Creating a Network Firewall

Use the Network Firewall service to create a network firewall.

Before you begin, you'll need the following resources:
  • Required IAM Service Policy permissions for Network Firewall resources, and permission to work in the compartment you want to use.
  • A separate compartment for network firewalls and policies so that management is easier and more secure. A separate compartment is optional but recommended.
  • An Oracle Cloud Infrastructure (OCI) virtual cloud network (VCN) and subnets. For more information, see VCNs and Subnets.
  • A policy to attach to the firewall.

Important

  • For better performance, don't add stateful rules to the security list attached to the firewall subnet or include the firewall in a network security group (NSG) that contains stateful rules.
  • Security list or NSG rules associated with the firewall subnet and VNICs are evaluated before the firewall. Ensure that security list or NSG rules allow the traffic to enter the firewall so that it can be evaluated appropriately.
  • If the policy that you use with the firewall doesn't have any rules specified, the firewall denies all traffic.

    1. Open the navigation menu and click Identity & Security. Under Firewalls, click Network Firewalls.
    2. Click Create network firewall.
    3. Enter a descriptive name for the firewall. Avoid entering confidential information.
      If you don't enter a name, the service automatically generates one for you.
    4. Select a compartment to create the firewall in.
    5. Select a policy to associate with this firewall. If no policies are shown, change the compartment that you're working in or create a policy.
      Note

      If you associate this firewall with a new or upgraded policy, the firewall can only ever use new or upgraded policies. You can't later associate this firewall with an old, nonupgraded policy. See Upgrading a Policy.

    6. Select a VCN for the firewall.
    7. Select a subnet for the firewall. You can select a public or private subnet; both regional and availability-domain-specific subnets are supported.
    8. (Optional) Select I want to manually assign the IP address from the subnet to the firewall and enter an IPv4 address, an IPv6 address, or both. If you don't select this option, the IP address is automatically assigned.
    9. (Optional) Select Use network security groups to control traffic and choose an NSG to control traffic to and from the firewall. Click +Add another network security group to add more NSGs. For more information, see Network Security Groups.
    10. (Optional) Click Show advanced options and provide the following values:
      • On the Firewall Scope tab, select Deploy to a single Availability domain in the region to deploy the firewall to a specific Availability domain.

        Regional firewalls are deployed across all availability domains in a region. Availability domain-specific firewalls are deployed within a specific AD. See Regions and Availability Domains for more information.
        Important

        A firewall that is deployed to a single Availability domain can't be changed to regional later.
      • On the Tagging tab, create tags for the firewall. For more information, see Overview of Tagging.
    11. Click Create network firewall.

      A work request is created. To view the work request, under Resources, click Work requests. When the firewall is created, it appears as Active.

  • Use the network-firewall network-firewall create command and required parameters to create a network firewall.
    oci network-firewall network-firewall create --compartment-id compartment_id \
      --subnet-id subnet_id --network-firewall-policy-id network_firewall_policy_id [OPTIONS]

    For a complete list of flags and variable options for CLI commands, see the Command Line Reference.
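The following pre-flight script is an added example and is not Oracle's code. It turns the three Important notes above into checks that run against JSON captured from the CLI before the create command is issued: stateful rules in the firewall subnet's security list, a security list that admits no traffic, and a policy with no rules (which makes the firewall deny everything). It then assembles the create command as an argv list. The JSON shapes (a `data` object with `ingress-security-rules`/`egress-security-rules` entries carrying `is-stateless`, and `data.items` for the security-rule list), the optional flags `--display-name`, `--nsg-ids`, `--availability-domain` and `--wait-for-state`, and the sample documents and OCIDs are all assumptions made for this example; confirm the flags with `oci network-firewall network-firewall create --help`.

```python
"""Pre-flight checks before `oci network-firewall network-firewall create`.

Added example, not Oracle's code. The JSON shapes and optional CLI flags are
assumed from the OCI CLI's usual output and parameter conventions; the sample
documents below are constructed, not captured from a real tenancy.
"""
import json

# Constructed stand-in for: oci network security-list get --security-list-id <ocid>
SAMPLE_SECURITY_LIST = json.loads("""
{"data": {"display-name": "fw-subnet-seclist",
  "ingress-security-rules": [
    {"is-stateless": true,  "protocol": "all", "source": "10.0.0.0/16",
     "description": "stateless: hand all VCN traffic to the firewall"},
    {"is-stateless": false, "protocol": "6", "source": "0.0.0.0/0",
     "tcp-options": {"destination-port-range": {"min": 22, "max": 22}}}
  ],
  "egress-security-rules": [
    {"is-stateless": true, "protocol": "all", "destination": "0.0.0.0/0"}
  ]}}
""")

# Constructed stand-ins for: oci network-firewall security-rule list --network-firewall-policy-id <ocid>
SAMPLE_EMPTY_POLICY_RULES = json.loads('{"data": {"items": []}}')
SAMPLE_POLICY_RULES = json.loads(
    '{"data": {"items": [{"name": "allow-web", "action": "ALLOW"}]}}')


def stateful_rules(security_list):
    """Return (direction, rule) for every stateful rule in the security list.

    OCI treats a missing or false `is-stateless` as stateful, so only an
    explicit true counts as stateless.
    """
    data = security_list["data"]
    found = []
    for direction, key in (("ingress", "ingress-security-rules"),
                           ("egress", "egress-security-rules")):
        for rule in data.get(key) or []:
            if rule.get("is-stateless") is not True:
                found.append((direction, rule))
    return found


def policy_rule_count(rule_list):
    """Number of security rules in the policy (assumed `data.items` shape)."""
    return len(rule_list["data"].get("items") or [])


def preflight(security_list, rule_list):
    """Collect warnings derived from the page's Important notes; empty list means proceed."""
    problems = []
    for direction, rule in stateful_rules(security_list):
        problems.append(f"stateful {direction} rule on the firewall subnet "
                        f"(hurts performance): {json.dumps(rule, sort_keys=True)}")
    if not security_list["data"].get("ingress-security-rules"):
        problems.append("security list admits no ingress traffic; "
                        "nothing will reach the firewall for evaluation")
    if policy_rule_count(rule_list) == 0:
        problems.append("policy has no rules; the firewall will deny all traffic")
    return problems


def build_create_command(compartment_id, subnet_id, policy_id, display_name=None,
                         nsg_ids=(), availability_domain=None, wait=True):
    """Assemble the CLI invocation as an argv list.

    Only --compartment-id, --subnet-id and --network-firewall-policy-id are
    required; the other flags are assumed from the CLI reference.
    """
    argv = ["oci", "network-firewall", "network-firewall", "create",
            "--compartment-id", compartment_id,
            "--subnet-id", subnet_id,
            "--network-firewall-policy-id", policy_id]
    if display_name:
        argv += ["--display-name", display_name]
    if nsg_ids:
        argv += ["--nsg-ids", json.dumps(list(nsg_ids))]  # complex type: JSON array
    if availability_domain:  # omit for a regional firewall; AD-scoped can't become regional later
        argv += ["--availability-domain", availability_domain]
    if wait:
        argv += ["--wait-for-state", "ACTIVE"]  # block until the work request completes
    return argv


if __name__ == "__main__":
    # Hypothetical OCIDs for illustration only.
    for p in preflight(SAMPLE_SECURITY_LIST, SAMPLE_EMPTY_POLICY_RULES):
        print("WARN:", p)
    print(" ".join(build_create_command("ocid1.compartment.oc1..example",
                                        "ocid1.subnet.oc1..example",
                                        "ocid1.networkfirewallpolicy.oc1..example",
                                        display_name="fw-hub")))
```

Run the script, feed it the real `oci network security-list get` and `oci network-firewall security-rule list` output instead of the constructed samples, and only execute the assembled command once `preflight` returns nothing. The stateful SSH rule in the sample is the kind of entry that belongs on the workload subnets, not on the firewall subnet.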

  • Use the CreateNetworkFirewall operation to create a network firewall.