After the strict mode is enabled, Cloud Firewall matches the traffic that already matches an access control policy against other policies if the application type or domain name of the traffic is identified as Unknown. This topic describes how to configure the strict mode of the Internet firewall.

Prerequisites

Access control policies are configured for the Internet firewall. For more information, see Create access control policies for the Internet firewall on outbound and inbound traffic.

Enable or disable the strict mode

  1. Log on to the Cloud Firewall console.
  2. In the left-side navigation pane, choose Settings > Toolbox.
  3. On the Toolbox page, enable or disable the strict mode in the Strict Mode section.
    If the strict mode is disabled, perform the following steps to enable the strict mode in the Strict Mode section:
    1. In the Strict Mode section, turn on the switch.
    2. In the Advanced Settings message, click ok.
    After the strict mode is enabled, Cloud Firewall matches the traffic that already matches an access control policy against other policies if the application type or domain name of the traffic is identified as Unknown.

View the logs of traffic whose application type is Unknown in strict mode

  1. Log on to the Cloud Firewall console.
  2. In the left-side navigation pane, choose Log Analysis > Log Audit.
  3. On the Log Audit page, click the Traffic Logs tab and then the Internet Border tab.
  4. On the Internet Border tab, click Show Advanced Search, and set Application to Unknown and Policy Source to Access Control. Then, click Search.
  5. View the logs of traffic in strict mode. The logs include the following information: time, source IP addresses, destination IP addresses, and destination ports.
    Important If normal traffic is blocked after the strict mode is enabled, we recommend that you add the required application information to the request packets or disable the strict mode.