Creating a Security Rule

Create security rules that contain a set of criteria against which a network packet is matched and then allowed or blocked.

Before you can create a security rule:

See Creating Network Firewall Policy Components for more information.

The specified source and destination match condition for the traffic consists of lists that you configure in the policy before you construct the rule. You can create a maximum of 10,000 security rules for each policy.
Important

If no match criteria are defined in the security rule (an empty list is specified for the rule), then the rule matches to wildcard ("any") criteria. This behavior applies to all traffic examined in the rule.
The rule action defines how the firewall handles the packet if it matches the specified conditions. The firewall can perform the following actions:
  • Allow traffic: The traffic is allowed to proceed.
  • Drop traffic: The traffic is dropped silently, no notification of reset is sent.
  • Intrusion detection: Logs the traffic
  • Intrusion prevention: Blocks the traffic.
    Important

    If you want to use intrusion detection and prevention, you must also enable logging. See Logs.
  • Reject traffic: The traffic is dropped and a reset notification is sent.

You can create security rules one at a time, or you can import many at once using a .json file. See Bulk Importing Network Firewall Policy Components more information.

    1. Open the navigation menu and click Identity & Security. Under Firewalls, click Network Firewall Policies.
    2. Click on a policy in the list.
    3. In Policy resources, click on Security rules.
    4. Click Create security rule.
    5. Enter the information for the security rule:
      • Name: Enter a friendly name for the security rule. Avoid entering confidential information.
      • Match condition: Specify that the rule matches Any address, application, service, or URL. Alternatively, specify source and destination addresses, applications, services, or URLs that much match for the rule to take effect. You can select any of the lists you created. If you haven't previously created any lists, click Create address list, Create application list, Create service list, or Create URL list and use these instructions to create one.
      • Rule action: Specify the action that you want to take if the match condition is met:
        • Allow traffic: The traffic is allowed to proceed.
        • Drop traffic: The traffic is dropped silently, no notification of reset is sent.
        • Intrusion detection: Logs the traffic
        • Intrusion prevention: Blocks the traffic.
          Important

          If you want to use intrusion detection and prevention, you must also enable logging. See Logs.
        • Reject traffic: The traffic is dropped and a reset notification is sent.
      • Rule order: Select the position of the rule in relation to other security rules in the policy. The firewall will apply the security rules in the specified order from first to last. You can specify the following rule positions:
        • First rule in the list
        • Last rule in the list
        • Custom position
        If you select Custom position, specify whether you want this rule to come Before an existing rule, or After an existing rule. Then, specify the existing rule you want the new rule to come before or after.
    6. Click Create security rule.
  • Use the network-firewall security-rule create command and required parameters to create a decryption rule:

    oci network-firewall security-rule create --name my_security_rule --network-firewall-policy-id network firewall policy OCID
    --action ALLOW --condition '[{"sourceAddress":"IP_address"}]' ...[OPTIONS]

    For a complete list of parameters and values for CLI commands, see the CLI Command Reference.

  • Run the CreateSecurityRule operation to create a security rule.