Creating a Policy

Learn how to create a policy that you can associate with a network firewall.

Note

Before you begin:

    1. Open the navigation menu and click Identity and Security. Under Firewalls, click Network Firewall Policies.
    2. Click Create network firewall policy.
    3. In Basic Information, enter values for the following:
      • Name: Enter a friendly name for the policy.
      • Compartment: Choose a compartment for the policy.
      • (Optional) Show tagging options: See Overview of Tagging for more information.
    4. Click Next.
    5. (Optional) Create application lists:
      1. Click Add application list.
      2. Enter a Name for the application list that can help you identify it later.
      3. Select a Protocol Type for the first application.
      4. Depending on the selected Protocol Type, specify additional information:
        • Port Number: For TCP and UDP, enter a single port number or a port range. For example, "22" or "80-8080".
        • ICMP Type: For ICMPv4 and ICMPv6, select a type. For example, "3 - Destination unreachable".
        • ICMP Code: For ICMPv4 and ICMPv6, select a code. For example, "3 - Port unreachable".
      5. Click +Another application to specify more applications in the list. You can include up to 25 applications in a list.
      6. Click Add application list to finish.
    6. (Optional) Create URL lists:
      1. Click Add URL list. You can use wildcards in the URLs.
      2. Enter a Name for the URL list that can help you identify it later.
      3. Enter a maximum of 25 URLs, one on each line. You can use wildcards such as the asterisk (*) and caret (^) in a URL to customize matching. Don't include protocol information such as "http://" or "https://". For an example list of valid URLs, see URL lists.
      4. Click Add URL list to finish.
    7. (Optional) Create IP address lists:
      1. Click Add IP address list.
      2. Enter a Name for the IP address list that can help you identify it later.
      3. Enter a maximum of 25 IP addresses or CIDR blocks, one on each line.
      4. Click Add IP address list to finish.
    8. Click Next.
    9. (Optional) Create mapped secrets:
      Note

      Before you can complete this section, you must first set up certificate authentication.
      1. Click Add mapped secret.
      2. Enter a Name for the mapped secret that can help you identify it later.
      3. Select a Mapped secret type: SSL inbound inspection or SSL forward proxy.
      4. Select the Oracle Cloud Infrastructure Vault that contains the secret you want to map to the inbound or outbound key.
      5. Select the secret.
      6. Select a version number for the secret.
      7. Click Add mapped secret.
    10. (Optional) Create decryption profiles:
      Note

      Before you can complete this section, you must first set up certificate authentication and a mapped secret.
      1. Click Add decryption profile.
      2. Enter a Name for the decryption profile that can help you identify it later.
      3. Choose the profile Type: SSL inbound inspection or SSL forward proxy.
      4. Specify the session mode checks, server checks, and failure checks that you want the decryption profile to perform on decrypted traffic.
      5. Click Add decryption profile.
    11. Click Next.
    12. (Optional) Create decryption rules that instruct the firewall how to behave when decrypting traffic:
      Note

      Before you can complete this section, you must first set up certificate authentication, mapped secrets, and decryption profiles.
      1. Click Add decryption rule.
      2. Enter a Name for the decryption rule that can help you identify it later.
      3. Specify source and destination IP addresses that must match for the rule to take effect. You can select any of the IP address lists you created.
      4. Specify the action that you want to take if the match condition is met:
        • Decrypt with SSL forward proxy
        • Decrypt with SSL inbound inspection
        • Do not decrypt
      5. Select the decryption profile and mapped secret that the firewall must apply.
        Note

        The decryption profiles available for you to select depend on the action specified. For example, if you selected "Decrypt with SSL forward proxy", only decryption profiles that you created with the type "SSL forward proxy" are available for you to choose.

        If no decryption profile or mapped secret is available for your selected action, create them before proceeding.

      6. Click Add decryption rule.
      7. (Optional) Create additional decryption rules. Click Reorder to change the priority order for each rule.
    13. (Optional) Create security rules that instruct the firewall whether to allow or deny traffic:
      1. Click Add security rule.
      2. Enter a Name for the security rule that can help you identify it later.
      3. Specify source and destination IP addresses that must match for the rule to take effect. You can select any of the IP address lists you created.
      4. Specify Applications that must match for the rule to take effect. You can select any of the application lists you created.
      5. Specify URLs that must match for the rule to take effect. You can select any of the URL lists you created.
      6. Specify the action that you want to take if the match condition is met:
        • Allow traffic
        • Drop traffic
        • Intrusion detection
        • Intrusion prevention
        • Reject traffic
      7. Click Add security rule.
      8. (Optional) Create more security rules. Click Reorder to change the priority order for each rule.
        Note

        Security rules are enforced after decryption rules, regardless of priority.
    14. Click Next. Review the policy information. To edit the information, click Previous.
    15. Click Create network firewall policy.

      A work request is created. To view the work request, under Resources click Work requests. When the policy is created, it appears as Active.
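      The application, URL, and IP address lists entered in the console steps above share a few hard constraints: at most 25 entries per list, TCP/UDP ports given as a single number or a "low-high" range, ICMP type and code values, IP addresses or CIDR blocks, and URLs without a scheme. Entering a malformed line in the console surfaces the error one field at a time; the following pre-flight checker is an added example (not code from the original page or from the Network Firewall service) that validates whole lists offline before they are typed or submitted. The sample lists, the allowed URL character set, and the decision to reject CIDR blocks with host bits set (such as 10.0.0.5/24, almost always a typo) are the example's own assumptions, not service behaviour documented on this page.

```python
"""Pre-flight checks for network firewall policy list entries.

Added example, not from the original page or the OCI service. Applies the
limits the procedure states: 25 entries per list, TCP/UDP ports as "22" or
"80-8080", ICMP type/code, IP addresses or CIDR blocks, URLs without a scheme.
"""
import ipaddress
import re

MAX_ENTRIES = 25  # per-list limit stated in the procedure
PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")
# Assumed character set: hostname/path characters plus the * and ^ wildcards.
URL_RE = re.compile(r"^[A-Za-z0-9.\-_~/*^%?=&]+$")


def parse_port_spec(spec):
    """Turn "22" or "80-8080" into an inclusive (low, high) tuple."""
    m = PORT_RE.match(spec.strip())
    if not m:
        raise ValueError(f"{spec!r}: expected a port or a low-high range")
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) is not None else low
    for port in (low, high):
        if not 0 <= port <= 65535:
            raise ValueError(f"{spec!r}: port {port} outside 0-65535")
    if low > high:
        raise ValueError(f"{spec!r}: range is reversed")
    return low, high


def check_application(app):
    """Validate one application entry and return a normalised tuple.

    TCP/UDP entries need "ports"; ICMPv4/ICMPv6 entries need "type" and
    optionally "code" (both 0-255)."""
    proto = app.get("protocol")
    if proto in ("TCP", "UDP"):
        ports = app.get("ports")
        if ports is None:
            raise ValueError(f"{proto} application needs a port or port range")
        return (proto,) + parse_port_spec(ports)
    if proto in ("ICMPv4", "ICMPv6"):
        icmp_type = int(app.get("type", -1))
        code = app.get("code")
        if not 0 <= icmp_type <= 255:
            raise ValueError(f"ICMP type {icmp_type} outside 0-255")
        if code is not None and not 0 <= int(code) <= 255:
            raise ValueError(f"ICMP code {code} outside 0-255")
        return (proto, icmp_type, None if code is None else int(code))
    raise ValueError(f"unsupported protocol {proto!r}")


def check_url(url):
    """A URL list entry: no scheme, only hostname/path/wildcard characters."""
    url = url.strip()
    if SCHEME_RE.match(url):
        raise ValueError(f"{url!r}: drop the scheme (http:// or https://)")
    if not URL_RE.match(url):
        raise ValueError(f"{url!r}: characters outside hostname/path/wildcards")
    return url


def check_ip(entry):
    """An IP address or CIDR block. strict=True rejects host bits set in a
    prefix (10.0.0.5/24), which is the checker's own choice, not a documented
    service rule: it is nearly always a typo for the intended network."""
    return ipaddress.ip_network(entry.strip(), strict=True)


def validate_list(kind, entries, check):
    """Run one check over a whole list; return (valid_items, problems)."""
    problems, items = [], []
    if len(entries) > MAX_ENTRIES:
        problems.append(f"{kind}: {len(entries)} entries exceeds the limit of {MAX_ENTRIES}")
    for n, entry in enumerate(entries, 1):
        try:
            items.append(check(entry))
        except ValueError as exc:
            problems.append(f"{kind} line {n}: {exc}")
    return items, problems


# Constructed sample input (not from the page): one defective entry per list.
SAMPLE_APPS = [
    {"protocol": "TCP", "ports": "80-8080"},
    {"protocol": "TCP", "ports": "22"},
    {"protocol": "ICMPv4", "type": 3, "code": 3},  # destination/port unreachable
    {"protocol": "UDP", "ports": "8080-80"},        # reversed range
]
SAMPLE_URLS = ["*.example.com", "updates.example.net/^/", "https://example.org"]
SAMPLE_IPS = ["10.0.0.0/24", "192.0.2.10", "10.0.0.5/24"]


def validate_policy_lists(apps=SAMPLE_APPS, urls=SAMPLE_URLS, ips=SAMPLE_IPS):
    """Validate all three lists; an empty result means they are ready to enter."""
    problems = []
    for kind, entries, check in (("application list", apps, check_application),
                                 ("URL list", urls, check_url),
                                 ("IP address list", ips, check_ip)):
        problems += validate_list(kind, entries, check)[1]
    return problems


if __name__ == "__main__":
    for problem in validate_policy_lists():
        print("PROBLEM:", problem)
```

      Run against the constructed sample, the checker reports the reversed UDP range, the URL that carries a scheme, and the CIDR block with host bits set, one line each, and returns an empty list once the three lists are clean.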

  • Use the oci network-firewall network-firewall-policy create command and required parameters to create a policy.
    oci network-firewall network-firewall-policy create \
      --compartment-id compartment_id [OPTIONS]

    For a complete list of flags and variable options for CLI commands, see the Command Line Reference.

  • Use the CreateNetworkFirewallPolicy operation to create a policy.