When a cluster's blocking status is Abnormal or Normal to be confirmed, defense rules created for that cluster cannot generate alerts or block unusual traffic. This topic describes how to diagnose and resolve both statuses.
Prerequisites
Before you begin, make sure that you have:
A defense rule created for your cluster. For more information, see Create a defense rule.
Background
Defense rules take effect only when the AliNet plug-in is both installed and online. The AliNet plug-in blocks suspicious network connections, Domain Name System (DNS) hijacking, and brute-force attacks. Before using the container microsegmentation feature, verify that your cluster nodes run an operating system whose kernel version is supported by the AliNet plug-in. For supported OS versions, see Supported operating system versions.
Diagnose the blocking status
The following table describes the two abnormal statuses, their causes, and the resolution path for each.
| Blocking status | Meaning | Resolution |
|---|---|---|
| Abnormal | The Defensive status switch is turned off. Security Center cannot provide container microsegmentation for the cluster. The AliNet plug-in's Installation status or Online status is abnormal. | Check the Protection plug-in status panel and resolve the plug-in issue. See Resolve the Abnormal status. |
| Normal to be confirmed | The issues that caused the Abnormal status have been resolved, but the defense rules have not been confirmed. | Verify all defense rules, then click Recovery. See Resolve the Normal to be confirmed status. |
Resolve the Abnormal status
Log on to the Security Center console.
In the left-side navigation pane, choose Protection Configuration > Container Protection > Container Microsegmentation.
On the Container Microsegmentation page, click the Protection Management tab.
In the cluster list, find a cluster whose Interceptible status is Abnormal, and click View to the right of Abnormal. The Protection plug-in status panel opens.
Check the Installation status and Online status columns for the AliNet plug-in, then resolve the issue based on what you see.
| What you see | Cause | Action |
|---|---|---|
| Installation status shows the plug-in is not installed, or Online status shows the plug-in is offline | The behavior prevention feature is not enabled | Enable the behavior prevention feature for the cluster. For more information, see Use proactive defense. |
| Installation status still shows the plug-in is not installed after behavior prevention is enabled | The OS kernel version on the cluster node may not support the AliNet plug-in | Check the supported kernel versions and review the installation log (see below). |
Check the AliNet plug-in installation log
If the behavior prevention feature is enabled but the AliNet plug-in still fails to install, the cluster node's OS kernel version may be unsupported. To confirm, log on to the cluster and run:
```
cat /usr/local/aegis/PythonLoader/data/AliNet_config.log
```
If the log contains `install,driver file not exist`, the kernel version is not supported by the AliNet plug-in. For supported OS versions and kernel versions, see Supported operating system versions.
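The log check above can be scripted so that every node is classified the same way. The following is an added example, not code from Alibaba Cloud or from this page: the log path and marker string are the ones given above, while the function names, exit codes and output wording are assumptions.

```shell
#!/bin/sh
# Added example, not Alibaba Cloud code. The log path and marker string are
# taken from this page; function names, exit codes and messages are assumptions.
ALINET_LOG=/usr/local/aegis/PythonLoader/data/AliNet_config.log
ALINET_MARKER='install,driver file not exist'

# Exit codes (assumed convention for this example):
#   0 = marker not in the log, 1 = marker found, 2 = log missing or unreadable
alinet_install_diag() {
    log=${1:-$ALINET_LOG}
    kernel=$(uname -r)          # kernel release to compare with the supported list
    if [ ! -f "$log" ] || [ ! -r "$log" ]; then
        echo "UNKNOWN: cannot read $log (kernel $kernel)"
        return 2
    fi
    # -F matches the marker as a fixed string; "|| true" keeps a zero count
    # from aborting callers that run under "set -e".
    hits=$(grep -cF -- "$ALINET_MARKER" "$log" || true)
    if [ "$hits" -gt 0 ]; then
        echo "UNSUPPORTED_KERNEL: marker logged $hits time(s) (kernel $kernel)"
        grep -nF -- "$ALINET_MARKER" "$log" | tail -n 1   # last occurrence, with line number
        return 1
    fi
    echo "NO_MARKER: driver-file error not logged in $log (kernel $kernel)"
    return 0
}

# Self-check against a constructed log; only the marker text is real.
alinet_diag_selftest() {
    _t=$(mktemp) || return 2
    printf '%s\n' 'constructed: install started' "constructed: $ALINET_MARKER" > "$_t"
    _rc=0
    alinet_install_diag "$_t" >/dev/null || _rc=$?
    rm -f "$_t"
    [ "$_rc" -eq 1 ]
}

case "${1:-}" in
    --check)    alinet_install_diag; exit $? ;;
    --selftest) alinet_diag_selftest; exit $? ;;
esac
```

Run the script with `--check` on the cluster node. An exit code of 1 corresponds to the unsupported-kernel case described above, and the printed kernel release is the value to compare against Supported operating system versions.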
Resolve the Normal to be confirmed status
The Normal to be confirmed status means the plug-in issues are resolved, but the defense rules still need to be reviewed before the cluster can resume normal protection.
Log on to the Security Center console.
In the left-side navigation pane, choose Protection Configuration > Container Protection > Container Microsegmentation.
On the Container Microsegmentation page, click the Protection Management tab.
Review all defense rules created for the cluster. Confirm that:
All defense rules are enabled.
The priorities of defense rules are correctly configured.
After confirming that all defense rules are normal, click Recovery to the right of Normal to be confirmed in the Interceptible status column. The blocking status changes to Normal.
