
Default Action for Fragmented Packets Should Drop or Forward

Overview

This check verifies that your AWS Network Firewall policy handles fragmented UDP packets securely. Fragmented packets should either be dropped or forwarded to stateful rule groups for inspection rather than passed through without any filtering.

Network Firewall only manages UDP packet fragments; fragments of other protocols are silently dropped. The fragment default action is what applies to a UDP fragment that the stateless engine cannot evaluate as a whole packet, so setting it to "Pass" lets such traffic through without matching any rule, and an attacker can deliberately fragment UDP traffic to bypass your firewall rules.

Risk

If the default action for fragmented packets is set to "Pass," your network is exposed to several security threats:

  • Data exfiltration: fragmented UDP flows leave the VPC without being matched against any rule, so fragmentation becomes a ready-made evasion channel for moving data out
  • Payload smuggling: a malicious payload split across fragments is never reassembled and inspected by the stateful engine, so signature-based rules cannot see it
  • Denial of service: fragment floods pass the firewall unfiltered and can exhaust reassembly buffers and bandwidth on the hosts behind it
  • Lateral movement: an attacker who has already compromised one system can use fragmented UDP to reach others without the firewall logging or blocking the traffic

Remediation Steps

Prerequisites

You need access to the AWS Console with permissions to modify Network Firewall policies, or AWS CLI configured with appropriate credentials.

Required IAM permissions

Your IAM user or role needs the following permissions. "Resource": "*" is shown for brevity; in practice, scope the statement to the ARN of the firewall policy you are changing.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "network-firewall:DescribeFirewallPolicy",
        "network-firewall:UpdateFirewallPolicy"
      ],
      "Resource": "*"
    }
  ]
}

AWS Console Method

  1. Open the Amazon VPC Console at https://console.aws.amazon.com/vpc/
  2. In the left navigation, under Network Firewall, select Firewall policies
  3. Click on the policy name that needs to be updated
  4. In the Stateless default actions section, find Fragmented packets
  5. Click Edit
  6. Change the action from "Pass" to one of:
    • Drop - Silently discards the fragmented packets
    • Forward to stateful rule groups - Sends fragments for deeper inspection
  7. Click Save

Recommendation: Choose "Forward to stateful rule groups" if you have stateful rule groups that can inspect the traffic once it reaches the stateful engine; this keeps legitimate fragmented UDP working while still subjecting it to inspection and logging. Choose "Drop" only if you have confirmed that nothing behind the firewall depends on fragmented UDP.

AWS CLI (optional)

First, retrieve the current policy configuration and update token:

aws network-firewall describe-firewall-policy \
  --firewall-policy-name <your-policy-name> \
  --region us-east-1

Note the UpdateToken value from the response. Then update the policy with secure fragment handling:

aws network-firewall update-firewall-policy \
  --firewall-policy-name <your-policy-name> \
  --update-token <update-token-from-describe> \
  --firewall-policy '{
    "StatelessDefaultActions": ["aws:forward_to_sfe"],
    "StatelessFragmentDefaultActions": ["aws:drop"],
    "StatefulEngineOptions": {"RuleOrder": "STRICT_ORDER"},
    "StatefulDefaultActions": ["aws:drop_established"],
    "StatelessRuleGroupReferences": [],
    "StatefulRuleGroupReferences": []
  }' \
  --region us-east-1

Important: --firewall-policy replaces the entire FirewallPolicy object, not just the fields you list. Rule group references, stateless custom actions, StatefulEngineOptions and TLS inspection settings that you omit are removed from the policy. Start from the FirewallPolicy object returned by describe-firewall-policy and change only StatelessFragmentDefaultActions; the empty arrays above are placeholders. Also note that StatefulDefaultActions is only accepted when StatefulEngineOptions.RuleOrder is STRICT_ORDER, which is why the example sets it; with the default rule order, leave StatefulDefaultActions out.

To forward fragments to stateful inspection instead of dropping, use:

  "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"]

CloudFormation (optional)

Use this CloudFormation template to create or update a firewall policy with secure fragment handling:

AWSTemplateFormatVersion: '2010-09-09'
Description: Network Firewall Policy with secure fragmented packet handling

Parameters:
  PolicyName:
    Type: String
    Description: Name for the firewall policy
    Default: secure-firewall-policy

Resources:
  FirewallPolicy:
    Type: AWS::NetworkFirewall::FirewallPolicy
    Properties:
      FirewallPolicyName: !Ref PolicyName
      FirewallPolicy:
        StatelessDefaultActions:
          - aws:forward_to_sfe
        StatelessFragmentDefaultActions:
          - aws:drop
        # StatefulDefaultActions is only accepted with strict rule ordering
        StatefulEngineOptions:
          RuleOrder: STRICT_ORDER
        StatefulDefaultActions:
          - aws:drop_established
        StatefulRuleGroupReferences: []
        StatelessRuleGroupReferences: []
      Tags:
        - Key: Environment
          Value: Production

Outputs:
  PolicyArn:
    Description: ARN of the created firewall policy
    Value: !Ref FirewallPolicy

Deploy the template:

aws cloudformation deploy \
  --template-file firewall-policy.yaml \
  --stack-name secure-firewall-policy \
  --parameter-overrides PolicyName=my-secure-policy \
  --region us-east-1

Note: CloudFormation only manages policies it created or that you have imported into a stack; deploying this template against a name that is not in the stack creates a new policy, which still has to be associated with your firewall. For a policy it does manage, each update replaces the entire policy configuration, so include all existing rule group references, custom actions and engine options in the template.

Terraform (optional)

Use this Terraform configuration to create or manage a firewall policy with secure fragment handling. To manage an existing policy rather than create a new one, bring it under Terraform with terraform import before applying, and add its current rule group references to the resource.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "policy_name" {
  description = "Name of the firewall policy"
  type        = string
  default     = "secure-firewall-policy"
}

resource "aws_networkfirewall_firewall_policy" "secure_policy" {
  name = var.policy_name

  firewall_policy {
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:drop"]

    # strict ordering is required if you also set stateful_default_actions
    stateful_engine_options {
      rule_order = "STRICT_ORDER"
    }
  }

  tags = {
    Environment = "Production"
  }
}

output "policy_arn" {
  description = "ARN of the firewall policy"
  value       = aws_networkfirewall_firewall_policy.secure_policy.arn
}

Apply the configuration:

terraform init
terraform plan
terraform apply

To forward fragments to stateful inspection instead of dropping:

  stateless_fragment_default_actions = ["aws:forward_to_sfe"]

Verification

After making changes, verify the policy is correctly configured:

  1. In the VPC Console, navigate to Network Firewall > Firewall policies
  2. Select your policy and check the Stateless default actions section
  3. Confirm that Fragmented packets shows either "Drop" or "Forward to stateful rule groups"

CLI verification

aws network-firewall describe-firewall-policy \
  --firewall-policy-name <your-policy-name> \
  --region us-east-1 \
  --query 'FirewallPolicy.StatelessFragmentDefaultActions'

The output should show either:

  • ["aws:drop"] - Fragments are dropped
  • ["aws:forward_to_sfe"] - Fragments are forwarded to stateful inspection

If aws:pass appears in the list, the policy is still insecure and needs to be updated. The list may also contain the name of a stateless custom action (for example one that publishes a CloudWatch metric) next to the aws:* action; the custom action does not change the verdict, only the aws:* entry does.
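The CLI procedure above (describe, edit the returned policy, update with the token) and this verification query can be scripted so that the existing rule group references and custom actions are carried over rather than retyped. The following Python is an added example written for this page, not part of the check's own tooling or of the AWS CLI. It works on the JSON document that describe-firewall-policy prints, so it runs offline against a saved copy; the sample document, its ARNs, account ID and update token are constructed placeholders, and the script prints the update-firewall-policy command instead of calling AWS itself.

```python
"""Audit and harden StatelessFragmentDefaultActions in a saved
describe-firewall-policy document, preserving everything else in the policy.

Added example for this page; makes no AWS calls. Run with a file argument:
    aws network-firewall describe-firewall-policy --firewall-policy-name X > p.json
    python harden_fragments.py p.json
"""
import copy
import json
import sys

STANDARD_FRAGMENT_ACTIONS = {"aws:pass", "aws:drop", "aws:forward_to_sfe"}
SECURE_FRAGMENT_ACTIONS = {"aws:drop", "aws:forward_to_sfe"}

# Constructed sample of describe-firewall-policy output for an insecure policy.
# Account ID, ARNs and the update token are placeholders, not real values.
SAMPLE_DESCRIBE_OUTPUT = {
    "UpdateToken": "00000000-0000-4000-8000-000000000000",
    "FirewallPolicyResponse": {
        "FirewallPolicyName": "example-policy",
        "FirewallPolicyArn": "arn:aws:network-firewall:us-east-1:123456789012:"
                             "firewall-policy/example-policy",
    },
    "FirewallPolicy": {
        "StatelessRuleGroupReferences": [
            {"ResourceArn": "arn:aws:network-firewall:us-east-1:123456789012:"
                            "stateless-rulegroup/example-stateless",
             "Priority": 10}
        ],
        "StatelessDefaultActions": ["aws:forward_to_sfe"],
        # aws:pass next to a custom metric action: the aws:pass is the finding
        "StatelessFragmentDefaultActions": ["aws:pass", "CountFragments"],
        "StatelessCustomActions": [
            {"ActionName": "CountFragments",
             "ActionDefinition": {"PublishMetricAction": {
                 "Dimensions": [{"Value": "fragments"}]}}}
        ],
        "StatefulRuleGroupReferences": [
            {"ResourceArn": "arn:aws:network-firewall:us-east-1:123456789012:"
                            "stateful-rulegroup/example-stateful"}
        ],
        "StatefulEngineOptions": {"RuleOrder": "DEFAULT_ACTION_ORDER"},
    },
}


def fragment_finding(describe_output):
    """Return None when fragment handling is secure, otherwise a finding string.

    Only the aws:* entry decides the verdict; a custom action beside it is ignored.
    """
    actions = describe_output["FirewallPolicy"].get("StatelessFragmentDefaultActions", [])
    standard = [a for a in actions if a in STANDARD_FRAGMENT_ACTIONS]
    if len(standard) != 1:
        return f"unexpected fragment actions {actions!r}: expected exactly one aws:* action"
    if standard[0] in SECURE_FRAGMENT_ACTIONS:
        return None
    return f"fragments are passed unfiltered ({actions!r}); set aws:drop or aws:forward_to_sfe"


def harden_fragment_handling(describe_output, new_action="aws:forward_to_sfe"):
    """Return (update_token, firewall_policy) ready for update-firewall-policy.

    The whole FirewallPolicy object is copied (rule group references, custom
    actions, engine options, TLS settings); only the aws:* fragment action is
    swapped, and any custom action next to it is kept.
    """
    if new_action not in SECURE_FRAGMENT_ACTIONS:
        raise ValueError(f"{new_action} is not a secure fragment action")
    policy = copy.deepcopy(describe_output["FirewallPolicy"])
    custom = [a for a in policy.get("StatelessFragmentDefaultActions", [])
              if a not in STANDARD_FRAGMENT_ACTIONS]
    policy["StatelessFragmentDefaultActions"] = [new_action] + custom
    # The API only accepts StatefulDefaultActions with strict rule ordering;
    # refuse to emit a document the update call would reject.
    rule_order = policy.get("StatefulEngineOptions", {}).get("RuleOrder")
    if policy.get("StatefulDefaultActions") and rule_order != "STRICT_ORDER":
        raise ValueError("StatefulDefaultActions requires StatefulEngineOptions.RuleOrder=STRICT_ORDER")
    return describe_output["UpdateToken"], policy


def update_command(describe_output, new_action="aws:forward_to_sfe", region="us-east-1"):
    """Build the argv for the CLI update, passing the full policy as JSON."""
    token, policy = harden_fragment_handling(describe_output, new_action)
    name = describe_output["FirewallPolicyResponse"]["FirewallPolicyName"]
    return ["aws", "network-firewall", "update-firewall-policy",
            "--firewall-policy-name", name,
            "--update-token", token,
            "--firewall-policy", json.dumps(policy),
            "--region", region]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            data = json.load(fh)
    else:
        data = SAMPLE_DESCRIBE_OUTPUT
    finding = fragment_finding(data)
    print("finding:", finding or "none")
    if finding:
        # Review the printed command, then run it; the token expires on any
        # concurrent change to the policy, so re-describe if the update fails.
        print(" ".join(update_command(data)))
```

Because the hardened document is derived from the live policy, the rule group references and the custom action survive the update, which is exactly what the hand-written JSON in the CLI section risks losing. Run fragment_finding again on the describe output after the update to confirm the change landed.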

Notes

  • Valid actions for fragmented packets: aws:drop, aws:pass, or aws:forward_to_sfe, optionally accompanied by the name of a stateless custom action. Only aws:drop and aws:forward_to_sfe are considered secure.
  • Impact consideration: Dropping all fragmented UDP traffic may break legitimate applications that rely on UDP fragmentation, such as large DNS responses (DNSSEC or EDNS payloads above the path MTU) and IKE negotiations that carry certificates. Forward fragments to stateful inspection first and review the firewall's flow and alert logs before moving to a drop policy.
  • Policy updates require tokens: When using the CLI, you must provide the current UpdateToken to prevent concurrent modification conflicts.
  • Rule group preservation: When updating policies via CLI, CloudFormation, or Terraform, ensure you preserve existing rule group references to avoid accidentally removing security rules.
  • Compliance frameworks: This check is relevant for C5, KISA-ISMS-P, NIS2, and PCI compliance requirements.