Example 3: Allowing Traffic from a Service to a Platform
This section describes how to allow traffic from a service to a platform. For more parameter settings, see Configuring Protection Rules to Block or Allow Internet Border Traffic.
Domain Name Group Types
CFW provides two types of domain name groups: application domain name groups (layer 7 protocol parsing) and network domain name groups (layer 4 protocol parsing). Table 1 describes the differences between them.
Table 1 Domain name group types

| - | Application Domain Name Group (Layer 7 Protocol Parsing) | Network Domain Name Group (Layer 4 Protocol Parsing) |
|---|---|---|
| Protected object | | |
| Protocol type | Application layer protocols, including HTTP, HTTPS, TLS, SMTPS, and POPS. | Network layer protocols. All protocol types are supported. |
| Match rule | Matching is based on the domain name. The service compares the HOST field of a session with the application domain names in the group; if they match, the corresponding protection rule is hit. | Filtering is based on the resolved IP addresses. The service obtains the addresses resolved by DNS every 15 seconds. If the four-tuple of a session matches the network domain name rule and the resolved address has already been saved (that is, obtained from the DNS server), the corresponding protection rule is hit. |
| Suggestion | Recommended for domain names that map to a large number of addresses or whose resolution results change rapidly (for example, domain names accelerated by CDN). | Because only addresses that have already been saved can be hit, a session to an address resolved after the last 15-second refresh does not match the rule until the next refresh. |
Allowing Traffic from a Service to a Platform
- Create an application domain name group and configure the platform domain names. An example is as follows:
Table 2 Adding the domain name group of a platform

| Parameter | Example Value | Description |
|---|---|---|
| Domain Name Group Type | Application | Select a domain name group type. |
| Group Name | Platform_A | Name of a user-defined domain name group. |
| Domain Names | cfw-test.com, *.example.com | Enter a domain name or wildcard domain name. Use commas (,), line breaks, semicolons (;), or spaces to separate multiple domain names. |
| Description | Allow traffic from a service to a platform. | Describe the content and application scenarios of the current domain name group. |
- Configure the following two protection rules. Rules are matched in priority order, so the block-all rule must keep the lowest priority; otherwise it shadows the allow rule and the platform becomes unreachable.
- The following rule blocks all traffic and has the lowest priority:
Table 3 Blocking all traffic

| Parameter | Example Value | Description |
|---|---|---|
| Direction | Outbound | Direction of the protected traffic. |
| Source | Any | Origin of network traffic. |
| Destination | Any | Receiver of network traffic. |
| Service | Any | Protocol, source port, and destination port of network traffic. |
| Application | Any | Protection policy for application layer protocols. |
| Action | Block | Action taken when traffic passes through the firewall. |
- The other rule allows the traffic from the EIP to the platform and has the highest priority. An example is as follows:
Table 4 Allowing the traffic from an EIP to a platform

| Parameter | Example Value | Description |
|---|---|---|
| Direction | Outbound | Direction of the protected traffic. |
| Source | IP Address: xx.xx.xx.48 | Origin of network traffic. |
| Destination | Domain Name/Domain Name Group: Application > Application Domain Name Group > Platform_A (the group created in the previous step) | Receiver of network traffic. |
| Service | Retain the default values. | Protocol, source port, and destination port of network traffic. |
| Application | Application: HTTP and HTTPS | Protection policy for application layer protocols. |
| Action | Allow | Action taken when traffic passes through the firewall. |
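To make the two ideas on this page concrete, the matching difference between application (layer 7, HOST field) and network (layer 4, resolved IP) domain name groups from Table 1, and the priority-ordered allow/block-all rule pair from Tables 3 and 4, the following is an added toy evaluator written for this page. It is example code, not CFW's implementation. The IP addresses (203.0.113.48 stands in for the page's xx.xx.xx.48; 198.51.100.x are platform addresses), the rule names, the `Platform_A_net` group and the wildcard semantics (`*.example.com` covering any name with at least one label before `example.com`, but not `example.com` itself) are assumptions made for the example; confirm the wildcard behaviour in the CFW console before relying on it.

```python
# Added example (not CFW code): a toy evaluator for the two domain name group
# types and the priority-ordered protection rules described on this page.
# IPs, rule names and the wildcard semantics are assumptions made for the example.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple, Union


@dataclass(frozen=True)
class Session:
    src_ip: str
    dst_ip: str
    protocol: str                   # "TCP" or "UDP"
    dst_port: int
    app: Optional[str] = None       # layer 7 protocol identified by the firewall, None if opaque
    host: Optional[str] = None      # HOST field (HTTP Host header / TLS SNI), None if absent


@dataclass
class DomainGroup:
    name: str
    kind: str                       # "application" (layer 7) or "network" (layer 4)
    domains: Tuple[str, ...]
    # Network groups only: addresses the DNS poller has already saved per domain.
    # CFW re-resolves every 15 seconds; an address not yet saved cannot be hit.
    resolved: Dict[str, Set[str]] = field(default_factory=dict)


def domain_matches(pattern: str, host: str) -> bool:
    """Exact or wildcard match. Assumed semantics: '*.example.com' matches any
    name with at least one label in front of 'example.com', not 'example.com' itself."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]        # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def group_hit(group: DomainGroup, s: Session) -> bool:
    if group.kind == "application":
        # Layer 7: compare the session's HOST field with the group's domain names.
        return s.host is not None and any(domain_matches(d, s.host) for d in group.domains)
    # Layer 4: compare the destination address with IPs already resolved for the group.
    return any(s.dst_ip in ips for ips in group.resolved.values())


@dataclass
class Rule:
    name: str
    priority: int                   # lower value is evaluated first
    action: str                     # "allow" or "block"
    src: str = "any"                # "any" or an IP/CIDR
    dst: Union[str, DomainGroup] = "any"
    service: Union[str, Tuple[str, int]] = "any"   # "any" or (protocol, dst_port)
    apps: Tuple[str, ...] = ()      # empty tuple = any application


def rule_hit(r: Rule, s: Session) -> bool:
    if r.src != "any" and ip_address(s.src_ip) not in ip_network(r.src):
        return False
    if r.dst != "any" and not group_hit(r.dst, s):
        return False
    if r.service != "any" and (s.protocol, s.dst_port) != r.service:
        return False
    if r.apps and s.app not in r.apps:
        return False
    return True


def evaluate(rules: List[Rule], s: Session) -> Tuple[Optional[str], Optional[str]]:
    """First hit in priority order wins. (None, None) means nothing matched,
    which is why the page adds an explicit lowest-priority block-all rule."""
    for r in sorted(rules, key=lambda x: x.priority):
        if rule_hit(r, s):
            return r.action, r.name
    return None, None


# Configuration from this page; 203.0.113.48 stands in for the page's xx.xx.xx.48.
EIP = "203.0.113.48"
PLATFORM_A = DomainGroup("Platform_A", "application", ("cfw-test.com", "*.example.com"))
RULES = [
    Rule("allow-eip-to-platform", 1, "allow", src=EIP + "/32", dst=PLATFORM_A, apps=("HTTP", "HTTPS")),
    Rule("block-all-outbound", 1000, "block"),
]

# Layer 4 variant (assumed name): a network domain name group with one address already resolved.
PLATFORM_NET = DomainGroup("Platform_A_net", "network", ("cfw-test.com",),
                           resolved={"cfw-test.com": {"198.51.100.10"}})
NET_RULES = [
    Rule("allow-eip-to-platform-l4", 1, "allow", src=EIP + "/32", dst=PLATFORM_NET),
    Rule("block-all-outbound", 1000, "block"),
]


def decide(s: Session, rules: List[Rule] = RULES) -> Tuple[Optional[str], Optional[str]]:
    return evaluate(rules, s)


if __name__ == "__main__":
    # Constructed sessions: HTTPS to a platform host, and SSH to the same address.
    https = Session(EIP, "198.51.100.10", "TCP", 443, app="HTTPS", host="api.example.com")
    ssh = Session(EIP, "198.51.100.10", "TCP", 22)
    print("L7 group, HTTPS:", decide(https))            # hit by the HOST match
    print("L7 group, SSH:  ", decide(ssh))              # no HOST field, falls to block-all
    print("L4 group, SSH:  ", decide(ssh, NET_RULES))   # hit by the resolved address
```

Two points the evaluator makes visible: a session with no HOST field (SSH on port 22) can never hit an application domain name group, so it falls through to the block-all rule even though it targets a platform address, whereas the network group admits it by destination IP, but only for an address the poller has already saved (198.51.100.20 is blocked). Removing the block-all rule leaves unmatched traffic with no decision at all, which is the gap the lowest-priority rule in Table 3 closes.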
Follow-up Operations
- Policy hits: For details about the protection overview, see Viewing Protection Information Using the Policy Assistant. For details about logs, see Access Control Logs.
- For details about the traffic trend and statistics, see Traffic Analysis. For details about traffic records, see Traffic Logs.
References
- For details about protection rule parameters, see Configuring Protection Rules to Block or Allow Internet Border Traffic.
- For details about blacklist and whitelist configuration, see Adding Blacklist or Whitelist Items to Block or Allow Traffic.
- For details about how to batch add protection policies, see Importing and Exporting Protection Policies.
- For details about how to block network attacks, see Configuring Intrusion Prevention.
- For details about antivirus, see Configuring Virus Defense.