AWS Network Firewall updates default drop action for improved connection reliability

Published
June 22, 2026
https://aws.amazon.com/about-aws/whats-new/2026/06/aws-network-firewall-updates-default-drop-action

AWS Network Firewall Updates

AWS Network Firewall now uses "Application drop established (server-directed only)" as the default stateful action for all newly created firewall policies, replacing the previous default of "Application drop established (bidirectional)". This change avoids silently dropping legitimate server-to-client TCP packets, such as window updates, keep-alives, and resets, which could cause intermittent connection failures.

No action is required to benefit from this change when creating new policies. However, if your existing environment requires "Application drop established (bidirectional)" to support post-quantum cryptography (PQC) fragmented TLS handshakes, refer to the documentation for guidance on switching to "Application drop established (server-directed only)" or adding the "to_server" flag to your TCP drop rules.

What to do

  • Create new policies to benefit from the safer default.
  • Review existing policies if you require "Application drop established (bidirectional)" for PQC fragmented TLS handshakes.
  • Follow the documentation for guidance on switching to "Application drop established (server-directed only)" or adding the "to_server" flag.

Source: AWS release notes
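As an added illustration (not part of the AWS announcement and not an AWS tool), the following Python audit scans Suricata-compatible stateful rule strings for TCP drop rules on established flows that carry no direction keyword, and rewrites them to add "to_server" as the note above suggests. The rule strings, sids and the $HOME_NET variable are constructed placeholders; the parser assumes no ";" appears inside quoted option values.

```python
import re
from typing import List, Optional, Tuple

# Suricata-compatible rule header: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+\S+\s+\S+\s+(->|<>)\s+\S+\s+\S+\s*"
    r"\((?P<opts>.*)\)\s*$"
)
# Suricata 'flow' keywords that pin a rule to a single direction
DIRECTION_KEYWORDS = {"to_server", "to_client", "from_client", "from_server"}

def parse_flow(options: str) -> set:
    """Collect the comma-separated values of every 'flow:' option, e.g. {'established', 'to_server'}."""
    flow = set()
    for opt in options.split(";"):  # assumes no ';' inside quoted values
        key, _, val = opt.strip().partition(":")
        if key.strip() == "flow":
            flow.update(v.strip() for v in val.split(","))
    return flow

def audit_rule(rule: str) -> Optional[str]:
    """Return a finding for a TCP drop on established flows that is not direction-scoped, else None."""
    m = RULE_RE.match(rule)
    if not m or m["action"] != "drop" or m["proto"] != "tcp":
        return None
    flow = parse_flow(m["opts"])
    if "established" not in flow or flow & DIRECTION_KEYWORDS:
        return None
    return "TCP drop on established flow is bidirectional; add to_server to the flow keyword"

def add_to_server(rule: str) -> str:
    """Rewrite a flagged rule so its flow option also carries to_server; other rules return unchanged."""
    if audit_rule(rule) is None:
        return rule
    return re.sub(r"(flow\s*:\s*[^;]*?)(\s*;)", r"\1,to_server\2", rule, count=1)

def audit_rules(rules: List[str]) -> List[Tuple[int, str]]:
    """Return (index, finding) for every rule that audit_rule flags."""
    return [(i, f) for i, r in enumerate(rules) if (f := audit_rule(r))]

# Constructed sample rule group; sids and $HOME_NET are placeholders, not from a real policy
SAMPLE_RULES = [
    'drop tcp any any -> any any (flow:established; msg:"drop established"; sid:1; rev:1;)',
    'drop tcp $HOME_NET any -> any 443 (flow:established,to_server; msg:"client-directed"; sid:2; rev:1;)',
    'pass tcp any any -> any any (flow:established; sid:3;)',
    'drop udp any any -> any any (sid:4;)',
]

if __name__ == "__main__":
    for idx, finding in audit_rules(SAMPLE_RULES):
        print(f"rule {idx}: {finding}")
        print("  fixed:", add_to_server(SAMPLE_RULES[idx]))
```

Rule strings can be pulled from `aws network-firewall describe-rule-group` output and fed to `audit_rules` to find bidirectional established drops before the policy default is changed.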

If you need further guidance on AWS, our experts are available at AWS@westloop.io. You may also reach us by submitting the Contact Us form.
