Overview of Network Firewalls
Learn about the Network Firewall Service.
Oracle Cloud Infrastructure Network Firewall is a next-generation managed network firewall and intrusion detection and prevention service for your Oracle Cloud Infrastructure VCN, powered by Palo Alto Networks®. The Network Firewall service offers simple setup and deployment and gives you visibility into traffic entering your cloud environment (north-south network traffic) as well as traffic between subnets (east-west network traffic).
Use network firewall and its advanced features together with other Oracle Cloud Infrastructure security services to create a layered network security solution.
A network firewall is a highly available and scalable instance that you create in the subnet of your choice. The firewall applies business logic to traffic that is specified in an attached firewall policy. Routing in the VCN is used to direct network traffic to and from the firewall.
Security Features
- Stateful network filtering: Create stateful network filtering rules that allow or deny network traffic based on source IP (IPv4 and IPv6), destination IP (IPv4 and IPv6), port, and protocol.
- Custom URL and FQDN filtering: Restrict ingress and egress traffic to a specified list of fully qualified domain names (FQDNs), including wildcards and custom URLs.
- Intrusion Detection and Prevention (IDPS): Monitor your network for malicious activity. Log information, report, or block the activity.
- SSL inspection: Decrypt and inspect TLS-encrypted traffic for security vulnerabilities, with support for ESNI. Encrypted Server Name Indication (ESNI) is a TLSv1.3 extension that encrypts the Server Name Indication (SNI) in the TLS handshake.
- Intra-VCN subnet traffic inspection: Route traffic between two VCN subnets through a network firewall.
- Inter-VCN traffic inspection: Route traffic between two VCNs through a network firewall.
Network Firewall Use Cases
Here are some common use cases for network firewall. Each scenario uses intra-VCN routing to route traffic to the firewall. See Intra-VCN Routing for more information.
Securing traffic between an on-premises network and a VCN
Destination CIDR | Route target
--- | ---
0.0.0.0/0 | Network Firewall (10.0.2.2)

Destination CIDR | Route target
--- | ---
0.0.0.0/0 | DRG

Destination CIDR | Route target
--- | ---
0.0.0.0/0 | Network Firewall (10.0.2.2)
Securing traffic between the internet and a VCN
In this example, routing is configured from the internet to the firewall. Traffic is routed from the IGW, through the firewall, and then from the firewall subnet to a public subnet.
Destination CIDR | Route target
--- | ---
VCN (10.0.0.0/16) | Network Firewall (10.0.2.2)

Destination CIDR | Route target
--- | ---
0.0.0.0/0 | IGW

Destination CIDR | Route target
--- | ---
0.0.0.0/0 | Network Firewall (10.0.2.2)
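The following added example is not part of the Oracle documentation: it encodes the three route tables of this internet-to-VCN scenario as constructed data and checks, with longest-prefix matching, that both inbound and outbound traffic actually traverse the firewall rather than bypassing it. The assignment of each table to the internet gateway, the firewall subnet and the public subnet, and the helper names, are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed sample route tables mirroring the three tables above.
# Which table belongs to the IGW, the firewall subnet and the public
# subnet is an assumption, not stated by the page.
FIREWALL_IP = "10.0.2.2"
ROUTE_TABLES = {
    "igw": [{"destination": "10.0.0.0/16", "target": f"Network Firewall ({FIREWALL_IP})"}],
    "firewall_subnet": [{"destination": "0.0.0.0/0", "target": "IGW"}],
    "public_subnet": [{"destination": "0.0.0.0/0", "target": f"Network Firewall ({FIREWALL_IP})"}],
}


def is_firewall_target(target: str, firewall_ip: str) -> bool:
    """True when a route target is the network firewall's private IP."""
    return target.startswith("Network Firewall") and firewall_ip in target


def longest_match(rules, addr):
    """Return the most specific rule covering addr (longest-prefix match), or None."""
    ip = ip_address(addr)
    best = None
    for rule in rules:
        net = ip_network(rule["destination"])
        if ip in net and (best is None or net.prefixlen > ip_network(best["destination"]).prefixlen):
            best = rule
    return best


def check_inspection_path(tables, firewall_ip, probe_in="10.0.1.10", probe_out="203.0.113.5"):
    """Return a list of findings; an empty list means both directions pass through the firewall.

    probe_in is a constructed VCN host address, probe_out a constructed internet address.
    """
    findings = []
    # Inbound: the IGW must hand VCN-bound traffic to the firewall, not deliver it directly.
    rule = longest_match(tables["igw"], probe_in)
    if rule is None or not is_firewall_target(rule["target"], firewall_ip):
        findings.append("inbound: IGW route table does not send VCN traffic to the firewall")
    # Outbound: the public subnet must send its traffic to the firewall first ...
    rule = longest_match(tables["public_subnet"], probe_out)
    if rule is None or not is_firewall_target(rule["target"], firewall_ip):
        findings.append("outbound: public subnet bypasses the firewall")
    # ... and the firewall subnet must forward it on to the IGW, not back to the firewall.
    rule = longest_match(tables["firewall_subnet"], probe_out)
    if rule is None or rule["target"] != "IGW":
        findings.append("outbound: firewall subnet does not forward to the IGW")
    return findings
```

A more specific route (for example a /24 pointing straight at the IGW) in the public subnet's table wins the longest-prefix match and is reported as a bypass even though the default route still targets the firewall.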
Securing traffic between subnets in a VCN
In this example, routing is configured from a subnet to the firewall. Traffic is routed from Subnet A, through the firewall, and then from the firewall subnet to Subnet B.
Network Firewall Concepts
- firewall
- A security resource that exists in a subnet of your choice and controls incoming and outgoing network traffic based on a set of security rules. Traffic is routed to and from the firewall by resources such as internet gateways and dynamic routing gateways (DRGs). To create a firewall, you must have at least one policy that you can attach to the firewall. If you're using the Console, you can create a policy as part of the workflow.
- policy
- A policy contains all the configuration used by a firewall to process network traffic. A policy contains rules that control how the firewall inspects, allows, or denies network traffic. Rule components like lists, secrets, and decryption profiles help you build rules for the policy. A policy can be associated with one or more firewalls.
- availability domain
- The Oracle Cloud Infrastructure data center within your geographical region that hosts cloud resources. For more information, see Regions and Availability Domains. A firewall exists in a single availability domain in a region.
- north-south network traffic
- Traffic that enters your network from an external source. See North-south network traffic.
- east-west network traffic
- Traffic that travels between workloads and subnets within a VCN. See East-west network traffic.
- DMZ (demilitarized zone)
- A subnet that contains a firewall and adds a layer of security to the network.
Ways to Access Network Firewall
You can access Oracle Cloud Infrastructure using the Console (a browser-based interface), or the REST API. Instructions for the Console and API are included in topics throughout this guide.
To access the Console, you must use a supported browser. You can use the Console link at the top of this page to go to the sign-in page. Enter your tenancy, user name, and your password.
Authentication and Authorization
Each service in Oracle Cloud Infrastructure integrates with IAM for authentication and authorization, for all interfaces (the Console, SDK or CLI, and REST API).
An administrator in your organization needs to set up groups, compartments, and policies that control which users can access which services, which resources, and the type of access. For example, the policies control who can create new users, create and manage the cloud network, launch instances, create buckets, download objects, and so on.
If you’re a regular user (not an administrator) who needs to use the Oracle Cloud Infrastructure resources that your company owns, contact your administrator to set up a user ID for you. The administrator can confirm which compartment or compartments you should be using.
Required IAM Service Policy
To use Oracle Cloud Infrastructure Network Firewall, you must be given access in a policy. If you try to perform an action and get a message that you don't have permission or are unauthorized, confirm with your administrator the type of access you've been granted and which compartment you should work in.
Policy examples:
- For Administrators: To give a group access to Network Firewall resources, use
Allow group <GroupName> to manage network-firewall-family in compartment <CompartmentName>
If you're new to policies, see Getting Started with Policies. For more details about policies for Network Firewall, see Network Firewall Identity and Access Management (IAM) Policies.
Moving Firewalls and Policies to a Different Compartment
You can move network firewalls and policies from one compartment to another. After you move a firewall or policy to the new compartment, the IAM policies that apply to that compartment take effect immediately and affect access to the firewall or policy through the Console, SDK or CLI. For more information, see Managing Compartments.
Monitoring Resources
You can monitor the health, capacity, and performance of your Oracle Cloud Infrastructure resources by using metrics, alarms, and notifications. For more information, see Monitoring and Notifications.
Creating Automation with Events
Tagging Resources
You can apply tags to your resources to help you organize them according to your business needs. You can apply tags at the time you create a resource, or you can update the resource later with the wanted tags. For general information about applying tags, see Overview of Tagging.
Next Steps
- (Optional) Review and understand Network Policy Rules and Rule Components.
- (Optional) If you plan on using SSL forward proxy or SSL inbound inspection, see Setting up Certificate Authentication.
- Create a network firewall policy.
- Create a network firewall.
- Route traffic to the network firewall.