
Cloud Firewall: Create inbound and outbound access control policies for the Internet firewall

Last Updated:Dec 20, 2023

By default, after you enable the Internet firewall and before you create any access control policies, Cloud Firewall allows all traffic in the access control matching phase. You can create outbound and inbound access control policies for the Internet firewall to prevent unauthorized access between your Internet-facing assets and the Internet. This topic describes how to create inbound and outbound access control policies for the Internet firewall.

Feature

You can create an outbound access control policy for the Internet firewall to manage traffic from your Internet-facing assets to the Internet and an inbound access control policy for the Internet firewall to manage traffic from the Internet to your Internet-facing assets. The following figure shows how the Internet firewall protects traffic.

[Figure: how the Internet firewall protects inbound and outbound traffic]

Prerequisites

  • The Internet firewall is enabled for your Internet-facing assets. For more information about how to enable the Internet firewall, see Enable or disable the Internet firewall.

    For more information about the Internet-facing assets that can be protected by Cloud Firewall, see Protection scope.

  • The quota for access control policies is sufficient. You can view the quota usage on the Access Control > Internet Border page. For more information about how to calculate quota usage, see Overview of access control policies.

    If the remaining quota is insufficient, you can click Increase Quota to increase the value of Quota for Additional Policy. For more information, see Purchase Cloud Firewall.


  • If you want to add multiple objects as an access source or destination, make sure that an address book that contains the objects is created. For more information, see Manage address books.

Create access control policies for the Internet firewall

Cloud Firewall allows you to create custom policies and provides recommended policies that you can apply.

  • Create custom policy: You can create custom policies based on your business requirements.

  • Apply recommended intelligent policies: Cloud Firewall automatically learns your traffic from the previous 30 days and recommends multiple intelligent policies based on the traffic risks that are identified. You can determine whether to apply the policies.

  • Apply recommended common policies: Cloud Firewall recommends common policies. If the recommended common policies meet your business requirements, you can apply the policies.

Important
  • Allow inbound access only to the ports on which a public IP address actually provides a service, and deny access to all other ports. This keeps the exposure of your assets to the Internet to the minimum that your services require.

  • If you want to allow access only from trusted sources such as specific IP addresses or domain names, first create a policy with a higher priority that allows access from the trusted sources, and then create a policy with a lower priority that denies traffic from all sources. Because traffic that matches no policy is allowed by default, the allow policies on their own block nothing; the lower-priority deny policy is what enforces the restriction.

  • Recommended intelligent policies and recommended common policies do not take effect until you apply them.

Create a custom policy

You can create a custom outbound or inbound policy for the Internet firewall based on your business requirements.

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, choose Access Control > Internet Border.

  3. On the Outbound or Inbound tab, select IPv4 or IPv6 from the drop-down list and click Create Policy. By default, an access control policy for IPv4 addresses is created.


  4. In the Create Outbound Policy or Create Inbound Policy panel, click the Create Policy tab.

  5. Configure the policy based on the following table and click OK.

    Create an access control policy to protect outbound traffic over the Internet

    Source Type and Source

    The initiator of network traffic. Select a source type and then enter the source addresses in the format that the selected type requires.

    • If you set Source Type to IP, specify one or more CIDR blocks, such as 192.168.0.0/16. You can specify up to 2,000 CIDR blocks. Separate multiple CIDR blocks with commas (,).

      If you enter multiple CIDR blocks at a time, Cloud Firewall automatically creates an address book that includes the entered CIDR blocks. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book.

    • If you set Source Type to Address Book, make sure that an IPv4 or IPv6 address book is configured. For more information about how to create an address book, see Manage address books.

    Destination Type and Destination

    The receiver of network traffic. Select a destination type and then enter the destination addresses in the format that the selected type requires.

    • If you set Destination Type to IP, specify one or more CIDR blocks, such as 192.168.0.0/16. You can specify up to 2,000 CIDR blocks. Separate multiple CIDR blocks with commas (,).

      If you enter multiple CIDR blocks at a time, Cloud Firewall automatically creates an address book that includes the entered CIDR blocks. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book.

    • If you set Destination Type to Address Book, make sure that an IPv4 or IPv6 address book is configured. For more information about how to create an address book, see Manage address books.

    • If you set Destination Type to Domain Name, enter a domain name for Destination. Cloud Firewall resolves the domain name and applies the policy to the resolved IP addresses.

      A domain name can be resolved to up to 500 IP addresses. For more information, see Domain name resolution.

    • If you set Destination Type to Region, select one or more regions of traffic destinations for Destination. You can select regions in or outside China.

    Protocol Type

    The transport layer protocol. Valid values: TCP, UDP, ICMP, and ANY. If you do not know the protocol type, select ANY, which matches all three protocols.

    Port Type and Port

    The port type and destination port numbers.

    • If you set Port Type to Port, enter port ranges. Specify a port range in the Port number/Port number format. Examples: 22/22 or 80/88. Separate multiple port ranges with commas (,). You can enter up to 2,000 port ranges.

      If you enter multiple port ranges, Cloud Firewall automatically creates a port address book that includes the entered port ranges. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book.

    • If you set Port Type to Address Book, make sure that a port address book is configured. For more information about how to create an address book, see Manage address books.

    Application

    The application type of the traffic.

    • If you set Protocol Type to TCP, you can select HTTP, HTTPS, SMTP, SMTPS, SSL, and FTP for Application.

    • If you set Protocol Type to UDP, ICMP, or ANY, you can select only ANY for Application.

    • If you select Domain Name or Address Book for Destination Type, you can select only HTTP, HTTPS, SMTP, SMTPS, or SSL for Application.

    Note

    Cloud Firewall identifies application types based on packet characteristics instead of port numbers. If Cloud Firewall cannot identify the application type in a packet, Cloud Firewall allows the packet. If you want to block the traffic whose application type is unknown, we recommend that you enable the strict mode for the Internet firewall. For more information, see Configure the strict mode of the Internet firewall.

    Action

    The action on the traffic if the traffic meets the preceding conditions that you specify for the access control policy.

    • Allow: The traffic is allowed.

    • Deny: The traffic is denied, and no notifications are sent.

    • Monitor: The traffic is recorded and allowed. You can observe the traffic for a period of time and change the policy action to Allow or Deny based on your business requirements.

    Description

    The description of the access control policy. Enter a description that can help identify the policy.

    Priority

    The priority of the access control policy. Default value: Lowest. Valid values:

    • Highest: The access control policy has the highest priority.

    • Lowest: The access control policy has the lowest priority.

    Policy Validity Period

    The validity period of the access control policy. The policy can be used to match traffic only within the validity period.

    Status

    Specifies whether to enable the policy. If you turn off Status when you create an access control policy, you can enable the policy in the list of access control policies.

    Create an access control policy to protect inbound traffic over the Internet

    Source Type and Source

    The initiator of network traffic. Select a source type and then enter the source addresses in the format that the selected type requires.

    • If you set Source Type to IP, specify one or more CIDR blocks, such as 192.168.0.0/16. You can specify up to 2,000 CIDR blocks. Separate multiple CIDR blocks with commas (,).

      If you enter multiple CIDR blocks at a time, Cloud Firewall automatically creates an address book that includes the entered CIDR blocks. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book.

    • If you set Source Type to Address Book, make sure that an IP address book is configured. For more information about how to create an address book, see Manage address books.

    • If you set Source Type to Region, select one or more regions of traffic sources for Source. You can select regions in or outside China.

    Destination Type and Destination

    The receiver of network traffic. Select a destination type and then enter the destination addresses in the format that the selected type requires.

    • If you set Destination Type to IP, specify one or more CIDR blocks, such as 192.168.0.0/16. You can specify up to 2,000 CIDR blocks. Separate multiple CIDR blocks with commas (,).

      If you enter multiple CIDR blocks at a time, Cloud Firewall automatically creates an address book that includes the entered CIDR blocks. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book.

    • If you set Destination Type to Address Book, make sure that an IP address book is configured. For more information about how to create an address book, see Manage address books.

    • If you set Destination Type to Region, select one or more regions of traffic destinations for Destination. You can select regions in or outside China.

    Protocol Type

    The transport layer protocol. Valid values: TCP, UDP, ICMP, and ANY. If you do not know the protocol type, select ANY, which matches all three protocols.

    Port Type and Port

    The port type and destination port numbers.

    • If you set Port Type to Port, enter port ranges. Specify a port range in the Port number/Port number format. Examples: 22/22 or 80/88. Separate multiple port ranges with commas (,). You can enter up to 2,000 port ranges.

      If you enter multiple port ranges, Cloud Firewall automatically creates a port address book that includes the entered port ranges. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book.

    • If you set Port Type to Address Book, make sure that a port address book is configured. For more information about how to create an address book, see Manage address books.

    Application

    The application type of the traffic.

    • If you set Protocol Type to TCP, you can select HTTP, HTTPS, SMTP, SMTPS, SSL, and FTP for Application.

    • If you set Protocol Type to UDP, ICMP, or ANY, you can select only ANY for Application.

    Note

    Cloud Firewall identifies application types based on packet characteristics instead of port numbers. If Cloud Firewall cannot identify the application type in a packet, Cloud Firewall allows the packet. If you want to block the traffic whose application type is unknown, we recommend that you enable the strict mode for the Internet firewall. For more information, see Configure the strict mode of the Internet firewall.

    Action

    The action on the traffic if the traffic meets the preceding conditions that you specify for the access control policy.

    • Allow: The traffic is allowed.

    • Deny: The traffic is denied, and no notifications are sent.

    • Monitor: The traffic is recorded and allowed. You can observe the traffic for a period of time and change the policy action to Allow or Deny based on your business requirements.

    Description

    The description of the access control policy. Enter a description that can help identify the policy.

    Priority

    The priority of the access control policy. Default value: Lowest. Valid values:

    • Highest: The access control policy has the highest priority.

    • Lowest: The access control policy has the lowest priority.

    Policy Validity Period

    The validity period of the access control policy. The policy can be used to match traffic only within the validity period.

    Status

    Specifies whether to enable the policy. If you turn off Status when you create an access control policy, you can enable the policy in the list of access control policies.

Apply recommended intelligent policies

Cloud Firewall automatically learns your traffic from the previous 30 days and recommends multiple intelligent policies based on the traffic risks that are identified. If the recommended intelligent policies meet your business requirements, you can apply the policies.

You can apply both outbound and inbound intelligent policies that are recommended.

Warning
  • Before you apply a recommended policy, make sure that you understand its meaning and the possible impacts on services.

  • You can ignore recommended intelligent policies. After you ignore a recommended intelligent policy, the policy cannot be restored. Proceed with caution.

Check whether recommended intelligent policies exist

You can check whether recommended intelligent policies are generated by Cloud Firewall on the Access Control > Internet Border page.


  1. In the left-side navigation pane, choose Access Control > Internet Border.

  2. Go to the Recommended Intelligent Policy page. You can use one of the following methods:

    • In the upper-right corner above the policy list, click Intelligent Policy. In the panel that appears, click the Outbound or Inbound tab.


    • On the Outbound or Inbound tab, click Create Policy. In the panel that appears, click the Recommended Intelligent Policy tab.

  3. View and apply the recommended intelligent policies. You can find a policy and click Apply Policy. Alternatively, you can select multiple policies and click Batch Dispatch.

Apply recommended common policies

If the recommended common policies meet your business requirements, you can apply the policies.

Warning
  • Before you apply a recommended policy, make sure that you understand its meaning and the possible impacts on services.

  • You can ignore recommended common policies. After you ignore a recommended common policy, the policy cannot be restored. Proceed with caution. If you ignore all recommended common policies, the Recommended Common Policy tab is no longer displayed.

  1. In the left-side navigation pane, choose Access Control > Internet Border.

  2. On the Outbound or Inbound tab, click Create Policy. In the panel that appears, click the Recommended Common Policy tab.

  3. View and apply the recommended common policies. You can find a policy and click Quick Apply.

What to do next

After you create a custom policy, you can find the policy in the list of custom policies and click Edit, Delete, or Copy in the Actions column to manage the policy. You can download the list of custom policies, delete multiple policies at a time, and click Move to change the priority of the policy.

Change the priority of a policy

  1. In the left-side navigation pane, choose Access Control > Internet Border.

  2. Click the Outbound or Inbound tab, find the policy that you want to manage, and then click Move in the Actions column.

  3. Specify a new priority for the policy and click OK.

    A valid priority value ranges from 1 to the number of existing policies, and a smaller value indicates a higher priority. After you move a policy, the policies between its old and new positions shift by one place to fill the gap, so their numeric priority values change accordingly.

View the hit details about an access control policy

By default, an access control policy immediately takes effect after it is created. In the list of access control policies, view the hit details about an access control policy in the Hits/Last Hit At column.


The Hits/Last Hit At column displays the number of hits and the time when the policy was last hit. Click the number of hits to go to the Log Audit page. On the Traffic Logs tab, view the hit details. For more information, see Log audit.

Download the list of policies

  1. In the left-side navigation pane, choose Access Control > Internet Border.

  2. Click the Outbound or Inbound tab. In the upper-right corner above the policy list, click the download icon.

  3. After the policies are packaged, click Download Task Management in the upper-right corner of the Internet Border page.

  4. In the Tasks panel, select the required task type, find the task whose file you want to download, and then click Download in the Actions column.

Delete a policy

Warning

After you delete a policy, Cloud Firewall no longer applies it to the traffic that the policy previously matched; that traffic falls through to the remaining policies or to the default allow. Proceed with caution.

If you no longer need a policy that was created for the Internet firewall, go to the Access Control > Internet Border page, find the policy in the policy list, click the icon in the Actions column, and then choose Delete.
