Cloud Firewall:Application control

Last Updated:May 12, 2026

The application control feature of Cloud Firewall implements application-layer traffic management based on Deep Packet Inspection (DPI) and heuristic behavior analysis. Unlike traditional firewalls, which rely solely on the IP/port five-tuple, it identifies application characteristics in the traffic itself and so reveals the true identity of applications hidden behind encrypted or non-standard ports. The system supports allowing, observing, or denying outbound traffic by application type, enabling fine-grained access control policies at the application and behavior level.

Benefits

  • Precisely identifies disguised traffic: Regardless of how applications change ports, encrypt transmissions, or borrow protocols (such as through HTTPS tunnels), the application control engine accurately identifies their true identities. This resolves the challenge of traditional network-layer management being unable to recognize specific applications.

  • Fine-grained identity-based control: Provides a built-in application signature library that covers multiple industry domains. Users can define action policies based on application categories or specific applications, enabling the core evolution from "port filtering" to "business awareness".

  • Flexible policy priority definitions: Supports hybrid configuration of custom rules and built-in category rules. By setting independent action policies for specific applications (such as GitHub file uploads), it meets fine-grained management requirements in complex scenarios.

Note

The application control feature is currently in limited beta. To enable this feature, contact your business manager.

View the built-in application signature library

Cloud Firewall provides a built-in application signature library that covers categories such as business transactions, sales and marketing, education, and multimedia content. Each application is assigned a risk level. To view the library, perform the following steps:

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, choose Prevention Configuration > Access Control > Application Control.

  3. On the Application Feature Library tab, view the list of supported applications. You can search by Application Name, Application ID, or Category.

  4. In the right-side area of the Application Feature Library tab, you can view the update history of signature library rules.

Create a custom template

To apply application control rules in access control policies, create a custom rule template first. Perform the following steps:

  1. In the left-side navigation pane, choose Prevention Configuration > Access Control > Application Control.

  2. On the Custom Template tab, click Create Template and configure the following parameters.

    Parameter: Basic Information
    Description: Set a descriptive template name and description for easy identification.

    Parameter: Built-in Application Classification
    Description: Specify an action for each application category. The following actions are supported:

    • Monitor: the default action. Requests are allowed and recorded in the event logs of Log audit.

    • Allow: requests are allowed without being logged in event logs.

    • Deny: requests are blocked and recorded in event logs.

    You can set actions in bulk for all applications in a category.

    Parameter: Custom Rules
    Description: To adjust the priority of application rules, click Add Custom Rule to configure custom rules for fine-grained control scenarios.

    • Rule status: A custom rule takes effect when its toggle is enabled.

    • Priority setting: You can configure multiple rules within a template. Priority values must be unique within the same template. A smaller value indicates a higher priority.

    • Action configuration: A single rule can be associated with multiple applications. Available actions include Monitor, Allow, or Deny.

    • Conflict handling: For the same application, the action configured in a custom rule takes precedence over the action configured in Built-in Application Classification.

    Parameter: Unknown Application Action
    Description: Define the default action for traffic from unidentified applications.

    Parameter: Template Switch
    Description: Enable or disable the template. Configurations take effect only when the template is enabled.

Configuration recommendations

  • Broad control scenarios: When control targets are not clearly defined, we recommend that you configure only Built-in Application Classification and set the action to Monitor. After the business runs for a period of time, go to the Traffic Logs page of Log audit to check the application identification results. Then, adjust the template actions based on your business requirements.

  • Precise control scenarios: When you need to control specific applications, we recommend that you configure Custom Rules because custom rules take precedence over Built-in Application Classification.

Application identification mechanism and action determination rules

  • Application identification mechanism: Cloud Firewall may identify multiple applications for a single request. For HTTP application protocols (including HTTPS after TLS inspection is configured), the identification result dynamically updates with the request over a persistent connection. The system only extracts the most recent identification result and does not retain intermediate states. For non-HTTP application protocols, the system performs identification only once when the connection is established and does not update it afterward.

  • Action determination rules: When determining the action for identified applications, the system first matches custom rules by priority. If no custom rule is matched, the system matches Built-in Application Classification by weight.

  • Example: A request is identified as both "GitHub-base" and "GitHub Download". Without custom rules configured, because the weight of "GitHub Download" in Built-in Application Classification is higher than that of "GitHub-base", the system executes the action configured for "GitHub Download".
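The determination order above, together with the template parameters from the Custom Template section (rule status, unique priorities, unknown-application default, template switch), as an added Python model that is not Cloud Firewall's own code. The numeric weights, the Monitor/Deny assignments for the two GitHub applications, and the choice to let identified applications outweigh unidentified ones in a mixed result are assumptions.

```python
from dataclasses import dataclass, field

# Constructed model of an application control template. Weights and
# per-application actions below are assumed values, not product defaults.


@dataclass(frozen=True)
class CustomRule:
    priority: int        # unique within a template; a smaller value wins
    apps: frozenset      # one rule may be associated with several applications
    action: str          # "Monitor", "Allow" or "Deny"
    enabled: bool = True  # rule status toggle


@dataclass
class Template:
    enabled: bool                 # Template Switch
    category_action: dict         # built-in classification: app -> action
    app_weight: dict              # built-in classification: app -> weight (assumed numeric)
    unknown_action: str           # Unknown Application Action
    custom_rules: list = field(default_factory=list)

    def __post_init__(self):
        prios = [r.priority for r in self.custom_rules]
        if len(prios) != len(set(prios)):
            raise ValueError("priority values must be unique within a template")


def decide(template, identified_apps):
    """Return (action, reason) for one request given its identified applications."""
    if not template.enabled:
        return None, "template disabled: no application control applied"
    apps = set(identified_apps)
    # Step 1: custom rules, matched by priority (smaller value first), enabled only.
    for rule in sorted(template.custom_rules, key=lambda r: r.priority):
        if rule.enabled and rule.apps & apps:
            return rule.action, f"custom rule priority {rule.priority}"
    # Step 2: built-in classification; the identified app with the highest weight wins.
    known = [a for a in apps if a in template.category_action]
    if not known:  # nothing identified (or only unknown apps): default action
        return template.unknown_action, "unknown application"
    best = max(known, key=lambda a: template.app_weight.get(a, 0))
    return template.category_action[best], f"built-in classification ({best})"


def page_example(custom_rules=()):
    """The GitHub-base / GitHub Download case from the text, with optional custom rules."""
    t = Template(enabled=True,
                 category_action={"GitHub-base": "Monitor", "GitHub Download": "Deny"},
                 app_weight={"GitHub-base": 10, "GitHub Download": 20},  # assumed weights
                 unknown_action="Monitor", custom_rules=list(custom_rules))
    return decide(t, ["GitHub-base", "GitHub Download"])
```

Running `page_example()` yields Deny via "GitHub Download", while a higher-priority custom rule for "GitHub-base" overrides the classification result entirely.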

What to do next

After you create a template, you can reference it in the access control policies for Internet Border Outbound traffic. For more information, see Access control policies for the internet firewall.

Manage templates

On the Custom Template tab, you can perform the following operations on existing templates:

  • Enable or disable a template: Toggle the switch in the Template Switch column to enable or disable a template.

  • Edit a template: Click Edit in the Actions column to modify the template configurations.

  • Delete a template: Click Delete in the Actions column. You cannot delete a template that contains custom rules or is referenced by access control policies.

Appendix: Supported application categories

Category: Office Collaboration
Description: Covers daily office and team collaboration scenarios, helping you identify traffic related to document processing, corporate communication, meeting collaboration, and team productivity tools. This category is suitable for managing frequently used office platforms and collaboration tools within an organization.
Typical applications: Microsoft 365, Google Workspace, WPS Office, DingTalk, WeCom, Feishu (Lark), Microsoft Teams, Slack, Zoom, Tencent Meeting

Category: Instant Messaging
Description: Covers real-time messaging applications used by individuals or the public, helping you understand traffic related to chat, voice, images, file sharing, and group communication. This category is commonly used to distinguish personal communication tools from enterprise-managed corporate communication platforms.
Typical applications: WeChat, QQ, Telegram, WhatsApp, Signal, LINE, Viber, Snapchat

Category: VoIP
Description: Covers IP-based voice and video calling services, helping you identify traffic from Internet phone, enterprise voice systems, and real-time audio/video communication. This category is suitable for ensuring voice communication quality or managing real-time calling application access.
Typical applications: Cisco Unified Communications, Avaya, 3CX, RingCentral, Skype, FaceTime, WebRTC

Category: Email
Description: Covers email sending and receiving, mailbox access, and email system management applications, helping you identify traffic from corporate email, personal email, email clients, and Webmail. This category is suitable for email access control, auditing, and data exfiltration governance.
Typical applications: Outlook, Foxmail, Thunderbird, Gmail, QQ Mail, NetEase Mail (163), Tencent Enterprise Email, Microsoft Exchange

Category: File & Content Management
Description: Covers file storage, synchronization, sharing, content publishing, and knowledge management applications, helping you identify traffic related to file uploads and downloads, external link sharing, team knowledge bases, and content management. This category is suitable for governing file transfers, content assets, and external sharing.
Typical applications: Baidu NetDisk, Dropbox, OneDrive, Nutstore, WeTransfer, SharePoint, Confluence, WordPress, Drupal

Category: Enterprise Core Systems
Description: Covers core business systems that support enterprise operations, helping you identify traffic related to finance, customer management, workflow, supply chain, asset management, and comprehensive management applications. This category is suitable for protecting enterprise critical business systems and ensuring core process continuity.
Typical applications: SAP, Oracle EBS, Kingdee, Yonyou, Salesforce, Microsoft Dynamics 365, FXIAOKE

Category: Human Resources
Description: Covers recruitment, HR management, attendance, payroll, performance, training, and other human resource scenarios, helping you identify traffic related to employee lifecycle management. This category is suitable for managing employee data access and HR system usage.
Typical applications: Workday, Beisen Cloud, Kingdee HR, SAP HCM, Zhaopin, BOSS Zhipin, LinkedIn Recruiter, Liepin

Category: Sales & Marketing
Description: Covers marketing promotion, advertising, customer outreach, customer support, and sales conversion applications, helping you identify traffic related to enterprise customer acquisition and customer operations. This category is suitable for managing marketing tools, customer service systems, and advertising platform access.
Typical applications: HubSpot, Marketo, Zendesk, QICHI KEFU (Sobot), Google Ads, Baidu Promotion, Ocean Engine, email marketing platforms

Category: Business Transactions
Description: Covers applications related to the trading of goods, services, funds, and financial assets, helping you identify traffic from e-commerce shopping, enterprise procurement, payment settlement, banking, securities, insurance, and wealth management. This category is suitable for managing access to transaction-type applications and protecting fund-related businesses.
Typical applications: Taobao, JD.com, Pinduoduo, Amazon, Alibaba 1688, Alipay, WeChat Pay, Tonghuashun, East Money

Category: Data Analytics
Description: Covers data query, reporting, visualization analysis, and business insight applications, helping you identify traffic from data analytics platforms, BI tools, and user behavior analysis services. This category is suitable for managing data access, analytics tool usage, and business data flow.
Typical applications: Tableau, Power BI, FanRuan, Google Analytics, Sensors Data, GrowingIO, Snowflake, MaxCompute

Category: IT Infrastructure
Description: Covers the underlying IT and network capabilities that support business system operations, helping you identify traffic from cloud platforms, CDN, DNS, load balancing, virtualization, containers, and basic network services. This category is suitable for ensuring infrastructure stability and governing basic resource access.
Typical applications: AWS, Alibaba Cloud, Tencent Cloud, VMware vSphere, Kubernetes, OpenStack, CDN, DNS, DHCP, NTP, BGP, OSPF

Category: IT Operations Management
Description: Covers system monitoring, alerting, logging, configuration, patching, automated operations, and IT service management applications, helping you identify traffic from operations management platforms and observability tools. This category is suitable for ensuring operations tool availability and managing operations access permissions.
Typical applications: Zabbix, Prometheus, Grafana, Nagios, Ansible, Puppet, Windows Update, WSUS, ServiceNow

Category: Development & Design
Description: Covers software development, testing, code collaboration, engineering design, and creative design applications, helping you identify traffic from R&D productivity, design collaboration, and engineering creation tools. This category is suitable for managing R&D environments, code assets, and design tool access.
Typical applications: GitHub, GitLab, Jenkins, VS Code, IntelliJ IDEA, AutoCAD, SolidWorks, Adobe Creative Cloud, Figma

Category: Storage & Hosts
Description: Covers databases, hosts, object storage, and hosting environment services, helping you identify traffic related to data persistence, computing workloads, and host hosting. This category is suitable for protecting data foundational resources and managing hosting service access.
Typical applications: MySQL, Oracle, PostgreSQL, MongoDB, Redis, Navicat, AWS EC2, Alibaba Cloud ECS, Tencent Cloud CVM, Object Storage Service

Category: Security Services
Description: Covers identity authentication, access control, threat detection, security protection, and data protection applications, helping you identify traffic from enterprise security capabilities and security management platforms. This category is suitable for ensuring security service availability and managing access to critical security controls.
Typical applications: CrowdStrike, Symantec, Huorong, Active Directory, Okta, SAML, DLP systems, Bastion Host, WAF

Category: Network Penetration
Description: Covers remote connection, proxy forwarding, and tunnel transmission applications, helping you identify traffic that may change access paths or bridge network boundaries. This category is suitable for fine-grained management of remote access, proxy services, and tunnel-type applications.
Typical applications: SSL VPN, IPsec VPN, RDP, TeamViewer, Sunlogin, ToDesk, OpenVPN, WireGuard, Squid, Shadowsocks

Category: Social Media
Description: Covers social networks, content communities, forums, Q&A, and interactive platforms, helping you identify traffic from user content publishing, comment interactions, follow subscriptions, and community engagement. This category is suitable for managing employee social media access and external content publishing scenarios.
Typical applications: Weibo, Zhihu, Xiaohongshu (RED), Douban, Facebook, X (Twitter), LinkedIn, Instagram, Reddit, CSDN

Category: Multimedia Content
Description: Covers video, audio, live streaming, images, gaming, and digital entertainment applications, helping you identify traffic from leisure entertainment, streaming media playback, and gaming platforms. This category is suitable for bandwidth governance, entertainment application access management, and content consumption analysis.
Typical applications: iQIYI, Tencent Video, Youku, Douyin (TikTok), Kuaishou, Bilibili, Spotify, NetEase Cloud Music, Steam, Honor of Kings, Twitch

Category: Education & Learning
Description: Covers online courses, live classrooms, learning management, exam assessment, and corporate training applications, helping you identify traffic from learning training and knowledge dissemination. This category is suitable for ensuring education resource access and managing employee training platform usage.
Typical applications: Coursera, edX, China University MOOC, Tencent Classroom, NetEase Cloud Classroom, Udemy, GeekTime

Category: Industry-Specific
Description: Covers applications that serve the production, operations, delivery, or regulatory processes of specific industries, helping you identify traffic from healthcare, manufacturing, logistics, energy, retail, connected vehicles, and government industry-specific systems. This category is suitable for managing industry core applications and vertical business system access.
Typical applications: MES, APS, Retail POS, HIS, EMR, PACS, Modbus, OPC-UA, SCADA, DCS

Category: General Internet
Description: Covers publicly accessible information access, search, portals, navigation, and general online tools, helping you identify traffic from daily Internet information services. This category is suitable for basic Internet access management and general website traffic analysis.
Typical applications: Baidu, Google, Bing, Sina, NetEase Portal, Baidu Maps, Amap (Gaode), Youdao Translate, government portals

Category: Artificial Intelligence
Description: Covers applications and platforms centered on AI models, algorithms, and intelligent generation capabilities, helping you identify traffic from AI chat, AI writing, image generation, code assistance, model serving, and AI APIs. This category is suitable for managing generative AI usage, AI platform access, and intelligent application data flow.
Typical applications: ChatGPT, Claude, Gemini, DeepSeek, ERNIE Bot, Tongyi Qianwen (Qwen), Midjourney, GitHub Copilot, Hugging Face, Alibaba Cloud Bailian, Vertex AI