What Are the Precautions for Configuring a NAT64 Defense Policy?
A firewall instance cannot protect the real source IP address before NAT64 translation. If you enable IPv6 translation for EIPs, NAT64 translates the source IP address into an address in the 198.19.0.0/16 CIDR block, which is the address used for ACL access control.
For IPv6 access, you are advised to allow traffic from the predefined address group NAT64 Address Set. This allows access from all the IP addresses in the 198.19.0.0/16 CIDR block. To block specific IP addresses, configure the blacklist or a blocking policy.
- For details about the IPv6 EIP function, see Assigning or Releasing an IPv6 EIP.
- For details about NAT64 Address Set, see NAT64 Address Set.
- For details about how to configure the blacklist, see Adding an Item to the Blacklist or Whitelist.
- For details about how to configure a blocking policy, see Adding a Protection Rule.
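The following policy check is an added example, not Huawei Cloud code or a CFW API. It assumes a hypothetical rule format (dicts with `name`, `action`, `source`) and that protection rules are evaluated top-down with the first match winning; it models protection rules only, not the blacklist. It flags rules keyed on IPv6 sources, which the firewall does not see after NAT64 translation, and block rules placed after the allow for 198.19.0.0/16.

```python
import ipaddress

# Range that NAT64 translates IPv6 sources into, as stated on this page.
NAT64_POOL = ipaddress.ip_network("198.19.0.0/16")

def audit(rules):
    """Return (rule_name, finding) pairs for an ordered rule list.

    Assumption: rules are evaluated top-down and the first match wins.
    """
    findings = []
    pool_decider = None  # first rule whose source covers the whole NAT64 pool
    for rule in rules:
        net = ipaddress.ip_network(rule["source"], strict=False)
        if net.version == 6:
            # The real IPv6 source is not visible after NAT64 translation.
            findings.append((rule["name"], "ipv6-source-not-visible"))
            continue
        if NAT64_POOL.subnet_of(net):
            if pool_decider is None:
                pool_decider = rule
                if rule["action"] == "block":
                    findings.append((rule["name"], "nat64-pool-blocked"))
        elif (rule["action"] == "block" and net.overlaps(NAT64_POOL)
              and pool_decider is not None
              and pool_decider["action"] == "allow"):
            # A narrower block below the pool-wide allow never matches.
            findings.append((rule["name"], "shadowed-by-allow"))
    if pool_decider is None:
        findings.append(("<policy>", "nat64-pool-not-allowed"))
    return findings

# Constructed sample policies (names and addresses are illustrative).
BAD_ORDER = [
    {"name": "block-v6-client", "action": "block", "source": "2001:db8::/32"},
    {"name": "allow-nat64", "action": "allow", "source": "198.19.0.0/16"},
    {"name": "block-translated", "action": "block", "source": "198.19.7.25/32"},
]
GOOD_ORDER = [
    {"name": "block-translated", "action": "block", "source": "198.19.7.25/32"},
    {"name": "allow-nat64", "action": "allow", "source": "198.19.0.0/16"},
]

if __name__ == "__main__":
    for name, finding in audit(BAD_ORDER):
        print(f"{name}: {finding}")
```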