
Cloud Firewall:Create access control policies for the Internet firewall

Last Updated:May 16, 2025

By default, if you enable the Internet firewall but do not create any access control policies, Cloud Firewall allows all traffic in the policy match phase. You can create outbound and inbound access control policies for the Internet firewall to prevent unauthorized access between your Internet-facing assets and the Internet. This topic describes how to create inbound and outbound access control policies for the Internet firewall.

Before you start

  • You have enabled the Internet Firewall switch and enabled protection for public assets. For more information, see Enable the Internet firewall.

    For more information about the public assets that Cloud Firewall can protect, see Protection scope.

  • The quota for access control policies is sufficient. You can view the usage of policy quota on the Protection Configuration > Access Control > Internet Border page. For more information about how policy quotas are calculated, see Overview of access control policies.

    If the remaining available policy quota is insufficient, you can click Increase Quota to purchase additional Access Control Global Extension quota. For more information, see Purchase Cloud Firewall.


  • If you want to specify multiple items as source or destination addresses, you can create an address book first. For more information, see Address book management.

Create access control policies for the Internet firewall

Cloud Firewall allows you to create custom policies and provides recommended policies that you can apply.

  • Custom access control policies: You can create custom policies based on your business requirements.

  • Apply intelligent recommended policies: Cloud Firewall automatically learns your traffic from the previous 30 days and recommends multiple intelligent policies based on the traffic risks that are identified. You can choose whether to apply the recommended policies based on your needs.

  • Apply common recommended policies: Cloud Firewall provides built-in recommended policies. If the recommended common policies meet your business requirements, you can apply the policies.

Important
  • For each public IP address that is open to the Internet, we recommend that you allow access only to the ports on which services are provided and deny access to all other ports on the Internet firewall. This reduces the exposure of your assets to the Internet.

  • If you want to allow access from trusted sources such as IP addresses or domain names and deny access to other sources, we recommend that you first create a policy that allows access from the trusted sources and has a higher priority and then create a policy that denies traffic from all sources and has a lower priority.

  • Recommended intelligent policies and recommended common policies take effect only after you apply them.

Create custom access control policies

You can create custom outbound or inbound policies for the Internet firewall based on your business requirements.

  1. Log on to the Cloud Firewall console.

  2. In the left navigation bar, select Protection Configuration > Access Control > Internet Border.

  3. On the Outbound or Inbound tab, select the IP type for which you want to create a policy (IPv4 policies are created by default), and then click Create Policy.


  4. In the Create Outbound Policy or Create Inbound Policy panel, click Create Policy.

  5. Configure the policy details based on the following tables, and then click OK.

    Configure traffic control policies for internal networks to access the Internet (outbound policies)

    Parameter

    Description

    Source Type

    The initiator of network traffic. You must select a source type and enter source addresses based on the selected source type.

    • If you set Source Type to IP, specify one or more CIDR blocks, such as 192.168.0.0/16. You can specify up to 2,000 CIDR blocks. Separate multiple CIDR blocks with commas (,).

      If you enter multiple CIDR blocks at a time, Cloud Firewall automatically creates an address book that includes the entered CIDR blocks. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book.

    • If you set Source Type to Address Book, make sure that an IPv4 or IPv6 address book is configured. For more information about how to create an address book, see Manage address books.

    Source: The source addresses that you enter, in the format that the selected Source Type requires.

    Destination Type

    The receiver of network traffic. You must select a destination type and enter destination addresses to which network traffic is sent based on the selected destination type.

    • If you set Destination Type to IP, specify one or more CIDR blocks, such as 192.168.0.0/16. You can specify up to 2,000 CIDR blocks. Separate multiple CIDR blocks with commas (,).

      If you enter multiple CIDR blocks at a time, Cloud Firewall automatically creates an address book that includes the entered CIDR blocks. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book.

    • If you set Destination Type to Address Book, make sure that an IPv4 or IPv6 address book is configured. For more information about how to create an address book, see Manage address books.

    • If you set Destination Type to Domain Name, select a domain name identification mode. Valid values:

      • FQDN-based Resolution (Extract Host or SNI Field in Packets): If you want to manage HTTP, HTTPS, SMTP, SMTPS, SSL, POPS, and IMAPS traffic, we recommend that you select this mode.

      • DNS-based Dynamic Resolution: If you want to manage traffic except HTTP, HTTPS, SMTP, SMTPS, SSL, POPS, and IMAPS traffic, we recommend that you select this mode.

        Important

        This mode does not support wildcard domain names or address books of wildcard domain names.

      • FQDN and DNS-based Dynamic Resolution: If you want to manage HTTP, HTTPS, SMTP, SMTPS, SSL, POPS, and IMAPS traffic but specific or all traffic does not contain the HOST or SNI field, we recommend that you select this mode.

        Important

        This mode takes effect only if the ACL Engine Management mode is Strict. This mode does not support wildcard domain names or address books of wildcard domain names.

    • If you set Destination Type to Location, select one or more locations of traffic destinations for Destination. You can select one or more locations in or outside China.

    Destination: The destination addresses, domain names, or locations that you enter, in the format that the selected Destination Type requires.

    Protocol Type

    The transport layer protocol. Valid values: TCP, UDP, ICMP, and ANY. If you do not know the protocol type, select ANY.

    Port Type

    The port type and port number of the destination.

    • If you set Port Type to Port, enter port ranges. Specify a port range in the start port/end port format. Examples: 22/22 (a single port) or 80/88 (a range). Separate multiple port ranges with commas (,). You can enter up to 2,000 port ranges.

      If you enter multiple port ranges, Cloud Firewall automatically creates an address book that includes the entered port ranges. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book.

    • If you set Port Type to Address Book, make sure that a port address book is configured. For more information about how to create an address book, see Manage address books.

    Port: The port ranges or port address book that you enter for the selected Port Type.

    Application

    The application type of the traffic. The application that you can select varies based on the specified destination type and protocol.

    • If you set Protocol Type to TCP:

      • Destination Type is set to IP, IP Address Book, or Location: you can select all applications.

      • Destination Type is set to Domain Name or Domain Address Book:

        • If you set Domain Name Identification Mode to FQDN-based Resolution (Extract Host or SNI Field in Packets), you can select only HTTP, HTTPS, SMTP, SMTPS, SSL, POPS, or IMAPS.

        • If you set Domain Name Identification Mode to DNS-based Dynamic Resolution, you can select all applications.

        • If you set Domain Name Identification Mode to FQDN and DNS-based Dynamic Resolution, you can select only HTTP, HTTPS, SMTP, SMTPS, SSL, POPS, or IMAPS.

    • If you set Protocol Type to UDP, you can select ANY or DNS.

    • If you set Protocol Type to ICMP or ANY, you can select only ANY.

    Note

    Cloud Firewall identifies application types based on packet characteristics instead of port numbers. If Cloud Firewall cannot identify the application type in a packet, Cloud Firewall allows the packet. If you want to block the traffic whose application type is unknown, we recommend that you enable the strict mode for the Internet firewall. For more information, see Configure the mode of the access control engine.

    Action

    The action on the traffic if the traffic meets the preceding conditions that you specify for the access control policy. Valid values:

    • Allow: The traffic is allowed.

    • Deny: The traffic is denied, and no notifications are sent.

    • Monitor: The traffic is recorded and allowed. You can filter traffic logs by specifying related fields and observe the traffic for a period of time. Then, change the policy action to Allow or Deny based on your business requirements.

    Description

    The description of the access control policy. Enter a description that can help identify the policy.

    Priority

    The priority of the access control policy. Default value: Lowest. Valid values:

    • Highest: The access control policy has the highest priority.

    • Lowest: The access control policy has the lowest priority.

    Policy Validity Period

    The validity period of the access control policy. The policy can be used to match traffic only within the validity period. Valid values:

    Enabling Status

    Specify whether to enable the policy. If you turn off Status when you create an access control policy, you can enable the policy in the list of access control policies.

    Configure traffic control policies for the Internet to access internal networks (inbound policies)

    Parameter

    Description

    Source Type

    The initiator of network traffic. You must select a source type and enter source addresses based on the selected source type.

    • If you set Source Type to IP, specify one or more CIDR blocks, such as 192.168.0.0/16. You can specify up to 2,000 CIDR blocks. Separate multiple CIDR blocks with commas (,).

      If you enter multiple CIDR blocks at a time, Cloud Firewall automatically creates an address book that includes the entered CIDR blocks. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book.

    • If you set Source Type to Address Book, make sure that an IP address book is configured. For more information about how to create an address book, see Manage address books.

    • If you set Source Type to Location, select one or more locations of traffic sources for Source. You can select one or more locations in or outside China.

    Source: The source addresses or locations that you enter, in the format that the selected Source Type requires.

    Destination Type

    The receiver of network traffic. You must select a destination type and enter destination addresses to which network traffic is sent based on the selected destination type.

    • If you set Destination Type to IP, specify one or more CIDR blocks, such as 192.168.0.0/16. You can specify up to 2,000 CIDR blocks. Separate multiple CIDR blocks with commas (,).

      If you enter multiple CIDR blocks at a time, Cloud Firewall automatically creates an address book that includes the entered CIDR blocks. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book.

    • If you set Destination Type to Address Book, make sure that an IP address book is configured. For more information about how to create an address book, see Manage address books.

    Destination: The destination addresses that you enter, in the format that the selected Destination Type requires.

    Protocol Type

    The transport layer protocol. Valid values: TCP, UDP, ICMP, and ANY. If you do not know the protocol type, select ANY.

    Port Type

    The port type and port number of the destination.

    • If you set Port Type to Port, enter port ranges. Specify a port range in the start port/end port format. Examples: 22/22 (a single port) or 80/88 (a range). Separate multiple port ranges with commas (,). You can enter up to 2,000 port ranges.

      If you enter multiple port ranges, Cloud Firewall automatically creates an address book that includes the entered port ranges. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book.

    • If you set Port Type to Address Book, make sure that a port address book is configured. For more information about how to create an address book, see Manage address books.

    Port: The port ranges or port address book that you enter for the selected Port Type.

    Application

    The application type of the traffic.

    • If you set Protocol Type to TCP, you can select all applications, such as HTTP, HTTPS, SMTP, SMTPS, SSL, and FTP.

    • If you set Protocol Type to UDP, you can select ANY or DNS.

    • If you set Protocol Type to ICMP or ANY, you can select only ANY.

    Note

    Cloud Firewall identifies application types based on packet characteristics instead of port numbers. If Cloud Firewall cannot identify the application type in a packet, Cloud Firewall allows the packet. If you want to block the traffic whose application type is unknown, we recommend that you enable the strict mode for the Internet firewall. For more information, see Configure the mode of the access control engine.

    Action

    The action on the traffic if the traffic meets the preceding conditions that you specify for the access control policy. Valid values:

    • Allow: The traffic is allowed.

    • Deny: The traffic is denied, and no notifications are sent.

    • Monitor: The traffic is recorded and allowed. You can filter traffic logs by specifying related fields and observe the traffic for a period of time. Then, change the policy action to Allow or Deny based on your business requirements.

    Description

    The description of the access control policy. Enter a description that can help identify the policy.

    Priority

    The priority of the access control policy. Default value: Lowest. Valid values:

    • Highest: The access control policy has the highest priority.

    • Lowest: The access control policy has the lowest priority.

    Policy Validity Period

    The validity period of the access control policy. The policy can be used to match traffic only within the validity period. Valid values:

    Enabling Status

    Specify whether to enable the policy. If you turn off Status when you create an access control policy, you can enable the policy in the list of access control policies.

Apply intelligent recommended policies

Cloud Firewall automatically learns your traffic from the previous 30 days and recommends multiple intelligent policies based on the traffic risks that are identified. If the recommended intelligent policies meet your business requirements, you can apply the policies.

You can apply both outbound and inbound intelligent policies that are recommended.

Warning
  • Before you apply a recommended policy, make sure that you understand its meaning and the possible impacts on services.

  • You can ignore recommended intelligent policies. After you ignore a recommended intelligent policy, the policy cannot be restored. Proceed with caution.

Check whether intelligent recommended policies exist

You can check whether Cloud Firewall has generated intelligent policies on the Internet Border page.


  1. In the left navigation bar, select Protection Configuration > Access Control > Internet Border.

  2. Use one of the following methods to go to the Intelligent Policy Recommendation page:

    • In the upper-right corner of the policy list, click Intelligent Policy, and then click the Outbound or Inbound tab.


    • On the Outbound or Inbound tab, click Create Policy, and then click the Intelligent Policy Recommendation tab.

  3. View the intelligent recommended policies and click Apply Policy in the area of the policy that you want to apply. Alternatively, select multiple policies that you want to apply and click Batch Dispatch.

Apply common recommended policies

If the recommended common policies meet your business requirements, you can apply the policies.

Warning
  • Before you apply a recommended policy, make sure that you understand its meaning and the possible impacts on services.

  • You can ignore recommended common policies. After you ignore a recommended common policy, the policy cannot be restored. Proceed with caution. If you have ignored all common policies, the Common Policy Recommendation tab is not displayed.

  1. In the left navigation bar, select Protection Configuration > Access Control > Internet Border.

  2. On the Outbound or Inbound tab, click Create Policy, and then click the Common Policy Recommendation tab.

  3. View the common recommended policies and click Quick Apply in the area of the policy that you want to apply.

Configure the access control engine mode

The ACL engine mode of the Internet firewall supports Loose and Strict modes:

  • Loose Mode (default): If you enable the loose mode, Cloud Firewall allows traffic whose application or domain name cannot be identified to ensure business continuity.

  • Strict Mode: If you enable the strict mode, Cloud Firewall strictly matches traffic whose application or domain name cannot be identified against the configured policies. If a deny policy is configured, Cloud Firewall denies the traffic whose application or domain name cannot be identified.
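The following Python model is an added illustration, not Cloud Firewall code, of the match-phase behaviour this page describes in three places: policies are evaluated in priority order and the first match wins, with traffic that matches no policy allowed by default; a higher-priority allow policy for trusted sources followed by a lower-priority deny-all policy (the pattern recommended under Important above), including what happens when the two are in the wrong order; and Loose versus Strict handling of traffic whose application cannot be identified. The Flow and Policy structures, the sample addresses and policy names, and the rule that in Strict mode unidentified traffic is matched against a policy's other conditions (so that a deny policy can catch it) are assumptions made for the example. The port syntax follows the start/end format described in the parameter tables.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed model of the Internet-firewall policy match phase; not Cloud Firewall code.


def parse_ports(spec: str) -> List[Tuple[int, int]]:
    """Parse the console's 'start/end' port-range syntax, e.g. '22/22, 80/88'."""
    ranges = []
    for item in spec.split(","):
        lo, hi = (int(x) for x in item.strip().split("/"))
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {item!r}")
        ranges.append((lo, hi))
    return ranges


def parse_cidrs(spec: str):
    """Parse the comma-separated CIDR list entered for Source or Destination."""
    return [ip_network(c.strip(), strict=False) for c in spec.split(",")]


@dataclass
class Flow:
    src: str
    dst: str
    proto: str            # TCP, UDP or ICMP
    dport: int
    app: Optional[str]    # None = the engine could not identify the application


@dataclass
class Policy:
    name: str
    source: str           # CIDR blocks, as typed in the Source field
    destination: str
    proto: str            # TCP, UDP, ICMP or ANY
    ports: str            # 'start/end' ranges; this model ignores them for ICMP/ANY
    application: str      # HTTP, DNS, ..., or ANY
    action: str           # Allow, Deny or Monitor

    def matches(self, flow: Flow, strict: bool) -> bool:
        if not any(ip_address(flow.src) in n for n in parse_cidrs(self.source)):
            return False
        if not any(ip_address(flow.dst) in n for n in parse_cidrs(self.destination)):
            return False
        if self.proto != "ANY" and self.proto != flow.proto:
            return False
        if self.proto in ("TCP", "UDP") and not any(
            lo <= flow.dport <= hi for lo, hi in parse_ports(self.ports)
        ):
            return False
        if self.application == "ANY":
            return True
        if flow.app is None:
            # Assumption for this model: in Strict mode unidentified traffic is still
            # matched against the policy's other conditions, so a Deny policy can
            # catch it; in Loose mode such traffic never reaches this point.
            return strict
        return self.application == flow.app


@dataclass
class Verdict:
    action: str            # effective result: Allow or Deny
    policy: Optional[str]  # name of the first matching policy, or None
    logged: bool           # True when a Monitor policy matched (allowed and recorded)


def evaluate(policies: List[Policy], flow: Flow, mode: str = "Loose") -> Verdict:
    """First match in priority order wins; no match means the default allow."""
    if flow.app is None and mode == "Loose":
        return Verdict("Allow", None, False)   # Loose mode: unidentifiable traffic passes
    for p in policies:                          # list order = policy priority
        if p.matches(flow, strict=(mode == "Strict")):
            if p.action == "Monitor":
                return Verdict("Allow", p.name, True)
            return Verdict(p.action, p.name, False)
    return Verdict("Allow", None, False)        # nothing matched: allowed by default


# Constructed sample: allow SSH from a trusted range (higher priority), deny everything else.
TRUSTED_ALLOW = Policy("allow-trusted-ssh", "203.0.113.0/24", "198.51.100.10/32",
                       "TCP", "22/22", "ANY", "Allow")
DENY_ALL = Policy("deny-all", "0.0.0.0/0", "0.0.0.0/0", "ANY", "", "ANY", "Deny")
INBOUND = [TRUSTED_ALLOW, DENY_ALL]

if __name__ == "__main__":
    ssh = Flow("203.0.113.7", "198.51.100.10", "TCP", 22, "SSH")
    other = Flow("192.0.2.5", "198.51.100.10", "TCP", 3389, "RDP")
    unknown = Flow("192.0.2.5", "198.51.100.10", "TCP", 4444, None)
    print(evaluate(INBOUND, ssh))                     # Allow via allow-trusted-ssh
    print(evaluate(INBOUND, other))                   # Deny via deny-all
    print(evaluate(INBOUND, unknown, "Loose"))        # Allow: application unidentified
    print(evaluate(INBOUND, unknown, "Strict"))       # Deny via deny-all
    print(evaluate([DENY_ALL, TRUSTED_ALLOW], ssh))   # Deny: deny-all shadows the allow
```

The last call shows why the Important note orders the policies as it does: once deny-all sits above the trusted allow, the allow can never match. The two unknown-application calls show the practical difference between the engine modes: with the same deny-all policy in place, Loose mode lets unidentifiable traffic through and only Strict mode blocks it.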

You can configure the ACL engine mode by using Default for New Assets, Single Asset Configuration, or Batch Asset Configuration. On the Protection Configuration > Access Control > Internet Border page, click ACL Engine Management in the upper-right corner of the access control policy list. In the ACL Engine Management - Internet Firewall panel, configure the ACL engine mode.


ACL engine mode for new assets

In the ACL Engine Management - Internet Firewall panel, the Engine Management > Add ACL Engine Mode setting shows the engine mode that is currently configured for new assets. New assets use this mode when protection is enabled for them.

Click the Modify button to change the current configuration mode.


Modify the ACL engine mode for a single resource

In the ACL Engine Management - Internet Firewall panel, the ACL Engine Mode column in the asset list displays the engine mode that the current asset uses.

Click the Modify button to change the engine mode of the selected asset.


Modify the ACL engine mode for multiple resources

In the ACL Engine Management - Internet Firewall panel, select multiple assets and then click the Batch Modify button in the lower-left corner to change the ACL engine mode of the selected assets in one operation.


View policy hits

After your business has been running for a period of time, you can view the hit status of access control policies in the Hits/Last Hit At column in the access control policy list.

Click the hit count to go to the Traffic Log page to view traffic logs. For more information about how to view traffic logs, see Log Audit.


Related operations

After you create a custom policy, you can find the policy in the list of custom policies and edit, delete (you can delete policies one by one or in batch), download (you can download the list of custom policies), copy, or move (change the priority of) the policy.

The priority of an access control policy can be set from 1 to N, where N is the number of existing access control policies. A smaller value indicates a higher priority. After you change the priority of a policy, the policies that rank below its new position are renumbered, so their priorities decrease.
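The renumbering described above, as an added illustration rather than Cloud Firewall code: the policy list is kept from highest to lowest priority, a move is validated against the 1 to N range, and every policy at or below the new position shifts down by one while the rest keep their relative order. The policy names are constructed for the example.

```python
from typing import Dict, List

# Constructed model of the "move" operation on the policy list; not Cloud Firewall code.


def move_policy(order: List[str], name: str, new_priority: int) -> List[str]:
    """Move policy `name` to position `new_priority` (1 = highest) in `order`,
    a list of policy names from highest to lowest priority. The other policies
    keep their relative order and are renumbered 1..N by their new positions."""
    n = len(order)
    if not 1 <= new_priority <= n:
        raise ValueError(f"priority must be between 1 and {n}, got {new_priority}")
    if name not in order:
        raise KeyError(f"no policy named {name!r}")
    reordered = [p for p in order if p != name]
    reordered.insert(new_priority - 1, name)
    return reordered


def priorities(order: List[str]) -> Dict[str, int]:
    """Map each policy name to its priority number (1 = highest)."""
    return {p: i + 1 for i, p in enumerate(order)}


if __name__ == "__main__":
    # Constructed sample: a deny-all policy was created before the trusted allow,
    # so the allow is shadowed until it is moved above the deny.
    current = ["deny-all", "allow-trusted-ssh", "monitor-web"]
    fixed = move_policy(current, "allow-trusted-ssh", 1)
    print(priorities(fixed))  # {'allow-trusted-ssh': 1, 'deny-all': 2, 'monitor-web': 3}
```

After the move, deny-all drops from priority 1 to 2 and monitor-web keeps priority 3, which is the renumbering the paragraph above describes.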

Important

After you delete a policy, Cloud Firewall no longer controls the traffic that the policy previously matched. Proceed with caution.
