This topic provides the release notes for Web Application Firewall (WAF) and links to the relevant references.
2024
Release date | Feature | Description | References |
2024-03-27 | Multi-account management for enterprise-level customers | A WAF instance can be used to protect cloud resources within multiple Alibaba Cloud accounts. | |
2024-01-16 | Blocked request query | Blocking details can be queried on the Blocked Request Query page by using request IDs. | |
2024-01-15 | Hybrid cloud log delivery configuration | Hybrid cloud logs can be delivered to a syslog server or Kafka platform. Log delivery configurations take effect for hybrid cloud clusters. | |
2023
Release date | Feature | Description | References |
2023-10-12 | API security in WAF 3.0 outside the Chinese mainland | The API security module is supported for WAF 3.0 instances that are deployed outside the Chinese mainland. | |
2023-09-21 | Compliance check and tracing and auditing in the API security module of WAF 3.0 | Compliance check and tracing and auditing are supported in the API security module of WAF 3.0 for outbound data transfer. | |
2023-08-28 | Configuration of cookie attributes in WAF 3.0 | Cookie attributes can be configured for protected objects in WAF 3.0. | |
2023-08-20 | WAF 3.0 protection for IPv6 traffic | IPv6 can be enabled in WAF 3.0. | |
2023-08-10 | Configuration of default SSL and TLS settings | Default Transport Layer Security (TLS) settings and SSL certificate settings can be configured for virtual IP addresses (VIPs). | |
2023-08-01 | Back-to-origin traffic marking, canary release configurations for bot management rules, and bot traffic analysis | | |
2023-07-14 | Verification of DNS resolution status | WAF 3.0 verifies the DNS resolution status of domain names that are added to WAF 3.0 and identifies domain names whose DNS resolution status is abnormal to prevent web services from being affected. | |
2023-06-21 | Verification of domain ownership | The first time a domain name is added to WAF, the ownership of the domain name must be verified. After the ownership of the domain name is verified, you can add subdomains of the domain name without the need to verify the ownership of the subdomains. | |
2023-06-10 | WAF 3.0 protection for websites that use SM certificates | If you select HTTPS, wafnew.assetManage.access.openSM2 and wafnew.assetManage.access.SM2AccessOnly can be turned on to enable SM certificate-based verification and allow access only from SM certificate-based clients. | |
2023-05-30 | API security | Custom sensitive data type policies can be configured. | |
2023-05-22 | Semantic-based protection | Semantic-based protection is supported, which can be used to defend against SQL injection attacks. Detection of non-injection attacks can be enabled or disabled. | |
2023-05-18 | Specification downgrade | | |
2023-04-28 | Manual addition of domain names that are hosted on Classic Load Balancer (CLB) or Elastic Compute Service (ECS) instances to WAF as protected objects | Domain names that are hosted on CLB or ECS instances can be manually added to WAF as protected objects. | |
2023-04-14 | Traffic billing protection | The traffic billing protection feature is supported for pay-as-you-go WAF instances. After you enable the traffic billing protection feature for a pay-as-you-go WAF instance, the WAF instance is added to a sandbox when the peak queries per second (QPS) of the WAF instance exceeds the specified threshold for traffic billing protection. You are not charged traffic processing fees or feature fees that are generated in the hour when the WAF instance is added to a sandbox. This prevents high costs due to traffic spikes. | |
2023-03-03 | API security | | |
2023-02-24 | Major event protection and the number of hybrid cloud protection nodes | | |
2023-02-08 | Intelligent whitelist, false positive ignoring, and loose and strict rule groups | | |
2023-02-08 | WAF 3.0 protection for custom domain names bound to web applications in Function Compute | The protection capabilities of WAF are integrated into Function Compute as an SDK module. You can add custom domain names bound to web applications in Function Compute to WAF in cloud native mode. WAF identifies, scrubs, and filters out malicious web traffic, and then forwards normal traffic to the backend function. | Enable WAF protection for a custom domain name bound to a web application in Function Compute |
2023-01-19 | Group-based resource management and tag-based resource management in WAF 3.0 | WAF 3.0 is integrated with Alibaba Cloud Resource Management. You can use resource groups and tags to manage resources and permissions. | |
2023-01-17 | Bot management | | |
2022
Release date | Feature | Description | References |
2022-12-22 | API security in WAF 3.0 in the Chinese mainland | The API security module is supported. The module automatically sorts the APIs of services that are protected by WAF and detects API vulnerabilities, such as unauthorized access to APIs, exposure of sensitive data, and exposure of internal APIs. The module also allows you to trace API exception events by using reports, shows how to fix detected vulnerabilities, and provides data to help you manage the API lifecycle. This helps implement comprehensive security protection for APIs. | |
2022-11-29 | WAF 3.0 feature that retries forwarding back-to-origin requests and configuration of back-to-origin keep-alive requests | If a domain name is added to WAF in CNAME record mode, the feature that allows WAF to retry forwarding requests to the origin server can be enabled. Back-to-origin keep-alive requests can also be configured. | |
2022-11-28 | Recording of custom request headers, request body, response headers, and response body in WAF 3.0 logs | The request_body, request_header, response_header, and response_info fields are added to record custom request headers, request body, response headers, and response body in WAF 3.0 logs. | |
2022-11-25 | Log storage capacity alerts in WAF 3.0 | If your log storage usage exceeds 80% of the upper limit, the service sends notifications by text message and email. If the log storage capacity is exhausted, WAF logs can no longer be written. We recommend that you increase the log storage capacity of your WAF instance at the earliest opportunity. | |
2022-11-24 | Subscription billing method in WAF 3.0 | The subscription billing method is supported in WAF 3.0. | |
2022-11-23 | WAF 3.0 protection for Layer 4 CLB instances, Layer 7 CLB instances, and ECS instances | Traffic redirection ports can be specified to add Layer 4 CLB instances, Layer 7 CLB instances, and ECS instances to WAF. | |
2022-11-17 | Specification downgrade in the WAF 3.0 console | The following specifications can be downgraded in the WAF 3.0 console: additional QPS quota, burstable QPS (pay-as-you-go) quota, additional domain name quota, and log storage capacity. | |
2022-10-30 | WAF 3.0 API operations | API operations for common configurations in the WAF 3.0 console are provided. You can call the operations to perform batch processing. | |
2022-10-27 | Burstable QPS (pay-as-you-go) and sandbox features in WAF 3.0 | The burstable QPS (pay-as-you-go) feature is provided. The feature is suitable for scenarios in which expected or unexpected traffic spikes occur, such as traffic spikes during promotional events. In the preceding scenarios, the peak service traffic may exceed the sum of the default QPS quota of your WAF edition and the additional QPS quota that you purchased. If you enable the burstable QPS (pay-as-you-go) feature, you are charged for using excess QPS resources. The feature ensures service continuity and prevents your domain names from being added to a sandbox. | |
2022-10-19 | Monitoring and alerting feature in WAF 3.0 | Alert rules can be configured to allow WAF 3.0 to send alert notifications when attacks and abnormal traffic are detected. This way, you can check the security status of your business at the earliest opportunity. | |
2022-09-23 | Custom header fields that record the source ports of clients | Enable Traffic Mark and Source Port can be selected when a domain name is added to WAF 3.0 to use custom header fields to record the source ports of clients. | |
2022-08-24 | Configuration of custom timeout periods for back-to-origin requests | Custom timeout periods for new connections, read connections, and write connections can be specified when a domain name is added to WAF 3.0. | |
2022-08-12 | WAF 3.0 protection for MSE instances | If your web services use a Microservices Engine (MSE) instance, you can add the MSE instance to WAF 3.0 to enable WAF 3.0 protection for your web services. | |
2022-07-22 | Data leakage prevention in WAF 3.0 | The data leakage prevention module of WAF 3.0 is supported. The module filters abnormal content that is returned and masks sensitive information, such as ID card numbers, phone numbers, bank card numbers, and sensitive words. Then, WAF returns the masked information or default response pages. | Configure data leakage prevention rules to prevent data leakage |
2022-07-22 | Website tamper-proofing in WAF 3.0 | The website tamper-proofing module is supported. The module allows you to lock web pages that require protection, such as web pages that contain sensitive information. When a locked web page is requested, WAF returns a cached version of the page. This helps prevent website tampering. | Configure website tamper-proofing rules to prevent web page tampering |
2022-07-20 | Subscription billing method in WAF 3.0 | The subscription billing method is supported in WAF 3.0. In the subscription billing method, you pay for resources before you use the resources. The subscription billing method allows you to reserve resources and can be more cost-effective than the pay-as-you-go billing method. | |
2022-07-14 | Asset center feature in WAF 3.0 | You can use the asset center feature to identify domain names in and outside Alibaba Cloud. You can also use the feature to assess risks based on the attack status of the domain names in the cloud. This way, you can obtain the overall protection status of your domain names. | |
2022-06-23 | Bot management in WAF 3.0 | The bot management module is supported. You can use the module to configure custom anti-crawler rules for websites and apps. This protects your business from malicious crawlers. | |
2022-05-30 | Major event protection in WAF 3.0 | The major event protection module is supported. You can use the module to configure rule groups for major event protection, IP address blacklists for major event protection, collaborative defense, and cookie security-related capabilities. This improves protection for customers in attack-and-defense scenarios. | |
2022-04-21 | HTTP flood protection in WAF 3.0 | The HTTP flood protection module is supported. You can use the module to defend against HTTP flood attacks on websites. If WAF blocks HTTP flood attacks, WAF returns 405 error pages to clients. | Configure HTTP flood protection rules to defend against HTTP flood attacks |
2022-04-21 | Region blacklist in WAF 3.0 | The region blacklist module is supported. The module identifies the source regions of requests. You can configure the module to block or allow requests from specific regions to prevent malicious requests. | Configure region blacklist rules to block requests from specific regions |
2022-01-22 | Release of WAF 3.0 | WAF 3.0 is released. WAF 3.0 supports the CNAME record mode and cloud native mode, and is integrated into the cloud native architecture of other cloud services, such as Application Load Balancer (ALB). Compared with WAF 2.0, WAF 3.0 provides more features and allows you to configure protection settings in the WAF 3.0 console in a more efficient manner. This helps improve user experience. | |