AWS Network Firewall

2025/03/20 - AWS Network Firewall - 5 new API methods

Changes: You can now use flow operations to either flush or capture traffic monitored in your firewall's flow table.

StartFlowFlush (new)

Begins the flushing of traffic from the firewall, according to the filters you define. When the operation starts, impacted flows are temporarily marked as timed out before the Suricata engine prunes, or flushes, the flows from the firewall table.

See also: AWS API Documentation

Request Syntax

client.start_flow_flush(
    FirewallArn='string',
    AvailabilityZone='string',
    MinimumFlowAgeInSeconds=123,
    FlowFilters=[
        {
            'SourceAddress': {
                'AddressDefinition': 'string'
            },
            'DestinationAddress': {
                'AddressDefinition': 'string'
            },
            'SourcePort': 'string',
            'DestinationPort': 'string',
            'Protocols': [
                'string',
            ]
        },
    ]
)
type FirewallArn:

string

param FirewallArn:

[REQUIRED]

The Amazon Resource Name (ARN) of the firewall.

type AvailabilityZone:

string

param AvailabilityZone:

The ID of the Availability Zone where the firewall is located. For example, us-east-2a.

type MinimumFlowAgeInSeconds:

integer

param MinimumFlowAgeInSeconds:

The requested FlowOperation ignores flows whose age (in seconds) is lower than MinimumFlowAgeInSeconds. You provide this for start commands.

type FlowFilters:

list

param FlowFilters:

[REQUIRED]

Defines the scope of a flow operation. You can use up to 20 filters to configure a single flow operation.

  • (dict) --

    Defines the scope of a flow operation. You can use up to 20 filters to configure a single flow operation.

    • SourceAddress (dict) --

      A single IP address specification. This is used in the MatchAttributes source and destination specifications.

      • AddressDefinition (string) -- [REQUIRED]

        Specify an IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation. Network Firewall supports all address ranges for IPv4 and IPv6.

        Examples:

        • To configure Network Firewall to inspect for the IP address 192.0.2.44, specify 192.0.2.44/32.

        • To configure Network Firewall to inspect for IP addresses from 192.0.2.0 to 192.0.2.255, specify 192.0.2.0/24.

        • To configure Network Firewall to inspect for the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify 1111:0000:0000:0000:0000:0000:0000:0111/128.

        • To configure Network Firewall to inspect for IP addresses from 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify 1111:0000:0000:0000:0000:0000:0000:0000/64.

        For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.

    • DestinationAddress (dict) --

      A single IP address specification. This is used in the MatchAttributes source and destination specifications.

      • AddressDefinition (string) -- [REQUIRED]

        Specify an IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation. Network Firewall supports all address ranges for IPv4 and IPv6.

        Examples:

        • To configure Network Firewall to inspect for the IP address 192.0.2.44, specify 192.0.2.44/32.

        • To configure Network Firewall to inspect for IP addresses from 192.0.2.0 to 192.0.2.255, specify 192.0.2.0/24.

        • To configure Network Firewall to inspect for the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify 1111:0000:0000:0000:0000:0000:0000:0111/128.

        • To configure Network Firewall to inspect for IP addresses from 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify 1111:0000:0000:0000:0000:0000:0000:0000/64.

        For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.

    • SourcePort (string) --

      The source port to inspect for. You can specify an individual port, for example 1994, or a port range, for example 1990:1994. To match any port, specify ANY.

    • DestinationPort (string) --

      The destination port to inspect for. You can specify an individual port, for example 1994, or a port range, for example 1990:1994. To match any port, specify ANY.

    • Protocols (list) --

      The protocols to inspect for, each specified as its IANA-assigned internet protocol number. If not specified, this matches any protocol.

      • (string) --

rtype:

dict

returns:

Response Syntax

{
    'FirewallArn': 'string',
    'FlowOperationId': 'string',
    'FlowOperationStatus': 'COMPLETED'|'IN_PROGRESS'|'FAILED'|'COMPLETED_WITH_ERRORS'
}

Response Structure

  • (dict) --

    • FirewallArn (string) --

      The Amazon Resource Name (ARN) of the firewall.

    • FlowOperationId (string) --

      A unique identifier for the flow operation. This ID is returned in the responses to start and list commands. You provide it to describe commands.

    • FlowOperationStatus (string) --

      Returns the status of the flow operation. This string is returned in the responses to start, list, and describe commands.

      If the status is COMPLETED_WITH_ERRORS, results may be returned with any number of Flows missing from the response. If the status is FAILED, Flows returned will be empty.

StartFlowCapture (new)

Begins capturing the flows in a firewall, according to the filters you define. Captures are similar to, but not identical to, snapshots. Capture operations provide visibility into flows that are not closed and are tracked by a firewall's flow table. Unlike snapshots, captures are a time-boxed view.

A flow is network traffic that is monitored by a firewall, either by stateful or stateless rules. For traffic to be considered part of a flow, it must share Destination, DestinationPort, Direction, Protocol, Source, and SourcePort.

See also: AWS API Documentation

Request Syntax

client.start_flow_capture(
    FirewallArn='string',
    AvailabilityZone='string',
    MinimumFlowAgeInSeconds=123,
    FlowFilters=[
        {
            'SourceAddress': {
                'AddressDefinition': 'string'
            },
            'DestinationAddress': {
                'AddressDefinition': 'string'
            },
            'SourcePort': 'string',
            'DestinationPort': 'string',
            'Protocols': [
                'string',
            ]
        },
    ]
)
type FirewallArn:

string

param FirewallArn:

[REQUIRED]

The Amazon Resource Name (ARN) of the firewall.

type AvailabilityZone:

string

param AvailabilityZone:

The ID of the Availability Zone where the firewall is located. For example, us-east-2a.

type MinimumFlowAgeInSeconds:

integer

param MinimumFlowAgeInSeconds:

The requested FlowOperation ignores flows whose age (in seconds) is lower than MinimumFlowAgeInSeconds. You provide this for start commands.

type FlowFilters:

list

param FlowFilters:

[REQUIRED]

Defines the scope of a flow operation. You can use up to 20 filters to configure a single flow operation.

  • (dict) --

    Defines the scope of a flow operation. You can use up to 20 filters to configure a single flow operation.

    • SourceAddress (dict) --

      A single IP address specification. This is used in the MatchAttributes source and destination specifications.

      • AddressDefinition (string) -- [REQUIRED]

        Specify an IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation. Network Firewall supports all address ranges for IPv4 and IPv6.

        Examples:

        • To configure Network Firewall to inspect for the IP address 192.0.2.44, specify 192.0.2.44/32.

        • To configure Network Firewall to inspect for IP addresses from 192.0.2.0 to 192.0.2.255, specify 192.0.2.0/24.

        • To configure Network Firewall to inspect for the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify 1111:0000:0000:0000:0000:0000:0000:0111/128.

        • To configure Network Firewall to inspect for IP addresses from 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify 1111:0000:0000:0000:0000:0000:0000:0000/64.

        For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.

    • DestinationAddress (dict) --

      A single IP address specification. This is used in the MatchAttributes source and destination specifications.

      • AddressDefinition (string) -- [REQUIRED]

        Specify an IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation. Network Firewall supports all address ranges for IPv4 and IPv6.

        Examples:

        • To configure Network Firewall to inspect for the IP address 192.0.2.44, specify 192.0.2.44/32.

        • To configure Network Firewall to inspect for IP addresses from 192.0.2.0 to 192.0.2.255, specify 192.0.2.0/24.

        • To configure Network Firewall to inspect for the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify 1111:0000:0000:0000:0000:0000:0000:0111/128.

        • To configure Network Firewall to inspect for IP addresses from 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify 1111:0000:0000:0000:0000:0000:0000:0000/64.

        For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.

    • SourcePort (string) --

      The source port to inspect for. You can specify an individual port, for example 1994, or a port range, for example 1990:1994. To match any port, specify ANY.

    • DestinationPort (string) --

      The destination port to inspect for. You can specify an individual port, for example 1994, or a port range, for example 1990:1994. To match any port, specify ANY.

    • Protocols (list) --

      The protocols to inspect for, each specified as its IANA-assigned internet protocol number. If not specified, this matches any protocol.

      • (string) --

rtype:

dict

returns:

Response Syntax

{
    'FirewallArn': 'string',
    'FlowOperationId': 'string',
    'FlowOperationStatus': 'COMPLETED'|'IN_PROGRESS'|'FAILED'|'COMPLETED_WITH_ERRORS'
}

Response Structure

  • (dict) --

    • FirewallArn (string) --

      The Amazon Resource Name (ARN) of the firewall.

    • FlowOperationId (string) --

      A unique identifier for the flow operation. This ID is returned in the responses to start and list commands. You provide it to describe commands.

    • FlowOperationStatus (string) --

      Returns the status of the flow operation. This string is returned in the responses to start, list, and describe commands.

      If the status is COMPLETED_WITH_ERRORS, results may be returned with any number of Flows missing from the response. If the status is FAILED, Flows returned will be empty.
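
Both StartFlowFlush and StartFlowCapture take the same FlowFilters shape, and a flush that is scoped too widely drops state for every live connection it matches, so the filters deserve validation before the call is made. The following Python is an added example, not boto3 or AWS code: it builds and checks a filter list against the rules this page states (CIDR addresses, ANY/port/low:high ports, IANA protocol numbers as strings, at most 20 filters, MinimumFlowAgeInSeconds) and assembles the keyword arguments for either start call. The firewall ARN and Availability Zone in the usage section are constructed placeholders; rejecting host bits in a prefix (strict=True) and refusing an empty filter are this example's own choices, not documented service behaviour.

```python
import ipaddress
import re

# Limit stated in the API reference: at most 20 filters per flow operation.
MAX_FLOW_FILTERS = 20
_PORT_SPEC = re.compile(r"^(\d{1,5})(?::(\d{1,5}))?$")


def check_address(cidr: str) -> str:
    """Accept one IPv4/IPv6 address or block in CIDR notation.

    strict=True is this example's choice: a prefix with host bits set
    (e.g. 192.0.2.1/24) is almost always a typo in a filter, so reject it.
    """
    if "/" not in cidr:
        raise ValueError(f"AddressDefinition must use CIDR notation: {cidr!r}")
    ipaddress.ip_network(cidr, strict=True)  # raises ValueError on garbage or host bits
    return cidr


def check_port(spec: str) -> str:
    """Accept 'ANY', a single port such as '1994', or a range such as '1990:1994'."""
    if spec == "ANY":
        return spec
    match = _PORT_SPEC.match(spec)
    if not match:
        raise ValueError(f"port must be ANY, a port, or low:high: {spec!r}")
    low = int(match.group(1))
    high = int(match.group(2)) if match.group(2) else low
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"port range out of order or out of bounds: {spec!r}")
    return spec


def check_protocols(protocols) -> list:
    """Protocols are IANA protocol numbers given as strings, e.g. '6' (TCP), '17' (UDP)."""
    checked = []
    for proto in protocols:
        if not (isinstance(proto, str) and proto.isdigit() and int(proto) <= 255):
            raise ValueError(f"protocol must be an IANA number 0-255 as a string: {proto!r}")
        checked.append(proto)
    return checked


def flow_filter(source=None, destination=None, source_port=None,
                destination_port=None, protocols=()) -> dict:
    """Build one FlowFilters entry; only AddressDefinition inside an address block is required."""
    entry = {}
    if source is not None:
        entry["SourceAddress"] = {"AddressDefinition": check_address(source)}
    if destination is not None:
        entry["DestinationAddress"] = {"AddressDefinition": check_address(destination)}
    if source_port is not None:
        entry["SourcePort"] = check_port(source_port)
    if destination_port is not None:
        entry["DestinationPort"] = check_port(destination_port)
    if protocols:
        entry["Protocols"] = check_protocols(protocols)
    if not entry:
        # Example's own choice: do not guess how the service treats a criteria-less filter.
        raise ValueError("refusing a flow filter with no criteria")
    return entry


def flow_operation_request(firewall_arn, flow_filters, availability_zone=None,
                           minimum_flow_age_seconds=None) -> dict:
    """Assemble the keyword arguments for start_flow_flush or start_flow_capture."""
    if not flow_filters:
        raise ValueError("FlowFilters is required")
    if len(flow_filters) > MAX_FLOW_FILTERS:
        raise ValueError(f"at most {MAX_FLOW_FILTERS} filters per operation, got {len(flow_filters)}")
    request = {"FirewallArn": firewall_arn, "FlowFilters": list(flow_filters)}
    if availability_zone:
        request["AvailabilityZone"] = availability_zone
    if minimum_flow_age_seconds is not None:
        if minimum_flow_age_seconds < 0:
            raise ValueError("MinimumFlowAgeInSeconds must be non-negative")
        request["MinimumFlowAgeInSeconds"] = int(minimum_flow_age_seconds)
    return request


if __name__ == "__main__":
    # Flush only flows older than a minute from one subnet to one server on 443/TCP.
    # The ARN and Availability Zone below are constructed placeholders.
    req = flow_operation_request(
        "arn:aws:network-firewall:us-east-2:123456789012:firewall/example-fw",
        [flow_filter(source="192.0.2.0/24", destination="198.51.100.7/32",
                     destination_port="443", protocols=["6"])],
        availability_zone="us-east-2a",
        minimum_flow_age_seconds=60,
    )
    print(req)
    # With boto3 installed: boto3.client("network-firewall").start_flow_flush(**req)
```

The same request dict is valid for start_flow_capture, which is the safer call to run first: capturing with a candidate filter set shows which flows a flush would hit before any state is dropped.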

ListFlowOperationResults (new)

Returns the results of a specific flow operation.

Flow operations let you manage the flows tracked in the flow table, also known as the firewall table.

A flow is network traffic that is monitored by a firewall, either by stateful or stateless rules. For traffic to be considered part of a flow, it must share Destination, DestinationPort, Direction, Protocol, Source, and SourcePort.

See also: AWS API Documentation

Request Syntax

client.list_flow_operation_results(
    FirewallArn='string',
    FlowOperationId='string',
    NextToken='string',
    MaxResults=123,
    AvailabilityZone='string'
)
type FirewallArn:

string

param FirewallArn:

[REQUIRED]

The Amazon Resource Name (ARN) of the firewall.

type FlowOperationId:

string

param FlowOperationId:

[REQUIRED]

A unique identifier for the flow operation. This ID is returned in the responses to start and list commands. You provide it to describe commands.

type NextToken:

string

param NextToken:

When you request a list of objects with a MaxResults setting, if the number of objects that are still available for retrieval exceeds the maximum you requested, Network Firewall returns a NextToken value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

type MaxResults:

integer

param MaxResults:

The maximum number of objects that you want Network Firewall to return for this request. If more objects are available, in the response, Network Firewall provides a NextToken value that you can use in a subsequent call to get the next batch of objects.

type AvailabilityZone:

string

param AvailabilityZone:

The ID of the Availability Zone where the firewall is located. For example, us-east-2a.

rtype:

dict

returns:

Response Syntax

{
    'FirewallArn': 'string',
    'AvailabilityZone': 'string',
    'FlowOperationId': 'string',
    'FlowOperationStatus': 'COMPLETED'|'IN_PROGRESS'|'FAILED'|'COMPLETED_WITH_ERRORS',
    'StatusMessage': 'string',
    'FlowRequestTimestamp': datetime(2015, 1, 1),
    'Flows': [
        {
            'SourceAddress': {
                'AddressDefinition': 'string'
            },
            'DestinationAddress': {
                'AddressDefinition': 'string'
            },
            'SourcePort': 'string',
            'DestinationPort': 'string',
            'Protocol': 'string',
            'Age': 123,
            'PacketCount': 123,
            'ByteCount': 123
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • FirewallArn (string) --

      The Amazon Resource Name (ARN) of the firewall.

    • AvailabilityZone (string) --

      The ID of the Availability Zone where the firewall is located. For example, us-east-2a.

    • FlowOperationId (string) --

      A unique identifier for the flow operation. This ID is returned in the responses to start and list commands. You provide it to describe commands.

    • FlowOperationStatus (string) --

      Returns the status of the flow operation. This string is returned in the responses to start, list, and describe commands.

      If the status is COMPLETED_WITH_ERRORS, results may be returned with any number of Flows missing from the response. If the status is FAILED, Flows returned will be empty.

    • StatusMessage (string) --

      If the asynchronous operation fails, Network Firewall populates this with the reason for the error or failure. Options include Flow operation error and Flow timeout.

    • FlowRequestTimestamp (datetime) --

      A timestamp indicating when the Suricata engine identified flows impacted by an operation.

    • Flows (list) --

      Any number of arrays, where each array is a single flow identified in the scope of the operation. If multiple flows were in the scope of the operation, multiple Flows arrays are returned.

      • (dict) --

        Any number of arrays, where each array is a single flow identified in the scope of the operation. If multiple flows were in the scope of the operation, multiple Flows arrays are returned.

        • SourceAddress (dict) --

          A single IP address specification. This is used in the MatchAttributes source and destination specifications.

          • AddressDefinition (string) --

            Specify an IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation. Network Firewall supports all address ranges for IPv4 and IPv6.

            Examples:

            • To configure Network Firewall to inspect for the IP address 192.0.2.44, specify 192.0.2.44/32.

            • To configure Network Firewall to inspect for IP addresses from 192.0.2.0 to 192.0.2.255, specify 192.0.2.0/24.

            • To configure Network Firewall to inspect for the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify 1111:0000:0000:0000:0000:0000:0000:0111/128.

            • To configure Network Firewall to inspect for IP addresses from 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify 1111:0000:0000:0000:0000:0000:0000:0000/64.

            For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.

        • DestinationAddress (dict) --

          A single IP address specification. This is used in the MatchAttributes source and destination specifications.

          • AddressDefinition (string) --

            Specify an IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation. Network Firewall supports all address ranges for IPv4 and IPv6.

            Examples:

            • To configure Network Firewall to inspect for the IP address 192.0.2.44, specify 192.0.2.44/32.

            • To configure Network Firewall to inspect for IP addresses from 192.0.2.0 to 192.0.2.255, specify 192.0.2.0/24.

            • To configure Network Firewall to inspect for the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify 1111:0000:0000:0000:0000:0000:0000:0111/128.

            • To configure Network Firewall to inspect for IP addresses from 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify 1111:0000:0000:0000:0000:0000:0000:0000/64.

            For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.

        • SourcePort (string) --

          The source port to inspect for. You can specify an individual port, for example 1994, or a port range, for example 1990:1994. To match any port, specify ANY.

        • DestinationPort (string) --

          The destination port to inspect for. You can specify an individual port, for example 1994, or a port range, for example 1990:1994. To match any port, specify ANY.

        • Protocol (string) --

          The protocol to inspect for, specified as its IANA-assigned internet protocol number. If not specified, this matches any protocol.

        • Age (integer) --

          Returned as information about the age of the flows identified by the flow operation.

        • PacketCount (integer) --

          Returns the total number of data packets received or transmitted in a flow.

        • ByteCount (integer) --

          Returns the number of bytes received or transmitted in a specific flow.

    • NextToken (string) --

      When you request a list of objects with a MaxResults setting, if the number of objects that are still available for retrieval exceeds the maximum you requested, Network Firewall returns a NextToken value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

ListFlowOperations (new)

Returns a list of all flow operations run in a specific firewall. You can optionally narrow the request scope by specifying the operation type or Availability Zone associated with a firewall's flow operations.

Flow operations let you manage the flows tracked in the flow table, also known as the firewall table.

A flow is network traffic that is monitored by a firewall, either by stateful or stateless rules. For traffic to be considered part of a flow, it must share Destination, DestinationPort, Direction, Protocol, Source, and SourcePort.

See also: AWS API Documentation

Request Syntax

client.list_flow_operations(
    FirewallArn='string',
    AvailabilityZone='string',
    FlowOperationType='FLOW_FLUSH'|'FLOW_CAPTURE',
    NextToken='string',
    MaxResults=123
)
type FirewallArn:

string

param FirewallArn:

[REQUIRED]

The Amazon Resource Name (ARN) of the firewall.

type AvailabilityZone:

string

param AvailabilityZone:

The ID of the Availability Zone where the firewall is located. For example, us-east-2a.

type FlowOperationType:

string

param FlowOperationType:

An optional string that defines whether any or all operation types are returned.

type NextToken:

string

param NextToken:

When you request a list of objects with a MaxResults setting, if the number of objects that are still available for retrieval exceeds the maximum you requested, Network Firewall returns a NextToken value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

type MaxResults:

integer

param MaxResults:

The maximum number of objects that you want Network Firewall to return for this request. If more objects are available, in the response, Network Firewall provides a NextToken value that you can use in a subsequent call to get the next batch of objects.

rtype:

dict

returns:

Response Syntax

{
    'FlowOperations': [
        {
            'FlowOperationId': 'string',
            'FlowOperationType': 'FLOW_FLUSH'|'FLOW_CAPTURE',
            'FlowRequestTimestamp': datetime(2015, 1, 1),
            'FlowOperationStatus': 'COMPLETED'|'IN_PROGRESS'|'FAILED'|'COMPLETED_WITH_ERRORS'
        },
    ],
    'NextToken': 'string'
}

Response Structure

  • (dict) --

    • FlowOperations (list) --

      Flow operations let you manage the flows tracked in the flow table, also known as the firewall table.

      A flow is network traffic that is monitored by a firewall, either by stateful or stateless rules. For traffic to be considered part of a flow, it must share Destination, DestinationPort, Direction, Protocol, Source, and SourcePort.

      • (dict) --

        An array of objects with metadata about the requested FlowOperation.

        • FlowOperationId (string) --

          A unique identifier for the flow operation. This ID is returned in the responses to start and list commands. You provide it to describe commands.

        • FlowOperationType (string) --

          Defines the type of FlowOperation.

        • FlowRequestTimestamp (datetime) --

          A timestamp indicating when the Suricata engine identified flows impacted by an operation.

        • FlowOperationStatus (string) --

          Returns the status of the flow operation. This string is returned in the responses to start, list, and describe commands.

          If the status is COMPLETED_WITH_ERRORS, results may be returned with any number of Flows missing from the response. If the status is FAILED, Flows returned will be empty.

    • NextToken (string) --

      When you request a list of objects with a MaxResults setting, if the number of objects that are still available for retrieval exceeds the maximum you requested, Network Firewall returns a NextToken value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

DescribeFlowOperation (new)

Returns key information about a specific flow operation.

See also: AWS API Documentation

Request Syntax

client.describe_flow_operation(
    FirewallArn='string',
    AvailabilityZone='string',
    FlowOperationId='string'
)
type FirewallArn:

string

param FirewallArn:

[REQUIRED]

The Amazon Resource Name (ARN) of the firewall.

type AvailabilityZone:

string

param AvailabilityZone:

The ID of the Availability Zone where the firewall is located. For example, us-east-2a.

type FlowOperationId:

string

param FlowOperationId:

[REQUIRED]

A unique identifier for the flow operation. This ID is returned in the responses to start and list commands. You provide it to describe commands.

rtype:

dict

returns:

Response Syntax

{
    'FirewallArn': 'string',
    'AvailabilityZone': 'string',
    'FlowOperationId': 'string',
    'FlowOperationType': 'FLOW_FLUSH'|'FLOW_CAPTURE',
    'FlowOperationStatus': 'COMPLETED'|'IN_PROGRESS'|'FAILED'|'COMPLETED_WITH_ERRORS',
    'StatusMessage': 'string',
    'FlowRequestTimestamp': datetime(2015, 1, 1),
    'FlowOperation': {
        'MinimumFlowAgeInSeconds': 123,
        'FlowFilters': [
            {
                'SourceAddress': {
                    'AddressDefinition': 'string'
                },
                'DestinationAddress': {
                    'AddressDefinition': 'string'
                },
                'SourcePort': 'string',
                'DestinationPort': 'string',
                'Protocols': [
                    'string',
                ]
            },
        ]
    }
}

Response Structure

  • (dict) --

    • FirewallArn (string) --

      The Amazon Resource Name (ARN) of the firewall.

    • AvailabilityZone (string) --

      The ID of the Availability Zone where the firewall is located. For example, us-east-2a.

    • FlowOperationId (string) --

      A unique identifier for the flow operation. This ID is returned in the responses to start and list commands. You provide it to describe commands.

    • FlowOperationType (string) --

      Defines the type of FlowOperation.

    • FlowOperationStatus (string) --

      Returns the status of the flow operation. This string is returned in the responses to start, list, and describe commands.

      If the status is COMPLETED_WITH_ERRORS, results may be returned with any number of Flows missing from the response. If the status is FAILED, Flows returned will be empty.

    • StatusMessage (string) --

      If the asynchronous operation fails, Network Firewall populates this with the reason for the error or failure. Options include Flow operation error and Flow timeout.

    • FlowRequestTimestamp (datetime) --

      A timestamp indicating when the Suricata engine identified flows impacted by an operation.

    • FlowOperation (dict) --

      Returns key information about a flow operation, such as related statuses, unique identifiers, and all filters defined in the operation.

      • MinimumFlowAgeInSeconds (integer) --

        The requested FlowOperation ignores flows whose age (in seconds) is lower than MinimumFlowAgeInSeconds. You provide this for start commands.

      • FlowFilters (list) --

        Defines the scope of a flow operation. You can use up to 20 filters to configure a single flow operation.

        • (dict) --

          Defines the scope of a flow operation. You can use up to 20 filters to configure a single flow operation.

          • SourceAddress (dict) --

            A single IP address specification. This is used in the MatchAttributes source and destination specifications.

            • AddressDefinition (string) --

              Specify an IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation. Network Firewall supports all address ranges for IPv4 and IPv6.

              Examples:

              • To configure Network Firewall to inspect for the IP address 192.0.2.44, specify 192.0.2.44/32.

              • To configure Network Firewall to inspect for IP addresses from 192.0.2.0 to 192.0.2.255, specify 192.0.2.0/24.

              • To configure Network Firewall to inspect for the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify 1111:0000:0000:0000:0000:0000:0000:0111/128.

              • To configure Network Firewall to inspect for IP addresses from 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify 1111:0000:0000:0000:0000:0000:0000:0000/64.

              For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.

          • DestinationAddress (dict) --

            A single IP address specification. This is used in the MatchAttributes source and destination specifications.

            • AddressDefinition (string) --

              Specify an IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation. Network Firewall supports all address ranges for IPv4 and IPv6.

              Examples:

              • To configure Network Firewall to inspect for the IP address 192.0.2.44, specify 192.0.2.44/32.

              • To configure Network Firewall to inspect for IP addresses from 192.0.2.0 to 192.0.2.255, specify 192.0.2.0/24.

              • To configure Network Firewall to inspect for the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify 1111:0000:0000:0000:0000:0000:0000:0111/128.

              • To configure Network Firewall to inspect for IP addresses from 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify 1111:0000:0000:0000:0000:0000:0000:0000/64.

              For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.

          • SourcePort (string) --

            The source port to inspect for. You can specify an individual port, for example 1994, or a port range, for example 1990:1994. To match any port, specify ANY.

          • DestinationPort (string) --

            The destination port to inspect for. You can specify an individual port, for example 1994, or a port range, for example 1990:1994. To match any port, specify ANY.

          • Protocols (list) --

            The protocols to inspect for, each specified as its IANA-assigned internet protocol number. If not specified, this matches any protocol.

            • (string) --
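
Flow operations are asynchronous, so the sequence a consumer of ListFlowOperationResults and DescribeFlowOperation actually has to implement is: poll until FlowOperationStatus leaves IN_PROGRESS, treat FAILED as an error carrying StatusMessage, follow NextToken until it is absent, and remember that COMPLETED_WITH_ERRORS means the flow list may be incomplete. The Python below is an added example, not boto3 or AWS code, that does exactly that and then rolls the captured flows up per destination, port and protocol using the PacketCount, ByteCount and Age fields. It runs offline against FakeNetworkFirewallClient, a constructed stand-in whose two describe polls, two result pages and sample flows are all made up for the example; swap in boto3.client("network-firewall") for real use. The ARN and operation id in the usage section are placeholders.

```python
import time
from collections import defaultdict

# Statuses after which DescribeFlowOperation / ListFlowOperationResults will not change again.
TERMINAL_STATUSES = {"COMPLETED", "COMPLETED_WITH_ERRORS", "FAILED"}


class FlowOperationFailed(RuntimeError):
    """Raised when the operation reports FAILED; its Flows are empty by definition."""


def wait_for_flow_operation(client, firewall_arn, flow_operation_id, availability_zone=None,
                            poll_seconds=2.0, max_polls=60, sleep=time.sleep):
    """Poll DescribeFlowOperation until the status leaves IN_PROGRESS; return the last response."""
    kwargs = {"FirewallArn": firewall_arn, "FlowOperationId": flow_operation_id}
    if availability_zone:
        kwargs["AvailabilityZone"] = availability_zone
    for _ in range(max_polls):
        resp = client.describe_flow_operation(**kwargs)
        if resp["FlowOperationStatus"] in TERMINAL_STATUSES:
            return resp
        sleep(poll_seconds)
    raise TimeoutError(f"flow operation {flow_operation_id} still IN_PROGRESS after {max_polls} polls")


def collect_flow_operation_results(client, firewall_arn, flow_operation_id,
                                   availability_zone=None, page_size=100):
    """Follow NextToken through ListFlowOperationResults; return (status, all flows)."""
    kwargs = {"FirewallArn": firewall_arn, "FlowOperationId": flow_operation_id,
              "MaxResults": page_size}
    if availability_zone:
        kwargs["AvailabilityZone"] = availability_zone
    flows = []
    while True:
        resp = client.list_flow_operation_results(**kwargs)
        status = resp["FlowOperationStatus"]
        if status == "FAILED":
            raise FlowOperationFailed(resp.get("StatusMessage", "no StatusMessage"))
        flows.extend(resp.get("Flows", []))
        token = resp.get("NextToken")
        if not token:  # last page: no further batch to fetch
            return status, flows
        kwargs["NextToken"] = token


def summarize_by_destination(flows):
    """Roll flows up per (destination, port, protocol) with packet, byte and oldest-age totals."""
    totals = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0, "oldest_age": 0})
    for flow in flows:
        key = (flow["DestinationAddress"]["AddressDefinition"],
               flow["DestinationPort"], flow["Protocol"])
        entry = totals[key]
        entry["flows"] += 1
        entry["packets"] += flow["PacketCount"]
        entry["bytes"] += flow["ByteCount"]
        entry["oldest_age"] = max(entry["oldest_age"], flow["Age"])
    return dict(totals)


def capture_report(client, firewall_arn, flow_operation_id, availability_zone=None, sleep=time.sleep):
    """Wait for a capture, page its flows, summarize. Returns (status, partial, summary);
    partial is True for COMPLETED_WITH_ERRORS, i.e. the summary must not be read as exhaustive."""
    final = wait_for_flow_operation(client, firewall_arn, flow_operation_id, availability_zone, sleep=sleep)
    if final["FlowOperationStatus"] == "FAILED":
        raise FlowOperationFailed(final.get("StatusMessage", "no StatusMessage"))
    status, flows = collect_flow_operation_results(client, firewall_arn, flow_operation_id, availability_zone)
    return status, status == "COMPLETED_WITH_ERRORS", summarize_by_destination(flows)


def _flow(src, dst, dport, proto, age, packets, nbytes):
    """Constructed sample flow in the shape ListFlowOperationResults returns."""
    return {"SourceAddress": {"AddressDefinition": src},
            "DestinationAddress": {"AddressDefinition": dst},
            "SourcePort": "ANY", "DestinationPort": dport, "Protocol": proto,
            "Age": age, "PacketCount": packets, "ByteCount": nbytes}


class FakeNetworkFirewallClient:
    """Constructed offline stand-in for boto3's network-firewall client: two describe polls
    still IN_PROGRESS, then a COMPLETED_WITH_ERRORS capture spread over two result pages."""
    _PAGES = {
        None: ([_flow("192.0.2.10/32", "198.51.100.7/32", "443", "6", 300, 120, 90000),
                _flow("192.0.2.11/32", "198.51.100.7/32", "443", "6", 45, 30, 4000)], "page-2"),
        "page-2": ([_flow("192.0.2.12/32", "198.51.100.7/32", "443", "6", 12, 10, 1500),
                    _flow("192.0.2.10/32", "203.0.113.9/32", "53", "17", 5, 2, 300)], None),
    }

    def __init__(self):
        self.describe_calls = 0

    def describe_flow_operation(self, **kwargs):
        self.describe_calls += 1
        status = "IN_PROGRESS" if self.describe_calls < 3 else "COMPLETED_WITH_ERRORS"
        return {"FirewallArn": kwargs["FirewallArn"], "FlowOperationId": kwargs["FlowOperationId"],
                "FlowOperationType": "FLOW_CAPTURE", "FlowOperationStatus": status}

    def list_flow_operation_results(self, **kwargs):
        flows, next_token = self._PAGES[kwargs.get("NextToken")]
        resp = {"FirewallArn": kwargs["FirewallArn"], "FlowOperationId": kwargs["FlowOperationId"],
                "FlowOperationStatus": "COMPLETED_WITH_ERRORS", "Flows": flows}
        if next_token:
            resp["NextToken"] = next_token
        return resp


if __name__ == "__main__":
    # Placeholder ARN and operation id; the fake client ignores their values.
    status, partial, summary = capture_report(FakeNetworkFirewallClient(), "arn:example",
                                              "op-example", sleep=lambda _s: None)
    print(status, "(partial results)" if partial else "")
    for key, entry in sorted(summary.items(), key=lambda kv: -kv[1]["bytes"]):
        print(key, entry)
```

The partial flag is the part most often dropped in practice: a COMPLETED_WITH_ERRORS capture still returns a status and a usable flow list, so code that only checks for FAILED will silently report an incomplete picture as complete.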