The container firewall feature controls access to containers and provides intelligent learning, alerting, and attack blocking. This feature identifies normal traffic among containerized applications and generates alerts for or blocks abnormal traffic based on machine learning. If an attacker exploits vulnerabilities or malicious images to intrude into container clusters, the container firewall feature generates alerts or blocks attacks.

Limits

Only Security Center Ultimate supports this feature. If you do not use the Ultimate edition, you must upgrade Security Center to the Ultimate edition before you can use this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center. For more information about the features that each edition supports, see Features.

Usage notes

If you have turned on Cluster defense switch on the Protection management tab of the Container Firewall page and have not created defense rules, the container firewall feature blocks all traffic destined for containers.

Step 1: Add a protection object

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Defense > Container Firewall.
  3. On the Container Firewall page, click the Object tab.
  4. On the Object tab, click Add Network Object.
  5. In the Add Network Object panel, configure the parameters.
    Parameter   Description
    Name        The name of the protection object.
    Type        The type of the protection object. This parameter is fixed as Image.
    Image       The image that you want to protect.
    Label       The label of the image. You can select one or more labels.
  6. Click OK.

Step 2: Create a defense rule

After you add a protection object, you must create a defense rule to filter the traffic destined for container images.

A defense rule is a logical unit for network isolation. Each rule consists of a source protection object, a destination protection object, and a set of port numbers. If a network connection matches a specific defense rule, the network connection is allowed. If a network connection does not match a specific defense rule, alerts are generated for the network connection or the network connection is blocked.

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Defense > Container Firewall.
  3. On the Container Firewall page, click the Protection management tab.
  4. In the Cluster list section, select a container cluster for which you want to create a defense rule.
  5. Click Create defense rules.
  6. In the Create defense rules panel, configure the parameters.

    The following table describes the parameters.

    Parameter      Description
    Rule name      The name of the defense rule.
    Access source  The source of the traffic.
    Purpose        The destination of the traffic. You must select the destination IP address of the traffic and enter the port number.
    Rule status    The status of the defense rule. Valid values:
                   • Open
                   • Close
  7. Click OK.

Step 3: Enable cluster protection

After you add a protection object, you must turn on Cluster defense switch for the cluster that you want to protect.

After you turn on Cluster defense switch, the container firewall feature controls traffic destined for your containers.
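The evaluation order described on this page (Cluster defense switch off: traffic is not controlled; switch on with no rules: everything destined for containers is blocked; otherwise the first Open rule whose source object, destination IP and port match allows the connection, and anything unmatched is alerted on or blocked) modelled as a small simulation. This is an added example, not Security Center code or its API; the class and field names, and the choice to key the destination by IP and port, are assumptions that mirror the console fields.

```python
"""Simulation of container-firewall defense-rule evaluation as described above.
Assumed model (not the product's API): a protection object is an image plus
optional labels; a rule is source object + destination IP + port set + status."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class NetworkObject:
    """Protection object. Type is fixed as Image; labels narrow the match."""
    name: str
    image: str
    labels: frozenset = frozenset()

    def matches(self, image: str, labels: set) -> bool:
        # Every label on the object must be present on the workload.
        return image == self.image and self.labels <= labels


@dataclass
class DefenseRule:
    name: str
    source: NetworkObject
    destination_ip: str
    ports: frozenset
    status: str = "Open"  # "Open" or "Close", as in the Rule status field


@dataclass
class ClusterPolicy:
    cluster_switch: bool                 # Cluster defense switch
    rules: list = field(default_factory=list)
    action_on_mismatch: str = "block"    # "block" or "alert" for unmatched traffic


def evaluate(policy, src_image, src_labels, dst_ip, dst_port):
    """Return 'allow', 'block' or 'alert' for one container connection."""
    if not policy.cluster_switch:
        return "allow"            # firewall is not controlling traffic
    if not policy.rules:
        return "block"            # usage note: switch on + no rules = block all
    for rule in policy.rules:
        if rule.status != "Open":
            continue              # Closed rules never match
        if (rule.source.matches(src_image, src_labels)
                and rule.destination_ip == dst_ip
                and dst_port in rule.ports):
            return "allow"        # matched a defense rule
    return policy.action_on_mismatch
```

The constructed workloads in the test illustrate the "no rules" pitfall: the same connection that a single Open rule allows is blocked outright once the switch is on and the rule list is empty.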