Network Detection and Response
Last updated: 2025-07-30 15:32:09
Cloud Firewall Network Detection and Response (NDR) is a cloud-native network detection and response capability. It collects, stores, and analyzes all traffic in the network in real time to detect attacks and threats, restores files transferred over the network, and thereby strengthens overall network security.
Note:
Submit a ticket to apply for a trial of the Network Detection and Response (NDR) feature.

Use Cases

Full auditing of cloud traffic, network security monitoring, and advanced threat analysis against advanced persistent threats (APTs).

Technical Solution

Network traffic is inspected asynchronously through bypass mirroring, so business traffic is not affected. Agent-based collection on the server (terminal collection) is also supported for special scenarios.
Mode: Traffic mirroring mode
Description: An ENI (elastic network interface) mirrors the server's traffic to the firewall cluster for analysis. Business traffic is unaffected; the mirrored copy consumes the server's private network bandwidth.
Mode: Terminal collection mode
Description: A terminal probe installed on the server collects the traffic; this consumes server CPU and private network bandwidth.
Supported OS types: Tlinux, Ubuntu, CentOS (Linux kernel version 3.2 or later).
The automation assistant must be installed first. For details, see the automation assistant client installation guide.

Tutorial

1. Log in to the CFW console and click Network Detection and Response in the left navigation bar.
2. On the Network Detection and Response page, turn on the network detection and response analysis switch. For container clusters the switch is enabled per node; for CVMs it is enabled per asset.
Once the switch is on, CFW mirrors the server's inbound and outbound traffic and performs the following analysis:
All traffic passes through the intrusion prevention engine, which inspects it against the intrusion prevention rules and raises an alarm on a match.
All inbound and outbound server traffic is logged, including the packet header and payload. For unencrypted traffic the payload is parsed to reconstruct the protocol and application; at most 1000 bytes of each packet are recorded.

3. On the Network Detection and Response page, click Network Detection and Response Settings in the upper right corner. Three groups of settings are available: new asset flow parsing, network detection and response bandwidth, and network detection and response overage handling.
New asset flow parsing settings: whether traffic analysis is activated automatically for newly discovered assets. The behavior depends on the asset type and the Auto on the Parsing Switch option:
a. Asset type set to all new assets
Auto on the Parsing Switch enabled: traffic analysis is activated automatically for every newly detected asset, public network and non-public network alike.
Auto on the Parsing Switch disabled: no newly detected asset (public network or non-public network) is activated automatically.
b. Asset type set to new public network assets only
Auto on the Parsing Switch enabled: traffic analysis is activated automatically for newly detected public network assets only; non-public network assets are not activated.
Auto on the Parsing Switch disabled: no newly detected asset (public network or non-public network) is activated automatically.
Network detection and response bandwidth settings:
a. Total traffic = sum of the peak inbound and outbound traffic of each instance. Make sure the traffic analysis bandwidth or the elastic analysis bandwidth is larger than the total traffic.
b. Elastic protection: sets an elastic analysis bandwidth. Traffic below the elastic analysis bandwidth is analyzed; traffic above it is subject to overage handling.
Network detection and response overage handling: exceeding the analysis bandwidth never causes packet loss or slows customer business traffic; the only effect is that network detection and response is unavailable for the traffic that is not analyzed.
a. Throttling and recovery when the bandwidth specification is exceeded
Weight range: 0 - 100 (default 50). Larger values mean higher priority.
Throttling: when the real-time bandwidth exceeds the purchased specification, the system turns off analysis for assets starting from the lowest weight (assets with the same weight are turned off in descending order of peak bandwidth) until the real-time bandwidth is back within the purchased specification.
Recovery: once the real-time bandwidth is within the purchased specification, the system turns analysis back on starting from the highest weight (assets with the same weight are turned on in descending order of peak bandwidth), restoring network detection and response.
b. Self-protection and recovery for single-server bandwidth overload
Cooldown: 30 - 1440 minutes (default 60 minutes), configurable.
Self-protection: server bandwidth utilization is sampled every 30 s. When utilization exceeds 40% (the mirrored copy doubles the load, so total utilization would exceed 80%), the system disables network detection and response for that server.
Recovery: sampling continues every 30 s. When utilization has stayed at or below 40% for the last 2 minutes of the cooldown, the system automatically re-enables network detection and response for the server.
c. Weights can be edited in batch.
d. A banner is shown in the console when the bandwidth specification is exceeded. Overage alarms and overage handling also send notifications by in-site message, email, and SMS.
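The throttling order and the per-server self-protection rule from the overage handling settings above, as an added Python simulation that is not Tencent Cloud code. The Asset fields, the constructed sample fleet, the 600 Mbps specification, and two behavioral choices are assumptions: weight is treated as the asset's priority to keep analysis on (lowest weight throttled first, highest weight recovered first), recovery skips an asset whose traffic would push the real-time bandwidth back over the specification, and a sample above 40% while analysis is already off does not restart the cooldown.

```python
"""Simulation of Cloud Firewall NDR overage handling (added example, not
Tencent Cloud code). Assumed: the Asset fields, the sample fleet, the
recovery rule that skips an asset that would not fit within the spec, and
that an over-40% sample while analysis is already off does not restart the
cooldown."""
from dataclasses import dataclass

SAMPLE_INTERVAL_S = 30   # page: utilization is sampled every 30 s
UTIL_THRESHOLD = 0.40    # page: > 40% server utilization (> 80% with mirror copy)
CALM_WINDOW_S = 120      # page: <= 40% for the last 2 minutes of the cooldown


@dataclass
class Asset:
    name: str
    weight: int           # 0-100, larger = higher priority (page default 50)
    peak_mbps: float      # peak inbound + outbound traffic (tie-breaker)
    current_mbps: float   # real-time inbound + outbound traffic
    analysis_on: bool = True

    def __post_init__(self):
        if not 0 <= self.weight <= 100:
            raise ValueError(f"{self.name}: weight must be 0-100")


def total_traffic(assets):
    """Sizing rule: sum of each instance's inbound+outbound peak. The purchased
    (or elastic) analysis bandwidth must be larger than this."""
    return sum(a.peak_mbps for a in assets)


def realtime_bandwidth(assets):
    """Mirrored bandwidth right now; only assets with analysis on are mirrored."""
    return sum(a.current_mbps for a in assets if a.analysis_on)


def throttle(assets, spec_mbps):
    """Turn analysis off, lowest weight first (ties: largest peak first), until
    the real-time bandwidth is within the purchased spec. Returns the asset
    names in the order they were turned off."""
    disabled = []
    order = sorted((a for a in assets if a.analysis_on),
                   key=lambda a: (a.weight, -a.peak_mbps))
    for a in order:
        if realtime_bandwidth(assets) <= spec_mbps:
            break
        a.analysis_on = False
        disabled.append(a.name)
    return disabled


def recover(assets, spec_mbps):
    """Once within spec, turn analysis back on, highest weight first (ties:
    largest peak first). Assumption: an asset whose traffic would push the
    total back over the spec is skipped. Returns names turned on, in order."""
    enabled = []
    if realtime_bandwidth(assets) > spec_mbps:
        return enabled
    order = sorted((a for a in assets if not a.analysis_on),
                   key=lambda a: (-a.weight, -a.peak_mbps))
    for a in order:
        if realtime_bandwidth(assets) + a.current_mbps <= spec_mbps:
            a.analysis_on = True
            enabled.append(a.name)
    return enabled


def run_self_protection(utilizations, cooldown_min=60):
    """Single-server self-protection. Feed one utilization sample (0.0-1.0)
    per 30 s tick. Returns [(seconds, 'disabled' | 'enabled'), ...]."""
    if not 30 <= cooldown_min <= 1440:
        raise ValueError("cooldown must be 30-1440 minutes")
    cooldown_s = cooldown_min * 60
    window = CALM_WINDOW_S // SAMPLE_INTERVAL_S   # 4 samples = 2 minutes
    analysis_on, off_since, recent, events = True, None, [], []
    for tick, util in enumerate(utilizations, start=1):
        now = tick * SAMPLE_INTERVAL_S
        recent = (recent + [util])[-window:]
        if analysis_on and util > UTIL_THRESHOLD:
            analysis_on, off_since = False, now
            events.append((now, "disabled"))
        elif not analysis_on:
            cooled = now - off_since >= cooldown_s
            calm = len(recent) == window and all(u <= UTIL_THRESHOLD for u in recent)
            if cooled and calm:
                analysis_on, off_since = True, None
                events.append((now, "enabled"))
    return events


def sample_fleet():
    """Constructed fleet for the demo (not real data)."""
    return [
        Asset("web-1", weight=80, peak_mbps=400, current_mbps=300),
        Asset("web-2", weight=80, peak_mbps=200, current_mbps=150),
        Asset("db-1", weight=50, peak_mbps=300, current_mbps=250),
        Asset("batch-1", weight=20, peak_mbps=500, current_mbps=450),
        Asset("batch-2", weight=20, peak_mbps=100, current_mbps=80),
    ]


if __name__ == "__main__":
    fleet, spec = sample_fleet(), 600
    print("total traffic (peaks):", total_traffic(fleet), "vs spec", spec)
    print("throttled:", throttle(fleet, spec), "->", realtime_bandwidth(fleet), "Mbps")
    for a in fleet:   # traffic drops off later; recovery re-enables what fits
        a.current_mbps = {"web-1": 100, "web-2": 50}.get(a.name, a.current_mbps)
    print("recovered:", recover(fleet, spec))
    print("self-protection:", run_self_protection([0.2, 0.3, 0.5] + [0.2] * 60, 30))
```

With a 600 Mbps specification the fleet's peak total (1500 Mbps) already violates the sizing rule, so throttling removes the two weight-20 batch servers (largest peak first) and then db-1 before the real-time bandwidth fits; the web servers, weight 80, are never touched. In the self-protection run a single 50% sample at t=90 s disables analysis, and with a 30-minute cooldown the server is re-enabled at t=1890 s because the last four samples were all at or below 40%.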

4. On the Alarm Center page, view the threat alarms generated by network detection and response. Eight alarm types are analyzed, including lateral movement and active outbound connections, and the result of each attack is determined.
(Screenshot: new version Alarm Center)
(Screenshot: legacy Alarm Center)
5. On the Log Audit > Network Detection and Response Log page, view the traffic analysis logs, traffic alarm logs, list of detected files, and other records produced by network detection and response.
