The strict mode of the Internet firewall blocks traffic that matches an access control
policy but contains an application unknown to Cloud Firewall. Cloud Firewall identifies
applications based on packet characteristics. If Cloud Firewall fails to identify
the application in the traffic, it allows the traffic by default. If you want to discard
traffic with unknown applications, you can enable the strict mode.
Background information
The strict mode only takes effect on traffic that matches an access control policy,
regardless of whether the policy action is allow, deny, or monitor. If the traffic
does not match any access control policy, the traffic is allowed even if its application
is unknown.
Before you enable the strict mode on the Internet firewall, we recommend that you
configure access control policies. For more information, see Outbound and inbound traffic control on the Internet firewall.
Enable or disable the strict mode
- Log on to the Cloud Firewall console.
- In the left-side navigation pane, choose .
- In the upper-right corner of the Internet Firewall tab, click Advanced Settings.

- In the Advanced Settings dialog box that appears, enable or disable Internet Firewall-Strict Mode and click OK.
After the strict mode is enabled, all traffic that matches an access control policy
and contains unknown applications is discarded. You can view logs of discarded traffic
on the Log Audit page.
View logs of discarded traffic
- Log on to the Cloud Firewall console.
- In the left-side navigation pane, choose .
- Navigate to and click Show Advanced Search. Then, set Application to Unknown and Policy Source to Access Control and click Search.

- View the logs of traffic discarded in strict mode. These log entries have the
policy name unknown_app_deny_all. Each entry shows the time, source IP address, destination IP address, and destination
port of the discarded traffic.
If normal traffic is discarded, we recommend that you add the application information
to the request packets or disable the strict mode.
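
To decide whether normal traffic is being discarded, it helps to group the strict-mode entries by flow. The following is an added example, not part of the Cloud Firewall documentation or product: it assumes the log entries have been saved as CSV, and the column names and sample rows are constructed for illustration. Only the policy name unknown_app_deny_all and the filter values Unknown and Access Control come from this page.

```python
import csv
import io

# Policy name this page gives for traffic discarded in strict mode.
STRICT_MODE_POLICY = "unknown_app_deny_all"

# Constructed sample rows. The column names are assumptions, not the product's schema.
SAMPLE_CSV = """time,src_ip,dst_ip,dst_port,application,policy_source,policy_name
2024-01-01T10:00:00Z,192.0.2.10,198.51.100.5,8443,Unknown,Access Control,unknown_app_deny_all
2024-01-01T10:00:05Z,192.0.2.10,198.51.100.5,8443,Unknown,Access Control,unknown_app_deny_all
2024-01-01T10:01:00Z,192.0.2.11,198.51.100.9,9000,Unknown,Access Control,unknown_app_deny_all
2024-01-01T10:02:00Z,192.0.2.12,198.51.100.7,443,HTTPS,Access Control,allow-web
2024-01-01T10:03:00Z,192.0.2.10,198.51.100.5,8443,Unknown,Access Control,unknown_app_deny_all
"""


def strict_mode_drops(csv_text):
    """Return the rows that match the search described above:
    Application = Unknown, Policy Source = Access Control, strict-mode policy name."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [
        r for r in rows
        if r["policy_name"].strip() == STRICT_MODE_POLICY
        and r["application"].strip().lower() == "unknown"
        and r["policy_source"].strip().lower() == "access control"
    ]


def summarize(drops):
    """Group drops by (source IP, destination IP, destination port).
    Returns [(flow, {"count", "first", "last"})], most frequent flow first."""
    flows = {}
    for r in drops:
        key = (r["src_ip"], r["dst_ip"], int(r["dst_port"]))
        entry = flows.setdefault(key, {"count": 0, "first": r["time"], "last": r["time"]})
        entry["count"] += 1
        # ISO 8601 timestamps in one format sort correctly as strings.
        entry["first"] = min(entry["first"], r["time"])
        entry["last"] = max(entry["last"], r["time"])
    return sorted(flows.items(), key=lambda kv: -kv[1]["count"])


if __name__ == "__main__":
    for (src, dst, port), f in summarize(strict_mode_drops(SAMPLE_CSV)):
        print(f"{src} -> {dst}:{port}  drops={f['count']}  {f['first']} .. {f['last']}")
```

Flows that repeat at a steady rate toward a known internal service are the likeliest candidates for normal traffic that strict mode is discarding.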