Oracle Cloud Infrastructure Documentation

Setting Up Network Traffic Decryption and Inspection

Set up certificate authentication and Vault secrets to decrypt and inspect network traffic.

Vault secrets are used to decrypt and inspect SSL/TLS traffic.

SSL inbound inspection decrypts and inspects inbound SSL/TLS traffic from a client to a targeted network server. For more information on SSL inbound inspection, see SSL Inbound Inspection.

SSL forward proxy decrypts and inspect SSL/TLS traffic from internal users to the web. Only one SSL forward proxy secret is allowed for each firewall policy. For more information on SSL forward proxy, see SSL Forward Proxy,

After you create a firewall policy, you'll create a mapped secret to map the Vault secret to an inbound or outbound SSL key. Then you'll create a decryption profile to control how SSL forward proxy and SSL inbound inspection perform session mode checks, server checks, and failure checks.

For more information about how the certificate is used with a firewall policy, see Mapped Secrets and Decryption Profiles.

Task 1: Allow the Network Firewall service to access Vault secrets

Create an IAM policy to allow the firewall policy to access and use Vault secrets.

To allow all firewall policies access to Vault service secrets:
Allow any-user to read secret-family in compartment <compartment_ID> where ALL {request.principal.type='networkfirewallpolicy'}
To allow one firewall policy access to Vault service secrets: 
Allow any-user to read secret-family in compartment <compartment_ID> where ALL {request.principal.type='networkfirewallpolicy', request.principal.id='<Network Firewall Policy OCID>'}
Warning

If this permission is revoked later, the firewall will stop decrypting traffic because the service won't be able to access the mapped secret.

These policies replace the deprecated policy to access Vault secrets:

allow service ngfw-sp-prod to read secret-family in compartment <compartment_name>
Task 2: Create a vault and master key to store the certificate
  1. Create a vault to store the certificate in.
  2. Create a master encryption key in the vault.
    Important

    The master key must be a symmetric key. You can't encrypt secrets with asymmetric keys.
Task 3: Store the certificate

You can use a self-signed or ca-signed certificate with OCI Network Firewall Service.

Oracle provides a script that you can use to generate a self-signed certificate.
Important

  • The Network Firewall service validates the provided certificate and stores it in the trustroot. To validate the certificate, provide the entire SSL certificate chain, including the intermediate certificates root certificate and private key. Upload certificates in .pem format which are wrapped in the following .json template.

  • If the leaf certificate specified in the "certKeyPair" is a forward-trust certificate, then it should have Certificate Authority Signing capability. Set the CA flag to "true".

    In this example, if "LEAF_CERT_01_PEM_CONTENT" is a forward-trust certificate, its CA flag must be set to "true". 
    {
  "caCertOrderedList" : [
    "ROOT_CERT01_PEM_CONTENT",
    "INTERMEDIATE_CERT01_PEM_CONTENT",
    "INTERMEDIATE_CERT02_PEM_CONTENT",
  ],
  "certKeyPair": {
    "cert" : "LEAF_CERT_01_PEM_CONTENT",
    "key":   "PRIVATE_KEY_01_PEM_CONTENT"
  }
}
To use a self-signed OpenSSL certificate, you can use an Oracle provided script to create one:
  1. Download and install OpenSSL.
  2. Download and install Perl.
  3. Download the script from the Oracle GitHub repository.
  4. Run the script using the following command. Replace <test.test.com> with the DNS name of the webserver you need to protect: 
    ./create-certificate inbound <test.test.com>
    or 
    ./create-certificate forward <test.test.com>
Task 4: Create secrets in the vault

Create a secret in the vault for each certificate you want to use.

  1. Open the navigation menu, click Identity & Security, and then click Vault.
  2. Under List Scope, in the Compartment list, click the name of the compartment.

  3. Choose the vault you created in Task 2: Create a vault and master key to store the certificate.

  4. Click Secrets, and then click Create Secret.
  5. In the Create Secret dialog box, choose a compartment from the Create in Compartment list. (Secrets can exist outside the compartment the vault is in.)
  6. Click Name, and then enter a name to identify the secret. Use a name that corresponds to the type of certificate the secret contains. For example, "ssl-inbound-inspection-certificate."
  7. Click Description, and then enter a description of the secret.
  8. Choose the master encryption key you created in Task 2: Create a vault and master key to store the certificate.
  9. Specify the format of the secret contents as Plain-Text.
  10. Click Secret Contents, and then copy the certificate contents into the field. (The maximum allowable size for a secret bundle is 25 KB.)
  11. Click Create Secret.