diff --git a/umn/source/_static/images/en-us_image_0000001443711605.png b/umn/source/_static/images/en-us_image_0000001443711605.png new file mode 100644 index 0000000..e64877a Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001443711605.png differ diff --git a/umn/source/_static/images/en-us_image_0000001443792005.png b/umn/source/_static/images/en-us_image_0000001443792005.png new file mode 100644 index 0000000..e64877a Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001443792005.png differ diff --git a/umn/source/_static/images/en-us_image_0000001673130380.png b/umn/source/_static/images/en-us_image_0000001673130380.png new file mode 100644 index 0000000..e64877a Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001673130380.png differ diff --git a/umn/source/_static/images/en-us_image_0000001772296201.png b/umn/source/_static/images/en-us_image_0000001772296201.png deleted file mode 100644 index 7b4a81e..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001772296201.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001772299481.png b/umn/source/_static/images/en-us_image_0000001772299481.png deleted file mode 100644 index c9e2569..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001772299481.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001772301841.png b/umn/source/_static/images/en-us_image_0000001772301841.png deleted file mode 100644 index 2d7a8a8..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001772301841.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001772421057.png b/umn/source/_static/images/en-us_image_0000001772421057.png deleted file mode 100644 index b9aba91..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001772421057.png and /dev/null differ 
diff --git a/umn/source/_static/images/en-us_image_0000001936832142.png b/umn/source/_static/images/en-us_image_0000001936832142.png index 03f1d60..78afa71 100644 Binary files a/umn/source/_static/images/en-us_image_0000001936832142.png and b/umn/source/_static/images/en-us_image_0000001936832142.png differ diff --git a/umn/source/_static/images/en-us_image_0000001936832146.png b/umn/source/_static/images/en-us_image_0000001936832146.png index 96c82aa..6a307cf 100644 Binary files a/umn/source/_static/images/en-us_image_0000001936832146.png and b/umn/source/_static/images/en-us_image_0000001936832146.png differ diff --git a/umn/source/_static/images/en-us_image_0000001964045585.png b/umn/source/_static/images/en-us_image_0000001964045585.png index b33bff5..f14f84d 100644 Binary files a/umn/source/_static/images/en-us_image_0000001964045585.png and b/umn/source/_static/images/en-us_image_0000001964045585.png differ diff --git a/umn/source/_static/images/en-us_image_0000001986387925.png b/umn/source/_static/images/en-us_image_0000001986387925.png new file mode 100644 index 0000000..f79a55f Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001986387925.png differ diff --git a/umn/source/_static/images/en-us_image_0000001988385497.png b/umn/source/_static/images/en-us_image_0000001988385497.png deleted file mode 100644 index 5521f5f..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001988385497.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001988387381.png b/umn/source/_static/images/en-us_image_0000001988387381.png deleted file mode 100644 index 5521f5f..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001988387381.png and /dev/null differ diff --git a/umn/source/attack_defense/attack_defense_overview.rst b/umn/source/attack_defense/attack_defense_overview.rst index ecbe7fb..6f8611c 100644 --- a/umn/source/attack_defense/attack_defense_overview.rst 
+++ b/umn/source/attack_defense/attack_defense_overview.rst @@ -49,6 +49,8 @@ The following methods can be used: | Virtual patch | Hot patches are provided for IPS at the network layer to intercept high-risk remote attacks in real time and prevent service interruption during vulnerability fixing. | | | | | | | | | | Updated rules are added to the virtual patch library first. You can determine whether to add the rules to the basic defense library. | | | + | | | | | + | | To add defense rules, enable this function to apply virtual patch rules. The protection action can be manually modified. | | | +-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------+ | Custom IPS signature (supported only by the professional edition) | If the built-in rule library cannot meet your requirements, you can customize signature rules. | The check types are the same as those of **Basic defense**. | For details, see :ref:`Customizing IPS Signatures `. | | | | | | diff --git a/umn/source/attack_defense/blocking_network_attacks.rst b/umn/source/attack_defense/blocking_network_attacks.rst index 72f5ab1..099ebd6 100644 --- a/umn/source/attack_defense/blocking_network_attacks.rst +++ b/umn/source/attack_defense/blocking_network_attacks.rst 
@@ -27,7 +27,7 @@ Adjusting the IPS Protection Mode to Block Network Attacks .. note:: - - You are advised to use the **observe** mode for a period of time before using the **intercept** mode. For details about how to view attack event logs, see :ref:`Attack Event Logs ` + - You are advised to use the **observe** mode for a period of time before using the **intercept** mode. For details about how to view attack event logs, see :ref:`Attack Event Logs `. - If packets are incorrectly blocked by a defense rule, you can modify the action of the rule in the basic defense rule library. For details, see :ref:`IPS Rule Management `. .. _cfw_01_0032__section61321527141315: diff --git a/umn/source/change_history.rst b/umn/source/change_history.rst index 8d9c49a..25034a9 100644 --- a/umn/source/change_history.rst +++ b/umn/source/change_history.rst @@ -8,6 +8,12 @@ Change History +-----------------------------------+------------------------------------------------------------------------------------------+ | Date | Description | +===================================+==========================================================================================+ +| 2024-10-12 | This is the fifth official release. | +| | | +| | Optimized: | +| | | +| | Adapted to the new layout in :ref:`Checking the Dashboard `. | ++-----------------------------------+------------------------------------------------------------------------------------------+ | 2024-09-19 | This is the fourth official release. | | | | | | Added: | diff --git a/umn/source/checking_the_dashboard.rst b/umn/source/checking_the_dashboard.rst index 650f04d..bdb878d 100644 --- a/umn/source/checking_the_dashboard.rst +++ b/umn/source/checking_the_dashboard.rst 
@@ -20,154 +20,111 @@ Checking the Dashboard #. In the navigation pane on the left, click |image1| and choose **Security** > **Cloud Firewall**. The **Dashboard** page will be displayed. -#. (Optional) If the current account has only one firewall instance, the firewall details page will be automatically displayed. In this case, skip this step. +#. (Optional) Switch or view firewall instances. - Check the information about each firewall instance under the account. Click **View** in the **Operation** column. + - Switch to another firewall instance: Select a firewall from the drop-down list in the upper left corner of the page. - .. table:: **Table 1** Firewall instance parameters + - View firewall instance information: Click **Firewall List** in the upper right corner. For details about parameters, see :ref:`Firewall instance information `. - +--------------------------------+---------------------------------------------------------------+ - | Parameter | Description | - +================================+===============================================================+ - | Name/ID | Name and ID of the firewall. | - +--------------------------------+---------------------------------------------------------------+ - | Status | Firewall status. | - +--------------------------------+---------------------------------------------------------------+ - | Edition | Firewall edition. | - +--------------------------------+---------------------------------------------------------------+ - | Available EIP Protection Quota | Maximum number of EIPs that can be protected by the firewall. | - +--------------------------------+---------------------------------------------------------------+ - | Peak Traffic Protection | Maximum peak traffic that can be protected by the firewall. | - +--------------------------------+---------------------------------------------------------------+ - | Billing Mode | Billing mode of the current firewall. 
| - +--------------------------------+---------------------------------------------------------------+ - | Enterprise Project | Enterprise project that the firewall belongs to. | - +--------------------------------+---------------------------------------------------------------+ - | Operation | Check instance details. | - +--------------------------------+---------------------------------------------------------------+ + .. _cfw_01_0009__table14973162216315: -#. View details about the firewall. For more information, see :ref:`Table 2 `. + .. table:: **Table 1** Firewall instance information - .. _cfw_01_0009__table10415235151815: + +--------------------------------+---------------------------------------------------------------+ + | Parameter | Description | + +================================+===============================================================+ + | Firewall Name/ID | Name and ID of the firewall. | + +--------------------------------+---------------------------------------------------------------+ + | Status | Firewall status. | + +--------------------------------+---------------------------------------------------------------+ + | Edition | Edition of a firewall. | + +--------------------------------+---------------------------------------------------------------+ + | Available EIP Protection Quota | Maximum number of EIPs that can be protected by the firewall. | + +--------------------------------+---------------------------------------------------------------+ + | Peak Traffic Protection | Maximum peak traffic that can be protected by the firewall. | + +--------------------------------+---------------------------------------------------------------+ + | Billing Mode | Billing mode of the current firewall. | + +--------------------------------+---------------------------------------------------------------+ + | Enterprise Project | Enterprise project that the firewall belongs to. 
| + +--------------------------------+---------------------------------------------------------------+ + | Operation | Check instance details. | + +--------------------------------+---------------------------------------------------------------+ - .. table:: **Table 2** Detailed firewall information +#. In the **Resource Protection Overview** area, view the protection status of all cloud resources (EIPs and VPCs) in the current region under the current account. - +-------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+ - | Parameter | Description | - +=====================================+================================================================================================================================+ - | Firewall Name | Firewall instance name. | - +-------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+ - | Firewall ID | Firewall instance ID. | - +-------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+ - | Status | Firewall status. It takes about 5 minutes to update the firewall status after purchase or unsubscription. | - +-------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+ - | Engine | Firewall engine type. | - +-------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+ - | Used/Available EIP Protection Quota | *Number of protected EIPs*\ **/**\ *Total number of EIPs* under a CFW instance. 
| - +-------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+ - | Protected VPCs/VPC Protection Quota | *Number of protected VPCs*\ **/**\ *Total number of VPCs* under a firewall instance. | - +-------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+ - | Peak Traffic Protection | Peak north-south traffic that can be protected. | - +-------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+ - | Protected Peak Traffic Between VPCs | Peak east-west traffic that can be protected. | - +-------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+ - | Used/Available Protection Rules | *Number of created protection rules*\ **/**\ *Total number of protection rules that can be created* under a firewall instance. | - +-------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+ - | Billing Mode | Billing mode | - +-------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+ +#. View firewall instance information. -#. View firewall protection statistics. For more information, see :ref:`Table 3 `. + :ref:`Table 2 ` describes the parameters in the **Firewall Details** area on the right part of the page. - - EIP Protection - - Inter-VPC Protection + .. _cfw_01_0009__table16203648134114: + .. table:: **Table 2** Firewall instance details - .. 
figure:: /_static/images/en-us_image_0000001772296201.png - :alt: **Figure 1** Protection statistics + +-----------------------+--------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+ + | Parameter | | Description | + +=======================+======================================+================================================================================================================================+ + | Basic Information | Version | Firewall edition. Standard and professional editions are supported. | + +-----------------------+--------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+ + | | Firewall Name | Firewall instance name. You can click |image2| to change the name. | + +-----------------------+--------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+ + | | Firewall ID | Firewall instance ID. | + +-----------------------+--------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+ + | | Status | Firewall status. It takes about 5 minutes to update the firewall status after purchase or unsubscription. | + +-----------------------+--------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+ + | | Enterprise Project | Enterprise project that the firewall belongs to. 
| + +-----------------------+--------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+ + | Flavor | Used/Available EIP Protection Quota | *Number of protected EIPs*\ **/**\ *Total number of EIPs* under the current CFW instance. | + +-----------------------+--------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+ + | | Used/Available VPC Protection Quota | *Number of protected VPCs*\ **/**\ *Total number of VPCs* under a firewall instance. | + +-----------------------+--------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+ + | | Internet Border Protection Bandwidth | Maximum inbound or outbound traffic of all EIPs protected by CFW. | + +-----------------------+--------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+ + | | VPC Border Protection Bandwidth | Peak east-west traffic that can be protected. | + | | | | + | | | Maximum total traffic of all VPCs protected by CFW. | + +-----------------------+--------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+ + | | Used/Available Protection Rules | *Number of created protection rules*\ **/**\ *Total number of protection rules that can be created* under a firewall instance. | + +-----------------------+--------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+ + | Flavor | Available EIP Protection Quota | Number of EIPs protected by the current firewall instance. 
| + +-----------------------+--------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+ + | | Available VPC Protection Quotas | Total number of VPCs that can be protected by the current firewall instance. | + +-----------------------+--------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+ + | | CFW instance | Firewall instance specifications. | + +-----------------------+--------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+ + | | Used/Available Protection Rules | *Number of created protection rules*\ **/**\ *Total number of protection rules that can be created* under a firewall instance. | + +-----------------------+--------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+ + | Other Information | Billing Mode | Billing mode. | + +-----------------------+--------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+ + | Tags | | Configure tags to identify firewalls so that you can classify and trace firewall instances. | + +-----------------------+--------------------------------------+--------------------------------------------------------------------------------------------------------------------------------+ - **Figure 1** Protection statistics +#. On the **Operations Dashboard** page, view the overall protection data of cloud resources. - .. _cfw_01_0009__table107281510153: + Click the **Internet Boundaries** or **Inter-VPC Borders** tab to view the corresponding overall protection data. - .. 
table:: **Table 3** Firewall protection statistics + In the upper right corner, change the query range. - +-----------------+---------------------------------------------------------------------------------------+ - | Parameter | Description | - +=================+=======================================================================================+ - | Total EIPs | Total number of EIPs, both the protected and the unprotected. | - +-----------------+---------------------------------------------------------------------------------------+ - | Total VPCs | Total number of VPCs, both the protected and the unprotected. | - +-----------------+---------------------------------------------------------------------------------------+ - | Unprotected | The number of unprotected EIPs/VPCs. | - +-----------------+---------------------------------------------------------------------------------------+ - | Protected | Number of protected EIPs/VPCs. | - +-----------------+---------------------------------------------------------------------------------------+ - | Protection Rate | The percentage of the number of protected EIPs/VPCs to the total number of EIPs/VPCs. | - +-----------------+---------------------------------------------------------------------------------------+ + - View the blocking results of access control policies and the maximum inbound and outbound traffic. + - **Traffic Trend** displays the inbound, outbound, and overall traffic trends.. -#. **Operations Dashboard**: View the overall Internet border and VPC border protection details. For details about the parameters, see :ref:`Table 4 `. + .. table:: **Table 3** Values - The query time can be **Last 1 hour**, **Last 24 hours**, or **Last 7 days**. 
+ +---------------+-----------------------------------+-----------------------------------+ + | Time Range | Average | Maximum | + +===============+===================================+===================================+ + | Last 1 hour | Average value within every minute | Maximum value within every minute | + +---------------+-----------------------------------+-----------------------------------+ + | Last 24 hours | Average value within 5 minutes | Maximum value within 5 minutes | + +---------------+-----------------------------------+-----------------------------------+ + | Last 7 days | Average value within one hour | Maximum value within one hour | + +---------------+-----------------------------------+-----------------------------------+ + .. note:: - .. figure:: /_static/images/en-us_image_0000001772299481.png - :alt: **Figure 2** Security Dashboard + Data is updated in real time based on traffic statistics. - **Figure 2** Security Dashboard - - .. _cfw_01_0009__table184404359171: - - .. table:: **Table 4** Operations Dashboard - - +-----------------------+-------------------------------------------------------------------+ - | Parameter | Description | - +=======================+===================================================================+ - | Blocked Accesses | Number of times accesses are blocked based on protection rules. | - +-----------------------+-------------------------------------------------------------------+ - | Intrusion Prevention | Intrusion prevention mode and the number of intercepted attacks. | - +-----------------------+-------------------------------------------------------------------+ - | Peak Outbound Traffic | Maximum traffic initiated from internal services to the Internet. | - +-----------------------+-------------------------------------------------------------------+ - | Peak Inbound Traffic | Maximum traffic initiated from the Internet to internal servers. 
| - +-----------------------+-------------------------------------------------------------------+ - -#. **Traffic Situation**: View the traffic trend at the Internet border and VPC border. For details, see :ref:`Table 5 `. - - The query time can be **Last 1 hour**, **Last 24 hours**, or **Last 7 days**. - - - .. figure:: /_static/images/en-us_image_0000001772421057.png - :alt: **Figure 3** Traffic Situation - - **Figure 3** Traffic Situation - - .. _cfw_01_0009__table111816441112: - - .. table:: **Table 5** Traffic trend parameters - - ============== ====================================================== - Parameter Description - ============== ====================================================== - Attacks Blocked and allowed accesses. - Access Control Traffic blocked and allowed based on protection rules. - ============== ====================================================== - -#. In the **Traffic Trend** area, click **Internet Boundaries** or **Inter-VPC Borders** to check the corresponding statistics. - - - .. figure:: /_static/images/en-us_image_0000001772301841.png - :alt: **Figure 4** Traffic Trend - - **Figure 4** Traffic Trend - - **Internet Boundaries**: Select an EIP and a query duration from the drop-down list boxes to view inbound and outbound traffic. - - VPC boundary: Select a query duration to view the traffic between VPCs. - - .. note:: - - The traffic data of all EIPs and VPCs under the current account is displayed. - -#. Configure tags to identify firewalls so that you can classify and trace firewall instances. + - **Attacks**: View the traffic blocked or allowed by intrusion prevention. + - **Access Control**: View the traffic blocked or allowed by access control policies. .. |image1| image:: /_static/images/en-us_image_0000001259322747.png +.. |image2| image:: /_static/images/en-us_image_0000001986387925.png 
diff --git a/umn/source/configuring_access_control_policies_to_control_traffic/adding_blacklist_or_whitelist_items_to_block_or_allow_traffic.rst b/umn/source/configuring_access_control_policies_to_control_traffic/adding_blacklist_or_whitelist_items_to_block_or_allow_traffic.rst index d128a1d..5abafad 100644 --- a/umn/source/configuring_access_control_policies_to_control_traffic/adding_blacklist_or_whitelist_items_to_block_or_allow_traffic.rst +++ b/umn/source/configuring_access_control_policies_to_control_traffic/adding_blacklist_or_whitelist_items_to_block_or_allow_traffic.rst @@ -20,7 +20,7 @@ Specification Limitations - CFW supports up to 2,000 blacklist items and 2,000 whitelist items. If there are too many IP addresses to be specified, you can put them in an IP address group and select the IP address group when configuring protection rules. - - For details about how to add an IP address group, see :ref:`Adding Custom IP Address and Address Groups `. + - For details about how to add an IP address group, see :ref:`Adding User-defined IP Addresses and Address Groups `. - For details about how to add a protection rule, see :ref:`Adding Protection Rules to Block or Allow Traffic `. - To protect private IP addresses, use the professional edition firewall and enable :ref:`VPC border firewall ` protection. diff --git a/umn/source/configuring_access_control_policies_to_control_traffic/configuring_protection_rules_to_block_or_allow_traffic/adding_protection_rules_to_block_or_allow_traffic.rst b/umn/source/configuring_access_control_policies_to_control_traffic/configuring_protection_rules_to_block_or_allow_traffic/adding_protection_rules_to_block_or_allow_traffic.rst index 1ddc750..9daa6dd 100644 --- a/umn/source/configuring_access_control_policies_to_control_traffic/configuring_protection_rules_to_block_or_allow_traffic/adding_protection_rules_to_block_or_allow_traffic.rst 
+++ b/umn/source/configuring_access_control_policies_to_control_traffic/configuring_protection_rules_to_block_or_allow_traffic/adding_protection_rules_to_block_or_allow_traffic.rst 
@@ -65,127 +65,127 @@ Adding an Internet Boundary Protection Rule .. table:: **Table 1** Internet boundary rule parameters - +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Parameter | Description | - +===================================+==========================================================================================================================================================================================================================================================================================================================================+ - | Rule Type | Protection type of a rule. | - | | | - | | - **EIP**: Protect EIP traffic. Only EIPs can be configured. | - | | - **NAT**: Protect NAT traffic. Private IP addresses can be configured. | - | | | - | | .. note:: | - | | | - | | By default, EIP rules are configured. NAT rules can be configured after the professional firewall and :ref:`VPC border firewall ` are configured. | - +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Name | Name of the custom security policy. 
| - +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Direction | Select a traffic direction if you set **Protection Rule** to **EIP protection**. | - | | | - | | - **Inbound**: Cloud assets (EIPs) are accessed from the Internet. | - | | - **Outbound**: Cloud assets (EIPs) access the Internet. | - +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Source | Source address of access traffic. | - | | | - | | - **IP address**: Enter EIPs. This parameter can be configured in the following formats: | - | | | - | | - A single EIP, for example, *xx.xx.*\ **10.5** | - | | - Consecutive EIPs, for example, *xx.xx.*\ **0.2-**\ *xx.xx.*\ **0.10** | - | | - EIP segment, for example, *xx.xx.*\ **2.0/24** | - | | | - | | - IP address group: A collection of EIPs. For details about how to add custom IP address groups, see :ref:`Adding Custom IP Address and Address Groups `. For details about how to add a predefined address group, see :ref:`Viewing a Predefined Address Group `. | - | | | - | | .. note:: | - | | | - | | If **Direction** is set to **Inbound**, a predefined address group can be configured for the source address. | - | | | - | | - **Countries and regions**: If **Direction** is set to **Inbound**, you can control access based on continents and countries. 
| - | | - **Any**: any source address | - +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Destination | Destination address of access traffic. | - | | | - | | - **IP address**: Enter EIPs. This parameter can be configured in the following formats: | - | | | - | | - A single EIP, for example, *xx.xx.*\ **10.5** | - | | - Consecutive EIPs, for example, *xx.xx.*\ **0.2-**\ *xx.xx.*\ **0.10** | - | | - EIP segment, for example, *xx.xx.*\ **2.0/24** | - | | | - | | - **IP address group**: A collection of EIPs. For details about how to add custom IP address groups, see :ref:`Adding Custom IP Address and Address Groups `. | - | | - **Countries and regions**: If **Direction** is set to **Outbound**, you can control access based on continents countries. | - | | - **Domain name/Domain name group**: When **Direction** is set to **Outbound**, the protection of the domain name or domain name group is supported. | - | | | - | | - **Application**: Supports the protection for domain names or wildcard domain names. Application-layer protocols such as HTTP and HTTPS are supported. Domain names are used for matching. | - | | - **Network**: Supports protection for one or multiple domain names. Applies to network-layer protocols and supports all protocols. The resolved IP addresses are used for matching. | - | | | - | | .. note:: | - | | | - | | - To protect the domain names of HTTP and HTTPS applications, you can select any options. | - | | - To protect the wildcard domain names of HTTP and HTTPS applications, select **Application** and then select any option from the drop-down list. 
| - | | - To protect a single domain name of other application types (such as FTP, MySQL, and SMTP), select **Network** and select any option from the drop-down list. (If **Application Domain Name Group** is selected, up to 600 IP addresses can be resolved.) | - | | - To protect multiple domain names of other application types (such as FTP, MySQL, and SMTP), select **Network** and **Network Domain Group** from the drop-down list. | - | | - If you need to configure the wildcard domain names or application domain name groups of the HTTP/HTTPS applications, and the network domain groups of other application types for the same domain name, ensure that the priority of the **Network** protection rule is higher than that of the **Application** protection rule. | - | | - For details about application and network types, see :ref:`Adding a Domain Name Group `. | - | | | - | | - **Any**: any destination address | - +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Service | - **Service**: Set **Protocol Type**, **Source Port**, and **Destination Port**. | - | | | - | | - **Protocol Type**: The value can be TCP, UDP, or ICMP. | - | | - **Source/Destination Port**: If **Protocol Type** is set to **TCP** or **UDP**, you need to set the port number. | - | | | - | | .. note:: | - | | | - | | - To specify all the ports of an IP address, set **Port** to **1-65535**. | - | | - You can specify a single port. For example, to manage access on port 22, set **Port** to **22**. | - | | - To set a port range, use a hyphen (-) between the starting and ending ports. For example, to manage access on ports 80 to 443, set **Port** to **80-443**. 
| - | | | - | | - **Service group**: A collection of services (protocols, source ports, and destination ports) is supported. For details about how to add a custom service group, see :ref:`Adding a Custom Service Group `. For details about a pre-defined service group, see :ref:`Viewing a Predefined Service Group `. | - | | - **Any**: any protocol type or port number | - +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Action | Set the action to be taken when traffic passes through the firewall. | - | | | - | | - **Allow**: Traffic is forwarded. | - | | - **Block**: Traffic is not forwarded. | - +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Allow Long Connection | If only one service is configured in the current protection rule and **Protocol Type** is set to **TCP** or **UDP**, you can configure the service session aging time. | - | | | - | | - **Yes**: Configure the long connection duration. | - | | - **No**: Retain the default durations. The default connection durations for different protocols are as follows: | - | | | - | | - TCP: 1800s | - | | - UDP: 60s | - | | | - | | .. note:: | - | | | - | | Up to 50 rules can be configured with long connections. 
| - +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Long Connection Duration | This parameter is mandatory if **Allow Long Connection** is set to **Yes**. | - | | | - | | Configure the long connection duration. Configure the hour, minute, and second. | - | | | - | | .. note:: | - | | | - | | The duration range is 1 second to 1000 days. | - +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Tags | (Optional) Tags are used to identify rules. You can use tags to classify and search for security policies. | - +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Priority | Priority of the rule. Its value can be: | - | | | - | | - **Pin on top**: indicates that the priority of the policy is set to the highest. | - | | - **Lower than the selected rule**: indicates that the policy priority is lower than a specified rule. | - | | | - | | .. note:: | - | | | - | | - A smaller value indicates a higher priority. | - | | - The default priority of the first protection rule is 1. You do not need to configure its priority. 
| - +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Status | Whether a policy is enabled. | - | | | - | | |image2|: enabled | - | | | - | | |image3|: disabled | - +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Description | (Optional) Usage and application scenario | - +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +-----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Parameter | Description | + 
+===================================+=================================================================================================================================================================================================================================================================================================================================================+ + | Rule Type | Protection type of a rule. | + | | | + | | - **EIP**: Protect EIP traffic. Only EIPs can be configured. | + | | - **NAT**: Protect NAT traffic. Private IP addresses can be configured. | + | | | + | | .. note:: | + | | | + | | By default, EIP rules are configured. NAT rules can be configured after the professional firewall and :ref:`VPC border firewall ` are configured. | + +-----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Name | Name of the custom security policy. | + +-----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Direction | Select a traffic direction if you set **Protection Rule** to **EIP protection**. | + | | | + | | - **Inbound**: Cloud assets (EIPs) are accessed from the Internet. | + | | - **Outbound**: Cloud assets (EIPs) access the Internet. 
| + +-----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Source | Source address of access traffic. | + | | | + | | - **IP address**: Enter EIPs. This parameter can be configured in the following formats: | + | | | + | | - A single EIP, for example, *xx.xx.*\ **10.5** | + | | - Consecutive EIPs, for example, *xx.xx.*\ **0.2-**\ *xx.xx.*\ **0.10** | + | | - EIP segment, for example, *xx.xx.*\ **2.0/24** | + | | | + | | - IP address group: A collection of EIPs. For details about how to add custom IP address groups, see :ref:`Adding User-defined IP Addresses and Address Groups `. For details about how to add a predefined address group, see :ref:`Viewing a Predefined Address Group `. | + | | | + | | .. note:: | + | | | + | | If **Direction** is set to **Inbound**, a predefined address group can be configured for the source address. | + | | | + | | - **Countries and regions**: If **Direction** is set to **Inbound**, you can control access based on continents, countries, and regions. | + | | - **Any**: any source address | + +-----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Destination | Destination address of access traffic. | + | | | + | | - **IP address**: Enter EIPs. 
This parameter can be configured in the following formats: | + | | | + | | - A single EIP, for example, *xx.xx.*\ **10.5** | + | | - Consecutive EIPs, for example, *xx.xx.*\ **0.2-**\ *xx.xx.*\ **0.10** | + | | - EIP segment, for example, *xx.xx.*\ **2.0/24** | + | | | + | | - **IP address group**: You can add multiple EIPs to an IP address group. For details about how to add a custom IP address group, see :ref:`Adding User-defined IP Addresses and Address Groups `. | + | | - **Countries and regions**: If **Direction** is set to **Outbound**, you can control access based on continents, countries, and regions. | + | | - **Domain name/Domain name group**: When **Direction** is set to **Outbound**, the protection of the domain name or domain name group is supported. | + | | | + | | - **Application**: Supports the protection for domain names or wildcard domain names. Application-layer protocols such as HTTP and HTTPS are supported. Domain names are used for matching. | + | | - **Network**: Supports protection for one or multiple domain names. Applies to network-layer protocols and supports all protocols. The resolved IP addresses are used for matching. | + | | | + | | .. note:: | + | | | + | | - To protect the domain names of HTTP and HTTPS applications, you can select any options. | + | | - To protect the wildcard domain names of HTTP and HTTPS applications, select **Application** and then select any option from the drop-down list. | + | | - To protect a single domain name of other application types (such as FTP, MySQL, and SMTP), select **Network** and select any option from the drop-down list. (If **Application Domain Name Group** is selected, up to 600 IP addresses can be resolved.) | + | | - To protect multiple domain names of other application types (such as FTP, MySQL, and SMTP), select **Network** and **Network Domain Group** from the drop-down list. 
| + | | - If you need to configure the wildcard domain names or application domain name groups of the HTTP/HTTPS applications, and the network domain groups of other application types for the same domain name, ensure that the priority of the **Network** protection rule is higher than that of the **Application** protection rule. | + | | - For details about application and network types, see :ref:`Adding a Domain Name Group `. | + | | | + | | - **Any**: any destination address | + +-----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Service | - **Service**: Set **Protocol Type**, **Source Port**, and **Destination Port**. | + | | | + | | - **Protocol Type**: The value can be TCP, UDP, or ICMP. | + | | - **Source/Destination Port**: If **Protocol Type** is set to **TCP** or **UDP**, you need to set the port number. | + | | | + | | .. note:: | + | | | + | | - To specify all the ports of an IP address, set **Port** to **1-65535**. | + | | - You can specify a single port. For example, to manage access on port 22, set **Port** to **22**. | + | | - To set a port range, use a hyphen (-) between the starting and ending ports. For example, to manage access on ports 80 to 443, set **Port** to **80-443**. | + | | | + | | - **Service group**: A service group is a set of services (protocols, source ports, and destination ports). For details about how to add a user-defined service group, see :ref:`Adding a User-defined Service Group `. For details about predefined service groups, see :ref:`Viewing a Predefined Service Group `. 
| + | | - **Any**: any protocol type or port number | + +-----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Action | Set the action to be taken when traffic passes through the firewall. | + | | | + | | - **Allow**: Traffic is forwarded. | + | | - **Block**: Traffic is not forwarded. | + +-----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Allow Long Connection | If only one service is configured in the current protection rule and **Protocol Type** is set to **TCP** or **UDP**, you can configure the service session aging time. | + | | | + | | - **Yes**: Configure the long connection duration. | + | | - **No**: Retain the default durations. The default connection durations for different protocols are as follows: | + | | | + | | - TCP: 1800s | + | | - UDP: 60s | + | | | + | | .. note:: | + | | | + | | Up to 50 rules can be configured with long connections. 
| + +-----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Long Connection Duration | This parameter is mandatory if **Allow Long Connection** is set to **Yes**. | + | | | + | | Configure the long connection duration. Configure the hour, minute, and second. | + | | | + | | .. note:: | + | | | + | | The duration range is 1 second to 1000 days. | + +-----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Tags | (Optional) Tags are used to identify rules. You can use tags to classify and search for security policies. | + +-----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Priority | Priority of the rule. Its value can be: | + | | | + | | - **Pin on top**: indicates that the priority of the policy is set to the highest. | + | | - **Lower than the selected rule**: indicates that the policy priority is lower than a specified rule. | + | | | + | | .. note:: | + | | | + | | - A smaller value indicates a higher priority. | + | | - The default priority of the first protection rule is 1. 
You do not need to configure its priority. | + +-----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Status | Whether a policy is enabled. | + | | | + | | |image2|: enabled | + | | | + | | |image3|: disabled | + +-----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Description | (Optional) Usage and application scenario | + +-----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ #. Click **OK** to complete the protection rule configuration. 
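Review bot: The added Direction row still reads "Select a traffic direction if you set **Protection Rule** to **EIP protection**", but the new row above it names the parameter **Rule Type** with the values **EIP** and **NAT**. Reword the condition to match, for example "if you set **Rule Type** to **EIP**", and state what Direction means, or whether it is hidden, for a NAT rule. The Source and Destination rows also still say only "Enter EIPs" and give EIP examples, although the new Rule Type row says private IP addresses can be configured for NAT rules. Add the address formats accepted for NAT rules so a reader does not scope a NAT rule with the wrong address type. In the Destination note, the parenthetical "(If **Application Domain Name Group** is selected, up to 600 IP addresses can be resolved.)" sits under the **Network** bullet. Please confirm which group type is meant, since Network rules match on the resolved IP addresses.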
@@ -207,96 +207,101 @@ Adding a VPC Border Protection Rule .. table:: **Table 2** VPC border protection rule parameters - +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Parameter | Description | - +===================================+=====================================================================================================================================================================================================================+ - | Name | Name of the custom security policy. | - +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Direction | You do not need to configure it for an inter-VPC protection rule. | - +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Source | Source address of access traffic. | - | | | - | | - **IP address**: You can set a single IP address, consecutive IP addresses, or an IP address segment. | - | | | - | | - A single IP address, for example, **192.168.10.5** | - | | - Consecutive IP addresses, for example, **192.168.0.2-192.168.0.10** | - | | - Address segment, for example, **192.168.2.0/24** | - | | | - | | - **IP address group**: A collection of IP addresses. For details, see :ref:`Adding an IP Address Group `. 
| - | | - **Any**: any source address | - +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Destination | Destination address of access traffic. | - | | | - | | - **IP address**: You can set a single IP address, consecutive IP addresses, or an IP address segment. | - | | | - | | - A single IP address, for example, **192.168.10.5** | - | | - Consecutive IP addresses, for example, **192.168.0.2-192.168.0.10** | - | | - Address segment, for example, **192.168.2.0/24** | - | | | - | | - **IP address group**: A collection of IP addresses. For details, see :ref:`Adding an IP Address Group `. | - | | - **Any**: any destination address | - +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Service | Set the protocol type and port number of the access traffic. | - | | | - | | - **Service**: Set **Protocol Type**, **Source Port**, and **Destination Port**. | - | | | - | | - **Protocol Type**: The value can be **TCP**, **UDP**, or **ICMP**. | - | | - **Source/Destination Port**: If **Protocol Type** is set to **TCP** or **UDP**, you need to set the port number. | - | | | - | | .. note:: | - | | | - | | - To specify all the ports of an IP address, set **Port** to **1-65535**. | - | | - You can specify a single port. For example, to manage access on port 22, set **Port** to **22**. | - | | - To set a port range, use a hyphen (-) between the starting and ending ports. For example, to manage access on ports 80 to 443, set **Port** to **80-443**. | - | | | - | | - **Service group**: A collection of services (protocols, source ports, and destination ports) is supported. 
For details about how to add a service group, see :ref:`Adding a Custom Service Group `. | - | | - **Any**: any protocol type or port number | - +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Action | Set the action to be taken when traffic passes through the firewall. | - | | | - | | - **Allow**: Traffic is forwarded. | - | | - **Block**: Traffic is not forwarded. | - +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Allow Long Connection | If only one service is configured in the current protection rule and **Protocol Type** is set to **TCP** or **UDP**, you can configure the service session aging time. | - | | | - | | - **Yes**: Configure the long connection duration. | - | | - **No**: Retain the default durations. The default connection durations for different protocols are as follows: | - | | | - | | - TCP: 1800s | - | | - UDP: 60s | - | | | - | | .. note:: | - | | | - | | Up to 50 rules can be configured with long connections. | - +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Long Connection Duration | This parameter is mandatory if **Allow Long Connection** is set to **Yes**. | - | | | - | | Configure the long connection duration. Configure the hour, minute, and second. | - | | | - | | .. note:: | - | | | - | | The duration range is 1 second to 1000 days. 
| - +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Tag | (Optional) Tags are used to identify rules. You can use tags to classify and search for security policies. | - +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Priority | Priority of the rule. Its value can be: | - | | | - | | - **Pin on top**: indicates that the priority of the policy is set to the highest. | - | | - **Lower than the selected rule**: indicates that the policy priority is lower than a specified rule. | - | | | - | | .. note:: | - | | | - | | - A smaller value indicates a higher priority. | - | | - The default priority of the first protection rule is 1. You do not need to configure its priority. | - +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Status | Whether a policy is enabled. 
| - | | | - | | |image5|: enabled | - | | | - | | |image6|: disabled | - +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Description | (Optional) Usage and application scenario | - +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Parameter | Description | + +===================================+============================================================================================================================================================================================================================================================================================================================================+ + | Name | Name of the custom security policy. | + +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Direction | You do not need to configure it for an inter-VPC protection rule. 
| + +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Source | Source address of access traffic. | + | | | + | | - **IP address**: You can set a single IP address, consecutive IP addresses, or an IP address segment. | + | | | + | | - A single IP address, for example, **192.168.10.5** | + | | - Consecutive IP addresses, for example, **192.168.0.2-192.168.0.10** | + | | - Address segment, for example, **192.168.2.0/24** | + | | | + | | - **IP address group**: A collection of IP addresses. For details, see :ref:`Adding an IP Address Group `. | + | | - **Any**: any source address | + +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Destination | Destination address of access traffic. | + | | | + | | - **IP address**: You can set a single IP address, consecutive IP addresses, or an IP address segment. | + | | | + | | - A single IP address, for example, **192.168.10.5** | + | | - Consecutive IP addresses, for example, **192.168.0.2-192.168.0.10** | + | | - Address segment, for example, **192.168.2.0/24** | + | | | + | | - **IP address group**: A collection of IP addresses. For details, see :ref:`Adding an IP Address Group `. | + | | | + | | - **Domain Name/Domain Name Group**: Domain names or domain groups can be protected. | + | | | + | | **Application**: Supports the protection for domain names or wildcard domain names. 
Application-layer protocols such as HTTP and HTTPS are supported. Domain names are used for matching. | + | | | + | | - **Any**: any destination address | + +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Service | Set the protocol type and port number of the access traffic. | + | | | + | | - **Service**: Set **Protocol Type**, **Source Port**, and **Destination Port**. | + | | | + | | - **Protocol Type**: The value can be **TCP**, **UDP**, or **ICMP**. | + | | - **Source/Destination Port**: If **Protocol Type** is set to **TCP** or **UDP**, you need to set the port number. | + | | | + | | .. note:: | + | | | + | | - To specify all the ports of an IP address, set **Port** to **1-65535**. | + | | - You can specify a single port. For example, to manage access on port 22, set **Port** to **22**. | + | | - To set a port range, use a hyphen (-) between the starting and ending ports. For example, to manage access on ports 80 to 443, set **Port** to **80-443**. | + | | | + | | - **Service group**: A collection of services (protocols, source ports, and destination ports) is supported. For details about how to add a custom service group, see :ref:`Adding a User-defined Service Group `. For details about predefined service groups, see :ref:`Viewing a Predefined Service Group `. 
| + | | - **Any**: any protocol type or port number | + +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Action | Set the action to be taken when traffic passes through the firewall. | + | | | + | | - **Allow**: Traffic is forwarded. | + | | - **Block**: Traffic is not forwarded. | + +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Allow Long Connection | If only one service is configured in the current protection rule and **Protocol Type** is set to **TCP** or **UDP**, you can configure the service session aging time. | + | | | + | | - **Yes**: Configure the long connection duration. | + | | - **No**: Retain the default durations. The default connection durations for different protocols are as follows: | + | | | + | | - TCP: 1800s | + | | - UDP: 60s | + | | | + | | .. note:: | + | | | + | | Up to 50 rules can be configured with long connections. | + +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Long Connection Duration | This parameter is mandatory if **Allow Long Connection** is set to **Yes**. 
| + | | | + | | Configure the long connection duration. Configure the hour, minute, and second. | + | | | + | | .. note:: | + | | | + | | The duration range is 1 second to 1000 days. | + +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Tag | (Optional) Tags are used to identify rules. You can use tags to classify and search for security policies. | + +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Priority | Priority of the rule. Its value can be: | + | | | + | | - **Pin on top**: indicates that the priority of the policy is set to the highest. | + | | - **Lower than the selected rule**: indicates that the policy priority is lower than a specified rule. | + | | | + | | .. note:: | + | | | + | | - A smaller value indicates a higher priority. | + | | - The default priority of the first protection rule is 1. You do not need to configure its priority. | + +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Status | Whether a policy is enabled. 
| + | | | + | | |image5|: enabled | + | | | + | | |image6|: disabled | + +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Description | (Optional) Usage and application scenario | + +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ 6. Click **OK** to complete the protection rule configuration. 
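Review bot: In the Destination row of this table, the **Application** entry under **Domain Name/Domain Name Group** is added as a plain paragraph with no list marker, and no **Network** entry follows it, while Table 3 (SNAT) later in this file lists both as "- **Application**" and "- **Network**" sub-items. Make it a nested bullet so it renders as an option of the domain name choice, and either add the **Network** option or state that only application-type matching is available for this rule type. The row label here is **Tag** while Table 3 uses **Tags**; pick one.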
@@ -319,105 +324,118 @@ Adding a NAT Traffic Protection Rule .. table:: **Table 3** SNAT protection rule parameters - +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Parameter | Description | - +===================================+========================================================================================================================================================================================================================================================================================================================================+ - | Rule Type | Select **NAT** to protect the traffic of the NAT gateway. Private IP addresses can be configured. | - | | | - | | .. note:: | - | | | - | | To select **NAT**, ensure that: | - | | | - | | - The professional edition firewall is used. | - | | - The VPC border firewalls have been configured. | - +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Name | Name of the custom security policy. 
| - +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Direction | Select **SNAT**. | - +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Source | Source address of access traffic. | - | | | - | | - **IP address**: Enter private IP addresses. You can set a single IP address, consecutive IP addresses, or an IP address segment. | - | | | - | | - A single IP address, for example, **192.168.10.5** | - | | - Consecutive IP addresses, for example, **192.168.0.2-192.168.0.10** | - | | - Address segment, for example, **192.168.2.0/24** | - | | | - | | - **IP address group**: A collection of private IP addresses. For details, see :ref:`Adding Custom IP Address and Address Groups `. | - | | - **Countries and regions**: A continent or a country | - | | - **Any**: any source address | - +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Destination | Destination address of access traffic. | - | | | - | | - **IP address**: Enter private IP addresses. You can set a single IP address, consecutive IP addresses, or an IP address segment. 
| - | | | - | | - A single IP address, for example, **192.168.10.5** | - | | - Consecutive IP addresses, for example, **192.168.0.2-192.168.0.10** | - | | - Address segment, for example, **192.168.2.0/24** | - | | | - | | - **IP address group**: A collection of private IP addresses. For details about how to add IP address groups, see :ref:`Adding Custom IP Address and Address Groups `. | - | | - **Countries and regions**: A continent or a country | - | | - **Any**: any destination address | - +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Service | - **Service**: Set **Protocol Type**, **Source Port**, and **Destination Port**. | - | | | - | | - **Protocol Type**: The value can be TCP, UDP, or ICMP. | - | | - **Source/Destination Port**: If **Protocol Type** is set to **TCP** or **UDP**, you need to set the port number. | - | | | - | | .. note:: | - | | | - | | - To specify all the ports of an IP address, set **Port** to **1-65535**. | - | | - You can specify a single port. For example, to manage access on port 22, set **Port** to **22**. | - | | - To set a port range, use a hyphen (-) between the starting and ending ports. For example, to manage access on ports 80 to 443, set **Port** to **80-443**. | - | | | - | | - **Service group**: A collection of services (protocols, source ports, and destination ports) is supported. For details about how to add a custom service group, see :ref:`Adding a Custom Service Group `. For details about a pre-defined service group, see :ref:`Viewing a Predefined Service Group `. 
| - | | - **Any**: any protocol type or port number | - +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Action | Set the action to be taken when traffic passes through the firewall. | - | | | - | | - **Allow**: Traffic is forwarded. | - | | - **Block**: Traffic is not forwarded. | - +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Allow Long Connection | If only one service is configured in the current protection rule and **Protocol Type** is set to **TCP** or **UDP**, you can configure the service session aging time. | - | | | - | | - **Yes**: Configure the long connection duration. | - | | - **No**: Retain the default durations. The default connection durations for different protocols are as follows: | - | | | - | | - TCP: 1800s | - | | - UDP: 60s | - | | | - | | .. note:: | - | | | - | | Up to 50 rules can be configured with long connections. | - +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Long Connection Duration | This parameter is mandatory if **Allow Long Connection** is set to **Yes**. 
| - | | | - | | Configure the long connection duration. Configure the hour, minute, and second. | - | | | - | | .. note:: | - | | | - | | The duration range is 1 second to 1000 days. | - +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Tags | (Optional) Tags are used to identify rules. You can use tags to classify and search for security policies. | - +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Priority | Priority of the rule. Its value can be: | - | | | - | | - **Pin on top**: indicates that the priority of the policy is set to the highest. | - | | - **Lower than the selected rule**: indicates that the policy priority is lower than a specified rule. | - | | | - | | .. note:: | - | | | - | | - A smaller value indicates a higher priority. | - | | - The default priority of the first protection rule is 1. You do not need to configure its priority. | - +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Status | Whether a policy is enabled. 
| - | | | - | | |image8|: enabled | - | | | - | | |image9|: disabled | - +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Description | (Optional) Usage and application scenario | - +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +-----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Parameter | Description | + +===================================+=================================================================================================================================================================================================================================================================================================================================================+ + | Rule Type | Select **NAT** to protect the traffic of the NAT gateway. Private IP addresses can be configured. | + | | | + | | .. note:: | + | | | + | | To select **NAT**, ensure that: | + | | | + | | - The professional edition firewall is used. | + | | - The VPC border firewalls have been configured. 
| + +-----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Name | Name of the custom security policy. | + +-----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Direction | Select **SNAT**. | + +-----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Source | Source address of access traffic. | + | | | + | | - **IP address**: Enter private IP addresses. You can set a single IP address, consecutive IP addresses, or an IP address segment. | + | | | + | | - A single IP address, for example, **192.168.10.5** | + | | - Consecutive IP addresses, for example, **192.168.0.2-192.168.0.10** | + | | - Address segment, for example, **192.168.2.0/24** | + | | | + | | - **IP address group**: You can add multiple private IP addresses to an IP address group. For details about how to add a IP address group, see :ref:`Adding User-defined IP Addresses and Address Groups `. 
| + | | - **Countries and regions**: A continent, a country, or a region | + | | - **Any**: any source address | + +-----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Destination | Destination address of access traffic. | + | | | + | | - **IP address**: Enter private IP addresses. You can set a single IP address, consecutive IP addresses, or an IP address segment. | + | | | + | | - A single IP address, for example, **192.168.10.5** | + | | - Consecutive IP addresses, for example, **192.168.0.2-192.168.0.10** | + | | - Address segment, for example, **192.168.2.0/24** | + | | | + | | - **IP address group**: You can add multiple private IP addresses to an IP address group. For details about how to add an IP address group, see :ref:`Adding User-defined IP Addresses and Address Groups `. | + | | - **Countries and regions**: A continent, a country, or a region | + | | - **Domain Name/Domain Name Group**: When **Direction** is set to **Outbound**, the protection of a domain name or domain name group is supported. | + | | | + | | - **Application**: Supports the protection for domain names or wildcard domain names. Application-layer protocols such as HTTP and HTTPS are supported. Domain names are used for matching. | + | | - **Network**: Supports protection for one or multiple domain names. Applies to network-layer protocols and supports all protocols. The resolved IP addresses are used for matching. | + | | | + | | .. note:: | + | | | + | | - To protect the domain names of HTTP and HTTPS applications, you can select any options. 
| + | | - To protect the wildcard domain names of HTTP and HTTPS applications, select **Application** and then select any option from the drop-down list. | + | | - To protect a single domain name of other application types (such as FTP, MySQL, and SMTP), select **Network** and select any option from the drop-down list. (If **Application Domain Name Group** is selected, up to 600 IP addresses can be resolved.) | + | | - If you need to configure the wildcard domain names or application domain name groups of the HTTP/HTTPS applications, and the network domain groups of other application types for the same domain name, ensure that the priority of the **Network** protection rule is higher than that of the **Application** protection rule. | + | | - For details about application and network types, see :ref:`Adding a Domain Name Group `. | + | | | + | | - **Any**: any destination address | + +-----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Service | - **Service**: Set **Protocol Type**, **Source Port**, and **Destination Port**. | + | | | + | | - **Protocol Type**: The value can be TCP, UDP, or ICMP. | + | | - **Source/Destination Port**: If **Protocol Type** is set to **TCP** or **UDP**, you need to set the port number. | + | | | + | | .. note:: | + | | | + | | - To specify all the ports of an IP address, set **Port** to **1-65535**. | + | | - You can specify a single port. For example, to manage access on port 22, set **Port** to **22**. | + | | - To set a port range, use a hyphen (-) between the starting and ending ports. For example, to manage access on ports 80 to 443, set **Port** to **80-443**. 
| + | | | + | | - **Service group**: A service group is a set of services (protocols, source ports, and destination ports). For details about how to add a user-defined service group, see :ref:`Adding a User-defined Service Group `. For details about predefined service groups, see :ref:`Viewing a Predefined Service Group `. | + | | - **Any**: any protocol type or port number | + +-----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Action | Set the action to be taken when traffic passes through the firewall. | + | | | + | | - **Allow**: Traffic is forwarded. | + | | - **Block**: Traffic is not forwarded. | + +-----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Allow Long Connection | If only one service is configured in the current protection rule and **Protocol Type** is set to **TCP** or **UDP**, you can configure the service session aging time. | + | | | + | | - **Yes**: Configure the long connection duration. | + | | - **No**: Retain the default durations. The default connection durations for different protocols are as follows: | + | | | + | | - TCP: 1800s | + | | - UDP: 60s | + | | | + | | .. note:: | + | | | + | | Up to 50 rules can be configured with long connections. 
| + +-----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Long Connection Duration | This parameter is mandatory if **Allow Long Connection** is set to **Yes**. | + | | | + | | Configure the long connection duration. Configure the hour, minute, and second. | + | | | + | | .. note:: | + | | | + | | The duration range is 1 second to 1000 days. | + +-----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Tags | (Optional) Tags are used to identify rules. You can use tags to classify and search for security policies. | + +-----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Priority | Priority of the rule. Its value can be: | + | | | + | | - **Pin on top**: indicates that the priority of the policy is set to the highest. | + | | - **Lower than the selected rule**: indicates that the policy priority is lower than a specified rule. | + | | | + | | .. note:: | + | | | + | | - A smaller value indicates a higher priority. | + | | - The default priority of the first protection rule is 1. 
You do not need to configure its priority. | + +-----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Status | Whether a policy is enabled. | + | | | + | | |image8|: enabled | + | | | + | | |image9|: disabled | + +-----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Description | (Optional) Usage and application scenario | + +-----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ #. Click **OK** to complete the protection rule configuration. diff --git a/umn/source/configuring_access_control_policies_to_control_traffic/configuring_protection_rules_to_block_or_allow_traffic/example_4_configuring_snat_protection_rules.rst b/umn/source/configuring_access_control_policies_to_control_traffic/configuring_protection_rules_to_block_or_allow_traffic/example_4_configuring_snat_protection_rules.rst index 184420d..180d9f5 100644 --- a/umn/source/configuring_access_control_policies_to_control_traffic/configuring_protection_rules_to_block_or_allow_traffic/example_4_configuring_snat_protection_rules.rst 
+++ b/umn/source/configuring_access_control_policies_to_control_traffic/configuring_protection_rules_to_block_or_allow_traffic/example_4_configuring_snat_protection_rules.rst @@ -12,7 +12,7 @@ SNAT Protection Configuration Assume your private IP address is **10.1.1.2** and the external domain name accessed through the NAT gateway is **www.example.com**. Configure NAT protection as follows and set other parameters based on your deployment: -- **Rule Type**: **NAT** +- **Rule Type**: Select **NAT**. - **Direction**: Select **SNAT**. - **Source**: Select **IP address** and enter **10.1.1.2**. - **Destination**: Select **Domain Name/Domain Group** and **Network**, and enter **www.example.com**. diff --git a/umn/source/configuring_access_control_policies_to_control_traffic/domain_name_management/adding_a_domain_name_group.rst b/umn/source/configuring_access_control_policies_to_control_traffic/domain_name_management/adding_a_domain_name_group.rst index f852e95..ccfbe7f 100644 --- a/umn/source/configuring_access_control_policies_to_control_traffic/domain_name_management/adding_a_domain_name_group.rst +++ b/umn/source/configuring_access_control_policies_to_control_traffic/domain_name_management/adding_a_domain_name_group.rst @@ -17,13 +17,13 @@ Constraints - The domain names in a domain name group can be referenced by protection rules for up to 40,000 times, and wildcard domain names can be referenced for up to 2,000 times. -**Application Domain Name Group (Layer 7 Protocol Parsing)** +**Application domain name group (layer 7 protocol parsing)** - A firewall instance can have up to 500 domain name groups. - A firewall instance can have up to 2,500 domain names. - A domain name group can have up to 1,500 domain names. -**Network Domain Name Group (Layer 4 Protocol Parsing)** +**Network domain name group (layer 4 protocol parsing)** - A firewall instance can have up to 1,000 domain names. - A network domain name group can have up to 15 domain names. 
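Review bot: The two Constraints headings are lowered to sentence case ("**Application domain name group (layer 7 protocol parsing)**"), but the protection rule table changed in this patch refers to the same option as **Application Domain Name Group**, and the procedure in this file names the tab **Network Domain Name Group**. If these headings name the console options, keep the console capitalization; if they are descriptive, drop the bold so they are not read as labels. "Layer 7" and "Layer 4" are normally capitalized either way.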
@@ -40,11 +40,11 @@ Adding a Domain Name Group #. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click **View** in the **Operation** column of a firewall to go to its details page. -#. In the navigation pane, choose **Access Control** > **Domain Name Groups**. +#. In the navigation pane, choose **Access Control** > **Object Groups**. #. (Optional) To add a network domain group, click the **Network Domain Name Group** tab. -#. Click **Add Domain Name Group** and configure :ref:`parameters `. +#. Click the **Domain Name Groups** tab. Click **Add Domain Name Group** and configure :ref:`parameters `. .. _cfw_01_0183__table12362103114169: 
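Review bot: The step order in this hunk needs checking: the optional step "click the **Network Domain Name Group** tab" still comes before the new instruction "Click the **Domain Name Groups** tab". If the network tab is reached from **Domain Name Groups** on the **Object Groups** page, move the optional step after it. The new last step also packs two actions into one item ("Click the **Domain Name Groups** tab. Click **Add Domain Name Group** ..."); split them into two numbered steps.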
@@ -53,10 +53,10 @@ Adding a Domain Name Group +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Parameter | Description | +===================================+====================================================================================================================================================================================================+ - | Group Name | Name of a user-defined domain name group. | - +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Domain Name Group Type | Application/Network | +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Group Name | Name of a user-defined domain name group. | + +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Description | (Optional) Enter remarks for the domain name group. | +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Domain Name | Enter one or multiple domain names. | 
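Review bot: The hunk moves **Domain Name Group Type** to the first row but leaves its description as just "Application/Network". This choice decides whether rules match on the domain name itself (application, layer 7) or on the resolved IP addresses (network, layer 4), and which of the limits under Constraints apply, so the description should say that or link to the Constraints section rather than only listing the two values.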
@@ -78,25 +78,25 @@ Adding a Domain Name to a Domain Group #. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click **View** in the **Operation** column of a firewall to go to its details page. -#. In the navigation pane, choose **Access Control** > **Service Groups**. +#. In the navigation pane, choose **Access Control** > **Object Groups**. -#. Click the name of a domain name group. The **Basic Information** and **Domain Names** areas are displayed. +#. Click the **Domain Name Groups** tab. Click the name of a domain name group. The **Domain Name Groups** dialog box is displayed. -#. Click **Add Domain** under the domain name list and enter domain name information. +#. Click **Add Domain** and enter domain name information. - You can click |image3| to add multiple services. + You can click **Add** to add multiple domain names. #. Confirm the information and click **OK**. Related Operation ----------------- -- Batch deleting domain names: Select domain names and click **Delete** above the list. +- Exporting domain name groups: Click **Export** above the list and select a data range. +- Batch deleting domain names: Select domain names in the domain name list and click **Delete** above the list. -- To edit a domain name group, click the name of the target domain name group and click **Edit** on the right of **Basic Information**. +- Editing a domain name group: Click the name of the target domain name group and click **Edit** on the right of **Basic Information**. - A domain name group takes effect only after it is set in a protection rule. For more information, see :ref:`Adding Protection Rules to Block or Allow Traffic `. 
-- To view the IP addresses resolved by a domain name group of the network domain name group type, click the domain name group name to go to the **Basic Information** page, and click **IP address** in the **Operation** column of the domain name list. +- Viewing the IP addresses resolved by a domain name group of the network domain name group type: Click a domain name group name to go to the **Basic Information** page, and click **IP address** in the **Operation** column of the domain name list. .. |image1| image:: /_static/images/en-us_image_0000001259322747.png .. |image2| image:: /_static/images/en-us_image_0000001259322747.png -.. |image3| image:: /_static/images/en-us_image_0000001988387381.png diff --git a/umn/source/configuring_access_control_policies_to_control_traffic/domain_name_management/deleting_a_domain_name_group.rst b/umn/source/configuring_access_control_policies_to_control_traffic/domain_name_management/deleting_a_domain_name_group.rst index caf74eb..d0777b4 100644 --- a/umn/source/configuring_access_control_policies_to_control_traffic/domain_name_management/deleting_a_domain_name_group.rst +++ b/umn/source/configuring_access_control_policies_to_control_traffic/domain_name_management/deleting_a_domain_name_group.rst 
@@ -17,9 +17,9 @@ Deleting a Domain Name Group #. Log in to the management console. #. In the navigation pane on the left, click |image1| and choose **Security** > **Cloud Firewall**. The **Dashboard** page will be displayed. #. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click **View** in the **Operation** column of a firewall to go to its details page. -#. In the navigation pane, choose **Access Control** > **Domain Name Groups**. +#. In the navigation pane, choose **Access Control** > **Object Groups**. #. (Optional) To delete a network domain group, click the **Network Domain Name Group** tab. -#. Locate the row that contains the item to be deleted. Click **Delete** in the **Operation** column. In the displayed dialog box, enter **DELETE** and click **OK**. +#. Click the **Domain Name Groups** tab. Locate the row that contains the item to be deleted. Click **Delete** in the **Operation** column. In the displayed dialog box, enter **DELETE** and click **OK**. .. warning:: diff --git a/umn/source/configuring_access_control_policies_to_control_traffic/managing_access_control_policies/importing_and_exporting_protection_policies.rst b/umn/source/configuring_access_control_policies_to_control_traffic/managing_access_control_policies/importing_and_exporting_protection_policies.rst index ad4ce83..27fc4e6 100644 --- a/umn/source/configuring_access_control_policies_to_control_traffic/managing_access_control_policies/importing_and_exporting_protection_policies.rst +++ b/umn/source/configuring_access_control_policies_to_control_traffic/managing_access_control_policies/importing_and_exporting_protection_policies.rst 
@@ -5,7 +5,7 @@ Importing and Exporting Protection Policies =========================================== -You can add and export protection rules, blacklist/whitelist items, IP address groups, service groups, and domain name groups in batches. +You can add and export protection rules, blacklist/whitelist items, IP address groups, domain name groups, and service groups in batches. Specification Limitations ------------------------- @@ -19,7 +19,7 @@ Importing Protection Rules in Batches #. In the navigation pane on the left, click |image1| and choose **Security** > **Cloud Firewall**. The **Dashboard** page will be displayed. #. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click **View** in the **Operation** column of a firewall to go to its details page. #. In the navigation pane, choose **Access Control** > **Access Policies**. -#. Click **Download Center** on the upper right of the list. +#. Click **Download Center** on the upper right corner of the list. #. Click **Download Template** to download the rule import template to the local host. #. Configure protection policy information as required. 
@@ -29,8 +29,8 @@ Importing Protection Rules in Batches - For details about VPC border protection rule parameters, see :ref:`Parameters of Rule Import Template - Vpc-Rule-Acl-Table (VPC Border Protection Rule) `. - For details about the blacklist and whitelist parameters, see :ref:`Adding Blacklist or Whitelist Items to Block or Allow Traffic `. - - For details about IP address group parameters, see :ref:`Adding Custom IP Address and Address Groups `. - - For details about service group parameters, see :ref:`Adding a Custom Service Group `. + - For details about IP address group parameters, see :ref:`Adding User-defined IP Addresses and Address Groups `. + - For details about service group parameters, see :ref:`Adding a User-defined Service Group `. - For details about domain name group parameters, see :ref:`Domain Name Management `. .. important:: @@ -56,7 +56,7 @@ Exporting Protection Rules in Batches #. In the navigation pane on the left, click |image2| and choose **Security** > **Cloud Firewall**. The **Dashboard** page will be displayed. #. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click **View** in the **Operation** column of a firewall to go to its details page. #. In the navigation pane, choose **Access Control** > **Access Policies**. -#. Click **Download Center** on the upper right of the list. +#. Click **Download Center** on the upper right corner of the list. #. Click **Export Rule** to export rules to a local PC. .. _cfw_01_0129__section738713134471: diff --git a/umn/source/configuring_access_control_policies_to_control_traffic/managing_access_control_policies/managing_protection_rules.rst b/umn/source/configuring_access_control_policies_to_control_traffic/managing_access_control_policies/managing_protection_rules.rst index c3868d0..bbb81c3 100644 
--- a/umn/source/configuring_access_control_policies_to_control_traffic/managing_access_control_policies/managing_protection_rules.rst +++ b/umn/source/configuring_access_control_policies_to_control_traffic/managing_access_control_policies/managing_protection_rules.rst @@ -28,7 +28,9 @@ Viewing Protection Rules | | | | | A smaller value indicates a higher priority. | +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Name | Custom rule name | + | Name/Rule ID | Custom rule name and ID | + +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Rule Type | Protection type of the rule. It can be an EIP or NAT rule. | +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Direction | Traffic direction of the protection rule. | +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ 
diff --git a/umn/source/configuring_access_control_policies_to_control_traffic/managing_ip_address_groups/adding_custom_ip_address_and_address_groups.rst b/umn/source/configuring_access_control_policies_to_control_traffic/managing_ip_address_groups/adding_user-defined_ip_addresses_and_address_groups.rst similarity index 83% rename from umn/source/configuring_access_control_policies_to_control_traffic/managing_ip_address_groups/adding_custom_ip_address_and_address_groups.rst rename to umn/source/configuring_access_control_policies_to_control_traffic/managing_ip_address_groups/adding_user-defined_ip_addresses_and_address_groups.rst index b1fc8fc..f444ce8 100644 --- a/umn/source/configuring_access_control_policies_to_control_traffic/managing_ip_address_groups/adding_custom_ip_address_and_address_groups.rst +++ b/umn/source/configuring_access_control_policies_to_control_traffic/managing_ip_address_groups/adding_user-defined_ip_addresses_and_address_groups.rst @@ -2,15 +2,15 @@ .. _cfw_01_0068: -Adding Custom IP Address and Address Groups -=========================================== +Adding User-defined IP Addresses and Address Groups +=================================================== An IP address group contains multiple IP addresses. An IP address group frees you from repeatedly modifying access rules and allows you to manage access rules in batch. Constraints ----------- -- A firewall instance can contain up to 3898 IP address groups. +- A firewall instance can have up to 3800 IP address groups. - An IP address group can contain up to 640 IP addresses. - A firewall instance can contain up to 30,000 IP addresses. 
@@ -23,9 +23,9 @@ Adding Custom Address Groups #. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click **View** in the **Operation** column of a firewall to go to its details page. -#. In the navigation pane, choose **Access Control** > **IP Address Groups**. +#. In the navigation pane, choose **Access Control** > **Object Groups**. -#. Click **Add IP Address Group** and configure parameters in the **Basic Information** area. For more information, see :ref:`IP address group parameters `. +#. Click the **IP Address Groups** tab. Click **Add IP Address Group** and configure parameters on the **Add IP Address Group** slide-out panel. For more information, see :ref:`IP address group parameters `. .. _cfw_01_0068__table12707131818297: 
@@ -51,15 +51,15 @@ Adding Custom Address Groups #. Confirm the information and click **OK**. The IP address group is added. -Adding an IP Address --------------------- +Adding an IP address to a user-defined address group +---------------------------------------------------- #. Log in to the management console. #. In the navigation pane on the left, click |image2| and choose **Security** > **Cloud Firewall**. The **Dashboard** page will be displayed. #. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click **View** in the **Operation** column of a firewall to go to its details page. -#. In the navigation pane, choose **Access Control** > **IP Address Groups**. -#. Click the name of an IP address group. The **Basic Information** and **IP Addresses** areas are displayed. -#. Click **Add IP Address** under the IP address list. +#. In the navigation pane, choose **Access Control** > **Object Groups**. +#. Click the name of an IP address group on the **IP Address Groups** tab. The **IP Address Group Details** dialog box is displayed.. +#. Click **Add IP Address**. The **Add IP Address** slide-out panel is displayed. - To add IP addresses in batches, enter the IP addresses in the text box and click **Parse**. - To add a single IP address, click **Add**, and enter the IP address and description. @@ -69,7 +69,8 @@ Adding an IP Address Related Operations ------------------ -- Batch deleting IP addresses: In the IP address list, select IP addresses and click **Delete** above the list. +- Exporting IP address groups: Click **Export** above the list and select a data range. +- Batch deleting IP addresses: In the **IP Address Group Details** slide-out panel, select IP addresses and click **Delete** above the list. Follow-up Operations -------------------- 
diff --git a/umn/source/configuring_access_control_policies_to_control_traffic/managing_ip_address_groups/deleting_ip_address_groups.rst b/umn/source/configuring_access_control_policies_to_control_traffic/managing_ip_address_groups/deleting_ip_address_groups.rst index 818fbf5..ed50b53 100644 --- a/umn/source/configuring_access_control_policies_to_control_traffic/managing_ip_address_groups/deleting_ip_address_groups.rst +++ b/umn/source/configuring_access_control_policies_to_control_traffic/managing_ip_address_groups/deleting_ip_address_groups.rst @@ -19,8 +19,8 @@ Deleting IP Address Groups #. Log in to the management console. #. In the navigation pane on the left, click |image1| and choose **Security** > **Cloud Firewall**. The **Dashboard** page will be displayed. #. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click **View** in the **Operation** column of a firewall to go to its details page. -#. In the navigation pane, choose **Access Control** > **IP Address Groups**. -#. In the **Operation** column of an IP address group, click **Delete**. +#. In the navigation pane, choose **Access Control** > **Object Groups**. +#. Click the **IP Address Groups** tab. In the **Operation** column of an IP address group, click **Delete**. #. In the displayed dialog box, confirm the information, enter **DELETE**, and click **OK**. .. warning:: diff --git a/umn/source/configuring_access_control_policies_to_control_traffic/managing_ip_address_groups/index.rst b/umn/source/configuring_access_control_policies_to_control_traffic/managing_ip_address_groups/index.rst index 9bebe2d..5b79c50 100644 --- a/umn/source/configuring_access_control_policies_to_control_traffic/managing_ip_address_groups/index.rst +++ b/umn/source/configuring_access_control_policies_to_control_traffic/managing_ip_address_groups/index.rst 
@@ -5,7 +5,7 @@ Managing IP Address Groups ========================== -- :ref:`Adding Custom IP Address and Address Groups ` +- :ref:`Adding User-defined IP Addresses and Address Groups ` - :ref:`Viewing a Predefined Address Group ` - :ref:`Deleting IP Address Groups ` @@ -13,6 +13,6 @@ Managing IP Address Groups :maxdepth: 1 :hidden: - adding_custom_ip_address_and_address_groups + adding_user-defined_ip_addresses_and_address_groups viewing_a_predefined_address_group deleting_ip_address_groups diff --git a/umn/source/configuring_access_control_policies_to_control_traffic/managing_ip_address_groups/viewing_a_predefined_address_group.rst b/umn/source/configuring_access_control_policies_to_control_traffic/managing_ip_address_groups/viewing_a_predefined_address_group.rst index 9078766..291dfc6 100644 --- a/umn/source/configuring_access_control_policies_to_control_traffic/managing_ip_address_groups/viewing_a_predefined_address_group.rst +++ b/umn/source/configuring_access_control_policies_to_control_traffic/managing_ip_address_groups/viewing_a_predefined_address_group.rst 
@@ -29,7 +29,7 @@ Viewing a Predefined Address Group #. Log in to the management console. #. In the navigation pane on the left, click |image1| and choose **Security** > **Cloud Firewall**. The **Dashboard** page will be displayed. #. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click **View** in the **Operation** column of a firewall to go to its details page. -#. In the navigation pane, choose **Access Control** > **IP Address Groups**. -#. Click the **Pre-defined Address Group** tab and click the name of an address group. On the details page that is displayed, view the address group information. +#. In the navigation pane, choose **Access Control** > **Object Groups**. +#. Click the **IP Address Groups** tab. Click the **Pre-defined Address Groups** tab and click the name of an address group. On the details page that is displayed, view the address group information. .. |image1| image:: /_static/images/en-us_image_0000001259322747.png diff --git a/umn/source/configuring_access_control_policies_to_control_traffic/service_group_management/adding_a_custom_service_group.rst b/umn/source/configuring_access_control_policies_to_control_traffic/service_group_management/adding_a_user-defined_service_group.rst similarity index 86% rename from umn/source/configuring_access_control_policies_to_control_traffic/service_group_management/adding_a_custom_service_group.rst rename to umn/source/configuring_access_control_policies_to_control_traffic/service_group_management/adding_a_user-defined_service_group.rst index 64fdd19..37cf07a 100644 --- a/umn/source/configuring_access_control_policies_to_control_traffic/service_group_management/adding_a_custom_service_group.rst +++ b/umn/source/configuring_access_control_policies_to_control_traffic/service_group_management/adding_a_user-defined_service_group.rst 
@@ -2,8 +2,8 @@ .. _cfw_01_0070: -Adding a Custom Service Group -============================= +Adding a User-defined Service Group +=================================== A service group is a collection of services (protocols, source ports, and destination ports). A service group frees you from repeatedly modifying access rules and simplifies security group rule management. @@ -15,14 +15,14 @@ Constraints - A firewall instance can have up to 900 services. -Adding a Custom Service Group ------------------------------ +Adding a User-defined Service Group +----------------------------------- #. Log in to the management console. #. In the navigation pane on the left, click |image1| and choose **Security** > **Cloud Firewall**. The **Dashboard** page will be displayed. #. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click **View** in the **Operation** column of a firewall to go to its details page. -#. In the navigation pane, choose **Access Control** > **Service Groups**. -#. Click **Add Service Group** and configure parameters in the **Basic Information** area. Enter the service group name and description. +#. In the navigation pane, choose **Access Control** > **Object Groups**. +#. Click the **Service Groups** tab. Click **Add Service Group** and configure parameters in the **Add Service Group** area. Enter the service group name and description. .. table:: **Table 1** Service group parameters 
@@ -41,23 +41,21 @@ Adding a Custom Service Group #. Confirm the information and click **OK**. -Adding a Service ----------------- +Adding a Service to a User-defined Service Group +------------------------------------------------ #. Log in to the management console. #. In the navigation pane on the left, click |image2| and choose **Security** > **Cloud Firewall**. The **Dashboard** page will be displayed. #. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click **View** in the **Operation** column of a firewall to go to its details page. -#. In the navigation pane, choose **Access Control** > **Service Groups**. -#. Click the name of a service group. The **Basic Information** and **Services** areas are displayed. -#. Click **Add Service** in the **Services** area. The **Add Service** dialog box is displayed. +#. In the navigation pane, choose **Access Control** > **Object Groups**. +#. Click the **Service Groups** tab. Click the name of a service group. The **Service Group Details** dialog box is displayed.. +#. Click **Add Service**. .. table:: **Table 2** Adding a service +-----------------------+-------------------------------------------------------------------------------------------------------------------------------+-----------------------+ | Parameter | Description | Example Value | +=======================+===============================================================================================================================+=======================+ - | Service Name | User-defined service name | test | - +-----------------------+-------------------------------------------------------------------------------------------------------------------------------+-----------------------+ | Protocol | Its value can be **TCP**, **UDP**, or **ICMP**. 
| TCP | +-----------------------+-------------------------------------------------------------------------------------------------------------------------------+-----------------------+ | Source Port | Source ports to be allowed or blocked. You can configure a single port or consecutive port groups (example: **80-443**). | 80 | @@ -75,13 +73,14 @@ Adding a Service | Description | Usage and application scenario | ``-`` | +-----------------------+-------------------------------------------------------------------------------------------------------------------------------+-----------------------+ -#. You can click |image3| to add multiple services. +#. You can click **Add** to add multiple services. #. Confirm the information and click **OK**. Related Operations ------------------ -- Batch deleting services: Select services in the service list and click **Delete** above the list. +- Exporting service groups: Click **Export** above the list and select a data range. +- Deleting services in batches: On the **Service Groups** tab, select services and click **Delete** above the list. Follow-up Operations -------------------- @@ -90,4 +89,3 @@ A service group takes effect only after it is set in a protection rule. For more .. |image1| image:: /_static/images/en-us_image_0000001259322747.png .. |image2| image:: /_static/images/en-us_image_0000001259322747.png -.. |image3| image:: /_static/images/en-us_image_0000001988385497.png 
diff --git a/umn/source/configuring_access_control_policies_to_control_traffic/service_group_management/deleting_a_service_group.rst b/umn/source/configuring_access_control_policies_to_control_traffic/service_group_management/deleting_a_user-defined_service_group.rst similarity index 72% rename from umn/source/configuring_access_control_policies_to_control_traffic/service_group_management/deleting_a_service_group.rst rename to umn/source/configuring_access_control_policies_to_control_traffic/service_group_management/deleting_a_user-defined_service_group.rst index 80973a8..1a3bdcf 100644 --- a/umn/source/configuring_access_control_policies_to_control_traffic/service_group_management/deleting_a_service_group.rst +++ b/umn/source/configuring_access_control_policies_to_control_traffic/service_group_management/deleting_a_user-defined_service_group.rst @@ -2,12 +2,12 @@ .. _cfw_01_0071: -Deleting a Service Group -======================== +Deleting a User-defined Service Group +===================================== A service group is a collection of ports. You can use service groups to easily protect high-risk ports and manage access rules, free from repeated editing of access rules. -This section describes how to delete a custom service group. +This section describes how to delete a user-defined service group. Constraints ----------- 
@@ -15,14 +15,14 @@ Constraints The service group referenced by a protection rule cannot be deleted. Modify or delete the rule first. -Deleting a Service Group ------------------------- +Deleting a User-defined Service Group +------------------------------------- #. Log in to the management console. #. In the navigation pane on the left, click |image1| and choose **Security** > **Cloud Firewall**. The **Dashboard** page will be displayed. #. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click **View** in the **Operation** column of a firewall to go to its details page. -#. In the navigation pane, choose **Access Control** > **Service Groups**. -#. In the **Operation** column of a service group, click **Delete**. +#. In the navigation pane, choose **Access Control** > **Object Groups**. +#. Click the **Service Groups** tab. In the **Operation** column of a service group, click **Delete**. #. In the displayed dialog box, confirm the information, enter **DELETE**, and click **OK**. .. warning:: diff --git a/umn/source/configuring_access_control_policies_to_control_traffic/service_group_management/index.rst b/umn/source/configuring_access_control_policies_to_control_traffic/service_group_management/index.rst index a7ad971..edf4b97 100644 --- a/umn/source/configuring_access_control_policies_to_control_traffic/service_group_management/index.rst +++ b/umn/source/configuring_access_control_policies_to_control_traffic/service_group_management/index.rst 
@@ -5,14 +5,14 @@ Service Group Management ======================== -- :ref:`Adding a Custom Service Group ` +- :ref:`Adding a User-defined Service Group ` - :ref:`Viewing a Predefined Service Group ` -- :ref:`Deleting a Service Group ` +- :ref:`Deleting a User-defined Service Group ` .. toctree:: :maxdepth: 1 :hidden: - adding_a_custom_service_group + adding_a_user-defined_service_group viewing_a_predefined_service_group - deleting_a_service_group + deleting_a_user-defined_service_group diff --git a/umn/source/configuring_access_control_policies_to_control_traffic/service_group_management/viewing_a_predefined_service_group.rst b/umn/source/configuring_access_control_policies_to_control_traffic/service_group_management/viewing_a_predefined_service_group.rst index c84b34f..1bbf081 100644 --- a/umn/source/configuring_access_control_policies_to_control_traffic/service_group_management/viewing_a_predefined_service_group.rst +++ b/umn/source/configuring_access_control_policies_to_control_traffic/service_group_management/viewing_a_predefined_service_group.rst 
@@ -16,7 +16,7 @@ Viewing a Predefined Service Group #. Log in to the management console. #. In the navigation pane on the left, click |image1| and choose **Security** > **Cloud Firewall**. The **Dashboard** page will be displayed. #. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click **View** in the **Operation** column of a firewall to go to its details page. -#. In the navigation pane, choose **Access Control** > **Service Groups**. -#. Click the **Pre-defined Service Groups** tab and click the name of a service group. On the details page that is displayed, view the service group information. +#. In the navigation pane, choose **Access Control** > **Object Groups**. +#. Click the **Service Groups** tab. Click the **Pre-defined Service Groups** tab and click the name of a service group. On the details page that is displayed, view the service group information. .. |image1| image:: /_static/images/en-us_image_0000001259322747.png diff --git a/umn/source/configuring_access_control_policies_to_control_traffic/viewing_protection_information_using_the_policy_assistant.rst b/umn/source/configuring_access_control_policies_to_control_traffic/viewing_protection_information_using_the_policy_assistant.rst index f1683f3..f20d420 100644 --- a/umn/source/configuring_access_control_policies_to_control_traffic/viewing_protection_information_using_the_policy_assistant.rst +++ b/umn/source/configuring_access_control_policies_to_control_traffic/viewing_protection_information_using_the_policy_assistant.rst 
@@ -41,6 +41,6 @@ Viewing Protection Information Using the Policy Assistant | Top Blocked IP Address Regions | Regions of blocked IP addresses. You can click **Destination of outbound access** or **Source of inbound access** to check IP addresses. | +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------+ - - **Inactive Policies**: Policies that have not been hit or enabled for more than three months. You are advised to modify or delete the policies in a timely manner. + - **Inactive Policies**: Policies that have not been hit or enabled for more than a week, a month, three months, or six months. You are advised to modify or delete the policies in a timely manner. .. |image1| image:: /_static/images/en-us_image_0000001259322747.png diff --git a/umn/source/creating_a_pay-per-use_cfw.rst b/umn/source/creating_a_pay-per-use_cfw.rst index a57b227..408454b 100644 --- a/umn/source/creating_a_pay-per-use_cfw.rst +++ b/umn/source/creating_a_pay-per-use_cfw.rst 
@@ -30,26 +30,32 @@ Creating a Pay-per-Use Professional CFW .. table:: **Table 1** Parameters for creating CFW - +-----------------------------------+------------------------------------------------------------------------------------------------------------------+ - | Parameter | Description | - +===================================+==================================================================================================================+ - | Billing Mode | **Pay-per-use** indicates that you will be charged for the protection on your workloads. | - +-----------------------------------+------------------------------------------------------------------------------------------------------------------+ - | Region | Region where the CFW is to be purchased. | - +-----------------------------------+------------------------------------------------------------------------------------------------------------------+ - | Edition | Currently, only the professional edition is supported. | - +-----------------------------------+------------------------------------------------------------------------------------------------------------------+ - | Firewall Name | Firewall name. | - | | | - | | It must meet the following requirements: | - | | | - | | - Only letters (A to Z and a to z), numbers (0 to 9), spaces, and the following characters are allowed: -\_ | - | | - The value can contain 1 to 48 characters. | - +-----------------------------------+------------------------------------------------------------------------------------------------------------------+ - | Enterprise Project | | - +-----------------------------------+------------------------------------------------------------------------------------------------------------------+ - | Tags | It is recommended that you use the TMS predefined tag function to add the same tag to different cloud resources. 
| - +-----------------------------------+------------------------------------------------------------------------------------------------------------------+ + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Parameter | Description | + +===================================+=======================================================================================================================================================================================================================================+ + | Billing Mode | **Pay-per-use** indicates that you will be charged for the protection on your workloads. | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Region | Region where the CFW is to be purchased. | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Edition | Currently, only the professional edition is supported. | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Firewall Name | Firewall name. 
| + | | | + | | It must meet the following requirements: | + | | | + | | - Only letters (A to Z and a to z), numbers (0 to 9), spaces, and the following characters are allowed: -\_ | + | | - The value can contain 1 to 48 characters. | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Enterprise Project | In the drop-down list, select the enterprise project that you belong to. The purchased CFW then belongs to that enterprise project and protects all resources in that project. | + | | | + | | This option is only available if you have enabled enterprise projects, or if you are logged in using an enterprise master account. You can use an enterprise project to centrally manage your cloud resources and members by project. | + | | | + | | .. note:: | + | | | + | | Value **default** indicates the default enterprise project. Resources that are not allocated to any enterprise projects under your account are displayed in the default enterprise project. | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Tags | It is recommended that you use the TMS predefined tag function to add the same tag to different cloud resources. | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ #. Confirm the information and click **Create Firewall**. 
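Review bot: In the new Enterprise Project row, "protects all resources in that project" reads as a guarantee of automatic coverage, yet alarm_notification.rst, added in this same patch, documents an **EIP not protected** alarm for accounts that have EIPs that are not protected. Suggest wording the cell as scope rather than outcome, for example "and can protect the resources in that project". Separately, filling this one cell widened the grid table and rewrote every row only to realign borders; a list-table would keep later changes to this table reviewable.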
diff --git a/umn/source/faqs/troubleshooting/what_do_i_do_if_service_traffic_is_abnormal.rst b/umn/source/faqs/troubleshooting/what_do_i_do_if_service_traffic_is_abnormal.rst index f5ab4e4..3f524b7 100644 --- a/umn/source/faqs/troubleshooting/what_do_i_do_if_service_traffic_is_abnormal.rst +++ b/umn/source/faqs/troubleshooting/what_do_i_do_if_service_traffic_is_abnormal.rst @@ -98,7 +98,7 @@ The firewall administrator took the following measures: **Figure 2** EIPs -#. The administrator chose **Log Audit** > **Log Query** and clicked the **Access Control Logs** tab. He searched for the blocking logs of the access source IP address **xx.xx.xx.126**. A blocking rule named **Block-Malicious-Outreach** was found, and this rule blocked the traffic from the EIP **xx.xx.xx.126** to the Internet. +#. The administrator chose **Log Audit** > **Log Query** and clicked the **Access Control Logs** tab. He searched for the blocking logs of the access source IP address **xx.xx.xx.126**. A blocking rule named **Block-Malicious-Outreach** was found, and this rule blocked the traffic from the attack source IP address to the Internet. .. figure:: /_static/images/en-us_image_0000001950170221.png 
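Review bot: The changed step now refers to the same address as "the access source IP address **xx.xx.xx.126**" and, one sentence later, as "the attack source IP address", and it drops the fact that the address is an EIP. In a step about traffic to the Internet blocked by **Block-Malicious-Outreach**, the switch in terms makes it unclear whether one address or two are meant; suggest "this rule blocked the traffic from this source IP address (the EIP) to the Internet".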
@@ -164,7 +164,7 @@ The firewall administrator took the following measures: **Figure 5** Filtering attack event logs -#. The administrator clicked **Details** in the **Operation** column, clicked **Payload Content** in the display page, and created a packet capture task to determine that the service is normal. The administrator searched for the rule whose ID is 334841 from the list on the **Basic Protection** tab page by referring to :ref:`Modifying the Protection Action of an Intrusion Prevention Rule `. +#. The administrator clicked **Details** in the **Operation** column, clicked **Payload Content** in the display page, and created a packet capture task to verify that the service is normal. The administrator searched for the rule whose ID is 334841 from the list on the **Basic Protection** tab page by referring to :ref:`Modifying the Protection Action of an Intrusion Prevention Rule `. .. figure:: /_static/images/en-us_image_0000001950170229.png diff --git a/umn/source/product_overview/constraints_and_limitations.rst b/umn/source/product_overview/constraints_and_limitations.rst index 791e3ef..b503334 100644 --- a/umn/source/product_overview/constraints_and_limitations.rst +++ b/umn/source/product_overview/constraints_and_limitations.rst @@ -29,7 +29,7 @@ Protection Policy Quota Limit - IP address groups - - A firewall instance can contain up to 3898 IP address groups. + - A firewall instance can have up to 3800 IP address groups. - An IP address group can contain up to 640 IP addresses. - A firewall instance can contain up to 30,000 IP addresses. 
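Review bot: In constraints_and_limitations.rst, the IP address group quota drops from 3898 to 3800 with no reason visible in the patch, and the new bullet is written with "3800" and "have" while its sibling bullets use "30,000" and "contain". Confirm the new limit against the actual quota, and write the line as "A firewall instance can contain up to 3,800 IP address groups." so the three bullets read consistently.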
@@ -42,13 +42,13 @@ Protection Policy Quota Limit - Domain name groups - The domain names in a domain name group can be referenced by protection rules for up to 40,000 times, and wildcard domain names can be referenced for up to 2,000 times. - - **Application Domain Name Group (Layer 7 Protocol Parsing)** + - **Application domain name group (layer 7 protocol parsing)** - A firewall instance can have up to 500 domain name groups. - A firewall instance can have up to 2,500 domain names. - - A domain name group in application mode can have up to 1,500 domain names. + - A domain name group can have up to 1,500 domain names. - - **Network Domain Name Group (Layer 4 Protocol Parsing)** + - **Network domain name group (layer 4 protocol parsing)** - A firewall instance can have up to 1,000 domain names. - A network domain name group can have up to 15 domain names. diff --git a/umn/source/product_overview/related_services.rst b/umn/source/product_overview/related_services.rst index 0a783de..041c8c7 100644 --- a/umn/source/product_overview/related_services.rst +++ b/umn/source/product_overview/related_services.rst @@ -25,7 +25,7 @@ CTS records operations related to CFW, facilitating your further queries, audits Cloud Eye --------- -`Cloud Eye `__ provides a comprehensive monitoring platform for resources such as the ECS and bandwidth. Cloud Eye monitors the metrics of CFW, so that you can understand the protection status of CFW in a timely manner, and set protection policies accordingly. +`Cloud Eye `__ provides a comprehensive monitoring platform for resources such as the ECS and bandwidth. Cloud Eye monitors the metrics of CFW, so that you can understand the protection status of the service in a timely manner, and set protection policies accordingly. Log Tank Service (LTS) ---------------------- diff --git a/umn/source/system_management/alarm_notification.rst b/umn/source/system_management/alarm_notification.rst new file mode 100644 index 0000000..99a4e84 --- /dev/null 
+++ b/umn/source/system_management/alarm_notification.rst 
@@ -0,0 +1,146 @@ +:original_name: cfw_01_0166.html + +.. _cfw_01_0166: + +Alarm Notification +================== + +After alarm notification is enabled, CFW will send notifications to you through the method you specified (such as email or SMS) so that you can monitor the firewall status and quickly detect exceptions. + +CFW supports the following alarms: + +- Attack alarm: An alarm is triggered when the IPS detects an attack. +- High traffic warning: An alarm is triggered if the traffic reaches the specified percentage of the traffic processing capability you purchased. +- EIP not protected: An alarm is triggered when the current account has EIPs that are not protected. + +Prerequisites +------------- + +The SMN service has been enabled. + +Attack Alarm +------------ + +#. Log in to the management console. + +#. In the navigation pane on the left, click |image1| and choose **Security** > **Cloud Firewall**. The **Dashboard** page will be displayed. + +#. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click **View** in the **Operation** column of a firewall to go to its details page. + +#. In the navigation pane, choose **System Management** > **Notifications**. + +#. In the **Operation** column of **Attack alarm**, click **Edit**, and configure notification item parameters. For details, see :ref:`Table 1 `. + + .. _cfw_01_0166__table1854192020589: + + .. 
table:: **Table 1** Attack alarm parameters + + +-----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Parameter | Description | + +===================================+=========================================================================================================================================================================+ + | Description | IPS attack alarm | + +-----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Level | Select the risk levels that trigger notifications. | + | | | + | | The options are **Serious**, **High**, **Medium**, and **Low**. Multiple options can be selected. | + | | | + | | For example, if you select **High** and **Medium**, the firewall will notify you by SMS message or email when detecting an intrusion with a high- or medium-level risk. | + +-----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Notification Time | Select a time range for sending notifications. | + +-----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Trigger Condition | Configure the trigger condition. | + | | | + | | .. note:: | + | | | + | | Alarm notifications are sent if the number of attacks is at least equal to the threshold configured for a certain period. 
| + +-----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Recipient Group | Select a topic from the drop-down list to configure the endpoints for receiving alarm notifications. | + +-----------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +#. Click **OK**. + +#. In the **Status** column of **Attack alarm**, click |image2| to enable it. + +High Traffic Warning +-------------------- + +#. Log in to the management console. + +#. In the navigation pane on the left, click |image3| and choose **Security** > **Cloud Firewall**. The **Dashboard** page will be displayed. + +#. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click **View** in the **Operation** column of a firewall to go to its details page. + +#. In the navigation pane, choose **System Management** > **Notifications**. + +#. In the **Operation** column of **High Traffic Warning**, click **Edit**, and configure notification item parameters. For details, see :ref:`Table 2 `. + + .. _cfw_01_0166__table20810102320332: + + .. 
table:: **Table 2** High traffic warning parameters + + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Parameter | Description | + +===================================+=======================================================================================================================================================================================+ + | Description | An alarm is generated if the traffic reaches the specified percentage of the traffic processing capability you purchased. | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Level | Select a percentage. When the maximum peak inbound or outbound traffic reaches the percentage of the traffic processing capability you purchased, an alarm notification is triggered. | + | | | + | | For example, you can select **70%**, **80%**, or **90%**. | + | | | + | | If this parameter is set to **80%**, an alarm notification is sent when the used traffic reaches 80% of the purchased traffic. | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Notification Time | Select a time range for sending notifications. 
| + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Trigger Condition | Once a day | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Recipient Group | Select a topic from the drop-down list to configure the endpoints for receiving alarm notifications. | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +#. Click **OK**. + +#. In the **Status** column of **High Traffic Warning**, click |image4| to enable it. + +EIP Not Protected +----------------- + +#. Log in to the management console. + +#. In the navigation pane on the left, click |image5| and choose **Security** > **Cloud Firewall**. The **Dashboard** page will be displayed. + +#. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click **View** in the **Operation** column of a firewall to go to its details page. + +#. In the navigation pane, choose **System Management** > **Notifications**. + +#. In the **Operation** column of the **EIP Not Protected** alarm, click **Edit**, and configure notification item parameters. For details, see :ref:`Table 3 `. + + .. _cfw_01_0166__table19573228199: + + .. 
table:: **Table 3** Parameters of the alarm **EIP Not Protected** + + +-------------------+------------------------------------------------------------------------------------------------------+ + | Parameter | Description | + +===================+======================================================================================================+ + | Description | This alarm indicates there are unprotected EIPs. | + +-------------------+------------------------------------------------------------------------------------------------------+ + | Notification Time | Select a time range for sending notifications. | + +-------------------+------------------------------------------------------------------------------------------------------+ + | Trigger Condition | Once a day | + +-------------------+------------------------------------------------------------------------------------------------------+ + | Recipient Group | Select a topic from the drop-down list to configure the endpoints for receiving alarm notifications. | + +-------------------+------------------------------------------------------------------------------------------------------+ + +#. Click **OK**. + +#. In the **Status** column of **EIP Not Protected**, click |image6| to enable it. + +Related Operations +------------------ + +To add assets to the **EIP Not Protected** alarm whitelist, click **Add to Alarm Whitelist** in the **Operation** column of the alarm. Select EIPs, add them to the whitelist on the right, and click **OK**. The whitelisted EIPs will no longer trigger this alarm. + +.. |image1| image:: /_static/images/en-us_image_0000001259322747.png +.. |image2| image:: /_static/images/en-us_image_0000001443711605.png +.. |image3| image:: /_static/images/en-us_image_0000001259322747.png +.. |image4| image:: /_static/images/en-us_image_0000001443792005.png +.. |image5| image:: /_static/images/en-us_image_0000001259322747.png +.. |image6| image:: /_static/images/en-us_image_0000001673130380.png 
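Review bot: In alarm_notification.rst, Table 1 lists the **Level** options as **Serious**, **High**, **Medium**, and **Low**, while the querying_logs.rst hunk in this patch gives the risk levels as **Critical**, **High**, **Medium**, or **Low**; use one name for the top level so readers can match an alarm setting to the log entries it covers. The **Trigger Condition** row for the attack alarm also gives no unit or allowed range for the threshold and the period. In Related Operations, say how to review and remove EIPs on the alarm whitelist, since a whitelisted EIP that is unprotected no longer raises the alarm. Table 2 describes the trigger as "maximum peak inbound or outbound traffic" and then as "used traffic" in the 80% example; pick one term.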
diff --git a/umn/source/system_management/index.rst b/umn/source/system_management/index.rst index 0dd2b7c..bc7db00 100644 --- a/umn/source/system_management/index.rst +++ b/umn/source/system_management/index.rst @@ -5,6 +5,8 @@ System Management ================= +- :ref:`Alarm Notification ` +- :ref:`Network Packet Capture ` - :ref:`Configuring a DNS Server ` - :ref:`Security Report Management ` @@ -12,5 +14,7 @@ System Management :maxdepth: 1 :hidden: + alarm_notification + network_packet_capture/index configuring_a_dns_server security_report_management/index diff --git a/umn/source/system_management/network_packet_capture/creating_a_packet_capture_task_to_check_the_network_status.rst b/umn/source/system_management/network_packet_capture/creating_a_packet_capture_task_to_check_the_network_status.rst new file mode 100644 index 0000000..699d524 --- /dev/null +++ b/umn/source/system_management/network_packet_capture/creating_a_packet_capture_task_to_check_the_network_status.rst 
@@ -0,0 +1,96 @@ +:original_name: cfw_01_0179.html + +.. _cfw_01_0179: + +Creating a Packet Capture Task to Check the Network Status +========================================================== + +You can create network packet capture tasks to locate network faults and attacks. + +Specification Limitations +------------------------- + +Only the professional edition instances can capture network packets. + +Constraints +----------- + +- Only one packet capture task can be executed at a time. +- A maximum of 20 packet capture tasks can be created every day. +- A maximum of 1 million packets can be captured. + + +Creating a Packet Capture Task to Check the Network Status +---------------------------------------------------------- + +#. Log in to the management console. + +#. In the navigation pane on the left, click |image1| and choose **Security** > **Cloud Firewall**. The **Dashboard** page will be displayed. + +#. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click **View** in the **Operation** column of a firewall to go to its details page. + +#. In the navigation tree on the left, choose **System Management** > **Packet Capture**. + +#. Click **Create Capture Task** and configure :ref:`parameters `. + + .. _cfw_01_0179__table20466164010119: + + .. table:: **Table 1** Packet capture task parameters + + +------------------------+-----------------------------------------------------------------------------------+-----------------------+ + | Parameter Name | Description | Example Value | + +========================+===================================================================================+=======================+ + | Task Name | Task name. | cfw | + +------------------------+-----------------------------------------------------------------------------------+-----------------------+ + | Max. Packets Captured | Maximum number of captured packets. 
Enter an integer in the range 1 to 1,000,000. | 100000 | + +------------------------+-----------------------------------------------------------------------------------+-----------------------+ + | Capture Duration (min) | Maximum duration for capturing packets. Enter an integer in the range 1 to 10. | 3 | + +------------------------+-----------------------------------------------------------------------------------+-----------------------+ + | IP Type | IP address type for packet capture. The value is **IPv4** by default. | IPv4 | + +------------------------+-----------------------------------------------------------------------------------+-----------------------+ + | Protocol Type | Protocol type of captured packets. It can be: | Any | + | | | | + | | - Any | | + | | - TCP | | + | | - UDP | | + | | - ICMP | | + +------------------------+-----------------------------------------------------------------------------------+-----------------------+ + | Source Address | It can be: | 192.168.10.5 | + | | | | + | | - A single IP address, for example, **192.168.10.5** | | + | | - Consecutive IP addresses, for example, **192.168.0.2-192.168.0.10** | | + | | - Address segment, for example, **192.168.2.0/24** | | + +------------------------+-----------------------------------------------------------------------------------+-----------------------+ + | Source Port | (Optional) Source port. | 80 | + | | | | + | | The input rules are as follows: | | + | | | | + | | - If this parameter is left blank, it indicates all port numbers (1 to 65535). | | + | | - Enter a single port number in the range 1 to 65535. 
| | + +------------------------+-----------------------------------------------------------------------------------+-----------------------+ + | Destination Address | It can be: | 192.168.10.6 | + | | | | + | | - A single IP address, for example, **192.168.10.5** | | + | | - Consecutive IP addresses, for example, **192.168.0.2-192.168.0.10** | | + | | - Address segment, for example, **192.168.2.0/24** | | + +------------------------+-----------------------------------------------------------------------------------+-----------------------+ + | Destination Port | (Optional) Destination port. | ``-`` | + | | | | + | | The input rules are as follows: | | + | | | | + | | - If this parameter is left blank, it indicates all port numbers (1 to 65535). | | + | | - Enter a single port number in the range 1 to 65535. | | + +------------------------+-----------------------------------------------------------------------------------+-----------------------+ + +#. Click **OK**. + +Related Operations +------------------ + +- To copy a task, click **Copy** in its **Operation** column. In the displayed dialog box, enter the task name and click **OK**. +- To stop a packet capture task, click **Stop** in its **Operation** column. +- To delete packet capture tasks, select them and click **Delete** above the list. +- :ref:`Viewing a Packet Capture Task ` +- :ref:`Downloading Packet Capture Results ` + +.. |image1| image:: /_static/images/en-us_image_0000001259322747.png diff --git a/umn/source/system_management/network_packet_capture/downloading_packet_capture_results.rst b/umn/source/system_management/network_packet_capture/downloading_packet_capture_results.rst new file mode 100644 index 0000000..a64859f --- /dev/null +++ b/umn/source/system_management/network_packet_capture/downloading_packet_capture_results.rst 
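Review bot: In creating_a_packet_capture_task_to_check_the_network_status.rst, the **Source Address** and **Destination Address** rows of Table 1 do not say whether the field is optional or what a blank value matches, whereas the port rows are marked "(Optional)" and state that blank means all ports; add the same statement to the address rows. The **Destination Address** description also reuses the source example **192.168.10.5** while its Example Value column shows 192.168.10.6. In Constraints, "A maximum of 1 million packets can be captured" should say that the limit is per task, matching the 1 to 1,000,000 range given for **Max. Packets Captured**.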
@@ -0,0 +1,45 @@ +:original_name: cfw_01_0181.html + +.. _cfw_01_0181: + +Downloading Packet Capture Results +================================== + +Constraints +----------- + +For an abnormal task, its possible packet capture results are as follows: + +- The packet capture data is completely lost and cannot be downloaded. +- Some packet capture data is lost. Existing data can be downloaded. + + +Downloading Packet Capture Results +---------------------------------- + +#. Log in to the management console. +#. In the navigation pane on the left, click |image1| and choose **Security** > **Cloud Firewall**. The **Dashboard** page will be displayed. +#. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click **View** in the **Operation** column of a firewall to go to its details page. +#. In the navigation tree on the left, choose **System Management** > **Packet Capture**. +#. In the row of a task, click **Download** in the **Operation** column to view the packet capture result. + + .. note:: + + For an abnormal task, its possible packet capture results are as follows: + + - The packet capture data is completely lost and cannot be downloaded. + - Some packet capture data is lost. Existing data can be downloaded. + +#. Obtain the packet capture result. + + - You can click **Copy all** to share the link with others. + - You can click **Open URL** to open it in a new browser tab. Switch back to this dialog box, click **Copy access code**, paste the copied code to the **Extraction Code** text box on the new tab, and click **Obtain Shared File List**. + - You can click **Copy link**, and paste and open the link it in a new browser tab. Switch back to this dialog box, click **Copy access code**, paste the copied code to the **Extraction Code** text box on the new tab, and click **Obtain Shared File List**. + + .. 
note:: + + You can switch between Chinese and English in the lower left corner of the browser. + +#. Click **Download** or **Download As**. + +.. |image1| image:: /_static/images/en-us_image_0000001259322747.png diff --git a/umn/source/system_management/network_packet_capture/index.rst b/umn/source/system_management/network_packet_capture/index.rst new file mode 100644 index 0000000..629f2ee --- /dev/null +++ b/umn/source/system_management/network_packet_capture/index.rst @@ -0,0 +1,18 @@ +:original_name: cfw_01_0178.html + +.. _cfw_01_0178: + +Network Packet Capture +====================== + +- :ref:`Creating a Packet Capture Task to Check the Network Status ` +- :ref:`Viewing a Packet Capture Task ` +- :ref:`Downloading Packet Capture Results ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + creating_a_packet_capture_task_to_check_the_network_status + viewing_a_packet_capture_task + downloading_packet_capture_results diff --git a/umn/source/system_management/network_packet_capture/viewing_a_packet_capture_task.rst b/umn/source/system_management/network_packet_capture/viewing_a_packet_capture_task.rst new file mode 100644 index 0000000..a5356c8 --- /dev/null +++ b/umn/source/system_management/network_packet_capture/viewing_a_packet_capture_task.rst 
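Review bot: In downloading_packet_capture_results.rst, the bullet that tells users to click **Copy all** "to share the link with others" does not say how long the link stays valid or who can open it, which matters because the file holds captured traffic; state the validity period and that the link should go only to people authorised to see the capture. The abnormal-task text also appears twice verbatim, once under Constraints and once in the note under the download step; keep one copy. In the **Copy link** bullet, "paste and open the link it in a new browser tab" has a stray "it".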
@@ -0,0 +1,75 @@ +:original_name: cfw_01_0180.html + +.. _cfw_01_0180: + +Viewing a Packet Capture Task +============================= + + +Viewing a Packet Capture Task +----------------------------- + +#. Log in to the management console. + +#. In the navigation pane on the left, click |image1| and choose **Security** > **Cloud Firewall**. The **Dashboard** page will be displayed. + +#. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click **View** in the **Operation** column of a firewall to go to its details page. + +#. In the navigation tree on the left, choose **System Management** > **Packet Capture**. + +#. (Optional) Search for a task by task name or IP address. + + - Task name search supports fuzzy match. The input rules are as follows: + - To search by IP address, enter a single complete IP address, for example, 0.0.0.0. + +#. Check the packet capture task. For more information, see :ref:`Table 1 ` + + .. _cfw_01_0180__table1190315241617: + + .. table:: **Table 1** Packet capture task parameters + + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------+ + | Parameter Name | Description | + +===================================+===========================================================================================================================+ + | Task Name | Task name | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------+ + | Status | Task status. | + | | | + | | - **Running**: The packet capture command has been delivered and the task is in progress. | + | | - **Completed**: The packet capture result has been uploaded and the task is complete. 
| + | | - **Exception**: Packet capture data upload times out due to network problems, and some packet capture results are lost. | + | | | + | | .. note:: | + | | | + | | To retry a task, you can click **Copy** in its **Operation** column to create and execute it again. | + | | | + | | - **Stopping**: The task is being stopped and the packet capture result is being uploaded. | + | | - **Expired**: The packet capture result has been uploaded and the task has been manually stopped. | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------+ + | Protocol Type | Protocol type specified for packet capture. | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------+ + | IP Address | IP addresses specified for packet capture, including the source and destination addresses. | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------+ + | Port | Ports specified for packet capture, including the source and destination ports. | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------+ + | Max. Packets Captured | Maximum number of captured packets in the current task. | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------+ + | Packet Capture Time | Start time and end time of a packet capture task. | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------+ + | Capture Duration (min) | Duration of packet capture. 
| + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------+ + | Remaining Retention Period (Days) | Number of days for storing a packet capture task. The default value is 7. | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------+ + | Capture Size | Size of captured packets. | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------+ + +Related Operations +------------------ + +- To copy a task, click **Copy** in its **Operation** column. In the displayed dialog box, enter the task name and click **OK**. +- To stop a packet capture task, click **Stop** in its **Operation** column. +- To delete packet capture tasks, select them and click **Delete** above the list. +- :ref:`Creating a Packet Capture Task to Check the Network Status ` +- :ref:`Downloading Packet Capture Results ` + +.. |image1| image:: /_static/images/en-us_image_0000001259322747.png diff --git a/umn/source/viewing_cfw_protection_logs/querying_logs.rst b/umn/source/viewing_cfw_protection_logs/querying_logs.rst index c9e0b27..c5da69d 100644 --- a/umn/source/viewing_cfw_protection_logs/querying_logs.rst +++ b/umn/source/viewing_cfw_protection_logs/querying_logs.rst 
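Review bot: In viewing_a_packet_capture_task.rst, the **Expired** status is described as "the task has been manually stopped", which does not match the status name, and the table separately has a **Remaining Retention Period (Days)** column; check whether this description belongs to a stopped state and describe expiry in terms of the retention period. In the search step, "The input rules are as follows:" is followed by no rules for task names. The **Exception** status here is called an "abnormal task" in downloading_packet_capture_results.rst; use one term on both pages. The sentence "For more information, see Table 1" is missing its final period.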
@@ -40,46 +40,54 @@ Attack Event Logs .. table:: **Table 1** Attack event log parameters - +-----------------------------------+-----------------------------------------------------------------------------------------+ - | Parameter | Description | - +===================================+=========================================================================================+ - | Time | Time when an attack occurred. | - +-----------------------------------+-----------------------------------------------------------------------------------------+ - | Attack Type | Type of the attack event, including IMAP, DNS, FTP, HTTP, POP3, TCP, and UDP. | - +-----------------------------------+-----------------------------------------------------------------------------------------+ - | Severity | It can be **Critical**, **High**, **Medium**, or **Low**. | - +-----------------------------------+-----------------------------------------------------------------------------------------+ - | Rule ID | Rule ID | - +-----------------------------------+-----------------------------------------------------------------------------------------+ - | Rule Name | Matched rule in the library. | - +-----------------------------------+-----------------------------------------------------------------------------------------+ - | Source IP Address | Source IP address of an attack event. | - +-----------------------------------+-----------------------------------------------------------------------------------------+ - | Source Country/Region | Geographical location of the attack source IP address. | - +-----------------------------------+-----------------------------------------------------------------------------------------+ - | Source Port | Source port of an attack. | - +-----------------------------------+-----------------------------------------------------------------------------------------+ - | Destination IP Address | Attacked IP address. 
| - +-----------------------------------+-----------------------------------------------------------------------------------------+ - | Destination Country/Region | Geographical location of the attack target IP address. | - +-----------------------------------+-----------------------------------------------------------------------------------------+ - | Destination Port | Destination port of an attack. | - +-----------------------------------+-----------------------------------------------------------------------------------------+ - | Protocol | Protocol type of an attack. | - +-----------------------------------+-----------------------------------------------------------------------------------------+ - | Application | Application type of an attack. | - +-----------------------------------+-----------------------------------------------------------------------------------------+ - | Direction | It can be outbound or inbound. | - +-----------------------------------+-----------------------------------------------------------------------------------------+ - | Action | Action of the firewall. It can be: | - | | | - | | - **Allow** | - | | - **Block** | - | | - **Block IP** | - | | - **Discard** | - +-----------------------------------+-----------------------------------------------------------------------------------------+ - | Operation | You can click **Details** to view the basic information and attack payload of an event. 
| - +-----------------------------------+-----------------------------------------------------------------------------------------+ + +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Parameter | Description | + +===================================+==================================================================================================================================================================================================================================+ + | Time | Time when an attack occurred. | + +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Attack Type | Type of the attack event, including IMAP, DNS, FTP, HTTP, POP3, TCP, and UDP. | + +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Risk Level | It can be **Critical**, **High**, **Medium**, or **Low**. 
| + +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Rule ID | Rule ID | + +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Rule Name | Matched rule in the library. | + +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Source IP Address | Source IP address of an attack event. | + +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Tags | IP address type identifier. | + | | | + | | - Other tags: IP addresses that are not WAF back-to-source IP addresses. No special actions required. | + | | | + | | - **WAF back-to-source IP addresses**: **Source IP Address** is a WAF back-to-source IP address. If the **Action** of this record is **Block**, **Block IP**, or **Discard**, you need to manually set the action to **Allow**. | + | | | + | | Operation: Find the rule based on its ID. In the **Operation** column of the rule, click **Observe**. 
| + +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Source Country/Region | Geographical location of the attack source IP address. | + +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Source Port | Source port of an attack. | + +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Destination IP Address | Attacked IP address. | + +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Destination Country/Region | Geographical location of the attack target IP address. | + +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Destination Port | Destination port of an attack. | + +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Protocol | Protocol type of an attack. 
| + +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Application | Application type of an attack. | + +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Direction | It can be outbound or inbound. | + +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Action | Action of the firewall. It can be: | + | | | + | | - **Allow** | + | | - **Block** | + | | - **Block IP** | + | | - **Discard** | + +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Operation | You can click **View** to view the basic information and attack payload of an event. | + +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ .. _cfw_01_0139__section8485135919336: 
@@ -103,13 +111,13 @@ Access Control Logs +============================+================================================================================================================+ | Hit Time | Time of access. | +----------------------------+----------------------------------------------------------------------------------------------------------------+ - | Source IP | Source IP address of the access. | + | Source IP Address | Source IP address of the access. | +----------------------------+----------------------------------------------------------------------------------------------------------------+ | Source Country/Region | Geographical location of the source IP address. | +----------------------------+----------------------------------------------------------------------------------------------------------------+ | Source Port | Source port for access control. It can be a single port or consecutive port groups (example: **80-443**). | +----------------------------+----------------------------------------------------------------------------------------------------------------+ - | Destination IP | Destination IP address. | + | Destination IP Address | Destination IP address. | +----------------------------+----------------------------------------------------------------------------------------------------------------+ | Destination Host | Destination domain name | +----------------------------+----------------------------------------------------------------------------------------------------------------+ 
@@ -143,13 +151,13 @@ Traffic Logs +----------------------------+--------------------------------------------------------+ | End Time | Time when traffic protection ended. | +----------------------------+--------------------------------------------------------+ - | Source | Source IP address of the traffic | + | Source IP Address | Source IP address of the traffic | +----------------------------+--------------------------------------------------------+ | Source Country/Region | Geographical location of the access source IP address. | +----------------------------+--------------------------------------------------------+ | Source Port | Source port of the traffic. | +----------------------------+--------------------------------------------------------+ - | Destination IP | Destination IP address. | + | Destination IP Address | Destination IP address. | +----------------------------+--------------------------------------------------------+ | Destination Country/Region | Geographical location of the destination IP address. | +----------------------------+--------------------------------------------------------+ 
@@ -167,6 +175,18 @@ Related Operations Exporting logs: Click |image4| in the upper right corner to export the logs in the list. +Follow-up Operations +-------------------- + +- If improper blocking is recorded in access control logs, check whether your protection rules, blacklist, and whitelist configurations are correct. +- If improper blocking is recorded in attack event logs, your normal workloads may be blocked by IPS. + + - If the traffic from an IP address is improperly blocked, add it to the whitelist. + - If the traffic from multiple IP addresses is blocked, check logs to see whether it is blocked by a single rule or multiple rules. + + - Blocked by a single rule: Modify the protection action of the rule. For details, see :ref:`Modifying the Action of a Basic Protection Rule `. + - Blocked by multiple rules: Modify the protection mode. For details, see :ref:`Adjusting the IPS Protection Mode to Block Network Attacks `. + .. |image1| image:: /_static/images/en-us_image_0000001259322747.png .. |image2| image:: /_static/images/en-us_image_0000001259322747.png .. |image3| image:: /_static/images/en-us_image_0000001259322747.png diff --git a/umn/source/viewing_traffic_statistics/viewing_inbound_traffic.rst b/umn/source/viewing_traffic_statistics/viewing_inbound_traffic.rst index 4727cf8..400f347 100644 --- a/umn/source/viewing_traffic_statistics/viewing_inbound_traffic.rst +++ b/umn/source/viewing_traffic_statistics/viewing_inbound_traffic.rst 
@@ -28,19 +28,13 @@ Viewing Inbound Traffic .. table:: **Table 1** Value description - +-----------------------------------+-----------------------------------------------------------------------------+ - | Time Range | Value | - +===================================+=============================================================================+ - | Last 1 hour | Average value within every minute | - +-----------------------------------+-----------------------------------------------------------------------------+ - | Last 24 hours | Average value within every 5 minutes | - +-----------------------------------+-----------------------------------------------------------------------------+ - | Last 7 days | Average value within every hour | - +-----------------------------------+-----------------------------------------------------------------------------+ - | Custom | - 5 minutes to 6 hours: average value within every minute | - | | - 6 hours (included) to 3 days: average value within every 5 minutes | - | | - 3 (included) to 7 days (included): average value within every 30 minutes | - +-----------------------------------+-----------------------------------------------------------------------------+ + ============= ==================================== + Time Range Value + ============= ==================================== + Last 1 hour Average value within every minute + Last 24 hours Average value within every 5 minutes + Last 7 days Average value within every hour + ============= ==================================== - **Visualizations**: Top 5 items ranked by certain parameters regarding inbound traffic within a specified time range. For more information, see :ref:`Table 2 `. You can click a data record to view the traffic details. A maximum of 50 data records can be viewed. diff --git a/umn/source/viewing_traffic_statistics/viewing_inter-vpc_traffic.rst b/umn/source/viewing_traffic_statistics/viewing_inter-vpc_traffic.rst index 92d9a8e..bece851 100644 
--- a/umn/source/viewing_traffic_statistics/viewing_inter-vpc_traffic.rst +++ b/umn/source/viewing_traffic_statistics/viewing_inter-vpc_traffic.rst @@ -28,19 +28,13 @@ Viewing Inter-VPC Traffic .. table:: **Table 1** Value description - +-----------------------------------+-----------------------------------------------------------------------------+ - | Time Range | Value | - +===================================+=============================================================================+ - | Last 1 hour | Average value within every minute | - +-----------------------------------+-----------------------------------------------------------------------------+ - | Last 24 hours | Average value within every 5 minutes | - +-----------------------------------+-----------------------------------------------------------------------------+ - | Last 7 days | Average value within every hour | - +-----------------------------------+-----------------------------------------------------------------------------+ - | Custom | - 5 minutes to 6 hours: average value within every minute | - | | - 6 hours (included) to 3 days: average value within every 5 minutes | - | | - 3 (included) to 7 days (included): average value within every 30 minutes | - +-----------------------------------+-----------------------------------------------------------------------------+ + ============= ==================================== + Time Range Value + ============= ==================================== + Last 1 hour Average value within every minute + Last 24 hours Average value within every 5 minutes + Last 7 days Average value within every hour + ============= ==================================== - **Visualizations**: Top 5 items ranked by certain parameters regarding inter-VPC traffic within a specified time range. For more information, see :ref:`Table 2 `. You can click a data record to view the traffic details. A maximum of 50 data records can be viewed. 
diff --git a/umn/source/viewing_traffic_statistics/viewing_outbound_traffic.rst b/umn/source/viewing_traffic_statistics/viewing_outbound_traffic.rst index be0915b..6c42160 100644 --- a/umn/source/viewing_traffic_statistics/viewing_outbound_traffic.rst +++ b/umn/source/viewing_traffic_statistics/viewing_outbound_traffic.rst 
@@ -28,19 +28,13 @@ Viewing Outbound Traffic .. table:: **Table 1** Value description - +-----------------------------------+-----------------------------------------------------------------------------+ - | Time Range | Value | - +===================================+=============================================================================+ - | Last 1 hour | Average value within every minute | - +-----------------------------------+-----------------------------------------------------------------------------+ - | Last 24 hours | Average value within every 5 minutes | - +-----------------------------------+-----------------------------------------------------------------------------+ - | Last 7 days | Average value within every hour | - +-----------------------------------+-----------------------------------------------------------------------------+ - | Custom | - 5 minutes to 6 hours: average value within every minute | - | | - 6 hours (included) to 3 days: average value within every 5 minutes | - | | - 3 (included) to 7 days (included): average value within every 30 minutes | - +-----------------------------------+-----------------------------------------------------------------------------+ + ============= ==================================== + Time Range Value + ============= ==================================== + Last 1 hour Average value within every minute + Last 24 hours Average value within every 5 minutes + Last 7 days Average value within every hour + ============= ==================================== - **Visualizations**: Top 5 items ranked by certain parameters regarding outbound traffic within a specified time range. For more information, see :ref:`Table 2 `. You can click a data record to view the traffic details. A maximum of 50 data records can be viewed.
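Review bot: In the packet capture task parameter table (the added rows just before **Related Operations**), the name **Remaining Retention Period (Days)** and its description disagree. The description, "Number of days for storing a packet capture task. The default value is 7.", reads as a fixed total, while the name implies a countdown. State which it is and what happens to the task and its downloadable results when the period ends, since that decides how long capture data stays available for an investigation. **Capture Size** also needs a unit, and the last two **Related Operations** bullets are bare cross-references while the first three are instructions; give them the same "To ..., see ..." form.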
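Review bot: In the Attack Event Logs hunk of querying_logs.rst, the new **Tags** row contradicts itself: it tells the reader to "manually set the action to **Allow**" and then gives the operation as "In the **Operation** column of the rule, click **Observe**". **Allow** appears in this table only as a logged action value and Observe is not defined in it, so name the one control the reader should use and say what it does to matching traffic. The wording also suggests the change is made on the rule found by ID, which would affect every source that matches the rule and not only WAF back-to-source addresses; confirm the scope and state it, so that readers do not relax an IPS rule more widely than they intend. Smaller points in the same table: "Other tags" is not bold while the second tag is, and the **Rule ID** description only repeats the parameter name.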
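Review bot: In the Traffic Logs hunk, the renamed row "Source IP Address | Source IP address of the traffic" still lacks the closing period that the neighboring descriptions have; fix it while the line is being touched. The unchanged "Destination domain name" cell in the Access Control Logs hunk has the same problem and could be corrected in the same pass.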
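Review bot: In the new **Follow-up Operations** section of querying_logs.rst, the whitelist bullet ("If the traffic from an IP address is improperly blocked, add it to the whitelist.") has no cross-reference, unlike the two rule-level bullets below it, and no step for confirming that the block was a false positive. Add the link to the whitelist procedure and tell the reader to confirm from the attack event log entry (rule ID, source IP address, and the payload shown under **View**) that the traffic is legitimate, because a whitelist entry, a changed rule action, and a changed protection mode each reduce IPS coverage. The section also omits the WAF back-to-source case that the **Tags** row introduces in this same patch; link the two so the guidance is in one place.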
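Review bot: In the **Table 1** hunks of viewing_inbound_traffic.rst, viewing_inter-vpc_traffic.rst and viewing_outbound_traffic.rst, the **Custom** row is removed with no replacement, so the averaging interval for custom ranges (every minute, every 5 minutes, or every 30 minutes depending on the span) is no longer documented. If custom time ranges can still be selected, keep the row, since the interval determines whether a short traffic spike is visible in the chart or averaged away. The switch from a grid table to a simple table also departs from the grid tables kept in querying_logs.rst in this patch; use one table style throughout unless the change is intentional.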