Copyright | (c) 2013-2021 Brendan Hay |
---|---|
License | Mozilla Public License, v. 2.0. |
Maintainer | Brendan Hay <brendan.g.hay+amazonka@gmail.com> |
Stability | auto-generated |
Portability | non-portable (GHC extensions) |
Safe Haskell | None |
- Service Configuration
- Errors
- AttachmentStatus
- ConfigurationSyncState
- FirewallStatusValue
- GeneratedRulesType
- LogDestinationType
- LogType
- PerObjectSyncStatus
- ResourceStatus
- RuleGroupType
- RuleOrder
- StatefulAction
- StatefulRuleDirection
- StatefulRuleProtocol
- TCPFlag
- TargetType
- ActionDefinition
- Address
- Attachment
- CustomAction
- Dimension
- Firewall
- FirewallMetadata
- FirewallPolicy
- FirewallPolicyMetadata
- FirewallPolicyResponse
- FirewallStatus
- Header
- IPSet
- LogDestinationConfig
- LoggingConfiguration
- MatchAttributes
- PerObjectStatus
- PortRange
- PortSet
- PublishMetricAction
- RuleDefinition
- RuleGroup
- RuleGroupMetadata
- RuleGroupResponse
- RuleOption
- RuleVariables
- RulesSource
- RulesSourceList
- StatefulEngineOptions
- StatefulRule
- StatefulRuleGroupReference
- StatefulRuleOptions
- StatelessRule
- StatelessRuleGroupReference
- StatelessRulesAndCustomActions
- SubnetMapping
- SyncState
- TCPFlagField
- Tag
Synopsis
- defaultService :: Service
- _LogDestinationPermissionException :: AsError a => Getting (First ServiceError) a ServiceError
- _InvalidRequestException :: AsError a => Getting (First ServiceError) a ServiceError
- _UnsupportedOperationException :: AsError a => Getting (First ServiceError) a ServiceError
- _ResourceOwnerCheckException :: AsError a => Getting (First ServiceError) a ServiceError
- _InvalidResourcePolicyException :: AsError a => Getting (First ServiceError) a ServiceError
- _ThrottlingException :: AsError a => Getting (First ServiceError) a ServiceError
- _InternalServerError :: AsError a => Getting (First ServiceError) a ServiceError
- _InvalidTokenException :: AsError a => Getting (First ServiceError) a ServiceError
- _InvalidOperationException :: AsError a => Getting (First ServiceError) a ServiceError
- _InsufficientCapacityException :: AsError a => Getting (First ServiceError) a ServiceError
- _ResourceNotFoundException :: AsError a => Getting (First ServiceError) a ServiceError
- _LimitExceededException :: AsError a => Getting (First ServiceError) a ServiceError
- newtype AttachmentStatus where
- AttachmentStatus' { }
- pattern AttachmentStatus_CREATING :: AttachmentStatus
- pattern AttachmentStatus_DELETING :: AttachmentStatus
- pattern AttachmentStatus_READY :: AttachmentStatus
- pattern AttachmentStatus_SCALING :: AttachmentStatus
- newtype ConfigurationSyncState where
- newtype FirewallStatusValue where
- newtype GeneratedRulesType where
- newtype LogDestinationType where
- newtype LogType where
- LogType' {
- fromLogType :: Text
- pattern LogType_ALERT :: LogType
- pattern LogType_FLOW :: LogType
- LogType' {
- newtype PerObjectSyncStatus where
- newtype ResourceStatus where
- ResourceStatus' { }
- pattern ResourceStatus_ACTIVE :: ResourceStatus
- pattern ResourceStatus_DELETING :: ResourceStatus
- newtype RuleGroupType where
- RuleGroupType' { }
- pattern RuleGroupType_STATEFUL :: RuleGroupType
- pattern RuleGroupType_STATELESS :: RuleGroupType
- newtype RuleOrder where
- RuleOrder' { }
- pattern RuleOrder_DEFAULT_ACTION_ORDER :: RuleOrder
- pattern RuleOrder_STRICT_ORDER :: RuleOrder
- newtype StatefulAction where
- StatefulAction' { }
- pattern StatefulAction_ALERT :: StatefulAction
- pattern StatefulAction_DROP :: StatefulAction
- pattern StatefulAction_PASS :: StatefulAction
- newtype StatefulRuleDirection where
- newtype StatefulRuleProtocol where
- StatefulRuleProtocol' { }
- pattern StatefulRuleProtocol_DCERPC :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_DHCP :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_DNS :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_FTP :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_HTTP :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_ICMP :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_IKEV2 :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_IMAP :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_IP :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_KRB5 :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_MSN :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_NTP :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_SMB :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_SMTP :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_SSH :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_TCP :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_TFTP :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_TLS :: StatefulRuleProtocol
- pattern StatefulRuleProtocol_UDP :: StatefulRuleProtocol
- newtype TCPFlag where
- TCPFlag' {
- fromTCPFlag :: Text
- pattern TCPFlag_ACK :: TCPFlag
- pattern TCPFlag_CWR :: TCPFlag
- pattern TCPFlag_ECE :: TCPFlag
- pattern TCPFlag_FIN :: TCPFlag
- pattern TCPFlag_PSH :: TCPFlag
- pattern TCPFlag_RST :: TCPFlag
- pattern TCPFlag_SYN :: TCPFlag
- pattern TCPFlag_URG :: TCPFlag
- TCPFlag' {
- newtype TargetType where
- TargetType' { }
- pattern TargetType_HTTP_HOST :: TargetType
- pattern TargetType_TLS_SNI :: TargetType
- data ActionDefinition = ActionDefinition' {}
- newActionDefinition :: ActionDefinition
- actionDefinition_publishMetricAction :: Lens' ActionDefinition (Maybe PublishMetricAction)
- data Address = Address' {}
- newAddress :: Text -> Address
- address_addressDefinition :: Lens' Address Text
- data Attachment = Attachment' {}
- newAttachment :: Attachment
- attachment_status :: Lens' Attachment (Maybe AttachmentStatus)
- attachment_subnetId :: Lens' Attachment (Maybe Text)
- attachment_endpointId :: Lens' Attachment (Maybe Text)
- data CustomAction = CustomAction' {}
- newCustomAction :: Text -> ActionDefinition -> CustomAction
- customAction_actionName :: Lens' CustomAction Text
- customAction_actionDefinition :: Lens' CustomAction ActionDefinition
- data Dimension = Dimension' {}
- newDimension :: Text -> Dimension
- dimension_value :: Lens' Dimension Text
- data Firewall = Firewall' {
- firewallArn :: Maybe Text
- firewallPolicyChangeProtection :: Maybe Bool
- subnetChangeProtection :: Maybe Bool
- deleteProtection :: Maybe Bool
- description :: Maybe Text
- tags :: Maybe (NonEmpty Tag)
- firewallName :: Maybe Text
- firewallPolicyArn :: Text
- vpcId :: Text
- subnetMappings :: [SubnetMapping]
- firewallId :: Text
- newFirewall :: Text -> Text -> Text -> Firewall
- firewall_firewallArn :: Lens' Firewall (Maybe Text)
- firewall_firewallPolicyChangeProtection :: Lens' Firewall (Maybe Bool)
- firewall_subnetChangeProtection :: Lens' Firewall (Maybe Bool)
- firewall_deleteProtection :: Lens' Firewall (Maybe Bool)
- firewall_description :: Lens' Firewall (Maybe Text)
- firewall_tags :: Lens' Firewall (Maybe (NonEmpty Tag))
- firewall_firewallName :: Lens' Firewall (Maybe Text)
- firewall_firewallPolicyArn :: Lens' Firewall Text
- firewall_vpcId :: Lens' Firewall Text
- firewall_subnetMappings :: Lens' Firewall [SubnetMapping]
- firewall_firewallId :: Lens' Firewall Text
- data FirewallMetadata = FirewallMetadata' {}
- newFirewallMetadata :: FirewallMetadata
- firewallMetadata_firewallArn :: Lens' FirewallMetadata (Maybe Text)
- firewallMetadata_firewallName :: Lens' FirewallMetadata (Maybe Text)
- data FirewallPolicy = FirewallPolicy' {
- statefulEngineOptions :: Maybe StatefulEngineOptions
- statefulRuleGroupReferences :: Maybe [StatefulRuleGroupReference]
- statelessRuleGroupReferences :: Maybe [StatelessRuleGroupReference]
- statelessCustomActions :: Maybe [CustomAction]
- statefulDefaultActions :: Maybe [Text]
- statelessDefaultActions :: [Text]
- statelessFragmentDefaultActions :: [Text]
- newFirewallPolicy :: FirewallPolicy
- firewallPolicy_statefulEngineOptions :: Lens' FirewallPolicy (Maybe StatefulEngineOptions)
- firewallPolicy_statefulRuleGroupReferences :: Lens' FirewallPolicy (Maybe [StatefulRuleGroupReference])
- firewallPolicy_statelessRuleGroupReferences :: Lens' FirewallPolicy (Maybe [StatelessRuleGroupReference])
- firewallPolicy_statelessCustomActions :: Lens' FirewallPolicy (Maybe [CustomAction])
- firewallPolicy_statefulDefaultActions :: Lens' FirewallPolicy (Maybe [Text])
- firewallPolicy_statelessDefaultActions :: Lens' FirewallPolicy [Text]
- firewallPolicy_statelessFragmentDefaultActions :: Lens' FirewallPolicy [Text]
- data FirewallPolicyMetadata = FirewallPolicyMetadata' {}
- newFirewallPolicyMetadata :: FirewallPolicyMetadata
- firewallPolicyMetadata_arn :: Lens' FirewallPolicyMetadata (Maybe Text)
- firewallPolicyMetadata_name :: Lens' FirewallPolicyMetadata (Maybe Text)
- data FirewallPolicyResponse = FirewallPolicyResponse' {}
- newFirewallPolicyResponse :: Text -> Text -> Text -> FirewallPolicyResponse
- firewallPolicyResponse_consumedStatelessRuleCapacity :: Lens' FirewallPolicyResponse (Maybe Int)
- firewallPolicyResponse_numberOfAssociations :: Lens' FirewallPolicyResponse (Maybe Int)
- firewallPolicyResponse_firewallPolicyStatus :: Lens' FirewallPolicyResponse (Maybe ResourceStatus)
- firewallPolicyResponse_consumedStatefulRuleCapacity :: Lens' FirewallPolicyResponse (Maybe Int)
- firewallPolicyResponse_description :: Lens' FirewallPolicyResponse (Maybe Text)
- firewallPolicyResponse_tags :: Lens' FirewallPolicyResponse (Maybe (NonEmpty Tag))
- firewallPolicyResponse_firewallPolicyName :: Lens' FirewallPolicyResponse Text
- firewallPolicyResponse_firewallPolicyArn :: Lens' FirewallPolicyResponse Text
- firewallPolicyResponse_firewallPolicyId :: Lens' FirewallPolicyResponse Text
- data FirewallStatus = FirewallStatus' {}
- newFirewallStatus :: FirewallStatusValue -> ConfigurationSyncState -> FirewallStatus
- firewallStatus_syncStates :: Lens' FirewallStatus (Maybe (HashMap Text SyncState))
- firewallStatus_status :: Lens' FirewallStatus FirewallStatusValue
- firewallStatus_configurationSyncStateSummary :: Lens' FirewallStatus ConfigurationSyncState
- data Header = Header' {}
- newHeader :: StatefulRuleProtocol -> Text -> Text -> StatefulRuleDirection -> Text -> Text -> Header
- header_protocol :: Lens' Header StatefulRuleProtocol
- header_source :: Lens' Header Text
- header_sourcePort :: Lens' Header Text
- header_direction :: Lens' Header StatefulRuleDirection
- header_destination :: Lens' Header Text
- header_destinationPort :: Lens' Header Text
- data IPSet = IPSet' {
- definition :: [Text]
- newIPSet :: IPSet
- iPSet_definition :: Lens' IPSet [Text]
- data LogDestinationConfig = LogDestinationConfig' {}
- newLogDestinationConfig :: LogType -> LogDestinationType -> LogDestinationConfig
- logDestinationConfig_logType :: Lens' LogDestinationConfig LogType
- logDestinationConfig_logDestinationType :: Lens' LogDestinationConfig LogDestinationType
- logDestinationConfig_logDestination :: Lens' LogDestinationConfig (HashMap Text Text)
- data LoggingConfiguration = LoggingConfiguration' {}
- newLoggingConfiguration :: LoggingConfiguration
- loggingConfiguration_logDestinationConfigs :: Lens' LoggingConfiguration [LogDestinationConfig]
- data MatchAttributes = MatchAttributes' {
- protocols :: Maybe [Natural]
- tCPFlags :: Maybe [TCPFlagField]
- destinationPorts :: Maybe [PortRange]
- sources :: Maybe [Address]
- sourcePorts :: Maybe [PortRange]
- destinations :: Maybe [Address]
- newMatchAttributes :: MatchAttributes
- matchAttributes_protocols :: Lens' MatchAttributes (Maybe [Natural])
- matchAttributes_tCPFlags :: Lens' MatchAttributes (Maybe [TCPFlagField])
- matchAttributes_destinationPorts :: Lens' MatchAttributes (Maybe [PortRange])
- matchAttributes_sources :: Lens' MatchAttributes (Maybe [Address])
- matchAttributes_sourcePorts :: Lens' MatchAttributes (Maybe [PortRange])
- matchAttributes_destinations :: Lens' MatchAttributes (Maybe [Address])
- data PerObjectStatus = PerObjectStatus' {}
- newPerObjectStatus :: PerObjectStatus
- perObjectStatus_updateToken :: Lens' PerObjectStatus (Maybe Text)
- perObjectStatus_syncStatus :: Lens' PerObjectStatus (Maybe PerObjectSyncStatus)
- data PortRange = PortRange' {}
- newPortRange :: Natural -> Natural -> PortRange
- portRange_fromPort :: Lens' PortRange Natural
- portRange_toPort :: Lens' PortRange Natural
- data PortSet = PortSet' {
- definition :: Maybe [Text]
- newPortSet :: PortSet
- portSet_definition :: Lens' PortSet (Maybe [Text])
- data PublishMetricAction = PublishMetricAction' {}
- newPublishMetricAction :: NonEmpty Dimension -> PublishMetricAction
- publishMetricAction_dimensions :: Lens' PublishMetricAction (NonEmpty Dimension)
- data RuleDefinition = RuleDefinition' {}
- newRuleDefinition :: MatchAttributes -> RuleDefinition
- ruleDefinition_matchAttributes :: Lens' RuleDefinition MatchAttributes
- ruleDefinition_actions :: Lens' RuleDefinition [Text]
- data RuleGroup = RuleGroup' {}
- newRuleGroup :: RulesSource -> RuleGroup
- ruleGroup_statefulRuleOptions :: Lens' RuleGroup (Maybe StatefulRuleOptions)
- ruleGroup_ruleVariables :: Lens' RuleGroup (Maybe RuleVariables)
- ruleGroup_rulesSource :: Lens' RuleGroup RulesSource
- data RuleGroupMetadata = RuleGroupMetadata' {}
- newRuleGroupMetadata :: RuleGroupMetadata
- ruleGroupMetadata_arn :: Lens' RuleGroupMetadata (Maybe Text)
- ruleGroupMetadata_name :: Lens' RuleGroupMetadata (Maybe Text)
- data RuleGroupResponse = RuleGroupResponse' {}
- newRuleGroupResponse :: Text -> Text -> Text -> RuleGroupResponse
- ruleGroupResponse_numberOfAssociations :: Lens' RuleGroupResponse (Maybe Int)
- ruleGroupResponse_capacity :: Lens' RuleGroupResponse (Maybe Int)
- ruleGroupResponse_consumedCapacity :: Lens' RuleGroupResponse (Maybe Int)
- ruleGroupResponse_ruleGroupStatus :: Lens' RuleGroupResponse (Maybe ResourceStatus)
- ruleGroupResponse_type :: Lens' RuleGroupResponse (Maybe RuleGroupType)
- ruleGroupResponse_description :: Lens' RuleGroupResponse (Maybe Text)
- ruleGroupResponse_tags :: Lens' RuleGroupResponse (Maybe (NonEmpty Tag))
- ruleGroupResponse_ruleGroupArn :: Lens' RuleGroupResponse Text
- ruleGroupResponse_ruleGroupName :: Lens' RuleGroupResponse Text
- ruleGroupResponse_ruleGroupId :: Lens' RuleGroupResponse Text
- data RuleOption = RuleOption' {}
- newRuleOption :: Text -> RuleOption
- ruleOption_settings :: Lens' RuleOption (Maybe [Text])
- ruleOption_keyword :: Lens' RuleOption Text
- data RuleVariables = RuleVariables' {}
- newRuleVariables :: RuleVariables
- ruleVariables_portSets :: Lens' RuleVariables (Maybe (HashMap Text PortSet))
- ruleVariables_iPSets :: Lens' RuleVariables (Maybe (HashMap Text IPSet))
- data RulesSource = RulesSource' {}
- newRulesSource :: RulesSource
- rulesSource_rulesString :: Lens' RulesSource (Maybe Text)
- rulesSource_rulesSourceList :: Lens' RulesSource (Maybe RulesSourceList)
- rulesSource_statefulRules :: Lens' RulesSource (Maybe [StatefulRule])
- rulesSource_statelessRulesAndCustomActions :: Lens' RulesSource (Maybe StatelessRulesAndCustomActions)
- data RulesSourceList = RulesSourceList' {}
- newRulesSourceList :: GeneratedRulesType -> RulesSourceList
- rulesSourceList_targets :: Lens' RulesSourceList [Text]
- rulesSourceList_targetTypes :: Lens' RulesSourceList [TargetType]
- rulesSourceList_generatedRulesType :: Lens' RulesSourceList GeneratedRulesType
- data StatefulEngineOptions = StatefulEngineOptions' {}
- newStatefulEngineOptions :: StatefulEngineOptions
- statefulEngineOptions_ruleOrder :: Lens' StatefulEngineOptions (Maybe RuleOrder)
- data StatefulRule = StatefulRule' {
- action :: StatefulAction
- header :: Header
- ruleOptions :: [RuleOption]
- newStatefulRule :: StatefulAction -> Header -> StatefulRule
- statefulRule_action :: Lens' StatefulRule StatefulAction
- statefulRule_header :: Lens' StatefulRule Header
- statefulRule_ruleOptions :: Lens' StatefulRule [RuleOption]
- data StatefulRuleGroupReference = StatefulRuleGroupReference' {
- priority :: Maybe Natural
- resourceArn :: Text
- newStatefulRuleGroupReference :: Text -> StatefulRuleGroupReference
- statefulRuleGroupReference_priority :: Lens' StatefulRuleGroupReference (Maybe Natural)
- statefulRuleGroupReference_resourceArn :: Lens' StatefulRuleGroupReference Text
- data StatefulRuleOptions = StatefulRuleOptions' {}
- newStatefulRuleOptions :: StatefulRuleOptions
- statefulRuleOptions_ruleOrder :: Lens' StatefulRuleOptions (Maybe RuleOrder)
- data StatelessRule = StatelessRule' {}
- newStatelessRule :: RuleDefinition -> Natural -> StatelessRule
- statelessRule_ruleDefinition :: Lens' StatelessRule RuleDefinition
- statelessRule_priority :: Lens' StatelessRule Natural
- data StatelessRuleGroupReference = StatelessRuleGroupReference' {
- resourceArn :: Text
- priority :: Natural
- newStatelessRuleGroupReference :: Text -> Natural -> StatelessRuleGroupReference
- statelessRuleGroupReference_resourceArn :: Lens' StatelessRuleGroupReference Text
- statelessRuleGroupReference_priority :: Lens' StatelessRuleGroupReference Natural
- data StatelessRulesAndCustomActions = StatelessRulesAndCustomActions' {}
- newStatelessRulesAndCustomActions :: StatelessRulesAndCustomActions
- statelessRulesAndCustomActions_customActions :: Lens' StatelessRulesAndCustomActions (Maybe [CustomAction])
- statelessRulesAndCustomActions_statelessRules :: Lens' StatelessRulesAndCustomActions [StatelessRule]
- data SubnetMapping = SubnetMapping' {}
- newSubnetMapping :: Text -> SubnetMapping
- subnetMapping_subnetId :: Lens' SubnetMapping Text
- data SyncState = SyncState' {}
- newSyncState :: SyncState
- syncState_config :: Lens' SyncState (Maybe (HashMap Text PerObjectStatus))
- syncState_attachment :: Lens' SyncState (Maybe Attachment)
- data TCPFlagField = TCPFlagField' {}
- newTCPFlagField :: TCPFlagField
- tCPFlagField_masks :: Lens' TCPFlagField (Maybe [TCPFlag])
- tCPFlagField_flags :: Lens' TCPFlagField [TCPFlag]
- data Tag = Tag' {}
- newTag :: Text -> Text -> Tag
- tag_key :: Lens' Tag Text
- tag_value :: Lens' Tag Text
Service Configuration
defaultService :: Service Source #
API version 2020-11-12 of the Amazon Network Firewall SDK configuration.
Errors
_LogDestinationPermissionException :: AsError a => Getting (First ServiceError) a ServiceError Source #
Unable to send logs to a configured logging destination.
_InvalidRequestException :: AsError a => Getting (First ServiceError) a ServiceError Source #
The operation failed because of a problem with your request. Examples include:
- You specified an unsupported parameter name or value.
- You tried to update a property with a value that isn't among the available types.
- Your request references an ARN that is malformed, or corresponds to a resource that isn't valid in the context of the request.
_UnsupportedOperationException :: AsError a => Getting (First ServiceError) a ServiceError Source #
The operation you requested isn't supported by Network Firewall.
_ResourceOwnerCheckException :: AsError a => Getting (First ServiceError) a ServiceError Source #
Unable to change the resource because your account doesn't own it.
_InvalidResourcePolicyException :: AsError a => Getting (First ServiceError) a ServiceError Source #
The policy statement failed validation.
_ThrottlingException :: AsError a => Getting (First ServiceError) a ServiceError Source #
Unable to process the request due to throttling limitations.
_InternalServerError :: AsError a => Getting (First ServiceError) a ServiceError Source #
Your request is valid, but Network Firewall couldn’t perform the operation because of a system problem. Retry your request.
_InvalidTokenException :: AsError a => Getting (First ServiceError) a ServiceError Source #
The token you provided is stale or isn't valid for the operation.
_InvalidOperationException :: AsError a => Getting (First ServiceError) a ServiceError Source #
The operation failed because it's not valid. For example, you might have tried to delete a rule group or firewall policy that's in use.
_InsufficientCapacityException :: AsError a => Getting (First ServiceError) a ServiceError Source #
AWS doesn't currently have enough available capacity to fulfill your request. Try your request later.
_ResourceNotFoundException :: AsError a => Getting (First ServiceError) a ServiceError Source #
Unable to locate a resource using the parameters that you provided.
_LimitExceededException :: AsError a => Getting (First ServiceError) a ServiceError Source #
Unable to perform the operation because doing so would violate a limit setting.
AttachmentStatus
newtype AttachmentStatus Source #
pattern AttachmentStatus_CREATING :: AttachmentStatus | |
pattern AttachmentStatus_DELETING :: AttachmentStatus | |
pattern AttachmentStatus_READY :: AttachmentStatus | |
pattern AttachmentStatus_SCALING :: AttachmentStatus |
Instances
ConfigurationSyncState
newtype ConfigurationSyncState Source #
pattern ConfigurationSyncState_IN_SYNC :: ConfigurationSyncState | |
pattern ConfigurationSyncState_PENDING :: ConfigurationSyncState |
Instances
FirewallStatusValue
newtype FirewallStatusValue Source #
pattern FirewallStatusValue_DELETING :: FirewallStatusValue | |
pattern FirewallStatusValue_PROVISIONING :: FirewallStatusValue | |
pattern FirewallStatusValue_READY :: FirewallStatusValue |
Instances
GeneratedRulesType
newtype GeneratedRulesType Source #
pattern GeneratedRulesType_ALLOWLIST :: GeneratedRulesType | |
pattern GeneratedRulesType_DENYLIST :: GeneratedRulesType |
Instances
LogDestinationType
newtype LogDestinationType Source #
pattern LogDestinationType_CloudWatchLogs :: LogDestinationType | |
pattern LogDestinationType_KinesisDataFirehose :: LogDestinationType | |
pattern LogDestinationType_S3 :: LogDestinationType |
Instances
LogType
pattern LogType_ALERT :: LogType | |
pattern LogType_FLOW :: LogType |
Instances
PerObjectSyncStatus
newtype PerObjectSyncStatus Source #
pattern PerObjectSyncStatus_IN_SYNC :: PerObjectSyncStatus | |
pattern PerObjectSyncStatus_PENDING :: PerObjectSyncStatus |
Instances
ResourceStatus
newtype ResourceStatus Source #
pattern ResourceStatus_ACTIVE :: ResourceStatus | |
pattern ResourceStatus_DELETING :: ResourceStatus |
Instances
RuleGroupType
newtype RuleGroupType Source #
pattern RuleGroupType_STATEFUL :: RuleGroupType | |
pattern RuleGroupType_STATELESS :: RuleGroupType |
Instances
RuleOrder
pattern RuleOrder_DEFAULT_ACTION_ORDER :: RuleOrder | |
pattern RuleOrder_STRICT_ORDER :: RuleOrder |
Instances
StatefulAction
newtype StatefulAction Source #
pattern StatefulAction_ALERT :: StatefulAction | |
pattern StatefulAction_DROP :: StatefulAction | |
pattern StatefulAction_PASS :: StatefulAction |
Instances
StatefulRuleDirection
newtype StatefulRuleDirection Source #
pattern StatefulRuleDirection_ANY :: StatefulRuleDirection | |
pattern StatefulRuleDirection_FORWARD :: StatefulRuleDirection |
Instances
StatefulRuleProtocol
newtype StatefulRuleProtocol Source #
Instances
TCPFlag
pattern TCPFlag_ACK :: TCPFlag | |
pattern TCPFlag_CWR :: TCPFlag | |
pattern TCPFlag_ECE :: TCPFlag | |
pattern TCPFlag_FIN :: TCPFlag | |
pattern TCPFlag_PSH :: TCPFlag | |
pattern TCPFlag_RST :: TCPFlag | |
pattern TCPFlag_SYN :: TCPFlag | |
pattern TCPFlag_URG :: TCPFlag |
Instances
TargetType
newtype TargetType Source #
pattern TargetType_HTTP_HOST :: TargetType | |
pattern TargetType_TLS_SNI :: TargetType |
Instances
ActionDefinition
data ActionDefinition Source #
A custom action to use in stateless rule actions settings. This is used in CustomAction.
See: newActionDefinition
smart constructor.
ActionDefinition' | |
|
Instances
newActionDefinition :: ActionDefinition Source #
Create a value of ActionDefinition with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:publishMetricAction:ActionDefinition'
, actionDefinition_publishMetricAction
- Stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. This setting defines a CloudWatch dimension value to be published.
You can pair this custom action with any of the standard stateless rule actions. For example, you could pair this in a rule action with the standard action that forwards the packet for stateful inspection. Then, when a packet matches the rule, Network Firewall publishes metrics for the packet and forwards it.
actionDefinition_publishMetricAction :: Lens' ActionDefinition (Maybe PublishMetricAction) Source #
Stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. This setting defines a CloudWatch dimension value to be published.
You can pair this custom action with any of the standard stateless rule actions. For example, you could pair this in a rule action with the standard action that forwards the packet for stateful inspection. Then, when a packet matches the rule, Network Firewall publishes metrics for the packet and forwards it.
Address
A single IP address specification. This is used in the MatchAttributes source and destination specifications.
See: newAddress
smart constructor.
Address' | |
|
Instances
Eq Address Source # | |
Read Address Source # | |
Show Address Source # | |
Generic Address Source # | |
NFData Address Source # | |
Defined in Amazonka.NetworkFirewall.Types.Address | |
Hashable Address Source # | |
Defined in Amazonka.NetworkFirewall.Types.Address | |
ToJSON Address Source # | |
Defined in Amazonka.NetworkFirewall.Types.Address | |
FromJSON Address Source # | |
type Rep Address Source # | |
Defined in Amazonka.NetworkFirewall.Types.Address type Rep Address = D1 ('MetaData "Address" "Amazonka.NetworkFirewall.Types.Address" "libZSservicesZSamazonka-network-firewallZSamazonka-network-firewall" 'False) (C1 ('MetaCons "Address'" 'PrefixI 'True) (S1 ('MetaSel ('Just "addressDefinition") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 Text))) |
Create a value of Address with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:addressDefinition:Address'
, address_addressDefinition
- Specify an IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation. Network Firewall supports all address ranges for IPv4.
Examples:
- To configure Network Firewall to inspect for the IP address 192.0.2.44, specify 192.0.2.44/32.
- To configure Network Firewall to inspect for IP addresses from 192.0.2.0 to 192.0.2.255, specify 192.0.2.0/24.
For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.
address_addressDefinition :: Lens' Address Text Source #
Specify an IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation. Network Firewall supports all address ranges for IPv4.
Examples:
- To configure Network Firewall to inspect for the IP address 192.0.2.44, specify 192.0.2.44/32.
- To configure Network Firewall to inspect for IP addresses from 192.0.2.0 to 192.0.2.255, specify 192.0.2.0/24.
For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.
Attachment
data Attachment Source #
The configuration and status for a single subnet that you've specified for use by the AWS Network Firewall firewall. This is part of the FirewallStatus.
See: newAttachment
smart constructor.
Attachment' | |
|
Instances
newAttachment :: Attachment Source #
Create a value of Attachment with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:status:Attachment'
, attachment_status
- The current status of the firewall endpoint in the subnet. This value reflects both the instantiation of the endpoint in the VPC subnet and the sync states that are reported in the Config settings. When this value is READY, the endpoint is available and configured properly to handle network traffic. When the endpoint isn't available for traffic, this value will reflect its state, for example CREATING, DELETING, or FAILED.
$sel:subnetId:Attachment'
, attachment_subnetId
- The unique identifier of the subnet that you've specified to be used for a firewall endpoint.
$sel:endpointId:Attachment'
, attachment_endpointId
- The identifier of the firewall endpoint that Network Firewall has instantiated in the subnet. You use this to identify the firewall endpoint in the VPC route tables, when you redirect the VPC traffic through the endpoint.
attachment_status :: Lens' Attachment (Maybe AttachmentStatus) Source #
The current status of the firewall endpoint in the subnet. This value reflects both the instantiation of the endpoint in the VPC subnet and the sync states that are reported in the Config settings. When this value is READY, the endpoint is available and configured properly to handle network traffic. When the endpoint isn't available for traffic, this value will reflect its state, for example CREATING, DELETING, or FAILED.
attachment_subnetId :: Lens' Attachment (Maybe Text) Source #
The unique identifier of the subnet that you've specified to be used for a firewall endpoint.
attachment_endpointId :: Lens' Attachment (Maybe Text) Source #
The identifier of the firewall endpoint that Network Firewall has instantiated in the subnet. You use this to identify the firewall endpoint in the VPC route tables, when you redirect the VPC traffic through the endpoint.
CustomAction
data CustomAction Source #
An optional, non-standard action to use for stateless packet handling. You can define this in addition to the standard action that you must specify.
You define and name the custom actions that you want to be able to use, and then you reference them by name in your actions settings.
You can use custom actions in the following places:
- In a rule group's StatelessRulesAndCustomActions specification. The custom actions are available for use by name inside the StatelessRulesAndCustomActions where you define them. You can use them for your stateless rule actions to specify what to do with a packet that matches the rule's match attributes.
- In a FirewallPolicy specification, in StatelessCustomActions. The custom actions are available for use inside the policy where you define them. You can use them for the policy's default stateless actions settings to specify what to do with packets that don't match any of the policy's stateless rules.
See: newCustomAction
smart constructor.
CustomAction' | |
|
Instances
newCustomAction :: Text -> ActionDefinition -> CustomAction
Create a value of CustomAction with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:actionName:CustomAction'
, customAction_actionName
- The descriptive name of the custom action. You can't change the name of a custom action after you create it.
$sel:actionDefinition:CustomAction'
, customAction_actionDefinition
- The custom action associated with the action name.
customAction_actionName :: Lens' CustomAction Text Source #
The descriptive name of the custom action. You can't change the name of a custom action after you create it.
customAction_actionDefinition :: Lens' CustomAction ActionDefinition Source #
The custom action associated with the action name.
Dimension
The value to use in an Amazon CloudWatch custom metric dimension. This is used in the PublishMetrics CustomAction. A CloudWatch custom metric dimension is a name/value pair that's part of the identity of a metric.
AWS Network Firewall sets the dimension name to CustomAction and you provide the dimension value.
For more information about CloudWatch custom metric dimensions, see Publishing Custom Metrics in the Amazon CloudWatch User Guide.
See: newDimension
smart constructor.
Instances
Eq Dimension Source # | |
Read Dimension Source # | |
Show Dimension Source # | |
Generic Dimension Source # | |
NFData Dimension Source # | |
Defined in Amazonka.NetworkFirewall.Types.Dimension | |
Hashable Dimension Source # | |
Defined in Amazonka.NetworkFirewall.Types.Dimension | |
ToJSON Dimension Source # | |
Defined in Amazonka.NetworkFirewall.Types.Dimension | |
FromJSON Dimension Source # | |
type Rep Dimension Source # | |
Defined in Amazonka.NetworkFirewall.Types.Dimension type Rep Dimension = D1 ('MetaData "Dimension" "Amazonka.NetworkFirewall.Types.Dimension" "libZSservicesZSamazonka-network-firewallZSamazonka-network-firewall" 'False) (C1 ('MetaCons "Dimension'" 'PrefixI 'True) (S1 ('MetaSel ('Just "value") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 Text))) |
Create a value of Dimension
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:value:Dimension'
, dimension_value
- The value to use in the custom metric dimension.
Firewall
The firewall defines the configuration settings for an AWS Network Firewall firewall. These settings include the firewall policy, the subnets in your VPC to use for the firewall endpoints, and any tags that are attached to the firewall AWS resource.
The status of the firewall, for example whether it's ready to filter network traffic, is provided in the corresponding FirewallStatus. You can retrieve both objects by calling DescribeFirewall.
See: newFirewall
smart constructor.
Create a value of Firewall
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:firewallArn:Firewall'
, firewall_firewallArn
- The Amazon Resource Name (ARN) of the firewall.
$sel:firewallPolicyChangeProtection:Firewall'
, firewall_firewallPolicyChangeProtection
- A setting indicating whether the firewall is protected against a change to the firewall policy association. Use this setting to protect against accidentally modifying the firewall policy for a firewall that is in use. When you create a firewall, the operation initializes this setting to TRUE.
$sel:subnetChangeProtection:Firewall'
, firewall_subnetChangeProtection
- A setting indicating whether the firewall is protected against changes to the subnet associations. Use this setting to protect against accidentally modifying the subnet associations for a firewall that is in use. When you create a firewall, the operation initializes this setting to TRUE.
$sel:deleteProtection:Firewall'
, firewall_deleteProtection
- A flag indicating whether it is possible to delete the firewall. A setting of TRUE indicates that the firewall is protected against deletion. Use this setting to protect against accidentally deleting a firewall that is in use. When you create a firewall, the operation initializes this flag to TRUE.
$sel:description:Firewall'
, firewall_description
- A description of the firewall.
$sel:tags:Firewall'
, firewall_tags
- The key:value pairs to associate with the resource.
$sel:firewallName:Firewall'
, firewall_firewallName
- The descriptive name of the firewall. You can't change the name of a
firewall after you create it.
$sel:firewallPolicyArn:Firewall'
, firewall_firewallPolicyArn
- The Amazon Resource Name (ARN) of the firewall policy.
The relationship of firewall to firewall policy is many to one. Each firewall requires one firewall policy association, and you can use the same firewall policy for multiple firewalls.
$sel:vpcId:Firewall'
, firewall_vpcId
- The unique identifier of the VPC where the firewall is in use.
$sel:subnetMappings:Firewall'
, firewall_subnetMappings
- The public subnets that Network Firewall is using for the firewall. Each
subnet must belong to a different Availability Zone.
$sel:firewallId:Firewall'
, firewall_firewallId
- The unique identifier for the firewall.
firewall_firewallArn :: Lens' Firewall (Maybe Text) Source #
The Amazon Resource Name (ARN) of the firewall.
firewall_firewallPolicyChangeProtection :: Lens' Firewall (Maybe Bool) Source #
A setting indicating whether the firewall is protected against a change to the firewall policy association. Use this setting to protect against accidentally modifying the firewall policy for a firewall that is in use. When you create a firewall, the operation initializes this setting to TRUE.
firewall_subnetChangeProtection :: Lens' Firewall (Maybe Bool) Source #
A setting indicating whether the firewall is protected against changes to the subnet associations. Use this setting to protect against accidentally modifying the subnet associations for a firewall that is in use. When you create a firewall, the operation initializes this setting to TRUE.
firewall_deleteProtection :: Lens' Firewall (Maybe Bool) Source #
A flag indicating whether it is possible to delete the firewall. A setting of TRUE indicates that the firewall is protected against deletion. Use this setting to protect against accidentally deleting a firewall that is in use. When you create a firewall, the operation initializes this flag to TRUE.
firewall_firewallName :: Lens' Firewall (Maybe Text) Source #
The descriptive name of the firewall. You can't change the name of a firewall after you create it.
firewall_firewallPolicyArn :: Lens' Firewall Text Source #
The Amazon Resource Name (ARN) of the firewall policy.
The relationship of firewall to firewall policy is many to one. Each firewall requires one firewall policy association, and you can use the same firewall policy for multiple firewalls.
firewall_vpcId :: Lens' Firewall Text Source #
The unique identifier of the VPC where the firewall is in use.
firewall_subnetMappings :: Lens' Firewall [SubnetMapping] Source #
The public subnets that Network Firewall is using for the firewall. Each subnet must belong to a different Availability Zone.
FirewallMetadata
data FirewallMetadata Source #
High-level information about a firewall, returned by operations like create and describe. You can use the information provided in the metadata to retrieve and manage a firewall.
See: newFirewallMetadata
smart constructor.
newFirewallMetadata :: FirewallMetadata Source #
Create a value of FirewallMetadata
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:firewallArn:FirewallMetadata'
, firewallMetadata_firewallArn
- The Amazon Resource Name (ARN) of the firewall.
$sel:firewallName:FirewallMetadata'
, firewallMetadata_firewallName
- The descriptive name of the firewall. You can't change the name of a
firewall after you create it.
firewallMetadata_firewallArn :: Lens' FirewallMetadata (Maybe Text) Source #
The Amazon Resource Name (ARN) of the firewall.
firewallMetadata_firewallName :: Lens' FirewallMetadata (Maybe Text) Source #
The descriptive name of the firewall. You can't change the name of a firewall after you create it.
FirewallPolicy
data FirewallPolicy Source #
The firewall policy defines the behavior of a firewall using a collection of stateless and stateful rule groups and other settings. You can use one firewall policy for multiple firewalls.
This, along with FirewallPolicyResponse, define the policy. You can retrieve all objects for a firewall policy by calling DescribeFirewallPolicy.
See: newFirewallPolicy
smart constructor.
newFirewallPolicy :: FirewallPolicy Source #
Create a value of FirewallPolicy
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:statefulEngineOptions:FirewallPolicy'
, firewallPolicy_statefulEngineOptions
- Additional options governing how Network Firewall handles stateful
rules. The stateful rule groups that you use in your policy must have
stateful rule options settings that are compatible with these settings.
$sel:statefulRuleGroupReferences:FirewallPolicy'
, firewallPolicy_statefulRuleGroupReferences
- References to the stateful rule groups that are used in the policy.
These define the inspection criteria in stateful rules.
$sel:statelessRuleGroupReferences:FirewallPolicy'
, firewallPolicy_statelessRuleGroupReferences
- References to the stateless rule groups that are used in the policy.
These define the matching criteria in stateless rules.
$sel:statelessCustomActions:FirewallPolicy'
, firewallPolicy_statelessCustomActions
- The custom action definitions that are available for use in the firewall policy's StatelessDefaultActions setting. You name each custom action that you define, and then you can use it by name in your default actions specifications.
$sel:statefulDefaultActions:FirewallPolicy'
, firewallPolicy_statefulDefaultActions
- The default actions to take on a packet that doesn't match any stateful
rules.
$sel:statelessDefaultActions:FirewallPolicy'
, firewallPolicy_statelessDefaultActions
- The actions to take on a packet if it doesn't match any of the stateless rules in the policy. If you want non-matching packets to be forwarded for stateful inspection, specify aws:forward_to_sfe.
You must specify one of the standard actions: aws:pass, aws:drop, or aws:forward_to_sfe. In addition, you can specify custom actions that are compatible with your standard action choice.
For example, you could specify ["aws:pass"] or you could specify ["aws:pass", "customActionName"]. For information about compatibility, see the custom action descriptions under CustomAction.
$sel:statelessFragmentDefaultActions:FirewallPolicy'
, firewallPolicy_statelessFragmentDefaultActions
- The actions to take on a fragmented UDP packet if it doesn't match any of the stateless rules in the policy. Network Firewall only manages UDP packet fragments and silently drops packet fragments for other protocols. If you want non-matching fragmented UDP packets to be forwarded for stateful inspection, specify aws:forward_to_sfe.
You must specify one of the standard actions: aws:pass, aws:drop, or aws:forward_to_sfe. In addition, you can specify custom actions that are compatible with your standard action choice.
For example, you could specify ["aws:pass"] or you could specify ["aws:pass", "customActionName"]. For information about compatibility, see the custom action descriptions under CustomAction.
firewallPolicy_statefulEngineOptions :: Lens' FirewallPolicy (Maybe StatefulEngineOptions) Source #
Additional options governing how Network Firewall handles stateful rules. The stateful rule groups that you use in your policy must have stateful rule options settings that are compatible with these settings.
firewallPolicy_statefulRuleGroupReferences :: Lens' FirewallPolicy (Maybe [StatefulRuleGroupReference]) Source #
References to the stateful rule groups that are used in the policy. These define the inspection criteria in stateful rules.
firewallPolicy_statelessRuleGroupReferences :: Lens' FirewallPolicy (Maybe [StatelessRuleGroupReference]) Source #
References to the stateless rule groups that are used in the policy. These define the matching criteria in stateless rules.
firewallPolicy_statelessCustomActions :: Lens' FirewallPolicy (Maybe [CustomAction]) Source #
The custom action definitions that are available for use in the firewall policy's StatelessDefaultActions setting. You name each custom action that you define, and then you can use it by name in your default actions specifications.
firewallPolicy_statefulDefaultActions :: Lens' FirewallPolicy (Maybe [Text]) Source #
The default actions to take on a packet that doesn't match any stateful rules.
firewallPolicy_statelessDefaultActions :: Lens' FirewallPolicy [Text] Source #
The actions to take on a packet if it doesn't match any of the stateless rules in the policy. If you want non-matching packets to be forwarded for stateful inspection, specify aws:forward_to_sfe.
You must specify one of the standard actions: aws:pass, aws:drop, or aws:forward_to_sfe. In addition, you can specify custom actions that are compatible with your standard action choice.
For example, you could specify ["aws:pass"] or you could specify ["aws:pass", "customActionName"]. For information about compatibility, see the custom action descriptions under CustomAction.
firewallPolicy_statelessFragmentDefaultActions :: Lens' FirewallPolicy [Text] Source #
The actions to take on a fragmented UDP packet if it doesn't match any of the stateless rules in the policy. Network Firewall only manages UDP packet fragments and silently drops packet fragments for other protocols. If you want non-matching fragmented UDP packets to be forwarded for stateful inspection, specify aws:forward_to_sfe.
You must specify one of the standard actions: aws:pass, aws:drop, or aws:forward_to_sfe. In addition, you can specify custom actions that are compatible with your standard action choice.
For example, you could specify ["aws:pass"] or you could specify ["aws:pass", "customActionName"]. For information about compatibility, see the custom action descriptions under CustomAction.
FirewallPolicyMetadata
data FirewallPolicyMetadata Source #
High-level information about a firewall policy, returned by operations like create and describe. You can use the information provided in the metadata to retrieve and manage a firewall policy. You can retrieve all objects for a firewall policy by calling DescribeFirewallPolicy.
See: newFirewallPolicyMetadata
smart constructor.
newFirewallPolicyMetadata :: FirewallPolicyMetadata Source #
Create a value of FirewallPolicyMetadata
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:arn:FirewallPolicyMetadata'
, firewallPolicyMetadata_arn
- The Amazon Resource Name (ARN) of the firewall policy.
$sel:name:FirewallPolicyMetadata'
, firewallPolicyMetadata_name
- The descriptive name of the firewall policy. You can't change the name
of a firewall policy after you create it.
firewallPolicyMetadata_arn :: Lens' FirewallPolicyMetadata (Maybe Text) Source #
The Amazon Resource Name (ARN) of the firewall policy.
firewallPolicyMetadata_name :: Lens' FirewallPolicyMetadata (Maybe Text) Source #
The descriptive name of the firewall policy. You can't change the name of a firewall policy after you create it.
FirewallPolicyResponse
data FirewallPolicyResponse Source #
The high-level properties of a firewall policy. This, along with the FirewallPolicy, define the policy. You can retrieve all objects for a firewall policy by calling DescribeFirewallPolicy.
See: newFirewallPolicyResponse
smart constructor.
newFirewallPolicyResponse Source #
:: Text | |
-> Text | |
-> Text | |
-> FirewallPolicyResponse |
Create a value of FirewallPolicyResponse
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:consumedStatelessRuleCapacity:FirewallPolicyResponse'
, firewallPolicyResponse_consumedStatelessRuleCapacity
- The number of capacity units currently consumed by the policy's
stateless rules.
$sel:numberOfAssociations:FirewallPolicyResponse'
, firewallPolicyResponse_numberOfAssociations
- The number of firewalls that are associated with this firewall policy.
$sel:firewallPolicyStatus:FirewallPolicyResponse'
, firewallPolicyResponse_firewallPolicyStatus
- The current status of the firewall policy. You can retrieve this for a
firewall policy by calling DescribeFirewallPolicy and providing the
firewall policy's name or ARN.
$sel:consumedStatefulRuleCapacity:FirewallPolicyResponse'
, firewallPolicyResponse_consumedStatefulRuleCapacity
- The number of capacity units currently consumed by the policy's
stateful rules.
$sel:description:FirewallPolicyResponse'
, firewallPolicyResponse_description
- A description of the firewall policy.
$sel:tags:FirewallPolicyResponse'
, firewallPolicyResponse_tags
- The key:value pairs to associate with the resource.
$sel:firewallPolicyName:FirewallPolicyResponse'
, firewallPolicyResponse_firewallPolicyName
- The descriptive name of the firewall policy. You can't change the name
of a firewall policy after you create it.
$sel:firewallPolicyArn:FirewallPolicyResponse'
, firewallPolicyResponse_firewallPolicyArn
- The Amazon Resource Name (ARN) of the firewall policy.
If this response is for a create request that had DryRun set to TRUE, then this ARN is a placeholder that isn't attached to a valid resource.
$sel:firewallPolicyId:FirewallPolicyResponse'
, firewallPolicyResponse_firewallPolicyId
- The unique identifier for the firewall policy.
firewallPolicyResponse_consumedStatelessRuleCapacity :: Lens' FirewallPolicyResponse (Maybe Int) Source #
The number of capacity units currently consumed by the policy's stateless rules.
firewallPolicyResponse_numberOfAssociations :: Lens' FirewallPolicyResponse (Maybe Int) Source #
The number of firewalls that are associated with this firewall policy.
firewallPolicyResponse_firewallPolicyStatus :: Lens' FirewallPolicyResponse (Maybe ResourceStatus) Source #
The current status of the firewall policy. You can retrieve this for a firewall policy by calling DescribeFirewallPolicy and providing the firewall policy's name or ARN.
firewallPolicyResponse_consumedStatefulRuleCapacity :: Lens' FirewallPolicyResponse (Maybe Int) Source #
The number of capacity units currently consumed by the policy's stateful rules.
firewallPolicyResponse_description :: Lens' FirewallPolicyResponse (Maybe Text) Source #
A description of the firewall policy.
firewallPolicyResponse_tags :: Lens' FirewallPolicyResponse (Maybe (NonEmpty Tag)) Source #
The key:value pairs to associate with the resource.
firewallPolicyResponse_firewallPolicyName :: Lens' FirewallPolicyResponse Text Source #
The descriptive name of the firewall policy. You can't change the name of a firewall policy after you create it.
firewallPolicyResponse_firewallPolicyArn :: Lens' FirewallPolicyResponse Text Source #
The Amazon Resource Name (ARN) of the firewall policy.
If this response is for a create request that had DryRun set to TRUE, then this ARN is a placeholder that isn't attached to a valid resource.
firewallPolicyResponse_firewallPolicyId :: Lens' FirewallPolicyResponse Text Source #
The unique identifier for the firewall policy.
FirewallStatus
data FirewallStatus Source #
Detailed information about the current status of a Firewall. You can retrieve this for a firewall by calling DescribeFirewall and providing the firewall name and ARN.
See: newFirewallStatus
smart constructor.
Create a value of FirewallStatus
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:syncStates:FirewallStatus'
, firewallStatus_syncStates
- The subnets that you've configured for use by the Network Firewall firewall. This contains one array element per Availability Zone where you've configured a subnet. These objects provide details of the information that is summarized in the ConfigurationSyncStateSummary and Status, broken down by zone and configuration object.
$sel:status:FirewallStatus'
, firewallStatus_status
- The readiness of the configured firewall to handle network traffic across all of the Availability Zones where you've configured it. This setting is READY only when the ConfigurationSyncStateSummary value is IN_SYNC and the Attachment Status values for all of the configured subnets are READY.
$sel:configurationSyncStateSummary:FirewallStatus'
, firewallStatus_configurationSyncStateSummary
- The configuration sync state for the firewall. This summarizes the sync states reported in the Config settings for all of the Availability Zones where you have configured the firewall.
When you create a firewall or update its configuration, for example by adding a rule group to its firewall policy, Network Firewall distributes the configuration changes to all zones where the firewall is in use. This summary indicates whether the configuration changes have been applied everywhere.
This status must be IN_SYNC for the firewall to be ready for use, but it doesn't indicate that the firewall is ready. The Status setting indicates firewall readiness.
firewallStatus_syncStates :: Lens' FirewallStatus (Maybe (HashMap Text SyncState)) Source #
The subnets that you've configured for use by the Network Firewall firewall. This contains one array element per Availability Zone where you've configured a subnet. These objects provide details of the information that is summarized in the ConfigurationSyncStateSummary and Status, broken down by zone and configuration object.
firewallStatus_status :: Lens' FirewallStatus FirewallStatusValue Source #
The readiness of the configured firewall to handle network traffic across all of the Availability Zones where you've configured it. This setting is READY only when the ConfigurationSyncStateSummary value is IN_SYNC and the Attachment Status values for all of the configured subnets are READY.
firewallStatus_configurationSyncStateSummary :: Lens' FirewallStatus ConfigurationSyncState Source #
The configuration sync state for the firewall. This summarizes the sync states reported in the Config settings for all of the Availability Zones where you have configured the firewall.
When you create a firewall or update its configuration, for example by adding a rule group to its firewall policy, Network Firewall distributes the configuration changes to all zones where the firewall is in use. This summary indicates whether the configuration changes have been applied everywhere.
This status must be IN_SYNC for the firewall to be ready for use, but it doesn't indicate that the firewall is ready. The Status setting indicates firewall readiness.
Header
The basic rule criteria for AWS Network Firewall to use to inspect packet headers in stateful traffic flow inspection. Traffic flows that match the criteria are a match for the corresponding StatefulRule.
See: newHeader
smart constructor.
:: StatefulRuleProtocol | |
-> Text | |
-> Text | |
-> StatefulRuleDirection | |
-> Text | |
-> Text | |
-> Header |
Create a value of Header
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:protocol:Header'
, header_protocol
- The protocol to inspect for. To specify all, you can use IP, because all traffic on AWS and on the internet is IP.
$sel:source:Header'
, header_source
- The source IP address or address range to inspect for, in CIDR notation. To match with any address, specify ANY.
Specify an IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation. Network Firewall supports all address ranges for IPv4.
Examples:
- To configure Network Firewall to inspect for the IP address 192.0.2.44, specify 192.0.2.44/32.
- To configure Network Firewall to inspect for IP addresses from 192.0.2.0 to 192.0.2.255, specify 192.0.2.0/24.
For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.
$sel:sourcePort:Header'
, header_sourcePort
- The source port to inspect for. You can specify an individual port, for example 1994, and you can specify a port range, for example 1990:1994. To match with any port, specify ANY.
$sel:direction:Header'
, header_direction
- The direction of traffic flow to inspect. If set to ANY, the inspection matches bidirectional traffic, both from the source to the destination and from the destination to the source. If set to FORWARD, the inspection only matches traffic going from the source to the destination.
$sel:destination:Header'
, header_destination
- The destination IP address or address range to inspect for, in CIDR notation. To match with any address, specify ANY.
Specify an IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation. Network Firewall supports all address ranges for IPv4.
Examples:
- To configure Network Firewall to inspect for the IP address 192.0.2.44, specify 192.0.2.44/32.
- To configure Network Firewall to inspect for IP addresses from 192.0.2.0 to 192.0.2.255, specify 192.0.2.0/24.
For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.
$sel:destinationPort:Header'
, header_destinationPort
- The destination port to inspect for. You can specify an individual port, for example 1994, and you can specify a port range, for example 1990:1994. To match with any port, specify ANY.
header_protocol :: Lens' Header StatefulRuleProtocol Source #
The protocol to inspect for. To specify all, you can use IP, because all traffic on AWS and on the internet is IP.
header_source :: Lens' Header Text Source #
The source IP address or address range to inspect for, in CIDR notation. To match with any address, specify ANY.
Specify an IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation. Network Firewall supports all address ranges for IPv4.
Examples:
- To configure Network Firewall to inspect for the IP address 192.0.2.44, specify 192.0.2.44/32.
- To configure Network Firewall to inspect for IP addresses from 192.0.2.0 to 192.0.2.255, specify 192.0.2.0/24.
For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.
header_sourcePort :: Lens' Header Text Source #
The source port to inspect for. You can specify an individual port, for example 1994, and you can specify a port range, for example 1990:1994. To match with any port, specify ANY.
header_direction :: Lens' Header StatefulRuleDirection Source #
The direction of traffic flow to inspect. If set to ANY, the inspection matches bidirectional traffic, both from the source to the destination and from the destination to the source. If set to FORWARD, the inspection only matches traffic going from the source to the destination.
header_destination :: Lens' Header Text Source #
The destination IP address or address range to inspect for, in CIDR notation. To match with any address, specify ANY.
Specify an IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation. Network Firewall supports all address ranges for IPv4.
Examples:
- To configure Network Firewall to inspect for the IP address 192.0.2.44, specify 192.0.2.44/32.
- To configure Network Firewall to inspect for IP addresses from 192.0.2.0 to 192.0.2.255, specify 192.0.2.0/24.
For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.
header_destinationPort :: Lens' Header Text Source #
The destination port to inspect for. You can specify an individual port, for example 1994, and you can specify a port range, for example 1990:1994. To match with any port, specify ANY.
IPSet
A list of IP addresses and address ranges, in CIDR notation. This is part of a RuleVariables.
See: newIPSet
smart constructor.
Instances
Eq IPSet Source # | |
Read IPSet Source # | |
Show IPSet Source # | |
Generic IPSet Source # | |
NFData IPSet Source # | |
Defined in Amazonka.NetworkFirewall.Types.IPSet | |
Hashable IPSet Source # | |
Defined in Amazonka.NetworkFirewall.Types.IPSet | |
ToJSON IPSet Source # | |
Defined in Amazonka.NetworkFirewall.Types.IPSet | |
FromJSON IPSet Source # | |
type Rep IPSet Source # | |
Defined in Amazonka.NetworkFirewall.Types.IPSet type Rep IPSet = D1 ('MetaData "IPSet" "Amazonka.NetworkFirewall.Types.IPSet" "libZSservicesZSamazonka-network-firewallZSamazonka-network-firewall" 'False) (C1 ('MetaCons "IPSet'" 'PrefixI 'True) (S1 ('MetaSel ('Just "definition") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 [Text]))) |
Create a value of IPSet
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:definition:IPSet'
, iPSet_definition
- The list of IP addresses and address ranges, in CIDR notation.
iPSet_definition :: Lens' IPSet [Text] Source #
The list of IP addresses and address ranges, in CIDR notation.
LogDestinationConfig
data LogDestinationConfig Source #
Defines where AWS Network Firewall sends logs for the firewall for one log type. This is used in LoggingConfiguration. You can send each type of log to an Amazon S3 bucket, a CloudWatch log group, or a Kinesis Data Firehose delivery stream.
Network Firewall generates logs for stateful rule groups. You can save alert and flow log types. The stateful rules engine records flow logs for all network traffic that it receives. It records alert logs for traffic that matches stateful rules that have the rule action set to `DROP` or `ALERT`.
See: newLogDestinationConfig
smart constructor.
Instances
newLogDestinationConfig Source #
Create a value of LogDestinationConfig
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:logType:LogDestinationConfig'
, logDestinationConfig_logType
- The type of log to send. Alert logs report traffic that matches a
StatefulRule with an action setting that sends an alert log message.
Flow logs are standard network traffic flow logs.
$sel:logDestinationType:LogDestinationConfig'
, logDestinationConfig_logDestinationType
- The type of storage destination to send these logs to. You can send logs
to an Amazon S3 bucket, a CloudWatch log group, or a Kinesis Data
Firehose delivery stream.
$sel:logDestination:LogDestinationConfig'
, logDestinationConfig_logDestination
- The named location for the logs, provided in a key:value mapping that is specific to the chosen destination type.
For an Amazon S3 bucket, provide the name of the bucket, with key `bucketName`, and optionally provide a prefix, with key `prefix`. The following example specifies an Amazon S3 bucket named `DOC-EXAMPLE-BUCKET` and the prefix `alerts`: `"LogDestination": { "bucketName": "DOC-EXAMPLE-BUCKET", "prefix": "alerts" }`
For a CloudWatch log group, provide the name of the CloudWatch log group, with key `logGroup`. The following example specifies a log group named `alert-log-group`: `"LogDestination": { "logGroup": "alert-log-group" }`
For a Kinesis Data Firehose delivery stream, provide the name of the delivery stream, with key `deliveryStream`. The following example specifies a delivery stream named `alert-delivery-stream`: `"LogDestination": { "deliveryStream": "alert-delivery-stream" }`
logDestinationConfig_logType :: Lens' LogDestinationConfig LogType Source #
The type of log to send. Alert logs report traffic that matches a StatefulRule with an action setting that sends an alert log message. Flow logs are standard network traffic flow logs.
logDestinationConfig_logDestinationType :: Lens' LogDestinationConfig LogDestinationType Source #
The type of storage destination to send these logs to. You can send logs to an Amazon S3 bucket, a CloudWatch log group, or a Kinesis Data Firehose delivery stream.
logDestinationConfig_logDestination :: Lens' LogDestinationConfig (HashMap Text Text) Source #
The named location for the logs, provided in a key:value mapping that is specific to the chosen destination type.
For an Amazon S3 bucket, provide the name of the bucket, with key `bucketName`, and optionally provide a prefix, with key `prefix`. The following example specifies an Amazon S3 bucket named `DOC-EXAMPLE-BUCKET` and the prefix `alerts`: `"LogDestination": { "bucketName": "DOC-EXAMPLE-BUCKET", "prefix": "alerts" }`
For a CloudWatch log group, provide the name of the CloudWatch log group, with key `logGroup`. The following example specifies a log group named `alert-log-group`: `"LogDestination": { "logGroup": "alert-log-group" }`
For a Kinesis Data Firehose delivery stream, provide the name of the delivery stream, with key `deliveryStream`. The following example specifies a delivery stream named `alert-delivery-stream`: `"LogDestination": { "deliveryStream": "alert-delivery-stream" }`
LoggingConfiguration
data LoggingConfiguration Source #
Defines how AWS Network Firewall performs logging for a Firewall.
See: newLoggingConfiguration
smart constructor.
Instances
newLoggingConfiguration :: LoggingConfiguration Source #
Create a value of LoggingConfiguration
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:logDestinationConfigs:LoggingConfiguration'
, loggingConfiguration_logDestinationConfigs
- Defines the logging destinations for the logs for a firewall. Network
Firewall generates logs for stateful rule groups.
loggingConfiguration_logDestinationConfigs :: Lens' LoggingConfiguration [LogDestinationConfig] Source #
Defines the logging destinations for the logs for a firewall. Network Firewall generates logs for stateful rule groups.
MatchAttributes
data MatchAttributes Source #
Criteria for Network Firewall to use to inspect an individual packet in stateless rule inspection. Each match attributes set can include one or more items such as IP address, CIDR range, port number, protocol, and TCP flags.
See: newMatchAttributes
smart constructor.
Instances
newMatchAttributes :: MatchAttributes Source #
Create a value of MatchAttributes
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:protocols:MatchAttributes'
, matchAttributes_protocols
- The protocols to inspect for, specified using each protocol's assigned
internet protocol number (IANA). If not specified, this matches with any
protocol.
$sel:tCPFlags:MatchAttributes'
, matchAttributes_tCPFlags
- The TCP flags and masks to inspect for. If not specified, this matches
with any settings. This setting is only used for protocol 6 (TCP).
$sel:destinationPorts:MatchAttributes'
, matchAttributes_destinationPorts
- The destination ports to inspect for. If not specified, this matches with any destination port. This setting is only used for protocols 6 (TCP) and 17 (UDP).
You can specify individual ports, for example `1994`, and you can specify port ranges, for example `1990:1994`.
$sel:sources:MatchAttributes'
, matchAttributes_sources
- The source IP addresses and address ranges to inspect for, in CIDR
notation. If not specified, this matches with any source address.
$sel:sourcePorts:MatchAttributes'
, matchAttributes_sourcePorts
- The source ports to inspect for. If not specified, this matches with any source port. This setting is only used for protocols 6 (TCP) and 17 (UDP).
You can specify individual ports, for example `1994`, and you can specify port ranges, for example `1990:1994`.
$sel:destinations:MatchAttributes'
, matchAttributes_destinations
- The destination IP addresses and address ranges to inspect for, in CIDR
notation. If not specified, this matches with any destination address.
matchAttributes_protocols :: Lens' MatchAttributes (Maybe [Natural]) Source #
The protocols to inspect for, specified using each protocol's assigned internet protocol number (IANA). If not specified, this matches with any protocol.
matchAttributes_tCPFlags :: Lens' MatchAttributes (Maybe [TCPFlagField]) Source #
The TCP flags and masks to inspect for. If not specified, this matches with any settings. This setting is only used for protocol 6 (TCP).
matchAttributes_destinationPorts :: Lens' MatchAttributes (Maybe [PortRange]) Source #
The destination ports to inspect for. If not specified, this matches with any destination port. This setting is only used for protocols 6 (TCP) and 17 (UDP).
You can specify individual ports, for example `1994`, and you can specify port ranges, for example `1990:1994`.
matchAttributes_sources :: Lens' MatchAttributes (Maybe [Address]) Source #
The source IP addresses and address ranges to inspect for, in CIDR notation. If not specified, this matches with any source address.
matchAttributes_sourcePorts :: Lens' MatchAttributes (Maybe [PortRange]) Source #
The source ports to inspect for. If not specified, this matches with any source port. This setting is only used for protocols 6 (TCP) and 17 (UDP).
You can specify individual ports, for example `1994`, and you can specify port ranges, for example `1990:1994`.
matchAttributes_destinations :: Lens' MatchAttributes (Maybe [Address]) Source #
The destination IP addresses and address ranges to inspect for, in CIDR notation. If not specified, this matches with any destination address.
PerObjectStatus
data PerObjectStatus Source #
Provides configuration status for a single policy or rule group that is used for a firewall endpoint. Network Firewall provides each endpoint with the rules that are configured in the firewall policy. Each time you add a subnet or modify the associated firewall policy, Network Firewall synchronizes the rules in the endpoint, so it can properly filter network traffic. This is part of a SyncState for a firewall.
See: newPerObjectStatus
smart constructor.
Instances
newPerObjectStatus :: PerObjectStatus Source #
Create a value of PerObjectStatus
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:updateToken:PerObjectStatus'
, perObjectStatus_updateToken
- The current version of the object that is either in sync or pending
synchronization.
$sel:syncStatus:PerObjectStatus'
, perObjectStatus_syncStatus
- Indicates whether this object is in sync with the version indicated in
the update token.
perObjectStatus_updateToken :: Lens' PerObjectStatus (Maybe Text) Source #
The current version of the object that is either in sync or pending synchronization.
perObjectStatus_syncStatus :: Lens' PerObjectStatus (Maybe PerObjectSyncStatus) Source #
Indicates whether this object is in sync with the version indicated in the update token.
PortRange
A single port range specification. This is used for source and destination port ranges in the stateless rule MatchAttributes, `SourcePorts`, and `DestinationPorts` settings.
See: newPortRange
smart constructor.
Instances
Eq PortRange Source # | |
Read PortRange Source # | |
Show PortRange Source # | |
Generic PortRange Source # | |
NFData PortRange Source # | |
Defined in Amazonka.NetworkFirewall.Types.PortRange | |
Hashable PortRange Source # | |
Defined in Amazonka.NetworkFirewall.Types.PortRange | |
ToJSON PortRange Source # | |
Defined in Amazonka.NetworkFirewall.Types.PortRange | |
FromJSON PortRange Source # | |
type Rep PortRange Source # | |
Defined in Amazonka.NetworkFirewall.Types.PortRange type Rep PortRange = D1 ('MetaData "PortRange" "Amazonka.NetworkFirewall.Types.PortRange" "libZSservicesZSamazonka-network-firewallZSamazonka-network-firewall" 'False) (C1 ('MetaCons "PortRange'" 'PrefixI 'True) (S1 ('MetaSel ('Just "fromPort") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 Natural) :*: S1 ('MetaSel ('Just "toPort") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 Natural))) |
Create a value of PortRange
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:fromPort:PortRange'
, portRange_fromPort
- The lower limit of the port range. This must be less than or equal to the `ToPort` specification.
$sel:toPort:PortRange'
, portRange_toPort
- The upper limit of the port range. This must be greater than or equal to the `FromPort` specification.
portRange_fromPort :: Lens' PortRange Natural Source #
The lower limit of the port range. This must be less than or equal to the `ToPort` specification.
portRange_toPort :: Lens' PortRange Natural Source #
The upper limit of the port range. This must be greater than or equal to the `FromPort` specification.
PortSet
A set of port ranges for use in the rules in a rule group.
See: newPortSet
smart constructor.
Instances
Eq PortSet Source # | |
Read PortSet Source # | |
Show PortSet Source # | |
Generic PortSet Source # | |
NFData PortSet Source # | |
Defined in Amazonka.NetworkFirewall.Types.PortSet | |
Hashable PortSet Source # | |
Defined in Amazonka.NetworkFirewall.Types.PortSet | |
ToJSON PortSet Source # | |
Defined in Amazonka.NetworkFirewall.Types.PortSet | |
FromJSON PortSet Source # | |
type Rep PortSet Source # | |
Defined in Amazonka.NetworkFirewall.Types.PortSet type Rep PortSet = D1 ('MetaData "PortSet" "Amazonka.NetworkFirewall.Types.PortSet" "libZSservicesZSamazonka-network-firewallZSamazonka-network-firewall" 'False) (C1 ('MetaCons "PortSet'" 'PrefixI 'True) (S1 ('MetaSel ('Just "definition") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 (Maybe [Text])))) |
newPortSet :: PortSet Source #
Create a value of PortSet
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:definition:PortSet'
, portSet_definition
- The set of port ranges.
PublishMetricAction
data PublishMetricAction Source #
Stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. This setting defines a CloudWatch dimension value to be published.
See: newPublishMetricAction
smart constructor.
Instances
newPublishMetricAction Source #
Create a value of PublishMetricAction
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:dimensions:PublishMetricAction'
, publishMetricAction_dimensions
-
RuleDefinition
data RuleDefinition Source #
The inspection criteria and action for a single stateless rule. AWS Network Firewall inspects each packet for the specified matching criteria. When a packet matches the criteria, Network Firewall performs the rule's actions on the packet.
See: newRuleDefinition
smart constructor.
Instances
Create a value of RuleDefinition
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:matchAttributes:RuleDefinition'
, ruleDefinition_matchAttributes
- Criteria for Network Firewall to use to inspect an individual packet in
stateless rule inspection. Each match attributes set can include one or
more items such as IP address, CIDR range, port number, protocol, and
TCP flags.
$sel:actions:RuleDefinition'
, ruleDefinition_actions
- The actions to take on a packet that matches one of the stateless rule
definition's match attributes. You must specify a standard action and
you can add custom actions.
Network Firewall only forwards a packet for stateful rule inspection if you specify `aws:forward_to_sfe` for a rule that the packet matches, or if the packet doesn't match any stateless rule and you specify `aws:forward_to_sfe` for the `StatelessDefaultActions` setting for the FirewallPolicy.
For every rule, you must specify exactly one of the following standard actions.
- aws:pass - Discontinues all inspection of the packet and permits it to go to its intended destination.
- aws:drop - Discontinues all inspection of the packet and blocks it from going to its intended destination.
- aws:forward_to_sfe - Discontinues stateless inspection of the packet and forwards it to the stateful rule engine for inspection.
Additionally, you can specify a custom action. To do this, you define a custom action by name and type, then provide the name you've assigned to the action in this `Actions` setting. For information about the options, see CustomAction.
To provide more than one action in this setting, separate the settings with a comma. For example, if you have a custom `PublishMetrics` action that you've named `MyMetricsAction`, then you could specify the standard action `aws:pass` and the custom action with `["aws:pass", "MyMetricsAction"]`.
ruleDefinition_matchAttributes :: Lens' RuleDefinition MatchAttributes Source #
Criteria for Network Firewall to use to inspect an individual packet in stateless rule inspection. Each match attributes set can include one or more items such as IP address, CIDR range, port number, protocol, and TCP flags.
ruleDefinition_actions :: Lens' RuleDefinition [Text] Source #
The actions to take on a packet that matches one of the stateless rule definition's match attributes. You must specify a standard action and you can add custom actions.
Network Firewall only forwards a packet for stateful rule inspection if you specify `aws:forward_to_sfe` for a rule that the packet matches, or if the packet doesn't match any stateless rule and you specify `aws:forward_to_sfe` for the `StatelessDefaultActions` setting for the FirewallPolicy.
For every rule, you must specify exactly one of the following standard actions.
- aws:pass - Discontinues all inspection of the packet and permits it to go to its intended destination.
- aws:drop - Discontinues all inspection of the packet and blocks it from going to its intended destination.
- aws:forward_to_sfe - Discontinues stateless inspection of the packet and forwards it to the stateful rule engine for inspection.
Additionally, you can specify a custom action. To do this, you define a custom action by name and type, then provide the name you've assigned to the action in this `Actions` setting. For information about the options, see CustomAction.
To provide more than one action in this setting, separate the settings with a comma. For example, if you have a custom `PublishMetrics` action that you've named `MyMetricsAction`, then you could specify the standard action `aws:pass` and the custom action with `["aws:pass", "MyMetricsAction"]`.
RuleGroup
The object that defines the rules in a rule group. This, along with RuleGroupResponse, define the rule group. You can retrieve all objects for a rule group by calling DescribeRuleGroup.
AWS Network Firewall uses a rule group to inspect and control network traffic. You define stateless rule groups to inspect individual packets and you define stateful rule groups to inspect packets in the context of their traffic flow.
To use a rule group, you include it by reference in an Network Firewall firewall policy, then you use the policy in a firewall. You can reference a rule group from more than one firewall policy, and you can use a firewall policy in more than one firewall.
See: newRuleGroup
smart constructor.
Instances
Create a value of RuleGroup
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:statefulRuleOptions:RuleGroup'
, ruleGroup_statefulRuleOptions
- Additional options governing how Network Firewall handles stateful
rules. The policies where you use your stateful rule group must have
stateful rule options settings that are compatible with these settings.
$sel:ruleVariables:RuleGroup'
, ruleGroup_ruleVariables
- Settings that are available for use in the rules in the rule group. You
can only use these for stateful rule groups.
$sel:rulesSource:RuleGroup'
, ruleGroup_rulesSource
- The stateful rules or stateless rules for the rule group.
ruleGroup_statefulRuleOptions :: Lens' RuleGroup (Maybe StatefulRuleOptions) Source #
Additional options governing how Network Firewall handles stateful rules. The policies where you use your stateful rule group must have stateful rule options settings that are compatible with these settings.
ruleGroup_ruleVariables :: Lens' RuleGroup (Maybe RuleVariables) Source #
Settings that are available for use in the rules in the rule group. You can only use these for stateful rule groups.
ruleGroup_rulesSource :: Lens' RuleGroup RulesSource Source #
The stateful rules or stateless rules for the rule group.
RuleGroupMetadata
data RuleGroupMetadata Source #
High-level information about a rule group, returned by ListRuleGroups. You can use the information provided in the metadata to retrieve and manage a rule group.
See: newRuleGroupMetadata
smart constructor.
Instances
newRuleGroupMetadata :: RuleGroupMetadata Source #
Create a value of RuleGroupMetadata
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:arn:RuleGroupMetadata'
, ruleGroupMetadata_arn
- The Amazon Resource Name (ARN) of the rule group.
$sel:name:RuleGroupMetadata'
, ruleGroupMetadata_name
- The descriptive name of the rule group. You can't change the name of a
rule group after you create it.
ruleGroupMetadata_arn :: Lens' RuleGroupMetadata (Maybe Text) Source #
The Amazon Resource Name (ARN) of the rule group.
ruleGroupMetadata_name :: Lens' RuleGroupMetadata (Maybe Text) Source #
The descriptive name of the rule group. You can't change the name of a rule group after you create it.
RuleGroupResponse
data RuleGroupResponse Source #
The high-level properties of a rule group. This, along with the RuleGroup, define the rule group. You can retrieve all objects for a rule group by calling DescribeRuleGroup.
See: newRuleGroupResponse
smart constructor.
Instances
newRuleGroupResponse :: Text -> Text -> Text -> RuleGroupResponse
Create a value of RuleGroupResponse
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:numberOfAssociations:RuleGroupResponse'
, ruleGroupResponse_numberOfAssociations
- The number of firewall policies that use this rule group.
$sel:capacity:RuleGroupResponse'
, ruleGroupResponse_capacity
- The maximum operating resources that this rule group can use. Rule group
capacity is fixed at creation. When you update a rule group, you are
limited to this capacity. When you reference a rule group from a
firewall policy, Network Firewall reserves this capacity for the rule
group.
You can retrieve the capacity that would be required for a rule group before you create the rule group by calling CreateRuleGroup with `DryRun` set to `TRUE`.
$sel:consumedCapacity:RuleGroupResponse'
, ruleGroupResponse_consumedCapacity
- The number of capacity units currently consumed by the rule group rules.
$sel:ruleGroupStatus:RuleGroupResponse'
, ruleGroupResponse_ruleGroupStatus
- Detailed information about the current status of a rule group.
$sel:type':RuleGroupResponse'
, ruleGroupResponse_type
- Indicates whether the rule group is stateless or stateful. If the rule
group is stateless, it contains stateless rules. If it is stateful, it
contains stateful rules.
$sel:description:RuleGroupResponse'
, ruleGroupResponse_description
- A description of the rule group.
$sel:tags:RuleGroupResponse'
, ruleGroupResponse_tags
- The key:value pairs to associate with the resource.
$sel:ruleGroupArn:RuleGroupResponse'
, ruleGroupResponse_ruleGroupArn
- The Amazon Resource Name (ARN) of the rule group.
If this response is for a create request that had `DryRun` set to `TRUE`, then this ARN is a placeholder that isn't attached to a valid resource.
$sel:ruleGroupName:RuleGroupResponse'
, ruleGroupResponse_ruleGroupName
- The descriptive name of the rule group. You can't change the name of a
rule group after you create it.
$sel:ruleGroupId:RuleGroupResponse'
, ruleGroupResponse_ruleGroupId
- The unique identifier for the rule group.
ruleGroupResponse_numberOfAssociations :: Lens' RuleGroupResponse (Maybe Int) Source #
The number of firewall policies that use this rule group.
ruleGroupResponse_capacity :: Lens' RuleGroupResponse (Maybe Int) Source #
The maximum operating resources that this rule group can use. Rule group capacity is fixed at creation. When you update a rule group, you are limited to this capacity. When you reference a rule group from a firewall policy, Network Firewall reserves this capacity for the rule group.
You can retrieve the capacity that would be required for a rule group before you create the rule group by calling CreateRuleGroup with `DryRun` set to `TRUE`.
ruleGroupResponse_consumedCapacity :: Lens' RuleGroupResponse (Maybe Int) Source #
The number of capacity units currently consumed by the rule group rules.
ruleGroupResponse_ruleGroupStatus :: Lens' RuleGroupResponse (Maybe ResourceStatus) Source #
Detailed information about the current status of a rule group.
ruleGroupResponse_type :: Lens' RuleGroupResponse (Maybe RuleGroupType) Source #
Indicates whether the rule group is stateless or stateful. If the rule group is stateless, it contains stateless rules. If it is stateful, it contains stateful rules.
ruleGroupResponse_description :: Lens' RuleGroupResponse (Maybe Text) Source #
A description of the rule group.
ruleGroupResponse_tags :: Lens' RuleGroupResponse (Maybe (NonEmpty Tag)) Source #
The key:value pairs to associate with the resource.
ruleGroupResponse_ruleGroupArn :: Lens' RuleGroupResponse Text Source #
The Amazon Resource Name (ARN) of the rule group.
If this response is for a create request that had `DryRun` set to `TRUE`, then this ARN is a placeholder that isn't attached to a valid resource.
ruleGroupResponse_ruleGroupName :: Lens' RuleGroupResponse Text Source #
The descriptive name of the rule group. You can't change the name of a rule group after you create it.
ruleGroupResponse_ruleGroupId :: Lens' RuleGroupResponse Text Source #
The unique identifier for the rule group.
RuleOption
data RuleOption Source #
Additional settings for a stateful rule. This is part of the StatefulRule configuration.
See: newRuleOption
smart constructor.
Instances
Create a value of RuleOption
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
ruleOption_settings :: Lens' RuleOption (Maybe [Text]) Source #
RuleVariables
data RuleVariables Source #
Settings that are available for use in the rules in the RuleGroup where this is defined.
See: newRuleVariables
smart constructor.
Instances
newRuleVariables :: RuleVariables Source #
Create a value of RuleVariables
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:portSets:RuleVariables'
, ruleVariables_portSets
- A list of port ranges.
$sel:iPSets:RuleVariables'
, ruleVariables_iPSets
- A list of IP addresses and address ranges, in CIDR notation.
ruleVariables_portSets :: Lens' RuleVariables (Maybe (HashMap Text PortSet)) Source #
A list of port ranges.
ruleVariables_iPSets :: Lens' RuleVariables (Maybe (HashMap Text IPSet)) Source #
A list of IP addresses and address ranges, in CIDR notation.
RulesSource
data RulesSource Source #
The stateless or stateful rules definitions for use in a single rule group. Each rule group requires a single `RulesSource`. You can use an instance of this for either stateless rules or stateful rules.
See: newRulesSource
smart constructor.
Instances
newRulesSource :: RulesSource Source #
Create a value of RulesSource
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:rulesString:RulesSource'
, rulesSource_rulesString
- Stateful inspection criteria, provided in Suricata compatible intrusion
prevention system (IPS) rules. Suricata is an open-source network IPS
that includes a standard rule-based language for network traffic
inspection.
These rules contain the inspection criteria and the action to take for traffic that matches the criteria, so this type of rule group doesn't have a separate action setting.
$sel:rulesSourceList:RulesSource'
, rulesSource_rulesSourceList
- Stateful inspection criteria for a domain list rule group.
$sel:statefulRules:RulesSource'
, rulesSource_statefulRules
- An array of individual stateful rules inspection criteria to be used together in a stateful rule group. Use this option to specify simple Suricata rules with protocol, source and destination, ports, direction, and rule options. For information about the Suricata Rules format, see Rules Format.
$sel:statelessRulesAndCustomActions:RulesSource'
, rulesSource_statelessRulesAndCustomActions
- Stateless inspection criteria to be used in a stateless rule group.
rulesSource_rulesString :: Lens' RulesSource (Maybe Text) Source #
Stateful inspection criteria, provided in Suricata compatible intrusion prevention system (IPS) rules. Suricata is an open-source network IPS that includes a standard rule-based language for network traffic inspection.
These rules contain the inspection criteria and the action to take for traffic that matches the criteria, so this type of rule group doesn't have a separate action setting.
rulesSource_rulesSourceList :: Lens' RulesSource (Maybe RulesSourceList) Source #
Stateful inspection criteria for a domain list rule group.
rulesSource_statefulRules :: Lens' RulesSource (Maybe [StatefulRule]) Source #
An array of individual stateful rules inspection criteria to be used together in a stateful rule group. Use this option to specify simple Suricata rules with protocol, source and destination, ports, direction, and rule options. For information about the Suricata Rules format, see Rules Format.
rulesSource_statelessRulesAndCustomActions :: Lens' RulesSource (Maybe StatelessRulesAndCustomActions) Source #
Stateless inspection criteria to be used in a stateless rule group.
RulesSourceList
data RulesSourceList Source #
Stateful inspection criteria for a domain list rule group.
For HTTPS traffic, domain filtering is SNI-based. It uses the Server Name Indication (SNI) extension of the TLS handshake.
By default, Network Firewall domain list inspection only includes traffic coming from the VPC where you deploy the firewall. To inspect traffic from IP addresses outside of the deployment VPC, you set the `HOME_NET` rule variable to include the CIDR range of the deployment VPC plus the other CIDR ranges. For more information, see RuleVariables in this guide and "Stateful domain list rule groups in AWS Network Firewall" in the Network Firewall Developer Guide.
See: newRulesSourceList
smart constructor.
Instances
Create a value of RulesSourceList
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:targets:RulesSourceList'
, rulesSourceList_targets
- The domains that you want to inspect for in your traffic flows. To provide multiple domains, separate them with commas. Valid domain specifications are the following:
- Explicit names. For example, `abc.example.com` matches only the domain `abc.example.com`.
- Names that use a domain wildcard, which you indicate with an initial `.`. For example, `.example.com` matches `example.com` and matches all subdomains of `example.com`, such as `abc.example.com` and `www.example.com`.
$sel:targetTypes:RulesSourceList'
, rulesSourceList_targetTypes
- The protocols you want to inspect. Specify TLS_SNI for HTTPS. Specify HTTP_HOST for HTTP. You can specify either or both.
$sel:generatedRulesType:RulesSourceList'
, rulesSourceList_generatedRulesType
- Whether you want to allow or deny access to the domains in your target
list.
rulesSourceList_targets :: Lens' RulesSourceList [Text] Source #
The domains that you want to inspect for in your traffic flows. To provide multiple domains, separate them with commas. Valid domain specifications are the following:
- Explicit names. For example, abc.example.com matches only the domain abc.example.com.
- Names that use a domain wildcard, which you indicate with an initial '.'. For example, .example.com matches example.com and matches all subdomains of example.com, such as abc.example.com and www.example.com.
rulesSourceList_targetTypes :: Lens' RulesSourceList [TargetType] Source #
The protocols you want to inspect. Specify TLS_SNI for HTTPS. Specify HTTP_HOST for HTTP. You can specify either or both.
rulesSourceList_generatedRulesType :: Lens' RulesSourceList GeneratedRulesType Source #
Whether you want to allow or deny access to the domains in your target list.
StatefulEngineOptions
data StatefulEngineOptions Source #
Configuration settings for the handling of the stateful rule groups in a firewall policy.
See: newStatefulEngineOptions
smart constructor.
StatefulEngineOptions' | |
Instances
newStatefulEngineOptions :: StatefulEngineOptions Source #
Create a value of StatefulEngineOptions
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:ruleOrder:StatefulEngineOptions'
, statefulEngineOptions_ruleOrder
- Indicates how to manage the order of stateful rule evaluation for the policy. By default, Network Firewall leaves the rule evaluation order up to the Suricata rule processing engine. If you set this to STRICT_ORDER, your rules are evaluated in the exact order that you provide them in the policy. With strict ordering, the rule groups are evaluated by order of priority, starting from the lowest number, and the rules in each rule group are processed in the order that they're defined.
statefulEngineOptions_ruleOrder :: Lens' StatefulEngineOptions (Maybe RuleOrder) Source #
Indicates how to manage the order of stateful rule evaluation for the policy. By default, Network Firewall leaves the rule evaluation order up to the Suricata rule processing engine. If you set this to STRICT_ORDER, your rules are evaluated in the exact order that you provide them in the policy. With strict ordering, the rule groups are evaluated by order of priority, starting from the lowest number, and the rules in each rule group are processed in the order that they're defined.
StatefulRule
data StatefulRule Source #
A single Suricata rules specification, for use in a stateful rule group.
Use this option to specify a simple Suricata rule with protocol, source and destination, ports, direction, and rule options. For information about the Suricata Rules format, see Rules Format in the Suricata documentation.
See: newStatefulRule
smart constructor.
StatefulRule' | |
Instances
Create a value of StatefulRule
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:action:StatefulRule'
, statefulRule_action
- Defines what Network Firewall should do with the packets in a traffic
flow when the flow matches the stateful rule criteria. For all actions,
Network Firewall performs the specified action and discontinues stateful
inspection of the traffic flow.
The actions for a stateful rule are defined as follows:
- PASS - Permits the packets to go to the intended destination.
- DROP - Blocks the packets from going to the intended destination and sends an alert log message, if alert logging is configured in the Firewall LoggingConfiguration.
- ALERT - Permits the packets to go to the intended destination and sends an alert log message, if alert logging is configured in the Firewall LoggingConfiguration.
You can use this action to test a rule that you intend to use to drop traffic. You can enable the rule with the ALERT action, verify in the logs that the rule is matching as you want, then change the action to DROP.
$sel:header:StatefulRule'
, statefulRule_header
- The stateful inspection criteria for this rule, used to inspect traffic
flows.
$sel:ruleOptions:StatefulRule'
, statefulRule_ruleOptions
- Additional options for the rule. These are the Suricata RuleOptions
settings.
statefulRule_action :: Lens' StatefulRule StatefulAction Source #
Defines what Network Firewall should do with the packets in a traffic flow when the flow matches the stateful rule criteria. For all actions, Network Firewall performs the specified action and discontinues stateful inspection of the traffic flow.
The actions for a stateful rule are defined as follows:
- PASS - Permits the packets to go to the intended destination.
- DROP - Blocks the packets from going to the intended destination and sends an alert log message, if alert logging is configured in the Firewall LoggingConfiguration.
- ALERT - Permits the packets to go to the intended destination and sends an alert log message, if alert logging is configured in the Firewall LoggingConfiguration.
You can use this action to test a rule that you intend to use to drop traffic. You can enable the rule with the ALERT action, verify in the logs that the rule is matching as you want, then change the action to DROP.
statefulRule_header :: Lens' StatefulRule Header Source #
The stateful inspection criteria for this rule, used to inspect traffic flows.
statefulRule_ruleOptions :: Lens' StatefulRule [RuleOption] Source #
Additional options for the rule. These are the Suricata RuleOptions
settings.
StatefulRuleGroupReference
data StatefulRuleGroupReference Source #
Identifier for a single stateful rule group, used in a firewall policy to refer to a rule group.
See: newStatefulRuleGroupReference
smart constructor.
StatefulRuleGroupReference' | |
Instances
newStatefulRuleGroupReference Source #
Create a value of StatefulRuleGroupReference
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:priority:StatefulRuleGroupReference'
, statefulRuleGroupReference_priority
- An integer setting that indicates the order in which to run the stateful rule groups in a single FirewallPolicy. This setting only applies to firewall policies that specify the STRICT_ORDER rule order in the stateful engine options settings.
Network Firewall evaluates each stateful rule group against a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy.
You can change the priority settings of your rule groups at any time. To make it easier to insert rule groups later, number them so there's a wide range in between, for example use 100, 200, and so on.
$sel:resourceArn:StatefulRuleGroupReference'
, statefulRuleGroupReference_resourceArn
- The Amazon Resource Name (ARN) of the stateful rule group.
statefulRuleGroupReference_priority :: Lens' StatefulRuleGroupReference (Maybe Natural) Source #
An integer setting that indicates the order in which to run the stateful rule groups in a single FirewallPolicy. This setting only applies to firewall policies that specify the STRICT_ORDER rule order in the stateful engine options settings.
Network Firewall evaluates each stateful rule group against a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy.
You can change the priority settings of your rule groups at any time. To make it easier to insert rule groups later, number them so there's a wide range in between, for example use 100, 200, and so on.
statefulRuleGroupReference_resourceArn :: Lens' StatefulRuleGroupReference Text Source #
The Amazon Resource Name (ARN) of the stateful rule group.
StatefulRuleOptions
data StatefulRuleOptions Source #
Additional options governing how Network Firewall handles the rule group. You can only use these for stateful rule groups.
See: newStatefulRuleOptions
smart constructor.
StatefulRuleOptions' | |
Instances
newStatefulRuleOptions :: StatefulRuleOptions Source #
Create a value of StatefulRuleOptions
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:ruleOrder:StatefulRuleOptions'
, statefulRuleOptions_ruleOrder
- Indicates how to manage the order of the rule evaluation for the rule group. By default, Network Firewall leaves the rule evaluation order up to the Suricata rule processing engine. If you set this to STRICT_ORDER, your rules are evaluated in the exact order that they're listed in your Suricata rules string.
statefulRuleOptions_ruleOrder :: Lens' StatefulRuleOptions (Maybe RuleOrder) Source #
Indicates how to manage the order of the rule evaluation for the rule group. By default, Network Firewall leaves the rule evaluation order up to the Suricata rule processing engine. If you set this to STRICT_ORDER, your rules are evaluated in the exact order that they're listed in your Suricata rules string.
StatelessRule
data StatelessRule Source #
A single stateless rule. This is used in StatelessRulesAndCustomActions.
See: newStatelessRule
smart constructor.
StatelessRule' | |
Instances
newStatelessRule :: RuleDefinition -> Natural -> StatelessRule
Create a value of StatelessRule
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:ruleDefinition:StatelessRule'
, statelessRule_ruleDefinition
- Defines the stateless 5-tuple packet inspection criteria and the action
to take on a packet that matches the criteria.
$sel:priority:StatelessRule'
, statelessRule_priority
- Indicates the order in which to run this rule relative to all of the
rules that are defined for a stateless rule group. Network Firewall
evaluates the rules in a rule group starting with the lowest priority
setting. You must ensure that the priority settings are unique for the
rule group.
Each stateless rule group uses exactly one StatelessRulesAndCustomActions object, and each StatelessRulesAndCustomActions contains exactly one StatelessRules object. To ensure unique priority settings for your rule groups, set unique priorities for the stateless rules that you define inside any single StatelessRules object.
You can change the priority settings of your rules at any time. To make it easier to insert rules later, number them so there's a wide range in between, for example use 100, 200, and so on.
statelessRule_ruleDefinition :: Lens' StatelessRule RuleDefinition Source #
Defines the stateless 5-tuple packet inspection criteria and the action to take on a packet that matches the criteria.
statelessRule_priority :: Lens' StatelessRule Natural Source #
Indicates the order in which to run this rule relative to all of the rules that are defined for a stateless rule group. Network Firewall evaluates the rules in a rule group starting with the lowest priority setting. You must ensure that the priority settings are unique for the rule group.
Each stateless rule group uses exactly one StatelessRulesAndCustomActions object, and each StatelessRulesAndCustomActions contains exactly one StatelessRules object. To ensure unique priority settings for your rule groups, set unique priorities for the stateless rules that you define inside any single StatelessRules object.
You can change the priority settings of your rules at any time. To make it easier to insert rules later, number them so there's a wide range in between, for example use 100, 200, and so on.
StatelessRuleGroupReference
data StatelessRuleGroupReference Source #
Identifier for a single stateless rule group, used in a firewall policy to refer to the rule group.
See: newStatelessRuleGroupReference
smart constructor.
StatelessRuleGroupReference' | |
Instances
newStatelessRuleGroupReference Source #
Create a value of StatelessRuleGroupReference
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:resourceArn:StatelessRuleGroupReference'
, statelessRuleGroupReference_resourceArn
- The Amazon Resource Name (ARN) of the stateless rule group.
$sel:priority:StatelessRuleGroupReference'
, statelessRuleGroupReference_priority
- An integer setting that indicates the order in which to run the
stateless rule groups in a single FirewallPolicy. Network Firewall
applies each stateless rule group to a packet starting with the group
that has the lowest priority setting. You must ensure that the priority
settings are unique within each policy.
statelessRuleGroupReference_resourceArn :: Lens' StatelessRuleGroupReference Text Source #
The Amazon Resource Name (ARN) of the stateless rule group.
statelessRuleGroupReference_priority :: Lens' StatelessRuleGroupReference Natural Source #
An integer setting that indicates the order in which to run the stateless rule groups in a single FirewallPolicy. Network Firewall applies each stateless rule group to a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy.
StatelessRulesAndCustomActions
data StatelessRulesAndCustomActions Source #
Stateless inspection criteria. Each stateless rule group uses exactly one of these data types to define its stateless rules.
See: newStatelessRulesAndCustomActions
smart constructor.
StatelessRulesAndCustomActions' | |
Instances
newStatelessRulesAndCustomActions :: StatelessRulesAndCustomActions Source #
Create a value of StatelessRulesAndCustomActions
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:customActions:StatelessRulesAndCustomActions'
, statelessRulesAndCustomActions_customActions
- Defines an array of individual custom action definitions that are available for use by the stateless rules in this StatelessRulesAndCustomActions specification. You name each custom action that you define, and then you can use it by name in your StatelessRule RuleDefinition Actions specification.
$sel:statelessRules:StatelessRulesAndCustomActions'
, statelessRulesAndCustomActions_statelessRules
- Defines the set of stateless rules for use in a stateless rule group.
statelessRulesAndCustomActions_customActions :: Lens' StatelessRulesAndCustomActions (Maybe [CustomAction]) Source #
Defines an array of individual custom action definitions that are available for use by the stateless rules in this StatelessRulesAndCustomActions specification. You name each custom action that you define, and then you can use it by name in your StatelessRule RuleDefinition Actions specification.
statelessRulesAndCustomActions_statelessRules :: Lens' StatelessRulesAndCustomActions [StatelessRule] Source #
Defines the set of stateless rules for use in a stateless rule group.
SubnetMapping
data SubnetMapping Source #
The ID for a subnet that you want to associate with the firewall. This is used with CreateFirewall and AssociateSubnets. AWS Network Firewall creates an instance of the associated firewall in each subnet that you specify, to filter traffic in the subnet's Availability Zone.
See: newSubnetMapping
smart constructor.
Instances
Create a value of SubnetMapping
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:subnetId:SubnetMapping'
, subnetMapping_subnetId
- The unique identifier for the subnet.
subnetMapping_subnetId :: Lens' SubnetMapping Text Source #
The unique identifier for the subnet.
SyncState
The status of the firewall endpoint and firewall policy configuration for a single VPC subnet.
For each VPC subnet that you associate with a firewall, AWS Network Firewall does the following:
- Instantiates a firewall endpoint in the subnet, ready to take traffic.
- Configures the endpoint with the current firewall policy settings, to provide the filtering behavior for the endpoint.
When you update a firewall, for example to add a subnet association or change a rule group in the firewall policy, the affected sync states reflect out-of-sync or not ready status until the changes are complete.
See: newSyncState
smart constructor.
SyncState' | |
Instances
Eq SyncState Source # | |
Read SyncState Source # | |
Show SyncState Source # | |
Generic SyncState Source # | |
NFData SyncState Source # | |
Defined in Amazonka.NetworkFirewall.Types.SyncState | |
Hashable SyncState Source # | |
Defined in Amazonka.NetworkFirewall.Types.SyncState | |
FromJSON SyncState Source # | |
type Rep SyncState Source # | |
Defined in Amazonka.NetworkFirewall.Types.SyncState type Rep SyncState = D1 ('MetaData "SyncState" "Amazonka.NetworkFirewall.Types.SyncState" "libZSservicesZSamazonka-network-firewallZSamazonka-network-firewall" 'False) (C1 ('MetaCons "SyncState'" 'PrefixI 'True) (S1 ('MetaSel ('Just "config") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 (Maybe (HashMap Text PerObjectStatus))) :*: S1 ('MetaSel ('Just "attachment") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 (Maybe Attachment)))) |
newSyncState :: SyncState Source #
Create a value of SyncState
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:config:SyncState'
, syncState_config
- The configuration status of the firewall endpoint in a single VPC
subnet. Network Firewall provides each endpoint with the rules that are
configured in the firewall policy. Each time you add a subnet or modify
the associated firewall policy, Network Firewall synchronizes the rules
in the endpoint, so it can properly filter network traffic. This is part
of the FirewallStatus.
$sel:attachment:SyncState'
, syncState_attachment
- The attachment status of the firewall's association with a single VPC
subnet. For each configured subnet, Network Firewall creates the
attachment by instantiating the firewall endpoint in the subnet so that
it's ready to take traffic. This is part of the FirewallStatus.
syncState_config :: Lens' SyncState (Maybe (HashMap Text PerObjectStatus)) Source #
The configuration status of the firewall endpoint in a single VPC subnet. Network Firewall provides each endpoint with the rules that are configured in the firewall policy. Each time you add a subnet or modify the associated firewall policy, Network Firewall synchronizes the rules in the endpoint, so it can properly filter network traffic. This is part of the FirewallStatus.
syncState_attachment :: Lens' SyncState (Maybe Attachment) Source #
The attachment status of the firewall's association with a single VPC subnet. For each configured subnet, Network Firewall creates the attachment by instantiating the firewall endpoint in the subnet so that it's ready to take traffic. This is part of the FirewallStatus.
TCPFlagField
data TCPFlagField Source #
TCP flags and masks to inspect packets for, used in stateless rules MatchAttributes settings.
See: newTCPFlagField
smart constructor.
TCPFlagField' | |
Instances
newTCPFlagField :: TCPFlagField Source #
Create a value of TCPFlagField
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:masks:TCPFlagField'
, tCPFlagField_masks
- The set of flags to consider in the inspection. To inspect all flags in
the valid values list, leave this with no setting.
$sel:flags:TCPFlagField'
, tCPFlagField_flags
- Used in conjunction with the Masks setting to define the flags that must be set and flags that must not be set in order for the packet to match. This setting can only specify values that are also specified in the Masks setting.
For the flags that are specified in the masks setting, the following must be true for the packet to match:
- The ones that are set in this flags setting must be set in the packet.
- The ones that are not set in this flags setting must also not be set in the packet.
tCPFlagField_masks :: Lens' TCPFlagField (Maybe [TCPFlag]) Source #
The set of flags to consider in the inspection. To inspect all flags in the valid values list, leave this with no setting.
tCPFlagField_flags :: Lens' TCPFlagField [TCPFlag] Source #
Used in conjunction with the Masks setting to define the flags that must be set and flags that must not be set in order for the packet to match. This setting can only specify values that are also specified in the Masks setting.
For the flags that are specified in the masks setting, the following must be true for the packet to match:
- The ones that are set in this flags setting must be set in the packet.
- The ones that are not set in this flags setting must also not be set in the packet.
Tag
A key:value pair associated with an AWS resource. The key:value pair can be anything you define. Typically, the tag key represents a category (such as "environment") and the tag value represents a specific value within that category (such as "test," "development," or "production"). You can add up to 50 tags to each AWS resource.
See: newTag
smart constructor.
Tag' | |
Instances
Eq Tag Source # | |
Read Tag Source # | |
Show Tag Source # | |
Generic Tag Source # | |
NFData Tag Source # | |
Defined in Amazonka.NetworkFirewall.Types.Tag | |
Hashable Tag Source # | |
Defined in Amazonka.NetworkFirewall.Types.Tag | |
ToJSON Tag Source # | |
Defined in Amazonka.NetworkFirewall.Types.Tag | |
FromJSON Tag Source # | |
type Rep Tag Source # | |
Defined in Amazonka.NetworkFirewall.Types.Tag type Rep Tag = D1 ('MetaData "Tag" "Amazonka.NetworkFirewall.Types.Tag" "libZSservicesZSamazonka-network-firewallZSamazonka-network-firewall" 'False) (C1 ('MetaCons "Tag'" 'PrefixI 'True) (S1 ('MetaSel ('Just "key") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 Text) :*: S1 ('MetaSel ('Just "value") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 Text))) |
Create a value of Tag
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:key:Tag'
, tag_key
- The part of the key:value pair that defines a tag. You can use a tag key
to describe a category of information, such as "customer." Tag keys
are case-sensitive.
$sel:value:Tag'
, tag_value
- The part of the key:value pair that defines a tag. You can use a tag
value to describe a specific value within a category, such as
"companyA" or "companyB." Tag values are case-sensitive.