AWS has announced a significant update to its managed AWS Network Firewall service: the default stateful action for all newly created firewall policies is now “Application drop established (server-directed only)”. It replaces the previous default, “Application drop established (bidirectional)”, also referred to as “Application layer drop established”. For B2B network management this change addresses one of the more troublesome problems seen so far: the bidirectional default dropped valid packets travelling from the server to the client, such as window updates, keepalives and reset packets, causing connection failures that were very hard to diagnose. The new default handles this automatically, with no additional configuration.
For enterprises managing existing environments, AWS notes that the legacy bidirectional setting may still be required to support post-quantum cryptography (PQC) fragmented TLS handshakes. AWS therefore advises administrators to consult its documentation for precise guidance on switching existing configurations to “Application drop established (server-directed only)”, or on applying the “to_server” flag to TCP drop rules so that flow-control packets remain unblocked. This architectural refinement is available immediately in all AWS Regions where AWS Network Firewall is offered.
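As an added illustration (not taken from the AWS announcement), the two behaviours expressed in the Suricata-compatible rule syntax that AWS Network Firewall stateful rule groups use; the rule messages and sid values are constructed for this example.

```suricata
# Bidirectional drop (the old default behaviour): "flow:established" alone matches
# established-flow packets in either direction, so server-to-client control packets
# (window updates, keepalives, RST) are dropped as well, which breaks connections
# that the client-to-server rules otherwise allowed.
drop tcp any any -> any any (msg:"Drop unmatched established TCP, both directions"; flow:established; sid:1000001; rev:1;)

# Server-directed drop (the new default behaviour): adding "to_server" restricts the
# drop to packets heading from the client to the server, so the server's flow-control
# packets still pass and the connection tears down cleanly.
drop tcp any any -> any any (msg:"Drop unmatched established TCP, client-to-server only"; flow:established,to_server; sid:1000002; rev:1;)
```

AWS notes that environments relying on PQC fragmented TLS handshakes may still need the bidirectional form, so check that case before switching existing rule groups to the to_server variant.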