Updated on 2024-01-12 GMT+08:00

Precautions for Using CFW with WAF, Advanced Anti-DDoS, and CDN

This section describes where CFW is deployed in the network architecture and how to configure CFW when it is used with other Huawei Cloud services.

Application Scenarios

If you use other Huawei Cloud products together with CFW, service traffic is protected by multiple layers, and the reverse proxies in that path translate the source IP addresses of the requests before they reach CFW.

If a reverse proxy service (such as CDN, Advanced Anti-DDoS, or cloud WAF) is deployed in front of CFW, configure a policy that permits the back-to-origin IP addresses of that service so that the traffic is forwarded to and inspected by CFW. For details, see Configuring Policies. If you use dedicated or ELB-mode WAF instances, configure policies based on your service requirements.

If you purchase dedicated WAF instances, there are two protection scenarios:

  • You have enabled CFW protection for the EIPs bound to public network ELB load balancers.

    If an attack comes from the client, CFW records the attack event on the Internet Border Firewall tab under Attack Event Logs.

    The destination IP address of the event is the EIP bound to the public ELB load balancer, and the source IP address is the IP address of the client.

  • You have enabled the VPC border firewall and associated it with the VPC where the origin server resides, and no protection is enabled for the EIPs bound to the ELB load balancer.

    If an attack comes from the client, CFW records the attack event on the VPC Border Firewall tab under Attack Event Logs.

    The destination IP address of the event is the private IP address of the origin server, and the source IP address is the private IP address of the traffic ingress (such as the Nginx server).

After the traffic passes through a reverse proxy, the source IP address is translated into the back-to-origin IP address of that proxy, so when an external attack occurs, CFW cannot obtain the real IP address of the attacker from the packet source address. You can obtain it from the X-Forwarded-For field of the HTTP request instead. For details, see Viewing X-Forwarded-For. Note that a client can send an X-Forwarded-For header of its own, so only the entries appended by your own reverse proxies (the rightmost ones) are trustworthy.

Traffic Flow

Web Application Firewall (WAF), Advanced Anti-DDoS (AAD), and Content Delivery Network (CDN) work as reverse proxies. If these services are deployed, the source IP addresses received by CFW are the back-to-origin IP addresses of these services.

WAF supports three modes: cloud, dedicated, and ELB modes. The architecture varies depending on the mode, but the deployment positions of Advanced Anti-DDoS and CDN are fixed.

The following figures show the traffic flow.
  • Cloud WAF

  • Dedicated WAF

  • ELB-mode WAF

Configuring Policies

  • You are advised to create a policy with the highest priority that permits all back-to-origin IP addresses. A permit policy still sends the traffic through CFW for inspection.
  • If you add the back-to-origin IP addresses to the whitelist instead, the traffic is passed through directly and is not inspected by CFW.

You are not advised to block back-to-origin IP addresses or add them to a blacklist. Because all protected traffic arrives from these addresses, blocking them blocks all of it and your services will be affected.

Viewing X-Forwarded-For

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation pane, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed, as shown in Figure 1.

    Figure 1 CFW Dashboard

  4. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click View in the Operation column to go to the details page.
  5. In the navigation pane, choose Log Audit > Log Query. Click the Attack Event Logs tab. In the Operation column of the target event, click Details.

    Figure 2 Viewing attack event log details

  6. On the Details page, click the Attack Payload tab and obtain the value of the X-Forwarded-For field.

    • Method 1: Check X-Forwarded-For (all IP addresses from the client to the last proxy server) in the Payload Content area.
      Figure 3 X-Forwarded-For in the payload
    • Method 2: Copy the Payload Content and decode it with a Base64 tool.
      • X-Forwarded-For: all IP addresses from the client to the last proxy server

      For example, in Example of the Base64 decoding result only cloud WAF is used, and the client IP address obtained from the decoded payload is xx.xx.xx.89.

      Figure 4 Example of the Base64 decoding result
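The following script automates Method 2 and applies the trust caveat above. It is an added example, not code from the CFW console or from Huawei Cloud: it Base64-decodes a constructed sample payload, extracts the X-Forwarded-For chain, and walks the chain from the right, skipping addresses that fall inside a hypothetical list of trusted back-to-origin ranges, so that the first address that is not one of your own proxies is taken as the client. The sample request, the 203.0.113.0/24 client address and the 198.51.100.0/24 proxy range are made up (RFC 5737 documentation ranges); replace the trusted ranges with the back-to-origin addresses your services actually publish. It also handles the chained case (CDN in front of WAF) that the page's cloud-WAF-only figure does not show.

```python
import base64
import ipaddress
import re
from typing import Iterable, List, Optional

# Constructed sample of what the Attack Payload tab shows once decoded: the raw
# request. This is NOT a real CFW log record. The client is 203.0.113.89 and the
# CDN node that forwarded it to WAF is 198.51.100.7; WAF's own back-to-origin IP
# is the packet source address and therefore does not appear in the header.
SAMPLE_REQUEST = (
    "GET /index.php?id=1%27%20OR%201%3D1 HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "X-Forwarded-For: 203.0.113.89, 198.51.100.7\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)
SAMPLE_PAYLOAD_B64 = base64.b64encode(SAMPLE_REQUEST.encode()).decode()

# Hypothetical back-to-origin ranges of the reverse proxies in front of CFW
# (CDN / AAD / cloud WAF). Placeholder; use the ranges your services publish.
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.0/24")]


def decode_payload(payload_b64: str) -> str:
    """Method 2 from the page: Base64-decode the copied Payload Content."""
    return base64.b64decode(payload_b64).decode("utf-8", errors="replace")


def extract_xff(request_text: str) -> List[str]:
    """Return the X-Forwarded-For chain (client first, last proxy last).

    Only the header block before the blank line is parsed, and several
    X-Forwarded-For headers are concatenated in order, as a proxy would.
    """
    headers = request_text.replace("\r\n", "\n").split("\n\n", 1)[0]
    chain: List[str] = []
    for value in re.findall(r"^X-Forwarded-For:[ \t]*(.*?)[ \t]*$",
                            headers, re.IGNORECASE | re.MULTILINE):
        chain.extend(h.strip() for h in value.split(",") if h.strip())
    return chain


def client_ip(chain: List[str],
              trusted: Iterable[ipaddress.IPv4Network]) -> Optional[str]:
    """Pick the real client from the chain, trusting only our own proxies.

    Walk from the right (the hop nearest CFW) past addresses inside the trusted
    back-to-origin ranges; the first untrusted hop is the client as seen by the
    first trusted proxy. Everything to its left was supplied by the client or an
    unknown proxy and may be forged, so it is ignored.
    """
    trusted = list(trusted)
    for hop in reversed(chain):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: do not guess
        if not any(addr in net for net in trusted):
            return str(addr)
    return None  # chain holds only our proxies: no client address recorded


def real_client_ip_from_payload(payload_b64: str,
                                trusted=TRUSTED_PROXIES) -> Optional[str]:
    """End-to-end: decoded payload -> X-Forwarded-For chain -> client IP."""
    return client_ip(extract_xff(decode_payload(payload_b64)), trusted)


if __name__ == "__main__":
    print("X-Forwarded-For:", extract_xff(decode_payload(SAMPLE_PAYLOAD_B64)))
    print("client:", real_client_ip_from_payload(SAMPLE_PAYLOAD_B64))
    # A client that forges its own header cannot hide: the forged value sits
    # left of the address our proxy appended and is skipped.
    print("forged:", client_ip(["10.0.0.1", "203.0.113.89", "198.51.100.7"],
                               TRUSTED_PROXIES))
```

If the chain consists only of your own proxies (for example, a health check originating from the WAF itself), the function returns None rather than reporting a proxy address as the attacker. Addresses left of the first untrusted hop are deliberately discarded: they are whatever the client chose to send.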