New release of Network Firewall

API versions affected: 20230501

This release includes the following enhancements:

Added support for inspecting tunnel traffic: Firewall policy components can now inspect mirrored out-of-band traffic in addition to in-line traffic paths. Use tunnel inspection rules to inspect and analyze your clear-text VXLAN tunnel traffic.

Access to mapped secrets using resource principal-based policies: For certificate authentication, you can now manage your mapped secrets in the Vault service using resource principal-based policies.

Enhanced firewall logging: Logging of more than 5000 log lines within 5-minute intervals is now supported in conjunction with higher-shape firewalls.

Enhanced bulk importing for firewall policy components: You can now import tunnel inspection rules in bulk with the bulk import template.

New log for monitoring tunnel inspection for firewalls: Monitor your tunnel inspection with the help of the new tunnel inspection log.

IAM policy deprecation for Certificate Authentication: If you are using Certificate Authentication to decrypt traffic with firewall policy rules, the IAM policies have changed to give you more control when allowing the Network Firewall service access to Vault service secrets. One IAM policy was deprecated and two new IAM policies were added. Update your policies in the IAM service.

Deprecated policy:
allow service ngfw-sp-prod to read secret-family in compartment <compartment_name>

New policies:

To allow all firewall policies access to Vault service secrets:
Allow any-user to read secret-family in compartment <compartment_ID> where ALL {request.principal.type='networkfirewallpolicy'}

To allow one firewall policy access to Vault service secrets:
Allow any-user to read secret-family in compartment <compartment_ID> where ALL {request.principal.type='networkfirewallpolicy', request.principal.id='<Network Firewall Policy OCID>'}
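The following is an added example for auditing this migration; it is not Oracle's code or part of the release. It classifies a set of IAM policy statements into the deprecated service-principal form, the two new resource-principal forms, and any any-user statement that is not restricted to the networkfirewallpolicy principal type. The statement texts, compartment name and OCIDs in the sample set are constructed placeholders.

```python
import re

# Statement shapes taken from the release note. Compartment name and OCIDs in
# SAMPLE_STATEMENTS are constructed placeholders, not real identifiers.
DEPRECATED_RE = re.compile(
    r"^allow\s+service\s+ngfw-sp-prod\s+to\s+read\s+secret-family\s+in\s+compartment\s+\S+\s*$",
    re.IGNORECASE)
RESOURCE_PRINCIPAL_RE = re.compile(
    r"^allow\s+any-user\s+to\s+read\s+secret-family\s+in\s+compartment\s+(?:id\s+)?\S+"
    r"(?:\s+where\s+(.+?))?\s*$",
    re.IGNORECASE)
CONDITION_RE = re.compile(r"request\.principal\.(type|id)\s*=\s*'([^']*)'", re.IGNORECASE)

SAMPLE_STATEMENTS = [
    "allow service ngfw-sp-prod to read secret-family in compartment fw-secrets",
    "Allow any-user to read secret-family in compartment fw-secrets where ALL "
    "{request.principal.type='networkfirewallpolicy', "
    "request.principal.id='ocid1.networkfirewallpolicy.oc1..EXAMPLE'}",
    "Allow any-user to read secret-family in compartment fw-secrets where ALL "
    "{request.principal.type='networkfirewallpolicy'}",
    "Allow any-user to read secret-family in compartment fw-secrets",
]

def parse_conditions(where_clause):
    """Map each request.principal.<key> condition to its quoted value."""
    return {k.lower(): v for k, v in CONDITION_RE.findall(where_clause or "")}

def audit(statements):
    """Sort secret-family read statements into the buckets that matter for the migration."""
    findings = {"deprecated": [], "all_policies": [], "single_policy": [],
                "unscoped": [], "other": []}
    for stmt in statements:
        stmt = stmt.strip()
        if DEPRECATED_RE.match(stmt):
            findings["deprecated"].append(stmt)
            continue
        m = RESOURCE_PRINCIPAL_RE.match(stmt)
        if not m:
            findings["other"].append(stmt)
            continue
        cond = parse_conditions(m.group(1))
        if cond.get("type") != "networkfirewallpolicy":
            findings["unscoped"].append(stmt)  # any-user read with no firewall-policy principal restriction
        elif "id" in cond:
            findings["single_policy"].append(stmt)
        else:
            findings["all_policies"].append(stmt)
    return findings

def migration_ready(findings):
    """True when the deprecated statement is gone, a replacement exists, and nothing is unscoped."""
    return (not findings["deprecated"] and not findings["unscoped"]
            and bool(findings["all_policies"] or findings["single_policy"]))
```

Feed it the statements of the policies that grant secret-family access; an "unscoped" hit means a read grant reachable by principals other than network firewall policies and should be tightened before the deprecated statement is removed.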