Cloud Firewall provides a built-in threat detection engine to defend against intrusions and common attacks in real time. Cloud Firewall also provides a virtual patching feature that protects your assets against vulnerability exploits. You can use the prevention configuration feature of Cloud Firewall to configure the working mode of the threat detection engine. You can also configure the threat intelligence, basic protection, intelligent defense, and virtual patching features to effectively identify and block intrusion attempts. This topic describes the prevention configuration feature and related operations.

Limits

Cloud Firewall Premium Edition, Enterprise Edition, and Ultimate Edition support the prevention configuration feature. Cloud Firewall Premium Edition does not support the custom virtual patching and basic protection features.

Prerequisites

Internet Firewall is enabled. For more information, see Internet firewall.

Working modes of the threat detection engine

  1. Log on to the Cloud Firewall console. In the left-side navigation pane, choose Intrusion Prevention > Prevention Configuration.
  2. In the Threat Engine Mode section of the Prevention Configuration page, select a working mode for the threat detection engine.
    The threat detection engine supports the following modes:
    • Monitor Mode: If you enable this mode, Cloud Firewall monitors traffic and generates alerts for malicious traffic.
    • Block Mode: If you enable this mode, Cloud Firewall blocks malicious traffic and intrusion attempts.
      You can also select one of the following levels for this mode based on your business requirements:
      • Loose: blocks attacks in a loose manner by using only rules that have a low false positive rate. This level is suitable for business that requires the false positive rate to be minimized.
      • Medium: blocks attacks in a standard manner by using common rules. This level is suitable for daily O&M and delivers a lower false positive rate than the Strict level.
      • Strict: blocks attacks in a strict manner by using all rules. This level is suitable for business that requires the false negative rate to be minimized. This level may cause a higher false positive rate than the Medium level.
      Note After Cloud Firewall is purchased, Block Mode is enabled by default. Cloud Firewall automatically determines a level based on your traffic condition. The threat intelligence, basic protection, and virtual patching features block threats only after you enable Block Mode. If you do not enable Block Mode, these features only monitor threats and malicious traffic.

Advanced settings

  1. Log on to the Cloud Firewall console. In the left-side navigation pane, choose Intrusion Prevention > Prevention Configuration.
  2. In the Advanced Settings section of the Prevention Configuration page, configure whitelists and the threat intelligence, intelligent defense, basic protection, and virtual patching features.
    • Configure whitelists

      Click Whitelist to add trusted source IPv4 and IPv6 addresses or trusted destination IPv4 and IPv6 addresses to an inbound or outbound whitelist. After you add IP addresses to a whitelist, the basic protection, intelligent defense, and virtual patching features allow traffic of the IP addresses. You can add up to 50 IP addresses to a custom destination IP address whitelist or a custom source IP address whitelist.

      Note The whitelists that you configure take effect only for the basic protection, intelligent defense, and virtual patching features. If you want the threat intelligence feature to allow the traffic of IP addresses on the whitelists, you must configure access control policies. For more information, see Create access control policies for the Internet firewall on outbound and inbound traffic and FAQ about network traffic analysis.
    • Configure the threat intelligence feature

      We recommend that you enable the threat intelligence feature. To enable the feature, turn on Threat Intelligence in the Advanced Settings section. After you enable the feature, Cloud Firewall scans for threat intelligence and blocks malicious behavior that originates from central control systems, based on that intelligence. The threat intelligence feature synchronizes malicious IP addresses that are detected across Alibaba Cloud to Cloud Firewall, and then implements precise intrusion prevention. The malicious IP addresses are those used to initiate malicious access, scans, or brute-force attacks. This feature provides up-to-date information about threat sources.

    • Configure the basic protection feature

      To enable the basic protection feature, turn on Basic Policies in the Advanced Settings section. After you enable the feature, Cloud Firewall detects common threats by default. The basic protection feature protects your assets against common intrusions, such as brute-force attacks and attacks that exploit command execution vulnerabilities. The feature also manages connections from compromised hosts to a command-and-control (C&C) server and provides basic protection for your assets. We recommend that you enable the basic protection feature.

      If the default settings do not meet your business requirements, you can click Customize on the right to configure one or more basic protection policies. You can change only the actions of basic protection policies. The actions include Monitor, Block, and Disable.

      Only Cloud Firewall Enterprise Edition and Ultimate Edition allow you to configure basic protection policies.

    • Configure the intelligent defense feature

      We recommend that you enable the intelligent defense feature. To enable the feature, turn on Intelligent Defense in the Advanced Settings section. After you enable the feature, Cloud Firewall learns from a large amount of data about attacks in the cloud to improve the accuracy of threat detection and attack detection.

      Intelligent defense is available only when Monitor Mode is selected.

    • Configure the virtual patching feature

      After you enable the virtual patching feature, Cloud Firewall protects your assets against common high-severity vulnerabilities and urgent vulnerabilities in real time. The virtual patching feature provides hot patches at the network layer to protect your business against high-severity vulnerabilities and urgent vulnerabilities that can be remotely exploited. This helps intercept vulnerability exploits in real time and prevents business interruption when vulnerabilities are being fixed. You do not need to install virtual patches on your server. If the feature is disabled, Cloud Firewall cannot automatically update patches for your assets. We recommend that you enable the virtual patching feature.

      To configure basic virtual patching policies, click Customize on the right. In the Customize Virtual Patches Policies dialog box, some policies are marked with Highly Focused. This mark indicates that the corresponding vulnerability is frequently attacked. Take note of these attacks and troubleshoot them at the earliest opportunity.

      Only Cloud Firewall Enterprise Edition and Ultimate Edition allow you to configure virtual patching policies.
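      The working mode, the per-feature switches, the whitelists, and the custom basic protection actions described above interact in ways that are easy to get wrong when reading the console alone, for example a whitelisted address is still blocked by the threat intelligence feature, and nothing is blocked at all outside Block Mode. The following Python model is an added example and not Alibaba Cloud's code or API: it encodes only the rules stated on this page so that an operator can predict the verdict for a detection before changing a setting. The feature keys, the Finding type, the sample policy id, and the sample IP addresses are constructed for this example.

```python
"""Added example (not Alibaba Cloud's code): a model of how the prevention
settings on this page combine into one verdict for a detection.

Rules encoded, each taken from the page:
  * Whitelists are honored only by basic protection, intelligent defense
    and virtual patching; threat intelligence ignores them.
  * Threat intelligence, basic protection and virtual patching block only
    in Block Mode; in Monitor Mode every detection is an alert.
  * Intelligent defense is available only in Monitor Mode.
  * Each basic protection policy can be set to Monitor, Block or Disable.
  * A custom source or destination whitelist holds at most 50 addresses.
Feature keys, the Finding type and all sample addresses are constructed.
"""
from dataclasses import dataclass, field
import ipaddress

WHITELIST_LIMIT = 50
WHITELIST_AWARE = {"basic_protection", "intelligent_defense", "virtual_patching"}
FEATURES = WHITELIST_AWARE | {"threat_intelligence"}


@dataclass
class PreventionConfig:
    block_mode: bool = True          # Block Mode is the default after purchase
    threat_intelligence: bool = True
    basic_protection: bool = True
    intelligent_defense: bool = True
    virtual_patching: bool = True
    src_whitelist: set = field(default_factory=set)
    dst_whitelist: set = field(default_factory=set)
    # basic protection policy id -> "monitor" | "block" | "disable" (default "block")
    basic_rule_actions: dict = field(default_factory=dict)

    def add_whitelist(self, kind: str, ip: str) -> None:
        """Add a trusted source or destination address (IPv4 or IPv6)."""
        if kind not in ("source", "destination"):
            raise ValueError("kind must be 'source' or 'destination'")
        target = self.src_whitelist if kind == "source" else self.dst_whitelist
        addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
        if addr not in target and len(target) >= WHITELIST_LIMIT:
            raise ValueError(f"{kind} whitelist already holds {WHITELIST_LIMIT} entries")
        target.add(addr)


@dataclass
class Finding:
    feature: str    # which engine matched the flow: one of FEATURES
    src: str        # source IP of the flow
    dst: str        # destination IP of the flow
    rule: str = ""  # basic protection policy id, if any (constructed label)


def feature_enabled(cfg: PreventionConfig, feature: str) -> bool:
    """Whether a feature is active under the current mode and switches."""
    if feature == "threat_intelligence":
        return cfg.threat_intelligence
    if feature == "basic_protection":
        return cfg.basic_protection
    if feature == "intelligent_defense":
        return cfg.intelligent_defense and not cfg.block_mode  # Monitor Mode only
    if feature == "virtual_patching":
        return cfg.virtual_patching
    raise ValueError(f"unknown feature {feature!r}")


def whitelisted(cfg: PreventionConfig, f: Finding) -> bool:
    """True if the flow's source or destination is on the matching whitelist."""
    return (ipaddress.ip_address(f.src) in cfg.src_whitelist
            or ipaddress.ip_address(f.dst) in cfg.dst_whitelist)


def verdict(cfg: PreventionConfig, f: Finding) -> str:
    """Return 'allow', 'alert' or 'block' for one detection."""
    if not feature_enabled(cfg, f.feature):
        return "allow"
    if f.feature in WHITELIST_AWARE and whitelisted(cfg, f):
        return "allow"                       # threat intelligence never reaches here
    if f.feature == "basic_protection":
        action = cfg.basic_rule_actions.get(f.rule, "block")
        if action == "disable":
            return "allow"
        if action == "monitor":
            return "alert"
    return "block" if cfg.block_mode else "alert"


if __name__ == "__main__":
    cfg = PreventionConfig()
    cfg.add_whitelist("source", "203.0.113.10")  # constructed TEST-NET-3 address
    for f in (
        Finding("basic_protection", "203.0.113.10", "10.0.0.5", rule="bruteforce-ssh"),
        Finding("threat_intelligence", "203.0.113.10", "10.0.0.5"),
        Finding("virtual_patching", "198.51.100.7", "10.0.0.5"),
    ):
        print(f.feature, "->", verdict(cfg, f))
```

The two findings from the whitelisted source make the caveat from the Note above concrete: the basic protection match is allowed, but the threat intelligence match from the same address is still blocked, because only an access control policy can exempt traffic from threat intelligence. Switching `block_mode` to `False` turns every remaining verdict into an alert.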

What to do next

You can view the details of prevention statistics on the Intrusion Prevention page. For more information, see Intrusion prevention.