Oracle Cloud Infrastructure Documentation

Firewall Policy Rules

A firewall policy rule is a set of criteria against which a network packet is matched.

Rules are configured in a firewall policy, and the policy is then associated with a firewall. The firewall then allows or denies traffic according to the rules in its associated policy.

Rules are applied to a network packet using the following specific criteria:
  • Decryption rules are always applied before security rules.
  • Decryption rules and security rules are applied using a priority order that you can define
After you associate a policy with a firewall, the firewall begins to allow or deny traffic based on the rules in the policy as follows:
  1. The firewall evaluates the decryption rules in priority list order.
  2. When a decryption rule matches the packet information, the firewall applies the specified rule action.
  3. When a rule action is applied, the firewall doesn't evaluate any further decryption rules.
  4. If the packet information doesn't match any decryption rules, the firewall doesn't decrypt the packet.
  5. The firewall evaluates the security rules in priority list order.
  6. When a security rule matches the packet information, the firewall applies the specified rule action.
  7. When a rule action is applied, the firewall doesn't evaluate any further security rules.
  8. If the packet information doesn't match any security rules, the firewall drops the packet.
Important

  • Rules are optional, but if the policy that you use with a firewall doesn't have at least one rule specified, the firewall denies all network traffic.
  • By default, each new rule that you create becomes the first in the priority list. You can change the priority order at any time.

About decryption rules

Decryption rules decrypt traffic from a specified source, destination, or both. The specified source and destination match condition for the traffic consists of address lists that you configure in the policy before you construct the rule.

When the specified source and destination match condition is met, the firewall takes the rule action. You can choose to take the following actions:

  • Decrypt traffic with SSL forward proxy
  • Decrypt traffic with SSL inbound inspection
  • Don't decrypt traffic.

If you choose to decrypt, you then choose a decryption profile and mapped secret to apply when decrypting traffic. You configure decryption profiles and mapped secrets in the policy before you construct the rule. By default, the priority order of decryption rules is their order of creation. You can change the priority order.

Limits:
  • Maximum number of decryption rules for each policy: 1,000

To create decryption rules, see Create a Decryption Rule.

About security rules

Firewalls use security rules to decide what network traffic is allowed or blocked. Each rule contains a set of criteria that packet information must match to apply the rule. This is called the rule match condition.

You can configure a security rule to match based on source and destination address, application, service, or URL. The specified source and destination match condition for the traffic consists of lists that you configure in the policy before you construct the rule.

Important

If no match criteria are defined in the security rule (an empty list is specified for the rule), then the rule matches to wildcard ("any") criteria. This behavior applies to all traffic examined in the rule.
The rule action defines how the firewall handles the packet if it matches the specified conditions. The firewall can perform the following actions:
  • Allow traffic: The traffic is allowed to proceed.
  • Drop traffic: The traffic is dropped silently, and no notification of reset is sent.
  • Reject traffic: The traffic is dropped and a reset notification is sent.
  • Intrusion detection: The traffic is logged.
  • Intrusion prevention: The traffic is blocked.
    Important

    To use intrusion detection and prevention, you must also enable logging. See Logging Firewall Activity.
Limits:
  • Maximum number of security rules for each policy: 10,000

To create security rules, see Create a Security Rule.

About tunnel inspection rules

Use tunnel inspection rules to inspect traffic mirrored to an Oracle resource using the OCI Virtual Test Access Point (VTAP) service. Traffic captured at the VTAP source is encapsulated in VXLAN and then sent to the VTAP target. See RFC 7348.

You can mirror all traffic, or use a capture filter to only mirror traffic you're interested in. For more information, see Virtual Test Access Points Overview.

When the specified source and destination match condition is met, the firewall applies a default Palo Alto Networks® tunnel inspection profile. The profile has the following characteristics, and isn't editable:

  • Protocol: VXLAN
  • Maximum Tunnel Inspection Levels: One level of encapsulation is inspected
  • Return scanned VXLAN tunnel to source: True. Returns the encapsulated packet to the originating VXLAN tunnel endpoint (VTEP).

You can enable tunnel inspection logs that let you view and identify the VXLAN traffic.

Limits:
  • Maximum number of tunnel inspection rules for each policy: 500

To create tunnel inspection rules, see Create a Tunnel Inspection Rule.

Firewall policy rule components

Firewall policy rule components include firewall policy lists and decryption profiles. Create a firewall policy list to group applications, services, URLs, or addresses for use in a rule for a firewall policy. All items in a list are treated the same way when they're used in a rule. To include any item in a rule, it must first be added to a list. The list can then be referenced in a rule.

Create a decryption profile with a mapped secret to control how SSL forward proxy and SSL inbound inspection perform session mode checks, server checks, and failure checks.

Learn more about Creating Firewall Policy Rule Components.

Mapped Secrets and Decryption Profiles

If a firewall policy uses decryption rules that use certificate authentication, you must set up mapped secrets and decryption profiles.

Mapped secrets are secrets that you create in the Vault service and then map to inbound or outbound SSL keys. The secrets are used to decrypt and inspect SSL/TLS traffic with SSL forward proxy and SSL inbound inspection.

If you plan to use SSL forward proxy or SSL inbound inspection, set up a vault and secrets beforeyou begin configuring a policy with rules. See Setting Up Network Traffic Decryption and Inspection.

Decryption profiles control how SSL forward proxy and SSL inbound inspection perform session mode checks, server checks, and failure checks.

The following options are available for SSL forward proxy decryption profiles:
  • Block expired certificate: Blocks sessions if the server's certificate is expired. This option prevents access to potentially insecure sites. If this option isn't selected, users can connect with and transact with potentially malicious sites and see warning messages when they try to connect, but the connection isn't prevented.
  • Block untrusted issuer: Blocks sessions if the server's certificate is issued by an untrusted certificate authority (CA). An untrusted issuer might indicate a man-in-the-middle attack, a replay attack, or other attack.
  • Block timeout certificate: Blocks sessions if the certificate status check times out. Certificate status checks use the Certificate Revocation List (CRL) on a revocation server or use Online Certificate Status Protocol (OCSP) to see if the CA that issued the certificate has revoked it. Revocation servers can be slow to respond, which can cause the session to time out, even if the certificate is valid.
  • Block unsupported cipher: Blocks sessions if the SSL cipher suite specified in the SSL handshake isn't supported.
  • Block unsupported version: Blocks sessions if the SSL version specified in the SSL handshake isn't supported.
  • Block unknown certificate: Blocks sessions if the certificate status is returned as "unknown." Certificate status might be unknown for many reasons, so use this option in higher-security areas of the network instead of for general security.
  • Restrict certificate extensions: Restricts extensions to key usage and extended key usage. Use this option only if deployment requires no other certificate extensions.
  • Auto-include alternative name: Automatically appends a Subject Alternative Name (SAN) to the impersonation certificate if the server certificate is missing.
  • Block if no resources: Blocks sessions if not enough processing resources are available. If you don't use this option, encrypted traffic enters the network still encrypted, risking potentially dangerous connections. Using this option might affect the user experience by making sites temporarily unreachable.
The following options are available for SSL inbound inspection decryption profiles:
  • Block sessions with unsupported versions: Blocks sessions that have a weak, unsupported version of SSL protocol.
  • Block unsupported cipher: Blocks sessions if the SSL cipher suite specified in the SSL handshake isn't supported.
  • Block if no resources: Blocks sessions if not enough processing resources are available. If you don't use this option, encrypted traffic enters the network still encrypted, risking potentially dangerous connections. Using this option might affect the user experience by making sites temporarily unreachable.
Limits:
  • Maximum number of mapped secrets for each policy: 300
  • Maximum number of SSL inbound mapped secrets for each policy: 300
  • Maximum number of SSL forward proxy mapped secrets for each policy: 1
  • Maximum number of decryption profiles for each policy: 500

To create a mapped secret, see Create a Mapped Secret.

To create a decryption profile, see Create a Decryption Profile.