This topic describes the release notes for Web Application Firewall (WAF) features.


| Release date | Feature update | Description | Documentation |
| --- | --- | --- | --- |
| 2020-06-08 | API security released | The API security module is added to WAF. This module is suitable for users whose websites provide API services. You can formulate API conventions to protect against malicious API requests. This protects website assets from data tampering and replay attacks. | API request security |
| 2020-06-04 | Custom protection rule groups and Overview page optimized | Rules in custom rule groups can be automatically updated, which improves security and availability of the groups. The protection rule details and impact scopes of zero-day vulnerabilities are displayed on the Overview page. | Customize protection rule groups; View overall information |
| 2020-05-20 | Big Data Deep Learning Engine optimized | Attack probability thresholds are adjustable to achieve optimal protection effects for different businesses. | Configure the Big Data Deep Learning Engine |
| 2020-05-18 | Support for Terraform | Terraform is supported to suit O&M needs of large enterprises. It allows you to perform basic operations, such as managing domain names and policies, by using code. Note: This feature also enables automated operations in the console, achieving high operational efficiencies and eliminating human errors. For more information, see Terraform documentation. | |
| 2020-04-10 | User experience optimized | Data on the Overview page can now be drilled down to the Security report page. Data on the Security report page can be drilled down to the Log Service page, which closes the loop of operations data. Data in the Protection statistics area of the Overview page can be drilled down to the Security report page. The ranking on the URL Requests tab shows domain name information. Statistics on the Access Control/Throttling tab of the Security report page can be drilled down to the Log Service page. Custom access control rules that match access requests can be viewed and edited. | View overall information; View security reports |
| 2020-04-02 | Support for bot management | Value-added services such as bot management and application protection are supported to provide intelligent protection against automated attacks and intelligent protection of bot traffic. The bot management module provides trusted communications to protect native applications and defends against bot script abuse. Note: The bot management and application protection modules are available only to the new protection engine released in January 2020. If you are using a protection engine of an earlier version, we recommend that you upgrade your protection engine at the earliest opportunity. | Configure the bot management whitelist |
| 2020-03-10 | Upgrade guide released for the new protection engine | An upgrade guide is provided to instruct existing users to upgrade their protection engines without service interruption. | Protection engine is upgraded |
| 2020-03-04 | Support for intelligent load balancing among multiple SLB service nodes | Intelligent load balancing is supported. WAF connects to multiple SLB service nodes to enable automatic disaster recovery and optimal routing with low latency. | Intelligent load balancing |
| 2020-02-14 | Log Service for WAF upgraded and user experience optimized | Log Service for WAF is upgraded. You can customize domain names to enable features such as full log service. | None |
| 2020-02-10 | Event alert feature upgraded | The alert notification feature is upgraded to provide basic statistics and details about security events and workload monitoring. Related alerts are provided to support routine O&M. | Configure alert rules |
| 2020-01-15 | Protection capabilities and user experience upgraded | Fine-grained throttling and robust protection against malicious network traffic are supported in the new protection engine of WAF. The account security feature can be enabled to protect against common HTTP flood attacks, credential stuffing, and weak password sniffing. Note: The protection capabilities work for all users but can be directly enabled only by users who newly purchased WAF instances in the console. Existing users must wait until March 2020 before they can upgrade their WAF instances to enable the protection capabilities. | Configure the RegEx Protection Engine |


| Release date | Feature update | Description | Documentation |
| --- | --- | --- | --- |
| 2019-12-20 | Features in the Exclusive edition optimized | Features in the WAF Exclusive edition are optimized. You can customize the request timeout period for your domain name. | Create an exclusive cluster |
| 2019-11-28 | Support for account security detection | The account security feature allows you to detect account security risks on logon interfaces. The risks include credential stuffing, brute-force attacks, zombie accounts, weak password sniffing, and SMS interface abuse. | Configure account security |
| 2019-10-25 | Exclusive edition released | The WAF Exclusive edition is released. It allows you to customize items such as protection ports, TLS versions, cipher suites, and the response page that appears when a request is blocked. This edition meets your special requirements for web application protection. | Create an exclusive cluster |
| 2019-10-22 | URL profiling supported for protected websites | URL profiling is supported. WAF can automatically identify business URL profiles and business volumes based on the normal network traffic that flowed through websites. This allows you to customize protection policies for different websites. | None |
| 2019-10-16 | Data of website scanning protection provided on the Overview page | The volume of traffic blocked by the anti-scanning module, a list of blocked website scanning attacks, attack details, and resolutions provided by security experts are displayed on the Overview page in the WAF console. | View overall information |
| 2019-08-22 | Positive security model released | Based on algorithms for intelligent big data learning, the positive security model learns historical network traffic of users in an iterative manner. This allows you to customize automatic protection policies. | Configure the positive security model |
| 2019-07-18 | Web attack details added to the Security report page | Web attack details are added to the Security report page to show the specific causes of blocked attacks. This improves the efficiency of security O&M. | View security reports |
| 2019-06-27 | Support for HTTP/2-compliant application protection | HTTP/2-compliant application protection is supported. It increases the coverage rate of application protocols. This ensures that the applications of WAF users are fully protected. | Add domain names |
| 2019-06-13 | Support for decoding methods of web request content in protection configuration | Decoding methods of web request content can be customized in protection configuration. | Configure the RegEx Protection Engine |
| 2019-05-30 | ACL rules optimized | Multiple IP addresses or CIDR blocks can be added to ACL rules for condition matching. | Create a custom protection policy |
| 2019-05-30 | Overview page optimized | The Overview page in the WAF console is optimized. On this page, the system aggregates security operations events based on a large volume of log data and provides professional suggestions for event handling. This page also displays the number of attacks by type and the frequently attacked domain names. After the optimization, the operations capabilities of WAF are enhanced. | View overall information |
| 2019-03-19 | Threat intelligence feature released | The threat intelligence feature is released. It provides a library that contains scanning attack information. Based on the provided information, you can customize the thresholds of network scanning frequency and duration for blocking malicious scanning attacks. This feature is used to prevent scanning attacks with common signatures, such as path traversal. | Configure scan protection |
| 2019-01-03 | Custom country or region supported for request blocking | All requests from the IP addresses in the blocked countries or regions are denied by WAF. | Configure the IP blacklist |


| Release date | Feature update | Description | Documentation |
| --- | --- | --- | --- |
| 2018-12-20 | Website defacement-prevention API operations released | Website defacement-prevention API operations are released. You can call these operations to update cached pages and add protection rules. | None |
| 2018-12-13 | Support for customization of protection rule groups for web applications | Protection rule groups for web applications can be customized, so you can configure rules based on your business requirements. This prevents false request blocking caused by default protection rules and ensures business security. | Customize protection rule groups |
| 2018-11-16 | Support for one-year storage of business logs | WAF is integrated with Log Service to collect, query, and analyze business logs of websites that are added to WAF in real time. | Use full logs |
| 2018-10-24 | Support for traffic marking | Traffic marking is supported. You can specify a header field name and value to mark the traffic forwarded by WAF. | Add domain names |
| 2018-10-17 | Support for query of blocking events in all logs by using a unique ID | A unique ID can be used to query blocking events in all logs, so you can locate the cause of request blocking and view the request details. | Use full logs |
| 2018-10-01 | Support for security events and alerts | Security events and system alerts can be sent to you by using text messages or emails. You can customize metrics to detect business exceptions in a timely manner. | Configure alert rules |
| 2018-08-09 | Support for the Big Data Deep Learning Engine | The Big Data Deep Learning Engine is supported. It offers powerful machine learning capabilities for WAF to identify exceptions and block risky requests. | Configure the Big Data Deep Learning Engine |
| 2018-07-27 | API operations provided | API operations for common configurations in the console are provided to facilitate batch processing. | API overview |
| 2018-04-27 | Precise access control enhanced | More HTTP header fields can be used to set ACL rules and filter access requests. | Create a custom protection policy |
| 2018-03-15 | Support for release of WAF instances | WAF instances can be released in the console based on business requirements. | Release WAF instance |
| 2018-01-30 | Support for download of all logs | In Business or higher editions, intelligent searches across all access logs are supported, and download of log search results with a few clicks is implemented. | Use full logs |


| Release date | Feature update | Description |
| --- | --- | --- |
| 2017-12-28 | Non-standard ports added | More non-standard ports are supported for protection. |
| 2017-11-24 | Support for multiple load balancing algorithms | Multiple load balancing algorithms can be selected as required to meet different business requirements. |
| 2017-10-30 | Application security solutions provided | Application security solutions are provided to protect your applications from traffic flooding attacks and data crawling. |
| 2017-10-26 | Support for WebSocket | WebSocket-compliant website business is supported. |
| 2017-08-31 | Support for monitoring of error codes | Error codes can be monitored. |
| 2017-08-31 | Support for query of business bandwidth | The uplink and downlink bandwidth usage of business can be queried. |
| 2017-08-31 | Support for business QPS | The QPS by instance or domain name is supported. |
| 2017-08-16 | Support for viewing details of blackhole events | The information such as attack thresholds and events generated when a blackhole occurs can be viewed. |
| 2017-07-27 | Exclusive WAF IP addresses released | Exclusive WAF IP addresses are released. You can purchase exclusive WAF IP addresses to protect specified domain names. |
| 2017-07-25 | Precise access control optimized | Policies for risk control on allowed access requests and region blocking can be configured in precise access control rules. |
| 2017-07-25 | CAPTCHA algorithm optimized | The CAPTCHA algorithm in custom HTTP flood protection rules is optimized, which improves the accuracy in blocking HTTP flood attacks. |
| 2017-07-25 | Support for more logical operators | Logical operators such as "Does not exist" and "Value length range" are added to define precise access control rules. |
| 2017-07-25 | Support for detection of more HTTP fields | Rules for detection of more HTTP fields are supported in precise access control. |
| 2017-06-07 | Support for the back-to-origin CIDR block feature | Back-to-origin addresses can be set to domain names in website configuration. |
| 2017-05-25 | Data leakage prevention feature released | A sensitive data leakage prevention scheme is released based on network security regulations. |
| 2017-04-12 | HTTPS implementation with a few clicks | HTTPS-based website access is implemented with a few clicks, without changes in server configurations. |
| 2017-04-12 | Support for non-standard ports in multiple editions of WAF | Non-standard ports are supported in multiple editions of WAF for security protection. |
| 2017-03-28 | Support for the big-data threat intelligence feature | The big-data threat intelligence feature is supported. Services such as security check score assessment, high-risk warning, and viewing of hacking tools are provided. |
| 2017-03-08 | Access experience optimized | DNS records can be added with a few clicks. |
| 2017-02-09 | Support for the website defacement-prevention feature | The website defacement-prevention feature is supported to protect web page data from being tampered with. |
| 2017-02-09 | Log search feature released | All of the service access logs can be searched with a few clicks. |
| 2017-01-05 | Support for virtual hosts | Virtual hosts (HiChina) are supported for website security protection. |


| Release date | Feature update | Description |
| --- | --- | --- |
| 2016-12-21 | WAF V3.1 released | WAF V3.1 is released. It improves the core protection capabilities of protection engines and provides features such as blocking IP addresses from specified regions and customizing protection rules to block HTTP flood attacks. |
| 2016-12-01 | Intelligent Semantic Analysis Engine provided | The Intelligent Semantic Analysis Engine is provided. Compared with the RegEx Protection Engine, this engine reduces false positives. |