Overview of Network Firewall

Learn about the Network Firewall Service.

Oracle Cloud Infrastructure Network Firewall is a next-generation managed network firewall and intrusion detection and prevention service for Oracle Cloud Infrastructure VCNs, powered by Palo Alto Networks®. The Network Firewall service gives you visibility into traffic entering cloud environments (North-south network traffic) as well as traffic between subnets (East-west network traffic).

Use network firewall and its advanced features together with other Oracle Cloud Infrastructure security services to create a layered network security solution.

A network firewall is a highly available and scalable instance that you create in the subnet of choice. The firewall applies business logic specified in an attached firewall policy to the network traffic. Routing in the VCN is used to direct traffic to and from the firewall.

By default, the Network Firewall service provides a throughput rate of 4 Gbps. However, you can request an increase to 25 Gbps. To request an increase, open a support request.

Security Features

Oracle Cloud Infrastructure Network Firewall provides the following security features:
  • Stateful network filtering: Create stateful network filtering rules that allow or deny network traffic based on source IP (IPv4 and IPv6), destination IP (IPv4 and IPv6), port, and protocol.
  • Custom URL and FQDN filtering: Restrict ingress and egress traffic to a specified list of fully qualified domain names (FQDNs), including wild cards and custom URLs.
  • Intrusion Detection and Prevention (IDPS): Monitor networks for malicious activity. Log information, report, or block the activity.
  • SSL inspection: Decrypt and inspect TLS-encrypted traffic for security vulnerabilities, with ESNI support. Encrypted Server Name Indication (ESNI) is a TLSv1.3 extension that encrypts the Server Name Indication (SNI) in the TLS handshake.
  • Intra VCN subnet traffic inspection: Route traffic between two VCN subnets through a network firewall.
  • Inter VCN traffic inspection: Route traffic between two VCNs through a network firewall.

Network Firewall Use Cases

Here are some common use cases for network firewall. Each scenario uses intra VCN routing to route traffic to the firewall. See Intra VCN Routing for more information.

Securing traffic between an on-premises network and a VCN

In this example, routing is configured from an on-premises network through a dynamic routing gateway (DRG) to the firewall. Traffic is routed from the DRG, through the firewall, and then from the firewall subnet to a private subnet.
Diagram of routing from a DRG through a firewall, and then to a private subnet.

Callout 1: Dynamic routing gateway (DRG) route table
  Destination CIDR     Route target
  0.0.0.0/0            Network Firewall (10.0.2.2)

Callout 2: DMZ subnet route table
  Destination CIDR     Route target
  0.0.0.0/0            DRG

Callout 3: DMZ subnet route table
  Destination CIDR     Route target
  0.0.0.0/0            Network Firewall (10.0.2.2)

Securing traffic between the internet and a VCN

In this example, routing is configured from the internet to the firewall. Traffic is routed from the IGW, through the firewall, and then from the firewall subnet to a public subnet.

This diagram shows routing from the internet, through a firewall, and then to a public subnet.

Callout 1: Internet gateway (IGW) route table
  Destination CIDR     Route target
  VCN (10.0.0.0/16)    Network Firewall (10.0.2.2)

Callout 2: Public DMZ subnet route table
  Destination CIDR     Route target
  0.0.0.0/0            IGW

Callout 3: Public subnet route table
  Destination CIDR     Route target
  0.0.0.0/0            Network Firewall (10.0.2.2)

Securing traffic between subnets in a VCN

In this example, routing is configured from a subnet to the firewall. Traffic is routed from Subnet A, through the firewall, and then from the firewall subnet to Subnet B.

This diagram shows routing from Subnet A, through a firewall, and then to Subnet B.

Callout 1: Regional private subnet A route table
  Destination CIDR          Route target
  Subnet B (10.0.1.0/24)    Network Firewall (10.0.2.2)

Callout 2: Regional private subnet B route table
  Destination CIDR          Route target
  Subnet A (10.0.3.0/24)    Network Firewall (10.0.2.2)
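
The two route tables of this use case can be checked mechanically for paths that skip the firewall. The following Python is an added example, not Oracle code and not an OCI API: it models each route table as a dictionary, resolves destinations by longest-prefix match, and assumes that a destination with no matching rule is delivered by local VCN routing. The BROKEN and SHADOWED tables and the "hypothetical gateway" target are constructed for illustration.

```python
import ipaddress

FIREWALL = "Network Firewall (10.0.2.2)"
LOCAL = "local VCN routing"  # assumption: no matching rule means direct delivery

# Route tables from the two callouts of the subnet-to-subnet use case.
TABLES = {
    "Subnet A": {"cidr": "10.0.3.0/24", "routes": {"10.0.1.0/24": FIREWALL}},
    "Subnet B": {"cidr": "10.0.1.0/24", "routes": {"10.0.3.0/24": FIREWALL}},
}
# Constructed misconfigurations: a missing return rule, and a more specific
# rule that shadows half of Subnet B.
BROKEN = {**TABLES, "Subnet B": {"cidr": "10.0.1.0/24", "routes": {}}}
SHADOWED = {**TABLES, "Subnet A": {"cidr": "10.0.3.0/24", "routes": {
    "10.0.1.0/24": FIREWALL, "10.0.1.128/25": "hypothetical gateway"}}}

def next_hop(routes, dst_ip):
    """Longest-prefix match of dst_ip against a {cidr: target} route table."""
    dst = ipaddress.ip_address(dst_ip)
    hits = [(ipaddress.ip_network(c), t) for c, t in routes.items()
            if dst in ipaddress.ip_network(c)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else LOCAL

def bypassing(tables, src, dst):
    """Addresses in dst's CIDR that src reaches without crossing the firewall."""
    routes = tables[src]["routes"]
    return [str(ip) for ip in ipaddress.ip_network(tables[dst]["cidr"])
            if next_hop(routes, ip) != FIREWALL]

def audit(tables, a, b):
    """Findings for traffic between subnets a and b, checked in both directions."""
    findings = []
    for src, dst in ((a, b), (b, a)):
        missed = bypassing(tables, src, dst)
        if missed:
            findings.append(f"{src} -> {dst}: {len(missed)} addresses bypass the firewall")
    if len(findings) == 1:
        # A stateful firewall needs both directions of a flow to track it.
        findings.append("asymmetric path: the firewall sees only one direction")
    return findings

if __name__ == "__main__":
    for name, tables in (("page", TABLES), ("broken", BROKEN), ("shadowed", SHADOWED)):
        print(name, audit(tables, "Subnet A", "Subnet B") or "all traffic inspected")
```
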

Regions and Availability Domains

You can use the Network Firewall service in all regions. For a list of supported regions and general information, see Regions and Availability Domains.

When you create a firewall, you can create it in a region or a specific availability domain within a region. The default when you create a firewall is regional.

When planning a network firewall, be sure to take the following factors into consideration:
  • Regional firewall instances are distributed across all availability domains in the region, which reduces the risk of AD failure.
  • Regional firewalls are high-availability, and have high fault tolerance.
  • Using regional firewalls might add minor inter-availability-domain latencies. For example, if the client or server is in a different availability domain than the firewall instance, there can be latency in milliseconds. If the client or server is in the same availability domain as the firewall instance, then latency is in microseconds.
  • Availability domain-specific firewall instances are distributed across many fault domains within a single specified availability domain.
  • Availability domain-specific firewalls might cause redirection of traffic if it comes from a regional subnet.

Network Firewall Concepts

Following are brief descriptions of key concepts and the main components of Network Firewall:
firewall
A security resource that exists in a chosen subnet and controls incoming and outgoing network traffic based on a set of security rules. Traffic is routed to and from the firewall from resources such as internet gateways and dynamic routing gateways (DRGs). To create a firewall, you must have at least one policy that you can attach to the firewall. For information about how to create and manage this resource, see Firewalls.
policy
A policy contains the rules that control how an associated firewall inspects, allows, or denies network traffic. Rule components such as lists, secrets, and decryption profiles help you build rules for the policy. You can associate a policy to many firewalls. Policies that are associated with one or more firewalls can't be deleted. To delete the policy, first associate the firewall to a different policy, then delete the original policy. For information about how to create and manage this resource, see Policies and Creating Network Firewall Policy Components.
availability domain
The Oracle Cloud Infrastructure data center within a geographical region that hosts cloud resources. For more information, see Regions and Availability Domains. A firewall exists in a single availability domain in a region.
north-south network traffic
Traffic that enters the network from an external source. See North-south network traffic.
east-west network traffic
Traffic that travels between workloads and subnets within a VCN. See East-west network traffic.
DMZ (demilitarized zone)
A subnet that contains a firewall and adds a layer of security to the network.

Ways to Access Network Firewall

You can access Oracle Cloud Infrastructure using the Console (a browser-based interface), or the REST API. Instructions for the Console and API are included in topics throughout this guide.

To access the Console, you must use a supported browser. You can use the Console link at the top of this page to go to the sign-in page. Enter tenancy, username, and password.

Authentication and Authorization

Each service in Oracle Cloud Infrastructure integrates with IAM for authentication and authorization, for all interfaces (the Console, SDK or CLI, and REST API).

An administrator in your organization needs to set up groups, compartments, and policies that control which users can access which services, which resources, and the type of access. For example, the policies control who can create new users, create and manage the cloud network, create instances, create buckets, download objects, and so on. See How Policies Work for more information.

If you're a regular user (not an administrator) who needs to use the Oracle Cloud Infrastructure resources that your company owns, contact an administrator to set up a user ID for you. The administrator can confirm which compartment or compartments you can use.

Moving Firewalls and Policies to a Different Compartment

You can move network firewalls and policies from one compartment to another. After you move a firewall or policy to the new compartment, inherent policies apply immediately and affect access to the firewall or policy through the Console, SDK or CLI. For more information, see Managing Compartments.

Monitoring Resources

You can monitor the health, capacity, and performance of your Oracle Cloud Infrastructure resources by using metrics, alarms, and notifications. For more information, see Monitoring and Notifications.

For information about available Network Firewall service metrics and how to view them, see Metrics.

Creating Automation with Events

You can create automation based on state changes for your Oracle Cloud Infrastructure resources by using event types, rules, and actions. For more information, see Overview of Events.

Tagging Resources

You can apply tags to your resources to help you organize them according to your business needs. You can apply tags at the time you create a resource, or you can update the resource later with the wanted tags. For general information about applying tags, see Overview of Tagging.