alert_strict action",
            "category": "",
            "severity": 3
        },
        "http": {
            "hostname": "www.microsoft.com",
            "url": "/",
            "http_user_agent": "curl/7.79.1",
            "http_method": "GET",
            "protocol": "HTTP/1.1",
            "length": 0
        },
        "app_proto": "http"
    }
}

khamoo
answered 2 years ago
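The three answers above all turn on reading the alert log correctly: every record with signature "aws:alert_strict action" and action "blocked" is a flow that matched no rule and fell through to drop:all, so the useful question is which direction and service those drops belong to. The script below is an added example (not AWS code and not from anyone in the thread) that parses records of the shape posted here, keeps only the default-action drops, and groups them by direction relative to HOME_NET and by service. It also flags the inbound records whose source port is a well-known port and whose destination is a high port inside HOME_NET: those are the server's reply leg of a connection a home host opened (the 52.119.186.234:443 and 184.25.221.172:80 records above), not an external host initiating a connection, so the pass rule that is missing is one for the outbound flow. The HOME_NETS range is an assumption, and the sample records are constructed from the thread's logs with the masked "x" octets filled in.

```python
"""Triage AWS Network Firewall alert logs for flows dropped by the default action.

Added example for this thread, not AWS code. It reads JSON alert records in
the shape Network Firewall emits (as posted in the thread), keeps those whose
signature is "aws:alert_strict action" (strict order, no rule matched,
drop:all + alert:all), and groups them by direction and service so the
missing pass rules become visible. HOME_NETS and the sample records are
constructed assumptions based on the thread.
"""
import json
from collections import Counter
from ipaddress import ip_address, ip_network

HOME_NETS = [ip_network("10.0.0.0/8")]   # assumption: all internal VPC space
DEFAULT_ACTION_SIG = "aws:alert_strict action"

# Constructed sample records: the thread's events with masked octets filled in,
# plus one rule-matched record that triage must ignore.
SAMPLE_LOG = [
    json.dumps({"firewall_name": "inspector", "event": {
        "src_ip": "10.106.100.5", "src_port": 42875, "dest_ip": "144.126.242.176",
        "dest_port": 123, "proto": "UDP", "app_proto": "ntp",
        "alert": {"action": "blocked", "signature": DEFAULT_ACTION_SIG}}}),
    json.dumps({"firewall_name": "inspector", "event": {
        "src_ip": "52.119.186.234", "src_port": 443, "dest_ip": "10.1.2.3",
        "dest_port": 51098, "proto": "TCP",
        "alert": {"action": "blocked", "signature": DEFAULT_ACTION_SIG}}}),
    json.dumps({"firewall_name": "inspector", "event": {
        "src_ip": "10.1.2.3", "src_port": 57792, "dest_ip": "184.25.221.172",
        "dest_port": 80, "proto": "TCP", "app_proto": "http",
        "http": {"hostname": "www.microsoft.com"},
        "alert": {"action": "blocked", "signature": DEFAULT_ACTION_SIG}}}),
    json.dumps({"firewall_name": "inspector", "event": {
        "src_ip": "184.25.221.172", "src_port": 80, "dest_ip": "10.1.2.3",
        "dest_port": 36476, "proto": "TCP", "app_proto": "http",
        "http": {"hostname": "www.microsoft.com"},
        "alert": {"action": "blocked", "signature": DEFAULT_ACTION_SIG}}}),
    json.dumps({"firewall_name": "inspector", "event": {
        "src_ip": "10.1.2.3", "src_port": 40000, "dest_ip": "198.51.100.7",
        "dest_port": 443, "proto": "TCP",
        "alert": {"action": "allowed", "signature_id": 1000102,
                  "signature": "Allow TLS traffic to .amazonaws.com"}}}),
]


def is_home(ip: str) -> bool:
    return any(ip_address(ip) in n for n in HOME_NETS)


def classify(ev: dict) -> dict:
    """Direction relative to HOME_NET plus a reply-leg heuristic: a blocked
    packet from an external well-known port to a high port inside HOME_NET
    is the server's answer to a connection a home host opened, so the rule
    that is missing is a pass for the outbound flow, not an inbound allow."""
    src_home, dst_home = is_home(ev["src_ip"]), is_home(ev["dest_ip"])
    direction = ("internal" if src_home and dst_home else
                 "outbound" if src_home else
                 "inbound" if dst_home else "transit")
    reply_leg = direction == "inbound" and ev["src_port"] < 1024 <= ev["dest_port"]
    remote_port = ev["src_port"] if reply_leg else ev["dest_port"]
    service = ev.get("app_proto") or f'{ev["proto"].lower()}/{remote_port}'
    return {"direction": direction, "reply_leg": reply_leg, "service": service,
            "hostname": ev.get("http", {}).get("hostname", "")}


def triage(lines) -> Counter:
    """Count default-action drops keyed by (direction, service, reply_leg)."""
    counts = Counter()
    for line in lines:
        ev = json.loads(line)["event"]
        alert = ev.get("alert", {})
        if alert.get("signature") != DEFAULT_ACTION_SIG or alert.get("action") != "blocked":
            continue   # decided by a real rule; not what we are hunting
        c = classify(ev)
        counts[(c["direction"], c["service"], c["reply_leg"])] += 1
    return counts


if __name__ == "__main__":
    for (direction, service, reply), n in sorted(triage(SAMPLE_LOG).items()):
        tag = "  (reply leg of an outbound flow)" if reply else ""
        print(f"{n:3d}  {direction:8s} {service}{tag}")
```

Run against a real log export (one JSON object per line, as the thread shows), the grouped output separates "write a pass rule for outbound NTP" from "write a pass rule for inbound service X" and keeps reply packets from being mistaken for inbound connection attempts.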
