Creating Firewall Policy Lists
Lists are building blocks that let you group applications, services, URLs, or addresses for use in a rule.
All items in a list are treated the same way when they're used in a rule. For example, to create a rule that denies access to known malicious URLs, you can create a URL list called Malicious URLs. Then, you can create a rule that denies access to the entire list as a group.
To include any item in a rule, it must first be added to a list. The list can then be referenced in a rule. You can create a list that contains a single item.
About application lists
Create applications and application lists to allow or deny traffic to a group of applications.
An application is defined by a signature based on the protocols that it uses. Layer 7 inspection is used to identify matching applications.
The following parameters are used to define an application:
- Name: A unique name you define for the application
- Protocol: ICMP, or ICMPv6
- ICMP or ICMPv6 Type: For example, 0-Echo reply, 3-Destination unreachable, 5-Redirect, 8-Echo
- ICMP or ICMPv6 Code: For example, 0-Net unreachable, 1-Host unreachable, 2-Protocol unreachable, 3-Port unreachable
For more information about ICMP types and codes, see Internet Control Message Protocol (ICMP) Parameters.
- Maximum number of application lists for each policy: 2,500
- Maximum number of applications in a single list: 200
- Maximum total number of applications for a policy: 6,000
After you create applications, you can add them to an application list in the policy. You can't add applications from one policy to a list in a different policy. The application must be created within each policy you want to use it in.
To create an application list, see Create an Application List.
About service lists
Create services and service lists to allow or deny traffic to a group of services. A service is identified by a signature based on the ports that it uses. Layer 4 inspection is used to identify matching services.
- Name: A unique name that you define for the service.
- Protocol: TCP or UDP.
- Port range:A port number or range, for example, "1433," "80-8080," or "22-22." Each service can contain a maximum of 10 port ranges.
- Maximum number of service lists for each policy: 2,000
- Maximum number of services in a single list: 200
- Maximum total number of services for a policy: 1,900
After you create services, you can add them to a service list in the policy. You can't add services from one policy to a list in a different policy. The service must be created within each policy you want to use it in.
To create a service list, see Create a Service List.
About URL lists
Create URL lists to allow or deny traffic to a group of URLs. You can create up to 1,000 URL lists in a policy. Each list can contain a maximum of 1,000 URLs. Each URL is entered on its own line in the list. You can use wildcards such as asterisks (*) and caret (^) in a URL to customize matching. Don't enter protocol information such as http:// or https://.
-
An asterisk (*) wildcard indicates one or more variable subdomains. The entry matches any other subdomains at the beginning or end of the URL. For example:
*.example.com matches www.example.com, www.docs.example.com, and www.example.com.ua.
*.example.com/ matches www.example.com and www.docs.example.com but not www.example.com.ua.
- A caret (^) wildcard indicates a single variable subdomain. For example, mail.^.com matches mail.example.com but not mail.example.sso.com.
See also Examples of using wildcards in URL filtering profiles.
www.example.com
production1.example.com
production2.example.com
www.example.net
www.example.biz
[1080:0:0:0:8:800:200C:417A]:8080/index.html
1080:0:0:0:8:800:200C:417A/index.html
*.example.com
- Maximum number of URL lists for each policy: 1,000
- Maximum number of URLs in a single list: 1,000
- Maximum total number of URLs for a policy: 25,000
To create a URL list, see Create a URL List.
About address lists
Create a list of addresses that you want to allow or deny access to. You can specify individual IPv4 or IPv6 IP addresses, or use CIDR blocks in an IP address list. Each address is entered on its own line in the list.
FQDN addresses are available only for specific use cases. To use FQDN addresses for address lists, Create a service request.
Here's an example of an IP address list:
10.0.0.0/16
10.1.0.0/24
10.2.0.0/24
10.3.0.0/24
10.4.0.0/24
10.5.0.0/24
2001:DB8::/32
2603:c020:0:6a00::/56
2603:c020:0:6aa1::/64
Here's an example of an FQDN address list:
mymail.example1.edu
server.example.org
myhost.mydomain.net
database1.privatesubnet1.abccorpvcn1.oraclevcn.com
subneta.vcn1.oraclevcn.com
- Maximum number of address lists for each policy: 20,000 IP address lists, 2,000 FQDN lists
- Maximum number of addresses in a single list: 1,000
To create an address list, see Create an Address List.
About bulk importing lists
You can use a JSON file to bulk import address lists, URL lists, services and service lists, applications and application lists.
To bulk import a list, see Bulk Import Firewall Policy Components.