Agent Firewall is designed to manage the network traffic risks of intelligent agents at runtime. It covers traffic at their key network egress points, such as Elastic IP Addresses (EIPs). The system independently performs deep risk detection and enforced control at the network layer to meet business audit and traceability requirements.
Benefits
Asset discovery and management
Agent behavior control
Event triggering and log auditing
Challenges addressed
Invisible assets and control blind spots: Agent instances are growing in an uncontrolled manner without global visibility. Enterprises cannot determine the actual deployment scale of agents, public network egress paths, or tool permissions being invoked, resulting in unclear asset inventories and security control blind spots.
External interaction and supply chain risks: Agents that connect to unauthorized or insecure model services and access the external Internet without controls can easily cause data boundary violations. Additionally, MCP Skills are exposed to supply chain poisoning and may contain malicious instructions, and sensitive credentials such as AK/SK can be leaked to LLMs through prompts or tool return values.
Fragmented security operations and lack of auditing: Security events of various types are isolated and fragmented, lacking a unified management and response mechanism. Furthermore, the system lacks the ability to audit agent behavior throughout the full lifecycle, making it unable to meet the requirements for security event traceability and compliance review.
Enable Agent Firewall
To use Agent Firewall, follow these steps to enable it.
After enabling Agent Firewall, the following impacts and changes will occur:
Feature linkage: Since Agent Firewall depends on Agentic NDR capabilities, the system will enable the Agentic NDR encrypted traffic security detection feature by default.
Billing information: Enabling protection for assets also consumes the instance specifications of both Internet Firewall and Agentic NDR. Agentic NDR protects assets only in certain regions. For details, see Supported regions. For users who have not yet enabled Agentic NDR, the rules under different billing methods are as follows:
Subscription Cloud Firewall: After enabling the traffic redirection switch, you can enable NDR Traffic Mirroring for up to three Agent Network Environments free of charge. This edition supports only Agent Firewall features and does not support other Agentic NDR features beyond asset onboarding.
Pay-as-you-go Cloud Firewall: After enabling the traffic redirection switch, the system automatically provisions a pay-as-you-go Agentic NDR instance, which incurs additional charges.
Log on to the Cloud Firewall console.
In the left-side navigation pane, choose Agent Firewall, then click Enable Now, and follow the on-page instructions to complete the operation.
After activation is complete, you can proceed with the following:
Runtime environment: View your agent assets and enable protection for them.
Behavioral control: View built-in rules and configure custom rules to control agent behavior.
Security events: View and handle security events that match rules.
Audit logs: View full agent behavior and traffic logs.
Disable Agent Firewall
Log on to the Cloud Firewall console.
In the left-side navigation pane, choose Agent Firewall > Runtime Environment.
Click Disable Agent Firewall in the upper-right corner of the page and follow the prompts to complete the operation. After Agent Firewall is disabled, agent assets are no longer protected.