The web filtering feature of Cloud Firewall uses custom URL templates to manage Layer 7 traffic. You can allow, monitor, or block outbound traffic based on domain name and path rules. This feature extends traffic control from the basic network layer to specific web access paths, which helps you implement fine-grained Internet access management and service protection.
The web filtering feature is currently in private preview. To activate this feature, contact your business manager.
Before you begin
A Cloud Firewall instance is activated. The web filtering feature requires Enterprise Edition or Ultimate Edition.
You have been granted the required RAM permissions. Use the AliyunYundunCFWFullAccess policy to access the access control page.
Your outbound traffic is routed through Cloud Firewall. Make sure that DNS or routing is properly configured so that traffic passes through the firewall.
Create a web filtering template
Log on to the Cloud Firewall console.
In the left-side navigation pane, choose .
Click Create Template and configure the following settings.
Parameter: Description
Template Name and Template Description: Set a descriptive template name and description for easy identification.
Template Switch: Enable or disable the template. The configurations in a template take effect only when the template is enabled.
Custom Rules: Enter the destination domain name and specify an action. You can click Add Rule to add multiple rules. For HTTPS traffic, you must configure TLS inspection first to extract URL information. Otherwise, this feature does not work properly.
The destination URL must comply with the following format requirements:
Full path format: The destination URL must contain both the hostname and the path. The system matches these against the corresponding parts in the HTTP request.
Must include a forward slash: The path format must be complete and end with a forward slash (/).
Valid example: example.com/
Invalid example: example.com
Must not include: protocol headers (such as https://) or request parameters.
Wildcard restriction: Only one wildcard (*) is supported, and it must be placed at the end of the path.
Valid examples: example.com/* or example.com/test/*
Invalid examples: *.example.com, example.com/*/test, or example.com/test*
The following actions are supported:
Monitor: Requests are allowed and recorded in the event logs of Log audit.
Allow: Requests are allowed without being logged in event logs.
Deny: Requests are blocked and recorded in event logs.
Note: When multiple URL rules are configured for the same domain, the system applies the longest match principle.
For example, if you configure both Allow example.com/* and Deny example.com/test/*, a request for example.com/test/test is denied because the second rule matches a longer path.
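The format requirements and the longest match principle above can be checked locally before a template is entered in the console. The following is an added example, not Cloud Firewall code: the function names are hypothetical, and it assumes that a rule must end in / or /*, and that a rule without a wildcard matches only the exact hostname and path.

```python
# Added example: a local model of the rule format and longest-match behavior
# described above. Not Cloud Firewall code; matching details are assumptions.

def validate_rule(url):
    """Return a list of format problems; an empty list means the rule is valid."""
    problems = []
    if "://" in url:
        problems.append("protocol header not allowed")
    if "?" in url:
        problems.append("request parameters not allowed")
    host, slash, _path = url.partition("/")
    if not host or not slash:
        problems.append("hostname and path are both required")
    if "*" in url and (url.count("*") > 1 or not url.endswith("/*")):
        problems.append("one wildcard only, as the final path segment")
    elif "*" not in url and slash and not url.endswith("/"):
        # Assumption: read from the page's valid and invalid examples.
        problems.append("path must end with '/'")
    return problems

def evaluate(rules, request):
    """rules: list of (url_rule, action); request: 'host/path', no scheme or query.
    Returns the action of the longest matching rule, or None if nothing matches."""
    best = None
    for url, action in rules:
        problems = validate_rule(url)
        if problems:
            raise ValueError(f"invalid rule {url!r}: {problems}")
        if url.endswith("*"):
            prefix = url[:-1]                  # literal part before the wildcard
            matched = request.startswith(prefix)
        else:
            prefix = url
            matched = request == url           # assumption: exact match only
        if matched and (best is None or len(prefix) > len(best[0])):
            best = (prefix, action)
    return best[1] if best else None

# Constructed sample template, taken from the example in the Note above.
TEMPLATE = [("example.com/*", "Allow"), ("example.com/test/*", "Deny")]

if __name__ == "__main__":
    for req in ("example.com/test/test", "example.com/index.html", "other.example/"):
        print(req, "->", evaluate(TEMPLATE, req))
```

A result of None means that no rule in the template matched; the page does not state what the firewall does in that case.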
What to do next
After you create a template, you can reference it in Internet Border Outbound access control policies. For more information, see Access control policies for the internet firewall.
Manage templates
On the Web Filtering tab, you can perform the following operations on existing templates:
Enable or disable a template: Toggle the switch in the Template Switch column to enable or disable a template.
Edit a template: Click Edit in the Actions column to modify the template configurations.
Delete a template: Click Delete in the Actions column. You cannot delete a template that is referenced by access control policies.