Network Firewall FAQ


Overview of OCI Network Firewall

What is Oracle Cloud Infrastructure (OCI) Network Firewall?

OCI Network Firewall is a cloud native managed firewall service that’s built using industry-leading Palo Alto Networks’ next-generation firewall technology. It's a stateful network firewall service that is highly scalable, with built-in regional high availability. With Network Firewall’s flexible policy enforcement, you can easily apply granular security controls to inbound, outbound, and lateral traffic to your workloads on OCI. You can configure OCI Network Firewall to monitor (log), filter (allow/deny), and generate events and alarms based on match criteria such as IP address, URL, and application layer metadata.

What are the key benefits of OCI Network Firewall?

OCI Network Firewall offers best-in-class, machine learning–powered, next-generation firewall capabilities to protect your OCI workloads, and it’s extremely easy to consume. It’s a turnkey firewall-as-a-service offering that enables you to immediately take advantage of the firewall without the need to configure and manage additional security infrastructure. With OCI Network Firewall, you can quickly turn on and secure your applications and cloud environment with advanced firewall features and scale your security across your cloud deployment. You can centrally manage network firewall security policies and easily enforce them across your virtual cloud networks (VCNs).

Capabilities of OCI Network Firewall

What are the capabilities supported by OCI Network Firewall?

OCI Network Firewall allows you to monitor and apply granular security controls on your VCN to enable use cases such as segmenting workloads, protecting against both inbound and outbound threats, and meeting compliance requirements. It supports stateful filtering and advanced threat protection capabilities—including custom URL filtering, intrusion detection and prevention, and Transport Layer Security (TLS) inspection—to help prevent malicious traffic and malware propagation. To learn about OCI Network Firewall features, see the documentation.

What is the difference between security lists, network security groups (NSGs), and Network Firewall?

Security lists are regional resources that act as virtual firewalls for compute instances, with ingress and egress rules that specify the types of traffic allowed in and out. Each security list is enforced at the VNIC level, but it is configured at the subnet level, so all VNICs in a given subnet are subject to the same set of security lists. Each subnet can have multiple security lists associated with it, and each list can have multiple rules. A given packet is allowed if any rule in any of the lists allows the traffic, or if the traffic is part of an existing connection being tracked.

Network security groups are regional resources that act as virtual firewalls for your compute instances. An NSG consists of a set of ingress and egress rules that apply only to a specific VNIC or set of VNICs in a single VCN. Both security lists and NSGs use security rules. A security rule allows a particular type of traffic in or out of a VNIC and operates at layer 3 or 4. For example, a commonly used security rule allows ingress TCP port 22 traffic for establishing Secure Shell (SSH) connections to the instance’s VNIC(s). Without security rules, no traffic is allowed in or out of the VNICs in the VCN.
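The evaluation semantics described above (a packet passes if any rule in any attached security list matches, and replies to a stateful match pass because the connection is tracked) can be modelled in a few lines. This is an added illustration, not Oracle's code; the rule shape, the flow key and the sample traffic are simplified assumptions chosen for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One security rule. `source` is the remote peer's CIDR; `port` is the
    instance-side port (None matches any); stateful rules track connections."""
    direction: str            # "ingress" or "egress"
    protocol: str             # "tcp", "udp", "icmp" or "all"
    source: str               # CIDR of the remote peer
    port: Optional[int] = None
    stateful: bool = True


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str
    remote_ip: str
    port: int                 # instance-side port for both directions (simplification)


class SecurityListEvaluator:
    """Union-of-rules evaluation across all security lists on a subnet,
    plus a simple connection-tracking table for stateful matches."""

    def __init__(self, security_lists: list[list[Rule]]):
        self.security_lists = security_lists
        self.tracked: set[tuple[str, str, int]] = set()

    @staticmethod
    def _matches(rule: Rule, pkt: Packet) -> bool:
        return (rule.direction == pkt.direction
                and rule.protocol in (pkt.protocol, "all")
                and ip_address(pkt.remote_ip) in ip_network(rule.source)
                and rule.port in (None, pkt.port))

    def allow(self, pkt: Packet) -> bool:
        flow = (pkt.protocol, pkt.remote_ip, pkt.port)
        if flow in self.tracked:          # reply to an already-allowed connection
            return True
        for rules in self.security_lists:  # any rule in any list is enough
            for rule in rules:
                if self._matches(rule, pkt):
                    if rule.stateful:
                        self.tracked.add(flow)
                    return True
        return False                       # no rule matched: implicit deny
```

Note that because lists are unioned, a permissive rule in any one list attached to the subnet overrides tighter rules in the others; that is the reason to review every list attached to a subnet, not just the one you edited.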

Network Firewall is a regional service built on advanced, next-generation firewall technology. It supports traditional firewall capabilities such as stateful filtering, as well as intrusion detection and prevention, URL filtering, and intra-VCN traffic inspection and analysis. It can be configured to monitor (log), filter (allow/deny), and generate events and alarms based on layer 3 to layer 7 traffic match criteria such as IP address, URL, and application layer metadata.

What is the difference between OCI Web Application Firewall (WAF) and OCI Network Firewall?

OCI Web Application Firewall (WAF) is primarily focused on the security of web applications and operates at layer 7 (HTTP). A WAF sits between users and web applications to detect and block inbound malicious requests and exploits of security flaws in the web application. WAF helps stop specific layer 7 attacks against the web application, whether it’s an attempt to exploit code-level vulnerabilities, such as SQL injection and other OWASP Top 10 vulnerabilities, or a layer 7 DDoS attack. OCI Network Firewall enforces advanced security policies that provide inbound and outbound protection for layer 3 to layer 7. For example, OCI Network Firewall can be used for non-HTTP(S) protocols such as FTP, SSH, and Simple Mail Transfer Protocol (SMTP). OCI Network Firewall helps identify, monitor, and control applications, users, and content traversing the network.

What is the difference between OCI Network Firewall and the other firewall services in OCI Marketplace?

OCI Network Firewall complements and augments existing network and application security services such as security lists, NSGs, and WAF by providing control of and visibility into your layer 3 to layer 7 traffic. It’s a fully managed, cloud native security service with built-in high availability and on-demand cloud scalability. You may choose to deploy OCI Network Firewall along with your existing security controls or OCI Marketplace appliances depending on your use cases.

OCI Network Firewall deployment details

What is the typical deployment model for OCI Network Firewall?

You can configure VCN routing to compose OCI Network Firewall with other network functions—including, but not limited to, OCI gateways—for security enforcement in arbitrary network topologies. The most common deployment models for OCI Network Firewall are centralized (hub and spoke) and distributed. With the centralized model, OCI Network Firewall is deployed in a dedicated hub VCN, and the applications are deployed in spoke VCNs. You can use the VCN transit routing feature to route your traffic through the firewall instance before it is sent on to another network. With the distributed model, you deploy and enforce OCI Network Firewall within each of your VCNs or subnets, using intra-VCN routing to place it closer to the applications.

What is a network firewall policy?

A network firewall policy is a collection of rules that makes up the overall configuration of your OCI Network Firewall instance. It consists of customer-defined rules governing inbound, outbound, and lateral network and application traffic. Examples of these rules include stateful network filtering, URL filtering, and intrusion detection and prevention.

Can OCI Network Firewall inspect encrypted traffic?

Yes, OCI Network Firewall can inspect both inbound and outbound encrypted traffic. It’s integrated with OCI Vault, enabling you to securely store your private keys. For more information, refer to the documentation.

Can I use OCI Network Firewall to inspect traffic passing through an OCI gateway?

Yes, you can inspect traffic entering or leaving a VCN through OCI gateways (including DRGs, IGWs, NAT GWs, SGWs, and LPGs) and private access (private endpoint) using Network Firewall before forwarding it to the destination. For more information, refer to the documentation.

Can I use OCI Network Firewall to inspect traffic passing between my subnets?

Yes, you can route and inspect intra-VCN traffic between two subnets through OCI Network Firewall. For more information, refer to the documentation.

Does OCI Network Firewall support logging and monitoring services?

Network Firewall is integrated with OCI monitoring and logging services. You can enable alerts based on the number of blocked requests and other firewall instance metrics and perform search, filter, and alert operations on the log metadata.

Does OCI Network Firewall support IPv6 traffic?

Yes. Network Firewall supports the inspection of IPv6 traffic.