Notes about setting up microsegmentation policies for Oracle Solaris
Oracle Solaris Firewall Support
- Oracle Solaris PF Firewall: 12Port Horizon supports the Oracle Solaris 11.4 firewall, PF (Packet Filter). Earlier Oracle Solaris releases used IPF (IP Filter), a different firewall whose configuration is not compatible with PF in 11.4.
- Oracle Solaris Asset Type: 12Port Horizon includes an out-of-the-box, initially hidden asset type for Oracle Solaris. This asset type represents an Oracle Solaris host reached with a username and password, and includes all tasks necessary for microsegmentation and network monitoring on the Solaris host.
Tagging and Policy Application
- Tagging with Component :: Server :: Linux: Tagging an Oracle Solaris asset with the Component :: Server :: Linux tag triggers the default Management Server policy. This policy provisions a rule that grants management access to the Oracle Solaris host.
- Tagging with Component :: Server :: Solaris: Alternatively, tag the Oracle Solaris asset with the Component :: Server :: Solaris tag and create a management access policy specific to Oracle Solaris, modeled on the policy used for Linux servers. There is no functional benefit to this approach over the default Linux policy, other than not carrying the Linux tag on Oracle Solaris assets (which may be preferred for organizational reasons).
Policy and Network Management
- Network and Policy Management: The process for monitoring the network state, publishing policies, enforcing policies, resetting to the original state, enabling/disabling firewall logging, and handling service requests is the same for Oracle Solaris assets as it is for any other asset.
Managing Firewall: Useful Commands
Below are some useful commands for managing the firewall. These commands must be executed by an account with sudo privileges. Most of them are run automatically by 12Port scripts, so direct execution is typically not necessary, though running them manually can help with debugging.
Enable Firewall
To enable the firewall:
sudo svcadm enable network/firewall
Disable Firewall
To disable the firewall:
sudo svcadm disable network/firewall
Refresh Firewall Configuration
To load the current PF configuration from /etc/firewall/pf.conf into the running firewall:
sudo svcadm refresh network/firewall
Check PF Configuration Syntax
To check the PF configuration for errors without applying it (do this before every refresh, so that a broken file is never loaded):
pfctl -nf /etc/firewall/pf.conf
Edit PF Configuration
To edit the PF configuration file (opens the file in the vi editor, so be familiar with vi navigation; to exit without saving, use :q!):
pfedit /etc/firewall/pf.conf
Enable PF Logging
To enable PF connection logging:
sudo svcadm enable svc:/network/firewall/pflog
Disable PF Logging
To disable PF connection logging:
sudo svcadm disable svc:/network/firewall/pflog
Read PF Connection Logs
To view the PF connection log (only rules written with the log keyword produce entries):
sudo tcpdump -n -e -ttt -r /var/log/firewall/pflog/pflog0
Firewall Rule for Port 22
The following rule keeps port 22 (SSH) open from any source, ensuring access for development and QA. It is kept as a precautionary measure: the 12Port enable-enforcement step checks the policy for access to the 12Port computer, but this rule remains useful because the instance is shared. Because it has no from clause it admits SSH from every address, so narrow or remove it on a host that is not shared.
pass in log proto tcp to any port 22
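Reading the pflog file with tcpdump, as shown above, gives one line per logged packet, which is hard to act on by eye. The following script is an added example (not 12Port's code) that turns that output into a per-source summary so that sources repeatedly hitting a block rule stand out. tcpdump renders each pflog record as a timestamp, a header of the form "rule N/(match): <action> <dir> on <iface>:", then "src.port > dst.port:"; the parser keys on the "on" token so the exact header spelling across tcpdump versions does not matter. The sample lines are constructed in that shape, not a real capture, and the function names are assumed for the example.

```shell
#!/bin/sh
# Added example, not 12Port's code: summarize the PF connection log as read by
#   sudo tcpdump -n -e -ttt -r /var/log/firewall/pflog/pflog0
# Each record: <timestamp> rule N/(match): <action> <dir> on <iface>: src.port > dst.port: ...
# The parser locates the "on" token, so the header spelling may vary.

# Constructed sample lines in that shape (not a real capture).
SAMPLE_PFLOG='00:00:00.000000 rule 0/(match): block in on net0: 203.0.113.7.41022 > 192.168.10.5.22: Flags [S], seq 1, win 64240, length 0
00:00:00.000213 rule 3/(match): pass in on net0: 192.168.10.221.50112 > 192.168.10.5.80: Flags [S], seq 2, win 64240, length 0
00:00:01.100000 rule 0/(match): block in on net0: 203.0.113.7.41023 > 192.168.10.5.22: Flags [S], seq 3, win 64240, length 0
00:00:00.050000 rule 0/(match): block in on net0: 198.51.100.9.5555 > 192.168.10.5.3306: Flags [S], seq 4, win 64240, length 0
00:00:00.000001 rule 1/(match): pass out on net0: 192.168.10.5.33010 > 192.168.10.53.53: UDP, length 40'

# pflog_summary: read tcpdump output on stdin and print one line per distinct
# (action, direction, source IP, destination port), most frequent first:
#   <count> <action> <dir> <src> <dport>
pflog_summary() {
    awk '
    {
        for (i = 1; i <= NF; i++) if ($i == "on") break
        if (i < 3 || i > NF - 4) next             # not a pflog header line
        action = $(i - 2); dir = $(i - 1)
        src = $(i + 2); sub(/\.[0-9]+$/, "", src) # drop the source port
        dst = $(i + 4); sub(/:$/, "", dst)        # drop the trailing colon
        n = split(dst, p, "."); dport = p[n]      # last dotted field is the port
        count[action " " dir " " src " " dport]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2,2 -k4,4
}

# blocked_sources: distinct source IPs that hit a block rule, one per line.
blocked_sources() {
    pflog_summary | awk '$2 == "block" { print $4 }' | sort -u
}

# On a live host (needs privileges to read the log):
#   sudo tcpdump -n -e -ttt -r /var/log/firewall/pflog/pflog0 | blocked_sources
# Demo on the constructed sample:
printf '%s\n' "$SAMPLE_PFLOG" | pflog_summary
```

Because ZTNA-RULE and ZTNA-BASE lines all carry the log keyword, a blocked source in this summary is a workload whose traffic no published policy allows; that is the first thing to check when a service request is raised after enforcement.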
Oracle Solaris Asset Type and Firewall Configuration
Solaris Asset Type and Scripts 12Port includes an initially hidden Oracle Solaris asset type, with all necessary scripts included as tasks. These Solaris scripts are architecturally similar to the Linux scripts but differ in content. Script names start with "Solaris" and cover the same tasks as the Linux ones: monitoring system status, interfaces, workloads, rules, and connections (including from logs), enabling/disabling PF logging, and managing the firewall (enforce/restore). Enforcement requires a published policy that grants 12Port access to the host, since the enforced base closes inbound connections by default.
Managing Solaris Devices in 12Port Horizon The process for managing Oracle Solaris devices in 12Port Horizon follows the same logic as managing Linux or Windows devices.
Adding/Removing Firewall Rules
12Port modifies the /etc/firewall/pf.conf configuration file to add or remove firewall rules and then refreshes the configuration. A typical rule looks like this:
pass in log proto tcp from 192.168.10.221 to any port 80 # ZTNA-RULE-123456790 Solaris Policy
The comment after # links the rule to the policy ID and also includes the policy name, just as on Windows systems.
Other PF Configuration Comment Types
In addition to ZTNA-RULE records, the PF configuration file may also contain two other comment types:
- ZTNA-BASE: These rules define the base configuration (e.g. DNS port open, outbound connections open, inbound connections closed):
block return log # ZTNA-BASE-BLOCK
pass out log # ZTNA-BASE-PASS-OUT
- ZTNA-OPEN: These rules indicate an open state for the firewall:
pass out log # ZTNA-OPEN
pass in log # ZTNA-OPEN
ZTNA-RULE records can also carry block rules, for example an outbound deny to a specific address:
block out log proto tcp from any to 199.16.173.110 port 443 # ZTNA-RULE-ZT-12345
PF evaluates the whole ruleset and the last matching rule wins (unless a rule is marked quick), so the ZTNA-RULE lines must come after the ZTNA-BASE lines for their pass or block decision to take effect.
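The following script is an added example (not 12Port's own scripts) of the file handling described under Adding/Removing Firewall Rules and the comment types above: it writes the ZTNA-BASE or ZTNA-OPEN state, adds and removes ZTNA-RULE lines by policy ID, and validates the file with pfctl -nf before refreshing the service. The path /etc/firewall/pf.conf and the network/firewall service are the Solaris 11.4 names from this page; the function names are assumed for the example. The demo runs on a scratch copy so it can be tried without root.

```shell
#!/bin/sh
# Added example, not 12Port's own scripts: maintain ZTNA-tagged rules in a PF
# configuration as this page describes, then validate and reload it.
# /etc/firewall/pf.conf and network/firewall are the Solaris 11.4 names;
# the function names below are assumed for the example.

PF_CONF="${PF_CONF:-/etc/firewall/pf.conf}"

# _rewrite CONF: replace CONF with stdin via a temp file in the same directory
# and a rename, so the firewall never reads a half-written file on refresh.
_rewrite() {
    tmp=$(mktemp "$1.XXXXXX") || return 1
    cat > "$tmp" && mv "$tmp" "$1"
}

# set_enforced CONF: write the base (default deny with RST/unreachable,
# outbound allowed). Existing ZTNA-OPEN/ZTNA-BASE lines are dropped and any
# ZTNA-RULE lines are re-appended after the base: PF takes the last matching
# rule (unless "quick" is used), so policy rules must follow the block.
set_enforced() {
    {
        grep -v -e '# ZTNA-OPEN$' -e '# ZTNA-BASE-' -e '# ZTNA-RULE-' "$1" || true
        echo 'block return log # ZTNA-BASE-BLOCK'
        echo 'pass out log # ZTNA-BASE-PASS-OUT'
        grep -e '# ZTNA-RULE-' "$1" || true
    } | _rewrite "$1"
}

# set_open CONF: drop every ZTNA line and allow all traffic both ways.
set_open() {
    {
        grep -v -e '# ZTNA-' "$1" || true
        echo 'pass out log # ZTNA-OPEN'
        echo 'pass in log # ZTNA-OPEN'
    } | _rewrite "$1"
}

# add_rule CONF RULE ID NAME: append RULE tagged "# ZTNA-RULE-ID NAME" unless
# a rule with that exact ID is already present (re-publishing is idempotent).
add_rule() {
    grep -q -E "# ZTNA-RULE-$3( |\$)" "$1" && return 0
    {
        cat "$1"
        printf '%s # ZTNA-RULE-%s %s\n' "$2" "$3" "$4"
    } | _rewrite "$1"
}

# remove_rule CONF ID: drop the line(s) carrying exactly this policy ID
# (removing 123 must leave 1234 alone, hence the anchored pattern).
remove_rule() {
    { grep -v -E "# ZTNA-RULE-$2( |\$)" "$1" || true; } | _rewrite "$1"
}

# list_rule_ids CONF: print the policy ID of every ZTNA-RULE line.
list_rule_ids() {
    sed -n -E 's/.*# ZTNA-RULE-([^ ]+).*/\1/p' "$1"
}

# apply_conf [CONF]: syntax-check with pfctl -n first; only a file that parses
# is handed to the refresh. Run as an account with sudo rights (e.g. sudo sh).
apply_conf() {
    conf=${1:-$PF_CONF}
    pfctl -nf "$conf" || { echo "pf.conf rejected by pfctl; not refreshing" >&2; return 1; }
    svcadm refresh network/firewall
}

# demo: the enforce/add sequence on a scratch copy (constructed content).
# Real use: set_enforced "$PF_CONF"; add_rule ...; apply_conf
demo() {
    f=$(mktemp) || return 1
    echo 'set skip on lo0' > "$f"
    set_enforced "$f"
    add_rule "$f" 'pass in log proto tcp from 192.168.10.221 to any port 80' 123456790 'Solaris Policy'
    cat "$f"
    rm -f "$f"
}
```

The temp file is created next to the target rather than in /tmp so that the final mv is a rename on the same filesystem; a refresh that races with the write then sees either the old or the new file, never a truncated one.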