Updated on 2022-12-13 GMT+08:00

Features

Cloud Firewall (CFW) comes in the standard edition. On the CFW console, you can check CFW status, access control, intrusion prevention, traffic analysis, and log audit statistics.

Table 1 Features

Dashboard: You can check which firewalls are enabled and which are disabled.

Assets: You can check and manage EIPs.

Access Control: You can control access at Internet borders.

Intrusion Prevention: You can detect and prevent intrusions from Internet traffic by selecting a protection mode and choosing whether to enable basic protection. Basic protection includes threat detection and vulnerability scanning:

  • Detects whether traffic contains phishing, Trojan horses, worms, hacker tools, spyware, password attacks, vulnerability attacks, SQL injection attacks, XSS attacks, and web attacks.
  • Checks traffic for protocol anomalies, buffer overflows, access control violations, suspicious DNS activities, and other suspicious behaviors.

Traffic Analysis: You can check the following statistics:

  • Internet access traffic in the last hour, last 24 hours, and last 7 days
  • Intrusion events in the last hour, last 24 hours, and last 7 days

Log Audit: You can check the following types of logs:

  • Attack event logs, which contain details about intrusions
  • Access control logs, which record which access was allowed and which was blocked
  • Traffic logs, which contain the access traffic of specific services

You can use Log Tank Service (LTS) on Huawei Cloud to record all CFW logs, including attack event, access control, and traffic logs.

Table 2 Functions and restrictions of the Huawei out-of-path (bypass blocking) engine

Menu | Tab | GUI element | Function/restriction
Access Control > Access Policies | Protection Rules | Operation column of the rule list | Rule priority can be configured.
Access Control > Access Policies | Protection Rules | Add Rule | Rule priority can be configured.
Access Control > Access Policies | Protection Rules | Add Rule | Only the TCP protocol is supported.
Access Control > Access Policies | Blacklist | Add to Blacklist | Only the TCP protocol is supported.
Access Control > Access Policies | Whitelist | Add to Whitelist | Only the TCP protocol is supported.

NOTE:

The Huawei out-of-path engine allows all traffic by default. Because its protection rules, blacklist, and whitelist accept only TCP, it cannot block UDP or ICMP traffic; such traffic always passes this engine. If non-TCP traffic must be blocked, use the Hillstone in-path engine, which supports TCP, UDP, ICMP, ICMPv6, and Any.

Table 3 Hillstone engine and Huawei out-of-path engine

Hillstone engine (in-path)
  Function: The in-path firewall engine performs security detection and protection on user traffic before forwarding it to the target ECS. It provides a wide range of detection functions and flexible blocking policies.
  Protocols: TCP, UDP, ICMP, ICMPv6, and Any
  Scenario: Protection for Internet borders and VPC borders

Huawei out-of-path engine
  Function: The firewall engine is deployed out of path. It mirrors user traffic for analysis and delivers policies to block threat sessions. Out-of-path deployment does not change the direction of user traffic and has no impact on services.
  Protocols: TCP only
  Scenario: Internet border protection
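The tables above make two points that are easy to get wrong when writing policies: rules are evaluated in priority order, and an engine that accepts only TCP rules and allows everything by default can never block UDP or ICMP. The following Python model is an added illustration of those two points; it is not CFW's own code, rule schema, or evaluation algorithm. The rule fields, the "lower number is evaluated first" priority convention, exact-match IP semantics, and the sample addresses and flows are all assumptions made for this example.

```python
"""Toy model of priority-ordered firewall rule evaluation (added example, not CFW code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Flow:
    src: str                 # source IP as a string; exact match only (assumption)
    dst: str                 # destination IP
    protocol: str            # "tcp", "udp", "icmp" or "icmpv6"
    dst_port: Optional[int]  # None for ICMP


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int            # assumption: lower number is evaluated first
    protocol: str            # "tcp", "udp", "icmp", "icmpv6" or ANY
    src: str                 # exact source IP or ANY
    dst_port: Optional[int]  # destination port; None matches any port
    action: str              # "allow" or "block"

    def matches(self, flow: Flow) -> bool:
        return ((self.protocol == ANY or self.protocol == flow.protocol)
                and (self.src == ANY or self.src == flow.src)
                and (self.dst_port is None or self.dst_port == flow.dst_port))


@dataclass
class Engine:
    name: str
    supported_protocols: frozenset   # protocols the engine can write rules for and enforce
    default_action: str              # used when no rule matches or the flow is not enforceable
    rules: List[Rule] = field(default_factory=list)

    def add_rule(self, rule: Rule) -> None:
        """Refuse rules for protocols the engine cannot enforce (UDP or ANY on a TCP-only engine)."""
        if rule.protocol not in self.supported_protocols:
            raise ValueError(f"{self.name}: protocol {rule.protocol!r} not supported")
        self.rules.append(rule)

    def decide(self, flow: Flow) -> Tuple[str, Optional[str]]:
        """Return (action, name of the deciding rule); the name is None when the default applies."""
        if flow.protocol not in self.supported_protocols:
            return self.default_action, None   # no rule can ever match this protocol
        for rule in sorted(self.rules, key=lambda r: r.priority):  # first match wins
            if rule.matches(flow):
                return rule.action, rule.name
        return self.default_action, None


def try_add(engine: Engine, rule: Rule) -> bool:
    """True if the engine accepted the rule, False if it refused the protocol."""
    try:
        engine.add_rule(rule)
        return True
    except ValueError:
        return False


def build_engines() -> Tuple[Engine, Engine]:
    """Load the same intended policy into an in-path engine and a TCP-only, default-allow out-of-path engine."""
    in_path = Engine("in-path", frozenset({"tcp", "udp", "icmp", "icmpv6", ANY}), "allow")
    out_of_path = Engine("out-of-path", frozenset({"tcp"}), "allow")
    policy = [
        Rule("block-scanner", 1, ANY, "203.0.113.7", None, "block"),    # any protocol from one host
        Rule("allow-ssh-admin", 3, "tcp", "198.51.100.5", 22, "allow"),  # outranks block-ssh below
        Rule("block-ssh", 5, "tcp", ANY, 22, "block"),
        Rule("allow-web", 10, "tcp", ANY, 443, "allow"),
    ]
    for rule in policy:
        in_path.add_rule(rule)
        if not try_add(out_of_path, rule) and rule.protocol == ANY:
            # Best the TCP-only engine can do: narrow the refused "any protocol" rule to TCP.
            out_of_path.add_rule(Rule(rule.name + "-tcp", rule.priority, "tcp",
                                      rule.src, rule.dst_port, rule.action))
    return in_path, out_of_path


# Constructed sample flows (RFC 5737 documentation addresses), not real traffic.
SCANNER_UDP = Flow("203.0.113.7", "10.0.0.5", "udp", 53)
SCANNER_ICMP = Flow("203.0.113.7", "10.0.0.5", "icmp", None)
SCANNER_TCP = Flow("203.0.113.7", "10.0.0.5", "tcp", 443)
ADMIN_SSH = Flow("198.51.100.5", "10.0.0.5", "tcp", 22)
OTHER_SSH = Flow("192.0.2.9", "10.0.0.5", "tcp", 22)
SAMPLE_FLOWS = [SCANNER_UDP, SCANNER_ICMP, SCANNER_TCP, ADMIN_SSH, OTHER_SSH]


def compare(flows: List[Flow]) -> Dict[Flow, Tuple[Tuple[str, Optional[str]], Tuple[str, Optional[str]]]]:
    """Decision of each engine for each flow: {flow: (in-path decision, out-of-path decision)}."""
    in_path, out_of_path = build_engines()
    return {f: (in_path.decide(f), out_of_path.decide(f)) for f in flows}


if __name__ == "__main__":
    for flow, (in_path_result, out_of_path_result) in compare(SAMPLE_FLOWS).items():
        print(f"{flow.protocol:<6} {flow.src:>13} -> port {flow.dst_port!s:<5} "
              f"in-path={in_path_result}  out-of-path={out_of_path_result}")
```

Running the script shows the in-path engine blocking the scanner host on UDP, ICMP and TCP alike, while the out-of-path engine blocks only the TCP flow and lets the UDP and ICMP flows through under its default-allow behaviour. The admin host's SSH is allowed on both engines because its rule carries a higher priority than the general block-ssh rule; swapping the two priorities would lock the admin out, which is why the rule order in the Operation column matters.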