Intrusion prevention - Intrusion Prevention| Alibaba Cloud Documentation Center

The Intrusion Prevention page displays real-time data of traffic blocked by the intrusion prevention system (IPS) of Cloud Firewall. The data includes the source IP addresses, destination IP addresses, and applications of the traffic, along with the modules used to block the traffic and the details about traffic blocking events. This topic describes the data that is displayed on the Intrusion Prevention page and the operations that you can perform on this page.

Prerequisites

Basic Protection on the Prevention Configuration page is turned on. Otherwise, Cloud Firewall cannot block traffic, record the traffic data, or display the data on the Intrusion Prevention page. Basic Policies switch

Overview

The Intrusion Prevention page displays the details about protection operations that are performed by Cloud Firewall on inbound and outbound traffic over the Internet and between virtual private clouds (VPCs). You can switch between the Internet Traffic Blocking and VPC Traffic Blocking tabs to view the details about specific events.

Notice If your Cloud Firewall runs the Premium Edition, the VPC Traffic Blocking tab does not appear.

Limits

Premium Edition, Enterprise Edition, and Ultimate Edition of Cloud Firewall support intrusion prevention. Free Edition of Cloud Firewall does not support this feature.
The intrusion prevention feature of Cloud Firewall cannot parse the traffic that is encrypted by using SSL or Transport Layer Security (TLS). Therefore, this type of traffic cannot be detected or protected.

Internet Traffic Blocking

On the Internet Traffic Blocking tab, you can view the blocking events of inbound and outbound traffic from the last one hour, one day, seven days, one month, or a custom time range. You can specify a custom time range only within the last six months.

The Internet Traffic Blocking tab contains the following sections:

Prevention Statistics: contains the Attack Statistics, Attack Distribution by Type, and Blocking Statistics widgets. The Blocking Statistics widget provides the following tabs:
- Top Blocked Destination IP Addresses: displays the top 5 destination IP addresses that are most frequently used among the statistics on traffic blocked by Cloud Firewall.
  If you want to view the details about a blocked destination IP address, click the View Logs icon to go to the Log Audit page. In the log list, you can view the destination port and application type for the IP address, and the action that is performed on the IP address.
- Blocking Criteria: displays the top 3 modules that are most frequently used by Cloud Firewall to block traffic.
- Blocked Applications: displays the top 5 types of applications that are most frequently requested among the statistics on traffic blocked by Cloud Firewall.
Detailed Data: displays the details about each traffic blocking event, including the risk level, number of times the event occurred, source IP address, and destination IP address.
In the Detailed Data section, you can perform the following operations:
- Specify conditions to search for events. The conditions include the risk level, module, traffic direction, and time range.
- Find an event and click View Details in the Actions column to view the details about the event.
- On the right of the search box, click the icon to download intrusion prevention policies. By default, you can download only the most recent 1,000 intrusion prevention policies. Excess policies cannot be downloaded.

VPC Traffic Blocking

On the VPC Traffic Blocking tab, you can view the information about unusual events on the traffic blocked between VPCs by Cloud Firewall. The information includes the name, risk level, and attack type. You can also specify a time range to view the information.

On the VPC Traffic Blocking tab, you can perform the following operations:

Specify conditions and click Search to search for events. The conditions include the risk level, defense mode, attack type, and time range.
Find an event and click View Details in the Actions column to view the details about the event. The details include the event description, rule ID, and defense mode.