Updated on 2023-12-06 GMT+08:00

Viewing Protection Event Logs

For details about how to view attack traffic detected by the cloud firewall in attack logs, see Attack Event Logs.

You can also view all traffic allowed or blocked in access control logs to adjust access control policies. For details, see Access Control Logs.

Attack Event Logs

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation pane, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed, as shown in Figure 1.

    Figure 1 CFW Dashboard

  4. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click View in the Operation column to go to the details page.
  5. In the navigation pane, choose Log Audit > Log Query. The Attack Event Logs tab page is displayed. You can view details about attack events in the past week.

    Figure 2 Attack event logs
    Table 1 Attack event log parameters

    Parameter

    Description

    Time

    Time when an attack occurred.

    Attack Type

    Type of the attack event, including IMAP, DNS, FTP, HTTP, POP3, TCP, and UDP.

    Severity

    It can be Critical, High, Medium, or Low.

    Rule ID

    Rule ID

    Matched Rule

    Matched rule in the library.

    Source IP Address

    Source IP address of an attack event.

    Source Country/Region

    Geographical location of the attack source IP address.

    Source Port

    Source port of an attack.

    Destination IP Address

    Attacked IP address.

    Destination Country/Region

    Geographical location of the attack target IP address.

    Destination Port

    Destination port of an attack.

    Protocol

    Protocol type of an attack.

    Application

    Application type of an attack.

    Direction

    It can be outbound or inbound.

    Action

    Action taken on an event. It can be Observe, Block, or Allow.

    Operation

    You can click Details to view the basic information and attack payload of an event.

Access Control Logs

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation pane, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed, as shown in Figure 3.

    Figure 3 CFW Dashboard

  4. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click View in the Operation column to go to the details page.
  5. In the navigation pane, choose Log Audit > Log Query. Click the Access Control Logs tab and check the access control traffic details in the past week.

    Figure 4 Access control logs
    Table 2 Access control log parameters

    Parameter

    Description

    Received

    Time of an access.

    Source

    Source IP address of the access.

    Source Country/Region

    Geographical location of the source IP address.

    Source Port

    Source port for access control. It can be a single port or consecutive port groups (example: 80-443).

    Destination IP Address

    Destination IP address.

    Destination Country/Region

    Geographical location of the destination IP address.

    Destination URL

    Destination domain name.

    Destination Port

    Destination port for access control. It can be a single port or consecutive port groups (example: 80-443).

    Protocol

    Protocol type for access control.

    Action

    Action taken on an event. It can be Observe, Block, or Allow.

    Rule

    Type of an access control rule. It can be a blacklist or whitelist.