CFW NDR is a cloud-native network detection and response feature. The NDR feature can collect, store, and analyze all traffic data in the network in real time, detect network attack threats, and restore transmitted files to enhance network security.
Note:
If you want to try it, you can submit a ticket to apply for a trial of the NDR feature. Use Cases
Cloud-based comprehensive auditing of traffic, network security monitoring, and advanced threat analysis targeting APTs.
Technical Solution
By asynchronously detecting network traffic via bypass mirroring without impacting business traffic; in specific scenarios, it also supports Agent-based mode for endpoint collection to detect traffic.
|
mode for traffic mirroring | Using ENI to mirror traffic to the firewall cluster for analysis, this approach has no impact on business operations but consumes the server's private network bandwidth. |
mode for endpoint collection | Installing endpoint probes on servers to collect traffic consumes CPU resources and bandwidth of the private network. Supported operating system types: Tlinux, Ubuntu, CentOS (kernel version 3.2 or higher). |
NDR Bandwidth Excess and Recovery Mechanism Overview
Bandwidth overrun in traffic analysis will not cause packet loss in business traffic of the customer or affect the traffic rate, but will be unable to provide the NDR feature.
Throttling for Bandwidth Specification Overrun and Recovery Mechanism
Weight range: 0 - 100 (default: 50). A higher value indicates a higher priority.
mechanism for limiting traffic: When real-time bandwidth > purchased specification, the system automatically disables high-weight resolutions first (if weights are equal, disable in descending order of peak bandwidth) until real-time bandwidth falls within the purchased specification.
Recovery mechanism: When real-time bandwidth ≤ purchased specification, the system automatically enables high-weight resolutions first (if weights are equal, enable in descending order of peak bandwidth) and automatically enables the NDR toggle.
Self-Protection and Recovery Mechanism for Single-Machine Bandwidth Overload
Cooldown period: 30 - 1440 minutes (default: 60 minutes), supports custom configuration.
Self-protection mechanism: The bandwidth utilization of the server is checked every 30s. When bandwidth utilization of the server > 40% (corresponding to total bandwidth utilization > 80% due to mirrored traffic), the NDR toggle for that server is disabled by the system.
Recovery mechanism: The bandwidth utilization of the server is checked every 30s. When the utilization remains ≤40% throughout the last 2 minutes of the cooldown period, the NDR toggle is automatically enabled by the system.