This topic describes the release notes for Web Application Firewall (WAF) features.


| Release date | Version | Feature update | Description | Documentation |
| --- | --- | --- | --- | --- |
| April 10, 2020 | V5.0.0.1 | User experience optimized | Data on the Overview page can now be drilled down to the Security report page. Data on the Security report page can be drilled down to the Log Service page to improve the closed-loop experience in operations data. Data in the Protection statistics area of the Overview page can be drilled down to the Security report page. The ranking on the URL Requests tab shows the domain name information. Statistics data on the Access Control/Throttling tab of the Security report page can be drilled down to the Log Service page. Custom access control rules that match access requests can be viewed and edited. | View overall information; View security reports |
| April 2, 2020 | V5.0.0.0 | Support for bot management | Value-added services such as bot management and application protection are supported to provide intelligent protection against automated attacks and intelligent protection of bot traffic. The bot management module provides trusted communications to protect native applications and defends against bot script abuse. Note: The bot management and application protection modules are available only for the new protection engine released in January 2020. If you are using a protection engine of an earlier version, we recommend that you upgrade your protection engine as soon as possible. | Configure the bot management whitelist |
| March 10, 2020 | V4.6.3.1 | Upgrade guide released for the new protection engine | An upgrade guide is provided to instruct existing users to upgrade their protection engines. You can upgrade your protection engine without service interruption. | Protection engine is upgraded |
| March 4, 2020 | V4.6.3.0 | Support for intelligent load balancing among multiple WAF nodes | Intelligent load balancing is supported. WAF provides multiple service nodes to enable automatic disaster recovery and optimal routing with low latency. | Intelligent load balancing |
| February 14, 2020 | V4.6.2.0 | Log Service upgraded and user experience optimized | Log Service for WAF is upgraded. You can customize domain names to enable features such as full log service. | None |
| February 10, 2020 | V4.6.1.0 | Event alert feature upgraded | The alert notification feature is upgraded. Security event alerts and workload monitoring alerts are provided based on basic statistics data and attack events to support routine O&M. | Configure alert rules |
| January 15, 2020 | V4.6.0.0 | Protection capabilities and user experience upgraded | Fine-grained throttling and robust protection against malicious network traffic are supported in the new protection engine of WAF. Account security protection can be enabled to prevent common HTTP flood attacks, credential stuffing, and weak password sniffing. Note: The protection capabilities are available for all users but are configured only for users who newly purchased WAF in the console. Existing users can upgrade their protection engines in March 2020. | Configure the RegEx Protection Engine |


| Release date | Feature update | Description | Documentation |
| --- | --- | --- | --- |
| December 20, 2019 | Features in exclusive edition optimized | Features in the WAF exclusive edition are optimized. You can customize the request timeout period for your domain. | Create an exclusive cluster |
| November 28, 2019 | Support for account security risk detection | The account security feature is supported to help you detect account security risks on the logon interfaces. The risks include credential stuffing, brute-force attacks, zombie accounts, weak password sniffing, and SMS interface flooding. | Configure account security |
| October 25, 2019 | Exclusive edition released | The WAF exclusive edition is released. It allows you to customize items such as protection ports, TLS versions, cipher suites, and the response page that appears when a request is blocked. This edition meets your web application protection requirements. | Create an exclusive cluster |
| October 22, 2019 | URL profiling supported for protected websites | URL profiling is supported. WAF can automatically identify business URL profiles and business volumes based on the normal network traffic that flowed through websites. This enables you to customize protection policies for different websites. | None |
| October 16, 2019 | Data of website scanning protection provided on the Overview page | The amount of traffic blocked by the anti-scanning module, a list of the blocked website scanning attacks, attack details, and resolutions provided by security experts are displayed on the Overview page in the WAF console. | View overall information |
| August 22, 2019 | Positive security model released | Based on intelligent big data learning algorithms, the positive security model is used to learn historical network traffic of a user in an iterative manner. This enables you to customize automated protection policies. | Configure the positive security model |
| July 18, 2019 | Web attack details added to the Security report page | Web attack details are added to the Security report page to show the specific causes of blocked attacks. This improves the efficiency of security O&M. | WAF security reports |
| June 27, 2019 | Support for HTTP/2-compliant application protection | HTTP/2-compliant application protection is supported. It increases the coverage rate of application protocols. This ensures that the applications of WAF users are fully protected. | Add domain names |
| June 13, 2019 | Support for decoding modes of web request contents in protection configuration | Decoding modes of web request contents can be customized in protection configuration. | Configure the RegEx Protection Engine |
| May 30, 2019 | ACL rules optimized | Multiple IP addresses or CIDR blocks can be added to ACL rules for condition matching. | Create a custom protection policy |
| May 30, 2019 | Overview page optimized | The Overview page in the WAF console is optimized. It aggregates security operations events based on a large volume of log data and provides professional suggestions for event handling. This page also displays the number of attacks by type and the frequently attacked domains. After the optimization, the operations capabilities of WAF are enhanced. | View overall information |
| March 19, 2019 | Threat intelligence feature released | The threat intelligence feature is released. It provides a library that contains scanning attack information. Based on the provided information, you can customize the thresholds of network scanning frequency and duration for blocking malicious scanning attacks. This feature is used to prevent scanning attacks with common signatures, such as path traversal. | Configure scan protection |
| January 3, 2019 | Custom country or region supported for request blocking | All requests from the IP addresses in the blocked countries or regions are blocked by WAF. | Configure the IP blacklist |


| Release date | Feature update | Description | Documentation |
| --- | --- | --- | --- |
| December 20, 2018 | Website defacement-prevention API operations released | Website defacement-prevention API operations are released. You can call these operations to update cached pages and add protection rules. | None |
| December 13, 2018 | Support for customization of web application protection rule groups | Web application protection rule groups can be customized, so you can configure rules based on your business requirements. This prevents false request blocking caused by default protection rule levels and ensures business security. | Customize protection rule groups |
| November 16, 2018 | Support for one-year storage of business logs | WAF is integrated with Log Service to collect, query, and analyze business logs of websites that are added to WAF in real time. | Log search |
| October 24, 2018 | Support for traffic marking | Traffic marking is supported. You can specify a header field name and value to mark the traffic forwarded by WAF. | Add domain names |
| October 17, 2018 | Support for query of blocking events in all logs by using a unique ID | The unique ID can be used to query blocking events in all logs, so you can quickly locate the cause of request blocking and view the request details. | Log search |
| October 1, 2018 | Support for security events and alerts | Security events and system alerts can be sent to you by using text messages or emails. You can customize business metrics to detect business exceptions in a timely manner. | Configure alert rules |
| August 9, 2018 | Support for the big data deep learning engine | The big data deep learning engine is supported. It offers powerful machine learning capabilities for WAF to identify exceptions and block risk requests. | Configure the big data deep learning engine |
| July 27, 2018 | OpenAPI released | API operations required for common configurations in the console are opened to facilitate batch processing. | API overview |
| April 27, 2018 | Precise access control enhanced | More HTTP header fields can be used to set ACL rules and filter access requests. | Create a custom protection policy |
| March 15, 2018 | Support for release of WAF instances | WAF instances can be released in the console based on business requirements. | Release WAF instance |
| January 30, 2018 | Support for download of all logs | In Business edition or higher editions, intelligent searches of all access logs are enabled, and one-click download of log search results is allowed. | Log search |
| January 11, 2018 | AntBuckler risk control service by mobile number released | The AntBuckler risk control service by mobile number is released to efficiently resolve the problems of bot-based registration, click farming, and ticket scalping. Note: The service is already deprecated. | |


| Release date | Feature update | Description |
| --- | --- | --- |
| December 28, 2017 | Non-standard ports added | More non-standard ports are added for port protection. |
| November 24, 2017 | Support for diversified load balancing algorithms | Diversified load balancing algorithms can be selected as required to meet different business requirements. |
| October 30, 2017 | Application security solutions provided | Application security solutions are provided to protect your applications from traffic flooding attacks and data crawling. |
| October 26, 2017 | Support for WebSocket | WebSocket-compliant website business is supported. |
| August 31, 2017 | Support for monitoring of error codes | Error codes can be monitored. |
| August 31, 2017 | Support for query of business bandwidth | The uplink and downlink bandwidth usage of business can be queried. |
| August 31, 2017 | Support for business QPS | The QPS by instance or domain name is supported. |
| August 16, 2017 | Support for viewing details of black hole events | The information such as attack thresholds and events generated when a black hole occurs can be viewed. |
| July 27, 2017 | Exclusive WAF IP addresses released | Exclusive WAF IP addresses are released. You can purchase exclusive WAF IP addresses to protect specified domain names. |
| July 25, 2017 | Precise access control optimized | Policies for risk control on allowed access requests and region blocking can be configured in precise access control rules. |
| July 25, 2017 | Man-machine identification algorithm optimized | The man-machine identification algorithm in custom HTTP flood protection rules is optimized, so the rate of blocking HTTP flood attacks is increased. |
| July 25, 2017 | Support for more logical operators | Logical operators such as "Does not exist" and "Value length range" are added to define match conditions of precise access control rules. |
| July 25, 2017 | Support for detection of more HTTP fields | Rules for detection of more HTTP fields are supported in precise access control. |
| June 7, 2017 | Support for the back-to-origin CIDR block feature | Back-to-origin addresses in the domain name format are supported in website configuration. |
| May 25, 2017 | Data leakage prevention feature released | A sensitive data leakage prevention scheme is launched based on network security regulations. |
| April 12, 2017 | HTTPS implementation with one click | HTTPS-based website access with one click is supported, without changes in server configurations. |
| April 12, 2017 | Support for non-standard ports in multiple versions of WAF | Non-standard ports are supported in multiple versions of WAF for security protection. |
| March 28, 2017 | Support for the big-data threat intelligence feature | The big-data threat intelligence feature is supported. Services such as security check score assessment, high-risk warning, and viewing of hacking tools are provided. |
| March 8, 2017 | Access experience optimized | DNS records can be added with one click. |
| February 9, 2017 | Support for the website defacement-prevention feature | The website defacement-prevention feature is supported to protect web page data from being tampered with. |
| February 9, 2017 | Log search feature released | All service access logs can be searched for with one click. |
| January 5, 2017 | Support for virtual hosts | Virtual hosts (HiChina) are supported for website security protection. |


| Release date | Feature update | Description |
| --- | --- | --- |
| December 21, 2016 | WAF V3.1 released | WAF V3.1 is released. It improves the core protection capabilities of protection engines and provides features such as blocking IP addresses in specified regions and customizing protection rules to block HTTP flood attacks. |
| December 1, 2016 | Intelligent semantic analysis engine provided | The intelligent semantic analysis engine is provided. Compared with the RegEx Protection Engine, this engine reduces false positives. |