
Cloud Firewall:Intrusion prevention

Last Updated:Aug 27, 2025

The Cloud Firewall intrusion prevention system (IPS) detects and blocks malicious traffic in real time. This includes traffic from malicious attacks, vulnerability exploits, brute-force attacks, worms, mining programs, backdoor trojans, and DoS attacks. The IPS protects your cloud-based information systems and network architecture by preventing unauthorized access, data breaches, and damage or downtime to your business systems and applications.

Limits

  • Cloud Firewall intrusion prevention cannot decrypt, inspect, or block traffic that is encrypted using Transport Layer Security (TLS) or Secure Sockets Layer (SSL). However, it does support some IPS detection rules that match on fingerprints of encrypted traffic rather than on decrypted content.

  • Because of data aggregation, intrusion prevention statistics in Cloud Firewall may be delayed. To query real-time data, you can use the log audit or log analysis features. For more information, see Log audit or Query and analyze logs.

    • When you query protection data from the last hour, the statistics are delayed by 10 minutes. The query results do not include protection events from the last 10 minutes.

    • When you query protection data for a period longer than one hour, the statistics are delayed by 30 minutes. The query results do not include protection events from the last 30 minutes.

      For example, if the current time is 15:00:00 and you query data from 12:00:00 to 15:00:00 on the same day, data between 14:30:00 and 15:00:00 is not returned. If you query data from 12:00:00 to 14:30:00, the complete data for that time range is returned.
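The delay rule above decides how much of a requested window the statistics actually cover, which matters when you automate queries against the intrusion prevention data. The following Python helper is an added example, not code from the Cloud Firewall product or its documentation: it encodes the 10-minute and 30-minute delays and reports the effective end of a query. It assumes that "longer than one hour" means strictly longer than 60 minutes and that the query bounds are inclusive; the page does not state either detail. The date used in `effective_range_hm` is constructed for illustration only.

```python
from datetime import datetime, timedelta

# Delay rule from the documentation above. This helper is an added example,
# not part of the Cloud Firewall product or its documentation.
SHORT_WINDOW = timedelta(hours=1)      # queries covering up to one hour ...
SHORT_DELAY = timedelta(minutes=10)    # ... lag by 10 minutes
LONG_DELAY = timedelta(minutes=30)     # longer queries lag by 30 minutes


def statistics_delay(start: datetime, end: datetime) -> timedelta:
    """Delay that applies to a query covering [start, end].

    Assumption: "longer than one hour" means strictly longer than 60 minutes;
    the page does not say how an exactly one-hour query is treated.
    """
    if end <= start:
        raise ValueError("query end must be after query start")
    return SHORT_DELAY if end - start <= SHORT_WINDOW else LONG_DELAY


def effective_range(start: datetime, end: datetime, now: datetime):
    """Return the (start, end) actually covered by the returned statistics,
    or None if the whole requested window falls inside the delay."""
    cutoff = now - statistics_delay(start, end)
    effective_end = min(end, cutoff)
    if effective_end <= start:
        return None
    return start, effective_end


def is_complete(start: datetime, end: datetime, now: datetime) -> bool:
    """True when the statistics for [start, end] are complete at time `now`."""
    return effective_range(start, end, now) == (start, end)


def effective_range_hm(start_hm: str, end_hm: str, now_hm: str):
    """Same as effective_range, with 'HH:MM' strings on a single constructed day."""
    def parse(s: str) -> datetime:
        # Constructed date; only the clock time matters for the delay rule.
        return datetime.strptime(s, "%H:%M").replace(year=2025, month=8, day=27)

    result = effective_range(parse(start_hm), parse(end_hm), parse(now_hm))
    if result is None:
        return None
    return tuple(t.strftime("%H:%M") for t in result)


if __name__ == "__main__":
    # The page's own example: at 15:00, a 12:00-15:00 query stops at 14:30.
    print(effective_range_hm("12:00", "15:00", "15:00"))  # ('12:00', '14:30')
    print(effective_range_hm("12:00", "14:30", "15:00"))  # ('12:00', '14:30'), complete
    print(effective_range_hm("14:30", "15:00", "15:00"))  # ('14:30', '14:50'), 10-minute delay
    print(effective_range_hm("14:55", "15:00", "15:00"))  # None, entirely within the delay
```

When scheduling automated pulls, choose `end` so that it lies at least the applicable delay before the time of the query; otherwise the tail of the window is silently missing and has to be re-queried later, or read from the log audit data instead.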

View or modify intrusion prevention rules

After you enable Cloud Firewall, the threat engine defaults to Block Mode, which automatically blocks attacks. Based on your service traffic, Cloud Firewall also automatically selects a block mode level (Loose, Medium, or Strict). In addition, threat intelligence, basic protection, and virtual patches are enabled by default.

You can go to the IPS Configuration page to manage mitigation policies in one of the following ways:

  • On the Intrusion Prevention page, in the Protection Details list, click the link in the upper-right corner.

  • In the navigation pane on the left, choose Prevention Configuration > IPS Configuration.

On the Basic Protection card, click Configure to view the default intrusion prevention rules. To modify a rule, find the rule and change its action in the Current Action column. For more information, see IPS Configuration.

Enable IPS private IP tracing

  • Navigation:

    On the Intrusion Prevention page, click the link in the upper-right corner of the Protection Details list to open the IPS Private IP Tracing Configuration page.

  • Enable the feature:

    On the IPS Private IP Tracing page, you can enable tracing for specific resources. This helps you quickly locate risky assets without exposing their private IP addresses.

    Note

    To use the IPS Private IP Tracing feature, you must enable both Internet Firewall Protection and NAT Session Log Service for the asset. For more information, see IPS Private IP Tracing Configuration.

  • View traced sources:

    After you enable this feature, the Intrusion Prevention page displays the IP addresses of risky assets in the Protection Details list and the Details panel.

View internet blocking events

Cloud Firewall provides statistics on inbound and outbound internet traffic protection for your cloud assets. This helps you understand the protection status of your assets and ensure their security. You can query data on blocked internet traffic from the last 90 days. The maximum time range for a single query is 31 days.

Navigate to the Detection and Response > Intrusion Prevention page. On the Protection Status tab, you can set a time range to view protection statistics and protection details.

  • The Protection Statistics module displays the total number of attacks, the distribution of attack types, and the amount of blocked data.

    The blocked data metrics are described as follows:

    • Top Blocked Destinations: The top five destination IP addresses blocked by Cloud Firewall.

      Hover over a destination IP address and click the View Logs icon to open the Log Audit page. This page displays traffic details for the IP address, such as the destination port, application, and action.

    • Top Blocked Sources: Displays the top three source IPs blocked by Cloud Firewall.

    • Top Blocked Applications: Displays the top five applications blocked by Cloud Firewall.

  • Protection Details: Displays the details of blocked attack traffic based on your query conditions. The details include the risk level, number of events, source IP address, and destination IP address.

    Note

    If the source IP is a WAF or DDoS back-to-origin IP address, Cloud Firewall identifies it and displays WAF Back-to-Origin IP or DDoS Back-to-Origin IP.

    In this section, you can perform the following operations:

    • To search for events, select criteria such as risk level, protection status, attack type, detection source, direction, and time range. Then, click Search to view the matching events.

    • In the Actions column, click Details to view the details of a blocked event. The details page provides information such as Basic Information and Attack Payload. The Attack Payload information shows the 5-Tuple Information and the content of the payloads for the attack traffic, which helps you trace the source of attacks and reduce security risks.

    • Download blocked events: Click the Download icon to the right of the search bar, and then retrieve the exported file from Download Task Management in the upper-right corner.

    • To quickly analyze an event with the Security AI Assistant, click the analysis icon in the AI Analysis column.

      The analysis includes:

      Payload content analysis: Includes a brief description of the request and the AI's analysis of the requested action.

      Threat intelligence: The result of comparing the destination address with the threat intelligence database.

      Note

      This item is not supported in the Premium Edition and pay-as-you-go editions of Cloud Firewall.

      Attacker intent: A prediction of the attacker's intent based on AI analysis.

      Defense suggestions: Provides suggestions for Cloud Firewall mitigation settings (such as access control list (ACL) policies and IPS configurations) and asset investigation.

View VPC blocking events

Cloud Firewall provides statistics on traffic protection between VPCs. You can view the status of allowed and blocked traffic between VPCs. You can query data on blocked VPC traffic from the last 90 days. The maximum time range for a single query is 31 days.

Note

The VPC Protection tab is unavailable in Cloud Firewall Premium Edition because this edition does not support VPC firewalls.

Go to the Detection and Response > Intrusion Prevention page. On the VPC Protection tab, you can view details about blocked VPC events within a specified time range, such as the event name, risk level, and attack type.

You can perform the following operations:

  • To search for events, specify criteria such as risk level, protection status, attack type, and time. Then, click Search to view the events that match your criteria.

  • In the Actions column, click Details to view the details of a blocked event. The details page displays information such as Basic Information and Attack Payload. The Attack Payload section displays the 5-Tuple Information and the content of the payloads from the attack traffic. You can use this information to trace the source of attacks and reduce security risks.

  • Click the Download icon to the right of the search bar to download protection events. You can find the exported file in the Download Task Management section in the upper-right corner.

  • AI-assisted analysis: In the AI Analysis column, click the analysis icon to use the Security AI Assistant for quick event analysis.

    The analysis includes:

    Payload content analysis: Includes a brief description of the request and the AI's analysis of the requested action.

    Threat intelligence: The result of comparing the destination address with the threat intelligence database.

    Note

    This item is not supported in the Premium Edition and pay-as-you-go editions of Cloud Firewall.

    Attacker intent: A prediction of the attacker's intent based on AI analysis.

    Defense suggestions: Provides suggestions for Cloud Firewall mitigation settings (such as ACL policies and IPS configurations) and asset investigation.