Updated on 2023-12-06 GMT+08:00

CFW Best Practices

Enabling EIP Protection

  1. Log in to the management console.
  2. Click the icon in the upper left corner of the management console and select a region or project.
  3. In the navigation pane, click the icon and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed, as shown in Figure 1.

    Figure 1 CFW Dashboard

  4. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click View in the Operation column to go to the details page.
  5. In the navigation pane, choose Assets > EIPs. The EIPs page is displayed.

    (Optional) Manually refresh the list. Click Synchronize EIP in the upper right corner of the page to import your EIP information to the list and refresh the EIP list.

    Figure 2 EIPs
    • Currently, IPv6 addresses cannot be protected.

  6. Enable EIP protection.

    • Enable protection for a single EIP. In the row of the EIP, click Enable Protection in the Operation column.
    • Enable protection for multiple EIPs. Select the EIPs to be protected and click Enable Protection above the table.

  7. On the page that is displayed, check the information and click Bind and Enable. The Protection Status then changes to Protected.

    After EIP protection is enabled, the default access control policy is Allow, so traffic to the protected EIP is still permitted until you add blocking rules as described in Configuring an Inbound Access Policy.

Enabling Intrusion Prevention

  1. Log in to the management console.
  2. Click the icon in the upper left corner of the management console and select a region or project.
  3. In the navigation pane, click the icon and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed, as shown in Figure 3.

    Figure 3 CFW Dashboard

  4. In the navigation pane, choose Attack Defense > Intrusion Prevention.
  5. On the Intrusion Prevention page, select the Protection Mode.

    • Observe: Attacks are detected and recorded in logs.
    • Intercept: Attacks and abnormal IP address access are automatically intercepted.
      • Intercept mode-loose: The protection granularity is coarse. In this mode, only attacks with high threat and high certainty are blocked.
      • Intercept mode-moderate: The protection granularity is medium. This mode meets protection requirements in most scenarios.
      • Intercept mode-strict: The protection granularity is fine-grained, and all attack requests are intercepted. Before enabling strict mode, let the service run for a period of time and configure false alarm masking rules.

Configuring an Inbound Access Policy

  1. Log in to the management console.
  2. Click the icon in the upper left corner of the management console and select a region or project.
  3. In the navigation pane, click the icon and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed, as shown in Figure 4.

    Figure 4 CFW Dashboard

  4. In the navigation pane, choose Access Control > Access Policies.
  5. Click Add Rule. Configure parameters in the Add Rule dialog box.

    • Add a protection rule to allow certain traffic. In the Add Rule dialog box, configure the source IP address. Set Destination and Service to ANY and set Action to Allow.
      Figure 5 Allowing a specified IP address
    • Add a rule to block all traffic. In the Add Rule dialog box, set the source and destination addresses to Any and Action to Block. Ensure that the rule has the lowest priority.
      Figure 6 Blocking all traffic

Configuring an Outbound Access Policy

  1. Log in to the management console.
  2. Click the icon in the upper left corner of the management console and select a region or project.
  3. In the navigation pane, click the icon and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed, as shown in Figure 7.

    Figure 7 CFW Dashboard

  4. In the navigation pane, choose Access Control > Access Policies.
  5. Click Add Rule. Configure parameters in the Add Rule dialog box.

    • Add a protection rule to allow certain traffic. In the Add Rule dialog box, configure the source IP address. Set Destination and Service to ANY and set Action to Allow.
      Figure 8 Allowing a specific IP address (outbound)
    • Add a protection rule to allow traffic to a specific domain name. In the Add Rule dialog box, set Source to Any, Destination to Domain name, Service to Any, and Action to Allow.
      Figure 9 Configuring a policy to allow outbound traffic (domain name specified)
    • Add a rule to block all traffic. In the Add Rule dialog box, set Source, Destination, and Service to ANY and set Action to Block. Ensure that the rule has the lowest priority.
      Figure 10 Blocking all traffic (outbound)
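
The allow-then-block-all ordering from the inbound and outbound policy sections, modeled as an added Python example (not Huawei Cloud code and not the CFW API). It assumes rules are evaluated in priority order with the first match deciding; the rule field names and sample addresses are constructed, and domain-name destinations are not modeled.

```python
import ipaddress

# Constructed sample policy, highest priority first. Field names are
# hypothetical and are not the CFW API schema.
INBOUND = [
    {"name": "allow-office", "src": "203.0.113.10/32", "dst": "any",
     "service": "any", "action": "allow"},
    {"name": "block-all", "src": "any", "dst": "any",
     "service": "any", "action": "block"},
]

def _addr_match(field, addr):
    """True if addr is covered by the rule field ('any' or a CIDR)."""
    return field == "any" or (
        ipaddress.ip_address(addr) in ipaddress.ip_network(field))

def evaluate(rules, src, dst, service="tcp/443", default="allow"):
    """Assumed first-match semantics: the highest-priority matching rule
    decides; traffic matching no rule gets the default policy (Allow)."""
    for r in rules:
        if (_addr_match(r["src"], src) and _addr_match(r["dst"], dst)
                and r["service"] in ("any", service)):
            return r["action"]
    return default

def is_catch_all(r):
    return r["src"] == r["dst"] == r["service"] == "any"

def audit(rules):
    """Report orderings that defeat the allow-list-then-block-all pattern."""
    findings = []
    if not any(is_catch_all(r) and r["action"] == "block" for r in rules):
        findings.append("no block-all rule: unmatched traffic gets the default policy")
    for i, r in enumerate(rules[:-1]):
        if is_catch_all(r):
            shadowed = ", ".join(x["name"] for x in rules[i + 1:])
            findings.append(f"{r['name']} is not lowest priority; it shadows: {shadowed}")
    return findings

if __name__ == "__main__":
    print(evaluate([], "198.51.100.7", "192.0.2.5"))        # default policy only
    print(evaluate(INBOUND, "198.51.100.7", "192.0.2.5"))   # allow-list + block-all
    print(audit(INBOUND[::-1]))                              # block-all placed first
```

Running `audit` over an exported rule list before and after each change catches a block-all rule that has drifted above the allow rules it is meant to sit below.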

Viewing Protection Details

Perform the operations in View Protection Details.