Configuring Protection Rules to Block or Allow VPC Border Traffic

After protection is enabled, CFW allows all traffic by default. You can configure protection rules to block or allow traffic.

Protection Rule Description

The protected objects, actions, and application scenarios of protection rules are as follows.

Name	Description
Protected object	5-tuples IP address groups Geographical locations Domain names and domain name groups (layer-4 and layer-7 traffic) Applications
Network type	EIP Private IP address
Action	If Block is selected, traffic will be blocked. If Allow is selected, traffic will be allowed by protection rules and then checked by IPS.
Scenario	You can configure protection rules in the following scenarios: This section describes how to protect the access traffic between VPCs, or between a VPC and an IDC. Protect the traffic of public network assets (EIPs) at the Internet border. For details, see Configuring Protection Rules to Block or Allow Internet Border Traffic. CAUTION: If your IP address is a back-to-source WAF IP address, you are advised to configure a protection rule or the whitelist to allow its access. Exercise caution when configuring a protection rule to block access, which may affect your services. For details about back-to-source IP addresses, see What Are Back-to-Source IP Addresses?. For details about how to configure the whitelist, see Adding Blacklist or Whitelist Items to Block or Allow Traffic.

Specification Limitations

Only the professional edition supports VPC border traffic protection.

Constraints

CFW does not support application-level gateways (ALGs). If ALG-related services (such as SIP and FTP) are available, you are advised to add a rule to allow the traffic to pass through all the ports of data channels (that is, set Service to Any and Protective Action to Allow).
To use CFW persistent connections, enable a bidirectional bypass policy. If you only enable a unidirectional policy, the client will need to re-initiate connections in certain scenarios, such as enabling or disabling protection, and expanding engine capacities. You can also create a service ticket to evaluate the risks of related issues.
Quota:
- Up to 20,000 protection rules can be added.
- The restrictions on a single protection rule are as follows:
  - A maximum of 20 source IP addresses and 20 destination IP addresses can be added.
  - A maximum of two source IP address groups and two destination IP address groups can be associated.
  - A maximum of five service groups can be associated.
Restrictions on domain name protection:
- Domain names in Chinese are not supported.
- Restrictions on application-layer domain name reference:
  - Each firewall instance can reference up to 60,000 domain names.
  - Each firewall instance can reference up to 1,000 wildcard domain names.
  - Each protection rule can reference up to 20,000 domain names.
  - Each protection rule can reference up to 128 wildcard domain names.
  Calculation: If both rule A and rule B of a firewall reference domain name 1 and domain name group A (containing domain names 2 and 3), then the number of domain names referenced by rule A or rule B is 3, and the number of domain names referenced by the firewall instance is 6.
- Domain name protection depends on the DNS server you configure. The default DNS server may be unable resolute complete IP addresses. You are advised to configure DNS resolution if the domain names of your services need to be accessed.
If NAT 64 protection is enabled and IPv6 access is used, allow traffic from the 198.19.0.0/16 CIDR block to pass through. NAT64 will translate source IP addresses into the CIDR block 198.19.0.0/16 for ACL access control.

Impacts on Services

When configuring a blocking rule, if address translation or proxy is involved, evaluate the impact of blocking IP addresses with caution.

Adding a VPC Border Protection Rule

Enable VPC border firewall protection. For details, see Enabling VPC Border Traffic Protection.
(Optional) To add multiple IP addresses, domain names, and services (protocols, source ports, and destination ports), add their groups first.
- For details about how to add multiple IP addresses, see Managing IP Address Groups.
- For details about how to add multiple domain names, see Managing Domain Name Groups.
- For details about how to add multiple services, see Managing Service Groups.
In the navigation pane on the left of the CFW console, choose Access Control > VPC Border Protection Rules.

Add a protection rule.

On the Protection Rules tab, click Add Rule. On the displayed page, enter information. For details, see Table 1.

**Table 1** VPC border protection rule parameters
Parameter	Description
Name	Name of the custom security policy.
Source	Set the party that originates a session. IP Address: You can set a single IP address, consecutive IP addresses, or an IP address segment. A single IP address, for example, 192.168.10.5 Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10 Address segment, for example, 192.168.2.0/24 IP address group: A collection of IP addresses. For details, see Adding an IP Address Group. Any: any source address
Destination	Set the recipient of a session. IP Address: You can set a single IP address, consecutive IP addresses, or an IP address segment. A single IP address, for example, 192.168.10.5 Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10 Address segment, for example, 192.168.2.0/24 IP address group: A collection of IP addresses. For details, see Adding an IP Address Group. Domain Name/Domain Name Group: Domain names or domain groups can be protected. Application: Domain names or wildcard domain names can be protected. Application-layer protocols such as HTTP, HTTPS, TLS, SMTPS, and POPS are supported. Domain names are used for matching. Any: any destination address
Service	Service: Set Protocol Type, Source Port, and Destination Port. Protocol: The value can be TCP, UDP, or ICMP. Source/Destination Port: If Protocol is set to TCP or UDP, you need to set the port number. To specify all the ports of an IP address, set Port to 1-65535. You can specify a single port. For example, to manage access on port 22, set Port to 22. To set a port range, use a hyphen (-) between the starting and ending ports. For example, to manage access on ports 80 to 443, set Port to 80-443. Service group: A collection of services (protocols, source ports, and destination ports). For details about how to add a custom service group, see Adding a Service Group. For details about predefined service groups, see Viewing a Predefined Service Group. Any: any protocol type or port number
Application	(Optional) Configure a protection policy for application-layer protocols. This parameter is mandatory when Destination is set to Domain Name/domain Group. If Service is set to Any, all application types are supported. If Service is set to Service and Protocol is set to TCP, TCP applications, such as HTTP and HTTPS, are supported. If Service is set to Service and Protocol is set to UDP, UDP applications, such as DNS and RDP, are supported.
Protection Action	Set the action to be taken when traffic passes through the firewall. Allow: Traffic is forwarded. Block: Traffic is not forwarded.
Status	Whether a policy is enabled. : indicates that the policy takes effect immediately after being configured. : disabled
Priority	Priority of the rule. Its value can be: Pin on top: indicates that the priority of the policy is set to the highest. Lower than the selected rule: indicates that the policy priority is lower than a specified rule.
Allow Long Connection	If only one service is configured in the current protection rule and Protocol is set to TCP or UDP, you can configure the service session aging time (unit: second).
Long Connection Duration	If Allow Long Connection is set to Yes, you need to set the persistent connection duration and set hour, minute, and second.
Tag	(Optional) Tags are used to identify rules. You can use tags to classify and search for security policies.
Description	(Optional) Usage and application scenario

Click OK to complete the protection rule configuration.

Viewing Protection Rule Hits

After your services run for a period of time, you can view the number of rule hits in the Hits column of the protection rule list.

Follow-up Operations

Checking protection outcomes

Policy hits: For details about the protection overview, see Viewing Protection Information Using the Policy Assistant. For details about logs, see Access Control Logs.
For details about the traffic trend and statistics, see Traffic Analysis. For details about traffic records, see Traffic Logs.