Updated on 2024-01-12 GMT+08:00

Checking the IPS Rule Library

Basic protection cannot be disabled, but its behavior can be changed through the protection mode. Basic protection functions scan traffic for attacks, threats, and vulnerabilities, such as phishing, Trojans, worms, hacker tools, spyware, password attacks, vulnerability exploits, SQL injection attacks, XSS attacks, and web attacks. They also check for exceptions in protocols, buffer overflows, access control, and suspicious DNS activities.

If the rules in the IPS rule library cannot meet your requirements, you can customize IPS signature rules. For details, see Customizing IPS Signatures.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. In the navigation pane, click and choose Security & Compliance > Cloud Firewall. The Dashboard page will be displayed, as shown in Figure 1.

    Figure 1 CFW Dashboard

  4. (Optional) If the current account has only one firewall instance, the firewall details page is displayed. If there are multiple firewall instances, click View in the Operation column to go to the details page.
  5. In the navigation pane, choose Attack Defense > Intrusion Prevention. Click Check Rules under Basic Protection. The Basic Protection tab is displayed.

    Figure 2 Checking rules

  6. Check basic protection rules. For more information, see Basic protection rule parameters.

    Figure 3 Basic protection rules
    Table 1 Basic protection rule parameters

    | Parameter | Description |
    |---|---|
    | ID | ID of a rule. |
    | Name | Name of a rule. |
    | Updated In | The year when the rule was updated. |
    | Description | Rule description. |
    | Risk Level | Risk level of a rule. It can be Low, Medium, High, or Fatal. |
    | CVE | CVE ID of the rule. |
    | Rule Type | Type of detected attacks, including vulnerability attacks, access control, and hacker tools. |
    | Affected Software | Software affected by the attack. |
    | Rule Group | Group that the rule belongs to. Its types are the same as those of Protection Mode, including Observe, Strict, Moderate, and Loose. |
    | Default Action | Default action of the current rule, which is determined by the current protection mode. The action can be Observe, Intercept, or Disable. |
    | Current Action | Operation performed by the firewall on the traffic that matches the current rule. If you click Restore All Defaults, the current actions of all the rules in the list will be restored to the default actions. Observe: The firewall logs the traffic that matches the current rule and does not block the traffic. Intercept: The firewall logs and blocks the traffic that matches the current rule. Disable: The firewall does not log or block the traffic that matches the current rule. |

  7. (Optional) To view the parameter details of a specific type of rule, set filter criteria in the input box above the list.
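
When reviewing the list, the rules that matter most are those whose Current Action is weaker than their Default Action, because Disable stops logging as well as blocking. The following is an added example, not part of the original documentation or of CFW: it assumes the rule rows have been transcribed into a list of records using the Table 1 field names, and all sample rows are constructed.

```python
# Added example: field names follow Table 1; the records are constructed,
# and the list-of-dicts input is an assumption (not a CFW export format).

# Enforcement strength of each action, per the Current Action description.
STRENGTH = {"disable": 0, "observe": 1, "intercept": 2}
RISK_ORDER = {"low": 0, "medium": 1, "high": 2, "fatal": 3}


def weakened_rules(rules):
    """Return rules whose current action is weaker than the default action,
    highest risk level first. Each finding notes whether logging was lost."""
    findings = []
    for rule in rules:
        default = rule["default_action"].strip().lower()
        current = rule["current_action"].strip().lower()
        if default not in STRENGTH or current not in STRENGTH:
            raise ValueError(f"rule {rule['id']}: unknown action")
        if STRENGTH[current] < STRENGTH[default]:
            findings.append({
                "id": rule["id"],
                "name": rule["name"],
                "risk_level": rule["risk_level"],
                "default_action": default,
                "current_action": current,
                # Disable stops logging as well as blocking.
                "logging_lost": current == "disable",
            })
    findings.sort(key=lambda f: (-RISK_ORDER[f["risk_level"].lower()], f["id"]))
    return findings


# Constructed sample rows (IDs and names are placeholders, not real CFW rules).
SAMPLE_RULES = [
    {"id": 1001, "name": "Example SQL injection rule", "risk_level": "High",
     "default_action": "Intercept", "current_action": "Observe"},
    {"id": 1002, "name": "Example hacker tool rule", "risk_level": "Medium",
     "default_action": "Observe", "current_action": "Observe"},
    {"id": 1003, "name": "Example exploit rule", "risk_level": "Fatal",
     "default_action": "Intercept", "current_action": "Disable"},
    {"id": 1004, "name": "Example protocol anomaly rule", "risk_level": "Low",
     "default_action": "Disable", "current_action": "Intercept"},
]

if __name__ == "__main__":
    for f in weakened_rules(SAMPLE_RULES):
        print(f"{f['risk_level']:<6} rule {f['id']} ({f['name']}): "
              f"{f['default_action']} -> {f['current_action']}"
              + (" [no logging]" if f["logging_lost"] else ""))
```

Rules that are stricter than their default (such as the constructed rule 1004) are not reported, since they do not reduce protection.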