Alibaba Cloud Cloud Server Firewall Settings

The intrusion prevention page displays the source IP, destination IP, blocked application, blocked source, and blocked event details of the traffic blocked by the cloud firewall in real time.This article introduces the information and related operations displayed on the intrusion prevention page. Let's work with 87cloud to learn about the firewall settings of Alibaba Cloud International Edition cloud server:

Prerequisites

You need to enable the basic defense function on the protection configuration page before Cloud Firewall can intercept the traffic and display it in the interception record on the intrusion prevention page.

Overview

The intrusion prevention page shows you the detailed information about the outbound and inbound Internet traffic and inter-VPC traffic protection of the cloud firewall. You can switch to the Internet protection or VPC protection tab to view the corresponding event details.

Note Cloud Firewall Premium does not support displaying the VPC protection tab.

Restriction Description

• Cloud Firewall Premium, Enterprise and Ultimate editions support intrusion prevention, but the free edition does not.
• The cloud firewall attack protection function does not support parsing TLS and SSL encrypted traffic, so it cannot detect and protect such traffic.

Internet Protection

On the Internet Protection tab, you can view the Internet outbound or inbound directions within the last 1 hour, 1 day, 7 days, 1 month and a custom time range.blocking situation.The customizable time range that can be set is within 6 months from the current time.

The Internet Protection tab contains the following modules:

• Protection data: Contains the total number of attacks, distribution of attack types, and interception data.Among them, the intercepted data includes the following:
  • Blocked destination TOP: Displays the top 5 destination IP addresses that account for the largest proportion of traffic blocked by the cloud firewall.

    Click View Log to the right of the blocking destination IP address to jump to the cloud firewall log audit page.You can view detailed information such as the destination port, application type, and action of the destination IP address in the log list.

  • Blocked sources TOP: Shows the top three source types with the largest proportion of traffic blocked by the cloud firewall.
  • Blocked applications TOP: Shows the top 5 application types that account for the largest proportion of traffic blocked by the cloud firewall.
• Detailed data: Shows the detailed information of all blocking events, including the risk level of the event, the number of events, the source IP address and the destination IP address.

  

  In the verbose data module, you can do the following:

  • In the search bar, locate specific events by filtering information such as risk level, judgment source, direction and time range.
  • Click the details of the action bar to open the details page of the blocking event, and view the event description, attack payload and other detailed information.
  • On the right side of the search bar, click the icon to download the intrusion prevention policy.By default, 1,000 intrusion prevention policies that are closest to the current time are downloaded, and downloading is not supported for the excess.

VPC Protection

The VPC Protection tab displays information about abnormal events between VPC networks intercepted by the cloud firewall.You can view detailed information such as the name, risk level, and attack type of VPC interception events within a specified time period.

On the VPC Protection tab, you can perform the following operations as needed:

• After selecting the risk level, defense status, attack type, and time, click Search to view the event information that meets the set conditions.
• Locate the target event and click Details to view the event description, rule ID, defense status and other details of the current event.