Help Center/ Cloud Firewall/ User Guide/ Access Control/ Configuring Internet Border Protection Rules/ Configuring Protection Rules to Block or Allow Internet Border Traffic
Updated on 2026-05-09 GMT+08:00
View PDF
Share

Configuring Protection Rules to Block or Allow Internet Border Traffic

After protection is enabled, CFW allows all traffic by default. You can configure protection rules to block or allow traffic.

Protection Rule Description

The protected objects, actions, and application scenarios of protection rules are as follows.

Name

Description

Protected object
  • 5-tuples
  • IP address groups
  • Geographical locations
  • Domain names and domain name groups (layer-4 and layer-7 traffic)
  • Applications

Network type
  • EIP
  • Private IP address

Action
  • If Block is selected, traffic will be blocked.
  • If Allow is selected, traffic will be allowed by protection rules and then checked by IPS.

Scenario
You can configure protection rules in the following scenarios:
CAUTION:

If your IP address is a back-to-source WAF IP address, you are advised to configure a protection rule or the whitelist to allow its access. Exercise caution when configuring a protection rule to block access, which may affect your services.

Constraints

Type

Description

Quota limit
  • A maximum of 20,000 protection policies (protection rules and blacklist/whitelist rules) can be added to a firewall instance.
  • The restrictions on a single protection rule are as follows:
    • For IPv4, up to 4,000 source and 4,000 destination IP addresses are allowed. For IPv6, up to 2,000 source and 2,000 destination IP addresses are allowed.
    • A maximum of 20 source IP addresses and 20 destination IP addresses can be added.
    • A maximum of 10 source IP address groups and 10 destination IP address groups can be associated.
    • A maximum of 10 services can be added.
    • A maximum of 10 service groups can be associated.
    • Up to 10 application domain names can be added to each protection rule.
    • Up to 8 application domain name groups can be associated with each protection rule.
    • Up to three network domain names can be added to each protection rule.
    • Only one network domain name group can be associated with each protection rule.

Restrictions on domain name protection
  • Domain names in Chinese are not supported.
  • Restrictions on application-layer domain name reference:
    • Each firewall instance can reference up to 60,000 domain names.
    • Each firewall instance can reference up to 1,000 wildcard domain names.
    • Each protection rule can reference up to 20,000 domain names.
    • Each protection rule can reference up to 128 wildcard domain names.

    Calculation: If both rule A and rule B of a firewall reference domain name 1 and domain name group A (containing domain names 2 and 3), then the number of domain names referenced by rule A or rule B is 3, and the number of domain names referenced by the firewall instance is 6.

  • A network domain name group can resolve up to 4,000 IP addresses (depending on the numbers of IP addresses and IP address groups). Each domain name can have a maximum of 1,000 resolution results. If the number of DNS resolution results exceeds this number, domain names may fail to be accessed. For domain names with a large number of resolution results or frequent changes, to protect HTTP or HTTPS traffic, you are advised to use the application domain name group to add policies.

    The total quota available for a network domain name group is calculated as follows: Assume we have a protection rule that has 10 IP addresses and references an IP address group (A) and a network domain name group (B). The IP address group A contains five IP addresses, and the network domain name group B contains 15 domain names. In this case, the total quota available for the network domain name group B = 4,000 (total quota) – 10 (number of IP addresses) – 5 (number of IP address group members) = 3,985.

  • Domain name protection depends on the DNS server you configure. The default DNS server may be unable to resolve complete IP addresses. You are advised to configure DNS resolution if the domain names of your services need to be accessed.

Restrictions on regions

A protection rule with its source or destination set to a region (geographical location) takes effect only for IPv4 protected objects.

Restrictions on the use of predefined address groups

Predefined address groups can be configured only for the source addresses in inbound rules (whose Direction is set to Inbound).

Other restrictions
  • CFW does not support application-level gateways (ALGs). If ALG-related services (such as SIP and FTP) are available, you are advised to add a rule to allow the traffic to pass through all the ports of data channels (that is, set Service to Any and Protection Action to Allow).
  • To use CFW persistent connections, enable a bidirectional bypass policy. If you only enable a unidirectional policy, the client will need to re-initiate connections in certain scenarios, such as enabling or disabling protection, and expanding engine capacity. You can also create a service ticket to evaluate the risks of related issues.
  • If NAT 64 protection is enabled and IPv6 access is used, allow traffic from the 198.19.0.0/16 CIDR block to pass through. NAT64 will translate source IP addresses into the CIDR block 198.19.0.0/16 for ACL access control.

Impacts on Services

When configuring a blocking rule, if address translation or proxy is involved, evaluate the impact of blocking IP addresses with caution.

Adding an Internet Border Protection Rule

The procedures for adding a protection rule in scenarios are as follows.

  1. Enable EIP protection. For details, see Enabling Internet Border Traffic Protection.
  2. (Optional) To add multiple IP addresses and services (protocols, source ports, and destination ports), add their groups first.

  3. In the navigation pane on the left of the CFW console, choose Access Control > Internet Border Protection Rules.
  4. Add a protection rule.

    On the Protection Rules > EIP tab, click Add Rule. Configure protection parameters. For details, see Table 1.

    You can configure one or more types for a rule, but only the following type combinations are allowed:
    • IP address and IP address group
    • IP address, IP address group, and network domain name
    • IP address, IP address group, and network domain name group
    • Application domain name and application domain name group
    • Service and service group
    Table 1 Internet boundary rule parameters (inbound direction)

    Parameter

    Description

    IP Type

    IP type of the security policy.

    Name
    Name of a custom protection rule. It must meet the following requirements:
    • It can contain 1 to 255 characters.
    • The name can contain only letters, numbers, underscores (_), and hyphens (-).

    Direction
    Traffic direction of the protection rule. Select Inbound.
    • Inbound: Cloud assets (EIPs) are accessed from the Internet.
    • Outbound: Cloud assets (EIPs) access the Internet.

    Source
    Set the party that initiates a session.
    • IP Address/IP address group/Countries and regions:
      • IP address: Enter EIPs. This parameter can be configured in the following formats:
        • A single EIP, for example, xx.xx.10.5
        • Consecutive EIPs, for example, xx.xx.0.2-xx.xx.0.10
        • EIP segment, for example, xx.xx.2.0/24
        • Multiple inconsecutive IP addresses can be added one by one.
      • IP address group. You can configure multiple EIPs.

        If Direction is set to Inbound, a predefined address group can be configured as the source address.

        For details about how to add a user-defined IP address group, see Adding an IP Address Group. For details about how to view a predefined IP address group, see Viewing a Predefined Address Group.

      • Countries and regions: If Direction is set to Inbound, you can control access based on continents, countries, and regions.
    • Any: any source address

    Destination
    Set the recipient of a session.
    • IP Address/IP address group:
      • IP address: Enter EIPs. This parameter can be configured in the following formats:
        • A single EIP, for example, xx.xx.10.5
        • Consecutive EIPs, for example, xx.xx.0.2-xx.xx.0.10
        • EIP segment, for example, xx.xx.2.0/24
        • Multiple inconsecutive IP addresses can be added one by one.
    • Any: any destination address

    Service
    • Service/Service group:
      • Service: Set Protocol, Source Port, and Destination Port.
        • Protocol: The value can be TCP, UDP, or ICMP.
        • Source/Destination Port: If Protocol is set to TCP or UDP, you need to set the port number.

          To specify all the ports of an IP address, set Port to 1-65535.

          You can specify a single port. For example, to manage access on port 22, set Port to 22.

          To set a port range, use a hyphen (-) between the starting and ending ports. For example, to manage access on ports 80 to 443, set Port to 80-443.

      • Service group: A collection of services (protocols, source ports, and destination ports).

        For details about how to add a custom service group, see Adding a Service Group. For details about predefined service groups, see Viewing a Predefined Service Group.

    • Any: any protocol type or port number

    Application
    (Optional) Configure protection rules for application-layer protocols.
    • When Service is set to Any, all application types are supported.
    • If Service is set to Service and Protocol is set to TCP, TCP applications, such as HTTP and HTTPS, are supported.
    • If Service is set to Service and Protocol is set to UDP, UDP applications, such as DNS and RDP, are supported.

    Select an application-layer protocol based on the value of Protocol under Service. If no protocol is selected, this parameter is set to Any by default.

    Protection Action
    Set the action to be taken when traffic passes through the firewall.
    • Allow: Traffic is forwarded.
    • Block: Traffic is not forwarded.

    Status
    Whether a protection rule is applied immediately.
    • : The policy takes effect immediately after being configured.
    • : The policy is disabled.

    Priority
    Set the priority of the rule. If multiple security policies are configured, the security policies will be matched based on their priorities. Once traffic matches a security policy, it will not be checked against others. Assign priorities carefully. Specific policies should take precedence over general ones.
    • Pin on top: indicates that the priority of the policy is set to the highest.
    • Lower than the selected rule: indicates that the policy priority is lower than a specified rule.

    A smaller value indicates a higher priority.

    The default priority of the first protection rule is 1. You do not need to configure its priority.

    Schedule Management

    (Optional) Click Schedule Management to configure when the rule will be applied. Select a schedule or click Add Schedule to add one. For details, see Adding a Schedule.

    Allow Long Connection

    If only one service is configured in the current protection rule and Protocol is set to TCP or UDP, you can configure the service session aging time (unit: second).

    Up to 50 rules can be configured with persistent connections.
    • Yes: Configure the persistent connection duration.
    • No: Retain the default durations. The default connection durations for different protocols are as follows:
      • TCP: 1800s
      • UDP: 60s

    Long Connection Duration

    If Allow Long Connection is set to Yes, you need to set the persistent connection duration and set hour, minute, and second.

    The duration range is 1 second to 1,000 days.

    Tags

    (Optional) Tags are used to identify rules. You can use tags to classify and search for protection rules.

    Description

    (Optional) Usage and application scenario

  5. Click OK to complete the protection rule configuration.

    After a protection rule is configured and enabled, it takes effect immediately.

  1. Enable EIP protection. For details, see Enabling Internet Border Traffic Protection.
  2. (Optional) To add multiple IP addresses, domain names, and services (protocols, source ports, and destination ports), add their groups first.

  3. In the navigation pane on the left of the CFW console, choose Access Control > Internet Border Protection Rules.
  4. Add a protection rule.

    On the EIP tab, click Add Rule. In the displayed dialog box, configure parameters. For details, see Table 2.

    You can configure one or more types for a rule, but only the following type combinations are allowed:
    • IP address and IP address group
    • IP address, IP address group, and network domain name
    • IP address, IP address group, and network domain name group
    • Application domain name and application domain name group
    • Service and service group
    Table 2 Internet boundary rule parameters (outbound direction)

    Parameter

    Description

    IP Type

    IP type of the security policy.

    Name

    Name of a custom protection rule. It must meet the following requirements:

    • It can contain 1 to 255 characters.
    • The name can contain only letters, numbers, underscores (_), and hyphens (-).

    Direction
    Traffic direction of the protection rule. Select Outbound.
    • Inbound: Cloud assets (EIPs) are accessed from the Internet.
    • Outbound: Cloud assets (EIPs) access the Internet.

    Source
    Set the party that initiates a session.
    • IP Address/IP address group:
      • IP address: Enter EIPs. This parameter can be configured in the following formats:
        • A single EIP, for example, xx.xx.10.5
        • Consecutive EIPs, for example, xx.xx.0.2-xx.xx.0.10
        • EIP segment, for example, xx.xx.2.0/24
        • Multiple inconsecutive IP addresses can be added one by one.
    • Any: any source address

    Destination
    Set the recipient of a session.
    • IP Address/IP address group/Countries and regions/Domain name/Domain name group:
      • IP address: Enter EIPs. This parameter can be configured in the following formats:
        • A single EIP, for example, xx.xx.10.5
        • Consecutive EIPs, for example, xx.xx.0.2-xx.xx.0.10
        • EIP segment, for example, xx.xx.2.0/24
        • Multiple inconsecutive IP addresses can be added one by one.
      • IP address group. You can configure multiple EIPs.

        For details about how to add a custom IP address group, see Adding a User-defined IP Address Group.

      • Countries and regions: A continent, a country, or a region
      • Domain name/Domain name group: Domain names or domain groups can be protected.
        • Application Domain Name/Application Domain Name Group: One or multiple domain names or wildcard domain names can be protected. The setting applies to application-layer protocols, including HTTP, HTTPS, TLS1, SMTPS, and POP3S. Domain names are used for matching.
        • Network Domain Name/Network Domain Name Group: One or multiple domain names. Applies to network-layer protocols and supports all protocols. The resolved IP addresses are used for matching.
        NOTE:
        • To protect the domain names of HTTP, HTTPS, TLS1, SMTPS, and POP3S applications, you can select any options.
        • To protect the wildcard domain names of HTTP, HTTPS, TLS1, SMTPS, or POP3S, you select any option under Application. (A wildcard domain name is in the format of *.Domain name. The wildcard character * matches any character or string. For example, *.example.com.)
        • To protect a single domain name of other application types (such as FTP, MySQL, and SMTP), select Network and select any option from the drop-down list. (If Domain name is selected, up to 600 IP addresses can be resolved.)
        • To protect multiple domain names of other application types (such as FTP, MySQL, and SMTP), select Network and Network Domain Name Group from the drop-down list.
        • If you need to configure the wildcard domain names or application domain name groups of the HTTP, HTTPS, TLS1, SMTPS, and POP3S applications, and the network domain groups of other application types for the same domain name, ensure that the priority of the Network protection rule is higher than that of the Application protection rule.
        • For details about application- and network-type domain names, see Managing Domain Name Groups.
        • For details about how to verify the policy validity after the outbound HTTP or HTTPS domain name or domain name group is configured, see How Do I Verify the Validity of an Outbound HTTP/HTTPS Domain Name Protection Rule?
    • Any: any destination address

    Service
    • Service/Service group:
      • Service: Set Protocol, Source Port, and Destination Port.
        • Protocol: The value can be TCP, UDP, or ICMP.
        • Source/Destination Port: If Protocol is set to TCP or UDP, you need to set the port number.

          To specify all the ports of an IP address, set Port to 1-65535.

          You can specify a single port. For example, to manage access on port 22, set Port to 22.

          To set a port range, use a hyphen (-) between the starting and ending ports. For example, to manage access on ports 80 to 443, set Port to 80-443.

      • Service group: A collection of services (protocols, source ports, and destination ports).

        For details about how to add a custom service group, see Adding a Service Group. For details about predefined service groups, see Viewing a Predefined Service Group.

    • Any: any protocol type or port number

    Application
    (Optional) Configure a protection rule for application-layer protocols. This parameter is mandatory when Destination is set to Domain Name/domain Group.
    • When Service is set to Any, all application types are supported.
    • If Service is set to Service and Protocol is set to TCP, TCP applications, such as HTTP and HTTPS, are supported.
    • If Service is set to Service and Protocol is set to UDP, UDP applications, such as DNS and RDP, are supported.

    Select an application-layer protocol based on the value of Protocol under Service. If no protocol is selected, this parameter is set to Any by default.

    Protection Action
    Set the action to be taken when traffic passes through the firewall.
    • Allow: Traffic is forwarded.
    • Block: Traffic is not forwarded.

    Status
    Whether a protection rule is applied immediately.
    • : The policy takes effect immediately after being configured.
    • : The policy is disabled.

    Priority
    Set the priority of the rule. If multiple security policies are configured, the security policies will be matched based on their priorities. Once traffic matches a security policy, it will not be checked against others. Assign priorities carefully. Specific policies should take precedence over general ones.
    • Pin on top: indicates that the priority of the policy is set to the highest.
    • Lower than the selected rule: indicates that the policy priority is lower than a specified rule.

    A smaller value indicates a higher priority.

    The default priority of the first protection rule is 1. You do not need to configure its priority.

    Schedule Management

    (Optional) Click Schedule Management to configure when the rule will be applied. Select a schedule or click Add Schedule to add one. For details, see Adding a Schedule.

    Allow Long Connection

    If only one service is configured in the current protection rule and Protocol is set to TCP or UDP, you can configure the service session aging time (unit: second).

    Long Connection Duration

    If Allow Long Connection is set to Yes, you need to set the persistent connection duration and set hour, minute, and second.

    Tags

    (Optional) Tags are used to identify rules. You can use tags to classify and search for protection rules.

    Description

    (Optional) Usage and application scenario

  5. Click OK to complete the protection rule configuration.

    After a protection rule is configured and enabled, it takes effect immediately.

Viewing Protection Rule Hits

After your services run for a period of time, you can view the number of rule hits in the Hits column of the protection rule list.

You can click a number in the Hits column to go to the Access Control Logs tab page and view log details. For details, see Querying Logs.

Figure 1 Viewing logs

Follow-up Operations

Checking protection outcomes: After your services run for a period of time, you can check the protection rule hits and adjust them in time.

Related Operations/Documents

After adding a protection rule, you can edit, delete, and adjust the priority of the rule in the rule list.

Parent Topic: Configuring Internet Border Protection Rules