This topic answers some frequently asked questions about the attack prevention features of Cloud Firewall.
- Why does Cloud Firewall block requests from the server IP addresses of Security Center and other scanners when I scan for vulnerabilities?
- Why is attack traffic not blocked after I select a block mode on the Prevention Configuration page?
- Vulnerabilities are detected in my assets, but no statistics are displayed on the Vulnerability Prevention page of the Cloud Firewall console. Why?
- How does Cloud Firewall obtain attack samples?
Why does Cloud Firewall block requests from the server IP addresses of Security Center and other scanners when I scan for vulnerabilities?
Possible causes
When you use Security Center to scan your servers for application vulnerabilities, Security Center simulates intrusions launched from the Internet against your servers. To Cloud Firewall, this traffic looks like real attack traffic, so it may trigger the protection policies or access control policies of Cloud Firewall and be blocked.
Solutions
If you want to perform a vulnerability scan, we recommend that you add the server IP addresses of Security Center and other scanners to the whitelist in the Prevention Configuration module of Cloud Firewall before you start the scan. Traffic from whitelisted addresses is not inspected by intrusion prevention, so add only the published scanner addresses and keep the list current. For more information about the server IP addresses of Security Center, see Server IP addresses of the web scanner. For more information about how to add IP addresses to the whitelist in the Prevention Configuration module, see Configure a protection whitelist.
Why is attack traffic not blocked after I select a block mode on the Prevention Configuration page?
Possible causes
- You did not turn on the Basic Protection, Virtual Patches, or Threat Intelligence switch, or you set the working mode to Monitor, in which attacks are logged but not blocked.
- You configured a whitelist that allows the matched traffic, so the traffic is not inspected.
- You selected a block mode on the Prevention Configuration page, but the action of the matched Basic Protection rule is set to Monitor or Disable. A block mode only determines which rule groups have their Block action enforced; it does not change the action configured for a rule:
  - Loose: Only the Block action in Loose rule groups takes effect.
  - Medium: The Block action in Loose and Medium rule groups takes effect.
  - Strict: The Block action in Loose, Medium, and Strict rule groups takes effect.
Solutions
- Turn on the switches for Basic Protection, Virtual Patches, and Threat Intelligence, and make sure that the working mode is not Monitor. For more information, see Advanced settings.
- Check the whitelists and remove entries that cover the attack source. For more information, see Configure whitelists.
- Select a block mode that covers the rule group of the matched rule, or change the action of the rule group to Block. For more information, see Working modes of the threat detection engine.
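The two questions above come down to one precedence order: the protection switch, then the whitelist, then the block mode, then the action configured for the rule. The following Python model is an added example that encodes that order so you can reason about why a given request was or was not blocked; it is not Cloud Firewall code, and the rule names, group labels, and addresses are constructed for illustration. It also assumes that a rule whose group is not covered by the selected block mode is logged rather than silently ignored.

```python
"""Model of the Cloud Firewall prevention precedence described in this FAQ.

Added example, not Cloud Firewall code. Order of evaluation (assumed from the
FAQ text): protection switch -> whitelist -> rule action -> block mode.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Block modes ordered by strictness. A rule group's Block action is enforced
# only when the selected mode is at least as strict as the group's label.
MODE_RANK = {"loose": 0, "medium": 1, "strict": 2}


@dataclass
class Rule:
    name: str     # constructed identifier, not a real Cloud Firewall rule ID
    group: str    # rule group the rule belongs to: loose, medium or strict
    action: str   # action configured for the rule: block, monitor or disable


@dataclass
class PreventionConfig:
    basic_protection_on: bool
    block_mode: str                                   # loose, medium or strict
    whitelist: List[str] = field(default_factory=list)  # CIDR strings


def effective_action(cfg: PreventionConfig, rule: Rule, src_ip: str) -> Tuple[str, str]:
    """Return (outcome, reason) for traffic from src_ip that matches rule.

    outcome is one of: allow (not inspected or rule off), monitor (logged only),
    block (connection dropped).
    """
    if not cfg.basic_protection_on:
        return "allow", "Basic Protection switch is off: rule is not evaluated"

    ip = ip_address(src_ip)
    for cidr in cfg.whitelist:
        if ip in ip_network(cidr, strict=False):
            return "allow", f"source {src_ip} matches whitelist entry {cidr}"

    if rule.action == "disable":
        return "allow", f"rule {rule.name} is disabled"
    if rule.action == "monitor":
        return "monitor", f"rule {rule.name} action is Monitor: logged, not blocked"

    # Rule action is Block; the block mode decides whether Block is enforced.
    if MODE_RANK[rule.group] > MODE_RANK[cfg.block_mode]:
        return "monitor", (f"rule {rule.name} is in the {rule.group} group but the "
                           f"block mode is {cfg.block_mode}: Block is not enforced")
    return "block", f"rule {rule.name} blocked in {cfg.block_mode} mode"


if __name__ == "__main__":
    # Constructed scenario: Medium mode, scanner range 203.0.113.0/24 whitelisted.
    cfg = PreventionConfig(True, "medium", ["203.0.113.0/24"])
    rules = [Rule("sqli-basic", "loose", "block"),
             Rule("deserialization-rare", "strict", "block"),
             Rule("webshell-upload", "loose", "monitor")]
    for src in ("198.51.100.7", "203.0.113.9"):
        for r in rules:
            outcome, why = effective_action(cfg, r, src)
            print(f"{src:>14} {r.name:<22} {outcome:<8} {why}")
```

Run it and read the reason column: a scanner address in the whitelist is never inspected, a Strict-group rule under Medium mode is logged instead of blocked, and a rule whose action is Monitor never blocks regardless of the mode. When traffic you expected to be blocked shows up only in logs, check these conditions in the same order.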
Vulnerabilities are detected in my assets, but no statistics are displayed on the Vulnerability Prevention page of the Cloud Firewall console. Why?
The following list describes the possible causes:
- Cloud Firewall detects exploitation attempts from attack traffic and blocks them. If no attack traffic targets a vulnerability, no prevention statistics are displayed for that vulnerability, even though the vulnerability exists.
- Vulnerabilities that Security Center detects by software component analysis are not synchronized to Cloud Firewall. Security Center finds these vulnerabilities by collecting software version information from your assets, not by observing network traffic. Only vulnerabilities that are detected by network scans are synchronized to Cloud Firewall.
- The vulnerabilities are on assets that reside only in an internal network. Cloud Firewall displays statistics only for vulnerabilities on assets that are exposed to the Internet.
For more information about vulnerability prevention, see Prevention configuration.
How does Cloud Firewall obtain attack samples?
- Go to the Intrusion Prevention page. On the Internet Traffic Blocking tab, find the event and click View Details in the Actions column. On the Attack Payload tab of the panel that appears, view the attack samples in the Payloads section.
- Go to the Log Audit page. On the Traffic Logs tab, set All Policy Source to Basic Protection or Virtual Patches and click Search. In the result list, find the log entry and click Obtain Attack Sample in the Actions column.