Add a Decryption Rule to a Firewall Policy

Decryption rules contain a set of criteria against which a network packet is matched and decrypted.

Before you can create a decryption rule, you must complete these tasks:

If you choose to decrypt, you then choose a decryption profile and mapped secret to apply when decrypting traffic. You configure decryption profiles and mapped secrets in the policy before you construct the rule.

You can have a maximum of 1,000 decryption rules for each policy. By default, each new rule you create becomes the first in the list. You can change the order of priority.

    1. Open the navigation menu, and select Identity & Security. Under Firewalls, select Network Firewall policies.
    2. Select the compartment that contains the firewall policy that you want to add a decryption rule to.
    3. Select the firewall policy.
    4. On the details page, select the Rules tab.
    5. Select Create decryption rule.
    6. In the Name box, enter a name for the rule. Avoid entering confidential information.
    7. Under Source addresses, do one of the following:
      • To match any source address for the rule to take effect, select Any source address matches the rule.
      • To match addresses defined in an address list for the rule to take effect, select Create or select a list of source addresses to match the rule. Then, select an address list or create a new one by selecting Create address list from the Actions menu. To learn how to create an address list, see Create an Address List.
    8. Under Destination addresses, select one of the following options:
      • To match any destination address for the rule to take effect, select Any destination address matches the rule.
      • To match addresses defined in an address list for the rule to take effect, select Create or select a list of destination addresses to match the rule. Then, select an address list or create a new one by selecting Create address list from the Actions menu. To learn how to create an address list, see Create an Address List.
    9. Enter the information for the decryption rule:
      • Rule action: Specify the action that you want to take if the match condition is met:
      • Rule order: Select the position of the rule in relation to other decryption rules in the policy. The firewall applies the decryption rules in the specified order from first to last.
      • Custom position is enabled only if you create more than one decryption rule. If you select it, specify whether you want this rule to come before an existing rule, or after an existing rule. Then, specify the existing rule that you want the new rule to come before or after.
    10. Select Create decryption rule.
  • Use the network-firewall decryption-rule create command and required parameters to create a decryption rule:

    oci network-firewall decryption-rule create --name my_decryption_rule \
      --network-firewall-policy-id network_firewall_policy_OCID \
      --decryption-profile decryption_profile --action DECRYPT \
      --condition '[{"sourceAddress":"IP_address"}]' ...[OPTIONS]

    For a complete list of parameters and values for CLI commands, see the CLI Command Reference.

  • Run the CreateDecryptionRule operation to create a decryption rule.
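The ordering and matching behaviour described above (rules applied from first to last, a new rule placed first by default, the before/after custom position, and the 1,000-rule limit) modelled in Python as an added example; this is not OCI's own code, and the rule names, CIDR lists standing in for address lists, and the NO_DECRYPT action value are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

MAX_RULES = 1000  # per-policy limit stated on the page
@dataclass
class DecryptionRule:
    name: str
    action: str                        # "DECRYPT" as on the page; "NO_DECRYPT" is assumed
    source: Optional[list] = None      # CIDRs standing in for an address list; None = any
    destination: Optional[list] = None
    profile: Optional[str] = None      # decryption profile applied when action is DECRYPT

def _matches(cidrs, ip):
    if cidrs is None:  # "Any ... address matches the rule"
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

class DecryptionPolicy:
    def __init__(self):
        self.rules = []

    def add_rule(self, rule, position="first", relative_to=None):
        # position: 'first' (default for a new rule), 'last', or 'before'/'after' relative_to.
        if len(self.rules) >= MAX_RULES:
            raise ValueError("policy already holds the maximum of 1,000 decryption rules")
        if any(r.name == rule.name for r in self.rules):
            raise ValueError(f"duplicate rule name: {rule.name}")
        if position in ("first", "last"):
            self.rules.insert(0 if position == "first" else len(self.rules), rule)
            return
        idx = next(i for i, r in enumerate(self.rules) if r.name == relative_to)
        self.rules.insert(idx if position == "before" else idx + 1, rule)

    def evaluate(self, src_ip, dst_ip):
        # Rules apply from first to last; the first rule matching both sides decides.
        for r in self.rules:
            if _matches(r.source, src_ip) and _matches(r.destination, dst_ip):
                return r
        return None

def build_example_policy():
    # Constructed sample: catch-all, then a bypass (lands first by default), then a guest rule after it.
    p = DecryptionPolicy()
    p.add_rule(DecryptionRule("decrypt-all", "DECRYPT", profile="inspect"))
    p.add_rule(DecryptionRule("skip-bank", "NO_DECRYPT", destination=["203.0.113.0/24"]))
    p.add_rule(DecryptionRule("decrypt-guest", "DECRYPT", source=["10.10.0.0/16"],
                              profile="guest"), position="after", relative_to="skip-bank")
    return p
```

Because the bypass rule sits first, traffic to the bypassed range is never decrypted even though the catch-all rule would match it; moving the catch-all above it would silently change that outcome.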