Setting Up Network Traffic Decryption and Inspection
Set up certificate authentication and Vault secrets to decrypt and inspect network traffic.
Vault secrets are used to decrypt and inspect SSL/TLS traffic.
SSL inbound inspection decrypts and inspects inbound SSL/TLS traffic from a client to a targeted network server. For more information on SSL inbound inspection, see SSL Inbound Inspection.
SSL forward proxy decrypts and inspects SSL/TLS traffic from internal users to the web. Only one SSL forward proxy secret is allowed for each firewall policy. For more information on SSL forward proxy, see SSL Forward Proxy.
After you create a firewall policy, you'll create a mapped secret to map the Vault secret to an inbound or outbound SSL key. Then you'll create a decryption profile to control how SSL forward proxy and SSL inbound inspection perform session mode checks, server checks, and failure checks.
For more information about how the certificate is used with a firewall policy, see Mapped Secrets and Decryption Profiles.
Create an IAM policy to allow the firewall policy to access and use Vault secrets. Use one of the following statements. The first lets any network firewall policy in the compartment read secrets:

Allow any-user to read secret-family in compartment <compartment_ID> where ALL {request.principal.type='networkfirewallpolicy'}

The second is the least-privilege form: it grants access to a single firewall policy, identified by its OCID:

Allow any-user to read secret-family in compartment <compartment_ID> where ALL {request.principal.type='networkfirewallpolicy', request.principal.id='<Network Firewall Policy OCID>'}
If this permission is revoked later, the firewall will stop decrypting traffic because the service won't be able to access the mapped secret.
These policies replace the deprecated policy to access Vault secrets:
allow service ngfw-sp-prod to read secret-family in compartment <compartment_name>
- Create a vault to store the certificate in.
- Create a master encryption key in the vault.

Important: The master key must be a symmetric key. You can't encrypt secrets with asymmetric keys.
You can use a self-signed or CA-signed certificate with the OCI Network Firewall service.
- The Network Firewall service validates the provided certificate and stores it in the trust root. To validate the certificate, provide the entire SSL certificate chain: the root certificate, the intermediate certificates, the leaf certificate and its private key. Upload the certificates in .pem format, wrapped in the following .json template. Because JSON strings can't contain raw line breaks, each PEM line break must appear as \n inside its string.
- If the leaf certificate specified in "certKeyPair" is a forward-trust certificate, it must have Certificate Authority signing capability: set its CA flag to "true". In this example, if "LEAF_CERT_01_PEM_CONTENT" is a forward-trust certificate, its CA flag must be set to "true".

{
  "caCertOrderedList": [
    "ROOT_CERT01_PEM_CONTENT",
    "INTERMEDIATE_CERT01_PEM_CONTENT",
    "INTERMEDIATE_CERT02_PEM_CONTENT"
  ],
  "certKeyPair": {
    "cert": "LEAF_CERT_01_PEM_CONTENT",
    "key": "PRIVATE_KEY_01_PEM_CONTENT"
  }
}
- Download and install OpenSSL.
- Download and install Perl.
- Download the script from the Oracle GitHub repository.
- Run the script with the mode you need. Replace <test.test.com> with the DNS name of the web server you need to protect:

./create-certificate inbound <test.test.com>

or

./create-certificate forward <test.test.com>
Create a secret in the vault for each certificate you want to use.
- Open the navigation menu, go to Identity & Security, and then select Vault.
- Under List Scope, in the Compartment list, select the compartment.
- Choose the vault you created in Task 2: Create a vault and master key to store the certificate.
- Select Secrets, and then select Create Secret.
- In the Create Secret dialog box, choose a compartment from the Create in Compartment list. (Secrets can exist outside the compartment the vault is in.)
- Select Name, and then enter a name. Use a name that corresponds to the type of certificate the secret contains. For example, "ssl-inbound-inspection-certificate."
- Select Description, and then enter a description.
- Choose the master encryption key you created in Task 2: Create a vault and master key to store the certificate.
- Specify the format of the secret contents as Plain-Text.
- Select Secret Contents, and then paste the .json-wrapped certificate contents into the field. (The maximum allowable size for a secret bundle is 25 KB.)
- Select Create Secret.