Configure access control policies to control mutual traffic between assets and the Internet - Cloud Firewall

By default, if you do not create access control policies after you enable the Internet firewall, Cloud Firewall allows all traffic in the traffic match phase that is based on access control policies. You can create outbound and inbound access control policies for the Internet firewall to prevent unauthorized access between Internet-facing assets and the Internet. This topic describes how to create inbound and outbound access control policies for the Internet firewall.

Prerequisites

The Internet firewall is enabled for your Internet-facing assets. For more information about how to enable the Internet firewall, see Enable the Internet firewall.
For more information about the Internet-facing assets that can be protected by Cloud Firewall, see Protection scope.
The quota for access control policies is sufficient. You can view the quota usage on the Prevention Configuration > Access Control > Internet Border page. For more information about how to calculate quota usage, see Overview of access control policies.
If the remaining quota is insufficient, you can click Increase Quota to increase the value of Quota for Additional Policy. For more information, see Purchase Cloud Firewall.
If you want to add multiple objects as an access source or destination, make sure that an address book that contains the objects is created. For more information, see Manage address books.

Create access control policies for the Internet firewall

Cloud Firewall allows you to create custom policies and provides recommended policies that you can apply.

Create custom policies: You can create custom policies based on your business requirements.
Apply recommended intelligent policies: Cloud Firewall automatically learns your traffic within the previous 30 days and recommends multiple intelligent policies based on the traffic risks that are identified. You can determine whether to apply the policies.
Apply recommended common policies: Cloud Firewall recommends common policies. If the recommended common policies meet your business requirements, you can apply the policies.

Important

We recommend that you allow access to the open ports on which services are provided for an open public IP address on the Internet firewall and deny access to other ports. This reduces the exposure of your assets to the Internet.
If you want to allow access from trusted sources such as IP addresses or domain names and deny access to other sources, we recommend that you first create a policy that allows access from the trusted sources and has a higher priority and then create a policy that denies traffic from all sources and has a lower priority.
If you do not apply recommended intelligent policies or recommended common policies, the policies do not take effect.

Create a custom policy

You can create a custom outbound or inbound policy for the Internet firewall based on your business requirements.

Log on to the Cloud Firewall console.
In the left-side navigation pane, choose Prevention Configuration > Access Control > Internet Border.
On the Outbound or Inbound tab, select IPV4 or IPV6 from the drop-down list and click Create Policy. By default, an access control policy for IPv4 addresses is created.
In the Create Outbound Policy or Create Inbound Policy panel, click the Create Policy tab.

Configure the policy based on the following table and click OK.

Create an access control policy to protect outbound traffic over the Internet

Parameter	Description
Source Type	The initiator of network traffic. You must select a source type and enter source addresses from which network traffic is initiated based on the selected source type. If you set Source Type to IP, specify one or more CIDR blocks, such as 192.168.0.0/16. You can specify up to 2,000 CIDR blocks. Separate multiple CIDR blocks with commas (,). If you enter multiple CIDR blocks at a time, Cloud Firewall automatically creates an address book that includes the entered CIDR blocks. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book. If you set Source Type to Address Book, make sure that an IPv4 or IPv6 address book is configured. For more information about how to create an address book, see Manage address books.
Source
Destination Type	The receiver of network traffic. You must select a destination type and enter destination addresses to which network traffic is sent based on the selected destination type. If you set Source Type to IP, specify one or more CIDR blocks, such as 192.168.0.0/16. You can specify up to 2,000 CIDR blocks. Separate multiple CIDR blocks with commas (,). If you enter multiple CIDR blocks at a time, Cloud Firewall automatically creates an address book that includes the entered CIDR blocks. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book. If you set Source Type to Address Book, make sure that an IPv4 or IPv6 address book is configured. For more information about how to create an address book, see Manage address books. If you set Destination Type to Domain Name, select a domain name identification mode. Valid values: FQDN-based Resolution (Extract Host or SNI Field in Packets): If you want to manage HTTP, HTTPS, SMTP, SMTPS, and SSL traffic, we recommend that you select this mode. DNS-based Dynamic Resolution: If you want to manage traffic except HTTP, HTTPS, SMTP, SMTPS, and SSL traffic, we recommend that you select this mode. Important This mode does not support wildcard domain names. FQDN and DNS-based Dynamic Resolution: If you want to manage HTTP, HTTPS, SMTP, SMTPS, and SSL traffic, but specific or all traffic does not contain the HOST or SNI field, we recommend that you use this mode. Important This mode takes effect only if the ACL Engine Management mode is Strict. If you set Destination Type to Region, select one or more locations of traffic destinations for Destination. You can select one or more locations in or outside China.
Destination
Protocol Type	The transport layer protocol. Valid values: TCP, UDP, ICMP, and ANY. If you do not know the protocol type, select ANY.
Port Type	The port type and port number of the destination. If you set Port Type to Port, enter port ranges. Specify a port range in the Port number/Port number format. Examples: 22/22 or 80/88. Separate multiple port ranges with commas (,). You can enter up to 2,000 port ranges. If you enter multiple port ranges, Cloud Firewall automatically creates an address book that includes the entered port ranges. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book. If you set Port Type to Address Book, make sure that a port address book is configured. For more information about how to create an address book, see Manage address books.
Port
Application	The application type of the traffic. If you set Protocol Type to TCP, you can select HTTP, HTTPS, SMTP, SMTPS, SSL, and FTP for Application. If you set Protocol Type to UDP, ICMP, or ANY, you can select only ANY for Application. If you select Domain Name or Address Book for Destination Type, you can select only HTTP, HTTPS, SMTP, SMTPS, or SSL for Application. If you set the Domain Name Identification Mode parameter to DNS-based Dynamic Resolution, you can select all applications. If you set the Domain Name Identification Mode parameter to FQDN-based Resolution (Extract Host or SNI Field in Packets), you can select only HTTP, HTTPS, SMTP, SMTPS, or SSL. If you set the Domain Name Identification Mode parameter to FQDN and DNS-based Dynamic Resolution, you can select HTTP, HTTPS, SMTP, SMTPS, or SSL. Note Cloud Firewall identifies application types based on packet characteristics instead of port numbers. If Cloud Firewall cannot identify the application type in a packet, Cloud Firewall allows the packet. If you want to block the traffic whose application type is unknown, we recommend that you enable the strict mode for the Internet firewall. For more information, see Configure the mode of the access control engine.
Action	The action on the traffic if the traffic meets the preceding conditions that you specify for the access control policy. Valid values: Allow: The traffic is allowed. Deny: The traffic is denied, and no notifications are sent. Monitor: The traffic is recorded and allowed. You can observe the traffic for a period of time and change the policy action to Allow or Deny based on your business requirements.
Description	The description of the access control policy. Enter a description that can help identify the policy.
Priority	The priority of the access control policy. Default value: Lowest. Valid values: Highest: The access control policy has the highest priority. Lowest: The access control policy has the lowest priority.
Policy Validity Period	The validity period of the access control policy. The policy can be used to match traffic only within the validity period. Valid values: Always. Single Time Range: If you select this option, specify a single time range. Recurrence Cycle: If you select this option, specify the time range and date on which you want the policy to take effect. Note The start date must be earlier than the end date. The policy requires 3 minutes to 5 minutes to take effect. If you select Indefinite Recurrence, the end date is automatically set to Dec 31, 2099. FAQ: Does an access control policy take effect if the time range specified for recurrence spans two calendar days?
Status	Specify whether to enable the policy. If you turn off Status when you create an access control policy, you can enable the policy in the list of access control policies.

Create an access control policy to protect inbound traffic over the Internet

Parameter	Description
Source Type	The initiator of network traffic. You must select a source type and enter source addresses from which network traffic is initiated based on the selected source type. If you set Source Type to IP, specify one or more CIDR blocks, such as 192.168.0.0/16. You can specify up to 2,000 CIDR blocks. Separate multiple CIDR blocks with commas (,). If you enter multiple CIDR blocks at a time, Cloud Firewall automatically creates an address book that includes the entered CIDR blocks. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book. If you set Source Type to Address Book, make sure that an IP address book is configured. For more information about how to create an address book, see Manage address books. If you set Source Type to Region, select one or more locations of traffic sources for Source. You can select one or more locations in or outside China.
Source
Destination Type	The receiver of network traffic. You must select a destination type and enter destination addresses to which network traffic is sent based on the selected destination type. If you set Source Type to IP, specify one or more CIDR blocks, such as 192.168.0.0/16. You can specify up to 2,000 CIDR blocks. Separate multiple CIDR blocks with commas (,). If you enter multiple CIDR blocks at a time, Cloud Firewall automatically creates an address book that includes the entered CIDR blocks. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book. If you set Source Type to Address Book, make sure that an IP address book is configured. For more information about how to create an address book, see Manage address books. If you set Destination Type to Domain Name, select a domain name identification mode. Valid values: FQDN-based Resolution (Extract Host or SNI Field in Packets): If you want to manage HTTP, HTTPS, SMTP, SMTPS, and SSL traffic, we recommend that you select this mode. DNS-based Dynamic Resolution: If you want to manage traffic except HTTP, HTTPS, SMTP, SMTPS, and SSL traffic, we recommend that you select this mode. Important This mode does not support wildcard domain names. FQDN and DNS-based Dynamic Resolution: If you want to manage HTTP, HTTPS, SMTP, SMTPS, and SSL traffic, but specific or all traffic does not contain the HOST or SNI field, we recommend that you use this mode. Important This mode takes effect only if the ACL Engine Management mode is Strict. If you set Destination Type to Region, select one or more locations of traffic destinations for Destination. You can select one or more locations in or outside China.
Destination
Protocol Type	The transport layer protocol. Valid values: TCP, UDP, ICMP, and ANY. If you do not know the protocol type, select ANY.
Port Type	The port type and port number of the destination. If you set Port Type to Port, enter port ranges. Specify a port range in the Port number/Port number format. Examples: 22/22 or 80/88. Separate multiple port ranges with commas (,). You can enter up to 2,000 port ranges. If you enter multiple port ranges, Cloud Firewall automatically creates an address book that includes the entered port ranges. When you save the access control policy, Cloud Firewall prompts you to specify a name for this address book. If you set Port Type to Address Book, make sure that a port address book is configured. For more information about how to create an address book, see Manage address books.
Port
Application	The application type of the traffic. If you set the Domain Name Identification Mode parameter to DNS-based Dynamic Resolution, you can select all applications. If you set the Domain Name Identification Mode parameter to FQDN-based Resolution (Extract Host or SNI Field in Packets), you can select only HTTP, HTTPS, SMTP, SMTPS, or SSL. If you set the Domain Name Identification Mode parameter to FQDN and DNS-based Dynamic Resolution, you can select HTTP, HTTPS, SMTP, SMTPS, or SSL. If you set Protocol Type to TCP, you can select HTTP, HTTPS, SMTP, SMTPS, SSL, and FTP for Application. If you set Protocol Type to UDP, ICMP, or ANY, you can select only ANY for Application. Note Cloud Firewall identifies application types based on packet characteristics instead of port numbers. If Cloud Firewall cannot identify the application type in a packet, Cloud Firewall allows the packet. If you want to block the traffic whose application type is unknown, we recommend that you enable the strict mode for the Internet firewall. For more information, see Configure the mode of the access control engine.
Action	The action on the traffic if the traffic meets the preceding conditions that you specify for the access control policy. Valid values: Allow: The traffic is allowed. Deny: The traffic is denied, and no notifications is sent. Monitor: The traffic is recorded and allowed. You can observe the traffic for a period of time and change the policy action to Allow or Deny based on your business requirements.
Description	The description of the access control policy. Enter a description that can help identify the policy.
Priority	The priority of the access control policy. Default value: Lowest. Valid values: Highest: The access control policy has the highest priority. Lowest: The access control policy has the lowest priority.
Policy Validity Period	The validity period of the access control policy. The policy can be used to match traffic only within the validity period. Valid values: Always. Single Time Range: If you select this option, specify a single time range. Recurrence Cycle: If you select this option, specify the time range and date on which you want the policy to take effect. Note The start date must be earlier than the end date. The policy requires 3 minutes to 5 minutes to take effect. If you select Indefinite Recurrence, the end date is automatically set to Dec 31, 2099. FAQ: Does an access control policy take effect if the time range specified for recurrence spans two calendar days?
Status	Specify whether to enable the policy. If you turn off Status when you create an access control policy, you can enable the policy in the list of access control policies.

Apply recommended intelligent policies

Cloud Firewall automatically learns your traffic from the previous 30 days and recommends multiple intelligent policies based on the traffic risks that are identified. If the recommended intelligent policies meet your business requirements, you can apply the policies.

You can apply both outbound and inbound intelligent policies that are recommended.

Warning

Before you apply a recommended policy, make sure that you understand its meaning and the possible impacts on services.
You can ignore recommended intelligent policies. After you ignore a recommended intelligent policy, the policy cannot be restored. Proceed with caution.

Check whether recommended intelligent policies exist

You can check whether recommended intelligent policies are generated by Cloud Firewall on the Internet Border page.

In the left-side navigation pane, choose Prevention Configuration > Access Control > Internet Border.
Go to the Recommended Intelligent Policy page. You can use one of the following methods:
- In the upper-right corner above the policy list, click Intelligent Policy. In the panel that appears, click the Outbound or Inbound tab.
- On the Outbound or Inbound tab, click Create Policy. In the panel that appears, click the Recommended Intelligent Policy tab.
View and apply the recommended intelligent policies. You can find a policy and click Apply Policy. Alternatively, you can select multiple policies and click Batch Dispatch.

Apply recommended common policies

If the recommended common policies meet your business requirements, you can apply the policies.

Warning

Before you apply a recommended policy, make sure that you understand its meaning and the possible impacts on services.
You can ignore recommended common policies. After you ignore a recommended common policy, the policy cannot be restored. Proceed with caution. If you ignore all recommended common policies, the Recommended Common Policy tab is no longer displayed.

In the left-side navigation pane, choose Prevention Configuration > Access Control > Internet Border.
On the Outbound or Inbound tab, click Create Policy. In the panel that appears, click the Recommended Common Policy tab.
View and apply the recommended common policies. You can find a policy and click Quick Apply.

Configure the access control engine mode

After an access control policy is created, the access control engine mode of the Internet firewall is Loose Mode by default. In this mode, the traffic whose application type or domain name is identified as Unknown is automatically allowed to avoid impacts on your workloads. You can change the mode to Strict Mode based on your business requirements.

On the Prevention Configuration > Access Control > Internet Border page, click ACL Engine Management in the upper-right corner of the access control policy list.
In the Access Control Engine Management - Internet Border panel, find the Engine Mode parameter and click Modify.
In the Change Engine Mode dialog box, configure the Engine Mode parameter and click OK.
- Strict Mode: After you enable the strict mode, the traffic whose application type or domain name is identified as Unknown is matched against all policies that you configured. If you configured a Deny policy, this type of traffic is denied.
- Loose Mode: After you enable the loose mode, traffic whose application type or domain name is identified as Unknown is allowed. This ensures normal access.

View the hit details about an access control policy

After your service runs for a period of time, you can view the hit details about an access control policy in the Hits/Last Hit At column in the list of access control policies.

You can click the number of hits to go to the Log Audit page to view traffic logs. For more information, see Log audit.

What to do next

After you create a custom policy, you can find the policy in the list of custom policies and click Edit, Delete, or Copy in the Actions column to manage the policy. You can download the list of custom policies, delete multiple policies at a time, and click Move to change the priority of the policy.

A valid priority value ranges from 1 to the number of existing policies. A smaller value indicates a higher priority. After you change the priority of a policy, the priorities of policies that have lower priorities decrease.

Important

After you delete a policy, Cloud Firewall no longer manages traffic on which the policy is originally in effect. Proceed with caution.

References

I configured an outbound Deny access control policy whose Source is set to 0.0.0.0/0 for the Internet firewall. However, some traffic is still allowed because no policy is hit. Why?
How do I configure access control policies to allow access only to a specified subdomain name of a secondary domain name?
For more information about how to manage traffic between Internet-facing assets and a website domain name, see Configure access control policies to allow traffic from an Internet-facing server only to a specific domain name.
For more information about how to perform access control in a specified region, see Configure an access control policy to deny traffic from regions outside China to a server.
For more information about how access control policies work, see Overview of access control policies.
For more information about how to configure an access control policy, see Configure access control policies.
For more information about how to view and manage IP address books, port address books, and domain address books in access control policies, see Manage address books.
For more information about how to configure and use an access control policy, see FAQ about access control policies.