Network Firewall Policy Default Action Should Be Set For Fragmented Packets
More Info:
This rule checks if an AWS Network Firewall policy is configured with a user-defined stateless default action for fragmented packets. It ensures that the stateless default action for fragmented packets matches the user-defined default action. The rule is marked as non-compliant if the stateless default action for fragmented packets does not match the user-defined default action.Risk Level
MediumAddress
SecurityCompliance Standards
CBPTriage and Remediation
Remediation
Using Console
Using Console
To remediate the issue of the Network Firewall Policy Default Action not being set for fragmented packets in AWS EC2, you can follow these steps using the AWS Management Console:
- Sign in to the AWS Management Console: Go to https://aws.amazon.com/ and sign in to your AWS account.
- Navigate to the Amazon VPC Console: Click on the “Services” dropdown menu at the top of the page, select “VPC” under the Networking & Content Delivery section.
- Select the VPC: In the VPC dashboard, click on the VPC ID where your EC2 instance is located.
- Go to the Network ACLs: In the left-hand menu, click on “Network ACLs” to view the list of Network Access Control Lists associated with the selected VPC.
- Identify the Default Network ACL: Locate the default Network ACL associated with the VPC. The default Network ACL is named “default” and is automatically associated with all subnets in the VPC unless explicitly changed.
-
Edit the Network ACL Rules:
- Click on the default Network ACL ID to view its inbound and outbound rules.
- Look for the rule that controls fragmented packets. By default, AWS allows fragmented packets.
- If there is an explicit rule denying fragmented packets, edit the rule to allow them. If there is no specific rule, you may need to add a new rule to allow fragmented packets.
-
Add or Edit Rule for Fragmented Packets:
- Click on the “Edit” button to modify the inbound or outbound rules of the Network ACL.
- Add a new entry or edit an existing rule to allow fragmented packets. Set the rule to allow fragmented packets by setting the rule number, type (inbound or outbound), protocol (e.g., all protocols or specific protocols that use fragmented packets), port range if applicable, source or destination IP range, and action to “Allow”.
- Save the Changes: After adding or editing the rule to allow fragmented packets, click on the “Save” button to apply the changes to the default Network ACL.
Using CLI
Using CLI
To remediate the issue of Network Firewall Policy Default Action not being set for fragmented packets in AWS EC2 using AWS CLI, follow these steps:Replace Replace
- Open the AWS CLI on your local machine.
- Run the following command to describe the current Network Firewall Policy for your VPC:
<your-vpc-id> with the ID of your VPC.- Identify the Network ACL that needs to be updated based on the output of the previous command.
- Run the following command to update the Network ACL entry for fragmented packets:
<your-network-acl-id> with the ID of the Network ACL that needs to be updated, and <rule-number> with the appropriate rule number in the Network ACL.- Verify that the update was successful by running the describe-network-acls command again.
Using Python
Using Python
To remediate the network firewall policy default action for fragmented packets in AWS EC2 using Python, you can use the AWS SDK for Python (Boto3) to update the Network ACL associated with the VPC. Here are the step-by-step instructions to remediate this misconfiguration:
- Install Boto3: If you haven’t already installed Boto3, you can install it using pip:
- Use the following Python script to update the default action for fragmented packets in the Network ACL associated with your VPC:
-
Replace
'your_vpc_id'and'your_network_acl_id'with your actual VPC ID and Network ACL ID. - Run the Python script to update the default action for fragmented packets in the specified Network ACL.