Updated on 2024-07-05 GMT+08:00

Adding a Protection Rule

Access control policies can help you manage and control the traffic between servers and external networks in a refined manner, prevent the spread of internal threats, and enhance the depth of security strategies.

After EIP protection is enabled, the default status of the access control policy is Allow. If you want to allow only several EIPs, you are advised to add a protection rule with the lowest priority to block all traffic.

  • CFW does not support ALG. If an ALG rule is used, configure it to allow traffic from all ports.
  • Domain name protection depends on the DNS server you configure. The default DNS server may be unable to resolve all IP addresses of a domain name. You are advised to configure DNS resolution if the domain names of your services need to be accessed.
  • To use CFW persistent connections, enable a bidirectional bypass policy. If you only enable a unidirectional policy, the client will need to re-initiate connections in certain scenarios, such as enabling or disabling protection, and expanding engine capacities. You can also create a service ticket to evaluate the risks of related issues.
  • If your IP address is a back-to-source WAF IP address, you are advised to configure a protection rule or the whitelist to allow its access. Exercise caution when configuring a protection rule to block access, which may affect your services.

Prerequisites

You have synchronized assets and enabled EIP protection. See Enabling EIP Protection.

Specification Limitations

To enable VPC border protection and NAT protection, use the professional edition of CFW and enable the VPC firewall protection.

Constraints

  • GEIPs cannot be protected by traffic diversion.
  • Up to 20,000 protection rules can be added.
  • A single protection rule can be associated with a maximum of five service groups.
  • Each protection rule can be associated with up to two IP address groups.
  • Up to 20 source/destination IP addresses can be added to a protection rule.
  • Domain names in Chinese are not supported.
  • Predefined address groups can be configured only for the source addresses in inbound rules (whose Direction is set to Inbound).
  • If NAT64 protection is enabled and IPv6 access is used, allow traffic from the 198.19.0.0/16 CIDR block to pass through. NAT64 translates source IP addresses into the CIDR block 198.19.0.0/16 for ACL access control.

Adding an Internet Boundary Protection Rule

  1. Log in to the management console.
  2. Click the icon in the upper left corner of the management console and select a region or project.
  3. In the navigation pane on the left, click the icon and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
  4. (Optional) Switch firewall instance: Select a firewall from the drop-down list in the upper left corner of the page.
  5. In the navigation pane, choose Access Control > Access Policies.
  6. Add a protection rule.

    Click Add Rule. In the displayed page, enter new protection information. For details, see Table 1.
    Table 1 Internet boundary rule parameters

    Parameter

    Description

    Rule Type

    To protect EIP traffic, select EIP. Only EIPs can be configured in this case. For details about how to configure private IP addresses, see Configuration Example - NAT Protection.

    NOTE:
    • Only the professional edition supports the configuration of rule types.

    Name

    Name of the custom security policy.

    Direction

    Select a traffic direction if the protection rule is set to EIP.
    • Inbound: Cloud assets (EIPs) are accessed from the Internet.
    • Outbound: Cloud assets (EIPs) access the Internet.

    Source

    Source address of access traffic.
    • IP address can be configured in the following formats:
      • A single IP address, for example, 192.168.10.5
      • Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10
      • Address segment, for example, 192.168.2.0/24
    • IP address group: A collection of IP addresses. For details about how to add custom IP address groups, see Adding Custom IP Address Groups. For details about how to add a predefined address group, see Viewing a Predefined Address Group.
      NOTE:

      If Direction is set to Inbound, a predefined address group can be configured for the source address.

    • Countries and regions: If Direction is set to Inbound, you can control access based on continents, regions, and countries.
    • Any: any source address

    Destination

    Destination address of access traffic.
    • IP address: You can set a single IP address, consecutive IP addresses, or an IP address segment.
      • A single IP address, for example, 192.168.10.5
      • Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10
      • Address segment, for example, 192.168.2.0/24
    • IP address group: A collection of IP addresses. For details about how to add custom IP address groups, see Adding an IP Address Group.
    • Countries and regions: If Direction is set to Outbound, you can control access based on continents, regions, and countries.
    • Domain name/Domain name group: When Direction is set to Outbound, the protection of the domain name or domain name group is supported.
      • Application: Supports the protection for domain names or wildcard domain names. Application-layer protocols such as HTTP and HTTPS are supported. Domain names are used for matching.
      • Network: Supports protection for one or multiple domain names. Applies to network-layer protocols and supports all protocols. The resolved IP addresses are used for matching.
      NOTE:
      • To protect the domain names of HTTP and HTTPS applications, you can select any option.
      • To protect the wildcard domain names of HTTP and HTTPS applications, select Application and then select any option from the drop-down list.
      • To protect a single domain name of other application types (such as FTP, MySQL, and SMTP), select Network and select any option from the drop-down list. (If Application Domain Name Group is selected, up to 600 IP addresses can be resolved.)
      • To protect multiple domain names of other application types (such as FTP, MySQL, and SMTP), select Network and Network Domain Group from the drop-down list.
      • If you need to configure the wildcard domain names or application domain name groups of the HTTP/HTTPS applications, and the network domain groups of other application types for the same domain name, ensure that the priority of the Network protection rule is higher than that of the Application protection rule.
      • For details about application and network types, see Adding a Domain Name Group.
    • Any: any destination address

    Service

    • Service: Set Protocol Type, Source Port, and Destination Port.
      • Protocol Type: The value can be TCP, UDP, or ICMP.
      • Source/Destination Port: If Protocol Type is set to TCP or UDP, you need to set the port number.
      NOTE:
      • To specify all the ports of an IP address, set Port to 1-65535.
      • You can specify a single port. For example, to manage access on port 22, set Port to 22.
      • To set a port range, use a hyphen (-) between the starting and ending ports. For example, to manage access on ports 80 to 443, set Port to 80-443.
    • Service group: A collection of services (protocols, source ports, and destination ports) is supported. For details about how to add a custom service group, see Adding a Service Group. For details about a pre-defined service group, see Viewing a Predefined Service Group.
    • Any: any protocol type or port number

    Action

    Set the action to be taken when traffic passes through the firewall.

    • Allow: Traffic is forwarded.
    • Block: Traffic is not forwarded.

    Schedule

    (Optional) Click Schedule and configure when the rule is in effect. Select or add a schedule.

    Allow Long Connection

    If only one service is configured in the current protection rule and Protocol Type is set to TCP or UDP, you can configure the service session aging time.
    • Yes: Configure the long connection duration.
    • No: Retain the default durations. The default connection durations for different protocols are as follows:
      • TCP: 1800s
      • UDP: 60s
    NOTE:

    Up to 50 rules can be configured with long connections.

    Long Connection Duration

    This parameter is mandatory if Allow Long Connection is set to Yes.

    Configure the long connection duration. Configure the hour, minute, and second.

    NOTE:

    The duration range is 1 second to 1000 days.

    Tags

    (Optional) Tags are used to identify rules. You can use tags to classify and search for security policies.

    Priority

    Priority of the rule. Its value can be:

    • Pin on top: indicates that the priority of the policy is set to the highest.
    • Lower than the selected rule: indicates that the policy priority is lower than a specified rule.

    Status

    Whether a policy is enabled.

    Toggle on: enabled

    Toggle off: disabled

    Description

    (Optional) Usage and application scenario

  7. Click OK to complete the protection rule configuration.

    After EIP protection is enabled, the default status of the access control policy is Allow. If you want to allow only several EIPs, you are advised to add a protection rule with the lowest priority to block all traffic.

Adding a VPC Border Protection Rule

  1. Log in to the management console.
  2. Click the icon in the upper left corner of the management console and select a region or project.
  3. In the navigation pane on the left, click the icon and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
  4. (Optional) Switch firewall instance: Select a firewall from the drop-down list in the upper left corner of the page.
  5. In the navigation pane, choose Access Control > Access Policies. Click the Inter-VPC Borders tab.
  6. Add a protection rule.

    Click Add Rule. In the displayed dialog box, enter new protection information. For details, see Table 2.
    Table 2 VPC border protection rule parameters

    Parameter

    Description

    Name

    Name of the custom security policy.

    Source

    Source address of access traffic.
    • IP address: You can set a single IP address, consecutive IP addresses, or an IP address segment.
      • A single IP address, for example, 192.168.10.5
      • Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10
      • Address segment, for example, 192.168.2.0/24
    • IP address group: A collection of IP addresses. For details, see Adding an IP Address Group.
    • Any: any source address

    Destination

    Destination address of access traffic.
    • IP address: You can set a single IP address, consecutive IP addresses, or an IP address segment.
      • A single IP address, for example, 192.168.10.5
      • Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10
      • Address segment, for example, 192.168.2.0/24

    Service

    Set the protocol type and port number of the access traffic.
    • Service: Set Protocol Type, Source Port, and Destination Port.
      • Protocol Type: The value can be TCP, UDP, or ICMP.
      • Source/Destination Port: If Protocol Type is set to TCP or UDP, you need to set the port number.
      NOTE:
      • To specify all the ports of an IP address, set Port to 1-65535.
      • You can specify a single port. For example, to manage access on port 22, set Port to 22.
      • To set a port range, use a hyphen (-) between the starting and ending ports. For example, to manage access on ports 80 to 443, set Port to 80-443.
    • Service group: A collection of services (protocols, source ports, and destination ports) is supported. For details about how to add a custom service group, see Adding a Custom Service Group. For details about predefined service groups, see Viewing a Predefined Service Group.
    • Any: any protocol type or port number

    Action

    Set the action to be taken when traffic passes through the firewall.

    • Allow: Traffic is forwarded.
    • Block: Traffic is not forwarded.

    Schedule

    (Optional) Click Schedule and configure when the rule is in effect. Select or add a schedule.

    Allow Long Connection

    If only one service is configured in the current protection rule and Protocol Type is set to TCP or UDP, you can configure the service session aging time.
    • Yes: Configure the long connection duration.
    • No: Retain the default durations. The default connection durations for different protocols are as follows:
      • TCP: 1800s
      • UDP: 60s
    NOTE:

    Up to 50 rules can be configured with long connections.

    Long Connection Duration

    This parameter is mandatory if Allow Long Connection is set to Yes.

    Configure the long connection duration. Configure the hour, minute, and second.

    NOTE:

    The duration range is 1 second to 1000 days.

    Tag

    (Optional) Tags are used to identify rules. You can use tags to classify and search for security policies.

    Priority

    Priority of the rule. Its value can be:

    • Pin on top: indicates that the priority of the policy is set to the highest.
    • Lower than the selected rule: indicates that the policy priority is lower than a specified rule.
      NOTE:

      A smaller value indicates a higher priority.

    Status

    Whether a policy is enabled.

    Toggle on: enabled

    Toggle off: disabled

    Description

    (Optional) Usage and application scenario

  7. Click OK to complete the protection rule configuration.

    The default action of the access control policy is Allow.

Adding a NAT Traffic Protection Rule

  1. Log in to the management console.
  2. Click the icon in the upper left corner of the management console and select a region or project.
  3. In the navigation pane on the left, click the icon and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
  4. (Optional) Switch firewall instance: Select a firewall from the drop-down list in the upper left corner of the page.
  5. In the navigation pane, choose Access Control > Access Policies.
  6. Add a protection rule.

    Click Add Rule. In the displayed Add Rule page, enter the protection information.
    • For details about how to set the parameters in DNAT scenarios, see Table 3.
    • For details about how to set the parameters in SNAT scenarios, see Table 4.
    Table 3 DNAT protection rule parameters

    Parameter

    Description

    Rule Type

    Select NAT to protect the traffic of the NAT gateway. Private IP addresses can be configured.

    NOTE:
    • Only the professional edition supports the configuration of rule types.
    • To select NAT, ensure that:

    Name

    Name of the custom security policy.

    Direction

    Select DNAT.

    Source

    Source address of access traffic.
    • IP address can be configured in the following formats:
      • A single IP address, for example, 192.168.10.5
      • Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10
      • Address segment, for example, 192.168.2.0/24
    • IP address group: A collection of IP addresses. For details about how to add custom IP address groups, see Adding Custom IP Address Groups. For details about how to add a predefined address group, see Viewing a Predefined Address Group.
      NOTE:

      If Direction is set to Inbound, a predefined address group can be configured for the source address.

    • Countries and regions: A continent, a region, or a country
    • Any: any source address

    Destination

    Destination address of access traffic.
    • IP address: You can set a single IP address, consecutive IP addresses, or an IP address segment.
      • A single IP address, for example, 192.168.10.5
      • Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10
      • Address segment, for example, 192.168.2.0/24
    • IP address group: A collection of IP addresses. For details about how to add custom IP address groups, see Adding an IP Address Group.
    • Any: any destination address

    Service

    • Service: Set Protocol Type, Source Port, and Destination Port.
      • Protocol Type: The value can be TCP, UDP, or ICMP.
      • Source/Destination Port: If Protocol Type is set to TCP or UDP, you need to set the port number.
      NOTE:
      • To specify all the ports of an IP address, set Port to 1-65535.
      • You can specify a single port. For example, to manage access on port 22, set Port to 22.
      • To set a port range, use a hyphen (-) between the starting and ending ports. For example, to manage access on ports 80 to 443, set Port to 80-443.
    • Service group: A collection of services (protocols, source ports, and destination ports) is supported. For details about how to add a custom service group, see Adding a Service Group. For details about a pre-defined service group, see Viewing a Predefined Service Group.
    • Any: any protocol type or port number

    Action

    Set the action to be taken when traffic passes through the firewall.

    • Allow: Traffic is forwarded.
    • Block: Traffic is not forwarded.

    Schedule

    (Optional) Click Schedule and configure when the rule is in effect. Select or add a schedule.

    Allow Long Connection

    If only one service is configured in the current protection rule and Protocol Type is set to TCP or UDP, you can configure the service session aging time.
    • Yes: Configure the long connection duration.
    • No: Retain the default durations. The default connection durations for different protocols are as follows:
      • TCP: 1800s
      • UDP: 60s
    NOTE:

    Up to 50 rules can be configured with long connections.

    Long Connection Duration

    This parameter is mandatory if Allow Long Connection is set to Yes.

    Configure the long connection duration. Configure the hour, minute, and second.

    NOTE:

    The duration range is 1 second to 1000 days.

    Tags

    (Optional) Tags are used to identify rules. You can use tags to classify and search for security policies.

    Priority

    Priority of the rule. Its value can be:

    • Pin on top: indicates that the priority of the policy is set to the highest.
    • Lower than the selected rule: indicates that the policy priority is lower than a specified rule.

    Status

    Whether a policy is enabled.

    Toggle on: enabled

    Toggle off: disabled

    Description

    (Optional) Usage and application scenario

    Table 4 SNAT protection rule parameters

    Parameter

    Description

    Rule Type

    Select NAT to protect the traffic of the NAT gateway. Private IP addresses can be configured.

    NOTE:
    • Only the professional edition supports the configuration of rule types.
    • To select NAT, ensure that:

    Name

    Name of the custom security policy.

    Direction

    Select SNAT.

    Source

    Source address of access traffic.
    • IP address can be configured in the following formats:
      • A single IP address, for example, 192.168.10.5
      • Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10
      • Address segment, for example, 192.168.2.0/24
    • IP address group: A collection of IP addresses. For details about how to add custom IP address groups, see Adding Custom IP Address Groups. For details about how to add a predefined address group, see Viewing a Predefined Address Group.
      NOTE:

      If Direction is set to Inbound, a predefined address group can be configured for the source address.

    • Any: any source address

    Destination

    Destination address of access traffic.
    • IP address: You can set a single IP address, consecutive IP addresses, or an IP address segment.
      • A single IP address, for example, 192.168.10.5
      • Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10
      • Address segment, for example, 192.168.2.0/24
    • IP address group: A collection of IP addresses. For details about how to add custom IP address groups, see Adding an IP Address Group.
    • Countries and regions: A continent, a region, or a country
    • Domain Name/Domain Name Group: When Direction is set to Outbound, the protection of a domain name or domain name group is supported.
      • Application: Supports the protection for domain names or wildcard domain names. Application-layer protocols such as HTTP and HTTPS are supported. Domain names are used for matching.
      • Network: Supports protection for one or multiple domain names. Applies to network-layer protocols and supports all protocols. The resolved IP addresses are used for matching.
      NOTE:
      • To protect the domain names of HTTP and HTTPS applications, you can select any option.
      • To protect the wildcard domain names of HTTP and HTTPS applications, select Application and then select any option from the drop-down list.
      • To protect a single domain name of other application types (such as FTP, MySQL, and SMTP), select Network and select any option from the drop-down list. (If Application Domain Name Group is selected, up to 600 IP addresses can be resolved.)
      • To protect multiple domain names of other application types (such as FTP, MySQL, and SMTP), select Network and Network Domain Group from the drop-down list.
      • If you need to configure the wildcard domain names or application domain name groups of the HTTP/HTTPS applications, and the network domain groups of other application types for the same domain name, ensure that the priority of the Network protection rule is higher than that of the Application protection rule.
      • For details about application and network types, see Adding a Domain Name Group.
    • Any: any destination address

    Service

    • Service: Set Protocol Type, Source Port, and Destination Port.
      • Protocol Type: The value can be TCP, UDP, or ICMP.
      • Source/Destination Port: If Protocol Type is set to TCP or UDP, you need to set the port number.
      NOTE:
      • To specify all the ports of an IP address, set Port to 1-65535.
      • You can specify a single port. For example, to manage access on port 22, set Port to 22.
      • To set a port range, use a hyphen (-) between the starting and ending ports. For example, to manage access on ports 80 to 443, set Port to 80-443.
    • Service group: A collection of services (protocols, source ports, and destination ports) is supported. For details about how to add a custom service group, see Adding a Service Group. For details about a pre-defined service group, see Viewing a Predefined Service Group.
    • Any: any protocol type or port number

    Action

    Set the action to be taken when traffic passes through the firewall.

    • Allow: Traffic is forwarded.
    • Block: Traffic is not forwarded.

    Schedule

    (Optional) Click Schedule and configure when the rule is in effect. Select or add a schedule.

    Allow Long Connection

    If only one service is configured in the current protection rule and Protocol Type is set to TCP or UDP, you can configure the service session aging time.
    • Yes: Configure the long connection duration.
    • No: Retain the default durations. The default connection durations for different protocols are as follows:
      • TCP: 1800s
      • UDP: 60s
    NOTE:

    Up to 50 rules can be configured with long connections.

    Long Connection Duration

    This parameter is mandatory if Allow Long Connection is set to Yes.

    Configure the long connection duration. Configure the hour, minute, and second.

    NOTE:

    The duration range is 1 second to 1000 days.

    Tags

    (Optional) Tags are used to identify rules. You can use tags to classify and search for security policies.

    Priority

    Priority of the rule. Its value can be:

    • Pin on top: indicates that the priority of the policy is set to the highest.
    • Lower than the selected rule: indicates that the policy priority is lower than a specified rule.

    Status

    Whether a policy is enabled.

    Toggle on: enabled

    Toggle off: disabled

    Description

    (Optional) Usage and application scenario

  7. Click OK to complete the protection rule configuration.

    The default action of the access control policy is Allow.

Configuration Example - Allowing the Inbound Traffic from a Specified IP Address

Configure two protection rules. One of them blocks all traffic, as shown in Figure 1. Its priority is the lowest. The other allows the traffic of a specified IP address, as shown in Figure 2. Its priority is the highest.
Figure 1 Blocking all traffic
Figure 2 Allowing a specified IP address
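The example above and the address and port formats from Table 1, worked through as an added illustration (not code from the CFW product or its documentation): a small evaluator that parses the single-IP, consecutive-range, CIDR and port-range notations, keeps rules in priority order ("Pin on top" first, the block-all rule last) and lets the first matching rule decide. The admin host 203.0.113.10 and the protected EIP 192.168.10.5 are constructed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Tuple

AddrMatcher = Callable[[str], bool]
PortMatcher = Callable[[int], bool]


def parse_address(spec: str) -> AddrMatcher:
    """Accept the address formats the rule tables list: Any, a single IP
    (192.168.10.5), consecutive IPs (192.168.0.2-192.168.0.10) or an
    address segment (192.168.2.0/24)."""
    spec = spec.strip()
    if spec.lower() == "any":
        return lambda ip: True
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if hi < lo:
            raise ValueError(f"range end precedes start: {spec}")
        return lambda ip: lo <= ipaddress.ip_address(ip) <= hi
    net = ipaddress.ip_network(spec, strict=False)  # single IP or CIDR
    return lambda ip: ipaddress.ip_address(ip) in net


def parse_port(spec: str) -> PortMatcher:
    """Port formats from the tables: Any, a single port (22) or a range
    (80-443); 1-65535 covers all ports."""
    spec = spec.strip()
    if spec.lower() == "any":
        return lambda p: True
    lo, hi = (int(p) for p in spec.split("-", 1)) if "-" in spec else (int(spec),) * 2
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"invalid port spec: {spec}")
    return lambda p: lo <= p <= hi


@dataclass
class Rule:
    name: str
    direction: str    # Inbound or Outbound
    source: str
    destination: str
    protocol: str     # TCP, UDP, ICMP or Any
    dest_port: str    # only consulted for TCP/UDP
    action: str       # Allow or Block

    def matches(self, direction: str, src: str, dst: str, proto: str, dport: int) -> bool:
        if self.direction != direction:
            return False
        if not (parse_address(self.source)(src) and parse_address(self.destination)(dst)):
            return False
        if self.protocol.lower() == "any":
            return True
        if self.protocol.upper() != proto.upper():
            return False
        # ICMP has no ports; TCP/UDP rules must also match the destination port
        return proto.upper() == "ICMP" or parse_port(self.dest_port)(dport)


def evaluate(rules: List[Rule], direction: str, src: str, dst: str,
             proto: str, dport: int = 0) -> Tuple[str, str]:
    """Rules are held in priority order (index 0 is 'Pin on top'); the first
    match decides. With no match the policy default described on the page
    applies: Allow."""
    for r in rules:
        if r.matches(direction, src, dst, proto, dport):
            return r.action, r.name
    return "Allow", "<default>"


def insert_lower_than(rules: List[Rule], selected: str, new_rule: Rule) -> None:
    """'Lower than the selected rule': place new_rule directly after `selected`."""
    idx = next(i for i, r in enumerate(rules) if r.name == selected)
    rules.insert(idx + 1, new_rule)


def example_policy() -> List[Rule]:
    """The configuration example with constructed addresses: allow one admin
    host to reach SSH (pinned on top), block everything else (lowest priority)."""
    allow_admin = Rule("allow-admin", "Inbound", "203.0.113.10", "192.168.10.5", "TCP", "22", "Allow")
    block_all = Rule("block-all", "Inbound", "Any", "Any", "Any", "Any", "Block")
    return [allow_admin, block_all]
```

Reversing the two rules shows why the block-all rule must sit at the lowest priority: pinned on top, it shadows the allow rule and the admin host is blocked too.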

Configuration Example - Blocking Access from a Region

The following figure shows a rule that blocks all access traffic from Singapore.
Figure 3 Intercepting the access traffic from Singapore

Configuration Example - Allowing Traffic from a Service to a Platform

To allow an EIP (xx.xx.xx.185) to access ports 80 and 443 of cfw-test.com and *.example.com, configure parameters as follows. The parameters not mentioned below can be configured as needed.
  • Create an application domain name group and configure the platform domain names, as shown in Figure 4.
  • Configure the following protection rules:
    • One of the rules blocks all traffic, as shown in Figure 5. The priority is the lowest.
    • The other rule allows the traffic from the EIP to the platform, as shown in Figure 6. The priority is the highest.
Figure 4 Adding the domain name group of a platform
Figure 5 Blocking all traffic
Figure 6 Allowing the EIP to access ports 80 and 443 of the platform
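The platform example above, together with the Application/Network distinction from the Destination row of Table 1, as an added illustration (not CFW's own matching code): an Application-type domain group matches on the application-layer name, a Network-type group matches on the addresses its names resolve to, and the note that a Network rule must outrank an Application rule for the same name is reproduced by list order. The wildcard semantics, the resolver answers and the 198.51.100.x addresses are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the answers CFW's configured DNS server would return
# for a Network-type domain group (the page: resolved IP addresses are matched).
RESOLVED: Dict[str, List[str]] = {
    "cfw-test.com": ["198.51.100.20"],
    "www.example.com": ["198.51.100.30", "198.51.100.31"],
}


def domain_matches(pattern: str, host: str) -> bool:
    """Assumption (the page does not define wildcard semantics): '*.example.com'
    matches any subdomain of example.com but not the apex; other names match exactly."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


@dataclass
class DomainRule:
    name: str
    kind: str                 # "Application" (match on name) or "Network" (match on resolved IPs)
    domains: List[str]
    ports: Tuple[int, ...]
    action: str

    def matches(self, dst_ip: str, host: Optional[str], port: int) -> bool:
        if port not in self.ports:
            return False
        if self.kind == "Application":
            # Needs the application-layer name (HTTP Host / TLS SNI); FTP, MySQL, SMTP carry none
            return host is not None and any(domain_matches(d, host) for d in self.domains)
        # Network: a wildcard cannot be resolved, so only literal names contribute addresses
        resolved = {ip for d in self.domains if not d.startswith("*") for ip in RESOLVED.get(d, [])}
        return dst_ip in resolved


def first_match(rules: List[DomainRule], dst_ip: str, host: Optional[str], port: int) -> Tuple[str, str]:
    for r in rules:               # list order is priority order; the first match wins
        if r.matches(dst_ip, host, port):
            return r.action, r.name
    return "Block", "block-all"   # the example's lowest-priority catch-all rule


def platform_policy() -> List[DomainRule]:
    """The platform example: an Application group holding the two platform
    names, allowed on ports 80 and 443; anything else falls to block-all."""
    platform = DomainRule("allow-platform", "Application",
                          ["cfw-test.com", "*.example.com"], (80, 443), "Allow")
    return [platform]
```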

Configuration Example - NAT Protection

Assume your private IP address is 10.1.1.2 and the external domain name accessed through the NAT gateway is www.example.com. Configure NAT protection as follows and set other parameters based on your deployment:

Figure 7 Configuring a NAT protection rule

Follow-up Operations

Configuration failure: If a rule fails to be delivered, troubleshoot the fault by following the instructions in Failed Configurations.