Upgrading a Policy
A new version of the network firewall policy is available. The upgrade contains new features that give you greater flexibility and higher component limits for policies.
New Features for Oracle Cloud Infrastructure Network Firewall
- Increased limits for policy components: Policy components were previously configured as attributes of the policy. The new version refactors policy components as separate objects with their own names. This allows for a large increase in the number of components you can have in each associated policy, and the ability to move components between lists within the policy. See the table later in this topic that shows details about each component and its limits.
- Operational improvements: Updating a firewall no longer causes a connection reset.
- Bulk import policy components: You can now bulk import policy components using a .json file. You can import the maximum allowed components in one file. The Network Firewall service provides a .json template for each component type that you can download and use to construct an import file. See Bulk Importing Network Firewall Policy Components for more information.
- Easily reorder security and decryption rules: When you create or edit a rule, you can specify its position in relation to other rules in the policy. In addition to specifying the rule as the first or last rule in the list, you can specify a Custom position for the rule. A custom position lets you set the rule position as being before or after another rule in the list. You can reorder rules during creation, when editing a rule, or within the list shown in the policy details page. See Creating a Decryption Rule and Creating a Security Rule for more information.
- Search for components: Because components are now independent objects, you can use the Search function to find them by Name.
- Easy migration: Use the provided upgrade workflow to quickly and easily upgrade your policies to the new version. When you upgrade a policy, any associated firewalls are also upgraded. For more information, see the instructions included later in this document.
Policy Component Details
The following table shows each component with its previous maximum, its new maximum, and its API object name. For more information about the attributes and dependencies of each component and instructions about how to create them, see Creating Network Firewall Policy Components.
Component | Previous max | New max | APIs |
---|---|---|---|
Security rule | 25 for each policy | 10,000 for each policy | |
Decryption rule | 25 for each policy | 1,000 for each policy | |
Application Lists | 25 for each policy | 2,500 for each policy | |
Applications | NOT APPLICABLE (New component: previously an attribute of application lists) | 1,000 for each application list. 6,000 applications for each policy. | |
Service Lists | NOT APPLICABLE (New component) | 2,500 for each policy | |
Services | NOT APPLICABLE (New component) | 1,000 for each service list. 1,900 services for each policy. | |
URL Lists | 25 for each policy | | |
Address Lists | 25 for each policy | | |
Mapped Secrets | 25 for each policy | 300 for each policy | |
Decryption Profiles | 25 for each policy | 500 for each policy | |
Upgrading Network Firewall Policies
All new firewalls and policies that you create automatically use the new version of the service. Firewalls and policies that existed before the new version was released continue to use the old version of the service until you upgrade them. Each policy that uses the previous version has a notation next to it in the Policy List page so you can easily tell which policies are using the old or new version.
The upgrade process takes several minutes to complete but does not affect the traffic on any firewalls that use the policy.
Important
- During the upgrade process, you can't edit the policy or its components.
- After you upgrade a policy to use the new version, it can't be downgraded back to the old version.
- When you upgrade a policy, any associated firewall is also upgraded automatically. After the upgrade is complete, the attached firewalls can no longer use old versions of policies.
- After a firewall is upgraded, it can't be downgraded back to the old version. A firewall is upgraded when its attached policy is upgraded, or when it's switched from an old policy to an upgraded policy.