Updated on 2024-05-10 GMT+08:00

Managing Protection Rules in Batches

You can import and export protection rules in batches.

Constraints

Only the professional edition supports the import and export of VPC border protection policies.

Importing Protection Rules in Batches

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation pane on the left, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
  4. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click View in the Operation column to go to the details page.
  5. In the navigation pane, choose Access Control > Access Policies.
  6. Click Download Center on the upper right of the list.
  7. Click Download Template to download the rule import template to the local host.
  8. Fill in the template. For details, see Parameters of Rule Import Template - Protection Rule Table (Internet Border Protection Rule) and Parameters of Rule Import Template - VPC Protection Rule Table (VPC Border Protection Rule).

    • A maximum of 640 rules and members can be imported at a time on each tab page.
    • Do not change the template file format, or it may fail to be imported.

  9. After filling in the template, click Import Rule to import the template.

    • Rule import takes several minutes.
    • During rule import, you cannot add, edit, or delete access policies, IP address groups, and service groups.
    • Imported policies have a lower priority than the policies that already exist.

  10. Click Download Center to view the status of the rule import task. If the Status is Imported, the import succeeded.
  11. Return to the protection rule list to view the imported protection rule.

Exporting Protection Rules in Batches

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation pane on the left, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
  4. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click View in the Operation column to go to the details page.
  5. In the navigation pane, choose Access Control > Access Policies.
  6. Click Download Center on the upper right of the list.
  7. Click Export Rule to export rules to a local PC.

Parameters of Rule Import Template - Protection Rule Table (Internet Border Protection Rule)

Table 1 Protection rule table parameters

Order
  Description: Order number of a rule.
  Example value: 1

Acl Name
  Description: Name of the rule. The name can contain up to 255 characters, including letters, numbers, underscores (_), hyphens (-), and spaces.
  Example value: test

Protection Rule
  Description: Protection type of a security policy.
    • EIP protection: Protect EIP traffic. Only EIPs can be configured.
    • NAT protection: Protect NAT traffic. Private IP addresses can be configured.
  Example value: EIP protection

Direction
  Description: Direction of protected traffic.
    • Inbound: Traffic from external networks to the internal server.
    • Outbound: Traffic from the customer server to external networks.
  Example value: Outbound

Action Type
  Description: Allow or Block. It specifies the action the firewall takes on matching traffic.
  Example value: Allow

ACL Address Type
  Description: Type of IP addresses to be protected. Select IPv4.
  Example value: IPv4

Status
  Description: Whether a policy is enabled.
    • Enabled: The rule is in effect.
    • Disabled: The rule is not in effect.
  Example value: Enabled

Description
  Description: Rule description.
  Example value: test

Source Address Type
  Description: Source address type of data packets in the access traffic.
    • IP Address: You can configure a single IP address, consecutive IP addresses, or an IP address segment.
    • IP Address Group: You can configure multiple IP addresses.
    • Region: Protection can be performed by region.
  Example value: IP Address

Source Address
  Description: Required if Source Address Type is set to IP Address. The following input formats are supported:
    • A single IP address, for example, 192.168.10.5
    • Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10
    • Address segment, for example, 192.168.2.0/24
  Example value: 192.168.10.5

Source Address Group Name
  Description: Required if Source Address Type is set to IP Address Group. The name can contain up to 255 characters, including letters, digits, underscores (_), hyphens (-), and spaces.
  Example value: s_test

Source Continent Region
  Description: Required if Source Address Type is set to Region. Enter the continent information according to the continent-region-info sheet of the template table.
  Example value: AS: Asia

Source Country Region
  Description: Required if Source Address Type is set to Region. Enter the country information according to the country-region-info sheet of the template table.
  Example value: CN: Chinese mainland

Destination Address Type
  Description: Destination address type of data packets in the access traffic.
    • IP Address: You can configure a single IP address, consecutive IP addresses, or an IP address segment.
    • IP Address Group: You can configure multiple IP addresses.
    • Domain name: A domain name consists of letters separated by dots (.). It is a human-readable address that maps to the machine-readable IP address of your server.
    • Domain name group: You can set a collection of domain names.
    • Region: Protection can be performed by region.
  Example value: IP Address Group

Destination Address
  Description: Required if Destination Address Type is set to IP Address. It can be:
    • A single IP address, for example, 192.168.10.5
    • Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10
    • Address segment, for example, 192.168.2.0/24
  Example value: 192.168.10.6

Destination Address Group Name
  Description: Required if Destination Address Type is set to IP Address Group. The name can contain up to 255 characters, including letters, digits, underscores (_), hyphens (-), and spaces.
  Example value: d_test

Destination Continent Region
  Description: Required if Destination Address Type is set to Region. Enter the continent information according to the continent-region-info sheet of the template table.
  Example value: AS: Asia

Destination Country Region
  Description: Required if Destination Address Type is set to Region. Enter the country information according to the country-region-info sheet of the template table.
  Example value: CN: Chinese mainland

Domain Name
  Description: Required if Destination Address Type is set to Domain name. The domain name is used by visitors to access your website. A domain name consists of letters separated by dots (.). It is a human-readable address that maps to the machine-readable IP address of your server.
  Example value: www.example.com

Destination Domain Group Name
  Description: Required if Destination Address Type is set to Domain name group. Enter a domain group name.
  Example value: Domain group 1

Service Type
  Description: Service type. It can be:
    • Service: You can configure a single service.
    • Service Group: You can configure multiple services.
  Example value: Service

Protocol/Source Port/Destination Port
  Description: Protocol and ports to be put under access control.
    • Protocol: TCP, UDP, ICMP, or Any.
    • Source port: Source ports to be allowed or blocked. You can configure a single port or a port range (example: 80-443).
    • Destination port: Destination ports to be allowed or blocked. You can configure a single port or a port range (example: 80-443).
  Example value: TCP/443/443

Service Group Name
  Description: Service group name. The name can contain up to 255 characters, including letters, numbers, underscores (_), hyphens (-), and spaces.
  Example value: service_test

Group Tag
  Description: Tags are used to identify rules. You can use tags to classify and search for security policies.
  Example value: k=a

Parameters of Rule Import Template - VPC Protection Rule Table (VPC Border Protection Rule)

Table 2 VPC protection rule table parameters

Order
  Description: Order number of a rule.
  Example value: 1

Acl Name
  Description: Name of the rule. The name can contain up to 255 characters, including letters, numbers, underscores (_), hyphens (-), and spaces.
  Example value: test

Action Type
  Description: Allow or Block. It specifies the action the firewall takes on matching traffic.
  Example value: Allow

Status
  Description: Whether a policy is enabled.
    • Enabled: The rule is in effect.
    • Disabled: The rule is not in effect.
  Example value: Enabled

Description
  Description: Rule description.
  Example value: test

Source Address Type
  Description: Source address type of data packets in the access traffic.
    • IP Address: You can configure a single IP address, consecutive IP addresses, or an IP address segment.
    • IP Address Group: You can configure multiple IP addresses.
  Example value: IP Address

Source Address
  Description: Required if Source Address Type is set to IP Address. The following input formats are supported:
    • A single IP address, for example, 192.168.10.5
    • Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10
    • Address segment, for example, 192.168.2.0/24
  Example value: 192.168.10.5

Source Address Group Name
  Description: Required if Source Address Type is set to IP Address Group. The name can contain up to 255 characters, including letters, digits, underscores (_), hyphens (-), and spaces.
  Example value: s_test

Destination Address Type
  Description: Destination address type of data packets in the access traffic.
    • IP Address: You can configure a single IP address, consecutive IP addresses, or an IP address segment.
    • IP Address Group: You can configure multiple IP addresses.
  Example value: IP Address Group

Destination Address
  Description: Required if Destination Address Type is set to IP Address. It can be:
    • A single IP address, for example, 192.168.10.5
    • Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10
    • Address segment, for example, 192.168.2.0/24
  Example value: 192.168.10.6

Destination Address Group Name
  Description: Required if Destination Address Type is set to IP Address Group. The name can contain up to 255 characters, including letters, digits, underscores (_), hyphens (-), and spaces.
  Example value: d_test

Service Type
  Description: Service type. It can be:
    • Service: You can configure a single service.
    • Service Group: You can configure multiple services.
  Example value: Service

Protocol/Source Port/Destination Port
  Description: Protocol and ports to be put under access control.
    • Protocol: TCP, UDP, ICMP, or Any.
    • Source port: Source ports to be allowed or blocked. You can configure a single port or a port range (example: 80-443).
    • Destination port: Destination ports to be allowed or blocked. You can configure a single port or a port range (example: 80-443).
  Example value: TCP/443/443

Service Group Name
  Description: Service group name. The name can contain up to 255 characters, including letters, numbers, underscores (_), hyphens (-), and spaces.
  Example value: service_test

Group Tag
  Description: Tags are used to identify rules. You can use tags to classify and search for security policies.
  Example value: k=a
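Because a malformed template fails the whole import, and an import in progress blocks policy edits for several minutes, it pays to check the constraints from Table 1 and Table 2 locally before uploading. The validator below is an added example and not part of this guide or the Cloud Firewall product; it assumes each template row has already been read into a dict keyed by the column names above (for example with csv.DictReader), and the TCP/UDP-only port check and the -1 report key for an oversize sheet are its own conventions.

```python
import ipaddress
import re
MAX_RULES = 640                                      # per tab page, per import
NAME_RE = re.compile(r"^[A-Za-z0-9_\- ]{1,255}$")    # Acl Name and group names
PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")   # 443 or 80-443
ENUMS = {"Action Type": {"Allow", "Block"}, "Status": {"Enabled", "Disabled"},
         "Direction": {"Inbound", "Outbound"}}       # Direction is a Table 1 column only
PROTOCOLS = {"TCP", "UDP", "ICMP", "Any"}

def valid_address(value):
    # A single IP, a consecutive range 'a-b', or a CIDR segment, as the template allows.
    try:
        if "-" in value:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
            return lo.version == hi.version and lo <= hi
        ipaddress.ip_network(value, strict=True)  # accepts a bare IP too; host bits set -> ValueError
        return True
    except ValueError:
        return False

def valid_port(value):
    m = PORT_RE.match(value)
    return bool(m) and 0 < int(m.group(1)) <= int(m.group(2) or m.group(1)) <= 65535

def rule_errors(row):
    """Problems found in one template row (a dict keyed by the template's column names)."""
    errs = [f"{col} must be one of {sorted(opts)}"
            for col, opts in ENUMS.items() if col in row and row[col] not in opts]
    if not NAME_RE.match(row.get("Acl Name", "")):
        errs.append("Acl Name: 1-255 letters, digits, '_', '-' or spaces")
    for side in ("Source", "Destination"):
        kind = row.get(f"{side} Address Type")
        if kind == "IP Address" and not valid_address(row.get(f"{side} Address", "")):
            errs.append(f"{side} Address: expected a single IP, an a-b range or a CIDR segment")
        elif kind == "IP Address Group" and not NAME_RE.match(row.get(f"{side} Address Group Name", "")):
            errs.append(f"{side} Address Group Name is missing or invalid")
    if row.get("Service Type") == "Service":
        parts = row.get("Protocol/Source Port/Destination Port", "").split("/")
        # Assumption: the port fields are checked only for TCP/UDP (the page's example is TCP/443/443).
        if len(parts) != 3 or parts[0] not in PROTOCOLS or (
                parts[0] in ("TCP", "UDP") and not all(map(valid_port, parts[1:]))):
            errs.append("Service: expected Protocol/SourcePort/DestinationPort, e.g. TCP/443/443")
    return errs

def validate_sheet(rows):
    # Map row index -> errors; an oversize sheet is reported under key -1.
    report = {i: e for i, r in enumerate(rows) if (e := rule_errors(r))}
    if len(rows) > MAX_RULES:
        report[-1] = [f"sheet has {len(rows)} rules; at most {MAX_RULES} can be imported at a time"]
    return report
```

Run it over every tab page of the filled-in template and fix any reported rows before clicking Import Rule.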