Create a Firewall

Use the Network Firewall service to create a firewall.

Before you create a firewall, consider these important points:
  • For better performance, don't add stateful rules to the security list attached to the firewall subnet or include the firewall in a network security group (NSG) that contains stateful rules.
  • Security list or NSG rules associated with the firewall subnet and VNICs are evaluated before the firewall. Ensure that security list or NSG rules allow the traffic to enter the firewall so that it can be evaluated appropriately.
  • If the policy that you use with the firewall doesn't have any rules specified, the firewall denies all traffic.
Note

To enable NAT on firewalls, ensure that at least four spare IP addresses are available on the firewall subnet for a 4-Gbps firewall, and a minimum of five spare IP addresses are available for a 25 Gbps firewall.
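The considerations above (no stateful rules on the firewall subnet, rules that actually let traffic reach the firewall, and enough spare IPs for NAT) can be checked before you create the firewall. The following is an added example, not Oracle's code: it runs over a constructed security list shaped like `oci network security-list get` JSON output, and assumes that OCI reserves three addresses per subnet (`RESERVED_PER_SUBNET`).

```python
import ipaddress
import json

# Spare addresses the page requires on the firewall subnet when NAT is enabled.
NAT_SPARE_IPS = {"4Gbps": 4, "25Gbps": 5}

# Assumption: OCI reserves the first two and the last address of every subnet.
RESERVED_PER_SUBNET = 3


def stateful_rules(rules):
    """Security list / NSG rules are stateful unless 'is-stateless' is true."""
    return [r for r in rules if not r.get("is-stateless", False)]


def spare_ips(subnet_cidr, used_ips, reserved=RESERVED_PER_SUBNET):
    """Addresses still free in the subnet after reserved and in-use ones."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    used = {ipaddress.ip_address(ip) for ip in used_ips}
    outside = [str(ip) for ip in used if ip not in net]
    if outside:
        raise ValueError(f"addresses not in {subnet_cidr}: {outside}")
    return net.num_addresses - reserved - len(used)


def preflight(security_list_json, subnet_cidr, used_ips, bandwidth, nat=True):
    """Return a list of findings; an empty list means the subnet is ready."""
    data = json.loads(security_list_json)["data"]
    ingress = data.get("ingress-security-rules", [])
    egress = data.get("egress-security-rules", [])
    findings = []
    for r in stateful_rules(ingress + egress):
        findings.append(f"stateful rule on firewall subnet: {r.get('description', r)}")
    if not ingress:
        findings.append("no ingress rules: traffic is dropped before the firewall sees it")
    if nat:
        free = spare_ips(subnet_cidr, used_ips)
        need = NAT_SPARE_IPS[bandwidth]
        if free < need:
            findings.append(f"NAT needs {need} spare IPs for {bandwidth}, subnet has {free}")
    return findings


# Constructed sample shaped like `oci network security-list get` output.
SAMPLE_SECURITY_LIST = json.dumps({"data": {
    "ingress-security-rules": [
        {"description": "allow all in", "is-stateless": False, "protocol": "all", "source": "0.0.0.0/0"}],
    "egress-security-rules": [
        {"description": "allow all out", "is-stateless": True, "protocol": "all", "destination": "0.0.0.0/0"}],
}})

if __name__ == "__main__":
    for f in preflight(SAMPLE_SECURITY_LIST, "10.0.1.0/29", ["10.0.1.2", "10.0.1.3"], "4Gbps"):
        print("FINDING:", f)
```

On the sample, the stateful ingress rule and the /29 with only three spare addresses both produce findings.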
    1. Open the navigation menu, and select Identity & Security. Under Firewalls, select Network Firewalls policies.
    2. Select Create Network Firewall.
    3. In the Name box, enter a descriptive name for the firewall. Avoid entering confidential information.
    4. In the Create in compartment list, select a compartment to create the firewall in.
    5. In the Network Firewall policy list, select a firewall policy to associate with this firewall. If no policies are displayed, change the policy compartment.
      Note

      If you associate this firewall with a new or upgraded policy, the firewall only uses the new or upgraded policy. You can't later associate this firewall with an old, non-upgraded policy.

    6. In the Virtual cloud network list, select a VCN. Change the VCN compartment if needed.
    7. In the Subnet list, select a subnet. You can select public or private regular or regional subnets. Change the subnet compartment if needed.
    8. To use a network security group (NSG) to control traffic to and from the firewall, select Use network security groups to control traffic, and then select an NSG. To add more NSGs, select Add another network security group.
    9. To enter an IPv4 address, an IPv6 address, or both, select I want to manually assign the IP address from the subnet to the firewall. If you don't select this option and enter an IP address, an IP address is assigned automatically.
    10. Observe the Enable NAT on firewall toggle. If the Network firewall policy you selected earlier contains NAT rules, this option is automatically enabled for you. To disable NAT on this firewall, you must either remove the NAT rules from the policy or select a different policy.
      See About NAT rules and Add a NAT Rule to a Firewall Policy for more about NAT rules. To delete a NAT rule from a firewall policy, see Delete a Rule from a Firewall Policy.
    11. Under the Firewall Scope, select Deploy to a single availability domain in the region to deploy the firewall to a specific availability domain.
      Regional firewalls are deployed across all availability domains in a region. Availability domain-specific firewalls are deployed within a specific AD. For more information about availability domains, see Regions and Availability Domains.
      Important

      A firewall that's deployed to a single availability domain can't be changed to a regional firewall later.
    12. In the Tags section, add one or more tags to the firewall.
      If you have permissions to create a resource, then you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you're not sure whether to apply tags, skip this option or ask an administrator. You can apply tags later.
    13. Select Create network firewall.

      A work request is created to provision a firewall resource to the Cloud account. To view the work request, select the Work requests tab on the details page for the firewall. You can verify that the firewall is created when its status is set to Active.

  • Use the network-firewall network-firewall create command and required parameters to create a firewall.
    oci network-firewall network-firewall create --compartment-id compartment_id --subnet-id subnet_id --network-firewall-policy-id network_firewall_policy_id [OPTIONS]

    For a complete list of flags and variable options for CLI commands, see the Command Line Reference.

  • Use the CreateNetworkFirewall operation to create a firewall.