Does Cloud Firewall support classic networks?

The Internet firewall and IPS features of Cloud Firewall support classic networks. The micro-segmentation feature, which is used for access control on east-west traffic, supports only VPCs.

Is Cloud Firewall available in regions outside China?

Yes, Cloud Firewall is available in the following regions: mainland China, China (Hong Kong), Malaysia (Kuala Lumpur), Singapore, and Indonesia (Jakarta).

Can Cloud Firewall control outbound traffic from private addresses to the Internet?

Cloud Firewall only controls outbound traffic to the Internet from EIPs or public IP addresses obtained by using DNAT. It cannot control outbound traffic from private IP addresses.

To control outbound traffic from a private IP address, bind an EIP to the private IP address and configure access control policies for this EIP.

Does the Internet firewall of Cloud Firewall support access control for public SLB instances?

Alibaba Cloud provides public and private SLB instances. Because of a limit on the network architecture of public SLB instances, the Internet firewall does not support public SLB instances. We recommend that you bind an EIP to a private SLB instance and enable the Internet firewall for the EIP. For more information, see Associate an Elastic IP address with an SLB instance.
Note: You cannot enable the Internet firewall for a public SLB instance. We recommend that you do not change the network of the public SLB instance. If you need any help, contact SLB technical support.

Can Cloud Firewall control IPsec traffic?

The Internet firewall cannot be used to control decrypted IPsec traffic.

You can configure access control policies on a VPC or internal firewall to control decrypted IPsec traffic.

Can Cloud Firewall control traffic on virtual border routers of dedicated connections in Express Connect?

Yes, Cloud Firewall supports access control for dedicated connections between on-premises Internet data centers and Alibaba Cloud.

The inbound traffic with unknown applications accounts for a large proportion of all inbound traffic. Does this occur because Cloud Firewall cannot identify the applications in traffic from the Internet?

There is a large amount of traffic from the Internet. Most of the traffic uses non-standard application protocols that Cloud Firewall cannot identify. Therefore, the applications of such traffic are unknown.

To view the sources and destinations of the traffic with unknown applications, navigate to Log Audit > Traffic Logs or Log Audit > Event Logs.

Why is there a large proportion of traffic with unknown ISPs on the All Access Activities page of Traffic Analysis?

This occurs because a large amount of inbound and outbound traffic comes from and goes to areas outside China. Cloud Firewall marks the ISPs of such traffic as unknown. To view the areas and ISPs of specific IP addresses, navigate to Log Audit > Traffic Logs.

The outbound traffic with unknown applications accounts for a large proportion of all outbound traffic. Does this occur because Cloud Firewall cannot identify the applications in the traffic?

Destination servers may reject the outbound traffic and then send a large number of RST packets to the source servers. These RST packets are also recorded as outbound traffic. As a result, there is a large proportion of outbound traffic with unknown applications. To determine whether exceptions occur in the outbound traffic, navigate to Log Audit > Traffic Logs.