Network Detection and Response Switch

Last updated: 2026-05-13 11:22:25

Overview

NDR mirrors the inbound and outbound network traffic of your servers, performs real-time detection, analysis, and alerting through the Intrusion Defense engine, and records complete traffic logs (packet headers and payloads). It supports three asset types: CVM instances, container clusters, and public network traffic (GAAP), and can be enabled per asset or per node. Before enabling, the system automatically verifies prerequisites such as region, instance, network, quota, and Agent status to confirm that the environment is ready. Encrypted traffic detection can also be enabled to perform deep analysis of encrypted traffic such as HTTPS.
This document describes how to configure the NDR switch, view asset runtime status and performance monitoring, and manage configurations for basic settings, storage settings, file detection, risk policies, notifications, and log parsing.
Note:
Go to the CFW purchase page to purchase the Network Detection and Response feature.
To try it out first, submit a ticket to apply for a trial of the Network Detection and Response feature.

Enabling NDR

Log in to the CFW console and click Network Detection and Response in the left sidebar.
Note:
This section uses CVM assets as an example; the operations for other asset types are similar.
To enable NDR for the public network traffic of GAAP assets, first turn on the corresponding CFW firewall toggle for the asset. Click Enable to jump to the CFW console and complete that configuration.

Pre-checks

Before NDR traffic parsing is enabled, the system automatically fetches and verifies the status of the account, region, instance, network, quota, bandwidth, Agent, and container permissions, and assigns each asset one of three statuses based on the results:
Ready to Enable: all checks passed; NDR can be enabled normally.
Ready to Enable (with risk): there are risks (for example, insufficient bandwidth margin), but NDR can still be enabled. The system displays the risk information.
Cannot Enable: there are blocking issues (for example, unsupported region, incompatible OS, or insufficient quota). Resolve every issue following the guidance before enabling.
The checks cover the dimensions below. If a pre-check fails, the asset's NDR toggle status is shown as Cannot Enable or Ready to Enable (with risk). The specific causes and solutions are listed under Asset Status Description.
| Check Dimension | Check Method | Check Content |
| --- | --- | --- |
| Region and product availability | Pre-check | Whether the region supports the traffic analysis service. |
| Resource existence and basic information | Pre-check / triggered check | The instance has a valid subnet ID and no conflicting traffic mirroring binding. |
| Instance and OS compatibility | Pre-check | Whether the instance type supports mirroring mode and the operating system is on the supported list. |
| Network and bandwidth health | Triggered check | The instance's real-time bandwidth against the threshold, and the account's purchased bandwidth limit. |
| Quotas and resource limits | Pre-check | The upper limit on the number of enabled instances. |
| Container scenarios and permissions | Pre-check | Access permission for the container cluster KubeConfig; DaemonSet status and Pod health. |
| Account and allowlist | Pre-check | Whether the account is on the VPC traffic mirroring allowlist. |
| Instance TAT / Agent status | Pre-check | Whether TAT has been installed. |
Note:
Pre-check: the system automatically checks every 5 minutes whether each asset meets the enabling conditions.
Triggered check: the system runs the checks when you select an asset and turn on the NDR toggle or the encrypted traffic detection toggle, and updates the pre-check status synchronously once they complete.

Enabling NDR for a Single Asset

On the NDR > CVM page, click Enable NDR in the Operation column. CFW then mirrors the server's inbound and outbound traffic for deep analysis. All traffic passes through the Intrusion Defense engine, which detects it against Intrusion Defense rules and generates alarms. At the same time, the system records all traffic logs for the server, including packet headers and payloads. For unencrypted traffic, the system also performs protocol and application-layer reconstruction of the payload, recording at most 1000 bytes per packet.
For assets with NDR enabled, you can additionally enable encrypted traffic detection to analyze and detect encrypted traffic. For details, see Encrypted Traffic Detection.
Note:
To stop NDR for an asset, turn off the corresponding toggle in the Operation column.


Enabling or Disabling NDR in Batches

On the NDR > CVM page, click Enable all or Disable all to enable or disable NDR for all CVM assets.
Note:
When you enable all, the system runs the pre-check on each asset. Assets whose pre-check status is Cannot Enable are skipped, and the system reports the reason for skipping each one.

To enable or disable NDR for only some CVM assets:
1. Select the CVM assets to configure.
Note:
Only CVM assets whose NDR toggle status is Ready to Enable or Ready to Enable (with risk) can be selected; assets in other statuses cannot. For the meaning of each status, see Asset Status Description.
2. Click Batch enable or Batch disable.

To have NDR or encrypted traffic detection enabled automatically for newly discovered assets, see Basic Settings.

Asset Status Description

On the NDR page, the NDR Toggle Status column shows the real-time operational status of each asset, combining the pre-check result and the runtime condition:

| Status Column | Possible Values | Description |
| --- | --- | --- |
| NDR toggle status | Enabled, Disabled, Ready to Enable (with risk), Cannot Enable, Enable failed, Enabling, Disabling | Shows whether NDR traffic collection is enabled and any abnormal condition. |

When the status is abnormal (for example, enabling failed, the asset cannot be enabled, or the endpoint Agent is abnormal), the page shows a red warning icon and the exception details, meaning detection is currently unavailable. Hover over the status to see the specific cause and the recommended action. The exception information and actions are:

| Failure Reason | Solution |
| --- | --- |
| The current region does not support the traffic analysis service. | The traffic analysis service is not deployed in this region. Submit a ticket to confirm regional support and assess deployment feasibility. |
| The subnet ID of the asset instance does not exist. | The subnet ID is invalid or has been deleted. Go to VPC Firewall to verify the subnet information, click Synchronize Assets, and retry. |
| The IP address format of the asset instance is invalid. | The instance's IP address does not conform to the expected format. Go to VPC Firewall, click Synchronize Assets, and retry. |
| The current operating system type is not supported. | Check the technical solution documentation to confirm compatibility. |
| Endpoint TAT not detected. | The instance does not have TAT installed. See the TAT Deployment Guide and retry after installation. |
| Network bandwidth has reached the upper limit. | Real-time bandwidth has reached the purchased limit. (1) Turn off non-essential traffic analysis toggles. (2) Go to the Renewal Center to upgrade the full-traffic detection specification, or wait for traffic to drop and retry. |
| The number of enabled asset instances has reached the upper limit. | Submit a ticket to request an increase of the asset instance enablement limit. |
| Single-machine bandwidth overload. | The server's real-time bandwidth utilization exceeds 40%. Because mirroring sends a copy of every packet, the server's own traffic plus the mirrored copy then exceeds 80% of its total bandwidth, so the system has automatically suspended traffic analysis for it. (1) Wait 10 minutes and retry. (2) Go to CVM to upgrade the instance specification. |
| The current instance type does not support traffic mirroring mode. | Submit a ticket to request adaptation for this instance model. |
| The traffic mirroring feature is not enabled. | The current account has not been added to the allowlist for the VPC traffic mirroring service. Submit a ticket to apply, specifying the VPC ID and region. |
| Associated traffic mirroring resources already exist. | An existing traffic mirroring instance was detected. Go to Mirror Traffic, delete the capture ENI, and retry. |
| The number of traffic mirrors exceeds the quota limit. | By default a single VPC supports 5 traffic mirroring instances. To scale out, submit a ticket to request a quota adjustment, providing the VPC ID and the required quantity. |
| The server is temporarily unavailable. Please try again later. | Wait 5 minutes and retry. If the issue persists, submit a ticket to contact technical support. |
| Endpoint Agent loading exception. | A loading error occurred during Agent deployment. Retry later; if it persists, submit a ticket to contact technical support. |
| Endpoint Agent abnormal. | (1) The Agent's network connectivity may be broken; check that security groups allow its access. (2) The Agent process may be abnormal; check the operating system status. (3) If nothing abnormal is found, submit a ticket to contact technical support. |

Performance Monitoring

On the NDR page, click the monitoring icon for an asset. The side panel then shows the machine resource usage of that asset with the following metrics:

| Monitoring Metric | Description | Alarm Threshold |
| --- | --- | --- |
| Bandwidth | Real-time bandwidth usage of the asset. | A red limit line is shown when the value exceeds 40%. |
| CPU usage | CPU utilization of the asset. | - |
| Memory usage | Memory usage of the asset. | - |
| Agent CPU usage | CPU utilization of the NDR Agent (shown when encrypted traffic detection is enabled). | A red limit line is shown when the value exceeds 50%. |
| Agent memory usage | Memory usage of the NDR Agent (shown when encrypted traffic detection is enabled). | A red limit line is shown when usage exceeds 600 MB. |

Note:
When a monitoring metric exceeds its limit threshold, the system displays a corresponding risk alert in the monitoring chart. This helps promptly identify and address potential resource bottleneck issues.

Network Detection and Response Settings

Basic Settings

1. On the NDR page, click NDR Settings in the upper-right corner, then select Basic Settings.
2. Configure New Asset Traffic Analysis Settings, NDR Bandwidth Settings, and NDR Overage Handling here.
New Asset Traffic Analysis Settings: sets whether newly discovered assets automatically get Auto on all traffic detect and respond and Automatically enable encrypted traffic analysis.
When the asset type is set to All New Assets:
Auto on all traffic detect and respond set to Enable: traffic analysis is enabled automatically when new public or non-public CVMs, containers, and public network traffic assets are discovered. Set to Disable: it is not enabled automatically for any new asset.
Automatically enable encrypted traffic analysis set to Enable: encrypted traffic analysis is enabled automatically for the same new assets. Set to Disable: it is not enabled automatically for any new asset.
When the asset type is set to Only New Public Network Assets:
Auto on all traffic detect and respond set to Enable: traffic analysis is enabled automatically only for new public network CVM assets and public network traffic assets, not for non-public assets. Set to Disable: it is not enabled automatically for any new asset.
Automatically enable encrypted traffic analysis set to Enable: encrypted traffic analysis is enabled automatically only for new public network CVM assets and public network traffic assets, not for non-public assets. Set to Disable: it is not enabled automatically for any new asset.
Encrypted traffic detection runs the NDR Agent on the instance itself, so enabling it automatically for every new asset also commits part of that asset's CPU and memory to the Agent (the Agent CPU usage and Agent memory usage metrics show this, with limit lines at 50% CPU and 600 MB of memory).
Network Detection and Response Bandwidth Settings: total traffic is the sum of the peak inbound and outbound traffic of all instances. Make sure the traffic analysis bandwidth or the elastic analysis bandwidth exceeds the total traffic.
Elastic Protection: lets you configure an elastic analysis bandwidth. Traffic below the elastic analysis bandwidth is analyzed; when traffic exceeds it, overage handling is triggered. For billing and overage handling, see Bandwidth. Click Edit to adjust the value and Confirm Adjustment to save it.

Network Detection and Response overage handling: exceeding the traffic analysis bandwidth does not cause packet loss or affect the traffic rate of your services, but the Network Detection and Response feature is turned off for instances until the traffic is back within the specification (see the throttling mechanism below).
Bandwidth specification overage: throttling and recovery mechanism
Weight range: 0 to 100 (default 50); larger values mean a higher priority, and a higher weight is acted on first by both the throttling and the recovery mechanism.
Throttling mechanism: when real-time bandwidth exceeds the purchased specification, the system automatically turns off traffic parsing for the highest-weight instances first (equal weights are handled in descending order of peak bandwidth) until real-time bandwidth is back within the purchased specification.
Recovery mechanism: when real-time bandwidth is at or below the purchased specification, the system turns parsing back on for the highest-weight instances first (equal weights again in descending order of peak bandwidth), re-enabling Network Detection and Response automatically.
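As an added illustration (not Tencent Cloud code), the simulation below replays the throttling and recovery order just described on a constructed fleet. The instance names, peak values, purchased specification and function names are assumptions; the order in which instances are turned off and back on follows the page's text literally (highest weight first, ties broken by descending peak bandwidth). Re-enabling one instance at a time only while the total still fits the specification is also an assumption, since the page states only the order.

```python
# Added example (not Tencent Cloud code): weight-based throttling and recovery
# of NDR traffic parsing when the purchased bandwidth specification is exceeded.
from dataclasses import dataclass


@dataclass
class Instance:
    name: str
    weight: int        # 0..100, default 50; the page: larger = higher priority
    peak_mbps: float   # peak inbound + outbound bandwidth of this instance
    parsing: bool = True


def action_order(instances):
    """Highest weight first; equal weights break ties by descending peak bandwidth."""
    return sorted(instances, key=lambda i: (i.weight, i.peak_mbps), reverse=True)


def analysed_mbps(instances):
    """Traffic currently being parsed (the page's total traffic over enabled instances)."""
    return sum(i.peak_mbps for i in instances if i.parsing)


def throttle(instances, spec_mbps):
    """Turn parsing off, one instance at a time in action order, until within spec.
    Returns the names turned off, in the order they were turned off."""
    disabled = []
    for inst in action_order(instances):
        if analysed_mbps(instances) <= spec_mbps:
            break
        if inst.parsing:
            inst.parsing = False
            disabled.append(inst.name)
    return disabled


def recover(instances, spec_mbps):
    """Turn parsing back on in action order while the result stays within spec.
    Assumption: recovery is greedy per instance; the page only states the order."""
    enabled = []
    if analysed_mbps(instances) > spec_mbps:
        return enabled                    # still over spec: nothing to recover yet
    for inst in action_order(instances):
        if not inst.parsing and analysed_mbps(instances) + inst.peak_mbps <= spec_mbps:
            inst.parsing = True
            enabled.append(inst.name)
    return enabled


def sample_fleet():
    # Constructed fleet: db-1 and batch-1 share the default weight of 50.
    return [
        Instance("web-1", weight=80, peak_mbps=300),
        Instance("db-1", weight=50, peak_mbps=500),
        Instance("batch-1", weight=50, peak_mbps=200),
        Instance("dev-1", weight=10, peak_mbps=100),
    ]


if __name__ == "__main__":
    fleet = sample_fleet()
    print("turned off:", throttle(fleet, spec_mbps=600))   # ['web-1', 'db-1']
    print("turned on: ", recover(fleet, spec_mbps=900))    # ['web-1']
```

Run with a fleet whose total (1100 Mbps) exceeds a 600 Mbps specification, the highest-weight instance goes first; the two instances sharing weight 50 are ordered by peak bandwidth. That is worth knowing before assigning weights: with this ordering, the asset you weight highest is the first to lose detection under overage.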
Single-machine bandwidth overload: self-protection and recovery mechanism
Cooldown: 24 hours by default; configurable from 10 minutes up to 7 days.
Self-protection mechanism: every 30 s, the system samples the server's bandwidth utilization. When utilization exceeds 40% (since mirroring sends a copy of every packet, the server's own traffic plus the mirrored copy then exceeds 80% of its total bandwidth), the system turns Network Detection and Response off for that server.
Recovery mechanism: every 30 s, the system samples the server's bandwidth utilization. When utilization stays at or below 40% throughout the last 2 minutes of the cooldown, the system turns Network Detection and Response back on automatically.
Weights can be edited in batches.
When the bandwidth specification is exceeded, a banner alert is shown in the console, and notifications for both overage alarms and overage actions are sent according to the Notification Setting.
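The self-protection loop above is a small state machine with a cooldown, and it is easiest to see its behaviour by replaying samples through it. The following is an added example, not Tencent Cloud code: the utilization samples are constructed, the class and function names are assumptions, and one rule is filled in that the page leaves open: if the last 2 minutes of the cooldown are not clean when it ends, the guard keeps sampling every 30 s until a clean 2 minute window has passed.

```python
# Added example (not Tencent Cloud code): single-machine overload self-protection
# and recovery, replayed on constructed 30 s utilization samples.
from collections import deque

THRESHOLD = 0.40               # server's own bandwidth share that trips self-protection
INTERVAL_S = 30                # the page: utilization is sampled every 30 s
CLEAN_WINDOW_S = 120           # the page: the last 2 minutes of the cooldown must be <= threshold
MIN_COOLDOWN_S = 10 * 60
MAX_COOLDOWN_S = 7 * 24 * 3600
DEFAULT_COOLDOWN_S = 24 * 3600


def total_link_share(utilization):
    """Mirroring sends a copy of every packet, so the link carries twice the
    server's own share: 40% own traffic means 80% of the link is in use."""
    return 2 * utilization


def cooldown_is_valid(cooldown_s):
    return MIN_COOLDOWN_S <= cooldown_s <= MAX_COOLDOWN_S


class OverloadGuard:
    def __init__(self, cooldown_s=DEFAULT_COOLDOWN_S):
        if not cooldown_is_valid(cooldown_s):
            raise ValueError("cooldown must be between 10 minutes and 7 days")
        self.cooldown_s = cooldown_s
        self.ndr_enabled = True
        self.disabled_at = None
        # Samples covering the clean window: 120 s / 30 s = 4 samples.
        self.recent = deque(maxlen=CLEAN_WINDOW_S // INTERVAL_S)
        self.events = []

    def sample(self, t, utilization):
        """Feed one 30 s sample (t in seconds). Returns whether NDR is on afterwards."""
        self.recent.append(utilization)
        if self.ndr_enabled:
            if utilization > THRESHOLD:
                self.ndr_enabled = False
                self.disabled_at = t
                self.events.append((t, "disabled"))
        else:
            cooldown_over = t >= self.disabled_at + self.cooldown_s
            # Assumption: if the window is not clean when the cooldown ends, the
            # guard keeps checking every tick until 2 clean minutes have passed.
            window_clean = (len(self.recent) == self.recent.maxlen
                            and all(u <= THRESHOLD for u in self.recent))
            if cooldown_over and window_clean:
                self.ndr_enabled = True
                self.disabled_at = None
                self.events.append((t, "recovered"))
        return self.ndr_enabled


def run(samples, cooldown_s):
    """Replay (t, utilization) samples and return the guard's event log."""
    guard = OverloadGuard(cooldown_s)
    for t, u in samples:
        guard.sample(t, u)
    return guard.events


def constructed_samples():
    # Constructed: 30 s ticks over 15 minutes, a 55% burst at t=60 and a 45%
    # blip at t=600 that lands inside the last 2 minutes of a 10 minute cooldown.
    samples = []
    for k in range(31):
        t = k * INTERVAL_S
        u = 0.20
        if t == 60:
            u = 0.55
        elif t == 600:
            u = 0.45
        samples.append((t, u))
    return samples


if __name__ == "__main__":
    for t, event in run(constructed_samples(), cooldown_s=10 * 60):
        print(f"t={t:4d}s  {event}")   # t=  60s disabled, then t= 720s recovered
```

With a 10 minute cooldown the burst at t=60 turns NDR off until t=660 at the earliest; the blip at t=600 sits inside the final 2 minutes, so recovery slips to t=720, the first tick whose trailing four samples are all at or below 40%. During that whole interval the server produces no NDR alarms or traffic logs, which is the detection gap a practitioner should plan around when sizing instances.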


Storage Settings

1. On the NDR page, click NDR Settings in the upper-right corner, then select Storage Settings.
2. Configure traffic packet storage, traffic log storage, and alarm log storage here.
Note:
Users on Enterprise Edition or higher can change the log storage type and retention period at most once per month; a change takes effect within approximately 10 minutes.

Traffic Packet Storage Configuration
Original Traffic Packet Storage: sets the stored length of the req_hex, rsp_hex, http_request_body, and http_response_body fields. Default 1024 bytes; optional values 64, 128, 256, 512, and 1024 bytes.

Traffic Log Storage Configuration
Traffic Log Retention Period: set on the Log Storage Type Configuration page. Default 180 days; optional values 7, 30, 60, 90, and 180 days.
Log Storage Type: set on the Log Storage Type Configuration page; select any combination of inbound traffic, outbound traffic, and east-west traffic.
Payload Storage: when enabled, parsed HTTP data is saved in full. When disabled, only HTTP request and response headers are retained; HTTP payload details and TCP request/response packets are not retained.
Protocol Log Storage Range: sets the network protocols for which Network Detection and Response traffic logs are stored:
Basic protocols: ICMP, TCP, UDP
Email: SMTP, SMTPS
Internet: HTTP, HTTPS, DNS
File transfer: FTP, SMB, FTP-DATA
Login authentication: TLS
Remote management: SSH, DCERPC

Alarm Log Storage Configuration
Alarm/Risk Log Retention Period: set on the Log Storage Type Configuration page; the retention period can be 7, 30, 60, 90, or 180 days.
Alarm Log Storage Type: set on the Log Storage Type Configuration page; select any combination of Threat Intelligence, Basic Rule, Virtual Patch, Blocklist, and Honeypot.
Risk Log Storage Type: Network Detection and Response risk logs do not support storage type configuration. Weak Password and API Sensitive Information Transmission are selected by default and cannot be changed.

File Detection Settings

1. On the NDR page, click NDR Settings in the upper-right corner, then select File Detection Settings.
2. Enable the Abnormal File Transfer Detection feature here. It fully reconstructs files transmitted in network traffic and scans suspicious files in depth using threat intelligence and the cloud sandbox dynamic-behavior detection engine, so that threats can be identified and confirmed accurately.


Risk Policy Settings

1. On the NDR page, click NDR Settings in the upper-right corner, then select Risk Policy Settings.
2. Enable or disable detection for port risk, weak password risk, and sensitive data leak risk here:
Port Risk Detection Switch: detects high-risk port exposure in real time, pinpoints the access source, destination IP, and destination port, and helps you judge whether the asset's exposure surface has been reduced.
Weak Password Risk Detection Switch: detects weak passwords transmitted over the network and locates low-security accounts. Click Rule Configuration to view the detection rules.
Sensitive Data Leak Risk Detection Switch: analyzes traffic in real time for data leakage risks, checking whether externally exposed APIs and externally accessible AI applications leak sensitive information. Click Policy Configuration to enable or disable individual detection policies.


Notification Settings

1. On the NDR page, click NDR Settings in the upper-right corner, then select Notification Setting.
2. Configure notifications for bandwidth specification overage and single-instance bandwidth overload here:
Receive notifications: when enabled, the relevant alarm notifications are delivered; when disabled, they are not.
Sent to: select the sub-accounts to notify from the sub-account list; the master account can be selected for notification at the same time.
Alerting period: the time windows during which alerts are sent. Alerts triggered outside these windows are dropped by default. Each window is at least 1 hour long, and up to five windows can be configured.


Log Parsing Settings

1. On the NDR page, click NDR Settings in the upper-right corner, then select Log Parsing Settings.
2. In the custom parsing field list, select the field to edit and click Edit to parse specific HTTP header fields and add them to the traffic logs. Up to 3 custom fields can be parsed.
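To make the Storage Settings and Log Parsing Settings concrete, the following added example (not Tencent Cloud code, and not the product's actual log format) builds one HTTP traffic log record under a given packet storage length, payload storage toggle, and set of custom header fields. The record layout, the helper names, and the sample request and response are constructed; only the field names req_hex, rsp_hex, http_request_body, and http_response_body, the optional storage lengths, and the 3-field limit come from the page. Treating req_hex and rsp_hex as the leading bytes of the whole message is an assumption.

```python
# Added example (not Tencent Cloud code): what the storage length, payload
# storage toggle and custom header fields mean for one stored HTTP record.
ALLOWED_STORAGE_LENGTHS = (64, 128, 256, 512, 1024)   # bytes; the page's optional values
MAX_CUSTOM_FIELDS = 3                                 # the page: up to 3 custom header fields


def parse_http(raw):
    """Split a raw HTTP message into (start line, lowercase header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def build_traffic_log(raw_request, raw_response, *, storage_len=1024,
                      payload_storage=True, custom_fields=()):
    """Build one traffic log record under the given storage settings.

    storage_len caps req_hex/rsp_hex/http_request_body/http_response_body;
    payload_storage=False keeps only start lines and headers (as the page
    describes); custom_fields are request header names added to the record.
    """
    if storage_len not in ALLOWED_STORAGE_LENGTHS:
        raise ValueError(f"storage length must be one of {ALLOWED_STORAGE_LENGTHS}")
    if len(custom_fields) > MAX_CUSTOM_FIELDS:
        raise ValueError(f"at most {MAX_CUSTOM_FIELDS} custom fields can be parsed")

    req_line, req_headers, req_body = parse_http(raw_request)
    rsp_line, rsp_headers, rsp_body = parse_http(raw_response)
    record = {
        "request_line": req_line,
        "status_line": rsp_line,
        "request_headers": req_headers,
        "response_headers": rsp_headers,
    }
    if payload_storage:
        # Assumption: req_hex/rsp_hex hold the leading bytes of the whole message.
        record["req_hex"] = raw_request[:storage_len].hex()
        record["rsp_hex"] = raw_response[:storage_len].hex()
        record["http_request_body"] = req_body[:storage_len].decode("latin-1")
        record["http_response_body"] = rsp_body[:storage_len].decode("latin-1")
    for name in custom_fields:
        # Header lookup is case-insensitive; a missing header is stored as None.
        record["custom_" + name.lower().replace("-", "_")] = req_headers.get(name.lower())
    return record


# Constructed sample: a form login over plain HTTP with a 204-byte body.
SAMPLE_REQUEST = (
    b"POST /api/v1/login HTTP/1.1\r\n"
    b"Host: app.example.com\r\n"
    b"X-Forwarded-For: 203.0.113.7\r\n"
    b"X-Request-ID: req-7f3a\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"username=alice&password=" + b"A" * 180
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/json\r\n"
    b"\r\n"
    b'{"ok":true}'
)


if __name__ == "__main__":
    rec = build_traffic_log(SAMPLE_REQUEST, SAMPLE_RESPONSE, storage_len=64,
                            custom_fields=("X-Forwarded-For", "X-Request-ID"))
    print(len(rec["http_request_body"]), rec["custom_x_forwarded_for"])  # 64 203.0.113.7
```

The point to take from it: with the storage length set to 64 bytes, the stored request body ends 40 bytes into the password field, and with Payload Storage disabled no body is kept at all. Either setting is fine for volume, but pick it knowing what evidence of a weak-password or sensitive-data finding will still be on disk when you come to investigate it. Parsing X-Forwarded-For as a custom field is how the original client address survives a proxy in these logs.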


NDR Alarms

On the Alarm Center page, view the threat alarms detected by Network Detection and Response. It supports the analysis and detection of 8 alarm types, including lateral movement and active outbound connections, and can determine the outcome of an attack. The Alarm Center is available in a new and an old version.

NDR Logs

On the Network Detection and Response page, select the target CVM instance, container cluster, or public network traffic instance and click View Alarm Logs or View Traffic Logs in the Operation column to open the detailed alarm log or traffic log page for that instance. For guidance on the log page, see Viewing Network Detection and Response Logs.
On the Log Auditing > NDR Log page, you can view the core log information related to NDR: traffic analysis logs, traffic alarm logs, traffic risk logs, and the list of detected files. This page provides a basic log overview. For guidance, see Viewing NDR Logs.
On the Log Analysis page, you can retrieve the complete information of all stored NDR logs, locate target logs quickly with custom search queries, and extract value from the log data through reporting and statistical analysis. This page supports advanced analysis and visualization. For guidance, see Log Analysis.
