About Rulestacks and Rules on Cloud NGFW for AWS
Table of Contents
About Rulestacks and Rules on Cloud NGFW for AWS
Rulestacks defines access control (App-ID, URL Filtering)
and threat prevention behavior of Cloud NGFW resources. A Cloud
NGFW resource uses your rulestack definitions to protect the traffic
by a two-step process. First, it enforces your rules on the to allow
or deny your traffic. Second, it performs content inspection on
the allowed traffic based on what you specify on the Security Profiles.
A rulestack includes a set of security rules, associated objects,
and profiles similar to devices groups on Panorama.
There are two types of rulestacks.
- Local Rulestack—A Local Rulestack consists of local rules and manages the local rules. A local account administrator can associate a local rulestack to an NGFW in their AWS account. To create and manage local rulestacks, you must have the Local Rulestack Admin role.
- Global Rulestack—The AWS Firewall Manager administrator can author a Firewall Manager Service (FMS) policy and associate a Global Rulestack with it. AWS Firewall Manager manages the Global Rulestack across all these NGFWs in different AWS accounts of an AWS Organization. A Global Rulestack configures pre-rules and post-rules on each NGFW. To create and manage global rulestacks, you must have the Global Rulestack Admin role.
- Pre Rules—Rules that are added to the top of the rule order and are evaluated first.
- Post Rules—Rules that are added at the bottom of the rule order and are evaluated after the pre-rules and rules defined in a local rulestack applied to an individual NGFW.
When using Firewall Manager, a combination of local and global
rulestacks allows you to create a hierarchical rules model. The
pre-rules of a global rulestacks can act as global default rules
for all associated firewalls. Then you can use a local rulestack
to define rules for specific applications or users. The post rules
can be used to allow or deny traffic that does not match any pre-rules
or those rules defined in the local rulestack.
One global rulestack and one local rulestack can be applied
to each NGFW.
If you are using Multi-Account Tenant or Multi-VPC, consider
the following changes to rulestack behavior:
- when a rulestack is created, it is mapped to a specific account.
- you can now associate a rulestack with a firewall resource in any onboarded account.
- permissions are still mapped to the account associated with the rulestack; any modifications to the rulestack must be done by a user with LRA permissions in the rulestacks account.
Certificates from any onboarded account can be mapped to a rulestack.
For example, the certificate in account1 and the certificate
in account2 can be mapped to a rulestack in account3 which could
be associated with a firewall resource in account4. In this scenario,
all accounts (1-4) must be successfully onboarded.