Create a Firewall

Use the Network Firewall service to create a firewall.

Important

  • For better performance, don't add stateful rules to the security list attached to the firewall subnet or include the firewall in a network security group (NSG) that contains stateful rules.
  • Security list or NSG rules associated with the firewall subnet and VNICs are evaluated before the firewall. Ensure that security list or NSG rules allow the traffic to enter the firewall so that it can be evaluated appropriately.
  • If the policy that you use with the firewall doesn't have any rules specified, the firewall denies all traffic.
Note

To enable NAT on firewalls, ensure at least four spare IPs are available on the firewall subnet for a 4 Gbps firewall and a minimum of five spare IPs for a 25 Gbps firewall.
    1. On the navigation menu, select Identity & Security. Under Firewalls, select Network Firewalls.
    2. Select Create network firewall.
    3. In the Name box, enter a name.
    4. In the Create in compartment list, select a compartment to create the firewall in.
    5. In the Network firewall policy list, select a firewall policy to associate with this firewall. If no policies are listed, check that the correct compartment is selected.
      Note

      If you associate this firewall with a new or upgraded policy, the firewall only uses the new or upgraded policy. You can't later associate this firewall with an old, non-upgraded policy.

    6. In the Virtual cloud network list, select a VCN.
    7. In the Subnet list, select a subnet. You can select public or private regular or regional subnets.
    8. To use a network security group (NSG) to control traffic to and from the firewall, select the Use network security groups to control traffic checkbox. To add more NSGs, select +Add another network security group.
    9. To enter an IPv4 address, an IPv6 address, or both, select the I want to manually assign the IP address from the subnet to the firewall checkbox. If you don't select this option, the IP address is automatically assigned.
    10. Observe the Enable NAT on firewall toggle. If the Network firewall policy you selected earlier contains NAT rules, this option is automatically enabled for you. To disable NAT on this firewall, you must either remove the NAT rules from the policy or select a different policy.
      See About NAT rules and Add a NAT Rule to a Firewall Policy for more about NAT rules. To delete a NAT rule from a firewall policy, see Delete a Rule from a Firewall Policy.
    11. (Optional) Select Show advanced options and provide the following values:
      • On the Firewall Scope tab, select Deploy to a single Availability domain in the region to deploy the firewall to a specific Availability domain.

        Regional firewalls are deployed across all availability domains in a region. Availability domain-specific firewalls are deployed within a specific AD. For more information about availability domains, see Regions and Availability Domains.
        Important

        A firewall that's deployed to a single Availability domain can't be changed to regional later.
      • To create tags for the firewall, go to the Tagging tab.
    12. Select Create network firewall.

      A work request is created to provision a firewall resource to the Cloud account. To view the work request, under Resources, select Work requests. You can verify that the firewall is created when it appears as Active.

  • Use the network-firewall network-firewall create command and required parameters to create a firewall.
    oci network-firewall network-firewall create --compartment-id compartment_id
     --subnet-id subnet_id --network-firewall-policy-id network_firewall_policy_id [OPTIONS]

    For a complete list of flags and variable options for CLI commands, see the Command Line Reference.

  • Use the CreateNetworkFirewall operation to create a firewall.
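The following is an added example, not Oracle's own code: a small POSIX shell preflight wrapper around the CLI command above that rejects malformed OCIDs before a work request is spent, encodes the NAT spare-IP sizing rule from the note above, warns when a single-AD deployment is requested (it can't be changed to regional later), and composes the create command. The --display-name, --availability-domain, --ipv4-address and --wait-for-state flags are assumed from the OCI CLI and are not on this page; all OCIDs, the AD name and the IP are constructed placeholders.

```shell
#!/bin/sh
# Preflight and dry-run wrapper for "oci network-firewall network-firewall create".
# Assumed (not from the page): --display-name, --availability-domain,
# --ipv4-address and --wait-for-state flags of the OCI CLI.

# OCI identifiers start with "ocid1.<resource-type>."; reject anything else
# before a work request is created for it.
nf_is_ocid() {
  case "$2" in
    ocid1."$1".*) return 0 ;;
    *) return 1 ;;
  esac
}

# NAT sizing rule from the page: a 4 Gbps firewall needs 4 spare IPs on the
# firewall subnet, a 25 Gbps firewall needs 5.
nf_nat_ips_needed() {
  case "$1" in
    4) echo 4 ;;
    25) echo 5 ;;
    *) echo "unsupported throughput: $1 Gbps" >&2; return 1 ;;
  esac
}

# Compose the create command. Arguments: compartment subnet policy name
# [availability-domain] [ipv4]. An empty AD means a regional firewall.
nf_create_cmd() {
  comp=$1; subnet=$2; policy=$3; name=$4; ad=${5:-}; ip=${6:-}
  nf_is_ocid compartment "$comp" || { echo "bad compartment OCID" >&2; return 1; }
  nf_is_ocid subnet "$subnet" || { echo "bad subnet OCID" >&2; return 1; }
  nf_is_ocid networkfirewallpolicy "$policy" || { echo "bad policy OCID" >&2; return 1; }
  cmd="oci network-firewall network-firewall create --compartment-id $comp"
  cmd="$cmd --subnet-id $subnet --network-firewall-policy-id $policy --display-name $name"
  if [ -n "$ad" ]; then
    # Single-AD deployment is permanent: it cannot be made regional later.
    echo "warning: AD-specific firewall cannot be changed to regional" >&2
    cmd="$cmd --availability-domain $ad"
  fi
  if [ -n "$ip" ]; then
    cmd="$cmd --ipv4-address $ip"
  fi
  # Block until the work request reports the firewall as Active.
  echo "$cmd --wait-for-state ACTIVE"
}
```

Run the printed command yourself once the output looks right; the wrapper only composes it.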