After you add a website to Web Application Firewall (WAF), the Protection Rules Engine is enabled by default. The Protection Rules Engine uses built-in rules that are developed based on specialized expertise. The Protection Rules Engine automatically protects websites against common web attacks, such as SQL injections, XSS attacks, webshell uploads, command injections, backdoor isolations, invalid file requests, path traversals, and vulnerability exploits. You can adjust the protection rules of the Protection Rules Engine based on your business requirements. You can also query the protection rules of the Protection Rules Engine.

Prerequisites

Procedure

  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group and region to which the WAF instance belongs. The region can be Mainland China or International.
  3. In the left-side navigation pane, choose Protection Settings > Website Protection.
  4. In the upper part of the Website Protection page, select the domain name for which you want to configure the whitelist.
  5. Click the Web Security tab, find the Protection Rules Engine section, and configure the following parameters.
    Status: The status of the Protection Rules Engine. After you add a website to WAF, the Protection Rules Engine is enabled by default.

    Note: After the Protection Rules Engine is enabled, all requests that are destined for the website are checked by the engine. You can configure a whitelist in the Web Intrusion Prevention section. Then, the requests that meet the rules specified in the whitelist can bypass the check. For more information, see Configure a whitelist for web intrusion prevention.

    Mode: The action that you want to perform on requests when WAF detects attacks. Valid values:
    • Block: blocks requests.
    • Warn: triggers alerts but does not block requests.

    Protection Rule Group: The protection rule group that you want to use. Built-in rule groups and custom rule groups are both supported. WAF provides the following built-in rule groups:
    • Medium rule group: detects common web application attacks in a standard way. This rule group is used by default.
    • Strict rule group: detects web application attacks, such as path traversals, SQL injections, and command injections, in a strict way.
    • Loose rule group: detects common web application attacks in a loose way. If you encounter a high false positive rate when you apply the medium rule group or your business has a high amount of uncontrollable user input, such as rich text editors and technical forums, we recommend that you select this loose rule group.

    You can click Settings to go to the Protection Rule Group page. On this page, you can create custom rule groups. Then, select rules based on your business requirements. For more information, see Customize protection rule groups.

    Decoding Settings: The data formats that you want the Protection Rules Engine to decode and analyze.

    By default, the Protection Rules Engine decodes and analyzes the request data of all formats. This ensures the protection performance. If the Protection Rules Engine blocks normal requests that contain data of specific formats, you can clear the formats to reduce the false positive rate.

    You can unfold the Decode Settings drop-down list and select the format that you want to decode or clear the format that you do not want to decode.

    Notice: You cannot clear the following formats: URL Decoding, JavaScript Unicode Decoding, Hex Decoding, Comment Processing, and Space Compression.
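
The decoding step described above, as an added example that is not WAF's own code: a small normalizer applies the five formats that cannot be cleared before one toy signature is matched, and the result follows the Mode setting. The decoder behaviours, the repeat-until-stable loop, the rule, and the sample parameters are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

def _unescape(pattern):
    # Build a decoder that replaces \uXXXX or \xXX escapes with the character.
    rx = re.compile(pattern)
    return lambda s: rx.sub(lambda m: chr(int(m.group(1), 16)), s)

# Assumed behaviour of the five formats the page says cannot be cleared.
DECODERS = [
    ("URL Decoding", unquote),
    ("JavaScript Unicode Decoding", _unescape(r"\\u([0-9a-fA-F]{4})")),
    ("Hex Decoding", _unescape(r"\\x([0-9a-fA-F]{2})")),
    ("Comment Processing", lambda s: re.sub(r"/\*.*?\*/", " ", s, flags=re.S)),
    ("Space Compression", lambda s: re.sub(r"\s+", " ", s).strip()),
]

def normalize(value, max_rounds=5):
    """Run every decoder repeatedly until the value stops changing,
    so nested encodings (for example %2569 -> %69 -> i) are unwrapped."""
    for _ in range(max_rounds):
        decoded = value
        for _name, decode in DECODERS:
            decoded = decode(decoded)
        if decoded == value:
            break
        value = decoded
    return value

# Toy signature standing in for one built-in rule (constructed).
RULE = re.compile(r"\bunion select\b", re.I)

def inspect(value, mode="Block"):
    """Return what the engine would do with one request parameter."""
    if not RULE.search(normalize(value)):
        return "pass"
    return "blocked" if mode == "Block" else "alerted"  # Warn only alerts

# Constructed sample parameters, not captured traffic.
SAMPLES = {
    "mixed": r"q=1%27%20un\u0069on/**/%20sel\x65ct%20name",
    "double": "q=un%2569on%2520select",
    "benign": "q=student%20union%20election",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "raw-match:", bool(RULE.search(raw)),
              "| Block:", inspect(raw), "| Warn:", inspect(raw, "Warn"))
```

The signature never matches the raw form of the first two samples; it matches only after normalization, which is why these formats stay enabled.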

Query protection rules

You can use the following methods to query the latest protection rules that are added to the Protection Rules Engine and query all protection rules that are included in the Protection Rules Engine:

  • Query the latest protection rules

    Log on to the Web Application Firewall console. Go to the Overview page, find the Vulnerabilities section, and then click items in the section to view the latest protection rules.

  • Query all protection rules

    Log on to the Web Application Firewall console. In the left-side navigation pane, choose System Management > Protection Rule Group and view all protection rules that are included in the Protection Rules Engine.

    Procedure
    1. On the Web Application Protection tab, find Strict rule group and click the number in the Built-in Rule Number column.
      The strict rule group is a built-in rule group. The group contains all protection rules of the Protection Rules Engine and cannot be modified.
      Note: The number of protection rules of the Protection Rules Engine dynamically changes. The number of protection rules displayed in the WAF console may be different from the number in the following figure.
      Figure: Strict rule group
    2. In the Built-in Rule Number panel, query the protection rules that you want to view.

      You can configure Risk Level, Protection Type, and Application Type to filter protection rules. You can also query a protection rule by using Rule ID or CVE ID. You can obtain a rule ID on the Overview or Security Report page.

      The rule list displays the following information: Risk Level/Rule name, Rule ID, Updated On, Application Type, CVE ID, Protection Type, and Description.

      You can click a CVE ID to view the details about the vulnerability.

References

Best practices for the protection rules engine

Customize protection rule groups