This topic provides answers to frequently asked questions about network traffic analysis in Cloud Firewall.
Traffic from unknown applications accounts for a large proportion in traffic analysis. Does this occur because Cloud Firewall cannot identify the types of applications that generate traffic from the Internet?
Traffic whose application is displayed as Unknown can result from the following causes:
A large volume of traffic from the Internet does not comply with standard protocols. As a result, Cloud Firewall cannot identify the application type of the traffic.
The destination server rejects the traffic and returns many RST packets. These packets are recorded as outbound or inbound traffic. If the number of such packets is large, the proportion of Unknown traffic is also large.
You can visit the Log Audit page and, on the Event Logs or Traffic Logs tab, check the specific source and destination of the Unknown traffic to determine whether the outbound or inbound traffic is abnormal.
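The two causes above leave different traces in a traffic-log export: a non-standard protocol shows up as Unknown traffic with ordinary packet mixes, while a destination that rejects connections shows up as Unknown traffic dominated by RST packets. The following script, added here as an example and not part of the Cloud Firewall product or documentation, separates the two over a few constructed log records. The field names (direction, src, dst, dport, app, packets, rst_packets) are assumptions for the example, not the schema of the Traffic Logs export; map your export's columns onto them.

```python
from typing import Dict, List, Tuple

# Constructed traffic-log records for the example. Field names are assumptions,
# not the Cloud Firewall Traffic Logs schema. IP addresses come from the
# RFC 5737 documentation ranges.
SAMPLE_LOGS: List[Dict] = [
    {"direction": "out", "src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443,
     "app": "HTTPS", "packets": 400, "rst_packets": 0},
    {"direction": "out", "src": "10.0.0.5", "dst": "198.51.100.7", "dport": 8443,
     "app": "Unknown", "packets": 300, "rst_packets": 280},   # peer keeps resetting
    {"direction": "in", "src": "192.0.2.33", "dst": "10.0.0.5", "dport": 22,
     "app": "SSH", "packets": 50, "rst_packets": 0},
    {"direction": "in", "src": "192.0.2.44", "dst": "10.0.0.5", "dport": 4444,
     "app": "Unknown", "packets": 100, "rst_packets": 10},    # non-standard protocol
    {"direction": "out", "src": "10.0.0.6", "dst": "198.51.100.9", "dport": 53,
     "app": "DNS", "packets": 100, "rst_packets": 0},
]


def unknown_share(logs: List[Dict], direction: str) -> float:
    """Fraction of packets in one direction whose application is Unknown."""
    total = sum(r["packets"] for r in logs if r["direction"] == direction)
    unknown = sum(r["packets"] for r in logs
                  if r["direction"] == direction and r["app"] == "Unknown")
    return unknown / total if total else 0.0


def rst_heavy_unknown_peers(logs: List[Dict], min_rst_ratio: float = 0.5
                            ) -> List[Tuple[str, str, int, float]]:
    """Unknown-application flows in which RST packets dominate: the
    'destination rejects the traffic' cause, as opposed to a protocol that
    Cloud Firewall simply does not recognise.
    Returns (direction, remote peer, port, rst_ratio), highest ratio first."""
    rows = []
    for r in logs:
        if r["app"] != "Unknown" or r["packets"] == 0:
            continue
        ratio = r["rst_packets"] / r["packets"]
        if ratio >= min_rst_ratio:
            peer = r["dst"] if r["direction"] == "out" else r["src"]
            rows.append((r["direction"], peer, r["dport"], round(ratio, 3)))
    return sorted(rows, key=lambda t: t[3], reverse=True)


if __name__ == "__main__":
    for d in ("out", "in"):
        print(f"{d}: Unknown share = {unknown_share(SAMPLE_LOGS, d):.1%}")
    for row in rst_heavy_unknown_peers(SAMPLE_LOGS):
        print("RST-heavy Unknown flow:", row)
```

Flows that appear in the RST-heavy list are worth checking against the Event Logs tab: a server that persistently resets connections from your asset is either misconfigured or deliberately refusing the traffic, and neither case is fixed by tuning application identification.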
When I view the results of all access activities, the system displays a large proportion of traffic from unknown ISPs. Why?
For inbound traffic from Hong Kong (China), Macao (China), Taiwan (China), or regions outside China, the system displays only the names of the countries or regions. Cloud Firewall marks the Internet service providers (ISPs) of such traffic as unknown.
You can visit the Log Audit page and go to the Traffic Logs tab to observe the regions and ISPs corresponding to specific IP addresses.
Intelligence tags are displayed on the Outbound Connection page. What are the meanings of the tags?
Intelligence tags are attributes that Cloud Firewall automatically adds based on public information about outbound domains or destination IP addresses, such as Malicious Download, Miner Pool, Threat Intelligence, First, Epoch, Popular Website, and DDoS Trojan. For more intelligence tags, visit the Outbound Connection page.
Malicious Download, Miner Pool, and Threat Intelligence: outbound activities with threats detected by Cloud Firewall.
Note: You must check whether the outbound activity is a false positive at the earliest opportunity. If the outbound activity is malicious, we recommend that you configure an access control policy to limit related activities. For more information, see Configure access control policies for the Internet firewall.
First: Cloud Firewall detects the outbound activity for the first time.
Epoch: Your asset has periodic outbound activities to the domain or destination IP address.
Popular Website: domains that your server or business frequently visits.
DDoS Trojan: outbound activities with DDoS attack threats detected by Cloud Firewall.
How do I troubleshoot network connection failures?
After you enable a firewall, the following issues may occur:
You cannot log on to your server.
You cannot access the services that run on your server.
Your server cannot connect to the Internet.
If any of the preceding issues occurs, troubleshoot it from two dimensions: the Internet firewall and the internal firewalls (security groups).
Internet firewall
Check whether the Internet firewall is enabled for your asset.
After you enable the Internet firewall, traffic passes through Cloud Firewall. For more information, see Internet Firewall.
Note: If the Internet firewall is not enabled for your asset, traffic does not pass through Cloud Firewall. In this case, you must check whether other issues, such as network connection failures, occur.
Check whether traffic logs are generated on the Traffic Logs tab.
If no traffic logs are found, the traffic is discarded before it reaches the Internet firewall.
If traffic logs are found and the action is Block, the traffic is discarded by the Internet firewall. In this case, you can query the traffic in the Event Logs list and check the source of the instruction that blocks the traffic in the Source column.
If the source is Access Control, the traffic is blocked by an access control policy that you configured. We recommend that you check the access control policies and modify them based on your business requirements.
If the source is Basic Protection, Virtual Patches, or Threat Intelligence, the traffic is blocked by an intrusion prevention policy that you configured. You can go to the page and disable the corresponding intrusion prevention policy.
If traffic logs are found and the action is Allow or Monitor, the traffic is not discarded by the Internet firewall. In this case, you must check the internal firewall (security group) policy.
Internal firewalls (security groups)
Log on to the ECS console.
In the left-side navigation pane, choose .
Find the ECS instance for which the network connection fails. On the Security Groups tab, click the Security Group List tab. Then, check whether the security group allows the traffic (the Authorization Policy is set to Allow).
What are the priorities of rules that are used by Cloud Firewall to protect traffic?
Cloud Firewall matches traffic against rules based on the following priorities:
If access control policies are not enabled or access control policies are enabled but the traffic does not match any access control policy, Cloud Firewall first matches the traffic against Threat Intelligence rules and then matches the traffic against Basic Protection, Intelligent Defense, and Virtual Patching rules.
Note: If the traffic matches a Threat Intelligence rule and the action is Block, Cloud Firewall no longer matches the traffic against other rules.
If access control policies are enabled and the traffic matches an Allow or Monitor policy, Cloud Firewall no longer matches the traffic against Threat Intelligence rules. Instead, Cloud Firewall matches the traffic against Basic Protection, Intelligent Defense, and Virtual Patching rules.
If access control policies are enabled and the traffic matches a Deny policy, Cloud Firewall no longer matches the traffic against other rules.
The Basic Protection, Intelligent Defense, and Virtual Patching rules do not have priorities. The traffic is matched against all these rules.
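The order described in this answer is easier to reason about as a small state machine. The following script is an added example, not Cloud Firewall's own code or API: it takes, as input, which rules a flow would match and returns the engines that are consulted, in order, together with the resulting action. Whether a rule matches is given to the model rather than computed from packets, and the assumption that a flow with no matching rule at all passes is the script's, not a statement from the page.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Engine names as used in the FAQ. The three intrusion prevention engines have
# no priority among themselves, so the order in this tuple is not significant.
THREAT_INTEL = "Threat Intelligence"
IPS_ENGINES = ("Basic Protection", "Intelligent Defense", "Virtual Patching")


@dataclass
class Flow:
    """Constructed description of a flow. Which rules it would match is given
    as input; only the order in which engines are consulted is modelled."""
    name: str
    acl_action: Optional[str] = None   # "Allow", "Monitor", "Deny", or None (no ACL match)
    ti_action: Optional[str] = None    # "Block", "Monitor", or None (no Threat Intelligence hit)
    ips_hits: Dict[str, str] = field(default_factory=dict)  # engine -> "Block" / "Monitor"


@dataclass
class Verdict:
    evaluated: List[str]   # engines consulted, in order
    action: str            # "Allow", "Monitor", or "Block"
    decided_by: str


def evaluate(flow: Flow, acl_enabled: bool) -> Verdict:
    evaluated: List[str] = []

    # 1. Access control policies, when enabled. A Deny match ends evaluation.
    acl_matched = False
    if acl_enabled:
        evaluated.append("Access Control")
        if flow.acl_action == "Deny":
            return Verdict(evaluated, "Block", "Access Control")
        acl_matched = flow.acl_action in ("Allow", "Monitor")

    # 2. Threat Intelligence is consulted only when no ACL policy matched.
    #    A Block ends evaluation; a non-Block hit lets evaluation continue.
    if not acl_matched:
        evaluated.append(THREAT_INTEL)
        if flow.ti_action == "Block":
            return Verdict(evaluated, "Block", THREAT_INTEL)

    # 3. Basic Protection, Intelligent Defense and Virtual Patching are all
    #    consulted (no priority among them); any Block among them blocks the flow.
    evaluated.extend(IPS_ENGINES)
    blockers = [e for e in IPS_ENGINES if flow.ips_hits.get(e) == "Block"]
    if blockers:
        return Verdict(evaluated, "Block", ", ".join(blockers))

    # Nothing blocked. The action follows the ACL policy that matched; with no
    # ACL match the flow is assumed to pass (assumption of this example).
    if acl_matched:
        return Verdict(evaluated, flow.acl_action, "Access Control")
    return Verdict(evaluated, "Allow", "default")


if __name__ == "__main__":
    cases = [
        (Flow("ti-block", ti_action="Block"), False),
        (Flow("acl-allow-skips-ti", acl_action="Allow", ti_action="Block"), True),
        (Flow("acl-deny", acl_action="Deny", ips_hits={"Basic Protection": "Block"}), True),
        (Flow("vp-block", ips_hits={"Virtual Patching": "Block"}), True),
    ]
    for flow, acl_on in cases:
        v = evaluate(flow, acl_on)
        print(f"{flow.name:22s} acl={acl_on!s:5s} -> {v.action:5s} by {v.decided_by}; "
              f"consulted {v.evaluated}")
```

The second case is the one that surprises people: an ACL Allow policy does not just permit the flow, it also removes Threat Intelligence from the path, so an Allow policy that is broader than intended silently disables that layer for the matching traffic.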
What is the principle of Cloud Firewall public exposure detection?
Cloud Firewall detects unusual traffic, Open Public IP Addresses, Open Ports, Open Applications, and public IP addresses of cloud services based on inbound traffic data. For more information, see Internet Exposure.
Questions related to service traffic exceeding limits
What should I do if my service traffic exceeds the bandwidth specification supported by Cloud Firewall?
If your service traffic exceeds the traffic processing specification of the Cloud Firewall instance that you purchased, the Service-Level Agreement (SLA) cannot be guaranteed. This may trigger degradation rules, including but not limited to: failure of security capabilities (ACL, IPS, and log audit), firewall shutdown for the most overloaded assets, and rate limiting with packet loss.
If your service traffic may be at risk of exceeding limits, we recommend that you refer to Subscription elastic traffic pay-as-you-go.
For information about how to troubleshoot unusual traffic, see Troubleshooting guide for unusual traffic at the Internet border.
For information about how to expand protection bandwidth, see Renewal policy.
How do I set up notifications for traffic that exceeds the public network protection bandwidth of Cloud Firewall?
Traffic exceeding limits is reported in two forms: the Traffic Exceeding Notification and the Traffic Exceeding Warning.
Traffic Exceeding Notification: a real-time report that the traffic at a border (Internet border, VPC border, or NAT border) has exceeded the limit on the current day.
Trigger logic: sent when the limit is exceeded, with a 10-minute delay. Alerts are sent 24 hours a day, regardless of day or night.
Sending logic: sent once, and only once, per day.
Note that subscription customers who enable the elastic traffic processing capability no longer receive traffic exceeding notifications.
If capacity expansion is completed within 10 minutes of the limit being exceeded, no exceeding limit alert is triggered.
Traffic Exceeding Warning: a real-time warning, with a 10-minute delay, that traffic has exceeded the warning threshold. Currently, only Internet border traffic is supported; NAT border traffic is not supported.
Trigger logic: the current traffic exceeds the warning threshold that you set.
Statistics in the warning text: the peak value and the number of times the warning threshold was exceeded in the 24 hours before the current time. "Times" is counted at a half-hour granularity: each half-hour period that contains at least one excess counts as one time.
Sending logic: sent only once per day. If a Traffic Exceeding Notification has already been sent, no warning is sent.
Not sent to users who have enabled the elastic traffic processing capability.
Sent 24 hours a day.
You can learn about notification types supported and steps to set up notifications in Alerting.
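The trigger, suppression and counting rules above are compact but easy to misread, in particular the half-hour "times" count and the interaction between the two alert types. The script below, added here as an example and not part of Cloud Firewall's alerting implementation, models those rules over constructed 5-minute bandwidth samples: the function and parameter names (warning_stats, should_send_notification, should_send_warning, and the sample data) are this example's own assumptions, and the notification clock runs in minutes from the breach rather than on the product's internal schedule.

```python
from datetime import date, datetime, timedelta
from typing import Iterable, Optional, Set, Tuple

ALERT_DELAY = timedelta(minutes=10)   # both alert types fire with a 10-minute delay
STATS_WINDOW = timedelta(hours=24)    # warning statistics cover the past 24 hours
# "times" in the warning text are counted at half-hour granularity (30-minute periods)


def warning_stats(samples: Iterable[Tuple[datetime, float]],
                  threshold_mbps: float, now: datetime) -> Tuple[float, int]:
    """Peak traffic and number of half-hour periods above the warning threshold
    in the 24 hours before `now`. A half-hour period with at least one sample
    above the threshold counts once, however many samples exceeded it."""
    start = now - STATS_WINDOW
    peak = 0.0
    periods: Set[Tuple[date, int]] = set()
    for ts, mbps in samples:
        if not (start <= ts <= now):
            continue
        peak = max(peak, mbps)
        if mbps > threshold_mbps:
            half_hour_index = (ts.hour * 60 + ts.minute) // 30
            periods.add((ts.date(), half_hour_index))
    return peak, len(periods)


def should_send_notification(breach_started: datetime, now: datetime,
                             elastic_enabled: bool, sent_today: bool,
                             expanded_at: Optional[datetime] = None) -> bool:
    """Traffic Exceeding Notification: once per day, 10 minutes after the limit
    is first exceeded, unless elastic traffic is enabled or capacity was
    expanded within those 10 minutes."""
    if elastic_enabled or sent_today:
        return False
    if expanded_at is not None and expanded_at - breach_started <= ALERT_DELAY:
        return False
    return now - breach_started >= ALERT_DELAY


def should_send_warning(border: str, current_mbps: float, threshold_mbps: float,
                        elastic_enabled: bool, notification_sent_today: bool,
                        warning_sent_today: bool) -> bool:
    """Traffic Exceeding Warning: Internet border only, once per day, and
    suppressed when a notification already went out or elastic traffic is on."""
    if border != "Internet":
        return False
    if elastic_enabled or notification_sent_today or warning_sent_today:
        return False
    return current_mbps > threshold_mbps


# Constructed 5-minute samples (Mbps) for one Internet border; in practice the
# values would come from the console's traffic statistics.
NOW = datetime(2024, 1, 2, 12, 0)
WARNING_THRESHOLD_MBPS = 100.0
SAMPLES = [
    (datetime(2024, 1, 1, 10, 0), 500.0),   # older than 24 h: ignored
    (datetime(2024, 1, 2, 9, 0), 80.0),
    (datetime(2024, 1, 2, 11, 5), 120.0),
    (datetime(2024, 1, 2, 11, 10), 150.0),  # same half hour as 11:05: counted once
    (datetime(2024, 1, 2, 11, 40), 130.0),
]

if __name__ == "__main__":
    peak, times = warning_stats(SAMPLES, WARNING_THRESHOLD_MBPS, NOW)
    print(f"past 24 h: peak {peak} Mbps, threshold exceeded in {times} half-hour periods")
    breach = datetime(2024, 1, 2, 11, 0)
    for minutes in (5, 15):
        print(f"{minutes} min after breach, notify:",
              should_send_notification(breach, breach + timedelta(minutes=minutes), False, False))
```

Two consequences follow from the model. The half-hour counting means a 20-minute burst and a 2-hour overload can both show as "1 time" if they fall inside a single period, so the peak value, not the count, is the figure to size an expansion from. And because a notification suppresses the warning for the rest of the day, a day on which the hard limit was already crossed produces no further threshold warnings.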
What should I do if I cannot handle traffic exceeding limits in time?
If you anticipate that your service traffic may experience short-term traffic spikes that you cannot handle in time, you can use Cloud Firewall's subscription elastic traffic pay-as-you-go capability.
Subscription elastic traffic pay-as-you-go capability refers to a pay-as-you-go model for traffic that exceeds the traffic quota included in the subscription package. This model allows users to pay for the excess traffic based on actual usage without changing the original subscription billing method. For detailed information, see Subscription elastic traffic pay-as-you-go.
For the pay-as-you-go version, all traffic is billed in pay-as-you-go mode, so this situation does not need to be considered.
What is the maximum specification that Cloud Firewall elastic traffic can scale to?
The default daily processing limit is 1,000,000 GB. Note that Cloud Firewall has only traffic bandwidth specification limits; queries per second (QPS) and connection counts are not limited. For detailed information, see Subscription elastic traffic pay-as-you-go - Billing description.