Cloud Firewall: Configure the strict mode of the Internet firewall

Last Updated: Dec 20, 2023

After you configure access control policies for the Internet firewall, Cloud Firewall matches the packets that pass through it in the following order: the four factors, the application, and the domain name of the traffic. The four factors are the source address, destination address, destination port, and transport layer protocol. If Cloud Firewall cannot identify the application type or domain name of the traffic, it automatically allows the unidentified traffic to avoid impacts on your workloads. If you do not want unidentified traffic to be allowed, enable the strict mode for the Internet firewall.

Overview

After you configure an access control policy whose application type is not ANY, or an access control policy whose destination type is domain name, for the Internet firewall, Cloud Firewall matches the packets that pass through it in the following order: the four factors, and then the application or domain name.

  • If you configured a domain name-based access control policy whose application type is HTTP, HTTPS, SMTP, SMTPS, or SSL, Cloud Firewall matches traffic packets based on the following order: the four factors, application, and domain name.

  • If you configured an application-based access control policy or a domain name-based access control policy whose application type is not HTTP, HTTPS, SMTP, SMTPS, or SSL, Cloud Firewall matches traffic packets based on the following order: the four factors and the application.

If a traffic packet does not carry a standard application or a domain name, Cloud Firewall may be unable to identify the application type or domain name of the traffic. In this case, Cloud Firewall automatically allows the traffic.

After the strict mode is enabled, Cloud Firewall does not directly allow traffic whose application type or domain name is unidentified. Instead, it continues to match the traffic against the access control policies that have a lower priority until a policy is hit, and then performs the action specified in that policy. If no access control policy is hit after all access control policies are matched, Cloud Firewall automatically allows the traffic. Unidentified traffic is therefore blocked in strict mode only when a lower-priority policy that denies it is hit.
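
The following sketch models the matching behavior described above in default mode and in strict mode. It is an added example, not Alibaba Cloud code: the Policy and Packet classes, the evaluate function, and the sample policies and packet are constructed for illustration, and the final fall-through to allow in default mode is an assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Policy:                      # hypothetical model of one access control policy
    name: str
    src: str                       # source CIDR
    dst: str                       # destination CIDR
    port: int                      # destination port, 0 = any
    proto: str                     # "TCP", "UDP" or "ANY"
    action: str                    # "allow" or "deny"
    app: str = "ANY"               # application type
    domain: Optional[str] = None   # set only for domain name-based policies

@dataclass
class Packet:
    src: str
    dst: str
    port: int
    proto: str
    app: Optional[str] = None      # None = application not identified
    domain: Optional[str] = None   # None = domain name not identified

def four_factors_match(pol, pkt):
    return (ip_address(pkt.src) in ip_network(pol.src)
            and ip_address(pkt.dst) in ip_network(pol.dst)
            and pol.port in (0, pkt.port) and pol.proto in ("ANY", pkt.proto))

def evaluate(policies, pkt, strict):
    """Return (action, reason). Policies run from highest to lowest priority."""
    for pol in policies:
        if not four_factors_match(pol, pkt):
            continue
        verdict = "hit"            # application is compared before domain name
        for wanted, seen in ((None if pol.app == "ANY" else pol.app, pkt.app),
                             (pol.domain, pkt.domain)):
            if wanted is not None and seen != wanted:
                verdict = "unidentified" if seen is None else "miss"
                break
        if verdict == "hit":
            return pol.action, pol.name
        if verdict == "unidentified" and not strict:
            return "allow", "unidentified at " + pol.name   # default mode
    return "allow", "no policy hit"   # assumption: same fall-through in both modes

POLICIES = [  # constructed sample: one domain name policy, then a catch-all deny
    Policy("allow-https-example", "10.0.0.0/8", "0.0.0.0/0", 443, "TCP", "allow", "HTTPS", "example.com"),
    Policy("deny-all-outbound", "10.0.0.0/8", "0.0.0.0/0", 0, "ANY", "deny")]
UNKNOWN = Packet("10.0.0.5", "203.0.113.10", 443, "TCP")   # nothing identified
```

With the sample policies, `evaluate(POLICIES, UNKNOWN, strict=False)` allows the unidentified packet at the first policy, while `strict=True` lets it fall through to the catch-all deny.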

Enable or disable the strict mode

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, choose Settings > Toolbox.

  3. In the Strict Mode section, turn on or turn off Strict Mode Disabled.

    After the strict mode is enabled, Cloud Firewall matches the traffic that already matches an access control policy against other policies if the application type or domain name of the traffic is identified as Unknown.

View the logs of traffic whose application type or domain name is Unknown

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, choose Log Analysis > Log Audit.

  3. On the Traffic Logs > Internet Border tab, select Access Control for Rule Source, select Application Unidentified or Domain Name Unidentified for All Pre-match Access Control Policy Statuses, and then click Search.

  4. View the logs of traffic in strict mode. The logs include the following information: time, source IP addresses, destination IP addresses, and destination ports.

    Important

    If normal traffic is blocked after the strict mode is enabled, we recommend that you add the required application information to the request packets or disable the strict mode.