Importing and Exporting Protection Policies
You can add and export protection rules, blacklist/whitelist items, IP address groups, domain name groups, and service groups in batches.
Specification Limitations
To import and export VPC border protection policies, use the Professional edition.
Importing Protection Rules in Batches
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- In the navigation pane on the left, click and choose . The Dashboard page will be displayed.
- (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click View in the Operation column of a firewall to go to its details page.
- In the navigation pane, choose .
- Click Download Center in the upper right corner of the list.
- Click Download Template to download the rule import template to the local host.
- Configure protection policy information as required.
  - Protection rule parameters:
    - For details about Internet border protection rule parameters, see Parameters of Rule Import Template - Rule-Acl-Table (Internet Border Protection Rules).
    - For details about VPC border protection rule parameters, see Parameters of Rule Import Template - Vpc-Rule-Acl-Table (VPC Border Protection Rule).
  - For details about the blacklist and whitelist parameters, see Adding Blacklist or Whitelist Items to Block or Allow Traffic.
  - For details about IP address group parameters, see Adding User-defined IP Addresses and Address Groups.
  - For details about service group parameters, see Adding a User-defined Service Group.
  - For details about domain name group parameters, see Domain Name Management.
  - A maximum of 640 rules and members can be imported at a time on each tab page.
  - Do not change the template file format, or it may fail to be imported.
- After filling in the template, click Import Rule to import the template.
  - Rule import takes several minutes.
  - During rule import, you cannot add, edit, or delete access policies, IP address groups, and service groups.
  - The priority of the imported policies is lower than that of the created policies.
- Click Download Center to view the status of the rule import task. If the Status is Imported, the import succeeded.
- Return to the protection rule list to view the imported protection rule.
Exporting Protection Rules in Batches
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- In the navigation pane on the left, click and choose . The Dashboard page will be displayed.
- (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click View in the Operation column of a firewall to go to its details page.
- In the navigation pane, choose .
- Click Download Center in the upper right corner of the list.
- Click Export Rule to export rules to a local PC.

Parameter | Description | Example Value |
---|---|---|
Order | Order number of a rule. | 1 |
Acl Name | Name of the rule. The name can contain up to 255 characters, including letters, numbers, underscores (_), hyphens (-), and spaces. | test |
Protection Rule | Protection type of a security policy. | EIP protection |
Direction | Direction of protected traffic. | Outbound |
Action Type | Allow or Block. It specifies the action taken by the firewall to process traffic. | Allow |
ACL Address Type | Select IPv4. It is the type of IP addresses to be protected. | IPv4 |
Status | Whether a policy is enabled. | Enabled |
Description | Rule description | test |
Source Address Type | Source address type of data packets in the access traffic. | IP Address |
Source Address | If Source Address Type is set to IP Address, you need to configure this parameter. The following input formats are supported: NOTE: To specify multiple IP addresses or IP address segments, configure multiple rules. Specify different IP addresses (segments) in these rules but use the same settings for other parameters. | 192.168.10.5 |
Source Address Group Name | If Source Address Type is set to IP Address Group, you must configure this parameter. The following input formats are supported: | s_test |
Source Continent Region | If Source Address Type is set to Region, you need to configure Source Continent Region. Enter continent information based on the continent-region-info sheet. | AS: Asia |
Source Country Region | If Source Address Type is set to Region, you need to configure Source Country Region. Enter country and region information based on the country-region-info sheet. | CN: Chinese mainland |
Destination Address Type | Destination address type of data packets in the access traffic. | IP Address Group |
Destination Address | If Destination Address Type is set to IP Address, you must configure this parameter. It can be: NOTE: To specify multiple IP addresses or IP address segments, configure multiple rules. Specify different IP addresses (segments) in these rules but use the same settings for other parameters. | 192.168.10.6 |
Destination Address Group Name | If Destination Address Type is set to IP Address Group, you must configure this parameter. The following input formats are supported: | d_test |
Destination Continent Region | If Destination Address Type is set to Region, you need to set Destination Continent Region. Enter continent information based on the continent-region-info sheet. | AS: Asia |
Destination Country Region | If Destination Address Type is set to Region, you need to set Destination Country Region. Enter country and region information based on the country-region-info sheet. | CN: Chinese mainland |
Domain Name | If Destination Address Type is set to Domain Name, you must configure this parameter. The domain name is used by visitors to access your website. A domain name consists of letters separated by dots (.). It is a human readable address that maps to the machine readable IP address of your server. | www.example.com |
Destination Domain Group Name | If Destination Address Type is set to Domain Group Name, you need to configure Destination Domain Group Name. Enter a domain group name. | Domain group 1 |
Service Type | Service type. It can be: | Service |
Protocol/Source Port/Destination Port | Type to be put under access control. | TCP/443/443 |
Service Group Name | Service group name. The name can contain up to 255 characters, including letters, numbers, underscores (_), hyphens (-), and spaces. | service_test |
Group Tag | Tags are used to identify rules. You can use tags to classify and search for security policies. | k=a |

Parameter | Description | Example Value |
---|---|---|
Order | Order number of a rule. | 1 |
Acl Name | Name of the rule. The name can contain up to 255 characters, including letters, numbers, underscores (_), hyphens (-), and spaces. | test |
Action Type | Allow or Block. It specifies the action taken by the firewall to process traffic. | Allow |
Status | Whether a policy is enabled. | Enabled |
Description | Rule description | test |
Source Address Type | Source address type of data packets in the access traffic. | IP Address |
Source Address | If Source Address Type is set to IP Address, you need to configure this parameter. The following input formats are supported: NOTE: To specify multiple IP addresses or IP address segments, configure multiple rules. Specify different IP addresses (segments) in these rules but use the same settings for other parameters. | 192.168.10.5 |
Source Address Group Name | If Source Address Type is set to IP Address Group, you must configure this parameter. The following input formats are supported: | s_test |
Destination Address Type | Destination address type of data packets in the access traffic. | IP Address Group |
Destination Address | If Destination Address Type is set to IP Address, you must configure this parameter. It can be: NOTE: To specify multiple IP addresses or IP address segments, configure multiple rules. Specify different IP addresses (segments) in these rules but use the same settings for other parameters. | 192.168.10.6 |
Destination Address Group Name | If Destination Address Type is set to IP Address Group, you must configure this parameter. The following input formats are supported: | d_test |
Service Type | Service type. It can be: | Service |
Protocol/Source Port/Destination Port | Type to be put under access control. | TCP/443/443 |
Service Group Name | Service group name. The name can contain up to 255 characters, including letters, numbers, underscores (_), hyphens (-), and spaces. | service_test |
Group Tag | Tags are used to identify rules. You can use tags to classify and search for security policies. | k=a |
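
A pre-import check for a filled-in rule sheet, applying the constraints stated above (640 rows per tab, the Acl Name character set, Allow/Block, the columns each address type requires, one address per rule). This is an added example, not part of the product or its documentation; it assumes the sheet rows have already been loaded into dictionaries keyed by the template column names, treats an empty Acl Name as invalid, and the names `cell`, `check_row` and `check_sheet` are hypothetical.

```python
import re

MAX_ROWS_PER_TAB = 640                   # per-tab import limit stated on the page
NAME_RE = re.compile(r"[\w\- ]{1,255}")  # letters, numbers, "_", "-", spaces
# Address type -> columns that must then be filled in (per the parameter tables).
SRC_REQUIRED = {"IP Address": ["Source Address"],
                "IP Address Group": ["Source Address Group Name"],
                "Region": ["Source Continent Region", "Source Country Region"]}
DST_REQUIRED = {"IP Address": ["Destination Address"],
                "IP Address Group": ["Destination Address Group Name"],
                "Region": ["Destination Continent Region", "Destination Country Region"],
                "Domain Name": ["Domain Name"],
                "Domain Group Name": ["Destination Domain Group Name"]}

def cell(row, col):  # empty spreadsheet cells (None) become ""
    return str(row.get(col) or "").strip()

def check_row(row):
    """Return the problems found in one rule row (dict keyed by column name)."""
    problems = []
    if not NAME_RE.fullmatch(cell(row, "Acl Name")):
        problems.append("Acl Name: up to 255 letters, numbers, '_', '-' or spaces")
    if cell(row, "Action Type") not in ("Allow", "Block"):
        problems.append("Action Type: must be Allow or Block")
    for type_col, required in (("Source Address Type", SRC_REQUIRED),
                               ("Destination Address Type", DST_REQUIRED)):
        kind = cell(row, type_col)
        for col in required.get(kind, []):
            if not cell(row, col):
                problems.append(f"{col}: required when {type_col} is {kind}")
    for col in ("Source Address", "Destination Address"):
        if re.search(r"[,;\s]", cell(row, col)):  # several addresses in one cell
            problems.append(f"{col}: one address or segment per rule")
    return problems

def check_sheet(rows):
    """Check one tab: {row_number: [problems]}; key 0 holds tab-level problems."""
    report = {}
    if len(rows) > MAX_ROWS_PER_TAB:
        report[0] = [f"{len(rows)} rows exceed the {MAX_ROWS_PER_TAB}-row limit"]
    for number, row in enumerate(rows, start=1):
        if problems := check_row(row):
            report[number] = problems
    return report

SAMPLE_ROW = {  # constructed row with four deliberate mistakes
    "Acl Name": "web/out", "Action Type": "Permit",
    "Source Address Type": "IP Address", "Source Address": "192.168.10.5, 192.168.10.7",
    "Destination Address Type": "Domain Name", "Domain Name": None}
print(check_sheet([SAMPLE_ROW]))
```

Running the check before clicking Import Rule catches rows that would otherwise only surface as a failed task in Download Center, while rule editing is locked for the duration of the import.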