This topic describes how to use the Intrusion Protection System (IPS) to identify risks that access control rules alone cannot catch, monitor the north-south traffic of public IP addresses against intrusion defense rules, and keep CVM vulnerabilities from being exploitable from the Internet.
Selecting a protection mode
2. On the Intrusion protection system page, configure the protection mode in the Protection mode module.
Three protection modes are available: Observe, Block, and Strict.
Note:
The default protection mode is Observe. In this mode nothing is blocked, so alerts must be triaged manually.
In the Observe mode, threat intelligence, basic protection, and virtual patching only detect malicious access or network attacks and send alerts; connections are not interrupted.
In the Block mode, threat intelligence automatically blocks outbound malicious access (inbound intelligence hits are only alerted), basic protection blocks only the network attacks that trigger high-confidence rule alerts, and virtual patching blocks all traffic detected as vulnerability exploitation.
In the Strict mode, threat intelligence (except outbound domain name detection), basic protection, and virtual patching block every detected malicious behavior that triggers an alert and interrupt the connection. Because every alert becomes a block, Strict mode is the most likely to block legitimate traffic (false positives); enable it only while an asset is actively under attack, and switch back once the attack is over.
3. Click Advanced settings on the right side of the Protection mode module.
4. In the Advanced settings window displayed, configure the protection mode for each asset under Edge firewall, NAT firewall, and Inter-VPC firewall respectively.
IPS overview
2. On the right side of the Intrusion protection system page, Feature updates and the Intelligence center are displayed.
Feature updates: lists the capabilities of each IPS module (threat intelligence, basic protection, and virtual patching).
Intelligence center:
2.1.1 Click Intelligence center in the upper right corner of Feature updates to view security threat intelligence.
2.1.2 In the Intelligence center window displayed, click an intelligence title to view the vulnerability description and threat level. You can also scan your assets for the threats reported in that vulnerability intelligence item.
Managing lists
2. At the bottom of the Intrusion protection system page, you can view the Blocklist, Allowlist, and Quarantined list.
Blocklist
Viewing the blocklist
1. Click Blocklist to enter the blocklist.
2. In the blocklist, you can view the IP addresses marked as "Blocked" in Alert Management -> Attack alerts and their information. You can also manually add IP addresses to the blocklist.
Disabling the blocklist
1. In case of emergency, toggle off Enable blocklist, and then go to Alert Management -> Blocked attacks to view all blocking statistics and locate the alert source.
2. After the fault is located and fixed, toggle on Enable blocklist again.
Managing the effective period in the blocklist
An IP address whose effective period expires is automatically removed from the blocklist, and its traffic is no longer blocked by the firewall. To keep a risky IP address from being removed automatically, click Edit in the Action column on the right side of the blocklist and extend its expiration time.
Note:
For IP addresses in the blocklist, all inbound and outbound traffic that passes through CFW is blocked and recorded in Log Auditing -> Intrusion Defense Logs.
Allowlist
Viewing the allowlist
1. Click Allowlist to enter the allowlist.
2. In the allowlist, you can view the IP addresses marked as "Allowed" in Alert Management -> Attack alerts and their information. You can also manually add IP addresses to the allowlist.
Note:
IP addresses in the allowlist bypass the IDPS entirely: no threat intelligence, basic protection, or virtual patching detection is applied to their traffic. Allowlist only addresses you control or trust, and keep the effective period as short as possible.
Managing the effective period in the allowlist
An IP address whose effective period expires is automatically removed from the allowlist, and its traffic no longer bypasses CFW IDPS. To keep a trusted IP address from being removed automatically, click Edit in the Action column on the right side of the allowlist and extend its expiration time.
Quarantined list
Viewing the quarantined list
1. Click Quarantined list to enter the quarantined list.
2. In the quarantined list, you can view the IP addresses marked as "Quarantined" in Alert Management -> Attack alerts -> Server compromised and their information.
Viewing rules
IP addresses of compromised servers are quarantined using security groups. Click View rules to go to the enterprise security group page and view the detailed rule information.
Managing the effective period in the quarantined list
An IP address whose effective period expires is automatically removed from the quarantined list, and the security group rules created for it are deleted as well, so the server is reachable again. To keep a compromised server quarantined, click Edit in the Action column on the right side of the quarantined list and extend its expiration time.
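The protection-mode descriptions and the three lists above together define a decision order: allowlisted addresses bypass detection, blocklisted addresses are blocked, and only the remaining traffic is judged by the Observe/Block/Strict matrix, with every list entry dropping out when its effective period expires. The following is an added example that models that order so you can check what a given mode and list state will do to a given flow; it is not Tencent Cloud code and does not call the CFW API. The class names, the `now` timestamp, the sample list entries, and the assumption that the allowlist is checked before the blocklist (the page does not state which list wins when an address is on both) are all mine.

```python
"""Policy model of the CFW IPS decision order described on this page.

Added example, not Tencent Cloud code. It encodes only what the page states
(allowlist bypass, blocklist block, the Observe/Block/Strict matrix, and
auto-removal on expiry); the allowlist-before-blocklist precedence is an
assumption made here because the page does not define it.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ListEntry:
    ip: str
    expires_at: datetime  # entry is auto-removed once this time has passed


@dataclass
class Detection:
    """One IPS hit. module is threat_intel, basic_protection or virtual_patch."""
    module: str
    direction: str            # "inbound" or "outbound" relative to the asset
    high_confidence: bool = False   # basic protection: high-confidence rule?
    domain_hit: bool = False        # threat intel: matched an outbound domain name


def active_ips(entries, now):
    """IPs whose effective period has not yet expired."""
    return {e.ip for e in entries if e.expires_at > now}


def expiring_within(entries, now, days):
    """Entries that will be auto-removed within `days`; extend these via Edit."""
    horizon = now + timedelta(days=days)
    return sorted(e.ip for e in entries if now < e.expires_at <= horizon)


def ips_action(mode, det):
    """Action the IPS takes on a detection under the given protection mode."""
    if mode == "Observe":
        return "alert"  # all three modules only alert
    if mode == "Block":
        if det.module == "threat_intel":
            return "block" if det.direction == "outbound" else "alert"
        if det.module == "basic_protection":
            return "block" if det.high_confidence else "alert"
        if det.module == "virtual_patch":
            return "block"  # all traffic detected as exploitation
    if mode == "Strict":
        # Everything that alerts is blocked, except outbound domain-name intel hits.
        if det.module == "threat_intel" and det.direction == "outbound" and det.domain_hit:
            return "alert"
        return "block"
    raise ValueError(f"unknown mode or module: {mode}, {det.module}")


def decide(mode, src, dst, detection, blocklist, allowlist, now):
    """Full decision for one flow through CFW.

    Returns "bypass" (IDPS skipped), "block" (blocklist or IPS block),
    "alert" (detected, not interrupted) or "pass" (no detection).
    """
    allow = active_ips(allowlist, now)
    block = active_ips(blocklist, now)
    if src in allow or dst in allow:
        return "bypass"      # allowlist entries skip the IDPS entirely
    if src in block or dst in block:
        return "block"       # blocklist blocks inbound and outbound traffic
    if detection is None:
        return "pass"
    return ips_action(mode, detection)


# Constructed sample state: one entry already expired, one expiring soon.
NOW = datetime(2024, 1, 1, 12, 0, 0)
BLOCKLIST = [
    ListEntry("203.0.113.10", NOW + timedelta(days=2)),    # still active
    ListEntry("203.0.113.11", NOW - timedelta(hours=1)),   # expired, auto-removed
]
ALLOWLIST = [ListEntry("198.51.100.5", NOW + timedelta(days=30))]
ASSET = "10.0.0.8"

if __name__ == "__main__":
    exploit = Detection("virtual_patch", "inbound")
    for mode in ("Observe", "Block", "Strict"):
        print(mode, decide(mode, "203.0.113.11", ASSET, exploit, BLOCKLIST, ALLOWLIST, NOW))
    print("expiring soon:", expiring_within(BLOCKLIST, NOW, 3))
```

Running it shows the expired blocklist entry falling through to the IPS, where the same exploit is alerted in Observe mode but blocked in Block and Strict, and `expiring_within` flags the entry whose period should be extended before it drops out.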
Backing up and rolling back rules
Click Backup rules to back up the current blocklist and allowlist rules. If a later change needs to be reverted, click Roll back to the right of the backup file to restore the rules from that backup.
1. On the Back up and roll back rules page, click Create backup, select Blocklist or Allowlist from the drop-down list, enter a description, and click OK to complete the backup.
2. To roll back rules, click Roll back on the right side of the backup list to restore the rules from the selected backup.