Simplifying OCI Network Firewall Policy Management with a Python Tool — Part I

Karthik Mani
6 min read · Feb 20, 2024


Managing network security policies in firewalls efficiently is crucial for ensuring robust security posture. With the Oracle Cloud Infrastructure (OCI) Network Firewall, users can now streamline the management of IP addresses, services, application lists, and security rules through bulk imports. However, to leverage this feature, users must provide configurations in JSON format. This requirement can pose challenges, especially when dealing with large-scale policy changes or migrations from existing on-premises firewalls or marketplace solutions.

To address these challenges, I have come up with an OCI Network Firewall Policy Configuration Tool — a Python script designed to simplify the creation and management of OCI Network Firewall policies. This tool automates the conversion of firewall policy configurations stored in Excel sheets into JSON format, enabling seamless bulk imports into OCI Network Firewall policies.

Features and Benefits:

  • Streamlined Policy Management: The tool enables users to efficiently manage OCI Network Firewall policies by automating the conversion of configuration data into a format suitable for bulk import.
  • Time-Saving Bulk Operations: Users can make bulk changes to their firewall policies, saving time and effort that would otherwise be spent on manual configurations.
  • Seamless Migration: Whether migrating from on-premises firewalls or other cloud providers, the tool facilitates the migration process by simplifying the conversion of security rules to OCI Network Firewall-compatible JSON format.

Key Considerations:

Please do not change the structure of the Excel file. Here’s why adhering to the correct input format is essential:

  1. Data Parsing Accuracy: The tool parses data from predefined sheets such as ‘iplist’, ‘service’, and ‘security-rules’. Any deviation from these expected sheet names can lead to parsing errors and hinder the conversion process.

  2. Column Structure Consistency: Each sheet within the Excel file must adhere to a predefined column structure expected by the tool. Any discrepancies in column names or data types can result in misinterpretation of configuration data, leading to inaccurate JSON output.

Data for ‘iplist’ Sheet:

(i) Names of IP Addresses or Services must be unique, start with a letter, and can only contain letters, numbers, spaces, a hyphen ‘-’, or an underscore. The hyphen must be followed by an alphanumeric character. Names must be between 2 and 28 characters long.

(ii) IP Addresses for each name can range from 1 (address or CIDR) to a maximum of 1,000 (address or CIDR), separated by commas.

Example — iplist sheet format and sample input
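The post notes that the script itself performs no input checks, so here is an added pre-flight validator for the ‘iplist’ rules above (my example, not the tool’s code). It assumes the sheet has already been read into one dict per row with the keys ‘name’ and ‘addresses’ (an assumption about the template), and the sample rows are constructed:

```python
import ipaddress
import re

# Naming rule from the post: starts with a letter; letters, digits, spaces,
# hyphens and underscores; every hyphen followed by an alphanumeric; 2-28 chars.
NAME_RE = re.compile(r"^[A-Za-z](?:[A-Za-z0-9 _]|-(?=[A-Za-z0-9]))*$")
NAME_MIN, NAME_MAX, MAX_ADDRESSES = 2, 28, 1000

def check_name(name: str) -> list[str]:
    """Return the naming-rule violations for one object name."""
    errors = []
    if not NAME_MIN <= len(name) <= NAME_MAX:
        errors.append(f"{name!r}: length must be {NAME_MIN}-{NAME_MAX}")
    if not NAME_RE.match(name):
        errors.append(f"{name!r}: bad first character, character set or hyphen")
    return errors

def check_addresses(name: str, cell: str) -> list[str]:
    """Validate the comma-separated address/CIDR cell of one iplist row."""
    errors = []
    items = [a.strip() for a in cell.split(",") if a.strip()]
    if not 1 <= len(items) <= MAX_ADDRESSES:
        errors.append(f"{name!r}: {len(items)} entries, allowed 1-{MAX_ADDRESSES}")
    for item in items:
        try:  # the tool has no IPv6 support (see Known Limitations), so reject it
            if ipaddress.ip_network(item, strict=False).version != 4:
                errors.append(f"{name!r}: {item!r} is IPv6 (not supported by the tool)")
        except ValueError:
            errors.append(f"{name!r}: {item!r} is not an address or CIDR")
    return errors

def validate_iplist(rows: list[dict]) -> list[str]:
    """Run all checks over rows shaped like the sheet (one dict per row)."""
    errors, seen = [], set()
    for row in rows:
        name = str(row["name"]).strip()
        if name in seen:
            errors.append(f"{name!r}: duplicate name")
        seen.add(name)
        errors += check_name(name) + check_addresses(name, str(row["addresses"]))
    return errors

# Constructed sample rows; a real sheet would be read with openpyxl or pandas.
SAMPLE_ROWS = [
    {"name": "web-servers", "addresses": "10.0.1.0/24, 10.0.2.15"},
    {"name": "db-", "addresses": "10.0.3.0/24"},          # trailing hyphen
    {"name": "web-servers", "addresses": "10.0.5.300"},   # duplicate, bad address
    {"name": "v6-only", "addresses": "2001:db8::/32"},    # IPv6 is unsupported
]
```

Running `validate_iplist(SAMPLE_ROWS)` before the conversion surfaces the problems the OCI console would otherwise report only at bulk-import time.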

Data for ‘service’ Sheet:

This sheet is used to generate the TCP/UDP services, service lists, ICMP applications, and application lists JSON files, based on the value in its ‘type’ column.

(i) Choose ‘TCP_SERVICE’ or ‘UDP_SERVICE’ in the ‘type’ column. Update the name of the service to ensure compliance with naming requirements mentioned earlier. Specify the ‘minimumPort’ and ‘maximumPort’ as the same port number for specific ports, or mention the lower and higher end ports.

(ii) To create a group of services, select ‘SERVICE_GROUP’ in the ‘type’ column, provide a compliant name, and add the names of the TCP/UDP services under the ‘services’ column, separated by commas.

(iii) Choose ‘ICMP_TYPE’ to create ICMP applications, and update the ‘icmpType’ column with appropriate codes (available codes: 0, 3, 5, 8, 9, 10, 11, 12, 13, 14, 40, 42, 43).

(iv) To create a group of ICMP applications, select ‘ICMP_GROUP’, provide a compliant name, and add the names of the ICMP applications created earlier. The example input sheet provides a list of services and applications for ease of understanding.

Example — service sheet format and sample input

  3. Compatibility with Tool Logic: The tool’s logic is tailored to process firewall policy configurations based on specific column names and data structures. Deviating from the expected format may lead to unexpected output or failure to recognize essential configuration parameters.

Following the correct input format prevents errors and ensures a smoother conversion process, reducing the likelihood of parsing errors, missing data, or inconsistencies in the generated JSON output.

When converting Excel sheet ‘security-rules’ to securityrules.json:

(i) The ‘Source’ and ‘Destination’ columns can accommodate multiple IP addresses or CIDR ranges separated by commas. If using an address group with multiple IP addresses under the same name in the ‘iplist’ sheet, ensure consistency by using the address name in these columns.

(ii) TCP/UDP service or service group names must be specified only in the ‘Port’ column. Similarly, ICMP application or group names must be referenced only in the ‘Application’ column. Interchanging them will result in errors during bulk import.

Example — security-rules format and sample input.

It’s vital to grasp that OCI security rules operate using ‘AND’ logic. If you intend to allow an SSH service and an ICMP application between a source and destination, writing both in a single rule is technically feasible but may not match your intention. To allow both SSH and ICMP between networks, separate rules are required.
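An added example (not the tool’s code) covering the two rule-sheet points above: it checks that ‘Port’ names only TCP/UDP objects and ‘Application’ only ICMP objects, that the action is one the tool supports, and it splits a row that fills both columns into one rule per protocol, since a single rule ANDs its conditions. The column names ‘Name’, ‘Source’, ‘Destination’, ‘Port’, ‘Application’ and ‘Action’, and the name-to-type map built from the ‘service’ sheet, are assumptions; all inputs are constructed.

```python
# Object types from the post's 'service' sheet, grouped by which rule column
# may reference them: 'Port' for TCP/UDP objects, 'Application' for ICMP ones.
PORT_TYPES = {"TCP_SERVICE", "UDP_SERVICE", "SERVICE_GROUP"}
APP_TYPES = {"ICMP_TYPE", "ICMP_GROUP"}
ACTIONS = {"ALLOW", "DROP"}   # the only actions the tool supports

def _names(cell) -> list[str]:
    """Split a comma-separated rule cell; empty cells yield no names."""
    return [n.strip() for n in str(cell or "").split(",") if n.strip()]

def check_rule_references(rules, service_types) -> list[str]:
    """Flag Port/Application cells that name the wrong kind of object."""
    errors = []
    for r in rules:
        for col, allowed in (("Port", PORT_TYPES), ("Application", APP_TYPES)):
            for name in _names(r.get(col)):
                kind = service_types.get(name)
                if kind is None:
                    errors.append(f"{r['Name']}: {col} references unknown {name!r}")
                elif kind not in allowed:
                    errors.append(f"{r['Name']}: {col} cannot hold {kind} {name!r}")
        if str(r.get("Action", "")).upper() not in ACTIONS:
            errors.append(f"{r['Name']}: action must be ALLOW or DROP")
    return errors

def split_mixed_rules(rules) -> list[dict]:
    """A rule matches only when Port AND Application both match, so a row that
    names a TCP/UDP service and an ICMP application is split into two rules,
    one per column, so each protocol is allowed (or dropped) on its own."""
    out = []
    for r in rules:
        if _names(r.get("Port")) and _names(r.get("Application")):
            out.append({**r, "Name": r["Name"] + "-tcpudp", "Application": ""})
            out.append({**r, "Name": r["Name"] + "-icmp", "Port": ""})
        else:
            out.append(r)
    return out

# Constructed inputs mirroring the 'service' and 'security-rules' sheets
# (name -> type for services; one dict per security rule).
SERVICE_TYPES = {"ssh": "TCP_SERVICE", "ping": "ICMP_TYPE", "web": "SERVICE_GROUP"}
RULES = [
    {"Name": "mgmt", "Source": "admin-net", "Destination": "web-servers",
     "Port": "ssh", "Application": "ping", "Action": "ALLOW"},
    {"Name": "bad", "Source": "any", "Destination": "web-servers",
     "Port": "ping", "Application": "", "Action": "REJECT"},
]
```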

If you prefer a guided explanation, you can also consult this video for instructor-led insights into understanding the Firewall Excel template.

The tool now includes support for exporting current OCI firewall policies to the same Excel template mentioned earlier. For further details, please refer to Part II of the blog post.

Note: During bulk import, the OCI console will detect input errors and inconsistencies while importing the address, service, and rule objects. Where possible, OCI will skip or ignore these errors during the import process. However, be prepared to fix these issues in your Excel inputs and generate the JSON files again.

It’s important to note that this code does not perform input checks, as I felt it was redundant.

By following the instructions mentioned above, you can ensure a cleaner experience during the import process and minimize potential issues with your firewall configurations.

Installation Instructions:

  1. Clone the repository or download the files from GitHub

This command will clone the repository containing the OCI Network Firewall Policy Configuration Tool to your local machine.

  2. Navigate to the Project Directory:

  • cd OCI-Network-Firewall-Policy-Configuration-Tool

Change into the directory of the cloned repository.

  3. Install Dependencies:

  • pip install -r Requirements.txt

This command will install the necessary dependencies required by the tool.

  4. Run the Tool:

  • python3 Firewall-import.py -i input_file.xlsx
  • Replace input_file.xlsx with the path to your input Excel file containing firewall policy configurations.

Expected Outcome:
Upon successful completion, the tool generates the necessary JSON files in the directory where the script was executed. These JSON files are:
- “iplist.json”
- “services.json”
- “servicelist.json”
- “application.json”
- “applicationlist.json”
- “securityrules.json”

Upload these files to the OCI firewall policy in the specified order. For guidance on bulk-importing policy objects, refer to this link for detailed instructions. Below is a quick demo:

Known Limitations:

  1. Tool Validity and Future Updates: The validity of the tool is subject to changes made to the JSON file format by OCI Firewall. However, I anticipate that the tool should remain valid for at least another year. I will try my best to keep the code updated to accommodate any future changes.
  2. Limited Support for IPv6, URL, and Certificate Imports: The current version of the tool does not include support for importing IPv6 addresses, URLs, or certificates. While these features were not required in the engagements I have encountered thus far, future updates may address these limitations based on user demand and feedback. If you have specific requirements for IPv6, URL, or certificate imports, you’re welcome to fork the repository and make the necessary changes. Your contributions and feedback are greatly appreciated in improving the tool’s functionality and versatility.
  3. Limited Actions for Security Rules: The tool currently supports only ‘ALLOW’ and ‘DROP’ actions for security rules. Other options such as intrusion detection and prevention are available in the OCI console but are not included in the tool at this stage. This decision was made to maintain simplicity and ease of use. The tool may be expanded to include additional options in the future based on user feedback.

Conclusion:

This OCI Network Firewall Policy Configuration Tool empowers users to efficiently manage OCI Network Firewall policies, facilitating bulk imports of IP addresses, services, application lists, and security rules. Whether making bulk changes or migrating from existing firewalls, this tool offers a streamlined solution for enhancing network security within Oracle Cloud Infrastructure.

I hope this tool proves valuable in simplifying your OCI Network Firewall policy management tasks. Feel free to contribute, provide feedback, or report any issues on GitHub.

Happy firewall policy management!

Credits:

Thanks, James George, for your review and valuable feedback :)
