Adding Protection Rules to Block or Allow Traffic
After protection is enabled, CFW allows all traffic by default. You can configure protection rules to block or allow traffic.
- Protect the traffic of public network assets at the Internet border. For details, see Adding an Internet Boundary Protection Rule.
- Protect the access traffic between VPCs, or between a VPC and an IDC. For details, see Adding a VPC Border Protection Rule.
- For details about back-to-source IP addresses, see What Are Back-to-Source IP Addresses?.
- For details about how to configure the whitelist, see Adding Blacklist or Whitelist Items to Block or Allow Traffic.
Prerequisites
To protect Internet border traffic, EIP protection must be enabled. For details, see Enabling Internet Border Traffic Protection.
Specification Limitations
To enable VPC border protection and NAT (private IP address) protection, use the CFW professional edition and enable VPC firewall protection. For details, see VPC Border Firewall.
Constraints
- CFW does not support application-level gateways (ALGs). An ALG can analyze the fields in application-layer payloads and dynamically adjust policies for multi-channel protocols (such as FTP and SIP) whose payloads carry port numbers and IP addresses. CFW only supports static port policies. To allow multi-channel protocol communication, you are advised to configure a rule that allows traffic from all ports.
- To use CFW persistent connections, enable a bidirectional bypass policy. If you only enable a unidirectional policy, the client will need to re-initiate connections in certain scenarios, such as enabling or disabling protection, and expanding engine capacities. You can also create a service ticket to evaluate the risks of related issues.
- Up to 20,000 protection rules can be added.
- The restrictions on a single protection rule are as follows:
  - A maximum of 20 source IP addresses and 20 destination IP addresses can be added.
  - A maximum of two source IP address groups and two destination IP address groups can be associated.
  - A maximum of five service groups can be associated.
- Domain name protection depends on the DNS server you configure. The default DNS server may be unable to resolve all of a domain's IP addresses. You are advised to configure DNS resolution if the domain names of your services need to be accessed.
- Predefined address groups can be configured only for the source addresses in inbound rules (whose Direction is set to Inbound).
- If NAT64 protection is enabled and IPv6 access is used, allow traffic from the 198.19.0.0/16 CIDR block to pass through. NAT64 translates source IP addresses into the 198.19.0.0/16 CIDR block before ACL access control is applied, so rules that only match the original IPv6 sources will not see that traffic.
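The per-rule and per-rule-set limits above are easy to violate when rules are generated from inventory or imported in batches, and the NAT64 caveat is easy to forget. The following added example (not CFW's own code or API; the Rule field names and the "predefined:" group-name prefix are assumptions made for illustration) lints a rule set against the documented limits and checks whether any allow rule admits the 198.19.0.0/16 block that NAT64 substitutes as the source address.

```python
"""Lint CFW-style protection rules against the limits listed on this page.

Added example; the Rule layout below is an assumed representation, not the
format CFW uses for import/export. Constants mirror the documented limits.
"""
import ipaddress
from dataclasses import dataclass, field

MAX_RULES = 20_000                 # up to 20,000 protection rules
MAX_IPS_PER_SIDE = 20              # 20 source and 20 destination IP addresses per rule
MAX_ADDRESS_GROUPS_PER_SIDE = 2    # two source and two destination address groups per rule
MAX_SERVICE_GROUPS = 5             # five service groups per rule
NAT64_SOURCE_CIDR = ipaddress.ip_network("198.19.0.0/16")  # NAT64 translated source block
PREDEFINED_PREFIX = "predefined:"  # assumption: predefined address groups carry this prefix


@dataclass
class Rule:
    name: str
    direction: str                       # "inbound" or "outbound"
    action: str                          # "allow" or "block"
    source_ips: list = field(default_factory=list)
    dest_ips: list = field(default_factory=list)
    source_groups: list = field(default_factory=list)
    dest_groups: list = field(default_factory=list)
    service_groups: list = field(default_factory=list)


def _network(addr):
    """Parse an IP address or CIDR; return None when it is not valid."""
    try:
        return ipaddress.ip_network(addr, strict=False)
    except ValueError:
        return None


def lint_rule(rule):
    """Return a list of human-readable problems for one rule (empty if it is within limits)."""
    problems = []
    for side, addrs in (("source", rule.source_ips), ("destination", rule.dest_ips)):
        if len(addrs) > MAX_IPS_PER_SIDE:
            problems.append(f"{rule.name}: {len(addrs)} {side} IPs exceed the limit of {MAX_IPS_PER_SIDE}")
        for a in addrs:
            if _network(a) is None:
                problems.append(f"{rule.name}: invalid {side} address {a!r}")
    for side, groups in (("source", rule.source_groups), ("destination", rule.dest_groups)):
        if len(groups) > MAX_ADDRESS_GROUPS_PER_SIDE:
            problems.append(f"{rule.name}: {len(groups)} {side} address groups exceed the limit of "
                            f"{MAX_ADDRESS_GROUPS_PER_SIDE}")
        # Predefined address groups are only valid as the source of an inbound rule.
        if any(g.startswith(PREDEFINED_PREFIX) for g in groups):
            if not (side == "source" and rule.direction == "inbound"):
                problems.append(f"{rule.name}: predefined address group used as {side} "
                                f"of an {rule.direction} rule")
    if len(rule.service_groups) > MAX_SERVICE_GROUPS:
        problems.append(f"{rule.name}: {len(rule.service_groups)} service groups exceed the limit of "
                        f"{MAX_SERVICE_GROUPS}")
    return problems


def lint_ruleset(rules):
    """Lint every rule plus the rule-set size limit; returns the combined problem list."""
    problems = []
    if len(rules) > MAX_RULES:
        problems.append(f"rule set has {len(rules)} rules, exceeding the limit of {MAX_RULES}")
    for rule in rules:
        problems.extend(lint_rule(rule))
    return problems


def nat64_cidr_allowed(rules):
    """True if some allow rule's source covers the entire 198.19.0.0/16 NAT64 block."""
    for rule in rules:
        if rule.action != "allow":
            continue
        for a in rule.source_ips:
            net = _network(a)
            # subnet_of() only compares networks of the same IP version.
            if net is not None and net.version == 4 and NAT64_SOURCE_CIDR.subnet_of(net):
                return True
    return False


# Constructed sample rule set: two compliant rules, two that break the documented limits.
SAMPLE_RULES = [
    Rule("allow-nat64", "inbound", "allow", source_ips=["198.19.0.0/16"]),
    Rule("allow-web", "inbound", "allow", source_groups=["predefined:cloud-scanners"],
         dest_ips=["10.0.1.10"], service_groups=["web"]),
    Rule("too-many-sources", "outbound", "allow",
         source_ips=[f"10.1.{i}.0/24" for i in range(21)]),
    Rule("predefined-on-outbound", "outbound", "block",
         dest_groups=["predefined:cloud-scanners"]),
]

if __name__ == "__main__":
    for problem in lint_ruleset(SAMPLE_RULES):
        print("PROBLEM:", problem)
    print("NAT64 block allowed:", nat64_cidr_allowed(SAMPLE_RULES))
```

Run the linter over an exported rule set before importing it in batches; the NAT64 check only reports whether the translated source block is admitted somewhere, so pair it with a review of which destinations and services that allow rule actually exposes.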
Related Operations
For details about how to add protection rules in batches, see Importing and Exporting Protection Policies.