CFW Dashboard Templates
CFW is a next-generation cloud-native firewall. It protects Internet and VPC borders on the cloud by real-time intrusion detection and prevention, global unified access control, full traffic analysis, log audit, and tracing. CFW employs AI for intelligent defense, and can be elastically scaled to meet changing business needs, helping you easily handle security threats. It allows you to view the risk levels, affected ports, matched rules, and attack event types of detected dangerous traffic in attack event logs. You can also view all traffic allowed or blocked in access control logs to better adjust access control policies.
CFW dashboard templates include the CFW access log center, the CFW traffic log center, and the CFW attack log center.
Prerequisites
- Logs have been collected from CFW. For details, see Ingesting CFW Logs to LTS.
- Logs have been structured. For details, see Setting Cloud Structuring Parsing.
Viewing CFW Access Log Center
- Log in to the LTS console. In the navigation pane, choose Log Management.
- In the Log Applications area, click CFW Log Center and choose Go to the Dashboard.
- In the dashboard list, choose CFW dashboard templates under Dashboard Templates and click CFW access log center to view the chart details.
- The Blockage Trends (Internet Access) chart displays the blockage trend of Internet access. The associated query and analysis statement is:
select time_series(MILLIS_TO_TIMESTAMP(hit_time), 'PT1M', 'yyyy-MM-dd HH:mm:ss', '0') as t_time,COUNT(*) as frequency WHERE action='deny' AND direction='out2in' group by t_time order by t_time
- The Blockage Trends (Server-Originated Access) chart displays the blockage trend of server-originated access. The associated query and analysis statement is:
select time_series(MILLIS_TO_TIMESTAMP(hit_time), 'PT1M', 'yyyy-MM-dd HH:mm:ss', '0') as t_time,COUNT(*) as frequency WHERE action='deny' AND direction='in2out' group by t_time order by t_time
- The 5 Most Blocked Applications chart displays the top 5 applications with the most Internet access blocks. The associated query and analysis statement is:
SELECT app, COUNT(*) as frequency WHERE action='deny' AND direction='out2in' GROUP BY app ORDER BY frequency DESC LIMIT 5
- The 5 Most Blocked Destinations chart displays the top 5 destinations with the most Internet access blocks. The associated query and analysis statement is:
SELECT dst_ip, COUNT(*) as frequency WHERE action='deny' AND direction='out2in' GROUP BY dst_ip ORDER BY frequency DESC LIMIT 5
- The 5 Most Blocked Sources chart displays the top 5 sources with the most Internet access blocks. The associated query and analysis statement is:
SELECT src_ip, COUNT(*) as frequency WHERE action='deny' AND direction='out2in' GROUP BY src_ip ORDER BY frequency DESC LIMIT 5
- The 5 Most Blocked Applications (Server-Originated Access) chart displays the top 5 applications with the most server-originated access blocks. The associated query and analysis statement is:
SELECT app, COUNT(*) as frequency WHERE action='deny' AND direction='in2out' GROUP BY app ORDER BY frequency DESC LIMIT 5
- The 5 Most Blocked Destinations (Server-Originated Access) chart displays the top 5 destinations with the most server-originated access blocks. The associated query and analysis statement is:
SELECT dst_ip, COUNT(*) as frequency WHERE action='deny' AND direction='in2out' GROUP BY dst_ip ORDER BY frequency DESC LIMIT 5
- The 5 Most Blocked Sources (Server-Originated Access) chart displays the top 5 sources with the most server-originated access blocks. The associated query and analysis statement is:
SELECT src_ip, COUNT(*) as frequency WHERE action='deny' AND direction='in2out' GROUP BY src_ip ORDER BY frequency DESC LIMIT 5
Viewing CFW Traffic Log Center
- Log in to the LTS console. In the navigation pane, choose Log Management.
- In the Log Applications area, click CFW Log Center and choose Go to the Dashboard.
- In the dashboard list, choose CFW dashboard templates under Dashboard Templates and click CFW traffic log center to view the chart details.
- The Traffic Trends (Internet Access) chart displays the traffic trend of Internet access. The associated query and analysis statement is:
select time_series(MILLIS_TO_TIMESTAMP(start_time), 'PT1M', 'yyyy-MM-dd HH:mm:ss', '0') as t_time, SUM(to_s_bytes) AS 'Inbound', SUM(to_c_bytes) AS 'Outbound' WHERE direction='out2in' group by t_time order by t_time
- The Region Distribution of Inbound Internet Access (China) chart displays the distribution of inbound Internet access by region in China. The associated query and analysis statement is:
SELECT count(*) AS PV, ip_to_province(src_ip) AS province WHERE direction='out2in' and IP_TO_COUNTRY (src_ip) = 'China' GROUP BY province HAVING province not in ('','Reserved address','*') ORDER BY PV DESC
- The Region Distribution of Inbound Internet Access (Global) chart displays the distribution of inbound Internet access by region in the world. The associated query and analysis statement is:
SELECT count(*) AS PV, ip_to_country(src_ip) AS country WHERE direction='out2in' GROUP BY country HAVING country not in ('','Reserved address','*') ORDER BY PV DESC
- The Application Distribution of Internet Access chart displays the application distribution of Internet access. The associated query and analysis statement is:
SELECT app, COUNT(*) AS num WHERE direction='out2in' GROUP BY app ORDER BY num DESC
- The Top 5 Source IP Addresses chart displays the top 5 source IP addresses of Internet access. The associated query and analysis statement is:
select src_ip, SUM(bytes)/1024 as sum_bytes WHERE direction='out2in' GROUP BY src_ip ORDER BY sum_bytes DESC LIMIT 5
- The Top 5 Destination IP Addresses chart displays the top 5 destination IP addresses of Internet access. The associated query and analysis statement is:
select dst_ip, SUM(bytes)/1024 as sum_bytes WHERE direction='out2in' GROUP BY dst_ip ORDER BY sum_bytes DESC LIMIT 5
- The Traffic Trends (Server-Originated Access) chart displays the traffic trend of server-originated access. The associated query and analysis statement is:
select time_series(MILLIS_TO_TIMESTAMP(start_time), 'PT1M', 'yyyy-MM-dd HH:mm:ss', '0') as t_time, SUM(to_c_bytes) AS 'Inbound', SUM(to_s_bytes) AS 'Outbound' WHERE direction='in2out' group by t_time order by t_time
- The Destination Region Distribution of Server Originated Access (China) chart displays the destination region distribution of server-originated access in China. The associated query and analysis statement is:
SELECT count(*) AS PV, ip_to_province(dst_ip) AS province WHERE direction='in2out' and IP_TO_COUNTRY (dst_ip) = 'China' GROUP BY province HAVING province not in ('','Reserved address','*') ORDER BY PV DESC
- The Destination Region Distribution (Global) chart displays the destination region distribution in the world. The associated query and analysis statement is:
SELECT count(*) AS PV, ip_to_country(dst_ip) AS country WHERE direction='in2out' GROUP BY country HAVING country not in ('','Reserved address','*') ORDER BY PV DESC
- The Application Distribution (Server-Originated Access) chart displays the application distribution of server-originated access. The associated query and analysis statement is:
SELECT app, COUNT(*) AS num WHERE direction='in2out' GROUP BY app ORDER BY num DESC
- The Top 5 Source IP Addresses (Server-Originated Access) chart displays the top 5 source IP addresses of server-originated access. The associated query and analysis statement is:
select src_ip, SUM(bytes)/1024 as sum_bytes WHERE direction='in2out' GROUP BY src_ip ORDER BY sum_bytes DESC LIMIT 5
- The Top 5 Destination IP Addresses (Server-Originated Access) chart displays the top 5 destination IP addresses of server-originated access. The associated query and analysis statement is:
select dst_ip, SUM(bytes)/1024 as sum_bytes WHERE direction='in2out' GROUP BY dst_ip ORDER BY sum_bytes DESC LIMIT 5
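The two Traffic Trends statements above map the byte counters to Inbound and Outbound differently depending on direction. The following added example (not part of the original documentation or the LTS product) reproduces both statements offline over exported records so the dashboard figures can be cross-checked. The sample records are constructed, and UTC rendering and the padding range are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone

MINUTE_MS = 60_000  # 'PT1M' bucket width in milliseconds

# Constructed sample records; field names are the ones the queries above use.
SAMPLE = [
    {"start_time": 1700000000000, "direction": "out2in", "to_s_bytes": 500, "to_c_bytes": 1500},
    {"start_time": 1700000030000, "direction": "out2in", "to_s_bytes": 200, "to_c_bytes": 300},
    {"start_time": 1700000130000, "direction": "out2in", "to_s_bytes": 100, "to_c_bytes": 50},
    {"start_time": 1700000010000, "direction": "in2out", "to_s_bytes": 800, "to_c_bytes": 4000},
]

def traffic_trend(records, direction):
    """Return [(t_time, inbound, outbound)] per minute for one direction."""
    # The two dashboard queries swap the counters: for out2in the page sums
    # to_s_bytes as Inbound, for in2out it sums to_c_bytes as Inbound.
    if direction == "out2in":
        in_key, out_key = "to_s_bytes", "to_c_bytes"
    elif direction == "in2out":
        in_key, out_key = "to_c_bytes", "to_s_bytes"
    else:
        raise ValueError(f"unexpected direction: {direction!r}")

    buckets = defaultdict(lambda: [0, 0])
    for rec in records:
        if rec.get("direction") != direction:
            continue
        start = int(rec["start_time"]) // MINUTE_MS * MINUTE_MS
        buckets[start][0] += int(rec.get(in_key) or 0)   # missing counter counts as 0
        buckets[start][1] += int(rec.get(out_key) or 0)
    if not buckets:
        return []

    rows = []
    # Zero-fill empty minutes between the first and last record (assumption:
    # this mirrors the '0' padding argument; LTS pads over the query window).
    for start in range(min(buckets), max(buckets) + MINUTE_MS, MINUTE_MS):
        inbound, outbound = buckets.get(start, (0, 0))
        # Assumption: timestamps rendered in UTC; the console may use another zone.
        t_time = datetime.fromtimestamp(start / 1000, tz=timezone.utc)
        rows.append((t_time.strftime("%Y-%m-%d %H:%M:%S"), inbound, outbound))
    return rows

if __name__ == "__main__":
    for d in ("out2in", "in2out"):
        print(d, traffic_trend(SAMPLE, d))
```

A sustained gap between the Outbound series of the in2out trend and what the workload is expected to send is the figure to compare against the Top 5 Destination IP Addresses (Server-Originated Access) chart.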
Viewing CFW Attack Log Center
- Log in to the LTS console. In the navigation pane, choose Log Management.
- In the Log Applications area, click CFW Log Center and choose Go to the Dashboard.
- In the dashboard list, choose CFW dashboard templates under Dashboard Templates and click CFW attack log center to view the chart details.
- Attack Trends. The associated query and analysis statement is:
select time_series(MILLIS_TO_TIMESTAMP(event_time), 'PT1M', 'yyyy-MM-dd HH:mm:ss', '0') as t_time, count(*) as frequency group by t_time order by t_time
- Sources (China). The associated query and analysis statement is:
SELECT count(*) as PV,ip_to_province(src_ip) as province WHERE IP_TO_COUNTRY (src_ip) = 'China' GROUP BY province HAVING province not in ('','Reserved address','*')
- Sources (Global). The associated query and analysis statement is:
SELECT count(*) AS PV,ip_to_country(src_ip) AS country GROUP BY country HAVING country not in ('','Reserved address','*')
- Types. The associated query and analysis statement is:
SELECT attack_type, COUNT(*) as num GROUP BY attack_type ORDER BY num
- Top 5 Destinations. The associated query and analysis statement is:
SELECT dst_ip, COUNT(*) as frequency GROUP BY dst_ip ORDER BY frequency DESC LIMIT 5
- Top 5 Sources. The associated query and analysis statement is:
SELECT src_ip, COUNT(*) as frequency GROUP BY src_ip ORDER BY frequency DESC LIMIT 5