export declare const FirewallEnabledAnalysisType: {
    readonly TlsSni: "TLS_SNI";
    readonly HttpHost: "HTTP_HOST";
};
/**
 * An analysis type. The declared values are `TLS_SNI` and `HTTP_HOST`.
 */
export type FirewallEnabledAnalysisType = typeof FirewallEnabledAnalysisType[keyof typeof FirewallEnabledAnalysisType];

export declare const FirewallPolicyOverrideAction: {
    readonly DropToAlert: "DROP_TO_ALERT";
};
/**
 * Override action for a firewall policy. `DROP_TO_ALERT` is the only declared value.
 *
 * NOTE(review): going by the name, this override turns drop actions into alerts, which
 * would let matching traffic through while only logging it. Confirm against the
 * Network Firewall documentation before applying it to a rule group relied on for blocking.
 */
export type FirewallPolicyOverrideAction = typeof FirewallPolicyOverrideAction[keyof typeof FirewallPolicyOverrideAction];

export declare const FirewallPolicyRuleOrder: {
    readonly DefaultActionOrder: "DEFAULT_ACTION_ORDER";
    readonly StrictOrder: "STRICT_ORDER";
};
/**
 * Rule evaluation order for a firewall policy: `DEFAULT_ACTION_ORDER` or `STRICT_ORDER`.
 * `RuleGroupRuleOrder` declares the same two values.
 *
 * NOTE(review): the two orders presumably change which rule wins when several match,
 * so the effective verdict of a rule set depends on this setting. Confirm the exact
 * evaluation semantics in the Network Firewall documentation.
 */
export type FirewallPolicyRuleOrder = typeof FirewallPolicyRuleOrder[keyof typeof FirewallPolicyRuleOrder];

export declare const FirewallPolicyStreamExceptionPolicy: {
    readonly Drop: "DROP";
    readonly Continue: "CONTINUE";
    readonly Reject: "REJECT";
};
/**
 * Stream exception policy for a firewall policy: `DROP`, `CONTINUE` or `REJECT`.
 *
 * NOTE(review): presumably selects what happens to a flow whose stream context is lost
 * midstream; `CONTINUE` reads as the fail-open choice and `DROP`/`REJECT` as fail-closed.
 * Confirm against the Network Firewall documentation before choosing a value.
 */
export type FirewallPolicyStreamExceptionPolicy = typeof FirewallPolicyStreamExceptionPolicy[keyof typeof FirewallPolicyStreamExceptionPolicy];

export declare const LoggingConfigurationLogDestinationConfigLogDestinationType: {
    readonly S3: "S3";
    readonly CloudWatchLogs: "CloudWatchLogs";
    readonly KinesisDataFirehose: "KinesisDataFirehose";
};
/**
 * The kind of storage destination that receives these logs: an Amazon S3 bucket,
 * a CloudWatch log group, or a Firehose delivery stream.
 */
export type LoggingConfigurationLogDestinationConfigLogDestinationType = typeof LoggingConfigurationLogDestinationConfigLogDestinationType[keyof typeof LoggingConfigurationLogDestinationConfigLogDestinationType];

export declare const LoggingConfigurationLogDestinationConfigLogType: {
    readonly Alert: "ALERT";
    readonly Flow: "FLOW";
    readonly Tls: "TLS";
};
/**
 * The type of log to record from the Network Firewall stateful engine.
 *
 * - `ALERT` - Logs for traffic that matches your stateful rules and whose action sends an alert.
 *   A stateful rule sends alerts for the rule actions DROP, ALERT, and REJECT.
 *   For more information, see the `StatefulRule` property.
 * - `FLOW` - Standard network traffic flow logs. The stateful rules engine records flow logs
 *   for all network traffic that it receives. Each flow log record captures the network flow
 *   for a specific standard stateless rule group.
 * - `TLS` - Logs for events that are related to TLS inspection. For more information, see
 *   [Inspecting SSL/TLS traffic with TLS inspection configurations](https://docs.aws.amazon.com/network-firewall/latest/developerguide/tls-inspection-configurations.html)
 *   in the *Network Firewall Developer Guide* .
 */
export type LoggingConfigurationLogDestinationConfigLogType = typeof LoggingConfigurationLogDestinationConfigLogType[keyof typeof LoggingConfigurationLogDestinationConfigLogType];

export declare const RuleGroupGeneratedRulesType: {
    readonly Allowlist: "ALLOWLIST";
    readonly Denylist: "DENYLIST";
    readonly Alertlist: "ALERTLIST";
    readonly Rejectlist: "REJECTLIST";
};
/**
 * Generated-rules type for a rule group: `ALLOWLIST`, `DENYLIST`, `ALERTLIST` or `REJECTLIST`.
 *
 * NOTE(review): the names suggest that the same target list either permits, blocks,
 * alerts on or rejects matching traffic depending on this value, so a wrong value can
 * invert the intent of the list. Confirm against the Network Firewall documentation.
 */
export type RuleGroupGeneratedRulesType = typeof RuleGroupGeneratedRulesType[keyof typeof RuleGroupGeneratedRulesType];

export declare const RuleGroupHeaderDirection: {
    readonly Forward: "FORWARD";
    readonly Any: "ANY";
};
/**
 * The direction of traffic flow to inspect.
 *
 * - `ANY` - the inspection matches bidirectional traffic, both from the source to the
 *   destination and from the destination to the source.
 * - `FORWARD` - the inspection only matches traffic going from the source to the destination.
 */
export type RuleGroupHeaderDirection = typeof RuleGroupHeaderDirection[keyof typeof RuleGroupHeaderDirection];

export declare const RuleGroupHeaderProtocol: {
    readonly Ip: "IP";
    readonly Tcp: "TCP";
    readonly Udp: "UDP";
    readonly Icmp: "ICMP";
    readonly Http: "HTTP";
    readonly Ftp: "FTP";
    readonly Tls: "TLS";
    readonly Smb: "SMB";
    readonly Dns: "DNS";
    readonly Dcerpc: "DCERPC";
    readonly Ssh: "SSH";
    readonly Smtp: "SMTP";
    readonly Imap: "IMAP";
    readonly Msn: "MSN";
    readonly Krb5: "KRB5";
    readonly Ikev2: "IKEV2";
    readonly Tftp: "TFTP";
    readonly Ntp: "NTP";
    readonly Dhcp: "DHCP";
};
/**
 * The protocol to inspect for. To specify all, you can use `IP` , because all traffic
 * on AWS and on the internet is IP.
 */
export type RuleGroupHeaderProtocol = typeof RuleGroupHeaderProtocol[keyof typeof RuleGroupHeaderProtocol];

export declare const RuleGroupRuleOrder: {
    readonly DefaultActionOrder: "DEFAULT_ACTION_ORDER";
    readonly StrictOrder: "STRICT_ORDER";
};
/**
 * Rule evaluation order for a rule group: `DEFAULT_ACTION_ORDER` or `STRICT_ORDER`.
 * `FirewallPolicyRuleOrder` declares the same two values.
 *
 * NOTE(review): a rule group and the policy that references it presumably have to use
 * the same order. Confirm against the Network Firewall documentation.
 */
export type RuleGroupRuleOrder = typeof RuleGroupRuleOrder[keyof typeof RuleGroupRuleOrder];

export declare const RuleGroupStatefulRuleAction: {
    readonly Pass: "PASS";
    readonly Drop: "DROP";
    readonly Alert: "ALERT";
    readonly Reject: "REJECT";
};
/**
 * What Network Firewall does with the packets in a traffic flow when the flow matches the
 * stateful rule criteria. For all actions, Network Firewall performs the specified action
 * and discontinues stateful inspection of the traffic flow.
 *
 * - *PASS* - Permits the packets to go to the intended destination.
 * - *DROP* - Blocks the packets from going to the intended destination and sends an alert
 *   log message, if alert logging is configured in the firewall logging configuration.
 * - *ALERT* - Permits the packets to go to the intended destination and sends an alert log
 *   message, if alert logging is configured in the firewall logging configuration.
 *
 *   You can use this action to test a rule that you intend to use to drop traffic: enable
 *   the rule with `ALERT` action, verify in the logs that the rule is filtering as you want,
 *   then change the action to `DROP` .
 * - *REJECT* - Drops TCP traffic that matches the conditions of the stateful rule, and sends
 *   a TCP reset packet back to sender of the packet. A TCP reset packet is a packet with no
 *   payload and a `RST` bit contained in the TCP header flags. Also sends an alert log message
 *   if alert logging is configured in the firewall logging configuration.
 *
 *   `REJECT` is available only for TCP traffic and isn't currently available for use with
 *   IMAP and FTP protocols.
 */
export type RuleGroupStatefulRuleAction = typeof RuleGroupStatefulRuleAction[keyof typeof RuleGroupStatefulRuleAction];

export declare const RuleGroupSummaryRuleOption: {
    readonly Sid: "SID";
    readonly Msg: "MSG";
    readonly Metadata: "METADATA";
};
/**
 * Rule option selectable for a rule group summary: `SID`, `MSG` or `METADATA`.
 */
export type RuleGroupSummaryRuleOption = typeof RuleGroupSummaryRuleOption[keyof typeof RuleGroupSummaryRuleOption];

export declare const RuleGroupTargetType: {
    readonly TlsSni: "TLS_SNI";
    readonly HttpHost: "HTTP_HOST";
};
/**
 * Target type for a rule group: `TLS_SNI` or `HTTP_HOST`.
 * `FirewallEnabledAnalysisType` declares the same two values.
 */
export type RuleGroupTargetType = typeof RuleGroupTargetType[keyof typeof RuleGroupTargetType];

export declare const RuleGroupTcpFlag: {
    readonly Fin: "FIN";
    readonly Syn: "SYN";
    readonly Rst: "RST";
    readonly Psh: "PSH";
    readonly Ack: "ACK";
    readonly Urg: "URG";
    readonly Ece: "ECE";
    readonly Cwr: "CWR";
};
/**
 * TCP flag names usable in a rule group: `FIN`, `SYN`, `RST`, `PSH`, `ACK`, `URG`, `ECE`, `CWR`.
 */
export type RuleGroupTcpFlag = typeof RuleGroupTcpFlag[keyof typeof RuleGroupTcpFlag];

export declare const RuleGroupTypeEnum: {
    readonly Stateless: "STATELESS";
    readonly Stateful: "STATEFUL";
};
/**
 * Indicates whether the rule group is stateless or stateful. A stateless rule group
 * contains stateless rules; a stateful rule group contains stateful rules.
 */
export type RuleGroupTypeEnum = typeof RuleGroupTypeEnum[keyof typeof RuleGroupTypeEnum];

export declare const TlsInspectionConfigurationRevokedStatusAction: {
    readonly Pass: "PASS";
    readonly Drop: "DROP";
    readonly Reject: "REJECT";
};
/**
 * Revoked-status action of a TLS inspection configuration: `PASS`, `DROP` or `REJECT`.
 *
 * NOTE(review): by name, this is the action taken when a certificate is reported as
 * revoked; `PASS` would then let such a connection continue. Confirm against the
 * Network Firewall documentation before selecting it.
 */
export type TlsInspectionConfigurationRevokedStatusAction = typeof TlsInspectionConfigurationRevokedStatusAction[keyof typeof TlsInspectionConfigurationRevokedStatusAction];

export declare const TlsInspectionConfigurationUnknownStatusAction: {
    readonly Pass: "PASS";
    readonly Drop: "DROP";
    readonly Reject: "REJECT";
};
/**
 * Unknown-status action of a TLS inspection configuration: `PASS`, `DROP` or `REJECT`.
 *
 * NOTE(review): by name, this is the action taken when a certificate's revocation status
 * cannot be determined; `PASS` would then let such a connection continue. Confirm against
 * the Network Firewall documentation before selecting it.
 */
export type TlsInspectionConfigurationUnknownStatusAction = typeof TlsInspectionConfigurationUnknownStatusAction[keyof typeof TlsInspectionConfigurationUnknownStatusAction];