Updated on 2025-09-25 GMT+08:00

Configuring Virtual Patching

CFW can install hot patches for the IPS at the network layer to block remote attacks that exploit high-risk vulnerabilities in real time, and to avoid service interruptions caused by vulnerability fixes.

Updated rules are added to the virtual patch library first. You can determine whether to add the rules to the basic protection library.

Enable this function to apply the virtual patch rules as additional defense rules. You can manually modify the protection action.

Constraints

  • Intrusion prevention does not decrypt TLS- or SSL-encrypted traffic, so detection and defense are not supported for such traffic.

Impacts on Services

If IPS basic protection is enabled, a range of possible threats and suspicious traffic will be blocked. When changing the protection mode, you are advised to enable Observe mode first, check for false alarms for a period of time, and then switch to Intercept mode.

Enabling Virtual Patching

  1. Log in to the CFW console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. (Optional) Switch to another firewall instance. Select a firewall from the drop-down list in the upper left corner of the page.
  4. In the navigation pane, choose Attack Defense > Intrusion Prevention.
  5. Ensure Basic Protection is enabled.
  6. In the Virtual Patching area, click to enable protection.

Follow-up Operations

For details about the protection overview, see Viewing Attack Defense Information on the Dashboard. For details about logs, see Attack Event Logs.

Related Operations

  • Updating virtual patches: Click Update Virtual Patch in the Virtual Patching area. The system automatically starts the update. You can view the updated patch details 3 to 5 minutes after the update.
  • Viewing virtual patch details: Click View Virtual Patch in the Virtual Patching area. On the displayed page, you can view the virtual patch rule details, including the rule name, risk level, and attack type.
  • Disabling virtual patch protection: Click next to Virtual Patching.