Cloud Firewall: Configure Cloud Firewall

Last Updated: Nov 07, 2023

Cloud Firewall is used to ensure network security for workloads that you migrate to Alibaba Cloud. Cloud Firewall provides core features such as network-wide traffic identification, centralized policy management, and intrusion detection. Cloud Firewall protects traffic from the Internet to your Elastic Compute Service (ECS) instances, traffic from your ECS instances to the Internet, and traffic between your ECS instances. This topic describes how to configure Cloud Firewall.

Prerequisites

Cloud Firewall is purchased. For more information, see Purchase Cloud Firewall.

Step 1: Enable firewalls

Cloud Firewall provides the following types of firewalls: Internet firewall, virtual private cloud (VPC) firewall, internal firewall, and NAT firewall. Enabling a firewall alone is not enough: if you do not configure an access control policy or enable the Block working mode of the threat detection engine after you enable a firewall, Cloud Firewall cannot protect your services.

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, click Firewall Settings.

  3. Enable firewalls based on your business requirements. The following table describes the types of firewalls that you can enable.

    Firewall type

    Description

    Operation

    Internet firewall

    The Internet firewall protects traffic between the Internet and your public IP addresses in a centralized manner.

    Enable the Internet firewall. For more information, see Internet firewall.

    VPC firewall

    A VPC firewall protects traffic between VPCs and traffic between a VPC and a data center in a centralized manner.

    Note

    Only Cloud Firewall Enterprise Edition and Ultimate Edition support VPC firewalls.

    Enable a VPC firewall. For more information, see Configure a VPC firewall for an Enterprise Edition transit router.

    Internal firewall

    An internal firewall protects inbound and outbound traffic between ECS instances and blocks unauthorized access.

    The access control policies that you configured and published for an internal firewall in the Cloud Firewall console are synchronized to ECS security groups. You do not need to enable internal firewalls.

    Note

    Only Cloud Firewall Enterprise Edition and Ultimate Edition support internal firewalls.

    Configure access control policies for an internal firewall. For more information, see Create an access control policy for an internal firewall between ECS instances.

    NAT firewall

    A NAT firewall controls and protects traffic of private IP addresses that are used to access the Internet.

    Enable a NAT firewall. For more information, see NAT firewalls.

    After you enable or disable a firewall for your assets, the firewall status changes to Enabled or Disabled in the Firewall Status column. The value Enabled indicates that the firewall is in effect. The value Disabled indicates that the firewall no longer protects your assets. The system requires several seconds to update the firewall status.

Step 2: Configure intrusion prevention policies

Cloud Firewall provides an intrusion prevention system (IPS) to defend against intrusions in real time.

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, choose Attack Prevention > Prevention Configuration.

  3. On the Prevention Configuration page, configure the Threat Engine Mode, Whitelist, Threat Intelligence, Basic Protection, and Virtual Patching parameters. The following table describes the parameters.

    Parameter

    Description

    Operation

    Threat Engine Mode

    The threat detection engine supports the Monitor and Block working modes.

    • Monitor working mode: Cloud Firewall monitors traffic and generates alerts for malicious traffic.

    • Block working mode: Cloud Firewall intercepts malicious traffic and blocks intrusion attempts. You can select a level for the Block working mode based on your business requirements.

      • Loose: blocks attacks in a loose manner by using only rules that produce a low rate of false positives. This level is suitable for businesses that need the false positive rate to be minimized.

      • Medium: blocks attacks in a standard manner by using common rules. This level is suitable for daily O&M.

      • Strict: blocks attacks in a strict manner by using all rules. This level is suitable for businesses that need the false negative rate to be minimized, for example during major events or cybersecurity protection activities launched by public service sectors, which are rehearsals for network attack and defense. This level may cause a higher false positive rate than the Medium level.

      Note
      • After you purchase Cloud Firewall, the Block working mode is automatically enabled for the threat detection engine. Cloud Firewall specifies a level for the Block working mode based on your actual traffic.

      • The threat intelligence, basic protection, and virtual patching features block threats only after the Block working mode is enabled. If you do not enable the Block working mode, these features only monitor threats and malicious traffic.

    Configure a working mode for the threat detection engine. For more information, see Working modes of the threat detection engine.

    Whitelist

    Cloud Firewall allows you to add trusted source IPv4 and IPv6 addresses or trusted destination IPv4 and IPv6 addresses to an inbound or outbound whitelist. After you add IP addresses to a whitelist, the basic protection and virtual patching features allow the traffic of the IP addresses. The whitelist that you configure does not take effect for the threat intelligence feature.

    Configure an intrusion prevention whitelist. For more information, see Advanced settings.

    Threat Intelligence

    After you turn on Threat Intelligence, Cloud Firewall scans for threat intelligence and blocks malicious behavior that is initiated from command-and-control (C&C) servers based on the threat intelligence.

    The threat intelligence feature synchronizes malicious IP addresses that are detected across Alibaba Cloud to Cloud Firewall, and then implements precise intrusion prevention. The malicious IP addresses are used to initiate malicious access, scans, or brute-force attacks. This feature provides up-to-date information about threat sources.

    Configure the threat intelligence feature. For more information, see Advanced settings.

    Basic Protection

    After you turn on Basic Rules, Cloud Firewall detects common threats based on detection rules.

    The basic protection feature protects your assets against common intrusions, such as brute-force attacks and attacks that exploit command execution vulnerabilities. The feature also manages connections from compromised hosts to a C&C server and provides basic protection for your assets. We recommend that you enable the basic protection feature.

    Configure the basic protection feature. For more information, see Advanced settings.

    Intelligent Defense

    After you turn on Intelligent Defense, Cloud Firewall learns a large amount of data about attacks in the cloud to improve the accuracy of threat detection and attack detection.

    Intelligent defense is available only if you select Monitor Mode.

    Configure the intelligent defense feature. For more information, see Advanced settings.

    Virtual Patching

    After you turn on Virtual Patching, Cloud Firewall protects your assets against common high-severity vulnerabilities and urgent vulnerabilities in real time.

    The virtual patching feature provides hot patches at the network layer to protect your business against high-severity vulnerabilities and urgent vulnerabilities that can be remotely exploited. This helps intercept vulnerability exploits in real time and prevent business interruption when vulnerabilities are being fixed.

    Note

    Only Cloud Firewall Enterprise Edition and Ultimate Edition allow you to configure virtual patching policies.

    Configure the virtual patching feature. For more information, see Advanced settings.

Step 3: View traffic statistics

The traffic analysis feature provides real-time traffic statistics, such as statistics about outbound connections, Internet exposures, and VPC access, to allow you to control traffic in a visualized manner and identify unusual traffic.

Traffic statistics are essential information that you can use to configure appropriate access control policies. Before you configure access control policies, we recommend that you view traffic statistics about your assets.

Outbound Connection

After you enable a firewall for your network assets, the Outbound Connection page displays real-time information about outbound connections that are initiated by your servers. This helps you identify suspicious servers.

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, choose Traffic Analysis > Outbound Connection.

  3. On the Outbound Connection page, view the details of outbound connections from your assets within a specific period of time.

    Parameter

    Description

    Supported operation

    Outbound Domains

    The number of risky domain names and the total number of domain names in outbound connections. The outbound connections are initiated from your business to the domain names, which are located on the Internet.

    You can click Outbound Domains in the Data Statistics section to go to the Outbound Domains tab or click Outbound IP Addresses in the Data Statistics section to go to the Outbound IP Addresses tab.

    You can perform the following operations on a risky domain name or IP address based on your business requirements to protect your assets:

    • Configure an access control policy

      On the Outbound Domains or Outbound IP Addresses tab, find a domain name or an IP address and click Configure Access Control Policy in the Actions column. In the Create Outbound Policy panel, create an outbound access control policy. For more information, see Create inbound and outbound access control policies for the Internet firewall.

    • View the details of an outbound domain name

      On the Outbound Domains tab, find an outbound domain name and click Details in the Actions column. In the Outbound Domains panel, view the details of the domain name.

      On the Outbound Connection Initiated over EIP and Outbound Connection Initiated over Private IP Address of NAT Gateway tabs of the panel, view the information about the Elastic Compute Service (ECS) instances that initiated outbound connections. You can also click View Logs in the Actions column to go to the Traffic Logs tab of the Log Audit page. For more information, see Traffic logs.

    • Add a domain name or an IP address to an address book

      On the Outbound Domains or Outbound IP Addresses tab, find a domain name or an IP address, click the more icon in the Actions column, and then click Add to Address Book. The system redirects to the Create Address Book panel of the Address Books page. For more information, see Manage address books.

    • Mark a domain name or an IP address as followed

      On the Outbound Domains or Outbound IP Addresses tab, find a domain name or an IP address, click the more icon in the Actions column, and then click Mark as Followed.

    • Unfollow a domain name or an IP address

      On the Outbound Domains or Outbound IP Addresses tab, click Followed in the upper-right corner. In the Followed panel, unfollow a destination domain name, destination IP address, public IP address, or private IP address.

    • Add a domain name or an IP address to the whitelist

      On the Outbound Domains or Outbound IP Addresses tab, find a domain name or an IP address, click the more icon in the Actions column, and then click Add to Whitelist to add the domain name or IP address to the whitelist. This way, Cloud Firewall no longer analyzes the domain name or IP address, and the information about the domain name or IP address is no longer displayed.

    • Remove a domain name or an IP address from the whitelist

      On the Outbound Domains or Outbound IP Addresses tab, click Ignored in the upper-right corner. In the Ignored panel, remove a domain name or an IP address from the whitelist. This way, the information about the domain name or IP address is displayed on the Outbound Connection page again.

    • View logs

      On the Outbound Domains or Outbound IP Addresses tab, find a domain name or an IP address, click the more icon in the Actions column, and then click View Logs. The system redirects to the Traffic Logs tab of the Log Audit page. For more information, see Traffic logs.

    Outbound IP Addresses

    The number of risky destination IP addresses and the total number of destination IP addresses in outbound connections. The outbound connections are initiated from your business to the IP addresses, which are located on the Internet.

    Outbound Public IP Addresses

    The number of risky assets and the total number of assets in outbound connections. The outbound connections are initiated from the assets to the Internet by using the public addresses of the assets, such as elastic IP addresses (EIPs).

    You can click Outbound Public IP Addresses in the Data Statistics section to go to the Outbound Public IP Addresses tab and click Outbound Private IP Addresses in the Data Statistics section to go to the Outbound Private IP Addresses tab. You can perform the following operations on the tabs:

    • Mark an IP address as followed

      Find an IP address and click Mark as Followed in the Actions column.

    • Unfollow a domain name or an IP address

      In the upper-right corner, click Followed. In the Followed panel, unfollow a destination domain name, destination IP address, public IP address, or private IP address.

    • View logs

      Find an IP address and click View Logs in the Actions column. The Traffic Logs tab of the Log Audit page is displayed. For more information, see Traffic logs.

    Outbound Private IP Addresses

    The number of risky private assets and the total number of private assets in outbound connections. The outbound connections are initiated from the assets to the Internet by using the IP addresses of NAT gateways.

    Outbound Connection Protocol

    The analysis results of protocols that are used in outbound connections. The outbound connections are initiated from your business to the Internet. The results include the number of unidentified protocols, the total number of used protocols, and the proportion of unidentified protocols to all used protocols.

    You can click Protocol Analysis to go to the Outbound Connection Protocol tab. You can perform the following operations on the tab:

    View logs: Find a protocol and click View Logs in the Actions column. The Traffic Logs tab of the Log Audit page is displayed. For more information, see Traffic logs.
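    The figures described in this table can also be reproduced from exported flow records, which is useful when you want to cross-check the console or run the same analysis over archived Log Audit exports. The following is an added example and not Alibaba Cloud code: the record layout, the risk labels and the addresses are constructed so that it runs offline, and the `ignored` set stands in for the whitelist described above.

```python
"""Rebuild the Outbound Connection statistics from exported flow records.

Added example, not Alibaba Cloud code: Cloud Firewall computes these
figures itself. The record layout, the risk labels and the addresses are
constructed so the block runs offline; a real export from Log Audit would
feed the same functions.
"""
from collections import Counter, defaultdict

# Constructed records: (private source IP, public IP/EIP used, destination
# domain or "-" when the connection went straight to an IP, destination IP,
# protocol as identified by the engine, whether the destination is flagged risky)
SAMPLE_FLOWS = [
    ("10.0.1.5", "203.0.113.10", "repo.example.com", "198.51.100.7", "HTTPS", False),
    ("10.0.1.5", "203.0.113.10", "updates.example.net", "198.51.100.9", "HTTPS", False),
    ("10.0.1.8", "203.0.113.11", "-", "192.0.2.44", "Unidentified", True),
    ("10.0.1.8", "203.0.113.11", "bad.example.org", "192.0.2.45", "Unidentified", True),
    ("10.0.2.3", "203.0.113.12", "repo.example.com", "198.51.100.7", "HTTPS", False),
    ("10.0.2.3", "203.0.113.12", "-", "192.0.2.44", "SSH", True),
]


def summarize(flows, ignored=frozenset()):
    """Return (risky, total) pairs like the Data Statistics section shows.

    `ignored` plays the role of the page's whitelist: a domain or IP in it
    is no longer analysed, so its records drop out of every figure.
    """
    domains, dest_ips, public_ips = {}, {}, {}
    protocols = Counter()
    initiators = defaultdict(set)
    for src, public_ip, domain, dst_ip, proto, risky in flows:
        if domain in ignored or dst_ip in ignored:
            continue
        if domain != "-":
            domains[domain] = domains.get(domain, False) or risky
            initiators[domain].add(src)
        dest_ips[dst_ip] = dest_ips.get(dst_ip, False) or risky
        public_ips[public_ip] = public_ips.get(public_ip, False) or risky
        protocols[proto] += 1
    total = sum(protocols.values())
    unidentified = protocols["Unidentified"]
    return {
        "outbound_domains": (sum(domains.values()), len(domains)),
        "outbound_ip_addresses": (sum(dest_ips.values()), len(dest_ips)),
        "outbound_public_ip_addresses": (sum(public_ips.values()), len(public_ips)),
        # (unidentified protocols, protocols in use, share of unidentified)
        "outbound_connection_protocol": (
            unidentified, len(protocols), unidentified / total if total else 0.0),
        # which private servers talked to each domain (the Details panel view)
        "initiators": {d: sorted(s) for d, s in initiators.items()},
    }


def suspicious_servers(flows, ignored=frozenset()):
    """Private IPs that reached at least one risky destination: the servers to look at first."""
    return sorted({src for src, _, domain, dst_ip, _, risky in flows
                   if risky and domain not in ignored and dst_ip not in ignored})


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_FLOWS).items():
        print(key, value)
    print("suspicious servers:", suspicious_servers(SAMPLE_FLOWS))
```

    Whitelisting a destination removes its records from every counter, including the protocol share, which is why the page warns that whitelisted entries are no longer analyzed at all; `suspicious_servers` is the list a practitioner would work through before creating outbound Deny policies.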

Internet Exposure

The Internet Exposure page of the Cloud Firewall console provides an overview of the normal and unusual inbound traffic of your assets, including information about open applications, open ports, open public IP addresses, and cloud services to which inbound traffic flows.

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, choose Traffic Analysis > Internet Exposure.

  3. On the Internet Exposure page, view the traffic rankings of IP addresses, traffic trends, and details of Internet access.

    Parameter

    Description

    Supported operation

    Open Public IP Addresses

    The total number of open public IP addresses and the number of risky open public IP addresses.

    View the traffic statistics of a public IP address that is accessed: On the Open Public IP Addresses tab, find the IP address and click View Details in the Actions column. In the Open Public IP Addresses panel, view the access information about the IP address. This helps you identify the traffic of malicious behavior.

    Open Ports

    The total number of open ports and the number of risky open ports.

    View the traffic statistics of an open port: On the Open Ports tab, find the open port and click View Details in the Actions column. In the Open Ports panel, view the access information about the open port. This helps you identify the traffic of malicious behavior.

    Open Applications

    The total number of open applications and the number of risky open applications.

    View the traffic statistics of an open application: On the Open Applications tab, find the open application and click View Details in the Actions column. In the Open Applications panel, view the access information about the application. This helps you identify the traffic of malicious behavior.

    Details

    The traffic statistics of all assets.

    View the traffic statistics of an asset: On the Details tab, find the asset and click View Details in the Actions column. In the Details panel, view the access information about the asset. This helps you identify the traffic of malicious behavior.

    Cloud Products

    The number of public IP addresses to which inbound traffic flows to access cloud services.

    None.

VPC Access

The VPC Access page displays information about the traffic between VPCs to help you detect unusual traffic and potential attacks.

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, choose Traffic Analysis > VPC Access.

  3. On the VPC Access page, view information about the traffic between VPCs, rankings of sessions between VPCs, open ports, and assets.

    Section or tab

    Description

    Supported operation

    Traffic Between VPCs

    This section displays the following data: peak traffic in both the inbound and outbound directions, average traffic in both the inbound and outbound directions, and trend charts for both inbound and outbound traffic.

    View traffic-based rankings: On a traffic trend chart, click a point in time. The top IP addresses that are involved in the traffic at that point in time are displayed in the Ranking of IP Addresses by Traffic section.

    Ranking of IP Addresses by Traffic

    This section displays the rankings of the top 10, top 20, or top 50 IP addresses by traffic. The IP, Inbound, and Outbound columns are displayed. By default, the rankings of the top 50 IP addresses are displayed.

    View logs: Find the IP address that you want to manage and click View Logs in the Actions column. On the VPC Border page, view the log details of the VPC to which the IP address belongs.

    Ranking of Sessions Between VPCs by Visits and Traffic

    This section displays the rankings of sessions between VPCs. The Ranking, Session, Sessions, Traffic, Port, and Ratio columns are displayed.

    View the proportion of ports by session: Find the session data record of an IP address and click View in the Ratio column. In the Open Ports by Traffic section, view the proportion of ports that are involved in the session.

    Open Ports by Traffic

    By default, this section displays the distribution of all open ports.

    None.

    Open Ports

    This tab displays the data of open ports that are used for the traffic between VPCs. The Open Port, Protocol, Application, Traffic, Requests, Asset IP, and Risk Level columns are displayed.

    View the details of an open port: Find the local open port that you want to manage and click View Details in the Actions column. In the Port Details panel, view the details of the port.

    View logs: In the Port Details panel, find the peer IP address that corresponds to the local open port and click View Logs in the Actions column. On the VPC Firewall tab of the Traffic Logs tab, view the log details of the IP address.

    Note

    To download the data of open ports to a CSV file on your computer, click the Download icon in the upper-right corner above the port list. This way, you can view the data or use it for analysis in a more convenient manner.

    Assets

    This tab displays the data of assets that are involved in traffic between VPCs. The Asset IP, Instance ID/Name, Port, Traffic, Requests, and Risk Level columns are displayed.

    View the details of an asset: Find the local asset that you want to manage and click View Details in the Actions column. In the Asset Access Details panel, view the details of the asset.

    View logs: In the Asset Access Details panel, find the peer IP address that corresponds to the asset and click View Logs in the Actions column. On the VPC Firewall tab of the Traffic Logs tab, view the log details of the IP address.

    Note

    To download the data of assets to a CSV file on your computer, click the Download icon in the upper-right corner above the asset list. This way, you can view the data or use it for analysis in a more convenient manner.

Step 4: Create access control policies

Cloud Firewall allows you to create access control policies for inbound and outbound traffic over the Internet and mutual access traffic over an internal network to reduce the risk of intrusions into your assets.

If you want to create policies to allow traffic from trusted IP addresses and deny traffic from other sources, create a policy that allows traffic from trusted IP addresses. Then, create a policy that denies traffic from all sources to the Internet. Make sure that the priority of the Allow policy is higher than the priority of the Deny policy.

Create access control policies for the Internet firewall on outbound and inbound traffic

The Internet firewall controls the outbound and inbound traffic of your Internet assets. You can create access control policies in the Cloud Firewall console to prevent unauthorized access between your Internet assets and the Internet.

Important

We recommend that you set the actions of outbound policies to Deny. This does not apply if the policies are used to allow outbound connections that are required for your business.

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, choose Access Control > Internet Border.

  3. On the Outbound or Inbound tab, select IPV4 or IPV6 from the drop-down list and click Create Policy. By default, an access control policy for IPv6 addresses is created.

  4. In the Create Outbound Policy or Create Inbound Policy panel, click the Create Policy tab.

  5. Configure the policy based on the following table and click OK.

    Create an access control policy to protect outbound traffic over the Internet

    Parameter

    Description

    Source Type

    The initiator of network traffic. You must select a source type and enter source addresses from which network traffic is initiated based on the selected source type.

    • If you set Source Type to IP, specify one or more CIDR blocks, such as 192.168.0.0/16. You can specify up to 2,000 CIDR blocks. Separate multiple CIDR blocks with commas (,).

      If you enter multiple CIDR blocks at a time, Cloud Firewall automatically creates an address book that includes the entered CIDR blocks. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book.

    • If you set Source Type to Address Book, make sure that an IPv4 or IPv6 address book is configured. For more information about how to create an address book, see Manage address books.

    Source

    Destination Type

    The receiver of network traffic. You must select a destination type and enter destination addresses to which network traffic is sent based on the selected destination type.

    • If you set Destination Type to IP, specify one or more CIDR blocks, such as 192.168.0.0/16. You can specify up to 2,000 CIDR blocks. Separate multiple CIDR blocks with commas (,).

      If you enter multiple CIDR blocks at a time, Cloud Firewall automatically creates an address book that includes the entered CIDR blocks. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book.

    • If you set Destination Type to Address Book, make sure that an IPv4 or IPv6 address book is configured. For more information about how to create an address book, see Manage address books.

    • If you set Destination Type to Domain Name, enter a domain name for Destination. Cloud Firewall automatically resolves the domain name and performs access control.

    • If you set Destination Type to Region, select one or more regions of traffic destinations for Destination. You can select one or more regions in or outside China.

    Destination

    Protocol Type

    The transport layer protocol. Valid values: TCP, UDP, ICMP, and ANY. If you do not know the protocol type, select ANY.

    Port Type

    The port type and port number of the destination.

    • If you set Port Type to Port, enter port ranges. Specify a port range in the Port number/Port number format. Examples: 22/22 or 80/88. Separate multiple port ranges with commas (,). You can enter up to 2,000 port ranges.

      If you enter multiple port ranges, Cloud Firewall automatically creates an address book that includes the entered port ranges. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book.

    • If you set Port Type to Address Book, make sure that a port address book is configured. For more information about how to create an address book, see Manage address books.

    Port

    Application

    The application type of the traffic.

    • If you set Protocol Type to TCP, you can select HTTP, HTTPS, SMTP, SMTPS, SSL, and FTP for Application.

    • If you set Protocol Type to UDP, ICMP, or ANY, you can select only ANY for Application.

    • If you select Domain Name or Address Book for Destination Type, you can select only HTTP, HTTPS, SMTP, SMTPS, or SSL for Application.

    Note

    Cloud Firewall identifies application types based on packet characteristics instead of port numbers. If Cloud Firewall cannot identify the application type in a packet, Cloud Firewall allows the packet. If you want to block the traffic whose application type is unknown, we recommend that you enable the strict mode for the Internet firewall. For more information, see Configure the strict mode of the Internet firewall.

    Action

    The action on the traffic if the traffic meets the preceding conditions that you specify for the access control policy.

    • Allow: The traffic is allowed.

    • Deny: The traffic is denied, and no notifications are sent.

    • Monitor: The traffic is recorded and allowed. You can observe the traffic for a period of time and change the policy action to Allow or Deny based on your business requirements.

    Description

    The description of the access control policy. Enter a description that can help identify the policy.

    Priority

    The priority of the access control policy. Default value: Lowest. Valid values:

    • Highest: The access control policy has the highest priority.

    • Lowest: The access control policy has the lowest priority.

    Status

    Specifies whether to enable the policy. If you turn off Status when you create an access control policy, you can enable the policy in the list of access control policies.

    Create an access control policy to protect inbound traffic over the Internet

    Parameter

    Description

    Source Type

    The initiator of network traffic. You must select a source type and enter source addresses from which network traffic is initiated based on the selected source type.

    • If you set Source Type to IP, specify one or more CIDR blocks, such as 192.168.0.0/16. You can specify up to 2,000 CIDR blocks. Separate multiple CIDR blocks with commas (,).

      If you enter multiple CIDR blocks at a time, Cloud Firewall automatically creates an address book that includes the entered CIDR blocks. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book.

    • If you set Source Type to Address Book, make sure that an IP address book is configured. For more information about how to create an address book, see Manage address books.

    • If you set Source Type to Region, select one or more regions of traffic sources for Source. You can select one or more regions in or outside China.

    Source

    Destination Type

    The receiver of network traffic. You must select a destination type and enter destination addresses to which network traffic is sent based on the selected destination type.

    • If you set Destination Type to IP, specify one or more CIDR blocks, such as 192.168.0.0/16. You can specify up to 2,000 CIDR blocks. Separate multiple CIDR blocks with commas (,).

      If you enter multiple CIDR blocks at a time, Cloud Firewall automatically creates an address book that includes the entered CIDR blocks. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book.

    • If you set Destination Type to Address Book, make sure that an IP address book is configured. For more information about how to create an address book, see Manage address books.

    • If you set Destination Type to Region, select one or more regions of traffic destinations for Destination. You can select one or more regions in or outside China.

    Destination

    Protocol Type

    The transport layer protocol. Valid values: TCP, UDP, ICMP, and ANY. If you do not know the protocol type, select ANY.

    Port Type

    The port type and port number of the destination.

    • If you set Port Type to Port, enter port ranges. Specify a port range in the Port number/Port number format. Examples: 22/22 or 80/88. Separate multiple port ranges with commas (,). You can enter up to 2,000 port ranges.

      If you enter multiple port ranges, Cloud Firewall automatically creates an address book that includes the entered port ranges. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book.

    • If you set Port Type to Address Book, make sure that a port address book is configured. For more information about how to create an address book, see Manage address books.

    Port

    Application

    The application type of the traffic.

    • If you set Protocol Type to TCP, you can select HTTP, HTTPS, SMTP, SMTPS, SSL, and FTP for Application.

    • If you set Protocol Type to UDP, ICMP, or ANY, you can select only ANY for Application.

    Note

    Cloud Firewall identifies application types based on packet characteristics instead of port numbers. If Cloud Firewall cannot identify the application type in a packet, Cloud Firewall allows the packet. If you want to block the traffic whose application type is unknown, we recommend that you enable the strict mode for the Internet firewall. For more information, see Configure the strict mode of the Internet firewall.

    Action

    The action on the traffic if the traffic meets the preceding conditions that you specify for the access control policy.

    • Allow: The traffic is allowed.

    • Deny: The traffic is denied, and no notifications are sent.

    • Monitor: The traffic is recorded and allowed. You can observe the traffic for a period of time and change the policy action to Allow or Deny based on your business requirements.

    Description

    The description of the access control policy. Enter a description that can help identify the policy.

    Priority

    The priority of the access control policy. Default value: Lowest. Valid values:

    • Highest: The access control policy has the highest priority.

    • Lowest: The access control policy has the lowest priority.

    Status

    Specifies whether to enable the policy. If you turn off Status when you create an access control policy, you can enable the policy in the list of access control policies.

Create access control policies for a VPC firewall

A VPC firewall can monitor and control the traffic between two VPCs. By default, a VPC firewall allows all traffic. You must create an Allow policy for a VPC firewall to allow traffic from trusted sources and specify the Highest priority for the policy. Then, create a Deny policy for the VPC firewall to deny traffic from all sources and specify the Lowest priority for the policy.

Note

Only Cloud Firewall Enterprise Edition and Ultimate Edition support VPC firewalls.

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, choose Access Control > VPC Border.

  3. On the VPC Border page, click Create Policy.

  4. Configure the policy based on the following table and click OK.

    Parameter

    Description

    Source Type and Source

    The initiator of the network connection. You must select a source type and enter source addresses from which network traffic is initiated based on the selected source type.

    • If you set Source Type to IP, specify one or more CIDR blocks, such as 192.168.0.0/16. You can specify up to 2,000 CIDR blocks. Separate multiple CIDR blocks with commas (,).

      If you enter multiple CIDR blocks at a time, Cloud Firewall automatically creates an address book that includes the entered CIDR blocks. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book.

    • If you set Source Type to Address Book, make sure that an IPv4 or IPv6 address book is configured. For more information about how to create an address book, see Manage address books.

    • If you set Source Type to Region, select one or more regions of traffic sources for Source. You can select one or more regions in or outside China.

    Destination Type and Destination

    The receiver of network traffic. You must select a destination type and enter destination addresses to which network traffic is sent based on the selected destination type.

    • If you set Destination Type to IP, specify one or more CIDR blocks, such as 192.168.0.0/16. You can specify up to 2,000 CIDR blocks. Separate multiple CIDR blocks with commas (,).

      If you enter multiple CIDR blocks at a time, Cloud Firewall automatically creates an address book that includes the entered CIDR blocks. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book.

    • If you set Destination Type to Address Book, make sure that an IPv4 or IPv6 address book is configured. For more information about how to create an address book, see Manage address books.

    • If you set Destination Type to Domain Name, enter a domain name for Destination. You can enter a wildcard domain name. Example: *.aliyun.com.

    Protocol Type

    The transport layer protocol. Valid values: TCP, UDP, ICMP, and ANY. If you do not know the protocol type, select ANY.

    Port Type and Port

    The port type and port number of the destination.

    • If you set Port Type to Port, enter port ranges. Specify a port range in the start port/end port format. Examples: 22/22 for a single port or 80/88 for a range. Separate multiple port ranges with commas (,). You can enter up to 2,000 port ranges.

      If you enter multiple port ranges, Cloud Firewall automatically creates a port address book that includes the entered port ranges. When you save the access control policy, Cloud Firewall prompts you to specify a name for this port address book.

    • If you set Port Type to Address Book, make sure that a port address book is configured. For more information about how to create an address book, see Manage address books.

    Application

    The application type of the traffic.

    • If you set Protocol Type to TCP, you can select HTTP, HTTPS, SMTP, SMTPS, SSL, and FTP for Application.

    • If you set Protocol Type to UDP, ICMP, or ANY, you can select only ANY for Application.

    • If you select Domain Name or Address Book for Destination Type, you can select only HTTP, HTTPS, SMTP, or SMTPS for Application.

    Note

    Cloud Firewall identifies application types based on packet characteristics, not on port numbers. If Cloud Firewall cannot identify the application type of a packet, it allows the packet. Application-based matching is therefore fail-open: a policy that specifies a particular application does not block traffic whose application type is unknown. If you want to block such traffic, we recommend that you enable the strict mode for the Internet firewall. For more information, see Configure the strict mode of the Internet firewall.

    Policy Action

    The action on the traffic if the traffic meets the preceding conditions that you specify for the access control policy.

    • Allow: The traffic is allowed.

    • Deny: The traffic is denied, and no notifications are sent.

    • Monitor: The traffic is recorded and allowed. You can observe the traffic for a period of time and change the policy action to Allow or Deny based on your business requirements.

    Description

    The description of the access control policy. Enter a description that can help identify the policy.

    Priority

    The priority of the access control policy. Default value: Lowest. Valid values:

    • Highest: The access control policy has the highest priority.

    • Lowest: The access control policy has the lowest priority.
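To make the allow-list pattern and the parameter constraints in the tables above concrete, the following Python example is added here; it is not code from the Cloud Firewall console, its API, or this documentation. It models a policy with the fields from the table, validates it against the limits the table states (protocol and application compatibility, the Domain Name restriction, CIDR syntax, the start/end port format, the 2,000-entry limits), and then evaluates constructed flows in priority order. The `Policy` class, the flow dictionary, the sample CIDR blocks and the within-tier ordering are assumptions of this example; only IP-type sources and destinations are modelled, not address books or regions; and, as the Note above describes, traffic whose application cannot be identified is treated as not matching an application-specific policy, which is what makes a Deny limited to one application fail-open.

```python
import ipaddress
from dataclasses import dataclass, field

# Limits and compatibility rules taken from the parameter table above.
PROTOCOLS = {"TCP", "UDP", "ICMP", "ANY"}
TCP_APPLICATIONS = {"ANY", "HTTP", "HTTPS", "SMTP", "SMTPS", "SSL", "FTP"}
DOMAIN_APPLICATIONS = {"HTTP", "HTTPS", "SMTP", "SMTPS"}
MAX_ENTRIES = 2000


@dataclass
class Policy:                     # hypothetical model of the console fields
    source: list                  # CIDR blocks (Source Type = IP)
    destination: list             # CIDR blocks (IP) or one domain name
    dest_type: str = "IP"         # "IP" or "Domain Name"
    proto: str = "ANY"            # TCP, UDP, ICMP or ANY
    ports: list = field(default_factory=list)  # "start/end" ranges; empty = any
    application: str = "ANY"
    action: str = "Deny"          # Allow, Deny or Monitor
    priority: str = "Lowest"      # Highest or Lowest
    description: str = ""


def _port_range(r: str) -> tuple:
    """Parse '22/22' or '80/88'; raise ValueError for anything else."""
    lo, hi = (int(x) for x in r.split("/"))
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(r)
    return lo, hi


def validate_policy(p: Policy) -> list:
    """Return the problems found; an empty list means the policy is well-formed."""
    errors = []
    if p.proto not in PROTOCOLS:
        errors.append(f"protocol {p.proto!r} is not TCP, UDP, ICMP or ANY")
    elif p.proto == "TCP" and p.application not in TCP_APPLICATIONS:
        errors.append(f"application {p.application!r} is not valid for TCP")
    elif p.proto != "TCP" and p.application != "ANY":
        errors.append(f"application must be ANY when the protocol is {p.proto}")
    if p.dest_type == "Domain Name" and p.application not in DOMAIN_APPLICATIONS:
        errors.append("a Domain Name destination needs HTTP, HTTPS, SMTP or SMTPS")
    if p.action not in {"Allow", "Deny", "Monitor"}:
        errors.append(f"action {p.action!r} is not Allow, Deny or Monitor")
    if p.priority not in {"Highest", "Lowest"}:
        errors.append(f"priority {p.priority!r} is not Highest or Lowest")
    pairs = [("source", p.source)]
    if p.dest_type == "IP":
        pairs.append(("destination", p.destination))
    for label, cidrs in pairs:
        if len(cidrs) > MAX_ENTRIES:
            errors.append(f"{label}: more than {MAX_ENTRIES} CIDR blocks")
        for c in cidrs:
            try:
                ipaddress.ip_network(c, strict=False)  # host bits are tolerated
            except ValueError:
                errors.append(f"{label}: {c!r} is not a valid CIDR block")
    if len(p.ports) > MAX_ENTRIES:
        errors.append(f"more than {MAX_ENTRIES} port ranges")
    for r in p.ports:
        try:
            _port_range(r)
        except ValueError:
            errors.append(f"port range {r!r} must be start/end, e.g. 22/22 or 80/88")
    return errors


def matches(p: Policy, flow: dict) -> bool:
    """IP-type policy against one flow {src, dst, proto, port, app}; app is
    "UNKNOWN" when Cloud Firewall could not identify the application."""
    src, dst = ipaddress.ip_address(flow["src"]), ipaddress.ip_address(flow["dst"])
    if not any(src in ipaddress.ip_network(c, strict=False) for c in p.source):
        return False
    if not any(dst in ipaddress.ip_network(c, strict=False) for c in p.destination):
        return False
    if p.proto != "ANY" and p.proto != flow["proto"]:
        return False
    if p.ports and not any(lo <= flow["port"] <= hi for lo, hi in map(_port_range, p.ports)):
        return False
    # Fail-open application matching (see the Note above): a policy for a specific
    # application never matches UNKNOWN traffic, so only Application = ANY or
    # strict mode can block it.
    return p.application == "ANY" or flow["app"] == p.application


def evaluate(policies: list, flow: dict) -> str:
    """Highest-priority policies are tried before Lowest ones; within a tier the
    list order is used (an assumption: the page defines only the two tiers).  The
    first match decides (Monitor records the flow but allows it); with no match a
    VPC firewall allows the traffic by default."""
    for p in sorted(policies, key=lambda p: p.priority != "Highest"):
        if matches(p, flow):
            return p.action
    return "Allow"


# Constructed sample of the allow-list pattern described above: a Highest-priority
# Allow for trusted traffic and a Lowest-priority catch-all Deny.
ALLOW_LIST = [
    Policy(["10.1.0.0/16"], ["10.2.10.0/24"], proto="TCP", ports=["3306/3306"],
           action="Allow", priority="Highest", description="app VPC to DB subnet"),
    Policy(["0.0.0.0/0"], ["0.0.0.0/0"], action="Deny", priority="Lowest",
           description="default deny between VPCs"),
]
# Constructed sample of the fail-open case: a Deny limited to Application = HTTP.
HTTP_ONLY_DENY = [Policy(["0.0.0.0/0"], ["10.2.10.0/24"], proto="TCP", ports=["80/80"],
                         application="HTTP", action="Deny", priority="Highest")]
```

Run `validate_policy` over every policy you intend to create before touching the console, and compare `evaluate(ALLOW_LIST, flow)` with `evaluate(HTTP_ONLY_DENY, flow)` for a flow whose `app` is `"UNKNOWN"`: the catch-all Deny with Application set to ANY blocks it, while the HTTP-only Deny lets it through. That difference is why the Lowest-priority Deny policy in the pattern above should leave Application at ANY.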

Create access control policies for an internal firewall between ECS instances

An internal firewall can control inbound and outbound traffic between ECS instances and block unauthorized access. The access control policies that you configured and published for an internal firewall in the Cloud Firewall console are synchronized to ECS security groups.

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, choose Access Control > Internal Border.

  3. On the Internal Border page, create access control policies for an internal firewall. For more information, see Create an access control policy for an internal firewall between ECS instances.

Step 5: Handle exceptions

If exceptions occur, check the traffic statistics and use the attack prevention features to identify and handle the exceptions based on your configuration. Cloud Firewall retains unhandled exceptions for 30 days.