AWS Network Firewall now uses “Application drop established (server-directed only)” as the default stateful action for all newly created firewall policies, replacing the previous default of “Application drop established (bidirectional)” (formerly named “Application layer drop established”). No action is required to benefit from this change when creating new policies.
AWS Network Firewall is a managed service that lets you deploy network protections across your Amazon VPCs. Previously, the “Application drop established (bidirectional)” default could silently drop legitimate server-to-client TCP packets, such as window updates, keep-alives, and resets — causing intermittent connection failures that were difficult to diagnose. With the safer default now in place, new policies avoid this issue.
If your existing environment requires “Application drop established (bidirectional)” to support post-quantum cryptography (PQC) fragmented TLS handshakes, refer to our documentation for guidance on switching to “Application drop established (server-directed only)” or adding the “to_server” flag to your TCP drop rules so legitimate flow control packets are not blocked.
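To find TCP drop rules that still lack the “to_server” flag, the added example below (not AWS code) scans Suricata-compatible rule text and reports each `drop tcp` rule whose `flow` keyword is not server-directed. The sample rules and SIDs are constructed, the function names are hypothetical, and `from_client` is accepted because Suricata treats it as a synonym of `to_server`.

```python
import re

# action, protocol, then everything between the first "(" and the last ")"
RULE_RE = re.compile(r'^\s*(\w+)\s+(\S+)\s+[^(]*\((.*)\)\s*$')
FLOW_RE = re.compile(r'(?:^|;)\s*flow\s*:\s*([^;]+);')
SID_RE = re.compile(r'(?:^|;)\s*sid\s*:\s*(\d+)\s*;')
# Suricata treats from_client as a synonym of to_server.
SERVER_DIRECTED = {"to_server", "from_client"}

# Constructed sample rules for illustration only.
SAMPLE_RULES = """\
# constructed sample rule group
drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"drop established"; flow:established; sid:1000001; rev:1;)
drop tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"drop to server"; flow:established,to_server; sid:1000002; rev:1;)
pass tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"allow tls"; flow:to_server; sid:1000003; rev:1;)
drop tcp any any -> any any (msg:"no flow keyword"; sid:1000004; rev:1;)
"""


def flow_options(options):
    """Return the set of values given to the flow keyword (empty if absent)."""
    match = FLOW_RE.search(options)
    return {opt.strip() for opt in match.group(1).split(",")} if match else set()


def find_undirected_tcp_drops(rules_text):
    """Return (line_number, sid) for each drop tcp rule that is not server-directed."""
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blanks and comments
        match = RULE_RE.match(line)
        if not match:
            continue  # not a single-line rule this simple parser understands
        action, proto, options = match.groups()
        if action != "drop" or proto != "tcp":
            continue
        if not flow_options(options) & SERVER_DIRECTED:
            sid = SID_RE.search(options)
            findings.append((lineno, int(sid.group(1)) if sid else None))
    return findings


if __name__ == "__main__":
    for lineno, sid in find_undirected_tcp_drops(SAMPLE_RULES):
        print(f"line {lineno}: sid {sid} drops TCP without to_server")
```

The parser handles one rule per line only; rules split across lines with backslashes would need to be joined first.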
This update is available in all AWS Regions where AWS Network Firewall is offered. To get started, see Managing evaluation order for Suricata compatible rules in the AWS Network Firewall service documentation.
Source: Amazon Web Services