Help Center> Cloud Firewall> Service Overview> Constraints and Limitations
Updated on 2024-01-12 GMT+08:00
View PDF

Constraints and Limitations

Constraints and Limitations describes the overall constraints of CFW. Function Constraints and Limitations describes the constraints of each function. For details about the differences between editions, see Editions.

Constraints and Limitations

  • The CFW ALG tag function is restricted.
  • By default, the network-layer defense against DDoS attacks and IP spoofing is disabled on CFW.
  • Domain name protection depends on the DNS server you configure. The IP address of a default server may be incorrectly resolved. You are advised to use a custom server.
  • To use CFW persistent connections, enable a bidirectional out-of-path policy. If you only enable a unidirectional policy, the client will need to re-initiate connections in certain scenarios, such as enabling or disabling protection, and expanding engine capacities. You can also create a service ticket to evaluate the risks of related issues.
  • The maximum bandwidth of a pay-per-use firewall (total traffic that can pass through the firewall) is 1 Gbit/s.

Function Constraints and Limitations

Table 1 Function constraints and limitations of CFW

Function

Constraint and Limitation

HUAWEI Ads Account Registration Place

CFW can be used in the selected region only. To use CFW in another region, switch to the corresponding region and then purchase it. For details about the regions where CFW can be purchased, see Function Overview.

Protection rules
  • Up to 20,000 protection rules can be added.
  • A single protection rule can be associated with a maximum of five service groups.
  • Each protection rule can be associated with up to two IP address groups.
  • Domain names in Chinese are not supported.
  • Predefined address groups can be configured only for the source addresses in inbound rules (whose Direction is set to Inbound).
  • If NAT 64 protection is enabled and IPv6 access is used, allow traffic from the 192.19.0.0/16 CIDR block to pass through. NAT64 will translate source IP addresses into the CIDR block 198.19.0.0/16 for ACL access control.

Blacklist and whitelist parameters
  • Up to 2000 items can be added to the blacklist.
  • Up to 2000 items can be added to the whitelist.

IP address groups
  • An IP address group can contain up to 640 IP addresses.
  • A firewall instance can contain up to 3800 IP address groups.
  • A firewall instance can contain up to 30,000 IP addresses.

Service groups
  • A service group can have up to 64 services.
  • A firewall instance can have up to 512 service groups.
  • A firewall instance can have up to 900 services.

Domain name groups
  • Domain names in Chinese cannot be added to domain name groups.
  • The domain names in a domain name group can be referenced by protection rules for up to 40,000 times, and wildcard domain names can be referenced for up to 2,000 times.
URL Filtering (Layer 7 Protocol Parsing)
  • A domain name group can have up to 1,500 domain names.
  • A firewall instance can have up to 500 domain name groups.
  • A firewall instance can have up to 2,500 domain names.
Address Resolution (Layer 4 Protocol Parsing)
  • A domain name group can have up to 15 domain names.
  • Each domain name can resolve up to 1000 IP addresses.
  • Each domain name group can resolve up to 1,500 IP addresses.
  • A firewall instance can have up to 1000 domain names.

Changing the action of a basic protection rule
  • The action of a manually modified rule remains unchanged even if Protection Mode is changed.
  • The constraints on manually modified actions are as follows:
    • The actions of up to 3000 rules can be manually changed to observation.
    • The actions of up to 3000 rules can be manually changed to interception.
    • The actions of up to 128 rules can be manually changed to disabling.

Customizing IPS signatures
  • Only the professional edition supports custom IPS signatures.
  • A maximum of 500 features can be added.
  • Custom IPS signatures are not affected by the change of the basic protection mode.
  • Content can be set to URI only if Direction is set to Client to server and Protocol Type is set to HTTP.

Querying logs
  • Logs can be stored for up to seven days.
  • Up to 100,000 records can be exported for a single log.

Network packet capture
  • Only one packet capture task can be executed at a time.
  • Up to 20 packet capture tasks can be created every day.
  • Up to 1 million packets can be captured.

Configuring DNS resolution

A maximum of two DNS servers can be customized.