Configuring Protection Rules to Block or Allow VPC Border Traffic
After protection is enabled, CFW allows all traffic by default. You can configure protection rules to block or allow traffic.
Protection Rule Description
The protected objects, actions, and application scenarios of protection rules are as follows.
| Name | Description |
|---|---|
| Protected object | |
| Network type | |
| Action | |
| Scenario | You can configure protection rules in the following scenarios: CAUTION: If your IP address is a back-to-source WAF IP address, you are advised to configure a protection rule or the whitelist to allow its access. Exercise caution when configuring a protection rule to block such access, as it may affect your services. |
Specification Limitations
Only the professional edition supports VPC border traffic protection.
Constraints
- CFW does not support application-level gateways (ALGs). If ALG-related services (such as SIP and FTP) are available, you are advised to add a rule to allow the traffic to pass through all the ports of data channels (that is, set Service to Any and Protective Action to Allow).
- To use CFW persistent connections, enable a bidirectional bypass policy. If you only enable a unidirectional policy, the client will need to re-initiate connections in certain scenarios, such as enabling or disabling protection, and expanding engine capacities. You can also create a service ticket to evaluate the risks of related issues.
- Quota:
- Up to 20,000 protection rules can be added.
- The restrictions on a single protection rule are as follows:
- A maximum of 20 source IP addresses and 20 destination IP addresses can be added.
- A maximum of two source IP address groups and two destination IP address groups can be associated.
- A maximum of five service groups can be associated.
- Restrictions on domain name protection:
- Domain names in Chinese are not supported.
- Restrictions on application-layer domain name reference:
- Each firewall instance can reference up to 60,000 domain names.
- Each firewall instance can reference up to 1,000 wildcard domain names.
- Each protection rule can reference up to 20,000 domain names.
- Each protection rule can reference up to 128 wildcard domain names.
Calculation: If both rule A and rule B of a firewall reference domain name 1 and domain name group A (containing domain names 2 and 3), then the number of domain names referenced by rule A or rule B is 3, and the number of domain names referenced by the firewall instance is 6.
- Domain name protection depends on the DNS server you configure. The default DNS server may be unable to resolve all of a domain name's IP addresses. You are advised to configure DNS resolution if the domain names of your services need to be accessed.
- If NAT64 protection is enabled and IPv6 access is used, allow traffic from the 198.19.0.0/16 CIDR block to pass through. NAT64 translates source IP addresses into the 198.19.0.0/16 CIDR block for ACL access control.
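The quota constraints above are easy to misjudge when domain name groups are shared between rules, because per-rule counts expand groups and the per-instance count is the sum of the per-rule counts rather than the number of distinct names. The following added example (it is not Huawei Cloud or CFW code) models the single-rule and firewall-instance limits listed in this section and reproduces the stated calculation: rules A and B each referencing domain 1 and group A (domains 2 and 3) count 3 per rule and 6 for the instance. The `Rule` field names, the sample domain names and IP addresses, and the treatment of any name containing `*` as a wildcard domain name are this example's own assumptions; the page does not define the wildcard syntax.

```python
from dataclasses import dataclass, field

# Quota values as listed in the Constraints section of this page.
MAX_RULES = 20_000
MAX_SRC_IPS = 20
MAX_DST_IPS = 20
MAX_SRC_GROUPS = 2
MAX_DST_GROUPS = 2
MAX_SERVICE_GROUPS = 5
MAX_DOMAINS_PER_RULE = 20_000
MAX_WILDCARDS_PER_RULE = 128
MAX_DOMAINS_PER_INSTANCE = 60_000
MAX_WILDCARDS_PER_INSTANCE = 1_000


@dataclass
class Rule:
    """Reference counts of one protection rule (field names are this example's own)."""
    name: str
    src_ips: list = field(default_factory=list)
    dst_ips: list = field(default_factory=list)
    src_groups: list = field(default_factory=list)
    dst_groups: list = field(default_factory=list)
    service_groups: list = field(default_factory=list)
    domains: list = field(default_factory=list)        # domain names referenced directly
    domain_groups: list = field(default_factory=list)  # domain name groups referenced by name


def is_wildcard(domain: str) -> bool:
    # Assumption: a wildcard domain name is written with '*' (e.g. '*.example.com');
    # the page states the wildcard quota but not the syntax.
    return "*" in domain


def referenced_domains(rule: Rule, groups: dict) -> list:
    """Expand the rule's domain name groups and return every name it references.

    Follows the page's calculation: a rule referencing domain 1 plus group A
    (domains 2 and 3) references 3 domain names.
    """
    names = list(rule.domains)
    for group in rule.domain_groups:
        names.extend(groups[group])
    return names


def check_rule(rule: Rule, groups: dict) -> list:
    """Return the single-rule quota violations as messages (empty list if none)."""
    names = referenced_domains(rule, groups)
    wildcards = [d for d in names if is_wildcard(d)]
    limits = [
        (len(rule.src_ips), MAX_SRC_IPS, "source IP addresses"),
        (len(rule.dst_ips), MAX_DST_IPS, "destination IP addresses"),
        (len(rule.src_groups), MAX_SRC_GROUPS, "source IP address groups"),
        (len(rule.dst_groups), MAX_DST_GROUPS, "destination IP address groups"),
        (len(rule.service_groups), MAX_SERVICE_GROUPS, "service groups"),
        (len(names), MAX_DOMAINS_PER_RULE, "domain names"),
        (len(wildcards), MAX_WILDCARDS_PER_RULE, "wildcard domain names"),
    ]
    return [f"{rule.name}: {count} {what} exceeds the limit of {limit}"
            for count, limit, what in limits if count > limit]


def check_instance(rules: list, groups: dict) -> dict:
    """Check the firewall-instance quotas over all rules.

    Per-instance totals are the sum of the per-rule counts, so a domain name
    referenced by two rules is counted twice (the page's example: 3 + 3 = 6).
    """
    per_rule = [referenced_domains(r, groups) for r in rules]
    domains = sum(len(names) for names in per_rule)
    wildcards = sum(sum(1 for d in names if is_wildcard(d)) for names in per_rule)
    violations = []
    if len(rules) > MAX_RULES:
        violations.append(f"{len(rules)} rules exceeds the limit of {MAX_RULES}")
    if domains > MAX_DOMAINS_PER_INSTANCE:
        violations.append(f"{domains} domain names exceeds the limit of {MAX_DOMAINS_PER_INSTANCE}")
    if wildcards > MAX_WILDCARDS_PER_INSTANCE:
        violations.append(f"{wildcards} wildcard domain names exceeds the limit of {MAX_WILDCARDS_PER_INSTANCE}")
    for rule in rules:
        violations.extend(check_rule(rule, groups))
    return {"rules": len(rules), "domains": domains, "wildcards": wildcards,
            "violations": violations}


# Constructed sample data reproducing the page's calculation: rules A and B both
# reference domain 1 and domain name group A (domains 2 and 3).
DOMAIN_GROUPS = {"group A": ["domain2.example", "domain3.example"]}
RULE_A = Rule("rule A", domains=["domain1.example"], domain_groups=["group A"])
RULE_B = Rule("rule B", domains=["domain1.example"], domain_groups=["group A"])
# A constructed rule that breaks the 20-source-IP limit.
RULE_C = Rule("rule C", src_ips=[f"10.0.0.{i}" for i in range(1, 22)],
              domains=["*.example"])

if __name__ == "__main__":
    print(len(referenced_domains(RULE_A, DOMAIN_GROUPS)))   # 3
    print(check_instance([RULE_A, RULE_B], DOMAIN_GROUPS)["domains"])  # 6
    for msg in check_instance([RULE_A, RULE_B, RULE_C], DOMAIN_GROUPS)["violations"]:
        print(msg)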
Impacts on Services
When configuring a blocking rule, if address translation or proxy is involved, evaluate the impact of blocking IP addresses with caution.
Viewing Protection Rule Hits
After your services run for a period of time, you can view the number of rule hits in the Hits column of the protection rule list.
Follow-up Operations
- Policy hits: For details about the protection overview, see Viewing Protection Information Using the Policy Assistant. For details about logs, see Access Control Logs.
- For details about the traffic trend and statistics, see Traffic Analysis. For details about traffic records, see Traffic Logs.
References
- For details about how to add protection rules in batches, see Importing and Exporting Protection Policies.
- For details about how to adjust rule priority, see Adjusting the Priority of a Protection Rule.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.