Oracle Cloud Infrastructure Documentation

Templates for Importing Firewall Policy Components

Download JSON file templates and use them to import network firewall policy components such as address lists, URL lists, services and service lists, applications and application lists, decryption rules and profiles, mapped secrets, NAT rules, and security rules.

JSON templates help you to bulk import network firewall policy components such as address lists, URL lists, services and service lists, applications and application lists, decryption rules and profiles, mapped secrets, and security rules in.

This page provides a JSON template for each component type, required parameters, and any constraints that you need to be aware of when you use the template.

To upload the completed JSON files, see Import Firewall Policy Components.

Important

  • Resources that are included in a JSON file for upload must already exist in the policy before being referenced in another resource. For example, before you can upload an application list, you must first upload all the applications that you want to use in the list.
  • The maximum file size that you can upload is 5 MB.

Template to import address lists

Create a list of addresses that you want to allow or deny access to. You can specify individual IPv4 or IPv6 IP addresses, CIDR blocks, or FQDN addresses.

Each address list can contain a maximum of 1,000 addresses. A policy can contain a maximum of 20,000 IP address lists and 2,000 FQDN address lists.

Required parameters:
  • name
  • type (IP or FQDN only)
  • addresses
Additional constraints:
  • The Name must be unique within the policy, start with a letter, and can contain only letters, numbers, spaces, a hyphen (-), or an underscore (_). A hyphen must be followed by an alphanumeric character. Minimum: 2 characters; maximum: 28 characters.
  • Addresses are validated based on the type provided. Don't add invalid addresses for a type.

Template to import application lists

Create a list of applications that you want to allow or deny access to. A policy can contain a maximum of 2,500 application lists. Each application list can contain a maximum of 200 applications.

Required parameters:
  • name
Additional constraints:
  • The Name must be unique within the policy, start with a letter, and can contain only letters, numbers, spaces, a hyphen (-), or an underscore (_). A hyphen must be followed by an alphanumeric character. Minimum: 2 characters; maximum: 28 characters.
  • If you don't list any applications, provide an empty array for the "apps" parameter in the template.
  • Applications must already exist in the policy before being referenced in the imported list.

Template to import applications

An application is defined by a signature based on the protocols that it uses. Layer 7 inspection is used to identify matching applications. Each policy can contain a maximum of 6,000 applications.

Required parameters:
  • name
  • type (ICMP or ICMP_V6 only)
  • icmpType

Additional constraints:

  • The Name must be unique within the policy, start with a letter, and can contain only letters, numbers, spaces, a hyphen (-), or an underscore (_). A hyphen must be followed by an alphanumeric character. Minimum: 2 characters; maximum: 28 characters.

Template to import service lists

Create a list of services that you want to allow or deny access to, and define port ranges for each. A policy can contain a maximum of 2,000 service lists. A service list can contain a maximum of 200 services.

Required parameters:
  • name

Additional constraints:

  • The Name must be unique within the policy, start with a letter, and can contain only letters, numbers, spaces, a hyphen (-), or an underscore (_). A hyphen must be followed by an alphanumeric character. Minimum: 2 characters; maximum: 28 characters.
  • If you don't list any services, provide an empty array for the services parameter in the template.
  • Services must already exist in the policy before being referenced in the imported list.

Template to import services

A service is identified by a signature based on the ports that it uses. Layer 4 inspection is used to identify matching services. Each policy can contain a maximum of 1,900 services.

Required parameters:
  • name
  • type (TCP or UDP only)
  • portRanges

Additional constraints:

  • The Name must be unique within the policy, start with a letter, and can contain only letters, numbers, spaces, a hyphen (-), or an underscore (_). A hyphen must be followed by an alphanumeric character. Minimum: 2 characters; maximum: 28 characters.
  • You can define a maximum of 10 port ranges for each service.

Template to import URL lists

Create a list of URLs that you want to allow or deny access to. A policy can contain a maximum of 1,000 URL lists. Each list can contain a maximum of 1,000 URLs. The maximum number of URLs allowed in a policy is 25,000.

Required parameters:
  • name
  • urls
  • type (SIMPLE only)

Additional constraints:

  • The Name must be unique within the policy, start with a letter, and can contain only letters, numbers, spaces, a hyphen (-), or an underscore (_). A hyphen must be followed by an alphanumeric character. Minimum: 2 characters; maximum: 28 characters.
  • The urls can't be an empty array. Provide multiple URL objects to contain those URLs in the list.

Template to import mapped secrets

Mapped secrets are secrets that you create in the Vault service and then map to inbound or outbound SSL keys. The secrets are used to decrypt and inspect SSL/TLS traffic with SSL forward proxy or SSL inbound inspection. A policy can contain a maximum of 300 SSL inbound inspection mapped secrets and a maximum of one SSL forward proxy mapped secret.

Required parameters:
  • name
  • source (OCI_VAULT only)
  • type (SSL_INBOUND_INSPECTION or SSL_FORWARD_PROXY only)
  • vaultSecretId
  • versionNumber

Additional constraints:

  • The Name must be unique within the policy, start with a letter, and can contain only letters, numbers, spaces, a hyphen (-), or an underscore (_). A hyphen must be followed by an alphanumeric character. Minimum: 6 characters; maximum: 58 characters.
  • You can create a maximum of one mapped secret of type SSL_FORWARD_PROXY for each policy.

Template to import decryption profiles

Create decryption profiles to control how SSL forward proxy and SSL inbound inspection perform session mode checks, server checks, and failure checks. A policy can contain a maximum of 500 decryption profiles.

Required parameters:
  • name
  • type (SSL_INBOUND_INSPECTION or SSL_FORWARD_PROXY only)

Additional required parameters:

When type is "SSL_INBOUND_INSPECTION", the following parameters are required:
  • isUnsupportedVersionBlocked (true or false)
  • isUnsupportedCipherBlocked (true or false)
  • isOutOfCapacityBlocked (true or false)
When type is "SSL_FORWARD_PROXY", the following parameters are required:
  • isExpiredCertificateBlocked (true or false)
  • isUntrustedIssuerBlocked (true or false)
  • isRevocationStatusTimeoutBlocked (true or false)
  • isUnsupportedVersionBlocked (true or false)
  • isUnsupportedCipherBlocked (true or false)
  • isUnknownRevocationStatusBlocked (true or false)
  • areCertificateExtensionsRestricted (true or false)
  • isAutoIncludeAltName (true or false)
  • isOutOfCapacityBlocked (true or false)

Additional constraints:

  • The Name must be unique within the policy, start with a letter, and can contain only letters, numbers, spaces, a hyphen (-), or an underscore (_). A hyphen must be followed by an alphanumeric character. Minimum: 2 characters; maximum: 63 characters.

Template to import security rules

Security rules are enforced after decryption rules. A policy can contain a maximum of 10,000 security rules.

Required parameters:
  • name
  • condition
  • position
  • action (ALLOW, REJECT, DROP, or INSPECT only)

Additional constraints:

  • The Name must be unique within the policy, start with a letter, and can contain only letters, numbers, spaces, a hyphen (-), or an underscore (_). A hyphen must be followed by an alphanumeric character. Minimum: 2 characters; maximum: 63 characters.
  • If the position parameter is empty, the rule is created as first rule in the list.
  • If a match condition field has an empty value, provide an empty array for that field.
  • If ACTION is specified as INSPECT, then the parameter inspection is required. Allowed values for inspection are INTRUSION_DETECTION and INTRUSION_PREVENTION.

Template to import decryption rules

Decryption rules are enforced before security rules. A policy can have a maximum of 1,000 decryption rules.

Required parameters:
  • name
  • condition
  • action (NO_DECRYPT or DECRYPT only)
  • position

Additional constraints:

  • The Name must be unique within the policy, start with a letter, and can contain only letters, numbers, spaces, a hyphen (-), or an underscore (_). A hyphen must be followed by an alphanumeric character. Minimum: 2 characters; maximum: 63 characters.
  • If ACTION is specified as DECRYPT, then the decryptionProfile and mappedSecret parameters are required. The TYPE values for the specified decryptionProfile and mappedSecret must be the same (SSL_INBOUND_INSPECTION or SSL_FORWARD_PROXY).

Template to import tunnel inspection rules

Use tunnel inspection rules to inspect traffic mirrored to an Oracle resource using the OCI Virtual Test Access Point (VTAP) service. Traffic captured at the VTAP source is encapsulated in VXLAN and then sent to the VTAP target. See RFC 7348. A policy can have a maximum of 500 tunnel inspection rules.

Required parameters:
  • name
  • condition (sourceAddress, destinationAddress)
  • action (INSPECT or INSPECT_AND_CAPTURE_LOG only)
  • position
  • protocol (VXLAN only)
  • profile ("mustReturnTrafficToSource":true only)

Additional constraints:

  • The Name must be unique within the policy, start with a letter, and can contain only letters, numbers, spaces, a hyphen (-), or an underscore (_). A hyphen must be followed by an alphanumeric character. Minimum: 2 characters; maximum: 63 characters.

Template to import NAT rules

Use NAT rules to map a set of IP addresses to a corresponding set of network address translation (NAT) IP addresses.

Required parameters:
  • Name:
  • Type:
  • Condition:
  • Position:

Additional constraints:

  • The Name must be unique within the policy, start with a letter, and can contain only letters, numbers, spaces, a hyphen (-), or an underscore (_). A hyphen must be followed by an alphanumeric character. Minimum: 2 characters; maximum: 63 characters.
  • Maximum number of NAT rules for each firewall policy: 2000