This topic provides the release notes for Web Application Firewall (WAF) and links to the relevant references.
Releases of 2023
Release date | Feature | Description | References |
2023-08-20 | Support for WAF 3.0 protection of IPv6 traffic | IPv6 can be enabled. | |
2023-08-10 | Support for the configuration of default SSL and TLS settings | Default Transport Layer Security (TLS) settings and SSL certificate settings can be configured for virtual IP addresses (VIPs). | |
2023-08-01 | Support for back-to-origin traffic marking, canary release configurations for bot management rules, and bot traffic analysis | | |
2023-07-14 | Support for the verification of DNS resolution status | WAF 3.0 checks the DNS records of domain names that are added to WAF 3.0 and identifies domain names whose DNS records are abnormal to prevent web services from being affected. | |
2023-06-21 | Support for the verification of domain ownership | The first time a domain name is added to WAF, the ownership of the domain name must be verified. After your ownership of the domain name is verified, you can add subdomains of the domain name without the need to verify the ownership of the subdomains. | |
2023-06-10 | Support for WAF 3.0 protection of websites that use SM certificates | If you select HTTPS, you can turn on wafnew.assetManage.access.openSM2 and wafnew.assetManage.access.SM2AccessOnly to enable SM certificate-based verification and allow access only from SM certificate-based clients. | |
2023-05-30 | Optimization of the API security module | Custom sensitive data type policies can be configured. | |
2023-05-22 | Support for semantic-based protection | Semantic-based protection is supported, which can be used to defend against SQL injections. The detection of non-injection attacks is also supported. Non-injection attack detection can be enabled or disabled. | |
2023-05-18 | Support for downgrading more features | | |
2023-04-28 | Support for manual addition of domain names that are hosted on CLB or ECS instances to WAF as protected objects | Domain names that are hosted on Classic Load Balancer (CLB) or Elastic Compute Service (ECS) instances can be manually added to WAF as protected objects. | |
2023-04-14 | Support for the traffic billing protection feature | The traffic billing protection feature is supported for pay-as-you-go WAF instances. After you enable the traffic billing protection feature for a pay-as-you-go WAF instance, the WAF instance is added to a sandbox when the peak queries per second (QPS) of the WAF instance exceeds the specified threshold value for traffic billing protection. You are not charged traffic processing fees or feature fees that are generated in the hour when the WAF instance is added to a sandbox. This prevents high costs due to traffic spikes. | |
2023-03-03 | Optimization of the API security module | | |
2023-02-24 | Support for major event protection and changes in the number of hybrid cloud protection nodes | | |
2023-02-08 | Support for intelligent whitelist, false positive ignoring, and loose and strict rule groups | | |
2023-02-08 | Support for WAF 3.0 protection of custom domain names in Function Compute | The protection capabilities of WAF are integrated into Function Compute as an SDK module. You can add custom domain names in Function Compute to WAF in cloud native mode. WAF identifies, scrubs, and filters out malicious web traffic, and then forwards normal traffic to the backend function. | |
2023-01-19 | Support for group-based resource management and tag-based resource management in WAF 3.0 | WAF 3.0 is integrated with Alibaba Cloud Resource Management. You can use resource groups and tags to manage resources and permissions. | |
2023-01-17 | Optimization of the bot management module | | |
Releases of 2022
Release date | Feature | Description | References |
2022-12-22 | Support for the API security feature of WAF 3.0 in the Chinese mainland | The API security module is supported. The module automatically sorts the APIs of services that are protected by WAF and detects API vulnerabilities such as unauthorized access to APIs, exposure of sensitive data, and exposure of internal APIs. The module also allows you to trace API exception events by using reports, shows how to fix detected vulnerabilities, and provides data to help you manage the API lifecycle. This helps implement comprehensive security protection for APIs. | |
2022-11-29 | Support for the feature that allows WAF 3.0 to retry forwarding back-to-origin requests and the configuration of back-to-origin keep-alive requests | If a domain name is added to WAF in CNAME record mode, the feature that allows WAF to retry forwarding requests to the origin server can be enabled. Back-to-origin keep-alive requests can also be configured. | |
2022-11-28 | Support for the record of custom request headers, request body, response headers, and response body in WAF 3.0 logs | The request_body, request_header, response_header, and response_info fields are added to record custom request headers, request body, response headers, and response body in WAF 3.0 logs. | |
2022-11-25 | Support for log storage capacity alerts in WAF 3.0 | If your log storage usage exceeds 80% of the upper limit, the service sends notifications by text message and email. If the log storage capacity is exhausted, WAF logs can no longer be written. We recommend that you increase the log storage capacity of your WAF instance at the earliest opportunity. | |
2022-11-24 | Support for the subscription billing method in WAF 3.0 | The subscription billing method is supported in WAF 3.0. | |
2022-11-23 | Support for WAF 3.0 protection for Layer 4 CLB instances, Layer 7 CLB instances, and ECS instances | Traffic redirection ports can be specified to add Layer 4 CLB instances, Layer 7 CLB instances, and ECS instances to WAF. | |
2022-11-17 | Support for specification downgrade in the WAF 3.0 console | The following specifications can be downgraded in the WAF 3.0 console: extended QPS, burstable QPS threshold, extra domains, and log storage capacity. | |
2022-10-30 | Release of API operations of WAF 3.0 | API operations for common configurations in the WAF 3.0 console are provided. You can use these operations to perform batch processing. | |
2022-10-27 | Support for the burstable QPS (pay-as-you-go) feature and sandbox feature in WAF 3.0 | The burstable QPS (pay-as-you-go) feature is provided. The feature is suitable for scenarios in which expected or unexpected traffic spikes occur, such as traffic spikes during promotional events. In the preceding scenarios, the peak service traffic may exceed the sum of the QPS limits of your WAF edition and the extended QPS that you purchased. If you enable the burstable QPS (pay-as-you-go) feature, you are charged based on the usage of excess QPS resources. The feature ensures service continuity and prevents your domain names from being added to a sandbox. | |
2022-10-19 | Support for the monitoring and alerting feature in WAF 3.0 | Alert rules can be configured to allow WAF 3.0 to send alert notifications when attacks and abnormal traffic are detected. This way, you can check the security status of your business at the earliest opportunity. | |
2022-09-23 | Support for custom header fields that record the source ports of clients | Enable Traffic Mark and Source Port can be selected when a domain name is added to WAF 3.0 to use custom header fields to record the source ports of clients. This way, the origin server can obtain the actual ports of clients. | |
2022-08-24 | Support for the configuration of custom timeout periods for back-to-origin requests | Custom timeout periods for new connections, read connections, and write connections can be specified when a domain name is added to WAF 3.0. | |
2022-08-12 | Support for protection of MSE instances | If your web services use a Microservices Engine (MSE) instance, you can add the MSE instance to WAF 3.0 to enable WAF 3.0 protection for your web services. | |
2022-07-22 | Support for data leakage prevention in WAF 3.0 | The data leakage prevention module of WAF 3.0 is supported. The module filters abnormal content that is returned and masks sensitive information, such as ID card numbers, phone numbers, bank card numbers, and sensitive words. Then, WAF returns the masked information or default response pages. | Configure data leakage prevention rules to prevent data leaks |
2022-07-22 | Support for website tamper-proofing in WAF 3.0 | The website tamper-proofing module is supported. The module allows you to lock web pages that require protection, such as web pages that contain sensitive information. When a locked web page is requested, WAF returns a cached version of the page. This helps prevent website tampering. | Configure website tamper-proofing rules to prevent web page tampering |
2022-07-20 | Support for the subscription billing method in WAF 3.0 | The subscription billing method is supported in WAF 3.0. In the subscription billing method, you pay for resources before you use the resources. The subscription billing method allows you to reserve resources and reduce costs based on discounted rates. | |
2022-07-14 | Support for the asset center feature in WAF 3.0 | The asset center feature is supported. You can use the feature to identify domain names on and outside Alibaba Cloud, and assess risks based on the attack status of the domain names in the cloud. This way, you can obtain the overall protection status of your domain names. | |
2022-06-23 | Support for bot management in WAF 3.0 | The bot management module of WAF 3.0 is supported. You can use the module to configure custom anti-crawler rules for websites and apps based on your business requirements. This protects your business from malicious crawlers. | |
2022-05-30 | Support for major event protection in WAF 3.0 | The major event protection feature of WAF 3.0 is supported. You can use the feature to configure rule groups for major event protection, IP address blacklists for major event protection, collaborative defense, and cookie security-related capabilities. This improves protection for customers in attack-and-defense scenarios. | |
2022-04-21 | Support for HTTP flood protection in WAF 3.0 | The HTTP flood protection module of WAF 3.0 is supported. You can use the module to defend against HTTP flood attacks on websites. If WAF blocks HTTP flood attacks, WAF returns 405 error pages to clients. | Configure HTTP flood protection rules to defend against HTTP flood attacks |
2022-04-21 | Support for region blacklist in WAF 3.0 | The region blacklist module of WAF 3.0 is supported. The module identifies the source regions of requests. You can configure the module to block or allow requests from specific regions to prevent malicious requests. | Configure region blacklist rules to block requests that are sent from specific regions |
2022-01-22 | Release of WAF 3.0 | WAF 3.0 is released. WAF 3.0 supports the CNAME record mode and cloud native mode, and is integrated into the cloud native architecture of other cloud services, such as Application Load Balancer (ALB). Compared with WAF 2.0, WAF 3.0 provides more features and allows you to configure protection settings in the console in a more efficient manner. This helps improve user experience. | |