This solution correlates Cloud Firewall IPS attack detection results with NAT session logs to help you quickly pinpoint at-risk private IP addresses and trace network attacks.
Business risk
In a Virtual Private Cloud (VPC), organizations often use a NAT Gateway to create a secure internet entry and exit point. The gateway protects internal services by translating and hiding their private IP addresses. While security services like firewalls are deployed at this internet gateway to filter traffic, they face a common challenge: when an attack or unauthorized outbound connection occurs, alerts typically identify only the elastic IP address (EIP) of the NAT Gateway. This makes it difficult to quickly pinpoint the compromised ECS instance or other resource by its private IP address, delaying incident response and remediation.
Solution
To solve this challenge, Cloud Firewall integrates with the NAT session log feature to provide IPS private IP tracing. By automatically correlating NAT Gateway session logs with Cloud Firewall IPS events, the feature identifies the private IP address of the affected instance. This process helps you quickly and accurately locate compromised assets and take effective countermeasures.
Cloud Firewall IPS: The intrusion prevention system (IPS) engine detects and blocks inbound and outbound attack traffic. The IPS engine inspects all network traffic that passes through the Internet firewall before it is forwarded. Cloud Firewall uses deep packet inspection to identify protocols and parse packets, and then applies its IPS engine and threat intelligence to filter flows and packets. If traffic matches a threat signature, the matching packets are blocked or allowed according to your configured rules, and a real-time alert is generated for the event. Cloud Firewall records detailed logs for all IPS events.
NAT session log: NAT Gateway provides a session log feature that records all sessions passing through an SNAT entry. These logs are essential for network tracing and monitoring. The NAT session logs are written to Simple Log Service (SLS). Each log entry captures a specific five-tuple within a specific capture window. For inbound traffic, you can locate the specific private IP address by using DNAT and port mapping.
Trace outbound attacks
Trace inbound attacks
Use case
Consider an e-commerce business that runs on Alibaba Cloud. To ensure service stability and security, the company deploys a NAT Gateway in a DMZ Virtual Private Cloud (VPC) to handle all inbound and outbound internet traffic and reduce the exposure of backend services. The company also uses Cloud Firewall and enables the Internet firewall to filter and protect traffic to the elastic IP address (EIP) of the NAT Gateway. One night, the security operations team receives an alert for suspicious traffic. A server has been compromised by a vulnerability, and an attacker has installed a trojan. This trojan is making malicious outbound connections to an overseas IP address, downloading a bash script, and installing a CoinMiner trojan. The team needs to quickly identify the compromised backend server.
This is where the IPS private IP tracing feature becomes critical. After the organization enables this feature, the system automatically correlates the NAT Gateway session logs with the Cloud Firewall IPS attack logs. It matches the five-tuple from each NAT session log with the corresponding IPS event log to pinpoint the at-risk private IP address in minutes. This allows the security team to quickly identify the compromised server, apply an access control policy to block its outbound traffic, and remove the trojan to contain the threat and prevent further damage.
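The five-tuple correlation described in the Solution section and in this use case, as an added example that is not part of the original page or of Cloud Firewall itself. The record layouts, field names, addresses and time window are constructed assumptions, not the real Simple Log Service schema; the matching logic is the point: an IPS event seen at the EIP is joined to the NAT session whose public side has the same five-tuple within the session's capture window, which yields the private IP for both SNAT (outbound) and DNAT (inbound) cases.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample records; field names are assumptions, not the real NAT/IPS log schema.
@dataclass
class NatSession:            # one NAT Gateway session log entry (SNAT or DNAT)
    private_ip: str
    private_port: int
    public_ip: str           # NAT Gateway EIP
    public_port: int         # SNAT-allocated port or DNAT-mapped port
    peer_ip: str             # internet host on the other side of the session
    peer_port: int
    proto: str
    start: datetime          # capture window of the session
    end: datetime

@dataclass
class IpsEvent:              # one Cloud Firewall IPS alert; only the EIP is visible here
    time: datetime
    eip: str
    eip_port: int
    peer_ip: str
    peer_port: int
    proto: str

def trace_private_ip(event, sessions, slack=timedelta(minutes=20)):
    """Private IPs whose NAT session five-tuple matches the IPS event inside its time window."""
    hits = set()
    for s in sessions:
        if (s.public_ip, s.public_port, s.peer_ip, s.peer_port, s.proto) != (
                event.eip, event.eip_port, event.peer_ip, event.peer_port, event.proto):
            continue
        # slack absorbs log delivery latency; a later reuse of the same SNAT port is excluded
        if s.start - slack <= event.time <= s.end + slack:
            hits.add(s.private_ip)
    return sorted(hits)

T = datetime(2024, 1, 1, 1, 0)
SESSIONS = [  # constructed: three outbound SNAT sessions and one inbound DNAT session
    NatSession("192.168.1.10", 51234, "203.0.113.5", 20001, "198.51.100.7", 80, "tcp", T, T + timedelta(minutes=5)),
    NatSession("192.168.1.11", 44444, "203.0.113.5", 20001, "198.51.100.8", 443, "tcp", T, T + timedelta(minutes=5)),
    NatSession("192.168.1.12", 40000, "203.0.113.5", 20001, "198.51.100.7", 80, "tcp", T + timedelta(hours=3), T + timedelta(hours=3, minutes=5)),
    NatSession("192.168.1.20", 22, "203.0.113.5", 2222, "192.0.2.9", 40000, "tcp", T, T + timedelta(minutes=1)),
]
# Outbound alert: EIP:SNAT port -> overseas host (the trojan download in the use case)
OUTBOUND_EVENT = IpsEvent(T + timedelta(minutes=2), "203.0.113.5", 20001, "198.51.100.7", 80, "tcp")
# Inbound alert: internet host -> EIP:DNAT port, resolved through the DNAT port mapping
INBOUND_EVENT = IpsEvent(T + timedelta(seconds=30), "203.0.113.5", 2222, "192.0.2.9", 40000, "tcp")
if __name__ == "__main__":
    print("outbound ->", trace_private_ip(OUTBOUND_EVENT, SESSIONS))  # ['192.168.1.10']
    print("inbound  ->", trace_private_ip(INBOUND_EVENT, SESSIONS))   # ['192.168.1.20']
```

The second session shares the EIP and SNAT port but talks to a different peer, and the third reuses the port hours later; both are correctly rejected, which is why the full five-tuple and the capture window are needed rather than the EIP and port alone.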
Usage notes
Both the pay-as-you-go and subscription editions of Cloud Firewall support this feature. NAT Gateway instances billed by capacity units (CUs) support this feature. NAT Gateway instances billed by specification do not support the session log feature.
Enabling IPS private IP tracing does not incur additional charges from Cloud Firewall itself, but the system creates an index and runs queries on your NAT Gateway session logs, incurring costs from Simple Log Service. For information about Simple Log Service billing, see the SLS pricing documentation.
If you enable IPS private IP tracing and the system detects that indexing for the NAT session log is disabled or that required fields are missing, it automatically creates the index or adds the missing fields.
Configuration
Log on to the Cloud Firewall console. In the left-side navigation pane, choose .
On the tab, view the list of public assets that support tracing. To use IPS private IP tracing for a NAT Gateway, you must first enable Internet firewall protection and the NAT session log. You are prompted to enable these features when you click the switch in the Actions column. Click the link in the prompt and follow the on-screen instructions. Alternatively, see the following documentation:
Internet firewall: Enable the firewall switch
NAT session log: NAT session log configuration process
For more information, see IPS private IP tracing.
View tracing data
Tracing results may be delayed by up to 20 minutes due to data capture and delivery latency in NAT Gateway.
After you enable Private IP Traceback, you can view the tracing data in the following locations.
List views, details pages, and the tracing tab (screenshots not reproduced).