Add a Tunnel Inspection Rule to a Firewall Policy

Tunnel inspection rules contain a set of criteria against which a network packet is matched and then inspected.

Before you can create a tunnel inspection rule, you must create address lists.

The specified source and destination match condition for the traffic consists of lists that you configure in the policy before you construct the rule. You can create a maximum of 500 tunnel inspection rules for each policy.

When the specified source and destination match condition is met, the firewall applies a default Palo Alto Networks® tunnel inspection profile. The profile has the following characteristics, and isn't editable:

  • Protocol: VXLAN
  • Maximum Tunnel Inspection Levels: One level of encapsulation is inspected
  • Return scanned VXLAN tunnel to source: True. Returns the encapsulated packet to the originating VXLAN tunnel endpoint (VTEP).

  • Using the Console:
    1. Open the navigation menu, and select Identity & Security. Under Firewalls, select Network Firewall policies.
    2. Select the compartment that contains the firewall policy that you want to add a tunnel inspection rule to.
    3. Select the policy.
    4. On the details page, select the Rules tab.
    5. From within the Tunnel inspection rules table, select Create tunnel inspection rule.
    6. Enter information for the rule:
      • Name: Enter a name for the tunnel inspection rule. Avoid entering confidential information.
      • Match condition: Specify source and destination addresses that must match for the rule to take effect. You can select any of the address lists that you created. If you haven't already created any address lists, select Create address list from the Actions menu and see Create an Address List.
      • Rule action: Specify the action that you want to take if the match condition is met:
        • Inspect: Performs tunnel inspection on matching traffic.
        • Inspect and capture log: Performs tunnel inspection on matching traffic and generates logs for the tunnel session.
      • Rule order: Select the position of the rule in relation to other tunnel inspection rules in the policy. The firewall applies the tunnel inspection rules in the specified order from first to last.

        Custom position is enabled only if you create more than one tunnel inspection rule. If you select it, specify whether you want this rule to come before an existing rule, or after an existing rule. Then, specify the existing rule you want the new rule to come before or after.

    7. Select Create tunnel inspection rule.
  • Use the network-firewall tunnel-inspection-rule create command and required parameters to create a tunnel inspection rule:

    oci network-firewall tunnel-inspection-rule create --name my_tunnel-inspection_rule --network-firewall-policy-id <network_firewall_policy_OCID> \
    --condition '[{"sourceAddress":"IP_address"},{"destinationAddress":"IP_address"}]' ...[OPTIONS]

    For a complete list of parameters and values for CLI commands, see the CLI Command Reference.

  • Run the <<<API LINK PLACEHOLDER>> operation to create a tunnel inspection rule.
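The constraints this page states (the match condition references address lists that must already exist in the policy, a limit of 500 tunnel inspection rules per policy, two possible rule actions, and rule order evaluated first to last with custom before/after placement) are easy to get wrong when rules are scripted rather than clicked through. The following is an added preflight checker written for this page, not Oracle's code and not the OCI CLI or SDK: it models a policy in memory, rejects rules that would fail the stated constraints, places a new rule before or after an existing one, and shows which rule a given source/destination pair would hit first. The action spellings `INSPECT` and `INSPECT_AND_CAPTURE_LOG`, the dataclass fields, and the sample address lists are assumptions constructed for the demo.

```python
"""Preflight checks for tunnel inspection rules (added illustration, not Oracle's code)."""
import ipaddress
from dataclasses import dataclass, field

MAX_TUNNEL_INSPECTION_RULES = 500                  # limit stated on the page
ACTIONS = {"INSPECT", "INSPECT_AND_CAPTURE_LOG"}   # assumed spelling of the two rule actions


@dataclass
class TunnelInspectionRule:
    name: str
    source_lists: list          # names of address lists already in the policy
    destination_lists: list
    action: str = "INSPECT"


@dataclass
class Policy:
    address_lists: dict         # address list name -> list of CIDR strings
    rules: list = field(default_factory=list)   # evaluated first to last


def validate_rule(policy, rule):
    """Return the reasons the rule cannot be added to the policy (empty list means OK)."""
    problems = []
    if not rule.name.strip():
        problems.append("rule name is empty")
    if rule.action not in ACTIONS:
        problems.append(f"unknown action {rule.action!r}")
    if not rule.source_lists or not rule.destination_lists:
        problems.append("match condition needs at least one source and one destination list")
    for name in rule.source_lists + rule.destination_lists:
        if name not in policy.address_lists:
            problems.append(f"address list {name!r} does not exist in the policy; create it first")
    if any(r.name == rule.name for r in policy.rules):
        problems.append(f"a rule named {rule.name!r} already exists")
    if len(policy.rules) >= MAX_TUNNEL_INSPECTION_RULES:
        problems.append(f"policy already has {MAX_TUNNEL_INSPECTION_RULES} tunnel inspection rules")
    return problems


def add_rule(policy, rule, before=None, after=None):
    """Insert the rule at the requested position; return the resulting order of rule names."""
    problems = validate_rule(policy, rule)
    names = [r.name for r in policy.rules]
    if before is not None and after is not None:
        problems.append("choose either 'before' or 'after', not both")
    anchor = before if before is not None else after
    if anchor is not None and anchor not in names:
        problems.append(f"cannot position relative to unknown rule {anchor!r}")
    if problems:
        raise ValueError("; ".join(problems))
    if anchor is None:
        policy.rules.append(rule)            # no custom position: the rule goes last
    else:
        policy.rules.insert(names.index(anchor) + (0 if before is not None else 1), rule)
    return [r.name for r in policy.rules]


def _address_in_lists(policy, ip, list_names):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr, strict=False)
               for name in list_names for cidr in policy.address_lists[name])


def first_matching_rule(policy, src_ip, dst_ip):
    """Rules apply first to last: return the first rule whose condition matches, or None."""
    for rule in policy.rules:
        if (_address_in_lists(policy, src_ip, rule.source_lists)
                and _address_in_lists(policy, dst_ip, rule.destination_lists)):
            return rule.name
    return None


def demo():
    """Constructed sample policy: two VTEP subnets plus one broad catch-all list."""
    policy = Policy(address_lists={
        "vtep-east": ["10.10.0.0/16"],
        "vtep-west": ["10.20.0.0/16"],
        "any-private": ["10.0.0.0/8"],
    })
    add_rule(policy, TunnelInspectionRule("catch-all", ["any-private"], ["any-private"]))
    # Specific rule placed before the catch-all so its logging action is the one that applies.
    order = add_rule(policy,
                     TunnelInspectionRule("east-to-west", ["vtep-east"], ["vtep-west"],
                                          action="INSPECT_AND_CAPTURE_LOG"),
                     before="catch-all")
    return policy, order


if __name__ == "__main__":
    p, o = demo()
    print("rule order:", o)
    print("10.10.1.5 -> 10.20.7.9 hits:", first_matching_rule(p, "10.10.1.5", "10.20.7.9"))
```

The point of `first_matching_rule` is the ordering rule from the page: a broad rule placed ahead of a narrow one silently absorbs the narrow one's traffic, so check the effective order before creating the rule, whether through the Console, the CLI or the API.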