Cloud Firewall: Runtime environment

Last Updated: May 28, 2026

When AI agents communicate with external services, their network traffic needs inspection and their behavior requires monitoring. After enabling the Agent Firewall, you must enable protection for the runtime environments of your agent assets. This topic describes how to view the asset overview on the Agent Runtime Environment page and enable traffic diversion protection.

Prerequisites

Before proceeding, ensure that you have enabled the Agent Firewall (see Enable Agent firewall).

Enable protection for an Agent

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, choose Agent Firewall > Runtime Environment.

  3. The agent asset list appears at the bottom of the page, showing the Agent Network Environment, Running Workload, Associated Agents, and Associated Skills/Tools columns. Use the search bar at the top to filter assets by Running Workload, Protection Status, or Public IP Address. If the target asset does not appear in the list, click Synchronize Assets to synchronize the asset list.

  4. To protect a target asset with the Agent Firewall, enable protection for its runtime environment. Click View Protection Settings in the Protection Status column for the target Agent Network Environment, and then turn on the traffic diversion switch.

    Important

    After you turn on the traffic diversion switch, the system attempts to enable Cloud Firewall Traffic Diversion and NDR Traffic Mirroring for the corresponding asset. These two features consume the instance quotas of Internet Firewall and Agentic NDR, respectively. If an instance quota has reached its upper limit, the corresponding feature fails to enable. For full protection coverage, we recommend enabling both features so that the asset reaches the Full Protection state.

    For users without Agentic NDR enabled (protection is limited to specific regions; refer to Supported regions), billing rules by payment method are as follows:

    • Subscription Cloud Firewall: After you turn on the traffic diversion switch, you can enable NDR Traffic Mirroring for up to three Agent Network Environments free of charge. This edition supports only Agent Firewall features and does not support other Agentic NDR features beyond asset onboarding.

    • Pay-as-you-go Cloud Firewall: After you turn on the traffic diversion switch, the system automatically provisions a pay-as-you-go Agentic NDR instance, which incurs additional charges.

View Agent protection status

  • View protection overview: At the top of the Runtime Environment page, you can view the counts for Agent Network Environment, Fully Protected, Partial Protection, Unprotected, and Associated Agents.

  • View agent details: In the agent asset list at the bottom of the page, you can perform the following operations:

    • Click the icon in the Associated Agents column for the Agent Network Environment to view the names and types of agents.

    • In the Associated Skills/Tools column, click the corresponding icon to view associated skills or associated tools.

What to do next

After you enable protection for an agent, the firewall automatically activates Data Leak Detection, Skill File Threat Detection, and Behavior and Traffic Auditing.

To maximize protection effectiveness, you must also manually configure the following rules:

  • Access Control: Controls which external services and IP addresses your agents are allowed to access.

  • Skill Usage Anomaly Detection: Monitors agent skill usage patterns and detects deviations from normal behavior.

  • Tool Call Anomaly Detection: Identifies unusual or unauthorized tool invocation patterns by agents.

For configuration details, see Create agent behavioral control rules (the rule configuration guide).