This topic provides answers to some frequently asked questions about network traffic analysis of Cloud Firewall.
Traffic from unknown applications accounts for a large proportion in traffic analysis. Does this occur because Cloud Firewall cannot identify the types of applications that generate traffic from the Internet?
Possible causes:
A large amount of traffic is generated from the Internet, and the traffic does not comply with standard protocols. As a result, Cloud Firewall cannot identify the application type for the traffic.
The destination server blocks network traffic and returns a large number of RST packets. The RST packets are counted in the inbound or outbound traffic. A large number of RST packets cause a large proportion of traffic from applications whose type is Unknown.
You can go to the Log Audit page and click the Event Logs or Traffic Logs tab to view the source and purpose of the traffic from unknown applications. Then, you can determine whether the traffic is normal.
When I view the results of all access activities, the system displays a large proportion of traffic from unknown ISPs. Why?
For inbound traffic from Hong Kong (China), Macao (China), Taiwan (China), or regions outside China, the system displays only the names of the countries or regions. Cloud Firewall marks the Internet service providers (ISPs) of such traffic as unknown.
You can go to the Log Audit page and click the Traffic Logs tab to view the region and ISP for an IP address.
The tags of domain names are displayed on the Outbound Connection page. What are the meanings of the tags?
Cloud Firewall automatically adds tags based on the Internet information about the domain names or the destination IP addresses that are involved in outbound activities. The tags include Malicious download, Ore pooled, Threat Intelligence, New, Popular website, and DDoS Trojan.
Malicious download, Ore pooled, or Threat Intelligence: Cloud Firewall considers the outbound activity risky.
Note: You must check whether the outbound activity is a false positive at the earliest opportunity. If the outbound activity is malicious, we recommend that you configure an access control policy to limit related activities. For more information, see Create inbound and outbound access control policies for the Internet firewall.
New: Cloud Firewall identifies an outbound activity for the first time.
Popular website: A domain name is frequently accessed by your server or business.
DDoS Trojan: Cloud Firewall considers that the outbound activity may trigger DDoS attacks.
How do I troubleshoot network connection failures?
After you enable a firewall, the following issues may occur:
You cannot log on to your server.
You cannot access the services that run on your server.
Your server cannot connect to the Internet.
If the preceding issues occur, troubleshoot them from two dimensions: the Internet firewall and the internal firewalls (security groups).
Internet firewall
Check whether the Internet firewall is enabled for your asset.
After you enable the Internet firewall, traffic passes through Cloud Firewall. For more information about how to enable the Internet firewall, see Internet firewall.
Note: If the Internet firewall is disabled for your asset, traffic does not pass through Cloud Firewall. In this case, you must check whether other issues such as network connection failures occur.
Check whether traffic logs are generated on the Traffic Logs tab.
If no traffic logs are found, the traffic is discarded before it reaches the Internet firewall.
If traffic logs are found and the action is Discard, the traffic is discarded by the Internet firewall. In this case, you can find the relevant event on the Event Logs tab and check the module that performs the Discard action based on the information in the Module column.
If the Discard action is performed by the Access Control module, the traffic is discarded based on the access control policies that you configure. We recommend that you check the access control policies and modify them based on your business requirements.
If the Discard action is performed by the Basic Protection, Virtual Patches, or Threat Intelligence module, the traffic is discarded based on the intrusion prevention policies that you configure. In this case, you can choose
in the left-side navigation pane to disable the intrusion prevention policies.
If traffic logs are found and the action is Allow or Monitor, the traffic is not discarded by the Internet firewall. You must check security groups.
Internal firewalls (security groups)
Log on to the ECS console.
In the left-side navigation pane, choose
. Find and click the Elastic Compute Service (ECS) instance on which the network connection failure occurs. On the Security Groups tab, make sure that the value in the Action column of the required security group rule is Allow.
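The troubleshooting steps above form a decision tree over the Traffic Logs and Event Logs tabs. The following Python is an added example, not Alibaba Cloud's own code: it applies that decision tree to constructed log records. The record field names (src_ip, dst_ip, dst_port, action, module) are assumptions made for this example and do not reflect the console's export schema.

```python
"""Added example, not Alibaba Cloud's own code: the Cloud Firewall
troubleshooting decision tree applied to traffic-log and event-log records.
Field names are assumptions chosen for this example."""

from typing import Iterable

# Modules named on the page, grouped by the policy set that controls them.
ACCESS_CONTROL_MODULES = {"Access Control"}
IPS_MODULES = {"Basic Protection", "Virtual Patches", "Threat Intelligence"}

# Recommended next action for each outcome, following the steps on the page.
ADVICE = {
    "before_firewall": "no traffic logs: the traffic is discarded before it "
                       "reaches the Internet firewall; confirm the firewall is "
                       "enabled for the asset and look for other network failures",
    "security_group": "the Internet firewall allowed the traffic: check the "
                      "ECS security group rules",
    "access_control": "discarded by Access Control: review the access control "
                      "policies that match this traffic",
    "ips": "discarded by an intrusion prevention module: review the intrusion "
           "prevention policies",
    "unknown_module": "discarded, but no event log names the module",
}


def diagnose(traffic_logs: Iterable[dict], event_logs: Iterable[dict],
             src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Return the outcome key (see ADVICE) for one failing connection."""
    flow = [r for r in traffic_logs
            if (r["src_ip"], r["dst_ip"], r["dst_port"]) == (src_ip, dst_ip, dst_port)]
    if not flow:
        # Step 2 on the page: no traffic logs means the packets never
        # reached the Internet firewall.
        return "before_firewall"
    if all(r["action"] in ("Allow", "Monitor") for r in flow):
        # The Internet firewall let it through: look at the internal firewall.
        return "security_group"
    # At least one Discard: the event logs say which module dropped it.
    modules = {e["module"] for e in event_logs
               if e["src_ip"] == src_ip and e["dst_ip"] == dst_ip}
    if modules & ACCESS_CONTROL_MODULES:
        return "access_control"
    if modules & IPS_MODULES:
        return "ips"
    return "unknown_module"


# Constructed sample records (RFC 5737 documentation addresses).
SAMPLE_TRAFFIC_LOGS = [
    {"src_ip": "203.0.113.10", "dst_ip": "198.51.100.5", "dst_port": 22, "action": "Discard"},
    {"src_ip": "203.0.113.11", "dst_ip": "198.51.100.5", "dst_port": 443, "action": "Allow"},
    {"src_ip": "203.0.113.12", "dst_ip": "198.51.100.5", "dst_port": 80, "action": "Discard"},
]
SAMPLE_EVENT_LOGS = [
    {"src_ip": "203.0.113.10", "dst_ip": "198.51.100.5", "module": "Access Control"},
    {"src_ip": "203.0.113.12", "dst_ip": "198.51.100.5", "module": "Virtual Patches"},
]

if __name__ == "__main__":
    cases = (("203.0.113.10", 22), ("203.0.113.11", 443),
             ("203.0.113.12", 80), ("192.0.2.99", 3389))
    for src, port in cases:
        outcome = diagnose(SAMPLE_TRAFFIC_LOGS, SAMPLE_EVENT_LOGS, src, "198.51.100.5", port)
        print(f"{src}:{port} -> {ADVICE[outcome]}")
```

Each connection is classified by the first condition that applies, in the same order as the steps on the page: missing traffic logs, then an Allow or Monitor action, then the module recorded in the event logs for a Discard.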
What are the priorities of rules that are used by Cloud Firewall to protect traffic?
Cloud Firewall matches traffic against rules based on the following priorities of rules:
If no access control policies are enabled, or if access control policies are enabled but the traffic does not match access control policies, Cloud Firewall matches the traffic first against the rules of Threat Intelligence, and then against the rules of Basic Protection, Intelligent Defense, and Virtual Patches.
Note: If the traffic is blocked by the rules of Threat Intelligence, Cloud Firewall no longer matches the traffic against other rules.
If access control policies are enabled and the traffic matches an Allow policy or a Monitor policy, Cloud Firewall does not match the traffic against the rules of Threat Intelligence, but matches the traffic against the rules of Basic Protection, Intelligent Defense, and Virtual Patches.
If access control policies are enabled and the traffic matches a Deny policy, Cloud Firewall no longer matches the traffic against other rules.
Cloud Firewall matches traffic against the rules of Basic Protection, Intelligent Defense, and Virtual Patches without priority.
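The matching order above can be written down as a small evaluation function. The following Python is an added example, not Alibaba Cloud's own code: it encodes the stated order (access control first; Threat Intelligence only when no access control policy matches; Basic Protection, Intelligent Defense, and Virtual Patches evaluated together without priority). The policy and flow representations, the detector callables, and the assumption that the first matching access control policy wins are all choices made for this example.

```python
"""Added example, not Alibaba Cloud's own code: the rule-matching order of
Cloud Firewall expressed as a function. Flow fields, policy representation
and the sample detectors are assumptions made for this example."""

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Flow = dict
Detector = Callable[[Flow], bool]

# The three modules the page says are matched without priority among them.
IPS_MODULES = ("Basic Protection", "Intelligent Defense", "Virtual Patches")


@dataclass
class AclPolicy:
    name: str
    action: str          # "Allow", "Monitor" or "Deny"
    matches: Detector


@dataclass
class Verdict:
    action: str          # final action for the flow
    decided_by: str      # policy or module that fixed the action
    consulted: List[str] = field(default_factory=list)   # rule sets checked, in order


def evaluate(flow: Flow, acl_policies: List[AclPolicy], acl_enabled: bool,
             threat_intel: Detector, ips_modules: Dict[str, Detector]) -> Verdict:
    consulted: List[str] = []
    matched: Optional[AclPolicy] = None
    if acl_enabled:
        for policy in acl_policies:
            if policy.matches(flow):
                matched = policy          # assumption: first matching policy wins
                consulted.append(f"ACL:{policy.name}")
                break
    # A matching Deny policy ends evaluation immediately.
    if matched is not None and matched.action == "Deny":
        return Verdict("Deny", f"ACL:{matched.name}", consulted)
    # Threat Intelligence runs only when no access control policy matched,
    # and a Threat Intelligence block ends evaluation.
    if matched is None:
        consulted.append("Threat Intelligence")
        if threat_intel(flow):
            return Verdict("Deny", "Threat Intelligence", consulted)
    # The three intrusion prevention modules are checked together; all hits are reported.
    hits = []
    for name in IPS_MODULES:
        consulted.append(name)
        if ips_modules[name](flow):
            hits.append(name)
    if hits:
        return Verdict("Deny", ", ".join(hits), consulted)
    if matched is not None:
        return Verdict(matched.action, f"ACL:{matched.name}", consulted)
    return Verdict("Allow", "no rule blocked the traffic", consulted)  # assumed default


# Constructed sample policies and detectors (RFC 5737 documentation addresses).
TI_BLOCKLIST = {"203.0.113.7"}
SAMPLE_ACL = [
    AclPolicy("deny-telnet", "Deny", lambda f: f["dst_port"] == 23),
    AclPolicy("allow-web", "Allow", lambda f: f["dst_port"] in (80, 443)),
]
SAMPLE_IPS = {
    "Basic Protection": lambda f: "basic" in f.get("signatures", ()),
    "Intelligent Defense": lambda f: "intel" in f.get("signatures", ()),
    "Virtual Patches": lambda f: "vpatch" in f.get("signatures", ()),
}


def sample_threat_intel(flow: Flow) -> bool:
    return flow["src_ip"] in TI_BLOCKLIST


def demo(flow: Flow, acl_enabled: bool = True) -> Verdict:
    return evaluate(flow, SAMPLE_ACL, acl_enabled, sample_threat_intel, SAMPLE_IPS)


if __name__ == "__main__":
    for flow in ({"src_ip": "203.0.113.7", "dst_port": 8080},
                 {"src_ip": "203.0.113.7", "dst_port": 443},
                 {"src_ip": "203.0.113.7", "dst_port": 23},
                 {"src_ip": "198.51.100.9", "dst_port": 8080, "signatures": {"vpatch"}}):
        print(flow, "->", demo(flow))
```

The consulted list is the useful output: it shows that a listed source IP address is still evaluated by the three intrusion prevention modules when an Allow policy matches, but is never checked against Threat Intelligence in that case, exactly as the page describes.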
What do I do if the volume of my business traffic exceeds the purchased bandwidth of Cloud Firewall?
If the volume of your business traffic exceeds the purchased bandwidth, the excess traffic is not protected by Cloud Firewall. Cloud Firewall can protect only the traffic whose volume does not exceed the bandwidth. To enable Cloud Firewall to protect the excess business traffic, you must increase the bandwidth. For more information about how to increase the bandwidth, see Renewal.
If the volume of your business traffic exceeds the purchased bandwidth, we recommend that you perform the following operations:
Go to the Overview page to view traffic trends. You can view the traffic changes on the Outbound Connection, Internet Exposure, and VPC Access pages. Then, you can identify suspicious IP addresses based on Cloud Firewall logs and handle the risks.
To identify a suspicious IP address, perform the following steps:
Log on to the Cloud Firewall console. In the left-side navigation pane, click Overview.
In the Traffic Trends section of the Overview page, click the Internet Border and VPC Firewall tabs to view the traffic trend charts.
Move the pointer over a trend chart to view the details of inbound and outbound peak traffic at a specified point in time.
Use the trend charts to determine whether the peak value of inbound traffic or the peak value of outbound traffic is higher. For example, the peak value of inbound traffic is higher than the peak value of outbound traffic.
Peak Inbound Traffic = Peak Traffic of Outbound Responses + Peak Traffic of Request Exposed on Internet
Peak Outbound Traffic = Peak Traffic of Outbound Requests + Peak Traffic of Response Exposed on Internet
Click the
icon to the right of Peak Inbound Traffic and Peak Outbound Traffic. In the tooltip that appears, click Peak Traffic of Outbound Requests or Peak Traffic of Response Exposed on Internet to go to the Outbound Connection page or the Internet Exposure page to view the details of peak traffic. Then, you can identify suspicious IP addresses based on Cloud Firewall logs.
If the volume of your business traffic exceeds the purchased bandwidth, Cloud Firewall sends you a notification email. We recommend that you check your email on a regular basis and handle issues based on the information that is provided in the email.
Note: If the volume of your business traffic exceeds the purchased bandwidth, Cloud Firewall sends you a notification email within 24 hours.