One-Click Blocking or Unblocking
Scenario
One-Click Blocking: You can configure a one-click blocking policy to block access from malicious IP addresses or unauthorized IAM users.
One-Click Unblocking: You can unblock IP addresses or IAM users that were blocked by one-click blocking policies with just a single click. This action only applies to alerts for which one-click blocking was successfully executed.
Emergency policies are used to quickly prevent attacks from malicious IP addresses. You can select a block type based on the alert source to block attackers. Table 1 lists recommended settings. You can also block an attack source based on the comprehensive investigation of multiple alerts.
Table 1 Recommended blocking policy by alert source

Alert Type | Defense Layer | Recommended Policy
---|---|---
HSS alerts | Server protection | VPC policies are recommended to block traffic.
WAF alerts | Application protection | WAF policies are recommended to block traffic.
CFW alerts | Network protection | CFW policies are recommended to block traffic.
IAM alerts | Identity authentication | IAM policies are recommended to block the IAM user.
OBS and DBSS alerts | Data protection | Use VPC or CFW policies, depending on the actual attack scenario and the investigation results, to disconnect the attack source from the protected resources.
This topic describes how to block or unblock attack sources quickly.
Limitations and Constraints
- In a workspace, you can add up to 300 emergency policies that use auto expiration (block aging), and a maximum of 2,500 emergency policies in total. Limits on the blocked objects you can add are as follows:
  - For a policy delivered to CFW, each delivery can add a maximum of 500 IP addresses as blocked objects per account.
  - For a policy delivered to WAF, each delivery can add a maximum of 500 IP addresses as blocked objects per account.
  - For a policy delivered to VPC, a maximum of 500 IP addresses per minute can be added as blocked objects per account.
  - For a policy delivered to IAM, each delivery can add a maximum of 500 IAM users as blocked objects per account.
- Once an IP address, IP address range, or IAM user is added to a blacklist, CFW, WAF, VPC, and IAM block requests from that IP address or user unconditionally, without checking whether the requests are malicious. Confirm that the object really is an attack source (and not, for example, a shared NAT address, a monitoring probe, or your own administrative account) before blocking it.
- To ensure system stability, a maximum of five emergency policy tasks can run at the same time. While five tasks are ongoing, no emergency policies can be added, retried, or edited.
- After an emergency policy is added, its policy type, object type, blocked objects (IP addresses, IP address ranges, domain names, or IAM usernames), and selected operation connections cannot be modified.
- If an IP address appears in both the blacklist and the whitelist of the same cloud service, the blacklist takes precedence and the address is blocked.
One-Click Blocking
- Log in to the SecMaster console.
- Click the icon in the upper left corner of the management console and select a region or project.
- Click the icon in the upper left corner of the page and choose Security & Compliance > SecMaster.
- In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.
Figure 1 Workspace management page
- In the navigation pane on the left, open the Alerts page.
Figure 2 Alerts
- In the alert list, locate the row that contains the target alert and choose Operation > One-Click Block in the Operation column. The One-Click Block panel is displayed on the right.
You can also go to the details page of the target alert and click One-Click Block on the top of the page.
- On the displayed page, configure the blocking policy.
Table 2 Parameters for a one-click blocking policy

Policy Type
Type of the policy. Select Block or Allow.
- Block: Access from the policy object is denied.
- Allow: Access from the policy object is allowed.

Object Type
If Policy Type is set to Block, Object Type can be IP, Account, or Domain name.
If Policy Type is set to Allow, Object Type can be IP or Domain name.
- IP: The policy object is an IP address or IP address range.
- Domain name: The policy object is a domain name.
- Account: The policy object is a cloud service account (IAM user).

Policy Object
One or more policy objects. Separate multiple objects with commas (,).
- If Object Type is IP, enter IP addresses or IP address ranges. Example: IPv4: 192.168.0.0 or 192.168.0.0/12; IPv6: 0:0:0:0:0:0:0:0 or 0:0:0:0:0:0:0:0/128.
- If Object Type is Domain name, enter domain names. Enter a maximum of 63 characters. Only letters, digits, hyphens (-), underscores (_), and periods (.) are allowed.
- If Policy Type is Block and Object Type is Account, enter the cloud service accounts (IAM usernames) to block.

Policy Application Scope
Select Current region and enterprise project or All regions and enterprise projects.

Operation Connection
Asset connections through which the emergency policy process delivers the policy. The available connections depend on Policy Type and Object Type:
- Block with Object Type IP: CFW, VPC, and WAF operation connections.
- Block with Object Type Account: IAM operation connections.
- Block with Object Type Domain name: CFW operation connections.
- Allow with Object Type IP: WAF operation connections.
- Allow with Object Type Domain name: CFW operation connections.

Auto Expiration
Whether the policy expires automatically.
- Yes: Set the policy expiration time.
- No: The policy remains valid until it is deleted.

Tag (Optional)
Tag of the custom emergency policy.

Policy Description (Optional)
Description of the custom policy.
- Click OK.
- After the policy is added, click the Emergency Policies tab from the navigation pane on the left. The emergency policy management page is displayed. Click the Task View tab to view the task execution progress in the task list.
- After the task is successfully executed, click the Policy View tab on the emergency policy management page to view the new policy in the policy list.
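Before pasting a list of attack sources into Policy Object, it is worth checking it against the constraints above: each delivery accepts at most 500 objects, the blacklist is enforced without any malice check, and a blacklist entry overrides a whitelist entry in the same service. The following helper is an added example and not SecMaster code. It validates candidate IP addresses, ranges and domain names against the format rules in Table 2, drops anything inside an operator-maintained list of trusted ranges (a hypothetical internal NAT and scanner range here), de-duplicates the rest and splits it into comma-separated strings of at most 500 objects, one per delivery. The sample sources and trusted ranges are constructed for the demonstration.

```python
"""Pre-flight helper for SecMaster one-click blocking (added example, not SecMaster code).

Policy Object takes comma-separated IP addresses or ranges, domain names or
IAM usernames, and each delivery to CFW, WAF, VPC or IAM may contain at most
500 objects (VPC: 500 per minute).  Because a blacklist entry is enforced
without checking whether traffic is malicious and overrides a whitelist entry
in the same service, candidates are first checked against trusted ranges.
"""
import ipaddress
import re

MAX_OBJECTS_PER_DELIVERY = 500                   # limit stated under Limitations and Constraints
DOMAIN_RE = re.compile(r"[A-Za-z0-9._-]{1,63}")  # Table 2: max 63 chars, letters/digits/-/_/.


def parse_ip_object(text):
    """Parse an IPv4/IPv6 address or CIDR range; return an ip_network or None.
    strict=False accepts ranges written with host bits set, e.g. 192.168.0.0/12."""
    try:
        return ipaddress.ip_network(text.strip(), strict=False)
    except ValueError:
        return None


def is_valid_domain(text):
    """True if the domain name satisfies the Table 2 character and length rule."""
    return DOMAIN_RE.fullmatch(text.strip()) is not None


def is_trusted(net, trusted):
    """True if the candidate overlaps any trusted range of the same IP version."""
    return any(net.version == t.version and net.overlaps(t) for t in trusted)


def prepare_ip_batches(candidates, trusted_ranges):
    """Validate, de-duplicate and filter candidate attack sources, then split
    them into comma-separated Policy Object strings of at most 500 objects.

    Returns (batches, rejected, skipped_trusted)."""
    trusted = [ipaddress.ip_network(t, strict=False) for t in trusted_ranges]
    accepted, rejected, skipped, seen = [], [], [], set()
    for raw in candidates:
        net = parse_ip_object(raw)
        if net is None:
            rejected.append(raw)            # the console would not accept this
        elif is_trusted(net, trusted):
            skipped.append(raw)             # never blacklist your own infrastructure
        elif net not in seen:
            seen.add(net)
            accepted.append(raw.strip())    # keep the operator's spelling of the object
    batches = [",".join(accepted[i:i + MAX_OBJECTS_PER_DELIVERY])
               for i in range(0, len(accepted), MAX_OBJECTS_PER_DELIVERY)]
    return batches, rejected, skipped


def prepare_domain_batches(candidates):
    """Same split for Object Type = Domain name; returns (batches, rejected)."""
    accepted, rejected = [], []
    for raw in candidates:
        (accepted if is_valid_domain(raw) else rejected).append(raw.strip())
    batches = [",".join(accepted[i:i + MAX_OBJECTS_PER_DELIVERY])
               for i in range(0, len(accepted), MAX_OBJECTS_PER_DELIVERY)]
    return batches, rejected


if __name__ == "__main__":
    # Constructed sample: sources collected from several alerts, including a
    # duplicate, a malformed entry and an address inside a trusted range.
    sources = ["198.51.100.7", "198.51.100.7", "203.0.113.0/24",
               "not-an-ip", "10.0.0.5", "2001:db8::1"]
    trusted = ["10.0.0.0/8"]                # hypothetical internal NAT / scanner range
    batches, rejected, skipped = prepare_ip_batches(sources, trusted)
    for n, batch in enumerate(batches, 1):
        print(f"Policy Object (delivery {n}): {batch}")
    print("rejected:", rejected, "skipped (trusted):", skipped)
```

Each string in `batches` is one Policy Object value; because a policy's objects cannot be modified after it is added, a list longer than 500 entries has to go into separate policies, and for VPC the deliveries must be spaced at least a minute apart.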
One-Click Unblocking
The One-Click Unblocking operation can be performed only on alerts for which the One-Click Blocking operation has been delivered and is successfully executed.
- Log in to the SecMaster console.
- Click the icon in the upper left corner of the management console and select a region or project.
- Click the icon in the upper left corner of the page and choose Security & Compliance > SecMaster.
- In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.
Figure 3 Workspace management page
- In the navigation pane on the left, open the Alerts page.
Figure 4 Alerts
- In the alert list, locate the row that contains the target alert, click More > One-Click Unblock in the Operation column.
You can also go to the details page of the target alert and click One-Click Unblock in the upper right corner of the page.
- In the displayed dialog box, enter the reason and click OK.
- After the unblocking is complete, click the Emergency Policies tab from the navigation pane on the left, and then click the Policy View tab. No unblocking policy appears in the policy list: one-click unblocking is equivalent to deleting the corresponding emergency policy.