This topic describes the operations in Alert Management. Log in to the Cloud Firewall console. In the Alert Management page, click Blocked attacks to open the Blocked attacks page. This page displays a trend chart of blocked attacks, blocked IPs, regions, and destination ports to help you analyze and protect your assets. Filtering blocked attacks
This section describes how to find the blocked attacks you want to view through filtering.
① Select the assets and regions for which you want to view the blocked attacks;
② Select Inbound, Lateral movement, or Outbound.
③ Select the intrusion defense policy and resolution status. You can filter the records by specifying Blocking history ranking, Page refresh frequency, and Blocking frequency statistics.
Note
The above describes the operations in the asset view. For more information about operations in the event view, please see Filtering alert events. Resolving blocked attacks
1. This section describes how to resolve blocked attacks. For more information about how to filter blocked attacks, please see "Filtering blocked attacks".
Note
To modify your operation, undo the operation in Intrusion defense -> Blocklist, Allowlist, or Quarantined list. 2. On the Blocked attacks page, you can search for different assets and IPs by selecting Inbound, Lateral movement, or Outbound.
You can pin or allow the access source IPs that have been blocked in the inbound direction. For the allowed IPs, you can select More -> Block to block them if necessary.
For the assets and IPs involving lateral movement attacks, you can view the blocking history here.
You can pin, allow, quarantine, block, or ignore the assets/IPs blocked by the Intrusion defense module in the outbound direction.
3. You can perform the following operations on different assets/IP addresses:
Pin to top/Unpin: You can pin or unpin assets. Note: A maximum of 5 items can be pinned for Outbound or Inbound.
Allow: Click Allow for an IP that does not need to be blocked. Then, select Reason, Direction, and Validity. The IP will be in the allowlist in the Intrusion defense module within the selected period. CFW allows traffic from the IP by skipping attack detection for the IP in Intrusion defense within the specified period. If you are not certain about whether the reason is "false positive", you can select Allow for emergency, and modify it later if necessary.
Block: For assets with a high threat level, click Block. Then, specify a validity period and direction to add the IP to the blocklist in Intrusion defense. CFW automatically blocks that IP from accessing all of your assets within the specified period.
Quarantine: Click Quarantine. When an asset instance is quarantined, the system automatically publishes the blocking rule for enterprise security groups to block network access to the selected asset in the specified blocking direction. This makes the subsequent troubleshooting easy and prevents the asset from being attacked.
Ignore: For repeated or possible false alerts, you can click Ignore. The ignored alert events are not included in the alert list and statistics, but their logs are retained. You are no longer notified of the ignored alert events when they trigger alerts again. You can select Ignored in the list to view all the ignored events. The "Ignore" operation is irreversible. Resolving false alerts
You can add the IP to the allowlist. On the Blocked attacks page, select the target asset/IP, click Allow, select False positive for Reason, and then click OK.
Searching for attack events from an IP
In the Asset view, place the pointer over the value of Access destination, Access source, or Asset name, and click Check in intrusion defense log to view all attack events.
Note
The figure above shows the process.
Viewing the blocked attacks for an asset
Method 1: Select the specified asset in the upper-left corner to filter the records.
Method 2: Select the target asset by clicking Event details -> Asset name to view its records of blocked attacks.
Viewing recently blocked attacks
The Blocked attacks page is automatically refreshed. Click in the upper part of the page, select Last blocked for Blocking history ranking, and then click OK* to view the recently blocked attacks.
Was this page helpful?