Amazon Network Firewall updates default drop action for improved connection reliability

Posted on: Jun 25, 2026

Amazon Network Firewall now uses "Application drop established (server-directed only)" as the default stateful action for all newly created firewall policies, replacing the previous default of "Application drop established (bidirectional)" (formerly named "Application layer drop established"). No action is required to benefit from this change when creating new policies.

Amazon Network Firewall is a managed service that lets you deploy network protections across your Amazon VPCs. Previously, the "Application drop established (bidirectional)" default could silently drop legitimate server-to-client TCP packets, such as window updates, keep-alives, and resets, causing intermittent connection failures that were difficult to diagnose. With the safer default now in place, new policies avoid this issue.

If your existing environment requires "Application drop established (bidirectional)" to support post-quantum cryptography (PQC) fragmented TLS handshakes, refer to our documentation for guidance on switching to "Application drop established (server-directed only)" or adding the "to_server" flag to your TCP drop rules so legitimate flow control packets are not blocked.
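The following is an added illustration of the "to_server" adjustment described above; it is not taken from the announcement or from the Amazon Network Firewall documentation. It assumes a stateful rule group written in Suricata-compatible syntax with the usual `$HOME_NET` and `$EXTERNAL_NET` variables, and the message text, port and `sid` values are made up for the example. The first rule matches established TCP traffic in both directions, so it can also drop server-to-client packets such as window updates, keep-alives and resets; the second adds `to_server` to the `flow` keyword so only client-to-server packets on the established flow are dropped.

```suricata
# Bidirectional drop on an established flow (example only; constructed rule).
# Matches packets in either direction, so server-directed TCP control packets
# can be dropped as collateral damage.
drop tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"EXAMPLE drop established HTTPS, both directions"; flow:established; sid:1000001; rev:1;)

# Server-directed-only variant (example only; constructed rule).
# Adding to_server restricts the match to client-to-server packets, so the
# server's window updates, keep-alives and resets are not blocked.
drop tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"EXAMPLE drop established HTTPS, client to server only"; flow:established,to_server; sid:1000002; rev:1;)
```

When reviewing an existing rule group, the pattern to look for is a `drop tcp` rule whose `flow` keyword has `established` without `to_server` (or `to_client`); those are the rules that can interfere with legitimate flow control in the server-to-client direction.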

This update is available in the Amazon Web Services China (Beijing) Region, operated by Sinnet, and the Amazon Web Services China (Ningxia) Region, operated by NWCD. To get started, see the Amazon Network Firewall product page.