Cloud Firewall uses a built-in threat detection engine to defend against intrusions and common cyber attacks. It also provides virtual patches that block exploitation attempts against known vulnerabilities at the network layer, so attacks can be stopped before the affected hosts themselves are patched.

Background information

On the Intrusion Prevention page in the Cloud Firewall console, you can configure the mode of the threat detection engine, basic protection, and virtual patches to accurately identify and block intrusions.

Modes of the threat detection engine

The threat detection engine supports the following modes:

  • Monitoring Mode: The engine only generates alerts after it detects malicious traffic and does not block the traffic.
    Note Monitoring Mode is selected by default after you activate Cloud Firewall.
  • Traffic Control Mode: The engine blocks malicious traffic to prevent intrusions.

Advanced settings

In the Advanced Settings section, you can configure a whitelist, threat intelligence, intelligent defense, basic protection, and virtual patches to achieve precise intrusion prevention.

  • Whitelist

    Cloud Firewall trusts the source and destination IP addresses in a whitelist and does not block their traffic.

  • Threat intelligence

    The threat intelligence feature synchronizes malicious IP addresses detected across Alibaba Cloud to Cloud Firewall. Malicious IP addresses include IP addresses that initiate malicious traffic, scanning, or brute-force attacks. This feature provides up-to-date information about threat sources.

  • Basic protection

    The basic protection feature defends your network against common intrusions, such as brute-force attacks and attempts to exploit command execution vulnerabilities, and detects and controls connections from compromised hosts to command-and-control (C&C) servers.

  • Intelligent defense

    The intelligent defense feature learns from a massive amount of data about attacks on the cloud. It identifies attacks and generates alerts in real time.

  • Virtual patches

    Virtual patches are installation-free: Cloud Firewall blocks the exploit traffic for a vulnerability at the network layer, so you do not need to modify or restart the affected assets. You can use them to defend against high-risk vulnerabilities while a permanent fix is being rolled out.

Procedure

  1. Log on to the Cloud Firewall console.
  2. In the left-side navigation pane, choose Security Policies > Intrusion Prevention.
  3. On the Intrusion Prevention page, perform the following operations to protect your network:
    • In the Threat Engine Settings section, select Monitoring Mode or Traffic Control Mode.
      Note Monitoring Mode is selected by default. In this mode, Cloud Firewall only generates alerts after it detects malicious traffic and does not block it. After you select Traffic Control Mode, Cloud Firewall blocks the malicious traffic that it detects. Before you switch to Traffic Control Mode, review the alerts generated in Monitoring Mode and add legitimate sources that trigger them (for example, authorized vulnerability scanners) to the whitelist, so that switching modes does not block business traffic.
    • In the Advanced Settings section, click Whitelist to add trusted IP addresses to a whitelist. Cloud Firewall allows traffic from or to IP addresses in the whitelist and does not block it. Whitelisted traffic bypasses intrusion prevention, so keep the whitelist as small as possible and add only addresses that you fully trust.

      You can add the trusted source IP addresses, destination IP addresses, or address books of both inbound and outbound traffic to the whitelist.

    • Configure Threat Intelligence. This feature scans for signs of threats and blocks traffic to C&C servers.
      Note We recommend that you enable threat intelligence.
    • Configure Basic Protection. This feature defends against common intrusions such as brute-force attacks and command execution vulnerabilities.
      Note We recommend that you enable basic protection.

      In the Basic Protection section, click Customize. In the Customize Basic Protection Policies dialog box that appears, configure one or more basic protection policies.

    • Configure Intelligent Defense. This feature learns from a massive amount of data about attacks on the cloud. It identifies attacks and generates alerts in real time.
      Note We recommend that you enable intelligent defense.
    • Configure Virtual Patches. After this feature is enabled, Cloud Firewall provides installation-free patches against common vulnerabilities in real time.
      Note If this feature is disabled, Cloud Firewall does not apply new virtual patches to protect your assets when rules are updated. We recommend that you enable all virtual patches.

      In the Virtual Patches section, click Customize. In the Customize Virtual Patches Policies dialog box that appears, configure one or more virtual patch policies.

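The procedure above gives the order in which the settings take effect: the whitelist exempts a flow entirely, a disabled feature produces no detection, and the engine mode decides whether a detection becomes an alert (Monitoring Mode) or a block (Traffic Control Mode). The following script is an added example, not code from Cloud Firewall or its SDK: it replays a constructed set of alerts collected in Monitoring Mode against the same whitelist and feature switches and reports what Traffic Control Mode would block, which is the review an operator should do before flipping the mode. The event field names, the address ranges and the feature names are assumptions made for this example.

```python
import ipaddress
from collections import Counter

# Constructed sample alerts, as if collected while the engine ran in
# Monitoring Mode. The field names are assumptions for this example, not the
# Cloud Firewall log schema. Addresses are RFC 5737 documentation ranges.
MONITORING_EVENTS = [
    {"src": "203.0.113.10", "dst": "10.0.0.5",   "rule": "ssh_bruteforce", "feature": "basic_protection"},
    {"src": "203.0.113.10", "dst": "10.0.0.5",   "rule": "ssh_bruteforce", "feature": "basic_protection"},
    {"src": "198.51.100.7", "dst": "10.0.0.8",   "rule": "rce_vpatch",     "feature": "virtual_patches"},
    {"src": "10.0.0.12",    "dst": "192.0.2.44", "rule": "c2_callback",    "feature": "threat_intelligence"},
    # An authorized internal scanner that trips the brute-force rule.
    {"src": "192.0.2.99",   "dst": "10.0.0.5",   "rule": "ssh_bruteforce", "feature": "basic_protection"},
]

# Whitelist entries: constructed; the scanner's range is trusted.
WHITELIST = [ipaddress.ip_network("192.0.2.96/28")]

ALL_FEATURES = {"threat_intelligence", "basic_protection", "intelligent_defense", "virtual_patches"}


def is_whitelisted(event, whitelist):
    """A whitelist match on either the source or the destination exempts the flow."""
    src = ipaddress.ip_address(event["src"])
    dst = ipaddress.ip_address(event["dst"])
    return any(src in net or dst in net for net in whitelist)


def decide(event, mode, whitelist, enabled_features):
    """Local simulation of the documented precedence (not the product's engine).

    mode is "monitoring" or "traffic_control".
    Returns "allow", "alert" or "block".
    """
    if mode not in ("monitoring", "traffic_control"):
        raise ValueError(f"unknown mode: {mode}")
    if is_whitelisted(event, whitelist):
        return "allow"                      # trusted: never inspected
    if event["feature"] not in enabled_features:
        return "allow"                      # feature switched off: no detection
    return "alert" if mode == "monitoring" else "block"


def preview_traffic_control(events, whitelist, enabled_features):
    """Replay Monitoring Mode alerts as if Traffic Control Mode were enabled.

    Returns a Counter keyed by (rule, action) so the operator can see which
    rules would start blocking, and how many hits each would have had.
    """
    summary = Counter()
    for ev in events:
        action = decide(ev, "traffic_control", whitelist, enabled_features)
        summary[(ev["rule"], action)] += 1
    return summary


def sources_that_would_be_blocked(events, whitelist, enabled_features):
    """Distinct source addresses Traffic Control Mode would block; review these
    for legitimate sources that still need a whitelist entry."""
    return sorted({
        ev["src"] for ev in events
        if decide(ev, "traffic_control", whitelist, enabled_features) == "block"
    })


if __name__ == "__main__":
    for (rule, action), n in sorted(preview_traffic_control(
            MONITORING_EVENTS, WHITELIST, ALL_FEATURES).items()):
        print(f"{rule:<16} {action:<6} {n}")
    print("review before switching:",
          sources_that_would_be_blocked(MONITORING_EVENTS, WHITELIST, ALL_FEATURES))
```

Run the preview with the same whitelist and feature switches you intend to keep after the change: a rule that would block a known-good source means the whitelist is incomplete, and a rule with zero hits after whitelisting still protects you at no cost. Disabling a feature in the simulation (for example, removing "virtual_patches" from the enabled set) shows which detections you would lose, which is the trade-off the note under Virtual Patches warns about.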

Rule base update

The Rule Base Update tab displays information about the updates of security intelligence, virtual patches, and basic IPS policies.

In the upper-right corner of the Rule Base Update tab, click Learn More to view all updates. Review the updates after each release, because a new virtual patch or basic protection rule takes effect only if the corresponding feature is enabled.