Features
This section describes the main features of CFW. You can check the regions where each feature is available on the console.
Legend: √ indicates that the feature is supported in the current version; × indicates that the feature is not supported in the current version.
Dashboard
The dashboard displays the protection status and security risks in your cloud resources (EIPs and VPCs) in real time, helping you quickly learn the overall security status and detect risks such as attack events and abnormal traffic, so that you can better adjust protection policies and troubleshoot security issues. For more information, see Dashboard.
| Function | Standard | Professional (Yearly/Monthly) | Professional (Pay-per-Use) |
|---|---|---|---|
| Dashboard | √ | √ | √ |
Asset Management
It provides protection for cloud assets, effectively reducing security risks. The protected assets vary depending on the edition. For details, see Table 2. For details about the protection specifications in different editions, see Table 3.
- EIP management: You can view the total number of EIPs, the number of protected EIPs, the number of unprotected EIPs, and information about associated firewalls. You can enable protection for EIPs and check the EIP list to implement centralized and visualized management.
- VPC border firewall management: You can create a firewall to protect the border between VPCs. You can check firewall details and its protection list to implement basic configuration and status management.
| Resource Name | Standard | Professional (Yearly/Monthly) | Professional (Pay-per-Use) |
|---|---|---|---|
| IPv4 | √ | √ | √ |
| IPv6 | × | × | × |
| EIP | √ | √ | √ |
| VPC | × | √ | √ |

| Function | Standard | Professional (Yearly/Monthly) | Professional (Pay-per-Use) |
|---|---|---|---|
| Protected EIPs | 20 (can be increased to 2,000) | 50 (can be increased to 2,000) | 1000 (upper limit) |
| Protected VPCs | × | 2 (can be increased to 500) | 20 (upper limit) |
| Internet Border Protection Bandwidth | Peak: 10 Mbit/s (can be increased to 2,000 Mbit/s) | Peak: 50 Mbit/s (can be increased to 2,000 Mbit/s) | 1 Gbit/s |
| VPC Border Protection Bandwidth | × | Peak: 200 Mbit/s (can be increased with the number of VPCs) | |
If your actual service traffic exceeds the protection bandwidth you purchased, your traffic may be limited, packets may be discarded randomly, and CFW may be bypassed automatically. Some of your services may be unavailable, frozen, or may respond very slowly.
In this case, purchase more protection capacity as needed to provide sufficient protection bandwidth. If your service traffic fluctuates greatly, determine the protection bandwidth to purchase based on the maximum value of Outbound 95th Percentile Bandwidth or Inbound 95th Percentile Bandwidth in the Operations Dashboard of the Dashboard page.
For details about how to purchase an expansion package, see Adding the EIP Protection Capacity.
- You can configure high traffic warning in CFW. An alarm will be sent if your service traffic reaches the specified proportion of purchased bandwidth. For more information, see Alarm Notification.
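The sizing rule above (take the larger of the inbound and outbound 95th-percentile bandwidth) and the high-traffic warning can be checked offline against exported traffic samples. The following is an added example, not Huawei Cloud code; the sample readings are constructed, and the purchased peak (10 Mbit/s, the Standard edition figure) and the 80 % alarm proportion are assumptions.

```python
"""Size CFW protection bandwidth from 95th-percentile traffic samples.

Added example, not Huawei Cloud code. The bandwidth readings are constructed;
the purchased peak (10 Mbit/s, the Standard edition figure) and the 80 %
high-traffic-warning proportion are assumptions.
"""
from typing import Sequence

# Constructed per-interval bandwidth samples in Mbit/s (one value per interval).
INBOUND_MBPS = [3.2, 4.1, 5.0, 4.8, 6.3, 5.5, 7.9, 12.4, 6.1, 5.8,
                4.4, 9.7, 8.2, 6.6, 5.1, 4.9, 7.3, 6.0, 5.4, 30.0]
OUTBOUND_MBPS = [1.1, 1.4, 2.0, 1.8, 2.2, 2.5, 3.1, 2.9, 2.4, 2.1,
                 1.9, 2.6, 3.4, 2.8, 2.3, 2.0, 1.7, 2.2, 2.7, 15.0]
PURCHASED_PEAK_MBPS = 10.0   # assumed: Standard edition default peak
ALARM_PROPORTION = 0.8       # assumed high-traffic-warning setting

def percentile_95(samples: Sequence[float]) -> float:
    """Nearest-rank 95th percentile: the value 95 % of samples are at or below.

    The top 5 % of samples (short bursts such as the 30 Mbit/s spike above)
    are excluded, so an isolated burst does not drive the purchase decision.
    """
    if not samples:
        raise ValueError("need at least one sample")
    ordered = sorted(samples)
    rank = (95 * len(ordered) + 99) // 100      # ceil(0.95 * n) in integer math
    return ordered[rank - 1]

def required_bandwidth_mbps(inbound: Sequence[float],
                            outbound: Sequence[float]) -> float:
    """Sizing rule from the page: the larger of the two 95th percentiles."""
    return max(percentile_95(inbound), percentile_95(outbound))

def expansion_needed_mbps(required: float, purchased: float) -> float:
    """Extra protection bandwidth to buy; 0 when the purchased peak suffices."""
    return max(0.0, required - purchased)

def high_traffic_alarm(current_mbps: float, purchased: float,
                       proportion: float) -> bool:
    """True once traffic reaches the configured proportion of the purchased peak."""
    return current_mbps >= purchased * proportion

if __name__ == "__main__":
    need = required_bandwidth_mbps(INBOUND_MBPS, OUTBOUND_MBPS)
    print(f"95th percentile: {need} Mbit/s, purchased: {PURCHASED_PEAK_MBPS} Mbit/s")
    print(f"expansion needed: {expansion_needed_mbps(need, PURCHASED_PEAK_MBPS):.1f} Mbit/s")
    print(f"alarm at 8.5 Mbit/s: {high_traffic_alarm(8.5, PURCHASED_PEAK_MBPS, ALARM_PROPORTION)}")
```

With these samples the inbound 95th percentile (12.4 Mbit/s) exceeds the 10 Mbit/s peak even though the average is far lower, which is exactly the case where packets would start to be dropped without an expansion.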
Access Control
You can implement fine-grained management and control of cloud asset access traffic based on network borders and service requirements. It allows or blocks specific traffic based on preset rules to ensure your assets only accept authorized access. For more information, see Access Control Policies.
- Internet border protection rules: Fine-grained access control can be performed on north-south traffic on the cloud. You can block malicious traffic from Internet assets to prevent attacks, and can restrict outbound traffic to prevent non-trustworthy external connections.
  - Protection rules: You can flexibly manage and control access traffic based on IP addresses, domain names, domain groups, and geographical locations.
  - Blacklist/Whitelist: You can manage and control specific traffic based on 5-tuples.
- VPC border protection rules: You can implement fine-grained access control on east-west traffic on the cloud. You can configure traffic control rules between VPCs, or between VPCs and local integrated data centers (IDCs), to block unauthorized internal traffic and allow trustworthy traffic.
  - Protection rules: You can flexibly manage and control access traffic based on IP addresses, domain names, domain groups, and geographical locations.
  - Blacklist/Whitelist: You can manage and control specific traffic based on 5-tuples.
- Object group management: You can customize IP address groups, domain name groups, and service groups (protocols, source ports, and destination ports). You can add objects to a group, and reference and update the group in one click on the access control page. This reduces repeated operations and facilitates policy management.
- Policy assistant: After you configure protection policies, you can view their statistics (protection rules, blacklist, and whitelist) within a specified period, including the total, allowed, and blocked traffic, as well as the policy matching details. You can adjust protection policies accordingly.
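How protection rules, object groups and the 5-tuple blacklist/whitelist combine into a single allow/block decision is easiest to see in code. The block below is an added example, not Huawei Cloud code: it models the objects the section describes (IP address groups, service groups of protocol/source ports/destination ports, protection rules, blacklist and whitelist); the evaluation order (whitelist, then blacklist, then rules top-down, then block) and all sample data are assumptions.

```python
# 5-tuple access control with CFW-style object groups. Added example, not Huawei
# Cloud code: it models the page's IP address groups, service groups (protocol,
# source ports, destination ports), protection rules and 5-tuple blacklist/
# whitelist. Precedence (whitelist, blacklist, rules top-down, default block)
# and all sample data are assumptions.
import ipaddress
from typing import List, NamedTuple, Set, Tuple

Flow = Tuple[str, int, str, int, str]   # (src_ip, src_port, dst_ip, dst_port, proto)
Rule = Tuple[str, str, str, str]        # (src_group, dst_group, service, action)

class ServiceGroup(NamedTuple):
    protocol: str
    src_ports: List[Tuple[int, int]]    # inclusive (low, high) ranges
    dst_ports: List[Tuple[int, int]]

    def matches(self, flow: Flow) -> bool:
        _, sport, _, dport, proto = flow
        return (proto == self.protocol
                and any(lo <= sport <= hi for lo, hi in self.src_ports)
                and any(lo <= dport <= hi for lo, hi in self.dst_ports))

def in_group(members: List[str], ip: str) -> bool:
    """True if ip falls in any CIDR or single address of an IP address group."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(m, strict=False) for m in members)

# Constructed sample policy: the office range may reach web servers over HTTPS,
# SSH to them is blocked for everyone, and one admin 5-tuple is whitelisted.
IP_GROUPS = {"office": ["203.0.113.0/24"], "web": ["10.0.1.10", "10.0.1.11"],
             "any": ["0.0.0.0/0"]}
SERVICES = {"https": ServiceGroup("tcp", [(1024, 65535)], [(443, 443)]),
            "ssh": ServiceGroup("tcp", [(1, 65535)], [(22, 22)])}
RULES: List[Rule] = [("office", "web", "https", "allow"), ("any", "web", "ssh", "block")]
WHITELIST: Set[Flow] = {("203.0.113.7", 50000, "10.0.1.10", 22, "tcp")}
BLACKLIST: Set[Flow] = {("203.0.113.9", 50000, "10.0.1.10", 443, "tcp")}

def decide(flow: Flow) -> str:
    if flow in WHITELIST:               # exact 5-tuple lists are checked first
        return "allow"
    if flow in BLACKLIST:
        return "block"
    src, _, dst, _, _ = flow
    for src_group, dst_group, service, action in RULES:   # first match wins
        if (in_group(IP_GROUPS[src_group], src)
                and in_group(IP_GROUPS[dst_group], dst)
                and SERVICES[service].matches(flow)):
            return action
    return "block"                      # assumed default when nothing matches
```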
| Function | Standard | Professional (Yearly/Monthly) | Professional (Pay-per-Use) |
|---|---|---|---|
| Protection Rule | √ | √ | √ |
| Blacklist and Whitelist | √ | √ | √ |
| Policy Assistant | √ | √ | √ |
Attack Defense
You can use the intrusion prevention system (IPS), sensitive directory scan, antivirus, and reverse shell detection to observe or block network attacks and virus-infected files, and can disable protection actions as needed. For more information, see Attack Defense.
- IPS: It provides basic protection functions and, drawing on many years of attack defense experience, detects threats in traffic to effectively protect your assets.
  - Basic protection: A built-in rule library. It covers common network attacks and provides basic protection capabilities for your assets.
    It can scan traffic for phishing, Trojans, worms, hacker tools, spyware, brute-force attacks, vulnerability exploits, SQL injection attacks, XSS attacks, and web attacks. It can also detect protocol anomalies, buffer overflow, access control, suspicious DNS activities, and other suspicious behaviors.
  - Virtual patching: Hot patches are provided for IPS at the network layer to intercept high-risk remote attacks in real time and prevent service interruption during vulnerability fixing.
  - Custom IPS signature database: If the built-in IPS rule library cannot meet your requirements, you can customize IPS signature rules. CFW will detect threats in traffic based on these signatures.
    The HTTP, TCP, UDP, POP3, SMTP, and FTP protocols can be configured in user-defined IPS signatures.
- Sensitive directory scan defense: It can accurately detect and defend against scan attacks on sensitive directories of cloud servers.
- Reverse shell detection and defense: It can block attacks covertly initiated using reverse shells and disrupt the associated attack chains.
- Antivirus: The service identifies and processes virus-infected files through virus feature detection to prevent data damage, permission change, and system breakdown caused by virus files.
  The HTTP, SMTP, POP3, FTP, IMAP4, and SMB protocol types can be detected.
- Security dashboard: It is a visualized management tool used for attack prevention. It allows you to quickly view protection information about defense functions, such as IPS, reverse shell detection, sensitive directory scan detection, and virus defense, so that you can adjust IPS protection policies in time.
| Function | Standard | Professional (Yearly/Monthly) | Professional (Pay-per-Use) |
|---|---|---|---|
| Basic IPS defense | √ | √ | √ |
| Virtual patch defense | √ | √ | √ |
| Custom IPS signature database | × | √ | √ |
| Sensitive directory scan defense | √ | √ | √ |
| Reverse shell defense | √ | √ | √ |
| Antivirus | × | √ | √ |
| Security dashboard | √ | √ | √ |
Traffic Analysis
You can check the traffic data protected by the current firewall instance, including the traffic dashboard, visualized statistics, and asset analysis modules of Internet and VPC border protection. For more information, see Traffic Analysis.
- Inbound traffic: The service can monitor Internet access from public and private cloud assets in real time to detect abnormal traffic in a timely manner.
- Outbound traffic: The service can monitor the IP addresses, ports, and applications of your cloud assets that are exposed to the Internet and protected by CFW. It also provides analysis reports.
- Inter-VPC access: The service can monitor the traffic between interconnected VPCs and obtain VPC network traffic statistics in real time, helping you quickly identify and rectify abnormal traffic.
| Function | Standard | Professional (Yearly/Monthly) | Professional (Pay-per-Use) |
|---|---|---|---|
| Inbound traffic | √ | √ | √ |
| Outbound traffic | √ | √ | √ |
Log Audit
This function records details about attack events, access control policy matching details, and all traffic passing through the firewall to facilitate event backtracking and troubleshooting. For more information, see Log Audit.
- Log query: The firewall provides logs of the last seven days, helping you trace and analyze events. The following types of logs can be audited:
  - Attack event logs: They record all the configurations and operations in CFW, such as enabling or disabling the firewall and modifying intrusion prevention settings.
  - Access control logs: They record the traffic that passes through CFW and matches an access control policy. You can check the time, threat type, source IP address, destination IP address, application type, and severity of the traffic.
  - Traffic logs: They record all the traffic that passes through CFW. When a threat event occurs, you can analyze the traffic and access source based on traffic logs and check whether the configured access control policy takes effect.
- Log management: You can transfer your logs to Log Tank Service (LTS) on Huawei Cloud and view logs generated in the past 1 to 365 days.
| Function | Standard | Professional (Yearly/Monthly) | Professional (Pay-per-Use) |
|---|---|---|---|
| Querying Logs | √ | √ | √ |
| Log Management | √ | √ | √ |
System Management
This feature provides alarm notification, DNS configuration, and security reports, helping you manage and maintain the security of your cloud assets and detect exceptions in a timely manner. For more information, see System Management.
- Alarm notification: You can receive notifications by SMS or email when an asset is attacked or traffic exceeds the threshold.
- Network packet capture: It can accurately filter traffic by source/destination IP address, port, and protocol, and can capture data packets to quickly obtain the original data packet content, detect attacks, and check for risks.
- DNS configuration: You can specify a DNS server address for a firewall instance. The DNS server address can be manually added or automatically obtained to resolve domain names involved in firewall rules, so that domain name access control policies can be applied.
- Security report: The service provides daily and weekly reports, and allows you to customize the report period. The reports show the statistics on the security trend, key events, and risks of protected assets.
| Function | Standard | Professional (Yearly/Monthly) | Professional (Pay-per-Use) |
|---|---|---|---|
| Alarm Notification | √ | √ | √ |
| Network Packet Capture | × | √ | √ |
| DNS Configuration | √ | √ | √ |
| Security Reports | √ | √ | √ |