Updated on 2024-03-08 GMT+08:00

Why Does a Configured Policy Not Take Effect?

All Traffic Is Allowed Even If a Rule Is Configured to Allow Only Several EIPs

After EIP protection is enabled on CFW, the access control policy allows all traffic by default. If you want to allow traffic from only a few EIPs, you must also configure a protection rule that blocks all traffic and give that rule the lowest priority, so that it is matched only after the allow rules.

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation pane, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed, as shown in Figure 1.

    Figure 1 CFW Dashboard

  4. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click View in the Operation column to go to the details page.
  5. In the navigation pane, choose Access Control > Access Policies. The Access Policies page is displayed. Click the Internet Boundaries or Inter-VPC Borders tab.
  6. Configure a global blocking rule. Click Add Rule. Use the parameter settings shown in Figure 2 and configure other parameters as needed.

    Figure 2 Blocking all traffic

    You are advised to enable the rules only after adding all required ones.

  7. Configure an allow rule. For details about how to add a protection rule, see Adding a Protection Rule.
  8. Set the priority of the global blocking rule configured in step 6 to the lowest. For details, see Setting the Priority.
  9. Enable all rules. You are advised to enable the allow rules before the blocking rule.

Blocked IP Addresses Are Still Allowed Through Even If a Global Blocking Rule Is Configured

The protection rules configured on CFW are applied based on the EIP management list. If you have enabled global blocking (0.0.0.0/0) but the traffic of EIPs not in an allow rule is allowed through, check whether the IP addresses are in the EIP list. If not, synchronize the resource configuration. For details, see Enabling EIP Protection.
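Both symptoms on this page come from the same two evaluation properties: rules are matched in priority order with a default of allow when nothing matches, and the policy is only applied to EIPs that are in the EIP management list. The following Python model is an added illustration, not Huawei Cloud code; the rule fields, the first-match semantics and the sample addresses (documentation ranges) are assumptions chosen to reproduce the behaviour the page describes.

```python
"""Toy model of CFW access-policy evaluation (added illustration, not Huawei code).

Assumptions, labelled because the page does not state them:
  * Rules are evaluated in priority order (lower number = evaluated first)
    and the first matching enabled rule decides; if nothing matches, the
    default action is allow, as the page states for a new EIP protection setup.
  * The policy is applied only to EIPs in the EIP management list; traffic
    for any other EIP bypasses the rules entirely.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    source: str      # remote source CIDR the rule matches, e.g. "0.0.0.0/0"
    action: str      # "allow" or "block"
    priority: int    # lower number = evaluated earlier
    enabled: bool = True


def evaluate(rules, protected_eips, eip, remote_ip):
    """Decide what happens to inbound traffic from remote_ip to the given EIP.

    Returns a (decision, reason) pair; decision is "allow" or "block".
    """
    # The policy only applies to EIPs that are in the EIP management list.
    if eip not in protected_eips:
        return ("allow", "EIP not in the EIP management list: policy not applied")
    # First matching enabled rule, in priority order, wins.
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.enabled and ip_address(remote_ip) in ip_network(rule.source):
            return (rule.action, f"matched rule '{rule.name}' (priority {rule.priority})")
    # Nothing matched: the default after enabling EIP protection is allow.
    return ("allow", "no rule matched: default allow")


# Constructed sample values (RFC 5737 documentation ranges, not real addresses).
PROTECTED_EIP = "203.0.113.10"
UNLISTED_EIP = "203.0.113.20"
TRUSTED_REMOTE = "198.51.100.5"
OTHER_REMOTE = "198.51.100.77"

ALLOW_TRUSTED = Rule("allow-trusted", "198.51.100.5/32", "allow", priority=1)
BLOCK_ALL = Rule("block-all", "0.0.0.0/0", "block", priority=1000)


def allow_only_without_block_all():
    """Symptom 1: only an allow rule exists, so every other source is allowed too."""
    rules = [ALLOW_TRUSTED]
    eips = {PROTECTED_EIP}
    return (evaluate(rules, eips, PROTECTED_EIP, TRUSTED_REMOTE)[0],
            evaluate(rules, eips, PROTECTED_EIP, OTHER_REMOTE)[0])


def allow_only_with_lowest_priority_block_all():
    """Fix: a block-all rule at the lowest priority catches what the allow rules miss."""
    rules = [ALLOW_TRUSTED, BLOCK_ALL]
    eips = {PROTECTED_EIP}
    return (evaluate(rules, eips, PROTECTED_EIP, TRUSTED_REMOTE)[0],
            evaluate(rules, eips, PROTECTED_EIP, OTHER_REMOTE)[0])


def block_all_at_highest_priority():
    """Misconfiguration: block-all ranked above the allow rule blocks everything."""
    rules = [ALLOW_TRUSTED, Rule("block-all", "0.0.0.0/0", "block", priority=0)]
    eips = {PROTECTED_EIP}
    return (evaluate(rules, eips, PROTECTED_EIP, TRUSTED_REMOTE)[0],
            evaluate(rules, eips, PROTECTED_EIP, OTHER_REMOTE)[0])


def block_all_but_eip_not_synced():
    """Symptom 2: block-all exists, but the EIP was never synchronized into the list."""
    rules = [ALLOW_TRUSTED, BLOCK_ALL]
    eips = {PROTECTED_EIP}          # UNLISTED_EIP is missing from the EIP list
    return evaluate(rules, eips, UNLISTED_EIP, OTHER_REMOTE)


if __name__ == "__main__":
    print("allow rule only:              ", allow_only_without_block_all())
    print("allow + lowest-prio block-all:", allow_only_with_lowest_priority_block_all())
    print("block-all ranked first:       ", block_all_at_highest_priority())
    print("EIP not synchronized:         ", block_all_but_eip_not_synced())
```

The third scenario is the reason the page insists on the lowest priority for the global blocking rule: ranked above the allow rules it matches first and blocks the trusted source as well. The fourth scenario shows why a correctly ordered policy still lets traffic through for an EIP that was never synchronized into the EIP list.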
