Create a Tunnel Inspection Rule

Create tunnel inspection rules that contain a set of criteria against which a network packet is matched and then inspected.

Before you can create a tunnel inspection rule:

Create address lists to use when creating the rule.

The specified source and destination match condition for the traffic consists of lists that you configure in the policy before you construct the rule. You can create a maximum of 500 tunnel inspection rules for each policy.

When the specified source and destination match condition is met, the firewall applies a default Palo Alto Networks® tunnel inspection profile. The profile has the following characteristics, and isn't editable:

Protocol: VXLAN
Maximum Tunnel Inspection Levels: One level of encapsulation is inspected
Return scanned VXLAN tunnel to source: True. Returns the encapsulated packet to the originating VXLAN tunnel endpoint (VTEP).

1. On the navigation menu, click Identity & Security. Under Firewalls, click Network Firewall Policies.
2. Click the policy.
3. Under Policy resources, click Tunnel inspection rules.
4. Click Create tunnel inspection rule.
5. Enter the information for the security rule:
  
  Name: Enter a friendly name for the tunnel inspection rule. Avoid entering confidential information.
  
  Match condition: Specify source and destination addresses that much match for the rule to take effect. You can select any of the address lists you created. If you haven't already created any address lists, click Create address list and use these instructions to create one.
  
  Rule order: Select the position of the rule in relation to other tunnel inspection rules in the policy. The firewall applies the tunnel inspection rules in the specified order from first to last. You can specify the following rule positions:
  
  First rule in the list
  
  Last rule in the list
  
  Custom position (Only enabled if you create more than one tunnel inspection rule.)
  
  If you select Custom position, specify whether you want this rule to come Before an existing rule, or After an existing rule. Then, specify the existing rule you want the new rule to come before or after.
6. Click Create tunnel inspection rule.

Use the <<CLI LINK PLACEHOLDER>> command and required parameters to create a tunnel inspection rule:

oci network-firewall tunnel-inspection-rule create --name my_tunnel-inspection_rule --network-firewall-policy-id network firewall policy OCID
--condition '[{"sourceAddress":"IP_address"},{"destinationAddress":"IP_address"}]' ...[OPTIONS]

For a complete list of parameters and values for CLI commands, see the CLI Command Reference.

Run the <<<API LINK PLACEHOLDER>> operation to create a tunnel inspection rule.

Oracle Cloud Infrastructure Documentation

Create a Tunnel Inspection Rule