Updated on 2024-10-30 GMT+08:00

Configuring a Protection Rule to Allow the Inbound Traffic to a Specified EIP

Well-designed protection rules let you manage and control the traffic between your cloud assets and the Internet at a fine-grained level, prevent internal threats from spreading, and add depth to your security strategy.

This page shows how to configure protection rules on a standard edition firewall so that inbound traffic is allowed only to a specified EIP, giving you simple control over the traffic reaching your cloud assets.

Process

  Making Preparations
    Sign up for a HUAWEI ID, enable Huawei Cloud services, top up your account, and assign CFW permissions to the account.

  Step 1: Purchase the CFW Standard Edition
    Purchase CFW. Select a region and an edition (for example, the standard edition), and configure other parameters.

  Step 2: Enable Protection for a Specified EIP
    Enable protection for an EIP to divert its traffic to CFW.

  Step 3: Add a Protection Rule to Block All Inbound Traffic
    Configure a protection rule that blocks all inbound traffic and set its priority to the lowest.

  Step 4: Add a Protection Rule to Allow Inbound Traffic to a Specified EIP
    Configure a protection rule that allows inbound traffic to a specified EIP (for example, xx.xx.xx.1) and set its priority higher than that of the blocking rule.

  Step 5: Viewing Rule Hits in Access Control Logs
    Check whether the protection rules take effect.

Making Preparations

  1. Before purchasing CFW, create a Huawei account and subscribe to Huawei Cloud. For details, see Registering a HUAWEI ID and Enabling HUAWEI CLOUD Services and Real-Name Authentication.

    If you have enabled Huawei Cloud services and completed real-name authentication, skip this step.

  2. Make sure that your account has a sufficient balance; otherwise, payment for your CFW orders may fail.
  3. Make sure your account has CFW permissions assigned. For details, see Creating a User Group and Granting Permissions.
    Table 1 System policies supported by CFW

    CFW FullAccess
      Description: All permissions for CFW
      Category: System-defined policy
      Dependency: None

    CFW ReadOnlyAccess
      Description: Read-only permissions for CFW
      Category: System-defined policy
      Dependency: None

Step 1: Purchase the CFW Standard Edition

CFW provides the standard edition and the professional edition. Access control, intrusion prevention, traffic analysis, and log audit functions are available on the console.

This section describes how to purchase the CFW standard edition. For details about how to purchase other editions, see Purchasing CFW. For details about the function differences between editions, see Editions.

  1. Log in to the management console. In the navigation pane, click in the upper left corner and choose Security & Compliance > Cloud Firewall.
  2. Click Buy CFW. On the displayed page, configure the following parameters:
    This example describes only the mandatory parameters. Configure other parameters as needed.

    Region
      Example value: AP-Singapore
      Description: Select the region where the EIP is located. CFW can be used in the selected region only. To use CFW in another region, switch to that region and then purchase it. For details about the regions where CFW is available, see Can CFW Be Used Across Clouds or Regions?

    Editions
      Example value: Standard
      Description: Select an edition.

  3. Confirm the information and click Buy Now.
  4. Confirm the order details, select I have read and agreed to the Huawei Cloud Firewall Service Statement, and click Next.
  5. Select a payment method and pay for your order.

Step 2: Enable Protection for a Specified EIP

  1. In the navigation pane on the left, choose Assets > EIPs.
  2. Enable EIP protection.
    • Enable protection for a single EIP: In the row of the EIP, click Enable Protection in the Operation column.
    • Enable protection for multiple EIPs: Select the EIPs for which you want to enable protection and click Enable Protection above the list.
    Note:
    • Currently, IPv6 addresses cannot be protected.
    • An EIP can be protected by only one firewall.
    • Only EIPs in the enterprise project to which the current account belongs can be protected.
  3. On the page that is displayed, check the information and click Bind and Enable. The Protection Status then changes to Protected.

    After EIP protection is enabled, the default action of the access control policy is Allow.

Step 3: Add a Protection Rule to Block All Inbound Traffic

  1. In the navigation pane, choose Access Control > Access Policies.
  2. Click Add Rule. In the Add Rule dialog box, configure parameters.

    In this example, only necessary parameters are described. For details about other parameters, see Adding Protection Rules to Block or Allow Traffic.

    Figure 1 Blocking all traffic

    Direction
      Example value: Inbound (indicating inbound traffic)
      Description: Select the traffic direction.
        • Inbound: Cloud assets (EIPs) are accessed from the Internet.
        • Outbound: Cloud assets (EIPs) access the Internet.

    Source
      Example value: Any
      Description: Source address of the access traffic.

    Destination
      Example value: Any
      Description: Destination address of the access traffic.

    Service
      Example value: Any
      Description: Set Protocol, Source Port, and Destination Port.

    Application
      Example value: Any
      Description: Configure protection policies for application-layer protocols.

    Action
      Example value: Block
      Description: Set the action to be taken when traffic passes through the firewall.
        • Allow: Traffic is forwarded.
        • Block: Traffic is not forwarded.

    Priority
      Example value: Pin on top if this is the only protection rule. If other protection rules already exist, select Lower than the selected rule and pick the current lowest-priority rule, so that this blocking rule gets the lowest priority of all.
      Description: Set the priority of the rule. Its value can be:
        • Pin on top: the rule is given the highest priority.
        • Lower than the selected rule: the rule is given a priority lower than that of the specified rule.
  3. Click OK to complete the protection rule configuration.

Step 4: Add a Protection Rule to Allow Inbound Traffic to a Specified EIP

  1. Choose Access Control > Access Policies, click the Protection Rules tab, and click Add. In the displayed Add Rule dialog box, configure the following parameters:
    Figure 2 Allowing a specified IP address

    Direction
      Example value: Inbound (indicating inbound traffic)
      Description: Select the traffic direction.
        • Inbound: Cloud assets (EIPs) are accessed from the Internet.
        • Outbound: Cloud assets (EIPs) access the Internet.

    Source
      Example value: Any
      Description: Source address of the access traffic.

    Destination
      Example value: xx.xx.xx.1
      Description: Destination address of the access traffic.

    Service
      Example value: Any
      Description: Set Protocol, Source Port, and Destination Port.

    Application
      Example value: Any
      Description: Configure protection policies for application-layer protocols.

    Action
      Example value: Allow
      Description: Set the action to be taken when traffic passes through the firewall.
        • Allow: Traffic is forwarded.
        • Block: Traffic is not forwarded.

    Priority
      Example value: Pin on top (or at least higher than the blocking rule added in Step 3)
      Description: Set the priority of the rule. Its value can be:
        • Pin on top: the rule is given the highest priority.
        • Lower than the selected rule: the rule is given a priority lower than that of the specified rule.
  2. Click OK to complete the protection rule configuration.

Step 5: Viewing Rule Hits in Access Control Logs

In the navigation pane, choose Log Audit > Log Query. Click the Access Control Logs tab.

The rules have taken effect if the access control logs meet both of the following conditions:
  • In the rows where Destination IP is the allowed EIP (for example, xx.xx.xx.1), the corresponding Action is Allow.
  • In the rows where Destination IP is any other IP address, the corresponding Action is Block.
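To make the ordering in Steps 3 to 5 concrete, here is an added Python model of first-match rule evaluation with the console's two priority choices (example code written for this page, not part of the CFW product or its documentation). The rule names, the 203.0.113.x addresses standing in for xx.xx.xx.1, and the "default" label are constructed; the matcher also accepts CIDR ranges, which this page does not use.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "Any"  # the console's "Any" value for Source and Destination

@dataclass(frozen=True)
class Rule:
    name: str
    direction: str    # "Inbound" or "Outbound"
    source: str       # "Any", an IP address, or a CIDR range
    destination: str  # "Any", an IP address, or a CIDR range
    action: str       # "Allow" or "Block"

def _matches(field: str, addr: str) -> bool:
    return field == ANY or ip_address(addr) in ip_network(field, strict=False)

def pin_on_top(rules: list, rule: Rule) -> list:
    """Priority 'Pin on top': the new rule is evaluated before every existing rule."""
    return [rule] + rules

def lower_than(rules: list, selected: str, rule: Rule) -> list:
    """Priority 'Lower than the selected rule': insert right after the named rule."""
    idx = [r.name for r in rules].index(selected)
    return rules[: idx + 1] + [rule] + rules[idx + 1 :]

def evaluate(rules: list, direction: str, src: str, dst: str, default: str = "Allow"):
    """First-match evaluation in priority order. The default action after EIP
    protection is enabled is Allow (Step 2); the block-all rule of Step 3 overrides it."""
    for r in rules:
        if r.direction == direction and _matches(r.source, src) and _matches(r.destination, dst):
            return r.action, r.name
    return default, "default"

def expected_log_actions(rules: list, flows: list) -> dict:
    """Step 5 check: the Action each inbound (src, dst) flow should show in the logs."""
    return {dst: evaluate(rules, "Inbound", src, dst)[0] for src, dst in flows}

# Constructed example: 203.0.113.1 stands in for the page's xx.xx.xx.1.
PROTECTED_EIP = "203.0.113.1"
BLOCK_ALL = Rule("block-all-inbound", "Inbound", ANY, ANY, "Block")
ALLOW_EIP = Rule("allow-eip", "Inbound", ANY, PROTECTED_EIP, "Allow")
CORRECT_ORDER = pin_on_top([BLOCK_ALL], ALLOW_EIP)                     # Step 4 done right
WRONG_ORDER = lower_than([BLOCK_ALL], "block-all-inbound", ALLOW_EIP)  # allow rule shadowed
```

WRONG_ORDER shows why Step 4 insists on a higher priority: placed below the block-all rule, the allow rule never matches and the access control logs show Block for the EIP.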
