The Security Operation Agent leverages large language models to analyze your business traffic logs from the past seven days. It automatically identifies access patterns, including source and destination IP addresses, protocols, and ports, to generate precise recommendations for your access control policies (ACLs). This feature helps you simplify ACL configuration, improve policy efficiency and accuracy, and reduce security risks associated with redundant rules, incorrect priority settings, or overly permissive access.
The Security Operation Agent is currently in public preview and is available free of charge for a limited time. The final version of the feature may differ from the preview. If you have any questions or suggestions, please contact us through your account manager.
Benefits
Intelligent policy recommendations
Analyzes historical traffic logs to automatically generate highly relevant policy recommendations tailored to your business needs.
Visual decision support
Provides visualizations of high-frequency traffic and policy hit counts to help you intuitively understand traffic patterns and make informed policy decisions.
Continuous adaptive optimization
Continuously learns from traffic changes and suggests policy optimizations based on the latest logs. This ensures your security policies remain aligned with your evolving business needs.
Secure and controllable optimization
All recommendations are for reference only. They are not automatically applied and do not modify your existing access control policies. This ensures business stability and operational safety.
Applicability
The Security Operation Agent can generate access control policies for the Internet border firewall and the NAT border firewall.
Policy generation is based on an analysis of your business traffic logs. To ensure the accuracy of recommendations, you must enable the Log Analysis feature and have at least seven days of historical traffic data.
Enable the Security Operation Agent
Log on to the Cloud Firewall console.
In the left-side navigation pane, choose .
Click Enable Now, and then click OK in the dialog box that appears. After you enable the feature, the system automatically turns on the Log Delivery Switch for the Internet border firewall and NAT border firewall and starts collecting and analyzing historical traffic data.
Note: If the Log Analysis feature is not enabled, click Enable Log Analysis first, and then make sure that Log Delivery is on.
Disabling the Log Analysis feature also automatically disables the Security Operation Agent.
View and apply generated policies
After you enable the Security Operation Agent, you can view the policies it generates.
View policies for the Internet border firewall: On the SecOps Agent page, go to the Policies Generated for Internet Border tab. Click Outbound or Inbound to view the list of generated policies.
View policies for the NAT border firewall: On the SecOps Agent page, go to the Policies Generated for NAT Border tab. By default, the list shows policies generated for All NAT Instances. You can also filter by a specific NAT border firewall instance to view its policies.
Each generated policy includes the following information: Source Address, Destination Address, Port, Protocol, Hits, Priority, Validity, and Agent Generation Reason. You can perform the following actions on these policies:
To apply a policy directly: Click Apply Policy, and then click OK in the dialog box that appears. After the policy is applied, you can view it in the policy list under Prevention Configuration > Access Control > Policy Configuration > Internet Border/NAT Border.
To modify a policy before applying it: Click Custom Application Policy to modify its content. For more information about the configurable items, see Configure an access control policy for the Internet border firewall and Configure an access control policy for a NAT border firewall. After you make the changes, click OK to apply the policy.
To delete an unnecessary policy: Click Delete Policy to remove a single policy. To delete multiple policies, select their checkboxes and click Batch Delete at the bottom of the page. Deleted policies are removed from the list.
Address book creation rules:
When you apply a policy directly, the system automatically creates an address book if the policy contains multiple source addresses, destination addresses, or ports.
When you customize a policy, you must manually specify a name and description to create an address book if the policy contains multiple source addresses, destination addresses, or ports.
Policy configuration rules: By default, generated policies have their Priority set to Highest and do not include policies with an Action of Deny. If this does not meet your business requirements, you must manually adjust the policy content.
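The following is an added illustration, not Cloud Firewall's own code, of how aggregated traffic logs become Allow-only, Highest-priority recommendations with address-book grouping, following the rules described above. The log line format, the min_hits threshold, and the function names are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample traffic-log lines in a hypothetical "src_ip dst_ip proto port"
# format (not Cloud Firewall's real log schema).
SAMPLE_LOGS = """\
10.0.1.5 203.0.113.10 TCP 443
10.0.1.6 203.0.113.10 TCP 443
10.0.1.5 203.0.113.10 TCP 443
10.0.2.9 203.0.113.20 UDP 53
10.0.1.6 203.0.113.10 TCP 443
"""


def parse_logs(text):
    """Parse the constructed log format into (src, dst, proto, port) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, port = line.split()
        records.append((src, dst, proto.upper(), int(port)))
    return records


def recommend_policies(records, min_hits=2):
    """Group flows by destination, protocol and port and propose one Allow
    policy per group. Groups below min_hits (an assumed threshold) are skipped
    and left for human review rather than turned into a rule."""
    flows = defaultdict(lambda: defaultdict(int))  # (dst, proto, port) -> src -> hits
    for src, dst, proto, port in records:
        flows[(dst, proto, port)][src] += 1
    policies = []
    for (dst, proto, port), srcs in sorted(flows.items()):
        hits = sum(srcs.values())
        if hits < min_hits:
            continue
        sources = sorted(srcs)
        policies.append({
            "source": sources,
            "destination": [dst],
            "protocol": proto,
            "port": port,
            "action": "Allow",          # generated policies never carry Deny
            "priority": "Highest",      # default priority of generated policies
            "hits": hits,
            # multiple sources, destinations or ports require an address book
            "needs_address_book": len(sources) > 1,
            "reason": f"{hits} hits from {len(sources)} source(s) in the analyzed window",
        })
    return policies
```

Running recommend_policies(parse_logs(SAMPLE_LOGS)) yields a single TCP/443 Allow policy covering both sources, flagged as needing an address book, while the lone DNS flow stays below the threshold.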
Operations
The top of the SecOps Agent page displays the following information:
Number of policies generated by the Agent: The Agent-Generated Policies area displays the Total Policies, Internet Firewall Policies, and NAT Firewall Policies.
Number of applied policies: In the Agent-Generated Policies section, the Applied Policies area displays the number of applied policies. You can click View Deployment Records to view application details. Directly applied policies are labeled Apply Policies. Policies modified before application are labeled User Modified.
Policy update status: The Agent automatically updates policies every seven days. This update frequency cannot be customized. The Policy Update Status area shows the time of the last update and the estimated time of the next update.