alibabacloud-cfw-status-overview

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Cloud Firewall Status Overview

云防火墙状态概览

⚠️ MANDATORY EXECUTION RULES — READ BEFORE DOING ANYTHING:
DO NOT search for log files, security data, or any files in the workspace. There are none.

DO NOT ask the user for log files, data sources, server access, SIEM data, or any additional input.

DO NOT attempt to SSH, access, or connect to any server or IP address.
The ONLY way to get data is by running
aliyun cloudfw ...
CLI commands as defined in the Core Workflow section below.
Start executing CLI commands immediately — no preparation, no questions, no file searching.

⚠️ 强制执行规则——操作前务必阅读：
禁止搜索工作区中的日志文件、安全数据或任何文件。 工作区不存在这类文件。

禁止向用户索要日志文件、数据源、服务器访问权限、SIEM数据或任何额外输入。

禁止尝试SSH、访问或连接任何服务器或IP地址。
获取数据的唯一方式是运行下文核心工作流部分定义的
aliyun cloudfw ...
CLI命令。
立即开始执行CLI命令——无需准备，无需提问，无需搜索文件。

Scenario Description

场景描述

One-click query of Alibaba Cloud Firewall overall status, including asset management coverage, border firewall switch status across Internet/VPC/NAT boundaries, and traffic overview.

Architecture:

Cloud Firewall Service → Internet Border Firewall + VPC Border Firewall + NAT Border Firewall → Asset Protection + Traffic Analysis

Capability Level: Query (read-only)

Data Source: All data is obtained exclusively through Aliyun CLI commands (

aliyun cloudfw ...

). No log files, no databases, no server access, no SIEM — just CLI commands. Do NOT search the workspace for files. Do NOT ask the user for anything. Just run the commands.

Core Capabilities:

Asset Overview — Display managed asset counts and types
Internet Border Firewall Status — Switch status, protected/unprotected IP counts
VPC Border Firewall Status — Switch status and protection coverage per VPC firewall
NAT Border Firewall Status — Switch status and protection coverage
Traffic Overview — Recent traffic trends and peak bandwidth

一键查询阿里云云防火墙整体状态，包括资产管理覆盖率、互联网/VPC/NAT边界的边界防火墙开关状态，以及流量概览。

架构：

Cloud Firewall Service → Internet Border Firewall + VPC Border Firewall + NAT Border Firewall → Asset Protection + Traffic Analysis

能力级别：查询（只读）

数据源：所有数据仅通过Aliyun CLI命令（

aliyun cloudfw ...

）获取。无需日志文件、无需数据库、无需服务器访问、无需SIEM——仅需CLI命令。禁止在工作区搜索文件，禁止向用户索要任何内容，直接运行命令即可。

核心能力：

资产概览——展示已管理资产的数量和类型
互联网边界防火墙状态——开关状态、已防护/未防护IP数量
VPC边界防火墙状态——每个VPC防火墙的开关状态和防护覆盖率
NAT边界防火墙状态——开关状态和防护覆盖率
流量概览——近期流量趋势和峰值带宽

Prerequisites

前置条件

Pre-check: Aliyun CLI >= 3.3.1 required Run
aliyun version
to verify >= 3.3.1. If not installed or version too low, see
references/cli-installation-guide.md
for installation instructions. Then [MUST] run
aliyun configure set --auto-plugin-install true
to enable automatic plugin installation.

前置检查：要求Aliyun CLI版本 >= 3.3.1 运行
aliyun version
确认版本 >= 3.3.1。如果未安装或版本过低，参考
references/cli-installation-guide.md
的安装指引。然后[必须]运行
aliyun configure set --auto-plugin-install true
开启插件自动安装功能。

Authentication

鉴权

Pre-check: Alibaba Cloud Credentials Required

Security Rules:
NEVER read, echo, print, cat, or display AK/SK values under any circumstances

NEVER ask the user to input AK/SK directly in the conversation or command line
NEVER use
aliyun configure set
with literal credential values
ONLY use
aliyun configure list
to check credential status
bash
aliyun configure list
Check the output for a valid profile (AK, STS, or OAuth identity).

If no valid profile exists, STOP here.
Obtain credentials from Alibaba Cloud Console
Configure credentials outside of this session (via
aliyun configure
in terminal or environment variables in shell profile)
Return and re-run after
aliyun configure list
shows a valid profile

前置检查：需要阿里云凭证

安全规则：
任何情况下都禁止读取、回显、打印、输出或展示AK/SK的值

禁止要求用户在对话或命令行中直接输入AK/SK
禁止在
aliyun configure set
命令中使用明文凭证值
仅可使用
aliyun configure list
检查凭证状态
bash
aliyun configure list
检查输出中是否存在有效配置文件（AK、STS或OAuth身份）。

如果不存在有效配置文件，请在此处停止。
从阿里云控制台获取凭证
在当前会话外配置凭证（通过终端的
aliyun configure
命令或shell配置文件中的环境变量）
待
aliyun configure list
显示有效配置文件后，返回重新运行

RAM Policy

RAM权限策略

[MUST] RAM Permission Pre-check: Before executing any commands, verify the current user has the required permissions.
Use
ram-permission-diagnose
skill to get current user's permissions
Compare against
references/ram-policies.md
Abort and prompt user if any permission is missing

Minimum required permissions — see references/ram-policies.md for full policy JSON.

Alternatively, attach the system policy: AliyunYundunCloudFirewallReadOnlyAccess

[必须] RAM权限前置检查： 执行任何命令前，验证当前用户具备所需权限。
使用
ram-permission-diagnose
skill获取当前用户的权限
与
references/ram-policies.md
对比
如果缺少任何权限，中止操作并提示用户

最低所需权限——完整策略JSON见references/ram-policies.md。

也可直接挂载系统策略：AliyunYundunCloudFirewallReadOnlyAccess

Parameter Confirmation

参数确认

IMPORTANT: Parameter Confirmation — Before executing any command or API call, check if the user has already provided necessary parameters in their request.

If the user's request explicitly mentions a parameter value (e.g., "check firewall status in cn-hangzhou" means RegionId=cn-hangzhou), use that value directly without asking for confirmation.

For optional parameters with sensible defaults (PageSize, CurrentPage, time ranges), use the defaults without asking unless the user indicates otherwise.

Do NOT re-ask for parameters that the user has clearly stated.

Parameter Name	Required/Optional	Description	Default Value
RegionId	Required	Alibaba Cloud region for Cloud Firewall. Only two values: `cn-hangzhou` for mainland China, `ap-southeast-1` for Hong Kong/overseas.	`cn-hangzhou` (use directly without asking; only use `ap-southeast-1` if user explicitly mentions Hong Kong/overseas/international)
PageSize	Optional	Number of items per page for paginated APIs	10 (use without asking)
CurrentPage	Optional	Page number for paginated APIs	1 (use without asking)
StartTime	Optional	Start time for traffic trend queries (Unix timestamp in seconds)	7 days ago (use without asking)
EndTime	Optional	End time for traffic trend queries (Unix timestamp in seconds)	Current time (use without asking)

重要：参数确认——执行任何命令或API调用前，检查用户的请求中是否已经提供了必要参数。

如果用户请求明确提及参数值（例如"check firewall status in cn-hangzhou"代表RegionId=cn-hangzhou），直接使用该值无需确认。

对于存在合理默认值的可选参数（PageSize、CurrentPage、时间范围），直接使用默认值无需询问，除非用户另有说明。

不要重复询问用户已经明确给出的参数。

参数名	必填/可选	描述	默认值
RegionId	必填	云防火墙所属阿里云地域。仅两个取值： `cn-hangzhou` 对应中国内地， `ap-southeast-1` 对应中国香港/境外。	`cn-hangzhou` （直接使用无需询问；仅当用户明确提及中国香港/境外/国际时使用 `ap-southeast-1` ）
PageSize	可选	分页API的每页返回数量	10（直接使用无需询问）
CurrentPage	可选	分页API的页码	1（直接使用无需询问）
StartTime	可选	流量趋势查询的开始时间（Unix秒级时间戳）	7天前（直接使用无需询问）
EndTime	可选	流量趋势查询的结束时间（Unix秒级时间戳）	当前时间（直接使用无需询问）

Error Handling and Workflow Resilience

错误处理与工作流容错

CRITICAL: Continue on failure. If any individual API call fails, do NOT stop the entire workflow. Log the error for that step, then proceed to the next step. Present whatever data was successfully collected.

关键规则：失败时继续执行。 如果单个API调用失败，不要停止整个工作流。记录该步骤的错误，然后继续执行下一步。展示所有成功收集到的数据。

Retry Logic

重试逻辑

For each API call:

If the call fails with a transient error (network timeout, throttling
```
Throttling.User
```
,
```
ServiceUnavailable
```
, HTTP 500/502/503), retry up to 2 times with a 3-second delay between retries.
If the call fails with a permanent error (e.g.,
```
InvalidParameter
```
,
```
Forbidden
```
,
```
InvalidAccessKeyId
```
), do NOT retry. Record the error and move on.
After all retries are exhausted, record "[Step X] Failed: {error message}" and continue to the next step.

每个API调用：

如果调用返回瞬时错误（网络超时、限流
```
Throttling.User
```
、
```
ServiceUnavailable
```
、HTTP 500/502/503），最多重试2次，每次重试间隔3秒。
如果调用返回永久错误（例如
```
InvalidParameter
```
、
```
Forbidden
```
、
```
InvalidAccessKeyId
```
），不要重试。记录错误后继续执行下一步。
所有重试次数用尽后，记录"[第X步] 失败：{错误信息}"，然后继续执行下一步。

Service Not Activated

服务未激活

DescribeUserBuyVersion

(Step 1) returns an error indicating the service is not activated (error code

ErrorFirewallNotActivated

or similar "not purchased/activated" messages):

Inform the user: "Cloud Firewall service is not activated in this region. Please activate it at https://yundun.console.aliyun.com/?p=cfwnext"
Skip all subsequent steps since the service is not available.
If the user requested multiple regions, continue with the next region.

如果

DescribeUserBuyVersion

（第1步）返回错误提示服务未激活（错误码

ErrorFirewallNotActivated

或类似"未购买/未激活"的信息）：

告知用户："当前地域未激活云防火墙服务，请前往https://yundun.console.aliyun.com/?p=cfwnext激活"。
跳过所有后续步骤，因为服务不可用。
如果用户请求了多个地域，继续处理下一个地域。

Step Independence

步骤独立性

The workflow steps have these dependencies:

Step 1 (Instance Info) must succeed first — if the service is not activated, skip remaining steps.
Steps 2-6 are independent of each other — failure in any one step should NOT prevent other steps from executing.
Within Step 2, sub-step 2.1 and sub-step 2.2 are independent.
Within Step 4, sub-steps 4.1, 4.2, and 4.3 are independent.
Within Step 6, sub-steps 6.1 and 6.2 are independent.

工作流步骤的依赖关系如下：

第1步（实例信息）必须先成功——如果服务未激活，跳过剩余步骤。
第2-6步相互独立——任何一步失败都不影响其他步骤执行。
第2步中，子步骤2.1和2.2相互独立。
第4步中，子步骤4.1、4.2、4.3相互独立。
第6步中，子步骤6.1和6.2相互独立。

Partial Results

部分结果

When presenting the final summary report:

For steps that succeeded, show the collected data normally.
For steps that failed, show "N/A (error: {brief error})" in the corresponding section.
Always present the summary report even if some steps failed — partial data is better than no data.

展示最终汇总报告时：

成功执行的步骤，正常展示收集到的数据。
执行失败的步骤，在对应区域展示"N/A（错误：{简要错误信息}）"。
即使部分步骤失败，也要始终展示汇总报告——部分数据好过没有数据。

Core Workflow

核心工作流

All API calls use the Aliyun CLI

cloudfw

plugin.

User-Agent: All commands must include

--user-agent AlibabaCloud-Agent-Skills

Region: Specified via

--region {RegionId}

global flag

CRITICAL: Execute immediately without asking. When this skill is triggered, start executing from Step 1 right away. Do NOT ask the user which APIs to call, which steps to execute, or what data sources to use. All data comes from the Aliyun CLI commands defined below — just run them.

所有API调用都使用Aliyun CLI

cloudfw

插件。

User-Agent：所有命令必须包含

--user-agent AlibabaCloud-Agent-Skills

地域：通过全局参数

--region {RegionId}

指定

关键规则：无需询问，立即执行。 触发该skill后，立即从第1步开始执行。不要询问用户需要调用哪些API、执行哪些步骤、使用什么数据源。所有数据都来自下文定义的Aliyun CLI命令——直接运行即可。

Time Parameters

时间参数

Some APIs (Step 3.2, Step 6.2) require

StartTime

and

EndTime

parameters (Unix timestamp in seconds).

How to get timestamps: Run

date +%s

to get the current timestamp,

date -d '7 days ago' +%s

for 7 days ago. Then use the returned numeric values directly in CLI commands.

IMPORTANT: Do NOT use bash variable substitution like
$(date +%s)
inside CLI commands — some execution environments block
$(...)
. Instead, run
date
commands separately first, note the returned values, then use them as literal numbers in the
--StartTime
and
--EndTime
parameters.

部分API（第3.2步、第6.2步）需要

StartTime

和

EndTime

参数（Unix秒级时间戳）。

获取时间戳的方式：运行

date +%s

获取当前时间戳，运行

date -d '7 days ago' +%s

获取7天前的时间戳。然后将返回的数值直接用在CLI命令中。

重要：不要在CLI命令中使用
$(date +%s)
这类bash变量替换——部分执行环境会拦截
$(...)
。请先单独运行
date
命令，记录返回的值，然后将其作为字面量填入
--StartTime
和
--EndTime
参数中。

Step 1: Query Instance Info (Cloud Firewall Version)

第1步：查询实例信息（云防火墙版本）

bash

aliyun cloudfw DescribeUserBuyVersion \
  --region {RegionId} \
  --user-agent AlibabaCloud-Agent-Skills

Key response fields:

Version

(edition),

InstanceId

ExpireTime

IpNumber

(max protected IPs),

AclExtension

(ACL quota).

bash

aliyun cloudfw DescribeUserBuyVersion \
  --region {RegionId} \
  --user-agent AlibabaCloud-Agent-Skills

关键返回字段：

Version

（版本）、

InstanceId

、

ExpireTime

、

IpNumber

（最大防护IP数）、

AclExtension

（ACL配额）。

Step 2: Asset Overview

第2步：资产概览

2.1 Query Asset Statistics

2.1 查询资产统计

bash

aliyun cloudfw DescribeAssetStatistic \
  --region {RegionId} \
  --user-agent AlibabaCloud-Agent-Skills

Key response fields: Total assets, protected count, unprotected count, by resource type (EIP, SLB, ECS, etc.)

bash

aliyun cloudfw DescribeAssetStatistic \
  --region {RegionId} \
  --user-agent AlibabaCloud-Agent-Skills

关键返回字段：总资产数、已防护数量、未防护数量、按资源类型分类（EIP、SLB、ECS等）

2.2 Query Asset List (Paginated)

2.2 查询资产列表（分页）

bash

aliyun cloudfw DescribeAssetList \
  --CurrentPage 1 \
  --PageSize 10 \
  --region {RegionId} \
  --user-agent AlibabaCloud-Agent-Skills

Key response fields:

Assets[]

with

InternetAddress

IntranetAddress

ResourceType

ProtectStatus

RegionID

Name

bash

aliyun cloudfw DescribeAssetList \
  --CurrentPage 1 \
  --PageSize 10 \
  --region {RegionId} \
  --user-agent AlibabaCloud-Agent-Skills

关键返回字段：

Assets[]

包含

InternetAddress

、

IntranetAddress

、

ResourceType

、

ProtectStatus

、

RegionID

、

Name

。

2.2.1 Query Unprotected Assets

2.2.1 查询未防护资产

IMPORTANT: When the user asks about unprotected/unmanaged assets, assets not covered by the firewall, or protection gaps, you MUST use the
Status
filter parameter set to
"close"
to query only unprotected assets:

bash

aliyun cloudfw DescribeAssetList \
  --CurrentPage 1 \
  --PageSize 50 \
  --Status close \
  --region {RegionId} \
  --user-agent AlibabaCloud-Agent-Skills

Use

PageSize: "50"

for unprotected asset queries to capture more results. If

TotalCount

in the response exceeds

PageSize

, iterate through all pages by incrementing

CurrentPage

until all assets are retrieved.

Status filter values for the
Status
request parameter:

Value	Meaning
`close`	Unprotected assets (firewall not enabled)
`open`	Protected assets (firewall enabled)
`opening`	Assets being enabled

Note: The request parameter uses
close
(no 'd'), while the response field
ProtectStatus
uses
closed
(with 'd'). Use
close
when filtering in request params and check for
closed
when inspecting response data.

重要：当用户询问未防护/未管理资产、防火墙未覆盖的资产或防护缺口时，你必须将
Status
过滤参数设置为
"close"
，仅查询未防护资产：

bash

aliyun cloudfw DescribeAssetList \
  --CurrentPage 1 \
  --PageSize 50 \
  --Status close \
  --region {RegionId} \
  --user-agent AlibabaCloud-Agent-Skills

未防护资产查询使用

PageSize: "50"

以获取更多结果。如果返回的

TotalCount

超过

PageSize

，递增

CurrentPage

遍历所有页面，直到获取全部资产。

Status
请求参数的过滤值：

取值	含义
`close`	未防护资产（防火墙未开启）
`open`	已防护资产（防火墙已开启）
`opening`	开启中的资产

注意：请求参数使用
close
（无d后缀），而返回字段
ProtectStatus
使用
closed
（有d后缀）。请求参数过滤时使用
close
，检查返回数据时匹配
closed
。

Step 3: Internet Border Firewall Status

第3步：互联网边界防火墙状态

3.1 Query Internet Exposure Statistics

3.1 查询互联网暴露统计

bash

aliyun cloudfw DescribeInternetOpenStatistic \
  --region {RegionId} \
  --user-agent AlibabaCloud-Agent-Skills

Key response fields: Total public IPs, open port count, risk level distribution, recently exposed assets.

bash

aliyun cloudfw DescribeInternetOpenStatistic \
  --region {RegionId} \
  --user-agent AlibabaCloud-Agent-Skills

关键返回字段：公网IP总数、开放端口数量、风险等级分布、近期暴露资产。

3.2 Query Internet Defense Traffic Trend

3.2 查询互联网防御流量趋势

bash

aliyun cloudfw DescribeInternetDropTrafficTrend \
  --StartTime {StartTime} \
  --EndTime {EndTime} \
  --SourceCode China \
  --region {RegionId} \
  --user-agent AlibabaCloud-Agent-Skills

SourceCode

values:

China

(mainland),

Other

(overseas).

bash

aliyun cloudfw DescribeInternetDropTrafficTrend \
  --StartTime {StartTime} \
  --EndTime {EndTime} \
  --SourceCode China \
  --region {RegionId} \
  --user-agent AlibabaCloud-Agent-Skills

SourceCode

取值：

China

（中国内地）、

Other

（境外）。

Step 4: VPC Border Firewall Status

第4步：VPC边界防火墙状态

4.1 Query CEN Enterprise Edition (TR Firewalls)

4.1 查询CEN企业版（TR防火墙）

bash

aliyun cloudfw DescribeTrFirewallsV2List \
  --CurrentPage 1 \
  --PageSize 20 \
  --region {RegionId} \
  --user-agent AlibabaCloud-Agent-Skills

Key response fields:

VpcTrFirewalls[]

with

FirewallSwitchStatus

(

opened

closed

opening

closing

CenId

RegionNo

VpcId

bash

aliyun cloudfw DescribeTrFirewallsV2List \
  --CurrentPage 1 \
  --PageSize 20 \
  --region {RegionId} \
  --user-agent AlibabaCloud-Agent-Skills

关键返回字段：

VpcTrFirewalls[]

包含

FirewallSwitchStatus

（

opened

closed

opening

closing

）、

CenId

、

RegionNo

、

VpcId

。

4.2 Query CEN Basic Edition VPC Firewalls

4.2 查询CEN基础版VPC防火墙

bash

aliyun cloudfw DescribeVpcFirewallCenList \
  --CurrentPage 1 \
  --PageSize 20 \
  --region {RegionId} \
  --user-agent AlibabaCloud-Agent-Skills

Key response fields:

VpcFirewalls[]

with

FirewallSwitchStatus

CenId

LocalVpc

PeerVpc

bash

aliyun cloudfw DescribeVpcFirewallCenList \
  --CurrentPage 1 \
  --PageSize 20 \
  --region {RegionId} \
  --user-agent AlibabaCloud-Agent-Skills

关键返回字段：

VpcFirewalls[]

包含

FirewallSwitchStatus

、

CenId

、

LocalVpc

、

PeerVpc

。

4.3 Query Express Connect VPC Firewalls

4.3 查询高速通道VPC防火墙

bash

aliyun cloudfw DescribeVpcFirewallList \
  --CurrentPage 1 \
  --PageSize 20 \
  --region {RegionId} \
  --user-agent AlibabaCloud-Agent-Skills

Key response fields:

VpcFirewalls[]

with

FirewallSwitchStatus

VpcFirewallId

LocalVpc

PeerVpc

Bandwidth

bash

aliyun cloudfw DescribeVpcFirewallList \
  --CurrentPage 1 \
  --PageSize 20 \
  --region {RegionId} \
  --user-agent AlibabaCloud-Agent-Skills

关键返回字段：

VpcFirewalls[]

包含

FirewallSwitchStatus

、

VpcFirewallId

、

LocalVpc

、

PeerVpc

、

Bandwidth

。

Step 5: NAT Border Firewall Status

第5步：NAT边界防火墙状态

bash

aliyun cloudfw DescribeNatFirewallList \
  --region {RegionId} \
  --user-agent AlibabaCloud-Agent-Skills

Key response fields:

NatFirewalls[]

with

ProxyStatus

(

configuring

normal

deleting

NatGatewayId

NatGatewayName

VpcId

RegionId

bash

aliyun cloudfw DescribeNatFirewallList \
  --region {RegionId} \
  --user-agent AlibabaCloud-Agent-Skills

关键返回字段：

NatFirewalls[]

包含

ProxyStatus

（

configuring

normal

deleting

）、

NatGatewayId

、

NatGatewayName

、

VpcId

、

RegionId

。

Step 6: Traffic Overview

第6步：流量概览

6.1 Query Total Traffic Statistics

6.1 查询总流量统计

bash

aliyun cloudfw DescribePostpayTrafficTotal \
  --region {RegionId} \
  --user-agent AlibabaCloud-Agent-Skills

bash

aliyun cloudfw DescribePostpayTrafficTotal \
  --region {RegionId} \
  --user-agent AlibabaCloud-Agent-Skills

6.2 Query Internet Traffic Trend

6.2 查询互联网流量趋势

bash

aliyun cloudfw DescribeInternetTrafficTrend \
  --StartTime {StartTime} \
  --EndTime {EndTime} \
  --SourceCode China \
  --TrafficType TotalTraffic \
  --region {RegionId} \
  --user-agent AlibabaCloud-Agent-Skills

TrafficType values:

TotalTraffic

InTraffic

OutTraffic

bash

aliyun cloudfw DescribeInternetTrafficTrend \
  --StartTime {StartTime} \
  --EndTime {EndTime} \
  --SourceCode China \
  --TrafficType TotalTraffic \
  --region {RegionId} \
  --user-agent AlibabaCloud-Agent-Skills

TrafficType取值：

TotalTraffic

、

InTraffic

、

OutTraffic

。

Output Summary Format

输出汇总格式

After gathering all data, present a summary report. Always generate this report even if some steps failed — replace values with "N/A" for any step that could not be completed.

============================================
   Cloud Firewall Status Overview Report
============================================

1. Instance Info
   - Edition: {Version}
   - Expiry: {ExpireTime}
   - Max Protected IPs: {IpNumber}

2. Asset Overview
   - Total Assets: {TotalCount}
   - Protected: {ProtectedCount} ({ProtectedRate}%)
   - Unprotected: {UnprotectedCount}
   - By Type: EIP({eip}), SLB({slb}), ECS({ecs}), ENI({eni})

3. Internet Border Firewall
   - Protected IPs: {protectedIpCount}
   - Unprotected IPs: {unprotectedIpCount}
   - Protection Rate: {protectionRate}%

4. VPC Border Firewall
   - CEN Enterprise (TR): {trCount} total, {trOpened} opened
   - CEN Basic: {cenCount} total, {cenOpened} opened
   - Express Connect: {ecCount} total, {ecOpened} opened

5. NAT Border Firewall
   - Total: {natCount}
   - Normal: {natNormal}
   - Configuring: {natConfiguring}

6. Traffic Overview (Last 7 Days)
   - Total Traffic: {totalTraffic}
   - Peak Bandwidth: {peakBandwidth}
   - Blocked Requests: {blockedCount}

[Steps with errors (if any)]
   - {Step X}: {error message}
============================================

Note: For any step that failed, show "N/A (error: {brief error})" for that section's data fields, and list all errors in the bottom section.

收集完所有数据后，展示汇总报告。即使部分步骤失败，也必须生成该报告——未完成步骤的取值替换为"N/A"。

============================================
   云防火墙状态概览报告
============================================

1. 实例信息
   - 版本：{Version}
   - 过期时间：{ExpireTime}
   - 最大防护IP数：{IpNumber}

2. 资产概览
   - 总资产数：{TotalCount}
   - 已防护：{ProtectedCount}（{ProtectedRate}%）
   - 未防护：{UnprotectedCount}
   - 按类型分类：EIP({eip})、SLB({slb})、ECS({ecs})、ENI({eni})

3. 互联网边界防火墙
   - 已防护IP：{protectedIpCount}
   - 未防护IP：{unprotectedIpCount}
   - 防护率：{protectionRate}%

4. VPC边界防火墙
   - CEN企业版（TR）：总数{trCount}，已开启{trOpened}
   - CEN基础版：总数{cenCount}，已开启{cenOpened}
   - 高速通道：总数{ecCount}，已开启{ecOpened}

5. NAT边界防火墙
   - 总数：{natCount}
   - 正常运行：{natNormal}
   - 配置中：{natConfiguring}

6. 流量概览（最近7天）
   - 总流量：{totalTraffic}
   - 峰值带宽：{peakBandwidth}
   - 拦截请求数：{blockedCount}

[存在错误的步骤（如有）]
   - {第X步}：{错误信息}
============================================

注意：任何执行失败的步骤，对应区域的数据字段展示"N/A（错误：{简要错误信息}）"，并在底部区域列出所有错误。

Success Verification

成功验证

See references/verification-method.md for detailed verification steps.

Quick verification: If all CLI commands return valid JSON responses without error codes, the skill executed successfully.

详细验证步骤见references/verification-method.md。

快速验证：如果所有CLI命令都返回有效JSON响应，无错误码，则skill执行成功。

API and Command Tables

API与命令对照表

Use references/related-apis.md as the single source of truth for API tables and command mappings.

API对照表和命令映射以references/related-apis.md为唯一权威来源。

Best Practices

最佳实践

Query in order — Start with instance info (Step 1) to confirm the service is active before querying details. If Step 1 fails with a service-not-activated error, stop and guide the user.
Continue on failure — If any step (2-6) fails, log the error and continue with the remaining steps. Always produce a summary with whatever data was collected.
Use pagination — For asset lists, use
```
CurrentPage
```
and
```
PageSize
```
to handle large datasets. Default to PageSize=10 for general queries, PageSize=50 for filtered queries (e.g., unprotected assets).
Time range selection — For traffic trends, default to the last 7 days. Use Unix timestamps in seconds. Calculate with:
```
date -d '7 days ago' +%s
```
for start time and
```
date +%s
```
for end time. Run these commands separately, then use the returned values as literal numbers in
```
--StartTime
```
and
```
--EndTime
```
. Do NOT use
```
$(...)
```
substitution inside CLI commands.
Region awareness — Cloud Firewall only has two regions:
```
cn-hangzhou
```
(mainland China) and
```
ap-southeast-1
```
(Hong Kong/overseas). Default to
```
cn-hangzhou
```
unless user specifies otherwise.
Error handling — If
```
DescribeUserBuyVersion
```
returns an error, the Cloud Firewall service may not be activated. Prompt the user to activate it at https://yundun.console.aliyun.com/?p=cfwnext
Rate limiting — Space API calls to avoid throttling. If you receive a
```
Throttling.User
```
error, wait 3 seconds and retry.
Security — NEVER expose, log, echo, or display AK/SK values.
Retry on transient errors — For network timeouts or 5xx errors, retry up to 2 times with a 3-second delay.

按顺序查询——从实例信息（第1步）开始，确认服务已激活后再查询详情。如果第1步返回服务未激活错误，停止操作并引导用户。
失败时继续执行——如果第2-6步中任何一步失败，记录错误后继续执行剩余步骤。始终基于收集到的所有数据生成汇总报告。
使用分页——资产列表查询使用
```
CurrentPage
```
和
```
PageSize
```
处理大数据集。常规查询默认PageSize=10，过滤查询（例如未防护资产）默认PageSize=50。
时间范围选择——流量趋势默认查询最近7天，使用Unix秒级时间戳。计算方式：开始时间用
```
date -d '7 days ago' +%s
```
，结束时间用
```
date +%s
```
。单独运行这些命令，然后将返回的值作为字面量填入
```
--StartTime
```
和
```
--EndTime
```
，不要在CLI命令中使用
```
$(...)
```
替换。
地域感知——云防火墙仅支持两个地域：
```
cn-hangzhou
```
（中国内地）和
```
ap-southeast-1
```
（中国香港/境外）。除非用户另有说明，默认使用
```
cn-hangzhou
```
。
错误处理——如果
```
DescribeUserBuyVersion
```
返回错误，可能是云防火墙服务未激活，提示用户前往https://yundun.console.aliyun.com/?p=cfwnext激活。
限流处理——控制API调用间隔避免被限流。如果收到
```
Throttling.User
```
错误，等待3秒后重试。
安全规则——永远不要泄露、记录、回显或展示AK/SK的值。
瞬时错误重试——网络超时或5xx错误最多重试2次，每次间隔3秒。

Reference Links

参考链接

Reference	Description
references/related-apis.md	Complete API table with parameters
references/ram-policies.md	Required RAM permissions and policy JSON
references/verification-method.md	Step-by-step verification commands
references/acceptance-criteria.md	Correct/incorrect usage patterns
references/cli-installation-guide.md	Aliyun CLI installation guide

参考文档	描述
references/related-apis.md	完整API对照表，包含参数说明
references/ram-policies.md	所需RAM权限和策略JSON
references/verification-method.md	分步验证命令
references/acceptance-criteria.md	正确/错误使用示例
references/cli-installation-guide.md	Aliyun CLI安装指引