
Security Center: Create a defense rule

Last Updated:May 21, 2024

You can create a defense rule to control traffic from a source network object to a destination network object. This topic describes how to create a defense rule.

Prerequisites

A source network object and a destination network object are created. For more information, see Create a network object.

Background information

A defense rule that is created in the container firewall module is used to implement network isolation. A defense rule consists of a source network object, a destination network object, one or more port ranges, an action, and a priority.

Procedure

  1. Log on to the Security Center console.

  2. In the left-side navigation pane, choose Protection Configuration > Container Protection > Container Firewall.

  3. On the Container Firewall page, click the Protection Management tab.

  4. In the cluster list of the Protection Management tab, find the cluster for which you want to create a defense rule and click Rule Management in the Actions column.

  5. In the Defense Rule panel, click Create Rule.

  6. In the Create Rule panel, create a defense rule for the cluster.

    1. Configure a source network object.

      The following list describes the parameters:

      • Rule name: Enter the name of the defense rule.

      • Network object: Select a network object as the source of traffic.

    2. Click Next.

    3. Configure a destination network object.


      The following list describes the parameters:

      • Network object: Select a network object as the destination of traffic.

      • Port: Enter the destination port range of traffic.

        Note: You can enter up to eight port ranges. The port ranges cannot overlap. Separate multiple port ranges with commas (,). Example: 20/30,80/90, which covers ports 20 to 30 and ports 80 to 90.

      • Action: Specify the action on traffic. Valid values:

        • Block: blocks traffic.

        • Alert: allows traffic and generates alerts.

        • Passed: allows traffic and does not generate alerts.

      • Status: Specify the status of the defense rule. Valid values:

        • Enable: The rule is enabled after it is created.

        • Disable: The rule is not enabled after it is created.

      • Priority: Specify the priority of the defense rule. Valid values: 1 to 1000. A smaller value indicates a higher priority.

  7. Click OK.

    The defense rules that you create are displayed in the defense rule list in order of priority, from the smallest priority value (highest priority) to the largest. Unless you set Status to Enable, a newly created defense rule is disabled and does not take effect until you enable it. For more information about how to enable a defense rule, see Manage the defense status and defense rules of a cluster.

    After you enable the defense rules of a cluster, the rules are applied in sequence, starting with the smallest priority value that you specify.

    Important

    Traffic from a source network object is matched against the enabled rules in priority order. If the traffic does not hit the first rule, the next rule is tried. When a rule is hit, that rule alone processes the traffic based on the action that you specified, and later rules are not evaluated. If no defense rule is hit, the container firewall allows the traffic. Two consequences follow: a Passed or Alert rule that matches the same traffic at a higher priority (smaller value) causes a Block rule to be skipped, so check the rule order when a Block rule appears not to take effect; and because the default is allow, traffic is isolated only while a matching Block rule exists and is enabled.
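The priority order, first-match and default-allow behavior described above can be modeled in a few lines of Python. The following is an added example written for this page, not Security Center's own code or API: network objects are reduced to their names, a flow is a (source object, destination object, destination port) triple, the rule fields mirror the parameters in the procedure above, and the port-range parser enforces the documented limits (at most eight ranges, no overlaps, start/end syntax) plus an assumed 1 to 65535 bound.

```python
# Added example: a model of the defense-rule semantics described on this page
# (priority order, first match wins, no match = allow). It is not Security
# Center's code. Network objects are reduced to names and a flow is
# (source object, destination object, destination port); both are assumptions.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_PORT_RANGES = 8                    # documented: up to eight port ranges
MIN_PRIORITY, MAX_PRIORITY = 1, 1000   # documented: valid priority values
ACTIONS = ("Block", "Alert", "Passed")


def parse_port_ranges(text: str) -> List[Tuple[int, int]]:
    """Parse the documented port syntax, e.g. "20/30,80/90".

    Documented checks: at most eight ranges, no overlaps. The 1-65535 bound
    and start <= end are assumptions any port field needs. The page shows no
    single-port form, so a bare "80" is rejected rather than guessed at.
    """
    ranges: List[Tuple[int, int]] = []
    for item in text.split(","):
        item = item.strip()
        start_s, sep, end_s = item.partition("/")
        if not sep or not start_s.isdigit() or not end_s.isdigit():
            raise ValueError(f"port range {item!r} must be written as start/end")
        start, end = int(start_s), int(end_s)
        if not 1 <= start <= end <= 65535:
            raise ValueError(f"port range {item!r} is reversed or outside 1-65535")
        ranges.append((start, end))
    if len(ranges) > MAX_PORT_RANGES:
        raise ValueError(f"at most {MAX_PORT_RANGES} port ranges allowed, got {len(ranges)}")
    ordered = sorted(ranges)
    for (_, prev_end), (next_start, _) in zip(ordered, ordered[1:]):
        if next_start <= prev_end:
            raise ValueError("port ranges must not overlap")
    return ranges


@dataclass
class DefenseRule:
    name: str
    source: str          # name of the source network object
    destination: str     # name of the destination network object
    ports: str           # documented syntax, e.g. "20/30,80/90"
    action: str          # Block, Alert or Passed
    priority: int        # 1-1000; a smaller value is a higher priority
    enabled: bool = False   # documented default: a new rule is disabled
    port_ranges: List[Tuple[int, int]] = field(init=False, repr=False)

    def __post_init__(self) -> None:
        if self.action not in ACTIONS:
            raise ValueError(f"action must be one of {ACTIONS}, got {self.action!r}")
        if not MIN_PRIORITY <= self.priority <= MAX_PRIORITY:
            raise ValueError(f"priority must be {MIN_PRIORITY}-{MAX_PRIORITY}")
        self.port_ranges = parse_port_ranges(self.ports)

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (self.source == src and self.destination == dst
                and any(lo <= port <= hi for lo, hi in self.port_ranges))


def evaluate(rules: List[DefenseRule], src: str, dst: str, port: int
             ) -> Tuple[bool, bool, Optional[str]]:
    """Return (allowed, alert_raised, name of the rule that was hit).

    Enabled rules are tried from priority 1 upward and the first hit decides.
    Equal priorities keep creation order (assumption; the page is silent).
    No hit means the firewall allows the flow without an alert.
    """
    for rule in sorted((r for r in rules if r.enabled), key=lambda r: r.priority):
        if rule.matches(src, dst, port):
            return rule.action != "Block", rule.action == "Alert", rule.name
    return True, False, None


# Constructed sample rule set for the demonstration.
SAMPLE_RULES = [
    DefenseRule("block-web-to-db", "web", "db", "3306/3306,5432/5432", "Block", 10, enabled=True),
    DefenseRule("alert-web-to-db-admin", "web", "db", "8080/8090", "Alert", 20, enabled=True),
    # Priority 5 is tried before the Block rule at 10, so this Passed rule shadows it.
    DefenseRule("pass-web-to-db-mysql", "web", "db", "3306/3306", "Passed", 5, enabled=True),
    # Left disabled, exactly as a freshly created rule is: it has no effect.
    DefenseRule("block-web-to-cache", "web", "cache", "6379/6379", "Block", 1),
]

if __name__ == "__main__":
    for flow in [("web", "db", 3306), ("web", "db", 5432), ("web", "db", 8081),
                 ("web", "cache", 6379), ("batch", "db", 3306)]:
        print(flow, evaluate(SAMPLE_RULES, *flow))
```

Running the sample shows the two cases worth checking after you create rules: traffic to port 3306 is allowed because the Passed rule at priority 5 is hit before the Block rule at priority 10, and traffic to the cache object on port 6379 is allowed because its only Block rule is still disabled. Port 5432 is blocked and port 8081 is allowed with an alert, as the Block and Alert rules specify.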