Source Type |
Specify the type of the traffic source. Valid values:
- IP: If you select this option, specify a CIDR block for Source. You can specify only
one CIDR block.
- Address Book: If you select this option, select a preconfigured IP address book for Source. An
IP address book contains multiple CIDR blocks. This allows you to configure access
control for multiple IP addresses in an efficient manner.
|
Source |
Specify the traffic sources to which the policy applies (the policy action, Allow, Deny, or Monitor, is set separately below).
- If you set Source Type to IP, specify a CIDR block for Source. You can specify only one CIDR block for each policy.
- If you set Source Type to Address Book, find the IP address book that you want to use and click Select in the Actions column to specify the address book for Source.
Note You can select only one address book each time. If you want to use multiple address
books, you must create multiple policies. To create a policy, click Create Policy.
|
Destination Type |
Specify the type of the traffic destination. Valid values: IP, Address Book, Domain Name, and Region.
Note All locations are supported for Region.
|
Destination |
Specify the traffic destinations to which the policy applies.
- If you set Destination Type to IP, specify a CIDR block for Destination. You can specify only one CIDR block for each
policy.
- If you set Destination Type to Address Book, find the address book that you want to use and click Select in the Actions column to specify the address book for Destination.
Note You can select only one address book each time. If you want to use multiple address
books, you must create multiple policies. To create a policy, click Create Policy.
- If you set Destination Type to Domain Name, enter a domain name for Destination. Cloud Firewall automatically resolves the domain
name and performs access control. For more information, see Configure access control policies for domain names.
- If you set Destination Type to Region, select one or more destination locations, inside or outside China, for Destination.
|
Protocol |
Select the protocol for the policy. Valid values: TCP, UDP, ICMP, and ANY. If you do not know the protocol for the policy, select ANY. The value ANY specifies that all protocols are matched.
|
Port Type |
Specify the type of the port. Valid values:
- Ports: If you select this option, you can enter only one port range.
- Address Book: If you select this option, select a preconfigured port address book for Ports. A
port address book contains multiple ports. This allows you to configure access control
for multiple ports in an efficient manner.
|
Ports |
Specify the ports on which you want to control traffic. If you set Port Type to Ports, enter a port range. If you set Port Type to Address Book, find the port
address book that you want to use and click Select in the Actions column.
Note You can select only one address book each time. If you want to use multiple address
books, you must create multiple policies. To create a policy, click Create Policy.
|
Application |
Select the type of application on which you want the policy to take effect.
Cloud Firewall supports various types of applications. For more information, go to
the Internet Firewall tab of the Access Control page in the Cloud Firewall console.
If you set Protocol to TCP, you can select all types of applications. If you set Protocol to another value,
you can select only ANY for Application.
If you select a domain address book as the destination or set Destination to a wildcard domain name, you can select only HTTP, HTTPS, SMTP, SMTPS, or SSL.
Note Cloud Firewall identifies applications based on packet characteristics instead of
port numbers. If Cloud Firewall fails to identify an application in a packet, Cloud
Firewall allows the packet. If you want to block traffic from unknown applications,
we recommend that you enable the strict mode for the Internet firewall. For more information,
see Strict mode of the Internet firewall.
|
Policy Action |
Select the action on the traffic. In this example, select Allow.
- Allow: If traffic meets the preceding conditions that you specify for the policy, the traffic
is allowed.
- Deny: If traffic meets the preceding conditions that you specify for the policy, the traffic
is denied, and no notifications are sent.
- Monitor: If traffic meets the preceding conditions that you specify for the policy, the traffic
is recorded and allowed. You can observe the traffic for a period of time and change
the policy action to Allow or Deny based on your business requirements.
|
Description |
Enter a description that can help you identify the policy. |
Priority |
Select the priority of the policy. Valid values:
- Lowest: The policy has the lowest priority. This is the default value.
- Highest: The policy has the highest priority.
|
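The following is an added example, not Cloud Firewall's own code, that models how a list of Internet firewall policies built from the parameters above is evaluated. It is included because the Application note is the easiest part of the table to get wrong in practice: a Deny policy whose Application is a specific protocol cannot be matched against a packet whose application is not identified, so in normal mode such a packet is allowed; strict mode denies it; and a port-based Deny with Application set to ANY blocks it either way. The matching semantics (priority order, first match wins, ANY wildcards, the TCP-only restriction on Application, unidentified applications allowed unless strict mode is on) are taken from the table. The `start/end` port-range notation, the implicit Allow when no policy matches, and every sample policy and flow are assumptions constructed for this example.

```python
"""Illustrative model of Internet firewall access control policy evaluation.

Added example; not Cloud Firewall's own engine. Semantics from the parameter
table; port notation "start/end", the default Allow when nothing matches, and
all sample policies and flows are constructed assumptions.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    source: str        # one CIDR block (Source Type = IP)
    destination: str   # one CIDR block (Destination Type = IP)
    proto: str         # TCP, UDP, ICMP or ANY
    ports: str         # "start/end" (assumed notation) or ANY
    application: str   # ANY or an application name such as HTTP or SSH
    action: str        # Allow, Deny or Monitor
    description: str = ""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    application: str | None  # None: not identifiable from packet characteristics


def validate(policy: Policy) -> None:
    """Reject combinations the console does not accept (see the table)."""
    if policy.proto not in {"TCP", "UDP", "ICMP", "ANY"}:
        raise ValueError(f"unsupported protocol {policy.proto}")
    if policy.proto != "TCP" and policy.application != "ANY":
        raise ValueError("Application must be ANY unless Protocol is TCP")
    if policy.action not in {"Allow", "Deny", "Monitor"}:
        raise ValueError(f"unknown action {policy.action}")
    ipaddress.ip_network(policy.source)       # exactly one CIDR block each
    ipaddress.ip_network(policy.destination)
    if policy.ports != "ANY":
        lo, hi = (int(x) for x in policy.ports.split("/"))
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port range {policy.ports}")


def _port_ok(spec: str, port: int) -> bool:
    if spec == "ANY":
        return True
    lo, hi = (int(x) for x in spec.split("/"))
    return lo <= port <= hi


def _tuple_ok(p: Policy, f: Flow) -> bool:
    return (ipaddress.ip_address(f.src) in ipaddress.ip_network(p.source)
            and ipaddress.ip_address(f.dst) in ipaddress.ip_network(p.destination)
            and p.proto in ("ANY", f.proto)
            and _port_ok(p.ports, f.dport))


def evaluate(policies: list[Policy], flow: Flow, strict_mode: bool = False) -> tuple[str, str]:
    """Return (verdict, reason). `policies` must already be in priority order;
    the first policy that matches decides. Monitor is returned as-is: the
    caller treats it as allow-and-log."""
    for p in policies:
        if not _tuple_ok(p, flow):
            continue
        if p.application == "ANY":
            return p.action, p.description
        if flow.application is None:
            # Application-specific policy, but the engine could not identify
            # the application: strict mode denies, normal mode cannot apply
            # this policy and moves on (and allows if nothing else matches).
            if strict_mode:
                return "Deny", "strict mode: unidentified application"
            continue
        if p.application == flow.application:
            return p.action, p.description
    return "Allow", "no matching policy (assumed default)"


# Constructed sample policy list, already in priority order (Highest first).
POLICIES = [
    Policy("198.51.100.10/32", "10.0.0.0/8", "TCP", "22/22", "ANY", "Allow", "bastion, Highest priority"),
    Policy("0.0.0.0/0", "10.0.0.0/8", "TCP", "22/22", "SSH", "Deny", "block SSH from the Internet"),
    Policy("0.0.0.0/0", "10.0.0.0/8", "TCP", "443/443", "HTTPS", "Monitor", "observe TLS before deciding"),
]
# Same list, but the SSH block is expressed by port with Application = ANY.
HARDENED = [POLICIES[0],
            Policy("0.0.0.0/0", "10.0.0.0/8", "TCP", "22/22", "ANY", "Deny", "deny port 22, any application"),
            POLICIES[2]]
for _p in POLICIES + HARDENED:
    validate(_p)


def demo() -> dict[str, str]:
    ssh = Flow("203.0.113.5", "10.1.2.3", "TCP", 22, "SSH")
    unknown = Flow("203.0.113.5", "10.1.2.3", "TCP", 22, None)   # not classified
    bastion = Flow("198.51.100.10", "10.1.2.3", "TCP", 22, "SSH")
    tls = Flow("203.0.113.5", "10.1.2.3", "TCP", 443, "HTTPS")
    return {
        "identified_ssh": evaluate(POLICIES, ssh)[0],
        "unidentified_normal": evaluate(POLICIES, unknown)[0],
        "unidentified_strict": evaluate(POLICIES, unknown, strict_mode=True)[0],
        "unidentified_port_deny": evaluate(HARDENED, unknown)[0],
        "bastion_first_match": evaluate(POLICIES, bastion)[0],
        "tls_monitor": evaluate(POLICIES, tls)[0],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24} {verdict}")
```

The takeaway for policy design: when the intent is "nothing on this port from the Internet", set Application to ANY so the Deny does not depend on application identification, and enable strict mode if you rely on application-specific Deny policies.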