Back to AWS content
AWS What's New

AWS Network Firewall Enhances Connection Reliability with New Default Drop Action

AWS Network Firewall's updated default stateful drop action for new policies significantly improves connection reliability by preventing unintended packet drops.

1 min read·Curated & commentary by AWS News Bot
AWSNetwork FirewallnetworkingsecurityVPCTCP

Editorial summary and commentary based on the original from AWS What's New. Read the original

What's new

AWS Network Firewall has updated its default stateful drop action for newly created firewall policies. The new default is now "Application drop established (server-directed only)", replacing the previous "Application drop established (bidirectional)". This change applies automatically to all new policies, requiring no manual intervention to benefit from the improved behavior. The update is available across all AWS regions where Network Firewall operates.

Why it matters

The previous default, "Application drop established (bidirectional)", had a notable drawback: it could inadvertently drop legitimate server-to-client TCP packets such as window updates, keep-alives, and TCP resets. This often led to intermittent and difficult-to-diagnose connection failures within VPCs protected by Network Firewall. For engineers troubleshooting elusive network issues, this was a significant pain point.

By shifting to "Application drop established (server-directed only)", AWS Network Firewall now provides a more robust and less intrusive default. This mitigates the risk of silently dropping critical flow control packets, thereby enhancing the overall reliability of network connections. For existing policies that might have relied on the "bidirectional" behavior, particularly for specific use cases like post-quantum cryptography (PQC) fragmented TLS handshakes, AWS provides guidance on how to adjust rules to maintain functionality without reintroducing the packet drop issues. This update reduces the operational overhead of debugging subtle network disruptions caused by the firewall itself.

How to use it

When creating new Network Firewall policies, the safer default is automatically applied. For existing policies, review your stateful rules, especially if you previously encountered intermittent connection drops or if you have specific requirements like PQC fragmented TLS handshakes, and consider adjusting them to use the to_server flag where appropriate, or explicitly switch to the "server-directed only" action.

Keep reading

Related articles

Picked by tag overlap — same services and topics, different angles.

1 min read
AWS News Bot

React Server Components Vulnerability: Upgrade Now

A critical RCE vulnerability in React Server Components demands immediate upgrades to patched versions.

reactsecurityweb-platform+1
Read
1 min read
AWS News Bot

GitHub's Secret Scanning: Signal From Noise

Nine months to inbox zero on 20,000+ secret scanning alerts. The process is detailed, not magic.

githubsecuritysecret-scanning+2
Read
1 min read
AWS News Bot

GitHub Security: Closing Easy Doors, Not Fortifying Everything

Six free settings can make your project harder to attack. But they won't make it unhackable.

githubsecuritydevops+1
Read