
Product Strengths

Last updated: 2026-05-28 15:47:47

Unified Management Rules

In multi-firewall perimeter scenarios, implement centralized policy management and unified distribution to reduce the costs of repeated configuration and console switching.
FWM provides a unified entry point for rule orchestration and distribution. It manages rules for internet boundaries, NAT boundaries, VPC boundaries, and enterprise security group policies, enabling you to view, orchestrate, and distribute multiple types of policies within a single console. The distribution status (such as not distributed, pending new distribution, effective, pending update distribution, failed) can be viewed in the list, facilitating the tracking of the distribution result for each rule.

Intelligent Rule Analysis and Risk Governance

Through automated rule inspection and risk identification, FWM helps administrators quickly discover and fix security group policy issues, reducing the exposure risk caused by configuration errors.
It supports scanning CFW enterprise security groups and security group rules, identifying five common types of issues and providing remediation suggestions:
Allowlist and Blocklist Conflict: Contradictory allow and block configurations exist within the same rule set.
Security Baseline Deviation: Rules that do not comply with the security baseline, such as allowing all inbound traffic.
Duplicate and Redundant Rules: Fully duplicate / Mergeable / Partially duplicate.
High-Risk Allow Rules: For example, when threat intelligence is matched, or when high-risk ports such as SSH, RDP, MySQL, and Redis are exposed.
Invalid Rules: Expired templates / Overridden by higher-priority rules / Source and destination are identical.
It also supports multi-dimensional risk distribution presentation, sorting by risk level and handling status, real-time re-verification before handling, as well as ignore and false positive feedback.
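
The issue types listed above can be illustrated with a small rule audit. This is an added example, not FWM's implementation or code from Tencent Cloud; the rule model (ordered inbound rules, first match wins), the field names, and the sample rules are all constructed assumptions. It covers exact duplicates, allow/block conflicts, open high-risk ports, overridden rules, and identical source and destination.

```python
import ipaddress
from collections import namedtuple
# Constructed rule model (an assumption, not the CFW schema): inbound rules,
# evaluated in list order with first match winning; port None = all ports.
Rule = namedtuple("Rule", "name action src dst port")
HIGH_RISK_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 6379: "Redis"}

def covers(a, b):
    """True if rule a matches every packet that rule b matches."""
    net = ipaddress.ip_network
    return (net(b.src).subnet_of(net(a.src)) and net(b.dst).subnet_of(net(a.dst))
            and (a.port is None or a.port == b.port))

def audit(rules):
    """Return (rule name, finding) pairs for the issue types listed above."""
    findings = []
    for i, r in enumerate(rules):
        if r.src == r.dst:
            findings.append((r.name, "invalid: source and destination identical"))
        if r.action == "allow" and ipaddress.ip_network(r.src).prefixlen == 0:
            if r.port is None:
                findings.append((r.name, "baseline deviation: allows all inbound traffic"))
            elif r.port in HIGH_RISK_PORTS:
                findings.append((r.name, f"high-risk allow: {HIGH_RISK_PORTS[r.port]} exposed"))
        for e in rules[:i]:  # compare with higher-priority rules only
            same = (e.src, e.dst, e.port) == (r.src, r.dst, r.port)
            if same and e.action == r.action:
                findings.append((r.name, f"duplicate of {e.name}"))
            elif same:
                findings.append((r.name, f"allow/block conflict with {e.name}"))
            elif covers(e, r):
                findings.append((r.name, f"invalid: overridden by {e.name}"))
            else:
                continue
            break  # report only the first higher-priority rule involved
    return findings

SAMPLE_RULES = [  # constructed sample data
    Rule("web", "allow", "0.0.0.0/0", "10.0.1.0/24", 443),
    Rule("ssh-any", "allow", "0.0.0.0/0", "10.0.1.0/24", 22),
    Rule("web-dup", "allow", "0.0.0.0/0", "10.0.1.0/24", 443),
    Rule("ssh-block", "deny", "0.0.0.0/0", "10.0.1.0/24", 22),
    Rule("ssh-bastion", "allow", "10.0.2.5/32", "10.0.1.0/24", 22),
    Rule("loop", "allow", "10.0.3.0/24", "10.0.3.0/24", 8080),
    Rule("any-any", "allow", "0.0.0.0/0", "10.0.1.0/24", None),
]
if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES):
        print(f"{name}: {finding}")
```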

Multi-Account Management Specification Sharing

Manage firewall specifications across multiple accounts in a resource pool manner to improve resource utilization and reduce cost waste caused by separate provisioning for each account.
It allows the sharer account to centrally provision CFW specifications. Core specifications such as instances, bandwidth, number of rules, and log storage are presented in the form of a resource pool. User accounts occupy quotas from the resource pool on a first-come, first-served basis. New accounts do not need to be provisioned separately; the sharer centrally adjusts the total capacity of the resource pool. Before use, you must first set the sharer and user roles in member management.
Note:
Cloud Firewall is a paid product. In the specification sharing scenario, it is uniformly paid for and provisioned by the sharer account, and consumer accounts do not need to purchase it separately.

