The Security Operations Agent uses Large Language Model (LLM) capabilities to analyze your service traffic logs from the last seven days. The agent automatically identifies access relationships, such as source and destination IP addresses, protocols, and ports. Based on this analysis, the agent generates precise policy suggestions for your Access Control List (ACL) rules. This feature simplifies ACL configuration, helps you avoid security risks caused by redundant rules, incorrect priorities, or overly permissive settings, and improves the efficiency and accuracy of your policy configuration.
The Security Operations Agent feature is in public preview and is free of charge for a limited time. The feature is subject to change. If you have any questions or suggestions, contact your account manager.
Features
Intelligent policy recommendations
The agent uses deep learning on historical traffic logs to automatically generate highly relevant ACL policy suggestions that are precisely adapted to your service scenarios.
Visualized decision support
Visualized statistics for high-frequency access traffic and policy hit counts provide an intuitive overview of traffic features to support precise decision-making for policy configuration.
Continuous adaptive optimization
The agent continually learns from changes in your service traffic and automatically proposes ACL policy optimization suggestions based on the latest logs. This ensures that your security policies remain synchronized with your business requirements.
Secure and controllable optimization
All optimization suggestions are for reference only and do not automatically take effect or modify existing ACL policies. This ensures business stability and operational security.
Applicable Scope
The Security Operations Agent can generate ACL policies for Internet firewalls and NAT firewalls.
Policy generation is based on service traffic logs. You must enable the log analysis feature and ensure that at least seven days of historical traffic data is available to guarantee accurate policy suggestions.
Enable Security Operations Agent
Log on to the Cloud Firewall console.
In the navigation pane on the left, choose .
Click Enable Now. In the dialog box that appears, click OK. After you activate the feature, the system automatically enables traffic log delivery for Internet firewalls and NAT firewalls and starts to collect and analyze historical traffic data.
Note: If the Log Analysis feature is not enabled, click Enable Log Analysis to activate it. Ensure that Log Delivery is enabled.
If you disable the log analysis feature, the Security Operations Agent feature is automatically disabled.
View and Apply Policies Generated by Security Operations Agent
After you enable the Security Operations Agent feature, you can view the policies that it generates.
View policies for Internet firewalls: On the Security Operations Agent page, click the Internet Border Generated Policies tab. Click Outbound or Inbound to view the policies generated by the agent.
View policies for NAT firewalls: On the Security Operations Agent page, click the NAT Border Generated Policies tab. By default, the policies generated by the agent for All NAT Instances are displayed. You can also select a specific NAT firewall instance to view the policies generated for that instance.
Each generated policy includes the following information: Source Address, Destination Address, Port, Protocol, Traffic Logs (Last 7 Days), Hits, Priority, Validity, and Agent Generation Reason. You can perform the following operations on these policies:
Apply a policy directly: If a policy is reasonable and accurate, click Apply Policy. In the dialog box that appears, click OK. After you apply the policy, you can view it in the policy list on the Internet Border or NAT Border tab under Prevention Configuration > Access Control.
Modify a policy before you apply it: If a policy requires adjustment, click Custom Application Policy to modify its content. For more information about the items that you can modify, see Configure Internet Border Access Control Policies and Configure NAT Border Access Control Policies. After you modify the policy, click OK to apply it.
Delete a policy: If a policy is invalid or unreasonable, click Delete Policy to remove it. To delete multiple policies at a time, select the policies and click Batch Delete at the bottom of the page. After a policy is deleted, it is removed from the list.
Address book creation rules:
If you apply a policy directly and it contains multiple source IP addresses, destination IP addresses, or ports, the system automatically creates an address book.
If you customize a policy that contains multiple source IP addresses, destination IP addresses, or ports, you must manually specify a name and description to create an address book.
Policy configuration rules: By default, the Priority of a generated policy is set to Highest. The agent does not generate policies with an Action of Deny. If these default settings do not meet your business requirements, you can manually adjust the policy content.
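The following script is an added illustration of the kind of aggregation and review described above; it is not Cloud Firewall's own code and makes no claim about how the agent's model works internally. It reads constructed flow records (the field names, addresses and the fixed "current time" are assumptions), keeps only the last seven days, groups flows by destination, protocol and port into Allow suggestions with hit counts and a generation reason, and then applies two checks a reviewer would want before clicking Apply Policy: whether an existing Allow rule already covers the suggestion (a redundant rule), and whether the suggestion carries multiple sources and therefore needs an address book.

```python
"""Hypothetical illustration of log-based ACL suggestions and their review.
Not Cloud Firewall's own code; field names and sample records are constructed."""
from collections import Counter
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample flow records (not real traffic logs).
SAMPLE_LOGS = [
    {"time": "2024-05-07T09:00:00", "src": "10.0.1.5", "dst": "203.0.113.10", "proto": "TCP", "dport": 443},
    {"time": "2024-05-07T09:05:00", "src": "10.0.1.5", "dst": "203.0.113.10", "proto": "TCP", "dport": 443},
    {"time": "2024-05-06T11:00:00", "src": "10.0.1.6", "dst": "203.0.113.10", "proto": "TCP", "dport": 443},
    {"time": "2024-05-05T08:30:00", "src": "10.0.2.9", "dst": "198.51.100.7", "proto": "UDP", "dport": 53},
    {"time": "2024-05-05T08:31:00", "src": "10.0.2.9", "dst": "198.51.100.7", "proto": "UDP", "dport": 53},
    {"time": "2024-04-20T08:00:00", "src": "10.0.3.1", "dst": "192.0.2.77", "proto": "TCP", "dport": 22},    # older than 7 days
    {"time": "2024-05-04T23:59:00", "src": "10.0.4.2", "dst": "192.0.2.88", "proto": "TCP", "dport": 8080},  # seen only once
]

# Fixed "current time" (assumption) so the seven-day window is deterministic.
NOW = datetime(2024, 5, 8, 0, 0, 0)

# Constructed: an already-deployed Allow rule for the DNS resolver.
EXISTING_RULES = [
    {"source": "10.0.0.0/16", "destination": "198.51.100.7/32", "proto": "UDP", "port": 53, "action": "Allow"},
]


def aggregate_flows(logs, now=NOW, days=7):
    """Count (src, dst, proto, dport) tuples seen within the last `days` days."""
    cutoff = now - timedelta(days=days)
    hits = Counter()
    for rec in logs:
        if datetime.fromisoformat(rec["time"]) < cutoff:
            continue  # outside the analysis window
        hits[(rec["src"], rec["dst"], rec["proto"], rec["dport"])] += 1
    return hits


def suggest_policies(hits, min_hits=2):
    """Group flows by (dst, proto, port) into Allow suggestions, most-hit first.
    Groups with fewer than `min_hits` total hits are dropped as too weak to suggest."""
    groups = {}
    for (src, dst, proto, dport), n in hits.items():
        g = groups.setdefault((dst, proto, dport), {"sources": set(), "hits": 0})
        g["sources"].add(src)
        g["hits"] += n
    policies = []
    for (dst, proto, dport), g in groups.items():
        if g["hits"] < min_hits:
            continue
        policies.append({
            "source": sorted(g["sources"], key=ip_address),
            "destination": dst,
            "protocol": proto,
            "port": dport,
            "hits": g["hits"],
            "action": "Allow",      # only Allow suggestions are produced here
            "priority": "Highest",  # default priority; adjust manually if needed
            "reason": f"{g['hits']} hits from {len(g['sources'])} source(s) in the last 7 days",
        })
    policies.sort(key=lambda p: p["hits"], reverse=True)
    return policies


def is_redundant(policy, existing_rules):
    """True if an existing Allow rule already covers every source, the destination, protocol and port."""
    dst = ip_address(policy["destination"])
    for rule in existing_rules:
        if rule["action"] != "Allow" or rule["proto"] != policy["protocol"] or rule["port"] != policy["port"]:
            continue
        if dst not in ip_network(rule["destination"]):
            continue
        src_net = ip_network(rule["source"])
        if all(ip_address(s) in src_net for s in policy["source"]):
            return True
    return False


def review(policies, existing_rules):
    """Attach reviewer notes: redundant suggestions and multi-source suggestions needing an address book."""
    reviewed = []
    for p in policies:
        notes = []
        if is_redundant(p, existing_rules):
            notes.append("redundant: already covered by an existing Allow rule")
        if len(p["source"]) > 1:
            notes.append(f"address book needed for {len(p['source'])} sources")
        reviewed.append({**p, "notes": notes})
    return reviewed


if __name__ == "__main__":
    for p in review(suggest_policies(aggregate_flows(SAMPLE_LOGS)), EXISTING_RULES):
        print(p["source"], "->", p["destination"], p["protocol"], p["port"],
              "| hits:", p["hits"], "| reason:", p["reason"], "| notes:", p["notes"])
```

Run as-is, the script drops the record older than seven days and the single-hit flow, emits two suggestions, and flags the DNS suggestion as redundant with the existing rule while marking the HTTPS suggestion as needing an address book for its two sources. Real log schemas differ from the constructed records; the grouping and the redundancy check are the parts worth carrying over.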
Daily O&M
At the top of the Security Operations Agent page, you can view the following information:
Number of policies generated by the agent: In the Agent-Generated Policies area, you can view the values for Total Policies, Internet Firewall Policies, and NAT Firewall Policies.
Number of deployed policies: In the Agent-Generated Policies area, you can view the Applied Policies. Click View Deployment Records to view the details of deployed policies. Policies that are applied directly are tagged as Apply Policies. Policies that are applied after modification are tagged as User Modified.
Policy update status: The agent automatically updates policies every seven days. You cannot customize the update frequency. In the Policy Update Status area, you can view the time of the last policy update and the estimated time of the next update.