Rule Group

Last updated: 2026-05-28 15:47:48

Feature Introduction

Rule groups are used to centrally create, orchestrate, and maintain reusable rule sets. They cover CFW rule management for internet boundary rules, NAT boundary rules, VPC boundary rules, and enterprise security group rules, and provide fine-grained lifecycle management of groups and the rules inside them: creating, editing, sorting, filtering, and batch operations. Rule groups are the rule foundation for the subsequent cross-account rule distribution process.
In a multi-account scenario, a rule group is the core vehicle for one-time orchestration and multi-account deployment: it defines only the rule content and order. Which accounts or account groups a rule group is deployed to is configured separately; see Rule Management.

Operation Steps

Create Rule Group

1. Log in to the FWM console. In the left-side navigation pane, select Rule Group.
2. On the Rule Group Management page, select the target product for which you want to create a rule group, and then click Creating Rule Group.
3. On the Add Rule Group page, configure the following parameters:

(Group) Priority: Priorities are assigned automatically as 1, 2, 3... in the order rules are added; a smaller number means a higher priority. Priority numbers cannot be edited directly. To reorder, drag the drag icon at the beginning of a row up or down; the priorities are renumbered accordingly.
IP Type (Supported by VPC Boundary and Enterprise Security Group): Select the IP type for which the rule takes effect.
Applicable Scope
Internet Boundary: The serial firewall.
NAT Boundary: The region or firewall instance where the current rule takes effect.
VPC Boundary: The firewall instance where the current rule takes effect.
Enterprise Security Group: A security group or a Lighthouse firewall.
Access Source and Access Destination
IP Address: Directly enter any IP address or address in CIDR format, such as 10.10.10.10 or 10.10.10.10/24. Multiple objects are supported and can be separated by commas.
Note:
When you enter 0.0.0.0/0, the backend automatically associates all public IP addresses. Likewise, a CIDR block is associated only with the public IP addresses inside that block.
In a VPC boundary rule, an address outside the CIDR of the local VPC or the peer VPC never matches, so the rule will not take effect for it.
Domain Name (Supported by Internet Boundary, NAT Boundary, and VPC Boundary): Domain name matching supports standard domain name formats and wildcard patterns. The matching modes are:
FQDN Matching: Matches on the Host header field or the SNI extension field in the application-layer packet.
Loose Matching: A hit occurs if the FQDN matching rule is satisfied, or if the IP address the client connects to (the destination IP) is in the current DNS resolution result for that domain. Either condition is enough.
Strict Matching: A hit occurs only if the FQDN matching rule is satisfied and the IP address the client connects to (the destination IP) is in the current DNS resolution result for that domain. Both conditions must be met. This is the mode that prevents a client from reaching an unrelated IP address by presenting a permitted domain name in the SNI or Host header.
Note:
When you enter *, the backend automatically associates all domain names.
When you enter a wildcard domain name (such as *.example.com), the backend automatically associates all subdomains covered by the wildcard.
Address Template (Supported by Internet Boundary, NAT Boundary, and VPC Boundary): Select from the created IP address templates. For custom address templates, refer to Address Template.
Parameter Template (Supported by Enterprise Security Group): Select a custom parameter template configured by the user.
Asset Instance (Supported by Internet Boundary, NAT Boundary, and VPC Boundary): Select a specific instance as the access destination.
Resource Tag (Supported by Internet Boundary, NAT Boundary, and VPC Boundary): Select the access destination based on the resource's Tag. The public IP addresses of instances within the Tag will then match the corresponding boundary rules.
Location (Supported by Internet Boundary and NAT Boundary): It refers to the actual geographic location corresponding to an IP address, encompassing provinces within the Chinese mainland, the Hong Kong/Macao/Taiwan (China) region, and continents overseas.
Asset Geography (Supported by Enterprise Security Group): Select a specific region.
Destination Port: Enter the destination port manually, or select an existing port/protocol template. For custom port/protocol templates, refer to Address Template.
The value supports single port numbers, port ranges written with '/', and discrete ports separated by commas:

Destination Port value   Description
-1/-1                    All ports.
80                       Port 80.
80,443,3389              Ports 80, 443, and 3389.
80/443                   All ports from 80 to 443.
80/443,3389              All ports from 80 to 443, plus port 3389.
Protocol: The protocols available depend on the boundary type, the direction, and the destination type.

Internet Boundary
Direction | Destination Type | Supported Protocols
Inbound | IP Address | ANY, TCP, UDP, ICMP, FTP (FTP only for an exact IP)
Inbound | Domain Name > FQDN Matching; Address Template > Domain Name Address Template | ANY, HTTP/HTTPS, HTTP, HTTPS, SMTP/SMTPS, SMTP, SMTPS, DNS (DNS only for domain names)
Inbound | Domain Name > Loose Matching; Domain Name > Strict Matching | Not supported
Inbound | Asset Instance; Resource Tag; Address Template > IP Address Template | ANY, TCP, UDP, ICMP, FTP
Outbound | IP Address | ANY, TCP, UDP, ICMP, FTP (FTP only for an exact IP)
Outbound | Domain Name > FQDN Matching; Address Template > Domain Name Address Template | ANY, HTTP/HTTPS, HTTP, HTTPS, SMTP/SMTPS, SMTP, SMTPS, DNS (DNS only for domain names)
Outbound | Domain Name > Loose Matching; Domain Name > Strict Matching | TCP, UDP
Outbound | Location; Address Template > IP Address Template | ANY, TCP, UDP, ICMP

NAT Boundary
Direction | Destination Type | Supported Protocols
Inbound | IP Address; Asset Instance; Resource Tag; Address Template > IP Address Template | ANY, TCP, UDP
Inbound | Address Template > Domain Name Address Template | Not supported
Outbound | IP Address | ANY, TCP, UDP, ICMP, FTP (FTP only for an exact IP)
Outbound | Location; Address Template > IP Address Template | ANY, TCP, UDP, ICMP
Outbound | Domain Name > FQDN Matching; Address Template > Domain Name Address Template | ANY, HTTP/HTTPS, HTTP, HTTPS, SMTP/SMTPS, SMTP, SMTPS, DNS (DNS only for domain names)
Outbound | Domain Name > Loose Matching; Domain Name > Strict Matching | TCP, UDP

VPC Boundary
Destination Type | Supported Protocols
IP Address | ANY, TCP, UDP, ICMP, FTP (FTP only for an exact IP)
Asset Instance; Resource Tag; Address Template > IP Address Template | ANY, TCP, UDP, ICMP
Domain Name > FQDN Matching; Address Template > Domain Name Address Template | ANY, HTTP/HTTPS, HTTP, HTTPS, SMTP/SMTPS, SMTP, SMTPS, DNS (DNS only for domain names)
Domain Name > Loose Matching; Domain Name > Strict Matching | TCP, UDP

Enterprise Security Group: Supports the ANY, TCP, UDP, and ICMP protocols.
Policy
Pass (Allow for Enterprise Security Group): Permits traffic that matches the rule, counts the hit, records traffic logs, but does not record access control logs.
Observe: Permits traffic that matches the rule, counts the hit, and records both access control logs and traffic logs.
Block (Reject for Enterprise Security Group): Blocks traffic that matches the rule, counts the hit, records access control logs, and records only the request packet of the blocked traffic in the traffic logs.
Description: Describes the rule; up to 50 characters.
4. If the next rule you need is similar to one you have already configured, use the copy feature to generate it and then adjust the details as needed:
Click the copy icon in the operation bar to add a new rule directly below the selected rule, with all of that rule's content copied.
Click the copy button below the list to add a new rule at the bottom of the list, with the content of the last rule copied.
Note:
A rule group supports adding up to 10 rules at a time.
5. After it is confirmed that everything is correct, click Confirm to complete the configuration.
Note:
A rule does not take effect immediately after creation. Go to the Rule Management page and manually deploy the rule to activate it.
Risk notice for IP-address-based configuration: When asset IP addresses are unique, you can quickly configure security group rules by IP address. However, if an IP address is bound to multiple instances, a rule for that IP address applies to all of those instances, and if later asset changes map that IP address to new instances, the rule automatically extends to them as well.
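To make the matching semantics above concrete (the Destination Port syntax, the three domain matching modes, wildcard domains, and first-match evaluation in priority order), here is an added Python example. It is not part of this page and is not CFW/FWM code: the Flow and Rule classes, the DNS table, the rules and the sample flows are all constructed for illustration, and two details are assumptions rather than documented behaviour: a wildcard such as *.example.com is taken to cover subdomains at any depth but not the apex, and Loose/Strict matching consults the DNS results of every name the rule's pattern covers.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

ALL_PORTS = (0, 65535)   # what the documented "-1/-1" value expands to


def parse_ports(spec: str) -> List[Tuple[int, int]]:
    """Parse a Destination Port value: single ports, '/'-delimited ranges,
    comma-separated items, or -1/-1 for all ports."""
    spec = spec.replace(" ", "")
    if spec == "-1/-1":
        return [ALL_PORTS]
    ranges = []
    for item in spec.split(","):
        if "/" in item:
            lo_text, hi_text = item.split("/", 1)
            lo, hi = int(lo_text), int(hi_text)      # int() rejects '' and junk
        else:
            lo = hi = int(item)
        if not 0 <= lo <= hi <= 65535:
            raise ValueError(f"invalid port item {item!r} in {spec!r}")
        ranges.append((lo, hi))
    return ranges


def is_valid_port_spec(spec: str) -> bool:
    """Pre-submit check: True if parse_ports would accept the value."""
    try:
        parse_ports(spec)
        return True
    except ValueError:
        return False


def port_matches(ranges: List[Tuple[int, int]], port: int) -> bool:
    return any(lo <= port <= hi for lo, hi in ranges)


def domain_matches(pattern: str, fqdn: str) -> bool:
    """'*' matches every domain; '*.example.com' matches names under
    example.com (assumption: any depth, not the apex); otherwise exact."""
    fqdn = fqdn.lower().rstrip(".")
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:].lower()                  # ".example.com"
        return fqdn.endswith(suffix) and len(fqdn) > len(suffix)
    return fqdn == pattern.lower()


@dataclass
class Flow:                      # constructed for this example
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str                # e.g. "HTTPS", "TCP"
    fqdn: Optional[str] = None   # Host header or SNI, if observed


@dataclass
class Rule:                      # constructed; mirrors the console fields
    priority: int                # 1 is the highest priority
    source: str                  # access source CIDR
    dest_domain: str             # access destination domain pattern
    match_mode: str              # "fqdn", "loose" or "strict"
    ports: str                   # Destination Port value
    protocol: str                # "ANY" or '/'-joined list, e.g. "HTTP/HTTPS"
    policy: str                  # "Pass", "Observe" or "Block"


def domain_rule_hits(rule: Rule, flow: Flow, dns: Dict[str, Set[str]]) -> bool:
    """The three documented domain matching modes."""
    fqdn_hit = flow.fqdn is not None and domain_matches(rule.dest_domain, flow.fqdn)
    if rule.match_mode == "fqdn":
        return fqdn_hit
    # Loose/Strict also look at the current DNS resolution of the rule's domain
    # (assumption: union over every resolved name the pattern covers).
    resolved: Set[str] = set()
    for name, ips in dns.items():
        if domain_matches(rule.dest_domain, name):
            resolved |= ips
    ip_hit = flow.dst_ip in resolved
    if rule.match_mode == "loose":
        return fqdn_hit or ip_hit
    if rule.match_mode == "strict":
        return fqdn_hit and ip_hit
    raise ValueError(f"unknown match mode {rule.match_mode!r}")


def evaluate(rules: List[Rule], flow: Flow, dns: Dict[str, Set[str]]) -> Tuple[Optional[int], str]:
    """First match wins, in priority order (top of the console list first).
    Returns (priority of the hit rule, its policy) or (None, 'no-match')."""
    src = ipaddress.ip_address(flow.src_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.protocol != "ANY" and flow.protocol not in rule.protocol.split("/"):
            continue
        if src not in ipaddress.ip_network(rule.source, strict=False):
            continue
        if not port_matches(parse_ports(rule.ports), flow.dst_port):
            continue
        if not domain_rule_hits(rule, flow, dns):
            continue
        return rule.priority, rule.policy
    return None, "no-match"


def is_permitted(policy: str) -> bool:
    """Pass and Observe both forward the traffic; only Block drops it."""
    return policy in ("Pass", "Observe")


# Constructed sample data (not from the page): a hypothetical outbound group.
DNS: Dict[str, Set[str]] = {
    "api.internal.example.com": {"203.0.113.10"},
    "www.example.com": {"198.51.100.7"},
}
RULES = [
    Rule(1, "10.0.0.0/8", "*.internal.example.com", "strict", "443", "HTTPS", "Pass"),
    Rule(2, "10.0.0.0/8", "*", "loose", "-1/-1", "ANY", "Observe"),
    Rule(3, "0.0.0.0/0", "*", "fqdn", "-1/-1", "ANY", "Block"),
]
SAMPLE_FLOWS = {
    # SNI and destination IP agree: strict rule 1 hits.
    "legit": Flow("10.1.2.3", "203.0.113.10", 443, "HTTPS", "api.internal.example.com"),
    # SNI claims the internal API but the packet goes elsewhere: strict rule 1
    # misses; the loose catch-all (rule 2) still hits on the FQDN alone.
    "sni_spoof": Flow("10.1.2.3", "198.51.100.7", 443, "HTTPS", "api.internal.example.com"),
    # Source outside 10.0.0.0/8: only the final Block rule applies.
    "outsider": Flow("192.0.2.5", "198.51.100.7", 443, "HTTPS", "www.example.com"),
    # Plain TCP with no SNI: loose rule 2 hits purely on the resolved IP.
    "rdp": Flow("10.1.2.3", "203.0.113.10", 3389, "TCP", None),
}

if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        prio, policy = evaluate(RULES, flow, DNS)
        print(f"{name:10s} -> rule {prio}: {policy} (permitted={is_permitted(policy)})")
```

The sni_spoof flow is the reason Strict Matching exists: a Pass rule in Loose or FQDN mode would let a client reach any destination IP just by sending a permitted name in the SNI, whereas the strict rule only fires when the destination IP is also what the domain currently resolves to. Note that the example orders rules by the priority number exactly as the Quick Sort list does, so moving a broad Observe rule above a narrow Block rule silently turns the block into logging only.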

Manage Rule Group

On the Rule Group page, you can filter and query rule groups by combining multiple resource attributes, and then manage the target rule groups.


Delete Rule Group

Delete a Single Rule Group: In the Actions column of the target rule group, click Delete.
Batch Delete: Select multiple rule groups, and then click Batch Delete above the list.

Note:
A rule group cannot be deleted while it has associated deployment accounts. Go to the Rule Management page, remove the relevant deployment rule groups so that no deployment account remains associated, and then proceed with the deletion.
Deleted rule groups cannot be recovered.

Edit Rule Group

In the Actions column of the target rule group, click Edit to go to the edit page.

This page is divided into two parts:
Basic Information: Only the rule group name can be modified, by clicking the edit icon next to it. Other basic information parameters cannot be edited.

Rule Information: You can add, query, modify, delete, and sort all rules within the current rule group.

Query Rule: You can filter and query rules by combining multiple resource attributes.
Create Rule: Click Create Rule to add a rule within this group. For parameter descriptions, see Create Rule Group.
Edit Rule: Click Edit in the Actions column of the target rule to modify its detailed configuration.
Delete Rule: Click Delete in the Actions column of the target rule to delete it. To delete multiple rules, select them and then click Batch Delete.
Quick Sort: The top-to-bottom order of rules in the list indicates their priority from high to low. To adjust the order, follow the steps below:
a. Click Quick Sort above the list.
b. Hover the mouse over the rule row you need to adjust. When the cursor changes to a drag icon, press and hold the left mouse button and drag up or down.
c. After the position is adjusted to the target position, click Save. Rules at the top of the list have higher priority than those at the bottom. The system automatically updates the priority values.
