Updated on 2023-03-01 GMT+08:00

Configuring Access Policies for IP Address Groups and Service Groups

After a protected object is connected to CFW, you can configure access control policies for IP address groups and service groups, and verify the effect of the policies. This section uses the configuration of IP address and service groups as an example to describe how to configure IP address and service access control policies in batches.

Scenario

If your service is deployed in an enterprise that has many IP addresses and services, you need to configure access control policies for users' IP address groups and service groups to permit or block certain access requests.

Prerequisites

  • A website to be protected has been connected to CFW.
  • Intrusion prevention has been enabled and Action has been set to Block.

    For details about how to configure IP address and service access control policies, see Configuring an Access Control Policy.

Configuring an Access Control Policy

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation pane, click and choose Security & Compliance > Cloud Firewall. The Dashboard page is displayed, as shown in Figure 1.

    Figure 1 CFW Dashboard

  4. Choose Access Control > IP Address Group Management, and add two IP address groups sourceA and destB. Add IP addresses to the IP address groups.

    Figure 2 Adding an IP address group

  5. Choose Access Control > Service Groups, add a service group, and add a protocol to the service group.

    Figure 3 Adding a service group

  6. Choose Access Control > Access Policies.

    Figure 4 Access policies

  7. Click Add Rule. Configure parameters in the Add Rule dialog box. For more information, see Table 1.

    Figure 5 Protection rule
    Table 1 Internet boundary rule parameters (each entry gives the parameter, its description, and an example value)

    Direction
      Description: Direction of protected traffic.
        • Outbound: Traffic from external networks to the internal server.
        • Inbound: Traffic from the customer server to external networks.
      Example value: Outbound

    Name
      Description: Name of the rule.
      Example value: test

    Source Type
      Description: Select a type. Its value can be:
        • IP Address: a single IP address, consecutive IP addresses, or an IP address segment.
        • IP Address Group: multiple IP addresses configured as one group.
      Example value: IP Address

    Source Address
      Description: Data packet source. It can be:
        • A single IP address, for example, 192.168.10.5
        • Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10
        • An address segment, for example, 192.168.2.0/24
      Example value: 192.168.10.5

    Destination Type
      Description: Select a type. Its value can be:
        • IP Address: a single IP address, consecutive IP addresses, or an IP address segment.
        • IP Address Group: multiple IP addresses configured as one group.
        • Domain name: a domain name consists of labels separated by dots (.). It is a human-readable address that maps to the machine-readable IP address of your server.
      Example value: IP Address

    Destination Address
      Description: Data packet destination. It can be:
        • A single IP address, for example, 192.168.10.5
        • Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10
        • An address segment, for example, 192.168.2.0/24
        • A domain name. It can consist of multiple levels, for example, a level-1 domain name (example.com) or a level-2 domain name (www.example.com). After entering a domain name, click Test on the right to check whether it is valid.
      NOTE: If Destination Address is set to a domain name, you need to configure DNS resolution. For more information, see Configuring DNS Resolution.
      Example value: 192.168.10.6

    Service Type
      Description: Service type. It can be:
        • Service: a single service.
        • Service Group: multiple services configured as one group.
      Example value: Service

    Protocol Type
      Description: Its value can be TCP, UDP, ICMP, Any, or ICMPV6.
      Example value: TCP

    Source Port
      Description: Source ports to be enabled or disabled. You can configure a single port or a range of consecutive ports (example: 80-443).
      Example value: 80

    Destination Port
      Description: Destination ports to be enabled or disabled. You can configure a single port or a range of consecutive ports (example: 80-443).
      Example value: 443

    Action
      Description: Allow or Block. Determines whether the traffic is allowed to pass through the cloud firewall.
      Example value: Allow

    Priority
      Description: Priority of the rule. Its value can be:
        • Pin on top: the policy is set to the highest priority.
        • Lower than the selected rule: the policy priority is lower than that of a specified rule.
      NOTE: A smaller value indicates a higher priority.
      Example value: Pin on top

    Status
      Description: Whether a policy is enabled. The toggle switched on means the policy is enabled; switched off means it is disabled.
      Example value: -

    Description
      Description: Usage and application scenario of the rule.
      Example value: -

  8. Click OK.
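To make the rule model in Table 1 concrete, the following added example (not CFW's own code or API) evaluates a connection against a small policy built from the page's address forms (single IP, consecutive range, CIDR), IP address groups, service groups, and priorities. It assumes first-match semantics in ascending priority order and a caller-supplied default action when nothing matches; both are assumptions, not documented CFW behaviour.

```python
import ipaddress
from dataclasses import dataclass

# Address spec forms from Table 1: single IP, "a-b" consecutive range, or CIDR segment.
# An IP address group is simply a list of such specs (assumed model).
def ip_matches(spec: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(spec, strict=False)

def group_matches(group: list, ip: str) -> bool:
    return any(ip_matches(s, ip) for s in group)

# Port spec: single port "443", consecutive ports "80-443", or "Any" (assumed, e.g. for ICMP).
def port_matches(spec: str, port: int) -> bool:
    if spec == "Any":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port

@dataclass
class Rule:
    name: str
    direction: str        # "Inbound" or "Outbound"
    src: list             # IP address group (list of address specs)
    dst: list             # IP address group
    services: list        # service group: (protocol, source port spec, destination port spec)
    action: str           # "Allow" or "Block"
    priority: int         # smaller value = higher priority, as Table 1 notes
    enabled: bool = True  # Status toggle

def evaluate(rules, direction, src_ip, dst_ip, proto, src_port, dst_port, default):
    """Return (action, rule name) of the first enabled matching rule in priority order,
    or (default, None) if no rule matches (first-match and default are assumptions)."""
    for r in sorted(rules, key=lambda r: r.priority):
        if not r.enabled or r.direction != direction:
            continue
        if not (group_matches(r.src, src_ip) and group_matches(r.dst, dst_ip)):
            continue
        for p, sp, dp in r.services:
            if (p == "Any" or p == proto) and port_matches(sp, src_port) and port_matches(dp, dst_port):
                return r.action, r.name
    return default, None

# Constructed sample policy using the page's example values: sourceA, destB, a web service group.
SOURCE_A = ["192.168.10.5", "192.168.0.2-192.168.0.10"]
DEST_B = ["192.168.2.0/24"]
WEB_SERVICES = [("TCP", "Any", "80"), ("TCP", "Any", "443")]
POLICY = [
    Rule("block-admin", "Outbound", SOURCE_A, DEST_B, [("TCP", "Any", "22")], "Block", 1),
    Rule("test", "Outbound", SOURCE_A, DEST_B, WEB_SERVICES, "Allow", 2),
]
```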

Verifying a Rule

After an access control policy is configured, perform the following steps to verify it:

  1. In the navigation pane, choose Traffic Analysis. Check the Internet inbound and outbound traffic, attack trend, and frequently accessed IP addresses.

    Figure 6 Internet access

  2. Click the Server Originated Access tab. Check server originated traffic and the attack trend.

    Figure 7 Server originated access

  3. In the navigation pane, choose Log Audit. On the Attack Event Logs tab, check the details about attack events in the past week.

    Figure 8 Attack event logs

  4. In the navigation pane, choose Traffic Analysis. Check the Internet inbound and outbound traffic, attack trend, and frequently accessed IP addresses.

    Figure 9 Internet access

  5. Click the Traffic Logs tab and check the bytes and packets in the past week.

    Figure 10 Traffic logs