Help Center/ Cloud Firewall/ Getting Started/ Configuring Intrusion Prevention to Protect EIPs
Updated on 2024-11-27 GMT+08:00

Configuring Intrusion Prevention to Protect EIPs

CFW provides intrusion prevention functions, and, with many years of attack defense experience, it detects and defends against a wide range of common network attacks and effectively protects your assets.

This document describes how to use the standard edition firewall and protect EIPs through intrusion prevention in Intercept mode - medium mode, flexibly protecting cloud assets.

Process

Procedure

Description

Making Preparations

Sign up for a HUAWEI ID, enable Huawei Cloud services, top up your account, and assign CFW permissions to the account.

Step 1: Purchase the CFW Standard Edition

Purchase CFW. Select a region and an edition (for example, the standard edition), and configure other parameters.

Step 2: Enable Protection for an EIP

Enable protection for an EIP to divert traffic to CFW.

Step 3: Set the Intrusion Prevention Mode to Observe

In Observe mode, if the firewall detects an attack event, it records the event in the attack event log and does not block traffic. This can prevent traffic interruption caused by incorrect blocking.

Step 4: Periodically View Attack Event Logs to Check for Incorrect Blocking

View attack event logs to check whether there is normal traffic that was incorrectly blocked and record the corresponding rule ID.

Step 5: Modify the Improper IPS Rule and Set the Protection Action to Block

Change the protection action of the rule and change the intrusion prevention mode to Intercept (for example, Intercept mode - medium.)

Step 6: View the Protection Effect Through Attack Event Logs

View attack event logs to check whether normal traffic is allowed.

Making Preparations

  1. Before purchasing CFW, create a Huawei account and subscribe to Huawei Cloud. For details, see Registering a HUAWEI ID and Enabling HUAWEI CLOUD Services and Real-Name Authentication.

    If you have enabled Huawei Cloud services and completed real-name authentication, skip this step.

  2. Make sure that your account has sufficient balance, or you may fail to pay to your CFW orders.
  3. Make sure your account has CFW permissions assigned.
    Table 1 System policies supported by CFW

    Role Name

    Description

    Category

    Dependency

    CFW FullAccess

    All permissions for CFW

    System-defined policy

    None

    CFW ReadOnlyAccess

    Read-only permissions for CFW

    System-defined policy

    None

Step 1: Purchase the CFW Standard Edition

CFW provides the standard edition, and the professional edition. You can use access control, intrusion prevention, traffic analysis, and log audit functions on the console.

This section describes how to purchase the CFW standard edition. For details about how to purchase other editions, see Purchasing CFW. For details about the function differences between editions, see Editions.

  1. Log in to the management console. In the navigation pane, click in the upper left corner and choose Security & Compliance > Cloud Firewall.
  2. Click Buy CFW . On the displayed page, configure the following parameters:
    This example only introduces mandatory parameters. Configure other parameters as needed.

    Parameter

    Example Value

    Description

    Region

    EU-Dublin

    Select the region where the EIP is located.

    CFW can be used in the selected region only. To use CFW in another region, switch to the corresponding region and then purchase it. For details about the regions where CFW is available, see Can CFW Be Used Across Clouds or Regions?

    Editions

    Standard

    Select an edition.

  3. Confirm the information and click Buy Now.
  4. Confirm the order details, select I have read and agreed to the Huawei Cloud Firewall Service Statement, and click Next.
  5. Select a payment method and pay for your order.

Step 2: Enable Protection for an EIP

  1. In the navigation pane on the left, choose Assets > EIPs.
  2. Enable EIP protection.
    • Enable protection for a single EIP: In the row of the EIP, click Enable Protection in the Operation column.
    • Enable protection for multiple EIPs: Select the EIPs that you want to enable protection and click Enable Protection above the list.
    • Currently, IPv6 addresses cannot be protected.
    • An EIP can only be protected by one firewall.
    • Only EIPs in the enterprise project to which the current account belongs can be protected.
  3. On the page that is displayed, check the information and click Bind and Enable. Then the Protection Status changes to Protected.

    After EIP protection is enabled, the default action of the access control policy is Allow.

Step 3: Set the Intrusion Prevention Mode to Observe

  1. In the navigation pane, choose Attack Defense > Intrusion Prevention.
  2. In the Protection Mode area, select Observe.

    This document uses the Observe mode as an example. If your workloads need stronger protection, you can change to the Intercept mode. You are advised to select a loose interception mode (for example, Intercept mode - loose) and observe its effects for a period of time before using a mode with higher granularity.

Step 4: Periodically View Attack Event Logs to Check for Incorrect Blocking

  1. In the navigation pane, choose Log Audit > Log Query.
  2. On the Attack Event Logs tab, check whether any traffic was improperly blocked based on the Direction, Source IP Address, and Destination IP Address recorded in logs. If there is improperly blocked traffic, record the corresponding rule ID.

    For example, the traffic from an external IP address xx.xx.xx.82 to an internal IP address xx.xx.xx.58 is normal, but is blocked by the IPS rule whose ID is 806310. This means such traffic was blocked by rule 806310 in Intercept mode. Record the rule ID.

    Figure 1 Viewing attack event logs

Step 5: Modify the Improper IPS Rule and Set the Protection Action to Block

  1. In the navigation pane, choose Attack Defense > Intrusion Prevention.
  2. Click Check Rules under Basic Protection. The Basic Protection tab is displayed.
  3. Filter out the rule whose ID is 806310, click Observe in the Operation column, and change Current Action to Observe.
    Figure 2 Modifying a basic protection action
  4. Return to the Intrusion Prevention page. In the Protection Mode area, select Intercept mode - medium.

Step 6: View the Protection Effect Through Attack Event Logs

  1. In the navigation pane, choose Log Audit > Log Query.
  2. On the Attack Event Logs tab page, view logs to check whether normal service traffic is identified as an attack event, that is, whether the Action for the traffic is Block.

References