
How an access control policy works

Last Updated: Nov 11, 2025

If access control policies are configured inappropriately, traffic may be allowed or denied incorrectly, which can lead to data leaks, Internet exposure, and service interruptions. We recommend that you evaluate your business requirements before you configure access control policies so that traffic is managed precisely. This topic describes how access control policies work.

Background information

By default, if no access control policy is configured, Cloud Firewall allows all traffic during the matching process of access control policies. After you configure access control policies, Cloud Firewall filters traffic and allows only traffic that meets specific requirements.

Terms

The following table lists key terms that are related to access control policies, which helps you understand how access control policies work.

Term

Description

matching item

An access control policy contains multiple items, including the source type, source address, and destination type. When traffic passes through Cloud Firewall, Cloud Firewall matches the traffic packet against specific items of access control policies in sequence. The items are the source address, destination address, destination port, protocol type, application, and domain name.

destination type

The type of the destination address in an access control policy. The supported destination types include IP address, address book, and domain name.

Note

The supported destination types vary based on the firewall type. The destination types displayed in the Cloud Firewall console prevail.

4-tuple

In this topic, a 4-tuple consists of the source IP address, destination IP address, destination port, and protocol type.

application

The application layer protocol. Cloud Firewall supports various types of applications, such as HTTP, HTTPS, Simple Mail Transfer Protocol (SMTP), Simple Mail Transfer Protocol Secure (SMTPS), SSL, and FTP. You can select up to five types of applications for an access control policy.

The value ANY specifies all application types.

Note

Cloud Firewall identifies the application of SSL and TLS traffic over port 443 as HTTPS, and SSL and TLS traffic over other ports as SSL.

splitting logic

When you configure an access control policy, you can specify multiple control objects for different matching items. The value of each matching item can be an independent control object. For example, you can specify the CIDR block 192.0.2.0/24, port range 80/88, and port 22/22 as control objects.

After you configure an access control policy, Cloud Firewall splits the policy into one or more matching rules based on specific logic and sends the matching rules to an engine. Each matching item of a matching rule can contain only one control object.

matching logic

The process in which Cloud Firewall evaluates whether network traffic meets the conditions based on the split matching rules, and performs the action specified in the related access control policy based on the matching result.

If the destination type of an access control policy is domain name or domain address book, take note of the following domain name identification modes:

  • FQDN-based Dynamic Resolution (Extract Host and SNI Fields): If Application of the policy is set to HTTP, HTTPS, SMTP, SMTPS, or SSL, Cloud Firewall preferentially uses the Host or SNI fields to perform access control on domain names.

  • DNS-based Dynamic Resolution: If Application of the policy is set to a value other than HTTP, HTTPS, SSL, SMTP, or SMTPS, Cloud Firewall performs Domain Name System (DNS)-based dynamic resolution on domain names. Cloud Firewall can perform access control on the resolved IP addresses of the domain names. A domain name can be resolved to up to 500 IP addresses.

Workflow

The following figure shows the workflow of an access control policy.

[Figure: workflow of an access control policy]

  1. After you create an access control policy, Cloud Firewall splits the policy into one or more matching rules based on specific logic and sends the matching rules to the engine. For more information, see 1. Splitting logic of an access control policy.

  2. When traffic passes through Cloud Firewall, Cloud Firewall matches the traffic packet against access control policies based on the priorities of the policies in sequence, and allows or denies the traffic packet based on the matching result. For more information, see 2. Matching logic of an access control policy.

    If the traffic packet hits a policy, Cloud Firewall performs the action specified in the policy, and the subsequent policies are not matched. Otherwise, Cloud Firewall continues to match the traffic packet against the policy that has a lower priority until a policy is hit or all configured policies are matched. By default, if traffic does not hit a policy after all configured policies are matched, the traffic is allowed.

1. Splitting logic of an access control policy

After you create an access control policy, Cloud Firewall splits the policy into one or more matching rules based on specific logic and sends the matching rules to the engine. The Internet firewall, NAT firewalls, and virtual private cloud (VPC) firewalls implement access control for domain names based on the domain name information in traffic. The splitting logic of access control policies created for firewalls varies based on whether Cloud Firewall performs DNS resolution on the domain name.

Important
  • After you create, modify, or delete an access control policy, Cloud Firewall requires approximately 3 minutes to send the matching rules to the engine.

  • After Cloud Firewall splits an access control policy into multiple matching rules, it matches traffic against those matching rules in sequence. If the traffic hits any matching rule of the policy, the traffic hits the policy.

  • For more information about DNS resolution, see DNS resolution.

Internet border

After you create an access control policy for the Internet firewall, Cloud Firewall splits the policy into matching rules based on Destination Type and Application specified for the policy. The following figure shows the splitting logic and matching logic of an access control policy created for the Internet firewall.

[Figure: splitting logic and matching logic of a policy created for the Internet firewall]

The destination type is IP or IP address book

If Destination Type of a policy is set to IP or IP Address Book, Cloud Firewall splits the source address, destination address, protocol type, port, and application based on the number of the control objects specified for each matching item.

Cloud Firewall matches traffic against this policy by 4-tuple and application in sequence. For more information, see Match traffic by 4-tuple and application in sequence.

Policy splitting example

Access control policy:

  • Source: 192.0.2.0/24, 198.51.100.0/24

  • Destination: 203.0.113.0/24

  • Protocol: TCP

  • Port: 22/22, 80/88

  • Application: HTTP

Matching rules after splitting:

Matching rule 1:

  • Source: 192.0.2.0/24

  • Destination: 203.0.113.0/24

  • Protocol: TCP

  • Port: 22/22

  • Application: HTTP

Matching rule 2:

  • Source: 192.0.2.0/24

  • Destination: 203.0.113.0/24

  • Protocol: TCP

  • Port: 80/88

  • Application: HTTP

Matching rule 3:

  • Source: 198.51.100.0/24

  • Destination: 203.0.113.0/24

  • Protocol: TCP

  • Port: 22/22

  • Application: HTTP

Matching rule 4:

  • Source: 198.51.100.0/24

  • Destination: 203.0.113.0/24

  • Protocol: TCP

  • Port: 80/88

  • Application: HTTP

The destination type of the policy is domain name

If Destination Type of a policy is set to Domain Name, Cloud Firewall identifies the application specified in the policy, splits the policy into matching rules based on the application, and sends the matching rules to the engine.

  • If Application is set to HTTP, HTTPS, SMTP, SMTPS, SSL, or a combination of the values and Domain Name Identification Mode is set to FQDN-based Dynamic Resolution (Extract Host and SNI Fields), Cloud Firewall does not resolve the domain name to IP addresses. Cloud Firewall sets the destination address to 0.0.0.0/0, and splits the domain name, source address, protocol type, port, and application based on the number of the control objects specified for each matching item.

    Cloud Firewall matches traffic against this policy by 4-tuple, application, and domain name in sequence. For more information, see Match traffic by 4-tuple, application, and domain name in sequence.

    Policy splitting example

    Access control policy:

    • Source: 192.0.2.0/24

    • Destination: www.aliyun.com

    • Protocol: TCP

    • Port: 0/0

    • Application: HTTP, HTTPS

    Matching rules after splitting:

    Matching rule 1:

    • Source: 192.0.2.0/24

    • Destination: 0.0.0.0/0

    • Protocol: TCP

    • Port: 0/0

    • Application: HTTP

    • Domain name: www.aliyun.com

    Matching rule 2:

    • Source: 192.0.2.0/24

    • Destination: 0.0.0.0/0

    • Protocol: TCP

    • Port: 0/0

    • Application: HTTPS

    • Domain name: www.aliyun.com

  • If Application is set to a value other than HTTP, HTTPS, SMTP, SMTPS, SSL, or ANY and Domain Name Identification Mode is set to DNS-based Dynamic Resolution, Cloud Firewall resolves the domain name to IP addresses, sets the destination address to the resolved IP addresses, and splits the source address, destination address, protocol type, port, and application based on the number of the control objects specified for each matching item.

    Cloud Firewall matches traffic against this policy by 4-tuple and application in sequence. For more information, see Match traffic by 4-tuple and application in sequence.

    Policy splitting example

    Access control policy:

    • Source: 203.0.113.0/24

    • Destination: www.aliyun.com

    • Protocol: TCP

    • Port: 0/0

    • Application: MySQL

    Note

    Assume that www.aliyun.com is resolved to 106.XX.XX.5 and 106.XX.XX.6.

    Matching rules after splitting:

    Matching rule 1:

    • Source: 203.0.113.0/24

    • Destination: 106.XX.XX.5

    • Protocol: TCP

    • Port: 0/0

    • Application: MySQL

    Matching rule 2:

    • Source: 203.0.113.0/24

    • Destination: 106.XX.XX.6

    • Protocol: TCP

    • Port: 0/0

    • Application: MySQL

  • If Application is set to ANY, or a combination of HTTP, HTTPS, SMTP, SMTPS, or SSL and another application, Cloud Firewall splits the policy into two types of matching rules. For example, the application of the policy is set to HTTP and MySQL.

    1. If Application is set to HTTP, HTTPS, SMTP, SMTPS, or SSL and Domain Name Identification Mode is set to FQDN-based Dynamic Resolution (Extract Host and SNI Fields), Cloud Firewall does not resolve the domain name to IP addresses. Cloud Firewall sets the destination address to 0.0.0.0/0, and splits the domain name, source address, protocol type, port, and application based on the number of the control objects specified for each matching item.

      Cloud Firewall matches traffic against this policy by 4-tuple, application, and domain name in sequence. For more information, see Match traffic by 4-tuple, application, and domain name in sequence.

    2. If Application is set to ANY and Domain Name Identification Mode is set to DNS-based Dynamic Resolution, Cloud Firewall resolves the domain name to IP addresses, sets the destination address to the resolved IP addresses, and splits the source address, destination address, protocol type, port, and application based on the number of the control objects specified for each matching item.

      Cloud Firewall matches traffic against this policy by 4-tuple and application in sequence. For more information, see Match traffic by 4-tuple and application in sequence.

    Policy splitting example

    Access control policy 1:

    • Source: 192.0.2.0/24

    • Destination: www.aliyun.com

    • Protocol: TCP

    • Port: 0/0

    • Application: ANY

    Note

    Assume that www.aliyun.com is resolved to 106.XX.XX.5 and 106.XX.XX.6.

    Matching rules after splitting (policy 1):

    Matching rule 1:

    • Source: 192.0.2.0/24

    • Destination: 0.0.0.0/0

    • Protocol: TCP

    • Port: 0/0

    • Application: HTTP

    • Domain name: www.aliyun.com

    Matching rule 2:

    • Source: 192.0.2.0/24

    • Destination: 0.0.0.0/0

    • Protocol: TCP

    • Port: 0/0

    • Application: HTTPS

    • Domain name: www.aliyun.com

    Matching rule 3:

    • Source: 192.0.2.0/24

    • Destination: 0.0.0.0/0

    • Protocol: TCP

    • Port: 0/0

    • Application: SMTP

    • Domain name: www.aliyun.com

    Matching rule 4:

    • Source: 192.0.2.0/24

    • Destination: 0.0.0.0/0

    • Protocol: TCP

    • Port: 0/0

    • Application: SMTPS

    • Domain name: www.aliyun.com

    Matching rule 5:

    • Source: 192.0.2.0/24

    • Destination: 0.0.0.0/0

    • Protocol: TCP

    • Port: 0/0

    • Application: SSL

    • Domain name: www.aliyun.com

    Matching rule 6:

    • Source: 192.0.2.0/24

    • Destination: 106.XX.XX.5

    • Protocol: TCP

    • Port: 0/0

    • Application: ANY

    Matching rule 7:

    • Source: 192.0.2.0/24

    • Destination: 106.XX.XX.6

    • Protocol: TCP

    • Port: 0/0

    • Application: ANY

    Access control policy 2:

    • Source: 198.51.100.0/24

    • Destination: www.aliyun.com

    • Protocol: TCP

    • Port: 0/0

    • Application: HTTP, MySQL

    Note

    Assume that www.aliyun.com is resolved to 106.XX.XX.5 and 106.XX.XX.6.

    Matching rules after splitting (policy 2):

    Matching rule 1:

    • Source: 198.51.100.0/24

    • Destination: 0.0.0.0/0

    • Protocol: TCP

    • Port: 0/0

    • Application: HTTP

    • Domain name: www.aliyun.com

    Matching rule 2:

    • Source: 198.51.100.0/24

    • Destination: 106.XX.XX.6

    • Protocol: TCP

    • Port: 0/0

    • Application: MySQL

    Matching rule 3:

    • Source: 198.51.100.0/24

    • Destination: 106.XX.XX.5

    • Protocol: TCP

    • Port: 0/0

    • Application: MySQL

The destination type of the policy is domain address book

If Destination Type of a policy is set to Domain Address Book and Domain Name Identification Mode is set to FQDN-based Dynamic Resolution (Extract Host and SNI Fields), Application can be set only to HTTP, HTTPS, SMTP, SMTPS, or SSL. If the destination type is domain address book, the destination address is multiple domain names. In this case, Cloud Firewall does not resolve the domain name to IP addresses. Cloud Firewall sets the destination address to 0.0.0.0/0, and splits the domain name, source address, protocol type, port, and application based on the number of the control objects specified for each matching item.

Cloud Firewall matches traffic against this policy by 4-tuple, application, and domain name in sequence. For more information, see Match traffic by 4-tuple, application, and domain name in sequence.

Policy splitting example

Access control policy:

  • Source: 192.0.2.0/24

  • Destination: www.aliyun.com, www.example.com

  • Protocol: TCP

  • Port: 0/0

  • Application: HTTP, HTTPS

Matching rules after splitting:

Matching rule 1:

  • Source: 192.0.2.0/24

  • Destination: 0.0.0.0/0

  • Protocol: TCP

  • Port: 0/0

  • Application: HTTP

  • Domain name: www.aliyun.com

Matching rule 2:

  • Source: 192.0.2.0/24

  • Destination: 0.0.0.0/0

  • Protocol: TCP

  • Port: 0/0

  • Application: HTTPS

  • Domain name: www.aliyun.com

Matching rule 3:

  • Source: 192.0.2.0/24

  • Destination: 0.0.0.0/0

  • Protocol: TCP

  • Port: 0/0

  • Application: HTTP

  • Domain name: www.example.com

Matching rule 4:

  • Source: 192.0.2.0/24

  • Destination: 0.0.0.0/0

  • Protocol: TCP

  • Port: 0/0

  • Application: HTTPS

  • Domain name: www.example.com
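The splitting logic of the Internet border section, as an added example (not Cloud Firewall's own code): a Python function that turns one access control policy into matching rules, covering the IP / IP address book case, the domain name case with FQDN-based and DNS-based applications, the mixed and ANY case, and the domain address book restriction described above. The policy dictionary layout, the `FAKE_DNS` table, and the addresses 106.0.0.5 and 106.0.0.6 (standing in for the page's masked 106.XX.XX.5 and 106.XX.XX.6) are assumptions made for this example; the 500-address cap and the order of the emitted rules follow the page.

```python
"""Constructed example of Cloud Firewall's policy splitting logic (not the
product's own code): one access control policy becomes one or more matching
rules, each holding a single control object per matching item."""
from itertools import product

# Applications whose domain names Cloud Firewall identifies from the Host/SNI
# fields (FQDN-based dynamic resolution), per the page.
FQDN_APPS = ("HTTP", "HTTPS", "SMTP", "SMTPS", "SSL")

# The page states that a domain name is resolved to at most 500 addresses.
MAX_RESOLVED = 500

# Constructed stand-in for DNS-based dynamic resolution. The page masks the
# addresses as 106.XX.XX.5/6; the values below are made up for the example.
FAKE_DNS = {"www.aliyun.com": ["106.0.0.5", "106.0.0.6"]}


def resolve(domain):
    """Hypothetical resolver: the IP addresses a domain currently resolves to."""
    return FAKE_DNS.get(domain, [])[:MAX_RESOLVED]


def make_rule(src, dst, proto, port, app, domain=None):
    """One matching rule: exactly one control object per matching item."""
    rule = {"src": src, "dst": dst, "proto": proto, "port": port, "app": app}
    if domain is not None:
        rule["domain"] = domain  # only FQDN-based rules carry a domain name item
    return rule


def split_policy(policy):
    """Split one policy into the list of matching rules sent to the engine.

    policy keys (assumed layout): dest_type ("IP", "DomainName" or
    "DomainAddressBook"), sources, destinations, ports, applications (lists of
    control objects) and protocol (one value). Rules come out in the same
    order as the page's examples: source-major, then destination, port, app.
    """
    proto = policy["protocol"]
    sources, ports = policy["sources"], policy["ports"]
    apps = list(policy["applications"])
    rules = []

    if policy["dest_type"] == "IP":
        # IP or IP address book: plain Cartesian product of the control objects.
        for src, dst, port, app in product(sources, policy["destinations"], ports, apps):
            rules.append(make_rule(src, dst, proto, port, app))
        return rules

    # Domain name / domain address book: the application decides whether a rule
    # keeps the domain name (FQDN-based) or is expanded to resolved addresses.
    if "ANY" in apps:
        # ANY yields both kinds: one FQDN rule per Host/SNI application plus
        # one DNS-based rule per resolved address with application ANY.
        fqdn_apps, dns_apps = list(FQDN_APPS), ["ANY"]
    else:
        fqdn_apps = [a for a in apps if a in FQDN_APPS]
        dns_apps = [a for a in apps if a not in FQDN_APPS]

    if policy["dest_type"] == "DomainAddressBook" and dns_apps:
        # The page restricts domain address books to the Host/SNI applications.
        raise ValueError("domain address book supports only HTTP, HTTPS, SMTP, SMTPS, SSL")

    for domain in policy["destinations"]:
        # FQDN-based: no resolution; destination becomes 0.0.0.0/0 and the
        # domain name is carried as its own matching item.
        for src, port, app in product(sources, ports, fqdn_apps):
            rules.append(make_rule(src, "0.0.0.0/0", proto, port, app, domain))
        # DNS-based: the domain name is replaced by each resolved IP address.
        if dns_apps:
            for ip in resolve(domain):
                for src, port, app in product(sources, ports, dns_apps):
                    rules.append(make_rule(src, ip, proto, port, app))
    return rules
```

Feeding the page's own examples through `split_policy` reproduces their rule counts (4, 2, 2, 7, 3 and 4). The useful check for a policy reviewer is the DNS-based branch: a rule whose destination is a resolved address only matches what the resolver returned at split time, which is why the page steers Host/SNI-capable applications to FQDN-based rules.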

NAT border

When you configure a domain name-based access control policy for a NAT firewall, you can set the Domain Name Identification Mode parameter. Cloud Firewall uses this parameter to decide whether to perform DNS resolution on the domain name. The following figure shows the splitting logic and matching logic of an access control policy created for a NAT firewall.

[Figure: splitting logic and matching logic of a policy created for a NAT firewall]

The destination type is IP or IP address book

If Destination Type of a policy is set to IP or IP Address Book, Cloud Firewall splits the source address, destination address, protocol type, port, and application based on the number of the control objects specified for each matching item.

Cloud Firewall matches traffic against this policy by 4-tuple and application in sequence. For more information, see Match traffic by 4-tuple and application in sequence.

Policy splitting example

Access control policy:

  • Source: 10.0.0.0/8, 192.168.0.0/24

  • Destination: 192.0.2.0/24

  • Protocol: TCP

  • Port: 22/22, 80/88

  • Application: HTTP

Matching rules after splitting:

Matching rule 1:

  • Source: 10.0.0.0/8

  • Destination: 192.0.2.0/24

  • Protocol: TCP

  • Port: 22/22

  • Application: HTTP

Matching rule 2:

  • Source: 10.0.0.0/8

  • Destination: 192.0.2.0/24

  • Protocol: TCP

  • Port: 80/88

  • Application: HTTP

Matching rule 3:

  • Source: 192.168.0.0/24

  • Destination: 192.0.2.0/24

  • Protocol: TCP

  • Port: 22/22

  • Application: HTTP

Matching rule 4:

  • Source: 192.168.0.0/24

  • Destination: 192.0.2.0/24

  • Protocol: TCP

  • Port: 80/88

  • Application: HTTP

The destination type of the policy is domain name

If Destination Type of a policy is set to Domain Name, Cloud Firewall splits the policy based on the domain name identification mode.

  • If Domain Name Identification Mode is set to FQDN-based Dynamic Resolution (Extract Host and SNI Fields), Application can be set only to HTTP, HTTPS, SMTP, SMTPS, SSL, or a combination of the values. In this mode, Cloud Firewall does not resolve the domain name to IP addresses. Cloud Firewall sets the destination address to 0.0.0.0/0, and splits the domain name, source address, protocol type, port, and application based on the number of the control objects specified for each matching item.

    Cloud Firewall matches traffic against this policy by 4-tuple, application, and domain name in sequence. For more information, see Match traffic by 4-tuple, application, and domain name in sequence.

    Policy splitting example

    Access control policy:

    • Source: 192.168.7.10/32

    • Destination: www.aliyun.com

      Domain Name Identification Mode: FQDN-based Dynamic Resolution (Extract Host and SNI Fields)

    • Protocol: TCP

    • Port: 0/0

    • Application: HTTP, HTTPS

    Matching rules after splitting:

    Matching rule 1:

    • Source: 192.168.7.10/32

    • Destination: 0.0.0.0/0

    • Protocol: TCP

    • Port: 0/0

    • Application: HTTP

    • Domain name: www.aliyun.com

    Matching rule 2:

    • Source: 192.168.7.10/32

    • Destination: 0.0.0.0/0

    • Protocol: TCP

    • Port: 0/0

    • Application: HTTPS

    • Domain name: www.aliyun.com

  • If Domain Name Identification Mode is set to DNS-based Dynamic Resolution, Cloud Firewall splits the policy based on the application.

    • If Application is set to HTTP, HTTPS, SMTP, SMTPS, SSL, or a combination of the values, Cloud Firewall does not resolve the domain name to IP addresses. Cloud Firewall sets the destination address to 0.0.0.0/0, and splits the domain name, source address, protocol type, port, and application based on the number of the control objects specified for each matching item.

      Cloud Firewall matches traffic against this policy by 4-tuple, application, and domain name in sequence. For more information, see Match traffic by 4-tuple, application, and domain name in sequence.

    • If Application of the policy is set to a value other than HTTP, HTTPS, SMTP, SMTPS, and SSL, Cloud Firewall resolves the domain name to IP addresses, sets the destination address of the matching rule to the resolved IP addresses, and splits the source address, destination address, protocol type, port, and application based on the number of the control objects specified for each matching item.

      Cloud Firewall matches traffic against this policy by 4-tuple and application in sequence. For more information, see Match traffic by 4-tuple and application in sequence.

    • If Application is set to ANY, or a combination of HTTP, HTTPS, SMTP, SMTPS, or SSL and another application, Cloud Firewall splits the policy into two types of matching rules. For example, Application is set to HTTP and MySQL.

      When Cloud Firewall matches traffic against this policy, it matches the traffic against the FQDN-based rules by 4-tuple, application, and domain name, and against the DNS-based rules by 4-tuple and application. For more information, see Match traffic by 4-tuple and application in sequence and Match traffic by 4-tuple, application, and domain name in sequence.

    Policy splitting example

    Access control policy 1:

    • Source: 192.168.7.10/32

    • Destination: www.aliyun.com

      Domain Name Identification Mode: DNS-based Dynamic Resolution

    • Protocol: TCP

    • Port: 0/0

    • Application: ANY

    Note

    Assume that www.aliyun.com is resolved to 106.XX.XX.5 and 106.XX.XX.6.

    Matching rules after splitting (policy 1):

    Matching rule 1:

    • Source: 192.168.7.10/32

    • Destination: 0.0.0.0/0

    • Protocol: TCP

    • Port: 0/0

    • Application: HTTP

    • Domain name: www.aliyun.com

    Matching rule 2:

    • Source: 192.168.7.10/32

    • Destination: 0.0.0.0/0

    • Protocol: TCP

    • Port: 0/0

    • Application: HTTPS

    • Domain name: www.aliyun.com

    Matching rule 3:

    • Source: 192.168.7.10/32

    • Destination: 0.0.0.0/0

    • Protocol: TCP

    • Port: 0/0

    • Application: SMTP

    • Domain name: www.aliyun.com

    Matching rule 4:

    • Source: 192.168.7.10/32

    • Destination: 0.0.0.0/0

    • Protocol: TCP

    • Port: 0/0

    • Application: SMTPS

    • Domain name: www.aliyun.com

    Matching rule 5:

    • Source: 192.168.7.10/32

    • Destination: 0.0.0.0/0

    • Protocol: TCP

    • Port: 0/0

    • Application: SSL

    • Domain name: www.aliyun.com

    Matching rule 6:

    • Source: 192.168.7.10/32

    • Destination: 106.XX.XX.5

    • Protocol: TCP

    • Port: 0/0

    • Application: ANY

    Matching rule 7:

    • Source: 192.168.7.10/32

    • Destination: 106.XX.XX.6

    • Protocol: TCP

    • Port: 0/0

    • Application: ANY

    Access control policy 2:

    • Source: 172.16.10.10/32

    • Destination: www.aliyun.com

      Domain Name Identification Mode: DNS-based Dynamic Resolution

    • Protocol: TCP

    • Port: 0/0

    • Application: HTTP, MySQL

    Note

    Assume that www.aliyun.com is resolved to 106.XX.XX.5 and 106.XX.XX.6.

    Matching rules after splitting (policy 2):

    Matching rule 1:

    • Source: 172.16.10.10/32

    • Destination: 106.XX.XX.5

    • Protocol: TCP

    • Port: 0/0

    • Application: MySQL

    Matching rule 2:

    • Source: 172.16.10.10/32

    • Destination: 106.XX.XX.6

    • Protocol: TCP

    • Port: 0/0

    • Application: MySQL

    Matching rule 3:

    • Source: 172.16.10.10/32

    • Destination: 0.0.0.0/0

    • Protocol: TCP

    • Port: 0/0

    • Application: HTTP

    • Domain name: www.aliyun.com

  • If Domain Name Identification Mode is set to FQDN and DNS-based Dynamic Resolution, Application can be set only to HTTP, HTTPS, SMTP, SMTPS, SSL, or ANY. In this mode, Cloud Firewall splits the policy based on the application.

    • If Application is set to HTTP, HTTPS, SMTP, SMTPS, SSL, or a combination of the values, Cloud Firewall does not resolve the domain name to IP addresses. Cloud Firewall sets the destination address to 0.0.0.0/0, and splits the domain name, source address, protocol type, port, and application based on the number of the control objects specified for each matching item.

    • If Application is set to ANY, Cloud Firewall splits the policy into two types of matching rules:

      • If Application is set to HTTP, HTTPS, SMTP, SMTPS, or SSL, Cloud Firewall does not resolve the domain name to IP addresses. Cloud Firewall sets the destination address to 0.0.0.0/0, and splits the domain name, source address, protocol type, port, and application based on the number of the control objects specified for each matching item.

        Cloud Firewall matches traffic against this policy by 4-tuple, application, and domain name in sequence. For more information, see Match traffic by 4-tuple, application, and domain name in sequence.

      • If Application is set to ANY, Cloud Firewall resolves the domain name to IP addresses, sets the destination address to the resolved IP addresses, and splits the source address, destination address, protocol type, port, and application based on the number of the control objects specified for each matching item.

        Cloud Firewall matches traffic against this policy by 4-tuple and application in sequence. For more information, see Match traffic by 4-tuple and application in sequence.

The destination type of the policy is domain address book

If Destination Type of a policy is set to Domain Address Book, Domain Name Identification Mode can be set only to FQDN-based Dynamic Resolution (Extract Host and SNI Fields), and Application can be set only to HTTP, HTTPS, SMTP, SMTPS, or SSL. In this case, Cloud Firewall does not resolve the domain name to IP addresses. Cloud Firewall sets the destination address to 0.0.0.0/0, and splits the domain name, source address, protocol type, port, and application based on the number of the control objects specified for each matching item.

Cloud Firewall matches traffic against this policy by 4-tuple, application, and domain name in sequence. For more information, see Match traffic by 4-tuple, application, and domain name in sequence.

Policy splitting example

Access control policy:

  • Source: 10.0.0.0/8

  • Destination: www.aliyun.com, www.example.com

    Domain Name Identification Mode: FQDN and DNS-based Dynamic Resolution

  • Protocol: TCP

  • Port: 0/0

  • Application: HTTP, HTTPS

Matching rules after splitting:

Matching rule 1:

  • Source: 10.0.0.0/8

  • Destination: 0.0.0.0/0

  • Protocol: TCP

  • Port: 0/0

  • Application: HTTP

  • Domain name: www.aliyun.com

Matching rule 2:

  • Source: 10.0.0.0/8

  • Destination: 0.0.0.0/0

  • Protocol: TCP

  • Port: 0/0

  • Application: HTTPS

  • Domain name: www.aliyun.com

Matching rule 3:

  • Source: 10.0.0.0/8

  • Destination: 0.0.0.0/0

  • Protocol: TCP

  • Port: 0/0

  • Application: HTTP

  • Domain name: www.example.com

Matching rule 4:

  • Source: 10.0.0.0/8

  • Destination: 0.0.0.0/0

  • Protocol: TCP

  • Port: 0/0

  • Application: HTTPS

  • Domain name: www.example.com

VPC border

Access control policies that are created for VPC firewalls do not support DNS resolution. After you configure an access control policy for a VPC firewall, Cloud Firewall identifies the destination type of the policy and then splits the policy based on the destination type. The following figure shows the splitting logic and matching logic of an access control policy created for a VPC firewall.

[Figure: splitting logic and matching logic of a policy created for a VPC firewall]

The destination type is IP or IP address book

If Destination Type of a policy is set to IP or IP Address Book, Cloud Firewall splits the source address, destination address, protocol type, port, and application based on the number of the control objects specified for each matching item.

Cloud Firewall matches traffic against this policy by 4-tuple and application in sequence. For more information, see Match traffic by 4-tuple and application in sequence.

Policy splitting example

Access control policy:

  • Source: 10.0.0.0/8, 192.168.0.0/16

  • Destination: 172.16.0.0/12

  • Protocol: TCP

  • Port: 22/22, 80/88

  • Application: HTTP

Matching rules after splitting:

Matching rule 1:

  • Source: 10.0.0.0/8

  • Destination: 172.16.0.0/12

  • Protocol: TCP

  • Port: 22/22

  • Application: HTTP

Matching rule 2:

  • Source: 10.0.0.0/8

  • Destination: 172.16.0.0/12

  • Protocol: TCP

  • Port: 80/88

  • Application: HTTP

Matching rule 3:

  • Source: 192.168.0.0/16

  • Destination: 172.16.0.0/12

  • Protocol: TCP

  • Port: 22/22

  • Application: HTTP

Matching rule 4:

  • Source: 192.168.0.0/16

  • Destination: 172.16.0.0/12

  • Protocol: TCP

  • Port: 80/88

  • Application: HTTP

The destination type is domain name or domain address book

If Destination Type of a policy is set to Domain Name or Domain Address Book, Application can be set only to HTTP, HTTPS, SMTP, SMTPS, SSL, or a combination of the values. In this mode, Cloud Firewall does not resolve the domain name to IP addresses. Cloud Firewall sets the destination address of the matching rule to 0.0.0.0/0, and splits the domain name, source address, protocol type, port, and application based on the number of the control objects specified for each matching item.

Cloud Firewall matches traffic against this policy by 4-tuple, application, and domain name in sequence. For more information, see Match traffic by 4-tuple, application, and domain name in sequence.

Policy splitting example

Access control policy:

  • Source: 10.0.0.0/8

  • Destination: www.aliyun.com

  • Protocol: TCP

  • Port: 0/0

  • Application: HTTP, HTTPS

Matching rules after splitting:

Matching rule 1:

  • Source: 10.0.0.0/8

  • Destination: 0.0.0.0/0

  • Protocol: TCP

  • Port: 0/0

  • Application: HTTP

  • Domain name: www.aliyun.com

Matching rule 2:

  • Source: 10.0.0.0/8

  • Destination: 0.0.0.0/0

  • Protocol: TCP

  • Port: 0/0

  • Application: HTTPS

  • Domain name: www.aliyun.com

2. Matching logic of access control policies

When traffic passes through Cloud Firewall, Cloud Firewall matches the traffic packet against access control policies, threat intelligence rules, basic protection rules, intelligent defense rules, and virtual patching rules, and then performs an action based on the matching result. This section describes the matching logic of access control policies. For more information about the matching order in different traffic matching phases, see FAQ about traffic analysis.

Cloud Firewall matches traffic by 4-tuple and application in sequence or by 4-tuple, application, and domain name in sequence.

Match traffic by 4-tuple and application in sequence

In specific scenarios, when traffic passes through Cloud Firewall, Cloud Firewall matches the 4-tuple and application of the traffic against the 4-tuple and application of the access control policy. If the traffic matches both the 4-tuple and application, the traffic hits the access control policy.

The following list describes the scenarios:

  • Destination Type of the access control policy is set to IP or IP Address Book.

  • Destination Type of the access control policy is set to Domain Name, and Application is set to applications other than HTTP, HTTPS, SMTP, SMTPS, SSL, and ANY.

  • Destination Type of the access control policy is set to Domain Name, and Application is set to ANY, and the application of the split matching rule is other than HTTP, HTTPS, SMTP, SMTPS, or SSL.

The following flowchart shows how Cloud Firewall matches traffic by 4-tuple and application in sequence.

[Figure: flowchart for matching traffic by 4-tuple and application in sequence]

  1. When traffic passes through Cloud Firewall, Cloud Firewall matches the traffic against the 4-tuple of the access control policy.

    • If the traffic hits the 4-tuple of the access control policy, Cloud Firewall continues to match the application of the traffic against the application of the policy and performs Step 2.

    • If the traffic does not hit the 4-tuple of the access control policy, Cloud Firewall no longer matches the traffic against this access control policy, and determines whether an access control policy that has a lower priority exists.

      • If yes, Cloud Firewall matches the 4-tuple of the traffic against the 4-tuple of the policy that has a lower priority until the traffic matches a policy. Then, Cloud Firewall matches the application of the traffic against the application of a policy that has a lower priority, and performs Step 2.

        If the traffic does not hit an access control policy after all policies are matched, the matching process of access control policies ends.

      • If no, the matching process of access control policies ends.

  2. Cloud Firewall matches the application of the traffic against the application of the access control policy.

    • If Cloud Firewall identifies the application of the traffic, and the application of the traffic hits the application of the access control policy, Cloud Firewall performs the action specified in the policy. The action can be Allow or Deny.

    • If Cloud Firewall identifies the application of the traffic, but the application of the traffic does not hit the application of the access control policy, Cloud Firewall determines whether another access control policy exists.

      • If yes, Cloud Firewall continues to match the 4-tuple of the traffic against the 4-tuple of the access control policy that has a lower priority until the traffic hits both the 4-tuple and the application of an access control policy.

        If the traffic does not hit an access control policy after all policies are matched, the matching process of access control policies ends.

      • If no, the matching process of access control policies ends.

    • If Cloud Firewall cannot identify the application of the traffic, Cloud Firewall determines whether Domain Name Identification Mode is Strict or Loose.

      • In Loose mode, Cloud Firewall allows the traffic packet by default to ensure that your business is not affected.

      • In Strict mode, Cloud Firewall does not directly allow the traffic packet, but continues to match the traffic packet against the access control policy that has a lower priority until an access control policy is hit, and then performs the action specified in the policy. The action can be Allow or Deny.

        If no access control policy is hit after all access control policies are matched, Cloud Firewall automatically allows the traffic.

Match traffic by 4-tuple, application, and domain name in sequence

In specific scenarios, when traffic passes through Cloud Firewall, Cloud Firewall matches the 4-tuple, application, and domain name of the traffic against the 4-tuple, application, and domain name of the access control policy. If the traffic matches all three, the traffic hits the access control policy.

The following list describes the scenarios:

  • Destination Type of the access control policy is set to Domain Name, and Application of the policy is set to HTTP, HTTPS, SMTP, SMTPS, or SSL.

  • Destination Type of the access control policy is Domain Name, Application of the policy is set to ANY, and the application of the split matching rule is HTTP, HTTPS, SMTP, SMTPS, or SSL.

  • Destination Type of the access control policy is Domain Address Book.

The following procedure shows how Cloud Firewall matches traffic by 4-tuple, application, and domain name in sequence:

  1. When traffic passes through Cloud Firewall, Cloud Firewall matches the traffic against the 4-tuple of the access control policy.

    • If the traffic hits the 4-tuple of the access control policy, Cloud Firewall continues to match the application of the traffic against the application of the policy and performs Step 2.

    • If the traffic does not hit the 4-tuple of the access control policy, Cloud Firewall no longer matches the traffic against this access control policy, and determines whether an access control policy that has a lower priority exists.

      • If yes, Cloud Firewall matches the 4-tuple of the traffic against the 4-tuple of the policy that has a lower priority until the 4-tuple of the traffic hits a policy. Then, Cloud Firewall matches the application of the traffic against the application of that policy and performs Step 2.

        If the traffic does not hit an access control policy after all policies are matched, the matching process of access control policies ends.

      • If no, the matching process of access control policies ends.

  2. Cloud Firewall matches the application of the traffic against the application of the access control policy.

    • If Cloud Firewall identifies the application of the traffic, and the traffic hits the application of the access control policy, Cloud Firewall continues to match the domain name of the traffic against the domain name of the access control policy, and performs Step 3.

    • If Cloud Firewall identifies the application of the traffic, but the traffic does not hit the application of the access control policy, Cloud Firewall determines whether another access control policy exists.

      • If yes, Cloud Firewall continues to match the 4-tuple and application of the traffic against the access control policy that has a lower priority until the traffic hits both. Then, Cloud Firewall matches the domain name of the traffic against the domain name of that policy and performs Step 3.

        If the traffic does not hit an access control policy after all policies are matched, the matching process of access control policies ends.

      • If no, the matching process of access control policies ends.

    • If Cloud Firewall cannot identify the application of the traffic, Cloud Firewall determines whether Domain Name Identification Mode is Strict or Loose.

      • In Loose mode, Cloud Firewall allows the traffic packet by default to ensure that your business is not affected.

      • In Strict mode, Cloud Firewall does not directly allow the traffic packet, but continues to match the traffic packet against the access control policy that has a lower priority until an access control policy is hit, and then performs the action specified in the policy. The action can be Allow or Deny.

        If no access control policy is hit after all access control policies are matched, Cloud Firewall automatically allows the traffic.

  3. Cloud Firewall matches the domain name of the traffic against the domain name of the access control policy.

    • If Cloud Firewall identifies the domain name of the traffic, and the domain name of the traffic hits the domain name of the access control policy, Cloud Firewall performs the action specified in the access control policy. The action can be Allow or Deny.

    • If Cloud Firewall identifies the domain name of the traffic, but the domain name of the traffic does not hit the domain name of the access control policy, Cloud Firewall determines whether another access control policy exists.

      • If yes, Cloud Firewall continues to match the 4-tuple of the traffic against the 4-tuple of the access control policy that has a lower priority.

      • If no, the matching process of access control policies ends.

    • If Cloud Firewall cannot identify the domain name of the traffic, Cloud Firewall determines whether Domain Name Identification Mode is Strict or Loose.

      • In Loose mode, Cloud Firewall allows the traffic packet by default to ensure that your business is not affected.

      • In Strict mode, Cloud Firewall does not directly allow the traffic packet, but continues to match the traffic packet against the access control policy that has a lower priority until an access control policy is hit, and then performs the action specified in the policy. The action can be Allow or Deny.

        If no access control policy is hit after all access control policies are matched, Cloud Firewall automatically allows the traffic.
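The two procedures above, as an added example that is not Alibaba Cloud code: a Python simulation of the matching order (4-tuple, then application, then domain name, walking the policies by priority, with Strict and Loose handling of traffic whose application or domain name cannot be identified). It assumes that a domain-typed policy's 4-tuple is checked against the domain's resolved IP address, supplied here as the policy destination, and that a policy whose Application is ANY is satisfied by the 4-tuple alone even when the application is not identified, which the page shows only for the final deny-all policy.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

# Applications for which a domain-typed policy is also matched on the domain name (Host/SNI).
DOMAIN_APPS = {"HTTP", "HTTPS", "SMTP", "SMTPS", "SSL"}

class Policy(NamedTuple):
    name: str
    priority: int                  # 1 = highest; policies are tried in ascending order
    src: str                       # source CIDR
    dst: str                       # destination CIDR; for a domain policy, its resolved IP (assumption)
    proto: str                     # "TCP", "UDP" or "ANY"
    ports: str                     # "low/high" as shown in the console; "0/0" = any port
    apps: frozenset                # {"ANY"} or specific applications
    action: str                    # "Allow" or "Deny"
    domains: Optional[frozenset] = None   # set only for Domain Name / Domain Address Book policies

class Packet(NamedTuple):
    src: str
    dst: str
    proto: str
    port: int
    app: Optional[str]             # None = application not identified
    domain: Optional[str] = None   # None = domain name not identified

def match_4tuple(p: Policy, pkt: Packet) -> bool:
    """Step 1: source, destination, protocol and port."""
    lo, hi = (int(x) for x in p.ports.split("/"))
    return (ip_address(pkt.src) in ip_network(p.src)
            and ip_address(pkt.dst) in ip_network(p.dst)
            and p.proto in ("ANY", pkt.proto)
            and ((lo, hi) == (0, 0) or lo <= pkt.port <= hi))

def evaluate(policies, pkt: Packet, mode: str = "Strict"):
    """Return (action, policy name or None); mode is the Domain Name Identification Mode."""
    for p in sorted(policies, key=lambda x: x.priority):
        if not match_4tuple(p, pkt):
            continue                           # try the next lower-priority policy
        # Step 2: application. Assumption: ANY is satisfied by the 4-tuple alone, even if unidentified.
        if "ANY" not in p.apps:
            if pkt.app is None:
                if mode == "Loose":
                    return ("Allow", None)     # Loose: unidentified traffic is allowed by default
                continue                       # Strict: keep matching lower-priority policies
            if pkt.app not in p.apps:
                continue
        # Step 3: domain name, only for domain-typed policies carrying one of DOMAIN_APPS.
        if p.domains is not None and pkt.app in DOMAIN_APPS:
            if pkt.domain is None:
                if mode == "Loose":
                    return ("Allow", None)
                continue
            if pkt.domain not in p.domains:
                continue
        return (p.action, p.name)
    return ("Allow", None)                     # no policy hit: Cloud Firewall allows by default

# Constructed policies mirroring Scenario 2; 100.64.0.5 stands in for www.aliyun.com's resolved IP (106.XX.XX.5 on the page).
ALIYUN = frozenset({"www.aliyun.com"})
POLICIES = [
    Policy("A", 1, "192.0.2.0/24",    "100.64.0.5/32", "TCP", "0/0", frozenset({"HTTP", "HTTPS"}), "Allow", ALIYUN),
    Policy("B", 2, "198.51.100.0/24", "100.64.0.5/32", "TCP", "0/0", frozenset({"SSH"}), "Allow", ALIYUN),
    Policy("C", 3, "203.0.113.0/24",  "100.64.0.5/32", "TCP", "0/0", frozenset({"SMTP"}), "Allow", ALIYUN),
    Policy("D", 4, "0.0.0.0/0",       "0.0.0.0/0",     "ANY", "0/0", frozenset({"ANY"}), "Deny"),
]
```

Calling evaluate on the five traffic packets of Scenario 2 below reproduces the documented results in both Strict and Loose mode.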

Examples

The following section describes the matching logic of access control policies that are created for the Internet firewall in different scenarios.

Scenario 1: The destination type of an access control policy is IP address book

  1. You created two access control policies in the Cloud Firewall console.

    Access control policy A

    • Source: 192.0.2.0/24

    • Destination: 198.51.100.0/24

    • Protocol: TCP

    • Port: 80/88

    • Application: HTTP

    • Action: Allow

    • Priority: 1

    Access control policy B

    • Source: 0.0.0.0/0

    • Destination: 0.0.0.0/0

    • Protocol: ANY

    • Port: 0/0

    • Application: ANY

    • Action: Deny

    • Priority: 2

  2. Cloud Firewall splits the access control policies into multiple matching rules based on the splitting logic and sends the matching rules to the engine.

  3. When traffic passes through Cloud Firewall, Cloud Firewall matches the traffic packet against access control policies based on the priorities of the policies in sequence.

    The following examples list the traffic packet and the matching result for each case.

    Example 1

    (Matched.)

    • Source: 192.0.2.1

    • Destination: 198.51.100.1

    • Protocol: TCP

    • Port: 80

    • Application: HTTP

    1. Match the traffic packet against the 4-tuple of Access control policy A. → Hit

    2. Match the traffic packet against the application of Access control policy A. → Hit

    3. Perform the action specified in Access control policy A: Allow the traffic packet.

    Example 2

    (The source IP address does not match.)

    • Source: 203.0.113.1

    • Destination: 198.51.100.1

    • Protocol: TCP

    • Port: 80

    • Application: HTTP

    1. Match the traffic packet against the 4-tuple of Access control policy A. → Miss

    2. Match the traffic packet against the 4-tuple of Access control policy B. → Hit

    3. Perform the action specified in Access control policy B: Deny the traffic packet.

    Example 3

    (The application is not identified.)

    • Source: 192.0.2.4

    • Destination: 198.51.100.1

    • Protocol: TCP

    • Port: 80

    • Application: Unknown

    1. Match the traffic packet against the 4-tuple of Access control policy A. → Hit

    2. Match the traffic packet against the application of Access control policy A. → The application of the traffic packet cannot be identified.

    3. Determine the domain name identification mode.

      • In Loose mode, Cloud Firewall allows the traffic packet by default.

      • In Strict mode, Cloud Firewall continues to match the traffic packet against Access control policy B.

        1. Match the traffic packet against the 4-tuple of Access control policy B. → Hit

        2. Perform the action specified in Access control policy B: Deny the traffic packet.

Scenario 2: The destination type of the access control policy is domain name

  1. You created multiple access control policies in the Cloud Firewall console.

    Access control policy A

    • Source: 192.0.2.0/24

    • Destination: www.aliyun.com

    • Protocol: TCP

    • Port: 0/0

    • Application: HTTP, HTTPS

    • Action: Allow

    • Priority: 1

    Note

    Cloud Firewall matches the destination domain name of the traffic packet against this policy based on the Host or SNI field.

    Access control policy B

    • Source: 198.51.100.0/24

    • Destination: www.aliyun.com

    • Protocol: TCP

    • Port: 0/0

    • Application: SSH

    • Action: Allow

    • Priority: 2

    Note

    Cloud Firewall matches the destination domain name of the traffic packet against this policy based on the resolved IP address of the domain name.

    Access control policy C

    • Source: 203.0.113.0/24

    • Destination: www.aliyun.com

    • Protocol: TCP

    • Port: 0/0

    • Application: SMTP

    • Action: Allow

    • Priority: 3

    Access control policy D

    • Source: 0.0.0.0/0

    • Destination: 0.0.0.0/0

    • Protocol: ANY

    • Port: 0/0

    • Application: ANY

    • Action: Deny

    • Priority: 4

  2. Cloud Firewall splits the access control policies into multiple matching rules based on the splitting logic and sends the matching rules to the engine.

  3. When the traffic of protected assets passes through Cloud Firewall, Cloud Firewall matches the traffic packet against the policies based on the priority of the policies.

    Note

    Assume that www.aliyun.com is resolved to 106.XX.XX.5.

    The following examples list the traffic packet and the matching result for each case.

    Example 1

    • Source: 192.0.2.1

    • Destination: 106.XX.XX.5

    • Protocol: TCP

    • Port: 80

    • Application: HTTP

    • Domain name: www.aliyun.com

    1. Match the traffic packet against the 4-tuple of Access control policy A. → Hit

    2. Match the traffic packet against the application of Access control policy A. → Hit

    3. Match the traffic packet against the domain name of Access control policy A. → Hit

    4. Perform the action specified in Access control policy A: Allow the traffic packet.

    Example 2

    • Source: 203.0.113.3

    • Destination: 106.XX.XX.5

    • Protocol: TCP

    • Port: 443

    • Application: HTTPS

    • Domain name: www.aliyun.com

    1. Match the traffic packet against the 4-tuple of Access control policy A. → Miss

    2. Match the traffic packet against the 4-tuple of Access control policy B. → Miss

    3. Match the traffic packet against the 4-tuple of Access control policy C. → Hit

    4. Match the traffic packet against the application of Access control policy C. → Miss

    5. Match the traffic packet against the 4-tuple of Access control policy D. → Hit

    6. Perform the action specified in Access control policy D: Deny the traffic packet.

    Example 3

    • Source: 198.51.100.1

    • Destination: 106.XX.XX.5

    • Protocol: ANY

    • Port: 22

    • Application: SSH

    • Domain name: www.aliyun.com

    1. Match the traffic packet against the 4-tuple of Access control policy A. → Miss

    2. Match the traffic packet against the 4-tuple of Access control policy B. → Hit

    3. Match the traffic packet against the application of Access control policy B. → Hit

    4. Perform the action specified in Access control policy B: Allow the traffic packet.

    Example 4

    • Source: 192.0.2.2

    • Destination: 106.XX.XX.5

    • Protocol: TCP

    • Port: 80

    • Application: Unknown

    1. Match the traffic packet against the 4-tuple of Access control policy A. → Hit

    2. Match the traffic packet against the application of Access control policy A. → The application of the traffic packet cannot be identified.

    3. Determine the domain name identification mode.

      • In Loose mode, Cloud Firewall allows the traffic packet by default.

      • In Strict mode, Cloud Firewall continues to match the traffic packet against Access control policy B.

        1. Match the traffic packet against the 4-tuple of Access control policy B. → Miss

        2. Match the traffic packet against the 4-tuple of Access control policy C. → Miss

        3. Match the traffic packet against the 4-tuple of Access control policy D. → Hit

        4. Perform the action specified in Access control policy D: Deny the traffic packet.

    Example 5

    • Source: 192.0.2.3

    • Destination: 106.XX.XX.5

    • Protocol: TCP

    • Port: 80

    • Application: HTTP

    • Domain name: Unknown

    1. Match the traffic packet against the 4-tuple of Access control policy A. → Hit

    2. Match the traffic packet against the application of Access control policy A. → Hit

    3. Match the traffic packet against the domain name of Access control policy A. → The domain name of the traffic packet cannot be identified.

    4. Determine the domain name identification mode.

      • In Loose mode, Cloud Firewall allows the traffic packet by default.

      • In Strict mode, Cloud Firewall continues to match the traffic packet against Access control policy B.

        1. Match the traffic packet against the 4-tuple of Access control policy B. → Miss

        2. Match the traffic packet against the 4-tuple of Access control policy C. → Miss

        3. Match the traffic packet against the 4-tuple of Access control policy D. → Hit

        4. Perform the action specified in Access control policy D: Deny the traffic packet.

Scenario 3: The destination type of the access control policy is domain address book

  1. You created two access control policies in the Cloud Firewall console.

    Access control policy A

    • Source: 192.0.2.0/24

    • Destination: www.aliyun.com, www.example.com

    • Protocol: TCP

    • Port: 0/0

    • Application: HTTP, HTTPS

    • Action: Allow

    • Priority: 1

    Access control policy B

    • Source: 0.0.0.0/0

    • Destination: 0.0.0.0/0

    • Protocol: ANY

    • Port: 0/0

    • Application: ANY

    • Action: Deny

    • Priority: 2

  2. Cloud Firewall analyzes the access control policies and splits Access control policy A into multiple matching rules.

  3. When traffic passes through Cloud Firewall, Cloud Firewall matches the traffic packet against access control policies based on the priorities of the policies in sequence.

    Note

    Assume that www.aliyun.com is resolved to 106.XX.XX.5 and www.example.com is resolved to 107.XX.XX.7.

    The following examples list the traffic packet and the matching result for each case.

    Example 1

    • Source: 192.0.2.1

    • Destination: 106.XX.XX.5

    • Protocol: TCP

    • Port: 80

    • Application: HTTP

    • Domain name: www.aliyun.com

    1. Match the traffic packet against the 4-tuple of Access control policy A. → Hit

    2. Match the traffic packet against the application of Access control policy A. → Hit

    3. Match the traffic packet against the domain name of Access control policy A. → Hit

    4. Perform the action specified in Access control policy A: Allow the traffic packet.

    Example 2

    • Source: 192.0.2.2

    • Destination: 107.XX.XX.7

    • Protocol: TCP

    • Port: 22

    • Application: SSH

    • Domain name: www.example.com

    1. Match the traffic packet against the 4-tuple of Access control policy A. → Hit

    2. Match the traffic packet against the application of Access control policy A. → Miss

    3. Match the traffic packet against the 4-tuple of Access control policy B. → Hit

    4. Perform the action specified in Access control policy B: Deny the traffic packet.

    Example 3

    • Source: 192.0.2.3

    • Destination: 107.XX.XX.7

    • Protocol: TCP

    • Port: 22

    • Application: Unknown

    • Domain name: www.example.com

    1. Match the traffic packet against the 4-tuple of Access control policy A. → Hit

    2. Match the traffic packet against the application of Access control policy A. → The application of the traffic packet cannot be identified.

    3. Determine the domain name identification mode.

      • In Loose mode, Cloud Firewall allows the traffic packet by default.

      • In Strict mode, Cloud Firewall continues to match the traffic packet against Access control policy B.

        1. Match the traffic packet against the 4-tuple of Access control policy B. → Hit

        2. Perform the action specified in Access control policy B: Deny the traffic packet.

    Example 4

    • Source: 192.0.2.4

    • Destination: 106.XX.XX.5

    • Protocol: TCP

    • Port: 80

    • Application: HTTP

    • Domain name: Unknown

    1. Match the traffic packet against the 4-tuple of Access control policy A. → Hit

    2. Match the traffic packet against the application of Access control policy A. → Hit

    3. Match the traffic packet against the domain name of Access control policy A. → The domain name of the traffic packet cannot be identified.

    4. Determine the domain name identification mode.

      • In Loose mode, Cloud Firewall allows the traffic packet by default.

      • In Strict mode, Cloud Firewall continues to match the traffic packet against Access control policy B.

        1. Match the traffic packet against the 4-tuple of Access control policy B. → Hit

        2. Perform the action specified in Access control policy B: Deny the traffic packet.

References