Access Control
Last updated: 2026-02-28 15:11:54

Is the Default Rule of CFW "Pass" or "Block" If No Rule Is Configured?

CFW passes all traffic by default. When the CFW toggle is enabled, CFW will start recording traffic logs and generating intrusion prevention alarms. However, no traffic will be blocked at this time since no rules are configured.

How Do I Configure CFW to Pass Only Permitted Ports?

1. After enabling the Internet Firewall, choose Access Control > Internet Border Rule > Inbound Rule to go to the Inbound Rules page.
2. On the Inbound Rules page, click Add rule to add a pass rule for each port you need, then add a rule that blocks all ports so that any port not explicitly passed is denied.
Note:
Internet Firewall passes all traffic by default when no rules are configured.

How Long Does It Take for an Access Control Rule to Take Effect After It Is Configured?

When CFW rules are configured, it takes about 10 seconds to 1 minute for the rules to take effect.

Does Cloud Firewall Support Access Control Based on Domain Names?

Both the Internet Firewall and the NAT Firewall support domain names in outbound rules, and the Inter-VPC Firewall also supports domain-name access control rules.

Does CFW Support Configuring Restriction Policies via Domain Names?

Currently, assets in the Chinese mainland and Hong Kong (China) support configuring restriction policies via domain names.

Does CFW Have the Geo-Blocking Feature?

Premium Edition and above have the Geo-Blocking feature.

Why Can't Some Address Templates Be Selected When Adding Inbound Rules in CFW?

For inbound rules, domain name templates cannot be selected for either the source or the destination. For outbound rules, domain name templates cannot be selected for the source but can be selected for the destination. The reason is that an inbound source cannot be a domain name.

What Is the Difference Between the Access Control Feature of CFW (Cloud Firewall) and the Security Group Feature in VPC (Virtual Private Cloud)?

The VPC security group feature is relatively limited and is typically used to set up an allowlist for specific services on servers. We recommend using CFW's Enterprise Security Group, which supports intelligent algorithms for unified policy deployment.

Does Cloud Firewall Support Protection for UDP Traffic?

The NAT Firewall, Enterprise Security Group, and Inter-VPC Firewall support UDP protection; the Internet border bypass firewall does not.

To How Many Entries Can the Number of NAT Firewall Rules Be Extended?

The number of NAT Firewall rules can be expanded to 20,000 entries.

Why Are Observation Rule Entries Still Generated in the Alarm Center After the Internet Firewall Is Configured to Block Access from Regions Outside the Chinese Mainland?

1. If the ACL logs contain no corresponding blocked requests, check whether another pass rule with a higher priority is matching the traffic first.
2. If the ACL logs do record the corresponding blocked requests, the alarms may be caused by the bypass preemption mechanism. If this is a concern, you can manually block all attack alarms from overseas in the Alarm Center.
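The following Python is an added illustration, not Tencent Cloud's code or the CFW engine: it models the rule semantics this FAQ describes (rules matched from highest priority down, first match decides, an empty rule set passes everything), builds the pass-needed-ports-then-block-all inbound allowlist from the configuration question above, and flags rules shadowed by a higher-priority rule, which is the check in step 1 here. The source CIDRs and sample IP addresses are constructed.

```python
"""Constructed model of CFW-style inbound access control (not the CFW engine):
rules are evaluated from highest priority (index 0) downward, the first match
decides, and an empty rule set passes everything, as the FAQ states."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str  # "pass" or "block"
    source: str  # source CIDR such as "203.0.113.0/24" (constructed), or "any"
    port: str    # destination port number as a string, or "any"

    def matches(self, src_ip: str, dst_port: int) -> bool:
        src_ok = self.source == "any" or (
            ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source))
        port_ok = self.port == "any" or int(self.port) == dst_port
        return src_ok and port_ok

def evaluate(rules: list, src_ip: str, dst_port: int) -> str:
    """Action the ordered rule list yields for one inbound connection."""
    for rule in rules:
        if rule.matches(src_ip, dst_port):
            return rule.action
    return "pass"  # default when nothing matches (FAQ: CFW passes by default)

def covers(outer: Rule, inner: Rule) -> bool:
    """True if every connection matching `inner` also matches `outer`."""
    src = outer.source == "any" or (
        inner.source != "any"
        and ipaddress.ip_network(inner.source).subnet_of(
            ipaddress.ip_network(outer.source)))
    return src and (outer.port == "any" or outer.port == inner.port)

def find_shadowed(rules: list) -> list:
    """Indexes of rules that can never match because a higher-priority rule
    already covers them; a block rule shadowed by a pass rule is why traffic
    you meant to block can still show up as passed in ACL logs and alarms."""
    return [i for i, r in enumerate(rules) if any(covers(e, r) for e in rules[:i])]

def allowlist(ports, source: str = "any") -> list:
    """Rule set from the FAQ: pass each needed port, then block everything else."""
    return [Rule("pass", source, str(p)) for p in ports] + [Rule("block", "any", "any")]

if __name__ == "__main__":
    rules = allowlist([22, 443])  # constructed example rule set
    print(evaluate(rules, "198.51.100.7", 443), evaluate(rules, "198.51.100.7", 3389))
    misordered = [Rule("block", "any", "any")] + allowlist([22])[:-1]
    print("shadowed:", find_shadowed(misordered))  # the pass rule for 22 is dead
```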

Why Do Some Requests Still Appear in the Alarm Center Without Being Blocked After Access Control Rules Are Configured?

The Access Control rules may not have taken effect yet.
If the rules are already in effect, the cause may be bypass packet leakage in the Internet Firewall. The bypass-mode firewall analyzes a mirrored copy of the network traffic, so some mirrored traffic may still match the Intrusion Defense system and trigger alarms even though the corresponding access requests have already been intercepted.

Does CFW Access Control Support Configuring Specific Effective Time Periods?

We recommend using the automation tool on the Common Tool page to configure when rules take effect, setting the enable and disable times of each rule according to your scenario.

What Are the Usage Restrictions for Enabling Long-Lived Connections in NAT Firewall Access Control?

1. The firewall engine must be kept up to date, and updating it is recommended. For details, see Firewall Engine Upgrade.
2. The maximum number of connections is subject to the limits of the bandwidth specification. For details, see Firewall FAQs.

If the IP Address Resolved from a Domain Name Rule Conflicts with an Existing IP Address Rule, How Is the Conflict Handled?

The higher-priority rule is processed.

Can Attackers Bypass CFW Domain Restriction Rules, Which Are Deployed as IP Rules, by Modifying the hosts File?

CFW intercepts traffic based on IP address rules generated from authoritative DNS resolution. An attacker modifying the local hosts file does not affect rule enforcement, so this cannot bypass the protection.
