class Aws::NetworkFirewall::Types::FirewallPolicy

The firewall policy defines the behavior of a firewall using a collection of stateless and stateful rule groups and other settings. You can use one firewall policy for multiple firewalls.

This, along with FirewallPolicyResponse, define the policy. You can retrieve all objects for a firewall policy by calling DescribeFirewallPolicy.

@note When making an API call, you may pass FirewallPolicy

data as a hash:

    {
      stateless_rule_group_references: [
        {
          resource_arn: "ResourceArn", # required
          priority: 1, # required
        },
      ],
      stateless_default_actions: ["CollectionMember_String"], # required
      stateless_fragment_default_actions: ["CollectionMember_String"], # required
      stateless_custom_actions: [
        {
          action_name: "ActionName", # required
          action_definition: { # required
            publish_metric_action: {
              dimensions: [ # required
                {
                  value: "DimensionValue", # required
                },
              ],
            },
          },
        },
      ],
      stateful_rule_group_references: [
        {
          resource_arn: "ResourceArn", # required
        },
      ],
    }

@!attribute [rw] stateless_rule_group_references

References to the stateless rule groups that are used in the policy.
These define the matching criteria in stateless rules.
@return [Array<Types::StatelessRuleGroupReference>]

@!attribute [rw] stateless_default_actions

The actions to take on a packet if it doesn't match any of the
stateless rules in the policy. If you want non-matching packets to
be forwarded for stateful inspection, specify `aws:forward_to_sfe`.

You must specify one of the standard actions: `aws:pass`,
`aws:drop`, or `aws:forward_to_sfe`. In addition, you can specify
custom actions that are compatible with your standard section
choice.

For example, you could specify `["aws:pass"]` or you could specify
`["aws:pass", “customActionName”]`. For information about
compatibility, see the custom action descriptions under
CustomAction.
@return [Array<String>]

@!attribute [rw] stateless_fragment_default_actions

The actions to take on a fragmented UDP packet if it doesn't match
any of the stateless rules in the policy. Network Firewall only
manages UDP packet fragments and silently drops packet fragments for
other protocols. If you want non-matching fragmented UDP packets to
be forwarded for stateful inspection, specify `aws:forward_to_sfe`.

You must specify one of the standard actions: `aws:pass`,
`aws:drop`, or `aws:forward_to_sfe`. In addition, you can specify
custom actions that are compatible with your standard section
choice.

For example, you could specify `["aws:pass"]` or you could specify
`["aws:pass", “customActionName”]`. For information about
compatibility, see the custom action descriptions under
CustomAction.
@return [Array<String>]

@!attribute [rw] stateless_custom_actions

The custom action definitions that are available for use in the
firewall policy's `StatelessDefaultActions` setting. You name each
custom action that you define, and then you can use it by name in
your default actions specifications.
@return [Array<Types::CustomAction>]

@!attribute [rw] stateful_rule_group_references

References to the stateless rule groups that are used in the policy.
These define the inspection criteria in stateful rules.
@return [Array<Types::StatefulRuleGroupReference>]

@see docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/FirewallPolicy AWS API Documentation

Constants

SENSITIVE