This topic describes the release notes for Web Application Firewall (WAF) 2.0 and provides links to the relevant references.
2023
Release date | Feature | Description | References |
2023-07-14 | Support for the verification of DNS resolution status | WAF checks the DNS resolution status of protected domain names and identifies domain names whose DNS records are abnormal. This helps prevent service interruptions. | |
2023-06-21 | Support for the verification of domain ownership | The first time a domain name is added to WAF, you must verify the ownership of the domain name. After you prove your ownership of the domain name, you can add subdomains of the domain name without the need to verify the ownership of the subdomains. |
2022
Release date | Feature | Description | References |
2022-09-23 | Support for custom header fields that are used to record the source ports of clients | If you select Enable Traffic Mark and then select Source Port when you add a website to WAF, custom headers can be configured to record the source port of a client. This way, your origin server can obtain the actual port of the client. | |
2022-08-24 | Configuration of custom timeout periods for back-to-origin requests | Custom timeout periods for new connections, read connections, and write connections can be specified based on business requirements when a website is added to WAF. | |
2022-08-12 | Support for the transparent proxy mode in WAF 2.0 | The transparent proxy mode is supported. If your origin server is an Elastic Compute Service (ECS) instance or is added to a Server Load Balancer (SLB) instance, you can add a website to WAF in transparent proxy mode. | |
2022-04-18 | Support for dynamic token-based authentication in WAF 2.0 | Dynamic token-based authentication is integrated into the scenario-specific anti-crawler rule configuration feature in WAF 2.0. This helps resolve security issues and compatibility issues that are related to CAPTCHA verification. Dynamic token-based authentication is implemented by adding a signature to a web request. When a client sends a request, the WebSDK that is provided by WAF generates a signature for the request. The signature is sent together with the request to WAF. If the signature passes verification, the request is forwarded to the origin server. If the signature fails verification, sample code is returned to the client to allow the user to obtain a dynamic token, and the client must re-sign the request. | |
2022-01-19 | Support for intelligent rule hosting in the protection rules engine feature of WAF 2.0 | The protection rules engine of WAF 2.0 can be configured to protect websites against common web attacks. The common web attacks include SQL injections, cross-site scripting (XSS) attacks, webshell uploads, command injections, backdoor isolation, invalid file requests, path traversal, and common application attacks. |
2021
Release date | Feature | Description | References |
2021-09-18 | Support for custom header fields that are used to record the actual IP addresses of clients | Custom header fields can be configured to record the actual IP addresses of clients. When you add a website to WAF, you can enable the WAF traffic marking feature and configure custom header fields to record the actual IP addresses of clients. After you enable the WAF traffic marking feature, origin servers can obtain the actual IP addresses of clients from custom header fields that are included in WAF back-to-origin requests. You can use the WAF traffic marking feature only after you configure the custom header fields that can be used to record the actual IP addresses of clients for the origin servers. The CNAME record mode and transparent proxy mode support this feature. | |
2021-08-13 | Upgrade of the Log Service for WAF feature | The Log Service for WAF feature is upgraded. | |
2021-07-30 | Support for origin SNI | Enable Origin SNI can be selected when a website is added to WAF in CNAME record mode. If your website uses HTTPS and the origin server hosts multiple virtual hosts, you can enable this feature after you select HTTPS. This way, you can add a Server Name Indication (SNI) field in a WAF back-to-origin request to specify the host that you want to access. | |
2021-06-22 | Support for server ports in custom protection policies | The Server-Port field is added and can be used as a match field in custom protection policies. The field is supported only for WAF instances that run the Business edition or a more advanced edition. | |
2021-05-11 | Support for console-based cluster deployment and node management in Hybrid Cloud WAF | The following features are supported by Hybrid Cloud WAF: | |
2021-05-08 | Support for custom header fields that are used to obtain actual IP addresses of clients | The Obtain Source IP Address parameter is supported in CNAME record mode. If a Layer 7 proxy, such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, is deployed in front of WAF, you can use the value of the specified header field as the actual IP address of the client. If multiple header fields are configured, you can obtain the actual IP address of the client from the fields in sequence. | |
2021-04-01 | Support for IPv6 addresses of origin servers | The IPv6 addresses of origin servers can be specified for the Destination Server (IP Address) parameter in CNAME record mode. This feature is suitable for users who want to upgrade from IPv4 to IPv6 in the finance, government, and enterprise sectors. | |
2021-03-23 | Support for threat event analysis on the Overview page | The threat event analysis module is added to the Overview page. Threat events are generated based on the analysis results of a large number of attack alerts. You can use this module to identify attack sources and defend against the attacks. This feature is suitable for scenarios in which your services are at risk of web attacks and you want to obtain threat events based on a large number of alerts. | |
2021-03-18 | Support for the ignore action that is performed on false positives on the Security Report page | False positives can be ignored on the Security Report page. WAF can automatically generate whitelist rules for specific rules. You can also add whitelist rules for Web Intrusion Prevention based on specific rule IDs or rule types. This helps improve user experience. This feature is suitable for scenarios in which false positives must be managed in a fine-grained manner without affecting protection configurations. | |
2021-01-29 | Release of the scenario-specific configuration feature | The scenario-specific configuration feature is released. You can use the feature to configure custom anti-crawler rules to protect your business from malicious crawlers. | |
2021-01-15 | Support for custom settings of TLS versions and cipher suites | Transport Layer Security (TLS) protocol versions and cipher suites can be configured based on business requirements. This helps ensure security compliance and compatibility for HTTPS communication in different scenarios. This feature is suitable for scenarios in which specific TLS protocols and cipher suites must be disabled or enabled to meet classified protection requirements and compatibility requirements. |
2020
Release date | Feature | Description | References |
2020-10-21 | Optimization of security reports | The security report feature is optimized to filter attack records by rule ID. | |
2020-06-04 | Optimization of custom protection rule groups and the Overview page | | |
2020-05-18 | Support for Terraform | Terraform is supported to meet the O&M requirements of large enterprises. Terraform allows you to run code to perform basic operations, such as domain name management and policy management. Note: This feature also enables automated operations in the WAF console. This helps ensure high operational efficiency and eliminate human errors. For more information, see Terraform documentation. | None. |
2020-04-10 | Improvement of user experience | Data on the Overview page can be drilled down to the Security Report page, and data on the Security Report page can be drilled down to the Log Service page. This allows for a closed-loop cycle of data operations. | |
2020-04-02 | Support for bot management | Value-added services such as bot management and app protection are supported to provide intelligent protection against automated attacks and bot traffic. The bot management module protects native apps and defends against malicious bot script exploitation by allowing only trusted connections. Note: The bot management and app protection modules are available only in the protection engine that was released in January 2020. If you use a protection engine of an earlier version, we recommend that you upgrade your protection engine at the earliest opportunity. | |
2020-03-04 | Support for intelligent load balancing among multiple SLB service nodes | Intelligent load balancing is supported. WAF connects to multiple SLB service nodes to perform automatic disaster recovery and optimal routing at low latency. | |
2020-02-14 | Upgrade of the Log Service for WAF feature | The Log Service for WAF feature is upgraded. You can enable the full log feature for specific domain names. | None. |
2020-02-10 | Upgrade of the alert notification feature | The alert notification feature is upgraded to provide basic statistics and details of security events and workload monitoring. Related alerts are provided to support routine O&M. | |
2020-01-15 | Upgrade of protection capabilities | Fine-grained throttling and robust protection against malicious network traffic are supported by the protection engine of WAF. The account security feature can be enabled to protect against common HTTP flood attacks, dictionary attacks, and weak password sniffing. Note: The protection capabilities can be used by all users. Only users who purchased WAF instances in the console can directly enable the capabilities. From March 2020, existing users can upgrade WAF instances to enable the protection capabilities. |
2019
Release date | Feature | Description | References |
2019-12-20 | Upgrade of the features in the Exclusive edition | The features in WAF Exclusive Edition are optimized. You can specify a custom request timeout period for your domain name. | |
2019-11-28 | Support for account security detection | The account security feature is supported. The feature is used to detect account security risks on logon interfaces. The risks include dictionary attacks, brute-force attacks, spam user registrations, weak password sniffing, and SMS flood attacks. | |
2019-10-25 | Release of the Exclusive edition | WAF Exclusive edition is released. WAF Exclusive edition allows you to configure custom items such as protection ports, TLS versions, cipher suites, and the response page that appears when a request is blocked. This edition can meet special requirements for web application protection. | |
2019-10-22 | Support for URL profiling for protected websites | URL profiling is supported. WAF can automatically identify business URL profiles and business volumes based on the normal network traffic that is sent to websites. This allows you to configure custom protection policies for different websites. | None. |
2019-10-16 | Scan protection data on the Overview page | Data that is generated by the website scan protection module is displayed on the Overview page in the WAF console. The data includes the volume of traffic that is blocked by the scan protection module, the list of blocked website scan attacks, attack details, and resolutions that are provided by security experts. | |
2019-08-22 | Release of the positive security model | The positive security model is provided. The model is based on algorithms for intelligent big data learning. The model is trained based on the historical network traffic of users in an iterative manner. This way, you can configure custom automatic protection policies. | |
2019-07-18 | Web attack details on the Security Report page | Web attack details are added to the Security Report page to display the specific causes of blocked attacks. This helps improve the efficiency of security O&M. | |
2019-06-27 | Support for protection for HTTP/2-compliant applications | Protection for HTTP/2-compliant applications is supported. The feature increases the coverage rate of application protocols. This helps ensure that the applications of WAF users are protected. | |
2019-06-13 | Decoding methods of web request content in protection configuration | Custom decoding methods for web request content can be configured in the protection configuration. | |
2019-05-30 | Optimization of ACL rules | Multiple IP addresses or CIDR blocks can be added to access control list (ACL) rules for condition matching. | |
2019-05-30 | Upgrade of the Overview page | The Overview page in the WAF console is optimized. On the Overview page, the system aggregates security operations events based on a large volume of log data and provides professional suggestions to handle events. The Overview page also displays the number of attacks by type and the domain names that are frequently attacked. This helps improve the capabilities of WAF. | |
2019-03-19 | Release of the threat intelligence feature | The threat intelligence feature is released. The feature provides a library that contains information about scan attacks. You can specify custom thresholds for network scan frequency and a time period for which you want to block malicious scan attacks based on the information. The feature is used to prevent scan attacks that use common signatures, such as path traversal. | |
2019-01-03 | Support for region blacklists | The region blacklist is supported. You can specify countries and regions to block all requests from the IP addresses in the specified countries and regions. |
2018
Release date | Feature | Description | References |
2018-12-20 | Support for API operations for website tamper-proofing | API operations are provided for website tamper-proofing. You can call the operations to update cached pages and add protection rules. | None. |
2018-12-13 | Support for custom protection rule groups for web applications | Custom protection rule groups for web applications can be configured. This way, you can configure rules based on your business requirements. This helps prevent false request blocking that is caused by default protection rules and ensure business security. | |
2018-11-16 | Support for one-year storage of business logs | WAF is integrated into Log Service to collect, query, and analyze business logs of websites that are added to WAF in real time. | |
2018-10-24 | Support for traffic marking | The traffic marking feature is supported. You can specify a header field name and value to mark traffic that is forwarded by WAF. | |
2018-10-01 | Security events and system alerts | Security events and system alerts can be sent by text message or email. You can configure custom metrics to detect business exceptions at the earliest opportunity. | |
2018-07-27 | Release of API operations | API operations for common configurations in the WAF console are provided to allow you to perform batch processing. | |
2018-04-27 | Upgrade of precise access control | More HTTP header fields can be used to configure ACL rules and filter access requests. | |
2018-03-15 | Support for the termination of WAF instances | WAF instances can be released in the WAF console. |
2017
Release date | Feature | Description |
2017-12-28 | Non-standard ports | More non-standard ports are supported for protection. |
2017-11-24 | Support for multiple load balancing algorithms | Multiple load balancing algorithms can be selected to meet different business requirements. |
2017-10-30 | Application security solutions | Application security solutions are provided to protect your applications from traffic flooding attacks and data crawling. |
2017-10-26 | Support for WebSocket | WebSocket-compliant website services are supported. |
2017-08-31 | Support for error code monitoring | Error codes can be monitored. |
2017-08-31 | Support for the query of service bandwidth | The uplink bandwidth usage and downlink bandwidth usage can be queried. |
2017-08-31 | Support for the query of QPS | The QPS can be queried by instance or domain name. |
2017-08-16 | Support for viewing information about blackhole events | Information about blackhole events can be viewed, such as attack thresholds and the events that are generated when a blackhole event occurs. |
2017-07-27 | Release of exclusive WAF IP addresses | Exclusive WAF IP addresses are released. You can purchase exclusive WAF IP addresses to protect specific domain names. |
2017-07-25 | Optimization of precise access control | Policies for risk control on allowed access requests and region blocking can be configured in precise access control rules. |
2017-07-25 | Optimization of the CAPTCHA algorithm | The CAPTCHA algorithm in custom HTTP flood protection rules is optimized. This helps improve the accuracy of blocking HTTP flood attacks. |
2017-07-25 | Support for more logical operators | Logical operators such as "Does not exist" and "Value length range" are added to define precise access control rules. |
2017-07-25 | Support for detection of more HTTP fields | Rules for the detection of more HTTP fields are supported in precise access control. |
2017-06-07 | Support for back-to-origin domain names | Back-to-origin addresses can be set to domain names in website configuration. |
2017-05-25 | Release of the data leakage prevention feature | A sensitive data leakage prevention solution is released based on network security regulations. |
2017-04-12 | One-click HTTPS implementation | HTTPS-based website access can be configured with a few clicks, without the need to modify the server configuration. |
2017-04-12 | Support for non-standard ports in multiple editions of WAF | Non-standard ports are supported in multiple editions of WAF for security protection. |
2017-03-28 | Support for the big-data threat intelligence feature | The big-data threat intelligence feature is supported. Capabilities such as security score assessment, high-risk warning, and viewing of attack information are provided. |
2017-03-08 | Optimization of access experience | DNS records can be added with a few clicks. |
2017-02-09 | Support for the website tamper-proofing feature | The website tamper-proofing feature is supported to protect web page data from being tampered with. |
2017-01-05 | Support for virtual hosts | Virtual hosts (HiChina) are supported to ensure the security of websites. |
2016
Release date | Feature | Description |
2016-12-21 | WAF V3.1 | WAF V3.1 is released. This version improves the core protection capabilities of protection engines and provides features that allow you to block IP addresses from specific regions and configure custom protection rules to block HTTP flood attacks. |
2016-12-01 | Intelligent semantic analysis engine | The intelligent semantic analysis engine is provided. Compared with RegEx Protection Engine, this engine helps reduce false positives. |