All Products
Search
Document Center

Cloud Firewall:Configure the strict mode of the Internet firewall

Last Updated:May 17, 2024

After you configure access control policies for the Internet firewall, Cloud Firewall matches the packets of the traffic that passes through Cloud Firewall based on the following order: the four factors, application, and domain name of the traffic. If Cloud Firewall cannot identify the application type or domain name of the traffic, Cloud Firewall automatically allows the unidentified traffic to avoid impacts on your workloads. The four factors are the source address, destination address, destination port, and transport layer protocol. If you do not want to allow the unidentified traffic, you can enable the strict mode for the Internet firewall.

Overview

After you configure an access control policy whose application type is not ANY or an access control policy whose destination type is domain name for the Internet firewall, the Cloud Firewall matches the packets of the traffic that passes through Cloud Firewall based on the following order: the four factors and application or domain name.

  • If you configured a domain name-based access control policy whose application type is HTTP, HTTPS, SMTP, SMTPS, or SSL, Cloud Firewall matches traffic packets based on the following order: the four factors, application, and domain name.

  • If you configured an application-based access control policy or a domain name-based access control policy whose application type is not HTTP, HTTPS, SMTP, SMTPS, or SSL, Cloud Firewall matches traffic packets based on the following order: the four factors and the application.

If a traffic packet does not carry a standard application or a domain name, Cloud Firewall may be unable to identify the application type or domain name of traffic. In this case, Cloud Firewall automatically allows the traffic.

After the strict mode is enabled, Cloud Firewall does not directly allow the traffic whose application type or domain name is unidentified. Cloud Firewall continues to match the traffic against the access control policy that has a lower priority until an access control policy is hit and performs the action specified in the access control policy. If no access control policy is hit after all access control policies are matched, Cloud Firewall automatically allows the traffic.

image

Enable or disable the strict mode

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, choose Settings > Toolbox.

  3. In the Strict Mode section, turn on or turn off Strict Mode Enabled.

    After the strict mode is enabled, Cloud Firewall matches the traffic that already matches an access control policy against other policies if the application type or domain name of the traffic is identified as Unknown.

View the logs of traffic whose application type or domain name is Unknown

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, choose Log Analysis > Log Audit.

  3. On the Traffic Logs > Internet Border tab, select Access Control for Rule Source, select Application Unidentified or Domain Name Unidentified for All Pre-match Access Control Policy Statuses, and then click Search.

    image.png

  4. View the logs of traffic in strict mode. The logs include the following information: time, source IP addresses, destination IP addresses, and destination ports.

    Important

    If normal traffic is blocked after the strict mode is enabled, we recommend that you add the required application information to the request packets or disable the strict mode.

References