After the Internet firewall is enabled for your network assets, the Outbound Connections page displays real-time information about outbound connections initiated by your servers. This helps you detect suspicious servers. This topic describes the information displayed and operations that you can perform on this page.
Overview

Outbound connection statistics

- Outbound Domains: the total number of domain names and the number of risky domain names in outbound connections.
You can click this section to view details about the domain names on the Outbound Domains tab of the Outbound traffic tab.
- Outbound IP Addresses: the total number of destination IP addresses and the number of risky destination IP addresses in outbound connections.
You can click this section to view details about the outbound IP addresses on the Outbound IP Addresses tab of the Outbound traffic tab.
- Assets: the total number of assets that initiate outbound connections and the number of assets that initiate risky outbound connections.
You can click this section to view details about the assets on the Assets tab of the Outbound traffic tab.
- Protocol Analysis: the analysis results of protocols used in outbound connections, including the total number of protocols and the proportion of outbound connections with unidentified protocols.
You can click this section to view details about the IP address traffic and analysis results of protocols in the Visualized analysis tab. This tab displays IP Traffic and Protocol Analysis.
Outbound traffic
The Outbound traffic tab displays domain names, destination IP addresses, and assets used in outbound connections. You can click the Outbound Domains, Outbound IP Addresses, or Assets tab to view details.
- Outbound Domains
Each record includes the following information: Domain Name, Traffic, Requests, Category, Intelligence Tag, and Recommended Operation. Category and Intelligence Tag are website attributes that Cloud Firewall adds based on the Internet information of a domain name. For more information about the tags, see FAQ about network traffic analysis.
You can click the icon in the upper-right corner above the outbound domain name list to download the list to your computer in CSV format for review and analysis.
You can perform the following operations on the outbound domain names:
- Ignore: Find a domain name and click Ignore in the Recommended Operation column. The domain name is added to the Destination Domain tab of the Ignored tab.
To remove a domain name from the Ignored tab, click Ignored in the upper-right corner. On the Destination Domain tab, find the domain name and click Cancel Ignore in the Actions column.
- Follow: Find a domain name and choose in the Recommended Operation column. The domain name is added to the Destination Domain tab of the Followed tab.
To unfollow a domain name, click Followed in the upper-right corner. On the Destination Domain tab, find the domain name and click Unfollow in the Actions column.
- View Logs: Find a domain name and choose in the Recommended Operation column. On the Traffic Logs tab of the Log Audit page, view the traffic information about the domain name. For more information, see Log audit.
- View Details: Find a domain name and choose in the Recommended Operation column. In the Outbound Domains panel, view the access details of the domain name. The details include the IP addresses of ECS instances that access the domain name, the time when the outbound connections are initiated, the transmission rates of request and response traffic, and the number of requests.
The following figure shows the access details of a domain name.
- Outbound IP Addresses
Each record includes the following information: Destination IP, Applications/Ports, Traffic, Sessions, Category, Address Book, Intelligence Tag, and Recommended Operation. Category and Intelligence Tag are website attributes that Cloud Firewall adds based on the Internet information of a domain name. For more information about the tags, see FAQ about network traffic analysis. Address Book indicates the address book that stores the destination IP address.
You can click the icon in the upper-right corner above the outbound IP address list to download the list to your computer in CSV format for review and analysis.
You can perform the following operations on the outbound IP addresses:
- Ignore: Find an IP address and click Ignore in the Recommended Operation column. The IP address is added to the Destination IP tab of the Ignored tab.
To remove an IP address from the Ignored tab, click Ignored in the upper-right corner. On the Destination IP tab, find the IP address and click Cancel Ignore in the Actions column.
- Follow: Find an IP address and choose in the Recommended Operation column. The IP address is added to the Destination IP tab of the Followed tab.
To unfollow an IP address, click Followed in the upper-right corner. On the Destination IP tab, find the IP address and click Unfollow in the Actions column.
- View Logs: Find an IP address and choose in the Recommended Operation column. On the Traffic Logs tab of the Log Audit page, view the traffic information about the IP address. For more information, see Log audit.
- View Details: Find an IP address and choose in the Recommended Operation column. In the Outbound IP Addresses panel, view the access details of the IP address. The details include the IP addresses of ECS instances that access this IP address, the time when outbound connections are initiated, the transmission rates of request and response traffic, and the number of requests. The following figure shows the access details of a destination IP address.
- Assets
Each record includes the following information: Asset IP, Asset Type, Instance ID/Name, Region, Traffic, Requests, Security Risk, and Actions. Security Risk indicates the status that Cloud Firewall sets for an asset based on outbound connection records.
You can click the icon in the upper-right corner above the asset list to download the list to your computer in CSV format for review and analysis.
You can perform the following operations on the asset IP addresses:
- Follow: Find an asset IP address and choose in the Actions column. The IP address is added to the Asset IP tab of the Followed tab.
To unfollow an asset IP address, click Followed in the upper-right corner. On the Asset IP tab, find the IP address and click Unfollow in the Actions column.
- View Logs: Find an asset IP address and choose in the Actions column. On the Traffic Logs tab of the Log Audit page, view the traffic information about the asset IP address, which indicates the source IP address of an outbound connection. For more information, see Log audit.
- To view more details about an asset IP address, click the icon next to the asset IP address.
The details include Outbound Domains/Outbound IP Addresses, Requests, Category, Tag, and Recommended Operation. Category and Intelligence Tag are website attributes that Cloud Firewall adds based on the Internet information of a domain name. For more information about the tags, see FAQ about network traffic analysis.
You can perform the following operations on an outbound domain name or IP address that is displayed in the details:
- Ignore: Find an outbound domain name or IP address and click Ignore in the Recommended Operation column. The domain name or IP address is added to the Destination Domain or Destination IP tab of the Ignored tab.
To remove a domain name or IP address from the Ignored tab, click Ignored in the upper-right corner. On the Destination Domain tab, find the domain name or IP address and click Cancel Ignore in the Actions column.
- Follow: Find an outbound domain name or IP address and choose in the Recommended Operation column. The domain name or IP address is added to the Destination Domain or Destination IP tab of the Followed tab.
To unfollow a domain name or IP address, click Followed in the upper-right corner. On the Destination Domain or Destination IP tab, find the domain name or IP address and click Unfollow in the Actions column.
- View Logs: Find an outbound domain name or IP address and choose in the Recommended Operation column. On the Traffic Logs tab of the Log Audit page, view the traffic information about the domain name or IP address. For more information, see Log audit.
Visualized analysis
The Visualized analysis tab displays the IP traffic statistics and protocol analysis modules.
- IP traffic statistics
This module provides IP address lists in the IP Traffic section and traffic trends of IP addresses in the Trends of Traffic section. You can click an IP address in the lists to view its traffic trend.
IP Traffic: lists private and public IP addresses in descending order based on their response traffic at a specific point in time.
- Click the Private IP or Public IP tab to check the traffic of IP addresses.
- In the Trends of Traffic section, click a point in time on the x-axis to refresh the traffic rankings in the IP Traffic section.
- Find an IP address and choose Traffic Logs tab of the Log Audit page, view the traffic information about the IP address. For more information, see Log audit.
Trends of Traffic: displays the peak transmission rates of request and response traffic of specified or all network assets in real time. You can move the pointer over a position in the trend chart to view the peak transmission rates at the point in time that corresponds to the position.
- Specify a time range. By default, data of the last seven days is displayed. You can select a time range in the IP Traffic section. The following time ranges are available:
- Previous Day
- Last 7 Days
- Last 30 Days
- Specify a data range. By default, the traffic trends of all protected network assets are displayed. In the IP Traffic section, you can specify an IP address to view its trends by using one of the following methods:
- Click an IP address, or find an IP address and choose
- Click the search icon in the upper-right corner and enter a public or private IP address.
Note: After you perform this operation, the IP Traffic section does not display traffic rankings. The filter condition you specified is displayed above the chart.
- Protocol analysis
This module contains the Protocol Analysis and Protocol Details sections. The Protocol Analysis section provides a pie chart of Applications.
Applications: displays the proportion of each application protocol used in outbound connections.
Protocol Details: displays the details about application protocols used in outbound connections. You can find an application and click View Logs in the Actions column. On the Traffic Logs tab of the Log Audit page, you can view the traffic information about the application.