Managing Security Protocols for IP Networks

Creating a Security Protocol for IP Networks

A security protocol allows you to specify a transport protocol and the source and destination ports to be used with the specified protocol. When you create a security rule, you can specify the security protocols that you want to use to permit traffic. Only packets that match the transport protocol and ports in any of the specified security protocols will be permitted.

In a security protocol, you can specify a maximum of 32 port numbers or port range strings for Source Port Set and Destination Port Set.

To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand IP Network, and then click Security Protocols.
  4. Click Create Security Protocol.
  5. Select or enter the required information:
    • Name: Enter a name for the security protocol.
    • IP Protocol: Select a protocol or enter a number in the range 0–254 to represent the protocol that you want to specify. See Assigned Internet Protocol Numbers (http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml).

      Traffic is enabled by a security rule when the protocol in the packet matches the protocol specified here. If no protocol is specified, all protocols are allowed.

    • Source Port Set: Enter a list of port numbers or port range strings. Traffic is enabled by a security rule when a packet's source port matches the ports specified here.

      For TCP, SCTP, and UDP, each port is a source transport port, between 0 and 65535, inclusive. For ICMP, each port is an ICMP type, between 0 and 255, inclusive.

      If no source ports are specified, all source ports or ICMP types are allowed.

    • Destination Port Set: Enter a list of port numbers or port range strings. Traffic is enabled by a security rule when a packet's destination port matches the ports specified here.

      For TCP, SCTP, and UDP, each port is a destination transport port, between 0 and 65535, inclusive. For ICMP, each port is an ICMP type, between 0 and 255, inclusive.

      If no destination ports are specified, all destination ports or ICMP types are allowed.

    • Description: Enter a meaningful description for the security protocol.
    • Tags: Enter one or more tags to help you identify the security protocol.
  6. Click Create.
    The security protocol is created.

To create a security protocol using the CLI, use the opc compute security—protocol add command. For help with that command, run the command with the -h option. For the instructions to install the CLI client, see Preparing to Use the Compute Classic CLI in CLI Reference for Oracle Cloud Infrastructure Compute Classic.

To create a security protocol using the API, use the POST /network/v1/secprotocol/ method. See REST API for Oracle Cloud Infrastructure Compute Classic.

You can also create a security protocol by using an orchestration. See Orchestration v1 Attributes Specific to Each Object Type or Orchestration v2 Attributes Specific to Each Object Type.

After creating a security protocol, to update or delete a security protocol, see Updating a Security Protocol for IP Networks or Deleting a Security Protocol for IP Networks. To use a security protocol in a security rule, see Creating a Security Rule for IP Networks.

Listing Security Protocols for IP Networks

After creating security protocols for IP networks, you can view a list of security protocols along with information about each security protocol, such as the specified transport protocol and source and destination ports.

To complete this task, you must have the Compute_Monitor or Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand IP Network, and then click Security Protocols.
The Security Protocols page displays a list of security protocols, along with information about each protocol.

To list security protocols using the CLI, use the opc compute security—protocol list command. For help with that command, run the command with the -h option. For the instructions to install the CLI client, see Preparing to Use the Compute Classic CLI in CLI Reference for Oracle Cloud Infrastructure Compute Classic.

To list security protocols using the API, use the GET /network/v1/secprotocol/container/ method. See REST API for Oracle Cloud Infrastructure Compute Classic.

After listing security protocols, to update or delete a security protocol, see Updating a Security Protocol for IP Networks or Deleting a Security Protocol for IP Networks. To use a security protocol in a security rule, see Creating a Security Rule for IP Networks.

Updating a Security Protocol for IP Networks

After creating a security protocol, if required, you can change the transport protocol or the source and destination ports specified in the security protocol.

In a security protocol, you can specify a maximum of 32 port numbers or port range strings for Source Port Set and Destination Port Set.

Prerequisites

  • To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

Note:

You should always use your orchestrations to manage resources that you’ve created using orchestrations. Don’t, for example, use the web console or the CLI or REST API to update an object that you created using an orchestration. This could cause your orchestration to either attempt to re-create the object and associated resources, or to go into an error state. See Workflows for Updating Orchestrations v2.

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand IP Network, and then click Security Protocols.
  4. Go to the security protocol that you want to update, and from the menu icon menu, select Update.
  5. Update the information, as required:
    • IP Protocol: Select a protocol or enter a number between 0 and 254. Traffic is enabled by a security rule when the protocol in the packet matches the protocol specified here. If no protocol is specified, all protocols are allowed.
    • Source Port Set: Enter a list of port numbers or port range strings. Traffic is enabled by a security rule when a packet's source port matches the ports specified here.

      For TCP, SCTP, and UDP, each port is a source transport port, between 0 and 65535, inclusive. For ICMP, each port is an ICMP type, between 0 and 255, inclusive.

      If no source ports are specified, all source ports or ICMP types are allowed.

    • Destination Port Set: Enter a list of port numbers or port range strings. Traffic is enabled by a security rule when a packet's destination port matches the ports specified here.

      For TCP, SCTP, and UDP, each port is a destination transport port, between 0 and 65535, inclusive. For ICMP, each port is an ICMP type, between 0 and 255, inclusive.

      If no destination ports are specified, all destination ports or ICMP types are allowed.

    • Description: Update the description, if required.
    • Tags: Update the tags, if required.
  6. Click Update.
    The security protocol is updated.

To update a security protocol using the CLI, use the opc compute security—protocol update command. For help with that command, run the command with the -h option. For the instructions to install the CLI client, see Preparing to Use the Compute Classic CLI in CLI Reference for Oracle Cloud Infrastructure Compute Classic.

To update a security protocol using the API, use the PUT /network/v1/secprotocol/name method. See REST API for Oracle Cloud Infrastructure Compute Classic.

After updating a security protocol, to use the security protocol in a security rule, see Creating a Security Rule for IP Networks.

Deleting a Security Protocol for IP Networks

If you no longer use a security protocol in any security rule, you can delete the security protocol.

Prerequisites

  • Ensure that the security protocol that you want to delete isn’t referenced in any security rule. If you delete a security protocol that is referenced in a security rule, that security rule won’t be used.

  • To complete this task, you must have the Compute_Operations role. If this role isn’t assigned to you or you’re not sure, then ask your system administrator to ensure that the role is assigned to you in Oracle Cloud My Services. See Modifying User Roles in Managing and Monitoring Oracle Cloud.

Note:

You should always use your orchestrations to manage resources that you’ve created using orchestrations. Don’t, for example, use the web console or the CLI or REST API to delete an object that you created using an orchestration. This could cause your orchestration to either attempt to re-create the object and associated resources, or to go into an error state.

If you created the object using orchestration v1, then you can delete the object by terminating the orchestration. See Terminating an Orchestration v1.

If you created the object using an orchestration v2, then you can delete the object by suspending, terminating, or updating the orchestration. See Suspending an Orchestration v2, Terminating an Orchestration v2, or Updating an Orchestration v2.

Procedure

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand IP Network, and then click Security Protocols.
  4. Go to the security protocol that you want to delete, and from the menu icon menu, select Delete.

To delete a security protocol using the CLI, use the opc compute security—protocol delete command. For help with that command, run the command with the -h option. For the instructions to install the CLI client, see Preparing to Use the Compute Classic CLI in CLI Reference for Oracle Cloud Infrastructure Compute Classic.

To delete a security protocol using the API, use the DELETE /network/v1/secprotocol/name method. See REST API for Oracle Cloud Infrastructure Compute Classic.