Cloud Firewall application control uses Deep Packet Inspection (DPI) and heuristic behavior analysis to manage traffic at the application layer. Unlike traditional firewalls that rely on IP/port five-tuples, it identifies application signatures in traffic to reveal the true identity of applications hidden behind encryption or non-standard ports. You can allow, observe, or deny outbound traffic by application type for fine-grained access control.
Benefits
-
Precisely identifies disguised traffic: Regardless of how applications change ports, encrypt transmissions, or tunnel through protocols such as HTTPS, the application control engine accurately identifies their true identities, overcoming the limitations of traditional network-layer management.
-
Fine-grained identity-based control: A built-in application signature library covers multiple industry domains. You can define policies based on application categories or specific applications, shifting control from port filtering to business-aware management.
-
Flexible policy priority definitions: Supports hybrid configuration of custom rules and built-in category rules. You can set independent policies for specific applications (such as GitHub file uploads) to meet fine-grained management requirements in complex scenarios.
The application control feature is currently in limited beta. To enable this feature, contact your business manager.
View the built-in application signature library
Cloud Firewall provides a built-in application signature library covering categories such as business transactions, sales and marketing, education, and multimedia content. Each application is assigned a risk level. To view the library:
-
Log on to the Cloud Firewall console.
-
In the left-side navigation pane, choose .
-
On the Application Feature Library tab, view the list of supported applications. You can search by Application Name, Application ID, or Category.
-
In the right-side area of the Application Feature Library tab, you can view the update history of signature library rules.
Create a custom template
To use application control rules in access control policies, you must first create a custom rule template:
-
In the left-side navigation pane, choose .
-
On the Custom Template tab, click Create Template and configure the following parameters.
Parameter
Description
Basic Information
Set a descriptive template name and description for easy identification.
Built-in Application Classification
Specify an action for each application category:
-
Monitor: the default action. Requests are allowed and logged in the event logs of Log audit.
-
Allow: requests are allowed without being logged.
-
Deny: requests are blocked and logged.
You can set actions in bulk for all applications in a category.
Custom Rules
To adjust the priority of application rules, click Add Custom Rule to configure custom rules for fine-grained control.
-
Rule status: A custom rule takes effect only when its toggle is enabled.
-
Priority setting: You can configure multiple rules within a template. Priority values must be unique within the same template. A lower value indicates a higher priority.
-
Action configuration: A single rule can be associated with multiple applications. Available actions include Monitor, Allow, or Deny.
-
Conflict handling: For the same application, the action configured in a custom rule takes precedence over the action configured in Built-in Application Classification.
Unknown Application Action
Specify the default action for traffic from unidentified applications.
Template Switch
Enable or disable the template. Configurations take effect only when the template is enabled.
-
Configuration recommendations
-
Broad control scenarios: If control targets are not clearly defined, configure only Built-in Application Classification and set the action to Monitor. After the business runs for a period, go to the Traffic Logs page of Log audit to review the application identification results, and then adjust template actions based on your business requirements.
-
Precise control scenarios: To control specific applications, configure Custom Rules because custom rules take precedence over Built-in Application Classification.
Application identification mechanism and action determination rules
-
Application identification mechanism: Cloud Firewall may identify multiple applications for a single request. For HTTP protocols (including HTTPS after TLS inspection is configured), the identification result dynamically updates with requests over a persistent connection. The system extracts only the most recent result and does not retain intermediate states. For non-HTTP protocols, the system identifies the application once when the connection is established and does not update it afterward.
-
Action determination rules: The system first matches custom rules by priority. If no custom rule matches, it falls back to Built-in Application Classification by weight.
-
Example: A request is identified as both "GitHub-base" and "GitHub Download". Without custom rules, because "GitHub Download" has a higher weight than "GitHub-base" in Built-in Application Classification, the system executes the action configured for "GitHub Download".
What to do next
After you create a template, you can reference it in the access control policies for Internet Border Outbound traffic. For more information, see Configure access control policies for the Internet firewall.
Manage templates
On the Custom Template tab, you can perform the following operations:
-
Enable or disable a template: Toggle the switch in the Template Switch column to enable or disable a template.
-
Edit a template: Click Edit in the Actions column to modify the template configurations.
-
Delete a template: Click Delete in the Actions column. You cannot delete a template that contains custom rules or is referenced by access control policies.
Appendix: Supported application categories
|
Category |
Description |
Typical applications |
|
Office Collaboration |
Covers daily office and team collaboration scenarios, including document processing, corporate communication, meeting collaboration, and team productivity tools. |
Microsoft 365, Google Workspace, WPS Office, DingTalk, WeCom, Feishu (Lark), Microsoft Teams, Slack, Zoom, Tencent Meeting |
|
Instant Messaging |
Covers real-time messaging applications for personal or public use, including chat, voice, images, file sharing, and group communication. |
WeChat, QQ, Telegram, WhatsApp, Signal, LINE, Viber, Snapchat |
|
VoIP |
Covers IP-based voice and video calling services, including Internet phone, enterprise voice systems, and real-time audio/video communication. |
Cisco Unified Communications, Avaya, 3CX, RingCentral, Skype, FaceTime, WebRTC |
|
|
Covers email sending and receiving, mailbox access, and email system management, including corporate email, personal email, email clients, and webmail. |
Outlook, Foxmail, Thunderbird, Gmail, QQ Mail, NetEase Mail (163), Tencent Enterprise Email, Microsoft Exchange |
|
File & Content Management |
Covers file storage, synchronization, sharing, content publishing, and knowledge management, including file uploads and downloads, external link sharing, team knowledge bases, and content management. |
Baidu NetDisk, Dropbox, OneDrive, Nutstore, WeTransfer, SharePoint, Confluence, WordPress, Drupal |
|
Enterprise Core Systems |
Covers core business systems that support enterprise operations, including finance, customer management, workflow, supply chain, and asset management. |
SAP, Oracle EBS, Kingdee, Yonyou, Salesforce, Microsoft Dynamics 365, FXIAOKE |
|
Human Resources |
Covers recruitment, HR management, attendance, payroll, performance, and training, including employee lifecycle management applications. |
Workday, Beisen Cloud, Kingdee HR, SAP HCM, Zhaopin, BOSS Zhipin, LinkedIn Recruiter, Liepin |
|
Sales & Marketing |
Covers marketing promotion, advertising, customer outreach, customer support, and sales conversion applications. |
HubSpot, Marketo, Zendesk, QICHI KEFU (Sobot), Google Ads, Baidu Promotion, Ocean Engine, email marketing platforms |
|
Business Transactions |
Covers applications related to trading goods, services, funds, and financial assets, including e-commerce, enterprise procurement, payment settlement, banking, securities, and insurance. |
Taobao, JD.com, Pinduoduo, Amazon, Alibaba 1688, Alipay, WeChat Pay, Tonghuashun, East Money |
|
Data Analytics |
Covers data query, reporting, visualization analysis, and business insight applications, including data analytics platforms, BI tools, and user behavior analysis services. |
Tableau, Power BI, FanRuan, Google Analytics, Sensors Data, GrowingIO, Snowflake, MaxCompute |
|
IT Infrastructure |
Covers the underlying IT and network capabilities that support business systems, including cloud platforms, CDN, DNS, load balancing, virtualization, containers, and basic network services. |
AWS, Alibaba Cloud, Tencent Cloud, VMware vSphere, Kubernetes, OpenStack, CDN, DNS, DHCP, NTP, BGP, OSPF |
|
IT Operations Management |
Covers system monitoring, alerting, logging, configuration, patching, automated operations, and IT service management applications. |
Zabbix, Prometheus, Grafana, Nagios, Ansible, Puppet, Windows Update, WSUS, ServiceNow |
|
Development & Design |
Covers software development, testing, code collaboration, engineering design, and creative design applications. |
GitHub, GitLab, Jenkins, VS Code, IntelliJ IDEA, AutoCAD, SolidWorks, Adobe Creative Cloud, Figma |
|
Storage & Hosts |
Covers databases, hosts, object storage, and hosting environment services, including data persistence, computing workloads, and host management. |
MySQL, Oracle, PostgreSQL, MongoDB, Redis, Navicat, AWS EC2, Alibaba Cloud ECS, Tencent Cloud CVM, Object Storage Service |
|
Security Services |
Covers identity authentication, access control, threat detection, security protection, and data protection applications. |
CrowdStrike, Symantec, Huorong, Active Directory, Okta, SAML, DLP systems, Bastion Host, WAF |
|
Network Penetration |
Covers remote connection, proxy forwarding, and tunnel transmission applications that may change access paths or bridge network boundaries. |
SSL VPN, IPsec VPN, RDP, TeamViewer, Sunlogin, ToDesk, OpenVPN, WireGuard, Squid, Shadowsocks |
|
Social Media |
Covers social networks, content communities, forums, Q&A, and interactive platforms, including content publishing, comment interactions, follow subscriptions, and community engagement. |
Weibo, Zhihu, Xiaohongshu (RED), Douban, Facebook, X (Twitter), LinkedIn, Instagram, Reddit, CSDN |
|
Multimedia Content |
Covers video, audio, live streaming, images, gaming, and digital entertainment applications. |
iQIYI, Tencent Video, Youku, Douyin (TikTok), Kuaishou, Bilibili, Spotify, NetEase Cloud Music, Steam, Honor of Kings, Twitch |
|
Education & Learning |
Covers online courses, live classrooms, learning management, exam assessment, and corporate training applications. |
Coursera, edX, China University MOOC, Tencent Classroom, NetEase Cloud Classroom, Udemy, GeekTime |
|
Industry-Specific |
Covers applications that serve the production, operations, delivery, or regulatory processes of specific industries, including healthcare, manufacturing, logistics, energy, retail, connected vehicles, and government systems. |
MES, APS, Retail POS, HIS, EMR, PACS, Modbus, OPC-UA, SCADA, DCS |
|
General Internet |
Covers publicly accessible information services, including search engines, portals, navigation, and general online tools. |
Baidu, Google, Bing, Sina, NetEase Portal, Baidu Maps, Amap (Gaode), Youdao Translate, government portals |
|
Artificial Intelligence |
Covers applications and platforms centered on AI models, algorithms, and intelligent generation capabilities, including AI chat, AI writing, image generation, code assistance, model serving, and AI APIs. |
ChatGPT, Claude, Gemini, DeepSeek, ERNIE Bot, Tongyi Qianwen (Qwen), Midjourney, GitHub Copilot, Hugging Face, Alibaba Cloud Bailian, Vertex AI |