Cloud Firewall uses a built-in threat detection engine to defend against intrusions and common cyberattacks in real time. Cloud Firewall also provides virtual patching against threats to intelligently block intrusion attempts.
The Premium Edition, Enterprise Edition, and Ultimate Edition of Cloud Firewall support the prevention configuration feature. The free trial edition does not support this feature.
The Premium Edition of Cloud Firewall does not allow you to customize the virtual patching or basic protection module. Enterprise Edition and Ultimate Edition do not have this limit.
Working modes of the threat engine
The threat engine supports the following modes:
- Monitor Mode: If you enable this mode, Cloud Firewall monitors traffic and sends alerts when it detects malicious traffic.
- Block Mode: If you enable this mode, Cloud Firewall intercepts malicious traffic and blocks
intrusion attempts. You can also select the following levels for this mode based on
your business requirements:
Notice After Cloud Firewall is activated, Block Mode is enabled by default. Cloud Firewall automatically determines the level based on your traffic condition. The threat intelligence, basic protection, and virtual patching modules block threats only after you enable Monitor Mode. If you do not enable Monitor Mode, the modules only monitor threats and malicious traffic.
- Loose: blocks attacks in a loose way by using rules that prevent a high rate of false positives. This level is suitable for business that requires the false positive rate to be minimized.
- Medium: blocks attacks in a standard way by using common rules. This level is suitable for daily O&M. This level delivers a lower false positive rate than the Strict level.
- Strict: blocks attacks in a strict way by using all rules. This level is suitable for business that requires the false negative rate to be minimized, such as major events or cybersecurity protection activities launched by Chinese government departments. The activities are rehearsals for network attacks and protection. This level may cause a higher false positive rate than the Medium level.
In the Advanced Settings section, you can configure whitelists and customize the threat intelligence, intelligent defense, basic protection, and virtual patching modules to implement precise intrusion prevention.You can perform the following operations in the Advanced Settings section:
- Configure whitelists
In the Advanced Settings section, click Whitelist to add trusted IP addresses to specific whitelists. After you configure the whitelists, Cloud Firewall trusts IP addresses in the whitelists and does not block traffic from or to the IP addresses.Notice A maximum of 50 IP addresses can be added to a custom destination IP address whitelist or a custom source IP address whitelist.You can add the trusted source IP addresses, destination IP addresses, or address books of both inbound and outbound traffic to the whitelists.
- Enable or disable threat intelligence
The threat intelligence module synchronizes malicious IP addresses detected across Alibaba Cloud to Cloud Firewall, and then implements precise intrusion prevention. The malicious IP addresses are used to initiate malicious access, scans, or brute-force attacks. This module provides up-to-date information about threat sources.
After you turn on Threat Intelligence, Cloud Firewall scans for threat intelligence, and blocks malicious behavior initiated from central control systems based on the threat intelligence. We recommend that you enable threat intelligence.
- Enable or disable basic protection
The basic protection module protects your assets against common intrusions, such as brute-force attacks and attacks that exploit command execution vulnerabilities. The module also manages connections from infected hosts to a command-and-control (C&C) server. We recommend that you enable basic protection.After you turn on Basic Policies, Cloud Firewall detects common threats by default. If this detection mechanism does not meet your requirements, click Customize for Basic Protection. In the Customize Basic Protection Policies dialog box, customize basic protection policies. You can change only the actions of basic protection policies. The actions include Monitor, Block, and Disable.Note Only the Enterprise Edition and Ultimate Edition of Cloud Firewall allow you to customize basic protection policies.
- Enable or disable intelligent defense
The intelligent defense module identifies attacks based on a large amount of data about attacks on the cloud. The module also generates alerts in real time.After you turn on Intelligent Defense, Cloud Firewall learns a large amount of data about attacks on the cloud to improve the accuracy of threat and attack detection. We recommend that you enable intelligent defense.Note Intelligent defense is available only for Monitor Mode.
- Enable or disable virtual patching
The virtual patching module provides hot patches at the network layer to protect your business against high-risk vulnerabilities and urgent vulnerabilities that can be remotely exploited. This helps intercept vulnerability exploits in real time and prevents business interruption during vulnerability fixing. You do not need to install virtual patches on your server. After you enable this module, Cloud Firewall protects your assets against common high-risk vulnerabilities and urgent vulnerabilities in real time. If this module is disabled, Cloud Firewall does not automatically update patches for your assets. We recommend that you enable virtual patching.Note Only the Enterprise Edition and Ultimate Edition of Cloud Firewall allow you to customize virtual patching policies.Click Customize for Virtual Patches. In the Customize Virtual Patches Policies dialog box, configure basic virtual patching policies.Note In the Customize Virtual Patches Policies dialog box, some policies are marked with Highly Focused. This indicates frequent attacks across the entire network. You must pay attention to such attacks and perform troubleshooting in time.