
Cloud Firewall: Statistics on traffic from service assets to the Internet

Last Updated: Nov 26, 2024

You can view information about the outbound connections from your assets to the Internet on the Outbound Connection page. The information includes the trace information about outbound traffic, destination addresses that are accessible on the Internet, and outbound connections of Internet-facing and internal-facing assets. This helps you identify suspicious assets and ensure business security.

Prerequisites

The Internet firewall is enabled. For more information, see Internet Firewall.

Visualized analysis

The Visualized Analysis tab displays the peak traffic of all private and public IP addresses, the traffic trend charts of all IP addresses, and the statistics on outbound traffic. This helps you monitor the outbound traffic of your assets in real time.

  1. Log on to the Cloud Firewall console. In the left-side navigation pane, choose Traffic Analysis > Outbound Connection.

  2. In the upper-right corner of the Outbound Connection page, select a time range from the drop-down list and click the Visualized Analysis tab.

  3. On the Visualized Analysis tab, view the information described in the following table.


    Section: IP Traffic

    Description:

    • Private IP Address (traffic redirected by NAT firewalls): This tab displays the peak response traffic for the private IP addresses of Elastic Compute Service (ECS) instances within the specified time range in descending order. The virtual private clouds (VPCs) to which the ECS instances belong must be associated with a NAT gateway.

    • Public IP Address (traffic redirected by the Internet firewall): This tab displays the peak response traffic of public IP addresses, such as public IP addresses of ECS instances and EIPs that are used for NAT gateways, within the specified time range in descending order.

    Supported operations:

    • You can specify a public IP address or a private IP address in the search box and view the IP address type and peak of total traffic for the specified IP address.

    • You can click the icon next to a public IP address or a private IP address. The chart on the right side shows the trend of the outbound traffic for the IP address.

    • On the Public IP Address tab, you can click a public IP address to view the peak of total traffic for the private IP address that is associated with the public IP address.

      For example, if you click a public IP address of an ECS instance, you can view the peak of total traffic of the private IP address of the ECS instance. If you click an elastic IP address (EIP) that is used for a NAT gateway, you can view the peak of total traffic for all private IP addresses whose traffic passes through the EIP.

    • On the Private IP Address tab, you can click a NAT gateway to view the peak of total traffic for each private IP address whose traffic passes through the NAT gateway, and the name and ID of the NAT gateway.

    • On the Private IP Address tab, you can click a NAT firewall to view the peak of total traffic for each private IP address whose traffic passes through the NAT firewall, and the name and ID of the NAT firewall.

    • You can click the icon next to an IP address to go to the Log Audit page. On the Log Audit page, you can view the traffic logs of the IP address. For more information, see Log audit.

    • You can click the icon next to an IP address. You are redirected to the Outbound Connection page. On the page, you can view the statistics on outbound connections of the IP address. For more information, see Outbound Connection.

    • You can click the icon to export the statistics on the traffic of private and public IP addresses.

    Section: Outbound Traffic Trend

    Description: This section displays the trends of peak request and response traffic of specific assets or all network assets in real time.

    Supported operations: You can move the pointer over a position in the trend chart to view the peak request and response traffic at the point in time that corresponds to the position. In the Outbound Traffic Trend section, you can click a point in time on the x-axis to refresh the rankings in the IP Traffic section.

    Section: Rankings of Visits by Traffic

    Description: This section displays the top 10 destination locations, top 10 destination service providers, top 10 IP address ranges based on session percentages, and the statistics on ports.

    Supported operations: None.

    You can click View Logs in the upper-right corner of the Outbound Traffic Trend section to go to the Traffic Logs tab of the Log Audit page and view the traffic logs of the Internet firewall. For more information, see Log audit.

View the statistics on outbound connections

The data statistics section on the Outbound Connection page displays the statistics on usual and unusual outbound traffic of your assets. You can troubleshoot unusual traffic on the Outbound Traffic tab based on the statistics to ensure the security of outbound traffic for your assets.

  1. Log on to the Cloud Firewall console. In the left-side navigation pane, choose Traffic Analysis > Outbound Connection.

  2. In the upper-right corner of the Outbound Connection page, select a time range from the drop-down list. Then, you can view the information in the data statistics section and on the Outbound Traffic tab. The following table describes the information.


    You can specify a custom time range within the previous seven days on the Outbound Traffic tab to search for statistics.

    Tabs: Outbound Domains and Outbound IP Addresses

    Description:

    • Outbound Domains: The number of at-risk domain names and the total number of domain names in outbound connections. The outbound connections are initiated from your assets to the domain names that are accessible on the Internet.

    • Outbound IP Addresses: The number of at-risk destination IP addresses and the total number of destination IP addresses in outbound connections. The outbound connections are initiated from your business to the IP addresses that are accessible on the Internet.

    Supported operations:

    You can click a number below Outbound Domains in the data statistics section to go to the Outbound Traffic > Outbound Domains tab or click Destination IP Addresses to go to the Outbound Traffic > Outbound IP Addresses tab.

    You can perform the following operations on an at-risk domain name or IP address based on your business requirements to protect your assets:

    • Configure an outbound access control policy to block the outbound traffic of assets

      Click Configure Access Control Policy to go to the Access Control > Internet Border page. For more information, see Create access control policies for the Internet firewall.

    • View the intelligence profile of an outbound domain name or IP address

      Find a domain name or an IP address and click View Intelligence Profile in the Actions column to view the analysis data of the domain name or IP address. For more information, see View the intelligence profile of an outbound domain name or IP address.

    • View the details of an outbound domain name to determine whether traffic is required for your workloads

      Click an outbound domain name to view the details of the domain name.

      On the Outreach public network assets and Extranet assets tabs of the panel that appears, view the information about the ECS instances that initiated outbound connections. You can also click View Logs in the Actions column to go to the Traffic Logs tab of the Log Audit page. For more information, see Log audit.

    • Add a domain name or an IP address to an address book for centralized management

      On the Outbound Domains or Outbound IP Addresses tab, find a domain name or an IP address, click the icon in the Actions column, and then click Add to Address Book. You are redirected to the Create Address Book panel of the Address Books page. For more information, see Manage address books.

    • Mark a domain name or an IP address as followed

      Find a domain name or an IP address, click the icon in the Actions column, and then click Mark as Followed.

    • Unfollow a domain name or an IP address

      On the Outbound Domains or Outbound IP Addresses tab, click Followed in the upper-right corner. In the Followed panel, unfollow a destination domain name, destination IP address, public IP address, or private IP address.

    • Add a domain name or an IP address to the whitelist

      On the Outbound Domains or Outbound IP Addresses tab, find a domain name or an IP address, click the icon in the Actions column, and then click Add to Whitelist to add the domain name or IP address to the whitelist. This way, Cloud Firewall no longer analyzes the domain name or IP address, and the information about the domain name or IP address is no longer displayed.

      You can add up to 100 domain names or IP addresses to the whitelist. The whitelist supports only exact-match domain names.

      For example, if you add the wildcard domain name *.example.com to the whitelist, Cloud Firewall continues to generate alerts for traffic from service assets to the domain name. We recommend that you add exact-match domain names to the whitelist.

    • Remove a domain name or an IP address from the whitelist

      On the Outbound Domains or Outbound IP Addresses tab, click Whitelist in the upper-right corner. In the Whitelist panel, find a domain name or an IP address and click Remove from Whitelist in the Actions column. This way, the information about the domain name or IP address is displayed on the Outbound Connection page again.

    • View the details of traffic logs to determine whether the traffic is required for your workloads

      On the Outbound Domains or Outbound IP Addresses tab, find a domain name or an IP address, click the icon in the Actions column, and then click View Logs. You are redirected to the Traffic Logs tab of the Log Audit page. For more information, see Log audit.

    Tabs: Outbound Public IP Addresses and Outbound Private IP Addresses

    Description:

    • Outbound Public IP Addresses: The number of at-risk assets and the total number of assets in outbound connections. The outbound connections are initiated from the assets to the Internet by using the public IP addresses of the assets, such as EIPs.

    • Outbound Private IP Addresses: The number of at-risk internal-facing assets and the total number of internal-facing assets in outbound connections. The outbound connections are initiated from the assets to the Internet by using the IP addresses of NAT gateways.

    Supported operations:

    You can click a number below Outbound Public IP Addresses in the data statistics section to go to the Outbound Traffic > Outbound Public IP Addresses tab or click a number below Outbound Private IP Addresses to go to the Outbound Traffic > Outbound Private IP Addresses tab. You can perform the following operations on the tabs:

    • Mark an IP address as followed

      Find an IP address and click Mark as Followed in the Actions column.

    • Unfollow an IP address

      In the upper-right corner, click Followed. In the Followed panel, unfollow a destination domain name, destination IP address, public IP address, or private IP address.

    • View the details of traffic logs to determine whether the traffic is required for your workloads

      Find an IP address and click View Logs in the Actions column. You are redirected to the Traffic Logs tab of the Log Audit page. For more information, see Log audit.

    Tab: Outbound Connection Protocol

    Description: The analysis results of protocols that are used in outbound connections. The outbound connections are initiated from your business to the Internet. The results include the number of unidentified protocols, the total number of used protocols, and the proportion of unidentified protocols to all used protocols.

    Supported operations:

    You can click a number below Outbound Protocol Analysis in the data statistics section to go to the Outbound Traffic > Outbound Connection Protocol tab. On the tab, you can perform the following operations:

    You can view the details of traffic logs and determine whether the traffic is required for your workloads: Find a protocol and click View Logs in the Actions column. You are redirected to the Traffic Logs tab of the Log Audit page. For more information, see Log audit.
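
The whitelist rules described above (up to 100 entries, exact-match domain names only) can be checked before entries are added in the console. The following Python code is an added example, not Alibaba Cloud code; the function names, the sample domain list, and the case-insensitive comparison are assumptions.

```python
# Added example: pre-check entries for the Cloud Firewall outbound whitelist.
# The 100-entry limit and exact-match rule come from the page; the function
# names, sample data and case-insensitive comparison are assumptions.

WHITELIST_LIMIT = 100  # "up to 100 domain names or IP addresses"

# Constructed sample: names as they might appear on the Outbound Domains tab.
OBSERVED = ["api.example.com", "cdn.example.com",
            "updates.example.net", "API.example.com."]


def normalize(entry):
    """Lower-case and drop a trailing dot so equal names compare equal."""
    return entry.strip().lower().rstrip(".")


def plan_whitelist(candidates, observed_domains, existing=()):
    """Separate usable exact entries from wildcard entries.

    A wildcard entry is not matched as a pattern, so each one is mapped to
    the observed exact names it was meant to cover; those are the entries
    to add instead. over_limit counts entries beyond the 100-entry limit.
    """
    observed = sorted({normalize(d) for d in observed_domains})
    current = {normalize(e) for e in existing}
    exact, wildcards = [], {}
    for raw in candidates:
        entry = normalize(raw)
        if "*" in entry:
            suffix = entry.lstrip("*")  # "*.example.com" -> ".example.com"
            wildcards[entry] = [d for d in observed if d.endswith(suffix)]
        elif entry not in exact and entry not in current:
            exact.append(entry)
    over_limit = max(0, len(current) + len(exact) - WHITELIST_LIMIT)
    return {"exact": exact, "wildcards": wildcards, "over_limit": over_limit}


def still_reported(whitelist, observed_domains):
    """Observed names that an exact-match whitelist does not suppress."""
    allowed = {normalize(w) for w in whitelist}
    return sorted({normalize(d) for d in observed_domains} - allowed)


if __name__ == "__main__":
    plan = plan_whitelist(["*.example.com", "updates.example.net"], OBSERVED)
    print(plan)
    print(still_reported(["*.example.com"], OBSERVED))
```

Each exact name listed under a wildcard consumes one of the 100 whitelist slots, so review the expansion against your workloads before adding the names.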

View the intelligence profile of an outbound domain name or IP address

On the Outbound Domains or Outbound IP Addresses tab, find an outbound domain name or IP address and click View Intelligence Profile in the Actions column to view the detailed analysis data. This helps you check whether the intelligence tags added to the domain name or IP address are accurate.

If an intelligence tag is inaccurate, you can click IOC Feedback to report the issue.


Export the statistics on outbound connections

You can click the download icon in the upper-right corner of the Outbound Traffic tab to export the statistics on outbound connections to your computer in the CSV format. The statistics include outbound domain names, outbound destination IP addresses, assets that initiate outbound connections by using public IP addresses, assets that initiate outbound connections by using private IP addresses, and protocols that are used in outbound connections. This allows you to view and analyze the statistics.
