Importing and Exporting Protection Policies

You can add and export protection rules, blacklist/whitelist items, IP address groups, domain name groups, and service groups in batches.

Specification Limitations

To import and export VPC border protection policies, use the Professional edition.

Importing Protection Rules in Batches

Log in to the management console.
Click in the upper left corner of the management console and select a region or project.
In the navigation pane on the left, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
(Optional) Switch to another firewall instance. Select a firewall from the drop-down list in the upper left corner of the page.
In the navigation pane on the left, choose Access Control, and then choose Internet Border Protection Rules or VPC Border Protection Rules.
Click Download Center on the upper right corner of the list.
Click Download Template to download the rule import template to the local host.
Configure protection policy information as required.
- Import restrictions:
  - A maximum of 640 rules and members can be imported at a time on each tab page.
  - Do not change the template file format, or it may fail to be imported.
- Parameter description:
  - Protection rule parameters:
    - For details about Internet border protection rule parameters, see Parameters of Rule Import Template - Rule-Acl-Table (Internet Border Protection Rules).
    - For details about VPC border protection rule parameters, see Parameters of Rule Import Template - Vpc-Rule-Acl-Table (VPC Border Protection Rule).
  - For details about the blacklist and whitelist parameters, see Adding Blacklist or Whitelist Items to Block or Allow Traffic.
  - For details about IP address group parameters, see Managing IP Address Groups.
  - For details about service group parameters, see Managing Service Groups.
  - For details about domain name group parameters, see Managing Domain Name Groups.
After filling in the template, click Import Rule to import the template.
- Rule import takes several minutes.
- During rule import, you cannot add, edit, or delete access policies, IP address groups, and service groups.
- The priority of the imported policies is lower than that of the created policies.
Click Download Center to view the status of the rule import task. If the Status is Imported, the import succeeded.
Return to the protection rule list to view the imported protection rule.

Exporting Protection Rules in Batches

Log in to the management console.
Click in the upper left corner of the management console and select a region or project.
In the navigation pane on the left, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
(Optional) Switch to another firewall instance. Select a firewall from the drop-down list in the upper left corner of the page.
In the navigation pane, choose Access Control > Access Policies.
Click Download Center on the upper right corner of the list.
Click Export Rule to export rules to a local PC.

Parameters for Importing a Rule Template

Fill in the template by referring to the following parameter descriptions.

Parameters of Rule Import Template - Rule-Acl-Table (Internet Border Protection Rules)

**Table 1** Internet border protection rule table parameters
Parameter	Description	Example Value
Order	Order number of a rule.	1
Acl Name	Name of the rule. The name can contain up to 255 characters, including letters, numbers, underscores (_), hyphens (-), and spaces.	test
Protection Rule	Protection type of a security policy. EIP protection: Protect EIP traffic. Only EIPs can be configured. NAT protection: Protect NAT traffic. Private IP addresses can be configured.	EIP protection
Direction	Direction of protected traffic. Inbound: Traffic from external networks to the internal server. Outbound: Traffic from the customer server to external networks.	Outbound
Action Type	Allow or Block. It specifies the action taken by the firewall to process traffic.	Allow
ACL Address Type	Select IPv4. It is the type of IP addresses to be protected.	IPv4
Status	Whether a policy is enabled. Enable: The rule is enabled immediately and takes effect. Disabled: The rule is not in effect.	Enabled
Description	Rule description	test
Source Address Type	Select the type of the party that originates a session. IP Address. You can configure a single IP address, consecutive IP addresses, or an IP address segment. IP Address Group. You can configure multiple IP addresses. Region: Protection can be performed by region.	IP Address
Source Address	If Source Address Type is set to IP Address, you need to configure this parameter. The following input formats are supported: A single IP address, for example, 192.168.10.5 Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10 A single address segment, for example, 192.168.2.0/24 To specify multiple IP addresses or IP address segments, configure multiple rules. Specify different IP addresses (segments) in these rules but use the same settings for other parameters.	192.168.10.5
Source Address Group Name	If Source Address Type is set to IP Address Group, you must configure this parameter. The following input formats are supported: The value can contain letters, digits, underscores (_), hyphens (-), or spaces. The name can contain up to 255 characters.	s_test
Source Continent Region	If Source Address Type is set to Region, you need to configure Source Continent Region. Enter continent information based on the continent-region-info sheet.	AS: Asia
Source Country Region	If Source Address Type is set to Region, you need to configure Source Country Region. Enter country and region information based on the country-region-info sheet.	CN: Chinese mainland
Destination Address Type	Select the type of the recipient of a session. IP Address. You can configure a single IP address, consecutive IP addresses, or an IP address segment. IP Address Group. You can configure multiple IP addresses. Domain name: A domain name consists of letters separated by dots (.). It is a human readable address that maps to the machine readable IP address of your server. Domain name group. You can set a collection of domain names. Region: Protection can be performed by region.	IP Address Group
Destination Address	If Destination Address Type is set to IP Address, you must configure this parameter. It can be: A single IP address, for example, 192.168.10.5 Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10 A single address segment, for example, 192.168.2.0/24 To specify multiple IP addresses or IP address segments, configure multiple rules. Specify different IP addresses (segments) in these rules but use the same settings for other parameters.	192.168.10.6
Destination Address Group Name	If Destination Address Type is set to IP Address Group, you must configure this parameter. The following input formats are supported: The value can contain letters, digits, underscores (_), hyphens (-), or spaces. The name can contain up to 255 characters.	d_test
Destination Continent Region	If Destination Address Type is set to Region, you need to set Destination Continent Region. Enter continent information based on the continent-region-info sheet.	AS: Asia
Destination Country Region	If Destination Address Type is set to Region, you need to set Destination Country Region. Enter country and region information based on the country-region-info sheet.	CN: Chinese mainland
Domain Name	If Destination Address Type is set to Domain Name, you must configure this parameter. The domain name is used by visitors to access your website. A domain name consists of letters separated by dots (.). It is a human readable address that maps to the machine readable IP address of your server.	www.example.com
Destination Domain Group Name	If Destination Address Type is set to Domain Group Name, you need to configure Destination Domain Group Name. Enter a domain group name.	Domain group 1
Service Type	Service type. It can be: Service. You can configure a single service. Service Group. You can configure multiple services.	Service
Protocol/Source Port/Destination Port	Type to be put under access control. Its value can be TCP, UDP, ICMP, or Any. Source ports to be allowed or blocked. You can configure a single port or consecutive port groups (example: 80-443). Destination ports to be allowed or blocked. You can configure a single port or consecutive port groups (example: 80-443).	TCP/443/443
Service Group Name	Service group name. The name can contain up to 255 characters, including letters, numbers, underscores (_), hyphens (-), and spaces.	service_test
Group Tag	Tags are used to identify rules. You can use tags to classify and search for security policies.	k=a

Parameters of Rule Import Template - Vpc-Rule-Acl-Table (VPC Border Protection Rule)

**Table 2** VPC border protection rule table parameters
Parameter	Description	Example Value
Order	Order number of a rule.	1
Acl Name	Name of the rule. The name can contain up to 255 characters, including letters, numbers, underscores (_), hyphens (-), and spaces.	test
Action Type	Allow or Block. It specifies the action taken by the firewall to process traffic.	Allow
Status	Whether a policy is enabled. Enabled: The rule is in effect. Disabled: The rule is not in effect.	Enabled
Description	Rule description	test
Source Address Type	Set the type of the party that originates a session. IP Address. You can configure a single IP address, consecutive IP addresses, or an IP address segment. IP Address Group. You can configure multiple IP addresses.	IP Address
Source Address	If Source Address Type is set to IP Address, you need to configure this parameter. The following input formats are supported: A single IP address, for example, 192.168.10.5 Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10 A single address segment, for example, 192.168.2.0/24 To specify multiple IP addresses or IP address segments, configure multiple rules. Specify different IP addresses (segments) in these rules but use the same settings for other parameters.	192.168.10.5
Source Address Group Name	If Source Address Type is set to IP Address Group, you must configure this parameter. The following input formats are supported: The value can contain letters, digits, underscores (_), hyphens (-), or spaces. The name can contain up to 255 characters.	s_test
Destination Address Type	Select the type of the recipient of a session. IP Address. You can configure a single IP address, consecutive IP addresses, or an IP address segment. IP Address Group. You can configure multiple IP addresses.	IP Address Group
Destination Address	If Destination Address Type is set to IP Address, you must configure this parameter. It can be: A single IP address, for example, 192.168.10.5 Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10 A single address segment, for example, 192.168.2.0/24 To specify multiple IP addresses or IP address segments, configure multiple rules. Specify different IP addresses (segments) in these rules but use the same settings for other parameters.	192.168.10.6
Destination Address Group Name	If Destination Address Type is set to IP Address Group, you must configure this parameter. The following input formats are supported: The value can contain letters, digits, underscores (_), hyphens (-), or spaces. The name can contain up to 255 characters.	d_test
Service Type	Service type. It can be: Service. You can configure a single service. Service Group. You can configure multiple services.	Service
Protocol/Source Port/Destination Port	Type to be put under access control. Its value can be TCP, UDP, ICMP, or Any. Source ports to be allowed or blocked. You can configure a single port or consecutive port groups (example: 80-443). Destination ports to be allowed or blocked. You can configure a single port or consecutive port groups (example: 80-443).	TCP/443/443
Service Group Name	Service group name. The name can contain up to 255 characters, including letters, numbers, underscores (_), hyphens (-), and spaces.	service_test
Group Tag	Tags are used to identify rules. You can use tags to classify and search for security policies.	k=a