Unable to create stateful firewall rule groups when using strict order #23
Comments
|
Hello @tbmorris, I have tested your code snippet in a commercial region (us-east-1) and GovCloud (us-gov-west-1) on v1.2.2 and it works as expected to create a STRICT_ORDER rule group. (Note: I did have to remove the colon after the name of your rule group; that is incorrect YAML syntax and was caught in config validation). Please let us know if removing the colon helps. I will keep the issue open for tracking purposes. |
|
Working config snippet: |
|
I wish the error was something that was actually in my code, but the colon was added when I copied the code over. My actual code does not have the colon. |
|
I guess I should add that in my original code, I had several rules. I shortened the code for the sake of putting it on here, and realized that I may have cut out too much. I apologize for not putting the whole thing out. Here is what just failed for me. In the end, I want to create a stateful firewall rule and add it to the firewall-policy policy. I attached the CodeBuild log with the error that states: Failed resources:361 | AWSAccelerator-NetworkPrepStack-031334266292-us-gov-west-1 | 5:37:28 PM | UPDATE_FAILED | AWS::NetworkFirewall::RuleGroup | WorkloadToSharedServicesNetworkFirewallRuleGroup (WorkloadToSharedServicesNetworkFirewallRuleGroupF03E5CD4) Resource handler returned message: "parameter is invalid, parameter: [STRICT_ORDER] (Service: NetworkFirewall, Status Code: 400, Request ID: 1d8b0d67-1b01-4663-bac3-b373e62d8cd0)" (RequestToken: 2f770aa3-8692-250b-4a12-0b7914ae6901, HandlerErrorCode: InvalidRequest) centralNetworkServices:
delegatedAdminAccount: Network
networkFirewall:
firewalls:
- name: core-network-firewall
region: *HOME_REGION
firewallPolicy: accelerator-policy
subnets:
- Network-Inspection-Firewall-A
- Network-Inspection-Firewall-B
vpc: Network-Inspection
loggingConfiguration:
- destination: s3
type: ALERT
- destination: cloud-watch-logs
type: FLOW
policies:
- name: accelerator-policy
regions:
- *HOME_REGION
firewallPolicy:
statelessDefaultActions: ['aws:forward_to_sfe']
statelessFragmentDefaultActions: ['aws:forward_to_sfe']
# statefulDefaultActions: ['']
# statefulEngineOptions: 'STRICT_ORDER'
statefulRuleGroups:
- name: domain-list-group
# - name: workload-to-shared-services
# - name: explicit-deny
shareTargets:
organizationalUnits:
- Infrastructure
- name: firewall-policy
regions:
- *HOME_REGION
firewallPolicy:
statelessDefaultActions: ['aws:forward_to_sfe']
statelessFragmentDefaultActions: ['aws:forward_to_sfe']
statefulDefaultActions: ['aws:drop_strict']
statefulEngineOptions: 'STRICT_ORDER'
statefulRuleGroups:
# - name: domain-list-group
# - name: workload-to-shared-services
# priority: 1
# - name: explicit-deny
# priority: 100
shareTargets:
organizationalUnits:
- Infrastructure
rules:
- name: workload-to-shared-services
regions:
- *HOME_REGION
capacity: 100
type: STATEFUL
ruleGroup:
rulesSource:
statefulRules:
- action: PASS
header:
destination: 10.0.0.0/24
destinationPort: '80'
direction: FORWARD
protocol: TCP
source: 10.50.0.0/20
sourcePort: Any
ruleOptions:
- keyword: sid
settings: ['1']
# - action: PASS
# header:
# destination: 10.0.0.0/24
# destinationPort: '80'
# direction: FORWARD
# protocol: TCP
# source: 10.50.16.0/20
# sourcePort: Any
# ruleOptions:
# - keyword: sid
# settings: ['2']
# - action: PASS
# header:
# destination: 10.0.0.0/24
# destinationPort: '80'
# direction: FORWARD
# protocol: TCP
# source: 10.50.32.0/20
# sourcePort: Any
# ruleOptions:
# - keyword: sid
# settings: ['3']
statefulRuleOptions: "STRICT_ORDER"
- name: explicit-deny
regions:
- *HOME_REGION
capacity: 10
type: STATEFUL
ruleGroup:
rulesSource:
statefulRules:
- action: DROP
header:
destination: 0.0.0.0/0
destinationPort: ANY
direction: FORWARD
protocol: IP
source: 0.0.0.0/0
sourcePort: ANY
ruleOptions:
- keyword: priority
settings: ['100']
- keyword: sid
settings: ['100']
- name: domain-list-group
regions:
- *HOME_REGION
capacity: 10
type: STATEFUL
ruleGroup:
rulesSource:
rulesSourceList:
generatedRulesType: DENYLIST
# Add/Modify the domain list per business needs.
targets: ['.google.com']
targetTypes: ['TLS_SNI', 'HTTP_HOST']
ruleVariables:
ipSets:
name: HOME_NET
definition:
- 10.0.0.0/16
- 10.1.0.0/16
- 192.168.0.0/16
portSets:
name: HOME_NET
definition:
- '80'
- '443' |
|
I have tested you latest configuration for the centralNetworkServices in both us-east-1 and us-gov-wesst-1 regions. I was unable to replicate the issue. For reference I have attached the complete network-config.yaml file I used. |
|
Could not reproduce. Closing issue. |
|
Sorry for the late response. I have been playing with the code a lot since you posted (plus life happens and I got pulled in other directions). It appears that the issue was not the code itself, but changing the code. The first time I created the firewall rule, I did not have |
Describe the bug
Creating a stateful firewall rule group fails when using strict order.
To Reproduce
Add
statefulRuleOptions: "STRICT_ORDER"to a stateful firewall rule group in network-config.yaml.Expected behavior
Create a stateful firewall rule group with rule option strict order with no error.
Please complete the following information about the solution:
Additional context
Attached is the CodeBuild error log. I'm sure that I have the correct code because it failed earlier in the Build stage when, I believe, the solution goes through code verification. I changed the code to the snippet above to get past the error, but now it fails at the Network_Prepare stage of Deploy.
firewall-rule-error.txt
The text was updated successfully, but these errors were encountered: