After you enable the strict mode of the Internet firewall, the Internet firewall directly blocks traffic that meets both of the following conditions: the traffic matches an access control policy, and Cloud Firewall identifies the application type of the traffic as Unknown. Cloud Firewall identifies application types based on packet characteristics. If Cloud Firewall fails to identify the application type of the traffic, it allows the traffic by default. If you want to discard traffic with unknown application types, we recommend that you enable the strict mode.

Prerequisites

Access control policies are configured for the Internet firewall. For more information, see Create access control policies for outbound and inbound traffic on the Internet firewall.

Background information

The strict mode takes effect only on traffic that matches an access control policy, regardless of whether the policy action is allow, deny, or monitor. If traffic does not match an access control policy, the traffic is allowed even if its application type is unknown.

Enable or disable the strict mode

  1. Log on to the Cloud Firewall console.
  2. In the left-side navigation pane, choose Settings > Toolbox.
  3. On the Toolbox page, enable or disable the switch in the Strict Mode section.
    The following steps describe how to enable Strict Mode:
    1. In the Strict Mode section, turn on Strict Mode.
    2. In the Advanced Settings message, click OK.
    After the strict mode is enabled, the Internet firewall blocks traffic that meets both of the following conditions: the traffic matches an access control policy, and the application type of the traffic is identified as Unknown. You can view the logs of discarded traffic on the Log Audit page.

View logs of discarded traffic

  1. Log on to the Cloud Firewall console.
  2. In the left-side navigation pane, choose Log Analysis > Log Audit.
  3. On the Traffic Logs tab of the Log Audit page, find the Internet Firewall tab.
  4. On the Internet Firewall tab, click Show Advanced Search. Then, set Application to Unknown and Policy Source to Access Control and click Search.
  5. View the logs of traffic that is discarded in strict mode. For example, you can view the time, source IP addresses, destination IP addresses, and destination ports of the discarded traffic.
    The policy names in these logs are unknown_app_deny_all.
    Notice: If normal traffic is discarded, we recommend that you add the application protocol information to the request packets or disable the strict mode.
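The console search above (Application set to Unknown, Policy Source set to Access Control, policy name unknown_app_deny_all) can also be applied offline to exported traffic log records. The following Python script is an added example and is not part of the original documentation or of the Cloud Firewall product; the sample records and the field names (time, src_ip, dst_ip, dst_port, app_name, policy_source, rule_name, action) are constructed assumptions, and the product's real export format may differ. It isolates the strict-mode drops, then groups them by destination and lists the internal sources that hit each one, so that a legitimate service the firewall cannot classify (the case the notice above warns about) stands out from the rest of the denied traffic.

```python
"""Offline triage of traffic discarded by Cloud Firewall strict mode.

Added example: the records and field names below are constructed
assumptions for illustration, not the Cloud Firewall log schema.
"""
from collections import Counter
from datetime import datetime

# Constructed sample records (assumed field names).
SAMPLE_LOGS = [
    {"time": "2024-01-10T08:00:01Z", "src_ip": "10.0.1.5", "dst_ip": "203.0.113.10",
     "dst_port": 8443, "app_name": "Unknown", "policy_source": "Access Control",
     "rule_name": "unknown_app_deny_all", "action": "deny"},
    {"time": "2024-01-10T08:00:07Z", "src_ip": "10.0.1.9", "dst_ip": "203.0.113.10",
     "dst_port": 8443, "app_name": "Unknown", "policy_source": "Access Control",
     "rule_name": "unknown_app_deny_all", "action": "deny"},
    {"time": "2024-01-10T08:02:30Z", "src_ip": "10.0.2.14", "dst_ip": "198.51.100.7",
     "dst_port": 9000, "app_name": "Unknown", "policy_source": "Access Control",
     "rule_name": "unknown_app_deny_all", "action": "deny"},
    # Unknown application but no matching access control policy: strict mode
    # does not apply, so the traffic is allowed.
    {"time": "2024-01-10T08:03:12Z", "src_ip": "10.0.3.2", "dst_ip": "192.0.2.44",
     "dst_port": 5000, "app_name": "Unknown", "policy_source": "",
     "rule_name": "", "action": "allow"},
    # Identified application denied by an ordinary access control rule
    # (constructed rule name); not a strict-mode drop.
    {"time": "2024-01-10T08:04:45Z", "src_ip": "10.0.1.5", "dst_ip": "203.0.113.99",
     "dst_port": 443, "app_name": "HTTPS", "policy_source": "Access Control",
     "rule_name": "deny-unapproved-saas", "action": "deny"},
]


def strict_mode_drops(records):
    """Keep only records dropped by strict mode: the application was identified
    as Unknown and the drop came from an access control policy, which the
    console reports under the policy name unknown_app_deny_all."""
    return [
        r for r in records
        if r["app_name"] == "Unknown"
        and r["policy_source"] == "Access Control"
        and r["rule_name"] == "unknown_app_deny_all"
    ]


def summarize_by_destination(drops):
    """Count drops per (dst_ip, dst_port), most frequent first. A destination
    that several internal sources keep reaching for is the first candidate to
    review: either a legitimate service the firewall cannot classify, or an
    outbound channel that deserves a closer look."""
    counts = Counter((r["dst_ip"], r["dst_port"]) for r in drops)
    return counts.most_common()


def sources_for_destination(drops, dst_ip, dst_port):
    """Distinct internal source addresses that were dropped on their way to
    the given destination, sorted for stable output."""
    return sorted({r["src_ip"] for r in drops
                   if r["dst_ip"] == dst_ip and r["dst_port"] == dst_port})


def time_window(drops):
    """(first_seen, last_seen) of the drops as datetimes; (None, None) if empty."""
    if not drops:
        return None, None
    times = [datetime.strptime(r["time"], "%Y-%m-%dT%H:%M:%SZ") for r in drops]
    return min(times), max(times)


def triage_report(records):
    """Human-readable summary of strict-mode drops: total, time window, and
    per-destination counts with the sources involved."""
    drops = strict_mode_drops(records)
    first, last = time_window(drops)
    if first is None:
        return "0 strict-mode drops"
    lines = [f"{len(drops)} strict-mode drops between {first:%H:%M:%S} and {last:%H:%M:%S}"]
    for (dst_ip, dst_port), n in summarize_by_destination(drops):
        srcs = ", ".join(sources_for_destination(drops, dst_ip, dst_port))
        lines.append(f"  {dst_ip}:{dst_port}  drops={n}  sources={srcs}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(triage_report(SAMPLE_LOGS))
```

On the constructed data the report shows two of the three drops going to 203.0.113.10:8443 from two different internal hosts. That pattern is what to look at first when deciding between the two remedies in the notice: adding application protocol information to the client's requests so the firewall can classify them, or turning strict mode off.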