If the blocking status of a cluster is Abnormal or Normal to be confirmed, the defense
rules that are created for the cluster cannot generate alerts or block unusual traffic
destined for the cluster. This topic describes how to troubleshoot the causes of the
preceding issues.
Prerequisites
A defense rule is created for your cluster. For more information about how to create
a defense rule, see Create a defense rule.
Background information
A defense rule can take effect only when the AliNet plug-in is installed and is online.
The AliNet plug-in is used to block suspicious network connections, Domain Name System
(DNS) hijacking, and brute-force attacks. Before you use the container firewall feature,
make sure that your cluster nodes run an operating system whose kernel version is
supported by the AliNet plug-in. For more information, see Supported operating system versions.
Procedure
- Log on to the Security Center console.
- In the left-side navigation pane, choose .
- On the Container Firewall page, click the Protection management tab.
- In the cluster list of the Protection management tab, find a cluster whose blocking status is Abnormal or Normal to be confirmed, and perform the following operations to troubleshoot the issues based on the status:
- Abnormal
If the blocking status in the Interceptible status column is Abnormal, the switch in the Defensive status column is turned off. In this case, Security Center cannot provide the container firewall feature for the cluster.
You can click View on the right side of Abnormal to go to the Protection plug-in status panel. In the Protection plug-in status panel, you can check whether the AliNet plug-in is installed in the Installation status column and whether the AliNet plug-in is online in the Online status column. If Installation status or Online status of the AliNet plug-in is abnormal, the blocking status is Abnormal. You can perform the following operations to handle the abnormal status in Installation status and Online status:
- If the message in the Installation status column shows that a cluster node does not have the AliNet plug-in installed or the
message in the Online status column shows that the AliNet plug-in on a cluster node is offline, you can enable
the behavior prevention feature for the cluster. For more information about how to
enable the behavior prevention feature, see Use proactive defense.
- If you have enabled the behavior prevention feature for the cluster and the message
in the Installation status column shows that the cluster node does not have the AliNet plug-in installed, the
possible reason is that the kernel version of the operating system that your cluster
node runs does not support the AliNet plug-in. For more information about the operating
systems and kernel versions that support the AliNet plug-in, see Supported operating system versions.
You can also log on to the cluster and run the following command to check the installation
log of the AliNet plug-in. If the kernel version of the operating system that your
cluster node runs does not support the AliNet plug-in, the message install,driver file not exist
appears in the installation log.
cat /usr/local/aegis/PythonLoader/data/AliNet_config.log
- Normal to be confirmed
If the blocking status in the Interceptible status column is Normal to be confirmed, you have resolved the issues that cause the Abnormal status of the defense rule. In this case, you must check whether all defense rules that are created for the cluster are normal. For example, you can check whether all defense rules are enabled and whether priorities of defense rules are reasonable.
After you confirm that all defense rules are normal, you can click Recovery on the right side of Normal to be confirmed in the Interceptible status column. Then, the blocking status changes to Normal.
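The installation-log check from the Abnormal troubleshooting step, written as an added shell example that is not part of the original documentation: it looks for the install,driver file not exist message in the AliNet installation log and prints the node's kernel version next to the result, so the output can be compared against the supported kernel versions. The function names, status words and exit codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify one node's AliNet installation log.
# The log path and the message text come from the page; the function names,
# status words and exit codes are assumptions of this example.

ALINET_LOG=/usr/local/aegis/PythonLoader/data/AliNet_config.log
UNSUPPORTED_MSG='install,driver file not exist'

# check_alinet_log [LOGFILE]
# Prints one status word and returns:
#   0  ok                  log is readable and the message is not present
#   1  unsupported-kernel  log contains the driver-file-missing message
#   2  no-log              log is missing or unreadable on this node
check_alinet_log() {
    log=${1:-$ALINET_LOG}
    if [ ! -r "$log" ]; then
        echo "no-log"
        return 2
    fi
    # -F matches the message as a fixed string, not as a regular expression.
    if grep -qF -- "$UNSUPPORTED_MSG" "$log"; then
        echo "unsupported-kernel"
        return 1
    fi
    echo "ok"
    return 0
}

# report_node [LOGFILE]
# Prints a single line per node: node name, running kernel, log verdict.
report_node() {
    status=$(check_alinet_log "$1") || true
    printf '%s kernel=%s alinet=%s\n' "$(uname -n)" "$(uname -r)" "$status"
}

# Run on a cluster node; pass a different log path as the first argument if needed.
report_node "$@"
```

A result of no-log means the log could not be read at that path, which is different from a clean log: check the Installation status column for that node before concluding anything about the kernel.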