Updated on 2025-07-23 GMT+08:00

Configuring Intrusion Prevention

CFW provides attack defense to help you detect common network attacks.

Constraints

  • Intrusion prevention does not decrypt TLS- or SSL-encrypted traffic, so it cannot detect or block attacks carried inside encrypted sessions. Only unencrypted protocol content is matched against the rule libraries.

Impacts on Services

When IPS interception is enabled, all traffic that matches the active rule library is blocked, including suspicious traffic that may turn out to be legitimate. Before switching to an Intercept mode, run in Observe mode for a period of time, review the attack event logs for false alarms, and adjust the affected rules; then switch to Intercept.

Intrusion Prevention System (IPS)

IPS inspects traffic in real time against rule libraries built from accumulated attack defense experience, blocking common network attacks to protect your assets.

IPS provides multiple types of rule libraries:
  • Basic protection: A built-in rule library. It covers common network attacks and provides basic protection capabilities for your assets. You can change the protection mode to change the protection status of the rule library. For details, see Adjusting the IPS Protection Mode to Block Network Attacks. For details about how to change the protection status of a single rule, see Changing the Protection Action of an Intrusion Prevention Rule.
  • Virtual patching: Hot patches applied by IPS at the network layer. They intercept high-risk remote attacks in real time so that services keep running while the underlying vulnerability is being fixed on the hosts. A virtual patch blocks the exploit traffic; it does not remove the vulnerability, so the vendor fix still has to be applied.

    Newly released rules are published to the virtual patch library first. You decide whether to promote them to the basic protection library.

    Enable virtual patching to apply these rules. The protection action of each rule can be modified manually.

  • Custom IPS signature (supported only by the professional edition): If the built-in rule library does not meet your requirements, you can define your own signature rules. For details, see Adding a Custom IPS Signature.

    Signature rules can be written for the HTTP, TCP, UDP, POP3, SMTP, and FTP protocols.

Adjusting the IPS Protection Mode to Block Network Attacks

  1. Log in to the management console.
  2. Click the region selector in the upper left corner of the management console and select a region or project.
  3. In the navigation pane on the left, click the service list and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
  4. (Optional) Switch to another firewall instance. Select a firewall from the drop-down list in the upper left corner of the page.
  5. In the navigation pane, choose Attack Defense > Intrusion Prevention.
  6. Ensure Basic Protection is enabled.
  7. In the Protection Mode area, select a protection mode.

    Table 1 Protection mode

    Protection Mode | Description
    ----------------|----------------------------------------------------------------------------------
    Observe         | Attacks are detected and recorded in logs but are not blocked.
    Intercept       | Attacks and abnormal IP address access are automatically blocked.
                    | • Intercept mode - loose: coarse protection granularity. Only attacks with high threat and high certainty are blocked.
                    | • Intercept mode - moderate: medium protection granularity. Meets protection requirements in most scenarios.
                    | • Intercept mode - strict: fine protection granularity. All attack requests are intercepted.

    NOTE:
    • You are advised to run in Observe mode for a period of time before changing to an Intercept mode. For details about how to view attack event logs, see Attack Event Logs.
    • If a rule blocks normal traffic, you can modify the action of that rule. For details, see IPS Rule Management.

    Whether a rule intercepts depends on the protection mode and on the rule group the rule belongs to. For details, see Table 2. For details about how to modify an IPS rule, see Changing the Protection Action of an Intrusion Prevention Rule.

    Table 2 Default actions of rule groups in different protection modes

    Rule group          | Observe | Intercept mode - strict | Intercept mode - moderate | Intercept mode - loose
    --------------------|---------|-------------------------|---------------------------|-----------------------
    Observe rule group  | Observe | Disable                 | Disable                   | Disable
    Strict rule group   | Observe | Intercept               | Disable                   | Disable
    Moderate rule group | Observe | Intercept               | Intercept                 | Disable
    Loose rule group    | Observe | Intercept               | Intercept                 | Intercept

    Disable means the rules in that group are not applied in that mode. The loose rule group (the high-threat, high-certainty rules) is intercepted in every Intercept mode; the strict rule group is intercepted only in Intercept mode - strict. In Observe mode every group logs and nothing is blocked.
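    The Observe-then-Intercept workflow above, and Table 2, as an added worked example (this is not CFW code and not the CFW attack event log format): the script encodes Table 2, replays constructed Observe-mode events against each Intercept mode, and reports what each mode would have blocked and which rules fired only from a trusted network, so that those rules can be given a per-rule Observe override before the switch. The field names rule_id and rule_group, the rule IDs, the IP addresses and the trusted network 10.1.2.0/24 (an internal vulnerability scanner) are all assumptions made for the example.

```python
"""Dry-run a CFW IPS protection-mode change against events collected in Observe mode.

Added example, not CFW code. The event records are constructed and their field
names are illustrative, not the CFW attack event log schema.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Table 2 from this page: DEFAULT_ACTION[rule_group][protection_mode].
# "Intercept" blocks, "Observe" logs only, "Disable" means the group is not applied.
DEFAULT_ACTION = {
    "observe":  {"observe": "Observe", "strict": "Disable",   "moderate": "Disable",   "loose": "Disable"},
    "strict":   {"observe": "Observe", "strict": "Intercept", "moderate": "Disable",   "loose": "Disable"},
    "moderate": {"observe": "Observe", "strict": "Intercept", "moderate": "Intercept", "loose": "Disable"},
    "loose":    {"observe": "Observe", "strict": "Intercept", "moderate": "Intercept", "loose": "Intercept"},
}

# Constructed sample of events recorded while the firewall ran in Observe mode.
OBSERVED_EVENTS = [
    {"rule_id": 1001, "rule_group": "strict",   "src_ip": "203.0.113.10", "dst_port": 80},
    {"rule_id": 1001, "rule_group": "strict",   "src_ip": "203.0.113.11", "dst_port": 80},
    {"rule_id": 2002, "rule_group": "moderate", "src_ip": "10.1.2.3",     "dst_port": 443},
    {"rule_id": 2002, "rule_group": "moderate", "src_ip": "10.1.2.3",     "dst_port": 8080},
    {"rule_id": 3003, "rule_group": "loose",    "src_ip": "198.51.100.7", "dst_port": 22},
    {"rule_id": 4004, "rule_group": "observe",  "src_ip": "203.0.113.10", "dst_port": 80},
]

# Assumed for the example: sources whose traffic is legitimate by definition
# (an internal vulnerability scanner). Rules that fire only on them are
# false-positive candidates.
TRUSTED_NETS = [ip_network("10.1.2.0/24")]


def effective_action(event, mode, overrides=None):
    """Action a rule takes in `mode`, honouring per-rule manual overrides
    (Changing the Protection Action of an Intrusion Prevention Rule)."""
    overrides = overrides or {}
    if event["rule_id"] in overrides:
        return overrides[event["rule_id"]]
    return DEFAULT_ACTION[event["rule_group"]][mode]


def dry_run(events, mode, trusted_nets=TRUSTED_NETS, overrides=None):
    """Report what switching to `mode` would have done to the observed events."""
    hits, trusted_hits, blocked = Counter(), Counter(), Counter()
    for ev in events:
        rid = ev["rule_id"]
        hits[rid] += 1
        if any(ip_address(ev["src_ip"]) in net for net in trusted_nets):
            trusted_hits[rid] += 1
        if effective_action(ev, mode, overrides) == "Intercept":
            blocked[rid] += 1
    # A rule that would block traffic and fired only on trusted sources is the
    # first thing to review (or set to Observe) before leaving Observe mode.
    fp_candidates = sorted(r for r in blocked if trusted_hits[r] == hits[r])
    return {
        "mode": mode,
        "blocked_total": sum(blocked.values()),
        "blocked_per_rule": dict(blocked),
        "false_positive_candidates": fp_candidates,
    }


if __name__ == "__main__":
    for mode in ("observe", "loose", "moderate", "strict"):
        print(dry_run(OBSERVED_EVENTS, mode))
    # Same run after rule 2002 is manually set to Observe, as you would do once
    # you have confirmed it only fires on the internal scanner.
    print(dry_run(OBSERVED_EVENTS, "moderate", overrides={2002: "Observe"}))
```

    Compare blocked_total across the modes to see how much the switch would have cut off; any rule listed in false_positive_candidates is one to set to Observe before leaving Observe mode. To use this on real data, replace OBSERVED_EVENTS with records exported from Attack Event Logs and map each rule to its rule group, which the example assumes is available for every record.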

Enabling Sensitive Directory Scan Defense

  1. Log in to the management console.
  2. Click the region selector in the upper left corner of the management console and select a region or project.
  3. In the navigation pane on the left, click the service list and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
  4. (Optional) Switch to another firewall instance. Select a firewall from the drop-down list in the upper left corner of the page.
  5. In the navigation pane, choose Attack Defense > Intrusion Prevention.
  6. Click Advanced at the bottom of the page. In the Sensitive Directory Scan Defense area, click the toggle to enable it.

    • Action:
      • Observe: Detected sensitive directory scanning attacks are only recorded in attack event logs.
      • Block session: If the firewall detects a sensitive directory scan attack, it blocks the current session.
      • Block IP: If CFW detects a sensitive directory scan attack, it blocks the attack IP address for a period of time.

        With Block IP, CFW blocks the source IP address for the configured duration, so all traffic from that address is dropped, not just the offending session. If the source sits behind NAT or a proxy, one blocked address can cut off many legitimate clients; evaluate the impact before choosing this action.

    • Duration: If Action is set to Block IP, you can set the blocking duration. The value range is 60s to 3,600s.
    • Threshold: CFW performs the specified action if the scan frequency of a sensitive directory reaches this threshold.

  7. Click OK.

Enabling Reverse Shell Defense

  1. Log in to the management console.
  2. Click the region selector in the upper left corner of the management console and select a region or project.
  3. In the navigation pane on the left, click the service list and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
  4. (Optional) Switch to another firewall instance. Select a firewall from the drop-down list in the upper left corner of the page.
  5. In the navigation pane, choose Attack Defense > Intrusion Prevention.
  6. Click Advanced at the bottom of the page. In the Reverse Shell Defense area, click the toggle to enable it.

    • Action:
      • Observe: Detected reverse shell attacks are only recorded in attack event logs.
      • Block session: If the firewall detects a reverse shell attack, it blocks the current session.
      • Block IP: If CFW detects a reverse shell attack, it blocks the attack IP address for a period of time.

        With Block IP, CFW blocks the source IP address for the configured duration, so all traffic from that address is dropped, not just the offending session. If the source sits behind NAT or a proxy, one blocked address can cut off many legitimate clients; evaluate the impact before choosing this action.

    • Duration: If Action is set to Block IP, you can set the blocking duration. The value range is 60s to 3,600s.
    • Mode:
      • Conservative: coarse-grained protection. The configured action (observe or intercept) is triggered only after four reverse shell detections in a single session. This mode is designed to avoid false positives.
      • Sensitive: fine-grained protection. The configured action is triggered after two reverse shell detections in a single session. This mode favors detecting and handling attacks promptly.

  7. Click OK.
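  The Sensitive Directory Scan Defense and Reverse Shell Defense settings above, as an added worked example covering both procedures (this is not CFW code; CFW's detection engines are not modelled and every packet below is constructed): the script models Action, Duration, Threshold and Mode as a per-key counter with expiring IP blocks, then runs two scenarios, a directory scan from behind a NAT address that shows the collateral damage the Block IP caveat warns about, and one reverse shell session evaluated in conservative and sensitive mode. The threshold value 3, the 60 s duration, the addresses, the session IDs and the `detected` flags (which stand in for "CFW flagged this packet") are assumptions made for the example.

```python
"""Model of the Action / Duration / Threshold / Mode settings of Sensitive Directory
Scan Defense and Reverse Shell Defense.

Added example, not CFW code. The detection engines are not modelled: the `detected`
flags are constructed and stand in for "CFW flagged this packet". The model shows
how the settings interact: a per-key counter (source IP for directory scans, session
for reverse shells) fires the configured action when the threshold is reached, Block IP
entries expire after `duration` seconds (60 to 3,600 per the page), and a Block IP
behind NAT or a proxy takes legitimate clients down with the attacker.
"""
from collections import defaultdict
from dataclasses import dataclass, field

OBSERVE, BLOCK_SESSION, BLOCK_IP = "Observe", "Block session", "Block IP"

# Reverse Shell Defense modes: detections in one session before the action fires.
REVERSE_SHELL_THRESHOLDS = {"conservative": 4, "sensitive": 2}


@dataclass
class Defense:
    action: str
    threshold: int
    duration: int = 600                                  # seconds; Block IP only
    counts: dict = field(default_factory=lambda: defaultdict(int))
    blocked_ips: dict = field(default_factory=dict)      # ip -> time the block lifts
    blocked_sessions: set = field(default_factory=set)
    events: list = field(default_factory=list)           # (time, ip, session, action)

    def __post_init__(self):
        if self.action == BLOCK_IP and not 60 <= self.duration <= 3600:
            raise ValueError("Duration must be 60s to 3,600s")
        if self.threshold < 1:
            raise ValueError("Threshold must be at least 1")

    def _expire(self, now):
        """Lift IP blocks whose duration has elapsed."""
        for ip, until in list(self.blocked_ips.items()):
            if now >= until:
                del self.blocked_ips[ip]

    def handle(self, now, src_ip, session, key, detected):
        """Process one packet; `key` is what the threshold counts (IP or session)."""
        self._expire(now)
        # Existing blocks apply to every packet, detected or not: this is the
        # collateral damage the NAT/proxy caveat is about.
        if src_ip in self.blocked_ips:
            return "dropped (IP blocked)"
        if session in self.blocked_sessions:
            return "dropped (session blocked)"
        if not detected:
            return "allowed"
        self.counts[key] += 1
        if self.counts[key] < self.threshold:
            return "allowed (below threshold)"
        self.counts[key] = 0                             # threshold reached: act, reset
        self.events.append((now, src_ip, session, self.action))
        if self.action == OBSERVE:
            return "allowed (logged)"
        if self.action == BLOCK_SESSION:
            self.blocked_sessions.add(session)
            return "dropped (session blocked)"
        self.blocked_ips[src_ip] = now + self.duration
        return "dropped (IP blocked)"


def sensitive_dir_scan_scenario():
    """Threshold 3, Block IP for 60 s, counted per source IP. Constructed: probes from
    three clients behind NAT address 203.0.113.5, then a legitimate client behind the
    same NAT address, then another one after the block has expired."""
    d = Defense(BLOCK_IP, threshold=3, duration=60)
    packets = [
        (0,  "203.0.113.5", "s1", True),    # GET /.git/config
        (1,  "203.0.113.5", "s2", True),    # GET /.env
        (2,  "203.0.113.5", "s3", True),    # GET /backup.sql -> threshold, IP blocked until t=62
        (3,  "203.0.113.5", "s4", False),   # legitimate GET /index.html, collateral
        (63, "203.0.113.5", "s5", False),   # duration elapsed, traffic allowed again
    ]
    return [d.handle(t, ip, sess, ip, det) for t, ip, sess, det in packets]


def reverse_shell_scenario(mode):
    """Block session, counted per session. Constructed: one session carrying three
    consecutive reverse shell indicators. Sensitive (2) blocks it on the second hit;
    conservative (4) never reaches its threshold for this session."""
    d = Defense(BLOCK_SESSION, threshold=REVERSE_SHELL_THRESHOLDS[mode])
    packets = [(t, "198.51.100.9", "sess-A", True) for t in range(3)]
    return [d.handle(t, ip, sess, sess, det) for t, ip, sess, det in packets]


if __name__ == "__main__":
    print(sensitive_dir_scan_scenario())
    for m in REVERSE_SHELL_THRESHOLDS:
        print(m, reverse_shell_scenario(m))
```

  The directory scan scenario is the case the Block IP caveat describes: the fourth packet comes from a different, legitimate client, but because it shares the NAT address it is dropped for the rest of the duration. The reverse shell scenario shows the trade-off between the two modes on the same session: sensitive blocks on the second indicator, conservative lets three indicators through because its threshold is four.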

Follow-up Operations

For details about the protection overview, see Viewing Attack Defense Information on the Dashboard. For details about logs, see Attack Event Logs.

References

For details about how to handle incorrect IPS blocking, see What Do I Do If IPS Blocks Normal Services?.