Updated on 2023-01-10 GMT+08:00

Adding a Protection Rule

Access control policies can help you manage and control the traffic between servers and external networks in a refined manner, prevent the spread of internal threats, and enhance the depth of security strategies.

After EIP protection is enabled, the default status of the access control policy is Allow. If you want to allow only several EIPs, you are advised to add a protection rule with the lowest priority to block all traffic.

Prerequisites

You have synchronized assets and enabled EIP protection.

Adding an Internet Boundary Protection Rule

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation pane, click and choose Security & Compliance > Cloud Firewall. The Dashboard page is displayed, as shown in Figure 1.

    Figure 1 CFW Dashboard

  4. In the navigation pane on the left, choose Access Control > Access Policies, as shown in Figure 2.

    Figure 2 Access policies

  5. Add a protection rule.

    Click Add Rule. In the Add Rule dialog box that is displayed, enter the parameters. For details, see Table 1.
    Figure 3 Protection rule
    Table 1 Internet boundary rule parameters

    Direction
      Description: Direction of protected traffic.
        • Outbound: Traffic from external networks to the internal server.
        • Inbound: Traffic from the customer server to external networks.
      Example value: Outbound

    Name
      Description: Name of the rule.
      Example value: test

    Source Type
      Description: Select a type. Its value can be:
        • IP Address: a single IP address, consecutive IP addresses, or an IP address segment.
        • IP Address Group: multiple IP addresses.
      Example value: IP Address

    Source Address
      Description: Source of the data packets. It can be:
        • A single IP address, for example, 192.168.10.5
        • Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10
        • An address segment, for example, 192.168.2.0/24
      Example value: 192.168.10.5

    Destination Type
      Description: Select a type. Its value can be:
        • IP Address: a single IP address, consecutive IP addresses, or an IP address segment.
        • IP Address Group: multiple IP addresses.
        • Domain Name: a domain name consists of letters separated by dots (.). It is a human-readable address that maps to the machine-readable IP address of your server.
      Example value: IP Address

    Destination Address
      Description: Destination of the data packets. It can be:
        • A single IP address, for example, 192.168.10.5
        • Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10
        • An address segment, for example, 192.168.2.0/24
        • A domain name. It can consist of multiple levels, for example, a level-1 domain name (example.com) or a level-2 domain name (www.example.com). After entering a domain name, click Test on the right to check whether it is valid.
      NOTE: If Destination Address is set to a domain name, you need to configure DNS resolution. For more information, see Configuring DNS Resolution.
      Example value: 192.168.10.6

    Service Type
      Description: Service type. It can be:
        • Service: a single service.
        • Service Group: multiple services.
      Example value: Service

    Protocol Type
      Description: Its value can be TCP, UDP, ICMP, ICMPV6, or Any.
      Example value: TCP

    Source Port
      Description: Source ports to be allowed or blocked. You can configure a single port or a range of consecutive ports (example: 80-443).
      Example value: 80

    Destination Port
      Description: Destination ports to be allowed or blocked. You can configure a single port or a range of consecutive ports (example: 80-443).
      Example value: 443

    Action
      Description: Allow or Block. Determines whether the traffic is allowed to pass through the cloud firewall.
      Example value: Allow

    Priority
      Description: Priority of the rule. Its value can be:
        • Pin on top: the policy is given the highest priority.
        • Lower than the selected rule: the policy priority is lower than that of the specified rule.
      NOTE: A smaller value indicates a higher priority.
      Example value: Pin on top

    Status
      Description: Whether the policy is enabled.
        : enabled
        : disabled

    Description
      Description: Usage and application scenario of the rule.
      Example value: -

  6. Click OK.

    After EIP protection is enabled, the default status of the access control policy is Allow. If you want to allow only several EIPs, you are advised to add 0.0.0.0/0 to the protection rule with the lowest priority to block all traffic.
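    To make the priority order and the default-Allow behaviour concrete, the following is an added Python model of how a rule set like Table 1 is evaluated. It is example code written for this page, not CFW's own API or implementation: the Rule class, the field names and the sample policy are constructed assumptions; the address forms (single IP, consecutive range, CIDR segment), the port range syntax and the 0.0.0.0/0 lowest-priority block rule follow the page.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical model of one access-control rule (constructed for this example,
# not a CFW data structure). Fields mirror the columns of Table 1.
@dataclass
class Rule:
    name: str
    source: str        # single IP, "a-b" consecutive range, CIDR segment, or "Any"
    destination: str
    protocol: str      # "TCP", "UDP", "ICMP", "ICMPV6" or "Any"
    dst_port: str      # single port, "80-443" range, or "Any"
    action: str        # "Allow" or "Block"

def addr_matches(spec, ip):
    """Match an address against the three forms the page lists (plus Any)."""
    ip = ipaddress.ip_address(ip)
    if spec == "Any":
        return True
    if "-" in spec:                                   # consecutive range
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
        return lo <= ip <= hi
    if "/" in spec:                                   # address segment (CIDR)
        return ip in ipaddress.ip_network(spec, strict=False)
    return ip == ipaddress.ip_address(spec)           # single address

def port_matches(spec, port):
    """Match a destination port against a single port or an 80-443 style range."""
    if spec == "Any":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-"))
        return lo <= port <= hi
    return port == int(spec)

def evaluate(rules, src, dst, proto, port):
    """rules is ordered by priority (index 0 = pinned on top); first match wins.
    With no match, the default after EIP protection is enabled is Allow."""
    for r in rules:
        if (r.protocol in ("Any", proto) and addr_matches(r.source, src)
                and addr_matches(r.destination, dst) and port_matches(r.dst_port, port)):
            return r.action, r.name
    return "Allow", "default"

# Constructed sample policy: one range allowed to HTTPS on a server, then the
# lowest-priority 0.0.0.0/0 block rule the page recommends.
RULES = [
    Rule("allow-office-https", "192.168.0.2-192.168.0.10", "192.168.10.6", "TCP", "443", "Allow"),
    Rule("block-all", "0.0.0.0/0", "0.0.0.0/0", "Any", "Any", "Block"),
]
```

    Evaluating the same unmatched packet against RULES and against RULES[:1] shows the point of the block-all rule: without it the packet falls through to the default Allow.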