Updated on 2023-12-06 GMT+08:00

Configuring an Access Control Policy

The default status of the access control policy is Allow. Configure an appropriate access control policy for fine-grained management and control, to prevent internal threats from spreading and to improve security. For details about how to configure the access control policy, see Adding an Internet Boundary Protection Rule.

Adding an Internet Boundary Protection Rule

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation pane, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed, as shown in Figure 1.

    Figure 1 CFW Dashboard

  4. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click View in the Operation column to go to the details page.
  5. In the navigation pane, choose Access Control > Access Policies.
  6. Add a protection rule.

    Click Add Rule. In the displayed dialog box, enter the protection rule information. For details, see Table 1.

    Table 1 Internet boundary rule parameters

    Name
      Description: Rule name.
      Example Value: test

    Direction
      Description: Select a traffic direction.
        • Inbound: Traffic from external networks to the internal server.
        • Outbound: Traffic from internal servers to external networks.
      Example Value: Inbound

    Source
      Description: Source address of access traffic.
        • IP address: can be configured in the following formats:
          • A single IP address, for example, 192.168.10.5
          • Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10
          • Address segment, for example, 192.168.2.0/24
        • IP address group: A collection of IP addresses. For more information, see Adding an IP Address Group.
        • Countries and regions: If Direction is set to Inbound, you can control access based on continents, countries, and regions.
        • Any: any source address
      Example Value: IP address, 192.168.10.5

    Destination
      Description: Destination address of access traffic.
        • IP address: You can set a single IP address, consecutive IP addresses, or an IP address segment.
          • A single IP address, for example, 192.168.10.5
          • Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10
          • Address segment, for example, 192.168.2.0/24
        • IP address group: A collection of IP addresses. For details, see Adding an IP Address Group.
        • Countries and regions: If Direction is set to Outbound, you can control access based on continents, countries, and regions.
        • Domain name: If Direction is set to Outbound, you can enter a multi-level single domain name (for example, the top-level domain name example.com or the level-2 domain name www.example.com) or a wildcard domain name (*.example.com).
          NOTE: Click Test to check the validity of the domain name and perform DNS resolution. For details, see Configuring DNS Resolution. (Currently, up to 600 IP addresses can be resolved from a domain name.)
        • Domain name group: If Direction is set to Outbound, a collection of multiple domain names is supported.
          NOTE: To protect a domain name, you are advised to configure a domain name group.
        • Any: any destination address
      Example Value: Any

    Service
      Description: Set the protocol type and port number of the access traffic.
        • Service: Set Protocol Type, Source Port, and Destination Port.
          • Protocol Type: The value can be TCP, UDP, or ICMP.
          • Source/Destination Port: If Protocol Type is set to TCP or UDP, you need to set the port number.
          NOTE:
          • To specify all the ports of an IP address, set Port to 1-65535.
          • You can specify a single port. For example, to manage access on port 22, set Port to 22.
          • To set a port range, use a hyphen (-) between the starting and ending ports. For example, to manage access on ports 80 to 443, set Port to 80-443.
        • Service group: A collection of services (protocols, source ports, and destination ports) is supported. For more information, see Adding a Service Group.
        • Any: any protocol type or port number
      Example Value: Service; Protocol Type: TCP; Source Port: 80; Destination Port: 80-443

    Action
      Description: Set the action to be taken when traffic passes through the firewall.
        • Allow: Traffic is forwarded.
        • Block: Traffic is not forwarded.
      Example Value: Allow

    Allow Long Connection
      Description: If only one service is configured in the current protection rule and Protocol Type is set to TCP or UDP, you can configure the service session aging time.
        • Yes: Configure the long connection duration.
        • No: Retain the default durations. The default connection durations for different protocols are as follows:
          • TCP: 1800s
          • UDP: 60s
        NOTE: Up to 100 rules can be configured with long connections.
      Example Value: Yes

    Long Connection Duration
      Description: This parameter is mandatory if Allow Long Connection is set to Yes. Configure the long connection duration in hours, minutes, and seconds.
        NOTE: The duration range is 1 second to 1000 days.
      Example Value: 60 hours 60 minutes 60 seconds

    Tags
      Description: (Optional) Tags are used to identify rules. You can use tags to classify and search for security policies.
      Example Value: -

    Priority
      Description: Priority of the rule. Its value can be:
        • Pin on top: the policy is given the highest priority.
        • Lower than the selected rule: the policy priority is lower than that of a specified rule.
        NOTE: A smaller value indicates a higher priority.
      Example Value: Pin on top

    Status
      Description: Whether a policy is enabled.
      Example Value: enabled or disabled

    Description
      Description: (Optional) Usage and application scenario
      Example Value: -

  7. Click OK.

    After EIP protection is enabled, the default status of the access control policy is Allow, so traffic that matches no rule is forwarded. If you want to allow only a few EIPs, you are advised to add a protection rule with the lowest priority that blocks all traffic, so that only traffic matched by a higher-priority Allow rule gets through.
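The address and port formats from Table 1, the priority order, and the default Allow described in step 7 can be modelled as a first-match rule evaluator. The following is an added example, not CFW code: the rule names, addresses, and flows form a constructed policy that ends with a lowest-priority block-all rule, and the evaluation order is an assumption that mirrors the text (higher priority first, default Allow when nothing matches).

```python
import ipaddress
from dataclasses import dataclass

def address_matcher(spec):
    """Matcher for a Source/Destination value: 'Any', single IP, 'a-b' range, or CIDR segment."""
    if spec.lower() == "any":
        return lambda ip: True
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return lambda ip: lo <= ip <= hi
    net = ipaddress.ip_network(spec, strict=False)   # a single IP becomes a /32
    return lambda ip: ip in net

def port_matcher(spec):
    """Matcher for a port value: 'Any', a single port such as '22', or a range such as '80-443'."""
    if spec.lower() == "any":
        return lambda port: True
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    return lambda port: lo <= port <= hi

@dataclass
class Rule:
    name: str
    direction: str     # "Inbound" or "Outbound"
    source: str
    destination: str
    protocol: str      # "TCP", "UDP", "ICMP" or "Any"
    src_port: str
    dst_port: str
    action: str        # "Allow" or "Block"
    def matches(self, direction, src, dst, proto, sport, dport):
        return (self.direction == direction and self.protocol in ("Any", proto)
                and address_matcher(self.source)(ipaddress.ip_address(src))
                and address_matcher(self.destination)(ipaddress.ip_address(dst))
                and port_matcher(self.src_port)(sport) and port_matcher(self.dst_port)(dport))

def evaluate(rules, direction, src, dst, proto, sport, dport):
    """First matching rule in priority order decides; with no match the default status Allow applies."""
    for rule in rules:                     # rules are listed highest priority first
        if rule.matches(direction, src, dst, proto, sport, dport):
            return rule.action, rule.name
    return "Allow", "default"

# Constructed sample policy (assumption, not from the page): two narrow allows, then block-all.
POLICY = [
    Rule("ssh-from-admin", "Inbound", "203.0.113.0/24", "192.168.10.5", "TCP", "Any", "22", "Allow"),
    Rule("web", "Inbound", "Any", "192.168.0.2-192.168.0.10", "TCP", "Any", "80-443", "Allow"),
    Rule("block-all", "Inbound", "Any", "Any", "Any", "Any", "Any", "Block"),
]
```

Evaluating the same flows against `POLICY[:2]` (the policy without the block-all rule) shows why the page recommends it: unmatched inbound traffic falls through to the default Allow.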