Agent Firewall provides three types of rules: Access Control, Anomaly Detection, and Data Leak Detection. This topic describes how to configure behavioral control rules to protect your assets after you enable Agent Firewall protection.
Create agent behavioral control rules
Before you perform the following operations, make sure that you have enabled protection for the target assets on the Runtime Environment page. Otherwise, the related rules do not take effect.
Go to the console: Log on to the Cloud Firewall console. In the left-side navigation pane, choose Agent Firewall > Guardrails.
Create Access Control rules: You can configure three types of rules: Model Restrictions, Network Protection, and Agent Outbound Control. Click Create Rule in the corresponding rule section to start the configuration. After a rule is created, the system automatically delivers the corresponding access control policy, whose policy name contains the CREATE_BY_AGENT_FIREWALL identifier.
Model Restrictions: Restricts the LLM model services that an agent can access based on domain name blocklists and allowlists, preventing access to unauthorized models (for example, denying access to api.openai.com).
Network Protection: Identifies public port exposure risks for agent workloads and prevents unauthorized external access.
Agent Outbound Control: Uses the Application Control feature to identify agent outbound behaviors and provide fine-grained control over outbound connections.
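The Model Restrictions rule type above is a domain blocklist evaluated against the host of each outbound model API request. The following Python is an added illustration of that matching logic, not Agent Firewall's own code; it assumes that a wildcard entry such as *.openai.com covers every subdomain but not the apex name, that a plain entry matches the host exactly, and that case, port and trailing dot are ignored. The blocklist and request URLs are constructed sample data.

```python
"""Illustrative evaluator for a Model Restrictions blocklist (added example,
not Agent Firewall's own code). Assumption: an entry like "*.openai.com"
matches any subdomain of openai.com but not the apex name itself, and a
plain entry like "api.openai.com" matches that host exactly."""
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Extract the lower-cased host from a URL or a bare host[:port] string."""
    if "://" not in url:
        url = "//" + url  # let urlsplit parse a scheme-less value
    return (urlsplit(url).hostname or "").rstrip(".")


def domain_matches(host: str, pattern: str) -> bool:
    """Return True if host is covered by one blocklist entry."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # "*.openai.com" -> ".openai.com"
        # The leading dot is what keeps "fakeopenai.com" from matching.
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def evaluate_model_restriction(url: str, blocklist: list[str]) -> dict:
    """Decide deny/allow for one outbound model API request."""
    host = host_of(url)
    for pattern in blocklist:
        if domain_matches(host, pattern):
            return {"host": host, "action": "deny", "matched": pattern}
    return {"host": host, "action": "allow", "matched": None}


def summarize(urls: list[str], blocklist: list[str]) -> dict:
    """Count decisions over a batch of requests, like a rule's hit counter."""
    decisions = [evaluate_model_restriction(u, blocklist) for u in urls]
    return {
        "hits": sum(1 for d in decisions if d["action"] == "deny"),
        "denied_hosts": [d["host"] for d in decisions if d["action"] == "deny"],
    }


# Constructed sample rule and traffic (not real captured data).
BLOCKLIST = ["api.openai.com", "*.example-llm.test"]
SAMPLE_REQUESTS = [
    "https://api.openai.com/v1/chat/completions",  # exact entry -> deny
    "https://API.OpenAI.com:443/v1/models",        # case and port ignored -> deny
    "https://eu.example-llm.test/v1/complete",     # wildcard subdomain -> deny
    "https://example-llm.test/",                   # apex, not covered by "*." -> allow
    "https://llm.internal.test/v1/complete",       # approved internal gateway -> allow
    "https://api.openai.com.lookalike.test/v1",    # longer host, suffix does not match -> allow
]

if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        print(evaluate_model_restriction(url, BLOCKLIST))
    print(summarize(SAMPLE_REQUESTS, BLOCKLIST))
```

The two "allow" cases at the end of the sample are the ones worth checking when you write your own entries: a wildcard does not cover the apex domain, so list it separately if you want it denied, and a host that merely contains a listed name is not a match.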
Model Restrictions
Protected Asset: Select the target objects for which protection has been enabled on the Runtime Environment page.
Rule Name and Description: Enter an easy-to-identify name and description.
Alert Type: Currently, only Blacklist is supported, which restricts agent access to the configured Matching Domain.
Matching Domain: Popular AI large model API service domain names (Base URLs) are listed below the input box for selection. You can also enter custom domain names, such as *.openai.com. A maximum of 2,000 entries are supported.
Network Protection
Protected Asset: Select the target objects for which protection has been enabled on the Runtime Environment page.
Rule Name and Description: Enter an easy-to-identify name and description.
Action: The following action types are supported:
Monitor: Allows the request and records a log in the Access Control module of Incidents.
Allow: Allows the request without recording an event log.
Deny: Blocks the request and records an event log.
Match Conditions: Enter the asset ports that you want to protect. A maximum of 2,000 ports are supported. Press Enter after you enter each port.
Agent Outbound Control
Protected Asset: Select the target objects for which protection has been enabled on the Runtime Environment page.
Rule Name and Description: Enter an easy-to-identify name and description.
Application Template: Select a custom template that has been created in Application Control.
Note: If you have not created a template, go to the Application Control feature module to configure one first.
Recommendation: To effectively inspect HTTPS-encrypted traffic, we recommend that you also enable the TLS Inspection feature.
Create Anomaly Detection rules: You can configure two types of rules: Skill Usage Anomaly Detection and Tool Call Anomaly Detection. Click Create Rule in the corresponding rule section to start the configuration. The Skill File Threat Detection rules are built-in and automatically enabled by the system, and cannot be configured.
Skill Usage Anomaly Detection: Monitors the agent skill invocation chain to identify abnormal invocation patterns and unauthorized skill usage.
Tool Call Anomaly Detection: Monitors agent tool invocation behaviors to identify high-risk tool calls and abnormal invocation patterns.
Skill File Threat Detection: Restores the SKILL.md file and detects whether the file content itself contains threats.
Skill Usage Anomaly Detection
Protected Asset: Select the target objects for which protection has been enabled on the Runtime Environment page.
Rule Name and Description: Enter an easy-to-identify name and description.
Alert Type: Blacklist and Allow List are supported. Only one type can be selected for the same Protected Asset.
Blacklist: If a selected skill is matched, a security event is triggered.
Allow List: If an unselected skill is matched, a security event is triggered.
Skill Name: Select from the skills associated with the asset. Multiple selections are supported.
Tool Call Anomaly Detection
Protected Asset: Select the target objects for which protection has been enabled on the Runtime Environment page.
Rule Name and Description: Enter an easy-to-identify name and description.
Alert Type: Blacklist and Allow List are supported. Only one type can be selected for the same Protected Asset.
Blacklist: If a selected tool is matched, a security event is triggered.
Allow List: If an unselected tool is matched, a security event is triggered.
Tool Name: Select from the tools associated with the asset. Multiple selections are supported.
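Skill Usage Anomaly Detection and Tool Call Anomaly Detection share the same Blacklist / Allow List semantics described in the two tables above, so one example serves both. The following Python is an added illustration, not Agent Firewall's own code: it applies rules of each kind to a constructed invocation log, raises a security event when a Blacklist rule's selected name is invoked or when an Allow List rule sees a name that was not selected, and rejects a rule set that assigns both alert types to the same asset and kind. The asset names, skill and tool names, and the "skill"/"tool" kind labels are assumptions of the example.

```python
"""Illustrative evaluator for Skill Usage and Tool Call Anomaly Detection
rules (added example, not Agent Firewall's own code). Blacklist: event when a
selected name is invoked. Allow List: event when an unselected name is
invoked. One asset carries only one alert type per rule kind."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    asset: str        # protected asset the rule is bound to
    kind: str         # "skill" or "tool" (labels assumed by this example)
    alert_type: str   # "blacklist" or "allowlist"
    names: frozenset  # selected skill or tool names


@dataclass(frozen=True)
class Invocation:
    asset: str
    kind: str
    name: str


def validate_rules(rules: list[Rule]) -> None:
    """Reject rule sets that mix alert types for the same asset and kind."""
    seen: dict[tuple[str, str], str] = {}
    for rule in rules:
        if rule.kind not in ("skill", "tool"):
            raise ValueError(f"unknown rule kind: {rule.kind}")
        if rule.alert_type not in ("blacklist", "allowlist"):
            raise ValueError(f"unknown alert type: {rule.alert_type}")
        key = (rule.asset, rule.kind)
        if seen.setdefault(key, rule.alert_type) != rule.alert_type:
            raise ValueError(f"conflicting alert types for {key}")


def is_valid(rules: list[Rule]) -> bool:
    """Boolean wrapper around validate_rules for callers that prefer no exception."""
    try:
        validate_rules(rules)
        return True
    except ValueError:
        return False


def evaluate(invocations: list[Invocation], rules: list[Rule]) -> list[dict]:
    """Return one security event per invocation that violates a rule."""
    validate_rules(rules)
    events = []
    for inv in invocations:
        for rule in rules:
            if rule.asset != inv.asset or rule.kind != inv.kind:
                continue  # a rule applies only to its own asset and kind
            selected = inv.name in rule.names
            if rule.alert_type == "blacklist" and selected:
                reason = "blacklisted name invoked"
            elif rule.alert_type == "allowlist" and not selected:
                reason = "name not on allow list"
            else:
                continue
            events.append({"asset": inv.asset, "kind": inv.kind,
                           "name": inv.name, "reason": reason})
    return events


# Constructed sample rules and invocation log (not real data).
RULES = [
    Rule("agent-prod-01", "skill", "blacklist", frozenset({"shell-exec"})),
    Rule("agent-prod-01", "tool", "allowlist", frozenset({"web_search", "read_file"})),
]
INVOCATIONS = [
    Invocation("agent-prod-01", "skill", "summarize"),   # not blacklisted -> no event
    Invocation("agent-prod-01", "skill", "shell-exec"),  # blacklisted -> event
    Invocation("agent-prod-01", "tool", "read_file"),    # on allow list -> no event
    Invocation("agent-prod-01", "tool", "send_email"),   # not on allow list -> event
    Invocation("agent-dev-02", "tool", "send_email"),    # no rule for this asset -> no event
]

if __name__ == "__main__":
    for event in evaluate(INVOCATIONS, RULES):
        print(event)
```

The last invocation shows why the Protected Asset field matters: a rule bound to agent-prod-01 says nothing about agent-dev-02, so an asset without its own rules produces no events even for names another asset blocks.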
View Data Leakage rules: After protection is enabled for an asset, the system automatically enables three types of rules: AccessKey/API Key Leak Detection, Personal Data Leak Detection, and Sensitive File Exfiltration Detection. You can click the type count in the corresponding rule section to view the specific data types supported for detection. These rules cannot be manually configured.
AccessKey/API Key Leak Detection: Detects Access Key and API Key leakage risks in agent communication traffic.
Personal Data Leak Detection: Detects risks of personally identifiable information (PII) exfiltration in agent traffic.
Sensitive File Exfiltration Detection: Detects whether an agent transmits sensitive file content through outbound channels.
What to do next
After a rule is created, the Total Hits or Hits in Last 24 Hours in the corresponding rule section displays the hit statistics for the rule.
To view detailed hit information, go to the Security events page.
Routine O&M
For the following five types of rules: Model Restrictions, Network Protection, Agent Outbound Control, Skill Usage Anomaly Detection, and Tool Call Anomaly Detection, after a rule is created, you can click Rules in the corresponding rule section to perform the following operations:
Change the enable status of a rule: Rules are enabled by default after creation. Click the toggle in the Status column of the target rule to disable it. After a rule is disabled, it no longer takes effect.
Edit a rule: Click Edit in the Operation column of the target rule to modify its configuration.
Delete a rule: Click Delete in the Operation column of the target rule to delete it.