Templates for Bulk Importing Firewall Policy Components
Download JSON file templates and use them to bulk import network firewall policy components such as address lists, URL lists, services and service lists, applications and application lists, decryption rules and profiles, mapped secrets, and security rules.
JSON templates help you to bulk import network firewall policy components such as address lists, URL lists, services and service lists, applications and application lists, decryption rules and profiles, mapped secrets, and security rules in.
This page provides a JSON template for each component type, required parameters, and any constraints that you need to be aware of when you use the template.
Instructions for uploading the completed JSON files are provided in Bulk Import Firewall Policy Components.
- Resources that are included in a JSON file for upload must already exist in the policy before being referenced in another resource. For example, before you can upload an application list, you must first upload all the applications that you want to use in the list.
- The maximum file size that you can upload is 5 MB.
Address List Template
Create a list of addresses that you want to allow or deny access to. You can specify individual IPv4 or IPv6 IP addresses, CIDR blocks, or FQDN addresses.
Each address list can contain a maximum of 1,000 addresses. A policy can contain a maximum of 20,000 IP address lists and 2,000 FQDN address lists. For more information, see Firewall Policy Rules.
- Download the Address List Template
Required parameters:
- name
- type (IP or FQDN only)
- addresses
Additional constraints:
- The Name must be unique within the policy, start with a letter, and can contain only letters, numbers, spaces, a hyphen (-), or an underscore (_). A hyphen must be followed by an alphanumeric character. Minimum: 2 characters; maximum: 28 characters.
- Addresses are validated based on the type provided. Don't add invalid addresses for a type.
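The naming rule and the per-type address validation above are easy to get wrong by hand when preparing a file with hundreds of entries. The following is an added example, not one of the page's template files and not Oracle's code: it builds an address-list object with the parameter names the page lists (name, type, addresses) and reports every violation before the file is uploaded. The flat JSON layout, the use of Python's ipaddress module to judge IP and CIDR entries, and the hostname regex used to judge FQDN entries are assumptions; the page only says that addresses are validated per type.

```python
import ipaddress
import json
import re

# Name rule from the page: first character a letter; then letters, digits,
# spaces, underscores, or a hyphen that is immediately followed by a letter
# or digit. Length is checked separately (2..28 for address lists).
NAME_RE = re.compile(r"^[A-Za-z](?:[A-Za-z0-9 _]|-(?=[A-Za-z0-9]))*$")

# Assumption about what a "valid FQDN" is: dotted hostname labels of up to
# 63 characters, no leading/trailing hyphen, alphabetic top-level label.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:(?!-)[A-Za-z0-9-]{1,63}(?<!-)\.)+[A-Za-z]{2,63}$"
)

MAX_ADDRESSES_PER_LIST = 1000  # stated on the page


def validate_name(name, max_len=28):
    """True if name satisfies the naming rule and the section's length limit."""
    return 2 <= len(name) <= max_len and NAME_RE.fullmatch(name) is not None


def is_valid_ip_entry(value):
    """IPv4/IPv6 host address or CIDR block (a bare host counts as /32 or /128)."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def is_valid_fqdn_entry(value):
    return FQDN_RE.fullmatch(value) is not None


def check_address_list(name, addr_type, addresses):
    """Return a list of problems; an empty list means the object can be imported."""
    problems = []
    if not validate_name(name):
        problems.append(f"name {name!r} violates the naming rule or length limit")
    if addr_type not in ("IP", "FQDN"):
        problems.append(f"type must be IP or FQDN, got {addr_type!r}")
        return problems  # per-type address checks need a valid type first
    if len(addresses) > MAX_ADDRESSES_PER_LIST:
        problems.append(
            f"{len(addresses)} addresses exceeds the per-list limit of {MAX_ADDRESSES_PER_LIST}"
        )
    check = is_valid_ip_entry if addr_type == "IP" else is_valid_fqdn_entry
    bad = [a for a in addresses if not check(a)]
    if bad:
        problems.append(f"invalid {addr_type} entries: {bad}")
    return problems


def build_address_list(name, addr_type, addresses):
    """Return the import object, or raise ValueError naming every problem."""
    problems = check_address_list(name, addr_type, addresses)
    if problems:
        raise ValueError("; ".join(problems))
    # Assumed flat layout using the parameter names listed on the page.
    return {"name": name, "type": addr_type, "addresses": list(addresses)}


if __name__ == "__main__":
    # Constructed sample input.
    obj = build_address_list("Internal-Nets", "IP", ["10.0.0.0/8", "fd00::/8", "192.168.1.10"])
    print(json.dumps(obj, indent=2))
    # A mistyped entry is reported instead of being uploaded into the policy.
    print(check_address_list("Partner-Hosts", "FQDN", ["api.partner.example", "10.1.2.3"]))
```

Because an import that references a malformed or oversized list fails only at upload time, running a check like this over the whole file first saves a round trip per bad entry.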
Application List Template
Create a list of applications that you want to allow or deny access to. A policy can contain a maximum of 2,500 application lists. Each application list can contain a maximum of 200 applications. For more information, see Firewall Policy Rules.
- Download the Application List Template
Required parameters:
- name
Additional constraints:
- The Name must be unique within the policy, start with a letter, and can contain only letters, numbers, spaces, a hyphen (-), or an underscore (_). A hyphen must be followed by an alphanumeric character. Minimum: 2 characters; maximum: 28 characters.
- If you don't list any applications, provide an empty array for the "apps" parameter in the template.
- Applications must already exist in the policy before being referenced in the imported list.
Application Template
An application is defined by a signature based on the protocols that it uses. Layer 7 inspection is used to identify matching applications. Each policy can contain a maximum of 6,000 applications. For more information, see Firewall Policy Rules.
- Download the Application Template
Required parameters:
- name
- type (ICMP or ICMP_V6 only)
- icmpType
For more information about ICMP types and codes, see Internet Control Message Protocol (ICMP) Parameters.
Additional constraints:
- The Name must be unique within the policy, start with a letter, and can contain only letters, numbers, spaces, a hyphen (-), or an underscore (_). A hyphen must be followed by an alphanumeric character. Minimum: 2 characters; maximum: 28 characters.
Service List Template
Create a list of services that you want to allow or deny access to, and define port ranges for each. A policy can contain a maximum of 2,000 service lists. A service list can contain a maximum of 200 services. For more information, see Firewall Policy Rules.
- Download the Service List Template
Required parameters:
- name
Additional constraints:
- The Name must be unique within the policy, start with a letter, and can contain only letters, numbers, spaces, a hyphen (-), or an underscore (_). A hyphen must be followed by an alphanumeric character. Minimum: 2 characters; maximum: 28 characters.
- If you don't list any services, provide an empty array for the services parameter in the template.
- Services must already exist in the policy before being referenced in the imported list.
Service Template
A service is identified by a signature based on the ports that it uses. Layer 4 inspection is used to identify matching services. Each policy can contain a maximum of 1,900 services. For more information, see Firewall Policy Rules.
- Download the Service Template
Required parameters:
- name
- type (TCP or UDP only)
- portRanges
Additional constraints:
- The Name must be unique within the policy, start with a letter, and can contain only letters, numbers, spaces, a hyphen (-), or an underscore (_). A hyphen must be followed by an alphanumeric character. Minimum: 2 characters; maximum: 28 characters.
- You can define a maximum of 10 port ranges for each service.
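Services and service lists are the clearest case of the ordering rule at the top of this page: a list can only name services that already exist in the policy. The following added example (not one of the page's template files and not Oracle's code) validates a batch of service and service-list objects and returns the order in which the files must be uploaded. Parameter names follow the page (name, type, portRanges, services); the shape of a port-range entry as {"minimumPort": n, "maximumPort": n} and the use of service names inside a service list's services array are assumptions about the template layout.

```python
import json

MAX_PORT_RANGES_PER_SERVICE = 10   # from the page
MAX_SERVICES_PER_LIST = 200        # from the page
MAX_SERVICES_PER_POLICY = 1900     # from the page


def check_service(service):
    """Return the problems with one service object (empty list if it is valid)."""
    problems = []
    name = service.get("name")
    if service.get("type") not in ("TCP", "UDP"):
        problems.append(f"{name}: type must be TCP or UDP")
    ranges = service.get("portRanges", [])
    if len(ranges) > MAX_PORT_RANGES_PER_SERVICE:
        problems.append(
            f"{name}: {len(ranges)} port ranges exceeds the limit of {MAX_PORT_RANGES_PER_SERVICE}"
        )
    for r in ranges:
        # Assumed entry shape; 1..65535 is the usable TCP/UDP port space.
        lo, hi = r.get("minimumPort"), r.get("maximumPort")
        if not (isinstance(lo, int) and isinstance(hi, int) and 1 <= lo <= hi <= 65535):
            problems.append(f"{name}: bad port range {r}")
    return problems


def batch_problems(services, service_lists, existing_services=()):
    """Validate services and service lists that will be uploaded together.
    existing_services holds names already present in the policy, since a list
    may only reference services that exist at the moment it is imported."""
    problems = []
    known = set(existing_services)
    for s in services:
        problems += check_service(s)
        if s["name"] in known:
            problems.append(f"{s['name']}: duplicate service name")
        known.add(s["name"])
    if len(known) > MAX_SERVICES_PER_POLICY:
        problems.append(f"policy would hold {len(known)} services, limit is {MAX_SERVICES_PER_POLICY}")
    for sl in service_lists:
        members = sl.get("services")
        if members is None:
            problems.append(f"{sl['name']}: 'services' must be present (use [] for an empty list)")
            continue
        if len(members) > MAX_SERVICES_PER_LIST:
            problems.append(f"{sl['name']}: {len(members)} services exceeds the limit of {MAX_SERVICES_PER_LIST}")
        missing = [m for m in members if m not in known]
        if missing:
            problems.append(f"{sl['name']}: references services not in the policy: {missing}")
    return problems


def upload_order(services, service_lists, existing_services=()):
    """Return (kind, name) pairs in upload order: every service file before
    any list that references it. Raises ValueError if the batch is invalid."""
    problems = batch_problems(services, service_lists, existing_services)
    if problems:
        raise ValueError("\n".join(problems))
    return [("service", s["name"]) for s in services] + [
        ("serviceList", sl["name"]) for sl in service_lists
    ]


# Constructed sample batch.
SAMPLE_SERVICES = [
    {"name": "web-https", "type": "TCP", "portRanges": [{"minimumPort": 443, "maximumPort": 443}]},
    {"name": "web-http", "type": "TCP", "portRanges": [{"minimumPort": 80, "maximumPort": 80},
                                                       {"minimumPort": 8080, "maximumPort": 8088}]},
    {"name": "dns-udp", "type": "UDP", "portRanges": [{"minimumPort": 53, "maximumPort": 53}]},
]
SAMPLE_SERVICE_LISTS = [
    {"name": "web-services", "services": ["web-https", "web-http"]},
    {"name": "placeholder-empty", "services": []},   # empty array, not a missing key
]

if __name__ == "__main__":
    for kind, name in upload_order(SAMPLE_SERVICES, SAMPLE_SERVICE_LISTS):
        print(f"upload {kind}: {name}")
    print(json.dumps(SAMPLE_SERVICE_LISTS[0], indent=2))
```

The existing_services argument is what makes the check usable for incremental imports: pass the names already in the policy so that a list referencing them is not flagged, while a list referencing a service that is neither in the policy nor earlier in the batch is.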
URL List Template
Create a list of URLs that you want to allow or deny access to. A policy can contain a maximum of 1,000 URL lists. Each list can contain a maximum of 1,000 URLs. The total maximum number of URLs allowed in a policy is 25,000. For more information, see Firewall Policy Rules.
- Download the URL List Template
Required parameters:
- name
- urls
- type (SIMPLE only)
Additional constraints:
- The Name must be unique within the policy, start with a letter, and can contain only letters, numbers, spaces, a hyphen (-), or an underscore (_). A hyphen must be followed by an alphanumeric character. Minimum: 2 characters; maximum: 28 characters.
- The urls parameter can't be an empty array. Provide one URL object for each URL that you want in the list.
Mapped Secret Template
Mapped secrets are secrets that you create in Oracle Cloud Infrastructure Vault and then map to inbound or outbound SSL keys. The secrets are used to decrypt and inspect SSL/TLS traffic with SSL forward proxy or SSL inbound inspection. A policy can contain a maximum of 300 SSL inbound inspection mapped secrets and a maximum of one SSL forward proxy mapped secret. For more information, see Firewall Policy Rules.
- Download the Mapped Secret Template
Required parameters:
- name
- source (OCI_VAULT only)
- type (SSL_INBOUND_INSPECTION or SSL_FORWARD_PROXY only)
- vaultSecretId
- versionNumber
Additional constraints:
- The Name must be unique within the policy, start with a letter, and can contain only letters, numbers, spaces, a hyphen (-), or an underscore (_). A hyphen must be followed by an alphanumeric character. Minimum: 6 characters; maximum: 58 characters.
- You can create a maximum of one mapped secret of type SSL_FORWARD_PROXY for each policy.
Decryption Profile Template
Create decryption profiles to control how SSL forward proxy and SSL inbound inspection perform session mode checks, server checks, and failure checks. A policy can contain a maximum of 500 decryption profiles. For more information, see Firewall Policy Rules.
- Download the Decryption Profile Template
Required parameters:
- name
- type (SSL_INBOUND_INSPECTION or SSL_FORWARD_PROXY only)
Additional required parameters:
- If type is "SSL_INBOUND_INSPECTION", the following parameters are required:
  - isUnsupportedVersionBlocked (true or false)
  - isUnsupportedCipherBlocked (true or false)
  - isOutOfCapacityBlocked (true or false)
- If type is "SSL_FORWARD_PROXY", the following parameters are required:
  - isExpiredCertificateBlocked (true or false)
  - isUntrustedIssuerBlocked (true or false)
  - isRevocationStatusTimeoutBlocked (true or false)
  - isUnsupportedVersionBlocked (true or false)
  - isUnsupportedCipherBlocked (true or false)
  - isUnknownRevocationStatusBlocked (true or false)
  - areCertificateExtensionsRestricted (true or false)
  - isAutoIncludeAltName (true or false)
  - isOutOfCapacityBlocked (true or false)
Additional constraints:
- The Name must be unique within the policy, start with a letter, and can contain only letters, numbers, spaces, a hyphen (-), or an underscore (_). A hyphen must be followed by an alphanumeric character. Minimum: 2 characters; maximum: 63 characters.
Security Rule Template
Security rules are enforced after decryption rules. A policy can contain a maximum of 10,000 security rules. For more information, see Firewall Policy Rules.
- Download the Security Rule Template
Required parameters:
- name
- condition
- position
- action (ALLOW, REJECT, DROP, or INSPECT only)
Additional constraints:
- The Name must be unique within the policy, start with a letter, and can contain only letters, numbers, spaces, a hyphen (-), or an underscore (_). A hyphen must be followed by an alphanumeric character. Minimum: 2 characters; maximum: 63 characters.
- If the position parameter is empty, the rule is created as the first rule in the list.
- If a match condition field has an empty value, provide an empty array for that field.
- If action is specified as INSPECT, then the inspection parameter is required. Allowed values for inspection are INTRUSION_DETECTION and INTRUSION_PREVENTION.
Decryption Rule Template
Decryption rules are enforced before security rules. A policy can have a maximum of 1,000 decryption rules. For more information, see Firewall Policy Rules.
- Download the Decryption Rule Template
Required parameters:
- name
- condition
- action (NO_DECRYPT or DECRYPT only)
- position
Additional constraints:
- The Name must be unique within the policy, start with a letter, and can contain only letters, numbers, spaces, a hyphen (-), or an underscore (_). A hyphen must be followed by an alphanumeric character. Minimum: 2 characters; maximum: 63 characters.
- If action is specified as DECRYPT, then the decryptionProfile and mappedSecret parameters are required. The type values of the specified decryptionProfile and mappedSecret must be the same (SSL_INBOUND_INSPECTION or SSL_FORWARD_PROXY).
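The decryption profile, security rule and decryption rule sections above each carry a conditional requirement (parameters that become mandatory depending on type or action) plus a cross-reference rule: a DECRYPT rule must name a profile and a mapped secret that already exist and have the same type. The following added example (not one of the page's template files and not Oracle's code) checks those three things over objects that are either already in the policy or earlier in the same upload. Parameter names are taken from the page; the page does not show how position is expressed, so it is passed through unchecked, and the vaultSecretId values in the sample data are labelled placeholders.

```python
# Required boolean parameters per decryption profile type, as listed on the page.
PROFILE_REQUIRED = {
    "SSL_INBOUND_INSPECTION": (
        "isUnsupportedVersionBlocked",
        "isUnsupportedCipherBlocked",
        "isOutOfCapacityBlocked",
    ),
    "SSL_FORWARD_PROXY": (
        "isExpiredCertificateBlocked",
        "isUntrustedIssuerBlocked",
        "isRevocationStatusTimeoutBlocked",
        "isUnsupportedVersionBlocked",
        "isUnsupportedCipherBlocked",
        "isUnknownRevocationStatusBlocked",
        "areCertificateExtensionsRestricted",
        "isAutoIncludeAltName",
        "isOutOfCapacityBlocked",
    ),
}
SECURITY_ACTIONS = ("ALLOW", "REJECT", "DROP", "INSPECT")
INSPECTION_VALUES = ("INTRUSION_DETECTION", "INTRUSION_PREVENTION")


def check_decryption_profile(profile):
    """Every parameter the page marks required for the profile's type must be
    present and boolean; an unknown type is reported as a single problem."""
    required = PROFILE_REQUIRED.get(profile.get("type"))
    if required is None:
        return [f"{profile.get('name')}: type must be one of {list(PROFILE_REQUIRED)}"]
    return [
        f"{profile['name']}: {key} must be true or false"
        for key in required
        if not isinstance(profile.get(key), bool)
    ]


def check_security_rule(rule):
    problems = []
    name = rule.get("name")
    if rule.get("action") not in SECURITY_ACTIONS:
        problems.append(f"{name}: action must be one of {list(SECURITY_ACTIONS)}")
    elif rule["action"] == "INSPECT" and rule.get("inspection") not in INSPECTION_VALUES:
        problems.append(f"{name}: action INSPECT requires inspection = INTRUSION_DETECTION or INTRUSION_PREVENTION")
    condition = rule.get("condition")
    if not isinstance(condition, dict):
        problems.append(f"{name}: condition is required")
    else:
        # The page asks for an empty array, not a null, for unused match fields.
        for field, value in condition.items():
            if not isinstance(value, list):
                problems.append(f"{name}: condition.{field} must be an array (use [] when empty)")
    return problems


def check_decryption_rule(rule, profiles, secrets):
    """profiles/secrets: objects already in the policy (or earlier in the same
    upload) keyed by name, because a rule may only reference existing ones."""
    name = rule.get("name")
    action = rule.get("action")
    if action not in ("DECRYPT", "NO_DECRYPT"):
        return [f"{name}: action must be DECRYPT or NO_DECRYPT"]
    if action == "NO_DECRYPT":
        return []
    problems = []
    prof = profiles.get(rule.get("decryptionProfile"))
    sec = secrets.get(rule.get("mappedSecret"))
    if prof is None:
        problems.append(f"{name}: DECRYPT needs an existing decryptionProfile, got {rule.get('decryptionProfile')!r}")
    if sec is None:
        problems.append(f"{name}: DECRYPT needs an existing mappedSecret, got {rule.get('mappedSecret')!r}")
    if prof and sec and prof["type"] != sec["type"]:
        problems.append(f"{name}: decryptionProfile type {prof['type']} does not match mappedSecret type {sec['type']}")
    return problems


# Constructed sample objects; the vaultSecretId values are placeholders.
PROFILES = {"inbound-strict": {"name": "inbound-strict", "type": "SSL_INBOUND_INSPECTION",
                               "isUnsupportedVersionBlocked": True, "isUnsupportedCipherBlocked": True,
                               "isOutOfCapacityBlocked": False}}
SECRETS = {"inbound-cert": {"name": "inbound-cert", "type": "SSL_INBOUND_INSPECTION",
                            "source": "OCI_VAULT", "vaultSecretId": "ocid1.vaultsecret.<placeholder>",
                            "versionNumber": 1},
           "fwd-proxy-ca": {"name": "fwd-proxy-ca", "type": "SSL_FORWARD_PROXY",
                            "source": "OCI_VAULT", "vaultSecretId": "ocid1.vaultsecret.<placeholder>",
                            "versionNumber": 1}}

if __name__ == "__main__":
    rule = {"name": "decrypt-inbound", "action": "DECRYPT", "condition": {},
            "decryptionProfile": "inbound-strict", "mappedSecret": "fwd-proxy-ca", "position": {}}
    print(check_decryption_rule(rule, PROFILES, SECRETS))  # reports the type mismatch
```

The profile and secret dictionaries stand in for "what the policy already contains": populate them from the objects already imported plus any earlier files in the batch, and the rule files can be checked before upload in the same order the page requires.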
Tunnel Inspection Rule Template
Use tunnel inspection rules to inspect traffic mirrored to an Oracle resource using the OCI Virtual Test Access Point (VTAP) service. Traffic captured at the VTAP source is encapsulated in VXLAN and then sent to the VTAP target. See RFC 7348. A policy can have a maximum of 500 tunnel inspection rules. For more information, see Firewall Policy Rules.
- Download the Tunnel Inspection Rule Template
Required parameters:
- name
- condition (sourceAddress, destinationAddress)
- action (INSPECT or INSPECT_AND_CAPTURE_LOG only)
- position
- protocol (VXLAN only)
- profile ("mustReturnTrafficToSource": true only)
Additional constraints:
- The Name must be unique within the policy, start with a letter, and can contain only letters, numbers, spaces, a hyphen (-), or an underscore (_). A hyphen must be followed by an alphanumeric character. Minimum: 2 characters; maximum: 63 characters.