Updated on 2024-11-04 GMT+08:00

Importing and Exporting Protection Policies

You can import and export protection rules, blacklist/whitelist items, IP address groups, domain name groups, and service groups in batches.

Specification Limitations

Importing and exporting VPC border protection policies requires the Professional edition.

Importing Protection Rules in Batches

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation pane on the left, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
  4. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click View in the Operation column of a firewall to go to its details page.
  5. In the navigation pane, choose Access Control > Access Policies.
  6. Click Download Center on the upper right corner of the list.
  7. Click Download Template to download the rule import template to the local host.
  8. Configure protection policy information as required.

  9. After filling in the template, click Import Rule to import the template.

    • Rule import takes several minutes.
    • During rule import, you cannot add, edit, or delete access policies, IP address groups, or service groups.
    • Imported policies have lower priority than the policies that already exist: they are placed after the existing rules. An imported Block rule therefore does not take precedence over an existing Allow rule that matches the same traffic, so check where the imported rules sit in the list after the import finishes.

  10. Click Download Center to view the status of the rule import task. If the Status is Imported, the import succeeded.
  11. Return to the protection rule list to view the imported protection rule.

Exporting Protection Rules in Batches

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation pane on the left, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
  4. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click View in the Operation column of a firewall to go to its details page.
  5. In the navigation pane, choose Access Control > Access Policies.
  6. Click Download Center on the upper right corner of the list.
  7. Click Export Rule to export rules to a local PC.

Table 1 Internet border protection rule table parameters

Parameter

Description

Example Value

Order

Order number of a rule.

1

Acl Name

Name of the rule.

The name can contain up to 255 characters, including letters, numbers, underscores (_), hyphens (-), and spaces.

test

Protection Rule

Protection type of a security policy.
  • EIP protection: Protect EIP traffic. Only EIPs can be configured.
  • NAT protection: Protect NAT traffic. Private IP addresses can be configured.

EIP protection

Direction

Direction of protected traffic.

  • Inbound: Traffic from external networks to the internal server.
  • Outbound: Traffic from the customer server to external networks.

Outbound

Action Type

Allow or Block. It specifies the action taken by the firewall to process traffic.

Allow

ACL Address Type

Type of IP address to be protected. Select IPv4.

IPv4

Status

Whether a policy is enabled.

  • Enabled: The rule is in effect.
  • Disabled: The rule is not in effect.

Enabled

Description

Rule description

test

Source Address Type

Source address type of data packets in the access traffic.

  • IP Address. You can configure a single IP address, consecutive IP addresses, or an IP address segment.
  • IP Address Group. You can configure multiple IP addresses.
  • Region: Protection can be performed by region.

IP Address

Source Address

If Source Address Type is set to IP Address, you need to configure this parameter.

The following input formats are supported:

  • A single IP address, for example, 192.168.10.5
  • Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10
  • A single address segment, for example, 192.168.2.0/24
NOTE:

To specify multiple IP addresses or IP address segments, configure multiple rules. Specify different IP addresses (segments) in these rules but use the same settings for other parameters.

192.168.10.5

Source Address Group Name

If Source Address Type is set to IP Address Group, you must configure this parameter.

The following input formats are supported:
  • The value can contain letters, digits, underscores (_), hyphens (-), or spaces.
  • The name can contain up to 255 characters.

s_test

Source Continent Region

If Source Address Type is set to Region, you need to configure Source Continent Region.

Enter continent information based on the continent-region-info sheet.

AS: Asia

Source Country Region

If Source Address Type is set to Region, you need to configure Source Country Region.

Enter country and region information based on the country-region-info sheet.

CN: Chinese mainland

Destination Address Type

Destination address type of data packets in the access traffic.
  • IP Address. You can configure a single IP address, consecutive IP addresses, or an IP address segment.
  • IP Address Group. You can configure multiple IP addresses.
  • Domain name: A domain name consists of letters separated by dots (.). It is a human readable address that maps to the machine readable IP address of your server.
  • Domain name group. You can set a collection of domain names.
  • Region: Protection can be performed by region.

IP Address Group

Destination Address

If Destination Address Type is set to IP Address, you must configure this parameter.

It can be:

  • A single IP address, for example, 192.168.10.5
  • Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10
  • A single address segment, for example, 192.168.2.0/24
NOTE:

To specify multiple IP addresses or IP address segments, configure multiple rules. Specify different IP addresses (segments) in these rules but use the same settings for other parameters.

192.168.10.6

Destination Address Group Name

If Destination Address Type is set to IP Address Group, you must configure this parameter.

The following input formats are supported:
  • The value can contain letters, digits, underscores (_), hyphens (-), or spaces.
  • The name can contain up to 255 characters.

d_test

Destination Continent Region

If Destination Address Type is set to Region, you need to set Destination Continent Region.

Enter continent information based on the continent-region-info sheet.

AS: Asia

Destination Country Region

If Destination Address Type is set to Region, you need to set Destination Country Region.

Enter country and region information based on the country-region-info sheet.

CN: Chinese mainland

Domain Name

If Destination Address Type is set to Domain Name, you must configure this parameter.

The domain name is used by visitors to access your website. A domain name consists of letters separated by dots (.). It is a human readable address that maps to the machine readable IP address of your server.

www.example.com

Destination Domain Group Name

If Destination Address Type is set to Domain name group, you need to configure Destination Domain Group Name.

Enter a domain group name.

Domain group 1

Service Type

Service type. It can be:

  • Service. You can configure a single service.
  • Service Group. You can configure multiple services.

Service

Protocol/Source Port/Destination Port

Protocol and ports to be put under access control, written as three values separated by slashes.

  • Protocol: TCP, UDP, ICMP, or Any.
  • Source ports to be allowed or blocked. You can configure a single port or a consecutive port range (example: 80-443).
  • Destination ports to be allowed or blocked. You can configure a single port or a consecutive port range (example: 80-443).

A rule matches only packets whose source port falls within the configured source port range. Clients normally connect from an ephemeral source port, so a rule that should match ordinary HTTPS access needs a wide source port range (for example, 1-65535) with destination port 443, rather than 443 on both sides.

TCP/443/443

Service Group Name

Service group name.

The name can contain up to 255 characters, including letters, numbers, underscores (_), hyphens (-), and spaces.

service_test

Group Tag

Tags are used to identify rules. You can use tags to classify and search for security policies.

k=a
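The import procedure above and the Table 1 parameters together define what a valid template row looks like, and the NOTE under Source Address means one policy covering several addresses must be split into several rows. The following is an added example (not Huawei Cloud tooling) that builds those rows, validates them against the Table 1 constraints before you upload, and checks the Export Rule output afterwards for the priority behaviour described in the import notes. Assumptions are marked in the code: the template is treated as a CSV whose header row uses the Table 1 parameter names (the real downloaded template may be a spreadsheet with different headers and more columns), ports are checked only for TCP and UDP, and a lower Order number is taken to mean higher priority. The sample policy and the exported rows are constructed for the example.

```python
"""Build, validate and expand rows for the CFW rule-import template.

Added example for this page, not Huawei Cloud's own tooling. Assumptions:
the template is handled as CSV with the Table 1 parameter names as headers,
and a lower Order number means higher priority.
"""
import csv
import io
import ipaddress
import re

# Column order follows Table 1; the real template's header text may differ (assumption).
COLUMNS = [
    "Order", "Acl Name", "Protection Rule", "Direction", "Action Type",
    "ACL Address Type", "Status", "Description", "Source Address Type",
    "Source Address", "Destination Address Type", "Destination Address",
    "Destination Address Group Name", "Service Type",
    "Protocol/Source Port/Destination Port", "Group Tag",
]
NAME_RE = re.compile(r"^[A-Za-z0-9_\- ]{1,255}$")  # letters, digits, _, -, space; max 255
PROTOCOLS = {"TCP", "UDP", "ICMP", "Any"}


def valid_address(value: str) -> bool:
    """Accept the three address forms from Table 1: a single IPv4 address,
    'start-end' consecutive addresses, or a CIDR block with no host bits set."""
    try:
        if "-" in value:
            lo, hi = (ipaddress.IPv4Address(p.strip()) for p in value.split("-", 1))
            return lo <= hi
        if "/" in value:
            ipaddress.IPv4Network(value, strict=True)  # host bits set -> ValueError
            return True
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def valid_port_spec(spec: str) -> bool:
    """A single port or a consecutive range such as 80-443, within 1-65535."""
    if not re.fullmatch(r"\d{1,5}(-\d{1,5})?", spec):
        return False
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    return 1 <= lo <= hi <= 65535


def valid_service(spec: str) -> bool:
    """'Protocol/SourcePort/DestinationPort', e.g. TCP/1-65535/443.
    Ports are validated only for TCP and UDP (assumption: ICMP/Any carry none)."""
    parts = spec.split("/")
    if len(parts) != 3 or parts[0] not in PROTOCOLS:
        return False
    if parts[0] in ("TCP", "UDP"):
        return valid_port_spec(parts[1]) and valid_port_spec(parts[2])
    return True


def validate_row(row: dict) -> list:
    """Return the problems found in one template row; an empty list means it is fine."""
    errors = []
    if not NAME_RE.match(row.get("Acl Name", "")):
        errors.append("Acl Name: 1-255 chars of letters, digits, _, - or space")
    if row.get("Action Type") not in ("Allow", "Block"):
        errors.append("Action Type must be Allow or Block")
    if row.get("Direction") not in ("Inbound", "Outbound"):
        errors.append("Direction must be Inbound or Outbound")
    if row.get("Status") not in ("Enabled", "Disabled"):
        errors.append("Status must be Enabled or Disabled")
    for side in ("Source", "Destination"):
        if row.get(f"{side} Address Type") == "IP Address" and not valid_address(row.get(f"{side} Address", "")):
            errors.append(f"{side} Address: single IP, start-end range or CIDR required")
    if row.get("Service Type") == "Service" and not valid_service(row.get("Protocol/Source Port/Destination Port", "")):
        errors.append("Protocol/Source Port/Destination Port malformed")
    return errors


def expand_rule(base: dict, source_addresses: list, first_order: int) -> list:
    """One Source Address per row: a policy for several addresses becomes several
    rows that differ only in Order and Source Address (the NOTE in Table 1)."""
    return [dict(base, Order=first_order + i, **{"Source Address": addr})
            for i, addr in enumerate(source_addresses)]


def to_csv(rows: list) -> str:
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def imported_below_existing(exported_rows: list, imported_names: set) -> bool:
    """Check Export Rule output: every imported rule should sit after all
    pre-existing rules, i.e. have lower priority (assumption: lower Order = first)."""
    existing = [int(r["Order"]) for r in exported_rows if r["Acl Name"] not in imported_names]
    imported = [int(r["Order"]) for r in exported_rows if r["Acl Name"] in imported_names]
    return not existing or not imported or max(existing) < min(imported)


# Constructed sample: outbound HTTPS from three admin address sets to an IP address group.
BASE = {
    "Acl Name": "allow_admin_https", "Protection Rule": "EIP protection",
    "Direction": "Outbound", "Action Type": "Allow", "ACL Address Type": "IPv4",
    "Status": "Enabled", "Description": "example", "Source Address Type": "IP Address",
    "Destination Address Type": "IP Address Group", "Destination Address": "",
    "Destination Address Group Name": "d_test", "Service Type": "Service",
    "Protocol/Source Port/Destination Port": "TCP/1-65535/443", "Group Tag": "k=a",
}
ROWS = expand_rule(BASE, ["192.168.10.5", "192.168.0.2-192.168.0.10", "192.168.2.0/24"], first_order=1)

if __name__ == "__main__":
    for r in ROWS:
        print(r["Order"], r["Source Address"], validate_row(r) or "ok")
    print(to_csv(ROWS))
```

Run `validate_row` over every row before clicking Import Rule: a malformed address or port spec is cheaper to catch locally than after a multi-minute import during which the policy list is locked. After the import completes, feed the Export Rule output (read with `csv.DictReader`, or converted from the spreadsheet) to `imported_below_existing` to confirm the new rules landed where the notes say they will.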

Table 2 VPC border protection rule table parameters

Parameter

Description

Example Value

Order

Order number of a rule.

1

Acl Name

Name of the rule.

The name can contain up to 255 characters, including letters, numbers, underscores (_), hyphens (-), and spaces.

test

Action Type

Allow or Block. It specifies the action taken by the firewall to process traffic.

Allow

Status

Whether a policy is enabled.

  • Enabled: The rule is in effect.
  • Disabled: The rule is not in effect.

Enabled

Description

Rule description

test

Source Address Type

Source address type of data packets in the access traffic.

  • IP Address. You can configure a single IP address, consecutive IP addresses, or an IP address segment.
  • IP Address Group. You can configure multiple IP addresses.

IP Address

Source Address

If Source Address Type is set to IP Address, you need to configure this parameter.

The following input formats are supported:

  • A single IP address, for example, 192.168.10.5
  • Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10
  • A single address segment, for example, 192.168.2.0/24
NOTE:

To specify multiple IP addresses or IP address segments, configure multiple rules. Specify different IP addresses (segments) in these rules but use the same settings for other parameters.

192.168.10.5

Source Address Group Name

If Source Address Type is set to IP Address Group, you must configure this parameter.

The following input formats are supported:
  • The value can contain letters, digits, underscores (_), hyphens (-), or spaces.
  • The name can contain up to 255 characters.

s_test

Destination Address Type

Destination address type of data packets in the access traffic.
  • IP Address. You can configure a single IP address, consecutive IP addresses, or an IP address segment.
  • IP Address Group. You can configure multiple IP addresses.

IP Address Group

Destination Address

If Destination Address Type is set to IP Address, you must configure this parameter.

It can be:

  • A single IP address, for example, 192.168.10.5
  • Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10
  • A single address segment, for example, 192.168.2.0/24
NOTE:

To specify multiple IP addresses or IP address segments, configure multiple rules. Specify different IP addresses (segments) in these rules but use the same settings for other parameters.

192.168.10.6

Destination Address Group Name

If Destination Address Type is set to IP Address Group, you must configure this parameter.

The following input formats are supported:
  • The value can contain letters, digits, underscores (_), hyphens (-), or spaces.
  • The name can contain up to 255 characters.

d_test

Service Type

Service type. It can be:

  • Service. You can configure a single service.
  • Service Group. You can configure multiple services.

Service

Protocol/Source Port/Destination Port

Protocol and ports to be put under access control, written as three values separated by slashes.

  • Protocol: TCP, UDP, ICMP, or Any.
  • Source ports to be allowed or blocked. You can configure a single port or a consecutive port range (example: 80-443).
  • Destination ports to be allowed or blocked. You can configure a single port or a consecutive port range (example: 80-443).

A rule matches only packets whose source port falls within the configured source port range. Clients normally connect from an ephemeral source port, so a rule that should match ordinary HTTPS access needs a wide source port range (for example, 1-65535) with destination port 443, rather than 443 on both sides.

TCP/443/443

Service Group Name

Service group name.

The name can contain up to 255 characters, including letters, numbers, underscores (_), hyphens (-), and spaces.

service_test

Group Tag

Tags are used to identify rules. You can use tags to classify and search for security policies.

k=a