Known Issues for Network Firewall
Known issues have been identified for the Network Firewall service.
See also Troubleshooting Network Firewall.
Editing a firewall policy can cause a connection reset in certain circumstances
- Details
-
When you make the following changes to a firewall, the update causes a connection reset in the firewall:
- Updating mapped secret information in a policy attached to a firewall.
- Changing the firewall policy to one that uses different mapped secret information than the old policy.
Editing other information in the attached policy (anything other than mapped secrets) does not cause a connection reset.
Security rule creation fails for ICMP with port-based services
- Details
-
When you create or change a security rule, the operation fails if the rule matches a port-agnostic application such as ICMP or ICMPv6 together with a port-specific service in the same match criteria. To allow ICMP or ICMPv6 traffic to match the rule, set Services to Any, meaning that no services are specified.
Use separate rules for services and applications, as shown in the following examples.
- Example: Rule with service only
-
    resource "oci_network_firewall_network_firewall_policy_security_rule" "SECURITY-RULE" {
      action = "INSPECT"
      name   = "SECURITY-RULE"
      condition {
        application         = []
        destination_address = ["APP-IP-ADDRESS-LIST"]
        service             = ["SSH"]
        source_address      = ["CLIENT-IP-ADDRESS-LIST"]
        url                 = ["URL-LIST"]
      }
      network_firewall_policy_id = oci_network_firewall_network_firewall_policy.EXAMPLE-POLICY.id
      inspection                 = "INTRUSION_PREVENTION"
      position {
        after_rule  = var.network_firewall_policy_security_rule_position_after_rule
        before_rule = var.network_firewall_policy_security_rule_position_before_rule
      }
    }
- Example: Rule with application only
-
    resource "oci_network_firewall_network_firewall_policy_security_rule" "SECURITY-RULE" {
      action = "INSPECT"
      name   = "SECURITY-RULE"
      condition {
        application         = ["ICMP"]
        destination_address = ["APP-IP-ADDRESS-LIST"]
        service             = []
        source_address      = ["CLIENT-IP-ADDRESS-LIST"]
        url                 = []
      }
      network_firewall_policy_id = oci_network_firewall_network_firewall_policy.EXAMPLE-POLICY.id
      inspection                 = "INTRUSION_PREVENTION"
      position {
        after_rule  = var.network_firewall_policy_security_rule_position_after_rule
        before_rule = var.network_firewall_policy_security_rule_position_before_rule
      }
    }
Terraform times out firewall creation
- Details
-
When firewall creation takes longer than 30 to 35 minutes, Terraform times out before the operation completes because Terraform refreshes its state.
- Workaround
- To avoid the timeout, set the timeout at the oci_network_firewall_network_firewall resource level to 35 minutes plus buffer time for the Terraform state refresh.
Policy upgrade failure
- Details
-
To prevent failures during network firewall policy upgrades, ensure your policy meets the following criteria:
- Application List: If a policy includes an application list whose name is longer than 24 characters, the upgrade might fail. We recommend shortening such application list names to 24 characters or fewer.
- Security Rules: On the Security Rules tab, if any of the lists (Applications, URLs, Sources, or Destinations) for a rule contains more than 25 elements, split the rule into several rules.
- Decryption Rules: Similarly, on the Decryption Rules tab, if the Sources or Destinations list for a rule exceeds 25 elements, split the rule into several rules.
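A pre-flight check for the constraints described on this page (the ICMP-with-service rule failure and the policy upgrade criteria), written as an added example that is not part of this page or of the OCI provider. It runs over a simple dict model of a policy; the dict layout, the ICMP and ICMP_V6 application type strings and the sample list names are assumptions made for the example.

```python
# Added pre-flight linter for a Network Firewall policy model (example code, not OCI's).
# The dict layout and the ICMP/ICMP_V6 type strings are assumptions made for this example.

PORT_AGNOSTIC_TYPES = {"ICMP", "ICMP_V6"}   # application types that carry no port
MAX_APP_LIST_NAME = 24                      # longer names can fail policy upgrade
MAX_LIST_ELEMENTS = 25                      # larger lists can fail policy upgrade
SECURITY_LISTS = ("application", "url", "source_address", "destination_address")
DECRYPTION_LISTS = ("source_address", "destination_address")


def security_rule_problems(rule, app_lists):
    """Problems in one security rule: ICMP mixed with services, oversized lists."""
    out, cond = [], rule["condition"]
    # Resolve application list names to the application types they contain.
    types = {t for name in cond.get("application", []) for t in app_lists.get(name, [])}
    if types & PORT_AGNOSTIC_TYPES and cond.get("service"):
        out.append(f"{rule['name']}: port-agnostic application combined with services "
                   f"{cond['service']}; use separate rules or set service to Any")
    for key in SECURITY_LISTS:
        if len(cond.get(key, [])) > MAX_LIST_ELEMENTS:
            out.append(f"{rule['name']}: {key} has {len(cond[key])} elements (max {MAX_LIST_ELEMENTS})")
    return out


def policy_problems(policy):
    """All problems in a policy dict; an empty list means these checks pass."""
    app_lists = policy.get("application_lists", {})
    out = [f"application list name {n!r} exceeds {MAX_APP_LIST_NAME} characters"
           for n in app_lists if len(n) > MAX_APP_LIST_NAME]
    for rule in policy.get("security_rules", []):
        out += security_rule_problems(rule, app_lists)
    for rule in policy.get("decryption_rules", []):
        for key in DECRYPTION_LISTS:
            if len(rule["condition"].get(key, [])) > MAX_LIST_ELEMENTS:
                out.append(f"{rule['name']}: {key} exceeds {MAX_LIST_ELEMENTS} elements")
    return out


# Constructed sample policy: one rule per failure mode plus the two valid shapes from this page.
ADDRS = {"source_address": ["CLIENT-IP-ADDRESS-LIST"], "destination_address": ["APP-IP-ADDRESS-LIST"]}
SAMPLE_POLICY = {
    "application_lists": {"ICMP": ["ICMP"], "LEGACY-APPLICATION-LIST-LONG-NAME": ["ICMP_V6"]},
    "security_rules": [
        {"name": "BAD-ICMP-SSH", "condition": {"application": ["ICMP"], "service": ["SSH"], **ADDRS}},
        {"name": "OK-SSH", "condition": {"application": [], "service": ["SSH"], **ADDRS}},
        {"name": "OK-ICMP", "condition": {"application": ["ICMP"], "service": [], **ADDRS}},
    ],
    "decryption_rules": [
        {"name": "BIG-DECRYPT", "condition": {"source_address": [f"SRC-{i}" for i in range(26)]}},
    ],
}
# policy_problems(SAMPLE_POLICY) reports three problems: the long list name, BAD-ICMP-SSH, BIG-DECRYPT.
```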