To use the container firewall feature of Security Center, you must create a source network object and a destination network object. This topic describes how to create a network object.

Prerequisites

The behavior prevention feature that defends against malicious network behavior is enabled for your assets. For more information about how to enable the behavior prevention feature, see Use proactive defense.

Limits

Only Security Center Ultimate supports this feature. If you do not use the Ultimate edition, you must upgrade Security Center to the Ultimate edition before you can use this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center. For more information about the features that each edition supports, see Features.

Procedure

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Defense > Container Firewall.
  3. On the Container Firewall page, click the Object tab.
  4. On the Object tab, click Add Network Object.
  5. In the Add Network Object panel, configure the following parameters.
     Parameter    Description
     Object name  Enter the name of the network object.
     NameSpace    Select or enter the namespace to which the network object belongs.
                  Note You can enter the namespace of a cluster. Fuzzy match is supported. Example: a*.
     AppName      Select or enter the name of the application to which the network object belongs.
                  Note You can enter the label value of a pod whose label key is app. Fuzzy match by suffix is supported. Example: abc*.
     Image        Select or enter the image of the network object.
     Label        Select or enter the label of the pod that you want to protect. You can select one or more labels.
  6. Click OK.
    The new network object appears on the Object tab.
    • You can click Edit or Delete in the Operation column of a network object to modify or delete that network object.
    • You can also select multiple network objects and click Batch delete below the network object list to delete them at the same time.
      Note You can delete a network object only when it is not referenced by any defense rule.
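Because a network object selects pods by namespace, app label, image and labels, and because the selectors accept fuzzy patterns such as a* and abc*, it is worth checking which pods an object actually resolves to before it is placed in an allow rule. The following is an added example, not Security Center's own code or API: it models the Add Network Object fields as a small selector, resolves them against a constructed pod inventory, flags an object with no selectors (which would cover every pod), and applies the rule that an object referenced by a defense rule cannot be deleted. The console's exact fuzzy-match semantics are not documented beyond the examples above, so the code treats * as a shell-style wildcard; the pod names, namespaces, images and labels are constructed sample data.

```python
# Added example (not Security Center's own code): resolves network-object
# selectors against a constructed pod inventory. The console's exact matching
# rules are not documented beyond "fuzzy match, e.g. a*", so this treats "*"
# as a shell-style wildcard; that is an assumption.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional


@dataclass
class Pod:
    name: str
    namespace: str
    image: str
    labels: Dict[str, str]


@dataclass
class NetworkObject:
    """Mirrors the Add Network Object panel: every selector is optional."""
    name: str
    namespace: Optional[str] = None   # e.g. "a*" (fuzzy match)
    app_name: Optional[str] = None    # matched against the pod label "app"
    image: Optional[str] = None
    labels: Dict[str, str] = field(default_factory=dict)  # all must match


@dataclass
class DefenseRule:
    name: str
    source: str       # network object name
    destination: str  # network object name
    action: str       # "allow", "block" or "alert"


def _fuzzy(pattern: Optional[str], value: str) -> bool:
    """An empty selector matches anything; '*' is a wildcard (assumed)."""
    if not pattern:
        return True
    return fnmatchcase(value, pattern)


def pod_matches(obj: NetworkObject, pod: Pod) -> bool:
    """True when the pod satisfies every selector set on the object."""
    if not _fuzzy(obj.namespace, pod.namespace):
        return False
    if not _fuzzy(obj.app_name, pod.labels.get("app", "")):
        return False
    if not _fuzzy(obj.image, pod.image):
        return False
    return all(pod.labels.get(k) == v for k, v in obj.labels.items())


def resolve(obj: NetworkObject, pods: List[Pod]) -> List[str]:
    """Names of the pods the object would cover, in inventory order."""
    return [p.name for p in pods if pod_matches(obj, p)]


def is_unconstrained(obj: NetworkObject) -> bool:
    """True when no selector is set: such an object covers every pod."""
    return not (obj.namespace or obj.app_name or obj.image or obj.labels)


def can_delete(obj_name: str, rules: List[DefenseRule]) -> bool:
    """An object referenced by any defense rule cannot be deleted."""
    return not any(obj_name in (r.source, r.destination) for r in rules)


# Constructed sample inventory (hypothetical names, namespaces and images).
SAMPLE_PODS = [
    Pod("web-1", "app-prod", "registry.example.com/web:1.4",
        {"app": "abc-web", "tier": "frontend"}),
    Pod("web-2", "app-staging", "registry.example.com/web:1.4",
        {"app": "abc-web", "tier": "frontend"}),
    Pod("db-1", "app-prod", "registry.example.com/postgres:15",
        {"app": "db", "tier": "backend"}),
    Pod("agent-1", "kube-system", "registry.example.com/agent:2.0",
        {"app": "abc-agent"}),
]

FRONTEND = NetworkObject("frontend", namespace="a*", app_name="abc*",
                         labels={"tier": "frontend"})
DATABASE = NetworkObject("database", namespace="app-prod", app_name="db")
EVERYTHING = NetworkObject("catch-all")   # no selectors at all

RULES = [DefenseRule("web-to-db", "frontend", "database", "allow")]

if __name__ == "__main__":
    for obj in (FRONTEND, DATABASE, EVERYTHING):
        flag = "  <-- no selectors, covers all pods" if is_unconstrained(obj) else ""
        print(f"{obj.name}: {resolve(obj, SAMPLE_PODS)}{flag}")
    print("can delete 'frontend':", can_delete("frontend", RULES))
```

Running the script shows that the frontend object picks up the staging pod as well as the production one, because the namespace pattern a* matches both; narrowing it to app-prod before the object is used in an allow rule is the kind of correction this dry run is meant to surface.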

What to do next

After you create a source network object and a destination network object, you can create a defense rule to control traffic from the source network object to the destination network object. The defense rule can be used to allow, block, or generate alerts for unusual traffic from the source network object to the destination network object. For more information about how to create a defense rule, see Create a defense rule.