Updated on 2024-10-10 GMT+08:00

Migrating Security Policies to CFW in Batches

Application Scenarios

If services need to be migrated to Huawei Cloud, or security policies need to be replaced with CFW, you can quickly add security policies by importing them in batches.

Precautions

  • If the networking changes during rule migration, you need to rewrite the network information (such as the IP address) in the original policy.
  • To reduce the impact of the rule migration on services, you are advised to disable all rules (especially the blocking rules). Enable the rules only after the template is imported and the rules are correctly configured.
  • The priority of the imported rules is lower than that of the rules already created.

    If you need to allow specified traffic, make sure it is allowed in CFW, the network ACL, and the security groups.

  • If you need to import and reference an object group (such as an IP address group), enter the group information in the corresponding information table (such as the address information table) and then reference the group in the protection rule table.

Migrating Outbound Blocking Rules in Batches

  1. Export the rule configuration file from other firewalls through the API/policy backup function.

    For example, export the following rule:
    • rule id: 123
    • src-zone: trust
    • dst-zone: untrust
    • src-addr: 0.0.0.0/0
    • dst-addr: xx.xx.xx.9
    • service: SSH
    • action: deny
    • name: example123

  2. Log in to the management console.
  3. Click in the upper left corner of the management console and select a region or project.
  4. In the navigation pane on the left, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
  5. (Optional) Switch firewall instance: Select a firewall from the drop-down list in the upper left corner of the page.
  6. In the navigation pane, choose Access Control > Access Policies.
  7. Click Download Center in the upper right corner of the list.
  8. Click Download Template to download the rule import template to the local host.
  9. Set parameters in the template.

    • Order: 1
    • Acl Name: example123
    • Protection Rule: EIP protection
    • Direction: Outbound
    • Action Type: Block
    • ACL Address Type: IPv4
    • Status: Disable
    • Description: An example
    • Source Address Type: IP address
    • Source Address: 0.0.0.0/0
    • Destination Address Type: IP address
    • Destination Address: xx.xx.xx.9
    • Service Type: Service
    • Protocol/Source Port/Destination Port: TCP/1-65535/22

  10. After filling in the template, click Import Rule to import the template.
  11. Enable the policy. You are advised to enable the policies that do not affect main services.
  12. Check whether there are rule matching records in the logs. For details about how to query access logs, see Querying Logs.

    • If there are hit records, the rule has taken effect.
    • If there are no hit records, perform the following steps:
      1. Enable protection on the resources specified in the policy. For details about how to enable protection for EIPs, see Enabling EIP Protection. For details about how to enable protection for VPCs, see Adding a Protected VPC.
      2. Check whether a rule with a higher priority is matched. For details about how to set the priority of rules, see Configuring a Rule Priority.
      3. On the Access Policies page, check whether any delivery failure error is reported.
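
The mapping from the exported rule in step 1 to the template fields in step 9 can be scripted. The following is an added example, not part of the original document or a Huawei Cloud tool: the keyword mappings and the input dictionary layout are assumptions, 203.0.113.9 is a constructed stand-in for the masked address, and rule 124 is constructed to show a rule that has no mapping. Every row is emitted with Status set to Disable, and unmapped rules go to a manual review list.

```python
import ipaddress

# Column names as listed in step 9 of the procedure above.
COLUMNS = ["Order", "Acl Name", "Protection Rule", "Direction", "Action Type",
           "ACL Address Type", "Status", "Description", "Source Address Type",
           "Source Address", "Destination Address Type", "Destination Address",
           "Service Type", "Protocol/Source Port/Destination Port"]
# Assumed source-firewall vocabulary; only values shown on this page are mapped.
ACTIONS = {"deny": "Block"}
SERVICES = {"SSH": "TCP/1-65535/22"}
DIRECTIONS = {("trust", "untrust"): "Outbound"}

def convert(rule, order):
    """Map one exported rule to a template row; ValueError means manual review."""
    try:
        direction = DIRECTIONS[(rule["src-zone"], rule["dst-zone"])]
        action = ACTIONS[rule["action"]]
        service = SERVICES[rule["service"]]
    except KeyError as exc:
        raise ValueError(f"no mapping for {exc}") from None
    for key in ("src-addr", "dst-addr"):
        # ip_network raises ValueError for text that is not an address or CIDR.
        if ipaddress.ip_network(rule[key], strict=False).version != 4:
            raise ValueError(f"{key} is not IPv4")
    return dict(zip(COLUMNS, [
        order, rule["name"], "EIP protection", direction, action, "IPv4",
        "Disable",  # imported disabled; enabled only after review (see Precautions)
        f"migrated from rule {rule['rule id']}", "IP address", rule["src-addr"],
        "IP address", rule["dst-addr"], "Service", service]))

def convert_all(rules):
    """Return (rows, review); review lists (rule id, reason) for skipped rules."""
    rows, review = [], []
    for rule in rules:
        try:
            rows.append(convert(rule, len(rows) + 1))
        except ValueError as exc:
            review.append((rule["rule id"], str(exc)))
    return rows, review

# Constructed sample export in the shape of the rule shown in step 1.
EXPORTED = [
    {"rule id": "123", "src-zone": "trust", "dst-zone": "untrust", "src-addr": "0.0.0.0/0",
     "dst-addr": "203.0.113.9", "service": "SSH", "action": "deny", "name": "example123"},
    {"rule id": "124", "src-zone": "trust", "dst-zone": "untrust", "src-addr": "0.0.0.0/0",
     "dst-addr": "203.0.113.9", "service": "HTTPS", "action": "deny", "name": "example124"},
]
if __name__ == "__main__":
    print(convert_all(EXPORTED))
```

Rules that land in the review list should be mapped by hand rather than guessed, so that a block rule is never silently dropped or widened during migration.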

Migrating Address Group Members and Domain Group Members in Batches

  1. Export the rule configuration file from other firewalls through the API/policy backup function.
  2. Log in to the management console.
  3. Click in the upper left corner of the management console and select a region or project.
  4. In the navigation pane on the left, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
  5. (Optional) Switch firewall instance: Select a firewall from the drop-down list in the upper left corner of the page.
  6. In the navigation pane, choose Access Control > Access Policies.
  7. Click Download Center in the upper right corner of the list.
  8. Click Download Template to download the rule import template to the local host.
  9. Set parameters in the template.

    • Address-Table:
      • IP Address Group Name: address group 1
      • IP Address Group Description: service A
      • Address Set Address Type: IPv4
      • IP Address Items
        • IP Address: 10.1.1.2; Description: ECS1
        • IP Address: 10.1.1.3; Description: ECS2
        • IP Address: 10.1.1.4; Description: ECS3
    • Domain-Table:
      • Domain Set Name: domain group 1
      • Domain Set Type: URL filtering
      • Domain Set Description: external access domain name of service A
      • Domain Items:
        • Domain Address: www.example.test.api; Domain Description: api
        • Domain Address: www.test.example.com; Domain Description: a domain name
        • Domain Address: www.example.example.test; Domain Description: XX system
    • Rule-ACL-Table:
      • Order: 1
      • ACL Name: service A external connection
      • Protection Rule: NAT protection
      • Direction: Outbound
      • Action Type: Allow
      • ACL Address Type: IPv4
      • Status: Disable
      • Source Address Type: IP address group
      • Source Address Group Name: address group 1
      • Destination Address Type: domain group
      • Destination Address Group Name: domain group 1
      • Service Type: Service
      • Protocol/Source Port/Destination Port: TCP/0-65535/8080

  10. After filling in the template, click Import Rule to import the template.
  11. Enable the policy. You are advised to enable the policies that do not affect main services.
  12. Check whether there are rule matching records in the logs. For details about how to query access logs, see Querying Logs.

    • If there are hit records, the rule has taken effect.
    • If there are no hit records, perform the following steps:
      1. Enable protection on the resources specified in the policy. For details about how to enable protection for EIPs, see Enabling EIP Protection. For details about how to enable protection for VPCs, see Adding a Protected VPC.
      2. Check whether a rule with a higher priority is matched. For details about how to set the priority of rules, see Configuring a Rule Priority.
      3. On the Access Policies page, check whether any delivery failure error is reported.
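
Before importing a template that references groups, it helps to confirm that every group named in Rule-ACL-Table is defined in Address-Table or Domain-Table, that group members are valid addresses, and that each rule is still disabled. The following pre-import check is an added example, not part of the original document: the dictionary layout is an assumption that mirrors the field names in step 9, and the "service B" row (including its Status value) is constructed to show the failures.

```python
import ipaddress

def check_tables(address_table, domain_table, rule_table):
    """Return a list of problems to fix before importing the template."""
    problems = []
    # Group names defined in each information table, keyed by address type.
    groups = {
        "IP address group": {g["IP Address Group Name"] for g in address_table},
        "domain group": {g["Domain Set Name"] for g in domain_table},
    }
    for group in address_table:
        for item in group["IP Address Items"]:
            try:
                ipaddress.ip_network(item["IP Address"], strict=False)
            except ValueError:
                problems.append(
                    f"{group['IP Address Group Name']}: bad address {item['IP Address']}")
    for rule in rule_table:
        for side in ("Source", "Destination"):
            kind = rule[f"{side} Address Type"]
            name = rule.get(f"{side} Address Group Name")
            # Only group-typed sides need a matching definition.
            if kind in groups and name not in groups[kind]:
                problems.append(f"{rule['ACL Name']}: {kind} '{name}' is not defined")
        if rule["Status"] != "Disable":
            problems.append(
                f"{rule['ACL Name']}: Status is {rule['Status']}, expected Disable")
    return problems

# Tables from step 9, abridged to the fields the check reads.
ADDRESS_TABLE = [{"IP Address Group Name": "address group 1", "IP Address Items": [
    {"IP Address": "10.1.1.2"}, {"IP Address": "10.1.1.3"}, {"IP Address": "10.1.1.4"}]}]
DOMAIN_TABLE = [{"Domain Set Name": "domain group 1"}]
RULE_TABLE = [
    {"ACL Name": "service A external connection", "Status": "Disable",
     "Source Address Type": "IP address group", "Source Address Group Name": "address group 1",
     "Destination Address Type": "domain group", "Destination Address Group Name": "domain group 1"},
    # Constructed faulty row: undefined address group, and not disabled.
    {"ACL Name": "service B external connection", "Status": "Enable",
     "Source Address Type": "IP address group", "Source Address Group Name": "address group 2",
     "Destination Address Type": "domain group", "Destination Address Group Name": "domain group 1"},
]
if __name__ == "__main__":
    print("\n".join(check_tables(ADDRESS_TABLE, DOMAIN_TABLE, RULE_TABLE)))
```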

References

  • Import security policy parameters. For details about the parameters, see Parameters of Rule Import Template.
  • Periodically check rule hits on the policy assistant page or in custom security reports.

    The policy assistant and security reports display the rule matching trend and top N matched rules, helping you locate abnormal rules in a timely manner.