Create a Tunnel Inspection Rule

Create tunnel inspection rules that contain a set of criteria against which a network packet is matched and then inspected.

Before you can create a tunnel inspection rule:

The specified source and destination match condition for the traffic consists of lists that you configure in the policy before you construct the rule. You can create a maximum of 500 tunnel inspection rules for each policy.

When the specified source and destination match condition is met, the firewall applies a default Palo Alto Networks® tunnel inspection profile. The profile has the following characteristics, and isn't editable:

  • Protocol: VXLAN
  • Maximum Tunnel Inspection Levels: One level of encapsulation is inspected
  • Return scanned VXLAN tunnel to source: True. Returns the encapsulated packet to the originating VXLAN tunnel endpoint (VTEP).
    1. On the navigation menu, select Identity & Security. Go to Firewalls, select Network Firewall Policies.
    2. Select the policy.
    3. Under Policy resources, select Tunnel inspection rules.
    4. Select Create tunnel inspection rule.
    5. Enter information for the security rule:
      • Name: Enter a name for the tunnel inspection rule.
      • Match condition: Specify source and destination addresses that much match for the rule to take effect. You can select any of the address lists you created. If you haven't already created any address lists, select Create address list and use these instructions to create one.
      • Rule order: Select the position of the rule in relation to other tunnel inspection rules in the policy. The firewall applies the tunnel inspection rules in the specified order from first to last. You can specify the following rule positions:
        • First rule in the list
        • Last rule in the list
        • Custom position (Only enabled if you create more than one tunnel inspection rule.)
        If you select Custom position, specify whether you want this rule to come Before an existing rule, or After an existing rule. Then, specify the existing rule you want the new rule to come before or after.
    6. Select Create tunnel inspection rule.
  • Use the <<CLI LINK PLACEHOLDER>> command and required parameters to create a tunnel inspection rule:

    oci network-firewall tunnel-inspection-rule create --name my_tunnel-inspection_rule --network-firewall-policy-id network firewall policy OCID
    --condition '[{"sourceAddress":"IP_address"},{"destinationAddress":"IP_address"}]' ...[OPTIONS]

    For a complete list of parameters and values for CLI commands, see the CLI Command Reference.

  • Run the <<<API LINK PLACEHOLDER>> operation to create a tunnel inspection rule.