
Network Firewall policies should have default stateless action set to drop or forward for fragmented packets

Fragmented packets are a classic evasion vector. Attackers split a malicious payload across IP fragments so that an inspection engine which only examines whole packets never sees the complete payload. In AWS Network Firewall, the stateless fragment default action decides what happens to a fragmented packet that matches no stateless rule. When that default is aws:pass, such fragments are passed straight through and never reach the stateful engine, leaving a blind spot in your perimeter.

Setting the default to aws:drop discards unmatched fragments outright. Setting it to aws:forward_to_sfe hands them to the stateful engine, which reassembles them and evaluates them against the stateful rule groups. Either option ensures fragments do not silently traverse the firewall uninspected.

Retrofit consideration

Changing the default from aws:pass to aws:drop can immediately block legitimate fragmented traffic, such as large DNS responses or IPsec. Test in a non-production environment first, or move to aws:forward_to_sfe as an intermediate step so that fragments are inspected rather than dropped outright.

Implementation

Choose the approach that matches how you manage Terraform. The version constraints in the examples below are open-ended lower bounds; in production, pin each module to an exact version and review upgrades deliberately.

Use the compliance.tf module to enforce this control by default: it sets the fragment default action for you, so no extra inputs are required. Pick the registry host for the framework you report against (PCI DSS, NIST CSF, or NIST CSF v1.1); the blocks are otherwise identical. See get started with compliance.tf.

module "network_firewall" {
  source  = "pcidss.compliance.tf/terraform-aws-modules/network-firewall/aws//modules/policy"
  version = ">=1.0.0"

  name = "abc123-policy"
}

module "network_firewall" {
  source  = "nistcsf.compliance.tf/terraform-aws-modules/network-firewall/aws//modules/policy"
  version = ">=1.0.0"

  name = "abc123-policy"
}

module "network_firewall" {
  source  = "nistcsfv11.compliance.tf/terraform-aws-modules/network-firewall/aws//modules/policy"
  version = ">=1.0.0"

  name = "abc123-policy"
}

If you use terraform-aws-modules/network-firewall/aws//modules/policy, that module passes its inputs through to the underlying resource and does not change the upstream default of aws:pass, so you must set stateless_fragment_default_actions explicitly. You can later migrate to the compliance.tf module with minimal changes because it is compatible by design.

module "network_firewall" {
  source  = "terraform-aws-modules/network-firewall/aws//modules/policy"
  version = ">=1.0.0"

  name = "abc123-policy"

  # Input names mirror the aws_networkfirewall_firewall_policy arguments.
  # Both default to ["aws:pass"] in the upstream module. Only the fragment
  # action is evaluated by this control, but leaving full packets on pass is
  # rarely what you want either.
  stateless_default_actions          = ["aws:drop"]
  stateless_fragment_default_actions = ["aws:drop"]
}

Use AWS provider resources directly. See docs for the resources involved: aws_networkfirewall_firewall_policy.

resource "aws_networkfirewall_firewall_policy" "this" {
  name = "pofix-abc123"

  firewall_policy {
    # Full packets that match no stateless rule (covered by a separate control).
    stateless_default_actions          = ["aws:drop"]
    # Fragments that match no stateless rule: this is what the control checks.
    # ["aws:forward_to_sfe"] also passes and keeps fragments inspectable.
    stateless_fragment_default_actions = ["aws:drop"]
  }
}

What this control checks

The aws_networkfirewall_firewall_policy resource defines behavior in a firewall_policy block. stateless_fragment_default_actions controls how the firewall handles fragments that don't match any stateless rule. Setting it to ["aws:drop"] or ["aws:forward_to_sfe"] passes the control. ["aws:pass"] fails it, since fragments traverse the firewall without inspection. Note that stateless_default_actions (full packets) is evaluated by a separate control and doesn't affect this check.

Common pitfalls

  • Confusing full packet and fragment default actions

    The aws_networkfirewall_firewall_policy resource has two separate arguments: stateless_default_actions (full packets) and stateless_fragment_default_actions (fragments). Setting only the full-packet action to aws:drop does not satisfy this control. You must explicitly set stateless_fragment_default_actions.

  • Breaking MTU-sensitive workloads

    Switching from aws:pass to aws:drop can silently break protocols and applications that produce fragmented traffic, such as certain VPN tunnels or large UDP payloads. If you need inspection without outright blocking, use aws:forward_to_sfe to let the stateful engine reassemble and evaluate fragments.

  • Custom action names added alongside the default

    stateless_fragment_default_actions is a list, but AWS accepts exactly one of the three standard actions (aws:pass, aws:drop, aws:forward_to_sfe) in it; any other entries must be custom action names, for example a stateless_custom_action that publishes a CloudWatch metric. Adding a metric action next to aws:drop or aws:forward_to_sfe is fine. If the standard action in the list is aws:pass, the control fails regardless of which custom actions accompany it.

Audit evidence

AWS Config rule NETFW_POLICY_DEFAULT_ACTION_FRAGMENT_PACKETS (netfw-policy-default-action-fragment-packets) evaluation results showing every Network Firewall policy COMPLIANT. Supplement with console screenshots of each policy's stateless default actions section confirming "Drop" or "Forward to stateful rule groups" for fragmented packets. CloudTrail CreateFirewallPolicy and UpdateFirewallPolicy events provide the change history; review their request parameters to confirm no policy was created or changed with aws:pass for fragment handling.
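The following script is an added example for this page, not code from compliance.tf, Prowler, or AWS Config. It reproduces the pass/fail logic described under "What this control checks" on the FirewallPolicy document that DescribeFirewallPolicy returns, including the custom-action pitfall (exactly one standard action per list, metric actions alongside it are fine), and can optionally walk a live region with boto3 to produce a per-policy evidence table. The sample policies are constructed inline; boto3, its credentials, and the region name are assumptions and are only touched by audit_live_account.

```python
"""Evaluate AWS Network Firewall policies against the fragment default-action control.

Added example; not part of compliance.tf, Prowler or AWS Config. Works offline on
constructed sample policies shaped like the DescribeFirewallPolicy response.
"""
from typing import Dict, List, Tuple

# The three standard actions AWS accepts in a stateless default-action list.
STANDARD_ACTIONS = {"aws:pass", "aws:drop", "aws:forward_to_sfe"}
COMPLIANT_ACTIONS = {"aws:drop", "aws:forward_to_sfe"}


def evaluate_fragment_default(actions: List[str]) -> Tuple[str, str]:
    """Return (status, reason) for one StatelessFragmentDefaultActions list.

    Status is COMPLIANT, NON_COMPLIANT, or INVALID. AWS requires exactly one
    standard action per list; every other entry is a custom action name
    (typically a CloudWatch metric action) and does not affect the verdict.
    """
    standard = [a for a in actions if a in STANDARD_ACTIONS]
    custom = [a for a in actions if a not in STANDARD_ACTIONS]
    if len(standard) != 1:
        return "INVALID", f"expected exactly one standard action, got {standard}"
    action = standard[0]
    note = f" (custom actions: {custom})" if custom else ""
    if action in COMPLIANT_ACTIONS:
        return "COMPLIANT", f"fragment default is {action}{note}"
    return "NON_COMPLIANT", f"fragment default is aws:pass; fragments bypass inspection{note}"


def evaluate_policy(policy: Dict) -> Tuple[str, str]:
    """Evaluate a 'FirewallPolicy' document from DescribeFirewallPolicy.

    Only StatelessFragmentDefaultActions is inspected; StatelessDefaultActions
    (full packets) belongs to a different control and is deliberately ignored.
    """
    actions = policy.get("StatelessFragmentDefaultActions")
    if not actions:
        return "INVALID", "StatelessFragmentDefaultActions missing"
    return evaluate_fragment_default(actions)


# Constructed sample policies (not from a real account), shaped like the API.
SAMPLE_POLICIES = {
    "pass-policy": {
        "StatelessDefaultActions": ["aws:drop"],
        "StatelessFragmentDefaultActions": ["aws:pass"],
    },
    "drop-policy": {
        "StatelessDefaultActions": ["aws:drop"],
        "StatelessFragmentDefaultActions": ["aws:drop"],
    },
    "sfe-with-metric": {
        "StatelessDefaultActions": ["aws:forward_to_sfe"],
        "StatelessFragmentDefaultActions": ["aws:forward_to_sfe", "LogFragments"],
        "StatelessCustomActions": [
            {"ActionName": "LogFragments",
             "ActionDefinition": {"PublishMetricAction": {"Dimensions": [{"Value": "frag"}]}}}
        ],
    },
}


def evaluate_all(policies: Dict[str, Dict]) -> Dict[str, Tuple[str, str]]:
    """Evaluate a name -> FirewallPolicy mapping; the result doubles as audit evidence."""
    return {name: evaluate_policy(p) for name, p in policies.items()}


def audit_live_account(region: str) -> Dict[str, Tuple[str, str]]:
    """Fetch every policy in one region with boto3 and evaluate it.

    boto3 is imported lazily so the offline samples run without it. Assumes
    credentials with network-firewall:ListFirewallPolicies and
    network-firewall:DescribeFirewallPolicy.
    """
    import boto3  # assumption: boto3 installed and credentials configured

    client = boto3.client("network-firewall", region_name=region)
    results: Dict[str, Tuple[str, str]] = {}
    for page in client.get_paginator("list_firewall_policies").paginate():
        for summary in page["FirewallPolicies"]:
            resp = client.describe_firewall_policy(FirewallPolicyArn=summary["Arn"])
            results[summary["Name"]] = evaluate_policy(resp["FirewallPolicy"])
    return results


if __name__ == "__main__":
    for name, (status, reason) in evaluate_all(SAMPLE_POLICIES).items():
        print(f"{name:16} {status:14} {reason}")
```

Run it as-is to see the three constructed verdicts, or call audit_live_account("us-east-1") from a credentialed session and save the returned mapping next to the Config rule export; the INVALID status exists so that a malformed or hand-edited policy document is surfaced rather than silently counted as compliant.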

Framework-specific interpretation

PCI DSS v4.0: Requirement 1 expects firewall policies to deny all traffic not explicitly permitted. Default-pass for fragmented packets violates that principle directly and opens a path for attackers to bypass the network segmentation protecting cardholder data.

NIST Cybersecurity Framework v2.0: PR.IR (Technology Infrastructure Resilience) and the broader Protect function call for controlling traffic at network boundaries. Dropping fragments, or forwarding them for stateful inspection, is exactly the kind of filtering this category expects: it prevents unauthorized data flows through an uninspected channel.

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: networkfirewall_firewall_policy_default_stateless_action_check_fragmented_packets

  • AWS Config Managed Rule: NETFW_POLICY_DEFAULT_ACTION_FRAGMENT_PACKETS

  • Powerpipe Control: aws_compliance.control.networkfirewall_firewall_policy_default_stateless_action_check_fragmented_packets

  • Prowler Check: networkfirewall_policy_default_action_fragmented_packets

  • AWS Security Hub Control: NetworkFirewall.5

Last reviewed: 2026-03-09