Protection Rules
After the firewall is enabled, CFW allows all traffic by default. You can configure different protection rules to let the firewall block unauthorized traffic, implementing multi-dimensional traffic isolation and control.
Protected Objects
- Objects that can be protected: 5-tuples, IP address groups, geographical locations, domain name groups, and domain names
- Network types: EIPs and private IP addresses (only supported by the professional edition)
Protective Actions
- Allow: Traffic is forwarded.
- Block: Traffic is not forwarded. Note the following when configuring a blocking rule:
  - Specify exact IP addresses (for example, 192.168.10.5) wherever possible instead of network segments, so that a blocking rule does not catch more traffic than intended.
  - Exercise caution when configuring protection rules that block reverse proxy IP addresses, such as the CDN, Advanced Anti-DDoS, and WAF back-to-source IP addresses. You are advised to configure protection rules or a whitelist that permit reverse proxy IP addresses.
  - Blocking forward proxy IP addresses (such as company egress IP addresses) can have a large impact, because every client behind the proxy is affected. Exercise caution when configuring protection rules that block forward proxy IP addresses.
  - When configuring region protection, take possible EIP changes into consideration.
A protection rule with its source or destination set to a region (geographical location) takes effect only for IPv4 protected objects.
Wildcard Rules
Parameter | Input | Description |
|---|---|---|
Source/Destination | 0.0.0.0/0 | All IP addresses |
Domain name | www.example.com | Domain name www.example.com |
Domain name | *.example.com | All domain names ending with example.com, for example, test.example.com |
Service - Source port or destination port | 1-65535 | All ports |
Service - Source port or destination port | 80-443 | All ports in the range 80 to 443 |
Service - Source port or destination port | 80,443 | Ports 80 and 443 |
Examples of Protection Rule Configuration
In this example, two protection rules are configured. One rule blocks all traffic and has the lowest priority. The other rule allows the traffic from a specified IP address and has the highest priority. Configure other parameters as needed. For details about parameter configuration, see Blocking or Allowing Traffic by Adding Protection Rules.
- One of them blocks all traffic and has the lowest priority. Configure the following parameters as suggested, and configure other parameters as needed.

Figure 1 Blocking all traffic

Table 1 Blocking all traffic

Parameter | Example Value | Description |
|---|---|---|
Direction | Inbound | Direction of the protected traffic. |
Source | Any | Origin of network traffic. |
Destination | Any | Receiver of network traffic. |
Service | Any | Protocol, source port, and destination port of network traffic. |
Application | Any | Protection policy for application layer protocols. |
Action | Block | Action taken when traffic passes through the firewall. |
- The other rule allows traffic from a specified IP address to pass through and has the highest priority. Configure the following parameters as suggested, and configure other parameters as needed.

Figure 2 Allowing a specified IP address

Table 2 Allowing a specified IP address

Parameter | Example Value | Description |
|---|---|---|
Direction | Inbound | Direction of the protected traffic. |
Source | IP Address/IP address group/Countries and regions: select IP Address and enter 192.168.0.0 | Origin of network traffic. |
Destination | Any | Receiver of network traffic. |
Service | Any | Protocol, source port, and destination port of network traffic. |
Application | Any | Protection policy for application layer protocols. |
Action | Allow | Action taken when traffic passes through the firewall. |


Parameter | Example Value | Description |
|---|---|---|
Direction | Inbound | Direction of the protected traffic. |
Source | IP Address/IP address group/Countries and regions: select Countries and regions and specify a region, for example, Singapore | Origin of network traffic. |
Destination | Any | Receiver of network traffic. |
Service | Any | Protocol, source port, and destination port of network traffic. |
Application | Any | Protection policy for application layer protocols. |
Action | Block | Action taken when traffic passes through the firewall. |
- Create an application domain name group and configure the platform domain names. An example is as follows:

Figure 4 Adding the domain name group of a platform

Table 4 Adding the domain name group of a platform

Parameter | Example Value | Description |
|---|---|---|
Domain Name Group Type | Application | Select a domain name group type. |
Group Name | Platform_A | Name of a user-defined domain name group. |
Domain Names | cfw-test.com, *.example.com | Enter a domain name or wildcard domain name. Use commas (,), line breaks, semicolons (;), or spaces to separate multiple domain names. |
Description | Allow traffic from a service to a platform. | Describe the content and application scenarios of the current domain name group. |
- Configure the following protection rules:
  - The following rule blocks all traffic and has the lowest priority.

Figure 5 Blocking all traffic

Table 5 Blocking all traffic

Parameter | Example Value | Description |
|---|---|---|
Direction | Outbound | Direction of the protected traffic. |
Source | Any | Origin of network traffic. |
Destination | Any | Receiver of network traffic. |
Service | Any | Protocol, source port, and destination port of network traffic. |
Application | Any | Protection policy for application layer protocols. |
Action | Block | Action taken when traffic passes through the firewall. |
  - The other rule allows the traffic from the EIP to the platform and has the highest priority. An example is as follows:

Figure 6 Allowing the traffic from an EIP to a platform

Table 6 Allowing the traffic from an EIP to a platform

Parameter | Example Value | Description |
|---|---|---|
Direction | Outbound | Direction of the protected traffic. |
Source | IP Address/IP address group/Countries and regions: select IP Address and enter xx.xx.xx.48 | Origin of network traffic. |
Destination | IP Address/IP address group/Countries and regions/Domain name/Domain name group: select Domain Name/Domain Name Group, then Application, Application Domain Name Group, and the group X_platform | Receiver of network traffic. |
Service | Service: retain the default values. | Protocol, source port, and destination port of network traffic. |
Application | Application: HTTP and HTTPS | Protection policy for application layer protocols. |
Action | Allow | Action taken when traffic passes through the firewall. |
The following uses SNAT as an example. If your private IP address is 10.1.1.2 and the external domain name accessible through the NAT gateway is www.example.com, you can configure NAT protection as follows. Configure other parameters as needed. For more information, see Blocking or Allowing Traffic Using Protection Rules.

Parameter | Example Value | Description |
|---|---|---|
Direction | SNAT | Direction of the protected traffic. |
Source | IP Address: 10.1.1.2 | Origin of network traffic. |
Destination | Domain Name/Domain Name Group: network domain name www.example.com | Receiver of network traffic. |
Service | Service: TCP, source port 1-65535, destination port 1-65535 | Protocol, source port, and destination port of network traffic. |
Application | Application: HTTP, HTTPS | Protection policy for application layer protocols. |
Protective Action | Allow | Action taken when traffic passes through the firewall. |
References
- For details about how to add a single rule, see Blocking or Allowing Traffic by Adding Protection Rules.
- For details about how to add multiple policies at a time, see Importing and Exporting Protection Policies.
- Follow-up operations after adding a policy:
- Check the policy hits and protection overview. For details, see Viewing Protection Information Using the Policy Assistant. For details about logs, see Access Control Logs.
- For details about the traffic trend and statistical results, see Viewing Traffic Statistics. For details about traffic records, see Traffic Logs.