Updated on 2025-07-23 GMT+08:00

Configuring Protection Rules to Block or Allow Internet Border Traffic

After protection is enabled, CFW allows all traffic by default. You can configure protection rules to block or allow traffic.

Protection Rule Description

The protected objects, actions, and application scenarios of protection rules are as follows.

Protected object

  • 5-tuples
  • IP address groups
  • Geographical locations
  • Domain names and domain name groups (layer-4 and layer-7 traffic)
  • Applications

Network type

  • EIP
  • Private IP address

Action

  • If Block is selected, the traffic is blocked.
  • If Allow is selected, the traffic is allowed by the protection rule and is then checked by IPS.

Scenario

You can configure protection rules in the following scenarios:

CAUTION:
If your IP address is a WAF back-to-source IP address, you are advised to configure a protection rule or the whitelist to allow its access. Exercise caution when configuring a protection rule that blocks access, because it may affect your services.

Specification Limitations

Only the professional edition supports VPC border protection and NAT traffic (private IP address) protection.

Constraints

  • CFW does not support application-level gateways (ALGs). If you run ALG-dependent services (such as SIP and FTP), you are advised to add a rule that allows the traffic on all ports of the data channels (that is, set Service to Any and Protective Action to Allow).
  • To use CFW persistent connections, enable a bidirectional bypass policy. If you only enable a unidirectional policy, the client will need to re-initiate connections in certain scenarios, such as enabling or disabling protection, and expanding engine capacities. You can also create a service ticket to evaluate the risks of related issues.
  • Quota:
    • Up to 20,000 protection rules can be added.
    • The restrictions on a single protection rule are as follows:
      • A maximum of 20 source IP addresses and 20 destination IP addresses can be added.
      • A maximum of two source IP address groups and two destination IP address groups can be associated.
      • A maximum of five service groups can be associated.
  • Restrictions on domain name protection:
    • Domain names in Chinese are not supported.
    • Restrictions on application-layer domain name reference:
      • Each firewall instance can reference up to 60,000 domain names.
      • Each firewall instance can reference up to 1,000 wildcard domain names.
      • Each protection rule can reference up to 20,000 domain names.
      • Each protection rule can reference up to 128 wildcard domain names.

      Calculation: If both rule A and rule B of a firewall reference domain name 1 and domain name group A (containing domain names 2 and 3), then the number of domain names referenced by rule A or rule B is 3, and the number of domain names referenced by the firewall instance is 6.

    • Domain name protection depends on the DNS server you configure. The default DNS server may be unable to resolve all of a domain name's IP addresses. You are advised to configure DNS resolution if your services' domain names need to be accessed.
  • Predefined address groups can be configured only for the source addresses in inbound rules (whose Direction is set to Inbound).
  • If NAT64 protection is enabled and IPv6 access is used, allow traffic from the 198.19.0.0/16 CIDR block. NAT64 translates source IP addresses into the 198.19.0.0/16 CIDR block before ACL access control is applied.
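The domain name quota calculation in the constraints above (rule A and rule B each reference domain name 1 plus group A, giving 3 per rule and 6 for the instance) is easy to get wrong when groups are nested into many rules. The following Python script is an added example, not part of this page or of CFW itself: it expands group references, counts plain and wildcard domain names per rule and per instance using the page's summation semantics, and flags the limits quoted above. The group and rule names, the `group:` prefix convention, the `.example` domain names, and counting distinct names within one rule are all assumptions for illustration.

```python
from typing import Dict, Iterable, List, Set, Tuple

# Limits quoted in the Constraints list above.
MAX_DOMAINS_PER_RULE = 20_000
MAX_WILDCARDS_PER_RULE = 128
MAX_DOMAINS_PER_INSTANCE = 60_000
MAX_WILDCARDS_PER_INSTANCE = 1_000

# Constructed sample data: a domain name group "A" holding domain names 2 and 3,
# and two rules that each reference domain name 1 plus group A (the page's own example).
SAMPLE_GROUPS: Dict[str, List[str]] = {
    "A": ["domain2.example", "domain3.example"],
}
SAMPLE_RULES: Dict[str, List[str]] = {
    "rule A": ["domain1.example", "group:A"],
    "rule B": ["domain1.example", "group:A"],
}


def expand_rule(refs: Iterable[str], groups: Dict[str, List[str]]) -> Set[str]:
    """Distinct domain names a rule references, with "group:<name>" references
    expanded into their members. Counting distinct names per rule is an assumption;
    the page only shows the case where nothing overlaps."""
    names: Set[str] = set()
    for ref in refs:
        if ref.startswith("group:"):
            names.update(groups[ref[len("group:"):]])
        else:
            names.add(ref)
    return names


def count_references(rules: Dict[str, List[str]],
                     groups: Dict[str, List[str]]) -> Tuple[Dict[str, Tuple[int, int]], int, int]:
    """Per-rule (domains, wildcards) counts plus the instance totals. The instance
    total is the sum over rules, as in the page's calculation (3 + 3 = 6), not a union."""
    per_rule: Dict[str, Tuple[int, int]] = {}
    for rule_name, refs in rules.items():
        names = expand_rule(refs, groups)
        wildcards = {n for n in names if n.startswith("*.")}
        per_rule[rule_name] = (len(names), len(wildcards))
    total = sum(n for n, _ in per_rule.values())
    total_wild = sum(w for _, w in per_rule.values())
    return per_rule, total, total_wild


def check_quotas(rules: Dict[str, List[str]], groups: Dict[str, List[str]]) -> List[str]:
    """Return a list of quota violations (empty when the configuration fits)."""
    per_rule, total, total_wild = count_references(rules, groups)
    problems: List[str] = []
    for rule_name, (n, w) in per_rule.items():
        if n > MAX_DOMAINS_PER_RULE:
            problems.append(f"{rule_name}: {n} domain names exceeds {MAX_DOMAINS_PER_RULE}")
        if w > MAX_WILDCARDS_PER_RULE:
            problems.append(f"{rule_name}: {w} wildcard domain names exceeds {MAX_WILDCARDS_PER_RULE}")
    if total > MAX_DOMAINS_PER_INSTANCE:
        problems.append(f"instance: {total} domain names exceeds {MAX_DOMAINS_PER_INSTANCE}")
    if total_wild > MAX_WILDCARDS_PER_INSTANCE:
        problems.append(f"instance: {total_wild} wildcard domain names exceeds {MAX_WILDCARDS_PER_INSTANCE}")
    return problems


if __name__ == "__main__":
    per_rule, total, total_wild = count_references(SAMPLE_RULES, SAMPLE_GROUPS)
    print(per_rule, total, total_wild)            # rule A and rule B: 3 each; instance: 6
    print(check_quotas(SAMPLE_RULES, SAMPLE_GROUPS))   # no violations
    # Constructed over-limit case: a single rule referencing 129 wildcard domain names.
    too_many = {"rule C": [f"*.w{i}.example" for i in range(129)]}
    print(check_quotas(too_many, SAMPLE_GROUPS))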

Impacts on Services

When configuring a blocking rule, if address translation or proxy is involved, evaluate the impact of blocking IP addresses with caution.

Adding an Internet Border Protection Rule

The procedure depends on the traffic direction. To add an inbound rule:

  1. Enable EIP protection. For details, see Enabling Internet Border Traffic Protection.
  2. (Optional) To add multiple IP addresses, domain names, and services (protocols, source ports, and destination ports), add their groups first.

  3. In the navigation pane on the left of the CFW console, choose Access Control > Internet Border Protection Rules.
  4. Add a protection rule.

    On the Protection Rules > EIP tab, click Add Rule. Configure protection parameters. For details, see Table 1.

    Table 1 Internet boundary rule parameters (inbound direction)

    Parameter

    Description

    Rule Type

    Select EIP (the default) to protect EIP traffic. Only EIPs can be configured in this case.

    NOTE:

    For the standard edition firewall, the Rule Type parameter does not apply. Only EIP rules can be configured.

    IP Type

    IP type of the security policy.

    Name

    Name of the custom security policy.

    Direction

    Traffic direction of the protection rule. Select Inbound.
    • Inbound: Cloud assets (EIPs) are accessed from the Internet.
    • Outbound: Cloud assets (EIPs) access the Internet.

    Source

    Set the party that originates a session.
    • IP Address: Enter EIPs. This parameter can be configured in the following formats:
      • A single EIP, for example, xx.xx.10.5
      • Consecutive EIPs, for example, xx.xx.0.2-xx.xx.0.10
      • EIP segment, for example, xx.xx.2.0/24
      • Multiple inconsecutive IP addresses can be added one by one.
    • IP address group. You can configure multiple EIPs.

      If Direction is set to Inbound, a predefined address group can be configured for the source address.

      For details about how to add a user-defined IP address group, see Adding an IP Address Group. For details about how to view a predefined IP address group, see Viewing a Predefined Address Group.

    • Countries and regions: If Direction is set to Inbound, you can control access based on continents, countries, and regions.
    • Any: any source address

    Destination

    Set the recipient of a session.
    • IP Address: Enter EIPs. This parameter can be configured in the following formats:
      • A single EIP, for example, xx.xx.10.5
      • Consecutive EIPs, for example, xx.xx.0.2-xx.xx.0.10
      • EIP segment, for example, xx.xx.2.0/24
      • Multiple inconsecutive IP addresses can be added one by one.
    • IP address group. You can configure multiple EIPs.

      For details about how to add a custom IP address group, see Adding a User-defined IP Address Group.

    • Any: any destination address

    Service

    • Service: Set Protocol Type, Source Port, and Destination Port.
      • Protocol: The value can be TCP, UDP, or ICMP.
      • Source/Destination Port: If Protocol is set to TCP or UDP, you need to set the port number.
        • To specify all the ports of an IP address, set Port to 1-65535.
        • You can specify a single port. For example, to manage access on port 22, set Port to 22.
        • To set a port range, use a hyphen (-) between the starting and ending ports. For example, to manage access on ports 80 to 443, set Port to 80-443.
    • Service group: A collection of services (protocols, source ports, and destination ports).

      For details about how to add a custom service group, see Adding a Service Group. For details about predefined service groups, see Viewing a Predefined Service Group.

    • Any: any protocol type or port number

    Protection Action

    Set the action to be taken when traffic passes through the firewall.
    • Allow: Traffic is forwarded.
    • Block: Traffic is not forwarded.

    Status

    Whether a policy is enabled.
    • Enabled: the policy takes effect immediately after being configured.
    • Disabled: the policy is not in effect.

    Priority

    Priority of the rule. Its value can be:
    • Pin on top: the rule is given the highest priority.
    • Lower than the selected rule: the rule's priority is lower than that of a rule you specify.

    A smaller value indicates a higher priority.

    The default priority of the first protection rule is 1. You do not need to configure its priority.

    Allow Long Connection

    If only one service is configured in the current protection rule and Protocol is set to TCP or UDP, you can configure the service session aging time (unit: second).

    Up to 50 rules can be configured with persistent connections.
    • Yes: Configure the persistent connection duration.
    • No: Retain the default durations. The default connection durations for different protocols are as follows:
      • TCP: 1800s
      • UDP: 60s

    Long Connection Duration

    If Allow Long Connection is set to Yes, set the persistent connection duration in hours, minutes, and seconds.

    The duration range is 1 second to 1,000 days.

    Tags

    (Optional) Tags are used to identify rules. You can use tags to classify and search for security policies.

    Description

    (Optional) Usage and application scenario

  5. Click OK to complete the protection rule configuration.

    After a protection rule is configured and enabled, it takes effect immediately.

To add an outbound rule:

  1. Enable EIP protection. For details, see Enabling Internet Border Traffic Protection.
  2. (Optional) To add multiple IP addresses, domain names, and services (protocols, source ports, and destination ports), add their groups first.

  3. In the navigation pane on the left of the CFW console, choose Access Control > Internet Border Protection Rules.
  4. Add a protection rule.

    On the EIP tab, click Add Rule. In the displayed dialog box, enter information. For details, see Table 2.

    Table 2 Internet boundary rule parameters (outbound direction)

    Parameter

    Description

    Rule Type

    Select EIP (the default) to protect EIP traffic. Only EIPs can be configured in this case.

    NOTE:

    For the standard edition firewall, the Rule Type parameter does not apply. Only EIP rules can be configured.

    IP Type

    IP type of the security policy.

    Name

    Name of the custom security policy.

    Direction

    Traffic direction of the protection rule. Select Outbound.
    • Inbound: Cloud assets (EIPs) are accessed from the Internet.
    • Outbound: Cloud assets (EIPs) access the Internet.

    Source

    Set the party that originates a session.
    • IP Address: Enter EIPs. This parameter can be configured in the following formats:
      • A single EIP, for example, xx.xx.10.5
      • Consecutive EIPs, for example, xx.xx.0.2-xx.xx.0.10
      • EIP segment, for example, xx.xx.2.0/24
      • Multiple inconsecutive IP addresses can be added one by one.
    • IP address group. You can configure multiple EIPs.

      If Direction is set to Inbound, a predefined address group can be configured for the source address.

      For details about how to add a user-defined IP address group, see Adding an IP Address Group. For details about how to view a predefined IP address group, see Viewing a Predefined Address Group.

    • Any: any source address

    Destination

    Set the recipient of a session.
    • IP Address: Enter EIPs. This parameter can be configured in the following formats:
      • A single EIP, for example, xx.xx.10.5
      • Consecutive EIPs, for example, xx.xx.0.2-xx.xx.0.10
      • EIP segment, for example, xx.xx.2.0/24
      • Multiple inconsecutive IP addresses can be added one by one.
    • IP address group. You can configure multiple EIPs.

      For details about how to add a custom IP address group, see Adding a User-defined IP Address Group.

    • Countries and regions: A continent, a country, or a region
    • Domain Name/Domain Name Group: Domain names or domain groups can be protected.
      • Application: Domain names or wildcard domain names can be protected. Application-layer protocols such as HTTP, HTTPS, TLS, SMTPS, and POPS are supported. Domain names are used for matching.
      • Network: One or multiple domain names can be protected. It applies to network-layer protocols and supports all protocols. The resolved IP addresses are used for matching.
      NOTE:
      • To protect the domain names of HTTP, HTTPS, TLS, SMTPS, and POPS applications, you can select any option.
      • To protect wildcard domain names of HTTP, HTTPS, TLS, SMTPS, or POPS applications, select any option under Application. (A wildcard domain name has the format *.Domain name, where the wildcard character * matches any character or string, for example, *.example.com.)
      • To protect a single domain name of another application type (such as FTP, MySQL, or SMTP), select Network and then any option in the drop-down list. (If Domain name is selected, up to 600 IP addresses can be resolved.)
      • To protect multiple domain names of another application type (such as FTP, MySQL, or SMTP), select Network and then Network Domain Name Group in the drop-down list.
      • If the same domain name is configured both as a wildcard domain name or application domain name group for HTTP, HTTPS, TLS, SMTPS, or POPS and as a network domain name group for another application type, ensure that the Network protection rule has a higher priority than the Application protection rule.
      • For details about application- and network-type domain names, see Managing Domain Name Groups.
    • Any: any destination address

    Service

    • Service: Set Protocol Type, Source Port, and Destination Port.
      • Protocol: The value can be TCP, UDP, or ICMP.
      • Source/Destination Port: If Protocol is set to TCP or UDP, you need to set the port number.
        • To specify all the ports of an IP address, set Port to 1-65535.
        • You can specify a single port. For example, to manage access on port 22, set Port to 22.
        • To set a port range, use a hyphen (-) between the starting and ending ports. For example, to manage access on ports 80 to 443, set Port to 80-443.
    • Service group: A collection of services (protocols, source ports, and destination ports).

      For details about how to add a custom service group, see Adding a Service Group. For details about predefined service groups, see Viewing a Predefined Service Group.

    • Any: any protocol type or port number

    Protection Action

    Set the action to be taken when traffic passes through the firewall.
    • Allow: Traffic is forwarded.
    • Block: Traffic is not forwarded.

    Status

    Whether a policy is enabled.
    • Enabled: the policy takes effect immediately after being configured.
    • Disabled: the policy is not in effect.

    Priority

    Priority of the rule. Its value can be:
    • Pin on top: the rule is given the highest priority.
    • Lower than the selected rule: the rule's priority is lower than that of a rule you specify.

    A smaller value indicates a higher priority.

    The default priority of the first protection rule is 1. You do not need to configure its priority.

    Allow Long Connection

    If only one service is configured in the current protection rule and Protocol is set to TCP or UDP, you can configure the service session aging time (unit: second).

    Long Connection Duration

    If Allow Long Connection is set to Yes, set the persistent connection duration in hours, minutes, and seconds.

    Tags

    (Optional) Tags are used to identify rules. You can use tags to classify and search for security policies.

    Description

    (Optional) Usage and application scenario

  5. Click OK to complete the protection rule configuration.

    After a protection rule is configured and enabled, it takes effect immediately.
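Tables 1 and 2 describe the Source, Destination, Service, Protection Action and Priority rows, and the Constraints section warns that NAT64 clients arrive from 198.19.0.0/16. The Python script below is an added example, not code from this page or from CFW: it parses the address and port formats the tables list, evaluates a small constructed rule set in priority order, and shows how a NAT64 allow rule placed below a Block rule never fires until it is pinned on top. The rule names, the documentation-range addresses (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24), first-match evaluation and the default Allow for unmatched traffic (taken from the opening sentence of the page) are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# From the Constraints list: NAT64 rewrites IPv6 client sources into this block.
NAT64_POOL = ipaddress.ip_network("198.19.0.0/16")


def parse_ports(spec: str) -> Tuple[int, int]:
    """Accept the Service formats from the tables: "22", "80-443", "1-65535" or "Any".
    Returns the inclusive (low, high) range and rejects malformed or reversed ranges."""
    if spec.strip().lower() == "any":
        return 1, 65535
    low, _, high = spec.partition("-")
    lo, hi = int(low), int(high) if high else int(low)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"invalid port specification: {spec!r}")
    return lo, hi


def address_matches(spec: str, ip: str) -> bool:
    """Match the Source/Destination formats: a single address, a consecutive
    range "a-b", a CIDR segment, or "Any"."""
    if spec.strip().lower() == "any":
        return True
    addr = ipaddress.ip_address(ip)
    if "/" in spec:
        return addr in ipaddress.ip_network(spec, strict=False)
    if "-" in spec:
        low, high = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return addr.version == low.version and low <= addr <= high
    return addr == ipaddress.ip_address(spec.strip())


@dataclass
class Rule:
    name: str
    priority: int        # smaller value = higher priority, as the Priority row states
    source: str
    destination: str
    protocol: str        # "TCP", "UDP", "ICMP" or "Any"
    dst_port: str        # "22", "80-443", "1-65535" or "Any"
    action: str          # "Allow" or "Block"
    enabled: bool = True


@dataclass
class Flow:
    src: str
    dst: str
    protocol: str
    dst_port: int = 0    # ignored for ICMP


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, Optional[str]]:
    """Walk enabled rules in priority order and return (action, matching rule name).
    Assumptions: the first matching rule decides, and a flow that matches no rule is
    allowed, which is the default the page states for a freshly enabled firewall."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if not rule.enabled:
            continue
        if rule.protocol.lower() != "any" and rule.protocol.upper() != flow.protocol.upper():
            continue
        if flow.protocol.upper() in ("TCP", "UDP"):
            lo, hi = parse_ports(rule.dst_port)
            if not lo <= flow.dst_port <= hi:
                continue
        if not (address_matches(rule.source, flow.src)
                and address_matches(rule.destination, flow.dst)):
            continue
        return rule.action, rule.name
    return "Allow", None


def pin_on_top(rules: List[Rule], name: str) -> List[Rule]:
    """Model the "Pin on top" priority option: give one rule a value below every other."""
    top = min(r.priority for r in rules) - 1
    return [Rule(**{**vars(r), "priority": top}) if r.name == name else r for r in rules]


# Constructed rule set protecting one EIP (198.51.100.5). Note the NAT64 allow rule
# sits below the SSH block rule, so NAT64 clients on port 22 are still blocked.
SAMPLE_RULES = [
    Rule("allow-admin-ssh", 1, "203.0.113.10-203.0.113.20", "198.51.100.5", "TCP", "22", "Allow"),
    Rule("block-ssh",       2, "Any",                        "198.51.100.5", "TCP", "22", "Block"),
    Rule("allow-nat64",     3, "198.19.0.0/16",              "Any",          "Any", "Any", "Allow"),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_RULES, Flow("203.0.113.15", "198.51.100.5", "TCP", 22)))
    print(evaluate(SAMPLE_RULES, Flow("192.0.2.7", "198.51.100.5", "TCP", 22)))
    print(evaluate(SAMPLE_RULES, Flow("198.19.4.20", "198.51.100.5", "TCP", 22)))
    print(evaluate(pin_on_top(SAMPLE_RULES, "allow-nat64"),
                   Flow("198.19.4.20", "198.51.100.5", "TCP", 22)))
```

Run stand-alone, the script prints the admin range allowed, an arbitrary Internet source blocked on port 22, the NAT64-translated client also blocked, and the same client allowed once the NAT64 rule is pinned on top; the last two lines are the practical reason the Constraints section tells you to allow 198.19.0.0/16 explicitly and the Priority row stresses that a smaller value wins.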

Viewing Protection Rule Hits

After your services run for a period of time, you can view the number of rule hits in the Hits column of the protection rule list.

Follow-up Operations

Checking protection outcomes
