Vulnerability prevention

Limits

Enterprise Edition and Ultimate Edition of Cloud Firewall support the vulnerability prevention feature. Free trial edition and Premium Edition do not support this feature.

You cannot manually initiate vulnerability scans on the Vulnerability Prevention page.

Vulnerability statistics

• Unprevented: the number of your vulnerable assets that are not protected by Cloud Firewall. Traffic to these assets does not pass through Cloud Firewall, or IPS blocking is not enabled for these assets.
• Prevented: the number of your vulnerable assets for which Cloud Firewall is activated and IPS defense rules are configured. Cloud Firewall defends against the network attacks that exploit these vulnerabilities.
• Applications: the number of vulnerable assets.
• Intrusions Blocked: the number of times network attacks are blocked by Cloud Firewall after Cloud Firewall is activated and IPS defense rules are configured for your vulnerable assets.

Vulnerabilities that can be detected

• Web CMS: website builder vulnerabilities that are detected by comparing vulnerability files with the vulnerability library. Common website builders are identified by monitoring website directories. For more information, see Web-CMS vulnerabilities.
• Application: weak passwords of system services and vulnerabilities of system and application services. For more information, see Application vulnerabilities.
• Emergency: emergency vulnerabilities that have been exposed on the Internet recently. For more information, see Urgent vulnerabilities.

Vulnerability status

• Prevented: Cloud Firewall provides protection against the vulnerability.
• Unprevented: Cloud Firewall does not provide protection against the vulnerability.
• Partially Prevented: The vulnerability prevention feature is enabled for some ECS instances.

Procedure

1. Log on to the Cloud Firewall console.
2. In the left-side navigation pane, choose Intrusion Prevention > Vulnerability Prevention.
3. On the Vulnerability Prevention page, view the vulnerability detection results.
   
   • Move the pointer over the icon in the Affected Assets column. The IP addresses of servers that are exposed to the vulnerability are displayed.
   • Move the pointer over the icon in the Status column. The ID of the IPS defense rule for the vulnerability is displayed. Built-in IPS defense rules have IDs. You can use a rule ID to query the rule details in the Customize Basic Protection Policies or Customize Virtual Patches Policies dialog box. To open the dialog box, choose Intrusion Prevention > Intrusion Prevention in the left-side navigation pane. Then, in the Advanced Settings section on the Intrusion Prevention page, click Customize for Basic Protection or Virtual Patches.
4. On the Vulnerability Prevention page, select Unprevented from the All Vulnerabilities list, and click Enable Protection in the Operation column for all the filtered vulnerabilities.
   
5. In the Enable Protection dialog box, click OK. In the message that appears, click ok to enable vulnerability prevention.
   
   After you enable vulnerability prevention, Cloud Firewall is activated for the IP addresses of the servers that are exposed to the vulnerability. The vulnerability status is updated within 2 minutes.

   Note After vulnerability prevention is enabled, existing access control policies take effect on the assets for which Cloud Firewall is newly activated. Make sure that traffic to the external ports of these assets is allowed. To allow the traffic, log on to the Cloud Firewall console, navigate to the Access Control page, and then click the Inbound Policies tab under the Internet Firewall tab.