Application control

更新时间:
复制 MD 格式

Cloud Firewall application control uses Deep Packet Inspection (DPI) and heuristic behavior analysis to manage traffic at the application layer. Unlike traditional firewalls that rely on IP/port five-tuples, it identifies application signatures in traffic to reveal the true identity of applications hidden behind encryption or non-standard ports. You can allow, observe, or deny outbound traffic by application type for fine-grained access control.

Benefits

  • Precisely identifies disguised traffic: Regardless of how applications change ports, encrypt transmissions, or tunnel through protocols such as HTTPS, the application control engine accurately identifies their true identities, overcoming the limitations of traditional network-layer management.

  • Fine-grained identity-based control: A built-in application signature library covers multiple industry domains. You can define policies based on application categories or specific applications, shifting control from port filtering to business-aware management.

  • Flexible policy priority definitions: Supports hybrid configuration of custom rules and built-in category rules. You can set independent policies for specific applications (such as GitHub file uploads) to meet fine-grained management requirements in complex scenarios.

image

Note

The application control feature is currently in limited beta. To enable this feature, contact your business manager.

View the built-in application signature library

Cloud Firewall provides a built-in application signature library covering categories such as business transactions, sales and marketing, education, and multimedia content. Each application is assigned a risk level. To view the library:

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, choose Prevention Configuration > Access Control > Application Control.

  3. On the Application Feature Library tab, view the list of supported applications. You can search by Application Name, Application ID, or Category.

  4. In the right-side area of the Application Feature Library tab, you can view the update history of signature library rules.

Create a custom template

To use application control rules in access control policies, you must first create a custom rule template:

  1. In the left-side navigation pane, choose Prevention Configuration > Access Control > Application Control.

  2. On the Custom Template tab, click Create Template and configure the following parameters.

    Parameter

    Description

    Basic Information

    Set a descriptive template name and description for easy identification.

    Built-in Application Classification

    Specify an action for each application category:

    • Monitor: the default action. Requests are allowed and logged in the event logs of Log audit.

    • Allow: requests are allowed without being logged.

    • Deny: requests are blocked and logged.

    You can set actions in bulk for all applications in a category.

    Custom Rules

    To adjust the priority of application rules, click Add Custom Rule to configure custom rules for fine-grained control.

    • Rule status: A custom rule takes effect only when its toggle is enabled.

    • Priority setting: You can configure multiple rules within a template. Priority values must be unique within the same template. A lower value indicates a higher priority.

    • Action configuration: A single rule can be associated with multiple applications. Available actions include Monitor, Allow, or Deny.

    • Conflict handling: For the same application, the action configured in a custom rule takes precedence over the action configured in Built-in Application Classification.

    Unknown Application Action

    Specify the default action for traffic from unidentified applications.

    Template Switch

    Enable or disable the template. Configurations take effect only when the template is enabled.

Configuration recommendations

  • Broad control scenarios: If control targets are not clearly defined, configure only Built-in Application Classification and set the action to Monitor. After the business runs for a period, go to the Traffic Logs page of Log audit to review the application identification results, and then adjust template actions based on your business requirements.

  • Precise control scenarios: To control specific applications, configure Custom Rules because custom rules take precedence over Built-in Application Classification.

Application identification mechanism and action determination rules

  • Application identification mechanism: Cloud Firewall may identify multiple applications for a single request. For HTTP protocols (including HTTPS after TLS inspection is configured), the identification result dynamically updates with requests over a persistent connection. The system extracts only the most recent result and does not retain intermediate states. For non-HTTP protocols, the system identifies the application once when the connection is established and does not update it afterward.

  • Action determination rules: The system first matches custom rules by priority. If no custom rule matches, it falls back to Built-in Application Classification by weight.

  • Example: A request is identified as both "GitHub-base" and "GitHub Download". Without custom rules, because "GitHub Download" has a higher weight than "GitHub-base" in Built-in Application Classification, the system executes the action configured for "GitHub Download".

What to do next

After you create a template, you can reference it in the access control policies for Internet Border Outbound traffic. For more information, see Configure access control policies for the Internet firewall.

Manage templates

On the Custom Template tab, you can perform the following operations:

  • Enable or disable a template: Toggle the switch in the Template Switch column to enable or disable a template.

  • Edit a template: Click Edit in the Actions column to modify the template configurations.

  • Delete a template: Click Delete in the Actions column. You cannot delete a template that contains custom rules or is referenced by access control policies.

Appendix: Supported application categories

Category

Description

Typical applications

Office Collaboration

Covers daily office and team collaboration scenarios, including document processing, corporate communication, meeting collaboration, and team productivity tools.

Microsoft 365, Google Workspace, WPS Office, DingTalk, WeCom, Feishu (Lark), Microsoft Teams, Slack, Zoom, Tencent Meeting

Instant Messaging

Covers real-time messaging applications for personal or public use, including chat, voice, images, file sharing, and group communication.

WeChat, QQ, Telegram, WhatsApp, Signal, LINE, Viber, Snapchat

VoIP

Covers IP-based voice and video calling services, including Internet phone, enterprise voice systems, and real-time audio/video communication.

Cisco Unified Communications, Avaya, 3CX, RingCentral, Skype, FaceTime, WebRTC

Email

Covers email sending and receiving, mailbox access, and email system management, including corporate email, personal email, email clients, and webmail.

Outlook, Foxmail, Thunderbird, Gmail, QQ Mail, NetEase Mail (163), Tencent Enterprise Email, Microsoft Exchange

File & Content Management

Covers file storage, synchronization, sharing, content publishing, and knowledge management, including file uploads and downloads, external link sharing, team knowledge bases, and content management.

Baidu NetDisk, Dropbox, OneDrive, Nutstore, WeTransfer, SharePoint, Confluence, WordPress, Drupal

Enterprise Core Systems

Covers core business systems that support enterprise operations, including finance, customer management, workflow, supply chain, and asset management.

SAP, Oracle EBS, Kingdee, Yonyou, Salesforce, Microsoft Dynamics 365, FXIAOKE

Human Resources

Covers recruitment, HR management, attendance, payroll, performance, and training, including employee lifecycle management applications.

Workday, Beisen Cloud, Kingdee HR, SAP HCM, Zhaopin, BOSS Zhipin, LinkedIn Recruiter, Liepin

Sales & Marketing

Covers marketing promotion, advertising, customer outreach, customer support, and sales conversion applications.

HubSpot, Marketo, Zendesk, QICHI KEFU (Sobot), Google Ads, Baidu Promotion, Ocean Engine, email marketing platforms

Business Transactions

Covers applications related to trading goods, services, funds, and financial assets, including e-commerce, enterprise procurement, payment settlement, banking, securities, and insurance.

Taobao, JD.com, Pinduoduo, Amazon, Alibaba 1688, Alipay, WeChat Pay, Tonghuashun, East Money

Data Analytics

Covers data query, reporting, visualization analysis, and business insight applications, including data analytics platforms, BI tools, and user behavior analysis services.

Tableau, Power BI, FanRuan, Google Analytics, Sensors Data, GrowingIO, Snowflake, MaxCompute

IT Infrastructure

Covers the underlying IT and network capabilities that support business systems, including cloud platforms, CDN, DNS, load balancing, virtualization, containers, and basic network services.

AWS, Alibaba Cloud, Tencent Cloud, VMware vSphere, Kubernetes, OpenStack, CDN, DNS, DHCP, NTP, BGP, OSPF

IT Operations Management

Covers system monitoring, alerting, logging, configuration, patching, automated operations, and IT service management applications.

Zabbix, Prometheus, Grafana, Nagios, Ansible, Puppet, Windows Update, WSUS, ServiceNow

Development & Design

Covers software development, testing, code collaboration, engineering design, and creative design applications.

GitHub, GitLab, Jenkins, VS Code, IntelliJ IDEA, AutoCAD, SolidWorks, Adobe Creative Cloud, Figma

Storage & Hosts

Covers databases, hosts, object storage, and hosting environment services, including data persistence, computing workloads, and host management.

MySQL, Oracle, PostgreSQL, MongoDB, Redis, Navicat, AWS EC2, Alibaba Cloud ECS, Tencent Cloud CVM, Object Storage Service

Security Services

Covers identity authentication, access control, threat detection, security protection, and data protection applications.

CrowdStrike, Symantec, Huorong, Active Directory, Okta, SAML, DLP systems, Bastion Host, WAF

Network Penetration

Covers remote connection, proxy forwarding, and tunnel transmission applications that may change access paths or bridge network boundaries.

SSL VPN, IPsec VPN, RDP, TeamViewer, Sunlogin, ToDesk, OpenVPN, WireGuard, Squid, Shadowsocks

Social Media

Covers social networks, content communities, forums, Q&A, and interactive platforms, including content publishing, comment interactions, follow subscriptions, and community engagement.

Weibo, Zhihu, Xiaohongshu (RED), Douban, Facebook, X (Twitter), LinkedIn, Instagram, Reddit, CSDN

Multimedia Content

Covers video, audio, live streaming, images, gaming, and digital entertainment applications.

iQIYI, Tencent Video, Youku, Douyin (TikTok), Kuaishou, Bilibili, Spotify, NetEase Cloud Music, Steam, Honor of Kings, Twitch

Education & Learning

Covers online courses, live classrooms, learning management, exam assessment, and corporate training applications.

Coursera, edX, China University MOOC, Tencent Classroom, NetEase Cloud Classroom, Udemy, GeekTime

Industry-Specific

Covers applications that serve the production, operations, delivery, or regulatory processes of specific industries, including healthcare, manufacturing, logistics, energy, retail, connected vehicles, and government systems.

MES, APS, Retail POS, HIS, EMR, PACS, Modbus, OPC-UA, SCADA, DCS

General Internet

Covers publicly accessible information services, including search engines, portals, navigation, and general online tools.

Baidu, Google, Bing, Sina, NetEase Portal, Baidu Maps, Amap (Gaode), Youdao Translate, government portals

Artificial Intelligence

Covers applications and platforms centered on AI models, algorithms, and intelligent generation capabilities, including AI chat, AI writing, image generation, code assistance, model serving, and AI APIs.

ChatGPT, Claude, Gemini, DeepSeek, ERNIE Bot, Tongyi Qianwen (Qwen), Midjourney, GitHub Copilot, Hugging Face, Alibaba Cloud Bailian, Vertex AI