This topic describes special scenarios of the Cloud Firewall access control feature.
Managing the execution priority of the rule lists
You can manage the execution priority of edge firewall rules, NAT firewall rules, and inter-VPC rules. The following takes Edge firewall rules as an example.
Scenario 1: Sorting rules in the list
1. Log in to the Cloud Firewall console and select Access Control -> Edge firewall rules in the left navigation pane.
2. On the Edge firewall rules page, click Sort on the top of the list to enter the modification mode.
3. In this mode you can move rules in batch within the current page: drag the icon on the left of a rule to change its position and execution priority.
4. When you are done, click Save.
Sort operations:
Releasing the mouse cursor counts as one sort operation if the position of any rule has changed; if no rule position has changed, no sort operation has taken place.
After a sort operation takes place, the Cancel button becomes active.
Click Recover once to return the list to the state before the last sort operation.
If you click Save, you will see a Sorted successfully toast at the top of the page.
If you click Cancel, the list returns to its initial state and none of the sort operations take effect.
Scenario 2: Modifying a rule to move it to a specified position
When you need to move a rule a long way up or down the list, dragging is inefficient. Instead, you can use the modification feature. You can modify the execution priority of only one rule at a time.
1. Log in to the Cloud Firewall console and select Access Control -> Edge firewall rules in the left navigation pane.
2. On the Edge firewall rules page, find the rule you want to move in the list, and determine the new position.
3. Click Modify on the right to enter the rule modification mode.
4. Modify the execution priority to the desired value.
Note:
Execution priority values are unique and contiguous: the minimum value is 1 and the maximum value is the total number of rules in the current list.
5. Click Complete and check the rule priority.
Note:
When you modify the execution priority of a rule in the list, the positions of all other rules will be automatically adjusted.
Scenario 3: Inserting a rule to a specified position in an existing list
Cloud Firewall allows you to insert a rule between any two existing rules; the inserted rule is executed at the execution priority of the position it is inserted at.
The rule will be inserted above the selected position. In the following example, we want to insert a rule between the rules in positions 2 and 3:
1. Log in to the Cloud Firewall console and select Access Control -> Edge firewall rules in the left navigation pane.
2. On the Edge firewall rules page, find the rule in position 3 in the list, and click Add one above on the right.
3. The rule modification box will be displayed above the rule in position 3.
4. In the box, enter the fields of the new rule and click Complete to insert the rule.
Note:
The inserted rule will take the position of the rule below it, and the execution priority of all the rules below the new rule will be moved down by one position.
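The priority model described in Scenarios 2 and 3 (unique, contiguous priorities 1..N; modifying one priority shifts the others; Add one above pushes the rule at that position and everything below it down by one), as an added Python model that is not Cloud Firewall's own code. The rule names, CIDRs and the first-match evaluation are constructed assumptions used to show why a rule's position decides whether it ever matches.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    src: str      # source CIDR the rule matches (constructed sample values)
    action: str   # "allow" or "deny"

class RuleList:
    """Ordered ACL. A rule's execution priority is its 1-based position, so
    priorities are unique and contiguous (1..N) by construction."""

    def __init__(self, rules):
        self.rules = list(rules)

    def priorities(self):
        return {r.name: i + 1 for i, r in enumerate(self.rules)}

    def modify_priority(self, name, new_priority):
        """Scenario 2: move one rule to new_priority; all other rules shift."""
        if not 1 <= new_priority <= len(self.rules):
            raise ValueError(f"priority must be in 1..{len(self.rules)}")
        idx = next((i for i, r in enumerate(self.rules) if r.name == name), None)
        if idx is None:
            raise KeyError(name)
        self.rules.insert(new_priority - 1, self.rules.pop(idx))

    def add_one_above(self, position, rule):
        """Scenario 3: insert above the rule at position; that rule and every
        rule below it move down one priority."""
        if not 1 <= position <= len(self.rules):
            raise ValueError(f"position must be in 1..{len(self.rules)}")
        self.rules.insert(position - 1, rule)

    def evaluate(self, src_ip):
        """Assumed first-match semantics: the matching rule with the lowest
        priority number decides, so ordering determines the outcome."""
        ip = ipaddress.ip_address(src_ip)
        for r in self.rules:
            if ip in ipaddress.ip_network(r.src):
                return r.name, r.action
        return None, "no-match"

def build_example():
    # Constructed sample list: the broad deny at priority 2 shadows allow-web at 3.
    return RuleList([
        Rule("allow-admin", "10.1.0.0/16", "allow"),
        Rule("deny-all", "0.0.0.0/0", "deny"),
        Rule("allow-web", "203.0.113.0/24", "allow"),
    ])
```

Moving allow-web to priority 1 with `modify_priority` is what makes traffic from 203.0.113.0/24 match it instead of deny-all; a zero hit count on the shadowed rule is the symptom the "Checking if rules are effective" section describes.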
Checking if rules are effective
Method 1: Check the hit counts in the access control list. If there are hits, the rules have taken effect.
Note:
If a rule has zero hits, it does not necessarily mean that the rule is incorrectly configured. The rule may simply have no hits for the time being.
Method 2: Select Log Auditing -> Access Control Logs in the left navigation pane to view the access control logs (rule hit logs). If a rule is included in the log, the rule has taken effect.
Operation locking
At any one time, only one user is allowed to execute any one of the following operations on a single access control list with the same AppID (the firewall ID is used for VPCs): Add rule, Import rule, Sort, Modify, and Add one above.
When performing operations on a list, you may see the toast The list is being modified by others. Please wait. This means that another user is performing operations on the list.
Note:
Operations are locked for 5 minutes, and will be automatically unlocked after that time period.