Updated on 2024-11-04 GMT+08:00

Adding Protection Rules to Block or Allow Traffic

After protection is enabled, CFW allows all traffic by default. You can configure protection rules to block or allow traffic.

You can configure protection rules in the following scenarios:
If the traffic originates from a WAF back-to-source IP address, you are advised to configure a protection rule or a whitelist entry to allow it. Exercise caution when configuring a protection rule that blocks such access, as this may affect your services.

Prerequisites

EIP protection must be enabled for Internet border traffic protection (EIP protection). For details, see Enabling Internet Border Traffic Protection.

Specification Limitations

To enable VPC border protection and NAT (private IP address) protection, use the CFW professional edition and enable VPC firewall protection. For details, see VPC Border Firewall.

Constraints

  • CFW does not support application-level gateways (ALGs). An ALG can analyze the fields in application-layer payloads and dynamically adjust policies for multi-channel protocols (such as FTP and SIP) whose payloads carry port numbers and IP addresses. CFW, however, only supports static port policies. To allow multi-channel protocol communication, you are advised to configure a rule that allows traffic on all ports.
  • To use CFW persistent connections, enable a bidirectional bypass policy. If you only enable a unidirectional policy, the client will need to re-initiate connections in certain scenarios, such as enabling or disabling protection, and expanding engine capacities. You can also create a service ticket to evaluate the risks of related issues.
  • Up to 20,000 protection rules can be added.
  • The restrictions on a single protection rule are as follows:
    • A maximum of 20 source IP addresses and 20 destination IP addresses can be added.
    • A maximum of two source IP address groups and two destination IP address groups can be associated.
    • A maximum of five service groups can be associated.
  • Domain name protection depends on the DNS server you configure. The default DNS server may be unable to resolve all of a domain's IP addresses. You are advised to configure DNS resolution if your services need to be accessed by domain name.
  • Predefined address groups can be configured only for the source addresses in inbound rules (whose Direction is set to Inbound).
  • If NAT64 protection is enabled and IPv6 access is used, allow traffic from the 198.19.0.0/16 CIDR block to pass through. NAT64 translates source IP addresses into the 198.19.0.0/16 CIDR block for ACL access control, so an IPv6 client that is not allowed from that block will be dropped.
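As an added example (not Huawei Cloud's own tooling; the rule dictionary keys are an assumed schema, not the CFW API), the following pre-import check flags rule definitions that exceed the per-rule and per-policy limits listed above, rejects predefined address groups outside inbound source positions, and verifies that an allow rule covers the NAT64 block when NAT64 with IPv6 is in use:

```python
import ipaddress
# Limits taken from the Constraints section above.
MAX_RULES, MAX_ADDRS, MAX_ADDR_GROUPS, MAX_SERVICE_GROUPS = 20000, 20, 2, 5
NAT64_CIDR = ipaddress.ip_network("198.19.0.0/16")  # NAT64 source translation block

def validate_rule(rule):
    """Return the per-rule constraint violations for one rule dict (assumed key names)."""
    problems = []
    for side in ("source", "destination"):
        if len(rule.get(f"{side}_addresses", [])) > MAX_ADDRS:
            problems.append(f"more than {MAX_ADDRS} {side} IP addresses")
        if len(rule.get(f"{side}_address_groups", [])) > MAX_ADDR_GROUPS:
            problems.append(f"more than {MAX_ADDR_GROUPS} {side} address groups")
    if len(rule.get("service_groups", [])) > MAX_SERVICE_GROUPS:
        problems.append(f"more than {MAX_SERVICE_GROUPS} service groups")
    if rule.get("source_predefined_groups") and rule.get("direction") != "inbound":
        problems.append("predefined address groups are only valid as the source of inbound rules")
    return problems

def covers_nat64(rules):
    """True if some allow rule has a source entry containing all of 198.19.0.0/16."""
    for rule in rules:
        if rule.get("action") != "allow":
            continue
        for addr in rule.get("source_addresses", []):
            try:
                net = ipaddress.ip_network(addr, strict=False)
            except ValueError:  # domain names or group references are not CIDRs
                continue
            if net.version == 4 and NAT64_CIDR.subnet_of(net):
                return True
    return False

def validate_policy(rules, nat64_ipv6=False):
    """Map each offending rule index to its violations; 'policy' holds set-wide issues."""
    report = {i: p for i, r in enumerate(rules) if (p := validate_rule(r))}
    report["policy"] = []
    if len(rules) > MAX_RULES:
        report["policy"].append(f"{len(rules)} rules exceed the limit of {MAX_RULES}")
    if nat64_ipv6 and not covers_nat64(rules):
        report["policy"].append("NAT64 with IPv6 enabled but no allow rule covers 198.19.0.0/16")
    return report

# Constructed sample rules using documentation addresses (RFC 5737), not real services.
SAMPLE_RULES = [
    {"name": "allow-waf-back-to-source", "direction": "inbound", "action": "allow", "source_addresses": ["192.0.2.10", "192.0.2.11"], "destination_addresses": ["203.0.113.5"]},
    {"name": "too-many-sources", "direction": "inbound", "action": "block", "source_addresses": [f"198.51.100.{i}" for i in range(25)]},
    {"name": "predefined-group-outbound", "direction": "outbound", "action": "block", "source_predefined_groups": ["PLACEHOLDER_PREDEFINED_GROUP"]},
]
NAT64_ALLOW = {"name": "allow-nat64", "direction": "inbound", "action": "allow", "source_addresses": ["198.19.0.0/16"]}
```

Run `validate_policy(SAMPLE_RULES, nat64_ipv6=True)` before a batch import to see which entries would be rejected; appending `NAT64_ALLOW` clears the policy-level NAT64 finding.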

Related Operations

For details about how to add protection rules in batches, see Importing and Exporting Protection Policies.