Management of Defense Operations
Last updated: 2025-12-19 15:57:02
This document describes how to use the intrusion prevention feature to identify unknown risks that access control rules do not cover, run intrusion prevention rule detection on the north-south traffic of public network IP addresses, and keep vulnerabilities in Cloud Virtual Machine (CVM) instances from being exposed to the Internet.

Select Protection Mode

1. Log in to the CFW console and click Intrusion Defense in the left sidebar.
2. On the Intrusion Defense page, locate the "Protection Mode" module to configure the protection mode. The available protection modes are Observe, Block, and Strict.
Note:
The observation mode is used by default.
If you select Observe, Threat Intelligence, Basic Rule, and Virtual Patch are all in detection mode. For malicious access or behaviors of network attacks detected, only alarms are generated, but connections will not be automatically blocked.
If you select Block, high-confidence network attacks or malicious access will be automatically intercepted. Threat Intelligence supports the automatic interception of outbound malicious access. Basic Rule supports the automatic interception of high-confidence rule alarms. Virtual Patch supports the automatic interception of traffic detected as vulnerability exploits.
If you select Strict, Threat Intelligence (except threat intelligence detection for outbound domain names), Basic Rule, and Virtual Patch are all in global interception mode. Connections are automatically blocked for any detected alarm, so false positives may be generated. This mode is suitable for security assurance during important periods or for attack and defense drill scenarios.

3. On the right of Protection Mode, click Advanced Settings to go to the advanced settings pop-up window.
4. In the advanced settings pop-up window, you can switch the protection mode of a single asset under the Internet Border Firewall, NAT Border Firewall, or VPC Border Firewall tab. For example, some assets can be set to Observe, some to Block, and others to Strict.


Updates

1. Log in to the CFW console and click Intrusion Defense in the left sidebar.
2. On the right side of the Intrusion Defense page, scroll within the Updates module to view records of rule updates and vulnerability updates in reverse chronological order.

3. Click Update history to view detailed records of rule updates and vulnerability updates.
Filtering by update type, attack type, and risk level is supported so that you can quickly locate the target records.
Click Details to open the rule details pop-up window or go to the corresponding vulnerability query page.

Management list

1. Log in to the CFW console and click Intrusion Defense in the left sidebar.
2. At the bottom of the Intrusion Defense page, you can view the "Blocked list", "Allowlist strategy", and "Quarantined list".

Block list

Viewing the Blocked list

1. Click Blocked list to go to the Blocked list page.

2. Under Blocked list, you can view the IPs whose handling status is "blocked" in Alarm Center > Attack Alert Event, together with their related information, or manually add IPs to the Blocked list.

Disabling the Blocked list

1. In case of emergencies, turn off the "Enable blocklist" switch to deactivate the blocklist, then go to Alarm Center > Attack Alert Event to view all block statistics and identify the source of the blocks.
2. After the cause of the failure is located and fixed, turn the "Enable blocklist" switch back on to re-enable this feature.

Managing the Effective Time of the Blocked list

In the Blocked list, when the expiration time of an IP address is reached, the list will automatically remove that IP address. Subsequent traffic from this IP address will then not be blocked by the firewall. To prevent the automatic removal of potentially risky IP addresses from the blocklist, click Edit in the operation column on the right side of the list to modify the expiration time of the target IP address.
Note
IP addresses in the Blocked list are blocked for all traffic passing through CFW in both the outbound and inbound directions, and the blocks are recorded in Log Auditing > Intrusion Defense Log.

Management of Blocked list Quota

1. Click Quota to view the total list quota currently provided and the remaining quota information.

2. When the remaining quota is insufficient, click Upgrade and Scale to purchase Blocked list quota.

Allowlist strategy

Viewing the Allowlist strategy

1. On the Intrusion Defense page, click Allowlist strategy to go to the allowlist management page.

2. In the allowlist policy tab, you can view the IPs whose handling status is "added to allowlist" in Alarm Center > Attack Alert Event, together with their related information, or manually add addresses to the allowlist.
Note:
IP addresses in the allowlist will bypass the IDPS feature directly.
Blocked list and allowlist policies have rule limits, and the limits for both are the same.
For the quantity limit of each edition, see Purchase Guide.

Add Allowlist Policy

1. On the allowlist strategy page, click Add policy to go to the configuration page and configure the relevant parameters.

Field description:
Policy name: Custom policy names are supported, with a maximum length of 50 characters.
Scope: Select the scope of the current policy. At least one scope must be selected, with all selected by default.
Match Condition: The match conditions of the current policy. Multiple conditions have an "and" logical relationship. The selected effective scope determines the supported range of match conditions. For specific correspondences, see the following table:
Matching Condition | Internet Border Firewall | NAT Border Firewall | VPC Border Firewall | Network Detection and Response
--- | --- | --- | --- | ---
Source IP address (also: + Destination IP address; + Destination IP address + Destination port; + Destination CIDR; + Destination CIDR + Destination port) | Supported | Supported | Supported | Supported
Source CIDR (also: + Destination IP address; + Destination IP address + Destination port; + Destination CIDR; + Destination CIDR + Destination port) | Supported | Supported | Supported | Supported
Destination IP (also: Destination IP address + Destination port; Destination CIDR; Destination CIDR + Destination port) | Supported | Supported | Supported | Supported
Domain name | Supported | Supported | Supported | Supported
IP for threat intelligence + Domain for threat intelligence | Not supported | Not supported | Not supported | Not involved
Asset instance | Not supported | Not supported | Supported | Supported
Source IP address + Destination IP address + Intrusion Defense rules | Supported | Supported | Supported | Supported
Source IP address + Destination IP Address:Port + User-Agent + URL + XFF + Hostname + Filename + MD5 checksum of the file | Not supported | Not supported | Not supported | Supported
Effective period: Select permanent or set a custom expiration date for the policy.
Description: Custom descriptions are supported, with a maximum length of 200 characters.
Conflict resolution: When "Remove conflicting addresses in the blocklist and continue adding" is selected, the system will automatically remove conflicting addresses found in the blocklist during the adding operation and proceed to complete subsequent additions.
2. Click Next to go to the rule preview page. On this page, you can view your "Remaining Number of Rules" and "Estimated New Additions", preview the edited allowlist policy, and click OK to complete policy addition after confirming that the information is correct.
Note:
When multiple IP addresses, XFF, MD5, URLs, domains, hostnames, filenames, and so on are entered in the condition content, the system will split and calculate the number of rules based on the actual number of entries. For example: When "Source IP" is selected as the condition type with three separate IP addresses entered, the system will automatically split them into three independent allowlist policies after saving, occupying three rule slots.
The total number of rules generated in a single split must not exceed 100. When the limit is exceeded, the message "The rules are too complex. After parsing, the number exceeds 100. Please split them and create multiple allowlists" will be displayed.
When "Estimated New Additions" + the number of new rules to be added > "Remaining Rule Count", the system will display the message: "Insufficient available rules. Please purchase General Rule Expansion Quota." You can click Upgrade and Scale to perform the scaling operation.
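The following is an added example, not Tencent Cloud code, that models the allowlist checks described above: the scope support matrix from the field description table, the splitting of multi-entry condition content into individual rules, the 100-rule limit per split, and the quota check. The field names, the scope identifiers, and the assumption that several multi-entry fields combine as a Cartesian product (the page only shows the single-field case) are the author's own.

```python
import ipaddress
from itertools import product

# Support matrix transcribed from the page's table. Columns: Internet Border,
# NAT Border, VPC Border firewalls and Network Detection and Response (NDR).
SCOPES = ("internet_border", "nat_border", "vpc_border", "ndr")
SUPPORT = {                       # None = "Not involved"
    "source_ip":      (True, True, True, True),
    "source_cidr":    (True, True, True, True),
    "destination_ip": (True, True, True, True),
    "domain":         (True, True, True, True),
    "threat_intel":   (False, False, False, None),
    "asset_instance": (False, False, True, True),
    "ids_rule":       (True, True, True, True),    # src IP + dst IP + Intrusion Defense rule
    "ndr_tuple":      (False, False, False, True), # src IP + dst IP:port + UA + URL + XFF + ...
}
MAX_RULES_PER_SPLIT = 100   # limit stated on the page

def unsupported_scopes(condition, selected):
    """Return the selected scopes on which the condition type is not supported."""
    row = dict(zip(SCOPES, SUPPORT[condition]))
    return [s for s in selected if row[s] is not True]

def validate_entries(field, entries):
    """Reject a single IP in a CIDR field or a CIDR block in an IP field (constructed check)."""
    for entry in entries:
        if field.endswith("_cidr"):
            ipaddress.ip_network(entry, strict=True)   # ValueError unless a clean CIDR block
        elif field.endswith("_ip"):
            ipaddress.ip_address(entry)                # ValueError unless a single address

def expand_rules(fields):
    """Split multi-entry condition content into the individual rules it occupies.
    Assumption (not stated on the page): when several fields each carry multiple
    entries, they combine as a Cartesian product of the entries."""
    for name, entries in fields.items():
        validate_entries(name, entries)
    names = list(fields)
    return [dict(zip(names, combo)) for combo in product(*(fields[n] for n in names))]

def plan_addition(fields, remaining_rules, estimated_new=0):
    """Apply the 100-rule split limit and the quota check from the note above."""
    count = len(expand_rules(fields))
    if count > MAX_RULES_PER_SPLIT:
        return {"ok": False, "reason": "too_complex", "count": count}
    if estimated_new + count > remaining_rules:
        return {"ok": False, "reason": "insufficient_quota", "count": count}
    return {"ok": True, "reason": None, "count": count}
```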

Quarantined list

View Quarantined list

1. Click Quarantined list to go to the Quarantined list page.

2. In the Quarantined list you can view IPs with a handling status of "Quarantine" and their related information in Alarm Center > Attack Alert Event > Host Compromise Events.


Viewing Rules

The isolation of compromised host IPs is implemented through security groups. Click View Rules to jump to the Enterprise Security Group page and view detailed rule information.


Management of Quarantined list Effective Time

In the Quarantined list, when the expiration time of an IP address is reached, the list automatically removes that IP address and deletes the corresponding security group rules. To prevent compromised IP addresses from being automatically removed from the Quarantined list, click Edit in the operation column on the right side of the list to modify the expiration date and time of the target IP address.

Policy Backup and Rollback

Click Rule backups to back up the current blocklist and rules of the allowlist policy. When significant changes occur to the rules, click Roll back on the right side of the backup file to restore the rules.

1. On the Policy Backup and Rollback page, click Create backup, select either Blocked list or Allowlist Policy from the dropdown menu, enter a description, and click OK to complete rule backup.
2. Rules rollback: Click Roll back on the far right of the backup list to restore the rules.

Related Information

If you encounter issues related to intrusion defense, refer to the documentation on Intrusion Defense.
