- What's New
- Function Overview
- Service Overview
- Billing
- Getting Started
-
User Guide
- Creating a User Group and Granting Permissions
- Checking the Dashboard
- Purchasing and Changing the Specifications of CFW
- Enabling Internet Border Traffic Protection
- Enabling VPC Border Traffic Protection
- Enabling NAT Gateway Traffic Protection
-
Configuring Access Control Policies to Control Traffic
- Access Control Policy Overview
- Configuring Protection Rules to Block or Allow Traffic
- Adding Blacklist or Whitelist Items to Block or Allow Traffic
- Viewing Protection Information Using the Policy Assistant
- Managing Access Control Policies
- Managing IP Address Groups
- Domain Name Management
- Service Group Management
- Attack Defense
- Viewing Traffic Statistics
- Viewing CFW Protection Logs
- System Management
- Permissions Management
- Using Cloud Eye to Monitor CFW
- CTS Auditing
-
Best Practices
- CFW Best Practice Summary
- Purchasing and Querying CFW via API
- Migrating Security Policies to CFW in Batches
- Configuration Suggestions for Using CFW with WAF, Advanced Anti-DDoS, and CDN
- Allowing Internet Traffic Only to a Specified Port
- Allowing Outbound Traffic from Cloud Resources Only to a Specified Domain Name
- Using CFW to Defend Against Network Attacks
- Configuring a Protection Rule to Protect Traffic Between Two VPCs
- Configuring a Protection Rule to Protect SNAT Traffic
- Using CFW to Protect Enterprise Resources
- Using CFW to Protect EIPs Across Accounts
- Using CFW to Protect VPCs Across Accounts
-
API Reference
- Before You Start
- API Overview
- API Calling
-
API
-
Firewall Management
- Creating a Firewall
- Obtaining the Status of a CFW Task
- Deleting a Firewall
- Querying the Firewall List
- Changing the East-West Firewall Protection Status
- Querying Firewall Details
- Obtaining East-West Firewall Information
- Creating an East-West Firewall
- Querying the Number of Protected VPCs
- Creating a Tag
- Deleting a Tag
- EIP Management
-
ACL Rule Management
- Creating an ACL Rule
- Deleting an ACL Rule
- Deleting ACL Rules in Batches
- Deleting the Number of Rule Hits
- Updating an ACL Rule
- Updating Rule Actions in Batches
- Setting the Priority of an ACL Protection Rule
- Querying a Protection Rule
- Querying Rule Tags
- Obtaining the Number of Rule Hits
- Viewing the Region List
- Checking the ACL Import Status
- Blacklist/Whitelist Management
- Address Group Management
- Service Group Management
-
Domain Name Resolution and Domain Name Group Management
- Adding a Domain Name Group
- Deleting a Domain Name Group
- Updating a Domain Name Group
- Updating the DNS Server List
- Querying the Domain Name Group List
- Querying the DNS Server List
- Querying an IP Address for Domain Name Resolution
- Obtain the list of domain names in a domain name group
- Adding a Domain Name List
- Deleting a Domain Name List
- Viewing Domain Group Details
- Obtaining the DNS Resolution Result of a Domain Name
- Deleting Domain Groups in Batches
- IPS management
- Log Management
- Packet Capture Management
- Antivirus Management
- Alarm Configuration Management
- Tag Management
- IPS Management
-
Firewall Management
- Appendix
- SDK Reference
-
FAQs
-
About the Product
- Does CFW Support Off-Cloud Servers?
- What Are the QPS, New Connections, and Concurrent Connections Supported by CFW?
- Can CFW Be Shared Across Accounts?
- What Are the Differences Between CFW and WAF?
- What Are the Differences Between CFW, Security Groups, and Network ACLs?
- How Does CFW Control Access?
- What Are the Priorities of the Protection Settings in CFW?
- Can WAF, Advanced Anti-DDoS, and CFW Be Deployed Together?
- Can CFW Protect Resources Across Enterprise Projects?
- How Long Are CFW Logs Stored by Default?
- Regions and AZs
-
Troubleshooting
- What Do I Do If Service Traffic is Abnormal?
- Why Are Traffic and Attack Logs Incomplete?
- Why Does a Protection Rule Not Take Effect?
- What Do I Do If IPS Blocks Normal Services?
- Why Is No Data Displayed on the Access Control Logs Page?
- Why Is the IP Address Translated Using NAT64 Blocked?
- Why Some Permissions Become Invalid After a System Policy Is Granted to an Enterprise Project?
- What Do I Do If a Message Indicating Insufficient Permissions Is Displayed When I Configure LTS Logs?
-
Network Traffic
- How Do I Calculate the Number of Protected VPCs and the Peak Protection Traffic at the VPC Border?
- How Does CFW Collect Traffic Statistics?
- What Is the Protection Bandwidth Provided by CFW?
- What Do I Do If My Service Traffic Exceeds the Protection Bandwidth?
- What Are the Differences Between the Data Displayed in Traffic Trend Module and the Traffic Analysis Page?
- How Do I Verify the Validity of an Outbound HTTP/HTTPS Domain Protection Rule?
- How Do I Obtain the Real IP Address of an Attacker?
- What Do I Do If a High Traffic Warning Is Received?
-
About the Product
- Videos
-
More Documents
-
User Guide (Ankara Region)
- Product Overview
- Checking the Dashboard
- Creating Cloud Firewall
- Enabling Internet Border Traffic Protection
- Enabling VPC Border Traffic Protection
-
Configuring Access Control Policies to Control Traffic
- Access Control Policy Overview
- Configuring Protection Rules to Block or Allow Traffic
- Adding Blacklist or Whitelist Items to Block or Allow Traffic
- Viewing Protection Information Using the Policy Assistant
- Managing Access Control Policies
- Managing IP Address Groups
- Domain Name Management
- Service Group Management
- Attack Defense
- Viewing Traffic Statistics
- Viewing CFW Protection Logs
- System Management
-
FAQs
-
About the Product
- Does CFW Support Off-Cloud Servers?
- What Are the QPS, New Connections, and Concurrent Connections Supported by CFW?
- Can CFW Be Shared Across Accounts?
- What Are the Differences Between CFW and WAF?
- What Are the Differences Between CFW, Security Groups, and Network ACLs?
- How Does CFW Control Access?
- What Are the Priorities of the Protection Settings in CFW?
- Can WAF and CFW Be Deployed Together?
- Troubleshooting
- Network Traffic
-
About the Product
- Change History
- API Reference (Ankara Region)
-
User Guide (Ankara Region)
- General Reference
Show all
Copied.
Configuration Suggestions for Using CFW with WAF, Advanced Anti-DDoS, and CDN
This section describes where CFW is deployed in the network architecture for inbound cloud traffic protection and how to configure CFW when it is used with other Huawei Cloud services.
Overview
Web Application Firewall (WAF), Advanced Anti-DDoS (AAD), and Content Delivery Network (CDN) work as reverse proxies. If these services are deployed, the source IP addresses received by CFW is the back-to-origin IP addresses returned by these services.
If other Huawei Cloud products are configured, traffic will be protected by multiple services. For inbound traffic protection, if a reverse proxy service, such as Content Delivery Network (CDN), Anti-DDoS Service (AAD), or cloud Web Application Firewall (cloud WAF), is deployed before CFW, you need to configure a policy that allows back-to-source IP addresses to avoid misblocking. If a dedicated or load-balancing WAF instance is purchased, configure it as needed.
AAD/CDN
- Creating a rule: Create a policy with the highest priority to allow all back-to-origin IP addresses. In this way, traffic still goes to CFW for check.
- Adding to whitelist: After back-to-source IP addresses are added to the whitelist, the traffic will be directly allowed to pass through, and CFW does not perform any protection.
After traffic passes through the reverse proxy, a source IP address is translated into a back-to-source IP address. If an external attack occurs, CFW cannot obtain the real IP address of an attacker. In this case, you can obtain the real IP address based on the X-Forwarded-For field. For details, see How Do I Obtain the Real IP Address of an Attacker?
You are not advised to block back-to-origin IP addresses or add them to a blacklist. Otherwise, all traffic from such IP addresses will be blocked and your services may be affected.
Cloud WAF
- Creating a rule: Create a policy with the highest priority to allow all back-to-origin IP addresses. In this way, traffic still goes to CFW for check.
- Adding to whitelist: After back-to-source IP addresses are added to the whitelist, the traffic will be directly allowed to pass through, and CFW does not perform any protection.
After traffic passes through the reverse proxy, a source IP address is translated into a back-to-source IP address. If an external attack occurs, CFW cannot obtain the real IP address of an attacker. In this case, you can obtain the real IP address based on the X-Forwarded-For field. For details, see How Do I Obtain the Real IP Address of an Attacker?
You are not advised to block back-to-origin IP addresses or add them to a blacklist. Otherwise, all traffic from such IP addresses will be blocked and your services may be affected.
Dedicated WAF
- You have enabled CFW protection for the EIPs bound to public network ELB load balancers.
If there is an attack from the client, CFW prints the attack event on the Internet Border Firewall tab under Attack Event Logs.
The destination IP address of the event is the EIP bound to the public ELB load balancer, and the source IP address is the IP address of the client.
- You have enabled VPC border firewall and associated with the VPC where the origin server resides. No protection is enabled for EIPs bound to the ELB load balancer.
If there is an attack from the client, CFW prints the attack event on the VPC Border Firewall tab under Attack Event Logs.
The destination IP address of the event is the private IP address of the origin server, and the source IP address is the private IP address of the traffic ingress (such as the Nginx server).
ELB-mode WAF
The traffic passes through CFW and then WAF. Configure services as needed.
References
- Add a protection rule. For details, see Adding a Protection Rule.
- For details about how to set the whitelist, see Managing the Blacklist and the Whitelist.
- For details about the protection sequence, see What Are the Priorities of the Protection Settings in CFW?
- Obtain the back-to-source IP address of WAF. For details, see Step 2: Whitelisting WAF IP Addresses.
- Obtain the back-to-source IP address of Advanced Anti-DDoS. For details, see How Do I Query the Back-to-Origin IP Address Range?
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot