AWS Network Firewall updates default drop action for improved connection reliability
AWS Network Firewall changes the default stateful action for new firewall policies to improve connection reliability and prevent dropped packets
AWS Network Firewall now uses "Application drop established (server-directed only)" as the default stateful action for all newly created firewall policies, replacing the previous default of "Application drop established (bidirectional)". This change prevents legitimate server-to-client TCP packets, such as window updates, keep-alives, and resets, from being silently dropped, which previously caused intermittent connection failures that were difficult to diagnose. If your existing environment requires "Application drop established (bidirectional)") to support post-quantum cryptography (PQC) fragmented TLS handshakes, refer to the documentation for guidance on switching to "Application drop established (server-directed only)") or adding the "to_server" flag to your TCP drop rules. This update is available in all AWS Regions where AWS Network Firewall is offered.