Oracle Cloud Infrastructure Documentation

Create a Firewall

Use the Network Firewall service to create a firewall.

Important

  • For better performance, don't add stateful rules to the security list attached to the firewall subnet or include the firewall in a network security group (NSG) that contains stateful rules.
  • Security list or NSG rules associated with the firewall subnet and VNICs are evaluated before the firewall. Ensure that security list or NSG rules allow the traffic to enter the firewall so that it can be evaluated appropriately.
  • If the policy that you use with the firewall doesn't have any rules specified, the firewall denies all traffic.
    1. On the navigation menu, click Identity & Security. Under Firewalls, click Network Firewalls.
    2. Click Create network firewall.
    3. In the Name box, enter a name.
    4. In the Create in compartment list, select a compartment to create the firewall in.
    5. In the Network firewall policy list, select a firewall policy to associate with this firewall. If no policies display, try checking the compartment.
      Note

      If you associate this firewall with a new or upgraded policy, the firewall only uses the new or upgraded policy. You can't later associate this firewall with an old, non-upgraded policy. See Upgrade a Firewall Policy.

    6. In the Virtual cloud network list, select a VCN.
    7. In the Subnet list, select a subnet. You can select public or private regular or regional subnets.
    8. If you want to choose a network security group (NSG) to control traffic to and from the firewall, click to select the Use network security groups to control traffic checkbox. Click +Add another network security group to add more NSGs.
    9. If you want to enter an IPv4 address, an IPv6 address, or both, click to select the I want to manually assign the IP address from the subnet to the firewall checkbox. If you don't select this option, the IP address is automatically assigned.
    10. (Optional) Click Show advanced options: and provide the following values:

      • On the Firewall Scope tab, select Deploy to a single Availability domain in the region to deploy the firewall to a specific Availability domain.

        Regional firewalls are deployed across all availability domains in a region. Availability domain-specific firewalls are deployed within a specific AD. See Regions and Availability Domains for more information.
        Important

        A firewall that is deployed to a single Availability domain can't be changed to regional later.
      • If you want to create tags for the firewall, click the Tagging tab.
    11. Click Create network firewall.

      A work request is created to provision a firewall resource to your Cloud account. To view the work request, under Resources, click Work requests. You'll know when the firewall is created when it appears as Active.

  • Use the network-firewall network-firewall create command and required parameters to create a firewall.
    oci network-firewall network-firewall create --compartment-id compartment_id
 --subnet-id subnet_id --network-firewall-policy-id network_firewall_policy_id[OPTIONS]

    For a complete list of flags and variable options for CLI commands, see the Command Line Reference.

  • Use the CreateNetworkFirewall operation to create a firewall.