Adding Protection Rules to Block or Allow Traffic
After protection is enabled, CFW allows all traffic by default. You can configure protection rules to block or allow traffic.
- Protect the traffic of public network assets at the Internet border. For details, see Adding an Internet Boundary Protection Rule.
- Protect the traffic of private network assets at the Internet border. For details, see Adding a NAT Traffic Protection Rule.
- Protect the access traffic between VPCs, or between a VPC and an IDC. For details, see Adding a VPC Border Protection Rule.
- For details about back-to-source IP addresses, see What Are Back-to-Source IP Addresses?.
- For details about how to configure the whitelist, see Adding Blacklist or Whitelist Items to Block or Allow Traffic.
Specification Limitations
Only the professional edition supports VPC border protection and NAT traffic (private IP address) protection.
Constraints
- CFW does not support application-level gateways (ALGs). An ALG can analyze the fields in application-layer payloads and dynamically adjust policies for multi-channel protocols (such as FTP and SIP) whose payloads carry port numbers and IP addresses. CFW only supports static port policies. To allow multi-channel protocol communication, you are advised to configure a rule that allows traffic from all ports.
- To use CFW persistent connections, enable a bidirectional bypass policy. If you only enable a unidirectional policy, the client will need to re-initiate connections in certain scenarios, such as enabling or disabling protection, and expanding engine capacities. You can also create a service ticket to evaluate the risks of related issues.
- Quota:
- Up to 20,000 protection rules can be added.
- The restrictions on a single protection rule are as follows:
- A maximum of 20 source IP addresses and 20 destination IP addresses can be added.
- A maximum of two source IP address groups and two destination IP address groups can be associated.
- A maximum of five service groups can be associated.
- Restrictions on domain name protection:
- Domain names in Chinese are not supported.
- A network domain name group can store up to 1000 DNS resolution results. If the number of DNS resolution results exceeds 1000, domain names may fail to be accessed. For domain names with a large number of resolution results or frequent changes, if the protected traffic is HTTP or HTTPS traffic, you are advised to use the application domain name group to add policies.
- Domain name protection depends on the DNS server you configure. The default DNS server may be unable to resolve all IP addresses of a domain name. You are advised to configure DNS resolution if the domain names of your services need to be accessed.
- Predefined address groups can be configured only for the source addresses in inbound rules (whose Direction is set to Inbound).
- If NAT64 protection is enabled and IPv6 access is used, allow traffic from the 198.19.0.0/16 CIDR block to pass through. NAT64 translates source IP addresses into the CIDR block 198.19.0.0/16 before ACL access control is applied.
Impacts on Services
When configuring a blocking rule, if address translation or proxy is involved, evaluate the impact of blocking IP addresses with caution.
Adding a Protection Rule
The procedures for adding a protection rule in each scenario are as follows.
Adding an Internet Boundary Protection Rule
- Enable EIP protection. For details, see Enabling Internet Border Traffic Protection.
- In the navigation pane, choose Access Control > Access Policies.
- Add a protection rule.
Click the Internet Boundaries tab and click Add Rule. In the displayed page, enter new protection information. For details, see Table 1.
Table 1 Internet boundary rule parameters (Parameter / Description)
Rule Type
To protect EIP traffic, select EIP. Only EIPs can be configured in this case. For details about how to configure private IP addresses, see Adding a NAT Traffic Protection Rule.
NOTE:
For the standard edition firewall, the rule type cannot be selected. Only EIP rules can be configured.
Name
Name of the custom security policy.
Direction
Select a traffic direction if you set Protection Rule to EIP protection.
- Inbound: Cloud assets (EIPs) are accessed from the Internet.
- Outbound: Cloud assets (EIPs) access the Internet.
Source
Set the party that originates a session.
- IP address: Enter EIPs. This parameter can be configured in the following formats:
- A single EIP, for example, xx.xx.10.5
- Consecutive EIPs, for example, xx.xx.0.2-xx.xx.0.10
- EIP segment, for example, xx.xx.2.0/24
- IP address group: A collection of EIPs. For details about how to add custom IP address groups, see Adding Custom IP Address Groups. For details about how to add a predefined address group, see Viewing a Predefined Address Group.
NOTE:
If Direction is set to Inbound, a predefined address group can be configured for the source address.
- Countries and regions: If Direction is set to Inbound, you can control access based on continents, countries, and regions.
- Any: any source address
Destination
Set the recipient of a session.
- IP address: Enter EIPs. This parameter can be configured in the following formats:
- A single EIP, for example, xx.xx.10.5
- Consecutive EIPs, for example, xx.xx.0.2-xx.xx.0.10
- EIP segment, for example, xx.xx.2.0/24
- IP address group: You can add multiple EIPs to an IP address group. For details about how to add a custom IP address group, see Adding a Custom IP Address Group.
- Countries and regions: If Direction is set to Outbound, you can control access based on continents, countries, and regions.
- Domain name/Domain name group: When Direction is set to Outbound, the protection of the domain name or domain name group is supported.
- Application: Supports the protection for domain names or wildcard domain names. Application-layer protocols such as HTTP and HTTPS are supported. Domain names are used for matching.
- Network: Supports protection for one or multiple domain names. Applies to network-layer protocols and supports all protocols. The resolved IP addresses are used for matching.
NOTE:
- To protect the domain names of HTTP and HTTPS applications, you can select any options.
- To protect the wildcard domain names of HTTP and HTTPS applications, select Application and then select any option from the drop-down list.
- To protect a single domain name of other application types (such as FTP, MySQL, and SMTP), select Network and select any option from the drop-down list. (If Domain name is selected, up to 600 IP addresses can be resolved.)
- To protect multiple domain names of other application types (such as FTP, MySQL, and SMTP), select Network and Network Domain Group from the drop-down list.
- If you need to configure the wildcard domain names or application domain name groups of the HTTP/HTTPS applications, and the network domain groups of other application types for the same domain name, ensure that the priority of the Network protection rule is higher than that of the Application protection rule.
- For details about application and network types, see Adding a Domain Name Group.
- For details about how to verify the policy validity after the outbound HTTP or HTTPS domain name or domain name group is configured, see How Do I Verify the Validity of an Outbound HTTP/HTTPS Domain Name Protection Rule?
- Any: any destination address
Service
- Service: Set Protocol Type, Source Port, and Destination Port.
- Protocol Type: The value can be TCP, UDP, or ICMP.
- Source/Destination Port: If Protocol Type is set to TCP or UDP, you need to set the port number.
NOTE:
- To specify all the ports of an IP address, set Port to 1-65535.
- You can specify a single port. For example, to manage access on port 22, set Port to 22.
- To set a port range, use a hyphen (-) between the starting and ending ports. For example, to manage access on ports 80 to 443, set Port to 80-443.
- Service group: A service group is a set of services (protocols, source ports, and destination ports). For details about how to add a user-defined service group, see Adding a Service Group. For details about predefined service groups, see Viewing a Predefined Service Group.
- Any: any protocol type or port number
Application
(Optional) Configure a protection policy for application-layer protocols. This parameter is mandatory when Destination is set to Domain Name/Domain Name Group.
- When Service is set to Any, all application types are supported.
- If Service is set to Service and Protocol Type is set to TCP, TCP applications, such as HTTP and HTTPS, are supported.
- If Service is set to Service and Protocol Type is set to UDP, UDP applications, such as DNS and RDP, are supported.
Protective Action
Set the action to be taken when traffic passes through the firewall.
- Allow: Traffic is forwarded.
- Block: Traffic is not forwarded.
Status
Whether a policy is enabled.
: enabled
: disabled
Priority
Priority of the rule. Its value can be:
- Pin on top: indicates that the priority of the policy is set to the highest.
- Lower than the selected rule: indicates that the policy priority is lower than a specified rule.
NOTE:
- A smaller value indicates a higher priority.
- The default priority of the first protection rule is 1. You do not need to configure its priority.
Schedule
(Optional) Click Schedule and configure when the rule is in effect. Select or add a schedule.
Allow Long Connection
If only one service is configured in the current protection rule and Protocol Type is set to TCP or UDP, you can configure the service session aging time.
- Yes: Configure the long connection duration.
- No: Retain the default durations. The default connection durations for different protocols are as follows:
- TCP: 1800s
- UDP: 60s
NOTE:
Up to 50 rules can be configured with long connections.
Long Connection Duration
This parameter is mandatory if Allow Long Connection is set to Yes.
Configure the long connection duration. Configure the hour, minute, and second.
NOTE:
The duration range is 1 second to 1000 days.
Tags
(Optional) Tags are used to identify rules. You can use tags to classify and search for security policies.
Description
(Optional) Usage and application scenario
- Click OK to complete the protection rule configuration.
Adding a VPC Border Protection Rule
- Enable VPC border firewall protection. For details, see Enabling VPC Border Traffic Protection.
- In the navigation pane, choose Access Control > Access Policies. Click the Inter-VPC Borders tab.
- Add a protection rule.
Click Add Rule. In the displayed dialog box, enter new protection information. For details, see Table 2.
Table 2 VPC border protection rule parameters (Parameter / Description)
Name
Name of the custom security policy.
Direction
You do not need to configure it for an inter-VPC protection rule.
Source
Set the party that originates a session.
- IP address: You can set a single IP address, consecutive IP addresses, or an IP address segment.
- A single IP address, for example, 192.168.10.5
- Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10
- Address segment, for example, 192.168.2.0/24
- IP address group: A collection of IP addresses. For details, see Adding an IP Address Group.
- Any: any source address
Destination
Set the recipient of a session.
- IP address: You can set a single IP address, consecutive IP addresses, or an IP address segment.
- A single IP address, for example, 192.168.10.5
- Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10
- Address segment, for example, 192.168.2.0/24
- IP address group: A collection of IP addresses. For details, see Adding an IP Address Group.
- Domain Name/Domain Name Group: Domain names or domain groups can be protected.
Application: Supports the protection for domain names or wildcard domain names. Application-layer protocols such as HTTP and HTTPS are supported. Domain names are used for matching.
- Any: any destination address
Service
Set the protocol type and port number of the access traffic.
- Service: Set Protocol Type, Source Port, and Destination Port.
- Protocol Type: The value can be TCP, UDP, or ICMP.
- Source/Destination Port: If Protocol Type is set to TCP or UDP, you need to set the port number.
NOTE:
- To specify all the ports of an IP address, set Port to 1-65535.
- You can specify a single port. For example, to manage access on port 22, set Port to 22.
- To set a port range, use a hyphen (-) between the starting and ending ports. For example, to manage access on ports 80 to 443, set Port to 80-443.
- Service group: A collection of services (protocols, source ports, and destination ports) is supported. For details about how to add a custom service group, see Adding a User-defined Service Group. For details about predefined service groups, see Viewing a Predefined Service Group.
- Any: any protocol type or port number
Application
(Optional) Configure protection policies for application-layer protocols.
- When Service is set to Any, all application types are supported.
- If Service is set to Service and Protocol Type is set to TCP, TCP applications, such as HTTP and HTTPS, are supported.
- If Service is set to Service and Protocol Type is set to UDP, UDP applications, such as DNS and RDP, are supported.
Protective Action
Set the action to be taken when traffic passes through the firewall.
- Allow: Traffic is forwarded.
- Block: Traffic is not forwarded.
Status
Whether a policy is enabled.
: enabled
: disabled
Priority
Priority of the rule. Its value can be:
- Pin on top: indicates that the priority of the policy is set to the highest.
- Lower than the selected rule: indicates that the policy priority is lower than a specified rule.
NOTE:
- A smaller value indicates a higher priority.
- The default priority of the first protection rule is 1. You do not need to configure its priority.
Schedule
(Optional) Click Schedule and configure when the rule is in effect. Select or add a schedule.
Allow Long Connection
If only one service is configured in the current protection rule and Protocol Type is set to TCP or UDP, you can configure the service session aging time.
- Yes: Configure the long connection duration.
- No: Retain the default durations. The default connection durations for different protocols are as follows:
- TCP: 1800s
- UDP: 60s
NOTE:
Up to 50 rules can be configured with long connections.
Long Connection Duration
This parameter is mandatory if Allow Long Connection is set to Yes.
Configure the long connection duration. Configure the hour, minute, and second.
NOTE:
The duration range is 1 second to 1000 days.
Tag
(Optional) Tags are used to identify rules. You can use tags to classify and search for security policies.
Description
(Optional) Usage and application scenario
- Click OK to complete the protection rule configuration.
Adding a NAT Traffic Protection Rule
- Enable VGW traffic protection. For details, see Enabling NAT Gateway Traffic Protection.
- In the navigation pane, choose Access Control > Access Policies.
- Add a protection rule.
Click Add Rule. In the displayed Add Rule page, enter the protection information.
- For details about how to set these parameters in DNAT scenarios, see Table 3.
- For details about how to set these parameters in SNAT scenarios, see Table 4.
Table 3 DNAT protection rule parameters (Parameter / Description)
Rule Type
Select NAT to protect the traffic of the NAT gateway. Private IP addresses can be configured.
NOTE:
To select NAT, ensure that:
- The professional edition firewall is used. For details about how to upgrade your edition, see Upgrading a CFW.
- The VPC border firewalls have been configured. For details, see Managing VPC Border Firewalls.
Name
Name of the custom security policy.
Direction
Select DNAT.
Source
Set the party that originates a session.
- IP address: Enter private IP addresses. You can set a single IP address, consecutive IP addresses, or an IP address segment.
- A single IP address, for example, 192.168.10.5
- Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10
- Address segment, for example, 192.168.2.0/24
- IP address group: You can add multiple private IP addresses to an IP address group. For details about how to add an IP address group, see Adding an IP Address Group.
- Countries and regions: A continent, a country, or a region
- Any: any source address
Destination
Set the recipient of a session.
- IP address: Enter private IP addresses. You can set a single IP address, consecutive IP addresses, or an IP address segment.
- A single IP address, for example, 192.168.10.5
- Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10
- Address segment, for example, 192.168.2.0/24
- IP address group: A collection of private IP addresses. For details about how to add IP address groups, see Adding an IP Address Group.
- Any: any destination address
Service
- Service: Set Protocol Type, Source Port, and Destination Port.
- Protocol Type: The value can be TCP, UDP, or ICMP.
- Source/Destination Port: If Protocol Type is set to TCP or UDP, you need to set the port number.
NOTE:
- To specify all the ports of an IP address, set Port to 1-65535.
- You can specify a single port. For example, to manage access on port 22, set Port to 22.
- To set a port range, use a hyphen (-) between the starting and ending ports. For example, to manage access on ports 80 to 443, set Port to 80-443.
- Service group: A service group is a set of services (protocols, source ports, and destination ports). For details about how to add a user-defined service group, see Adding a Service Group. For details about predefined service groups, see Viewing a Predefined Service Group.
- Any: any protocol type or port number
Application
(Optional) Configure a protection policy for application-layer protocols. This parameter is mandatory when Destination is set to Domain Name/Domain Name Group.
- When Service is set to Any, all application types are supported.
- If Service is set to Service and Protocol Type is set to TCP, TCP applications, such as HTTP and HTTPS, are supported.
- If Service is set to Service and Protocol Type is set to UDP, UDP applications, such as DNS and RDP, are supported.
Protective Action
Set the action to be taken when traffic passes through the firewall.
- Allow: Traffic is forwarded.
- Block: Traffic is not forwarded.
Status
Whether a policy is enabled.
: enabled
: disabled
Priority
Priority of the rule. Its value can be:
- Pin on top: indicates that the priority of the policy is set to the highest.
- Lower than the selected rule: indicates that the policy priority is lower than a specified rule.
NOTE:
- A smaller value indicates a higher priority.
- The default priority of the first protection rule is 1. You do not need to configure its priority.
Schedule
(Optional) Click Schedule and configure when the rule is in effect. Select or add a schedule.
Allow Long Connection
If only one service is configured in the current protection rule and Protocol Type is set to TCP or UDP, you can configure the service session aging time.
- Yes: Configure the long connection duration.
- No: Retain the default durations. The default connection durations for different protocols are as follows:
- TCP: 1800s
- UDP: 60s
NOTE:
Up to 50 rules can be configured with long connections.
Long Connection Duration
This parameter is mandatory if Allow Long Connection is set to Yes.
Configure the long connection duration. Configure the hour, minute, and second.
NOTE:
The duration range is 1 second to 1000 days.
Tags
(Optional) Tags are used to identify rules. You can use tags to classify and search for security policies.
Description
(Optional) Usage and application scenario
Table 4 SNAT protection rule parameters (Parameter / Description)
Rule Type
Select NAT to protect the traffic of the NAT gateway. Private IP addresses can be configured.
NOTE:
To select NAT, ensure that:
- The professional edition firewall is used. For details about how to upgrade your edition, see Upgrading a CFW.
- The VPC border firewalls have been configured. For details, see Managing VPC Border Firewalls.
Name
Name of the custom security policy.
Direction
Select SNAT.
Source
Set the party that originates a session.
- IP address: Enter private IP addresses. You can set a single IP address, consecutive IP addresses, or an IP address segment.
- A single IP address, for example, 192.168.10.5
- Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10
- Address segment, for example, 192.168.2.0/24
- IP address group: You can add multiple private IP addresses to an IP address group. For details about how to add an IP address group, see Adding an IP Address Group.
- Countries and regions: A continent, a country, or a region
- Any: any source address
Destination
Set the recipient of a session.
- IP address: Enter private IP addresses. You can set a single IP address, consecutive IP addresses, or an IP address segment.
- A single IP address, for example, 192.168.10.5
- Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10
- Address segment, for example, 192.168.2.0/24
- IP address group: You can add multiple private IP addresses to an IP address group. For details about how to add an IP address group, see Adding a Custom IP Address Group.
- Countries and regions: A continent, a country, or a region
- Domain Name/Domain Name Group: When Direction is set to Outbound, the protection of a domain name or domain name group is supported.
- Application: Supports the protection for domain names or wildcard domain names. Application-layer protocols such as HTTP and HTTPS are supported. Domain names are used for matching.
- Network: Supports protection for one or multiple domain names. Applies to network-layer protocols and supports all protocols. The resolved IP addresses are used for matching.
NOTE:
- To protect the domain names of HTTP and HTTPS applications, you can select any options.
- To protect the wildcard domain names of HTTP and HTTPS applications, select Application and then select any option from the drop-down list.
- To protect a single domain name of other application types (such as FTP, MySQL, and SMTP), select Network and select any option from the drop-down list. (If Domain name is selected, up to 600 IP addresses can be resolved.)
- If you need to configure the wildcard domain names or application domain name groups of the HTTP/HTTPS applications, and the network domain groups of other application types for the same domain name, ensure that the priority of the Network protection rule is higher than that of the Application protection rule.
- For details about application and network types, see Adding a Domain Name Group.
- Any: any destination address
Service
- Service: Set Protocol Type, Source Port, and Destination Port.
- Protocol Type: The value can be TCP, UDP, or ICMP.
- Source/Destination Port: If Protocol Type is set to TCP or UDP, you need to set the port number.
NOTE:
- To specify all the ports of an IP address, set Port to 1-65535.
- You can specify a single port. For example, to manage access on port 22, set Port to 22.
- To set a port range, use a hyphen (-) between the starting and ending ports. For example, to manage access on ports 80 to 443, set Port to 80-443.
- Service group: A service group is a set of services (protocols, source ports, and destination ports). For details about how to add a user-defined service group, see Adding a Service Group. For details about predefined service groups, see Viewing a Predefined Service Group.
- Any: any protocol type or port number
Application
(Optional) Configure a protection policy for application-layer protocols. This parameter is mandatory when Destination is set to Domain Name/Domain Name Group.
- When Service is set to Any, all application types are supported.
- If Service is set to Service and Protocol Type is set to TCP, TCP applications, such as HTTP and HTTPS, are supported.
- If Service is set to Service and Protocol Type is set to UDP, UDP applications, such as DNS and RDP, are supported.
Protective Action
Set the action to be taken when traffic passes through the firewall.
- Allow: Traffic is forwarded.
- Block: Traffic is not forwarded.
Status
Whether a policy is enabled.
: enabled
: disabled
Priority
Priority of the rule. Its value can be:
- Pin on top: indicates that the priority of the policy is set to the highest.
- Lower than the selected rule: indicates that the policy priority is lower than a specified rule.
NOTE:
- A smaller value indicates a higher priority.
- The default priority of the first protection rule is 1. You do not need to configure its priority.
Schedule
(Optional) Click Schedule and configure when the rule is in effect. Select or add a schedule.
Allow Long Connection
If only one service is configured in the current protection rule and Protocol Type is set to TCP or UDP, you can configure the service session aging time.
- Yes: Configure the long connection duration.
- No: Retain the default durations. The default connection durations for different protocols are as follows:
- TCP: 1800s
- UDP: 60s
NOTE:
Up to 50 rules can be configured with long connections.
Long Connection Duration
This parameter is mandatory if Allow Long Connection is set to Yes.
Configure the long connection duration. Configure the hour, minute, and second.
NOTE:
The duration range is 1 second to 1000 days.
Tags
(Optional) Tags are used to identify rules. You can use tags to classify and search for security policies.
Description
(Optional) Usage and application scenario
- Click OK to complete the protection rule configuration.
NOTE:
The default action of the access control policy is Allow.
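The following is an added example, not CFW's own matching engine or any CFW API: a small Python model of how the rule fields in Tables 1 to 4 combine when traffic is evaluated. It parses the address formats the rule form accepts (single IP, consecutive range, CIDR segment, Any), the port formats from the Service notes (single port, hyphenated range, 1-65535, Any), skips disabled rules, applies rules in priority order (smaller value first), and falls back to the default Allow when nothing matches. The sample rule set and flows are constructed; the EIP and client addresses use documentation ranges (203.0.113.0/24, 198.51.100.0/24), and the 198.19.0.0/16 allow rule mirrors the NAT64 constraint stated above. Use it to sanity-check a planned rule order before entering it in the console, for example to confirm that a broad Block rule really sits below the narrow Allow rules it is meant to except.

```python
"""Constructed model of CFW protection-rule evaluation (added example, not CFW's engine)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A matched range is (ip_version, low, high) as integers; None means "Any".
AddrRange = Optional[Tuple[int, int, int]]
PortRange = Optional[Tuple[int, int]]


def parse_addresses(spec: str) -> AddrRange:
    """Accept the formats from the rule form: single IP, a-b range, CIDR segment, or Any."""
    spec = spec.strip()
    if spec.lower() == "any":
        return None
    if "/" in spec:                                   # address segment, e.g. 192.168.2.0/24
        net = ipaddress.ip_network(spec, strict=False)
        return net.version, int(net.network_address), int(net.broadcast_address)
    if "-" in spec:                                   # consecutive addresses, e.g. 192.168.0.2-192.168.0.10
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if lo.version != hi.version or int(hi) < int(lo):
            raise ValueError(f"invalid address range: {spec}")
        return lo.version, int(lo), int(hi)
    ip = ipaddress.ip_address(spec)                   # single address
    return ip.version, int(ip), int(ip)


def parse_ports(spec: str) -> PortRange:
    """Accept a single port ('22'), a hyphenated range ('80-443', '1-65535'), or Any."""
    spec = spec.strip()
    if spec.lower() == "any":
        return None
    lo, _, hi = spec.partition("-")
    lo_i = int(lo)
    hi_i = int(hi) if hi else lo_i
    if not 1 <= lo_i <= hi_i <= 65535:
        raise ValueError(f"port specification out of range: {spec}")
    return lo_i, hi_i


@dataclass
class Rule:
    name: str
    direction: str            # "Inbound" or "Outbound"
    source: str
    destination: str
    protocol: str = "Any"     # TCP, UDP, ICMP or Any
    src_port: str = "Any"
    dst_port: str = "Any"
    action: str = "Allow"     # Allow or Block
    priority: int = 1         # smaller value = higher priority, as in the Priority note
    enabled: bool = True      # Status toggle


@dataclass
class Flow:
    direction: str
    src_ip: str
    dst_ip: str
    protocol: str
    src_port: int = 0
    dst_port: int = 0


def _addr_in(rng: AddrRange, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return rng is None or (rng[0] == addr.version and rng[1] <= int(addr) <= rng[2])


def _port_in(rng: PortRange, port: int) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """Every configured field must match; ports are only compared for TCP/UDP."""
    if rule.direction != flow.direction:
        return False
    if rule.protocol != "Any" and rule.protocol != flow.protocol:
        return False
    if not _addr_in(parse_addresses(rule.source), flow.src_ip):
        return False
    if not _addr_in(parse_addresses(rule.destination), flow.dst_ip):
        return False
    if flow.protocol in ("TCP", "UDP"):
        if not _port_in(parse_ports(rule.src_port), flow.src_port):
            return False
        if not _port_in(parse_ports(rule.dst_port), flow.dst_port):
            return False
    return True


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, Optional[str]]:
    """First enabled rule in priority order wins; with no match the default action is Allow."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.enabled and rule_matches(rule, flow):
            return rule.action, rule.name
    return "Allow", None


# Constructed sample rule set; deliberately listed out of priority order.
SAMPLE_RULES = [
    Rule("block-all-inbound", "Inbound", "Any", "203.0.113.0/24", action="Block", priority=30),
    Rule("allow-https", "Inbound", "Any", "203.0.113.10", "TCP", "Any", "443", "Allow", 20),
    Rule("allow-nat64", "Inbound", "198.19.0.0/16", "Any", priority=10),
    Rule("allow-ssh-from-office", "Inbound", "198.51.100.2-198.51.100.10",
         "203.0.113.10", "TCP", "Any", "22", "Allow", 15),
    Rule("old-block-everything", "Inbound", "Any", "Any", action="Block", priority=1, enabled=False),
]

if __name__ == "__main__":
    for f in (Flow("Inbound", "198.51.100.77", "203.0.113.10", "TCP", 51000, 443),
              Flow("Inbound", "198.51.100.77", "203.0.113.10", "TCP", 51000, 22),
              Flow("Outbound", "203.0.113.10", "192.0.2.53", "UDP", 40000, 53)):
        print(f, "->", evaluate(SAMPLE_RULES, f))
```

The disabled rule with priority 1 shows why Status matters as much as Priority: it would otherwise shadow every other inbound rule. The outbound DNS flow hits no rule and is allowed by the default action, which is the behaviour the NOTE above describes.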
Follow-up Operations
- Policy hits: For details about the protection overview, see Viewing Protection Information Using the Policy Assistant. For details about logs, see Access Control Logs.
- For details about the traffic trend and statistics, see Viewing Traffic Statistics. For details about traffic records, see Traffic Logs.
Related Operations
For details about how to add protection rules in batches, see Importing and Exporting Protection Policies.