After you configure an access control policy, Cloud Firewall matches traffic against the 4-tuple, application type, and domain name in sequence. If Cloud Firewall cannot identify the application type or domain name of traffic, it allows the traffic by default to ensure service continuity. To prevent this, you can enable strict mode.
How Cloud Firewall matches traffic
After you configure an access control policy, Cloud Firewall inspects traffic by matching each packet against the 4-tuple (source address, destination address, destination port, and transport layer protocol), then the application type, and then the domain name, in that order.
Loose mode: If Cloud Firewall cannot identify a packet's application type or domain name, it allows the traffic by default whenever the policy being evaluated depends on those criteria. This default-allow behavior applies when a policy meets either of the following conditions:
The access control policy is configured with an application type other than ANY.
The access control policy is configured with a domain name, and the domain name matching mode is set to FQDN-based Dynamic Resolution (Extract Host and SNI Fields) or FQDN and DNS-based Dynamic Resolution.
Strict mode: Cloud Firewall does not automatically allow traffic with an unidentified application type or domain name. Instead, it continues to evaluate the traffic against the next policy in priority order. If a match is found, Cloud Firewall applies the policy's action (allow or deny). If the traffic does not match any access control policy after all policies are evaluated, Cloud Firewall allows the traffic by default.
If Cloud Firewall drops legitimate traffic after you enable strict mode, either make sure that the request packets carry the application protocol information that Cloud Firewall needs to identify the traffic (for example, the Host or SNI fields used for domain name matching), or switch back to loose mode.
For new VPC firewalls, strict mode is enabled by default.
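The following model of the matching order described above is an added illustration and not Cloud Firewall's own code. It assumes exact-match 4-tuple fields and a single FQDN condition per policy, and it uses constructed policies and a constructed packet (TLS without SNI, so the domain cannot be identified) to show how the same packet slips past a final deny-all policy in loose mode but is denied in strict mode.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "ANY"  # wildcard for a 4-tuple field or the application type

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str
    app: Optional[str] = None     # None: application type not identified
    domain: Optional[str] = None  # None: domain not identified (e.g. TLS without SNI)

@dataclass
class Policy:
    name: str
    action: str                   # "allow" or "deny"
    src: object = ANY
    dst: object = ANY
    dport: object = ANY
    proto: object = ANY
    app: str = ANY                # any value other than ANY needs app identification
    domain: Optional[str] = None  # FQDN condition; None means no domain condition

def evaluate(pkt: Packet, policies: List[Policy], strict: bool) -> Tuple[str, str]:
    """Evaluate policies in priority order and return (action, reason)."""
    for p in policies:
        # Step 1: the 4-tuple must match before app type or domain are considered.
        fields = ((p.src, pkt.src), (p.dst, pkt.dst), (p.dport, pkt.dport), (p.proto, pkt.proto))
        if not all(rule == ANY or rule == value for rule, value in fields):
            continue
        # Steps 2 and 3: app type and domain conditions need the packet to be identified.
        unidentified = (p.app != ANY and pkt.app is None) or (p.domain is not None and pkt.domain is None)
        if unidentified:
            if strict:
                continue  # strict mode: skip this policy and try the next one
            return "allow", f"{p.name}: unidentified traffic allowed (loose mode)"
        if (p.app != ANY and p.app != pkt.app) or (p.domain is not None and p.domain != pkt.domain):
            continue
        return p.action, p.name
    return "allow", "default: no policy matched"

# Constructed sample policies: allow one API domain, then deny everything else.
POLICIES = [
    Policy("allow-api", "allow", src="10.0.1.5", dport=443, proto="TCP", domain="api.example.com"),
    Policy("deny-all", "deny"),
]
# Constructed packet: TLS to port 443 with no SNI, so the domain is unidentified.
NO_SNI = Packet("10.0.1.5", "198.51.100.7", 443, "TCP", app="HTTPS")
```

Calling `evaluate(NO_SNI, POLICIES, strict=False)` returns an allow from the loose-mode default, while `strict=True` falls through to `deny-all`; with only the first policy in place, strict mode ends in the page's final default allow.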
Enable or disable strict mode
You can configure the access control engine mode for the Internet firewall and NAT firewalls. By default, the engine mode is set to Loose Mode. In this mode, Cloud Firewall allows traffic with an unidentified application type or domain name to prevent service disruptions. You can switch to Strict Mode as needed.
To switch the access control engine mode for the Internet firewall, see Configure the access control engine mode for an Internet firewall.
To switch the access control engine mode for a NAT firewall, see Configure the access control engine mode for a NAT firewall.
FAQ
How to view unidentified traffic logs
Log on to the Cloud Firewall console.
In the left-side navigation pane, choose .
On the tab, set Rule Source to Access Control. In the All Pre-match Access Control Policy Statuses search box, select Application Unidentified or Domain Name Unidentified to find the relevant logs.

Review the traffic logs for details such as the time, source IP address, destination IP address, and destination port.
Related documentation
For an overview of how access control policies work, see Overview of access control policies.
To configure an access control policy for an Internet firewall, see Configure access control policies for an Internet firewall.
For more information about traffic logs and their field descriptions, see Log Audit.