The intrusion prevention system (IPS) of Cloud Firewall proactively detects and blocks malicious traffic that is generated by attacks, exploits, brute-force attacks, worms, mining programs, trojans, and DoS attacks in real time. This protects enterprise information systems and network architectures in the cloud against attacks, prevents unauthorized access or data leaks, and prevents damages or failures of your business systems and applications.
Limits
The intrusion prevention feature of Cloud Firewall cannot decrypt or protect traffic that is encrypted by using SSL or Transport Layer Security (TLS). However, specific encrypted fingerprint and IPS-based rules support this type of traffic.
The data of intrusion prevention is generated at a latency due to data aggregation. If you want to query real-time data, we recommend that you use the log audit or log analysis feature. For more information, see Log audit or Query and analyze logs.
If you query intrusion prevention data that is generated within the previous hour, the data has a latency of 10 minutes. In this case, the query results do not contain data of intrusion prevention events that occurred within the previous 10 minutes.
If you query intrusion prevention data that is generated more than 1 hour ago, including intrusion prevention data within the previous 30 minutes, the data has a latency of 30 minutes. In this case, the query results do not contain intrusion prevention events that occurred within the previous 30 minutes.
For example, the current time is 15:00:00. If you query the data from 12:00:00 to 15:00:00 of the current day, the data between 14:30:00 and 15:00:00 of the current day cannot be displayed. If you query the data from 12:00:00 to 14:30:00 of the current day, the complete data within the time range can be displayed.
View or modify intrusion prevention rules
By default, after you purchase Cloud Firewall, the Block mode is enabled for the threat detection engine. Cloud Firewall automatically blocks attacks. Cloud Firewall automatically selects a level for the Block mode based on your business traffic. The levels are Loose, Medium, and Strict. Cloud Firewall also automatically enables the threat intelligence, basic protection, and virtual patching features.
If you use Cloud Firewall Enterprise Edition or Ultimate Edition, you can go to the page, and click Configure to view the default intrusion prevention rules. If you want to modify an intrusion prevention rule, find the rule and change the action in the Current Action column. For more information, see Prevention configuration.
View Internet blocking events
Cloud Firewall provides statistics on the inbound and outbound Internet traffic of your cloud assets. This helps you obtain the traffic protection status of the assets and ensure the security of the assets. You can query the events of Internet traffic blocking within the previous 90 days. The maximum time span for a single query is 31 days.
To view the statistics and details of intrusion prevention data, go to the page. On the Protection Status tab, specify a time range.
The Protection Statistics section displays the total number of attacks, attack type distribution, and blocking data.
The Blocking Information section displays the following tabs:
Top Blocked Destinations: displays the top 5 destination IP addresses that are most frequently used among the statistics on traffic blocked by Cloud Firewall.
You can move the pointer over a destination IP address and click the
icon to go to the Log Audit page. In the log list, you can view the port and application type in the traffic of the IP address, and the action that is performed on the traffic of IP address. Top Blocked Sources: displays the top 3 modules that are most frequently used by Cloud Firewall to block traffic.
Top Blocked Applications: displays the top 5 types of applications that are most frequently requested among the statistics on traffic blocked by Cloud Firewall.
Detailed Data: displays the protection details of each event by search condition, including the risk level, number of times the event occurred, source IP address, and destination IP address.
NoteIf a source IP address is a back-to-origin address used by Web Application Firewall (WAF) or Anti-DDoS, Cloud Firewall identifies the back-to-origin address and displays WAF Back-to-origin IP Address or Anti-DDoS Back-to-origin IP Address.
In this section, you can perform the following operations:
Search for events: Specify conditions and click Search to search for events. The conditions include the risk level, defense mode, attack type, source, direction, and time range.
View the details of an event: Find an event and click Details in the Actions column to view the details of the event, including Basic Information and Attack Payload. The Attack Payload tab displays information such as 5-Tuple Information and Payload Content to help you trace the sources of attacks and reduce security risks.
Download blocking events: On the right side of the search box, click the
icon. In the upper-right corner of the page, click Download Task Management to download blocking events.
View VPC traffic blocking events
Cloud Firewall provides statistics on traffic protection between virtual private clouds (VPCs). You can view the traffic status between VPCs. You can query the events of VPC traffic blocking within the previous 90 days. The maximum time span for a single query is 31 days.
Cloud Firewall Premium Edition does not support the VPC Firewall feature or the display of the VPC Protection tab.
Go to the page. On the VPC Protection tab, you can view information such as the name, risk level, and attack type. You can also specify a time range to view information.
You can perform the following operations:
Search for events: Specify conditions and click Search to search for events. The conditions include the risk level, defense mode, attack type, and time range.
View the details of an event: Find an event and click Details in the Actions column to view the details of the event, including Basic Information and Attack Payload. The Attack Payload tab displays information such as 5-Tuple Information and Payload Content to help you trace the sources of attacks and reduce security risks.
Download blocking events: On the right side of the search box, click the
icon. In the upper-right corner of the page, click Download Task Management to download events.