Create a Firewall

Use the Network Firewall service to create a firewall.

Important

For better performance, don't add stateful rules to the security list attached to the firewall subnet or include the firewall in a network security group (NSG) that contains stateful rules.
Security list or NSG rules associated with the firewall subnet and VNICs are evaluated before the firewall. Ensure that security list or NSG rules allow the traffic to enter the firewall so that it can be evaluated appropriately.
If the policy that you use with the firewall doesn't have any rules specified, the firewall denies all traffic.

1. On the navigation menu, select Identity & Security. Go to Firewalls, select Network Firewalls.
2. Select Create network firewall.
3. In the Name box, enter a name.
4. In the Create in compartment list, select a compartment to create the firewall in.
5. In the Network firewall policy list, select a firewall policy to associate with this firewall. If no policies display, try checking the compartment.
  
  Note
  
  If you associate this firewall with a new or upgraded policy, the firewall only uses the new or upgraded policy. You can't later associate this firewall with an old, non-upgraded policy.
6. In the Virtual cloud network list, select a VCN.
7. In the Subnet list, select a subnet. You can select public or private regular or regional subnets.
8. To choose a network security group (NSG) to control traffic to and from the firewall, select the Use network security groups to control traffic checkbox. To add more NSGs, select +Add another network security group.
9. To enter an IPv4 address, an IPv6 address, or both, select the I want to manually assign the IP address from the subnet to the firewall checkbox. If you don't select this option, the IP address is automatically assigned.
10. (Optional) Select Show advanced options: and provide the following values:
  
  On the Firewall Scope tab, select Deploy to a single Availability domain in the region to deploy the firewall to a specific Availability domain.
  
  Regional firewalls are deployed across all availability domains in a region. Availability domain-specific firewalls are deployed within a specific AD. For more information about availability domains, see Regions and Availability Domains.
  Important
  
  A firewall that's deployed to a single Availability domain can't be changed to regional later.
  
  To create tags for the firewall, go to the Tagging tab.
11. Select Create network firewall.
  
  A work request is created to provision a firewall resource to the Cloud account. To view the work request, under Resources, select Work requests. You'll know when the firewall is created when it appears as Active.
Use the network-firewall network-firewall create command and required parameters to create a firewall.
```
oci network-firewall network-firewall create --compartment-id compartment_id
 --subnet-id subnet_id --network-firewall-policy-id network_firewall_policy_id[OPTIONS]
```
For a complete list of flags and variable options for CLI commands, see the Command Line Reference.
Use the CreateNetworkFirewall operation to create a firewall.

Next Step

Route traffic to the firewall

Oracle Cloud Infrastructure Documentation

Create a Firewall

Next Step 🔗

Next Step