
What Do I Do If Service Traffic is Abnormal?

Updated on 2024-12-31 GMT+08:00

This section describes how to locate and rectify the fault when your service traffic is abnormal and may have been interrupted by CFW.

Symptom

Service traffic is abnormal. For example:

  • An EIP cannot access the Internet.
  • A server cannot be accessed.

Troubleshooting Methods

Figure 1 Procedure of checking traffic exceptions
Table 1 Procedure of checking traffic exceptions

  1. Possible cause: traffic interruption not caused by CFW. Solution: see Cause 1: Traffic Interruption Not Caused by CFW.
  2. Possible cause: traffic blocked by protection policies. Solution: see Cause 2: Traffic Blocked by Protection Policies.
  3. Possible cause: traffic blocked by intrusion prevention. Solution: see Cause 3: Traffic Blocked by Intrusion Prevention.

Cause 1: Traffic Interruption Not Caused by CFW

You can disable protection on the CFW console and observe the service status. If the service does not recover, it indicates the traffic interruption was not caused by CFW.

To disable protection, perform the following steps:
If the problem persists after protection is disabled, check the following common fault causes:
  • Network fault: The route configuration is incorrect, or a network element (NE) is faulty.
  • Policy-based interception: Traffic is intercepted because of incorrect configurations of other security services, network ACLs, or security groups.

If you need assistance from Huawei Cloud, you can create a service ticket.

Cause 2: Traffic Blocked by Protection Policies

Traffic is probably blocked because a blocking rule is configured in the access control policy, or because normal services are blacklisted. In either case, CFW blocks the related sessions, causing service loss.

You can take the following measures:

In the Access Control Logs tab, search for logs about the blocked IP address or domain name.

  • If no records are found, see cause 3 in Table 1.
  • If a record is found, click the Rule column to go to the matched blocking policy.
    • If normal services are blacklisted, you can:
      • Delete the blacklist policy.
      • Add a whitelist policy for the IP address/domain name. (The whitelist takes precedence over the blacklist. After the whitelist policy is added, the blacklist policy becomes invalid and the traffic is directly permitted.)
    • If the traffic is blocked by a blocking rule, you can:
      • Find the blocking rule of the IP address or domain name in the access control rule list and disable the policy.
      • Modify the matching condition of the blocking policy and remove the IP address or domain name information.
      • Add a protection rule whose Action is Allow and Priority is Pin on top. For details, see Adding a Protection Rule.

Case

Handling process: Detect a fault -> Disable protection -> View logs -> Modify a policy -> Restore protection -> Confirm logs

The network O&M personnel of a company found that an ECS could not access the Internet through its bound EIP xx.xx.xx.94.

The firewall administrator took the following measures:

  1. To ensure that the IP address could still be used for external communication during fault locating, the firewall administrator logged in to the CFW console, chose Assets > EIPs, and disabled protection for the EIP.

    While protection is disabled, the traffic of the EIP is not processed by CFW and no related logs are displayed.
    Figure 2 EIPs

  2. The administrator chose Log Audit > Log Query and clicked the Access Control Logs tab, then searched for the blocking logs whose access source IP address was xx.xx.xx.94. A blocking rule named Block-Malicious-Outreach was found; this rule blocked traffic from that source IP address to the Internet.

    Figure 3 Filtering access control logs

  3. The administrator searched the access control policy list for "Source: xx.xx.xx.94; Action: Block; Direction: Outbound; Status: Enabled". Three enabled policies containing the IP address were found.

    One of them was the Block-Malicious-Outreach blocking rule. According to the value of its Hits column, a large number of sessions had been blocked.
    Figure 4 Searching for a protection rule
    CAUTION:

    According to Figure 4, there were three enabled rules whose source IP addresses contained xx.xx.xx.94: Block-xxx-com (highest priority), Block-Malicious-Outreach, and Allow-Asia (lowest priority). In addition to the blocking rule Block-Malicious-Outreach, the administrator checked whether the other two rules might intercept normal services.

    It turned out that the EIP had accessed suspicious IP addresses, so an administrator had configured a blocking rule for it, but the configured destination was incorrect. As a result, all outbound traffic was blocked by mistake (see the second protection rule in Figure 4).

  4. The administrator changed the destination address to a specific IP address that needs to be blocked, and enabled protection for the EIP on the Assets > EIPs page of the CFW console. After protection was restored, the traffic of the EIP was normally forwarded by CFW.
  5. The administrator viewed the external connection logs related to the IP address in the traffic logs and confirmed that the service was restored.
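As an added illustration of steps 2 and 3 of this case (not part of the original page and not CFW's own tooling), the following Python script runs the same triage over constructed log records and rules: it counts blocked sessions per rule for the affected EIP, lists the enabled outbound blocking rules whose source covers that IP, and flags any whose destination is the whole address space, which is the misconfiguration found here. The field names, sample addresses and rule contents are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample access control log records (not real CFW output; field names are assumptions).
ACCESS_CONTROL_LOGS = [
    {"src": "198.51.100.94", "dst": "203.0.113.7", "action": "Block", "direction": "Outbound", "rule": "Block-Malicious-Outreach"},
    {"src": "198.51.100.94", "dst": "203.0.113.8", "action": "Block", "direction": "Outbound", "rule": "Block-Malicious-Outreach"},
    {"src": "198.51.100.94", "dst": "203.0.113.9", "action": "Allow", "direction": "Outbound", "rule": "Allow-Asia"},
    {"src": "198.51.100.20", "dst": "203.0.113.7", "action": "Block", "direction": "Outbound", "rule": "Block-Malicious-Outreach"},
]
# Constructed protection rules in priority order; the second reproduces the case's mistake (dst left as 0.0.0.0/0).
RULES = [
    {"name": "Block-xxx-com", "src": "198.51.100.94", "dst": "example.com", "action": "Block", "direction": "Outbound", "enabled": True},
    {"name": "Block-Malicious-Outreach", "src": "198.51.100.0/24", "dst": "0.0.0.0/0", "action": "Block", "direction": "Outbound", "enabled": True},
    {"name": "Allow-Asia", "src": "198.51.100.94", "dst": "203.0.113.0/24", "action": "Allow", "direction": "Outbound", "enabled": True},
    {"name": "Old-Block", "src": "198.51.100.94", "dst": "0.0.0.0/0", "action": "Block", "direction": "Outbound", "enabled": False},
]

def _covers(ip, spec):
    """True if spec (a single IP or a CIDR) covers ip; domain-name specs never match an IP."""
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False

def blocked_sessions(logs, src_ip):
    """Step 2: access control records in which this source was blocked, counted per matched rule."""
    return Counter(r["rule"] for r in logs if r["src"] == src_ip and r["action"] == "Block")

def rules_covering(rules, src_ip, action="Block", direction="Outbound"):
    """Step 3: enabled rules of this action and direction whose source covers the IP, in priority order."""
    return [r for r in rules if r["enabled"] and r["action"] == action
            and r["direction"] == direction and _covers(src_ip, r["src"])]

def is_catch_all_destination(rule):
    """A block rule whose destination is the entire address space stops every
    outbound session of its sources, which is what happened in the case."""
    try:
        return ipaddress.ip_network(rule["dst"], strict=False).prefixlen == 0
    except ValueError:
        return False

def triage(logs, rules, src_ip):
    """Tie the log search to the rule list: which rules blocked the IP, how often,
    and which of them should be narrowed to a specific destination."""
    suspects = rules_covering(rules, src_ip)
    return {"hits": dict(blocked_sessions(logs, src_ip)),
            "candidate_rules": [r["name"] for r in suspects],
            "fix_destination": [r["name"] for r in suspects if is_catch_all_destination(r)]}
```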

Cause 3: Traffic Blocked by Intrusion Prevention

The protection mode of an intrusion prevention function, such as IPS, is too strict and blocks normal traffic.

You can take the following measures:

In the Attack Event Logs tab, search for logs about the blocked IP address or domain name.
  • If no records are found, submit a service ticket.
  • If a record is found, perform either of the following operations:
    • Copy the rule ID. In the corresponding module (such as IPS), set the protection mode of the rule with that ID to Observe. For details about the intrusion prevention module, see Configuring Intrusion Prevention.
    • Add the IP addresses that do not need to be protected by CFW to the whitelist. For details about how to configure the whitelist, see Adding an Item to the Blacklist or Whitelist.

Case

Handling process: Detect a fault -> Change the protection status -> View logs -> Confirm services -> Modify the policy -> Restore the protection status -> Confirm logs

The O&M personnel of a company found that a service on the server with IP address xx.xx.xx.90 could not be accessed. It was suspected that the service was blocked by the firewall.

The firewall administrator took the following measures:

  1. To quickly recover the service, the administrator logged in to the CFW console, chose Attack Defense > Intrusion Prevention, and changed the protection mode from Intercept mode - strict to Observe.

    During this period, the firewall did not intercept attack traffic but only logged the attack traffic.

  2. The administrator chose Log Audit > Log Query and clicked the Attack Event Logs tab. The logs about the access to the destination IP address xx.xx.xx.90 were displayed. The IPS rule whose ID was 331978 blocked the traffic.

    Figure 5 Filtering attack event logs

  3. The administrator clicked Details in the Operation column, clicked Payload Content on the details page, and created a packet capture task to verify that the service traffic was normal. The administrator then searched for the rule whose ID was 331978 in the list on the Basic Protection tab page, by referring to Modifying the Action of a Basic Protection Rule.

    Figure 6 Rule 331978

  4. The administrator clicked Observe in the Operation column. This rule did not block the traffic matching the signature but only logged the traffic.
  5. The administrator set the protection mode to Intercept mode - strict and went to the Basic Protection tab to confirm that the Current Status of the rule 331978 was still Observe.
  6. In the Attack Event Logs tab, after the service session matched the rule, the Action of the log was Allow. The service was restored.

Submitting a Service Ticket

If the preceding methods cannot solve your problem, submit a service ticket.
