Configuring Intrusion Prevention to Protect EIPs

Process

Making Preparations

1. Before purchasing CFW, create a Huawei account and subscribe to Huawei Cloud. For details, see Registering a HUAWEI ID and Enabling HUAWEI CLOUD Services and Real-Name Authentication.

   If you have enabled Huawei Cloud services and completed real-name authentication, skip this step.

2. Make sure that your account has sufficient balance, or you may fail to pay to your CFW orders.
3. Make sure your account has CFW permissions assigned. For details, see Creating a User Group and Granting Permissions.

   Table 1 System policies supported by CFW

   Role Name	Description	Category	Dependency
   CFW FullAccess	All permissions for CFW	System-defined policy	None
   CFW ReadOnlyAccess	Read-only permissions for CFW	System-defined policy	None

Step 1: Purchase the CFW Standard Edition

CFW provides the standard edition, and the professional edition. You can use access control, intrusion prevention, traffic analysis, and log audit functions on the console.

This section describes how to purchase the CFW standard edition. For details about how to purchase other editions, see Purchasing CFW. For details about the function differences between editions, see Editions.

1. Log in to the management console. In the navigation pane, click in the upper left corner and choose Security & Compliance > Cloud Firewall.
2. Click Buy CFW . On the displayed page, configure the following parameters:
   • Region: Select the region where the resource (EIP) is located, for example, AP-Singapore.

     CFW can be used in the selected region only. To use CFW in another region, switch to the corresponding region and then purchase it. For details about the regions where CFW can be purchased, see Function Overview.

   • Edition: Select Standard.
   • Set other parameters as needed.
3. Confirm the information and click Buy Now.
4. Confirm the order details, select I have read and agreed to the Huawei Cloud Firewall Service Statement, and click Next.
5. Select a payment method and pay for your order.

Step 2: Enable Protection for an EIP

1. In the navigation pane on the left, choose Assets > EIPs.
2. Enable EIP protection.
   • Enable protection for a single EIP: In the row of the EIP, click Enable Protection in the Operation column.
   • Enable protection for multiple EIPs: Select the EIPs that you want to enable protection and click Enable Protection above the list.
   

   • Currently, IPv6 addresses cannot be protected.
   • An EIP can only be protected by one firewall.
   • Only EIPs in the enterprise project to which the current account belongs can be protected.
3. On the page that is displayed, check the information and click Bind and Enable. Then the Protection Status changes to Protected.
   

   After EIP protection is enabled, the default action of the access control policy is Allow.

Step 3: Set the Intrusion Prevention Mode to Observe

1. In the navigation pane, choose Attack Defense > Intrusion Prevention.
2. In the Protection Mode area, select Observe.
   

   This document uses the Observe mode as an example. If your workloads need stronger protection, you can change to the Intercept mode. You are advised to select a loose interception mode (for example, Intercept mode - loose) and observe its effects for a period of time before using a mode with higher granularity.

Step 4: Periodically View Attack Event Logs to Check for Incorrect Blocking

1. In the navigation pane, choose Log Audit > Log Query.
2. On the Attack Event Logs tab, check whether any traffic was improperly blocked based on the Direction, Source IP Address, and Destination IP Address recorded in logs. If there is improperly blocked traffic, record the corresponding rule ID.

   For example, the traffic from an external IP address xx.xx.xx.82 to an internal IP address xx.xx.xx.58 is normal, but is blocked by the IPS rule whose ID is 806310. This means such traffic was blocked by rule 806310 in Intercept mode. Record the rule ID.

   Figure 1 Viewing attack event logs
   

Step 5: Modify the Improper IPS Rule and Set the Protection Action to Block

1. In the navigation pane, choose Attack Defense > Intrusion Prevention.
2. Click View Effective Rules under Basic Protection. The Basic Protection tab is displayed.
3. Filter out the rule whose ID is 806310, click Observe in the Operation column, and change Current Action to Observe.
   Figure 2 Modifying a basic protection action
   
4. Return to the Intrusion Prevention page. In the Protection Mode area, select Intercept mode - medium.

Step 6: View the Protection Effect Through Attack Event Logs

1. In the navigation pane, choose Log Audit > Log Query.
2. On the Attack Event Logs tab page, view logs to check whether normal service traffic is identified as an attack event, that is, whether the Action for the traffic is Block.

References

• For details about intrusion prevention parameters, see Blocking Network Attacks .
• To protect the EIPs under other accounts, add these accounts on the Multi-Account Management page of the current firewall instance. For details, see Adding an Organization Member Account.