
Cloud Firewall: DescribeAclCheck

Last Updated: Oct 16, 2025

Queries the details of an Access Control List (ACL) check.

Operation description

QPS limit

This operation is limited to 10 queries per second (QPS) per user. If you exceed this limit, the system throttles your API calls, which can affect your business. Call this operation at a reasonable rate.


RAM authorization

No authorization is required for this operation. If you encounter issues with this operation, contact technical support.

Request parameters

Parameter | Type | Required | Description | Example
--- | --- | --- | --- | ---
Lang | string | No | The language of the response. Valid values: en (English), zh (Chinese, default). | zh
TaskId | string | Yes | The task ID. | 132
PageNo | integer | Yes | The page number. | 1
PageSize | integer | Yes | The number of entries per page. | 10

Response elements

Element

Type

Description

Example

object

RequestId

string

The request ID.

25E655B0-CAED-53D4-8054-F983126****

CheckRecord

object

The check record.

AclTotalCount

integer

The total number of access control list (ACL) policies at the time of the check.

10

RecordAssessmentDetail

string

The details of the ACL check assessment.

建议删除无效策略,同时可帮助节省规格。

CheckName

string

The name of the ACL check.

PolicyHitCountZero

Description

string

The description of the ACL check item.

由于业务下线或其它原因等,导致对象策略一段时间命中次数为0。

LastCheckTime

string

The timestamp of the last check. This value is a UNIX timestamp. Unit: seconds.

1724982259

Level

string

The risk level.

High

TaskId

string

The task ID.

task-c92d4544ef7b6a42

Acls

array<object>

A list of ACL check results.

array<object>

The ACL check result.

Acl

object

The ACL check result.

Direction

string

The direction of Internet traffic. Valid values:

  • in: inbound traffic

  • out: outbound traffic

out

Order

integer

The priority of the access control policy.

Priorities start from 1. A smaller number indicates a higher priority.

1

SourceType

string

The source address type in the access control policy. Valid values:

  • net: source CIDR block

  • group: source address book

  • location: source region

group

ApplicationName

string

The application types supported by the access control policy for the VPC firewall. Use `ApplicationNameList` instead. Valid values:

  • HTTP

  • HTTPS

  • MySQL

  • SMTP

  • SMTPS

  • RDP

  • VNC

  • SSH

  • Redis

  • MQTT

  • MongoDB

  • Memcache

  • SSL

  • ANY (all application types)

ANY

HitTimes

integer

The number of hits on the access control policy.

1

Description

string

The description of the access control policy.

test_policy

SourceGroupType

string

The type of the source address book in the access control policy. Valid values:

  • ip: an IP address book that contains one or more CIDR blocks.

  • tag: an ECS tag-based address book that contains the IP addresses of ECS instances with specific tags.

  • domain: a domain name address book that contains one or more domain names.

  • threat: a threat intelligence address book that contains one or more malicious IP addresses or domain names.

  • backsrc: an origin address book that contains the origin URLs of one or more Anti-DDoS or WAF instances.

ip

DnsResultTime

integer

The timestamp of the DNS resolution. This value is a UNIX timestamp. Unit: seconds.

1579261141

DnsResult

string

The result of the DNS resolution.

192.0.XX.XX

Proto

string

The protocol type of the traffic in the access control policy. Valid values:

  • TCP

  • UDP

  • ICMP

  • ANY (all protocol types)

Note

If you do not set this parameter, policies with all protocol types are queried.

TCP

DestinationGroupType

string

The type of the destination address book in the access control policy. Valid values:

  • ip: an IP address book that contains one or more CIDR blocks.

  • tag: an ECS tag-based address book that contains the IP addresses of ECS instances with specific tags.

  • domain: a domain name address book that contains one or more domain names.

  • threat: a threat intelligence address book that contains one or more malicious IP addresses or domain names.

  • backsrc: an origin address book that contains the origin URLs of one or more Anti-DDoS or WAF instances.

domain

Destination

string

The destination address in the access control policy. Fuzzy queries are supported. The value of this parameter varies based on the value of DestinationType.

  • If `DestinationType` is `net`, the value of this parameter is a CIDR block. Example: 10.0.3.0/24.

  • If `DestinationType` is `domain`, the value of this parameter is a domain name. Example: aliyun.

  • If `DestinationType` is `group`, the value of this parameter is the name of an address book. Example: db_group.

  • If `DestinationType` is `location`, the value of this parameter is a region. For more information about region codes, see AddControlPolicy. Example: ["BJ11", "ZB"].

Note

If you do not set this parameter, destination addresses of all types are queried.

kms.cn-shanghai.aliyuncs.com

HitLastTime

integer

The timestamp of the last hit. This value is a UNIX timestamp. Unit: seconds.

1579261141

DestPortGroup

string

The type of the destination port for the traffic in the access control policy. Valid values:

  • port: port

  • group: port address book

my_port_group

AclUuid

string

The unique ID of the access control policy.

997b38e0-01fa-4db7-8d30-02ebf6fdb747

DestPortType

string

The type of the destination port for the traffic in the access control policy. Valid values:

  • port: port

  • group: port address book

port

Source

string

The source address in the access control policy. Valid values:

  • If SourceType is `net`, the value of this parameter is a CIDR block. Example: 192.0.XX.XX/24.

  • If SourceType is `group`, the value of this parameter is the name of a source address book. Example: db_group.

  • If SourceType is `location`, the value of this parameter is a region. For more information, see AddControlPolicy. Example: ["BJ11", "ZB"].

172.28.7.167

DestinationType

string

The destination address type in the access control policy. Valid values:

  • net: destination CIDR block

  • group: destination address book

  • domain: destination domain name

  • location: destination region

domain

DestPort

string

The destination port in the access control policy.

80/80

IpVersion

integer

The IP version supported. Valid values:

  • 4: IPv4

  • 6: IPv6

4

AclAction

string

The action that is performed on traffic that hits the access control policy. Valid values:

  • accept: allow

  • drop: deny

  • log: monitor

log

Release

string

The status of the access control policy. Valid values:

  • true: The policy is enabled.

  • false: The policy is disabled.

true

ApplicationId

string

The application ID in the access control policy.

plugin_idp4_ciam

DestinationGroupCidrs

array

The CIDR blocks in the destination address book of the access control policy.

string

The CIDR blocks in the destination address book of the access control policy.

192.0.XX.XX/32

DestPortGroupPorts

array

The ports in the destination port address book.

string

The ports in the destination port address book.

80/80

SourceGroupCidrs

array

The CIDR blocks in the source address book of the access control policy.

string

The CIDR blocks in the source address book of the access control policy.

111.48.54.39/32

ApplicationNameList

array

A list of application types supported by the access control policy. Valid values:

  • FTP

  • HTTP

  • HTTPS

  • Memcache

  • MongoDB

  • MQTT

  • MySQL

  • RDP

  • Redis

  • SMTP

  • SMTPS

  • SSH

  • SSL

  • VNC

  • ANY (all application types)

string

A list of application types supported by the access control policy for the VPC firewall. Valid values:

  • HTTP

  • HTTPS

  • MySQL

  • SMTP

  • SMTPS

  • RDP

  • VNC

  • SSH

  • Redis

  • MQTT

  • MongoDB

  • Memcache

  • SSL

  • ANY (all application types)

ANY

SpreadCnt

integer

The number of specifications that the access control policy consumes. The value is the sum of specifications consumed by each policy. The number of specifications consumed by a single policy is calculated using the following formula: Number of source addresses (IP address CIDR blocks or regions) × Number of destination addresses (IP address CIDR blocks, regions, or domain names) × Number of port ranges × Number of applications.

10

CreateTime

integer

The time when the policy was created.

1761062400

ModifyTime

integer

The time when the policy was last modified.

1761062400

RepeatType

string

The recurrence type for the policy validity period. Valid values:

  • Permanent (default): always

  • None: a single time

  • Daily: daily

  • Weekly: weekly

  • Monthly: monthly

Permanent

RepeatDays

array

The recurrence day for the policy validity period.

Note

If `RepeatType` is set to `Weekly`, the valid values are 0 to 6, where the week starts on Sunday. If `RepeatType` is set to `Monthly`, the valid values are 1 to 31.

integer

The recurrence day for the policy validity period.

Note

If `RepeatType` is set to `Weekly`, the valid values are 0 to 6, where the week starts on Sunday. If `RepeatType` is set to `Monthly`, the valid values are 1 to 31.

6

RepeatStartTime

string

The recurrence start time for the policy validity period. Example: 08:00. The time must be on the hour or half-hour, and at least 30 minutes earlier than the recurrence end time.

Note

This parameter is empty if `RepeatType` is `Permanent` or `None`. This parameter is required if `RepeatType` is `Daily`, `Weekly`, or `Monthly`.

08:00

RepeatEndTime

string

The recurrence end time for the policy validity period. Example: 23:30. The time must be on the hour or half-hour, and at least 30 minutes later than the recurrence start time.

Note

This parameter is empty if `RepeatType` is `Permanent` or `None`. This parameter is required if `RepeatType` is `Daily`, `Weekly`, or `Monthly`.

23:30

StartTime

integer

The start time of the policy validity period. This value is a UNIX timestamp. Unit: seconds.

1730318400

EndTime

integer

The end time of the policy validity period. This value is a UNIX timestamp. Unit: seconds. The time must be on the hour or half-hour, and at least 30 minutes later than the start time.

Note

This parameter is empty if `RepeatType` is `Permanent`. This parameter is required if `RepeatType` is `None`, `Daily`, `Weekly`, or `Monthly`.

1758334822

AddressListCount

integer

The number of addresses in the address book.

1

GroupUuid

string

The unique ID of the address book.

To delete an address book from an access control policy, provide this ID. Call the DescribeAddressBook operation to obtain the ID.

b91d86c3-2b52-4534-aae9-8d0339b12a48

AutoAddTagEcs

integer

Indicates whether to automatically add the public IP addresses of new ECS instances that match the tags to the address book.

0

GroupName

string

The name of the address book.

钟馗开门白名单

ReferenceCount

integer

The number of times the address book is referenced.

1

GroupType

string

The type of the address book. Valid values:

  • ip: IP address book.

  • domain: domain name address book.

  • port: port address book.

  • tag: ECS tag-based address book.

  • allCloud: cloud service address book.

  • threat: threat intelligence address book.

ip

TagRelation

string

The relationship between multiple ECS tags. Valid values:

  • and: An ECS instance must match all the tags.

  • or: An ECS instance must match one of the tags.

or

TagList

array<object>

A list of ECS tags.

object

The ECS tag.

TagValue

string

The value of the ECS tag.

tfTestAcc0

TagKey

string

The key of the ECS tag.

ss

AddressList

array

The addresses in the address book.

string

The addresses in the address book.

183.2.201.71/32,60.28.235.22/32,210.51.58.107/32,60.28.235.81/32,210.51.58.51/32,60.28.235.52/32,1.1.1.1/32,154.212.141.143/32,167.94.146.55/32,185.226.197.47/32,101.251.238.174/32

NatGatewayId

string

The ID of the NAT gateway.

ngw-2ze4w62zbdkwjmoqeokgl

DomainResolveType

integer

The domain name resolution method for the access control policy. Valid values:

  • FQDN: FQDN-based

  • DNS: DNS-based dynamic resolution

  • FQDN_AND_DNS: FQDN-based and DNS-based dynamic resolution

FQDN

VpcFirewallId

string

The instance ID of the VPC firewall.

vfw-925514970c2c4bcab222

Addresses

array<object>

A list of addresses and their descriptions.

object

The address and its description.

Address

string

The address in the address book.

192.0.XX.XX/32

Note

string

The description.

已审核

AclStatus

string

The status of the ACL check.

Valid values:

  • Pending :

    pending

  • Ignored :

    ignored

  • Processed :

    processed

Pending

AclAssessmentDetail

string

The assessment details for the ACL policy.

无流量命中策略。

Examples

Success response

JSON format

{
  "RequestId": "25E655B0-CAED-53D4-8054-F983126****",
  "CheckRecord": {
    "AclTotalCount": 10,
    "RecordAssessmentDetail": "建议删除无效策略,同时可帮助节省规格。",
    "CheckName": "PolicyHitCountZero",
    "Description": "由于业务下线或其它原因等,导致对象策略一段时间命中次数为0。",
    "LastCheckTime": "1724982259",
    "Level": "High",
    "TaskId": "task-c92d4544ef7b6a42",
    "Acls": [
      {
        "Acl": {
          "Direction": "out",
          "Order": 1,
          "SourceType": "group",
          "ApplicationName": "ANY",
          "HitTimes": 1,
          "Description": "test_policy",
          "SourceGroupType": "ip",
          "DnsResultTime": 1579261141,
          "DnsResult": "192.0.XX.XX",
          "Proto": "TCP",
          "DestinationGroupType": "domain",
          "Destination": "kms.cn-shanghai.aliyuncs.com",
          "HitLastTime": 1579261141,
          "DestPortGroup": "my_port_group",
          "AclUuid": "997b38e0-01fa-4db7-8d30-02ebf6fdb747",
          "DestPortType": "port",
          "Source": "172.28.7.167",
          "DestinationType": "domain",
          "DestPort": "80/80",
          "IpVersion": 4,
          "AclAction": "log",
          "Release": "true",
          "ApplicationId": "plugin_idp4_ciam",
          "DestinationGroupCidrs": [
            "192.0.XX.XX/32"
          ],
          "DestPortGroupPorts": [
            "80/80"
          ],
          "SourceGroupCidrs": [
            "111.48.54.39/32"
          ],
          "ApplicationNameList": [
            "ANY"
          ],
          "SpreadCnt": 10,
          "CreateTime": 1761062400,
          "ModifyTime": 1761062400,
          "RepeatType": "Permanent",
          "RepeatDays": [
            6
          ],
          "RepeatStartTime": "08:00",
          "RepeatEndTime": "23:30",
          "StartTime": 1730318400,
          "EndTime": 1758334822,
          "AddressListCount": 1,
          "GroupUuid": "b91d86c3-2b52-4534-aae9-8d0339b12a48",
          "AutoAddTagEcs": 0,
          "GroupName": "钟馗开门白名单",
          "ReferenceCount": 1,
          "GroupType": "ip",
          "TagRelation": "or",
          "TagList": [
            {
              "TagValue": "tfTestAcc0",
              "TagKey": "ss"
            }
          ],
          "AddressList": [
            "183.2.201.71/32,60.28.235.22/32,210.51.58.107/32,60.28.235.81/32,210.51.58.51/32,60.28.235.52/32,1.1.1.1/32,154.212.141.143/32,167.94.146.55/32,185.226.197.47/32,101.251.238.174/32"
          ],
          "NatGatewayId": "ngw-2ze4w62zbdkwjmoqeokgl",
          "DomainResolveType": 0,
          "VpcFirewallId": "vfw-925514970c2c4bcab222",
          "Addresses": [
            {
              "Address": "192.0.XX.XX/32",
              "Note": "已审核"
            }
          ]
        },
        "AclStatus": "Pending",
        "AclAssessmentDetail": "无流量命中策略。"
      }
    ]
  }
}
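As an added example that is not part of this page or of Alibaba Cloud's SDKs, the following Python walks every page of one check task with PageNo/PageSize, stays under the documented 10 QPS limit, and triages each returned policy (enabled accept rules with no hits first, plus the SpreadCnt reclaimable from Pending findings). fetch_page is an assumed caller-supplied callable that performs the signed DescribeAclCheck request; the sample pages are constructed.

```python
# Added example, not Alibaba Cloud's code: page through one DescribeAclCheck task and
# triage its ACL findings. fetch_page is an assumed caller-supplied callable that
# issues the signed request and returns the decoded JSON body.
import time
def iter_acl_results(fetch_page, task_id, page_size=50, max_qps=10):
    # Yield every Acls[] entry, stop on the first short page, pace under 10 QPS.
    page_no = 1
    while True:
        body = fetch_page(task_id, page_no, page_size)
        acls = body.get("CheckRecord", {}).get("Acls", [])
        yield from acls
        if len(acls) < page_size:
            return
        page_no += 1
        time.sleep(1.0 / max_qps)

def triage(item, now):
    # Reduce one Acls[] entry to what a reviewer needs to decide on cleanup.
    acl = item["Acl"]
    enabled = acl.get("Release") == "true"
    last_hit = acl.get("HitLastTime") or 0
    # An enabled accept rule nothing hits widens the allowed surface for no benefit.
    priority = "high" if enabled and acl.get("AclAction") == "accept" else "low"
    return {"uuid": acl["AclUuid"], "action": acl.get("AclAction"),
            "enabled": enabled, "spread": acl.get("SpreadCnt", 0),
            "idle_days": (now - last_hit) // 86400 if last_hit else None,
            "status": item.get("AclStatus"), "priority": priority}

def summarize(items, now):
    # Per-policy rows plus the specifications reclaimable from Pending findings.
    rows = [triage(i, now) for i in items]
    pending = [r for r in rows if r["status"] == "Pending"]
    return {"rows": rows, "pending": len(pending),
            "reclaimable_specs": sum(r["spread"] for r in pending),
            "high": [r["uuid"] for r in rows if r["priority"] == "high"]}

# Constructed sample: two pages of a PolicyHitCountZero check (all values made up).
def _acl(uuid, action, release, hit_last, spread, status):
    return {"Acl": {"AclUuid": uuid, "AclAction": action, "Release": release,
                    "HitLastTime": hit_last, "SpreadCnt": spread}, "AclStatus": status}

SAMPLE_PAGES = {1: {"CheckRecord": {"Acls": [
                    _acl("acl-0001", "accept", "true", 1722000000, 4, "Pending"),
                    _acl("acl-0002", "log", "true", 1722000000, 2, "Pending")]}},
                2: {"CheckRecord": {"Acls": [
                    _acl("acl-0003", "accept", "false", 0, 6, "Ignored")]}}}
def fake_fetch_page(task_id, page_no, page_size):
    return SAMPLE_PAGES.get(page_no, {"CheckRecord": {"Acls": []}})
def run_sample(now=1724982259):
    return summarize(iter_acl_results(fake_fetch_page, "task-demo", page_size=2), now)
```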

Error codes

HTTP status code | Error code | Error message | Description
--- | --- | --- | ---
400 | ErrorAclCheckNotExist | ACL check not exist. | The access control configuration check does not exist.

See Error Codes for a complete list.

Release notes

See Release Notes for a complete list.