Cloud Firewall:FAQ about attack prevention

Last Updated:Mar 31, 2026

This page answers common questions about Cloud Firewall's attack prevention features.

Security Center blocked during a vulnerability scan

Security Center simulates Internet-based intrusions when scanning your servers for application vulnerabilities. These simulated attacks can trigger Cloud Firewall's protection and access control policies, causing the scanner's IP addresses to be blocked.

To run a vulnerability scan without interference, add the server IP addresses of Security Center and other scanners to the whitelist in the Prevention Configuration module. Whitelisted sources bypass prevention entirely, so list only the scanner addresses themselves, not the wider range they sit in. For the list of Security Center IP addresses, see Server IP addresses of the web scanner. To configure the whitelist, see Configure whitelists.

If you scan frequently, add the Security Center IP addresses to an address book and reference that address book in the whitelist configuration. This lets you update the IP list in one place rather than editing each whitelist rule individually. For details, see Manage address books.

Block Mode is on, but attack traffic still gets through

Check the following:

Basic Protection, Virtual Patches, or Threat Intelligence are not enabled

Each of these features drives its own rule set, and a rule can only intercept traffic when its feature is on. Go to Prevention Configuration > IPS Configuration and verify that all three switches are on. For details, see IPS configuration.

A whitelist is allowing the traffic

If a whitelist rule matches the attack traffic, Cloud Firewall bypasses the block action. Review your whitelist entries in the Prevention Configuration module and remove any overly broad rules. See Configure whitelists.

The matched rule supports only Monitor Mode

Even with the engine set to Block Mode, a specific rule may be locked to Monitor Mode by default, or its Current Action parameter may be manually set to Monitor. To check: find the rule that matched the traffic, inspect its action setting, and change it if needed. For details, see IPS configuration.
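A local sanity check for the two whitelist questions above: every scanner range must be covered in full (otherwise the scan is still blocked), and no entry may be so broad that the whitelist turns into a bypass for attack traffic. This is an added example, not Cloud Firewall's own code or API. It takes the CIDR strings or single IPs you would put into an address book or whitelist rule and audits them with Python's standard library. The scanner ranges and whitelist entries below are constructed placeholders, not Alibaba Cloud's published scanner addresses; take the real ones from Server IP addresses of the web scanner.

```python
"""Audit a Cloud Firewall whitelist before a scan and before trusting a block.

Added example, not Cloud Firewall's own code or API. Entries are the CIDR
strings (or single IPs) you would put into an address book or whitelist rule.
"""
import ipaddress

# Constructed placeholders: NOT Alibaba Cloud's published scanner addresses.
# Take the real list from "Server IP addresses of the web scanner".
SCANNER_RANGES = ["198.51.100.0/24", "203.0.113.8/29"]

# Constructed whitelist as it might look after a few ad-hoc edits:
# one correct scanner range, one far too broad entry, one lone scanner host.
WHITELIST = ["198.51.100.0/24", "198.18.0.0/15", "203.0.113.9"]


def _net(entry):
    """Parse a CIDR or bare IP; strict=False tolerates host bits being set."""
    return ipaddress.ip_network(entry, strict=False)


def whitelist_matches(whitelist, ip):
    """Return the first whitelist entry covering ip, or None.

    A non-None result means Cloud Firewall would bypass Block Mode for this
    source address, which is the "whitelist is allowing the traffic" case.
    """
    addr = ipaddress.ip_address(ip)
    for entry in whitelist:
        net = _net(entry)
        if addr.version == net.version and addr in net:
            return entry
    return None


def audit_whitelist(whitelist, scanner_ranges, max_hosts=256):
    """Flag overly broad entries and scanner ranges that are not fully covered.

    max_hosts: largest address count accepted for one entry; a /24 passes by
    default, anything wider is reported as too broad.
    """
    nets = [(entry, _net(entry)) for entry in whitelist]

    too_broad = [entry for entry, net in nets if net.num_addresses > max_hosts]

    uncovered = []
    for rng in scanner_ranges:
        scan_net = _net(rng)
        # A range counts as covered only if one entry contains all of it;
        # a single whitelisted host out of a /29 still leaves the scan blocked.
        covered = any(
            scan_net.version == net.version and scan_net.subnet_of(net)
            for _, net in nets
        )
        if not covered:
            uncovered.append(rng)

    return {"too_broad": too_broad, "uncovered_scanners": uncovered}


if __name__ == "__main__":
    report = audit_whitelist(WHITELIST, SCANNER_RANGES)
    print("overly broad entries:", report["too_broad"])
    print("scanner ranges not fully covered:", report["uncovered_scanners"])
    # Any attacker inside the broad entry is never blocked:
    print("198.18.77.1 bypasses via:", whitelist_matches(WHITELIST, "198.18.77.1"))
```

Run it against the exported entries of the address book you reference from the whitelist; if `too_broad` is non-empty, tighten those entries before looking any further at why Block Mode is not firing.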

Vulnerability Prevention page shows no statistics even though vulnerabilities were detected

Cloud Firewall generates vulnerability prevention statistics only when it detects active exploit attempts against a known vulnerability — not based on the presence of a vulnerability alone.

Three situations produce no statistics:

  • No attack traffic targeting the vulnerability — Cloud Firewall identifies vulnerabilities by analyzing attack traffic, not by scanning software versions. If no one is actively exploiting the vulnerability against your assets, no prevention events are logged.

  • Vulnerability detected by software component analysis in Security Center — Security Center uses two detection methods: software component analysis (inspecting installed software versions) and network scans. Only vulnerabilities found through network scans sync to Cloud Firewall. Vulnerabilities detected by component analysis do not.

  • Assets are in an internal network — Cloud Firewall tracks only vulnerabilities on Internet-exposed assets. Vulnerabilities on internal network assets are not shown on the Vulnerability Prevention page.

For more information, see IPS configuration.

How Cloud Firewall obtains attack samples

Cloud Firewall can obtain attack samples only if traffic matches a Basic Protection or Virtual Patches rule. Two ways to view them:

From the Intrusion Prevention page

  1. Go to the Intrusion Prevention page.

  2. On the Protection Status tab, find the event and click Details in the Actions column.

  3. On the Attack Payload tab, view the sample in the Payload Content section.

From the Log Audit page

  1. Go to the Log Audit page.

  2. On the Traffic Logs tab, set All Sources to Basic Protection or Virtual Patching and click Search.

  3. Find the log entry and click Obtain Attack Sample in the Actions column.

How Cloud Firewall uses the cyber kill chain to strengthen defense

Attack and defense drills have become routine, systematic, and large-scale, and attack methods such as phishing, supply chain attacks, and watering hole attacks keep getting stealthier. The cyber kill chain model breaks an attack into stages, from initial reconnaissance through exploitation to post-breach activity. Cloud Firewall covers several of these stages at once through four capabilities:

Asset exposure minimization

Monitor Internet-facing assets and configure inbound and outbound access control policies to reduce the attack surface. See Access Control.

Quick response to attacks

Intrusion prevention system (IPS) rules and Virtual Patches are released automatically to intercept known attacks, so exploit traffic is dropped at the firewall before it reaches a workload that has not yet been patched. Threat intelligence extends coverage to network-wide attack patterns, blocking scans and intrusions in real time. See Intrusion prevention and IPS configuration.

Breach awareness

After an attacker gains a foothold, breach awareness helps you detect and contain the damage. The Outbound Connection page shows real-time outbound traffic from your servers, making it easier to spot compromised hosts before lateral movement spreads. Secure forward proxies and intelligent policies give you control over internal-to-Internet traffic. See Breach awareness.

Log tracing

The threat detection engine records detailed information about every intrusion event. These logs — stored in Simple Log Service — support in-depth analysis and threat tracing across access logs and attack prevention logs. See Log audit.

How breach awareness works and how to configure security policies

How breach awareness works

Advanced persistent threat (APT) attacks often go undetected until the attacker has established persistence. A compromised server, one where the attacker has gained control, can then serve as a jump server into your internal network, and the kill chain stages that follow exploitation (installation, command and control, lateral movement, and data exfiltration) play out from inside your environment.

Breach awareness addresses this post-intrusion phase. It analyzes, locates, and traces attacks so you can respond before the damage spreads. The threat detection engine records intrusion details, and the Outbound Connection page displays real-time outbound traffic from your servers to help you identify suspicious behavior early.
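Added example, not Cloud Firewall's own code: a small triage pass over outbound-connection records of the kind the Outbound Connection page and the Simple Log Service traffic logs expose, implementing the "spot the compromised host before lateral movement spreads" idea from the Breach awareness and Log tracing capabilities above. The records and their field names (`ts`, `src_ip`, `dst_ip`, `dst_port`, `direction`) are constructed for this example; real Cloud Firewall log fields differ and must be mapped into this shape first. It flags a server that contacts an unknown destination at a steady interval (beaconing to a command-and-control server) and any unknown destination reached on an uncommon port.

```python
"""Triage outbound connections for beaconing and odd destinations.

Added example, not Cloud Firewall code. The records below are constructed;
real Cloud Firewall traffic logs in Simple Log Service carry their own field
names, so map them into this shape (epoch seconds, IPs, port, direction).
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed outbound-connection records; not real log data.
RECORDS = [
    # 10.0.1.5 calls an unknown host every ~60 s: classic beacon.
    {"ts": 1700000000, "src_ip": "10.0.1.5", "dst_ip": "203.0.113.50", "dst_port": 443, "direction": "out"},
    {"ts": 1700000060, "src_ip": "10.0.1.5", "dst_ip": "203.0.113.50", "dst_port": 443, "direction": "out"},
    {"ts": 1700000121, "src_ip": "10.0.1.5", "dst_ip": "203.0.113.50", "dst_port": 443, "direction": "out"},
    {"ts": 1700000180, "src_ip": "10.0.1.5", "dst_ip": "203.0.113.50", "dst_port": 443, "direction": "out"},
    # 10.0.1.6 talks to a known, legitimate destination at irregular times.
    {"ts": 1700000019, "src_ip": "10.0.1.6", "dst_ip": "198.51.100.10", "dst_port": 443, "direction": "out"},
    {"ts": 1700000350, "src_ip": "10.0.1.6", "dst_ip": "198.51.100.10", "dst_port": 443, "direction": "out"},
    {"ts": 1700001900, "src_ip": "10.0.1.6", "dst_ip": "198.51.100.10", "dst_port": 443, "direction": "out"},
    # One-off connection to an unknown host on a non-web port.
    {"ts": 1700000030, "src_ip": "10.0.1.5", "dst_ip": "192.0.2.9", "dst_port": 4444, "direction": "out"},
    # Inbound traffic is out of scope for outbound triage.
    {"ts": 1700000040, "src_ip": "203.0.113.7", "dst_ip": "10.0.1.5", "dst_port": 80, "direction": "in"},
]

# Destinations your servers legitimately use (package mirrors, SaaS APIs, ...).
KNOWN_DESTINATIONS = {"198.51.100.10"}

COMMON_PORTS = {80, 443}


def triage_outbound(records, known_destinations, min_hits=3, max_cv=0.1):
    """Return findings for outbound flows to destinations outside the allowlist.

    A flow is (src_ip, dst_ip, dst_port). Beaconing is reported when a flow has
    at least min_hits connections and the coefficient of variation of the gaps
    between them is at most max_cv, i.e. the interval is nearly constant.
    """
    flows = defaultdict(list)
    for r in records:
        if r["direction"] != "out":
            continue
        flows[(r["src_ip"], r["dst_ip"], r["dst_port"])].append(r["ts"])

    findings = []
    for (src, dst, port), stamps in flows.items():
        if dst in known_destinations:
            continue
        stamps.sort()
        reasons = []
        if len(stamps) >= min_hits:
            gaps = [b - a for a, b in zip(stamps, stamps[1:])]
            mg = mean(gaps)
            cv = pstdev(gaps) / mg if mg else 0.0
            if cv <= max_cv:
                reasons.append(f"beaconing: {len(stamps)} hits, mean gap {mg:.0f}s")
        if port not in COMMON_PORTS:
            reasons.append(f"uncommon port {port}")
        if reasons:
            findings.append({"src_ip": src, "dst_ip": dst, "dst_port": port,
                             "hits": len(stamps), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_outbound(RECORDS, KNOWN_DESTINATIONS):
        print(f["src_ip"], "->", f["dst_ip"], f["dst_port"], "|", "; ".join(f["reasons"]))
```

Treat the hits as a starting point for the Log Audit page, not a verdict: a flagged source is the host to pivot on when tracing the intrusion event that preceded the outbound traffic, and every confirmed legitimate destination goes into the allowlist so the next pass stays quiet.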

Configure security policies

Set up the following policies to enable full breach awareness coverage:

  1. Minimize asset exposure — Configure access control policies to manage north-south traffic. See Create access control policies for the Internet firewall.

  2. Block inbound intrusions — Enable the intrusion prevention feature to block Internet-sourced attacks against your cloud servers. See IPS configuration.

  3. Control outbound traffic — Use secure forward proxies and intelligent policies to manage traffic from internal networks to the Internet. See Access Control.

  4. Set up alerts — Monitor outbound connection and breach awareness alerts so you can respond to risks immediately. See Configure notifications.

WAF transparent proxy mode + Internet firewall: where to find intrusion prevention events for forwarding ports

View these events in the Web Application Firewall (WAF) console, not the Cloud Firewall console. See Security reports.

How to check IPS rule library and threat intelligence versions

  1. Log on to the Cloud Firewall console. In the left-side navigation pane, choose Prevention Configuration > IPS Configuration.

  2. In the upper-right corner of the IPS Configuration page, view the current versions of the IPS rule library and threat intelligence.