AWS Config Rule: NETFW Policy Default Action Fragment Packets

NETFW_POLICY_DEFAULT_ACTION_FRAGMENT_PACKETS

Eduardo Van Cauteren

Last Update 4 months ago

Description: Checks whether an AWS Network Firewall policy is configured with a user-defined stateless default action for fragmented packets. The rule is NON_COMPLIANT if the policy's stateless default action for fragmented packets does not match the user-defined default action.


Trigger type: Configuration changes


AWS Region: All supported AWS regions


How to Resolve Manually

In AWS Console this parameter can be one of three options:

  • Pass
  • Drop
  • Forward to stateful rule groups

When this AWS Config Rule references "Stateless Fragments Default Actions", it refers to whichever of the three options above you chose. By default, StackZone sets this to aws:pass, but you can define up to two accepted values for this Config Rule.


To resolve this manually, head over to the VPC service within your AWS Console. Make sure you select the region where your Network Firewall is located.


Once there, from the left-hand side menu, find Network Firewall and click on Firewall Policies. Locate the policy that is out of compliance and click on its name.

Under the Stateless default actions card, make sure that the default action under Actions for fragmented packets is set to one of the options you defined in the StackZone Console when you enabled the rule.


To modify it, click the Edit button and set the action to one of the expected values. Alternatively, if the policy is not in use, you can delete it to bring the rule back into compliance.
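If you would rather check a policy before AWS Config flags it, the following added example (not StackZone's or AWS's own code) applies the same comparison to the DescribeFirewallPolicy response. It assumes the accepted values arrive as a comma-separated string; the sample response and the `fetch_policy` helper are constructed for illustration.

```python
# Added example: mirror the NETFW_POLICY_DEFAULT_ACTION_FRAGMENT_PACKETS
# check against a DescribeFirewallPolicy response. Not StackZone or AWS code.

# The three stateless default actions Network Firewall accepts. A policy lists
# exactly one of them, optionally followed by custom (e.g. metrics) actions.
STANDARD_ACTIONS = {"aws:pass", "aws:drop", "aws:forward_to_sfe"}


def parse_allowed(param):
    """Parse the user-defined default action(s), e.g. "aws:pass,aws:drop".

    The article allows up to two values; the comma-separated format is assumed.
    """
    values = [v.strip() for v in param.split(",") if v.strip()]
    if not 1 <= len(values) <= 2:
        raise ValueError("expected one or two default actions")
    unknown = set(values) - STANDARD_ACTIONS
    if unknown:
        raise ValueError(f"unknown default action(s): {sorted(unknown)}")
    return set(values)


def evaluate(describe_response, allowed):
    """Return 'COMPLIANT' or 'NON_COMPLIANT' for one policy response."""
    policy = describe_response.get("FirewallPolicy", {})
    fragment_actions = policy.get("StatelessFragmentDefaultActions", [])
    # Custom actions are ignored; only the standard action decides compliance.
    standard = STANDARD_ACTIONS.intersection(fragment_actions)
    if len(standard) != 1:
        return "NON_COMPLIANT"  # missing or malformed default action
    return "COMPLIANT" if standard <= allowed else "NON_COMPLIANT"


def fetch_policy(name, region=None):
    """Pull a live policy with boto3 (needs AWS credentials; not run offline)."""
    import boto3  # imported lazily so the offline example does not need it
    client = boto3.client("network-firewall", region_name=region)
    return client.describe_firewall_policy(FirewallPolicyName=name)


# Constructed sample: fragments go to the stateful engine, but the rule was
# enabled with aws:pass (StackZone's default) and aws:drop as accepted values.
SAMPLE_RESPONSE = {
    "FirewallPolicyResponse": {"FirewallPolicyName": "example-policy"},
    "FirewallPolicy": {
        "StatelessDefaultActions": ["aws:forward_to_sfe"],
        "StatelessFragmentDefaultActions": ["aws:forward_to_sfe", "CountFrags"],
    },
}

if __name__ == "__main__":
    print(evaluate(SAMPLE_RESPONSE, parse_allowed("aws:pass,aws:drop")))  # NON_COMPLIANT
```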

