返回 Skill 列表
extension
分类: 开发与工程无需 API Key

alibabacloud-cfw-acl-diagnosis

>

person作者: alibabacloud-skillshubOpenAPI

Cloud Firewall ACL Rule Diagnosis (Read-Only)

⚠️ READ-ONLY CONSTRAINT (HIGHEST PRIORITY)

STRICTLY PROHIBITED throughout entire workflow:

  • ❌ NEVER execute Create/Update/Delete API calls or write CLI commands
  • ❌ NEVER provide executable configuration commands with specific parameter values
  • ❌ NEVER use --profile parameter in any CLI command
  • ❌ NEVER run aliyun configure get or aliyun configure list
  • ❌ NEVER fabricate CLI output — use only real API responses
  • ❌ Do NOT output diagnosis report unless at least one CLI query has succeeded
  • ❌ Do NOT reference any memory, experience, or external knowledge — ONLY this SKILL.md and CLI outputs
  • NEVER create any file in any way — do NOT use write_file, create_file, Bash redirection (>, >>, tee), or any other file-writing mechanism

HARD BLOCK Pre-output Self-Check (MANDATORY before generating ANY reply):

Before writing any response, internally verify: Have I called write_file, create_file, or any Bash redirection? If YES → immediately abort file output and print the content as Markdown text directly in the conversation instead. Violation of this rule causes immediate task failure.

All diagnosis reports MUST start with:

⚠️ Disclaimer: This tool is a read-only diagnostic assistant. It only provides analysis and configuration suggestions, and does NOT perform any configuration changes.

Allowed queries only: aliyun cloudfw describe-* | aliyun sls get-logs-v2 | aliyun actiontrail lookup-events

See references/security_rules.md for complete prohibitions list.


Trigger & Service Identification

Intent Classification (FIRST STEP — decide path before doing anything else)

| User Intent | Keywords | Action | |------------|----------|--------| | Configuration Query | "how to configure" / "configuration steps" / "how to set up" / "rule writing" / "configuration guide" | → CONFIG PATH: Read references/configuration_guide.md, output steps directly in conversation. NO CLI commands, NO firewall queries. | | Diagnosis / Troubleshooting | "not working" / "no effect" / "blocked" / "HitTimes=0" / "traffic log" / "troubleshoot" | → DIAGNOSIS PATH: IMMEDIATELY start Step 0 with information already provided. DO NOT wait for more input. | | "Security Group" | — | NOT this skill (use aliyun ecs commands) | | "firewall" without qualifier | — | ASK: Cloud Firewall or Security Group? |

CONFIG PATH output rule: Output configuration steps directly in conversation as text. Reference references/configuration_guide.md for content. Do NOT run any CLI commands.


Observability

All Alibaba Cloud service calls performed by this skill MUST use the following User-Agent (UA) template and session-id rule so that every diagnostic workflow is traceable.

User-Agent Template

AlibabaCloud-Agent-Skills/alibabacloud-cfw-acl-diagnosis/{{SESSION_ID}}
  • Replace {{SESSION_ID}} with a real session identifier at runtime.
  • The placeholder form MUST be preserved in documentation and command examples.

Session-ID Generation Rule

  1. At the start of each diagnostic workflow, generate one unique session identifier.
  2. Format: lowercase UUIDv4 (e.g., a1b2c3d4-e5f6-7890-abcd-ef1234567890).
  3. Use the same session ID for all Alibaba Cloud service CLI commands within that workflow.
  4. Do NOT reuse a session ID across different workflows or different user conversations.

Scope Rule

  • Alibaba Cloud service API calls (e.g., aliyun cloudfw describe-*, aliyun sls get-logs-v2, aliyun actiontrail lookup-events) MUST include --user-agent "AlibabaCloud-Agent-Skills/alibabacloud-cfw-acl-diagnosis/{{SESSION_ID}}".
  • Local/system commands such as which aliyun, aliyun version, aliyun plugin list, and aliyun plugin update do NOT call Alibaba Cloud service APIs and MUST NOT add --user-agent.

Setup

Prerequisites Check

which aliyun && aliyun version
aliyun plugin list  # Confirm aliyun-cli-cloudfw installed

Install plugin if missing (requires explicit user confirmation before execution): aliyun plugin install cloudfw
Credentials: ALIBABA_CLOUD_ACCESS_KEY_ID / ALIBABA_CLOUD_ACCESS_KEY_SECRET env vars. See references/ram-policies.md.
Region: Always use cn-hangzhou (Cloud Firewall is a global service, do NOT ask user for region).


Firewall Type Identification

| Scenario | Firewall Type | Key Parameter | |---------|--------------|---------------| | Public IP, EIP, Internet inbound/outbound | Internet Firewall | No FirewallId (global) | | VPC inter-access, CEN, Express Connect | VPC Boundary Firewall | VpcFirewallId | | NAT Gateway, SNAT/DNAT | NAT Boundary Firewall | NatFirewallId |

Key differences:

  • Internet FW: --Direction <in|out> required; asset-level EngineMode (strict/loose)
  • NAT FW: no Direction; firewall-level StrictMode (0=loose, 1=strict); supports domain rules
  • VPC FW: no Direction; no strict mode; no domain rules (Layer 4 only)

Protected asset identification:

  • Inbound (in) → Protected asset = Destination
  • Outbound (out) → Protected asset = Source (public IP, not internal CIDR)

Diagnosis Flow (MANDATORY ORDER)

Process: Step 0 → Step 1 → Step 2 (3 checks) → [ANY FAIL: output conclusion, STOP] → Step 3 → Step 4 → Report

🔴 FORBIDDEN before Step 2 complete: Do NOT mention engine mode, give conclusions, suggest solutions, or skip any CLI query.


Step 0: Identify Protected Asset

Extract from user message — do NOT re-ask what user already provided:

  • Firewall type, direction (in/out), target IP/domain
  • Apply protected asset logic above

Step 1: Query Rules (MUST execute CLI — NO fabrication)

| Firewall | Command | |----------|---------| | Internet | aliyun cloudfw describe-control-policy --Direction <in\|out> --CurrentPage 1 --PageSize 50 --user-agent "AlibabaCloud-Agent-Skills/alibabacloud-cfw-acl-diagnosis/{{SESSION_ID}}" | | NAT | aliyun cloudfw describe-nat-firewall-control-policy --NatFirewallId <ID> --CurrentPage 1 --PageSize 50 --user-agent "AlibabaCloud-Agent-Skills/alibabacloud-cfw-acl-diagnosis/{{SESSION_ID}}" | | VPC | aliyun cloudfw describe-vpc-firewall-control-policy --VpcFirewallId <ID> --CurrentPage 1 --PageSize 50 --user-agent "AlibabaCloud-Agent-Skills/alibabacloud-cfw-acl-diagnosis/{{SESSION_ID}}" |

Record: Source, Destination, DestinationType, AclAction, Order, Release.

SELF-CHECK: If no CLI command executed yet, STOP and execute NOW before proceeding.


Step 2: Pre-checks (ALL 3 in order — NO skipping, NO guessing)

Check 2.1: Asset/Firewall Status

  • Internet FW: aliyun cloudfw describe-asset-list --CurrentPage 1 --PageSize 50 --user-agent "AlibabaCloud-Agent-Skills/alibabacloud-cfw-acl-diagnosis/{{SESSION_ID}}"
    • ProtectStatus=open ✅ | other values ❌ (most common cause of rules not working)
    • Record EngineMode: strict / loose
  • NAT FW: aliyun cloudfw describe-nat-firewall-list --PageNo 1 --PageSize 50 --user-agent "AlibabaCloud-Agent-Skills/alibabacloud-cfw-acl-diagnosis/{{SESSION_ID}}"
    • Check firewall exists and status normal; record StrictMode: 0=loose / 1=strict
  • VPC FW: aliyun cloudfw describe-vpc-firewall-list --CurrentPage 1 --PageSize 50 --user-agent "AlibabaCloud-Agent-Skills/alibabacloud-cfw-acl-diagnosis/{{SESSION_ID}}"
    • Check firewall exists and status normal

Check 2.2: Policy Matches Asset

  • Source/Destination covers protected asset; direction correct
  • If user's target domain ≠ rule's domain → CONFIGURATION MISMATCH — highlight explicitly

Check 2.3: Rule Enabled

  • Release=true ✅ | Release=false

🔴 MANDATORY STOP POINT — Step 2 Branch Gate — HARD STOP

IF any Check result is FAIL:

  1. IMMEDIATELY stop — do NOT execute any Step 3 or Step 4 CLI commands (describe-traffic-log, etc.)
  2. FORBIDDEN: calling ANY further CLI commands after this point
  3. Jump directly to Output Format section and generate the final report now
  4. Continuing to Step 3/4 after a FAIL is a critical violation that causes task failure

IF all Checks PASS → proceed to Step 3.

Permission Denied Handling: Record blocked check, mark as [Blocked - Permission Denied], continue remaining checks (NOT Step 3/4). List all blocked checks in final report.


Step 3: Query Traffic Logs (only if Step 2 all PASS)

# Internet FW
aliyun cloudfw describe-traffic-log --FirewallType InternetFirewall --Direction <in|out> \
  --SourceCode yundun [--StartTime <unix>] [--EndTime <unix>] [--SrcIP <ip>] [--DstIP <ip>] \
  --CurrentPage 1 --PageSize 10 --user-agent "AlibabaCloud-Agent-Skills/alibabacloud-cfw-acl-diagnosis/{{SESSION_ID}}"

# NAT FW
aliyun cloudfw describe-traffic-log --FirewallType NatFirewall --SourceCode yundun \
  [--StartTime <unix>] [--EndTime <unix>] \
  --CurrentPage 1 --PageSize 10 --user-agent "AlibabaCloud-Agent-Skills/alibabacloud-cfw-acl-diagnosis/{{SESSION_ID}}"

Critical: SourceCode=yundun required. Do NOT set FlowType (causes no results). RuleResult: 0=allow, 2=deny.
When user provides time/IP parameters, MUST include them — do not query all then filter manually.


Step 4: Detailed Diagnosis (only if Step 2 all PASS)

Internet FW:

  1. EngineMode=loose + domain rules → domain not matched → switch to strict mode
  2. strict + domain rules → test with curl/wget NOT telnet (telnet can't trigger domain recognition)
  3. Log AclPreState=app_unknown → L7 pre-match, application not yet identified

NAT FW:

  1. StrictMode=0 + domain rules → domain not matched (likely root cause)
  2. Verify actual source IP after SNAT; same L7 rules apply as Internet FW

See references/diagnosis.md for full diagnosis framework, L7 pre-match mechanism, and troubleshooting checklists.


Output Format

STRICT FORMATTING INSTRUCTION — MANDATORY: read before writing a single word of output:

  • Output MUST match the template below EXACTLY — no extra headings, no greeting, no background paragraphs
  • Total output MUST NOT exceed 30 lines. If content would exceed 30 lines, apply auto-truncation:
    • Diagnosis conclusion: 1 line max
    • Pre-check result table: ≤5 rows
    • Remediation suggestions: ≤3 bullet points
    • Verification method: 1 line
    • Delete ALL explanatory text beyond these limits
  • ❌ NEVER write output to any file — print directly in conversation as Markdown text
⚠️ Disclaimer: This tool is a read-only diagnostic assistant. It only provides analysis and configuration suggestions, and does NOT perform any configuration changes.

## Diagnosis Conclusion
[One-sentence root cause, max 50 characters]

## Pre-check Results (Step 2)
| Check Item | Actual CLI Value | Status |
|-----------|------------------|--------|
| ProtectStatus | [from describe-asset-list] | PASS/FAIL |
| EngineMode / StrictMode | [value] | loose/strict |
| Traffic Direction | [in/out] | PASS/FAIL |
| Release | [true/false] | PASS/FAIL |
| Policy Match | [analysis] | PASS/FAIL |

## Remediation Suggestions
[Console operation steps, one per line, max 3 items]

Verification Method: [one-line description]

Rules:

  • NEVER write output to any file — ALL results MUST be output directly in conversation as text
  • Every UUID/IP/value in report MUST be copy-pasted from CLI output (no typing from memory)
  • Classify findings: [Verified] (confirmed by CLI) / [Unverified] (theoretical) / [Blocked] (permission denied)
  • If TotalCount > PageSize, query all pages before making "all assets" summary statements

Reference Files

| File | Purpose | |------|---------| | references/cli_commands.md | Complete CLI command examples with key response fields | | references/cli_traps.md | Common CLI pitfalls and error patterns | | references/diagnosis.md | Full diagnosis framework, L7 pre-match, checklists | | references/configuration_guide.md | Console configuration guidance (text-only, for user) | | references/security_rules.md | Complete security prohibitions and output checklist | | references/ram-policies.md | RAM permissions required | | references/cfw_acl_knowledge.md | ACL knowledge base and FAQ |