This topic provides answers to some frequently asked questions about attack prevention of Cloud Firewall.
Why does Cloud Firewall block requests from the server IP addresses of Security Center and other scanners when I scan for vulnerabilities?
Possible causes
If you use Security Center to scan for application vulnerabilities on your servers, Security Center simulates intrusions that are launched from the Internet to scan your servers. The simulated intrusions may trigger the protection policies or access control policies of Cloud Firewall.
Solutions
If you want to perform a vulnerability scan, we recommend that you add the server IP addresses of Security Center and other scanners to the whitelist in the Prevention Configuration module of Cloud Firewall. For information about the server IP addresses of Security Center, see Server IP addresses of the web scanner. For more information about how to add IP addresses to the whitelist in the Prevention Configuration module, see Configure whitelists. You can also add the server IP addresses of Security Center to an address book and reference the address book when you configure a whitelist. For more information about how to create an address book, see Manage address books.
Why is attack traffic not blocked after I select a block mode on the Prevention Configuration page?
Possible causes
You did not turn on Basic Protection, Virtual Patches, or Threat Intelligence.
You configured a whitelist to allow matched traffic.
You set the threat detection engine to Block Mode, but the rule that attack traffic hits supports only Monitor Mode, or the Current Action parameter of the rule is set to Monitor.
Solutions
Turn on the switches for Basic Protection, Virtual Patches, and Threat Intelligence. For more information, see IPS configuration.
Check whether a whitelist allows the attack traffic, and modify the whitelist if necessary. For more information, see Configure whitelists.
Modify the working mode of the threat detection engine and the Current Action parameter for the rule. For more information, see IPS configuration.
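The whitelist check described in the scanner question above and the block-mode checklist in this question follow a fixed order of precedence: a whitelist match wins over everything, a feature switch that is off means its rules are never evaluated, and a rule only blocks when the engine is in Block Mode, the rule supports blocking, and its Current Action is Block. The following Python script is an added example that models that precedence; it is not Cloud Firewall code or API, and the class and field names, the address-book name and the scanner CIDR (a constructed TEST-NET range, not a real Security Center address) are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of the settings the FAQ names. Class and field names are
# assumptions for this example; they are not the Cloud Firewall API.


@dataclass
class IpsRule:
    rule_id: str
    feature: str          # "Basic Protection", "Virtual Patches" or "Threat Intelligence"
    supports_block: bool  # some rules support only Monitor Mode
    current_action: str   # "Block" or "Monitor"


@dataclass
class PreventionConfig:
    engine_mode: str      # "Block Mode" or "Monitor Mode"
    basic_protection: bool
    virtual_patches: bool
    threat_intelligence: bool
    # whitelist built from address books: book name -> list of CIDRs
    whitelist_address_books: dict = field(default_factory=dict)


def matching_whitelist_book(config: PreventionConfig, src_ip: str):
    """Return the name of the address book whose CIDR covers src_ip, or None."""
    ip = ipaddress.ip_address(src_ip)
    for book, cidrs in config.whitelist_address_books.items():
        for cidr in cidrs:
            if ip in ipaddress.ip_network(cidr, strict=False):
                return book
    return None


def effective_action(config: PreventionConfig, rule: IpsRule, src_ip: str):
    """Return (action, reason) for traffic from src_ip that hits rule.

    The order of the checks mirrors the troubleshooting list in the FAQ:
    whitelist, feature switch, engine mode, rule capability, rule action.
    """
    book = matching_whitelist_book(config, src_ip)
    if book is not None:
        return "Allow", f"{src_ip} matches whitelist address book '{book}'"

    switches = {
        "Basic Protection": config.basic_protection,
        "Virtual Patches": config.virtual_patches,
        "Threat Intelligence": config.threat_intelligence,
    }
    if not switches[rule.feature]:
        return "Allow", f"{rule.feature} is turned off, so rule {rule.rule_id} is not evaluated"
    if config.engine_mode != "Block Mode":
        return "Monitor", "threat detection engine is in Monitor Mode"
    if not rule.supports_block:
        return "Monitor", f"rule {rule.rule_id} supports only Monitor Mode"
    if rule.current_action != "Block":
        return "Monitor", f"Current Action of rule {rule.rule_id} is set to Monitor"
    return "Block", f"rule {rule.rule_id} hit with Block Mode and Current Action = Block"


def demo():
    # Constructed configuration: engine in Block Mode, all switches on, and a
    # whitelist address book covering a placeholder scanner range.
    config = PreventionConfig(
        engine_mode="Block Mode",
        basic_protection=True,
        virtual_patches=True,
        threat_intelligence=True,
        whitelist_address_books={"scanner-placeholder": ["203.0.113.0/24"]},
    )
    block_rule = IpsRule("R-EXAMPLE-1", "Basic Protection", True, "Block")
    monitor_only_rule = IpsRule("R-EXAMPLE-2", "Virtual Patches", False, "Block")
    return [
        effective_action(config, block_rule, "203.0.113.7"),     # whitelisted scanner
        effective_action(config, block_rule, "198.51.100.5"),    # blocked attacker
        effective_action(config, monitor_only_rule, "198.51.100.5"),  # monitor only
    ]


if __name__ == "__main__":
    for action, reason in demo():
        print(f"{action:8} {reason}")
```

Run the script to see one line per case; the reason string is the item in the FAQ list that explains the observed action.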
Why are no statistics displayed on the Vulnerability Prevention page of the Cloud Firewall console when vulnerabilities are detected on my assets?
The following list describes the possible causes:
Cloud Firewall analyzes exploit behavior based on attack traffic to defend against vulnerabilities. If no attack traffic is generated for a vulnerability, no prevention statistics of the vulnerability are displayed.
The vulnerabilities that are detected based on software component analysis in Security Center cannot be synchronized to Cloud Firewall. These vulnerabilities are detected after Security Center collects information about the software versions of your assets. Only the vulnerabilities that are detected based on network scans can be synchronized to Cloud Firewall.
The vulnerabilities are detected on the assets that reside in an internal network. Cloud Firewall displays only statistics about the vulnerabilities on the assets that are exposed to the Internet.
For more information about vulnerability prevention, see IPS configuration.
How does Cloud Firewall obtain attack samples?
Cloud Firewall can obtain attack samples only if traffic matches the rules that are configured for Basic Protection or Virtual Patches. You can use one of the following methods to view attack samples:
Go to the Intrusion Prevention page. On the Protection Status tab, find an event and click Details in the Actions column. On the Attack Payload tab of the panel that appears, view attack samples in the Payload Content section.
Go to the Log Audit page. On the Traffic Logs tab, set the All Policy Source parameter to Basic Protection or Virtual Patches and then click Search. In the result list, find a log whose attack sample you want to obtain and click Obtain Attack Sample in the Actions column.
How does Cloud Firewall use the cyber kill chain to enhance defense and detection capabilities in attack and defense scenarios?
Attack and defense drills have become systematic, large-scale, and routine, and they cover key business systems across all industries. At the same time, attack methods such as phishing, supply chain attacks, and watering hole attacks are becoming more stealthy. The cyber kill chain describes each stage of an attack, and each stage is an opportunity to detect and respond to the attack. If you want to use the cyber kill chain to stop attackers before they infiltrate the network environment, you need intelligence, data analysis, and response capabilities. Cloud Firewall enhances detection and defense capabilities by minimizing asset exposure, quickly responding to attacks, implementing breach awareness, and performing log tracing.
Asset exposure minimization: You can monitor Internet-facing assets and configure inbound and outbound access control policies to minimize asset exposure. For more information, see Access Control.
Quick response to attacks: You can use the intrusion prevention system (IPS) and the virtual patching feature, whose rules are released automatically to intercept attacks. You can also use threat intelligence to detect network-wide attacks and block scans and intrusions. For more information, see Intrusion prevention and IPS configuration.
Breach awareness: You can use the breach awareness feature to analyze, locate, and trace attacks and respond to and handle attacks at the earliest opportunity. The outbound connection data of servers is displayed in real time, which allows you to handle suspicious servers at the earliest opportunity. You can use secure forward proxies and intelligent policies to control and protect traffic from internal networks to the Internet. For more information, see Breach awareness.
Log tracing: You can use the threat detection engine to detect intrusions and record detailed information. The engine performs in-depth analysis and threat tracing on the collected access logs and attack prevention logs based on Simple Log Service. For more information about how to automatically handle alerts, see Log audit.
How does Cloud Firewall implement breach awareness? How do I configure security policies?
How does Cloud Firewall implement breach awareness?
Threats in the cloud are diverse and complex. Advanced threats, such as advanced persistent threat (APT) attacks, pose significant risks to users. A compromised server is a server over which an attacker has obtained control and which can be used as a jump server to continue penetrating other servers in an internal network. After exploiting a vulnerability, an attacker can perform behavior such as installation and implantation, command and control, data retrieval, and lateral movement. The breach awareness feature uses detection methods to analyze, locate, and trace attacks. You can use the feature to respond to and handle the attacks at the earliest opportunity to reduce their impact on your enterprise, such as losses. The threat detection engine of Cloud Firewall detects intrusions and records detailed information. The Outbound Connection page displays the outbound connection data of servers in real time so that you can detect suspicious servers at the earliest opportunity.
Enable and configure security policies
Configure access control policies in Cloud Firewall to manage north-south traffic to minimize asset exposure. For more information, see Create access control policies for the Internet firewall.
Enable the intrusion prevention feature of Cloud Firewall to block cloud server intrusions from the Internet. For more information, see IPS configuration.
Use secure forward proxies and intelligent policies to control and protect traffic from internal networks to the Internet. For more information, see Access Control.
Monitor the alerts that are generated for outbound connections and breach awareness and handle risks at the earliest opportunity. For more information, see Configure notifications.
After I enable both WAF in transparent proxy mode and the Internet firewall, where do I view intrusion prevention events that are generated for forwarding ports?
You can view the intrusion prevention events that are generated for forwarding ports in the Web Application Firewall (WAF) console. For more information, see Security reports.