Configuring an Access Control Policy

Adding an Internet Boundary Protection Rule

1. Log in to the management console.
2. Click in the upper left corner of the management console and select a region or project.
3. In the navigation pane, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed, as shown in Figure 1.
   Figure 1 CFW Dashboard
   

4. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click View in the Operation column to go to the details page.
5. In the navigation pane, choose Access Control > Access Policies.
6. Add a protection rule.
   Click Add Rule. In the displayed dialog box, enter new protection information. For details, see Table 1.

   Table 1 Internet boundary rule parameters

   Parameter	Description	Example Value
   Name	Rule name.	test
   Direction	Select a traffic direction. Inbound: Traffic from external networks to the internal server. Outbound: Traffic from internal servers to external networks.	Inbound
   Source	Source address of access traffic. IP address can be configured in the following formats: A single IP address, for example, 192.168.10.5 Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10 Address segment, for example, 192.168.2.0/24 IP address group: A collection of IP addresses. For more information, see Adding an IP Address Group. Countries and regions: If Direction is set to Inbound, you can control access based on continents, countries, and regions. Any: any source address	IP address, 192.168.10.5
   Destination	Destination address of access traffic. IP address: You can set a single IP address, consecutive IP addresses, or an IP address segment. A single IP address, for example, 192.168.10.5 Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10 Address segment, for example, 192.168.2.0/24 IP address group: A collection of IP addresses. For details, see Adding an IP Address Group. Countries and regions: If Direction is set to Outbound, you can control access based on continents, countries, and regions. Domain name: If Direction is set to Outbound, you can enter a multi-level single domain name (for example, top-level domain name example.com and level-2 domain name www.example.com) or a wildcard domain name (*.example.com). NOTE: Click Test to check the validity of the domain name and perform DNS resolution. For details, see Configuring DNS Resolution. (Currently, up to 600 IP addresses can be resolved from a domain name.) Domain name group: If Direction is set to Outbound, a collection of multiple domain names is supported. NOTE: To protect a domain name, you are advised to configure a domain name group. Any: any destination address	Any
   Service	Set the protocol type and port number of the access traffic. Service: Set Protocol Type, Source Port, and Destination Port. Protocol Type: The value can be TCP, UDP, or ICMP. Source/Destination Port: If Protocol Type is set to TCP or UDP, you need to set the port number. NOTE: To specify all the ports of an IP address, set Port to 1-65535. You can specify a single port. For example, to manage access on port 22, set Port to 22. To set a port range, use a hyphen (-) between the starting and ending ports. For example, to manage access on ports 80 to 443, set Port to 80-443. Service group: A collection of services (protocols, source ports, and destination ports) are supported. For more information, see Adding a Service Group. Any: any protocol type or port number	Service Protocol Type: TCP Source Port: 80 Destination Port: 80-443
   Action	Set the action to be taken when traffic passes through the firewall. Allow: Traffic is forwarded. Block: Traffic is not forwarded.	Allow
   Allow Long Connection	If only one service is configured in the current protection rule and Protocol Type is set to TCP or UDP, you can configure the service session aging time. Yes: Configure the long connection duration. No: Retain the default durations. The default connection durations for different protocols are as follows: TCP: 1800s UDP: 60s NOTE: Up to 100 rules can be configured with long connections.	Yes
   Long Connection Duration	This parameter is mandatory if Allow Long Connection is set to Yes. Configure the long connection duration. Configure the hour, minute, and second. NOTE: The duration range is 1 second to 1000 days.	60 hours 60 minutes 60 seconds
   Tags	(Optional) Tags are used to identify rules. You can use tags to classify and search for security policies.	-
   Priority	Priority of the rule. Its value can be: Pin on top: indicates that the priority of the policy is set to the highest. Lower than the selected rule: indicates that the policy priority is lower than a specified rule. NOTE: A smaller value indicates a higher priority.	Pin on top
   Status	Whether a policy is enabled. : enabled : disabled
   Description	(Optional) Usage and application scenario	-

7. Click OK.
   

   After EIP protection is enabled, the default status of the access control policy is Allow. If you want to allow only several EIPs, you are advised to add a protection rule with the lowest priority to block all traffic.