
Cloud Firewall:Attack prevention FAQ

Last Updated: Jun 25, 2026

This topic answers frequently asked questions (FAQs) about the attack prevention feature of Cloud Firewall.

Allowlisting scanner IP addresses

Cause

When Security Center scans for application vulnerabilities, it simulates internet-based attacks that can trigger the attack prevention or Access Control policies of Cloud Firewall.

Solution

If you perform a vulnerability scan, add the IP addresses of Security Center and other scanners to the attack prevention whitelist in Cloud Firewall. For a list of scanner IP addresses used by Security Center, see Web scanner IP addresses for application vulnerabilities. For instructions on how to configure an attack prevention whitelist in Cloud Firewall, see Configure whitelists. You can also add the Security Center scanner IP addresses to an address book and then reference the address book in the whitelist. For instructions on how to create an address book, see Address books.
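Before a scan, it is worth checking that every scanner IP address is actually covered by the address book you reference in the whitelist, since a single missing address produces blocked scan traffic that looks like a failed scan. The following is an added example, not Cloud Firewall or Security Center code; the scanner IP addresses and address-book entries are constructed placeholders (take the real scanner list from the Web scanner IP addresses page), and the function names are assumptions.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample data: NOT the real Security Center scanner IPs.
# Replace with the list published on the "Web scanner IP addresses" page.
SCANNER_IPS = ["203.0.113.10", "203.0.113.11", "198.51.100.7"]

# Constructed address book as it might be entered in Cloud Firewall:
# single IPs or CIDR blocks. The /29 deliberately misses two scanner IPs.
ADDRESS_BOOK = ["203.0.113.0/29", "198.51.100.0/24"]


def parse_networks(entries: Iterable[str]) -> List[ipaddress._BaseNetwork]:
    """Parse address-book entries (plain IPs or CIDR blocks) into network objects.

    strict=False accepts host-style entries such as 203.0.113.10/28 by
    normalising them to the containing block, matching how an operator
    typically types them.
    """
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def uncovered_scanner_ips(scanner_ips: Iterable[str], address_book: Iterable[str]) -> List[str]:
    """Return scanner IPs that no address-book entry covers.

    Any IP returned here would still hit attack prevention during a scan.
    """
    networks = parse_networks(address_book)
    missing = []
    for ip_text in scanner_ips:
        ip = ipaddress.ip_address(ip_text)
        if not any(ip in net for net in networks):
            missing.append(ip_text)
    return missing


def suggested_entries(ips: Iterable[str]) -> List[str]:
    """Collapse uncovered IPs into the smallest exact set of CIDR blocks.

    Exact coverage matters: widening the whitelist beyond the scanner
    addresses would exempt unrelated traffic from attack prevention.
    """
    networks = [ipaddress.ip_network(ip) for ip in ips]
    return [str(net) for net in ipaddress.collapse_addresses(networks)]


if __name__ == "__main__":
    missing = uncovered_scanner_ips(SCANNER_IPS, ADDRESS_BOOK)
    print("scanner IPs not covered by the address book:", missing)
    print("entries to add:", suggested_entries(missing))
```

Run it against the real scanner list and your exported address book before the scan window; an empty result from `uncovered_scanner_ips` means the whitelist will exempt the whole scan, and `suggested_entries` keeps any additions as narrow as the scanner addresses themselves.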

Attack traffic not blocked in block mode

Cause

  • The switches for Basic Protection, Virtual Patches, or Threat Intelligence are turned off.

  • A whitelist is configured to allow the matching traffic.

  • The threat engine is set to Block Mode, but the rule that matched the attack traffic either supports observation only (such rules monitor traffic regardless of the Block Mode level) or has its custom action set to observe.
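The three causes above form a checklist that can be walked mechanically when triaging an event that was logged but not blocked. The following is an added example, not Cloud Firewall code: it models that checklist as a decision function that returns the effective verdict and the reason, so the configuration field names, the evaluation order, and the sample event are assumptions for illustration rather than the product's actual rule-evaluation pipeline.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class EngineConfig:
    """Assumed representation of the attack prevention settings named in the FAQ."""
    block_mode: bool                                    # threat engine in Block Mode?
    switches: Dict[str, bool] = field(default_factory=dict)  # per-module switches
    whitelist: List[str] = field(default_factory=list)       # IPs / CIDRs on the whitelist


@dataclass
class MatchedRule:
    """Assumed representation of the rule that matched the attack traffic."""
    module: str                         # "Basic Protection", "Virtual Patches", "Threat Intelligence"
    supports_block: bool                # False for observation-only rules
    custom_action: Optional[str] = None  # "block", "observe", or None for the default


def _matches_whitelist(src_ip: str, whitelist: List[str]) -> bool:
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in whitelist)


def explain_verdict(src_ip: str, rule: MatchedRule, cfg: EngineConfig) -> Tuple[str, str]:
    """Return (verdict, reason) following the FAQ's checklist.

    The order mirrors the FAQ: whitelist first, then the module switch,
    then the engine mode, then rule capability and custom action.
    """
    if _matches_whitelist(src_ip, cfg.whitelist):
        return "allowed", f"source {src_ip} matches an attack prevention whitelist entry"
    if not cfg.switches.get(rule.module, False):
        return "not inspected", f"the {rule.module} switch is turned off"
    if not cfg.block_mode:
        return "observed", "threat engine is not in Block Mode"
    if not rule.supports_block:
        return "observed", "matched rule supports observation only, regardless of Block Mode level"
    if rule.custom_action == "observe":
        return "observed", "custom action for the matched rule is set to observe"
    return "blocked", "Block Mode is on, module is enabled, and the rule supports blocking"


# Constructed sample configuration and event for a stand-alone run.
SAMPLE_CONFIG = EngineConfig(
    block_mode=True,
    switches={"Basic Protection": True, "Virtual Patches": False, "Threat Intelligence": True},
    whitelist=["203.0.113.0/24"],
)

if __name__ == "__main__":
    cases = [
        ("203.0.113.5", MatchedRule("Basic Protection", True)),
        ("198.51.100.9", MatchedRule("Virtual Patches", True)),
        ("198.51.100.9", MatchedRule("Basic Protection", False)),
        ("198.51.100.9", MatchedRule("Basic Protection", True, custom_action="observe")),
        ("198.51.100.9", MatchedRule("Basic Protection", True)),
    ]
    for src, rule in cases:
        verdict, reason = explain_verdict(src, rule, SAMPLE_CONFIG)
        print(f"{src:<14} {rule.module:<20} -> {verdict}: {reason}")
```

The first reason returned is the one to fix first: a whitelist hit means the event was never evaluated against the engine, and an observation-only rule will keep reporting rather than blocking no matter how the mode is set.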

Solution

No data on the Vulnerability Prevention page

This issue can have several causes:

  • Cloud Firewall analyzes exploit attempts in attack traffic and provides protection. If a vulnerability is not actively being exploited, no protection data for that vulnerability is displayed.

  • Cloud Firewall synchronizes only vulnerabilities detected by network scans, not those detected by the software component analysis (SCA) feature of Security Center.

  • Cloud Firewall synchronizes only vulnerabilities on public-facing assets, not those on internal assets.

For more information about Vulnerability Prevention, see IPS Configuration.

Obtaining an attack sample

Cloud Firewall can obtain an attack sample only for traffic that matches Basic Protection or Virtual Patches rules. You can obtain an attack sample in two ways:

  • On the Intrusion Prevention page, click Details for an event. The Payload Content displayed on the Attack Payload panel is the attack sample.

  • On the Traffic Logs tab of the Log Audit page, set All Sources to Basic Protection or Virtual Patches. Then, find the relevant log entry and click Obtain Attack Sample in the Actions column.

Using the cyber kill chain to enhance defense

As attack-and-defense drills become more systematic, widespread, and routine, attackers are shifting to stealthier methods, such as phishing, supply chain attacks, and watering hole attacks. The cyber kill chain outlines the stages of an attack, offering opportunities for detection and response at each step. Applying the cyber kill chain to prevent network infiltration requires robust intelligence and data analysis capabilities. Cloud Firewall enhances your detection and response capabilities through attack surface reduction, rapid attack response, Breach awareness, and Log tracing.

  • Reduce attack surface: Identify your internet-facing assets and use inbound and outbound access control policies to shrink your network's attack surface. For more information, see Access Control.

  • Rapid attack response: The Intrusion Prevention System (IPS) and Virtual Patches automatically intercept attacks. Threat Intelligence provides awareness of network-wide attack trends, helping to block scanning and intrusion activities. For more information, see Intrusion Prevention and IPS Configuration.

  • Breach awareness: Analyze, locate, and trace attacks for timely response and remediation. Outbound connection detection provides real-time data on your hosts' outbound activities to help you promptly handle suspicious hosts. The secure forward proxy and intelligent policy features allow you to control and protect traffic from your internal network to the internet. For more information, see Breach awareness.

  • Log tracing: The threat detection engine detects and records detailed information about intrusions. By using a log service, you can perform in-depth analysis and threat tracing on collected access logs and attack prevention logs, and automate alert handling. For more information, see Log Audit.

Breach awareness and recommended policies

Breach awareness implementation

Cloud threats are becoming more diverse and complex, and advanced threats such as advanced persistent threat (APT) attacks pose significant challenges. A compromised host is a machine controlled by an attacker, which can be used as a staging point to infiltrate other hosts on the internal network. According to the cyber kill chain model, after the exploitation phase, an attacker may proceed with installation, command and control, data acquisition, and lateral movement. The Breach awareness feature helps to analyze, locate, and trace attacks, enabling a timely response and remediation to minimize the attack's impact. The Cloud Firewall threat detection engine detects and records detailed information about intrusions. The outbound connection detection feature displays real-time data on outbound activities from your hosts, helping you promptly identify suspicious host activity.

Security policy configuration

  • Configure north-south Access Control policies in Cloud Firewall to reduce your attack surface. For more information, see Configure access control policies for an Internet firewall.

  • Enable the Intrusion Prevention (IPS) feature of Cloud Firewall to intercept intrusions from the internet to your cloud hosts. For more information, see IPS Configuration.

  • Use the secure forward proxy and intelligent policy features to control and protect traffic from your internal network to the internet. For more information, see Access Control.

  • Monitor and promptly handle Cloud Firewall alerts for outbound connection detection and breach awareness. For more information, see Alert Notifications.

Viewing Intrusion Prevention events with transparent WAF

You can view Intrusion Prevention events in WAF. For more information, see Security reports.

Viewing IPS and Threat Intelligence versions

  1. Log on to the Cloud Firewall console. In the left-side navigation pane, choose Prevention Configuration > IPS Configuration.

  2. In the upper-right corner of the page, view the version numbers for the rule library and Threat Intelligence.