Configuring Protection Rules to Block or Allow NAT Gateway Border Traffic

After protection is enabled, CFW allows all traffic by default. You can configure protection rules to block or allow traffic.

Protection Rule Description

The protected objects, actions, and application scenarios of protection rules are as follows.

Name	Description
Protected object	5-tuples IP address groups Geographical locations Domain names and domain name groups (layer-4 and layer-7 traffic) Applications
Network type	EIP Private IP address
Action	If Block is selected, traffic will be blocked. If Allow is selected, traffic will be allowed by protection rules and then checked by IPS.
Scenario	You can configure protection rules in the following scenarios: This section describes how to protect the traffic of private network assets at the Internet border. For details about DNAT traffic, see Adding a DNAT Traffic Protection Rule. For details about SNAT traffic, see Adding a SNAT Traffic Protection Rule. Protect the traffic of public network assets (EIPs) at the Internet border. For details, see Configuring Protection Rules to Block or Allow Internet Border Traffic. Protect the access traffic between VPCs, or between a VPC and an IDC. For details, see Configuring Protection Rules to Block or Allow VPC Border Traffic. CAUTION: If your IP address is a back-to-source WAF IP address, you are advised to configure a protection rule or the whitelist to allow its access. Exercise caution when configuring a protection rule to block access, which may affect your services. For details about back-to-source IP addresses, see What Are Back-to-Source IP Addresses?. For details about how to configure the whitelist, see Adding Blacklist or Whitelist Items to Block or Allow Traffic.

Specification Limitations

Only the professional edition supports NAT traffic (private IP address) protection.

Constraints

CFW does not support application-level gateways (ALGs). If ALG-related services (such as SIP and FTP) are available, you are advised to add a rule to allow the traffic to pass through all the ports of data channels (that is, set Service to Any and Protection Action to Allow).
To use CFW persistent connections, enable a bidirectional bypass policy. If you only enable a unidirectional policy, the client will need to re-initiate connections in certain scenarios, such as enabling or disabling protection, and expanding engine capacities. You can also create a service ticket to evaluate the risks of related issues.
Quota:
- Up to 20,000 protection rules can be added.
- The restrictions on a single protection rule are as follows:
  - For IPv4, up to 4,000 source and 4,000 destination IP addresses are allowed. For IPv6, up to 2,000 source and 2,000 destination IP addresses are allowed.
  - A maximum of 20 source IP addresses and 20 destination IP addresses can be added.
  - A maximum of 10 source IP address groups and 10 destination IP address groups can be associated.
  - A maximum of 10 services can be added.
  - A maximum of 10 service groups can be associated.
  - Up to 10 application domain names can be added to each protection rule.
  - Up to 8 application domain name groups can be associated with each protection rule.
  - Up to three network domain names can be added to each protection rule.
  - Only one network domain name group can be associated with each protection rule.
Restrictions on domain name protection:
- Domain names in Chinese are not supported.
- Restrictions on application-layer domain name reference:
  - Each firewall instance can reference up to 60,000 domain names.
  - Each firewall instance can reference up to 1,000 wildcard domain names.
  - Each protection rule can reference up to 20,000 domain names.
  - Each protection rule can reference up to 128 wildcard domain names.
  Calculation: If both rule A and rule B of a firewall reference domain name 1 and domain name group A (containing domain names 2 and 3), then the number of domain names referenced by rule A or rule B is 3, and the number of domain names referenced by the firewall instance is 6.
- A network domain name group can resolve up to 4,000 IP addresses (depending on the numbers of IP addresses and IP address groups). Each domain name can have a maximum of 1,000 resolution results. If the number of DNS resolution results exceeds this number, domain names may fail to be accessed. For domain names with a large number of resolution results or frequent changes, to protect HTTP or HTTPS traffic, you are advised to use the application domain name group to add policies.
  The total quota available for a network domain name group is calculated as follows: Assume we have a protection rule that has 10 IP addresses and references an IP address group (A) and a network domain name group (B). The IP address group A contains five IP addresses, and the network domain name group B contains 15 domain names. In this case, the total quota available for the network domain name group B = 4,000 (total quota) – 10 (number of IP addresses) – 5 (number of IP address group members) = 3,985.
- Domain name protection depends on the DNS server you configure. The default DNS server may be unable to resolve complete IP addresses. You are advised to configure DNS resolution if the domain names of your services need to be accessed.
Restriction on regions: A protection rule with its source or destination set to a region (geographical location) takes effect only for IPv4 protected objects.
Pre-defined Address Groups can be configured only for Source address for a DNAT rule.
If NAT 64 protection is enabled and IPv6 access is used, allow traffic from the 198.19.0.0/16 CIDR block to pass through. NAT64 will translate source IP addresses into the CIDR block 198.19.0.0/16 for ACL access control.

Impacts on Services

When configuring a blocking rule, if address translation or proxy is involved, evaluate the impact of blocking IP addresses with caution.

Adding a DNAT Traffic Protection Rule

Enable NAT traffic protection. For details, see Enabling NAT Gateway Traffic Protection.
(Optional) To add multiple IP addresses and services (protocols, source ports, and destination ports), add their groups first.
- For details about how to add multiple IP addresses, see Managing IP Address Groups.
- For details about how to add multiple services, see Managing Service Groups.
In the navigation pane on the left of the CFW console, choose Access Control > Internet Border Protection Rules.

Add a protection rule.

On the Protection Rules tab, click NAT. Click Add Rule and configure parameters. For details, see Table 1.

**Table 1** DNAT protection rule parameters
Parameter	Description
Name	Name of the custom security policy.
Direction	Select DNAT.
Source	Set the party that initiates a session. IP Address/IP address group/Countries and regions: IP Address: Enter EIPs. This parameter can be configured in the following formats: A single EIP, for example, xx.xx.10.5 Consecutive EIPs, for example, xx.xx.0.2-xx.xx.0.10 EIP segment, for example, xx.xx.2.0/24 IP address group. You can configure multiple EIPs. If Direction is set to Inbound, a predefined address group can be configured for the source address. For details about user-defined and predefined IP address groups, see Managing IP Address Groups. Countries and regions: A continent, a country, or a region Any: any source address
Destination	Set the recipient of a session. IP Address/IP address group: IP address: Enter private IP addresses. You can set a single IP address, consecutive IP addresses, or an IP address segment. A single IP address, for example, 192.168.10.5 Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10 Address segment, for example, 192.168.2.0/24 IP address group. You can configure multiple private IP addresses. For details about how to add an IP address group, see Adding a User-defined IP Address Group. Any: any destination address
Service	Service/Service group: Service: Set Protocol, Source Port, and Destination Port. Protocol: The value can be TCP, UDP, or ICMP. Source/Destination Port: If Protocol is set to TCP or UDP, you need to set the port number. To specify all the ports of an IP address, set Port to 1-65535. You can specify a single port. For example, to manage access on port 22, set Port to 22. To set a port range, use a hyphen (-) between the starting and ending ports. For example, to manage access on ports 80 to 443, set Port to 80-443. Service group: A collection of services (protocols, source ports, and destination ports). For details about how to add a custom service group, see Adding a Service Group. For details about predefined service groups, see Viewing a Predefined Service Group. Any: any protocol type or port number
Application	(Optional) Configure protection policies for application-layer protocols. When Service is set to Any, all application types are supported. If Service is set to Service and Protocol is set to TCP, TCP applications, such as HTTP and HTTPS, are supported. If Service is set to Service and Protocol is set to UDP, UDP applications, such as DNS and RDP, are supported.
Protection Action	Set the action to be taken when traffic passes through the firewall. Allow: Traffic is forwarded. Block: Traffic is not forwarded.
Status	Whether a policy is enabled. : The policy takes effect immediately after being configured. : The policy is disabled.
Priority	Priority of the rule. Its value can be: Pin on top: indicates that the priority of the policy is set to the highest. Lower than the selected rule: indicates that the policy priority is lower than a specified rule.
Schedule Management	(Optional) Click Schedule Management and configure when the rule is in effect. Select or add a schedule.
Allow Long Connection	If only one service is configured in the current protection rule and Protocol is set to TCP or UDP, you can configure the service session aging time (unit: second).
Long Connection Duration	If Allow Long Connection is set to Yes, you need to set the persistent connection duration and set hour, minute, and second.
Tag	(Optional) Tags are used to identify rules. You can use tags to classify and search for security policies.
Description	(Optional) Usage and application scenario

Click OK to complete the protection rule configuration.

Adding a SNAT Traffic Protection Rule

Enable NAT traffic protection. For details, see Enabling NAT Gateway Traffic Protection.
(Optional) To add multiple IP addresses and services (protocols, source ports, and destination ports), add their groups first.
- For details about how to add multiple IP addresses, see Managing IP Address Groups.
- For details about how to add multiple services, see Managing Service Groups.
In the navigation pane on the left of the CFW console, choose Access Control > Internet Border Protection Rules.

Add a protection rule.

On the Protection Rules tab, click NAT. Click Add Rule and configure parameters. For details, see Table 2.

**Table 2** SNAT protection rule parameters
Parameter	Description
Rule Type	Select NAT to protect the traffic of the NAT gateway. Private IP addresses can be configured. NOTE: To select the NAT rule, ensure that: The professional edition firewall is used. For details about how to upgrade your edition, see Upgrading a CFW. The VPC border firewalls have been configured. For details, see Managing VPC Border Firewalls.
Name	Name of the custom security policy.
Direction	Select SNAT.
Source	Set the party that initiates a session. IP Address/IP address group: IP Address: Enter private IP addresses. You can set a single IP address, consecutive IP addresses, or an IP address segment. A single IP address, for example, 192.168.10.5 Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10 Address segment, for example, 192.168.2.0/24 IP address group: You can add multiple private IP addresses to an IP address group. For details about how to add an IP address group, see Adding an IP Address Group. Any: any source address
Destination	Set the recipient of a session. IP Address/IP address group/Countries and regions/Domain name/Domain name group: IP Address: Enter EIPs. This parameter can be configured in the following formats: A single EIP, for example, xx.xx.10.5 Consecutive EIPs, for example, xx.xx.0.2-xx.xx.0.10 EIP segment, for example, xx.xx.2.0/24 IP address group. You can configure multiple EIPs. If Direction is set to Inbound, a predefined address group can be configured for the source address. For details about user-defined and predefined IP address groups, see Managing IP Address Groups. Countries and regions: A continent, a country, or a region Domain Name/Domain Name Group: Application: Supports the protection for domain names or wildcard domain names. Application-layer protocols such as HTTP, HTTPS, TLS, SMTPS, and POPS are supported. Domain names are used for matching. Network: Supports protection for one or multiple domain names. Applies to network-layer protocols and supports all protocols. The resolved IP addresses are used for matching. NOTE: To protect the domain names of HTTP, HTTPS, TLS, SMTPS, and POPS applications, you can select any options. To protect the wildcard domain names of HTTP, HTTPS, TLS, SMTPS, or POPS, you select any option under Application. (A wildcard domain name is in the format of .Domain_name. The wildcard character matches any character or string. For example, .example.com.) To protect a single domain name of other application types (such as FTP, MySQL, and SMTP), select Network* and select any option from the drop-down list. (If Domain name is selected, up to 600 IP addresses can be resolved.) If you need to configure the wildcard domain names or application domain name groups of the HTTP, HTTPS, TLS, SMTPS, and POPS applications, and the network domain groups of other application types for the same domain name, ensure that the priority of the Network protection rule is higher than that of the Application protection rule. For details about application- and network-type domain names, see Adding a Domain Name Group. Any: any destination address
Service	Service/Service group: Service: Set Protocol, Source Port, and Destination Port. Protocol: The value can be TCP, UDP, or ICMP. Source/Destination Port: If Protocol is set to TCP or UDP, you need to set the port number. To specify all the ports of an IP address, set Port to 1-65535. You can specify a single port. For example, to manage access on port 22, set Port to 22. To set a port range, use a hyphen (-) between the starting and ending ports. For example, to manage access on ports 80 to 443, set Port to 80-443. Service group: A collection of services (protocols, source ports, and destination ports). For details about how to add a custom service group, see Adding a Service Group. For details about predefined service groups, see Viewing a Predefined Service Group. Any: any protocol type or port number
Application	(Optional) Configure protection policies for application-layer protocols. When Service is set to Any, all application types are supported. If Service is set to Service and Protocol is set to TCP, TCP applications, such as HTTP and HTTPS, are supported. If Service is set to Service and Protocol is set to UDP, UDP applications, such as DNS and RDP, are supported.
Protection Action	Set the action to be taken when traffic passes through the firewall. Allow: Traffic is forwarded. Block: Traffic is not forwarded.
Status	Whether a policy is enabled. : The policy takes effect immediately after being configured. : The policy is disabled.
Priority	Priority of the rule. Its value can be: Pin on top: indicates that the priority of the policy is set to the highest. Lower than the selected rule: indicates that the policy priority is lower than a specified rule.
Schedule Management	(Optional) Click Schedule Management and configure when the rule is in effect. Select or add a schedule.
Allow Long Connection	If only one service is configured in the current protection rule and Protocol is set to TCP or UDP, you can configure the service session aging time (unit: second).
Long Connection Duration	If Allow Long Connection is set to Yes, you need to set the persistent connection duration and set hour, minute, and second.
Tag	(Optional) Tags are used to identify rules. You can use tags to classify and search for security policies.
Description	(Optional) Usage and application scenario

Click OK to complete the protection rule configuration.

The default action of the access control policy is Allow.

Viewing Protection Rule Hits

After your services run for a period of time, you can view the number of rule hits in the Hits column of the protection rule list.

You can click a number in the Hits column to go to the Access Control Logs tab page and view log details. For details, see Querying Logs.

Figure 1 Viewing logs
Click to enlarge

Follow-up Operations

Checking protection outcomes

Policy hits: For details about the protection overview, see Viewing Protection Information Using the Policy Assistant. For details about logs, see Access Control Logs.
For details about the traffic trend and statistics, see Traffic Analysis. For details about traffic records, see Traffic Logs.