
Web Application Firewall:Release notes

Last Updated:Sep 19, 2023

This topic describes the release notes for Web Application Firewall (WAF) and provides links to the relevant references.

Releases of 2023

| Release date | Feature | Description | References |
| --- | --- | --- | --- |
| 2023-08-20 | Support for WAF 3.0 protection of IPv6 traffic | IPv6 can be enabled. | Enable IPv6 |
| 2023-08-10 | Support for the configuration of default SSL and TLS settings | Default Transport Layer Security (TLS) settings and SSL certificate settings can be configured for virtual IP addresses (VIPs). | Configure default SSL or TLS settings |
| 2023-08-01 | Support for back-to-origin traffic marking, canary release configurations for bot management rules, and bot traffic analysis | • The bot management module supports the following features: bot traffic analysis; back-to-origin traffic marking for detected bot behaviors; canary release configurations for bot management rules, which apply a bot management rule to a specific proportion of objects. • Canary release configurations for custom rules are supported. You can apply a custom rule to a specific proportion of objects. | |
| 2023-07-14 | Support for the verification of DNS resolution status | WAF 3.0 checks the DNS records of domain names that are added to WAF 3.0 and identifies domain names whose DNS records are abnormal, so that web services are not affected. | |
| 2023-06-21 | Support for the verification of domain ownership | The first time a domain name is added to WAF, the ownership of the domain name must be verified. After your ownership of the domain name is verified, you can add subdomains of the domain name without verifying the ownership of each subdomain. | |
| 2023-06-10 | Support for WAF 3.0 protection of websites that use SM certificates | If you select HTTPS, you can turn on wafnew.assetManage.access.openSM2 and wafnew.assetManage.access.SM2AccessOnly to enable SM certificate-based verification and allow access only from SM certificate-based clients. | Add a domain name to WAF |
| 2023-05-30 | Optimization of the API security module | Custom sensitive data type policies can be configured. | Configure a sensitive data type policy |
| 2023-05-22 | Support for semantic-based protection | Semantic-based protection is supported and can be used to defend against SQL injection. Detection of non-injection attacks is also supported and can be enabled or disabled. | Configure basic protection rules and rule groups |
| 2023-05-18 | Support for downgrading more features | • The number of exclusive IP addresses can be reduced. • Bot management for website protection, bot management for app protection, and API security can be disabled by downgrading the WAF instance. | Upgrade or downgrade a WAF instance |
| 2023-04-28 | Support for manual addition of domain names that are hosted on CLB or ECS instances to WAF as protected objects | Domain names that are hosted on Classic Load Balancer (CLB) or Elastic Compute Service (ECS) instances can be manually added to WAF as protected objects. | Protected objects and protected object groups |
| 2023-04-14 | Support for the traffic billing protection feature | The traffic billing protection feature is supported for pay-as-you-go WAF instances. After you enable the feature for a pay-as-you-go WAF instance, the instance is added to a sandbox when its peak queries per second (QPS) exceeds the threshold that you specify for traffic billing protection. You are not charged traffic processing fees or feature fees for the hour in which the instance is added to the sandbox. This prevents high costs caused by traffic spikes. | |
| 2023-03-03 | Optimization of the API security module | • The API security module can be enabled for pay-as-you-go WAF 3.0 instances. • Custom API security policies can be configured. | API security |
| 2023-02-24 | Support for major event protection and changes in the number of hybrid cloud protection nodes | • Major event protection: the feature is supported for subscription WAF instances of Basic Edition, Pro Edition, Enterprise Edition, and Ultimate Edition. For Ultimate Edition, the feature is enabled by default. For Pro Edition or Enterprise Edition, you can enable the feature for a specific period of at least 30 days. The feature cannot be enabled for Basic Edition. • Hybrid cloud mode: by default, the hybrid cloud mode is supported for Enterprise Edition and Ultimate Edition, and one hybrid cloud protection node is provided for each WAF instance. Basic Edition and Pro Edition can use the hybrid cloud mode only after the instance is upgraded to Enterprise Edition or Ultimate Edition. If you purchase one additional hybrid cloud protection node, you can add 100 additional domain names to WAF in hybrid cloud mode free of charge; if you purchase two or more additional nodes, you can add 200 additional domain names free of charge. | |
| 2023-02-08 | Support for intelligent whitelist, false positive ignoring, and loose and strict rule groups | • The intelligent whitelist feature can be enabled to prevent normal requests from being blocked. After you enable it, WAF learns from historical service traffic and identifies basic protection rules that may cause false positives. The basic protection rules and the URLs that are repeatedly blocked by mistake are then automatically added to a whitelist, so requests to those URLs bypass detection by those rules. • Built-in loose rule groups and strict rule groups are provided. • The false positive ignoring feature can be enabled to add IP addresses that basic protection rules flag as attackers to a whitelist. | |
| 2023-02-08 | Support for WAF 3.0 protection of custom domain names in Function Compute | The protection capabilities of WAF are integrated into Function Compute as an SDK module. You can add custom domain names in Function Compute to WAF in cloud native mode. WAF identifies, scrubs, and filters out malicious web traffic, and then forwards normal traffic to the backend function. | Add a custom domain name in Function Compute to WAF |
| 2023-01-19 | Support for group-based resource management and tag-based resource management in WAF 3.0 | WAF 3.0 is integrated with Alibaba Cloud Resource Management. You can use resource groups and tags to manage resources and permissions. | |
| 2023-01-17 | Optimization of the bot management module | • The bot management module supports the following features: the basic protection feature can be enabled to protect websites from medium-level and low-level bot traffic; slider CAPTCHA verification, strict slider CAPTCHA verification, intelligent protection, and threat intelligence are supported for bot management in app protection configuration; the validity period of bot management rules can be specified. • The security report of the bot management module is optimized. You can view information about attacks to trace and analyze them. | |

Releases of 2022

| Release date | Feature | Description | References |
| --- | --- | --- | --- |
| 2022-12-22 | Support for the API security feature of WAF 3.0 in the Chinese mainland | The API security module is supported. The module automatically inventories the APIs of services that are protected by WAF and detects API vulnerabilities such as unauthorized access to APIs, exposure of sensitive data, and exposure of internal APIs. The module also lets you trace API exception events by using reports, shows how to fix detected vulnerabilities, and provides data to help you manage the API lifecycle. | API security |
| 2022-11-29 | Support for the feature that allows WAF 3.0 to retry forwarding back-to-origin requests and the configuration of back-to-origin keep-alive requests | If a domain name is added to WAF in CNAME record mode, the feature that allows WAF to retry forwarding requests to the origin server can be enabled. Back-to-origin keep-alive requests can also be configured. | CNAME record mode |
| 2022-11-28 | Support for the record of custom request headers, request body, response headers, and response body in WAF 3.0 logs | The request_body, request_header, response_header, and response_info fields are added to record custom request headers, the request body, response headers, and the response body in WAF 3.0 logs. | Fields in logs |
| 2022-11-25 | Support for log storage capacity alerts in WAF 3.0 | If your log storage usage exceeds 80% of the upper limit, the service sends notifications by text message and email. If the log storage capacity is exhausted, WAF logs can no longer be written. We recommend that you increase the log storage capacity of your WAF instance at the earliest opportunity. | Configure log settings and manage log storage capacity |
| 2022-11-24 | Support for the subscription billing method in WAF 3.0 | The subscription billing method is supported in WAF 3.0. | Overview of the subscription billing method |
| 2022-11-23 | Support for WAF 3.0 protection for Layer 4 CLB instances, Layer 7 CLB instances, and ECS instances | Traffic redirection ports can be specified to add Layer 4 CLB instances, Layer 7 CLB instances, and ECS instances to WAF. | |
| 2022-11-17 | Support for specification downgrade in the WAF 3.0 console | The following specifications can be downgraded in the WAF 3.0 console: extended QPS, burstable QPS threshold, extra domains, and log storage capacity. | Upgrade or downgrade a WAF instance |
| 2022-10-30 | Release of API operations of WAF 3.0 | API operations for common configurations in the WAF 3.0 console are provided. You can use these operations to perform batch processing. | List of operations by function |
| 2022-10-27 | Support for the burstable QPS (pay-as-you-go) feature and sandbox feature in WAF 3.0 | The burstable QPS (pay-as-you-go) feature is provided. It is suitable for scenarios in which expected or unexpected traffic spikes occur, such as during promotional events, where peak service traffic may exceed the sum of the QPS limit of your WAF edition and the extended QPS that you purchased. If you enable the feature, you are charged based on the usage of excess QPS resources. The feature ensures service continuity and prevents your domain names from being added to a sandbox. | |
| 2022-10-19 | Support for the monitoring and alerting feature in WAF 3.0 | Alert rules can be configured so that WAF 3.0 sends alert notifications when attacks and abnormal traffic are detected. This way, you can check the security status of your business at the earliest opportunity. | Configure WAF alerting |
| 2022-09-23 | Support for custom header fields that record the source ports of clients | The Enable Traffic Mark and Source Port options can be selected when a domain name is added to WAF 3.0 to use custom header fields to record the source ports of clients. This way, the origin server can obtain the actual client ports. | Add a domain name to WAF |
| 2022-08-24 | Support for the configuration of custom timeout periods for back-to-origin requests | Custom timeout periods for new connections, reads, and writes can be specified when a domain name is added to WAF 3.0. | Add a domain name to WAF |
| 2022-08-12 | Support for protection of MSE instances | If your web services use a Microservices Engine (MSE) instance, you can add the MSE instance to WAF 3.0 to enable WAF 3.0 protection for your web services. | Add an MSE instance to WAF |
| 2022-07-22 | Support for data leakage prevention in WAF 3.0 | The data leakage prevention module of WAF 3.0 is supported. The module filters abnormal returned content and masks sensitive information, such as ID card numbers, phone numbers, bank card numbers, and sensitive words. WAF then returns the masked content or a default response page. | Configure data leakage prevention rules to prevent data leaks |
| 2022-07-22 | Support for website tamper-proofing in WAF 3.0 | The website tamper-proofing module is supported. The module allows you to lock web pages that require protection, such as pages that contain sensitive information. When a locked web page is requested, WAF returns a cached version of the page. This helps prevent website tampering. | Configure website tamper-proofing rules to prevent web page tampering |
| 2022-07-20 | Support for the subscription billing method in WAF 3.0 | The subscription billing method is supported in WAF 3.0. With subscription billing, you pay for resources before you use them. This allows you to reserve resources and reduce costs through discounted rates. | Subscription billing method |
| 2022-07-14 | Support for the asset center feature in WAF 3.0 | The asset center feature is supported. You can use it to identify domain names on and outside Alibaba Cloud and assess risks based on the attack status of the domain names in the cloud. This way, you can obtain the overall protection status of your domain names. | Asset center |
| 2022-06-23 | Support for bot management in WAF 3.0 | The bot management module of WAF 3.0 is supported. You can use the module to configure custom anti-crawler rules for websites and apps based on your business requirements. This protects your business from malicious crawlers. | |
| 2022-05-30 | Support for major event protection in WAF 3.0 | The major event protection feature of WAF 3.0 is supported. You can use it to configure rule groups for major event protection, IP address blacklists for major event protection, collaborative defense, and cookie security-related capabilities. This improves protection for customers in attack-and-defense scenarios. | Major event protection |
| 2022-04-21 | Support for HTTP flood protection in WAF 3.0 | The HTTP flood protection module of WAF 3.0 is supported. You can use the module to defend against HTTP flood attacks on websites. When WAF blocks an HTTP flood attack, it returns a 405 error page to the client. | Configure HTTP flood protection rules to defend against HTTP flood attacks |
| 2022-04-21 | Support for region blacklist in WAF 3.0 | The region blacklist module of WAF 3.0 is supported. The module identifies the source regions of requests. You can configure it to block or allow requests from specific regions to prevent malicious requests. | Configure region blacklist rules to block requests that are sent from specific regions |
| 2022-01-22 | Release of WAF 3.0 | WAF 3.0 is released. WAF 3.0 supports the CNAME record mode and cloud native mode, and is integrated into the cloud native architecture of other cloud services, such as Application Load Balancer (ALB). Compared with WAF 2.0, WAF 3.0 provides more features and allows you to configure protection settings in the console more efficiently, which improves the user experience. | WAF 3.0 released, WAF 2.0 end-of-sale |