Features

Cloud Firewall (CFW) comes in the standard edition. On the CFW console, you can check CFW status, access control, intrusion prevention, traffic analysis, and log audit statistics.

**Table 1** Features
Item	Description
Dashboard	You can check enabled and disabled firewalls.
Assets	You can check and manage EIPs.
Access Control	You can control access at Internet borders.
Intrusion Prevention	You can detect and prevent against intrusions from Internet traffic by selecting a protection mode and determining whether to enable basic protection. Basic protection includes threat detection and vulnerability scanning. Detects whether traffic contains phishing, Trojan horses, worms, hacker tools, spyware, password attacks, vulnerability attacks, SQL injection attacks, XSS attacks, and web attacks. Checks whether there are protocol anomalies, buffer overflow, access control, suspicious DNS activities, and other suspicious behaviors in traffic.
Traffic Analysis	You can check the following statistics: Internet access traffic in the last hour, last 24 hours, and last 7 days Intrusion events in the last hour, last 24 hours, and last 7 days
Log Audit	You can check the following types of logs: Attack event logs, which contain details about intrusions Access control logs, which contain details about what access is allowed and what is blocked Traffic logs, which contain the access traffic of specific services You can use Log Tank Service (LTS) on Huawei Cloud to record all CFW logs, including attack event, access control, and traffic logs.

**Table 2** Functions of Huawei bypass blocking engine
Menu	Tab	GUI Element	Restriction
Access Control > Access Policies	Protection Rules	Operation column of the rule list	Rule priority can be configured.
		Add Rule	Rule priority can be configured.
		Add Rule	Only the TCP protocol is supported.
	Blacklist	Add to Blacklist	Only the TCP protocol is supported.
	Whitelist	Add to Whitelist	Only the TCP protocol is supported.
NOTE: Huawei bypass blocking engine allows all traffic by default.

**Table 3** Hillstone engine and Huawei out-of-path engine
Engine	Function	Protocol	Scenario
Hillstone engine	The firewall in-path engine completes security detection and protection for user traffic and then sends the traffic to the target ECS. This engine provides various detection functions and flexible blocking policies.	TCP, UDP, ICMP, Any, and ICMPv6	Protection for Internet borders and VPC borders
Huawei engine	The firewall engine is deployed in out-of-path mode. It mirrors user traffic for analysis and delivers policies to block threat sessions. The out-of-path deployment does not change the direction of user traffic and has no impact on services.	TCP	Internet border protection