Migrating Security Policies to CFW in Batches

Updated on 2025-01-23 GMT+08:00

Application Scenarios

If you are migrating services to Huawei Cloud or replacing the security policies of another firewall with CFW, you can add security policies quickly by importing them in batches.

Precautions

  • If the network layout changes during the rule migration (for example, IP addresses are reassigned), rewrite the network information (such as the IP addresses) in the original policy before importing it.
  • To reduce the impact of the rule migration on services, you are advised to import all rules in the disabled state (especially the blocking rules). After the template is imported and the rules have been verified, enable the rules.
  • Imported rules have a lower priority than rules that were created on the console.

    If you need to allow specific traffic, it must be allowed by the CFW rules, the network ACLs, and the security groups alike.

  • If you need to import and reference an object group (such as an IP address group), enter the group information in the corresponding information table (such as the address information table) and then reference the group in the protection rule table.

Migrating Outbound Blocking Rules in Batches

  1. Export the rule configuration file from the other firewall using its API or policy backup function.

    For example, export the following rule:
    • rule id: 123
    • src-zone: trust
    • dst-zone: untrust
    • src-addr: 0.0.0.0/0
    • dst-addr: xx.xx.xx.9
    • service: SSH
    • action: deny
    • name: example123

  2. Log in to the management console.
  3. Click in the upper left corner of the management console and select a region or project.
  4. In the navigation pane on the left, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
  5. (Optional) Switch to another firewall instance: Select a firewall from the drop-down list in the upper left corner of the page.
  6. In the navigation pane, choose Access Control > Access Policies.
  7. Click Download Center on the upper right corner of the list.
  8. Click Download Template to download the rule import template to the local host.
  9. Set parameters in the template.

    • Order: 1
    • Acl Name: example123
    • Protection Rule: EIP protection
    • Direction: Outbound
    • Action Type: Block
    • ACL Address Type: IPv4
    • Status: Disable
    • Description: An example
    • Source Address Type: IP address
    • Source Address: 0.0.0.0/0
    • Destination Address Type: IP address
    • Destination Address: xx.xx.xx.9
    • Service Type: Service
    • Protocol/Source Port/Destination Port: TCP/1-65535/22

  10. After filling in the template, click Import Rule to import the template.
  11. Enable the policy. You are advised to start with the policies that do not affect main services.
  12. Check whether there are rule matching records in the logs. For details about how to query access logs, see Querying Logs.

    • If there are hit records, the rule has taken effect.
    • If there are no hit records, perform the following steps:
      1. Enable protection on the resources specified in the policy. For details about how to enable protection for EIPs, see Enabling EIP Protection. For details about how to enable protection for VPCs, see Adding a Protected VPC.
      2. Check whether a rule with a higher priority is matched. For details about how to set the priority of rules, see Configuring a Rule Priority.
      3. On the Access Policies page, check whether any delivery failure error is reported.

Migrating Address Group Members and Domain Group Members in Batches

  1. Export the rule configuration file from the other firewall using its API or policy backup function.
  2. Log in to the management console.
  3. Click in the upper left corner of the management console and select a region or project.
  4. In the navigation pane on the left, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
  5. (Optional) Switch to another firewall instance: Select a firewall from the drop-down list in the upper left corner of the page.
  6. In the navigation pane, choose Access Control > Access Policies.
  7. Click Download Center on the upper right corner of the list.
  8. Click Download Template to download the rule import template to the local host.
  9. Set parameters in the template.

    • Address-Table:
      • IP Address Group Name: address group 1
      • IP Address Group Description: service A
      • Address Set Address Type: IPv4
      • IP Address Items
        • IP Address: 10.1.1.2; Description: ECS1
        • IP Address: 10.1.1.3; Description: ECS2
        • IP Address: 10.1.1.4; Description: ECS3
    • Domain-Table:
      • Domain Set Name: domain group 1
      • Domain Set Type: URL filtering
      • Domain Set Description: external access domain name of service A
      • Domain Items:
        • Domain Address: www.example.test.api; Domain Description: api
        • Domain Address: www.test.example.com; Domain Description: a domain name
        • Domain Address: www.example.example.test; Domain Description: XX system
    • Rule-ACL-Table:
      • Order: 1
      • ACL Name: service A external connection
      • Protection Rule: NAT protection
      • Direction: Outbound
      • Action Type: Allow
      • ACL Address Type: IPv4
      • Status: Disable
      • Source Address Type: IP address group
      • Source Address Group Name: address group 1
      • Destination Address Type: domain group
      • Destination Address Group Name: domain group 1
      • Service Type: Service
      • Protocol/Source Port/Destination Port: TCP/0-65535/8080

  10. After filling in the template, click Import Rule to import the template.
  11. Enable the policy. You are advised to start with the policies that do not affect main services.
  12. Check whether there are rule matching records in the logs. For details about how to query access logs, see Querying Logs.

    • If there are hit records, the rule has taken effect.
    • If there are no hit records, perform the following steps:
      1. Enable protection on the resources specified in the policy. For details about how to enable protection for EIPs, see Enabling EIP Protection. For details about how to enable protection for VPCs, see Adding a Protected VPC.
      2. Check whether a rule with a higher priority is matched. For details about how to set the priority of rules, see Configuring a Rule Priority.
      3. On the Access Policies page, check whether any delivery failure error is reported.
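The two procedures above (Migrating Outbound Blocking Rules in Batches and Migrating Address Group Members and Domain Group Members in Batches) both come down to the same mapping: one exported rule becomes one Rule-ACL-Table row, group members become Address-Table and Domain-Table rows, and the rule references the groups by name. The following Python script is an added example, not Huawei Cloud code and not the official template: it takes a constructed export shaped like the rule in step 1 (192.0.2.9 stands in for xx.xx.xx.9), applies the precautions on this page (rewriting changed IP addresses, importing every rule with Status set to Disable), validates each address, and writes CSV tables whose column names follow the fields listed above. The column headers, the CSV format, and the zone, action and service vocabulary of the exporting firewall (DIRECTION_BY_ZONES, ACTION_MAP, SERVICE_ALIASES) are all assumptions; adjust them to the real export and to the template downloaded from Download Center.

```python
"""Added example, not Huawei Cloud code: turn rules exported from another firewall into
rows shaped like the CFW import template (Rule-ACL-Table, Address-Table, Domain-Table).
Column names follow the fields on this page; the real template's headers are an assumption."""
import csv
import io
import ipaddress

RULE_COLUMNS = ["Order", "ACL Name", "Protection Rule", "Direction", "Action Type",
                "ACL Address Type", "Status", "Description", "Source Address Type",
                "Source Address", "Source Address Group Name", "Destination Address Type",
                "Destination Address", "Destination Address Group Name", "Service Type",
                "Protocol/Source Port/Destination Port"]
ADDRESS_COLUMNS = ["IP Address Group Name", "IP Address Group Description",
                   "Address Set Address Type", "IP Address", "Description"]
DOMAIN_COLUMNS = ["Domain Set Name", "Domain Set Type", "Domain Set Description",
                  "Domain Address", "Domain Description"]

# Vocabulary of the exporting firewall (zones, actions, services): assumed, adjust to the real export.
DIRECTION_BY_ZONES = {("trust", "untrust"): "Outbound", ("untrust", "trust"): "Inbound"}
ACTION_MAP = {"deny": "Block", "drop": "Block", "permit": "Allow", "allow": "Allow"}
SERVICE_ALIASES = {"SSH": ("TCP", "22"), "HTTPS": ("TCP", "443")}

# Constructed sample input: the step-1 rule (192.0.2.9 stands in for xx.xx.xx.9) and a
# second rule that references the address group and domain group of the second section.
EXPORTED_RULES = [
    {"rule id": "123", "src-zone": "trust", "dst-zone": "untrust", "src-addr": "0.0.0.0/0",
     "dst-addr": "192.0.2.9", "service": "SSH", "action": "deny", "name": "example123",
     "protection": "EIP protection"},
    {"rule id": "124", "src-zone": "trust", "dst-zone": "untrust",
     "src-addr": "address group 1", "dst-addr": "domain group 1", "service": "TCP/8080",
     "action": "permit", "name": "service A external connection",
     "protection": "NAT protection"},
]
ADDRESS_GROUPS = {"address group 1": {"description": "service A", "members": [
    ("10.1.1.2", "ECS1"), ("10.1.1.3", "ECS2"), ("10.1.1.4", "ECS3")]}}
DOMAIN_GROUPS = {"domain group 1": {
    "type": "URL filtering", "description": "external access domain name of service A",
    "members": [("www.example.test.api", "api"), ("www.test.example.com", "a domain name"),
                ("www.example.example.test", "XX system")]}}
# Precaution 1: IP addresses that changed with the move (old -> new), constructed values.
REWRITES = {"192.0.2.9": "198.51.100.9"}


def map_service(service):  # 'SSH' -> 'TCP/1-65535/22', 'TCP/8080' -> 'TCP/1-65535/8080'
    key = service.upper()
    proto, port = SERVICE_ALIASES[key] if key in SERVICE_ALIASES else key.split("/", 1)
    return f"{proto}/1-65535/{port}"


def map_address(addr, address_groups, domain_groups, rewrites):
    """Return (address type, literal address, group name) for one side of a rule."""
    if addr in address_groups:
        return "IP address group", "", addr
    if addr in domain_groups:
        return "domain group", "", addr
    addr = rewrites.get(addr, addr)
    ipaddress.ip_network(addr, strict=False)  # raises ValueError on a malformed address
    return "IP address", addr, ""


def convert_rules(exported, address_groups, domain_groups, rewrites):
    """Rule-ACL-Table rows; every rule lands with Status=Disable (precaution 2)."""
    rows = []
    for order, rule in enumerate(exported, start=1):
        s_type, s_addr, s_grp = map_address(rule["src-addr"], address_groups, domain_groups, rewrites)
        d_type, d_addr, d_grp = map_address(rule["dst-addr"], address_groups, domain_groups, rewrites)
        rows.append({
            "Order": order, "ACL Name": rule["name"],
            "Protection Rule": rule.get("protection", "EIP protection"),
            "Direction": DIRECTION_BY_ZONES[(rule["src-zone"], rule["dst-zone"])],
            "Action Type": ACTION_MAP[rule["action"].lower()],
            "ACL Address Type": "IPv4", "Status": "Disable",
            "Description": f"migrated from rule id {rule['rule id']}",
            "Source Address Type": s_type, "Source Address": s_addr,
            "Source Address Group Name": s_grp,
            "Destination Address Type": d_type, "Destination Address": d_addr,
            "Destination Address Group Name": d_grp, "Service Type": "Service",
            "Protocol/Source Port/Destination Port": map_service(rule["service"]),
        })
    return rows


def address_table(address_groups):  # one Address-Table row per member, IP validated
    return [{"IP Address Group Name": name, "IP Address Group Description": g["description"],
             "Address Set Address Type": "IPv4", "IP Address": str(ipaddress.ip_address(ip)),
             "Description": desc}
            for name, g in address_groups.items() for ip, desc in g["members"]]


def domain_table(domain_groups):  # one Domain-Table row per member domain
    return [{"Domain Set Name": name, "Domain Set Type": g["type"],
             "Domain Set Description": g["description"], "Domain Address": dom,
             "Domain Description": desc}
            for name, g in domain_groups.items() for dom, desc in g["members"]]


def to_csv(rows, columns):
    """Serialise one table as CSV text under the assumed header row."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```

Run `to_csv(address_table(ADDRESS_GROUPS), ADDRESS_COLUMNS)`, `to_csv(domain_table(DOMAIN_GROUPS), DOMAIN_COLUMNS)` and `to_csv(convert_rules(EXPORTED_RULES, ADDRESS_GROUPS, DOMAIN_GROUPS, REWRITES), RULE_COLUMNS)` to produce the three tables, then paste them into the downloaded template before clicking Import Rule. Two design choices follow the Precautions: a changed address that is not in REWRITES is imported unchanged, so review the generated Destination Address column before import, and every row carries Status=Disable so that a mistranslated blocking rule cannot interrupt traffic until you enable it and check the hit records in the logs. The script normalises the source port range to 1-65535; the second example on this page writes 0-65535 for the same rule, so keep whichever form the template you downloaded accepts.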

References

  • For the parameters of the security policy import template, see Parameters of Rule Import Template.
  • Periodically check rule hits on the policy assistant page or in custom security reports.

    The policy assistant and security reports display the rule matching trend and top N matched rules, helping you locate abnormal rules in a timely manner.
