All Products
Search
Document Center

Cloud Firewall:Data leak

Last Updated:Jun 21, 2026

When your cloud assets make outbound connections, there is a risk of sensitive data leaks. The sensitive data leak detection feature in Cloud Firewall helps you promptly identify and record such leaks, including the risky payloads, to prevent business losses. This topic describes how to use the sensitive data leak detection feature.

Supported editions and billing

Note

This feature does not affect Cloud Firewall's performance in protecting your business traffic.

Cloud Firewall detects sensitive data in outbound traffic. After you enable this feature on the buy page, you receive a default monthly free quota for traffic detection. The quotas are 100 GB for the Premium Edition, 300 GB for the Enterprise Edition, 500 GB for the Ultimate Edition, and 100 GB for the Cloud Firewall (pay-as-you-go) edition. Traffic exceeding the free quota is charged at USD 0.02/GB (postpaid), and the bill is generated the next day. You can use a pay-as-you-go savings plan (prepaid) to offset the charges. You can add assets for monitoring on the console.

For detailed instructions, see Enable sensitive data leak detection.

Billing method

Edition

Monthly free quota

Overage charge (postpaid)

Pay-as-you-go savings plan

subscription

Premium Edition

100 GB

USD 0.02/GB

  • Prepayment of USD 10 to USD 99: 5% discount.

  • Prepayment of USD 100 to USD 999: 9% discount.

  • Prepayment of USD 1,000 to USD 10,000: 14% discount.

Enterprise Edition

300 GB

Ultimate Edition

500 GB

pay-as-you-go

Cloud Firewall (pay-as-you-go)

100 GB

USD 0.02/GB

Supported sensitive data types

Cloud Firewall can detect the following types of sensitive data in outbound traffic from your public IP addresses:

  • AccessKey ID

  • Passport number (Chinese mainland)

  • Debit card number

  • ID card number (Hong Kong, China)

  • Number of Exit-Entry Permit for Travelling to and from Hong Kong and Macao

  • ID card number (Chinese mainland)

  • Military ID number

  • Private key

On the IPS configuration page, in the data leak section, you can view the data types that Cloud Firewall can identify. You can enable or disable detection for specific data types based on your business needs. Cloud Firewall does not automatically block traffic that contains detected sensitive data. To block this traffic, you can configure an access control policy in Cloud Firewall.

Prerequisites

The Internet firewall must be enabled. For more information, see Enable the Internet firewall.

Enable sensitive data leak detection

Subscription

For new users

When you purchase a Cloud Firewall subscription, select Yes for the Sensitive Data Leak Detection option on the buy page.

For existing users

You can enable the feature from either of the following pages:

  • Upgrade page

    Overview > Upgrade

    Select Yes for the Sensitive Data Leak Detection option.

  • Feature page

    Data Loss Prevention > Enable Now

    Select Yes for the Sensitive Data Leak Detection option.

    In the left-side navigation pane, choose Data Detection and Response > Data Leak.

Pay-as-you-go

For pay-as-you-go editions, go to the Data Loss Prevention page and click Enable Now > OK.

Configure data leak detection for cloud assets

You must enable data leak detection for each asset that you want to monitor. Cloud Firewall then inspects the outbound traffic from these assets to the Internet to identify potential sensitive data leaks.

This feature inspects traffic over plaintext protocols such as HTTP. Encrypted traffic, such as HTTPS, is not supported.

  1. Log on to the Cloud Firewall console. In the left-side navigation pane, choose Detection & Response > Data Loss Prevention.

  2. In the upper-right corner of the Data Loss Prevention page, click Asset Configuration.

  3. Find the target public IP address and click Enable Data Leak Detection in the Actions column.

  4. In the Asset Configuration panel, click Daily Limit on Detected Traffic in the upper-right corner to set a daily processing limit.

    Note
    • The limit you set must be within the specified range and cannot be lower than the traffic already processed on the current day.

    • To determine an appropriate limit, refer to your outbound request traffic. You can view the outbound request traffic for the last 7 days on the Asset Configuration panel.

View or configure detection types

Protection configuration page

You can go to the data leak protection configuration page in either of the following ways:

  • In the left-side navigation pane, choose Data Loss Prevention and click Prevention Configuration in the upper-right corner of the page.

  • In the left-side navigation pane, choose IPS Configuration and find the Data Loss Prevention card on the page.

View and manage detection types

After you navigate to the data leak protection configuration page, you can view the supported sensitive data types and their current status.

To stop detecting a specific type of data, click Disable in the corresponding Actions column.

View data leak statistics

The sensitive data statistics area shows the data leak status of your assets for the selected time range.

The data type distribution area shows the breakdown of leaks by type for the selected time range. This helps you audit asset behavior and prevent business losses.

The sensitive data statistics area displays key metrics, including the number of sensitive data leak events, the number of assets with detected data leaks, and the total detected outbound traffic. The page also includes a Distribution of Leaking Assets and Destination IPs section, which ranks the top five of each. The event list at the bottom provides details for each incident and can be filtered by criteria such as risk level, sensitivity level, data type, area, and source IP. Each entry shows the event time, event name, sensitive data type, data volume, risk level, source and destination IPs, traffic size, and protection status.

View data leak details

The data displayed corresponds to the time range you select. Click View Details to open the Data Leak Details panel, where you can find leak information, the risky payload, a list of sensitive data, and event details. The panel also provides an intelligence profile for the destination IP address or domain name to help you assess whether the destination is safe.

Based on the leak event, Cloud Firewall provides recommended actions, such as configuring an ACL policy to prevent the leak from recurring. You can evaluate your business needs and take steps to reduce the risk of data leaks.

View billing information

Bill Management page

You can go to the Bill Management page to view the traffic consumed by sensitive data leak detection:

  • In the left-side navigation pane, choose Settings > Bill Management, and then select the Sensitive Data Leak Detection tab.

View traffic and bills

On the Sensitive Data Leak Detection tab of the Bill Management page, you can view the billed traffic for this feature.

Important

Sensitive data leak detection is billed daily. Data on the Bill Management page is updated the following day (T+1). Fees for the previous day are calculated and settled around 18:00 every day. If you disable the feature, the bill for the current day is generated around 18:00 on the following day.

In the upper-right corner of the list, click View Offset Details or View Bill Details to go to the Expenses and Costs console. There, you can view the deduction details for your pay-as-you-go savings plan or the details of your generated bills.