When traffic passes through Cloud Firewall, and you have configured access control policies for the Internet firewall and NAT firewalls, Cloud Firewall matches traffic packets against those policies based on the following factors in sequence: 4-tuple, application type, and domain name. A 4-tuple refers to the source address, destination address, destination port, and transport layer protocol. If Cloud Firewall cannot identify the application type or domain name, Cloud Firewall automatically allows the unidentified traffic. This helps prevent negative impacts on your workloads. If you do not want to allow the unidentified traffic, you can enable the strict mode for the Internet firewall and NAT firewalls.
Overview
After you configure an access control policy whose application type is not ANY or whose destination type is Domain Name for the Internet firewall or a NAT firewall, Cloud Firewall matches traffic packets that pass through it based on the following factors in sequence: 4-tuple, application type, and domain name.
If you configured a domain name-based access control policy whose application type is HTTP, HTTPS, SMTP, SMTPS, or SSL, Cloud Firewall matches traffic packets based on the following factors in sequence: 4-tuple, application type, and domain name.
If you configured an application-based access control policy or a domain name-based access control policy whose application type is not HTTP, HTTPS, SMTP, SMTPS, or SSL, Cloud Firewall matches traffic packets based on the following factors in sequence: 4-tuple and application type.
If a traffic packet does not carry a standard application or a domain name, Cloud Firewall may be unable to identify the application type or domain name of traffic. In this case, Cloud Firewall automatically allows the traffic.
After the strict mode is enabled, Cloud Firewall does not directly allow traffic whose application type or domain name is unidentified. Cloud Firewall continues to match the traffic against the access control policy that has a lower priority until an access control policy is hit. Then, Cloud Firewall performs the action specified in the access control policy. If no access control policy is hit after Cloud Firewall matches traffic against all access control policies, Cloud Firewall automatically allows the traffic.
If normal traffic is blocked after the strict mode is enabled, we recommend that you add the required application information to the request packets or disable the strict mode.
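The following model of the matching sequence described above is an added example, not Cloud Firewall's own code: policies are walked in priority order, each policy is checked on 4-tuple, then application type, then domain name (domain only for HTTP, HTTPS, SMTP, SMTPS, and SSL policies), and unidentified application or domain traffic is allowed immediately in loose mode but passed on to lower-priority policies in strict mode. The "ANY"/0 wildcards, exact-match fields, and the Policy and Packet classes are assumptions of this model.

```python
from dataclasses import dataclass
from typing import List, Optional
DOMAIN_APPS = {"HTTP", "HTTPS", "SMTP", "SMTPS", "SSL"}  # domain name checked only for these
@dataclass
class Policy:
    src: str                      # source address, or "ANY" (wildcard is an assumption of this model)
    dst: str                      # destination address, or "ANY"
    port: int                     # destination port, 0 = any port
    proto: str                    # transport layer protocol, e.g. "TCP"
    app: str = "ANY"              # application type; "ANY" skips the application check
    domain: Optional[str] = None  # destination domain for a domain name policy
    action: str = "allow"
@dataclass
class Packet:
    src: str
    dst: str
    port: int
    proto: str
    app: Optional[str] = None     # None = application type unidentified
    domain: Optional[str] = None  # None = domain name unidentified

def match(policy: Policy, pkt: Packet) -> Optional[bool]:
    """True = hit, False = miss, None = needs an app type/domain the packet did not identify."""
    pairs = ((policy.src, pkt.src), (policy.dst, pkt.dst),
             (policy.port, pkt.port), (policy.proto, pkt.proto))
    if not all(r in ("ANY", 0) or r == v for r, v in pairs):  # step 1: 4-tuple
        return False
    if policy.app != "ANY":                                    # step 2: application type
        if pkt.app is None:
            return None
        if pkt.app != policy.app:
            return False
    if policy.domain is not None and policy.app in DOMAIN_APPS:  # step 3: domain name
        if pkt.domain is None:
            return None
        if pkt.domain != policy.domain:
            return False
    return True

def evaluate(policies: List[Policy], pkt: Packet, strict: bool = False) -> str:
    """Walk policies from highest to lowest priority; the first hit decides."""
    for policy in policies:
        result = match(policy, pkt)
        if result is True:
            return policy.action
        if result is None and not strict:
            return "allow"  # loose mode: unidentified traffic is allowed right away
        # strict mode (and any plain miss): keep matching lower-priority policies
    return "allow"  # no policy hit at all: Cloud Firewall allows the traffic
```

With a domain-name HTTPS deny policy above a plain 4-tuple deny policy, a packet to that 4-tuple with no identified application is allowed in loose mode but denied in strict mode by the second policy.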
Enable or disable the strict mode of the access control engine
You can configure the mode of the access control engine for the Internet firewall and NAT firewalls. By default, the access control engine is in loose mode. In this mode, the traffic whose application type or domain name is identified as Unknown is automatically allowed to prevent negative impacts on your workloads. You can change the mode to Strict Mode if required.
For more information about how to change the mode of the access control engine for the Internet firewall, see Configure the access control engine mode.
For more information about how to change the mode of the access control engine for a NAT firewall, see Configure the access control engine mode.
FAQ
How do I view the logs of unidentified traffic?
Log on to the Cloud Firewall console.
In the left-side navigation pane, choose .
On the tab, select Access Control for Rule Source, select Application Unidentified or Domain Name Unidentified for All Pre-match Access Control Policy Statuses, and then click Search. View the logs of traffic in strict mode. The logs include the following information: time, source IP addresses, destination IP addresses, and destination ports.
References
For more information about how access control policies work, see Overview of access control policies.
For more information about how to configure an access control policy for the Internet firewall, see Create access control policies for the Internet firewall.
For more information about the fields in traffic logs and how to query traffic logs, see Log audit.