Help Center/ Cloud Firewall/ Best Practices/ Migrating Security Policies to CFW in Batches
Updated on 2026-03-25 GMT+08:00

Migrating Security Policies to CFW in Batches

Application Scenarios

If services need to be migrated to Huawei Cloud, or security policies need to be replaced with CFW, you can import security policies in batches.

Precautions

  • If the networking changes during rule migration, you need to rewrite the network information (such as the IP addresses) in the original policy.
  • To reduce the impact of security rules migration on services, you are advised to disable all rules (especially the blocking rules). After the template is imported and the rules are correctly configured, enable the rules.
  • The priority of the imported rules is lower than that of the created rules.

    To allow specified traffic, configure the rules of CFW, network ACL, and security groups to allow the traffic.

  • To import and reference an object group (such as an IP address group), enter the group information in the corresponding information table (such as the address information table) and then reference the group in the protection rule table.

Migrating Outbound Blocking Rules in Batches

  1. Export the rule configuration file from other firewalls through the API/policy backup function.

    For example, export the following rule.

    Table 1 Exporting a rule (parameter: parameter value)

    rule id: 123
    src-zone: trust
    dst-zone: untrust
    src-addr: 0.0.0.0/0
    dst-addr: xx.xx.xx.9
    service: SSH
    action: deny
    name: example123

  2. Log in to the CFW console.
  3. Click in the upper left corner of the management console and select a region or project.
  4. (Optional) Switch to another firewall instance. Select a firewall from the drop-down list in the upper left corner of the page.
  5. In the navigation pane, choose Access Control > Internet Border Protection Rules.
  6. Click Download Center in the upper right corner of the list.
  7. Click Download Template to download the rule import template to the local host.
  8. In the Rule-Acl-Table sheet of the template, set the parameters.

    Table 2 Filling in the rule template (parameter, example value, description)

    Order (example value: 1)
      Order number of a rule.

    Acl Name (example value: example123)
      Name of the rule.

    Protection Rule (example value: EIP protection)
      Protection type of a rule.
      • EIP protection: Protect EIP traffic. Only EIPs can be configured.
      • NAT protection: Protect NAT traffic. Private IP addresses can be configured.

    Direction (example value: Outbound)
      Direction of protected traffic.
      • Inbound: Traffic from external networks to the internal server.
      • Outbound: Traffic from the customer server to external networks.

    Action Type (example value: Block)
      How the firewall handles traffic. Select Allow or Block.

    Acl Address Type (example value: IPv4)
      IP address type. Select IPv4.

    Status (example value: Disable)
      Whether a policy is enabled.
      • Enable: The rule is enabled immediately and takes effect.
      • Disable: The rule is not in effect.

    Description (example value: Example)
      Rule description.

    Source Address Type (example value: IP address)
      Select the type of the party that initiates a session.
      • IP address: You can configure a single IP address, consecutive IP addresses, or an IP address segment.
      • IP address group: You can configure multiple IP addresses.
      • Region: Protection can be performed by region.

    Source Address (example value: 0.0.0.0/0)
      If Source Address Type is set to IP Address, you need to configure this parameter.
      The following input formats are supported:
      • A single IP address, for example, 192.168.10.5
      • Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10
      • A single address segment, for example, 192.168.2.0/24
      To specify multiple IP addresses or IP address segments, configure multiple rules. Specify different IP addresses (segments) in these rules but use the same settings for other parameters.

    Source Address Group Name (example value: --)
      If Source Address Type is set to IP Address Group, you must configure this parameter.
      The following name format is supported:
      • The value can contain letters, digits, underscores (_), hyphens (-), or spaces.
      • The name can contain up to 255 characters.

    Source Continent Region (example value: --)
      If Source Address Type is set to Region, you need to configure Source Continent Region. Enter continent information based on the continent-region-info sheet.

    Source Country Region (example value: --)
      If Source Address Type is set to Region, you need to configure Source Country Region. Enter country and region information based on the country-region-info sheet.

    Source Province Region (example value: --)
      If Source Address Type is set to Region, you need to configure Source Province Region. Enter province information based on the province-region-info sheet.

    Destination Address Type (example value: IP address)
      Select the type of the recipient of a session.
      • IP address: You can configure a single IP address, consecutive IP addresses, or an IP address segment.
      • IP address group: You can configure multiple IP addresses.
      • Domain name: A domain name consists of labels separated by dots (.). It is a human-readable address that maps to the machine-readable IP address of your server.
      • Domain name group: You can set a collection of domain names.
      • Region: Protection can be performed by region.

    Destination Address (example value: xx.xx.xx.9)
      If Destination Address Type is set to IP Address, you must configure this parameter. It can be:
      • A single IP address, for example, 192.168.10.5
      • Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10
      • A single address segment, for example, 192.168.2.0/24
      To specify multiple IP addresses or IP address segments, configure multiple rules. Specify different IP addresses (segments) in these rules but use the same settings for other parameters.

    Destination Address Group Name (example value: --)
      If Destination Address Type is set to IP Address Group, you must configure this parameter.
      The following name format is supported:
      • The value can contain letters, digits, underscores (_), hyphens (-), or spaces.
      • The name can contain up to 255 characters.

    Destination Continent Region (example value: --)
      If Destination Address Type is set to Region, you need to set Destination Continent Region. Enter continent information based on the continent-region-info sheet.

    Destination Country Region (example value: --)
      If Destination Address Type is set to Region, you need to set Destination Country Region. Enter country and region information based on the country-region-info sheet.

    Destination Province Region (example value: --)
      If Destination Address Type is set to Region, you need to set Destination Province Region. Enter province information based on the province-region-info sheet.

    Domain Name (example value: --)
      If Destination Address Type is set to Domain Name, you must configure this parameter. A domain name consists of labels separated by dots (.). It is a human-readable address that maps to the machine-readable IP address of your server.

    Destination Domain Group Name (example value: --)
      If Destination Address Type is set to Domain Group Name, you need to configure Destination Domain Group Name. Enter a domain group name.

    Service Type (example value: Service)
      Service type. It can be:
      • Service: You can configure a single service.
      • Service Group: You can configure multiple services.

    Protocol/Source Port/Destination Port (example value: TCP/1-65535/22)
      Type of traffic to be put under access control.
      • Protocol: The value can be TCP, UDP, ICMP, or Any.
      • Source ports to be enabled or disabled. You can configure a single port or a port range (example: 80-443).
      • Destination ports to be enabled or disabled. You can configure a single port or a port range (example: 80-443).

    Service Group Name (example value: --)
      Service group name. The name can contain up to 255 characters, including letters, numbers, underscores (_), hyphens (-), and spaces.

    Group Tag (example value: --)
      Tags are used to identify rules. You can use tags to classify and search for security policies.

  9. After filling in the template, click Import Rule to import the template.
  10. Enable the policy. You are advised to start with the policies that do not affect main services.
  11. Check whether there are rule matching records in the logs. For details about how to query access logs, see Querying Logs.

    • If there are hit records, the rule has taken effect.
    • If there are no hit records, perform the following steps:
      1. Enable protection on the resources specified in the policy. For details about how to enable protection for EIPs, see Enabling EIP Protection.
      2. Check whether a rule with a higher priority is matched. For details about how to set the priority of rules, see Configuring a Rule Priority.
      3. On the Internet Border Protection Rules page, check whether any rule delivery error is reported.
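The steps above move a rule exported from another firewall (Table 1) into the columns of the Rule-Acl-Table sheet (Table 2). The following script is an added example, not Huawei Cloud tooling or part of this page: it takes a constructed export in the Table 1 key/value layout, normalizes each address into one of the three formats the template accepts, splits an export that lists several addresses into several rules (one address per rule, other parameters identical), derives the direction from the zone names, and writes every row with Status=Disable so nothing takes effect until it has been reviewed. The zone-to-direction mapping, the service-to-port table, the `EIP protection` default and the address `203.0.113.9` (standing in for the page's `xx.xx.xx.9`) are assumptions made for the example.

```python
# Added example (not Huawei Cloud tooling): map a rule exported from another
# firewall, in the key/value layout of Table 1, onto the Rule-Acl-Table
# columns of Table 2. Zone-to-direction and service-to-port maps are assumed.
import csv
import io
import ipaddress
import re

# Constructed sample export in the shape of Table 1 (203.0.113.9 stands in
# for the page's placeholder xx.xx.xx.9).
EXPORTED_RULE = {
    "rule id": "123",
    "src-zone": "trust",
    "dst-zone": "untrust",
    "src-addr": "0.0.0.0/0",
    "dst-addr": "203.0.113.9",
    "service": "SSH",
    "action": "deny",
    "name": "example123",
}

# Assumed translation of service names into Protocol/Source Port/Destination Port.
SERVICE_MAP = {"SSH": "TCP/1-65535/22", "ANY": "Any/1-65535/1-65535"}

COLUMNS = [
    "Order", "Acl Name", "Protection Rule", "Direction", "Action Type",
    "Acl Address Type", "Status", "Description", "Source Address Type",
    "Source Address", "Destination Address Type", "Destination Address",
    "Service Type", "Protocol/Source Port/Destination Port",
]

RANGE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})-(\d{1,3}(?:\.\d{1,3}){3})$")


def normalize_address(value):
    """Return the address as a single IPv4 address, a consecutive range a-b,
    or a CIDR segment; raise ValueError otherwise (IPv6 included, the sheet
    is IPv4 only)."""
    value = value.strip()
    m = RANGE_RE.match(value)
    if m:
        lo = ipaddress.IPv4Address(m.group(1))
        hi = ipaddress.IPv4Address(m.group(2))
        if lo > hi:
            raise ValueError(f"range start after end: {value}")
        return f"{lo}-{hi}"
    if "/" in value:
        return str(ipaddress.IPv4Network(value, strict=False))
    return str(ipaddress.IPv4Address(value))


def direction_from_zones(src_zone, dst_zone):
    """Assumption: trust->untrust is Outbound, untrust->trust is Inbound."""
    if (src_zone, dst_zone) == ("trust", "untrust"):
        return "Outbound"
    if (src_zone, dst_zone) == ("untrust", "trust"):
        return "Inbound"
    raise ValueError(f"cannot derive direction from {src_zone}->{dst_zone}")


def to_cfw_rows(rule, first_order):
    """Build one Rule-Acl-Table row per source/destination address pair.
    Several addresses in the export become several rules, and every row is
    imported with Status=Disable, as the Precautions advise."""
    sources = [normalize_address(a) for a in rule["src-addr"].split(",")]
    dests = [normalize_address(a) for a in rule["dst-addr"].split(",")]
    action = "Block" if rule["action"].lower() in ("deny", "drop", "reject") else "Allow"
    direction = direction_from_zones(rule["src-zone"], rule["dst-zone"])
    rows, order = [], first_order
    for src in sources:
        for dst in dests:
            rows.append({
                "Order": order,
                "Acl Name": rule["name"],
                "Protection Rule": "EIP protection",   # assumed default
                "Direction": direction,
                "Action Type": action,
                "Acl Address Type": "IPv4",
                "Status": "Disable",
                "Description": f"migrated from rule id {rule['rule id']}",
                "Source Address Type": "IP address",
                "Source Address": src,
                "Destination Address Type": "IP address",
                "Destination Address": dst,
                "Service Type": "Service",
                "Protocol/Source Port/Destination Port": SERVICE_MAP[rule["service"].upper()],
            })
            order += 1
    return rows


def rows_to_csv(rows):
    """Serialise the rows under the Table 2 headers for pasting into the sheet."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(rows_to_csv(to_cfw_rows(EXPORTED_RULE, 1)))
```

Running the script prints one CSV row for the sample rule: Outbound, Block, Disable, source 0.0.0.0/0, destination 203.0.113.9, TCP/1-65535/22. An export whose `src-addr` lists two addresses produces two consecutive Order numbers with identical settings, which is the form the template requires; an IPv6 address or an unknown zone pair raises instead of producing a row that the import would reject.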

Migrating Address Group Members and Domain Group Members in Batches

  1. Export the rule configuration file from other firewalls through the API/policy backup function.
  2. Log in to the CFW console.
  3. Click in the upper left corner of the management console and select a region or project.
  4. (Optional) Switch to another firewall instance. Select a firewall from the drop-down list in the upper left corner of the page.
  5. In the navigation pane, choose Access Control > Internet Border Protection Rules.
  6. Click Download Center in the upper right corner of the list.
  7. Click Download Template to download the rule import template to the local host.
  8. Set parameters in the template.

    • Address-Table:
      Table 3 Address-Table (parameter, example value, description)

      IP Address Group Name (example value: Address group 1)
        Name of an IP address group.

      IP Address Group Description (example value: --)
        Usage and application scenario of a rule.

      Address Set Address Type (example value: IPv4)
        Address group type. The value can be IPv4 or IPv6.

      IP Address Items
        Example values:
        • IP Address: 10.1.1.2; Description: ECS1
        • IP Address: 10.1.1.3; Description: ECS2
        • IP Address: 10.1.1.4; Description: ECS3
        Add IP addresses to be managed.

    • Domain-Table:
      Table 4 Domain-Table (parameter, example value, description)

      Domain Set Name (example value: Domain group 1)
        Name of a user-defined domain name group.

      Domain Set Type (example value: Application-layer Domain set)
        Domain name group type. It can be Application-layer Domain set or Network-layer Domain set.

      Domain Set Description (example value: External domain name of service A)
        Enter remarks for the domain name group.

      Domain Items
        Example values:
        • Domain Address: www.example.test.api; Domain Description: api
        • Domain Address: www.test.example.com; Domain Description: a domain name
        • Domain Address: www.example.example.test; Domain Description: XX system
        Enter domain name group members and their descriptions.

    • Rule-ACL-Table:
      Table 5 Rule-ACL-Table (parameter, example value, description)

      Order (example value: 1)
        Order number of a rule.

      Acl Name (example value: Service_A_Outbound)
        Name of the rule.

      Protection Rule (example value: NAT Protection)
        Protection type of a rule.
        • EIP Protection: Protect EIP traffic. Only EIPs can be configured.
        • NAT Protection: Protect NAT traffic. Private IP addresses can be configured.

      Direction (example value: Outbound)
        Direction of protected traffic.
        • Inbound: Traffic from external networks to the internal server.
        • Outbound: Traffic from the customer server to external networks.

      Action Type (example value: Allow)
        How the firewall handles traffic. Select Allow or Block.

      Acl Address Type (example value: IPv4)
        IP address type. Select IPv4.

      Status (example value: Disable)
        Whether a policy is enabled.
        • Enable: The rule is enabled immediately and takes effect.
        • Disable: The rule is not in effect.

      Description (example value: --)
        Rule description.

      Source Address Type (example value: IP address group)
        Select the type of the party that initiates a session.
        • IP Address: You can configure a single IP address, consecutive IP addresses, or an IP address segment.
        • IP Address Group: You can configure multiple IP addresses.
        • Region: Protection can be performed by region.

      Source Address (example value: --)
        If Source Address Type is set to IP Address, you need to configure this parameter.
        The following input formats are supported:
        • A single IP address, for example, 192.168.10.5
        • Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10
        • A single address segment, for example, 192.168.2.0/24
        To specify multiple IP addresses or IP address segments, configure multiple rules. Specify different IP addresses (segments) in these rules but use the same settings for other parameters.

      Source Address Group Name (example value: Address group 1)
        If Source Address Type is set to IP Address Group, you must configure this parameter. The group must be defined in the Address-Table sheet.
        The following name format is supported:
        • The value can contain letters, digits, underscores (_), hyphens (-), or spaces.
        • The name can contain up to 255 characters.

      Source Continent Region (example value: --)
        If Source Address Type is set to Region, you need to configure Source Continent Region. Enter continent information based on the continent-region-info sheet.

      Source Country Region (example value: --)
        If Source Address Type is set to Region, you need to configure Source Country Region. Enter country and region information based on the country-region-info sheet.

      Source Province Region (example value: --)
        If Source Address Type is set to Region, you need to configure Source Province Region. Enter province information based on the province-region-info sheet.

      Destination Type (example value: Domain name group)
        Select the type of the recipient of a session.
        • IP Address: You can configure a single IP address, consecutive IP addresses, or an IP address segment.
        • IP Address Group: You can configure multiple IP addresses.
        • Domain Name: A domain name consists of labels separated by dots (.). It is a human-readable address that maps to the machine-readable IP address of your server.
        • Domain Name Group: You can set a collection of domain names.
        • Region: Protection can be performed by region.

      Destination IP Address (example value: --)
        If Destination Address Type is set to IP Address, you must configure this parameter. It can be:
        • A single IP address, for example, 192.168.10.5
        • Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10
        • A single address segment, for example, 192.168.2.0/24
        To specify multiple IP addresses or IP address segments, configure multiple rules. Specify different IP addresses (segments) in these rules but use the same settings for other parameters.

      Destination Address Group Name (example value: --)
        If Destination Address Type is set to IP Address Group, you must configure this parameter. The group must be defined in the Address-Table sheet.
        The following name format is supported:
        • The value can contain letters, digits, underscores (_), hyphens (-), or spaces.
        • The name can contain up to 255 characters.

      Destination Continent Region (example value: --)
        If Destination Address Type is set to Region, you need to set Destination Continent Region. Enter continent information based on the continent-region-info sheet.

      Destination Country Region (example value: --)
        If Destination Address Type is set to Region, you need to set Destination Country Region. Enter country and region information based on the country-region-info sheet.

      Destination Province Region (example value: --)
        If Destination Address Type is set to Region, you need to set Destination Province Region. Enter province information based on the province-region-info sheet.

      Domain Name (example value: --)
        If Destination Address Type is set to Domain Name, you must configure this parameter. A domain name consists of labels separated by dots (.). It is a human-readable address that maps to the machine-readable IP address of your server.

      Destination Domain Group Name (example value: Domain group 1)
        If Destination Address Type is set to Domain Group Name, you need to configure Destination Domain Group Name. Enter a domain group name that is defined in the Domain-Table sheet.

      Service Type (example value: Service)
        Service type. It can be:
        • Service: You can configure a single service.
        • Service Group: You can configure multiple services.

      Protocol/Source Port/Destination Port (example value: TCP/0-65535/8080)
        Type of traffic to be put under access control.
        • Protocol: The value can be TCP, UDP, ICMP, or Any.
        • Source ports to be enabled or disabled. You can configure a single port or a port range (example: 80-443).
        • Destination ports to be enabled or disabled. You can configure a single port or a port range (example: 80-443).

      Service Group Name (example value: --)
        Service group name. The name can contain up to 255 characters, including letters, numbers, underscores (_), hyphens (-), and spaces.

      Group Tag (example value: --)
        Tags are used to identify rules. You can use tags to classify and search for security policies.

  9. After filling in the template, click Import Rule to import the template.
  10. Enable the policy. You are advised to start with the policies that do not affect main services.
  11. Check whether there are rule matching records in the logs. For details about how to query access logs, see Querying Logs.

    • If there are hit records, the rule has taken effect.
    • If there are no hit records, perform the following steps:
      1. Enable protection on the resources specified in the policy. For details about how to enable protection for EIPs, see Enabling EIP Protection.
      2. Check whether a rule with a higher priority is matched. For details about how to set the priority of rules, see Configuring a Rule Priority.
      3. On the Internet Border Protection Rules page, check whether any rule delivery error is reported.
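When groups are migrated together with the rules that reference them, the Precautions require the group to be present in Address-Table or Domain-Table before a rule in Rule-ACL-Table names it, and the group name must follow the letters/digits/underscore/hyphen/space, up-to-255-character format given in Table 5. The following check is an added example, not part of CFW or of this page: it walks constructed rows shaped like Tables 3, 4 and 5, verifies that every referenced group exists, that group names are well-formed, that the members of an address group match the group's declared address type, and that rules are still disabled as the Precautions advise. Column names are taken from the tables above; the sample rows and the treatment of an enabled rule as a finding are assumptions for this example.

```python
# Added example (not CFW code): consistency check across the three template
# sheets before clicking Import Rule. Column names follow Tables 3, 4 and 5;
# sample rows are constructed for the example.
import ipaddress
import re

# Group name format from Table 5: letters, digits, _, -, spaces; up to 255 chars.
NAME_RE = re.compile(r"^[A-Za-z0-9_\- ]{1,255}$")

# Constructed sample sheets mirroring Tables 3, 4 and 5.
ADDRESS_TABLE = [
    {"IP Address Group Name": "Address group 1",
     "Address Set Address Type": "IPv4",
     "IP Address Items": ["10.1.1.2", "10.1.1.3", "10.1.1.4"]},
]
DOMAIN_TABLE = [
    {"Domain Set Name": "Domain group 1",
     "Domain Set Type": "Application-layer Domain set",
     "Domain Items": ["www.example.test.api", "www.test.example.com"]},
]
RULE_TABLE = [
    {"Order": 1, "Acl Name": "Service_A_Outbound", "Status": "Disable",
     "Source Address Type": "IP address group",
     "Source Address Group Name": "Address group 1",
     "Destination Type": "Domain name group",
     "Destination Domain Group Name": "Domain group 1",
     "Protocol/Source Port/Destination Port": "TCP/0-65535/8080"},
]


def check_groups(address_table, domain_table, rule_table):
    """Return a list of findings; an empty list means the sheets are consistent.
    Findings cover dangling group references, malformed group names, members
    whose IP version contradicts the group type, and rules not yet disabled."""
    findings = []
    ip_groups = set()
    for g in address_table:
        name = g["IP Address Group Name"]
        if not NAME_RE.match(name):
            findings.append(f"address group name not allowed: {name!r}")
        want = 4 if g["Address Set Address Type"] == "IPv4" else 6
        for item in g["IP Address Items"]:
            try:
                if ipaddress.ip_address(item).version != want:
                    findings.append(f"{name}: {item} is not IPv{want}")
            except ValueError:
                findings.append(f"{name}: invalid address {item!r}")
        ip_groups.add(name)
    domain_groups = set()
    for g in domain_table:
        name = g["Domain Set Name"]
        if not NAME_RE.match(name):
            findings.append(f"domain group name not allowed: {name!r}")
        domain_groups.add(name)
    for r in rule_table:
        rule = r["Acl Name"]
        if r["Source Address Type"].lower() == "ip address group":
            ref = r.get("Source Address Group Name", "")
            if ref not in ip_groups:
                findings.append(f"rule {rule}: source group {ref!r} not in Address-Table")
        if r["Destination Type"].lower() == "domain name group":
            ref = r.get("Destination Domain Group Name", "")
            if ref not in domain_groups:
                findings.append(f"rule {rule}: domain group {ref!r} not in Domain-Table")
        if r.get("Status") != "Disable":   # Precautions: import disabled, enable after review
            findings.append(f"rule {rule}: Status is not Disable")
    return findings


if __name__ == "__main__":
    for line in check_groups(ADDRESS_TABLE, DOMAIN_TABLE, RULE_TABLE) or ["sheets consistent"]:
        print(line)
```

For the sample sheets the check returns no findings. Changing the rule's Source Address Group Name to a group that is not in Address-Table, or putting an IPv6 member into an IPv4 group, produces one finding per defect, which is cheaper to fix in the spreadsheet than after a failed import or a rule that silently protects nothing.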

References

  • For details about the parameters of the import template, see Parameters of Rule Import Template.
  • Periodically check rule hits on the policy assistant page or in custom security reports.

    The policy assistant and security reports display the rule matching trend and top N matched rules, helping you locate abnormal rules in a timely manner.