If a server is compromised, the breach awareness feature of Cloud Firewall helps you detect and identify the intrusion event as early as possible, before it turns into a major loss for your business. This topic describes how to check whether security threats exist on a server and how to configure the prevention mode.
Prerequisites
Internet Firewall is enabled. For more information, see Enable the Internet firewall.
The block mode is enabled for the threat detection engine. For more information, see IPS configuration.
Procedure
Log on to the Cloud Firewall console.
In the left-side navigation pane, choose .
On the Breach Awareness page, view the details of intrusion events.
On the Breach Awareness page, you can perform the following operations based on your business requirements:
View the intrusion event list
In the intrusion event list, view information such as risk levels, the UIDs and IP addresses of affected assets, and the event status.
Search for intrusion events
Specify the filter conditions or search conditions in the search box above the intrusion event list to search for intrusion events. The filter conditions include risk levels, event types, event status, and detection time ranges. The search conditions include instance IP addresses, instance IDs, instance names, and UIDs. Fuzzy match is supported.
Enable the block mode for the threat detection engine
By default, the block mode of the threat detection engine is enabled after the Internet firewall is enabled. If you disable the block mode, the breach awareness feature can only detect risk events and cannot block them. To re-enable the block mode, click Quick Blocking in the Actions column of an event. The working mode of the threat detection engine is shown on the Prevention Configuration page.
Important: Quick Blocking does not act on the single event whose row you click. Clicking it enables the intrusion prevention feature (the block mode of the threat detection engine) for Cloud Firewall as a whole.
Ignore intrusion events
In the intrusion event list, find an intrusion event that you have confirmed is normal business activity and click Ignore in the Actions column to ignore the intrusion event.
Note: After you ignore an intrusion event, the event is removed from the intrusion event list, and Cloud Firewall no longer generates alerts for this event. Confirm that the activity is expected before you ignore it, because you will not be alerted to it again.
View the details of an intrusion event
In the intrusion event list, find an intrusion event whose details you want to view and click View Details in the Actions column. In the Details panel, view the details of the intrusion event and the security suggestions.
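The operations above map to a small amount of triage logic: a filter and fuzzy search over the event list, an Ignore that drops an event and suppresses later alerts for it, and a Quick Blocking that switches the engine's block mode on globally rather than per event. The following Python script is an added illustration of that logic and is not Cloud Firewall's own code or API; the event fields mirror the columns the page names, the `(UID, instance ID, event type)` signature used to decide what "this event" means after Ignore is this example's own assumption, and every event, instance ID, UID and IP address in it is a constructed sample.

```python
"""Offline model of the breach-awareness triage described above (added example,
not Cloud Firewall's own code or API). Event fields mirror the console columns:
risk level, event type, status, detection time, UID, instance IP/ID/name."""
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class IntrusionEvent:
    event_id: str
    risk_level: str            # "high" | "medium" | "low"
    event_type: str            # constructed labels, e.g. "mining", "brute_force"
    status: str                # "unhandled" | "handled"
    detected_at: datetime
    uid: str
    instance_id: str
    instance_name: str
    instance_ip: str


def search_events(events: Iterable[IntrusionEvent], *,
                  risk_levels: Optional[Set[str]] = None,
                  event_types: Optional[Set[str]] = None,
                  statuses: Optional[Set[str]] = None,
                  start: Optional[datetime] = None,
                  end: Optional[datetime] = None,
                  keyword: Optional[str] = None) -> List[IntrusionEvent]:
    """Filter conditions (risk level, event type, status, detection-time range)
    are exact matches; the search box is a case-insensitive substring ("fuzzy")
    match across instance IP, instance ID, instance name and UID."""
    kw = keyword.lower() if keyword else None
    hits = []
    for e in events:
        if risk_levels and e.risk_level not in risk_levels:
            continue
        if event_types and e.event_type not in event_types:
            continue
        if statuses and e.status not in statuses:
            continue
        if start and e.detected_at < start:
            continue
        if end and e.detected_at > end:
            continue
        if kw and not any(kw in v.lower() for v in
                          (e.instance_ip, e.instance_id, e.instance_name, e.uid)):
            continue
        hits.append(e)
    return hits


class BreachAwareness:
    """Event list plus the two state changes the page describes: Ignore (drops the
    event and suppresses further alerts for it) and Quick Blocking (turns on the
    engine's block mode globally, not for the single event)."""

    def __init__(self, events: Iterable[IntrusionEvent], block_mode: bool = True):
        self._events = {e.event_id: e for e in events}
        # Assumption of this example: "this event" is identified by the
        # (UID, instance ID, event type) triple, so a repeat of the same finding
        # on the same asset stays silent after Ignore.
        self._ignored: Set[Tuple[str, str, str]] = set()
        self.block_mode = block_mode   # on by default once the Internet firewall is enabled

    @staticmethod
    def _signature(e: IntrusionEvent) -> Tuple[str, str, str]:
        return (e.uid, e.instance_id, e.event_type)

    def list_events(self) -> List[IntrusionEvent]:
        return list(self._events.values())

    def ignore(self, event_id: str) -> None:
        """Remove the event from the list and remember its signature."""
        self._ignored.add(self._signature(self._events.pop(event_id)))

    def should_alert(self, e: IntrusionEvent) -> bool:
        """False once an event with the same signature was ignored."""
        return self._signature(e) not in self._ignored

    def quick_blocking(self, event_id: str) -> bool:
        """Quick Blocking is not per-event: it re-enables block mode for the
        whole threat detection engine. Returns the resulting mode."""
        if event_id not in self._events:
            raise KeyError(event_id)
        self.block_mode = True
        return self.block_mode

    def action_for(self, e: IntrusionEvent) -> str:
        """What the engine does with a detected event in the current mode."""
        return "block" if self.block_mode else "detect_only"


# Constructed sample list (not real assets, accounts or events).
SAMPLE_EVENTS = [
    IntrusionEvent("evt-1", "high", "mining", "unhandled", datetime(2024, 5, 1, 9, 30),
                   "100000000000001", "i-bp1example01", "web-prod-01", "203.0.113.10"),
    IntrusionEvent("evt-2", "medium", "brute_force", "unhandled", datetime(2024, 5, 1, 11, 0),
                   "100000000000001", "i-bp1example02", "web-prod-02", "203.0.113.11"),
    IntrusionEvent("evt-3", "low", "scan", "handled", datetime(2024, 4, 28, 8, 0),
                   "100000000000002", "i-bp1example03", "db-stage-01", "198.51.100.7"),
]

if __name__ == "__main__":
    ba = BreachAwareness(SAMPLE_EVENTS, block_mode=False)   # block mode was switched off
    for e in search_events(ba.list_events(), risk_levels={"high", "medium"}, keyword="web-prod"):
        print(e.event_id, e.risk_level, e.event_type, ba.action_for(e))
    ba.quick_blocking("evt-1")      # re-enables block mode for every event, not just evt-1
    print("block mode:", ba.block_mode)
```

The point the `quick_blocking` method makes explicit is the one in the Important note above: after it runs, `action_for` reports "block" for every event, including ones you never clicked. The signature-based `should_alert` shows why Ignore deserves care: once a finding is ignored, a repeat of the same finding on the same asset will not raise an alert.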
What to do next
You can use the prevention configuration feature of Cloud Firewall to configure the working mode of the threat detection engine. You can also configure the threat intelligence, basic protection, intelligent defense, and virtual patching features to effectively identify and block intrusion attempts. For more information, see IPS configuration.
You can use the intrusion prevention system (IPS) to proactively detect and block malicious traffic that is generated by attacks, exploits, brute-force attacks, worms, mining programs, trojans, and DoS attacks in real time. This protects enterprise information systems and network architectures in the cloud against attacks. For more information, see Overview of intrusion prevention and Intrusion prevention.
Cloud Firewall can detect vulnerabilities that are exploited by cyberattacks and defend against the vulnerabilities. For more information, see Vulnerability prevention.