You can create a defense rule to control traffic from a source network object to a destination network object. This topic describes how to create a defense rule.

Background information

A defense rule that is created in the container firewall module is used to implement network isolation. A defense rule consists of a source network object, a destination network object, one or more port ranges, an action, and a priority.

Procedure

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Protection Configuration > Container Protection > Container Firewall.
  3. On the Container Firewall page, click the Protection management tab.
  4. In the cluster list of the Protection management tab, find the cluster for which you want to create a defense rule and click Rule management in the Operation column.
  5. In the Defense rules panel, click Create rules.
  6. In the Create rules panel, create a defense rule for the cluster.
    1. Configure a source network object.
      The following list describes the parameters:
      • Rule name: Enter the name of the defense rule.
      • Network object: Select a source network object as the source of traffic.
    2. Click Next.
    3. Configure a destination network object. Defense rule
      The following table describes the parameters.
      Parameter Description
      Network object Select the destination network object as the destination of traffic.
      Port Enter the destination port range of traffic.
      Note You can enter eight port ranges. The port ranges cannot overlap. Separate multiple port ranges with commas (,). Example: 20/30,80/90.
      Action Specify the action on traffic. Valid values:
      • Intercept: blocks traffic.
      • Alert: allows traffic and generates alerts.
      • Release: allows traffic and does not generate alerts.
      Rule status Specify the status of the defense rule. Valid values:
      • Open: The rule is enabled after it is created.
      • Close: The rule is not enabled after it is created.
      Priority Specify the priority of the defense rule. Valid values: 1 to 1000. A smaller value indicates a higher priority.
  7. Click Determine.

    The defense rules that you create are displayed in the defense rule list in descending order of priority. By default, a newly created defense rule is disabled. You must enable the defense rule to allow the rule to take effect. For information about how to enable a defense rule, see Manage the defense status and defense rules of a cluster.

    After you enable the defense rules of a cluster, the rules are applied in sequence based on the priorities that you specify.
    Note If the traffic from the source network object does not match the first defense rule, the subsequent rules are used until a rule is hit. Then, the hit rule processes traffic based on the action that you specify in the hit rule. If no defense rules are hit, container firewall allows the traffic.