Adding Protection Rules to Block or Allow Traffic

After protection is enabled, CFW allows all traffic by default. You can configure protection rules to block or allow traffic.

You can configure protection rules in the following scenarios:

Caution

If your IP address is a back-to-source WAF IP address, you are advised to configure a protection rule or the whitelist to allow its access. Exercise caution when configuring a protection rule to block access, which may affect your services.

Specification Limitations

Only the professional edition supports VPC border protection and NAT traffic (private IP address) protection.

Constraints

  • CFW does not support application-level gateways (ALGs). ALG can analyze the fields in application-layer payloads and dynamically adjust policies for multi-channel protocols (such as FTP and SIP) whose payloads contain port numbers and IP addresses. However, CFW only support static policies for ports. To allow multi-channel protocol communication, you are advised to configure a rule to allow traffic from all ports.

  • To use CFW persistent connections, enable a bidirectional bypass policy. If you only enable a unidirectional policy, the client will need to re-initiate connections in certain scenarios, such as enabling or disabling protection.

  • Quota:

    • Up to 20,000 protection rules can be added.

    • The restrictions on a single protection rule are as follows:

      • A maximum of 20 source IP addresses and 20 destination IP addresses can be added.

      • A maximum of two source IP address groups and two destination IP address groups can be associated.

      • A maximum of five service groups can be associated.

  • Restrictions on domain name protection:

    • Domain name protection depends on the DNS server you configure. The default DNS server may be unable resolute complete IP addresses. You are advised to configure DNS resolution if the domain names of your services need to be accessed.

  • Predefined address groups can be configured only for the source addresses in inbound rules (whose Direction is set to Inbound).

Impacts on Services

When configuring a blocking rule, if address translation or proxy is involved, evaluate the impact of blocking IP addresses with caution.

Adding an Internet Boundary Protection Rule

  1. Enable EIP protection. For details, see Enabling Internet Border Traffic Protection.

  2. In the navigation pane, choose Access Control > Access Policies.

  3. Add a protection rule.

    Click the Internet Boundaries tab and click Add Rule. In the displayed page, enter new protection information. For details, see Table 1.

    Table 1 Internet boundary rule parameters

    Parameter

    Description

    Rule Type

    Protection type of a rule.

    • EIP: Protect EIP traffic. Only EIPs can be configured.

    • NAT: Protect NAT traffic. Private IP addresses can be configured.

    Note

    By default, EIP rules are configured. NAT rules can be configured after the professional firewall and VPC border firewall are configured.

    Name

    Name of the custom security policy.

    Direction

    Select a traffic direction if you set Protection Rule to EIP protection.

    • Inbound: Cloud assets (EIPs) are accessed from the Internet.

    • Outbound: Cloud assets (EIPs) access the Internet.

    Source

    Source address of access traffic.

    • IP address: Enter EIPs. This parameter can be configured in the following formats:

      • A single EIP, for example, xx.xx.10.5

      • Consecutive EIPs, for example, xx.xx.0.2-xx.xx.0.10

      • EIP segment, for example, xx.xx.2.0/24

    • IP address group: A collection of EIPs. For details about how to add custom IP address groups, see Adding User-defined IP Addresses and Address Groups. For details about how to add a predefined address group, see Viewing a Predefined Address Group.

      Note

      If Direction is set to Inbound, a predefined address group can be configured for the source address.

    • Countries and regions: If Direction is set to Inbound, you can control access based on continents, countries, and regions.

    • Any: any source address

    Destination

    Destination address of access traffic.

    • IP address: Enter EIPs. This parameter can be configured in the following formats:

      • A single EIP, for example, xx.xx.10.5

      • Consecutive EIPs, for example, xx.xx.0.2-xx.xx.0.10

      • EIP segment, for example, xx.xx.2.0/24

    • IP address group: You can add multiple EIPs to an IP address group. For details about how to add a custom IP address group, see Adding User-defined IP Addresses and Address Groups.

    • Countries and regions: If Direction is set to Outbound, you can control access based on continents, countries, and regions.

    • Domain name/Domain name group: When Direction is set to Outbound, the protection of the domain name or domain name group is supported.

      • Application: Supports the protection for domain names or wildcard domain names. Application-layer protocols such as HTTP and HTTPS are supported. Domain names are used for matching.

      • Network: Supports protection for one or multiple domain names. Applies to network-layer protocols and supports all protocols. The resolved IP addresses are used for matching.

      Note

      • To protect the domain names of HTTP and HTTPS applications, you can select any options.

      • To protect the wildcard domain names of HTTP and HTTPS applications, select Application and then select any option from the drop-down list.

      • To protect a single domain name of other application types (such as FTP, MySQL, and SMTP), select Network and select any option from the drop-down list. (If Domain name is selected, up to 600 IP addresses can be resolved.)

      • To protect multiple domain names of other application types (such as FTP, MySQL, and SMTP), select Network and Network Domain Group from the drop-down list.

      • If you need to configure the wildcard domain names or application domain name groups of the HTTP/HTTPS applications, and the network domain groups of other application types for the same domain name, ensure that the priority of the Network protection rule is higher than that of the Application protection rule.

      • For details about application and network types, see Adding a Domain Name Group.

    • Any: any destination address

    Service

    • Service: Set Protocol Type, Source Port, and Destination Port.

      • Protocol Type: The value can be TCP, UDP, or ICMP.

      • Source/Destination Port: If Protocol Type is set to TCP or UDP, you need to set the port number.

      Note

      • To specify all the ports of an IP address, set Port to 1-65535.

      • You can specify a single port. For example, to manage access on port 22, set Port to 22.

      • To set a port range, use a hyphen (-) between the starting and ending ports. For example, to manage access on ports 80 to 443, set Port to 80-443.

    • Service group: A service group is a set of services (protocols, source ports, and destination ports). For details about how to add a user-defined service group, see Adding a User-defined Service Group. For details about predefined service groups, see Viewing a Predefined Service Group.

    • Any: any protocol type or port number

    Action

    Set the action to be taken when traffic passes through the firewall.

    • Allow: Traffic is forwarded.

    • Block: Traffic is not forwarded.

    Allow Long Connection

    If only one service is configured in the current protection rule and Protocol Type is set to TCP or UDP, you can configure the service session aging time.

    • Yes: Configure the long connection duration.

    • No: Retain the default durations. The default connection durations for different protocols are as follows:

      • TCP: 1800s

      • UDP: 60s

    Note

    Up to 50 rules can be configured with long connections.

    Long Connection Duration

    This parameter is mandatory if Allow Long Connection is set to Yes.

    Configure the long connection duration. Configure the hour, minute, and second.

    Note

    The duration range is 1 second to 1000 days.

    Tags

    (Optional) Tags are used to identify rules. You can use tags to classify and search for security policies.

    Priority

    Priority of the rule. Its value can be:

    • Pin on top: indicates that the priority of the policy is set to the highest.

    • Lower than the selected rule: indicates that the policy priority is lower than a specified rule.

    Note

    • A smaller value indicates a higher priority.

    • The default priority of the first protection rule is 1. You do not need to configure its priority.

    Status

    Whether a policy is enabled.

    image1: enabled

    image2: disabled

    Description

    (Optional) Usage and application scenario

  4. Click OK to complete the protection rule configuration.

Adding a VPC Border Protection Rule

  1. Enable VPC border firewall protection. For details, see Enabling VPC Border Traffic Protection.

  2. In the navigation pane, choose Access Control > Access Policies. Click the Inter-VPC Borders tab.

  1. Add a protection rule.

    Click Add Rule. In the displayed dialog box, enter new protection information. For details, see Table 2.

    Table 2 VPC border protection rule parameters

    Parameter

    Description

    Name

    Name of the custom security policy.

    Direction

    You do not need to configure it for an inter-VPC protection rule.

    Source

    Source address of access traffic.

    • IP address: You can set a single IP address, consecutive IP addresses, or an IP address segment.

      • A single IP address, for example, 192.168.10.5

      • Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10

      • Address segment, for example, 192.168.2.0/24

    • IP address group: A collection of IP addresses. For details, see Adding an IP Address Group.

    • Any: any source address

    Destination

    Destination address of access traffic.

    • IP address: You can set a single IP address, consecutive IP addresses, or an IP address segment.

      • A single IP address, for example, 192.168.10.5

      • Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10

      • Address segment, for example, 192.168.2.0/24

    • IP address group: A collection of IP addresses. For details, see Adding an IP Address Group.

    • Domain Name/Domain Name Group: Domain names or domain groups can be protected.

      Application: Supports the protection for domain names or wildcard domain names. Application-layer protocols such as HTTP and HTTPS are supported. Domain names are used for matching.

    • Any: any destination address

    Service

    Set the protocol type and port number of the access traffic.

    • Service: Set Protocol Type, Source Port, and Destination Port.

      • Protocol Type: The value can be TCP, UDP, or ICMP.

      • Source/Destination Port: If Protocol Type is set to TCP or UDP, you need to set the port number.

      Note

      • To specify all the ports of an IP address, set Port to 1-65535.

      • You can specify a single port. For example, to manage access on port 22, set Port to 22.

      • To set a port range, use a hyphen (-) between the starting and ending ports. For example, to manage access on ports 80 to 443, set Port to 80-443.

    • Service group: A collection of services (protocols, source ports, and destination ports) is supported. For details about how to add a custom service group, see Adding a User-defined Service Group. For details about predefined service groups, see Viewing a Predefined Service Group.

    • Any: any protocol type or port number

    Action

    Set the action to be taken when traffic passes through the firewall.

    • Allow: Traffic is forwarded.

    • Block: Traffic is not forwarded.

    Allow Long Connection

    If only one service is configured in the current protection rule and Protocol Type is set to TCP or UDP, you can configure the service session aging time.

    • Yes: Configure the long connection duration.

    • No: Retain the default durations. The default connection durations for different protocols are as follows:

      • TCP: 1800s

      • UDP: 60s

    Note

    Up to 50 rules can be configured with long connections.

    Long Connection Duration

    This parameter is mandatory if Allow Long Connection is set to Yes.

    Configure the long connection duration. Configure the hour, minute, and second.

    Note

    The duration range is 1 second to 1000 days.

    Tag

    (Optional) Tags are used to identify rules. You can use tags to classify and search for security policies.

    Priority

    Priority of the rule. Its value can be:

    • Pin on top: indicates that the priority of the policy is set to the highest.

    • Lower than the selected rule: indicates that the policy priority is lower than a specified rule.

    Note

    • A smaller value indicates a higher priority.

    • The default priority of the first protection rule is 1. You do not need to configure its priority.

    Status

    Whether a policy is enabled.

    image3: enabled

    image4: disabled

    Description

    (Optional) Usage and application scenario

  2. Click OK to complete the protection rule configuration.

Adding a NAT Traffic Protection Rule

  1. In the navigation pane, choose Access Control > Access Policies.

  2. Add a protection rule.

    Click Add Rule. In the displayed Add Rule page, enter the protection information.

    Table 3 SNAT protection rule parameters

    Parameter

    Description

    Rule Type

    Select NAT to protect the traffic of the NAT gateway. Private IP addresses can be configured.

    Note

    To select NAT, ensure that:

    • The professional edition firewall is used.

    • The VPC border firewalls have been configured.

    Name

    Name of the custom security policy.

    Direction

    Select SNAT.

    Source

    Source address of access traffic.

    • IP address: Enter private IP addresses. You can set a single IP address, consecutive IP addresses, or an IP address segment.

      • A single IP address, for example, 192.168.10.5

      • Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10

      • Address segment, for example, 192.168.2.0/24

    • IP address group: You can add multiple private IP addresses to an IP address group. For details about how to add an IP address group, see Adding User-defined IP Addresses and Address Groups.

    • Countries and regions: A continent, a country, or a region

    • Any: any source address

    Destination

    Destination address of access traffic.

    • IP address: Enter private IP addresses. You can set a single IP address, consecutive IP addresses, or an IP address segment.

      • A single IP address, for example, 192.168.10.5

      • Consecutive IP addresses, for example, 192.168.0.2-192.168.0.10

      • Address segment, for example, 192.168.2.0/24

    • IP address group: You can add multiple private IP addresses to an IP address group. For details about how to add an IP address group, see Adding User-defined IP Addresses and Address Groups.

    • Countries and regions: A continent, a country, or a region

    • Domain Name/Domain Name Group: When Direction is set to Outbound, the protection of a domain name or domain name group is supported.

      • Application: Supports the protection for domain names or wildcard domain names. Application-layer protocols such as HTTP and HTTPS are supported. Domain names are used for matching.

      • Network: Supports protection for one or multiple domain names. Applies to network-layer protocols and supports all protocols. The resolved IP addresses are used for matching.

      Note

      • To protect the domain names of HTTP and HTTPS applications, you can select any options.

      • To protect the wildcard domain names of HTTP and HTTPS applications, select Application and then select any option from the drop-down list.

      • To protect a single domain name of other application types (such as FTP, MySQL, and SMTP), select Network and select any option from the drop-down list. (If Domain name is selected, up to 600 IP addresses can be resolved.)

      • If you need to configure the wildcard domain names or application domain name groups of the HTTP/HTTPS applications, and the network domain groups of other application types for the same domain name, ensure that the priority of the Network protection rule is higher than that of the Application protection rule.

      • For details about application and network types, see Adding a Domain Name Group.

    • Any: any destination address

    Service

    • Service: Set Protocol Type, Source Port, and Destination Port.

      • Protocol Type: The value can be TCP, UDP, or ICMP.

      • Source/Destination Port: If Protocol Type is set to TCP or UDP, you need to set the port number.

      Note

      • To specify all the ports of an IP address, set Port to 1-65535.

      • You can specify a single port. For example, to manage access on port 22, set Port to 22.

      • To set a port range, use a hyphen (-) between the starting and ending ports. For example, to manage access on ports 80 to 443, set Port to 80-443.

    • Service group: A service group is a set of services (protocols, source ports, and destination ports). For details about how to add a user-defined service group, see Adding a User-defined Service Group. For details about predefined service groups, see Viewing a Predefined Service Group.

    • Any: any protocol type or port number

    Action

    Set the action to be taken when traffic passes through the firewall.

    • Allow: Traffic is forwarded.

    • Block: Traffic is not forwarded.

    Allow Long Connection

    If only one service is configured in the current protection rule and Protocol Type is set to TCP or UDP, you can configure the service session aging time.

    • Yes: Configure the long connection duration.

    • No: Retain the default durations. The default connection durations for different protocols are as follows:

      • TCP: 1800s

      • UDP: 60s

    Note

    Up to 50 rules can be configured with long connections.

    Long Connection Duration

    This parameter is mandatory if Allow Long Connection is set to Yes.

    Configure the long connection duration. Configure the hour, minute, and second.

    Note

    The duration range is 1 second to 1000 days.

    Tags

    (Optional) Tags are used to identify rules. You can use tags to classify and search for security policies.

    Priority

    Priority of the rule. Its value can be:

    • Pin on top: indicates that the priority of the policy is set to the highest.

    • Lower than the selected rule: indicates that the policy priority is lower than a specified rule.

    Note

    • A smaller value indicates a higher priority.

    • The default priority of the first protection rule is 1. You do not need to configure its priority.

    Status

    Whether a policy is enabled.

    image5: enabled

    image6: disabled

    Description

    (Optional) Usage and application scenario

  3. Click OK to complete the protection rule configuration.

    Note

    The default action of the access control policy is Allow.

last updated: 2025-06-16 12:54 UTC - commit: 64ee2ea784a055ae921fa6f65035420eb1e7b796