When no rules are configured, does CFW default to allowing or blocking traffic?
CFW allows all traffic by default. When you turn on the CFW switch, CFW starts logging traffic and generating intrusion prevention alerts, but because no access control rules are configured, no traffic is blocked at this point.
How to Configure CFW to Allow Access Only to Specific Ports?
1. After turning on the Internet Firewall, click Access Control > Internet Boundary Rules > Inbound Rules to open the inbound rules page.
2. On the inbound rules page, click Add Rule to add an allow rule for each port you need, then add a final rule that blocks all ports. Make sure the allow rules have a higher priority than the block-all rule; otherwise the block-all rule matches first and the ports you meant to allow are blocked as well.
Note: The Internet Firewall allows all traffic by default when no rules are set, so it is the block-all rule that turns the configuration into an allowlist.
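The following model of the procedure above is an added example, not Tencent Cloud code, and it calls no CFW API. It shows why rule order matters: an ordered, first-match rule list with per-port allow rules followed by a block-all rule, a check that rejects domain-name templates where the console does not accept them, and a shadowing check that flags allow rules placed below a block-all rule. The rule fields (priority, direction, source, dest, dest_port, action), the convention that a lower priority value is evaluated first, and the default-allow behaviour on no match (taken from the FAQ's statement that unmatched traffic is allowed) are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    priority: int             # lower value is evaluated first (assumed convention)
    direction: str            # "inbound" or "outbound"
    source: str               # CIDR, "any", or "domain:<fqdn>" (address template)
    dest: str                 # CIDR, "any", or "domain:<fqdn>"
    dest_port: Optional[int]  # None matches any port
    action: str               # "allow" or "block"


def validate(rule: Rule) -> None:
    """Mirror the console's template restriction described in this FAQ:
    a domain-name template is accepted only as the destination of an outbound rule."""
    for field_name, value in (("source", rule.source), ("dest", rule.dest)):
        if value.startswith("domain:") and not (
            rule.direction == "outbound" and field_name == "dest"
        ):
            raise ValueError(f"{rule.direction} {field_name} cannot be a domain-name template")


def _addr_matches(pattern: str, ip: str) -> bool:
    if pattern == "any":
        return True
    if pattern.startswith("domain:"):
        return False  # CFW resolves domain templates to IPs; DNS is not modelled here
    return ip_address(ip) in ip_network(pattern, strict=False)


def evaluate(rules: List[Rule], direction: str, src: str, dst: str, port: int) -> str:
    """First-match evaluation in priority order. With no matching rule the traffic
    is allowed (assumption consistent with the FAQ's default-allow statement),
    which is why an explicit block-all rule is needed."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.direction != direction:
            continue
        if r.dest_port not in (None, port):
            continue
        if _addr_matches(r.source, src) and _addr_matches(r.dest, dst):
            return r.action
    return "allow"


def inbound_allowlist(ports: List[int], block_all_first: bool = False) -> List[Rule]:
    """Build the rule set from the procedure: one allow per port, then block-all.
    block_all_first=True reproduces the mistake of putting the block rule on top."""
    allows = [Rule(i + 1, "inbound", "any", "any", p, "allow") for i, p in enumerate(ports)]
    block = Rule(0 if block_all_first else len(ports) + 1, "inbound", "any", "any", None, "block")
    rules = [block] + allows if block_all_first else allows + [block]
    for r in rules:
        validate(r)
    return rules


def shadowed_allows(rules: List[Rule]) -> List[Rule]:
    """Return allow rules that can never match because a broader block rule with
    higher priority precedes them: the check worth running before saving."""
    ordered = sorted(rules, key=lambda r: r.priority)
    shadowed = []
    for i, r in enumerate(ordered):
        if r.action != "allow":
            continue
        for earlier in ordered[:i]:
            if (earlier.action == "block" and earlier.direction == r.direction
                    and earlier.source == "any" and earlier.dest == "any"
                    and earlier.dest_port in (None, r.dest_port)):
                shadowed.append(r)
                break
    return shadowed


if __name__ == "__main__":
    good = inbound_allowlist([22, 443])
    print(evaluate(good, "inbound", "203.0.113.5", "10.0.0.10", 443))   # allow
    print(evaluate(good, "inbound", "203.0.113.5", "10.0.0.10", 8080))  # block
    bad = inbound_allowlist([22, 443], block_all_first=True)
    print([r.dest_port for r in shadowed_allows(bad)])                  # [22, 443]
```

Running the block shows the intended allowlist (443 allowed, 8080 blocked) and, for the misordered set, that both allow rules are shadowed by the block-all rule and every port is blocked.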
How long does it take for configured access control rules to take effect?
After you configure CFW rules, they take roughly 10 seconds to 1 minute to take effect.
Does Cloud Firewall Support Access Control by Domain Name?
The Internet Firewall and the NAT Firewall both support domain names in outbound rules. The inter-VPC firewall also supports access control rules based on domain names.
Does Cloud Firewall Support Configuring Restriction Policies by Domain Name?
Currently, this is supported for assets in the Chinese mainland and Hong Kong (China).
Does Cloud Firewall Support Regional Blocking?
The regional blocking feature is available in Enterprise Edition and above.
Why Can't Some Address Templates Be Selected When Adding Inbound Rules in CFW?
Neither the access source nor the access destination of an inbound rule can use a domain-name template, and the access source of an outbound rule cannot use one either; only the access destination of an outbound rule can. This is because an inbound source cannot be a domain name: CFW resolves a domain-name template to IP addresses, which makes sense for an outbound destination, whereas the source of an inbound connection is an arbitrary client address with no name to resolve.
What Is the Difference Between Access Control in CFW and Security Groups in a VPC?
VPC security groups are limited in what they can express and are usually used to set up an allowlist for specific services on individual servers. CFW's enterprise security group is the recommended option: it uses an intelligent algorithm to deploy a unified policy across assets.
Does Cloud Firewall Support the UDP Protocol?
The NAT boundary firewall, the enterprise security group, and the inter-VPC firewall support UDP protection; the Internet boundary firewall, which works in bypass mode, does not.
How Many Rule Entries Can the NAT Firewall Be Expanded To?
The NAT firewall can be scaled to 20,000 rule entries.
Why Does the Alarm Center Still Generate Observation Alerts from Outside the Chinese Mainland After the Internet Edge Firewall Blocks That Regional Access?
1. If the ACL logs contain no corresponding block record, check whether another, higher-priority allow (pass) rule is letting the traffic through.
2. If the ACL logs do record the corresponding block, the alert is most likely caused by the bypass preemption mechanism: the Internet edge firewall inspects mirrored traffic, so the intrusion prevention engine can raise an alert for a request that the access control rule has already blocked. If this is a concern, you can manually block all attack alerts from outside the Chinese mainland in the Alarm Center.
Why Do Some Requests Still Appear in the Alarm Center Without Being Blocked Even Though Access Control Rules Are Configured?
The access control rule may not have taken effect yet; rules take roughly 10 seconds to 1 minute to apply.
If the rules are already in effect, this is due to the bypass design of the Internet edge firewall. The bypass firewall analyzes mirrored network traffic, so some traffic can match the intrusion prevention system and trigger an alert even though the access request itself has already been blocked. Check the ACL logs for the corresponding block record to confirm this.
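The triage in the two answers above (look for a corresponding block in the ACL logs; if there is none, look for a higher-priority allow rule; if the rule is new, allow for propagation time) can be run as a small script over exported logs. The following is an added example, not Tencent Cloud tooling: it joins Alarm Center alerts to ACL log entries by flow and time window and labels each alert. The JSON field names (time, src_ip, dst_ip, dst_port, action, rule_id, alert) and the sample log lines are constructed for illustration and are not CFW's real log schema.

```python
import json
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample data (not real CFW logs). Times are UTC.
ACL_LOG = """\
{"time": "2024-05-01T10:00:01Z", "src_ip": "198.51.100.7", "dst_ip": "10.0.0.10", "dst_port": 22, "action": "block", "rule_id": 9}
{"time": "2024-05-01T10:00:05Z", "src_ip": "198.51.100.7", "dst_ip": "10.0.0.10", "dst_port": 443, "action": "allow", "rule_id": 2}
{"time": "2024-05-01T10:02:00Z", "src_ip": "203.0.113.9", "dst_ip": "10.0.0.10", "dst_port": 3389, "action": "block", "rule_id": 9}
"""
ALERTS = """\
{"time": "2024-05-01T10:00:02Z", "src_ip": "198.51.100.7", "dst_ip": "10.0.0.10", "dst_port": 22, "alert": "ssh brute force"}
{"time": "2024-05-01T10:00:06Z", "src_ip": "198.51.100.7", "dst_ip": "10.0.0.10", "dst_port": 443, "alert": "web scanner"}
{"time": "2024-05-01T10:05:00Z", "src_ip": "192.0.2.44", "dst_ip": "10.0.0.10", "dst_port": 8080, "alert": "web scanner"}
"""


def parse(lines: str) -> List[Dict]:
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in lines.splitlines() if line.strip()]


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def _flow(entry: Dict) -> Tuple[str, str, int]:
    return (entry["src_ip"], entry["dst_ip"], entry["dst_port"])


def triage(alerts: List[Dict], acl: List[Dict], window: timedelta = timedelta(seconds=60)) -> List[Dict]:
    """Label each alert with what the ACL logs say about the same flow near the same time.

    blocked       -> ACL recorded a block; the alert came from the bypass (mirrored-traffic)
                     analysis of a request that was already blocked
    allowed       -> an allow rule matched; check whether it outranks the block rule
    no ACL record -> nothing logged for the flow; confirm the rule has taken effect
                     (10 s to 1 min) and actually covers this source
    """
    by_flow: Dict[Tuple[str, str, int], List[Dict]] = {}
    for entry in acl:
        by_flow.setdefault(_flow(entry), []).append(entry)

    results = []
    for alert in alerts:
        t = _ts(alert["time"])
        nearby = [e for e in by_flow.get(_flow(alert), []) if abs(_ts(e["time"]) - t) <= window]
        if any(e["action"] == "block" for e in nearby):
            verdict, note = "blocked", "ACL logged a block; alert is from bypass analysis of mirrored traffic"
        elif nearby:
            allow = next(e for e in nearby if e["action"] == "allow")
            verdict = "allowed"
            note = f"passed by rule {allow['rule_id']}; check whether it has higher priority than the block rule"
        else:
            verdict, note = "no ACL record", "no ACL log for this flow; confirm the rule is in effect and covers this source"
        results.append({**alert, "verdict": verdict, "note": note})
    return results


def verdicts(alert_text: str = ALERTS, acl_text: str = ACL_LOG) -> List[str]:
    return [r["verdict"] for r in triage(parse(alert_text), parse(acl_text))]


if __name__ == "__main__":
    for r in triage(parse(ALERTS), parse(ACL_LOG)):
        print(r["time"], r["src_ip"], r["dst_port"], r["verdict"], "-", r["note"])
```

On the constructed input the first alert is reported as blocked (a false "not blocked" impression caused by the bypass analysis), the second as passed by rule 2 (the higher-priority allow rule to review), and the third as having no ACL record at all (rule not yet in effect or not matching this source). The time window is a judgment call; widen it if the ACL and alert clocks are not tightly synchronized.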
Does CFW Access Control Support Configuring a Specific Effective Time Period?
It is recommended to select Automation Tool on the Common Tools page to configure when a rule takes effect, setting the enablement and deactivation times according to your scenario.
What Are the Usage Limits When Enabling Persistent Connection in NAT Firewall Access Control?
2. The maximum number of connections is limited by the bandwidth specification of the instance. For details, see Firewall Common Issues.
How Is an IP Conflict in Domain Name Resolution Handled After a Domain Name Is Obtained?
The rule with the higher processing priority is applied.
After Domain Name Rules Are Issued as IP Rules, Can an Attacker Bypass the Cloud Firewall's Domain Name Limitation?
CFW enforces domain-name rules as IP rules generated from authoritative DNS resolution. Modifying a local hosts file changes only how that host resolves the name, not which IPs the rule covers, so an attacker cannot bypass the rule that way. Note that the rule's coverage is the set of IPs returned by authoritative DNS for the domain, not whatever a client's local resolver returns.