The Internet firewall controls the outbound and inbound traffic of your web assets. You can create access control policies in the Cloud Firewall console to prevent unauthorized access between your web assets and the Internet.

Prerequisites

Internet Firewall is enabled. If Internet Firewall is disabled, the access control policies that you create for the Internet firewall do not take effect. For more information, see Enable or disable the Internet firewall.

Background information

The Internet firewall allows you to create both outbound policies and inbound policies. You can also export the policies that you created.

The Internet firewall supports both IPv4 and IPv6 access control policies. In an IPv4 access control policy, both the source and destination IP addresses are in the IPv4 format. Whether the Internet firewall supports IPv4 and IPv6 access control policies depends on the edition of Cloud Firewall. For more information, see Features.

Limits

Take note of the following limits when you create access control policies for the Internet firewall:
  • If you use Cloud Firewall Premium Edition, you can create up to 4,000 access control policies.
  • If you use Cloud Firewall Enterprise Edition, you can create up to 10,000 access control policies.
  • If you use Cloud Firewall Ultimate Edition, you can create up to 20,000 access control policies. You can submit a ticket to increase the quota.
  • If you set Destination Type to Domain Name and Application to a value other than HTTP, HTTPS, SMTP, SMTPS, or SSL when you create outbound access control policies, you can create up to 200 policies.
Notice The following formula is used to calculate the number of access control policies: The number of CIDR blocks that you specify for Source × The number of CIDR blocks or locations that you specify for Destination × The number of ports that you specify for Ports. For example, if you set Source Type to IP, Destination Type to IP, and Port Type to Ports, the number of access control policies is calculated as 1 because the numbers of specified IP addresses and ports are all 1. If you set Source Type, Destination Type, and Port Type to Address Book and the address books contain multiple IP addresses or ports, the number of access control policies is calculated based on the numbers of IP addresses and ports. The calculation result indicates multiple policies.
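The multiplication in the notice above is easy to underestimate once address books are involved, so here is an added Python quota calculator (not Cloud Firewall code) that applies the page's formula and checks the result against the edition quotas and the 200-policy limit for domain-name destinations. The policy entries, address ranges and domain are constructed for the example.

```python
from ipaddress import ip_network

# Per-edition policy quotas stated on the page.
EDITION_QUOTA = {"Premium": 4000, "Enterprise": 10000, "Ultimate": 20000}
# Outbound policies with Destination Type "Domain Name" and an Application outside
# this set count against a separate limit of 200 policies (also from the page).
DOMAIN_APPS = {"HTTP", "HTTPS", "SMTP", "SMTPS", "SSL"}
DOMAIN_POLICY_LIMIT = 200


def policy_cost(policy):
    """Policies consumed by one console entry: sources x destinations x ports.
    A single IP or port is a one-element list; an address book is the full list
    of CIDR blocks or ports it contains, which is what multiplies the count."""
    for cidr in policy["sources"]:
        ip_network(cidr, strict=False)  # reject a malformed source block early
    return len(policy["sources"]) * len(policy["destinations"]) * len(policy["ports"])


def quota_report(policies, edition):
    """Total the cost of all entries and compare it with the edition quota and
    with the domain-name limit; returns the numbers and two boolean verdicts."""
    total = sum(policy_cost(p) for p in policies)
    domain_cost = sum(policy_cost(p) for p in policies
                      if p["direction"] == "outbound"
                      and p["dest_type"] == "Domain Name"
                      and p["application"] not in DOMAIN_APPS)
    return {"total": total, "quota": EDITION_QUOTA[edition],
            "within_quota": total <= EDITION_QUOTA[edition],
            "domain_policies": domain_cost,
            "within_domain_limit": domain_cost <= DOMAIN_POLICY_LIMIT}


# Constructed sample entries (documentation address ranges, not real assets).
SINGLE = {"direction": "outbound", "sources": ["203.0.113.10/32"], "dest_type": "IP",
          "destinations": ["198.51.100.0/24"], "ports": ["443"], "application": "HTTPS"}
# Address books on every field: 3 source blocks x 2 destination blocks x 5 ports = 30.
BOOKS = {"direction": "outbound", "dest_type": "Address Book",
         "sources": ["203.0.113.0/26", "203.0.113.64/26", "203.0.113.128/25"],
         "destinations": ["198.51.100.0/24", "192.0.2.0/24"],
         "ports": ["22", "80", "443", "8080", "8443"], "application": "ANY"}
# Domain-name destination with Application ANY: counts against the 200 limit.
DOMAIN_ANY = {"direction": "outbound", "sources": ["203.0.113.10/32"],
              "dest_type": "Domain Name", "destinations": ["example.com"],
              "ports": ["1/65535"], "application": "ANY"}
```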

Create outbound access control policies

  1. Log on to the Cloud Firewall console.
  2. In the left-side navigation pane, choose Access Control > Access Control.
  3. On the Access Control page, click the Internet Firewall tab. In the lower part of the tab that appears, click the Outbound Policies tab.
  4. On the Outbound Policies tab, click Create Policy.
  5. In the Create Outbound Policy dialog box, perform the following operations to create outbound access control policies:
    1. Create the first outbound policy to allow traffic from trusted IP addresses.
      1. Configure the parameters. The following list describes the parameters.
        Source Type
          Specify the type of the traffic source. Valid values:
          • IP: If you select this option, specify a CIDR block for Source. You can specify only one CIDR block.
          • Address Book: If you select this option, select a preconfigured IP address book for Source. An IP address book contains multiple CIDR blocks. This allows you to configure access control for multiple IP addresses in an efficient manner.
        Source
          Specify the source of the traffic to which the policy applies.
          • If you set Source Type to IP, specify a CIDR block for Source. You can specify only one CIDR block for each policy.
          • If you set Source Type to Address Book, find the IP address book that you want to use and click Select in the Actions column to specify the address book for Source.
            Note You can select only one address book each time. If you want to use multiple address books, you must create multiple policies. To create a policy, click Create Policy.
        Destination Type
          Specify the type of the traffic destination. Valid values: IP, Address Book, Domain Name, and Region.
          Note All locations are supported for Region.
        Destination
          Specify the destination of the traffic to which the policy applies.
          • If you set Destination Type to IP, specify a CIDR block for Destination. You can specify only one CIDR block for each policy.
          • If you set Destination Type to Address Book, find the address book that you want to use and click Select in the Actions column to specify the address book for Destination.
            Note You can select only one address book each time. If you want to use multiple address books, you must create multiple policies. To create a policy, click Create Policy.
          • If you set Destination Type to Domain Name, enter a domain name for Destination. Cloud Firewall automatically resolves the domain name and performs access control. For more information, see Configure access control policies for domain names.
          • If you set Destination Type to Region, select one or more locations of the traffic destination for Destination. You can select locations in or outside China.
        Protocol
          Select the protocol for the policy. Valid values: TCP, UDP, ICMP, and ANY. If you do not know the protocol for the policy, select ANY. The value ANY specifies that all protocols are matched.
        Port Type
          Specify the type of the port. Valid values:
          • Ports: If you select this option, you can enter only one port range.
          • Address Book: If you select this option, select a preconfigured port address book for Ports. A port address book contains multiple ports. This allows you to configure access control for multiple ports in an efficient manner.
        Ports
          Specify the ports on which you want to control traffic. If you set Port Type to Ports, enter a port range. If you set Port Type to Address Book, find the port address book that you want to use and click Select in the Actions column.
          Note You can select only one address book each time. If you want to use multiple address books, you must create multiple policies. To create a policy, click Create Policy.
        Application
          Select the type of application on which you want the policy to take effect.
          Cloud Firewall supports various types of applications. For more information, go to the Internet Firewall tab of the Access Control page in the Cloud Firewall console.
          If you set Protocol to TCP, you can select all types of applications. If you set Protocol to another value, you can select only ANY for Application.
          If you select a domain address book as the destination or set Destination to a wildcard domain name, you can select only HTTP, HTTPS, SMTP, SMTPS, or SSL.
          Note Cloud Firewall identifies applications based on packet characteristics instead of port numbers. If Cloud Firewall fails to identify the application in a packet, Cloud Firewall allows the packet. If you want to block traffic from unknown applications, we recommend that you enable the strict mode for the Internet firewall. For more information, see Strict mode of the Internet firewall.
        Policy Action
          Select the action to take on the traffic. In this example, select Allow.
          • Allow: If traffic meets the conditions that you specify for the policy, the traffic is allowed.
          • Deny: If traffic meets the conditions that you specify for the policy, the traffic is denied, and no notifications are sent.
          • Monitor: If traffic meets the conditions that you specify for the policy, the traffic is recorded and allowed. You can observe the traffic for a period of time and then change the policy action to Allow or Deny based on your business requirements.
        Description
          Enter a description that helps you identify the policy.
        Priority
          Select the priority of the policy. Valid values:
          • Lowest: The policy has the lowest priority. This is the default value.
          • Highest: The policy has the highest priority.
      2. Click Submit.
        Notice The newly created policy is displayed in the last row on the last page of the policy list.
    2. Create the second outbound policy to deny traffic from all sources to the Internet.

      Set Source to 0.0.0.0/0 and set Policy Action to Deny to prevent all unauthorized access. Configure other parameters based on the descriptions in the preceding table.

    3. Make sure that the priority of the first policy that allows access from trusted sources is higher than the priority of the second policy that denies access from all sources.

Create inbound access control policies

  1. Log on to the Cloud Firewall console.
  2. In the left-side navigation pane, choose Access Control > Access Control.
  3. On the Access Control page, click the Internet Firewall tab. In the lower part of the tab that appears, click the Inbound Policies tab.
  4. On the Inbound Policies tab, click Create Policy.
  5. In the Create Inbound Policy dialog box, create the first inbound policy to allow traffic from trusted IP addresses.

    Set Source to a trusted CIDR block or a preconfigured IP address book. Set Policy Action to Allow. Configure other parameters based on the descriptions in Create outbound access control policies.

    Note If you set Source Type or Destination Type to Address Book, you can select an IPv4 address book or a cloud address book for Source and Destination.
  6. Create the second inbound policy to deny traffic from all sources to the internal network.

    Set Source to 0.0.0.0/0 and set Policy Action to Deny to prevent all unauthorized access.

  7. Make sure that the priority of the first policy that allows access from trusted sources is higher than the priority of the second policy that denies access from all sources.
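To make the priority requirement in step 7 above (and in step 3 of the outbound procedure) concrete, here is an added Python model, not Cloud Firewall code, of first-match evaluation over a policy list ordered highest priority first, together with a check that flags an Allow policy that a higher-priority Deny shadows. The policy fields, the trusted address book and the flows are constructed for the example.

```python
from ipaddress import ip_address, ip_network


def _addr_in(addr, cidrs):
    """Address-book semantics: a list of CIDR blocks matches when any block contains addr."""
    return any(ip_address(addr) in ip_network(c, strict=False) for c in cidrs)


def _port_in(port, ranges):
    """Ports: a list of (low, high) ranges; a port address book is several ranges."""
    return any(lo <= port <= hi for lo, hi in ranges)


def first_match(policies, src, dst, proto, port):
    """Evaluate one flow against policies listed in priority order (highest first).
    Returns (action, description) of the first matching policy, or None if none matches."""
    for p in policies:
        if (_addr_in(src, p["source"]) and _addr_in(dst, p["destination"])
                and p["protocol"] in ("ANY", proto) and _port_in(port, p["ports"])):
            return p["action"], p["description"]
    return None


def _covered(cidrs, by):
    """True when every CIDR block in cidrs lies inside some block of by."""
    return all(any(ip_network(c, strict=False).subnet_of(ip_network(b, strict=False))
                   for b in by) for c in cidrs)


def shadowed_allows(policies):
    """Descriptions of Allow policies that can never match because an earlier
    (higher-priority) Deny already covers their sources, destinations and ports."""
    shadowed = []
    for i, p in enumerate(policies):
        if p["action"] != "Allow":
            continue
        for d in policies[:i]:
            if (d["action"] == "Deny" and d["protocol"] in ("ANY", p["protocol"])
                    and _covered(p["source"], d["source"])
                    and _covered(p["destination"], d["destination"])
                    and all(any(lo >= dlo and hi <= dhi for dlo, dhi in d["ports"])
                            for lo, hi in p["ports"])):
                shadowed.append(p["description"])
                break
    return shadowed


ANY_ADDR, ANY_PORT = ["0.0.0.0/0"], [(0, 65535)]
TRUSTED = ["203.0.113.0/24", "198.51.100.7/32"]  # constructed IP address book
ALLOW_TRUSTED = {"source": TRUSTED, "destination": ANY_ADDR, "protocol": "TCP",
                 "ports": [(443, 443)], "action": "Allow", "description": "allow trusted:443"}
DENY_ALL = {"source": ANY_ADDR, "destination": ANY_ADDR, "protocol": "ANY",
            "ports": ANY_PORT, "action": "Deny", "description": "deny all"}
CORRECT_ORDER = [ALLOW_TRUSTED, DENY_ALL]  # the order the procedure asks for
WRONG_ORDER = [DENY_ALL, ALLOW_TRUSTED]    # deny-all given the higher priority
```

With WRONG_ORDER the trusted flow is denied and shadowed_allows names the allow policy, which is the misconfiguration step 7 tells you to rule out.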

Export policies

You can export inbound or outbound access control policies for the Internet firewall based on your business requirements.

Search for a policy by using the policy ID

Each access control policy for the Internet firewall has a policy ID. You can use a policy ID to identify an access control policy. This way, you can view the status of the policy and adjust the policy based on your business requirements.

If you want to view the ID of a policy, find the policy on the Internet Firewall tab and move the pointer over the policy display icon in the Description/Policy ID column.

Check whether access traffic hits an access control policy

By default, an access control policy immediately takes effect after it is created. However, if you specify invalid values for the policy parameters or disable the Internet firewall, the policy may not take effect.

In the access control policy list, if the number in the Hits column is greater than 0 for an access control policy, access traffic hits the policy. The number in the Hits column indicates the number of times that access traffic has hit the policy.
You can click the number to go to the Traffic Logs tab. On the Traffic Logs tab, the name of an access control policy that the access traffic hits is displayed in the Policy Name column.
Note This tab displays information about the traffic that was generated in the last seven days. If the last hit of the access control policy was more than seven days ago, the information about the traffic is not displayed on the Traffic Logs tab.

What to do next

After an access control policy is created, you can click Modify, Delete, or Copy in the Actions column of the policy. You can also click Move to change the priority of the policy.
Warning After you delete an access control policy, Cloud Firewall does not control the traffic to which the policy applies. Delete a policy with caution.