
Basic Introduction

Last updated: 2025-05-20 14:40:43

What Is CFW?

Tencent Cloud Firewall (CFW) is a SaaS-based firewall for the public cloud environment. It mainly provides Internet boundary protection and meets cloud security and management needs such as unified access control and log audit. CFW not only has the features of a traditional firewall, but also supports cloud multi-tenancy and elastic scale-out. It is the first network security infrastructure to deploy when migrating business to the cloud.

Is It Possible for CFW to Protect Assets on Non-Tencent Cloud?

CFW can only protect IP assets under Tencent Cloud accounts; assets outside Tencent Cloud are not supported.

Can CFW Be Deployed on Private Cloud?

Starting from version 380, TCE supports the cloud firewall service.

What Are the Differences between CFW and Security Group?

CFW and security groups are two independent systems. When the Internet switch of the public EIP is turned on and the policy is enabled at the same time, the traffic is allowed.
The two control different objects: the Internet edge firewall controls the access traffic of public IP addresses, while the security group controls all traffic of the CVM network interface card.
The two differ in granularity: a security group acts on instances, while CFW acts on public IPs, NAT boundary protection, peering connections between VPCs, and Cloud Connect Network.
The security group ACL is merely the most basic feature of CFW. More importantly, CFW provides real-time blocking through intrusion detection/prevention (IDS/IPS) and full-traffic log audit.

What Are the Differences between CFW and WAF Products?

The Web Application Firewall (WAF) only protects web business. It has no protection capability for non-web business and only protects against attacks from outside to inside; it cannot monitor or protect against malicious outbound requests initiated by the business itself.
CFW protects all business traffic. It supports basic protection against web vulnerabilities and, at the same time, actively detects outbound traffic from inside to outside, automatically intercepting compromised hosts and malicious outbound connections.

Both CFW and SOC Have Traffic Threat Awareness Functionality. What Are the Differences between Them?

CFW integrates enterprise-level IPS and IDS functionality, with hour-level virtual patching for 0-day vulnerabilities; no business restart is needed after an upgrade. SOC does not provide these capabilities.

Can CFW Protect CDN or COS?

CFW does not support the protection of SaaS services such as CDN, COS, Anti-DDoS IP, SaaS-WAF, and CDB.

Does Traffic Transit through the Firewall before Going through Other Products? Will CDN Traffic Be Protected by the Firewall?

CDN node IPs belong to the CDN carriers and are not within the protection scope of your Cloud Firewall.
For the serial firewall, traffic is detected by Cloud Firewall only when the CDN origin-pulls to CLB/CVM. Anti-DDoS IP origin-pull to CLB also passes through Cloud Firewall, but the source address seen is that of the Anti-DDoS IP.
Due to its architecture, the bypass firewall cannot obtain CDN origin-pull traffic; it is recommended to switch to the serial firewall.
The public IP type supported in the current version is BGP IP; three-network IPs are not supported yet. When identifying user assets, CFW automatically filters out three-network IPs.

Does CFW Have a QPS Limit?

CFW is a SaaS feature and has none of the limits on concurrency, new connection creation, QPS, etc. that apply to traditional hardware firewalls. The only performance metric for measuring CFW is actual bandwidth throughput.

Does External Inbound Traffic Go through CFW or WAF First?

For Inbound Traffic

The Web Application Firewall (WAF) and CFW jointly compose the overall boundary protection of cloud network security. WAF tends to protect encrypted HTTPS traffic, while unencrypted traffic is protected by the basic rules and virtual patching of the IPS (Intrusion Prevention System) integrated in CFW.
For the different types of WAF and the different types of Internet edge firewall, the working modes are as shown in the table below:

Firewall Type | Internet Boundary Bypass Firewall | Internet Boundary Serial Firewall
SaaS-WAF | Works in parallel; traffic does not pass through the firewall. | Works in serial; traffic first passes through WAF and then through the firewall, and all source IPs seen by the firewall are origin-pull IPs.
CLB-WAF | Works in serial; traffic first passes through the firewall and then through CLB-WAF. | Works in serial; traffic first passes through the firewall and then through CLB-WAF.

For Outbound Traffic

Through the NAT boundary firewall, proactive outbound connection control can be implemented at the granularity of a Cloud Virtual Machine (CVM), and access control based on domain names is supported. Combined with Tencent Threat Intelligence, malicious IPs and domain names contacted by proactive outbound connections can be automatically intercepted.
If the NAT boundary firewall is not enabled, access control can only be applied to the traffic behind the NAT gateway at the Internet edge firewall; at that point, CFW sees only the public IP.