Outbound Connection - Cloud Firewall - Alibaba Cloud Documentation Center

After the Internet firewall is enabled for your network assets, you can view the real-time information about outbound connections initiated by your assets on the Outbound Connection page. This helps you detect suspicious servers. This topic describes how to view the statistics and details of outbound connections. This topic also describes how to analyze the traffic of related IP addresses in a visualized manner.

Prerequisites

The Internet firewall is enabled. For more information, see Internet firewall.

View the statistics of outbound connections

The Data Statistics section on the Outbound Connection page displays the statistics of usual and unusual outbound traffic of your assets. You can troubleshoot unusual traffic on the Outbound traffic tab based on the statistics to ensure the security of outbound traffic for your assets.

Log on to the Cloud Firewall console. In the left-side navigation pane, choose Traffic Analysis > Outbound Connection.

In the upper-right corner of the Outbound Connection page, select a time period from the drop-down list. Then, you can view the information in the Data Statistics section and on the Outbound traffic tab. The following table describes the information.

You can specify a custom a time range within the previous seven days on the Outbound traffic tab to search for statistics.


Parameter	Description	Supported operation
Outbound Domains	The number of risky domain names and the total number of domain names in outbound connections. The outbound connections are initiated from your business to the domain names, which are located on the Internet.	You can click Outbound Domains in the Data Statistics section to go to the Outbound Domains tab or click Outbound IP Addresses in the Data Statistics section to go to the Outbound IP Addresses tab. You can perform the following operations on a risky domain name or IP address based on your business requirements to protect your assets: Configure an access control policy On the Outbound Domains or Outbound IP Addresses tab, find a domain name or an IP address and click Configure Access Control Policy in the Actions column. In the Create Outbound Policy panel of the Internet Border page, create an outbound access control policy. For more information, see Create access control policies for the Internet firewall on outbound and inbound traffic. View the details of an outbound domain name On the Outbound Domains tab, find an outbound domain name and click Details in the Actions column. In the Outbound Domains panel, view the details of the domain name. On the Outbound Connection Initiated over EIP and Outbound Connection Initiated over Private IP Address of NAT Gateway tabs of the panel, view the information about the Elastic Compute Service (ECS) instances that initiated outbound connections. You can also click View Logs in the Actions column to go to the Traffic Logs tab of the Log Audit page. For more information, see Traffic logs. Add a domain name or an IP address to an address book On the Outbound Domains or Outbound IP Addresses tab, find a domain name or an IP address, click the icon in the Actions column, and then click Add to Address Book. The system redirects to the Create Address Book panel of the Address Books page. For more information, see Manage address books. Mark a domain name or an IP address as followed On the Outbound Domains or Outbound IP Addresses tab, find a domain name or an IP address, click the icon in the Actions column, and then click Mark as Followed. Unfollow a domain name or an IP address On the Outbound Domains or Outbound IP Addresses tab, click Followed in the upper-right corner. In the Followed panel, unfollow a destination domain name, destination IP address, public IP address, or private IP address. Add a domain name or an IP address to the whitelist On the Outbound Domains or Outbound IP Addresses tab, find a domain name or an IP address, click the icon in the Actions column, and then click Add to Whitelist to add the domain name or IP address to the whitelist. This way, Cloud Firewall no longer analyzes the domain name or IP address, and the information about the domain name or IP address is no longer displayed. Remove a domain name or an IP address from the whitelist On the Outbound Domains or Outbound IP Addresses tab, click Ignored in the upper-right corner. In the Ignored panel, remove a domain name or an IP address from the whitelist. This way, the information about the domain name or IP address is displayed on the Outbound Connection page again. View logs On the Outbound Domains or Outbound IP Addresses tab, find a domain name or an IP address, click the icon in the Actions column, and then click View Logs. The system redirects to the Traffic Logs tab of the Log Audit page. For more information, see Traffic logs.
Outbound IP Addresses	The number of risky destination IP addresses and the total number of destination IP addresses in outbound connections. The outbound connections are initiated from your business to the IP addresses, which are located on the the Internet.
Assets Initiating Outbound Connections over Public IP Addresses	The number of risky assets and the total number of assets in outbound connections. The outbound connections are initiated from the assets to the Internet by using the public addresses of the assets, such as elastic IP addresses (EIPs).	You can click Assets Initiating Outbound Connections over Public IP Addresses in the Data Statistics section to go to the Assets Initiating Outbound Connections over Public IP Addresses tab and click Assets Initiating Outbound Connections over IP Addresses of NAT Gateways in the Data Statistics section to go to the Assets Initiating Outbound Connections over IP Addresses of NAT Gateways tab. You can perform the following operations on the tabs: Mark an IP address as followed Find an IP address and click Mark as Followed in the Actions column. Unfollow a domain name or an IP address In the upper-right corner, click Followed. In the Followed panel, unfollow a destination domain name, destination IP address, public IP address, or private IP address. View logs Find a domain name or an IP address and click View Logs in the Actions column. The system redirects to the Traffic Logs tab of the Log Audit page. For more information, see Traffic logs.
Assets Initiating Outbound Connections over IP Addresses of NAT Gateways	The number of risky private assets and the total number of private assets in outbound connections. The outbound connections are initiated from the assets to the Internet by using the IP addresses of NAT gateways.
Outbound Connection Protocol	The analysis results of protocols that are used in outbound connections. The outbound connections are initiated from your business to the Internet. The results include the number of unidentified protocols, the total number of used protocols, and the proportion of unidentified protocols to all used protocols.	You can click Protocol Analysis in the Data Statistics section to go to the Outbound Connection Protocol tab. You can perform the following operations on the tab: View logs: Find a protocol and click View Logs in the Actions column. The system redirects to the Traffic Logs tab of the Log Audit page. For more information, see Traffic logs.

Export the statistics of outbound connections

You can click the Download icon icon in the upper-right corner of the Outbound traffic tab to export the statistics of outbound connections to your computer in the CSV format. The statistics include outbound domain names, outbound destination IP addresses, assets that initiate outbound connections by using public IP addresses, assets that initiate outbound connections by using private IP addresses, and protocols that are used in outbound connections. This allows you to view and analyze the statistics.

Visualized analysis

The Visualized analysis tab displays the peak traffic of all private and public IP addresses, the traffic trend charts of all IP addresses, and the statistics of outbound traffic. This helps you monitor the outbound traffic of your assets in real time.

Log on to the Cloud Firewall console. In the left-side navigation pane, choose Traffic Analysis > Outbound Connection.
On the Outbound Connection page, click the Visualized analysis tab.

On the Visualized analysis tab, specify a time range and view the information. The following table describes the information.

You can select a time period from the drop-down list. You can also specify a custom time range within the previous 30 days.


Parameter	Description	Supported operation
IP Traffic	Private IP: This tab displays the peak response traffic of private IP addresses within the specified time range in descending order.	In the IP Traffic section, you can enter a public or private IP address in the search box and click the search icon to refresh data and view the traffic trend of the IP address.
IP Traffic	Public IP: This tab displays the peak response traffic of public IP addresses within the specified time range in descending order.
Trends of Traffic	This section displays the trends of peak request and response traffic of specified or all network assets in real time.	You can move the pointer over a position in the trend chart to view the peak request and response traffic at the point in time that corresponds to the position. In the Trends of Traffic section, you can click a point in time on the x-axis to refresh the rankings in the IP Traffic section.
Rankings of Visits by Traffic	This section displays the top 10 destination locations, top 10 destination service providers, top 10 IP address ranges based on session percentages, and statistics of ports.	None.

You can click View Logs in the upper-right corner of the Trends of Traffic section to go to the Traffic Logs tab of the Log Audit page to view the traffic logs of the Internet firewall. For more information, see Traffic logs.