Modify Customer Firewall Rules
Steps
- Log in to AWS
  - Access the customer's account.
- Navigate to VPC
  - In AWS, search for "VPC".
  - Open the VPC Dashboard.
- Locate Network Firewall Rule Groups
  - In the VPC Dashboard, go to Network Firewall > Network Firewall Rule Groups.
  - Find one of the following rule groups:
    - Combine-Custom-Overrides
    - Combine-Custom-Rule-Group
  - Note: Which of the two names is present depends on the age of the deployment.
- Edit the Rule Set
  - Click on the rule set name.
  - Locate the "Rules" bubble on the page and click Edit.
  - Tip: The rule edit textbox can be expanded using the handle in the bottom-right corner.
  - All rules are Suricata-compatible rule strings.
- Modify Rules
  - For HTTPS traffic: Look for the pre-existing pass tls and pass http rules and add matching ones for the new domain.
  - For TCP traffic: Add rules to accommodate multiple protocol types if needed.
Example Rules
Domain Name-Based Rule for HTTPS
pass tls any any -> any any (msg:"White List"; flow:to_server; tls.sni; content:"labs-us-1.customer.com"; nocase; endswith; ssl_state:client_hello; sid:1005; rev:1;)
pass http any any -> any any (msg:"White List"; content:"labs-us-1.customer.com"; http_host; endswith; sid:1006; rev:1;)
- Notes:
  - The content tag contains the target domain name.
  - Ensure there are:
    - No slashes (/) at the end of the domain name.
    - No http or https prefix in the domain name.
  - The sid and rev numbers at the end of each rule must be unique within the rule group; a duplicate sid causes the rule group update to be rejected.
Static IP Address-Based Rule for TCP Traffic
pass tcp any any -> 123.219.224.223 any (msg:"White List TLS for labs-us-1.customer.com IP"; flow:to_server, established; sid:1007; rev:1;)
pass tcp any any -> 123.197.107.234 any (msg:"White List TLS for labs-us-1.customer.com IP"; flow:to_server, established; sid:1008; rev:1;)
pass tcp any any -> 123.219.224.179 any (msg:"White List TLS for labs-us-1.customer.com IP"; flow:to_server, established; sid:1009; rev:1;)
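As an added offline check (not part of this runbook or of AWS's own tooling), the following Python builds the pass tls/pass http pair for a new domain and the per-IP pass tcp rules shown above, enforcing the notes (bare hostname, no scheme prefix, no trailing slash, valid IP) and choosing sids that do not collide with those already in the rule group. The existing-rules sample and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of an existing rule group body (not a real customer's rule set).
EXISTING_RULES = """\
pass tls any any -> any any (msg:"White List"; flow:to_server; tls.sni; content:"labs-us-1.customer.com"; nocase; endswith; ssl_state:client_hello; sid:1005; rev:1;)
pass http any any -> any any (msg:"White List"; content:"labs-us-1.customer.com"; http_host; endswith; sid:1006; rev:1;)
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
HOST_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$")

def normalize_host(value):
    """Enforce the notes: bare hostname, no scheme prefix, no path or trailing slash."""
    host = value.strip().lower()
    if "://" in host:
        raise ValueError("drop the http/https prefix: %r" % value)
    if "/" in host:
        raise ValueError("no slashes allowed in the content match: %r" % value)
    if not HOST_RE.match(host):
        raise ValueError("not a valid hostname: %r" % value)
    return host

def duplicate_sids(rules):
    """sids that occur more than once; every sid in the rule group must be unique."""
    sids = [int(m.group(1)) for m in SID_RE.finditer(rules)]
    return sorted({s for s in sids if sids.count(s) > 1})

def next_free_sid(rules):
    """One past the highest sid already in the rule group (1000 if it is empty)."""
    return max((int(m.group(1)) for m in SID_RE.finditer(rules)), default=999) + 1

def build_https_rules(hostname, existing_rules):
    """pass tls + pass http rules for one allow-listed domain, with fresh unique sids."""
    host, sid = normalize_host(hostname), next_free_sid(existing_rules)
    tls = ('pass tls any any -> any any (msg:"White List"; flow:to_server; tls.sni; '
           'content:"%s"; nocase; endswith; ssl_state:client_hello; sid:%d; rev:1;)' % (host, sid))
    http = ('pass http any any -> any any (msg:"White List"; content:"%s"; '
            'http_host; endswith; sid:%d; rev:1;)' % (host, sid + 1))
    return [tls, http]

def build_tcp_rules(hostname, ips, existing_rules):
    """One pass tcp rule per static IP, mirroring the TCP example; IPs are validated."""
    host, sid = normalize_host(hostname), next_free_sid(existing_rules)
    rules = []
    for offset, ip in enumerate(ips):
        addr = ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        rules.append('pass tcp any any -> %s any (msg:"White List TLS for %s IP"; '
                     'flow:to_server, established; sid:%d; rev:1;)' % (addr, host, sid + offset))
    return rules
```

Paste the returned strings into the rule group editor only after duplicate_sids() on the combined text returns an empty list.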