Help Center/ Cloud Firewall/ User Guide/ Attack Defense/ IPS Rule Management/ Modifying the Protection Action of an Intrusion Prevention Rule
Updated on 2024-11-04 GMT+08:00

Modifying the Protection Action of an Intrusion Prevention Rule

For rules in the basic defense rule library and the virtual patch rule library, you can manually modify their protection actions. After the modification, their actions do not change with the IPS protection mode.

If the rules in the rule library cannot meet your requirements, you can customize IPS signature rules. For details, see Customizing IPS Signatures.

Constraints

The restrictions on modifying an IPS rule are as follows:
  • The action of a manually modified rule remains unchanged even if Protection Mode is changed.
  • The constraints on manually modified actions are as follows:
    • The actions of up to 3000 rules can be manually changed to observation.
    • The actions of up to 3000 rules can be manually changed to interception.
    • The actions of up to 128 rules can be manually changed to disabling.

Default Actions of Rule Groups in Different Protection Modes

-

Mode

Intercept mode - strict

Intercept mode - medium

Intercept mode - loose

Observe rule group

Observe

Disable

Disable

Disable

Strict rule group

Observe

Intercept

Disable

Disable

Medium rule group

Observe

Intercept

Intercept

Disable

Loose rule group

Observe

Intercept

Intercept

Intercept

  • Observe: The firewall records the traffic that matches the current rule in Attack Event Logs and does not block the traffic.
  • Intercept: The firewall records the traffic that matches the current rule in Attack Event Logs and blocks it.
  • Disable: The firewall does not log or block the traffic that matches the current rule.

Modifying the Action of a Basic Protection Rule

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation pane on the left, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed.
  4. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click View in the Operation column of a firewall to go to its details page.
  5. In the navigation pane, choose Attack Defense > Intrusion Prevention. Click View Effective Rules under Basic Protection. The Basic Protection tab is displayed.
  6. (Optional) To view the parameter details of a type of rules, set filter criteria in the input box above the list.
  7. Click an action in the Operation column.

    • Observe: The firewall logs the traffic that matches the current rule and does not block the traffic.
    • Intercept: The firewall logs and blocks the traffic that matches the current rule.
    • Disable: The firewall does not log or block the traffic that matches the current rule.
    Figure 1 Changing the current action
    • The action of a manually modified rule remains unchanged even if Protection Mode is changed. To restore the default action, select a rule and click Restore Default.
    • The constraints on manually modified actions are as follows:
      • The actions of up to 3000 rules can be manually changed to observation.
      • The actions of up to 3000 rules can be manually changed to interception.
      • The actions of up to 128 rules can be manually changed to disabling.

Related Operations

  • Restoring the default actions of some rules: On the Basic Protection tab, select rules and click Restore Default.
  • Restoring the default actions of all rules: On the Basic Protection tab, select rules and click Restore All Defaults.