Updated on 2025-07-23 GMT+08:00

Managing Service Groups

Scenario

A service group is a collection of services (protocols, source ports, and destination ports). You can reference a service group in an access rule to implement unified traffic control for that group. Updates to a service group are automatically synchronized to all policies that reference it. This helps you quickly modify policies and avoid repeated configuration, improving O&M efficiency.

Constraints

  • For adding a user-defined service group and services:
    • A service group can have up to 64 services.
    • A firewall instance can have up to 512 service groups.
    • A firewall instance can have up to 900 services.
  • Predefined service groups are view-only. You cannot add services to them, or modify or delete them.
  • The service group referenced by a protection rule cannot be deleted. Modify or delete the rule first.

Adding a User-defined Service Group

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation pane on the left, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
  4. (Optional) Switch to another firewall instance. Select a firewall from the drop-down list in the upper left corner of the page.
  5. In the navigation pane, choose Access Control > Object Groups. Click the Service Groups tab.
  6. On the User-defined Service Groups sub-tab, click Add Service Group. On the Add Service Group page, enter the service group information.

    Table 1 Service group parameters

    | Parameter | Description |
    |---|---|
    | Service Group Name | Name of a service group |
    | Services | Protocol: Select a protocol from TCP, UDP, and ICMP. Source Port: Set the source port to be allowed or blocked. You can configure a single port or a range of consecutive ports (example: 80-443). Destination Port: Set the destination port to be allowed or blocked. You can configure a single port or a range of consecutive ports (example: 80-443). Description: Usage and application scenario of the service group |
    | Description | Usage and application scenario |

  7. Confirm the information and click OK.

    A service group takes effect only after it is set in a protection rule. For more information, see Configuring Protection Rules to Block or Allow Internet Border Traffic.

Adding a Service to a User-defined Service Group

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation pane on the left, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
  4. (Optional) Switch to another firewall instance. Select a firewall from the drop-down list in the upper left corner of the page.
  5. In the navigation pane, choose Access Control > Object Groups. Click the Service Groups tab.
  6. On the User-defined Service Groups sub-tab, click the name of a service group. The service group details page is displayed.
  7. Click Add Service. On the page that is displayed, enter the service information.

    Table 2 Adding a service

    | Parameter | Description | Example Value |
    |---|---|---|
    | Protocol | Its value can be TCP, UDP, or ICMP. | TCP |
    | Source Port | Source ports to be allowed or blocked. You can configure a single port or a range of consecutive ports (example: 80-443). If Protocol is set to ICMP, you do not need to specify any port number. | 80 |
    | Destination Port | Destination ports to be allowed or blocked. You can configure a single port or a range of consecutive ports (example: 80-443). If Protocol is set to ICMP, you do not need to specify any port number. | 80 |
    | Description | Usage and application scenario | - |

  8. To add multiple services, click Add.
  9. Confirm the information and click OK.
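
A planned set of service groups can be checked against the limits and port formats on this page before it is entered in the console. The following is an added example, not code from CFW or its documentation; the dictionary layout, the field names `source_port` and `destination_port`, the 1-65535 port bounds, and the requirement that ranges be ascending are assumptions.

```python
import re

# Limits quoted from the Constraints section of this page.
MAX_SERVICES_PER_GROUP = 64
MAX_GROUPS_PER_INSTANCE = 512
MAX_SERVICES_PER_INSTANCE = 900
PORT_RE = re.compile(r"(\d{1,5})(?:-(\d{1,5}))?")

def check_port(value):
    """Return an error string or None. Assumes ports 1-65535 and ascending ranges."""
    m = PORT_RE.fullmatch(str(value or ""))
    if not m:
        return f"'{value}' is not a single port or a range like 80-443"
    low, high = int(m.group(1)), int(m.group(2) or m.group(1))
    if not (1 <= low <= high <= 65535):
        return f"'{value}' is outside 1-65535 or not ascending"
    return None

def validate_plan(groups):
    """groups: {group_name: [service dict, ...]}. Returns a list of findings."""
    findings = []
    if len(groups) > MAX_GROUPS_PER_INSTANCE:
        findings.append(f"{len(groups)} groups exceeds {MAX_GROUPS_PER_INSTANCE}")
    total = sum(len(s) for s in groups.values())
    if total > MAX_SERVICES_PER_INSTANCE:
        findings.append(f"{total} services exceeds {MAX_SERVICES_PER_INSTANCE}")
    for name, services in groups.items():
        if len(services) > MAX_SERVICES_PER_GROUP:
            findings.append(f"{name}: {len(services)} services exceeds {MAX_SERVICES_PER_GROUP}")
        for i, svc in enumerate(services, 1):
            proto = str(svc.get("protocol", "")).upper()
            if proto not in ("TCP", "UDP", "ICMP"):
                findings.append(f"{name}#{i}: protocol must be TCP, UDP, or ICMP")
                continue
            # The page says ICMP needs no port numbers, so skip port checks.
            for field in () if proto == "ICMP" else ("source_port", "destination_port"):
                err = check_port(svc.get(field))
                if err:
                    findings.append(f"{name}#{i}: {field} {err}")
    return findings

# Constructed sample plan (not from the page); the third service has a reversed range.
SAMPLE = {"web-frontend": [
    {"protocol": "TCP", "source_port": "1-65535", "destination_port": "80-443"},
    {"protocol": "ICMP"},
    {"protocol": "UDP", "source_port": "1-65535", "destination_port": "443-80"},
]}

print("\n".join(validate_plan(SAMPLE)))
```

Note that a range such as 80-443 covers every port from 80 through 443, not only those two ports.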

Viewing a Predefined Service Group

CFW provides predefined service groups, including Web Service, Database, and Remote Login and Ping, suitable for protecting web services, databases, and servers, respectively.

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation pane on the left, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
  4. (Optional) Switch to another firewall instance. Select a firewall from the drop-down list in the upper left corner of the page.
  5. In the navigation pane, choose Access Control > Object Groups. Click the Service Groups tab.
  6. Click the Pre-defined Service Groups sub-tab and click the name of a service group. On the details page that is displayed, view the service group information.

Deleting a User-defined Service Group

Deleted service groups cannot be restored. Exercise caution when performing this operation.

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation pane on the left, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
  4. (Optional) Switch to another firewall instance. Select a firewall from the drop-down list in the upper left corner of the page.
  5. In the navigation pane, choose Access Control > Object Groups. Click the Service Groups tab.
  6. On the User-defined Service Groups tab page, click Delete in the Operation column of a service group.
  7. In the displayed dialog box, confirm the information, enter DELETE, and click OK.

Related Operations

  • Exporting service groups: Click Export above the list and select a data range.
  • Batch deleting services: On the service group details page, select services, click Delete above the list, confirm the information, and click OK.