
Ensure Default Stateless Action for Fragmented Packets Is Secure

Verifies that the default stateless action for fragmented packets in Network Firewall policies is set to drop or forward, preventing unauthorized traffic flow.

Rule: The default stateless action for Network Firewall policies should be drop or forward for fragmented packets
Framework: AWS Foundational Security Best Practices
Severity: Medium

Rule Description:

Under AWS Foundational Security Best Practices, the stateless action that a Network Firewall policy applies by default to fragmented packets should be set to either drop or forward. If that default is pass, fragmented packets leave the firewall without being inspected by the stateful engine, so this setting matters for keeping unauthorized traffic out of your network.

Troubleshooting Steps:

If you encounter any issues related to this rule, such as fragmented packets not being handled correctly, follow these troubleshooting steps:

  1. Check the current configuration of the Network Firewall policy.
  2. Ensure that the stateless action for fragmented packets is set to either drop or forward as per the best practices.
  3. Verify whether any specific rules conflict with the default setting for fragmented packets.
  4. Monitor network traffic to identify any anomalies or inconsistencies that might indicate a problem with packet handling.

Necessary Codes:

If you need to modify the stateless action for fragmented packets in your Network Firewall policy, you can use the following AWS CLI command:

aws network-firewall update-firewall-policy --firewall-policy-name <policy-name> --update-token <update-token> --firewall-policy file://<policy-file.json>

Make sure to replace <policy-name>, <update-token>, and <policy-file.json> with your actual policy name, update token, and JSON file containing the updated policy configuration.
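As an added example (not part of the original page or any AWS tooling), the following Python script checks a policy document of the shape passed via file://<policy-file.json> and produces a corrected copy. It assumes the standard Network Firewall action names (aws:pass, aws:drop, aws:forward_to_sfe) and uses a constructed sample policy with a placeholder rule group ARN.

```python
import json

# Standard stateless actions recognised by AWS Network Firewall. A default
# action list carries exactly one of these plus optional custom action names.
STANDARD_ACTIONS = {"aws:pass", "aws:drop", "aws:forward_to_sfe"}
SECURE_ACTIONS = {"aws:drop", "aws:forward_to_sfe"}

# Constructed sample: fragmented packets default to "pass", so they bypass
# the stateful engine entirely. The ARN is a placeholder, not a real resource.
WEAK_POLICY = {
    "StatelessDefaultActions": ["aws:forward_to_sfe"],
    "StatelessFragmentDefaultActions": ["aws:pass"],
    "StatefulRuleGroupReferences": [
        {"ResourceArn": "arn:aws:network-firewall:us-east-1:123456789012:"
                        "stateful-rulegroup/placeholder"}
    ],
}


def fragment_default_is_secure(policy: dict) -> bool:
    """True when the fragmented-packet default is drop or forward_to_sfe.

    Only the single standard action decides the outcome; custom actions
    (e.g. metric publishing) are ignored for this check.
    """
    actions = policy.get("StatelessFragmentDefaultActions", [])
    standard = [a for a in actions if a in STANDARD_ACTIONS]
    return len(standard) == 1 and standard[0] in SECURE_ACTIONS


def remediate(policy: dict, action: str = "aws:forward_to_sfe") -> dict:
    """Return a deep copy with a secure fragmented-packet default, keeping
    any custom actions that were already attached."""
    if action not in SECURE_ACTIONS:
        raise ValueError(f"action must be one of {sorted(SECURE_ACTIONS)}")
    fixed = json.loads(json.dumps(policy))
    custom = [a for a in fixed.get("StatelessFragmentDefaultActions", [])
              if a not in STANDARD_ACTIONS]
    fixed["StatelessFragmentDefaultActions"] = [action] + custom
    return fixed


def policy_file_body(policy: dict) -> str:
    """Serialise the policy for the --firewall-policy file:// argument."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    print("weak policy secure?", fragment_default_is_secure(WEAK_POLICY))
    fixed = remediate(WEAK_POLICY, "aws:drop")
    print("fixed policy secure?", fragment_default_is_secure(fixed))
    print(policy_file_body(fixed))
```

Write the output of policy_file_body() to the JSON file named in the CLI command above; the drop variant blocks fragments outright, while forward_to_sfe sends them to the stateful rules for inspection.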

Step-by-Step Guide for Remediation:

To ensure that the stateless action for fragmented packets in your Network Firewall policy is set to either drop or forward, follow these steps:

  1. Open the AWS Management Console and navigate to the Network Firewall service.
  2. Select the appropriate firewall policy that you want to modify.
  3. Locate the settings related to stateless actions for fragmented packets within the policy configuration.
  4. Update the configuration to set the stateless action to either drop or forward, depending on your security requirements.
  5. Save the changes and apply the updated policy to your network firewall.

By following these steps, you can ensure that the default stateless action for fragmented packets in your Network Firewall policy aligns with AWS Foundational Security Best Practices.
