AWS network firewall partner rule groups

AWS network firewall partner rule groups are contract-based signature sets that Fortinet offers to augment the basic protections of AWS Network Firewall. With these rule groups, AWS Network Firewall customers can choose prepackaged rules that match their requirements. The following lists the rule groups on offer:

| Rule group | Type | What this rule group detects |
|---|---|---|
| Fortinet-ips-client-enable-rulegroup1 | Intrusion prevention system (IPS) | Attempts to exploit vulnerabilities in common client applications, including desktop software. |
| Fortinet-ids-client-alert-rulegroup1 | Intrusion detection system (IDS) | Attempts to exploit vulnerabilities in common client applications, including desktop software. |
| Fortinet-ips-malware-enable-rulegroup1 | IPS | Communication attempts from malware backdoors, worms, and remote access trojans, including command and control traffic. |
| Fortinet-ids-malware-alert-rulegroup1 | IDS | Communication attempts from malware backdoors, worms, and remote access trojans, including command and control traffic. |
| Fortinet-ips-serveros-enable-rulegroup1 | IPS | Vulnerabilities targeting operating systems (OS) and common server applications, including DNS, email, and remote access. |
| Fortinet-ips-serveros-enable-rulegroup2 | IPS | Vulnerabilities targeting operating systems (OS) and common server applications, including DNS, email, and remote access. |
| Fortinet-ids-serveros-alert-rulegroup1 | IDS | Vulnerabilities targeting operating systems (OS) and common server applications, including DNS, email, and remote access. |
| Fortinet-ids-serveros-alert-rulegroup2 | IDS | Vulnerabilities targeting operating systems (OS) and common server applications, including DNS, email, and remote access. |
| Fortinet-ips-webclient-enable-rulegroup1 | IPS | Exploits targeting vulnerabilities in web browsers, including Chrome, Firefox, Internet Explorer, Edge, and so on. |
| Fortinet-ids-webclient-alert-rulegroup1 | IDS | Exploits targeting vulnerabilities in web browsers, including Chrome, Firefox, Internet Explorer, Edge, and so on. |
| Fortinet-ips-webapp-enable-rulegroup1 | IPS | Exploits targeting vulnerabilities in common web applications, including popular content management platforms such as WordPress and Joomla. |
| Fortinet-ids-webapp-alert-rulegroup1 | IDS | Exploits targeting vulnerabilities in common web applications, including popular content management platforms such as WordPress and Joomla. |
| Fortinet-ips-webserver-enable-rulegroup1 | IPS | Exploits targeting web server vulnerabilities, including web servers such as Apache and proxy web servers such as Squid. |
| Fortinet-ids-webserver-alert-rulegroup1 | IDS | Exploits targeting web server vulnerabilities, including web servers such as Apache and proxy web servers such as Squid. |

The listed rule groups allow network traffic to be examined for predetermined attack patterns. This is accomplished by matching incoming packets against the signatures contained in the rule groups. There are two types of rule groups:

| Type | Description |
|---|---|
| IPS | Can perform the DROP or ALERT action. If alert logging is configured, an alert is sent to the firewall logs for each matching rule. The packet is then forwarded or dropped based on the action setting in the first matched rule. Use of this rule group helps prevent the ingress of malicious traffic into the network. For information regarding stateful actions, see AWS Network Firewall - Rule Actions. |
| IDS | When a signature matches, sends an ALERT and forwards the packet to its intended destination. Using this rule group helps detect and log malicious activity without disrupting traffic. |

You can use any combination of the listed IPS and IDS rule groups in a firewall policy, as long as it is within the firewall policy rule limit of 30000 rules. When you apply IPS and IDS rule groups from the same category, the packet is evaluated against all rules with drop and alert action settings. The packet is then handled according to the action setting of the first rule that matched the packet. For information regarding stateful actions, see AWS Network Firewall - Rule Actions.

The following presents three use cases for AWS network firewall rule groups:

Use case 1: The protected network contains endpoint devices such as desktop computers, laptops, smartphones, and tablets, and must be secured against common client vulnerabilities that affect applications, as well as OS and web browser-based malware and vulnerabilities.

Applicable rule groups:

  • Fortinet-ips-client-enable-rulegroup1
  • Fortinet-ips-malware-enable-rulegroup1
  • Fortinet-ips-webclient-enable-rulegroup1

Use case 2: The protected network contains servers or hosted services, including web applications, databases, email, DNS, and other services, that must be secured against targeted attacks.

Applicable rule groups:

  • Fortinet-ips-serveros-enable-rulegroup1 and rulegroup2
  • Fortinet-ips-malware-enable-rulegroup1
  • Fortinet-ips-webapp-enable-rulegroup1
  • Fortinet-ips-webserver-enable-rulegroup1

Use case 3: You must monitor resource activity without disrupting connectivity and traffic flow.

Applicable endpoint-based rule groups:

  • Fortinet-ids-client-alert-rulegroup1
  • Fortinet-ids-malware-alert-rulegroup1
  • Fortinet-ids-webclient-alert-rulegroup1

Applicable server-based rule groups:

  • Fortinet-ids-serveros-alert-rulegroup1 and rulegroup2
  • Fortinet-ids-malware-alert-rulegroup1
  • Fortinet-ids-webapp-alert-rulegroup1
  • Fortinet-ids-webserver-alert-rulegroup1

The rules listed for the first and second use cases are of the IPS type, which means that when a signature match occurs, the packet is dropped. You can use these rule groups with their IDS counterparts to design a more robust firewall with logging of malicious activity. See AWS Network Firewall - Rule Actions. The third use case uses IDS rule groups.

Each rule group has a predefined capacity for the maximum number of rules in the rule group. You must consider the capacity when configuring the firewall policy, as the AWS firewall policy has a global rule limit of 30000 rules. Selecting seven rule groups currently occupies 20000 rules. The following shows the capacity for each rule group:

| Rule group | Capacity (maximum number of rules) |
|---|---|
| Fortinet-ips-client-enable-rulegroup1 / Fortinet-ids-client-alert-rulegroup1 | 5000 |
| Fortinet-ips-malware-enable-rulegroup1 / Fortinet-ids-malware-alert-rulegroup1 | 2000 |
| Fortinet-ips-serveros-enable-rulegroup1 / Fortinet-ids-serveros-alert-rulegroup1 | 5000 |
| Fortinet-ips-serveros-enable-rulegroup2 / Fortinet-ids-serveros-alert-rulegroup2 | 2500 |
| Fortinet-ips-webclient-enable-rulegroup1 / Fortinet-ids-webclient-alert-rulegroup1 | 1500 |
| Fortinet-ips-webapp-enable-rulegroup1 / Fortinet-ids-webapp-alert-rulegroup1 | 2500 |
| Fortinet-ips-webserver-enable-rulegroup1 / Fortinet-ids-webserver-alert-rulegroup1 | 1500 |

You cannot select rule groups with capacity that adds up to more than 30000 rules in a single firewall policy.
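The capacity limit above is the constraint that bites when the use-case recommendations are combined with their IDS counterparts, as the text suggests for a more robust design. The following is an added example, not Fortinet's or AWS's own tooling: a small budget checker that takes the capacities and the 30000-rule policy limit from this page, derives each IPS group's IDS counterpart from the naming pattern visible in the capacity table (an assumption read off the names, not a documented API), and reports whether a candidate selection fits in one firewall policy. It goes one step beyond the page by showing that all seven IPS groups plus all seven IDS counterparts (40000 rules) cannot be applied together, so a combined IPS+IDS design has to be trimmed to fit.

```python
"""Capacity budget check for a firewall policy built from the Fortinet
partner rule groups (example code, not Fortinet's or AWS's own tooling).

Capacities and the 30000-rule policy limit come from the page. The
IPS -> IDS name mapping is an assumption derived from the naming pattern
in the capacity table, where each IPS group is listed beside its IDS twin.
"""
from typing import Dict, Iterable, List, Tuple

POLICY_RULE_LIMIT = 30000  # global per-policy limit stated on the page

# Capacity (maximum number of rules) per rule group, as listed on the page.
# An IPS group and its IDS counterpart share the same capacity.
RULE_GROUP_CAPACITY: Dict[str, int] = {
    "Fortinet-ips-client-enable-rulegroup1": 5000,
    "Fortinet-ids-client-alert-rulegroup1": 5000,
    "Fortinet-ips-malware-enable-rulegroup1": 2000,
    "Fortinet-ids-malware-alert-rulegroup1": 2000,
    "Fortinet-ips-serveros-enable-rulegroup1": 5000,
    "Fortinet-ids-serveros-alert-rulegroup1": 5000,
    "Fortinet-ips-serveros-enable-rulegroup2": 2500,
    "Fortinet-ids-serveros-alert-rulegroup2": 2500,
    "Fortinet-ips-webclient-enable-rulegroup1": 1500,
    "Fortinet-ids-webclient-alert-rulegroup1": 1500,
    "Fortinet-ips-webapp-enable-rulegroup1": 2500,
    "Fortinet-ids-webapp-alert-rulegroup1": 2500,
    "Fortinet-ips-webserver-enable-rulegroup1": 1500,
    "Fortinet-ids-webserver-alert-rulegroup1": 1500,
}

# Rule groups the page recommends for the first two use cases.
USE_CASE_ENDPOINTS: List[str] = [
    "Fortinet-ips-client-enable-rulegroup1",
    "Fortinet-ips-malware-enable-rulegroup1",
    "Fortinet-ips-webclient-enable-rulegroup1",
]
USE_CASE_SERVERS: List[str] = [
    "Fortinet-ips-serveros-enable-rulegroup1",
    "Fortinet-ips-serveros-enable-rulegroup2",
    "Fortinet-ips-malware-enable-rulegroup1",
    "Fortinet-ips-webapp-enable-rulegroup1",
    "Fortinet-ips-webserver-enable-rulegroup1",
]

ALL_IPS_GROUPS: List[str] = [g for g in RULE_GROUP_CAPACITY if "-ips-" in g]


def ids_counterpart(ips_group: str) -> str:
    """Map an IPS (drop) group to its IDS (alert-only) twin.

    Assumption: 'ips-<category>-enable' <-> 'ids-<category>-alert', which
    is the pattern every pair in the page's capacity table follows.
    """
    if "-ips-" not in ips_group or "-enable-" not in ips_group:
        raise ValueError(f"not an IPS rule group name: {ips_group}")
    return ips_group.replace("-ips-", "-ids-").replace("-enable-", "-alert-")


def with_ids_counterparts(ips_groups: Iterable[str]) -> List[str]:
    """Pair each IPS group with its IDS twin (the 'IPS plus logging' design)."""
    paired: List[str] = []
    for g in ips_groups:
        paired.append(g)
        paired.append(ids_counterpart(g))
    return paired


def policy_capacity(groups: Iterable[str]) -> int:
    """Total capacity the selected rule groups reserve in one policy.

    The selection is de-duplicated first, since a policy references a given
    rule group once even if it appears in several use-case lists (the malware
    group is in both use cases above).
    """
    unique = set(groups)
    unknown = unique - RULE_GROUP_CAPACITY.keys()
    if unknown:
        raise KeyError(f"unknown rule groups: {sorted(unknown)}")
    return sum(RULE_GROUP_CAPACITY[g] for g in unique)


def check_policy(groups: Iterable[str],
                 limit: int = POLICY_RULE_LIMIT) -> Tuple[bool, int, int]:
    """Return (fits, total_capacity, headroom); headroom < 0 means over budget."""
    total = policy_capacity(groups)
    return total <= limit, total, limit - total


if __name__ == "__main__":
    for label, selection in [
        ("use case 1 (IPS only)", USE_CASE_ENDPOINTS),
        ("use case 1 with IDS counterparts", with_ids_counterparts(USE_CASE_ENDPOINTS)),
        ("all seven IPS groups", ALL_IPS_GROUPS),
        ("all IPS and IDS groups", with_ids_counterparts(ALL_IPS_GROUPS)),
    ]:
        fits, total, headroom = check_policy(selection)
        print(f"{label}: {total} rules, {'fits' if fits else 'OVER LIMIT'} (headroom {headroom})")
```

Run the file directly to see the four scenarios; the last one reports 40000 rules and a negative headroom, which is the combination the page's final sentence rules out. Check a candidate selection with `check_policy(...)` before creating the policy, so the failure is caught in review rather than by the API.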
