forked from docs/cloud-firewall
Update content
This commit is contained in:
parent
123a48b708
commit
641b5a4ef0
@ -1,6 +1,6 @@
|
||||
:original_name: cfw_01_0277.html
|
||||
:original_name: cfw_01_0200.html
|
||||
|
||||
.. _cfw_01_0277:
|
||||
.. _cfw_01_0200:
|
||||
|
||||
Attack Defense Overview
|
||||
=======================
|
||||
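Review bot: renaming the page anchor from cfw_01_0277 to cfw_01_0200 (and the matching `:original_name:`) invalidates every existing `:ref:` and external link to the old ID. The hunks below update the references in the blocking-network-attacks page and the attack defense index, but the Change History entry added in this commit does not mention the rename, and any saved link to cfw_01_0277.html breaks unless a redirect is kept; consider either documenting the rename in the history table or keeping a redirect for the old name.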
@ -10,13 +10,12 @@ CFW can defend against network attacks and virus files. You are advised to set *
|
||||
Prerequisites
|
||||
-------------
|
||||
|
||||
Traffic protection has been enabled.
|
||||
At least one type of traffic protection has been enabled.
|
||||
|
||||
- For details about how to enable EIP traffic protection, see :ref:`Enabling Internet Border Traffic Protection <cfw_01_0031>`.
|
||||
- For details about how to enable VPC traffic protection, see :ref:`Enabling VPC Border Traffic Protection <cfw_01_0078>`.
|
||||
- For details about how to enable traffic protection for private IP addresses, see :ref:`Enabling NAT Gateway Traffic Protection <cfw_01_0266>`.
|
||||
|
||||
.. _cfw_01_0277__section19642352202214:
|
||||
.. _cfw_01_0200__section19642352202214:
|
||||
|
||||
Defense Against Network Attacks and Virus Files
|
||||
-----------------------------------------------
|
||||
@ -34,9 +33,9 @@ The following methods can be used:
|
||||
- **Intercept mode - moderate**: The protection granularity is medium. This mode meets protection requirements in most scenarios.
|
||||
- **Intercept mode - strict**: The protection granularity is fine-grained, and all attack requests are intercepted.
|
||||
|
||||
- IPS provides multiple types of rule libraries. For details, see :ref:`Table 1 <cfw_01_0277__table1655118365215>`. Different rules are enabled for different interception modes. For details, see :ref:`Default Actions of Rule Groups in Different Protection Modes <cfw_01_0168__section875111419156>`.
|
||||
- IPS provides multiple types of rule libraries. For details, see :ref:`Table 1 <cfw_01_0200__table1655118365215>`. Different rules are enabled for different interception modes. For details, see :ref:`Default Actions of Rule Groups in Different Protection Modes <cfw_01_0168__section875111419156>`.
|
||||
|
||||
.. _cfw_01_0277__table1655118365215:
|
||||
.. _cfw_01_0200__table1655118365215:
|
||||
|
||||
.. table:: **Table 1** Intrusion prevention rule libraries
|
||||
|
||||
|
@ -5,7 +5,7 @@
|
||||
Blocking Network Attacks
|
||||
========================
|
||||
|
||||
CFW provides :ref:`attack defense <cfw_01_0277__section19642352202214>` to help you detect common network attacks.
|
||||
CFW provides :ref:`attack defense <cfw_01_0200__section19642352202214>` to help you detect common network attacks.
|
||||
|
||||
.. _cfw_01_0032__section385820543273:
|
||||
|
||||
@ -39,7 +39,7 @@ Enabling Sensitive Directory Scan Defense
|
||||
#. In the navigation pane on the left, click |image2| and choose **Security** > **Cloud Firewall**. The **Dashboard** page will be displayed.
|
||||
#. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click **View** in the **Operation** column of a firewall to go to its details page.
|
||||
#. In the navigation pane, choose **Attack Defense** > **Intrusion Prevention**.
|
||||
#. In the **Sensitive Directory Scan Defense** area, click |image3| to enable protection.
|
||||
#. Click **Advanced**. In the **Sensitive Directory Scan Defense** area, click |image3| to enable protection.
|
||||
|
||||
- **Action**:
|
||||
|
||||
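Review bot: the new step "Click **Advanced**. In the **Sensitive Directory Scan Defense** area, click |image3| to enable protection." does not say where on the **Intrusion Prevention** page the **Advanced** control is, so the step cannot be followed without guessing; state its location in the same way the earlier steps name the navigation pane and the **Operation** column. The same applies to the parallel change in the reverse shell defense procedure.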
@ -59,7 +59,7 @@ Enabling Reverse Shell Defense
|
||||
#. In the navigation pane on the left, click |image4| and choose **Security** > **Cloud Firewall**. The **Dashboard** page will be displayed.
|
||||
#. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click **View** in the **Operation** column of a firewall to go to its details page.
|
||||
#. In the navigation pane, choose **Attack Defense** > **Intrusion Prevention**.
|
||||
#. In the **Reverse Shell Defense** module, click |image5| to enable defense.
|
||||
#. Click **Advanced**. In the **Reverse Shell Defense** module, click |image5| to enable defense.
|
||||
|
||||
- **Action**:
|
||||
|
||||
|
@ -5,7 +5,7 @@
|
||||
Attack Defense
|
||||
==============
|
||||
|
||||
- :ref:`Attack Defense Overview <cfw_01_0277>`
|
||||
- :ref:`Attack Defense Overview <cfw_01_0200>`
|
||||
- :ref:`Blocking Network Attacks <cfw_01_0032>`
|
||||
- :ref:`Blocking Virus-infected Files <cfw_01_0195>`
|
||||
- :ref:`Viewing Attack Defense Information on the Dashboard <cfw_01_0228>`
|
||||
|
@ -8,6 +8,12 @@ Change History
|
||||
+-----------------------------------+------------------------------------------------------------------------------------------+
|
||||
| Date | Description |
|
||||
+===================================+==========================================================================================+
|
||||
| 2024-09-19 | This is the fourth official release. |
|
||||
| | |
|
||||
| | Added: |
|
||||
| | |
|
||||
| | - Advanced settings in :ref:`Blocking Network Attacks <cfw_01_0032>`. |
|
||||
+-----------------------------------+------------------------------------------------------------------------------------------+
|
||||
| 2024-07-29 | This is the third official release. |
|
||||
| | |
|
||||
| | Optimized: |
|
||||
|
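Review bot: the new 2024-09-19 entry lists only "Advanced settings in Blocking Network Attacks", but this commit also adds the new Access Control Policy Overview page (cfw_01_0262), changes the blacklist/whitelist navigation to a per-protected-object tab, renames the cfw_01_0277 and cfw_01_0062 anchors, drops the traffic topology from the dashboard description, removes the Supported Protected Objects list from the VPC border firewall overview, and adds the typed **DELETE** confirmation when deleting IP address groups and service groups; list these under Added, Modified and Deleted so readers can see what changed in the release.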
@ -5,7 +5,7 @@
|
||||
Checking the Dashboard
|
||||
======================
|
||||
|
||||
On the **Dashboard** page, you can view the basic information, overall protection capabilities, statistics, and traffic topology of firewall instances to learn about the security status and traffic of cloud assets at any time.
|
||||
On the **Dashboard** page, you can view the basic information, overall protection capabilities, and statistics of firewall instances to learn about the security status and traffic of cloud assets at any time.
|
||||
|
||||
Constraints
|
||||
-----------
|
||||
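Review bot: removing "and traffic topology" from the Dashboard introduction only changes the summary sentence; check that the sections or table rows further down this page that describe the traffic topology are removed in the same commit, otherwise the page introduction and its body disagree about what the dashboard shows.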
@ -117,7 +117,7 @@ Checking the Dashboard
|
||||
|
||||
.. _cfw_01_0009__table184404359171:
|
||||
|
||||
.. table:: **Table 4**
|
||||
.. table:: **Table 4** Operations Dashboard
|
||||
|
||||
+-----------------------+-------------------------------------------------------------------+
|
||||
| Parameter | Description |
|
||||
|
@ -16,6 +16,8 @@
|
||||
|
||||
import os
|
||||
import sys
|
||||
from git import Repo
|
||||
from datetime import datetime
|
||||
|
||||
extensions = [
|
||||
'otcdocstheme',
|
||||
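Review bot: `from datetime import datetime` is added but nothing in the visible changes uses it (the timestamp is produced by `commit.committed_datetime.strftime(...)`), so it should be dropped or its use shown. Also, `from git import Repo` introduces GitPython as a build dependency; make sure it is declared in the documentation build requirements, otherwise the import fails on a clean build host.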
@ -115,3 +117,9 @@ latex_documents = [
|
||||
u'Cloud Firewall - User Guide',
|
||||
u'OpenTelekomCloud', 'manual'),
|
||||
]
|
||||
|
||||
# Get the Git commit values for last updated timestamp on each page
|
||||
repo = Repo(search_parent_directories=True)
|
||||
commit = repo.head.commit
|
||||
current_commit_hash = commit.hexsha
|
||||
current_commit_time = commit.committed_datetime.strftime('%Y-%m-%d %H:%M')
|
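Review bot: `repo = Repo(search_parent_directories=True)` runs at import time of conf.py and raises `git.exc.InvalidGitRepositoryError` when the docs are built from a source archive or any checkout without a `.git` directory, which aborts the whole Sphinx build. Wrap the lookup in a `try`/`except` and fall back to an empty hash and a build-time timestamp, so the last-updated footer degrades gracefully instead of breaking the build.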
@ -0,0 +1,76 @@
|
||||
:original_name: cfw_01_0262.html
|
||||
|
||||
.. _cfw_01_0262:
|
||||
|
||||
Access Control Policy Overview
|
||||
==============================
|
||||
|
||||
After protection is enabled, CFW access control policies allow all traffic by default. Proper access control policies help you implement refined management and control on traffic between internal servers and the Internet, prevent internal threats from spreading, and enhance in-depth security.
|
||||
|
||||
Access Control Policy Types
|
||||
---------------------------
|
||||
|
||||
Access control policies are classified into protection rules and blacklist/whitelist. :ref:`Differences between protection rules and blacklist/whitelist <cfw_01_0262__table1185931821515>` shows more details. If traffic hits a policy, the action of the policy will be taken.
|
||||
|
||||
.. _cfw_01_0262__table1185931821515:
|
||||
|
||||
.. table:: **Table 1** Differences between protection rules and blacklist/whitelist
|
||||
|
||||
+------------------+----------------------------------------+-----------------------+-------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------+
|
||||
| Type | Protected Object | Network Type | Action | Configuration Method |
|
||||
+==================+========================================+=======================+=====================================================================================================================================+====================================================================================+
|
||||
| Protection rules | - 5-tuple | - EIP | - If **Block** is selected, traffic will be blocked. | :ref:`Adding Protection Rules to Block or Allow Traffic <cfw_01_0030>` |
|
||||
| | - IP address groups | - Private IP address | - If **Allow** is selected, traffic will be allowed by protection rules and then checked by the intrusion prevention system (IPS). | |
|
||||
| | - Geographical locations | | | |
|
||||
| | - Domain names and domain name groups | | | |
|
||||
+------------------+----------------------------------------+-----------------------+-------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------+
|
||||
| Blacklist | - 5-tuple | | Traffic is blocked directly. | :ref:`Adding Blacklist or Whitelist Items to Block or Allow Traffic <cfw_01_0065>` |
|
||||
| | - IP address groups | | | |
|
||||
+------------------+----------------------------------------+-----------------------+-------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------+
|
||||
| Whitelist | | | Traffic is allowed by CFW and not checked by other functions. | |
|
||||
+------------------+----------------------------------------+-----------------------+-------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------+
|
||||
|
||||
Specification Limitations
|
||||
-------------------------
|
||||
|
||||
To enable VPC border protection and NAT protection, use the CFW professional edition and enable :ref:`VPC firewall <cfw_01_0078>` protection.
|
||||
|
||||
Precautions for Configuring a Blocking Policy
|
||||
---------------------------------------------
|
||||
|
||||
The precautions for configuring a protection rule or a blacklist item for blocking IP addresses are as follows:
|
||||
|
||||
#. You are advised to preferentially configure specific IP addresses (for example, 192.168.10.5) to reduce network segment configurations and avoid improper blocking.
|
||||
#. Exercise caution when configuring protection rules to block reverse proxy IP addresses, such as the WAF back-to-source IP addresses. You are advised to configure protection rules or whitelist to permit reverse proxy IP addresses.
|
||||
#. Blocking forward proxy IP addresses (such as company egress IP addresses) can have a large impact. Exercise caution when configuring protection rules to block forward proxy IP addresses.
|
||||
#. When configuring region protection, take possible EIP changes into consideration.
|
||||
|
||||
Wildcard Rule
|
||||
-------------
|
||||
|
||||
+-------------------------------------------+-----------------------+---------------------------------------------------------------------------------+
|
||||
| Parameter | Input | Description |
|
||||
+===========================================+=======================+=================================================================================+
|
||||
| Source/Destination | 0.0.0.0/0 | All IP addresses |
|
||||
+-------------------------------------------+-----------------------+---------------------------------------------------------------------------------+
|
||||
| Domain name | www.example.com | Domain name www.example.com |
|
||||
+-------------------------------------------+-----------------------+---------------------------------------------------------------------------------+
|
||||
| Domain name | \*.example.com | All domain names ending with **example.com**, for example, **test.example.com** |
|
||||
+-------------------------------------------+-----------------------+---------------------------------------------------------------------------------+
|
||||
| Service - Source port or destination port | 1-65535 | All ports |
|
||||
+-------------------------------------------+-----------------------+---------------------------------------------------------------------------------+
|
||||
| Service - Source port or destination port | 80-443 | All ports in the range 80 to 443 |
|
||||
+-------------------------------------------+-----------------------+---------------------------------------------------------------------------------+
|
||||
| Service - Source port or destination port | - 80 | Ports 80 and 443 |
|
||||
| | - 443 | |
|
||||
+-------------------------------------------+-----------------------+---------------------------------------------------------------------------------+
|
||||
|
||||
References
|
||||
----------
|
||||
|
||||
- For details about how to add a single rule to protect traffic, see :ref:`Adding Protection Rules to Block or Allow Traffic <cfw_01_0030>`. For details about how to add a single blacklist or whitelist item to protect traffic, see :ref:`Adding Blacklist or Whitelist Items to Block or Allow Traffic <cfw_01_0065>`.
|
||||
- For details about how to add protection policies in batches, see :ref:`Importing and Exporting Protection Policies <cfw_01_0129>`.
|
||||
- Follow-up operations after adding a policy:
|
||||
|
||||
- Policy hits: For details about the protection overview, see :ref:`Viewing Protection Information Using the Policy Assistant <cfw_01_0226>`. For details about logs, see :ref:`Access Control Logs <cfw_01_0139__section8485135919336>`.
|
||||
- For details about the traffic trend and statistics, see :ref:`Viewing Traffic Statistics <cfw_01_0011>`. For details about traffic records, see :ref:`Traffic Logs <cfw_01_0139__section8581131111344>`.
|
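Review bot: the Whitelist row of Table 1 says whitelisted traffic is "allowed by CFW and not checked by other functions", but the Precautions section only warns about blocking; add a precaution that a whitelist item bypasses IPS and antivirus inspection entirely and should therefore be scoped as narrowly as the 5-tuple allows (the wildcard `0.0.0.0/0` from the Wildcard Rule table should not be used in a whitelist). Two smaller points in the same file: the Blacklist row leaves the Network Type cell empty while the Protection rules row fills it, and the `\*.example.com` row should state whether the bare domain `example.com` is matched as well as its subdomains.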
@ -7,6 +7,8 @@ Adding Blacklist or Whitelist Items to Block or Allow Traffic
|
||||
|
||||
After protection is enabled, CFW allows all traffic by default. You can configure the blacklist to block access requests from IP addresses or configure the whitelist to allow them.
|
||||
|
||||
This topic describes how to add a single blacklist or whitelist item. For details about how to add items in batches, see :ref:`Importing and Exporting Protection Policies <cfw_01_0129>`.
|
||||
|
||||
.. caution::
|
||||
|
||||
If your IP address is a back-to-source WAF IP address, you are advised to configure a protection rule or the whitelist to allow its access. Exercise caution when configuring the blacklist, which may affect your services.
|
||||
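Review bot: in the new caution, "If your IP address is a back-to-source WAF IP address" reads as if the reader's own address were the WAF's; the sentence is about an address being blacklisted, so "If the IP address is a WAF back-to-source IP address, configure a protection rule or whitelist item to allow it" says what is meant. The second sentence also leaves it implicit that blacklisting such an address cuts off traffic that WAF forwards to the backend, which is the actual service impact worth spelling out.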
@ -38,7 +40,7 @@ Adding Blacklist or Whitelist Items to Block or Allow Traffic
|
||||
|
||||
#. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click **View** in the **Operation** column of a firewall to go to its details page.
|
||||
|
||||
#. In the navigation pane, choose **Access Control** > **Access Policies**. Click the **Blacklist** or **Whitelist** tab.
|
||||
#. In the navigation pane, choose **Access Control** > **Access Policies**. Click the tab of a protected object, and then click the **Blacklist** or **Whitelist** tab.
|
||||
|
||||
#. Click **Add**. Set the address direction, IP address, protocol type, and port number. For details, see :ref:`Table 1 <cfw_01_0065__table12707131818297>`.
|
||||
|
||||
@ -80,6 +82,7 @@ Adding Blacklist or Whitelist Items to Block or Allow Traffic
|
||||
Related Operations
|
||||
------------------
|
||||
|
||||
For details about how to edit and remove blacklist or whitelist items, see :ref:`Managing the Blacklist and the Whitelist <cfw_01_0035>`.
|
||||
- For details about how to edit and remove blacklist or whitelist items, see :ref:`Managing the Blacklist and the Whitelist <cfw_01_0035>`.
|
||||
- For details about how to add blacklist or whitelist items in batches, see :ref:`Importing and Exporting Protection Policies <cfw_01_0129>`.
|
||||
|
||||
.. |image1| image:: /_static/images/en-us_image_0000001259322747.png
|
||||
|
@ -5,22 +5,24 @@
|
||||
Configuring Access Control Policies to Control Traffic
|
||||
======================================================
|
||||
|
||||
- :ref:`Access Control Policy Overview <cfw_01_0262>`
|
||||
- :ref:`Configuring Protection Rules to Block or Allow Traffic <cfw_01_0271>`
|
||||
- :ref:`Adding Blacklist or Whitelist Items to Block or Allow Traffic <cfw_01_0065>`
|
||||
- :ref:`Viewing Protection Information Using the Policy Assistant <cfw_01_0226>`
|
||||
- :ref:`Managing Access Control Policies <cfw_01_0227>`
|
||||
- :ref:`Managing IP Address Groups <cfw_01_0036>`
|
||||
- :ref:`Service Group Management <cfw_01_0037>`
|
||||
- :ref:`Domain Name Management <cfw_01_0182>`
|
||||
- :ref:`Service Group Management <cfw_01_0037>`
|
||||
|
||||
.. toctree::
|
||||
:maxdepth: 1
|
||||
:hidden:
|
||||
|
||||
access_control_policy_overview
|
||||
configuring_protection_rules_to_block_or_allow_traffic/index
|
||||
adding_blacklist_or_whitelist_items_to_block_or_allow_traffic
|
||||
viewing_protection_information_using_the_policy_assistant
|
||||
managing_access_control_policies/index
|
||||
managing_ip_address_groups/index
|
||||
service_group_management/index
|
||||
domain_name_management/index
|
||||
service_group_management/index
|
||||
|
@ -7,7 +7,7 @@ Managing Access Control Policies
|
||||
|
||||
- :ref:`Importing and Exporting Protection Policies <cfw_01_0129>`
|
||||
- :ref:`Adjusting the Priority of a Protection Rule <cfw_01_0063>`
|
||||
- :ref:`Managing Protection Rules <cfw_01_0062>`
|
||||
- :ref:`Managing Protection Rules <cfw_01_0061>`
|
||||
- :ref:`Managing the Blacklist and the Whitelist <cfw_01_0035>`
|
||||
|
||||
.. toctree::
|
||||
|
@ -1,6 +1,6 @@
|
||||
:original_name: cfw_01_0062.html
|
||||
:original_name: cfw_01_0061.html
|
||||
|
||||
.. _cfw_01_0062:
|
||||
.. _cfw_01_0061:
|
||||
|
||||
Managing Protection Rules
|
||||
=========================
|
||||
|
@ -18,7 +18,7 @@ Editing the Blacklist or Whitelist
|
||||
|
||||
#. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click **View** in the **Operation** column of a firewall to go to its details page.
|
||||
|
||||
#. In the navigation pane, choose **Access Control** > **Access Policies**. Click the **Blacklist** or **Whitelist** tab.
|
||||
#. In the navigation pane, choose **Access Control** > **Access Policies**. Click the tab of a protected object, and then click the **Blacklist** or **Whitelist** tab.
|
||||
|
||||
#. In the row containing the desired rule, click **Edit** in the **Operation** column.
|
||||
|
||||
@ -65,7 +65,7 @@ Removing a Blacklisted or Whitelisted Item
|
||||
#. Log in to the management console.
|
||||
#. In the navigation pane on the left, click |image2| and choose **Security** > **Cloud Firewall**. The **Dashboard** page will be displayed.
|
||||
#. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click **View** in the **Operation** column of a firewall to go to its details page.
|
||||
#. In the navigation pane, choose **Access Control** > **Access Policies**. Click the **Blacklist** or **Whitelist** tab.
|
||||
#. In the navigation pane, choose **Access Control** > **Access Policies**. Click the tab of a protected object, and then click the **Blacklist** or **Whitelist** tab.
|
||||
#. In the row of an IP address, click **Delete** in the **Operation** column.
|
||||
#. In the **Remove from Blacklist** or **Remove from Whitelist** dialog box, click **OK**.
|
||||
|
||||
|
@ -25,7 +25,7 @@ Adding Custom Address Groups
|
||||
|
||||
#. In the navigation pane, choose **Access Control** > **IP Address Groups**.
|
||||
|
||||
#. Click **Add IP Address Group** and configure parametersin the **Basic Information** area. For more information, see :ref:`IP address group parameters <cfw_01_0068__table12707131818297>`.
|
||||
#. Click **Add IP Address Group** and configure parameters in the **Basic Information** area. For more information, see :ref:`IP address group parameters <cfw_01_0068__table12707131818297>`.
|
||||
|
||||
.. _cfw_01_0068__table12707131818297:
|
||||
|
||||
@ -58,13 +58,12 @@ Adding an IP Address
|
||||
#. In the navigation pane on the left, click |image2| and choose **Security** > **Cloud Firewall**. The **Dashboard** page will be displayed.
|
||||
#. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click **View** in the **Operation** column of a firewall to go to its details page.
|
||||
#. In the navigation pane, choose **Access Control** > **IP Address Groups**.
|
||||
#. Click the name of an IP address group. The **Basic Information** and **IP Addresses** areas are displayed..
|
||||
#. Click the name of an IP address group. The **Basic Information** and **IP Addresses** areas are displayed.
|
||||
#. Click **Add IP Address** under the IP address list.
|
||||
|
||||
- To add IP addresses in batches, enter the IP addresses in the text box and click **Parse**.
|
||||
- To add a single IP address, click **Add**, and enter the IP address and description.
|
||||
|
||||
#. You can click |image3| to add more IP addresses.
|
||||
#. Confirm the information and click **OK**.
|
||||
|
||||
Related Operations
|
||||
@ -79,4 +78,3 @@ An IP address group takes effect only after it is set in a protection rule. For
|
||||
|
||||
.. |image1| image:: /_static/images/en-us_image_0000001259322747.png
|
||||
.. |image2| image:: /_static/images/en-us_image_0000001259322747.png
|
||||
.. |image3| image:: /_static/images/en-us_image_0000001988385489.png
|
||||
|
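Review bot: with the step that used |image3| removed in the previous hunk and the `.. |image3| image::` substitution definition removed here, confirm that no other `|image3|` reference remains in this file; Sphinx reports an undefined substitution reference as an error, and the two removals must stay together.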
@ -21,7 +21,7 @@ Deleting IP Address Groups
|
||||
#. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click **View** in the **Operation** column of a firewall to go to its details page.
|
||||
#. In the navigation pane, choose **Access Control** > **IP Address Groups**.
|
||||
#. In the **Operation** column of an IP address group, click **Delete**.
|
||||
#. In the **Delete IP Address Group** dialog box, click **OK**.
|
||||
#. In the displayed dialog box, confirm the information, enter **DELETE**, and click **OK**.
|
||||
|
||||
.. warning::
|
||||
|
||||
|
@ -23,7 +23,7 @@ Deleting a Service Group
|
||||
#. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click **View** in the **Operation** column of a firewall to go to its details page.
|
||||
#. In the navigation pane, choose **Access Control** > **Service Groups**.
|
||||
#. In the **Operation** column of a service group, click **Delete**.
|
||||
#. In the displayed dialog box, confirm the deletion information and click **OK**.
|
||||
#. In the displayed dialog box, confirm the information, enter **DELETE**, and click **OK**.
|
||||
|
||||
.. warning::
|
||||
|
||||
|
@ -15,7 +15,7 @@ The current account has the BSS Administrator and CFW FullAccess permissions.
|
||||
Constraints
|
||||
-----------
|
||||
|
||||
- CFW can be used only in the region where it was purchased. To use CFW in another region, switch to that region and purchase it.
|
||||
- CFW can be used only in the region where it was created. To use CFW in another region, switch to that region and create it.
|
||||
|
||||
Creating a Pay-per-Use Professional CFW
|
||||
---------------------------------------
|
||||
@ -30,33 +30,27 @@ Creating a Pay-per-Use Professional CFW
|
||||
|
||||
.. table:: **Table 1** Parameters for creating CFW
|
||||
|
||||
+-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
||||
| Parameter | Description |
|
||||
+===================================+=================================================================================================================================================================================================================================+
|
||||
| Billing Mode | **Pay-per-use** indicates that you will be charged for the protection on your workloads. |
|
||||
+-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
||||
| Region | Region where the CFW is to be purchased. |
|
||||
+-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
||||
| Edition | Currently, only the professional edition is supported. |
|
||||
+-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
||||
| Firewall Name | Firewall name. |
|
||||
| | |
|
||||
| | It must meet the following requirements: |
|
||||
| | |
|
||||
| | - Only letters (A to Z and a to z), numbers (0 to 9), spaces, and the following characters are allowed: -\_ |
|
||||
| | - The value can contain 1 to 48 characters. |
|
||||
+-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
||||
| Enterprise Project | Select the enterprise project to which you belong from the drop-down list. The purchased CFW then belongs to that enterprise project and protects all resources in that project. |
|
||||
| | |
|
||||
| | This option is only available if you have logged in using an enterprise account, or if you have enabled enterprise projects. You can use an enterprise project to centrally manage your cloud resources and members by project. |
|
||||
| | |
|
||||
| | .. note:: |
|
||||
| | |
|
||||
| | Value **default** indicates the default enterprise project. Resources that are not allocated to any enterprise projects under your account are displayed in the default enterprise project. |
|
||||
+-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
||||
| Tags | It is recommended that you use the TMS predefined tag function to add the same tag to different cloud resources. |
|
||||
+-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|
||||
+-----------------------------------+------------------------------------------------------------------------------------------------------------------+
|
||||
| Parameter | Description |
|
||||
+===================================+==================================================================================================================+
|
||||
| Billing Mode | **Pay-per-use** indicates that you will be charged for the protection on your workloads. |
|
||||
+-----------------------------------+------------------------------------------------------------------------------------------------------------------+
|
||||
| Region | Region where the CFW is to be purchased. |
|
||||
+-----------------------------------+------------------------------------------------------------------------------------------------------------------+
|
||||
| Edition | Currently, only the professional edition is supported. |
|
||||
+-----------------------------------+------------------------------------------------------------------------------------------------------------------+
|
||||
| Firewall Name | Firewall name. |
|
||||
| | |
|
||||
| | It must meet the following requirements: |
|
||||
| | |
|
||||
| | - Only letters (A to Z and a to z), numbers (0 to 9), spaces, and the following characters are allowed: -\_ |
|
||||
| | - The value can contain 1 to 48 characters. |
|
||||
+-----------------------------------+------------------------------------------------------------------------------------------------------------------+
|
||||
| Enterprise Project | |
|
||||
+-----------------------------------+------------------------------------------------------------------------------------------------------------------+
|
||||
| Tags | It is recommended that you use the TMS predefined tag function to add the same tag to different cloud resources. |
|
||||
+-----------------------------------+------------------------------------------------------------------------------------------------------------------+
|
||||
|
||||
#. Confirm the purchase information and click **Create Firewall**.
|
||||
#. Confirm the information and click **Create Firewall**.
|
||||
|
||||
.. |image1| image:: /_static/images/en-us_image_0000001259322747.png
|
||||
|
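Review bot: the rewritten Table 1 leaves the Enterprise Project description cell empty (`| Enterprise Project | |`), which renders as a parameter with no explanation; either restore a short description or drop the row. The Region row also still says "Region where the CFW is to be purchased" and the Enterprise Project text that was removed said "The purchased CFW", while the constraint above and the final step in this hunk were changed from "purchased" to "created"; use one term throughout the page.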
@ -66,8 +66,15 @@ After protection is enabled, all traffic is allowed by default. CFW will block t
|
||||
|
||||
- To implement traffic control, configure a protection policy. For details, see :ref:`Adding an Internet Boundary Protection Rule <cfw_01_0030__section8135741192619>` or :ref:`Adding Blacklist or Whitelist Items to Block or Allow Traffic <cfw_01_0065>`.
|
||||
|
||||
- Allow or block traffic based on protection rules. Allowed traffic will be checked by IPS and antivirus functions.
|
||||
- Allow or block traffic based on the blacklist and whitelist. Traffic allowed or blocked in this way will not be checked by other functions.
|
||||
- Allow or block traffic based on protection rules.
|
||||
|
||||
- Traffic allowing rule: The allowed traffic will be checked by functions such as intrusion prevention system (IPS) and antivirus.
|
||||
- Traffic blocking rule: Traffic will be directly blocked.
|
||||
|
||||
- Allow or block traffic based on the blacklist and whitelist:
|
||||
|
||||
- Whitelist: Traffic will be directly allowed without being checked by other functions.
|
||||
- Blacklist: Traffic will be directly blocked.
|
||||
|
||||
- For details about how to block network attacks, see :ref:`Blocking Network Attacks <cfw_01_0032>`.
|
||||
|
||||
|
@ -7,15 +7,6 @@ VPC Border Firewall Overview
The VPC border firewall supports access control for communication traffic between VPCs, visualizing and protecting internal service access.
Supported Protected Objects
---------------------------
- VPC
- Virtual gateway (VGW) attachment
- VPN gateway
- Enterprise Connect Network (ECN)
- Global DC gateways (DGW)
Association Modes
-----------------
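Review bot: This hunk shrinks the section from 15 lines to 6, and the "Supported Protected Objects" block (VPC, VGW attachment, VPN gateway, ECN, DGW) is the only visible content large enough to account for that. If that list is what is being removed, add a :ref: from the overview to wherever the supported objects are now documented; a reader deciding what to attach to a VPC border firewall needs the list, and the overview is where they will look for it first.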
@ -5,6 +5,8 @@
Configuring VPC Route
=====================
Configure routes on the VPC side.
Procedure
---------
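Review bot: The introduction "Configure routes on the VPC side." does not say what the route is for. The Constraints hunk in this same commit refers to "the route pointing to the firewall", so state here that the route sends the VPC's traffic to the firewall as next hop; without that, the reader cannot tell which route to add or why the Constraints page asks them to delete it before disassociating.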
@ -35,9 +35,4 @@ Procedure
#. Click **OK**.
Related Operations
------------------
Unsubscription: To unsubscribe from a VPC border firewall, you must unsubscribe from the CFW instance associated with it.
.. |image1| image:: /_static/images/en-us_image_0000001259322747.png
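Review bot: Five lines are dropped in this hunk and the "Related Operations" block with its Unsubscription sentence is the only visible candidate. If that is the removed text, the constraint that unsubscribing from a VPC border firewall requires unsubscribing from the associated CFW instance should survive somewhere, for example under the Constraints section of the same page, because it changes what a user can delete and in what order.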
@ -12,7 +12,7 @@ If a VPC does not need to be protected, you can disassociate the VPC from the fi
Constraints
-----------
Before disassociating a protected VPC from a cloud firewall, delete the route pointing to the cloud firewall in :ref:`Configuring VPC Route <cfw_01_0204>`.
Before disassociating a protected VPC from a firewall, delete the route pointing to the firewall in :ref:`Configuring VPC Route <cfw_01_0204>`.
.. _cfw_01_0203__section8154163010584:
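Review bot: The rewritten constraint gives the order (delete the route, then disassociate) but not the consequence of skipping it. Add a sentence after "delete the route pointing to the firewall in :ref:`Configuring VPC Route <cfw_01_0204>`." that says what happens to the VPC's traffic if the route still points at the firewall after disassociation, so the reader treats the order as mandatory rather than as a tidiness suggestion.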
@ -79,7 +79,7 @@ Disassociating a Protected VPC from a Firewall
Follow-up Operations
--------------------
After a VPC is added, perform the operations in :ref:`Configuring VPC Route <cfw_01_0204>`.
After VPCs are associated, perform the operations in :ref:`Configuring VPC Route <cfw_01_0204>` to add routes.
.. |image1| image:: /_static/images/en-us_image_0000001259322747.png
.. |image2| image:: /_static/images/en-us_image_0000001625198857.png
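Review bot: The hunk context shows "Follow-up Operations" sitting under the heading "Disassociating a Protected VPC from a Firewall", yet the rewritten line only covers what to do after VPCs are associated. Either the section belongs under the association procedure, or the line should also cover the disassociation case (the Constraints hunk above says the route must be deleted before disassociating); as written a reader who just disassociated a VPC is told to add routes.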
@ -5,4 +5,4 @@
How Does CFW Control Access?
============================
CFW allows you to configure ACL policies based on a 5-tuple, IP address group, service group, domain name, blacklist, and whitelist. You can also configure ACL policies based on the intrusion prevention system (IPS). The IPS can works in observation or block mode. In block mode, the firewall detects and blocks traffic that matches the IPS rules.
CFW allows you to configure ACL policies based on a 5-tuple, IP address group, service group, domain name, blacklist, and whitelist. You can also configure ACL policies based on the intrusion prevention system (IPS). The IPS can work in observation or block mode. In block mode, the firewall detects and blocks traffic that matches the IPS rules.
@ -10,7 +10,6 @@ Cloud Firewall - User Guide
creating_a_pay-per-use_cfw
enabling_internet_border_traffic_protection
enabling_vpc_border_traffic_protection/index
enabling_nat_gateway_traffic_protection
configuring_access_control_policies_to_control_traffic/index
attack_defense/index
viewing_traffic_statistics/index
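Review bot: One toctree entry is removed here (7 lines become 6) and the rendered view does not mark which. Whichever file it is, make sure the corresponding .rst is deleted or still reachable from another toctree, otherwise Sphinx emits a "document isn't included in any toctree" warning and the page becomes an orphan that is still built and still indexed by search.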
@ -26,12 +26,12 @@ Protected bandwidth at the VPC border: the maximum total traffic of all VPCs pro
Internet Border Firewall
------------------------
An Internet border firewall is a cluster firewall used to detect north-south traffic. It supports intrusion detection and prevention (IPS) and network antivirus based on EIPs.
An Internet border firewall is used to detect north-south traffic. It supports intrusion detection and prevention (IPS) and network antivirus based on EIPs.
VPC Border Firewall
-------------------
A VPC border firewall is a distributed firewall used to detect communication traffic between two VPCs (east-west traffic), visualizing and protecting internal access activities.
A VPC border firewall is used to detect communication traffic between two VPCs (east-west traffic), visualizing and protecting internal access activities.
IPS
---
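Review bot: "intrusion detection and prevention (IPS)" does not match its own abbreviation, and the traffic-control hunk earlier in this commit expands it as "intrusion prevention system (IPS)". Since this line is being touched anyway, align it to "intrusion prevention system (IPS)" so the term is consistent across the guide.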
@ -1,6 +1,6 @@
:original_name: cfw_01_0270.html
:original_name: cfw_01_0189.html
.. _cfw_01_0270:
.. _cfw_01_0189:
Constraints and Limitations
===========================
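Review bot: Renaming the label from cfw_01_0270 to cfw_01_0189 invalidates any :ref: that still uses the old name. The Product Overview index in this commit is updated accordingly, but grep the rest of the tree for cfw_01_0270 before merging; Sphinx only warns on an undefined label, it does not fail the build, so a stale reference would ship as a dead link.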
@ -12,7 +12,6 @@ CFW Usage Restrictions
- Only the services deployed on the cloud platform can be protected. Cross-cloud access is not supported.
- Traffic protection supports EIPs, but does not support global EIPs or the EIPs bound to API Gateway.
- VPC border protection depends on the enterprise router for traffic diversion. To use this function, ensure your account has at least one enterprise router.
Protection Policy Quota Limit
-----------------------------
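Review bot: The bullet "VPC border protection depends on the enterprise router for traffic diversion" would benefit from a :ref: to the page where that diversion is configured (:ref:`Configuring VPC Route <cfw_01_0204>` is referenced elsewhere in this commit), so a reader hitting the restriction knows where the enterprise router is actually used. Also, one bullet is removed in this hunk (7 lines become 6) and the rendered view hides which; please confirm it is not the EIP restriction, since that one is the constraint users most often hit.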
File diff suppressed because it is too large
@ -8,7 +8,7 @@ Product Overview
- :ref:`What Is CFW? <cfw_01_0002>`
- :ref:`Features <cfw_01_0003>`
- :ref:`Application Scenarios <cfw_01_0005>`
- :ref:`Constraints and Limitations <cfw_01_0270>`
- :ref:`Constraints and Limitations <cfw_01_0189>`
- :ref:`Related Services <cfw_01_0007>`
- :ref:`Basic Concepts <cfw_01_0057>`
@ -8,7 +8,7 @@ Protection Log Overview
This section describes the following content:
- The two log storage modes provided by CFW. For details, see :ref:`Log Storage Mode <cfw_01_0278__section863819309356>`.
- Three log types. For details, see :ref:`Log Types <cfw_01_0278__section157305387362>`.
- Supported log types. For details, see :ref:`Log Types <cfw_01_0278__section157305387362>`.
- How to handle improper blocking recorded in logs. For details, see :ref:`Handling Improper Blocking <cfw_01_0278__section6537461243>`.
.. _cfw_01_0278__section863819309356:
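Review bot: "Supported log types" replaces "Three log types", but the Log Types hunk in this same file still lists exactly three (attack event, access control, traffic). If the count was removed because more types are planned, fine; otherwise the specific wording was more useful, and the first bullet still says "The two log storage modes", so the list now mixes counted and uncounted items.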
@ -34,7 +34,7 @@ Log Types
The following types of logs are provided:
- Attack event log: Events detected by attack defense functions, such as IPS, are recorded. You can modify the protection action if traffic is improperly blocked. For details, see :ref:`Modifying the Protection Action of an Intrusion Prevention Rule <cfw_01_0168>`. For details about how to modify the protection action of antivirus, see :ref:`Modifying the Virus Defense Action for Better Protection Effect <cfw_01_0195__section115051117231>`.
- Access control logs: All traffic that matches the access control policies are recorded. For details about how to modify a protection rule, see :ref:`Managing Protection Rules <cfw_01_0062>`. For details about how to modify the blacklist or whitelist, see :ref:`Editing the Blacklist or Whitelist <cfw_01_0035__section510452611127>`.
- Access control logs: All traffic that matches the access control policies are recorded. For details about how to modify a protection rule, see :ref:`Managing Protection Rules <cfw_01_0061>`. For details about how to modify the blacklist or whitelist, see :ref:`Editing the Blacklist or Whitelist <cfw_01_0035__section510452611127>`.
- Traffic logs: All traffic passing through the firewall is recorded.
.. _cfw_01_0278__section6537461243:
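Review bot: The ref target changes from cfw_01_0062 to cfw_01_0061 while the link text stays "Managing Protection Rules"; confirm that cfw_01_0061 is the label on the Managing Protection Rules page and that cfw_01_0062 is not still the correct target somewhere else in the guide. While the line is being edited, fix the agreement error it carries over: "All traffic that matches the access control policies are recorded" should read "is recorded", matching "is recorded" in the Traffic logs bullet below it.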
File diff suppressed because it is too large
@ -20,17 +20,33 @@ Viewing Inbound Traffic
#. In the navigation pane on the left, click |image1| and choose **Security** > **Cloud Firewall**. The **Dashboard** page will be displayed.
#. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click **View** in the **Operation** column of a firewall to go to its details page.
#. In the navigation pane, choose **Traffic Analysis** > **Inbound Traffic**.
#. View the statistics on the traffic passing through the firewall. You can select the query duration from the drop-down list.
#. Check statistics on the traffic passing through the firewall within a time range, from 5 minutes to 7 days.
- **Traffic Dashboard**: Information about the highest traffic from the Internet to internal servers.
- **Inbound Traffic**: Inbound request traffic and response traffic. The traffic statistics of up to 30 EIPs can be queried at a time.
- **Visualizations**: Top 5 items ranked by certain parameters regarding inbound traffic within a specified time range. For more information, see :ref:`Table 1 <cfw_01_0230__table12362103114169>`. You can click a data record to view the traffic details. A maximum of 50 data records can be viewed.
.. table:: **Table 1** Value description
+-----------------------------------+-----------------------------------------------------------------------------+
| Time Range | Value |
+===================================+=============================================================================+
| Last 1 hour | Average value within every minute |
+-----------------------------------+-----------------------------------------------------------------------------+
| Last 24 hours | Average value within every 5 minutes |
+-----------------------------------+-----------------------------------------------------------------------------+
| Last 7 days | Average value within every hour |
+-----------------------------------+-----------------------------------------------------------------------------+
| Custom | - 5 minutes to 6 hours: average value within every minute |
| | - 6 hours (included) to 3 days: average value within every 5 minutes |
| | - 3 (included) to 7 days (included): average value within every 30 minutes |
+-----------------------------------+-----------------------------------------------------------------------------+
- **Visualizations**: Top 5 items ranked by certain parameters regarding inbound traffic within a specified time range. For more information, see :ref:`Table 2 <cfw_01_0230__table12362103114169>`. You can click a data record to view the traffic details. A maximum of 50 data records can be viewed.
.. _cfw_01_0230__table12362103114169:
.. table:: **Table 1** Inbound traffic parameters
.. table:: **Table 2** Inbound traffic parameters
+--------------------------------+-----------------------------------------------------------------------+
| Parameter | Description |
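Review bot: The Custom row of the new "Value description" table has ambiguous boundaries: "5 minutes to 6 hours" and "6 hours (included) to 3 days" both claim 6 hours, and "to 3 days" and "3 (included) to 7 days (included)" both claim 3 days. Mark each boundary once, for example "5 minutes to 6 hours (excluded)", "6 hours (included) to 3 days (excluded)", "3 days (included) to 7 days (included)", so a reader knows which averaging interval a 6-hour or 3-day query gets. Two smaller points: the column header "Value" does not describe its contents (every cell is an averaging interval, so "Averaging Interval" or "Statistical Granularity" would be clearer), and the new table has no ".. _label:" of its own, so the "Table 1" mentioned in the step text cannot be cross-referenced the way Table 2 is.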
@ -20,17 +20,33 @@ Viewing Inter-VPC Traffic
#. In the navigation pane on the left, click |image1| and choose **Security** > **Cloud Firewall**. The **Dashboard** page will be displayed.
#. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click **View** in the **Operation** column of a firewall to go to its details page.
#. In the navigation pane, choose **Traffic Analysis** > **Inter-VPC Access**.
#. View the statistics on the traffic passing through the CFW. You can select the query duration from the drop-down list.
#. Check statistics on the traffic passing through the cloud firewall within a time range, from 5 minutes to 7 days.
- **Traffic Dashboard**: Information about the maximum traffic between VPCs.
- **Inter-VPC Access**: Request and response traffic between VPCs.
- **Visualizations**: Top 5 items ranked by certain parameters regarding inter-VPC traffic within a specified time range. For more information, see :ref:`Table 1 <cfw_01_0232__table12362103114169>`. You can click a data record to view the traffic details. A maximum of 50 data records can be viewed.
.. table:: **Table 1** Value description
+-----------------------------------+-----------------------------------------------------------------------------+
| Time Range | Value |
+===================================+=============================================================================+
| Last 1 hour | Average value within every minute |
+-----------------------------------+-----------------------------------------------------------------------------+
| Last 24 hours | Average value within every 5 minutes |
+-----------------------------------+-----------------------------------------------------------------------------+
| Last 7 days | Average value within every hour |
+-----------------------------------+-----------------------------------------------------------------------------+
| Custom | - 5 minutes to 6 hours: average value within every minute |
| | - 6 hours (included) to 3 days: average value within every 5 minutes |
| | - 3 (included) to 7 days (included): average value within every 30 minutes |
+-----------------------------------+-----------------------------------------------------------------------------+
- **Visualizations**: Top 5 items ranked by certain parameters regarding inter-VPC traffic within a specified time range. For more information, see :ref:`Table 2 <cfw_01_0232__table12362103114169>`. You can click a data record to view the traffic details. A maximum of 50 data records can be viewed.
.. _cfw_01_0232__table12362103114169:
.. table:: **Table 1** Inter-VPC traffic parameters
.. table:: **Table 2** Inter-VPC traffic parameters
+--------------------------------+--------------------------------------------------+
| Parameter | Description |
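Review bot: Same boundary problem as the inbound page: in the Custom row, 6 hours and 3 days each appear in two adjacent ranges ("5 minutes to 6 hours" / "6 hours (included) to 3 days" and "to 3 days" / "3 (included) to 7 days (included)"), so mark each boundary as included on exactly one side. This table is identical to the one on the Inbound and Outbound pages; since the three are being added in one commit, consider keeping the text in a single included file so a future change to the averaging intervals cannot drift between pages. The step text here also alternates between "the CFW" and "the cloud firewall" across the old and new lines; pick one.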
@ -20,17 +20,33 @@ Viewing Outbound Traffic
#. In the navigation pane on the left, click |image1| and choose **Security** > **Cloud Firewall**. The **Dashboard** page will be displayed.
#. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click **View** in the **Operation** column of a firewall to go to its details page.
#. In the navigation pane, choose **Traffic Analysis** > **Outbound Traffic**.
#. View the statistics on the traffic passing through the firewall. You can select the query duration from the drop-down list.
#. Check statistics on the traffic passing through the firewall within a time range, from 5 minutes to 7 days.
- **Traffic Dashboard**: Information about the highest traffic when internal servers access the Internet.
- **Outbound Traffic**: Outbound request traffic and response traffic. The traffic statistics of up to 30 EIPs can be queried at a time.
- **Visualizations**: Top 5 items ranked by certain parameters regarding outbound traffic within a specified time range. For more information, see :ref:`Table 1 <cfw_01_0231__table12362103114169>`. You can click a data record to view the traffic details. A maximum of 50 data records can be viewed.
.. table:: **Table 1** Value description
+-----------------------------------+-----------------------------------------------------------------------------+
| Time Range | Value |
+===================================+=============================================================================+
| Last 1 hour | Average value within every minute |
+-----------------------------------+-----------------------------------------------------------------------------+
| Last 24 hours | Average value within every 5 minutes |
+-----------------------------------+-----------------------------------------------------------------------------+
| Last 7 days | Average value within every hour |
+-----------------------------------+-----------------------------------------------------------------------------+
| Custom | - 5 minutes to 6 hours: average value within every minute |
| | - 6 hours (included) to 3 days: average value within every 5 minutes |
| | - 3 (included) to 7 days (included): average value within every 30 minutes |
+-----------------------------------+-----------------------------------------------------------------------------+
- **Visualizations**: Top 5 items ranked by certain parameters regarding outbound traffic within a specified time range. For more information, see :ref:`Table 2 <cfw_01_0231__table12362103114169>`. You can click a data record to view the traffic details. A maximum of 50 data records can be viewed.
.. _cfw_01_0231__table12362103114169:
.. table:: **Table 1** Outbound traffic parameters
.. table:: **Table 2** Outbound traffic parameters
+--------------------------------+------------------------------------------------------------------------+
| Parameter | Description |
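Review bot: The Custom row carries the same overlapping boundaries as on the other two traffic pages (6 hours and 3 days are each claimed by two ranges); fix it here in the same way so the three tables stay identical. One point specific to this page's wording: the table explains how values are averaged, which matters for anyone reading the Outbound Traffic view to spot a short burst of data leaving the network; a sentence after the table noting that a sub-interval spike is flattened by the averaging (a 1-minute burst in a 7-day view is averaged over an hour) would tell the reader when to narrow the time range before drawing conclusions.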