The invention discloses a method for detecting network attack, and a firewall system. The method comprises the steps: detecting whether there is a flow passing through a firewall or not; conducting the flow to a virtual machine simulation environment if the flow is detected to pass through the firewall; and determining whether a host suffers from network attack or not through monitoring the changes generated by the virtual machine simulation environment. The method overcomes a difficulty that conventional firewall equipment cannot detect unknown malicious attack. Meanwhile, the method leads the suspicious flow to the virtual machine simulation environment, and reduces the adverse effect on a production environment from the suspicious flow.