

Network Security Group egress rule contains disallowed IP/port (Automated)


Alert when an egress rule of a network security group (NSG) allows traffic to a disallowed destination IP address and port.


This policy checks for a specific set of ports considered most commonly scanned. The disallowed ports are:

  • TCP: 11, 17-19, 21, 23-25, 43, 49, 53, 70-74, 79-81, 88, 111, 123, 389, 636, 445, 500, 3306, 3389, 5901, 5985, 5986, 7001, 8000, 8080, 8443, 8888

  • UDP: 11, 17-19, 49, 69, 80, 82, 83-85, 389, 443, 656, 8080

From Console:

  1. Log in to the OCI Console.

  2. Click the search bar at the top of the screen.

  3. Type Advanced Resource Query and press Enter.

  4. Click the Advanced Resource Query button in the upper right corner of the screen.

  5. Enter the following query in the query box:

    query networksecuritygroup resources where lifeCycleState = 'AVAILABLE'
  6. For each of the network security groups in the returned results, click the name and inspect each of the security rules.

  7. Identify security rules whose Direction is Egress and whose Destination and Destination Port Range cover a disallowed destination address and one or more of the disallowed ports. A rule with no port range set allows all destination ports and therefore includes every disallowed port.

  8. Either edit the security rule to restrict the destination and/or the destination port range, or delete the rule.

From CLI:

  1. Execute the following loop, which enumerates every NSG in every compartment and region and prints its egress rules (the `--region` flag is passed to the rules call as well, otherwise the rules are fetched from the default region only):

    for region in $(oci iam region list | jq -r '.data[] | .name'); do
      echo "Enumerating region $region"
      for compid in $(oci iam compartment list --include-root --compartment-id-in-subtree TRUE 2>/dev/null | jq -r '.data[] | .id'); do
        echo "Enumerating compartment $compid"
        for nsgid in $(oci network nsg list --compartment-id "$compid" --region "$region" --all 2>/dev/null | jq -r '.data[] | .id'); do
          # Select egress rules only; narrow further on .destination (e.g. a specific CIDR) if required
          output=$(oci network nsg rules list --nsg-id "$nsgid" --region "$region" --all 2>/dev/null | jq -r '.data[] | select(.direction == "EGRESS")')
          if [ -n "$output" ]; then echo "nsgid=$nsgid Security Rules=$output"; fi
        done
      done
    done
  2. For each of the network security group security rules identified, compare the ports against the disallowed ports and either:

    • Remove the security rules (the rule IDs come from the `id` field of the output above)

      oci network nsg rules remove --nsg-id=<nsg-id> --security-rule-ids='["<rule-id>", ...]'


    • Update the security rules

      oci network nsg rules update --nsg-id=<nsg-id> --security-rules='[<updated security-rules JSON (without the read-only is-valid and time-created fields)>]'

      For example:

      oci network nsg rules update --nsg-id=ocid1.networksecuritygroup.oc1.iad.xxxxxxxxxxxxxxxxxxxxxx --security-rules='[{ "description": null, "source": null, "source-type": null, "direction": "EGRESS", "icmp-options": null, "id": "709001", "is-stateless": null, "protocol": "6", "destination": "", "destination-type": "cidr_block", "tcp-options": { "destination-port-range": { "max": 29, "min": 29 }, "source-port-range": null }, "udp-options": null }]'