This topic provides solutions to common issues with Cloud Firewall network traffic analysis.
Why do many unknown internet service providers appear among my top traffic sources?
What do the intelligence tags on the Outbound Connection page mean?
What is the rule evaluation order for traffic protection in Cloud Firewall?
Issues related to traffic exceeding bandwidth limits
Why is unknown application traffic high?
Traffic may be classified as Unknown for the following reasons:
High volumes of inbound traffic from the internet may not use standard protocols. As a result, Cloud Firewall cannot identify the application type.
A destination server may block network traffic and send a large number of RST packets. These packets are recorded as inbound or outbound traffic. If the volume of these packets is high, they increase the proportion of Unknown traffic.
You can go to the Log Audit page and check the Event Logs or Traffic Logs tab to observe the source and purpose of the Unknown traffic. This information helps you identify any abnormal traffic.
Why do unknown ISPs appear in top traffic?
For inbound traffic from regions outside Chinese mainland, such as Hong Kong (China), Macao (China), and Taiwan (China), the firewall only displays the country or region name. As a result, the internet service provider is labeled as unknown.
You can go to the Traffic Logs tab of the Log Audit page to view the specific region and internet service provider associated with an IP address.
Intelligence tags
An intelligence tag is an attribute that Cloud Firewall automatically assigns to an outbound domain or destination IP address based on publicly available information. Examples include Malicious Download, Miner Pool, Threat Intelligence, First Time, Epoch, Popular Website, and DDoS Trojan. For more information about intelligence tags, go to the Outbound Connection page.
Malicious Download, Miner Pool, and Threat Intelligence: Indicate that Cloud Firewall has detected a threat associated with an outbound connection.
Note: You should promptly investigate outbound activities with these tags to check for false positives. If you confirm the activity is malicious, configure an access control policy to manage it. For more information, see Configure access control policies for the Internet firewall.
First Time: Indicates that Cloud Firewall has detected this outbound connection for the first time.
Epoch: Indicates that your asset periodically connects to the specified domain or destination IP address.
Popular Website: Indicates a domain frequently accessed by your servers or services.
DDoS Trojan: Indicates that Cloud Firewall has detected an outbound connection associated with a DDoS attack threat.
How do I troubleshoot traffic connectivity issues?
When traffic passes through Cloud Firewall, you may encounter the following issues:
You cannot log on to a server.
You cannot access services running on a server.
A server cannot access the internet.
To resolve these issues, investigate both the Internet firewall and the internal firewall.
Internet firewall
Verify that the Internet firewall is enabled for your asset.
Traffic passes through Cloud Firewall only after the Internet firewall is enabled. For more information about how to enable the firewall, see Internet firewall.
Note: If the Internet firewall is not enabled for your asset, traffic does not pass through Cloud Firewall. In this case, you must check for other issues, such as network connectivity problems.
Check the Traffic Logs tab for corresponding traffic records.
If no traffic logs are found, the traffic was dropped before reaching the firewall.
If traffic logs exist and the action is Discard, the traffic was dropped by the Internet firewall. In this case, find the corresponding traffic in the Event Logs list and check the Judgement Source column to identify the module that blocked the traffic.
If the source is Access Control, the traffic was blocked by one of your access control policies. Review and modify the policy configuration.
If the source is Basic Protection, Virtual Patching, or Threat Intelligence, the traffic was blocked by an intrusion prevention policy. You can go to the page to disable the responsible policy.
If traffic logs exist and the action is Allow or Monitor, the traffic was not dropped by the Internet firewall. In this case, you must continue to troubleshoot the internal firewall (security group) policy.
Internal firewall (security group)
Log on to the ECS console.
In the left-side navigation pane, choose .
Find the ECS instance that is experiencing connectivity issues. On the Security Group tab, go to the Security Group List tab and verify that the security group rules allow the traffic. The Authorization policy should be set to Allow.
Rule evaluation order
In Cloud Firewall, network traffic is evaluated against rules in the following order:
Access control policy (ACL)
If you enable an access control policy, the system first matches traffic against the policy's rules:
If traffic matches a rule with the Deny action, it is blocked immediately, and no further evaluation occurs.
If traffic matches a rule with the Allow or Monitor action, or if no ACL rules are matched, evaluation continues to the next stage.
Threat Intelligence (TI)
The system then matches traffic against the Threat Intelligence database:
If traffic matches a threat and the action is Block, the evaluation stops.
Otherwise, evaluation continues to the next stage.
Intrusion Prevention System (IPS) module
The Intrusion Prevention System (IPS) module evaluates traffic against the Basic Protection, Intelligent Defense, and Virtual Patching rule sets. These three rule sets have no specific priority, and the system matches traffic against all of them. If any rule triggers a Block action, the traffic is dropped. Otherwise, the traffic is allowed after all checks are complete.
The ACL, TI, and IPS modules are independent and evaluated sequentially. The evaluation process stops only when a module blocks the traffic. Otherwise, evaluation continues through all subsequent modules.
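The following is an added example (not Cloud Firewall's own code or data model) that models the three-stage order just described, so you can see why an ACL Allow or Monitor match does not exempt traffic from Threat Intelligence or IPS checks. The Packet, AclRule and Policy classes, the first-match ACL behaviour, and the sample rule-set contents are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Packet:
    dst: str
    port: int
    payload: str = ""

@dataclass
class AclRule:
    dst_prefix: str        # matches when Packet.dst starts with this prefix
    port: Optional[int]    # None matches any port
    action: str            # "Deny", "Allow" or "Monitor"

    def matches(self, p: Packet) -> bool:
        return p.dst.startswith(self.dst_prefix) and self.port in (None, p.port)

@dataclass
class Policy:
    acl: list = field(default_factory=list)      # ordered ACL rules (assumed first-match)
    ti_block: set = field(default_factory=set)   # destinations TI flags with action Block
    ips: dict = field(default_factory=dict)      # rule set name -> payload signatures that Block

def evaluate(p: Packet, policy: Policy):
    """Return (verdict, judgement_source) for one packet."""
    # Stage 1: ACL. Deny stops evaluation; Allow and Monitor both fall through.
    for rule in policy.acl:
        if rule.matches(p):
            if rule.action == "Deny":
                return "Block", "Access Control"
            break
    # Stage 2: Threat Intelligence. A Block verdict stops evaluation.
    if p.dst in policy.ti_block:
        return "Block", "Threat Intelligence"
    # Stage 3: IPS. The three rule sets have no priority among them;
    # any triggered Block drops the packet, otherwise it is allowed.
    for name, signatures in policy.ips.items():
        if any(sig in p.payload for sig in signatures):
            return "Block", name
    return "Allow", None

# Constructed sample policy; signatures are placeholder markers, not real rules.
POLICY = Policy(
    acl=[AclRule("10.0.0.", 22, "Deny"),
         AclRule("203.0.113.", None, "Allow"),
         AclRule("192.0.2.", None, "Monitor")],
    ti_block={"203.0.113.9"},
    ips={"Basic Protection": {"SIG-A"}, "Intelligent Defense": set(),
         "Virtual Patching": {"SIG-B"}},
)
```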
Internet exposure detection
Cloud Firewall analyzes inbound traffic data to detect anomalies, such as exposed public IP addresses, open ports, public-facing applications, and public IPs of cloud services. For more information about how to view internet exposure details, see Internet Exposure.
Traffic exceeding bandwidth limits
Handling traffic overages
If your service traffic exceeds the purchased bandwidth specification, the service level agreement (SLA) is not guaranteed. This overage can trigger service degradation, which may include but is not limited to: disabled security features like access control, IPS, and Log Audit; firewall bypass for high-traffic assets; and packet loss from rate limiting.
If you expect traffic to exceed your purchased limit, use the subscription elastic traffic pay-as-you-go feature.
For information about how to troubleshoot unusual traffic, see Troubleshoot unusual traffic on the Internet border.
For information about how to upgrade your bandwidth, see Renewal.
Configure traffic overage notifications
There are two types of notifications for traffic overages: Traffic Exceeding Notification and Traffic Exceeding Warning.
Traffic Exceeding Notification: Provides real-time statistics for the current day when traffic on any border (Internet border, VPC border, or NAT border) exceeds the limit.
Trigger logic: A notification is sent with a 10-minute delay after the limit is exceeded. Alerts are sent 24/7.
Sending logic: A notification is sent only once per day.
Note: If you use the subscription elastic traffic pay-as-you-go feature, you will no longer receive traffic overage notifications.
If you upgrade your bandwidth within 10 minutes of an overage, an alert is not triggered.
Traffic Exceeding Warning: Provides real-time statistics (with a 10-minute delay) when traffic exceeds a predefined threshold. Currently, Traffic Exceeding Warning is supported for the Internet border and VPC border. It is not available for the NAT border.
Trigger logic: The current traffic exceeds the configured warning threshold.
Warning content logic: The notification includes the peak bandwidth and the number of times the warning threshold was exceeded in the last 24 hours. An event is counted if the threshold is exceeded at any point within a 30-minute interval.
Sending logic: A warning is sent only once per day. If a Traffic Exceeding Notification has already been sent for the day, a warning is not sent.
Warnings are not sent if you have enabled the elastic traffic processing capability.
Warnings are sent between 08:00 and 20:00.
For information about supported notification types and how to configure them, see Alerting.
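The following is an added example (not Cloud Firewall's own code) that reproduces the Traffic Exceeding Warning content and sending logic above on constructed bandwidth samples, so you can check what a warning would report for a given day. The function names, the 10-minute sample series, and treating 20:00 as the exclusive end of the sending window are assumptions.

```python
from datetime import datetime, timedelta

INTERVAL = timedelta(minutes=30)

def warning_content(samples, threshold_mbps, now):
    """Peak bandwidth and number of 30-minute intervals in the last 24 hours
    in which the threshold was exceeded at any point."""
    window_start = now - timedelta(hours=24)
    recent = [(t, bw) for t, bw in samples if window_start < t <= now]
    peak = max((bw for _, bw in recent), default=0)
    # One event per 30-minute interval, however many samples in it exceed the threshold
    hit_intervals = {(t - window_start) // INTERVAL for t, bw in recent if bw > threshold_mbps}
    return peak, len(hit_intervals)

def should_send_warning(now, current_mbps, threshold_mbps, *, elastic_enabled=False,
                        notification_sent_today=False, warning_sent_today=False):
    if elastic_enabled:                 # elastic traffic processing enabled: no warnings
        return False
    if notification_sent_today or warning_sent_today:   # once per day; Notification wins
        return False
    if not 8 <= now.hour < 20:          # 08:00-20:00 sending window (20:00 exclusive assumed)
        return False
    return current_mbps > threshold_mbps

# Constructed 10-minute bandwidth samples in Mbit/s around a fixed "now".
NOW = datetime(2024, 1, 1, 9, 0)
SAMPLES = [
    (NOW - timedelta(hours=25), 500),    # outside the 24-hour window, ignored
    (NOW - timedelta(minutes=70), 150),
    (NOW - timedelta(minutes=65), 160),  # same 30-minute interval as the sample above
    (NOW - timedelta(minutes=40), 80),
    (NOW - timedelta(minutes=10), 120),
]

if __name__ == "__main__":
    peak, events = warning_content(SAMPLES, 100, NOW)
    print(f"peak={peak} Mbit/s, threshold exceeded in {events} interval(s)")
    print("send warning now:", should_send_warning(NOW, 120, 100))
```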
Handling untimely traffic overages
If you anticipate short-term traffic bursts that you cannot manage in time, use the subscription elastic traffic pay-as-you-go feature of Cloud Firewall.
The subscription elastic traffic pay-as-you-go feature is a post-paid model for traffic that exceeds the quota included in your subscription plan. This model lets you pay for excess traffic based on actual usage without changing your existing subscription billing method. For more information, see subscription elastic traffic pay-as-you-go.
This scenario does not apply to the pay-as-you-go edition, as all traffic is billed on a post-paid basis.
Maximum elastic traffic bandwidth
The default daily processing limit is 1,000,000 GB. Note: Cloud Firewall limits are based on traffic bandwidth and do not involve concepts like queries per second (QPS) or connection counts. For more information, see: subscription elastic traffic pay-as-you-go - Billing.