Example 3: Allowing Traffic from a Service to a Platform

This section describes how to allow traffic from a service to a platform. For more parameter settings, see Configuring Protection Rules to Block or Allow Internet Border Traffic.

Domain Name Group Types

CFW provides two types of domain name groups: application domain name groups (layer 7 protocol parsing) and network domain name groups (layer 4 protocol parsing). Table 1 describes the differences between them.

**Table 1** Domain name group types
-	Application Domain Name Group (Layer 7 Protocol Parsing)	Network Domain Name Group (Layer 4 Protocol Parsing)
Protected object	Domain names Wildcard domain names	A single domain name Multiple domain names
Protocol Type	Application layer protocols, including HTTP, HTTPS, TLS, SMTPS, and POPS.	Network layer protocols. All protocol types are supported.
Match rule	The match is based on domain name. The service compares the HOST field in sessions with the application domain names. If they are consistent, the corresponding protection rule is hit.	The filtering is based on the resolved IP addresses. The service obtains the IP addresses resolved by DNS every 15 seconds, if the four-tuple of a session matches the network domain name rule and the resolved address has been saved (that is, the IP address has been obtained from the DNS server), the corresponding protection rule is hit.
Suggestion	You are advised to use the application domain name group (for example, the domain name accelerated by CDN) for the domain names that have a large number of mapping addresses or rapidly changing mapping results.

Allowing Traffic from a Service to a Platform

To allow an EIP (xx.xx.xx.48) to access cfw-test.com and *.example.com, configure parameters as follows. The parameters not mentioned below can be configured as needed.

Create an application domain name group and configure the platform domain names. An example is as follows:

**Table 2** Adding the domain name group of a platform
Parameter	Example Value	Description
Domain Name Group Types	Application	Select a domain name group type.
Group Name	Platform_A	Name of a user-defined domain name group.
Domain names	cfw-test.com *.example.com	Enter a domain name or wildcard domain name. Use commas (,), line breaks, semicolons (;), or spaces to separate multiple domain names.
Description	Allow traffic from a service to a platform.	Describe the content and application scenarios of the current domain name group.

Configure the following protection rules:

The following rule blocks all traffic and has the lowest priority.

**Table 3** Blocking all traffic
Parameter	Example Value	Description
Direction	Outbound	Direction of the protected traffic.
Source	Any	Origin of network traffic.
Destination	Any	Receiver of network traffic.
Service	Any	Protocol, source port, and destination port of network traffic.
Application	Any	Protection policy for application layer protocols.
Action	Block	Action taken when traffic passes through the firewall.

The other rule allows the traffic from the EIP to the platform. The priority is the highest. An example is as follows:

**Table 4** Allowing the traffic from an EIP to a platform
Parameter	Example Value	Description
Direction	Outbound	Direction of the protected traffic.
Source	IP Address xx.xx.xx.48	Origin of network traffic.
Destination	Domain Name/Domain Name Group Application, Application Domain Name Group, X_platform	Receiver of network traffic.
Service	Service. Retain the default values for other parameters.	Protocol, source port, and destination port of network traffic.
Application	Application: HTTP and HTTPS	Protection policy for application layer protocols.
Action	Allow	Action taken when traffic passes through the firewall.

Follow-up Operations

Checking protection outcomes

Policy hits: For details about the protection overview, see Viewing Protection Information Using the Policy Assistant. For details about logs, see Access Control Logs.
For details about the traffic trend and statistics, see Traffic Analysis. For details about traffic records, see Traffic Logs.