
Network Firewall Policy Default Action for Full Packets

Overview

This check verifies that your AWS Network Firewall policy has its default stateless action for full packets set to drop or forward to stateful rule groups rather than allowing packets to pass through unchecked.

AWS Network Firewall processes traffic using stateless rules first. When a packet does not match any stateless rule, the firewall applies the default action. Setting this default to "pass" means unmatched traffic bypasses your firewall protections entirely.

Risk

If the default action is set to Pass, unmatched packets can:

  • Bypass security filtering - Malicious traffic that does not match explicit rules will flow through unchecked
  • Enable reconnaissance - Attackers can probe your network without triggering firewall rules
  • Allow data exfiltration - Covert channels using unusual protocols may go undetected
  • Deliver malware - Packets carrying malicious payloads could reach your resources

A deny-by-default approach (drop or forward for inspection) follows the principle of least privilege and ensures only explicitly allowed traffic can pass.

Remediation Steps

Prerequisites

You need permission to modify Network Firewall policies in your AWS account. Specifically, you need the network-firewall:UpdateFirewallPolicy permission.

Required IAM permissions

Your IAM user or role needs these permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "network-firewall:DescribeFirewallPolicy",
        "network-firewall:UpdateFirewallPolicy"
      ],
      "Resource": "*"
    }
  ]
}

AWS Console Method

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/
  2. In the left navigation pane, under Network Firewall, choose Firewall policies
  3. Select the firewall policy you want to modify
  4. In the Stateless default actions section, find Default actions for full packets
  5. Choose Edit
  6. Change the action from "Pass" to one of:
    • Drop - Silently discard unmatched packets (recommended for strict security)
    • Forward to stateful rule groups - Send packets to stateful inspection (recommended if you have stateful rules)
  7. Choose Save

AWS CLI (optional)

First, retrieve the current policy configuration and update token:

aws network-firewall describe-firewall-policy \
  --firewall-policy-name <your-policy-name> \
  --region us-east-1

Note the UpdateToken value from the response. Then update the policy with secure default actions:

Option 1: Drop unmatched packets

aws network-firewall update-firewall-policy \
  --firewall-policy-name <your-policy-name> \
  --update-token <update-token> \
  --firewall-policy '{
    "StatelessDefaultActions": ["aws:drop"],
    "StatelessFragmentDefaultActions": ["aws:drop"]
  }' \
  --region us-east-1

Option 2: Forward to stateful rule groups

aws network-firewall update-firewall-policy \
  --firewall-policy-name <your-policy-name> \
  --update-token <update-token> \
  --firewall-policy '{
    "StatelessDefaultActions": ["aws:forward_to_sfe"],
    "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"]
  }' \
  --region us-east-1

Important: If your existing policy has stateless rule group references, stateful rule group references, or other configuration, you must include them in the --firewall-policy parameter to avoid removing them. Retrieve the full policy first and modify only the default actions.

CloudFormation (optional)

Use this template to create a firewall policy with secure default actions:

AWSTemplateFormatVersion: '2010-09-09'
Description: AWS Network Firewall Policy with secure default actions

Parameters:
  FirewallPolicyName:
    Type: String
    Description: Name for the firewall policy

Resources:
  SecureFirewallPolicy:
    Type: AWS::NetworkFirewall::FirewallPolicy
    Properties:
      FirewallPolicyName: !Ref FirewallPolicyName
      FirewallPolicy:
        StatelessDefaultActions:
          - aws:drop
        StatelessFragmentDefaultActions:
          - aws:drop

Outputs:
  FirewallPolicyArn:
    Description: ARN of the firewall policy
    Value: !Ref SecureFirewallPolicy

To forward to stateful rule groups instead, replace aws:drop with aws:forward_to_sfe:

FirewallPolicy:
  StatelessDefaultActions:
    - aws:forward_to_sfe
  StatelessFragmentDefaultActions:
    - aws:forward_to_sfe

Deploy with:

aws cloudformation deploy \
  --template-file template.yaml \
  --stack-name secure-firewall-policy \
  --parameter-overrides FirewallPolicyName=my-secure-policy \
  --region us-east-1

Terraform (optional)

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

variable "firewall_policy_name" {
  description = "Name for the firewall policy"
  type        = string
  default     = "secure-firewall-policy"
}

resource "aws_networkfirewall_firewall_policy" "secure_policy" {
  name = var.firewall_policy_name

  firewall_policy {
    stateless_default_actions          = ["aws:drop"]
    stateless_fragment_default_actions = ["aws:drop"]
  }

  tags = {
    Environment = "production"
    ManagedBy   = "Terraform"
  }
}

output "firewall_policy_arn" {
  description = "ARN of the firewall policy"
  value       = aws_networkfirewall_firewall_policy.secure_policy.arn
}

To forward to stateful rule groups instead:

firewall_policy {
  stateless_default_actions          = ["aws:forward_to_sfe"]
  stateless_fragment_default_actions = ["aws:forward_to_sfe"]
}

Verification

After making changes, verify the configuration:

  1. In the VPC console, navigate to Network Firewall > Firewall policies
  2. Select your policy and check the Stateless default actions section
  3. Confirm that Default actions for full packets shows either "Drop" or "Forward to stateful rule groups"

CLI verification

aws network-firewall describe-firewall-policy \
  --firewall-policy-name <your-policy-name> \
  --region us-east-1 \
  --query 'FirewallPolicy.StatelessDefaultActions'

The output should show either:

  • ["aws:drop"] - Packets are dropped
  • ["aws:forward_to_sfe"] - Packets are forwarded to stateful rule groups
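The verification query above tells you what the default actions are, and the Important note in the CLI section warns that an update must carry the rest of the policy along with it. The following script is an added example (not code from the original page or from AWS) that does both against the JSON shape returned by describe-firewall-policy: evaluate_default_actions flags a policy whose full-packet or fragment default is aws:pass, and build_remediated_policy produces an updated FirewallPolicy document that swaps only the standard default action, keeping rule group references and any custom (metric-publishing) actions intact. The sample response and ARNs are constructed; the boto3 calls in main() are only reached when the script is run directly with credentials available.

```python
"""Check and remediate AWS Network Firewall stateless default actions.

Added example, not part of the original page. Operates on the dict shape of
`aws network-firewall describe-firewall-policy` output:
    {"UpdateToken": ..., "FirewallPolicyResponse": {...}, "FirewallPolicy": {...}}
"""
from __future__ import annotations

import copy
import sys

INSECURE_ACTION = "aws:pass"                      # unmatched traffic bypasses inspection
COMPLIANT_ACTIONS = {"aws:drop", "aws:forward_to_sfe"}
DEFAULT_ACTION_KEYS = ("StatelessDefaultActions", "StatelessFragmentDefaultActions")

# Constructed sample: a non-compliant policy that also references rule groups
# and publishes a custom metric action alongside the standard default action.
SAMPLE_DESCRIBE_RESPONSE = {
    "UpdateToken": "constructed-update-token-0001",
    "FirewallPolicyResponse": {"FirewallPolicyName": "example-policy"},
    "FirewallPolicy": {
        "StatelessRuleGroupReferences": [
            {"ResourceArn": "arn:aws:network-firewall:us-east-1:111122223333:"
                            "stateless-rulegroup/constructed-sl-group", "Priority": 10}
        ],
        "StatelessDefaultActions": ["aws:pass", "PublishMetric"],
        "StatelessFragmentDefaultActions": ["aws:pass"],
        "StatelessCustomActions": [
            {"ActionName": "PublishMetric",
             "ActionDefinition": {"PublishMetricAction": {"Dimensions": [{"Value": "constructed"}]}}}
        ],
        "StatefulRuleGroupReferences": [
            {"ResourceArn": "arn:aws:network-firewall:us-east-1:111122223333:"
                            "stateful-rulegroup/constructed-sf-group"}
        ],
    },
}


def _is_compliant(actions: list[str]) -> bool:
    """A default action list is compliant when it contains no aws:pass and does
    contain one of the accepted standard actions."""
    return INSECURE_ACTION not in actions and bool(COMPLIANT_ACTIONS & set(actions))


def evaluate_default_actions(firewall_policy: dict) -> dict:
    """Return per-key compliance for the FirewallPolicy document."""
    return {
        key: {"actions": list(firewall_policy.get(key, [])),
              "compliant": _is_compliant(firewall_policy.get(key, []))}
        for key in DEFAULT_ACTION_KEYS
    }


def build_remediated_policy(firewall_policy: dict, action: str) -> dict:
    """Copy the policy and replace only the standard default action in both
    default-action lists. Custom actions (names not prefixed with 'aws:') and
    every other key, such as rule group references, are preserved so an
    UpdateFirewallPolicy call does not strip existing configuration."""
    if action not in COMPLIANT_ACTIONS:
        raise ValueError(f"action must be one of {sorted(COMPLIANT_ACTIONS)}, got {action!r}")
    updated = copy.deepcopy(firewall_policy)
    for key in DEFAULT_ACTION_KEYS:
        custom = [a for a in updated.get(key, []) if not a.startswith("aws:")]
        updated[key] = [action] + custom
    return updated


def main(argv: list[str]) -> int:
    """Scan every policy in the region; pass --apply to remediate with aws:drop."""
    import boto3  # imported lazily so the pure functions stay importable offline

    apply = "--apply" in argv
    client = boto3.client("network-firewall")
    exit_code = 0
    paginator_kwargs: dict = {}
    while True:
        page = client.list_firewall_policies(**paginator_kwargs)
        for summary in page.get("FirewallPolicies", []):
            name = summary["Name"]
            resp = client.describe_firewall_policy(FirewallPolicyName=name)
            finding = evaluate_default_actions(resp["FirewallPolicy"])
            if all(v["compliant"] for v in finding.values()):
                print(f"PASS {name}: {finding}")
                continue
            exit_code = 1
            print(f"FAIL {name}: {finding}")
            if apply:
                client.update_firewall_policy(
                    UpdateToken=resp["UpdateToken"],
                    FirewallPolicyName=name,
                    FirewallPolicy=build_remediated_policy(resp["FirewallPolicy"], "aws:drop"),
                )
                print(f"  updated {name} to aws:drop")
        if "NextToken" not in page:
            return exit_code
        paginator_kwargs = {"NextToken": page["NextToken"]}


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it read-only first (`python check_nfw_defaults.py`) and review the FAIL lines against the Traffic impact note below before re-running with --apply; the script deliberately uses aws:drop, so pass "aws:forward_to_sfe" to build_remediated_policy instead if you rely on stateful rule groups for inspection.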

Additional Resources

Notes

  • Drop vs Forward: Choose "Drop" for a strict deny-by-default posture. Choose "Forward to stateful rule groups" if you want deeper inspection of unmatched traffic using stateful rules (such as Suricata-compatible rules).

  • Fragment actions: This tutorial also sets StatelessFragmentDefaultActions to match the full packet action. Fragmented packets should receive the same treatment as full packets for consistent security.

  • Existing policies: When updating an existing policy via CLI, include all existing configuration (rule group references, etc.) in your update command to avoid accidentally removing them.

  • Traffic impact: Changing from "Pass" to "Drop" may block legitimate traffic that was previously allowed by default. Review your firewall logs and ensure you have explicit allow rules for required traffic before making this change in production.