Adding a Protection Rule
Access control policies can help you manage and control the traffic between servers and external networks in a refined manner, prevent the spread of internal threats, and enhance the depth of security strategies.
After EIP protection is enabled, the default status of the access control policy is Allow. If you want to allow only several EIPs, you are advised to add a protection rule with the lowest priority to block all traffic.
Caution:
- For details about back-to-source IP addresses, see What Are Back-to-Source IP Addresses?
- For details about how to configure the whitelist, see Adding an Item to the Blacklist or Whitelist.
Prerequisites
You have synchronized assets and enabled EIP protection. See Enabling EIP Protection.
Specification Limitations
To enable VPC border protection, NAT protection, and private IP address protection, use the professional edition of CFW and enable the VPC firewall protection.
Constraints
- Up to 20,000 protection rules can be added.
- A single protection rule can be associated with a maximum of five service groups.
- Each protection rule can be associated with up to two IP address groups.
- Domain names in Chinese are not supported.
- Predefined address groups can be configured only for the source addresses in inbound rules (whose Direction is set to Inbound).
- If NAT64 protection is enabled and IPv6 access is used, allow traffic from the 192.19.0.0/16 CIDR block to pass through. NAT64 translates source IP addresses into the CIDR block 198.19.0.0/16 for ACL access control.
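The limits listed above, together with the port, long-connection duration and domain name formats that Table 1 below describes, can be checked before a rule is entered in the console. The following Python script is an added example, not code from the CFW console or its API: the function names, the constants and the sample values are the example's own, and the limits it encodes are the ones stated on this page.

```python
"""Offline pre-submission checks for CFW protection-rule parameters.

Added example, not code from the CFW console or its API: it encodes the limits
this page states (ports given as N or N-M inside 1-65535, a long-connection
duration between 1 second and 1000 days, at most 100 long-connection rules,
20,000 rules in total, five service groups and two IP address groups per rule,
single or wildcard domain names without Chinese characters). All inputs below
are constructed sample values.
"""
import re
from typing import List, Optional, Tuple

MAX_RULES = 20_000                       # "Up to 20,000 protection rules can be added"
MAX_SERVICE_GROUPS = 5                   # per rule
MAX_ADDRESS_GROUPS = 2                   # per rule
MAX_LONG_CONNECTION_RULES = 100          # "Up to 100 rules can be configured with long connections"
MAX_DURATION_SECONDS = 1000 * 24 * 3600  # "1 second to 1000 days"
# One DNS label: 1-63 ASCII letters, digits or hyphens, not starting or ending with a hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def port_spec_problem(spec: str) -> Optional[str]:
    """Return None when spec is a single port (22) or a range (80-443) within 1-65535."""
    parts = spec.split("-")
    if len(parts) > 2 or not all(p.isdigit() for p in parts):
        return f"port {spec!r} must be N or N-M"
    start, end = int(parts[0]), int(parts[-1])
    if not 1 <= start <= end <= 65535:
        return f"port {spec!r} is outside 1-65535 or reversed"
    return None


def long_connection_seconds(hours: int, minutes: int, seconds: int) -> int:
    """Total seconds for the hour/minute/second fields of Long Connection Duration."""
    return hours * 3600 + minutes * 60 + seconds


def duration_problem(hours: int, minutes: int, seconds: int) -> Optional[str]:
    """Return None when the duration lies within 1 second to 1000 days."""
    total = long_connection_seconds(hours, minutes, seconds)
    if not 1 <= total <= MAX_DURATION_SECONDS:
        return f"duration {total}s is outside 1 second to 1000 days"
    return None


def domain_kind(name: str) -> str:
    """Classify a destination domain name as 'single' (www.example.com),
    'wildcard' (*.example.com) or 'invalid' (non-ASCII, bare label, bad label)."""
    if not name.isascii():               # Chinese (or any non-ASCII) domain names are not supported
        return "invalid"
    labels = name.lower().rstrip(".").split(".")
    kind = "single"
    if labels[0] == "*":                 # wildcard: no DNS resolution, HTTP/HTTPS applications only
        kind, labels = "wildcard", labels[1:]
    if len(labels) < 2 or not all(LABEL_RE.match(label) for label in labels):
        return "invalid"
    return kind


def validate_rule(ports: List[str], *, existing_rules: int = 0, service_groups: int = 0,
                  address_groups: int = 0, long_connection: Optional[Tuple[int, int, int]] = None,
                  long_connection_rules: int = 0, domain: Optional[str] = None) -> List[str]:
    """Collect every limit the planned rule would break; an empty list means it can be submitted."""
    problems = [p for p in map(port_spec_problem, ports) if p]
    if existing_rules >= MAX_RULES:
        problems.append(f"{existing_rules} rules already reach the {MAX_RULES} limit")
    if service_groups > MAX_SERVICE_GROUPS:
        problems.append(f"{service_groups} service groups exceed the limit of {MAX_SERVICE_GROUPS}")
    if address_groups > MAX_ADDRESS_GROUPS:
        problems.append(f"{address_groups} IP address groups exceed the limit of {MAX_ADDRESS_GROUPS}")
    if long_connection is not None:
        if long_connection_rules >= MAX_LONG_CONNECTION_RULES:
            problems.append(f"{long_connection_rules} long-connection rules already reach the limit")
        p = duration_problem(*long_connection)
        if p:
            problems.append(p)
    if domain is not None and domain_kind(domain) == "invalid":
        problems.append(f"domain {domain!r} is not a valid single or wildcard domain name")
    return problems


if __name__ == "__main__":
    # The page's own example row: TCP, source port 80, destination port 80-443,
    # long connection of 60 hours 60 minutes 60 seconds, destination www.example.com.
    print(validate_rule(["80", "80-443"], long_connection=(60, 60, 60), domain="www.example.com"))
    # A deliberately broken rule: reversed range, port above 65535, too many service groups, Chinese domain.
    print(validate_rule(["443-80", "70000"], service_groups=6, domain="例子.com"))
```

The checks return messages instead of raising, so a rule planned in a spreadsheet or ticket can be run through `validate_rule` and every violated limit reported at once rather than discovered one at a time in the console.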
Adding an Internet Boundary Protection Rule
- Log in to the management console.
- Click the icon in the upper left corner of the management console and select a region or project.
- In the navigation pane, click the service list icon and choose the CFW service. The Dashboard page will be displayed, as shown in Figure 1.
- (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click View in the Operation column to go to the details page.
- In the navigation pane, open the access control policy page.
- Add a protection rule: click Add Rule. On the displayed page, enter the new protection information. For details, see Table 1.
Table 1 Internet boundary rule parameters

| Parameter | Description | Example Value |
|---|---|---|
| Name | Rule name. | test |
| Direction | Select a traffic direction if the protection rule is set to EIP.<br>- Inbound: Traffic from external networks to the internal server.<br>- Outbound: Traffic from internal servers to external networks. | Inbound |
| Source | Source address of access traffic.<br>- IP address, in any of the following formats:<br>- A single IP address, for example, 192.168.10.5<br>- Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10<br>- Address segment, for example, 192.168.2.0/24<br>- IP address group: A collection of IP addresses. For details about how to add custom IP address groups, see Adding an IP Address Group. For details about a predefined address group, see Viewing a Predefined Address Group.<br>NOTE: If Direction is set to Inbound, a predefined address group can be configured for the source address.<br>- Countries and regions: If Direction is set to Inbound, you can control access based on continents, countries, and regions.<br>- Any: any source address | IP address, 192.168.10.5 |
| Destination | Destination address of access traffic.<br>- IP address: a single IP address, consecutive IP addresses, or an IP address segment.<br>- A single IP address, for example, 192.168.10.5<br>- Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10<br>- Address segment, for example, 192.168.2.0/24<br>- IP address group: A collection of IP addresses. For details about how to add custom IP address groups, see Adding an IP Address Group.<br>- Countries and regions: If Direction is set to Outbound, you can control access based on continents, countries, and regions.<br>- Domain name: If Direction is set to Outbound, you can enter a multi-level single domain name (for example, the top-level domain name example.com or the level-2 domain name www.example.com) or a wildcard domain name (*.example.com).<br>NOTE:<br>- Mandatory for a single domain name: click Test to check the validity of the domain name and perform DNS resolution. For details, see Configuring DNS Resolution. (Currently, up to 600 IP addresses can be resolved from a domain name.)<br>- If the domain name is a wildcard domain name, DNS resolution is not required. Only HTTP/HTTPS applications can be added.<br>- Domain name group: If Direction is set to Outbound, a collection of multiple domain names is supported.<br>NOTE: To protect a domain name, you are advised to configure a domain name group.<br>- Any: any destination address | Any |
| Service | Set the protocol type and port number of the access traffic.<br>- Service: Set Protocol Type, Source Port, and Destination Port.<br>- Protocol Type: The value can be TCP, UDP, or ICMP.<br>- Source/Destination Port: If Protocol Type is set to TCP or UDP, you need to set the port number.<br>NOTE:<br>- To specify all the ports of an IP address, set Port to 1-65535.<br>- You can specify a single port. For example, to manage access on port 22, set Port to 22.<br>- To set a port range, use a hyphen (-) between the starting and ending ports. For example, to manage access on ports 80 to 443, set Port to 80-443.<br>- Service group: A collection of services (protocols, source ports, and destination ports) is supported. For details about how to add a custom service group, see Adding a Service Group. For details about a predefined service group, see Viewing a Predefined Service Group.<br>- Any: any protocol type or port number | Service<br>Protocol Type: TCP<br>Source Port: 80<br>Destination Port: 80-443 |
| Action | Set the action to be taken when traffic passes through the firewall.<br>- Allow: Traffic is forwarded.<br>- Block: Traffic is not forwarded. | Allow |
| Allow Long Connection | If only one service is configured in the current protection rule and Protocol Type is set to TCP or UDP, you can configure the service session aging time.<br>- Yes: Configure the long connection duration.<br>- No: Retain the default durations. The default connection durations for different protocols are as follows:<br>- TCP: 1800s<br>- UDP: 60s<br>NOTE: Up to 100 rules can be configured with long connections. | Yes |
| Long Connection Duration | This parameter is mandatory if Allow Long Connection is set to Yes.<br>Configure the long connection duration in hours, minutes, and seconds.<br>NOTE: The duration range is 1 second to 1000 days. | 60 hours 60 minutes 60 seconds |
| Tags | (Optional) Tags are used to identify rules. You can use tags to classify and search for security policies. | - |
| Priority | Priority of the rule. Its value can be:<br>- Pin on top: indicates that the priority of the policy is set to the highest.<br>- Lower than the selected rule: indicates that the policy priority is lower than a specified rule.<br>NOTE: A smaller value indicates a higher priority. | Pin on top |
| Status | Whether the policy is enabled: switch on for enabled, switch off for disabled. | |
| Description | (Optional) Usage and application scenario | - |
- Click OK.
After EIP protection is enabled, the default status of the access control policy is Allow. If you want to allow only several EIPs, you are advised to add a protection rule with the lowest priority to block all traffic.
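Why the lowest-priority block-all rule matters can be checked offline. The following Python model is an added example, not CFW's own code: it reproduces the evaluation semantics this page describes (the Any / single IP / a-b range / CIDR address formats, the Any / N / N-M port formats, a smaller priority value winning, and a default action of Allow once EIP protection is enabled) and assumes, as firewall ACLs generally do, that the first matching enabled rule in priority order decides. The EIP 203.0.113.10, the source addresses and the rule names are constructed sample values.

```python
"""Model of how CFW access-control rules decide on a flow.

Added example, not CFW's own code: it reproduces the semantics this page
describes (address formats Any / single IP / a-b range / CIDR, port formats
Any / N / N-M, a smaller priority value winning, default action Allow once EIP
protection is on) and assumes, as firewall ACLs generally do, that the first
matching enabled rule in priority order decides. It shows why allowing only a
few EIPs needs a lowest-priority rule that blocks everything else. All rules
and flows are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


def address_matches(spec: str, ip: str) -> bool:
    """Match Any, a single IP, a consecutive range 'a-b' or an address segment 'x/len'."""
    if spec == "Any":
        return True
    addr = ipaddress.ip_address(ip)
    if "/" in spec:
        return addr in ipaddress.ip_network(spec, strict=False)
    if "-" in spec:
        low, high = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return low <= addr <= high
    return addr == ipaddress.ip_address(spec)


def port_matches(spec: str, port: Optional[int]) -> bool:
    """Match Any, a single port '22' or a range '80-443'."""
    if spec == "Any":
        return True
    if port is None:
        return False
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-", 1))
        return low <= port <= high
    return port == int(spec)


@dataclass
class Rule:
    name: str
    priority: int            # a smaller value means a higher priority
    source: str
    destination: str
    protocol: str = "Any"    # TCP, UDP, ICMP or Any
    src_port: str = "Any"    # only meaningful for TCP/UDP
    dst_port: str = "Any"
    action: str = "Allow"    # Allow or Block
    enabled: bool = True


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    protocol: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """Protocol, then ports (TCP/UDP only), then source and destination address."""
    if rule.protocol != "Any" and rule.protocol != flow.protocol:
        return False
    if rule.protocol in ("TCP", "UDP") and not (
            port_matches(rule.src_port, flow.src_port) and port_matches(rule.dst_port, flow.dst_port)):
        return False
    return address_matches(rule.source, flow.src_ip) and address_matches(rule.destination, flow.dst_ip)


def evaluate(rules: List[Rule], flow: Flow, default_action: str = "Allow") -> Tuple[str, Optional[str]]:
    """Return (action, rule name) of the first enabled matching rule in priority order,
    or (default_action, None) when nothing matches: after EIP protection is enabled the
    default is Allow, so an unmatched flow passes."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.enabled and rule_matches(rule, flow):
            return rule.action, rule.name
    return default_action, None


EIP = "203.0.113.10"  # constructed example EIP (documentation address range)
ALLOW_RULES = [
    Rule("allow-https-from-partner", 1, "198.51.100.0/24", EIP, "TCP", "Any", "443"),
    Rule("allow-ssh-from-admin", 2, "192.0.2.5", EIP, "TCP", "Any", "22"),
]
# The lowest-priority block-all rule the page recommends (largest priority value).
BLOCK_ALL = Rule("block-all-lowest-priority", 100, "Any", "Any", action="Block")


def decide(flow: Flow, with_block_all: bool = True) -> Tuple[str, Optional[str]]:
    """Evaluate a flow against the allow rules, with or without the block-all rule."""
    rules = ALLOW_RULES + ([BLOCK_ALL] if with_block_all else [])
    return evaluate(rules, flow)


if __name__ == "__main__":
    probe = Flow("192.0.2.99", EIP, "TCP", 51000, 22)        # SSH from an address not on the list
    print(decide(probe, with_block_all=False))                # ('Allow', None): default Allow lets it through
    print(decide(probe))                                      # ('Block', 'block-all-lowest-priority')
    print(decide(Flow("192.0.2.5", EIP, "TCP", 51000, 22)))  # ('Allow', 'allow-ssh-from-admin')
```

Without the block-all rule, the probe from 192.0.2.99 matches nothing and falls through to the default Allow; with it, only the two listed sources reach the EIP on their ports, and everything else is blocked by the rule with the largest priority value.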
Adding a VPC Border Protection Rule
- Log in to the management console.
- Click the icon in the upper left corner of the management console and select a region or project.
- In the navigation pane, click the service list icon and choose the CFW service. The Dashboard page will be displayed, as shown in Figure 2.
- (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click View in the Operation column to go to the details page.
- In the navigation pane, open the access control policy page. Click the Inter-VPC Borders tab.
- Add a protection rule: click Add Rule. In the displayed dialog box, enter the new protection information. For details, see Table 2.
Table 2 Adding a protection rule

| Parameter | Description | Example Value |
|---|---|---|
| Name | Name of the custom security policy. | test |
| Source | Source of data packets in the access traffic.<br>- IP address: a single IP address, consecutive IP addresses, or an IP address segment.<br>- A single IP address, for example, 192.168.10.5<br>- Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10<br>- Address segment, for example, 192.168.2.0/24<br>- IP address group: A collection of IP addresses. For details, see Adding an IP Address Group.<br>- Any: any source address | IP address, 192.168.10.5 |
| Destination | Destination address of access traffic.<br>- IP address: a single IP address, consecutive IP addresses, or an IP address segment.<br>- A single IP address, for example, 192.168.10.5<br>- Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10<br>- Address segment, for example, 192.168.2.0/24<br>- IP address group: A collection of IP addresses. For details, see Adding an IP Address Group.<br>- Any: any destination address | Any |
| Service | Set the protocol type and port number of the access traffic.<br>- Service: Set Protocol Type, Source Port, and Destination Port.<br>- Protocol Type: The value can be TCP, UDP, or ICMP.<br>- Source/Destination Port: If Protocol Type is set to TCP or UDP, you need to set the port number.<br>NOTE:<br>- To specify all the ports of an IP address, set Port to 1-65535.<br>- You can specify a single port. For example, to manage access on port 22, set Port to 22.<br>- To set a port range, use a hyphen (-) between the starting and ending ports. For example, to manage access on ports 80 to 443, set Port to 80-443.<br>- Service group: A collection of services (protocols, source ports, and destination ports) is supported. For details about how to add a custom service group, see Adding a Custom Service Group. For details about predefined service groups, see Viewing a Predefined Service Group.<br>- Any: any protocol type or port number | Service<br>Protocol Type: TCP<br>Source Port: 80<br>Destination Port: 80-443 |
| Action | Set the action to be taken when traffic passes through the firewall.<br>- Allow: Traffic is forwarded.<br>- Block: Traffic is not forwarded. | Allow |
| Allow Long Connection | If only one service is configured in the current protection rule and Protocol Type is set to TCP or UDP, you can configure the service session aging time.<br>- Yes: Configure the long connection duration.<br>- No: Retain the default durations. The default connection durations for different protocols are as follows:<br>- TCP: 1800s<br>- UDP: 60s<br>NOTE: Up to 100 rules can be configured with long connections. | Yes |
| Long Connection Duration | This parameter is mandatory if Allow Long Connection is set to Yes.<br>Configure the long connection duration in hours, minutes, and seconds.<br>NOTE: The duration range is 1 second to 1000 days. | 60 hours 60 minutes 60 seconds |
| Tag | (Optional) Tags are used to identify rules. You can use tags to classify and search for security policies. | - |
| Priority | Priority of the rule. Its value can be:<br>- Pin on top: indicates that the priority of the policy is set to the highest.<br>- Lower than the selected rule: indicates that the policy priority is lower than a specified rule.<br>NOTE: A smaller value indicates a higher priority. | Pin on top |
| Status | Whether the policy is enabled: switch on for enabled, switch off for disabled. | |
| Description | (Optional) Usage and application scenario | - |
- Click OK.
Configuration Example - Allowing the Inbound Traffic from a Specified IP Address
Configuration Example - Blocking Access from a Region
![](https://support.huaweicloud.com/eu/usermanual-cfw/en-us_image_0000001771381669.png)
Configuration Example - NAT Protection
Assume your private IP address is 10.1.1.2 and the external domain name accessed through the NAT gateway is www.example.com. Configure NAT protection as follows and set other parameters based on your deployment:
![](https://support.huaweicloud.com/eu/usermanual-cfw/en-us_image_0000001810536689.png)