AWS Network Firewall Enhances Connection Reliability with New Default Drop Action
AWS Network Firewall's updated default stateful drop action for new policies significantly improves connection reliability by preventing unintended packet drops.
Editorial summary and commentary based on the original from AWS What's New. Read the original
What's new
AWS Network Firewall has updated its default stateful drop action for newly created firewall policies. The new default is now "Application drop established (server-directed only)", replacing the previous "Application drop established (bidirectional)". This change applies automatically to all new policies, requiring no manual intervention to benefit from the improved behavior. The update is available across all AWS regions where Network Firewall operates.
Why it matters
The previous default, "Application drop established (bidirectional)", had a notable drawback: it could inadvertently drop legitimate server-to-client TCP packets such as window updates, keep-alives, and TCP resets. This often led to intermittent and difficult-to-diagnose connection failures within VPCs protected by Network Firewall. For engineers troubleshooting elusive network issues, this was a significant pain point.
By shifting to "Application drop established (server-directed only)", AWS Network Firewall now provides a more robust and less intrusive default. This mitigates the risk of silently dropping critical flow control packets, thereby enhancing the overall reliability of network connections. For existing policies that might have relied on the "bidirectional" behavior, particularly for specific use cases like post-quantum cryptography (PQC) fragmented TLS handshakes, AWS provides guidance on how to adjust rules to maintain functionality without reintroducing the packet drop issues. This update reduces the operational overhead of debugging subtle network disruptions caused by the firewall itself.
How to use it
When creating new Network Firewall policies, the safer default is automatically applied. For existing policies, review your stateful rules, especially if you previously encountered intermittent connection drops or if you have specific requirements like PQC fragmented TLS handshakes, and consider adjusting them to use the to_server flag where appropriate, or explicitly switch to the "server-directed only" action.
Source (AWS What's New): AWS Network Firewall updates default drop action for improved connection reliability