AWS Network Firewall defaults to safer stateful drop action
AWS Network Firewall has updated its default stateful action for new policies from 'Application drop established (bidirectional)' to 'Application drop established (server-directed only)'. This change improves connection reliability by preventing accidental drops of legitimate server-to-client packets, which previously caused intermittent failures. Existing policies are unaffected, but users requiring the previous behavior for specific scenarios, such as PQC handshakes, can consult the documentation for guidance. The update is available across all AWS Regions.
- New policies use safer stateful drop action by default
- Guidance for existing environments needing bidirectional drops
Enhancements
- New policies use safer stateful drop action by default
AWS Network Firewall now defaults to 'Application drop established (server-directed only)' for new firewall policies. This replaces the previous 'Application drop established (bidirectional)' default. The change aims to prevent silent drops of legitimate server-to-client TCP packets, which could lead to intermittent connection failures.
Notes
- Guidance for existing environments needing bidirectional drops
Existing firewall policies are not affected by this change. Environments that specifically require the 'Application drop established (bidirectional)' action, such as for post-quantum cryptography fragmented TLS handshakes, can follow the AWS documentation. Options include switching to 'Application drop established (server-directed only)' or adjusting TCP drop rules with the 'to_server' flag so that flow control packets from the server are permitted.
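The note above describes limiting TCP drop rules to the client-to-server direction with the 'to_server' flow flag. As an added example that is not AWS code or documentation, the following checker parses Suricata-syntax rules (the format AWS Network Firewall stateful rule groups use) and reports `drop tcp` rules whose `flow` keyword lacks `to_server` (or its synonym `from_client`), i.e. rules that would also drop server-to-client packets. The sample rules, SIDs and network variables are constructed for illustration.

```python
import re

# Constructed sample rules in Suricata syntax; not taken from any real policy.
SAMPLE_RULES = """
# sid 1: no direction restriction, so server-to-client packets match too
drop tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"block https"; flow:established; sid:1; rev:1;)
# sid 2: restricted to client-to-server packets (server-directed only)
drop tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"block https"; flow:established,to_server; sid:2; rev:1;)
# sid 3: pass rules never drop, so they are not reported
pass tcp any any -> any 80 (msg:"allow http"; flow:to_server; sid:3; rev:1;)
"""

# action, protocol, address/port header, then the parenthesised option list
RULE_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<hdr>[^(]+)\((?P<opts>.*)\)\s*$'
)

# Suricata flow keywords that restrict a rule to client-to-server packets
SERVER_DIRECTED = {"to_server", "from_client"}


def parse_rule(line):
    """Return {'action', 'proto', 'opts'} for one rule line, or None if it is not a rule.
    Options are split on ';', which is sufficient for rules whose msg text has no ';'."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    opts = {}
    for opt in m.group("opts").split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, val = opt.partition(":")
        opts[key.strip()] = val.strip()
    return {"action": m.group("action"), "proto": m.group("proto"), "opts": opts}


def find_bidirectional_tcp_drops(rules_text):
    """Return the SIDs of 'drop tcp' rules that are not limited to the to_server direction."""
    findings = []
    for line in rules_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        rule = parse_rule(line)
        if rule is None or rule["action"] != "drop" or rule["proto"] != "tcp":
            continue
        flow = {f.strip() for f in rule["opts"].get("flow", "").split(",") if f.strip()}
        if not flow & SERVER_DIRECTED:
            findings.append(rule["opts"].get("sid", "<no sid>"))
    return findings


if __name__ == "__main__":
    print("bidirectional drop rules (sid):", find_bidirectional_tcp_drops(SAMPLE_RULES))
```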
https://aws.amazon.com/about-aws/whats-new/2026/06/aws-network-firewall-updates-default-drop-action