Build OCI Network Firewall policy rules with IP lists, URL filtering, and TLS inspection.
Last verified: May 2026
The builder constructs OCI Network Firewall policy configurations: policy resource (compartment, name), security rules (with action: ALLOW/DROP/REJECT/INSPECT, source/destination address lists, application lists, URL lists, IPS rule reference), application/URL/service/IP-list resources (reusable groupings), and decryption profiles for TLS inspection (with CA cert + private key reference). Output is generated as oci network-firewall commands and Terraform oci_network_firewall_network_firewall_policy resources.
OCI Network Firewall is a managed next-generation firewall service that provides deep packet inspection, intrusion detection and prevention (IDS/IPS), URL filtering, and TLS inspection for traffic flowing through your VCNs. Firewall policies define security rules, application lists, URL lists, and decryption profiles. This builder helps you configure Network Firewall policies with hierarchical rule sets, service lists, application groups, and inspection profiles for comprehensive network security.
Your team is hardening a 30-VCN production environment after a security audit. The builder generates a Network Firewall policy for the hub VCN: allow east-west between known service tiers, deny direct internet for all non-DMZ subnets, URL filtering with an allowlist of approved external domains, IDS/IPS rules using Snort signatures from Oracle's curated set. DRG route tables steer all traffic through the firewall. Within hours of deployment, attempted outbound connections to non-approved domains are blocked at the firewall — preventing the entire class of 'compromised workload calls home' scenarios.
Network Firewall must be deployed inline (in the data path) to inspect traffic. The cleanest topology: hub VCN with a dedicated firewall subnet, DRG route tables steering all inter-VCN and internet-bound traffic through it. Trying to retrofit Network Firewall into existing flat-network VCNs is painful — design for it from the start.
TLS inspection is powerful but requires careful CA management. The forward proxy decryption uses YOUR CA to dynamically generate certificates for outbound HTTPS. If your CA cert isn't trusted by client devices, you'll see SSL errors everywhere. Test in a sandbox first; deploy to production only after CA distribution is validated.
URL filtering with allowlists is dramatically more secure than denylists. Allow `*.github.com, *.npmjs.org, *.docker.io, your-internal-services` and deny everything else. The denylist approach (block known-bad sites) is always playing catch-up; the allowlist approach prevents data exfiltration to ANY unapproved destination.
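As an added illustration (not output from the builder and not Oracle's own sample), the allowlist pattern above expressed as Terraform resources: a URL list of approved domains, an INSPECT rule that permits only those destinations from the private address list, and a catch-all DROP rule positioned after it so it is evaluated last. The compartment variable, resource names and the 10.0.0.0/8 range are constructed placeholders.

```hcl
# Policy container; the firewall resource attaches to this policy (not shown).
resource "oci_network_firewall_network_firewall_policy" "hub" {
  compartment_id = var.compartment_ocid   # assumed variable
  display_name   = "hub-egress-allowlist"
}

# Source address list: the workload subnets whose egress is being controlled.
resource "oci_network_firewall_network_firewall_policy_address_list" "private_subnets" {
  network_firewall_policy_id = oci_network_firewall_network_firewall_policy.hub.id
  name      = "private-subnets"
  type      = "IP"
  addresses = ["10.0.0.0/8"]   # constructed sample range
}

# Approved external destinations; anything not matching these is dropped below.
resource "oci_network_firewall_network_firewall_policy_url_list" "approved_egress" {
  network_firewall_policy_id = oci_network_firewall_network_firewall_policy.hub.id
  name = "approved-egress"
  urls {
    pattern = "*.github.com"
    type    = "SIMPLE"
  }
  urls {
    pattern = "*.npmjs.org"
    type    = "SIMPLE"
  }
}

# Allow approved egress, but still run it through IPS rather than a plain ALLOW.
resource "oci_network_firewall_network_firewall_policy_security_rule" "allow_approved" {
  network_firewall_policy_id = oci_network_firewall_network_firewall_policy.hub.id
  name       = "allow-approved-egress"
  action     = "INSPECT"
  inspection = "INTRUSION_PREVENTION"
  condition {
    source_address = [oci_network_firewall_network_firewall_policy_address_list.private_subnets.name]
    url            = [oci_network_firewall_network_firewall_policy_url_list.approved_egress.name]
  }
}

# Catch-all: rules are evaluated in order, so this must sit after the allow rule.
resource "oci_network_firewall_network_firewall_policy_security_rule" "drop_other_egress" {
  network_firewall_policy_id = oci_network_firewall_network_firewall_policy.hub.id
  name   = "drop-unapproved-egress"
  action = "DROP"
  condition {
    source_address = [oci_network_firewall_network_firewall_policy_address_list.private_subnets.name]
  }
  position {
    after_rule = oci_network_firewall_network_firewall_policy_security_rule.allow_approved.name
  }
}
```

Review the resulting rule order in the console or with `oci network-firewall security-rule list` before relying on it, because a DROP rule that lands ahead of the allow rule blocks the approved domains too.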
Deploy the Network Firewall in a dedicated firewall subnet within a hub VCN in a hub-and-spoke architecture. Configure DRG route tables to direct inter-VCN and internet-bound traffic through the firewall subnet. The firewall inspects traffic inline, so it must be in the data path. For north-south (internet) traffic, place it between the internet gateway and your application subnets. For east-west (VCN-to-VCN) traffic, place it in the hub VCN with DRG route tables directing spoke traffic through it.
Yes. OCI Network Firewall can decrypt TLS/SSL traffic for inspection using a decryption profile with your certificate authority (CA) certificate. Inbound decryption uses your server's certificate to inspect traffic destined for your applications. Outbound (forward proxy) decryption generates dynamic certificates signed by your CA to inspect traffic initiated by your workloads. TLS inspection is essential for detecting threats in encrypted traffic but requires careful certificate management.