Cloud Firewall:FAQ about attack prevention

Last Updated: Jan 08, 2024

This topic provides answers to some frequently asked questions about attack prevention in Cloud Firewall.

Why does Cloud Firewall block requests from the server IP addresses of Security Center and other scanners when I scan for vulnerabilities?

Possible causes

If you use Security Center to scan for application vulnerabilities on your servers, Security Center simulates intrusions that are launched from the Internet to scan your servers. The simulated intrusions may trigger the protection policies or access control policies of Cloud Firewall.

Solutions

If you want to perform a vulnerability scan, we recommend that you add the server IP addresses of Security Center and other scanners to the whitelist in the Prevention Configuration module of Cloud Firewall. For information about the server IP addresses of Security Center, see Server IP addresses of the web scanner. For more information about how to add IP addresses to the whitelist in the Prevention Configuration module, see Configure a protection whitelist. You can also add the server IP addresses of Security Center to an address book and reference the address book when you configure a whitelist. For more information about how to create an address book, see Manage address books.

Why is attack traffic not blocked after I select a block mode on the Prevention Configuration page?

Possible causes

  • You did not turn on Basic Protection, Virtual Patches, or Threat Intelligence.

  • You configured a whitelist to allow matched traffic.

  • You selected one of the following block modes on the Prevention Configuration page, but set the action of Basic Protection to Monitor or Disable, so the Block action of the rule groups does not take effect:

    • Loose: allows the Block action in Loose rule groups to take effect.

    • Medium: allows the Block action in Loose and Medium rule groups to take effect.

    • Strict: allows the Block action in Loose, Medium, and Strict rule groups to take effect.

Solutions

Why are there no statistics displayed on the Vulnerability Prevention page of the Cloud Firewall console when vulnerabilities are detected on my assets?

The following list describes the possible causes:

  • Cloud Firewall analyzes exploit behavior based on attack traffic to defend against vulnerabilities. If no attack traffic is generated for a vulnerability, no prevention statistics of the vulnerability are displayed.

  • The vulnerabilities that are detected based on software component analysis in Security Center cannot be synchronized to Cloud Firewall. These vulnerabilities are detected after Security Center collects information about the software versions of your assets. Only the vulnerabilities that are detected based on network scans can be synchronized to Cloud Firewall.

  • The vulnerabilities are detected on the assets that reside in an internal network. Cloud Firewall displays only statistics about the vulnerabilities on the assets that are exposed to the Internet.

For more information about vulnerability prevention, see Prevention configuration.

How does Cloud Firewall obtain attack samples?

Cloud Firewall can obtain attack samples only if traffic matches the rules that are configured for Basic Protection or Virtual Patches. You can use one of the following methods to view attack samples:

  • Go to the Intrusion Prevention page. On the Internet Traffic Blocking tab, find an event and click View Details in the Actions column. On the Attack Payload tab of the panel that appears, view attack samples in the Payloads section.

  • Go to the Log Audit page. On the Traffic Logs tab, set the All Policy Source parameter to Basic Protection or Virtual Patches and then click Search. In the result list, find a log whose attack sample you want to obtain and click Obtain Attack Sample in the Actions column.