
Cloud Firewall: FAQ about network traffic analysis

Last Updated: Nov 24, 2023

This topic provides answers to some frequently asked questions about network traffic analysis of Cloud Firewall.

Traffic from unknown applications accounts for a large proportion of the traffic shown in traffic analysis. Does this occur because Cloud Firewall cannot identify the types of applications that generate traffic from the Internet?

Possible causes:

  • A large volume of traffic is generated from the Internet, and the traffic does not comply with standard protocols. As a result, Cloud Firewall cannot identify the application type for the traffic.

  • The destination server blocks network traffic and returns a large number of RST packets. The RST packets are counted in the inbound or outbound traffic. A large number of RST packets cause a large proportion of traffic from applications whose type is Unknown.

Note

You can go to the Log Audit page and click the Event Logs or Traffic Logs tab to view the source and purpose of the traffic from unknown applications. Then, you can determine whether the traffic is normal.

When I view the results of all access activities, the system displays a large proportion of traffic from unknown ISPs. Why?

For inbound traffic from Hong Kong (China), Macao (China), Taiwan (China), or regions outside China, the system displays only the names of the countries or regions. Cloud Firewall marks the Internet service providers (ISPs) of such traffic as unknown.

You can go to the Log Audit page and click the Traffic Logs tab to view the region and ISP for an IP address.

Intelligence tags are displayed on the Outbound Connection page. What are the meanings of the tags?

Cloud Firewall automatically adds tags based on the Internet information about the domain names or the destination IP addresses that are involved in outbound activities. The tags include Malicious download, Ore pooled, Threat Intelligence, New, Periodic, Popular website, and DDoS Trojan. For more information about intelligence tags, see Outbound Connection.

  • Malicious download, Ore pooled, or Threat Intelligence: Cloud Firewall considers the outbound activity risky.

    Note

    You must check whether the outbound activity is a false positive at the earliest opportunity. If the outbound activity is malicious, we recommend that you configure an access control policy to limit related activities. For more information, see Create inbound and outbound access control policies for the Internet firewall.

  • New: Cloud Firewall identifies an outbound activity for the first time.

  • Periodic: Your assets periodically communicate with a domain name or a destination IP address in outbound connections.

  • Popular website: A domain name is frequently accessed by your server or business.

  • DDoS Trojan: Cloud Firewall considers that the outbound activity may trigger DDoS attacks.

How do I troubleshoot network connection failures?

After you enable a firewall, the following issues may occur:

  • You cannot log on to your server.

  • You cannot access the services that run on your server.

  • Your server cannot connect to the Internet.

If the preceding issues occur, you must troubleshoot the issues from the following dimensions: the Internet firewall and internal firewalls.

Internet firewall

  1. Check whether the Internet firewall is enabled for your asset.

    After you enable the Internet firewall, traffic passes through Cloud Firewall. For more information about how to enable the Internet firewall, see Internet firewall.

    Note

    If the Internet firewall is disabled for your asset, traffic does not pass through Cloud Firewall. In this case, you must check whether other issues such as network connection failures occur.

  2. Check whether traffic logs are generated on the Traffic Logs tab.

    • If no traffic logs are found, the traffic is discarded before it reaches the Internet firewall.

    • If traffic logs are found and the action is Discard, the traffic is discarded by the Internet firewall. In this case, you can find the relevant event on the Event Logs tab and check the module that performs the Discard action based on the information in the Module column.

      • If the Discard action is performed by the Access Control module, the traffic is discarded based on the access control policies that you configure. We recommend that you check the access control policies and modify them based on your business requirements.

      • If the Discard action is performed by the Basic Protection, Virtual Patching, or Threat Intelligence module, the traffic is discarded based on the intrusion prevention policies that you configure. In this case, you can choose Attack Prevention > Intrusion Prevention in the left-side navigation pane to disable the intrusion prevention policies.

    • If traffic logs are found and the action is Allow or Monitor, the traffic is not discarded by the Internet firewall. You must check security groups.

Internal firewalls (security groups)

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Instances & Images > Instances.

  3. Find and click the Elastic Compute Service (ECS) instance on which the network connection failure occurs. On the Security Groups tab, check whether the value in the Action column of the required security group rule is Allow.

What are the priorities of rules that are used by Cloud Firewall to protect traffic?

Cloud Firewall matches traffic against rules based on the following priorities of rules:

  • If no access control policies are enabled, or if access control policies are enabled but the traffic does not match access control policies, Cloud Firewall matches the traffic against the rules of Threat Intelligence, and then against the rules of Basic Protection, Intelligent Defense, and Virtual Patching.

    Note

    If the traffic is blocked by the rules of Threat Intelligence, Cloud Firewall no longer matches the traffic against other rules.

  • If access control policies are enabled and the traffic matches an Allow policy or a Monitor policy, Cloud Firewall does not match the traffic against the rules of Threat Intelligence, but matches the traffic against the rules of Basic Protection, Intelligent Defense, and Virtual Patching.

  • If access control policies are enabled and the traffic matches a Deny policy, Cloud Firewall no longer matches the traffic against other rules.

Note

Cloud Firewall matches traffic against the rules of Basic Protection, Intelligent Defense, and Virtual Patching without priority.
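The matching order described above, modelled as an added Python example (this is not Cloud Firewall's own code; the module and action names come from the FAQ, while the Flow, AclPolicy and Engine types, the evaluate() function and the default pass-through action are constructed for illustration). evaluate() returns the final action together with the modules that were consulted, so each of the three cases and the two notes can be checked against it.

```python
"""Model of the rule-matching order in the FAQ above. Added example, not
Cloud Firewall's own code: module and action names come from the FAQ; the
Flow/AclPolicy/Engine types and evaluate() are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable

@dataclass(frozen=True)
class Flow:
    dst: str
    dport: int

@dataclass
class AclPolicy:
    match: Callable[[Flow], bool]
    action: str  # "Allow", "Monitor" or "Deny"

@dataclass
class Engine:
    acl_enabled: bool
    acl_policies: list[AclPolicy] = field(default_factory=list)
    # Each intrusion prevention module returns True when it would block the flow.
    threat_intelligence: Callable[[Flow], bool] = lambda f: False
    basic_protection: Callable[[Flow], bool] = lambda f: False
    intelligent_defense: Callable[[Flow], bool] = lambda f: False
    virtual_patching: Callable[[Flow], bool] = lambda f: False

def evaluate(engine: Engine, flow: Flow) -> tuple[str, list[str]]:
    """Return (final action, modules consulted in order) for one flow."""
    consulted: list[str] = []
    hit = None
    if engine.acl_enabled:
        consulted.append("Access Control")
        hit = next((p for p in engine.acl_policies if p.match(flow)), None)
    if hit is not None and hit.action == "Deny":
        return "Discard", consulted  # a Deny match ends matching
    if hit is None:
        # No ACL match: Threat Intelligence runs first and a block there is final.
        consulted.append("Threat Intelligence")
        if engine.threat_intelligence(flow):
            return "Discard", consulted
    # An Allow/Monitor match skips Threat Intelligence. Either way the remaining
    # three modules are checked without priority, so a block by any one decides.
    others = [("Basic Protection", engine.basic_protection),
              ("Intelligent Defense", engine.intelligent_defense),
              ("Virtual Patching", engine.virtual_patching)]
    consulted.extend(name for name, _ in others)
    if any(check(flow) for _, check in others):
        return "Discard", consulted
    return (hit.action if hit else "Allow"), consulted  # assumed pass-through
```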

What do I do if the volume of my business traffic exceeds the purchased bandwidth of Cloud Firewall?

If the volume of your business traffic exceeds the purchased bandwidth, the excess traffic is not protected by Cloud Firewall: only the traffic whose volume does not exceed the bandwidth is protected. In this case, you must locate the ECS instances whose traffic exceeds the bandwidth and determine whether to purchase additional bandwidth or disable the firewall for those ECS instances. For more information about how to increase the bandwidth, see Renewal.

If the volume of your business traffic exceeds the purchased bandwidth, we recommend that you perform the following operations:

  • Go to the Overview page to view traffic trends. You can view traffic changes on the Outbound Connection, Internet Exposure, and VPC Access pages. Then, you can identify suspicious IP addresses based on Cloud Firewall logs and handle the risks.

    You can perform the following steps to identify a suspicious public IP address. The operations to locate a suspicious VPC are similar to those to locate a suspicious public IP address.

    1. Log on to the Cloud Firewall console. In the left-side navigation pane, click Overview.

    2. In the Traffic Trend section of the Overview page, click the Internet Border tab to view the traffic trend charts.

    3. Move the pointer over a trend chart to view the details of inbound and outbound peak traffic at a specified point in time.

    4. Based on the trend charts, determine whether the inbound peak or the outbound peak is higher.

      • Inbound traffic = Traffic of requests exposed on the Internet + Traffic of responses exposed on the Internet

        Peak Inbound Traffic specifies the peak of all traffic that is exposed on the Internet. The peak is less than or equal to the sum of request traffic and response traffic. This is because Cloud Firewall calculates traffic statistics based on the aggregated peak values within a specified period of time.

      • Outbound traffic = Traffic of requests in outbound connections + Traffic of responses in outbound connections

        Peak Outbound Traffic specifies the peak of all traffic that flows over outbound connections. The peak is less than or equal to the sum of request traffic and response traffic. This is because Cloud Firewall calculates traffic statistics based on the aggregated peak values within a specified period of time.

    5. Click the Details icon to the right of Peak Inbound Traffic or Peak Outbound Traffic. In the tooltip that appears, click Peak Traffic of Response Exposed on Internet or Peak Traffic of Outbound Requests to go to the Outbound Connection or Internet Exposure page to view the details of peak traffic. Then, you can identify suspicious public IP addresses based on Cloud Firewall logs.

  • If the volume of your business traffic exceeds the purchased bandwidth, Cloud Firewall sends you a notification email. We recommend that you check your email on a regular basis and handle issues based on the information that is provided in the email.

    Note

    If the volume of your business traffic exceeds the purchased bandwidth, Cloud Firewall sends you a notification email within 24 hours.
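Why Peak Inbound Traffic or Peak Outbound Traffic can be lower than the sum of the request peak and the response peak (step 4 above), shown with an added Python example that is not Cloud Firewall's own code: the per-interval Mbit/s samples are constructed, and the interval length and the aggregation method (peak of the per-interval sums) are assumptions; only the relation between the three peaks follows the FAQ.

```python
"""Why Peak Inbound Traffic can be below request peak + response peak, and which
direction peaks higher (step 4). Added example, not Cloud Firewall's own code:
the per-interval Mbit/s samples are constructed, and the interval length and the
aggregation (peak of per-interval sums) are assumptions."""

def peak_summary(requests, responses):
    """Return (peak_total, interval_of_peak, peak_requests, peak_responses)
    over aligned intervals of request and response traffic."""
    totals = [r + s for r, s in zip(requests, responses)]
    idx = max(range(len(totals)), key=totals.__getitem__)
    return totals[idx], idx, max(requests), max(responses)

def peak_is_below_sum(requests, responses):
    """True when the request and response peaks fall in different intervals,
    so the peak of the summed traffic is strictly below the sum of the peaks."""
    total, _, req, resp = peak_summary(requests, responses)
    return total < req + resp

def higher_direction(inbound, outbound):
    """Step 4: compare the inbound and outbound peaks of the summed traffic
    and report the direction, its peak and the interval to inspect in the chart."""
    in_peak, in_idx, *_ = peak_summary(*inbound)
    out_peak, out_idx, *_ = peak_summary(*outbound)
    if in_peak >= out_peak:
        return "inbound", in_peak, in_idx
    return "outbound", out_peak, out_idx

# Constructed 5-minute samples (Mbit/s); index = interval number in the chart.
INBOUND = ([40, 120, 60, 30], [300, 150, 500, 200])    # exposed requests, responses
OUTBOUND = ([200, 450, 100, 50], [80, 60, 90, 400])    # outbound requests, responses

if __name__ == "__main__":
    print(peak_summary(*INBOUND))     # (560, 2, 120, 500): 560 < 120 + 500
    print(peak_summary(*OUTBOUND))    # (510, 1, 450, 400): 510 < 450 + 400
    print(higher_direction(INBOUND, OUTBOUND))  # ('inbound', 560, 2)
```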