Access Control Policy Overview
After protection is enabled, CFW access control policies allow all traffic by default. Proper access control policies help you implement refined management and control on traffic between internal servers and the Internet, prevent internal threats from spreading, and enhance in-depth security.
Access Control Policy Types
Access control policies are classified into protection rules and blacklist/whitelist. Differences between protection rules and blacklist/whitelist shows more details. If traffic hits a policy, the action of the policy will be taken.
Type |
Protected Object |
Network Type |
Action |
Configuration Method |
---|---|---|---|---|
Protection rules |
|
|
|
|
Blacklist |
|
Traffic is blocked directly. |
Adding Blacklist or Whitelist Items to Block or Allow Traffic |
|
Whitelist |
Traffic is allowed by CFW and not checked by other functions. |
Specification Limitations
To enable VPC border protection and NAT protection, use the CFW professional edition and enable VPC firewall protection.
Precautions for Configuring a Blocking Policy
The precautions for configuring a protection rule or a blacklist item for blocking IP addresses are as follows:
- You are advised to preferentially configure specific IP addresses (for example, 192.168.10.5) to reduce network segment configurations and avoid improper blocking.
- Exercise caution when configuring protection rules to block reverse proxy IP addresses, such as the WAF back-to-source IP addresses. You are advised to configure protection rules or whitelist to permit reverse proxy IP addresses.
- Blocking forward proxy IP addresses (such as company egress IP addresses) can have a large impact. Exercise caution when configuring protection rules to block forward proxy IP addresses.
- When configuring region protection, take possible EIP changes into consideration.
Wildcard Rule
Parameter |
Input |
Description |
---|---|---|
Source/Destination |
0.0.0.0/0 |
All IP addresses |
Domain name |
www.example.com |
Domain name www.example.com |
Domain name |
*.example.com |
All domain names ending with example.com, for example, test.example.com |
Service - Source port or destination port |
1-65535 |
All ports |
Service - Source port or destination port |
80-443 |
All ports in the range 80 to 443 |
Service - Source port or destination port |
|
Ports 80 and 443 |
References
- For details about how to add a single rule to protect traffic, see Adding Protection Rules to Block or Allow Traffic. For details about how to add a single blacklist or whitelist item to protect traffic, see Adding Blacklist or Whitelist Items to Block or Allow Traffic.
- For details about how to add protection policies in batches, see Importing and Exporting Protection Policies.
- Follow-up operations after adding a policy:
- Policy hits: For details about the protection overview, see Viewing Protection Information Using the Policy Assistant. For details about logs, see Access Control Logs.
- For details about the traffic trend and statistics, see Viewing Traffic Statistics. For details about traffic records, see Traffic Logs.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.