Creating a Decryption Rule
Create decryption rules that contain a set of criteria against which a network packet is matched and decrypted.
- Create a policy to contain the decryption rule.
- Set up certificate authentication using the Oracle Cloud Infrastructure Vault service to use in a mapped secret.
- Create a mapped secret to use in the decryption rule.
- Create a decryption profile to use when decrypting traffic.
See Creating Network Firewall Policy Components for more information.
When you create the rule, you choose one of three actions for matching traffic:
- Decrypt with SSL forward proxy
- Decrypt with SSL inspection
- Don't decrypt the traffic.
If you choose to decrypt, you then choose a decryption profile and mapped secret to apply when decrypting traffic. You configure decryption profiles and mapped secrets in the policy before you construct the rule.
You can have a maximum of 1,000 decryption rules for each policy. By default, each new rule you create becomes the first in the list. You can change the order of priority.
You can create decryption rules one at a time, or you can import many at once using a .json file. See Bulk Importing Network Firewall Policy Components for more information.
Some names are reserved by Palo Alto Networks®. If you create a policy component with a reserved name, the process fails with an error. See Reserved Names.
Use the network-firewall decryption-rule create command and required parameters to create a decryption rule:
oci network-firewall decryption-rule create --name my_decryption_rule --network-firewall-policy-id <network_firewall_policy_OCID> --decryption-profile <decryption_profile> --action DECRYPT --condition '[{"sourceAddress":"<IP_address>"}]' ...[OPTIONS]
For a complete list of parameters and values for CLI commands, see the CLI Command Reference.
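The following added example (not Oracle's code) assembles the CLI invocation shown above as an argv list, so the JSON condition needs no manual shell quoting, and checks the constraints this page states before the call is made: a DECRYPT rule must reference a decryption profile and a mapped secret, a policy holds at most 1,000 rules, and a new rule is placed first. It assumes the action values are the strings DECRYPT and NO_DECRYPT, that the mapped secret is passed with a `--secret` parameter, and that the policy OCID is a placeholder.

```python
"""Build and sanity-check `oci network-firewall decryption-rule create` calls.

Assumptions (not from the documentation page): actions are DECRYPT and
NO_DECRYPT, the mapped secret is passed with --secret, and rule order is a
list whose index 0 is the highest priority.
"""
import json
import shlex

MAX_RULES_PER_POLICY = 1000  # limit stated in the documentation


def build_create_argv(name, policy_ocid, action, condition,
                      decryption_profile=None, secret=None):
    """Return argv for the CLI call; raise on a rule the service would reject."""
    if action not in ("DECRYPT", "NO_DECRYPT"):
        raise ValueError(f"unknown action {action!r}")
    if not condition:
        raise ValueError("condition must contain at least one match criterion")
    argv = ["oci", "network-firewall", "decryption-rule", "create",
            "--name", name,
            "--network-firewall-policy-id", policy_ocid,
            "--action", action,
            # One argv element holds the whole condition, so the JSON is
            # passed intact regardless of the caller's shell.
            "--condition", json.dumps(condition, separators=(",", ":"))]
    if action == "DECRYPT":
        # Decrypting needs a profile and a mapped secret that already
        # exist in the policy; the CLI call fails without them.
        if not (decryption_profile and secret):
            raise ValueError("DECRYPT rules need a decryption profile and a mapped secret")
        argv += ["--decryption-profile", decryption_profile, "--secret", secret]
    return argv


def add_rule_first(existing_rule_names, new_name):
    """Model the default ordering: the new rule becomes first in the list."""
    if new_name in existing_rule_names:
        raise ValueError(f"rule {new_name!r} already exists in this policy")
    if len(existing_rule_names) >= MAX_RULES_PER_POLICY:
        raise ValueError("policy already holds the maximum of 1,000 decryption rules")
    return [new_name] + list(existing_rule_names)


if __name__ == "__main__":
    # Constructed sample values; the policy OCID is a placeholder.
    argv = build_create_argv("my_decryption_rule", "ocid1.networkfirewallpolicy.oc1..PLACEHOLDER",
                             "DECRYPT", [{"sourceAddress": "10.0.0.0/8"}],
                             decryption_profile="fwd_proxy_profile", secret="my_mapped_secret")
    print(shlex.join(argv))  # correctly quoted command line ready to run
```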
Run the CreateDecryptionRule operation to create a decryption rule.