Cloud Firewall integrates with Simple Log Service (SLS) to collect, query, analyze, transform, and consume traffic logs from your protected assets in real time. Use this feature to monitor network activity, respond to security incidents, and meet classified protection compliance requirements. Agentic NDR, a value-added service of Cloud Firewall, shares the same log storage.
Use cases
| Scenario | What you can do |
|---|---|
| Compliance auditing | Store access logs for more than six months to meet classified protection compliance requirements and pass audits. |
| Security analytics and emergency response | Identify threat sources, analyze attack patterns, and take action to prevent future incidents. |
| Data center integration | Export logs to your own data processing centers for centralized log management. |
| Performance monitoring | Monitor network performance in real time, detect issues, and optimize the user access experience. |
Billing
Starting October 15, 2025, Cloud Firewall billing is updated to Billing 2.0. New users are on Billing 2.0 by default. Existing users can continue with Billing 1.0 and upgrade at any time. For details on pricing changes and how to upgrade, see Billing 1.0 and upgrade instructions.
Log analysis is billed based on log storage duration and capacity. Your total cost depends primarily on which storage capacity you select and how long you retain logs.
Billing 2.0
Pay-as-you-go
You are billed based on your selected storage capacity (1 TB–500 TB) at USD 0.3 per TB per hour. Cloud Firewall handles billing directly.
Subscription
Log analysis is not included in the base price of any Cloud Firewall edition — purchase it separately in 1 TB increments.
| Edition | Available storage range |
|---|---|
| Premium Edition | 2 TB–500 TB |
| Enterprise Edition | 4 TB–500 TB |
| Ultimate Edition | 6 TB–500 TB |
Logstore provisioning
After you enable log analysis, Cloud Firewall automatically creates:
A dedicated Project named
cloudfirewall-project-<Alibaba Cloud account ID>-<region id>A dedicated Logstore named
cloudfirewall-logstore
Both Cloud Firewall and Agentic NDR write logs to these resources. You can sign in to the Simple Log Service console to view the dedicated Project and Logstore for Agentic NDR. Do not delete the Project or Logstore — deleted log data is permanently lost and cannot be recovered. If you accidentally delete them, re-enable log analysis to create new resources.
Billing 1.0 (legacy)
Pay-as-you-go
Simple Log Service handles billing.
Subscription
Log analysis is billed based on log storage duration and capacity. For details, see Storage capacity for log analysis.
After Agentic NDR pushes logs to Simple Log Service, the dedicated Logstore itself incurs no extra charges. However, operations you perform in the Simple Log Service console may incur additional fees:
| Billing method | Charges |
|---|---|
| Pay-by-feature | Data transformation, data shipping, and streaming reads from public endpoints. See Billable items for the pay-by-feature billing method. |
| Pay-by-data-volume | Reading data from public endpoints only (standard SLS rates). Data transformation and data shipping are free. See Billable items for the pay-by-data-volume billing method. |
Logstore provisioning
After you enable log analysis, Cloud Firewall automatically creates a dedicated Project and Logstore based on your billing type:
| Billing type | Project name | Logstore name |
|---|---|---|
| Subscription | cloudfirewall-project-<Alibaba Cloud account ID>-<region id> | cloudfirewall-logstore |
| Pay-as-you-go | cloudfirewallnew-project-<Alibaba Cloud account ID>-<region id> | cloudfirewall-logstore |
You can sign in to the Simple Log Service console to view the dedicated Project and Logstore for Agentic NDR. Do not delete the Project or Logstore — deleted log data is permanently lost and cannot be recovered. If you accidentally delete them, re-enable log analysis to create new resources.
Limitations
The dedicated Logstore has the following limitations:
| Limitation | Detail |
|---|---|
| Write access | Only Cloud Firewall and Agentic NDR can write to the Logstore. Querying, statistics, alerting, and consumption have no restrictions. |
| Retention period | Modify the data retention period in the Cloud Firewall console only, not in the Simple Log Service console. |
| SLS account status | Log analysis is suspended if your Simple Log Service account has overdue payments. |
| Storage capacity | If the Logstore is full, Cloud Firewall stops writing new logs. Make sure you have enough storage allocated. |
Log storage usage shown in the Cloud Firewall console may lag behind actual usage by up to two hours.