AWS network firewall partner rule groups
AWS network firewall partner rule groups are contract-based firewall signatures that Fortinet offers to augment the basic protections that AWS Network Firewall offers. With these rule groups, AWS Network Firewall customers can choose prepackaged rules based on their requirements. The following lists the rule groups on offer:
| Rule group | Type | What this rule group detects |
|---|---|---|
| Fortinet-ips-client-enable-rulegroup1 | Intrusion prevention system (IPS) | Attempts to exploit vulnerabilities in common client applications, including desktop software. |
| Fortinet-ids-client-alert-rulegroup1 | Intrusion detection system (IDS) | Attempts to exploit vulnerabilities in common client applications, including desktop software. |
| Fortinet-ips-malware-enable-rulegroup1 | IPS | Communication attempts from malware backdoors, worms, and remote access trojans, including command and control traffic. |
| Fortinet-ids-malware-alert-rulegroup1 | IDS | Communication attempts from malware backdoors, worms, and remote access trojans, including command and control traffic. |
| Fortinet-ips-serveros-enable-rulegroup1 | IPS | Vulnerabilities targeting operating systems (OS) and common server applications, including DNS, email, and remote access. |
| Fortinet-ips-serveros-enable-rulegroup2 | IPS | Vulnerabilities targeting operating systems (OS) and common server applications, including DNS, email, and remote access. |
| Fortinet-ids-serveros-alert-rulegroup1 | IDS | Vulnerabilities targeting operating systems (OS) and common server applications, including DNS, email, and remote access. |
| Fortinet-ids-serveros-alert-rulegroup2 | IDS | Vulnerabilities targeting operating systems (OS) and common server applications, including DNS, email, and remote access. |
| Fortinet-ips-webclient-enable-rulegroup1 | IPS | Exploits targeting vulnerabilities in web browsers, including Chrome, Firefox, Internet Explorer, Edge, and so on. |
| Fortinet-ids-webclient-alert-rulegroup1 | IDS | Exploits targeting vulnerabilities in web browsers, including Chrome, Firefox, Internet Explorer, Edge, and so on. |
| Fortinet-ips-webapp-enable-rulegroup1 | IPS | Exploits targeting vulnerabilities in common web applications, including popular content management platforms such as WordPress and Joomla. |
| Fortinet-ids-webapp-alert-rulegroup1 | IDS | Exploits targeting vulnerabilities in common web applications, including popular content management platforms such as WordPress and Joomla. |
| Fortinet-ips-webserver-enable-rulegroup1 | IPS | Exploits targeting web server vulnerabilities, including web servers such as Apache and proxy web servers such as Squid. |
| Fortinet-ids-webserver-alert-rulegroup1 | IDS | Exploits targeting web server vulnerabilities, including web servers such as Apache and proxy web servers such as Squid. |
The listed rule groups allow network traffic to be examined for predetermined attack patterns. This is accomplished by matching incoming packets against the signatures contained in the rule groups. There are two types of rule groups:
| Type | Description |
|---|---|
| IPS | Can perform the DROP or ALERT action. If alert logging is configured, an alert is sent to the firewall logs for each matching rule. The packet is then forwarded or dropped based on the action setting in the first matched rule. Use of this rule group helps prevent the ingress of malicious traffic into the network. For information regarding stateful actions, see AWS Network Firewall - Rule Actions. |
| IDS | When a signature matches, sends an ALERT and forwards the packet to its intended destination. Using this rule group helps detect and log malicious activity without disrupting traffic. |
You can use any combination of the listed IPS and IDS rule groups in a firewall policy, as long as it is within the firewall policy rule limit of 30000 rules. When you apply IPS and IDS rule groups from the same category, the packet is evaluated against all rules with drop and alert action settings. The packet is then handled according to the action setting of the first rule that matched the packet. For information regarding stateful actions, see AWS Network Firewall - Rule Actions.
The following presents three use cases for AWS network firewall rule groups:
| Use case | Applicable rule groups |
|---|---|
| If the protected network contains endpoint devices such as desktop computers, laptops, smartphones, and tablets, you must secure the network against common client vulnerabilities that affect applications, as well as OS and web browser-based malware and vulnerabilities. | |
| If the protected network contains servers or hosted services, including web applications, databases, email, DNS, and other services, these must be secured against targeted attacks. | |
| Scenario where you must monitor resource activity without disrupting connectivity and traffic flow. | Endpoint-based rule groups: Server-based rule groups: |
The rules listed for the first and second use cases are of the IPS type, which means that when a signature match occurs, the packet is dropped. You can use these rule groups with their IDS counterparts to design a more robust firewall with logging of malicious activity. See AWS Network Firewall - Rule Actions. The third use case uses IDS rule groups.
Each rule group has a predefined capacity, which is the maximum number of rules in the rule group. You must consider this capacity when configuring the firewall policy, because an AWS firewall policy has a global rule limit of 30000 rules. Selecting seven rule groups (one from each row of the table below) currently occupies 20000 rules. The following shows the capacity for each rule group:
| Rule group | Capacity (maximum number of rules) |
|---|---|
| Fortinet-ips-client-enable-rulegroup1 / Fortinet-ids-client-alert-rulegroup1 | 5000 |
| Fortinet-ips-malware-enable-rulegroup1 / Fortinet-ids-malware-alert-rulegroup1 | 2000 |
| Fortinet-ips-serveros-enable-rulegroup1 / Fortinet-ids-serveros-alert-rulegroup1 | 5000 |
| Fortinet-ips-serveros-enable-rulegroup2 / Fortinet-ids-serveros-alert-rulegroup2 | 2500 |
| Fortinet-ips-webclient-enable-rulegroup1 / Fortinet-ids-webclient-alert-rulegroup1 | 1500 |
| Fortinet-ips-webapp-enable-rulegroup1 / Fortinet-ids-webapp-alert-rulegroup1 | 2500 |
| Fortinet-ips-webserver-enable-rulegroup1 / Fortinet-ids-webserver-alert-rulegroup1 | 1500 |
You cannot select rule groups with capacity that adds up to more than 30000 rules in a single firewall policy.
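The following is an added example (not Fortinet's or AWS's own code) that budgets the capacity of a chosen set of partner rule groups against the 30000-rule policy limit described above, covering both the IPS/IDS combination rule and the capacity table. The `reserved` parameter, for capacity already used by your own stateful rule groups in the same policy, is an assumption; the page does not define it.

```python
# Constructed example: capacity budgeting for a firewall policy built from the
# Fortinet partner rule groups listed on this page.

# Capacity per category/suffix, taken from the capacity table. The IDS rule
# group of each category has the same capacity as its IPS counterpart.
CATEGORY_CAPACITY = {
    "client-rulegroup1": 5000,
    "malware-rulegroup1": 2000,
    "serveros-rulegroup1": 5000,
    "serveros-rulegroup2": 2500,
    "webclient-rulegroup1": 1500,
    "webapp-rulegroup1": 2500,
    "webserver-rulegroup1": 1500,
}
POLICY_RULE_LIMIT = 30000  # global firewall policy rule limit stated on this page


def rule_group_capacity(name: str) -> int:
    """Capacity of a partner rule group, parsed from its name.

    Names have the form Fortinet-<ips|ids>-<category>-<enable|alert>-rulegroupN.
    """
    parts = name.split("-")
    if len(parts) != 5 or parts[0] != "Fortinet":
        raise ValueError(f"not a Fortinet partner rule group name: {name}")
    _, kind, category, action, suffix = parts
    if (kind, action) not in {("ips", "enable"), ("ids", "alert")}:
        raise ValueError(f"type/action mismatch in {name}")
    key = f"{category}-{suffix}"
    if key not in CATEGORY_CAPACITY:
        raise ValueError(f"unknown rule group: {name}")
    return CATEGORY_CAPACITY[key]


def plan_policy(rule_groups, reserved=0):
    """Return (used, remaining, fits) for a policy referencing the given groups.

    `reserved` is an assumed parameter for capacity already consumed by your own
    stateful rule groups. Duplicates count once: a policy references a group once.
    """
    used = reserved + sum(rule_group_capacity(rg) for rg in set(rule_groups))
    return used, POLICY_RULE_LIMIT - used, used <= POLICY_RULE_LIMIT


def ids_counterpart(ips_name: str) -> str:
    """Map an IPS (enable) rule group name to its IDS (alert) counterpart."""
    return ips_name.replace("-ips-", "-ids-", 1).replace("-enable-", "-alert-", 1)


# One IPS group per capacity row: the page's "seven rule groups" case (20000 rules).
ALL_IPS = [f"Fortinet-ips-{k.split('-')[0]}-enable-{k.split('-')[1]}" for k in CATEGORY_CAPACITY]

if __name__ == "__main__":
    print(plan_policy(ALL_IPS))  # fits, 10000 rules remain
    print(plan_policy(ALL_IPS + [ids_counterpart(g) for g in ALL_IPS]))  # 40000, does not fit
```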