Network Firewall Quick Start Guide

Learn how to get started using the Network Firewall service.


  • Required IAM Service Policy permissions for Network Firewall, and permission to work in the compartment you want to use.
  • A separate compartment for network firewalls and policies so that management is easier and more secure. This is optional, but recommended by Oracle.
  • An Oracle Cloud Infrastructure VCN and subnets. For more information, see VCNs and Subnets.
  • IP addresses, ports, and URLs that you want to allow or deny access to.
  • (Optional, for certificate authentication) Access to and IAM permissions for the OCI Vault service.

1. (Optional) Set Up Certificate Authentication

To use decryption rules in a firewall, you must set up mapped secrets to use in a decryption profile contained in the attached policy. You need to be signed up for the OCI Vault service to use certificate authentication.

2. Create a Policy

Create a policy to contain all the rules that control how the firewall inspects, allows, or denies network traffic.

3. (Optional) Create Policy Components and Rules

Use policy components such as lists and profiles to help you build rules. You can use application lists, service lists, URL lists, and address lists to build security and decryption rules. Use mapped secrets to with decryption profiles to define rule actions in decryption rules. Decryption rules are enforced before security rules. If you don't create rules in a policy, then any network firewall it's attached to denies all traffic by default.

4. Create a Firewall and Attach the Policy

The firewall exists in a subnet of choice and controls incoming and outgoing network traffic based on the security rules in an attached policy. If no rules exist in the attached policy, the firewall denies all traffic by default.

5. Route Network Traffic to the Firewall

After the network firewall is created, route traffic to it.