If the blocking status of a cluster is Abnormal or Normal to be confirmed, the defense rules that are created for the cluster cannot generate alerts or block unusual traffic destined for the cluster. This topic describes how to troubleshoot both statuses.

Prerequisites

A defense rule is created for your cluster. For more information about how to create a defense rule, see Create a defense rule.

Background information

A defense rule can take effect only when the AliNet plug-in is installed and is online. The AliNet plug-in is used to block suspicious network connections, Domain Name System (DNS) hijacking, and brute-force attacks. Before you use the container firewall feature, make sure that your cluster nodes run an operating system whose kernel version is supported by the AliNet plug-in. For more information, see Supported operating system versions.

Procedure

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Protection Configuration > Container Protection > Container Firewall.
  3. On the Container Firewall page, click the Protection management tab.
  4. In the cluster list of the Protection management tab, find a cluster whose blocking status is Abnormal or Normal to be confirmed, and perform the following operations to troubleshoot the issues based on the status:
    • Abnormal

      If the blocking status in the Interceptible status column is Abnormal, the switch in the Defensive status column is turned off. In this case, Security Center cannot provide the container firewall feature for the cluster.

      You can click View on the right side of Abnormal to go to the Protection plug-in status panel. In the Protection plug-in status panel, you can check whether the AliNet plug-in is installed in the Installation status column and whether the AliNet plug-in is online in the Online status column. If Installation status or Online status of the AliNet plug-in is abnormal, the blocking status is Abnormal. You can perform the following operations to handle the abnormal status in Installation status and Online status:
      • If the message in the Installation status column shows that a cluster node does not have the AliNet plug-in installed or the message in the Online status column shows that the AliNet plug-in on a cluster node is offline, you can enable the behavior prevention feature for the cluster. For more information about how to enable the behavior prevention feature, see Use proactive defense.
      • If you have enabled the behavior prevention feature for the cluster and the message in the Installation status column shows that the cluster node does not have the AliNet plug-in installed, the possible reason is that the kernel version of the operating system that your cluster node runs does not support the AliNet plug-in. For more information about the operating systems and kernel versions that support the AliNet plug-in, see Supported operating system versions.

        You can also log on to the cluster and run the following command to check the installation log of the AliNet plug-in. If the kernel version of the operating system that your cluster node runs does not support the AliNet plug-in, the message "install,driver file not exist" appears in the installation log.

        cat /usr/local/aegis/PythonLoader/data/AliNet_config.log 
    • Normal to be confirmed

      If the blocking status in the Interceptible status column is Normal to be confirmed, you have resolved the issues that cause the Abnormal status of the defense rule. In this case, you must check whether all defense rules that are created for the cluster are normal. For example, you can check whether all defense rules are enabled and whether priorities of defense rules are reasonable.

      After you confirm that all defense rules are normal, you can click Recovery on the right side of Normal to be confirmed in the Interceptible status column. Then, the blocking status changes to Normal.
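
The installation log check from the Abnormal branch above, as an added shell example that is not part of the original topic or of Security Center's own tooling: it searches the log path given in this topic for the documented message and reports the node's running kernel so that it can be compared against the supported versions. The function name, status labels and exit codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify the AliNet installation log on one cluster node.
# The log path and the message text are the ones given in this topic;
# everything else (function name, labels, exit codes) is hypothetical.
ALINET_LOG="${ALINET_LOG:-/usr/local/aegis/PythonLoader/data/AliNet_config.log}"
ALINET_MARKER='install,driver file not exist'

# check_alinet_log [LOGFILE]
# Prints one status line and returns:
#   0  message not found in the log
#   1  message found: kernel not supported by the AliNet plug-in
#   2  log missing or unreadable (assumption: reported as "cannot tell",
#      because this topic does not say what an absent log means)
check_alinet_log() {
    log="${1:-$ALINET_LOG}"

    if [ ! -r "$log" ]; then
        echo "UNKNOWN: cannot read $log"
        return 2
    fi

    # -F matches the message as a fixed string rather than a regex;
    # -n prefixes the line number; tail keeps only the latest occurrence.
    hit=$(grep -nF -- "$ALINET_MARKER" "$log" | tail -n 1)

    if [ -n "$hit" ]; then
        # Report the running kernel so it can be compared with the
        # "Supported operating system versions" list.
        echo "UNSUPPORTED_KERNEL: kernel $(uname -r); last match at line ${hit%%:*}"
        return 1
    fi

    echo "OK: message not present in $log"
    return 0
}

# Usage on a node: check_alinet_log; echo "exit=$?"
```

A return value of 0 only means that the unsupported-kernel message is absent; the Installation status and Online status columns in the console remain the authority on whether the plug-in is installed and online.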