Configuring Intrusion Prevention to Protect EIPs
CFW provides intrusion prevention that draws on many years of attack defense experience to detect and defend against a wide range of common network attacks and protect your assets.
This document describes how to use the standard edition firewall to protect EIPs through intrusion prevention: start in Observe mode, tune the rules that match legitimate traffic, and then switch to Intercept mode - medium, so that cloud assets are protected without blocking normal service traffic.
Process
Procedure | Description
---|---
Making Preparations | Sign up for a HUAWEI ID, enable Huawei Cloud services, top up your account, and assign CFW permissions to the account.
Step 1: Purchase the CFW Standard Edition | Purchase CFW. Select a region and an edition (for example, the standard edition), and configure other parameters.
Step 2: Enable Protection for an EIP | Enable protection for an EIP to divert its traffic to CFW.
Step 3: Set the Intrusion Prevention Mode to Observe | In Observe mode, if the firewall detects an attack event, it records the event in the attack event log and does not block the traffic. This prevents traffic interruption caused by incorrect blocking while the rules are being tuned.
Step 4: Periodically View Attack Event Logs to Check for Incorrect Blocking | View attack event logs to check whether normal traffic is being matched by an IPS rule (and would therefore be blocked in Intercept mode), and record the corresponding rule ID.
Step 5: Modify the Improper IPS Rule and Set the Protection Mode to Intercept | Change the protection action of that rule to Observe, then change the intrusion prevention mode to Intercept (for example, Intercept mode - medium).
Step 6: View the Protection Effect Through Attack Event Logs | View attack event logs to check whether normal traffic is allowed.
Making Preparations
- Before purchasing CFW, create a Huawei account and subscribe to Huawei Cloud. For details, see Registering a HUAWEI ID and Enabling HUAWEI CLOUD Services and Real-Name Authentication.
If you have enabled Huawei Cloud services and completed real-name authentication, skip this step.
- Make sure that your account has a sufficient balance; otherwise, payment for your CFW order may fail.
- Make sure your account has CFW permissions assigned. For details, see Creating a User Group and Granting Permissions.
Table 1 System policies supported by CFW
Role Name | Description | Category | Dependency
---|---|---|---
CFW FullAccess | All permissions for CFW | System-defined policy | None
CFW ReadOnlyAccess | Read-only permissions for CFW | System-defined policy | None
Step 1: Purchase the CFW Standard Edition
CFW provides the standard edition and the professional edition. Both provide access control, intrusion prevention, traffic analysis, and log audit functions on the console.
This section describes how to purchase the CFW standard edition. For details about how to purchase other editions, see Purchasing CFW. For details about the function differences between editions, see Editions.
- Log in to the management console. In the navigation pane, click in the upper left corner and choose .
- Click Buy CFW. On the displayed page, configure the following parameters:
This example introduces only the mandatory parameters. Configure other parameters as needed.
Parameter | Example Value | Description
---|---|---
Region | AP-Singapore | Select the region where the EIP is located. CFW can be used in the selected region only. To use CFW in another region, switch to that region and then purchase it there. For details about the regions where CFW is available, see Can CFW Be Used Across Clouds or Regions?
Editions | Standard | Select an edition.
- Confirm the information and click Buy Now.
- Confirm the order details, select I have read and agreed to the Huawei Cloud Firewall Service Statement, and click Next.
- Select a payment method and pay for your order.
Step 2: Enable Protection for an EIP
- In the navigation pane on the left, choose .
- Enable EIP protection.
  - To enable protection for a single EIP: In the row of the EIP, click Enable Protection in the Operation column.
  - To enable protection for multiple EIPs: Select the EIPs and click Enable Protection above the list.
  Constraints:
  - Currently, IPv6 addresses cannot be protected.
  - An EIP can be protected by only one firewall.
  - Only EIPs in the enterprise project to which the current account belongs can be protected.
- On the page that is displayed, check the information and click Bind and Enable. Then the Protection Status changes to Protected.
After EIP protection is enabled, the default action of the access control policy is Allow.
Step 3: Set the Intrusion Prevention Mode to Observe
- In the navigation pane, choose Attack Defense > Intrusion Prevention.
- In the Protection Mode area, select Observe.
This document uses Observe mode as the starting point so that no traffic is blocked while you verify the rules against your real traffic. If your workloads need stronger protection, change to Intercept mode afterwards. You are advised to start with a loose interception mode (for example, Intercept mode - loose) and observe its effect for a period of time before moving to a stricter mode.
Step 4: Periodically View Attack Event Logs to Check for Incorrect Blocking
- In the navigation pane, choose Log Audit > Log Query.
- On the Attack Event Logs tab, use the Direction, Source IP Address, and Destination IP Address recorded in each log to check whether any known-good traffic was matched by an IPS rule. If so, record the corresponding rule ID.
For example, traffic from the external IP address xx.xx.xx.82 to the internal IP address xx.xx.xx.58 is normal service traffic but is matched by the IPS rule whose ID is 806310. In Observe mode the event is only logged; once Intercept mode is enabled, rule 806310 would block this traffic. Record the rule ID.
Figure 1 Viewing attack event logs
Step 5: Modify the Improper IPS Rule and Set the Protection Mode to Intercept
- In the navigation pane, choose Attack Defense > Intrusion Prevention.
- Click View Effective Rules under Basic Protection. The Basic Protection tab is displayed.
- Filter the list by rule ID 806310 and click Observe in the Operation column. The Current Action of the rule changes to Observe, so after the mode is switched to Intercept this rule will only log matching traffic instead of blocking it.
Figure 2 Modifying a basic protection action
- Return to the Intrusion Prevention page. In the Protection Mode area, select Intercept mode - medium.
Step 6: View the Protection Effect Through Attack Event Logs
- In the navigation pane, choose Log Audit > Log Query.
- On the Attack Event Logs tab, check whether any normal service traffic is still identified as an attack event, that is, whether the Action recorded for that traffic is Block. If it is, repeat Step 4 and Step 5 for the rule ID in that log.
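The checks in Step 4 and Step 6 are manual in the console. As an added example (not Huawei Cloud code and not a CFW API), the script below performs the same triage over an exported attack event log. It assumes the log has been exported to CSV with the columns the console shows (Direction, Source IP, Destination IP, Rule ID, Action); the column names, the RFC 5737 documentation addresses standing in for xx.xx.xx.82 and xx.xx.xx.58, and the allowlist of known-good flows are all constructed for this example.

```python
"""Triage a CFW attack event log export for IPS false positives.

Added example, not Huawei Cloud code. The CSV layout, the sample rows and
the known-good flow list below are constructed assumptions.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export. 203.0.113.82 -> 198.51.100.58 plays the role of
# the xx.xx.xx.82 -> xx.xx.xx.58 flow from the text; 806310 is the rule ID
# the text names, 335019 is a made-up second rule.
SAMPLE_LOG = """\
Time,Direction,Source IP,Destination IP,Rule ID,Action
2024-05-01 10:00:01,Inbound,203.0.113.82,198.51.100.58,806310,Block
2024-05-01 10:00:07,Inbound,203.0.113.82,198.51.100.58,806310,Block
2024-05-01 10:01:13,Inbound,192.0.2.200,198.51.100.58,335019,Block
2024-05-01 10:02:40,Outbound,198.51.100.58,203.0.113.9,806310,Observe
2024-05-01 10:03:02,Inbound,192.0.2.77,198.51.100.58,335019,Observe
"""

# Flows the operator knows to be legitimate (constructed). Any IPS rule that
# fires on one of these is a false-positive candidate.
KNOWN_GOOD_FLOWS = {
    ("Inbound", "203.0.113.82", "198.51.100.58"),
}


def parse_events(text):
    """Parse the CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def _flow(event):
    return (event["Direction"], event["Source IP"], event["Destination IP"])


def false_positive_rules(events, known_good):
    """Step 4: rule IDs that fired on known-good flows, with hit counts.

    The Action is ignored on purpose: in Observe mode the log still shows
    the rule that matched, and that rule would block in Intercept mode.
    """
    hits = defaultdict(int)
    for e in events:
        if _flow(e) in known_good:
            hits[e["Rule ID"]] += 1
    return dict(hits)


def with_rule_observed(events, rule_id):
    """Model the Step 5 change: the rule now only logs, it no longer blocks."""
    return [dict(e, Action="Observe") if e["Rule ID"] == rule_id else e
            for e in events]


def blocked_known_good(events, known_good):
    """Step 6: known-good flows still logged with Action Block after the
    switch to Intercept mode. A non-empty result means more rules to tune."""
    return sorted({
        (e["Rule ID"],) + _flow(e)
        for e in events
        if e["Action"] == "Block" and _flow(e) in known_good
    })


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print("rules hitting known-good traffic:",
          false_positive_rules(events, KNOWN_GOOD_FLOWS))
    print("still blocked before tuning:",
          blocked_known_good(events, KNOWN_GOOD_FLOWS))
    tuned = with_rule_observed(events, "806310")
    print("still blocked after tuning 806310:",
          blocked_known_good(tuned, KNOWN_GOOD_FLOWS))
```

Only flows that you have positively confirmed as legitimate belong in the allowlist; the script flags rules, it does not decide that the traffic is benign. Rule 335019 in the sample keeps blocking because its source addresses are not on the allowlist, which is the intended outcome.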
References
- For details about intrusion prevention parameters, see Blocking Network Attacks.
- To protect the EIPs under other accounts, add these accounts on the Multi-Account Management page of the current firewall instance. For details, see Adding an Organization Member Account.