Cloud Firewall provides a built-in threat detection engine to defend against intrusions and common attacks in real time. Cloud Firewall also provides the virtual patching feature against threats. You can use the prevention configuration feature of Cloud Firewall to configure the working mode of the threat detection engine. You can also configure the threat intelligence, basic protection, intelligent defense, and virtual patching features to effectively identify and block intrusion attempts. This topic describes the working modes of the threat detection engine, how to block different types of attacks, and how to configure the working mode.
Prerequisites
The Internet firewall is enabled. For more information, see Internet firewall.
Configure the working mode of the threat detection engine
After Cloud Firewall is purchased, Block Mode is automatically enabled, and Cloud Firewall automatically selects a blocking level based on your traffic. The threat intelligence, basic protection, and virtual patching features block threats only while Block Mode is enabled. If Block Mode is disabled, these features only monitor threats and malicious traffic and generate alerts.
Log on to the Cloud Firewall console. In the left-side navigation pane, choose .
In the Threat Engine Mode section, select a working mode for the threat detection engine.
The threat detection engine supports the following modes:
Monitor Mode: If you select this mode, Cloud Firewall monitors traffic and generates alerts for malicious traffic.
Block Mode: If you select this mode, Cloud Firewall blocks malicious traffic and intrusion attempts.
You can also select one of the following levels for this mode based on your business requirements:
Loose: blocks attacks in a loose manner by using only rules that produce a low rate of false positives. This level is suitable for business that requires the rate of false positives to be minimized.
Medium: blocks attacks in a standard manner by using common rules. This level is suitable for daily O&M and provides a lower rate of false positives than the Strict level.
Strict: blocks attacks in a strict manner by using all rules. This level is suitable for business that prioritizes protection coverage over a minimal rate of false positives. This level may cause a higher rate of false positives than the Medium level.
Configure whitelists
In the Advanced Settings section, click Whitelist to add trusted source IPv4 and IPv6 addresses or trusted destination IPv4 and IPv6 addresses to an inbound or outbound whitelist. After you add IP addresses to a whitelist, the basic protection, intelligent defense, and virtual patching features allow traffic of the IP addresses. You can add up to 50 IP addresses to a custom destination IP address whitelist or a custom source IP address whitelist.
The whitelists that you configure take effect only for the basic protection, intelligent defense, and virtual patching features. If you want the threat intelligence feature to allow traffic of IP addresses, you must configure access control policies. For more information, see Create inbound and outbound access control policies for the Internet firewall and What are the priorities of rules that are used by Cloud Firewall to protect traffic?
Configure the threat intelligence feature
In the Advanced Settings section, turn on Threat Intelligence. After you enable the feature, Cloud Firewall matches traffic against threat intelligence and blocks malicious behavior that originates from known command-and-control (C&C) infrastructure. The threat intelligence feature synchronizes malicious IP addresses that are detected across Alibaba Cloud to Cloud Firewall and uses them for precise intrusion prevention. These IP addresses are known sources of malicious access, scans, or brute-force attacks. We recommend that you enable the threat intelligence feature.
Configure the basic protection feature
In the Advanced Settings section, turn on Basic Rules. After you enable the feature, Cloud Firewall detects common threats by default. The basic protection feature protects your assets against common intrusions, such as brute-force attacks and attacks that exploit command execution vulnerabilities. The feature also manages connections from compromised hosts to a command-and-control (C&C) server and provides basic protection for your assets. We recommend that you enable the basic protection feature.
If the default settings do not meet your business requirements, you can click Configure on the right side of the Basic Protection section to configure one or more basic protection policies. You can change only the actions of basic protection policies. The actions include Monitor, Block, and Disable.
Only Cloud Firewall Enterprise Edition and Ultimate Edition allow you to configure basic protection policies.
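The following Python model, added here as an illustration and not part of Cloud Firewall's own code or API, encodes the rules stated in the whitelist, threat intelligence, and basic protection sections: whitelists hold at most 50 IPv4/IPv6 addresses and exempt traffic only for basic protection, intelligent defense, and virtual patching (not threat intelligence), and nothing is blocked unless the engine is in Block Mode. Feature names, the `policy_action` parameter, and the sample addresses are assumptions chosen for the example.

```python
import ipaddress

MONITOR_MODE, BLOCK_MODE = "Monitor Mode", "Block Mode"
MAX_WHITELIST_ENTRIES = 50  # cap per custom source or destination whitelist (from the page)
# Whitelists exempt traffic only for these features; threat intelligence needs an ACL policy.
WHITELIST_SCOPE = {"basic_protection", "intelligent_defense", "virtual_patching"}


def add_whitelist_entry(whitelist, ip):
    """Append a trusted IPv4/IPv6 address; rejects bad addresses, duplicates and overflow."""
    addr = ipaddress.ip_address(ip)  # ValueError on anything that is not a single v4/v6 address
    if addr in whitelist:
        return False  # already trusted, nothing to do
    if len(whitelist) >= MAX_WHITELIST_ENTRIES:
        raise ValueError(f"whitelist full ({MAX_WHITELIST_ENTRIES} entries)")
    whitelist.append(addr)
    return True


def effective_action(engine_mode, feature, src, dst, src_whitelist=(), dst_whitelist=(),
                     policy_action="Block"):
    """Return what the firewall does with a flow that matched a rule of `feature`.

    policy_action models the per-policy action of basic protection (Monitor, Block,
    Disable); for the other features the matched rule is assumed to block.
    """
    src_addr, dst_addr = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if feature in WHITELIST_SCOPE and (src_addr in src_whitelist or dst_addr in dst_whitelist):
        return "Allow"        # trusted address, and the feature honours the whitelist
    if policy_action == "Disable":
        return "Allow"        # the policy is switched off entirely
    if engine_mode == MONITOR_MODE:
        return "Monitor"      # alerts only: nothing is blocked outside Block Mode
    return policy_action      # Block, or Monitor for a policy set to monitor only
```

Note that a whitelisted source still gets "Block" from the threat intelligence feature, which is why the page directs you to an access control policy for that case.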
Configure the intelligent defense feature
In the Advanced Settings section, turn on Intelligent Defense. After you enable the feature, Cloud Firewall learns from a large amount of data about attacks in the cloud to improve the accuracy of threat detection and attack detection. We recommend that you enable the intelligent defense feature.
The intelligent defense feature is available only if you select Monitor Mode.
Configure the virtual patching feature
In the Advanced Settings section, turn on Virtual Patching. After you enable the feature, Cloud Firewall protects your assets against common high-severity vulnerabilities and urgent vulnerabilities in real time. The virtual patching feature provides hot patches at the network layer to protect your business against high-severity vulnerabilities and urgent vulnerabilities that can be remotely exploited. This helps intercept vulnerability exploits in real time and prevents business interruption when vulnerabilities are being fixed. You do not need to install virtual patches on your server. If the feature is disabled, Cloud Firewall cannot automatically update patches for your assets. We recommend that you enable the virtual patching feature.
To configure virtual patching policies, click Configure on the right side of the Virtual Patching section. In the Customize Virtual Patching Policies dialog box, some policies are marked with Focus On, which indicates that the corresponding vulnerabilities are frequently attacked. Take note of these policies and handle the attacks at the earliest opportunity.
Only Cloud Firewall Enterprise Edition and Ultimate Edition support virtual patching policies.
What to do next
After you turn on Basic Protection, you can view malicious traffic that is blocked by Cloud Firewall on the Intrusion Prevention page. The traffic includes inbound and outbound traffic and traffic between VPCs. For more information, see Implementation of intrusion prevention and Use the intrusion prevention feature.
On the Vulnerability Prevention page, you can view information about the vulnerabilities that can be exploited by cyberattacks. The vulnerabilities are automatically detected by Security Center and synchronized to Cloud Firewall. On this page, you can enable the firewalls of Cloud Firewall and configure protection rules of the intrusion prevention system (IPS) to prevent the vulnerabilities from being exploited. For more information, see Use the vulnerability protection feature.
On the Breach Awareness page, you can view intrusion events that are detected by the IPS and the details of the intrusion events. For more information, see Use the breach awareness feature.