
Cloud Firewall:FAQ about access control policies

Last Updated:Feb 18, 2024

This topic describes the issues that may occur when you use access control policies of Cloud Firewall to control business traffic. This topic also provides solutions to the issues.

Can I increase the default quota for access control policies?

  • If you use Premium Edition, Enterprise Edition, or Ultimate Edition of Cloud Firewall that uses the subscription billing method, and the quota for access control policies of the Internet firewall, NAT firewalls, or virtual private clouds (VPC) firewalls cannot meet your business requirements, you can configure the Quota for Additional Policy parameter on the Cloud Firewall buy page to increase the quota. For more information, see Subscription.

  • If you use Cloud Firewall that uses the pay-as-you-go billing method, you cannot increase the quota for access control policies. For more information, see Pay-as-you-go.

Can I increase the protected VPC traffic bandwidth?

Yes, if the purchased VPC traffic processing capability cannot meet your business requirements, you can configure the Protected VPC Traffic parameter to increase the peak cross-VPC traffic that can be protected.

  • Enterprise Edition: The basic price covers 200 Mbit/s of bandwidth. You can increase the traffic processing capability to up to 5,000 Gbit/s.

  • Ultimate Edition: The basic price covers 1,000 Mbit/s of bandwidth. You can increase the traffic processing capability to up to 10,000 Mbit/s.

Can Cloud Firewall block traffic of IPv6 CIDR blocks?

If you use Premium Edition, Enterprise Edition, or Ultimate Edition of Cloud Firewall that uses the subscription billing method, you can create access control policies for the Internet firewall to control the traffic of IPv6 CIDR blocks. For more information, see Create inbound and outbound access control policies for the Internet firewall.

Cloud Firewall that uses the pay-as-you-go billing method does not control traffic of IPv6 CIDR blocks.

What are the differences between Cloud Firewall and security groups?

A security group is a virtual host firewall provided by Elastic Compute Service (ECS) to control the traffic between ECS instances.

Cloud Firewall provides the Internet firewall to control the traffic at the Internet boundary, NAT firewalls to control the traffic at the NAT boundary, VPC firewalls to control the traffic at the VPC boundary, and internal firewalls to control the traffic between ECS instances.

Compared with security groups, Cloud Firewall provides the following unique features:

  • Application-based access control. You can control traffic by protocol such as HTTP without the need to specify ports.

  • Domain name-based access control. For example, you can allow ECS instances to send requests only to a specific domain name.

  • Intrusion prevention. Cloud Firewall provides preemptive measures against common system vulnerabilities and brute-force attacks.

  • The monitor mode of access control policies. In this mode, Cloud Firewall records matching traffic but does not block potentially malicious traffic.

  • Complete traffic logs and real-time traffic analysis.

  • Centralized platform security management. The access control policies that are created for internal firewalls in the Cloud Firewall console are automatically synchronized to ECS security groups. This simplifies security management.

What are the differences between common policy groups and enterprise policy groups?

Policy groups that are configured for an internal firewall between ECS instances correspond to the security groups of ECS instances. Policy groups are virtual firewalls that control inbound and outbound traffic between ECS instances. Policy groups are classified into common and enterprise policy groups, which are suitable for different scenarios.

  • A common policy group corresponds to a basic security group of ECS instances. Resources in the same basic security group can communicate with each other. A common policy group can be specified as an authorization object in the rules of other security groups. The number of private IP addresses that a common policy group can contain is smaller than that of an enterprise policy group.

  • An enterprise policy group corresponds to an advanced security group of ECS instances. You can configure access control policies for more private IP addresses in an enterprise policy group. However, resources in the same enterprise policy group cannot communicate with each other, and an enterprise policy group cannot be specified as an authorization object in the rules of other security groups.

For more information, see Basic security groups and advanced security groups.

I configured an outbound access control policy whose application type is HTTP or HTTPS for a domain name. How do I check whether the policy is valid?

You can run the curl command or enter the domain name in the address bar of a browser to check whether the policy is valid. For example, you can run the curl -k "https://www.aliyundoc.com" command, and then log on to the Cloud Firewall console to view the number of times that the policy is hit and the audit logs.

Important

Do not run the telnet command to check whether the policy takes effect on the domain name. When you run the telnet command, such as the telnet example.com 80 command, only TCP handshake traffic is generated. Complete HTTP or HTTPS requests are not simulated. In this case, the application type of the traffic is identified as Unknown and the traffic does not hit a policy whose application type is HTTP or HTTPS.

How do I troubleshoot the error that is returned after I apply the default Allow policies to a security group?

The error is reported because the security groups that are associated with the IP address for which you apply the policies do not support the default Allow policies due to the following reasons:

  • The security groups that are associated with the IP address are advanced security groups.

    Advanced security groups do not support the default Allow policies. For more information, see Advanced security groups.

  • The Internet firewall is disabled for the IP address.

    To better protect your assets, we recommend that you do not apply the default Allow policies to resources for which the firewalls provided by Cloud Firewall are disabled. We recommend that you do not disable the firewalls for resources to which you have applied the default Allow policies.

When I apply the default Allow policies, the system prompts that a configuration conflict cannot be resolved. How do I troubleshoot the error?

Possible cause

The priorities, protocol types, port ranges, and authorization objects of the security group rules for the security groups that are associated with the IP address are the same as those of the default Allow policies to be applied.

Solution

We recommend that you go to the Security Groups page of the ECS console to view and adjust the priorities of conflicting rules. For more information, see Modify a security group rule. You can also submit a ticket to obtain technical support.

Why is the Quick Apply icon unavailable? How do I troubleshoot the error?

Possible cause

Conflicting security group rules exist.

Solution

You must resolve the conflicts between the rules in the ECS security groups that are associated with the IP address, as prompted, before you can click Apply to apply the default Allow policies. For more information, see Internet Firewall.

How do I eliminate false positives for suspicious outbound connections that are caused by Internet-based scans?

Possible cause

If false positives for suspicious outbound connections are generated while Internet-based port scans are performed, the inbound access control policies are too permissive. When an attacker scans a port that is closed on a server, the server returns an Internet Control Message Protocol (ICMP) packet that indicates the port is unreachable. Cloud Firewall treats this ICMP packet as an outbound connection that is initiated from the server side.

Principles

The following section describes how a false positive is generated:

  • In normal cases, when a SYN packet reaches an open port on a server, the server returns a SYN-ACK packet. Cloud Firewall recognizes that the SYN and SYN-ACK packets belong to the same connection.

  • When an attacker scans a port that is closed on a server, the server or a NAT gateway returns an ICMP packet that indicates the port is unreachable. Cloud Firewall cannot identify the request packet that corresponds to the ICMP packet, so the ICMP packet is treated as an outbound connection that is initiated from the server side. If the source of the scan is listed in a threat intelligence library, an alert is generated for a suspicious outbound connection.


Solution

To resolve this issue, we recommend that you configure an inbound access control policy to allow traffic only over the ports that are required for your workloads. For more information, see Create inbound and outbound access control policies for the Internet firewall.
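The following toy connection tracker is an added illustration of the false positive described above; it is not Cloud Firewall's own logic. The server, scanner and threat-intelligence entries are constructed addresses, and the tracker deliberately does not parse the IP header quoted inside the ICMP error, which is the assumption that makes the ICMP reply look like a server-initiated flow. The second run shows why an inbound policy that only allows the required ports removes the alert: the SYN to a closed port never reaches the server, so no ICMP reply is generated.

```python
"""Why an ICMP "port unreachable" reply to an Internet scan can be reported as a
suspicious outbound connection, and why a tighter inbound policy fixes it.
Added example with constructed data, not Cloud Firewall's implementation."""
from dataclasses import dataclass

SERVER = "203.0.113.10"      # protected server (constructed address)
SCANNER = "198.51.100.99"    # scanning host (constructed address)
THREAT_INTEL = {SCANNER}     # constructed threat intelligence entry


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                # "tcp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: str = ""           # "SYN" or "SYN-ACK"
    icmp_type: str = ""       # e.g. "port-unreachable"


def server_reply(syn: Packet, open_ports) -> Packet:
    """What the server (or a NAT gateway in front of it) answers to a SYN."""
    if syn.dport in open_ports:
        return Packet(syn.dst, syn.src, "tcp", sport=syn.dport, dport=syn.sport,
                      flags="SYN-ACK")
    return Packet(syn.dst, syn.src, "icmp", icmp_type="port-unreachable")


class FlowTracker:
    """Pairs replies with the request they answer; anything leaving the server
    that cannot be paired is recorded as a new outbound connection."""

    def __init__(self):
        self.sessions = set()     # (src, dst, sport, dport) of inbound SYNs seen
        self.outbound = []        # (src, dst, proto) flows seen as server-initiated

    def inbound(self, pkt: Packet):
        self.sessions.add((pkt.src, pkt.dst, pkt.sport, pkt.dport))

    def from_server(self, pkt: Packet):
        if pkt.proto == "tcp" and (pkt.dst, pkt.src, pkt.dport, pkt.sport) in self.sessions:
            return                # SYN-ACK belongs to the tracked inbound session
        # The ICMP error carries no port tuple the tracker understands (it would
        # have to parse the quoted header), so it cannot be tied to the SYN that
        # caused it and is treated as a new outbound connection.
        self.outbound.append((pkt.src, pkt.dst, pkt.proto))


def run_scan(scan_ports, open_ports, inbound_allowed_ports=None):
    """Scan SERVER from SCANNER and return the suspicious-outbound alerts raised.

    inbound_allowed_ports: when set, the inbound access control policy drops
    SYNs to any other port before the server sees them, so the server never
    answers with ICMP and nothing is left to misclassify."""
    tracker = FlowTracker()
    for i, port in enumerate(scan_ports):
        syn = Packet(SCANNER, SERVER, "tcp", sport=40000 + i, dport=port, flags="SYN")
        if inbound_allowed_ports is not None and port not in inbound_allowed_ports:
            continue              # blocked by the inbound policy
        tracker.inbound(syn)
        tracker.from_server(server_reply(syn, open_ports))
    # An alert is raised only when the "destination" is a known bad source.
    return [flow for flow in tracker.outbound if flow[1] in THREAT_INTEL]


if __name__ == "__main__":
    ports, open_ports = [22, 80, 443, 3389], {22, 443}
    print("permissive inbound policy:", run_scan(ports, open_ports))
    print("required ports only     :", run_scan(ports, open_ports, {22, 443}))
```

With the permissive policy the two closed ports (80 and 3389) each produce an ICMP reply that the tracker cannot pair, so two alerts are raised; restricting inbound traffic to the required ports removes them without touching the detection side.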

I configured an outbound Deny access control policy whose Source is set to 0.0.0.0/0 for the Internet firewall. However, some traffic is still allowed because no policy is matched. Why?

Possible causes

  • The domain name of the traffic is not identified.

    You configured a domain name-based access control policy that has a high priority, and the source IP address, destination IP address, and application type of traffic are identified. However, the domain name of the traffic is not identified. In this case, the traffic is allowed. This ensures that the domain name of the traffic can be identified by subsequent access control policies.

  • The application type of traffic is not identified.

    You configured an application-based access control policy that has a high priority, and the source IP address, destination IP address, and port of the traffic are identified. However, the application type of the traffic is not identified. In this case, the traffic is allowed. This ensures that the application type of the traffic can be identified by subsequent access control policies.

Solutions

  • Enable the strict mode for access control policies of the Internet firewall.

    After you enable the strict mode, Cloud Firewall matches the preceding traffic against other access control policies until the application type or domain name of the traffic is identified. If a Deny policy is configured, traffic whose application type or domain name is identified as Unknown is denied. For more information, see Configure the strict mode of the Internet firewall.

  • Create only Layer 4 access control policies. Do not create Layer 7 access control policies.

    When you create a Layer 4 access control policy, set the Application parameter to ANY. Do not specify domain names for Destination. If Cloud Firewall matches traffic to the Layer 4 access control policy, Cloud Firewall processes the traffic based on the action that is specified in the policy. For more information, see Create inbound and outbound access control policies for the Internet firewall.

How do I configure access control policies to allow access only to a specified subdomain name of a secondary domain name?

In this example, the xyz.com domain name is used. To configure access control policies to allow access only to the abc.xyz.com domain name, perform the following operations:

  1. Create an access control policy to block access to the *xyz.com domain name and set the priority of the policy to Lowest.

  2. Create an access control policy to allow access to the abc.xyz.com domain name and set the priority of the policy to Highest.

Make sure that the policy that allows access to the subdomain name has a higher priority than the policy that denies access to other websites. For more information about how to configure an access control policy, see Create inbound and outbound access control policies for the Internet firewall.
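The following policy evaluator is an added example, not Cloud Firewall's own code, that models three points made on this page: why a telnet connection does not hit an HTTP or HTTPS domain policy while a curl request does, why a Layer 7 "Deny 0.0.0.0/0" policy lets unidentified traffic through unless the strict mode is enabled or the policy is a Layer 4 one with Application set to ANY, and why the Allow policy for abc.xyz.com must have a higher priority than the Deny policy for *xyz.com. The Policy and Flow fields, the handling of Unknown values in strict mode, the default Allow when nothing matches, and all sample addresses and flows are assumptions made for the illustration.

```python
"""Simplified model of how an outbound access control policy list is evaluated.
Added example with assumed semantics; not Cloud Firewall's implementation."""
from dataclasses import dataclass
from fnmatch import fnmatch
import ipaddress

UNKNOWN = "Unknown"   # application or domain the firewall could not identify


@dataclass
class Policy:
    name: str
    action: str                    # "Allow" or "Deny"
    priority: int                  # 1 = Highest; larger numbers are evaluated later
    source: str = "0.0.0.0/0"      # CIDR
    destination: str = "0.0.0.0/0" # CIDR, or a domain pattern such as "*xyz.com"
    application: str = "ANY"       # "ANY", "HTTP", "HTTPS", ...


@dataclass
class Flow:
    src: str                       # source IP of the outbound connection
    dst: str                       # destination IP
    port: int
    application: str = UNKNOWN     # identified from the payload, if any
    domain: str = UNKNOWN          # identified from the HTTP Host header or TLS SNI


def is_cidr(value: str) -> bool:
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def _layer7(expected: str, actual: str, is_deny: bool, strict: bool) -> str:
    """Match one Layer 7 criterion; returns "match", "skip" or "passthrough".

    Non-strict mode: an Unknown value cannot be evaluated yet, so the flow is
    let through and no policy is hit.  Strict mode (assumed reading of the
    FAQ): Unknown satisfies a Deny policy's criterion but never an Allow
    policy's, so unidentified traffic is denied when a Deny policy covers it."""
    if expected == "ANY":
        return "match"
    if actual == UNKNOWN:
        if not strict:
            return "passthrough"
        return "match" if is_deny else "skip"
    return "match" if fnmatch(actual.lower(), expected.lower()) else "skip"


def evaluate(policies, flow, strict=False):
    """Return (action, name of the policy that was hit or None)."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for p in sorted(policies, key=lambda p: p.priority):
        if src not in ipaddress.ip_network(p.source, strict=False):
            continue
        results = []
        if is_cidr(p.destination):
            if dst not in ipaddress.ip_network(p.destination, strict=False):
                continue
        else:                      # domain name-based destination
            results.append(_layer7(p.destination, flow.domain, p.action == "Deny", strict))
        results.append(_layer7(p.application, flow.application, p.action == "Deny", strict))
        if "skip" in results:
            continue               # an identified field rules this policy out
        if "passthrough" in results:
            return ("Allow", None) # allowed, but no policy was hit
        return (p.action, p.name)
    return ("Allow", None)         # assumed default action when nothing matches


# --- constructed sample policies and flows -----------------------------------
# telnet only completes the TCP handshake, so application and domain stay
# Unknown; curl sends a real HTTPS request that the firewall can identify.
DOMAIN_CHECK = [Policy("allow-doc-site", "Allow", 1, destination="www.aliyundoc.com",
                       application="HTTPS")]
TELNET_FLOW = Flow("10.0.0.5", "203.0.113.10", 80)
CURL_FLOW = Flow("10.0.0.5", "203.0.113.10", 443, application="HTTPS",
                 domain="www.aliyundoc.com")

# A Layer 7 "Deny 0.0.0.0/0" policy versus a Layer 4 one (Application = ANY).
DENY_L7 = [Policy("deny-all-http", "Deny", 1, application="HTTP")]
DENY_L4 = [Policy("deny-all-l4", "Deny", 1, application="ANY")]
UNIDENTIFIED_FLOW = Flow("10.0.0.5", "198.51.100.7", 8080)

# Allow only abc.xyz.com: the Allow must sit above the wildcard Deny.
SUBDOMAIN_OK = [Policy("allow-abc", "Allow", 1, destination="abc.xyz.com"),
                Policy("deny-xyz", "Deny", 100, destination="*xyz.com")]
SUBDOMAIN_REVERSED = [Policy("allow-abc", "Allow", 100, destination="abc.xyz.com"),
                      Policy("deny-xyz", "Deny", 1, destination="*xyz.com")]
ABC_FLOW = Flow("10.0.0.5", "198.51.100.20", 443, application="HTTPS", domain="abc.xyz.com")
WWW_FLOW = Flow("10.0.0.5", "198.51.100.21", 443, application="HTTPS", domain="www.xyz.com")

if __name__ == "__main__":
    print("telnet check      :", evaluate(DOMAIN_CHECK, TELNET_FLOW))
    print("curl check        :", evaluate(DOMAIN_CHECK, CURL_FLOW))
    print("L7 deny, default  :", evaluate(DENY_L7, UNIDENTIFIED_FLOW))
    print("L7 deny, strict   :", evaluate(DENY_L7, UNIDENTIFIED_FLOW, strict=True))
    print("L4 deny           :", evaluate(DENY_L4, UNIDENTIFIED_FLOW))
    print("subdomain ordered :", evaluate(SUBDOMAIN_OK, ABC_FLOW), evaluate(SUBDOMAIN_OK, WWW_FLOW))
    print("subdomain reversed:", evaluate(SUBDOMAIN_REVERSED, ABC_FLOW))
```

A matched policy name of None is the model's equivalent of a hit count that stays at zero in the console: the traffic passed, but not because of the policy you were testing. Note that the wildcard *xyz.com, taken literally, also matches names such as anotherxyz.com; if that is not intended, use the more specific *.xyz.com pattern together with xyz.com itself.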