Templates for Bulk Importing Firewall Policy Components

Download JSON file templates and use them to bulk import network firewall policy components such as address lists, URL lists, services and service lists, applications and application lists, decryption rules and profiles, mapped secrets, and security rules.

This page provides a JSON template for each component type, required parameters, and any constraints that you need to be aware of when you use the template.

Instructions for uploading the completed JSON files are provided in Bulk Import Firewall Policy Components.

Important

  • Resources that are included in a JSON file for upload must already exist in the policy before being referenced in another resource. For example, before you can upload an application list, you must first upload all the applications that you want to use in the list.
  • The maximum file size that you can upload is 5 MB.

Address List Template

Create a list of addresses that you want to allow or deny access to. You can specify individual IPv4 or IPv6 addresses, CIDR blocks, or FQDN addresses.

Each address list can contain a maximum of 1,000 addresses. A policy can contain a maximum of 20,000 IP address lists and 2,000 FQDN address lists. For more information, see Firewall Policy Rules.

Required parameters:
  • name
  • type (IP or FQDN only)
  • addresses
Additional constraints:
  • The Name must be unique within the policy, start with a letter, and can contain only letters, numbers, spaces, a hyphen (-), or an underscore (_). A hyphen must be followed by an alphanumeric character. Minimum: 2 characters; maximum: 28 characters.
  • Addresses are validated based on the type provided. Don't add invalid addresses for a type.
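An added example (not an Oracle template or tool) that pre-checks an address-list object against the constraints above before it is uploaded: the name rule, the IP-or-FQDN type, the per-type address validation, and the 1,000-address limit. It assumes each list is a JSON object with the `name`, `type` and `addresses` parameters; the FQDN grammar is an assumption, since the page does not define one.

```python
import ipaddress
import re
# Name rule from this page: starts with a letter; letters, digits, spaces, '_' and '-'
# only; every '-' must be followed by an alphanumeric character.
NAME_RE = re.compile(r"^[A-Za-z](?:[A-Za-z0-9 _]|-(?=[A-Za-z0-9]))*$")
# Conservative hostname grammar; assumption, since the page does not define FQDN syntax.
FQDN_RE = re.compile(r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$")

def check_name(name, min_len=2, max_len=28):
    # Returns the list of violated name constraints; empty means the name is valid.
    errors = []
    if not isinstance(name, str):
        return ["name must be a string"]
    if not min_len <= len(name) <= max_len:
        errors.append(f"name length must be {min_len}-{max_len} characters")
    if not NAME_RE.match(name):
        errors.append("name must start with a letter and contain only letters, numbers, "
                      "spaces, '_' or '-' followed by an alphanumeric character")
    return errors

def is_ip_entry(value):
    # A single IPv4/IPv6 address or a CIDR block (host bits allowed to be set).
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False

def is_fqdn_entry(value):
    return bool(FQDN_RE.match(value))

def check_address_list(item):
    # Validate one address-list object against the constraints stated on this page.
    errors = check_name(item.get("name"))
    addr_type, addresses = item.get("type"), item.get("addresses")
    if addr_type not in ("IP", "FQDN"):
        errors.append("type must be IP or FQDN")
    if not isinstance(addresses, list):
        return errors + ["addresses must be an array"]
    if len(addresses) > 1000:
        errors.append("an address list can contain at most 1,000 addresses")
    validator = is_ip_entry if addr_type == "IP" else is_fqdn_entry
    for addr in addresses:
        if not isinstance(addr, str) or not validator(addr):
            errors.append(f"{addr!r} is not a valid {addr_type} address")
    return errors
# Constructed samples: a valid IP list and one that mixes an FQDN into an IP list.
GOOD = {"name": "corp-egress", "type": "IP", "addresses": ["10.0.0.0/8", "2001:db8::1"]}
BAD = {"name": "-bad", "type": "IP", "addresses": ["10.0.0.1", "example.com"]}
```

Run `check_address_list` over every object in the file and refuse to upload while any list returns a non-empty error list.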

Application List Template

Create a list of applications that you want to allow or deny access to. A policy can contain a maximum of 2,500 application lists. Each application list can contain a maximum of 200 applications. For more information, see Firewall Policy Rules.

Required parameters:
  • name
Additional constraints:
  • The Name must be unique within the policy, start with a letter, and can contain only letters, numbers, spaces, a hyphen (-), or an underscore (_). A hyphen must be followed by an alphanumeric character. Minimum: 2 characters; maximum: 28 characters.
  • If you don't list any applications, provide an empty array for the "apps" parameter in the template.
  • Applications must already exist in the policy before being referenced in the imported list.

Application Template

An application is defined by a signature based on the protocols that it uses. Layer 7 inspection is used to identify matching applications. Each policy can contain a maximum of 6,000 applications. For more information, see Firewall Policy Rules.

Required parameters:
  • name
  • type (ICMP or ICMP_V6 only)
  • icmpType

For more information about ICMP types and codes, see Internet Control Message Protocol (ICMP) Parameters.

Additional constraints:

  • The Name must be unique within the policy, start with a letter, and can contain only letters, numbers, spaces, a hyphen (-), or an underscore (_). A hyphen must be followed by an alphanumeric character. Minimum: 2 characters; maximum: 28 characters.

Service List Template

Create a list of services that you want to allow or deny access to, and define port ranges for each. A policy can contain a maximum of 2,000 service lists. A service list can contain a maximum of 200 services. For more information, see Firewall Policy Rules.

Required parameters:
  • name

Additional constraints:

  • The Name must be unique within the policy, start with a letter, and can contain only letters, numbers, spaces, a hyphen (-), or an underscore (_). A hyphen must be followed by an alphanumeric character. Minimum: 2 characters; maximum: 28 characters.
  • If you don't list any services, provide an empty array for the services parameter in the template.
  • Services must already exist in the policy before being referenced in the imported list.

Service Template

A service is identified by a signature based on the ports that it uses. Layer 4 inspection is used to identify matching services. Each policy can contain a maximum of 1,900 services. For more information, see Firewall Policy Rules.

Required parameters:
  • name
  • type (TCP or UDP only)
  • portRanges

Additional constraints:

  • The Name must be unique within the policy, start with a letter, and can contain only letters, numbers, spaces, a hyphen (-), or an underscore (_). A hyphen must be followed by an alphanumeric character. Minimum: 2 characters; maximum: 28 characters.
  • You can define a maximum of 10 port ranges for each service.

URL List Template

Create a list of URLs that you want to allow or deny access to. A policy can contain a maximum of 1,000 URL lists. Each list can contain a maximum of 1,000 URLs. The total maximum number of URLs allowed in a policy is 25,000. For more information, see Firewall Policy Rules.

Required parameters:
  • name
  • urls
  • type (SIMPLE only)

Additional constraints:

  • The Name must be unique within the policy, start with a letter, and can contain only letters, numbers, spaces, a hyphen (-), or an underscore (_). A hyphen must be followed by an alphanumeric character. Minimum: 2 characters; maximum: 28 characters.
  • The urls array can't be empty. Provide one URL object for each URL that you want in the list.

Mapped Secret Template

Mapped secrets are secrets that you create in Oracle Cloud Infrastructure Vault and then map to inbound or outbound SSL keys. The secrets are used to decrypt and inspect SSL/TLS traffic with SSL forward proxy or SSL inbound inspection. A policy can contain a maximum of 300 SSL inbound inspection mapped secrets and a maximum of one SSL forward proxy mapped secret. For more information, see Firewall Policy Rules.

Required parameters:
  • name
  • source (OCI_VAULT only)
  • type (SSL_INBOUND_INSPECTION or SSL_FORWARD_PROXY only)
  • vaultSecretId
  • versionNumber

Additional constraints:

  • The Name must be unique within the policy, start with a letter, and can contain only letters, numbers, spaces, a hyphen (-), or an underscore (_). A hyphen must be followed by an alphanumeric character. Minimum: 6 characters; maximum: 58 characters.
  • You can create a maximum of one mapped secret of type SSL_FORWARD_PROXY for each policy.

Decryption Profile Template

Create decryption profiles to control how SSL forward proxy and SSL inbound inspection perform session mode checks, server checks, and failure checks. A policy can contain a maximum of 500 decryption profiles. For more information, see Firewall Policy Rules.

Required parameters:
  • name
  • type (SSL_INBOUND_INSPECTION or SSL_FORWARD_PROXY only)

Additional required parameters:

When type is "SSL_INBOUND_INSPECTION", the following parameters are required:
  • isUnsupportedVersionBlocked (true or false)
  • isUnsupportedCipherBlocked (true or false)
  • isOutOfCapacityBlocked (true or false)
When type is "SSL_FORWARD_PROXY", the following parameters are required:
  • isExpiredCertificateBlocked (true or false)
  • isUntrustedIssuerBlocked (true or false)
  • isRevocationStatusTimeoutBlocked (true or false)
  • isUnsupportedVersionBlocked (true or false)
  • isUnsupportedCipherBlocked (true or false)
  • isUnknownRevocationStatusBlocked (true or false)
  • areCertificateExtensionsRestricted (true or false)
  • isAutoIncludeAltName (true or false)
  • isOutOfCapacityBlocked (true or false)

Additional constraints:

  • The Name must be unique within the policy, start with a letter, and can contain only letters, numbers, spaces, a hyphen (-), or an underscore (_). A hyphen must be followed by an alphanumeric character. Minimum: 2 characters; maximum: 63 characters.

Security Rule Template

Security rules are enforced after decryption rules. A policy can contain a maximum of 10,000 security rules. For more information, see Firewall Policy Rules.

Required parameters:
  • name
  • condition
  • position
  • action (ALLOW, REJECT, DROP, or INSPECT only)

Additional constraints:

  • The Name must be unique within the policy, start with a letter, and can contain only letters, numbers, spaces, a hyphen (-), or an underscore (_). A hyphen must be followed by an alphanumeric character. Minimum: 2 characters; maximum: 63 characters.
  • If the position parameter is empty, the rule is created as the first rule in the list.
  • If a match condition field has an empty value, provide an empty array for that field.
  • If action is INSPECT, the inspection parameter is required. Allowed values for inspection are INTRUSION_DETECTION and INTRUSION_PREVENTION.

Decryption Rule Template

Decryption rules are enforced before security rules. A policy can have a maximum of 1,000 decryption rules. For more information, see Firewall Policy Rules.

Required parameters:
  • name
  • condition
  • action (NO_DECRYPT or DECRYPT only)
  • position

Additional constraints:

  • The Name must be unique within the policy, start with a letter, and can contain only letters, numbers, spaces, a hyphen (-), or an underscore (_). A hyphen must be followed by an alphanumeric character. Minimum: 2 characters; maximum: 63 characters.
  • If action is DECRYPT, the decryptionProfile and mappedSecret parameters are required. The type values of the referenced decryptionProfile and mappedSecret must be the same (both SSL_INBOUND_INSPECTION or both SSL_FORWARD_PROXY).
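An added example (not an Oracle template or tool) covering the conditional requirements of the Decryption Profile, Security Rule and Decryption Rule templates: the per-type boolean flags a profile needs, the inspection parameter that an INSPECT rule needs, and the check that a DECRYPT rule references a profile and a mapped secret that already exist in the policy and share the same type. It assumes each resource is a dict keyed by the parameter names listed above; the registry of already-imported profiles and secrets is constructed for the example.

```python
# Added validator for the cross-field constraints on this page; assumes dicts keyed by the template parameter names.
INSPECTION_MODES = ("INTRUSION_DETECTION", "INTRUSION_PREVENTION")
TLS_TYPES = ("SSL_INBOUND_INSPECTION", "SSL_FORWARD_PROXY")
INBOUND_FLAGS = ("isUnsupportedVersionBlocked", "isUnsupportedCipherBlocked",
                 "isOutOfCapacityBlocked")
FORWARD_PROXY_FLAGS = INBOUND_FLAGS + (
    "isExpiredCertificateBlocked", "isUntrustedIssuerBlocked",
    "isRevocationStatusTimeoutBlocked", "isUnknownRevocationStatusBlocked",
    "areCertificateExtensionsRestricted", "isAutoIncludeAltName")

def check_decryption_profile(profile):
    # Which boolean flags are required depends on the profile type.
    ptype = profile.get("type")
    if ptype not in TLS_TYPES:
        return [f"type must be one of {TLS_TYPES}"]
    required = INBOUND_FLAGS if ptype == "SSL_INBOUND_INSPECTION" else FORWARD_PROXY_FLAGS
    return [f"{flag} must be true or false for type {ptype}"
            for flag in required if not isinstance(profile.get(flag), bool)]

def check_security_rule(rule):
    # INSPECT is the only action that needs an inspection mode.
    action = rule.get("action")
    if action not in ("ALLOW", "REJECT", "DROP", "INSPECT"):
        return ["action must be ALLOW, REJECT, DROP or INSPECT"]
    if action == "INSPECT" and rule.get("inspection") not in INSPECTION_MODES:
        return [f"INSPECT requires inspection to be one of {INSPECTION_MODES}"]
    return []

def check_decryption_rule(rule, profiles, secrets):
    # profiles/secrets map name -> type for resources already in the policy
    # (they must be imported before any rule that references them).
    action = rule.get("action")
    if action not in ("DECRYPT", "NO_DECRYPT"):
        return ["action must be DECRYPT or NO_DECRYPT"]
    if action == "NO_DECRYPT":
        return []
    errors = []
    prof, sec = rule.get("decryptionProfile"), rule.get("mappedSecret")
    if prof not in profiles:
        errors.append(f"decryptionProfile {prof!r} does not exist in the policy yet")
    if sec not in secrets:
        errors.append(f"mappedSecret {sec!r} does not exist in the policy yet")
    if not errors and profiles[prof] != secrets[sec]:
        errors.append(f"type mismatch: profile is {profiles[prof]}, secret is {secrets[sec]}")
    return errors

# Constructed registry standing in for profiles and secrets already imported.
PROFILES = {"inbound-strict": "SSL_INBOUND_INSPECTION", "egress-proxy": "SSL_FORWARD_PROXY"}
SECRETS = {"web-cert": "SSL_INBOUND_INSPECTION", "proxy-ca": "SSL_FORWARD_PROXY"}
```

Because uploads must follow dependency order, build the registry from the profile and secret files you have already uploaded (or validated) before checking the rule files.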

Tunnel Inspection Rule Template

Use tunnel inspection rules to inspect traffic mirrored to an Oracle resource using the OCI Virtual Test Access Point (VTAP) service. Traffic captured at the VTAP source is encapsulated in VXLAN and then sent to the VTAP target. See RFC 7348. A policy can have a maximum of 500 tunnel inspection rules. For more information, see Firewall Policy Rules.

Required parameters:
  • name
  • condition (sourceAddress, destinationAddress)
  • action (INSPECT or INSPECT_AND_CAPTURE_LOG only)
  • position
  • protocol (VXLAN only)
  • profile ("mustReturnTrafficToSource":true only)

Additional constraints:

  • The Name must be unique within the policy, start with a letter, and can contain only letters, numbers, spaces, a hyphen (-), or an underscore (_). A hyphen must be followed by an alphanumeric character. Minimum: 2 characters; maximum: 63 characters.