What Asset Types Are Supported by Enterprise Security Groups?
The current version of Enterprise Security Group supports the following asset types: VPC, Subnet, CVM, ENI, CLB, TDSQL, TDSQL-C, MySQL, MariaDB, SQL Server, PostgreSQL, Redis, MongoDB, and Lighthouse.
Will Security Groups Be Deleted After FWM Expires?
No. After the FWM product expires, the security groups it maintained are not deleted. This includes the security group configurations in the VPC console and those in the Lighthouse firewall.
Can I Modify FWM Security Groups in the VPC Console?
No. Rules delivered from FWM - Enterprise Security Group to VPC - Security Group cannot be modified directly in the VPC console. The reasons are as follows:
1. Rules manually modified in VPC - Security Group are not reflected on the FWM - Enterprise Security Group page. This results in inconsistent rule information display, which is detrimental to rule maintenance and management.
2. After rules are updated in FWM - Enterprise Security Group, they are synchronized and delivered to VPC - Security Group. This overwrites rules manually modified in VPC - Security Group, which impacts network security protection.
Is There a Limit on the Number of Rules That Enterprise Security Groups Can Apply to Lighthouse Firewalls?
Rules delivered from Enterprise Security Group to a Lighthouse firewall are subject to the Lighthouse firewall's own rule limit, so the total number of rules cannot exceed 100. Once that limit is exceeded, rule delivery fails.
How Are Duplicate Rules Handled When Enterprise Security Group Rules Overlap with Existing Lighthouse Rules?
Because the Lighthouse firewall does not support duplicate rules, when an FWM - Enterprise Security Group rule duplicates an existing Lighthouse firewall rule, the system automatically deletes the existing Lighthouse firewall rule (this cannot be undone) and adds the higher-priority duplicate rule. The preview of changes shows the details of each change. If, after reviewing it, you decide the change is not needed, delete the Enterprise Security Group rule instead of delivering it.
Do Rules Applied from Enterprise Security Groups to Lighthouse Firewalls Support Parameter Templates?
No. Because the Lighthouse firewall does not support parameter templates, when you select Lighthouse as the effective scope of an FWM - Enterprise Security Group rule, the system checks the rule for parameter templates. If the rule references a parameter template, an error message is displayed and the rule cannot be saved.
Can I Delete an Enterprise Security Group Rule When It Is the Only Rule on a Lighthouse Firewall?
Do not delete it. Deleting this Enterprise Security Group rule clears the Lighthouse firewall's rules, after which you cannot deliver new Lighthouse firewall rules; this affects the configuration of security policies. For this reason, an attempt to delete the last remaining Enterprise Security Group rule displays a failure reminder.
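The four Lighthouse answers above (the 100-rule limit, duplicate handling, the parameter template check and the last-rule deletion guard) describe what the preview of changes validates before delivery. The following added example is a local model of those checks, written for this page; it is not Tencent Cloud's API or code. It assumes a hypothetical Rule type and treats two rules as duplicates when protocol, port, CIDR and action all match.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

LIGHTHOUSE_RULE_LIMIT = 100  # rule limit of the Lighthouse firewall stated above


@dataclass(frozen=True)
class Rule:
    """Hypothetical rule shape for this model (not the product's schema)."""
    protocol: str
    port: str
    cidr: str
    action: str
    param_template: Optional[str] = None  # name of a referenced parameter template, if any

    def key(self) -> Tuple[str, str, str, str]:
        # Assumption: two rules are duplicates when these four fields match.
        return (self.protocol, self.port, self.cidr, self.action)


def validate_for_lighthouse(rule: Rule) -> None:
    """Lighthouse scope does not support parameter templates; such a rule cannot be saved."""
    if rule.param_template is not None:
        raise ValueError(f"parameter template '{rule.param_template}' not supported for Lighthouse scope")


def preview_delivery(existing: List[Rule], incoming: List[Rule]) -> Tuple[List[Rule], List[Rule]]:
    """Return (existing rules that would be deleted, resulting rule set).

    Existing Lighthouse rules duplicated by an incoming ESG rule are dropped and
    replaced by the incoming rule; the result must stay within the rule limit.
    """
    for rule in incoming:
        validate_for_lighthouse(rule)
    incoming_keys = {r.key() for r in incoming}
    deleted = [r for r in existing if r.key() in incoming_keys]
    kept = [r for r in existing if r.key() not in incoming_keys]
    final = kept + list(incoming)
    if len(final) > LIGHTHOUSE_RULE_LIMIT:
        raise ValueError(f"{len(final)} rules exceed the Lighthouse limit of {LIGHTHOUSE_RULE_LIMIT}")
    return deleted, final


def can_delete_esg_rule(esg_rules_on_firewall: List[Rule]) -> bool:
    """The last remaining ESG rule on a Lighthouse firewall cannot be deleted."""
    return len(esg_rules_on_firewall) > 1


def demo() -> Tuple[int, int]:
    """Constructed sample: one incoming rule duplicates an existing rule, one is new."""
    existing = [Rule("TCP", "22", "0.0.0.0/0", "ACCEPT"), Rule("TCP", "80", "0.0.0.0/0", "ACCEPT")]
    incoming = [Rule("TCP", "22", "0.0.0.0/0", "ACCEPT"), Rule("TCP", "443", "10.0.0.0/8", "ACCEPT")]
    deleted, final = preview_delivery(existing, incoming)
    return len(deleted), len(final)  # returns (1, 3)
```

Running `demo()` shows the port 22 rule being replaced rather than duplicated, which is the irreversible deletion the preview of changes is meant to surface before you deliver.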
How Do I Grant FWM Permissions to a Sub-account?
First, create an FWM role in CAM Roles. Then grant the following two permissions to the sub-account:
QcloudFWMFullAccess
QcloudAccessForFWMRole
Creating and authorizing the role does not affect normal business operations. The authorization allows the FWM backend, with your permission, to read your cloud resources, VPC data, and other information, which is used only to build the data required for page operations. No automated operations that affect business are performed.