Add a Security Rule to a Firewall Policy

Security rules contain a set of criteria against which a network packet is matched and then allowed or blocked.

Before you can create a security rule, you must create application lists, service lists, address lists, and URL lists to use when creating the rule.
The specified source and destination match condition for the traffic consists of lists that you configure in the policy before you construct the rule. You can create a maximum of 10,000 security rules for each policy.
Important

If no match criteria are defined in the security rule (an empty list is specified for the rule), then the rule matches the wildcard ("any") criteria. This behavior applies to all traffic examined by the rule.
    1. Open the navigation menu, and select Identity & Security. Under Firewalls, select Network Firewall policies.
    2. Select the compartment that contains the firewall policy that you want to add a security rule to.
    3. Select the policy.
    4. On the details page, select the Rules tab.
    5. From within the Security rules table, select Create security rule.
    6. Enter the information for the security rule:
      • Name: Enter a name for the rule. Avoid entering confidential information.
      • Match condition: Specify that the rule matches Any address, application, service, or URL. Alternatively, specify the source and destination addresses, applications, services, or URLs that must match for the rule to take effect. You can select any of the lists that you created. If you haven't previously created any lists, select Create address list, Create application list, Create service list, or Create URL list from the Actions menu and see one of the following pages.
      • Rule action: Specify the action that you want to take if the match condition is met:
        • Allow traffic: The traffic is allowed to proceed.
        • Drop traffic: The traffic is dropped silently, and no reset notification is sent.
        • Intrusion detection: The traffic is logged.
        • Intrusion prevention: The traffic is blocked.
          Important

          To use intrusion detection and prevention, you must also enable logging. See Logging Firewall Activity. For information about intrusion detection, see the Intrusion Detection and Prevention section in OCI Network Firewall with Examples.
        • Reject traffic: The traffic is dropped and a reset notification is sent.
      • Rule order: Select the position of the rule in relation to other security rules in the policy. The firewall applies the security rules in the specified order from first to last.
        • Custom position: Enabled only if you create more than one security rule. If you select it, specify whether you want this rule to come before an existing rule, or after an existing rule. Then, specify the existing rule that you want the new rule to come before or after.
    7. Select Create security rule.
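The evaluation semantics described above (rules are applied first to last, and an empty match list matches any traffic) as a small added model, not OCI code: rule names, list names and addresses are constructed, and addresses are compared as plain strings rather than CIDR ranges. The `shadowed_rules` check flags rules placed after a wildcard rule, which the firewall can never reach.

```python
"""Model of first-match security-rule evaluation with the 'empty list means
any' behaviour. Constructed illustration only, not the OCI Network Firewall
engine; action strings mirror the rule actions named on this page."""
from dataclasses import dataclass, field

CRITERIA = ("sourceAddress", "destinationAddress", "application", "service", "url")


@dataclass
class SecurityRule:
    name: str
    action: str                                    # e.g. "ALLOW", "DROP", "REJECT"
    condition: dict = field(default_factory=dict)  # criterion -> list of list names

    def is_wildcard(self) -> bool:
        # No criteria, or only empty lists, means the rule matches all traffic.
        return all(not self.condition.get(c) for c in CRITERIA)


def criterion_matches(rule, criterion, value, lists):
    names = rule.condition.get(criterion, [])
    if not names:                     # empty list -> "any"
        return True
    return any(value in lists[n] for n in names)


def first_match(rules, packet, lists):
    """Return (rule name, action) of the first rule whose every criterion matches."""
    for rule in rules:
        if all(criterion_matches(rule, c, packet.get(c), lists) for c in CRITERIA):
            return rule.name, rule.action
    return None


def shadowed_rules(rules):
    """Names of rules that can never match because a wildcard rule precedes them."""
    out, seen_wildcard = [], False
    for rule in rules:
        if seen_wildcard:
            out.append(rule.name)
        elif rule.is_wildcard():
            seen_wildcard = True
    return out


# Constructed address/service lists and a three-rule policy (hypothetical names).
LISTS = {"corp_net": {"10.0.0.5", "10.0.0.6"}, "web": {"HTTP", "HTTPS"}}
RULES = [
    SecurityRule("allow-corp-web", "ALLOW", {"sourceAddress": ["corp_net"], "service": ["web"]}),
    SecurityRule("catch-all", "DROP", {"sourceAddress": []}),   # empty list: matches everything
    SecurityRule("never-reached", "ALLOW", {"sourceAddress": ["corp_net"]}),
]
```

Running `shadowed_rules(RULES)` reports `never-reached`, the rule that sits behind the wildcard drop and therefore never takes effect.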
  • Use the network-firewall security-rule create command and required parameters to create a security rule:

    oci network-firewall security-rule create --name my_security_rule --network-firewall-policy-id <network_firewall_policy_OCID> \
    --action ALLOW --condition '[{"sourceAddress":"IP_address"}]' ...[OPTIONS]

    For a complete list of parameters and values for CLI commands, see the CLI Command Reference.

  • Run the CreateSecurityRule operation to create a security rule.