Updated on 2024-04-09 GMT+08:00

Migrating Security Rules

CFW allows you to import protection rules in batches, helping you quickly migrate security rules.

Application Scenarios

If you need to migrate security rules from other clouds to Huawei Cloud or from other firewalls to CFW, you can import the security rules in batches.

Procedure

  1. Export the rule configuration file from the other firewall using its API or policy backup function.
  2. Log in to the management console.
  3. Click in the upper left corner of the management console and select a region or project.
  4. In the navigation pane on the left, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
  5. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click View in the Operation column to go to the details page.
  6. In the navigation pane, choose Access Control > Access Policies.
  7. Click Download Center on the upper right of the list.
  8. Click Download Template to download the rule import template to the local host.
  9. Set parameters. For details about the parameters, see Parameters of Rule Import Template.

    • If the networking changes during rules migration, you need to rewrite the network information (such as the IP address) in the original policy.
    • To reduce the impact of security rule migration on services, you are advised to import all rules in the disabled state (especially the blocking rules). After the template is imported and the rules have been verified, enable them.
    • Imported rules have a lower priority than rules that were created directly in CFW.
    • If specific traffic must be allowed, it has to be permitted by the CFW rules, the network ACL, and the security groups alike; a block in any one of them still blocks the traffic.
    • If you need to import and reference an object group (such as an IP address group), enter the group information in the corresponding information table (such as the address information table) and then reference the object group in the protection rule table.

  10. After filling in the template, click Import Rule to import the template.
  11. Enable the policies. You are advised to start with the policies that do not affect main services.
  12. Check whether there are rule matching records in the logs. For details about how to query access logs, see Querying Logs.

    • If there are hit records, the rule has taken effect.
    • If there are no hit records, perform the following steps:
      1. Check whether the resources corresponding to the protection rules are protected by CFW. For details about EIP resources, see Viewing EIP Information. For details about VPC resources, see Adding a Protected VPC.
      2. Check whether a rule with a higher priority is matched. For details about how to set the priority of rules, see Configuring a Rule Priority.
      3. On the Access Policies page, check whether any delivery failure error is reported.

  13. (Optional) Periodically check the rule matching status by viewing the policy assistant or custom security reports.

    The policy assistant and security reports display the rule matching trend and top N matched rules, helping you locate abnormal rules in a timely manner.

Example of Importing Parameters - Inbound Blocking Rule

Original rule

  • rule id: 123
  • src-zone: trust
  • dst-zone: untrust
  • src-addr: 0.0.0.0/0
  • dst-addr: xx.xx.xx.9
  • service: SSH
  • action: deny
  • name: example123

Converted rule, as entered in the import template:

  • Order: 1
  • ACL Name: example123
  • Protection Rule: EIP protection
  • Direction: Outbound
  • Action Type: Block
  • ACL Address Type: IPv4
  • Status: Disable
  • Description: An example
  • Source Address Type: IP address
  • Source Address: 0.0.0.0/0
  • Destination Address Type: IP address
  • Destination Address: xx.xx.xx.9
  • Service Type: Service
  • Protocol/Source Port/Destination Port: TCP/1-65535/22
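The conversion shown above, as an added script that is not part of this page or of CFW itself: it turns exported rules into rows with the template's columns, applies the deny-to-Block and SSH-to-TCP/1-65535/22 mappings, writes every row with Status set to Disable as the procedure advises, and refuses addresses that were not rewritten for the new network. The service and action maps, the 192.0.2.9 address standing in for xx.xx.xx.9, and the CSV layout are assumptions.

```python
import csv
import io
import ipaddress

# Exported service names -> CFW "Protocol/Source Port/Destination Port" field.
# SSH is the page's mapping; HTTPS is an assumed extra entry for illustration.
SERVICE_MAP = {"SSH": "TCP/1-65535/22", "HTTPS": "TCP/1-65535/443"}
ACTION_MAP = {"deny": "Block", "permit": "Allow"}
COLUMNS = ["Order", "ACL Name", "Protection Rule", "Direction", "Action Type",
           "ACL Address Type", "Status", "Description", "Source Address Type",
           "Source Address", "Destination Address Type", "Destination Address",
           "Service Type", "Protocol/Source Port/Destination Port"]

def convert_rule(order, rule, protection="EIP protection", direction="Outbound"):
    """Convert one exported rule into a CFW template row.
    Zones do not map onto CFW directions automatically, so the caller supplies
    protection type and direction; rows are written Status=Disable so the rules
    can be reviewed before being enabled, as the procedure advises."""
    try:
        action = ACTION_MAP[rule["action"]]
        service = SERVICE_MAP[rule["service"]]
    except KeyError as exc:
        raise ValueError(f"rule {rule['rule id']}: no mapping for {exc}") from None
    for key in ("src-addr", "dst-addr"):
        try:  # catch placeholders or addresses not rewritten for the new network
            ipaddress.ip_network(rule[key], strict=False)
        except ValueError:
            raise ValueError(f"rule {rule['rule id']}: bad {key} {rule[key]!r}") from None
    return {"Order": order, "ACL Name": rule["name"], "Protection Rule": protection,
            "Direction": direction, "Action Type": action, "ACL Address Type": "IPv4",
            "Status": "Disable", "Description": rule.get("description", ""),
            "Source Address Type": "IP address", "Source Address": rule["src-addr"],
            "Destination Address Type": "IP address",
            "Destination Address": rule["dst-addr"], "Service Type": "Service",
            "Protocol/Source Port/Destination Port": service}

def convert_rules(rules, **kwargs):
    # Emit CSV text with the template's column order; one row per exported rule.
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(convert_rule(i, r, **kwargs) for i, r in enumerate(rules, 1))
    return buf.getvalue()

# Constructed sample: the page's rule 123, with 192.0.2.9 standing in for xx.xx.xx.9.
ORIGINAL_RULES = [{"rule id": "123", "src-zone": "trust", "dst-zone": "untrust",
                   "src-addr": "0.0.0.0/0", "dst-addr": "192.0.2.9",
                   "service": "SSH", "action": "deny", "name": "example123"}]
```

Rules whose service or action has no mapping, or whose addresses are still placeholders, are rejected before anything reaches the template, so the unmapped cases are fixed by hand rather than imported silently.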

Example of Importing Parameters - Access of Address Group Members to Domain Group Members

Address-Table:
  • IP Address Group Name: address group 1
  • IP Address Group Description: service A
  • Address Set Address Type: IPv4
  • IP Address Items:
    • IP Address: 10.1.1.2; Description: ECS1
    • IP Address: 10.1.1.3; Description: ECS2
    • IP Address: 10.1.1.4; Description: ECS3
Domain-Table:
  • Domain Set Name: domain group 1
  • Domain Set Type: URL filtering
  • Domain Set Description: external access domain name of service A
  • Domain Items:
    • Domain Address: www.example.test.api; Domain Description: api
    • Domain Address: www.test.example.com; Domain Description: a domain name
    • Domain Address: www.example.example.test; Domain Description: XX system
Rule-ACL-Table:
  • Order: 1
  • ACL Name: service A external connection
  • Protection Rule: NAT protection
  • Direction: Outbound
  • Action Type: Allow
  • ACL Address Type: IPv4
  • Status: Disable
  • Source Address Type: IP address group
  • Source Address Group Name: address group 1
  • Destination Address Type: domain group
  • Destination Address Group Name: domain group 1
  • Service Type: Service
  • Protocol/Source Port/Destination Port: TCP/0-65535/8080