Installing OCI Network Firewall – Allowing traffic via policies

Now that we have designed and installed our OCI Network Firewall we’re ready to allow some traffic through the firewall. What you’ll end up doing is to modifying policies which are applied to the firewall.

How it works is that there’s always a single policy attached to the firewall, if you need to update the policy you have to clone it, modify it and then reapply it to the firewall. When attaching the new policy to a firewall, if you’re updating mapped secrets, it’ll create reset on the firewall.

More on policies here.

Policies

A policy always either inspects, allows or denies traffic coming to the firewall. You can actually attach same policy to multiple firewalls but like said above, one firewall has only one policy.

Policy has multiple components you can configure such as:

  • Applications and Application Lists
  • Services and Service Lists
  • URL and Address Lists
  • Mapped Secrets
  • Decryption Profiles and Decryption Rules
  • Security Rules

I’ll start modifying the existing policy, I’ll navigate to Network Firewalls and I’ll select the initially created policy. Once I go to policy, I see notification that I can’t modify the existing policy as it’s attached to a firewall. What’s needed is to clone it, and give the new policy a name.

You can’t modify existing policies

When creating a new policy, I’ve used numbering in the end to identify the policies. Any ideas on what other method you could use for naming the policy? Maybe it could be automatic as well?

Cloning policy is just giving it a new name

Now that I have a policy I can modify, let’s add a security rule which allows traffic from my compute VM towards my blog page.

What I’ll want to do is I’ll create address list with my compute IP (10.0.1.238) to be a source and add URL List www.thatfinnishguy.blog as destination.

Creating address list with my source compute VM IP
Creating URL list with my blog URL

Now that I have source and destination target defined I can create an actual security rule. I’ll define the rule as below and rule action is Allow traffic.

As you can see the rule is really simple (allow-tfg-blog), you might have hundred of rules in the end but this is just to show how you can allow traffic and modify the policy. Once you’re ready with the policy, it’s time to attach it to the firewall.

Attaching new policy to the firewall

It takes few minutes to apply the new policy to the firewall, old policy being then taken out. Note that if you don’t modify mapped secrets in your policy, there’s no reset for the firewall.

Testing connectivity

I’ll login to my 10.0.1.238 VM compute and run the same connectivity test as earlier, this time I’ll just add -I flag to curl as otherwise it would return the whole page and don’t want to paste that here.

[opc@server1 ~]$ curl -I https://www.thatfinnishguy.blog
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Fri, 17 May 2024 19:25:46 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/7.1.24
Link: <https://www.thatfinnishguy.blog/wp-json/>; rel="https://api.w.org/"
Link: <https://wp.me/aXl1F>; rel=shortlink
X-Frame-Options: SAMEORIGIN

So I get a response, then I’ll validate what I see now in the firewall logs. Remember that it takes few minutes for the logs to be visible and you won’t see them appearing right away.

{
  "datetime": 1715973964000,
  "logContent": {
    "data": {
      "action": "allow",
      "bytes": "5688",
      "bytes_received": "4229",
      "bytes_sent": "1459",
      "dport": "443",
      "dst": "35.207.97.64",
      "receive_time": "2024/05/17 19:26:04",
      "rule": "allow-tfg-blog",
      "rule_uuid": "bd2402e8-7d38-4048-b485-ab27c1cf0c21",
      "src": "10.0.1.238",
      "srcloc": "10.0.0.0-10.255.255.255",
      "time_received": "2024/05/17 19:26:04",
      "tunnelid": "0"
     "time": "2024-05-17T19:26:04.000Z",
    "type": "com.oraclecloud.networkfirewall.traffic"
  },
  "regionId": "ca-toronto-1"
}

I took some of the JSON data out but you can see action is now allow and rule what is being used is allow-tfg-blog, so it’s hitting the allow rule defined!

Summary

I think managing policies needs some further thinking if you’re going to use OCI Network Firewalls, the obvious ones being who has access, how are they going to be named/labeled and when are you applying the changes (change control).

But it’s also how you’re going to name/build your lists and rules, think there needs to be some common design applied so it’s clear whenever new URL list is being added for example.

There was a recent update to policies, they support now far more rules and lists compared what they did previously.

In the last blog post on this series I’m going to hit one real world issue I recently encountered. What if I use OCI Network Firewall and need public access to some of my services, but I also need private subnet access outside from my VCNs as we’ve have in this example?

Simo

Recent Posts

Autonomous Database Audit Logs to Logging Service Part 1

I recently came across requirement to get OCI Oracle Autonomous Database audit logs to OCI…

3 weeks ago

Connecting to Autonomous Database Running on Google Cloud

Last time I showed how to provision Autonomous Database Serverless (ADB-S) on Google Cloud. This…

2 months ago

Can you believe it? Provisioning Autonomous Database in GCP!

I bet few years back folks didn't expect that by 2024 we would be able…

3 months ago

IP Address Insights with CLI

My previous post on IP Address Insights I mentioned it wasn't yet available with CLI…

7 months ago

Thoughts on Oracle Database@Azure

This will NOT be a technical walkthrough on Oracle Database@Azure but rather my opinions and…

7 months ago

OCI Vulnerability Scanning Setup

Many times when you work for someone, they already have their own vulnerability scanning throughout…

7 months ago