Network Firewall

Oracle Cloud Infrastructure (OCI) Network Firewall is a cloud native, machine learning–powered firewall with advanced intrusion detection and prevention capabilities, supported by Palo Alto Networks® NGFW technology that scales automatically.

Use cases for OCI Network Firewall

View more OCI Network Firewall scenarios

OCI Network Firewall use case diagram, description below

This image shows four common use cases for OCI Network Firewall:

  1. Use a native, managed network firewall service
  2. Secure traffic between on-premises environments and OCI
  3. Secure traffic between OCI and the internet
  4. Secure traffic between virtual cloud networks

Use a native, managed network firewall service
In this first use case, a network firewall is shown in a virtual cloud network along with other cloud native services that include virtual machines and object storage.

OCI Network Firewall is a cloud native, managed service that is fully integrated into Oracle Cloud Infrastructure.

Secure traffic between on-premises environments and OCI
In the second use case, a virtual cloud network is logically connected to a customer’s on-premises environment. The virtual cloud network has a network firewall where network traffic logically enters from the on-premises environment before it can reach the resources in the virtual cloud network, shown as virtual machines.

The network firewall inspects all traffic entering from and exiting to the on-premises environment. It protects resources in OCI from actions and traffic in the on-premises environment.

Secure traffic between OCI and the internet
In the third use case, a virtual cloud network is logically connected to the internet. The virtual cloud network has a network firewall where network traffic logically enters from the internet.

This virtual cloud network is then logically connected to another virtual cloud network, which has resources, shown here as virtual machines.

The network firewall inspects all traffic entering from and exiting to the internet. It protects resources in OCI from actions and traffic from the internet that are accessing the capabilities of resources in a virtual cloud network.

Secure traffic between virtual cloud networks
In the fourth use case, there are three virtual cloud networks. The first and third virtual cloud networks are both logically connected to the second virtual cloud network. The first and third virtual cloud networks have resources, shown here as virtual machines.

All traffic between resources in the first and third virtual cloud network must pass through the second virtual cloud network, which has a network firewall.

The network firewall inspects all traffic between the first and third virtual cloud networks, protecting resources in each virtual cloud network from malicious activity in the other.

Benefits of OCI Network Firewall


1. A transparent addition to your OCI network

You can add OCI Network Firewall to your environment without disturbing existing network flows.

2. Customizable, granular security policies

OCI Network Firewall offers granular security policies that include traditional protocol filtering and (as of mid-2024) application-specific traffic recognition, reducing the attack surface beyond just protocols and ports.

3. Advanced threat protection and prevention

OCI Network Firewall offers a best-in-class threat engine designed to automatically act against known malware, spyware, command-and-control attacks, and vulnerability exploits. Benefit from Palo Alto Networks’ advanced technology to detect and prevent intrusions.

How does OCI Network Firewall work?

OCI Network Firewall is a next-generation, managed network firewall and intrusion detection and prevention service for OCI VCNs, powered by Palo Alto Networks.

OCI Network Firewall is a highly available and scalable instance that you create in a subnet. The firewall applies business logic specified in a firewall policy attached to the network traffic. Routing in the VCN is used to direct traffic to and from the firewall. OCI Network Firewall provides a throughput of 4 Gb/sec, but you can request an increase up to 25 Gb/sec. The first 10 TB of data is processed at no additional charge.

Firewall policies identify traffic based on a combination of attributes: network protocol types, TCP or UDP protocols with port numbers, fully qualified domain names with optional wildcards, URLs, and IP addresses (both IPv4 and IPv6 are supported). A policy can accept traffic, reject traffic, inspect it for intrusion, or actively defend against intrusion.

OCI Network Firewall is typically deployed to secure traffic between OCI and external environments, such as on-premises systems, the internet, and other clouds. The firewall can also secure internal OCI traffic, e.g., between two VCNs.

Read the documentation

Network Firewall diagram, description below

This image features a logical layout of resources and connections to show how OCI Network Firewall can be deployed to inspect and protect network traffic.

A typical OCI region is shown, which contains a single virtual cloud network. There are three subnets within the virtual cloud network. The first subnet is accessible from outside the virtual cloud network and contains the network firewall. The network firewall has an IP address of 192.168.0.10.

This subnet also has a resource, shown here as a virtual machine. The virtual machine has an IP address of 192.168.0.97.

The second subnet is private and contains a flexible load balancer. It is bidirectionally connected with the subnet containing the network firewall. The flexible load balancer has an IP address of 192.168.1.15.

The third subnet is private and contains resources, shown here as two virtual machines. The virtual machines have the IP addresses 192.168.20.1 and 192.168.20.2. The subnet is bidirectionally connected to the second subnet.

The network firewall in the first subnet is connected to an internet gateway and a dynamic routing gateway, both of which are available in the containing virtual cloud network.

The internet gateway is bidirectionally connected to the internet.

The dynamic routing gateway is bidirectionally connected to customer premises equipment in an on-premises environment.

Traffic from the internet first passes through the internet gateway and then to the network firewall. Traffic is inspected by the network firewall. If the traffic is allowed, it may pass to resources in the same subnet or it may pass to the load balancer in the second subnet, which will then forward the traffic to resources in the third subnet.

Alternatively, traffic from the on-premises enviornment passes first through the dynamic routing gateway and then to the network firewall. Traffic is inspected by the network firewall. If the traffic is allowed, it may pass to resources in the same subnet or it may pass to the load balancer in the second subnet, which will then forward the traffic to resources in the third subnet.

Product tour

Set up your ML-powered network defense

Create network firewall view

Create a network firewall

A network firewall instance connects a policy, a VCN, and a subnet within the VCN. You can specify additional options, limit the scope, and attach tags.

Create security rule view

Create a security rule

Security policies are made up of security rules. Security rules connect a combination of source addresses, destination addresses, applications, services, and URLs with an action.

Create application view

Create an application list

Applications are a selection of protocol types that you can use to identify traffic for security policies. You can select from a list of common types or enter a protocol number.

You can also combine multiple applications into a convenient application list (not shown).

Create service view

Create a service list

Services are a selection of TCP or UDP protocols that you can use to identify traffic for security policies. You can enter a range or multiple ranges.

You can also combine multiple services into a convenient service list (not shown).

Create URL list view

Create a URL list

URLs are lists of resource names, often web addresses, that you can use to identify traffic for security policies. You can enter up to a 1,000 URLs in a single list.

Create service view

Create an address list

Create a list of IP addresses, both IPv4 and IPv6, or a CIDR block range that you can use to identify traffic for security policies. You can enter up to 1,000 addresses (or ranges) in a single list.

Reference architectures

A well-planned network design can set the stage for a successful implementation—and make the network easier for your team and organization to use. By planning your network design before deployment, you can ensure that your design meets all your requirements and avoid potential barriers to a successful deployment later on.

OCI Network Firewall – Concepts and Deployment

This blog covers the general functions of OCI Network Firewall and how to deploy it.

Protect Websites and Applications with OCI Network Firewall

This hands-on tutorial shows how to protect traffic directed to multiple websites and applications deployed in multiple backends using OCI Network Firewall and OCI Load Balancers.

OCI Network Firewall Traffic Decryption with SSL Inbound Inspection

This blog covers the inbound SSL decryption in OCI Network Firewall using an RSA public certificate.

Get started with Network Firewall


Oracle Cloud Free Tier

Build, test, and deploy applications on Oracle Cloud—for free. Sign up once, get access to two free offers.


Contact sales

Interested in learning more about Oracle Cloud Infrastructure? Let one of our experts help.

* Network Firewall requires a paid OCI account, either as a pay-as-you-go or Universal Credits contract.

注:为免疑义,本网页所用以下术语专指以下含义:

  1. Oracle专指Oracle境外公司而非甲骨文中国。
  2. 相关Cloud或云术语均指代Oracle境外公司提供的云技术或其解决方案。