
Cloud Firewall: Create access control policies for the Internet firewall

Last Updated: Aug 15, 2025

By default, if you do not create any access control policies after enabling the Internet firewall, Cloud Firewall allows all traffic. You can create outbound and inbound access control policies for the Internet firewall to prevent unauthorized access between Internet-facing assets and the Internet. This topic describes how to create inbound and outbound access control policies for the Internet firewall.

Prerequisites

  • The Internet firewall is enabled for your Internet-facing assets. For more information about how to enable the Internet firewall, see Enable the Internet firewall.

    For more information about the Internet-facing assets that can be protected by Cloud Firewall, see Protection scope.

  • Ensure that you have a sufficient quota for access control policies. You can view the quota usage on the Protection Configuration > Access Control > Internet Border page. For more information about how to calculate quota usage, see Overview of access control policies.

    If the remaining quota is insufficient, you can click Increase Quota to increase the value of Quota for Additional Policy. For more information, see Purchase Cloud Firewall.

  • If you want to add multiple objects as an access source or destination, make sure that an address book that contains the objects is created. For more information, see Manage address books.

Create access control policies for the Internet firewall

Cloud Firewall allows you to create custom policies and provides recommended policies that you can apply.

  • Create custom policies: You can create custom policies based on your business requirements.

  • Apply recommended intelligent policies: Cloud Firewall automatically learns your traffic within the previous 30 days and recommends multiple intelligent policies based on the traffic risks that are identified. You can determine whether to apply the policies.

  • Apply recommended common policies: Cloud Firewall recommends common policies. If the recommended common policies meet your business requirements, you can apply the policies.

Important
  • We recommend that you allow access to the open ports on which services are provided for an open public IP address on the Internet firewall and deny access to other ports. This reduces the exposure of your assets to the Internet.

  • If you want to allow access from trusted sources such as IP addresses or domain names and deny access to other sources, we recommend that you first create a policy that allows access from the trusted sources and has a higher priority and then create a policy that denies traffic from all sources and has a lower priority.

  • If you do not apply recommended intelligent policies or recommended common policies, the policies do not take effect.

Create a custom policy

You can create a custom outbound or inbound policy for the Internet firewall based on your business requirements.

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, choose Protection Configuration > Access Control > Internet Border.

  3. On the Outbound or Inbound tab, select IPv4 or IPv6 from the drop-down list and click Create Policy. IPv4 is selected by default, so an access control policy for IPv4 addresses is created unless you choose IPv6.

  4. In the Create Outbound Policy or Create Inbound Policy panel, click the Create Policy tab.

  5. Configure the policy based on the following table and click OK.

    Create an access control policy to protect outbound traffic over the Internet

    Source Type and Source

    The initiator of the network traffic. You need to select a source type and specify the source address based on the source type.

    • If you select IP, you must enter CIDR blocks. Enter CIDR blocks in standard format, such as 192.168.0.0/16. You can enter up to 2,000 CIDR blocks. Separate multiple CIDR blocks with commas (,).

      If you enter multiple CIDR blocks at a time, Cloud Firewall automatically creates an address book that includes the entered CIDR blocks. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book.

    • If you select Address Book, you must create an IP address book (IPv4 or IPv6) in advance. For more information about how to create an address book, see Manage address books.

    Destination Type and Destination

    The receiver of the network traffic. You need to select a destination type and specify the destination address based on the destination type.

    • If you select IP, you must enter CIDR blocks. Enter CIDR blocks in standard format, such as 192.168.0.0/16. You can enter up to 2,000 CIDR blocks. Separate multiple CIDR blocks with commas (,).

      If you enter multiple CIDR blocks at a time, Cloud Firewall automatically creates an address book that includes the entered CIDR blocks. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book.

    • If you select Address Book, you must create an IP address book (IPv4 or IPv6) in advance. For more information about how to create an address book, see Manage address books.

    • If you select Domain Name, you need to select a domain name resolution mode. Valid values:

      • FQDN-based Resolution (Extract Host or SNI Field in Packets): We recommend that you select this mode to manage traffic of the HTTP, HTTPS, SMTP, SMTPS, SSL, POPS, and IMAPS protocols.

      • DNS-based Dynamic Resolution: We recommend that you select this mode to manage traffic of protocols other than HTTP, HTTPS, SMTP, SMTPS, SSL, POPS, and IMAPS.

        Important

        This mode does not support wildcard domain names or address books that contain wildcard domain names.

      • FQDN-based And DNS-based Dynamic Resolution: We recommend that you select this mode to manage traffic of the HTTP, HTTPS, SMTP, SMTPS, SSL, POPS, and IMAPS protocols if some or all of the traffic does not contain HOST or SNI fields.

        Important

        This mode takes effect only when the strict mode is enabled for ACL Engine Management. This mode does not support wildcard domain names or address books that contain wildcard domain names.

    • If you select Region, you need to select the region where the destination address is located. You can select one or more regions inside or outside China.

    Protocol Type

    The type of the transport-layer protocol. Valid values: TCP, UDP, ICMP, and ANY. If you are not sure about the protocol type, select ANY.

    Port Type and Port

    The destination port type and destination port.

    • If you select Port, you need to enter port ranges. Specify a port range in the Port number/Port number format. Examples: 22/22 or 80/88. You can specify up to 2,000 port ranges. Separate multiple port ranges with commas (,).

      If you enter multiple port ranges, Cloud Firewall automatically creates an address book that includes the entered port ranges. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book.

    • If you select Address Book, you must create a port address book in advance. For more information about how to create an address book, see Manage address books.

    Application

    The application type of the traffic. The application types that you can select vary based on the destination type and protocol type.

    • If Protocol Type is set to TCP:

      • If Destination Type is set to IP, Address Book for IP addresses, or Region, you can select all application types.

      • If Destination Type is set to Domain Name or Address Book for domain names:

        • If Domain Name Resolution Mode is set to FQDN-based Dynamic Resolution (Extract Host and SNI Fields), you can select only HTTP, HTTPS, SMTP, SMTPS, SSL, POPS, and IMAPS.

        • If Domain Name Resolution Mode is set to DNS-based Dynamic Resolution, you can select all application types.

        • If Domain Name Resolution Mode is set to FQDN-based and DNS-based Dynamic Resolution, you can select only HTTP, HTTPS, SMTP, SMTPS, SSL, POPS, and IMAPS.

    • If Protocol Type is set to UDP, you can select ANY or DNS for Application.

    • If Protocol Type is set to ICMP or ANY, you can select only ANY for Application.

    Note

    Cloud Firewall identifies applications based on packet characteristics instead of port numbers. If Cloud Firewall fails to identify an application in a packet, Cloud Firewall allows the packet. If you want to block traffic from unknown applications, we recommend that you enable the strict mode for the Internet firewall. For more information, see Access control engine modes.

    Action

    The action on the traffic that matches the policy.

    • Allow: allows the traffic.

    • Deny: blocks the traffic without sending a notification.

    • Monitor: allows the traffic and monitors the traffic. You can filter and monitor the traffic in traffic logs. After you monitor the traffic for a period of time, you can change the action to Allow or Deny based on your business requirements.

    Description

    The description of the policy. The description helps you identify the purpose of the policy when you view the policy later.

    Priority

    The priority of the policy. The default value is Lowest, which indicates the lowest priority.

    • Highest: The policy has the highest priority and takes effect first.

    • Lowest: The policy has the lowest priority and takes effect last.

    Policy Validity Period

    The validity period of the policy. The policy takes effect only within the validity period.

    • Always

    • Single Time Range: If you select this option, specify a single time range.

    • Recurrence Cycle: If you select this option, specify the time range and date on which you want the policy to take effect.

    Status

    Specifies whether to enable the policy. If you do not enable the policy when you create it, you can enable the policy in the policy list.

    Create an access control policy to protect inbound traffic over the Internet

    Source Type and Source

    The initiator of the network traffic. You need to select a source type and specify the source address based on the source type.

    • If you select IP, you must enter CIDR blocks. Enter CIDR blocks in standard format, such as 192.168.0.0/16. You can enter up to 2,000 CIDR blocks. Separate multiple CIDR blocks with commas (,).

      If you enter multiple CIDR blocks at a time, Cloud Firewall automatically creates an address book that includes the entered CIDR blocks. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book.

    • If you select Address Book, you must create an address book in advance. For more information about how to create an address book, see Manage address books.

    • If you select Region, you need to select the region where the source address is located. You can select one or more regions inside or outside China.

    Destination Type and Destination

    The receiver of the network traffic. You need to select a destination type and specify the destination address based on the destination type.

    • If you select IP, you must enter CIDR blocks. Enter CIDR blocks in standard format, such as 192.168.0.0/16. You can enter up to 2,000 CIDR blocks. Separate multiple CIDR blocks with commas (,).

      If you enter multiple CIDR blocks at a time, Cloud Firewall automatically creates an address book that includes the entered CIDR blocks. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book.

    • If you select Address Book, you must create an IP address book in advance. For more information about how to create an address book, see Manage address books.

    Protocol Type

    The type of the transport-layer protocol. Valid values: TCP, UDP, ICMP, and ANY. If you are not sure about the protocol type, select ANY.

    Port Type and Port

    The destination port type and destination port.

    • If you select Port, you need to enter port ranges. Specify a port range in the Port number/Port number format. Examples: 22/22 or 80/88. You can specify up to 2,000 port ranges. Separate multiple port ranges with commas (,).

      If you enter multiple port ranges, Cloud Firewall automatically creates an address book that includes the entered port ranges. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book.

    • If you select Address Book, you must create a port address book in advance. For more information about how to create an address book, see Manage address books.

    Application

    The application type of the traffic.

    • If Protocol Type is set to TCP, you can select all application types, such as HTTP, HTTPS, SMTP, SMTPS, SSL, and FTP.

    • If Protocol Type is set to UDP, you can select ANY or DNS for Application.

    • If Protocol Type is set to ICMP or ANY, you can select only ANY for Application.

    Note

    Cloud Firewall identifies applications based on packet characteristics instead of port numbers. If Cloud Firewall fails to identify an application in a packet, Cloud Firewall allows the packet. If you want to block traffic from unknown applications, we recommend that you enable the strict mode for the Internet firewall. For more information, see Access control engine modes.

    Action

    The action on the traffic that matches the policy.

    • Allow: allows the traffic.

    • Deny: blocks the traffic without sending a notification.

    • Monitor: allows the traffic and monitors the traffic. You can filter and monitor the traffic in traffic logs. After you monitor the traffic for a period of time, you can change the action to Allow or Deny based on your business requirements.

    Description

    The description of the policy. The description helps you identify the purpose of the policy when you view the policy later.

    Priority

    The priority of the policy. The default value is Lowest, which indicates the lowest priority.

    • Highest: The policy has the highest priority and takes effect first.

    • Lowest: The policy has the lowest priority and takes effect last.

    Policy Validity Period

    The validity period of the policy. The policy takes effect only within the validity period.

    • Always

    • Single Time Range: If you select this option, specify a single time range.

    • Recurrence Cycle: If you select this option, specify the time range and date on which you want the policy to take effect.

    Status

    Specifies whether to enable the policy. If you do not enable the policy when you create it, you can enable the policy in the policy list.

Apply recommended intelligent policies

Cloud Firewall automatically learns your traffic from the previous 30 days and recommends multiple intelligent policies based on the traffic risks that are identified. If the recommended intelligent policies meet your business requirements, you can apply the policies.

You can apply both outbound and inbound intelligent policies that are recommended.

Warning
  • Before you apply a recommended policy, make sure that you understand its meaning and the possible impacts on services.

  • You can ignore recommended intelligent policies. After you ignore a recommended intelligent policy, the policy cannot be restored. Proceed with caution.

Check whether recommended intelligent policies exist

You can check whether recommended intelligent policies are generated by Cloud Firewall on the Internet Border page.

  1. In the left-side navigation pane, choose Protection Configuration > Access Control > Internet Border.

  2. Go to the Recommended Intelligent Policy page. You can use one of the following methods:

    • In the upper-right corner above the policy list, click Intelligent Policy. In the panel that appears, click the Outbound or Inbound tab.

    • On the Outbound or Inbound tab, click Create Policy. In the panel that appears, click the Recommended Intelligent Policy tab.

  3. View and apply the recommended intelligent policies. You can find a policy and click Apply Policy. Alternatively, you can select multiple policies and click Batch Dispatch.

Apply recommended common policies

If the recommended common policies meet your business requirements, you can apply the policies.

Warning
  • Before you apply a recommended policy, make sure that you understand its meaning and the possible impacts on services.

  • You can ignore recommended common policies. After you ignore a recommended common policy, the policy cannot be restored. Proceed with caution. If you ignore all recommended common policies, the Recommended Common Policy tab is no longer displayed.

  1. In the left-side navigation pane, choose Protection Configuration > Access Control > Internet Border.

  2. On the Outbound or Inbound tab, click Create Policy. In the panel that appears, click the Recommended Common Policy tab.

  3. View and apply the recommended common policies. You can find a policy and click Quick Apply.

Configure the access control engine mode

The access control engine supports two modes: Loose Mode and Strict Mode.

  • Loose Mode (default): After you enable the loose mode, traffic whose application type or domain name is identified as Unknown is allowed. This ensures normal access.

  • Strict Mode: After you enable the strict mode, the traffic whose application type or domain name is identified as Unknown is matched against all policies you configured. If you configured a Deny policy, this type of traffic is denied.
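As an added illustration, not Alibaba Cloud's code or the firewall's actual matching algorithm, the following Python model shows how the custom policy fields from the tables above (source and destination CIDR blocks, protocol, port ranges in the "22/22,80/88" format, application, priority, action) are evaluated in priority order, how the recommended pattern of a higher-priority Allow for trusted sources followed by a lower-priority Deny for all sources plays out, and how Loose Mode and Strict Mode differ for traffic whose application is Unknown. The Policy class, parse_ports, in_cidrs, evaluate and the sample addresses are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ALLOW, DENY, MONITOR = "Allow", "Deny", "Monitor"

def parse_ports(spec):
    """Parse the console's 'Port number/Port number' list, e.g. '22/22,80/88'."""
    ranges = []
    for item in spec.split(","):
        lo, hi = (int(x) for x in item.strip().split("/"))
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port range: {item}")
        ranges.append((lo, hi))
    return ranges

def in_cidrs(addr, spec):
    """True if addr falls in any of the comma-separated CIDR blocks in spec."""
    return any(ip_address(addr) in ip_network(c.strip(), strict=False)
               for c in spec.split(","))

@dataclass
class Policy:  # constructed model of one access control policy row
    priority: int  # 1 is highest; a smaller value wins, as on the policy list
    src: str       # source CIDR blocks (Source Type = IP)
    dst: str       # destination CIDR blocks (Destination Type = IP)
    proto: str     # TCP, UDP, ICMP or ANY
    ports: str     # destination port ranges in lo/hi format (not used for ICMP)
    app: str       # ANY or an identified application such as HTTP
    action: str    # Allow, Deny or Monitor

    def matches(self, flow, strict):
        if not (in_cidrs(flow["src"], self.src) and in_cidrs(flow["dst"], self.dst)):
            return False
        if self.proto not in ("ANY", flow["proto"]):
            return False
        if flow["proto"] != "ICMP" and not any(
                lo <= flow["port"] <= hi for lo, hi in parse_ports(self.ports)):
            return False
        if flow["app"] == "Unknown":
            # Loose mode: unidentified traffic is let through without consulting
            # policies. Strict mode: it is matched against every policy regardless
            # of the policy's Application value, so a Deny policy can catch it.
            return strict
        return self.app in ("ANY", flow["app"])

def evaluate(policies, flow, strict=False):
    """First match in priority order decides; no match means the default Allow."""
    for p in sorted(policies, key=lambda p: p.priority):
        if p.matches(flow, strict):
            return p.action
    return ALLOW

# Constructed inbound policy set following the page's recommendation: a
# higher-priority Allow for trusted sources on the open service ports, then a
# lower-priority Deny for all other sources. Addresses are documentation ranges.
INBOUND = [
    Policy(1, "203.0.113.0/24", "198.51.100.10/32", "TCP", "22/22,443/443", "ANY", ALLOW),
    Policy(2, "0.0.0.0/0", "198.51.100.10/32", "ANY", "0/65535", "ANY", DENY),
]
```

Swapping the two priority values makes the Deny policy win even for trusted sources, which is why the page tells you to create the Allow policy with the higher priority first.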

Cloud Firewall allows you to configure the default access control engine mode for new assets, change the access control engine mode for a single asset, and change the access control engine mode for multiple assets at the same time. To perform the preceding operations, go to the Protection Configuration > Access Control > Internet Border page. On the Internet Border page, click ACL Engine Mode in the upper-right corner of the access control policy list. Then, perform the required operations in the Access Control Engine Management - Internet Border panel.

Configure the default access control engine mode for new assets

In the Access Control Engine Management - Internet Border panel, the mode specified for Add ACL Engine Mode is displayed in the Engine Management section. The specified mode is automatically applied to new assets.

To change the mode, click Modify.

Change the access control engine mode for an asset

In the Access Control Engine Management - Internet Border panel, the access control engine mode of an asset is displayed in the ACL Engine Mode column of the asset.

To change the mode, click Modification.

Change the access control engine mode for multiple assets at the same time

In the Access Control Engine Management - Internet Border panel, select multiple assets and click Batch Modify below the asset list to change their access control engine mode.

View policy hits

After your business runs for a period of time, you can view the hit count and last hit time of access control policies in the Hits/Last Hit At column of the access control policy list.

You can click the hit count to go to the Traffic Logs page to view traffic logs. For more information about how to view traffic logs, see Log Audit.

What to do next

After you create a custom policy, you can find the policy in the list of custom policies and click Edit, Delete, or Copy in the Actions column to manage the policy. You can download the list of custom policies, delete multiple policies at a time, and click Move to change the priority of the policy.

A valid priority value ranges from 1 to the number of existing policies. A smaller value indicates a higher priority. After you change the priority of a policy, the priorities of the policies that rank below it decrease accordingly.

Important

After you delete a policy, Cloud Firewall no longer manages the traffic that the policy previously controlled. Proceed with caution.