...
Remediation Steps:
Perform the following to create subnets in the VCN and update the security rules in the security list:
Log in to the OCI console at https://www.oracle.com/cloud/sign-in.html.
In the navigation menu, click Networking and then click Virtual Cloud Networks.
Click on the VCN reported.
Click Create Subnet.
Under Resources, click Security Lists.
In Create Subnet, select the Compartment and enter a Name for the subnet.
For Subnet Type, select Regional, as this type can be used in any AD for the Region.
Enter the CIDR block and route table for the subnet.
Select Subnet Access as Private or Public to control access to the subnet.
Configure DNS Label, Domain Name and DHCP options.
Configure Security Lists.
Click Create. Repeat the above steps to add more than one subnet.
Select the security list for the reported rules.
Under Resources, click either Ingress Rules or Egress Rules depending on the type of rule to work with.
To delete an existing stateful rule, click the Actions menu, and then click Remove.
To add a stateless rule, click Add Ingress Rule (or Add Egress Rule). Enter the source CIDR for ingress or destination CIDR for egress, select the IP protocol and other details for the rule, and enter a description for the rule.
Repeat the step to add a stateless rule in the other direction by clicking Add Egress Rule (or Add Ingress Rule).
Important:
If both stateful and stateless rules are configured, and there's traffic that matches both a stateful and stateless rule in a particular direction, the stateless rule takes precedence and the connection is not tracked. In this case a corresponding rule in the other direction is needed for the response traffic to be allowed.
If stateless security rules are configured to allow traffic to/from endpoints outside the VCN, it's important to add a security rule that allows ingress ICMP traffic type 3 code 4 from source 0.0.0.0/0 and any source port. This rule enables instances to receive Path MTU Discovery fragmentation messages. This rule is critical for establishing a connection to instances. Without it, instances experience connectivity issues.
Instances can send or receive UDP traffic. If a UDP packet is too large for the connection, it is fragmented. However, only the first fragment of the packet contains the protocol and port information. If the security rules that allow this ingress or egress traffic specify a particular port number (source or destination), the fragments after the first one are dropped. If instances expect to send or receive large UDP packets, set both the source and destination ports for the applicable security rules to ALL, instead of a particular port number.
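The three Important notes above can be checked against an exported security list. The following is an added example, not part of the original remediation text or Oracle's tooling: it audits a constructed security list, written in the kebab-case JSON shape the OCI CLI prints, for a missing return rule, a missing ICMP type 3 code 4 ingress rule, and port-pinned UDP rules. The audit function, its finding labels and the sample rules are hypothetical, and it assumes IPv4 CIDR sources and destinations.

```python
import ipaddress

# Constructed sample in the kebab-case JSON shape the OCI CLI prints for a
# security list. Assumes IPv4 CIDR sources/destinations (no service labels).
SAMPLE = {
    "ingress-security-rules": [
        {"protocol": "6", "source": "0.0.0.0/0", "is-stateless": True,
         "tcp-options": {"destination-port-range": {"min": 443, "max": 443}}},
        {"protocol": "17", "source": "10.0.0.0/16", "is-stateless": True,
         "udp-options": {"destination-port-range": {"min": 514, "max": 514}}},
    ],
    "egress-security-rules": [
        {"protocol": "6", "destination": "0.0.0.0/0", "is-stateless": True,
         "tcp-options": {"source-port-range": {"min": 443, "max": 443}}},
    ],
}

def _net(rule, key):
    return ipaddress.ip_network(rule[key])

def _has_return_rule(rule, key, others, other_key):
    # Compares protocol and peer CIDR only; port ranges are not compared.
    return any(o["protocol"] in (rule["protocol"], "all")
               and _net(rule, key).subnet_of(_net(o, other_key)) for o in others)

def audit(sec_list, vcn_cidr):
    """Return findings for the three 'Important' notes (hypothetical labels)."""
    vcn = ipaddress.ip_network(vcn_cidr)
    ing = sec_list.get("ingress-security-rules", [])
    egr = sec_list.get("egress-security-rules", [])
    findings, external = [], False
    for rules, key, others, okey in ((ing, "source", egr, "destination"),
                                     (egr, "destination", ing, "source")):
        for r in rules:
            if r.get("is-stateless"):
                # Stateless traffic is untracked: replies need their own rule.
                external |= not _net(r, key).subnet_of(vcn)
                if not _has_return_rule(r, key, others, okey):
                    findings.append(f"no-return-rule:{key}:{r[key]}:{r['protocol']}")
            # A pinned UDP port drops every fragment after the first.
            if r["protocol"] == "17" and r.get("udp-options"):
                findings.append(f"udp-port-pinned:{key}:{r[key]}")
    # Path MTU Discovery needs ingress ICMP type 3 code 4 from 0.0.0.0/0.
    pmtu = any(r["protocol"] == "1" and r["source"] == "0.0.0.0/0"
               and r.get("icmp-options") == {"type": 3, "code": 4} for r in ing)
    if external and not pmtu:
        findings.append("missing-icmp-3-4-ingress")
    return findings
```

Calling audit(SAMPLE, "10.0.0.0/16") reports the UDP rule twice (no egress counterpart, pinned port) and the missing ICMP rule; the TCP pair passes because each direction has a matching stateless rule.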
...