Updated on 2025-07-23 GMT+08:00

Configuring Protection Rules to Block or Allow VPC Border Traffic

After protection is enabled, CFW allows all traffic by default. You can configure protection rules to block or allow traffic.

Protection Rule Description

The protected objects, actions, and application scenarios of protection rules are as follows.

Protected object

  • 5-tuples
  • IP address groups
  • Geographical locations
  • Domain names and domain name groups (layer-4 and layer-7 traffic)
  • Applications

Network type

  • EIP
  • Private IP address

Action

  • If Block is selected, traffic will be blocked.
  • If Allow is selected, traffic will be allowed by protection rules and then checked by IPS.

Scenario

You can configure protection rules in the following scenarios:
CAUTION:
If your IP address is a back-to-source WAF IP address, you are advised to configure a protection rule or the whitelist to allow its access. Exercise caution when configuring a protection rule that blocks its access, as this may affect your services.
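The following is an added example, not Huawei CFW code or the console's own matching logic. It simulates how a list of protection rules decides a 5-tuple according to the semantics stated above: Block drops the traffic, Allow passes it to the IPS check, and traffic that matches no rule is allowed by default. Two things are assumed rather than stated on the page: rules are evaluated top-down with the first match winning, and "Any" matches every value. All addresses and rule names are constructed samples; 198.19.0.0/16 is the CIDR block named in the NAT64 constraint.

```python
"""Added example, not Huawei CFW code: a small simulator of how a list of
protection rules decides VPC border traffic, following the semantics stated on
this page (Block drops the traffic; Allow passes it and hands it to IPS; with no
matching rule, CFW allows the traffic by default).  Assumed, not stated on the
page: rules are evaluated top-down and the first match wins, and "Any" matches
every value.  All addresses and rule names below are constructed samples."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ANY = "Any"


@dataclass
class Flow:
    """A 5-tuple as seen at the VPC border."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass
class Rule:
    name: str
    action: str                                              # "Block" or "Allow"
    src: List[str] = field(default_factory=lambda: [ANY])    # IPs or CIDRs
    dst: List[str] = field(default_factory=lambda: [ANY])
    proto: str = ANY
    dport: Optional[int] = None                              # None means Service = Any (all ports)


def _addr_match(ip: str, entries: List[str]) -> bool:
    if ANY in entries:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return (_addr_match(flow.src, rule.src)
            and _addr_match(flow.dst, rule.dst)
            and rule.proto in (ANY, flow.proto)
            and rule.dport in (None, flow.dport))


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, Optional[str], bool]:
    """Return (verdict, name of the matching rule or None, handed to IPS)."""
    for rule in rules:
        if rule_matches(rule, flow):
            if rule.action == "Block":
                return ("blocked", rule.name, False)
            return ("allowed", rule.name, True)   # Allow: passed, then checked by IPS
    # No rule matched: default allow.  The page states the IPS check only for
    # explicit Allow rules; assumed here to apply to default-allowed traffic too.
    return ("allowed", None, True)


# Constructed rule set.  Ordering matters under the first-match assumption: the
# WAF back-to-source allow sits above the block rule, as the CAUTION recommends.
SAMPLE_RULES = [
    Rule("allow-waf-back-to-source", "Allow", src=["192.0.2.0/24"]),   # constructed WAF IPs
    Rule("allow-nat64-translated", "Allow", src=["198.19.0.0/16"]),    # CIDR from the NAT64 constraint
    Rule("block-legacy-subnet", "Block", src=["10.10.0.0/16"], dst=["10.20.0.0/16"]),
    Rule("allow-ftp-alg", "Allow", dst=["10.20.5.10"]),                # Service Any for ALG data channels
]

if __name__ == "__main__":
    for f in (Flow("192.0.2.7", "10.20.1.1", "tcp", 40000, 443),
              Flow("10.10.3.3", "10.20.1.1", "tcp", 40000, 22),
              Flow("10.10.3.3", "10.20.5.10", "tcp", 40000, 50123),
              Flow("172.16.0.9", "10.20.9.9", "udp", 5000, 53)):
        print(f.src, "->", f.dst, evaluate(SAMPLE_RULES, f))
```

The third sample flow shows why rule order needs attention when a blocking rule is added: the FTP server 10.20.5.10 has an Allow rule with Service Any, but a client in 10.10.0.0/16 is still blocked because the broader block rule sits above it.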

Specification Limitations

Only the professional edition supports VPC border traffic protection.

Constraints

  • CFW does not support application-level gateways (ALGs). If ALG-related services (such as SIP and FTP) are in use, you are advised to add a rule that allows the traffic to pass through all the ports of their data channels (that is, set Service to Any and Protective Action to Allow).
  • To use CFW persistent connections, enable a bidirectional bypass policy. If you only enable a unidirectional policy, the client will need to re-initiate connections in certain scenarios, such as enabling or disabling protection, and expanding engine capacities. You can also create a service ticket to evaluate the risks of related issues.
  • Quota:
    • Up to 20,000 protection rules can be added.
    • The restrictions on a single protection rule are as follows:
      • A maximum of 20 source IP addresses and 20 destination IP addresses can be added.
      • A maximum of two source IP address groups and two destination IP address groups can be associated.
      • A maximum of five service groups can be associated.
  • Restrictions on domain name protection:
    • Domain names in Chinese are not supported.
    • Restrictions on application-layer domain name reference:
      • Each firewall instance can reference up to 60,000 domain names.
      • Each firewall instance can reference up to 1,000 wildcard domain names.
      • Each protection rule can reference up to 20,000 domain names.
      • Each protection rule can reference up to 128 wildcard domain names.

      Calculation: If both rule A and rule B of a firewall reference domain name 1 and domain name group A (containing domain names 2 and 3), then the number of domain names referenced by rule A or rule B is 3, and the number of domain names referenced by the firewall instance is 6.

    • Domain name protection depends on the DNS server you configure. The default DNS server may be unable to resolve all of a domain name's IP addresses. You are advised to configure DNS resolution if the domain names of your services need to be accessed.
  • If NAT64 protection is enabled and IPv6 access is used, allow traffic from the 198.19.0.0/16 CIDR block to pass through. NAT64 translates source IP addresses into the 198.19.0.0/16 CIDR block for ACL access control.
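The following is an added example, not Huawei CFW code, that checks a rule set against the per-rule and per-instance quotas listed above and reproduces the domain-name calculation from the Constraints section. Counting follows the page: a rule's domain-name count is its directly configured names plus the members of every domain name group it references, and the firewall-instance count is the sum over all rules (references, not unique names), so two rules that each reference 3 names cost the instance 6. The rule and group names, the domain names and the over-quota rule are constructed samples; the dictionary layout of a rule is this example's own, not the CFW API.

```python
"""Added example, not Huawei CFW code: check a rule set against the quotas listed
under Constraints and reproduce the page's domain-name counting example.  The rule
dictionary layout is this example's own.  Names below are constructed samples."""
from typing import Dict, List

# Quotas stated on the page
LIMITS = {
    "rules_per_firewall": 20000,
    "src_ips": 20, "dst_ips": 20,
    "src_groups": 2, "dst_groups": 2,
    "service_groups": 5,
    "domains_per_rule": 20000, "wildcards_per_rule": 128,
    "domains_per_firewall": 60000, "wildcards_per_firewall": 1000,
}


def is_wildcard(name: str) -> bool:
    return name.startswith("*.")


def has_chinese(name: str) -> bool:
    """CJK Unified Ideographs; the page says Chinese domain names are not supported."""
    return any("\u4e00" <= ch <= "\u9fff" for ch in name)


def rule_domains(rule: dict, groups: Dict[str, List[str]]) -> List[str]:
    """Every domain name the rule references, directly or via a group (references, not unique names)."""
    names = list(rule.get("domains", []))
    for group in rule.get("domain_groups", []):
        names.extend(groups[group])
    return names


def check_rules(rules: List[dict], groups: Dict[str, List[str]]) -> dict:
    report = {"violations": [], "per_rule": {},
              "domains_per_firewall": 0, "wildcards_per_firewall": 0}
    if len(rules) > LIMITS["rules_per_firewall"]:
        report["violations"].append(f"{len(rules)} rules > {LIMITS['rules_per_firewall']}")
    for rule in rules:
        name = rule["name"]
        # Per-rule list quotas: 20 source/destination IPs, 2 address groups each, 5 service groups
        for key in ("src_ips", "dst_ips", "src_groups", "dst_groups", "service_groups"):
            count = len(rule.get(key, []))
            if count > LIMITS[key]:
                report["violations"].append(f"{name}: {count} {key} > {LIMITS[key]}")
        domains = rule_domains(rule, groups)
        wildcards = sum(1 for d in domains if is_wildcard(d))
        for d in domains:
            if has_chinese(d):
                report["violations"].append(f"{name}: Chinese domain name {d!r} is not supported")
        if len(domains) > LIMITS["domains_per_rule"]:
            report["violations"].append(f"{name}: {len(domains)} domain names > {LIMITS['domains_per_rule']}")
        if wildcards > LIMITS["wildcards_per_rule"]:
            report["violations"].append(f"{name}: {wildcards} wildcard domain names > {LIMITS['wildcards_per_rule']}")
        report["per_rule"][name] = {"domains": len(domains), "wildcards": wildcards}
        report["domains_per_firewall"] += len(domains)
        report["wildcards_per_firewall"] += wildcards
    # Per-instance quotas are the sum of references across all rules
    for key in ("domains_per_firewall", "wildcards_per_firewall"):
        if report[key] > LIMITS[key]:
            report["violations"].append(f"firewall: {report[key]} {key} > {LIMITS[key]}")
    return report


# The page's calculation: rules A and B both reference domain name 1 and group A
# (domain names 2 and 3) -> 3 per rule, 6 for the firewall instance.
GROUPS = {"group-A": ["example.net", "example.org"]}
PAGE_EXAMPLE = [
    {"name": "rule-A", "domains": ["example.com"], "domain_groups": ["group-A"]},
    {"name": "rule-B", "domains": ["example.com"], "domain_groups": ["group-A"]},
]

# Constructed rule that breaks three quotas at once
OVER_QUOTA = [{
    "name": "rule-C",
    "src_ips": [f"10.0.0.{i}" for i in range(21)],                           # 21 > 20
    "domains": [f"*.site{i}.example" for i in range(129)] + ["例子.测试"],   # 129 wildcards > 128, Chinese name
}]

if __name__ == "__main__":
    print(check_rules(PAGE_EXAMPLE, GROUPS))
    print(check_rules(OVER_QUOTA, GROUPS)["violations"])
```

Run against `PAGE_EXAMPLE` the report shows 3 domain names for each rule and 6 for the instance with no violations; `OVER_QUOTA` reports the source IP count, the wildcard count and the Chinese domain name as three separate violations.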

Impacts on Services

When configuring a blocking rule, if address translation or proxy is involved, evaluate the impact of blocking IP addresses with caution.

Viewing Protection Rule Hits

After your services run for a period of time, you can view the number of rule hits in the Hits column of the protection rule list.

Follow-up Operations

Checking protection outcomes