Creating a Decryption Rule

Create decryption rules that contain a set of criteria against which a network packet is matched and decrypted.

Before you can create a decryption rule:

See Creating Network Firewall Policy Components for more information.

When the specified source and destination match condition is met, the firewall takes the Rule Action. You can choose to:
  • Decrypt with SSL forward proxy
  • Decrypt with SSL inspection
  • Don't decrypt the traffic.

If you choose to decrypt, you then choose a decryption profile and mapped secret to apply when decrypting traffic. You configure decryption profiles and mapped secrets in the policy before you construct the rule.

You can have a maximum of 1,000 decryption rules for each policy. By default, each new rule you create becomes the first in the list. You can change the order of priority.

You can create decryption rules one at a time, or you can import many at once using a .json file. See Bulk Importing Network Firewall Policy Components more information.

    1. Open the navigation menu and click Identity & Security. Under Firewalls, click Network Firewall Policies.
    2. Click on a policy in the list.
    3. In Policy resources, click on Decryption rules.
    4. Click Create decryption rule.
    5. Enter the information for the decryption rule:
      • Name: Enter a friendly name for the decryption rule. Avoid entering confidential information.
      • Match condition: Specify source and destination addresses that much match for the rule to take effect. You can select any of the address lists you created. If you haven't previously created any address lists, click Create address list and use these instructions to create one.
      • Rule action: Specify the action that you want to take if the match condition is met:
        • Decrypt with SSL forward proxy
        • Decrypt with SSL inbound inspection
        • Do not decrypt
      • Rule order: Select the position of the rule in relation to other decryption rules in the policy. The firewall will apply the decryption rules in the specified order from first to last. You can specify the following rule positions:
        • First rule in the list
        • Last rule in the list
        • Custom position
        If you select Custom position, specify whether you want this rule to come Before an existing rule, or After an existing rule. Then, specify the existing rule you want the new rule to come before or after.
    6. Click Create decryption rule.
  • Use the network-firewall decryption-rule create command and required parameters to create a decryption rule:

    oci network-firewall decryption-rule create --name my_decryption_rule --network-firewall-policy-id network firewall policy OCID
    --decryption-profile decryption_profile --action DECRYPT --condition '[{"sourceAddress":"IP_address"}]' ...[OPTIONS]

    For a complete list of parameters and values for CLI commands, see the CLI Command Reference.

  • Run the CreateDecryptionRule operation to create a decryption rule.