
Cloud Firewall:Intrusion Prevention

Last Updated: May 27, 2026

Cloud Firewall’s intrusion prevention system (IPS) detects and blocks malicious traffic in real time, including hacker attacks, vulnerability exploits, brute-force attacks, worms, mining programs, backdoor trojans, and DoS attacks. IPS protects your cloud infrastructure from unauthorized access, data breaches, and service disruptions.

Limits

  • Cloud Firewall intrusion prevention supports decrypting and inspecting encrypted traffic through TLS inspection for outbound traffic at the Internet Border. For inbound traffic at the Internet Border, combine Cloud Firewall with the Web Application Firewall to enhance protection. TLS/SSL decryption and inspection are not supported at the VPC border.

  • Data aggregation introduces a delay in Cloud Firewall’s intrusion prevention statistics. For real-time data, use log audit or log analysis.

    • Queries for the last hour have a 10-minute delay.

    • Queries spanning more than one hour have a 30-minute delay.

      For example, if the current time is 15:00, querying 12:00–15:00 excludes data from 14:30–15:00. Querying 12:00–14:30 returns complete results for that period.

View or modify IPS rules

After you activate Cloud Firewall, the threat engine defaults to Block Mode, which automatically blocks attacks. Cloud Firewall selects a block mode level (Loose, Moderate, or Strict) based on your traffic. Threat intelligence, basic defense, and virtual patches are enabled by default.

You can go to the IPS Configuration page using either of these methods:

  • From the IPS page, click the link in the upper-right corner of the Protection Details List.


  • In the navigation pane on the left, select Prevention Configuration > IPS Configuration.

On the Basic Protection card, view the default intrusion prevention rules. To change a rule, find it in the list and update its action in the Current Action column.

Enable IPS Private IP Tracing

  • Entry point:

    From the IPS page, click the link in the upper-right corner of the Protection Details List to go directly to the IPS Private IP Tracing Configuration page.


  • Enable:

    On the Private IP Traceback page, enable tracing for specific resources to locate risky assets without exposing internal IP addresses.

    Note

    IPS Private IP Tracing requires both Internet firewall protection and NAT session log service to be enabled for the same asset.

  • Traceability:

    After you enable the feature, view risky asset IP addresses in the Protection Details List and Details sections of the IPS page.


View Internet blocking events

Cloud Firewall provides inbound and outbound Internet traffic blocking statistics. You can query up to 90 days of data, with each query covering a maximum of 31 days.
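The query limits stated here (90 days of retention, at most 31 days per query) and the statistics delay from the Limits section can be checked before a query is issued. The following is an added example, not Cloud Firewall's own code or API; it assumes the 10-minute delay applies to windows of at most one hour and the 30-minute delay to longer windows, and that the 90-day limit is measured back from the current time.

```python
from datetime import datetime, timedelta

# Limits stated in the Cloud Firewall IPS documentation, modelled here as
# plain constants (assumption: this is not an official SDK or API).
RETENTION = timedelta(days=90)             # blocking data is kept for 90 days
MAX_SPAN = timedelta(days=31)              # one query covers at most 31 days
SHORT_QUERY_DELAY = timedelta(minutes=10)  # windows of at most one hour
LONG_QUERY_DELAY = timedelta(minutes=30)   # windows longer than one hour


def validate_window(start, end, now):
    """Reject a query window that the console would not accept."""
    if end <= start:
        raise ValueError("end must be after start")
    if end - start > MAX_SPAN:
        raise ValueError("a single query may cover at most 31 days")
    if start < now - RETENTION:
        raise ValueError("data older than 90 days is not retained")


def complete_through(start, end, now):
    """Latest timestamp in the window whose aggregated statistics are complete.

    Assumption: the 10-minute delay applies to windows of at most one hour and
    the 30-minute delay to longer windows, both measured back from `now`.
    """
    validate_window(start, end, now)
    delay = SHORT_QUERY_DELAY if end - start <= timedelta(hours=1) else LONG_QUERY_DELAY
    return min(end, now - delay)


def missing_interval(start, end, now):
    """Part of the window not yet reflected in statistics, or None if complete."""
    through = complete_through(start, end, now)
    if through >= end:
        return None
    return (max(start, through), end)


if __name__ == "__main__":
    # Constructed scenario from the documentation: it is 15:00 and the user
    # queries 12:00-15:00, so the last 30 minutes are not yet reflected.
    now = datetime(2026, 5, 27, 15, 0)
    print(missing_interval(datetime(2026, 5, 27, 12, 0), now, now))
    # -> (datetime(2026, 5, 27, 14, 30), datetime(2026, 5, 27, 15, 0))
```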

Go to the Detection and Response > Incidents > IPS page. On the Protection Status tab, set a time range and view protection statistics and the protection details list.

  • The Protection Statistics module shows total attacks, attack type distribution, and blocking data.

    Blocking data metrics:

    • Top Blocked Destinations: Displays the top five destination IP addresses among traffic blocked by Cloud Firewall.

      Hover over a blocked destination IP and click the View logs icon to open the Log Audit page to view destination port, application type, and action details.

    • Top Blocked Sources: Shows the top three source types by percentage among traffic blocked by Cloud Firewall.

    • Top Blocked Applications: Displays the top five application types among traffic blocked by Cloud Firewall.

  • Protection Details List: Lists blocked attack events with risk level, event count, source IP, and destination IP.


    Note

    If the source IP is a WAF or Anti-DDoS back-to-origin IP address, Cloud Firewall recognizes it and displays it as WAF Back-to-origin IP Address or Anti-DDoS Back-to-origin IP Address, respectively.

    You can:

    • Search for events: Set filters such as risk level, defense status, attack type, source, direction, and time range. Then click Search to view matching events.

    • View event details: In the Actions column, click Details to view Basic Information, Attack Payload, and other details. The Attack Payload shows 5-Tuple Information and payload content for attack tracing.

    • Download blocked events: Click the Download icon next to the search bar, then download from the Download Task Management panel in the upper-right corner.

    • AI-assisted event analysis: Click the icon in the AI Analysis column to use the Security AI Assistant for quick event analysis.

      This includes:

      • Payload content analysis: Describes the request and AI analysis of the action.

      • Threat intelligence: Matches the destination address against the threat intelligence database.

        Note

        This feature is not available in the Cloud Firewall Premium Edition or pay-as-you-go edition.

      • Attacker intent: AI-predicted attacker behavior.

      • Mitigation recommendations: Suggested Cloud Firewall settings (ACL policies, IPS configuration) and asset checks.

View VPC blocking events

Cloud Firewall provides inter-VPC traffic blocking statistics. You can query up to 90 days of data, with each query covering a maximum of 31 days.

Note

Cloud Firewall Premium Edition does not support VPC firewall and does not display the VPC Protection tab.

Go to the Detection and Response > Incidents > IPS page. On the VPC Protection tab, view details such as event name, risk level, and attack type for VPC blocking events in your selected time range.


You can:

  • Search for events: Set filters such as risk level, defense status, attack type, and time. Then click Search to view matching events.

  • View event details: In the Actions column, click Details to view Basic Information, Attack Payload, and other details. The Attack Payload shows 5-Tuple Information and payload content for attack tracing.

  • Download protection events: Click the Download icon next to the search bar, then download from the Download Task Management panel in the upper-right corner.

  • AI-assisted event analysis: Click the icon in the AI Analysis column to quickly analyze the event with the Security AI Assistant.

    This includes:

    • Payload content analysis: Describes the request and AI analysis of the action.

    • Threat intelligence: Matches the destination address against the threat intelligence database.

      Note

      This feature is not available in the Cloud Firewall Premium Edition or pay-as-you-go edition.

    • Attacker intent: AI-predicted attacker behavior.

    • Mitigation recommendations: Suggested Cloud Firewall settings (ACL policies, IPS configuration) and asset checks.