Home / Journal / OCI Security / OCI Web Application Firewall
OCI Security

OCI Web Application Firewall

Published Jan 24, 2025 · Updated Jan 27, 2026 · 9 min read · OCI Specialists · Independent OCI advisory
Code and traffic visualization representing web application filtering

Anything you expose to the internet gets attacked. Not occasionally, but constantly, by automated tools probing for known weaknesses, injection flaws, and the long list of common application attacks. A web application firewall sits in front of your applications and filters that traffic, blocking the malicious requests before they ever reach your code. The OCI web application firewall gives you this protection, but like any filter it is only useful if it is tuned to block the bad without blocking the good, and getting that balance right is the real work.

The firewall operates at the application layer, inspecting the actual web requests reaching your application rather than just the network packets. That distinction matters, because many application attacks look like perfectly normal traffic at the network level, a well formed request to a valid address, and only reveal themselves as malicious when you look at what the request is actually trying to do. The firewall looks at that content and applies rules to decide whether to let a request through, block it, or flag it.

What the firewall protects against

It is built to catch the common categories of web attack, the injection attempts, the cross site scripting, the malicious payloads, and the automated probing that every internet facing application faces. It does this with rule sets that recognise known attack patterns, combined with controls you can add for your own application, such as rate limiting to blunt brute force attempts and access rules to allow or deny based on origin. The point is to absorb the constant background noise of attacks so your application only ever sees traffic that has already been filtered.

This is a different job from the network firewall covered in our network firewall guide. The network firewall controls which traffic is allowed at the network layer, which addresses and ports can talk to what. The web application firewall inspects the content of the web requests that the network firewall has already allowed. They work at different layers and they complement each other, which is why a layered defence uses both rather than choosing between them.

A firewall that blocks real customers gets switched off. A firewall that lets attacks through protects nothing. The whole job is the balance between the two.

Where it fits in the layers

LayerControlWhat it inspects
NetworkNSGs and security listsAddresses, ports, protocols
Network perimeterNetwork firewallTraffic flows across boundaries
ApplicationWeb application firewallContent of web requests
Application codeSecure coding, input validationWhat the application itself accepts

The web application firewall is one layer, and it is important to remember it is not a substitute for the others. It reduces the volume and the severity of what reaches your application, but a secure application still needs to validate its own input and handle requests safely, because no filter is perfect and the firewall is your outer wall, not your only one. This layered view is the same one that runs through our complete security guide.

Tuning to avoid false positives

The defining challenge of any web application firewall is the false positive, the legitimate request that a rule mistakes for an attack and blocks. Block too aggressively and you turn away real customers, support tickets pile up, and the pressure to disable the firewall grows. Allow too freely and attacks slip through. So tuning is the heart of running one well. The sensible path is to start in a mode that observes and flags rather than blocks, learn what your legitimate traffic actually looks like, then progressively move rules to blocking as you gain confidence that they are not catching real users.

  1. Start by observing. Run rules in a flagging mode first to see what they would catch.
  2. Learn your real traffic. Understand what legitimate requests look like before you start blocking.
  3. Move to blocking gradually. Promote rules to blocking as you confirm they do not hit real users.
  4. Add application specific controls. Use rate limiting and access rules for your own risks.
  5. Review and adjust. Treat false positives as tuning tasks, not reasons to switch the firewall off.

When a false positive does appear, the response is to refine the rule, not to abandon the protection. This is the same discipline that runs through detective controls like our Cloud Guard guide, where a tool that floods or blocks indiscriminately loses the trust of the team and gets ignored or disabled. A web application firewall earns its place by protecting reliably while staying out of the way of real users.

Rate limiting and bot pressure

Beyond the classic injection and scripting attacks, a large share of the unwanted traffic any public application sees is automated, the scrapers, the credential stuffing attempts, and the brute force probing that never stop. Signature based rules catch the obviously malicious requests, but much of this automated pressure looks individually legitimate and only reveals itself as abuse in aggregate, in the volume and pattern of requests rather than in any single one. This is where rate limiting and the controls that recognise abnormal request patterns earn their place, because they address the threat that is defined by behaviour over time rather than by the content of one request. A login endpoint that quietly limits how many attempts a single source can make is far harder to brute force than one that answers every request as fast as it can.

The judgement here is the same balance as everywhere else in the firewall. Limits that are too tight frustrate legitimate bursts of activity, such as a genuine spike of real users, while limits that are too loose let abuse through. The way to get it right is to base the thresholds on what your real traffic actually does, which is another reason the observe first approach matters, and to keep the limits under review as your traffic grows and changes. Treated this way, rate limiting becomes a quiet and effective layer against the automated majority of attacks, complementing the signature based protection rather than competing with it, and reducing the load your application carries from traffic that was never going to be welcome.

Bringing it together

The web application firewall filters malicious traffic at the application layer, absorbing the constant background of injection attempts, cross site scripting, and automated probing so your application only sees filtered requests. It complements the network firewall rather than replacing it, sits as one layer among several, and lives or dies by tuning. Start by observing, learn your legitimate traffic, move to blocking gradually, add rate limiting against automated pressure, and treat false positives as tuning tasks. Done that way it protects without turning away real users. The network layer is in our network firewall guide, the full model is in our complete security guide, and the network context is in our networking solution.

Moving Oracle workloads to OCI, or already running on OCI and not sure the architecture or the spend is right? Most teams bring in a specialist before they commit to a region, a shape, or a Universal Credits number. OCISpecialists.com plans the landing zone, runs the migration, and manages the estate after go live, on a fixed project fee, a managed monthly retainer, or a cost optimization fee paid only on verified savings. For the Oracle licensing and BYOL side of any OCI move, Redress Compliance is the leading independent Oracle licensing and negotiation firm, with 500+ engagements across Oracle's full product line.