
Web Application Firewall: Release notes

Last Updated: Apr 30, 2024

This topic describes the release notes for Web Application Firewall (WAF) and provides links to the relevant references.

Releases of 2024

Release date: 2024-03-27
Feature: Multi-account management for enterprise-level customers
Description: A WAF instance can be used to protect cloud resources within multiple Alibaba Cloud accounts.
References: Use the multi-account management feature

Release date: 2024-01-16
Feature: Blocked request query
Description: Blocking details can be queried on the Blocked Request Query page by using request IDs.
References: Query blocked requests

Release date: 2024-01-15
Feature: Hybrid cloud log delivery configuration
Description: Hybrid cloud logs can be delivered to a syslog server or a Kafka platform. Log delivery configurations take effect for hybrid cloud clusters.
References: Hybrid cloud log delivery

Releases of 2023

Release date: 2023-10-12
Feature: API security in WAF 3.0 outside the Chinese mainland
Description: The API security module is supported for WAF 3.0 instances that are deployed outside the Chinese mainland.
References: API security

Release date: 2023-09-21
Feature: Compliance check and tracing and auditing in the API security module of WAF 3.0
Description: Compliance check and tracing and auditing are supported in the API security module of WAF 3.0 for outbound data transfer.
References: Step 4: Compliance check and tracing and auditing

Release date: 2023-08-28
Feature: Configuration of cookie attributes in WAF 3.0
Description: Cookie attributes can be configured for protected objects in WAF 3.0.
References: Protected objects and protected object groups

Release date: 2023-08-20
Feature: WAF 3.0 protection for IPv6 traffic
Description: IPv6 can be enabled in WAF 3.0.
References: Enable IPv6

Release date: 2023-08-10
Feature: Configuration of default SSL and TLS settings
Description: Default Transport Layer Security (TLS) settings and SSL certificate settings can be configured for virtual IP addresses (VIPs).
References: Configure default SSL or TLS settings

Release date: 2023-08-01
Feature: Back-to-origin traffic marking, canary release configurations for bot management rules, and bot traffic analysis
Description:
  • The bot management module supports the following features:
    • Bot traffic analysis.
    • Back-to-origin traffic marking for detected bot behaviors.
    • Canary release configurations for bot management rules. A bot management rule can be applied to a specific proportion of objects.
  • Canary release configurations for custom rules are supported. A custom rule can be applied to a specific proportion of objects.

Release date: 2023-07-14
Feature: Verification of DNS resolution status
Description: WAF 3.0 verifies the DNS resolution status of domain names that are added to WAF 3.0 and identifies domain names whose DNS resolution status is abnormal, to prevent web services from being affected.

Release date: 2023-06-21
Feature: Verification of domain ownership
Description: The first time a domain name is added to WAF, the ownership of the domain name must be verified. After the ownership of the domain name is verified, you can add subdomains of the domain name without verifying the ownership of the subdomains.

Release date: 2023-06-10
Feature: WAF 3.0 protection for websites that use SM certificates
Description: If you select HTTPS, the wafnew.assetManage.access.openSM2 and wafnew.assetManage.access.SM2AccessOnly options can be turned on to enable SM certificate-based verification and to allow access only from clients that use SM certificates.
References: Add a domain name to WAF

Release date: 2023-05-30
Feature: API security
Description: Custom sensitive data type policies can be configured.
References: Configure a sensitive data type policy

Release date: 2023-05-22
Feature: Semantic-based protection
Description: Semantic-based protection is supported and can be used to defend against SQL injection attacks. Detection of non-injection attacks can be enabled or disabled.
References: Basic protection rules and rule groups

Release date: 2023-05-18
Feature: Specification downgrade
Description:
  • The number of exclusive IP addresses can be reduced.
  • Bot management for website protection, bot management for app protection, and API security can be disabled by downgrading the WAF instance.
References: Upgrade or downgrade a WAF instance

Release date: 2023-04-28
Feature: Manual addition of domain names that are hosted on Classic Load Balancer (CLB) or Elastic Compute Service (ECS) instances to WAF as protected objects
Description: Domain names that are hosted on CLB or ECS instances can be manually added to WAF as protected objects.
References: Protected objects and protected object groups

Release date: 2023-04-14
Feature: Traffic billing protection
Description: The traffic billing protection feature is supported for pay-as-you-go WAF instances. After you enable the traffic billing protection feature for a pay-as-you-go WAF instance, the WAF instance is added to a sandbox when the peak queries per second (QPS) of the WAF instance exceeds the specified threshold for traffic billing protection. You are not charged traffic processing fees or feature fees that are generated in the hour in which the WAF instance is added to a sandbox. This prevents high costs due to traffic spikes.

Release date: 2023-03-03
Feature: API security
Description:
  • The API security module can be enabled for pay-as-you-go WAF 3.0 instances.
  • Custom policies can be configured.
References: API security

Release date: 2023-02-24
Feature: Major event protection and the number of hybrid cloud protection nodes
Description:
  • Major event protection:
    • The major event protection feature is supported. By default, the feature is enabled for a WAF Ultimate Edition instance. The feature can be enabled for a WAF Pro Edition or Enterprise Edition instance for a specific period of time. The feature cannot be enabled for a WAF Basic Edition instance.
    • The period of time for which the major event protection feature is enabled for a WAF Pro Edition or Enterprise Edition instance must be greater than or equal to 30 days.
  • Hybrid cloud mode:
    • By default, the hybrid cloud mode is supported for WAF Enterprise Edition and Ultimate Edition instances, and one hybrid cloud protection node is provided for each WAF instance.
    • If you use a WAF Basic Edition or Pro Edition instance, you can use the hybrid cloud mode only after you upgrade the edition of the WAF instance to Enterprise Edition or Ultimate Edition.
    • If you purchase an additional hybrid cloud protection node, you can add 100 additional domain names to WAF in hybrid cloud mode free of charge. If you purchase multiple additional hybrid cloud protection nodes, you can add 200 additional domain names to WAF in hybrid cloud mode free of charge.

Release date: 2023-02-08
Feature: Intelligent whitelist, false positive ignoring, and loose and strict rule groups
Description:
  • The intelligent whitelist feature can be enabled to prevent normal requests from being blocked. After you enable the intelligent whitelist feature, WAF performs intelligent learning based on historical service traffic and identifies basic protection rules that may cause false positives. Then, the basic protection rules and the URLs that are always falsely blocked are automatically added to the whitelist. This way, requests that are sent to these URLs bypass detection based on the identified basic protection rules.
  • Built-in loose rule groups and strict rule groups are provided.
  • The false positive ignoring feature can be enabled to add attacker IP addresses that are detected by basic protection rules to the whitelist.

Release date: 2023-02-08
Feature: WAF 3.0 protection for custom domain names bound to web applications in Function Compute
Description: The protection capabilities of WAF are integrated into Function Compute as an SDK module. You can add custom domain names bound to web applications in Function Compute to WAF in cloud native mode. WAF identifies, scrubs, and filters out malicious web traffic, and then forwards normal traffic to the backend function.
References: Enable WAF protection for a custom domain name bound to a web application in Function Compute

Release date: 2023-01-19
Feature: Group-based resource management and tag-based resource management in WAF 3.0
Description: WAF 3.0 is integrated with Alibaba Cloud Resource Management. You can use resource groups and tags to manage resources and permissions.

Release date: 2023-01-17
Feature: Bot management
Description:
  • The bot management module supports the following features:
    • The basic protection feature can be enabled to protect websites from medium-level bot traffic and low-level bot traffic.
    • Slider CAPTCHA verification, strict slider CAPTCHA verification, intelligent protection, and threat intelligence are supported in bot management for app protection.
    • The validity period of bot management rules can be specified.
  • The security report of the bot management module is optimized. You can view information about attacks to trace and analyze the attacks.

Releases of 2022

Release date: 2022-12-22
Feature: API security in WAF 3.0 in the Chinese mainland
Description: The API security module is supported. The module automatically sorts the APIs of services that are protected by WAF and detects API vulnerabilities, such as unauthorized access to APIs, exposure of sensitive data, and exposure of internal APIs. The module also allows you to trace API exception events by using reports, shows how to fix detected vulnerabilities, and provides data to help you manage the API lifecycle. This helps implement comprehensive security protection for APIs.
References: API security

Release date: 2022-11-29
Feature: WAF 3.0 feature that retries forwarding back-to-origin requests, and configuration of back-to-origin keep-alive requests
Description: If a domain name is added to WAF in CNAME record mode, the feature that allows WAF to retry forwarding requests to the origin server can be enabled. Back-to-origin keep-alive requests can also be configured.
References: Add a website in CNAME record mode

Release date: 2022-11-28
Feature: Recording of custom request headers, request body, response headers, and response body in WAF 3.0 logs
Description: The request_body, request_header, response_header, and response_info fields are added to record custom request headers, the request body, response headers, and the response body in WAF 3.0 logs.
References: Fields in logs

Release date: 2022-11-25
Feature: Log storage capacity alerts in WAF 3.0
Description: If your log storage usage exceeds 80% of the upper limit, the service sends notifications by text message and email. If the log storage capacity is exhausted, WAF logs can no longer be written. We recommend that you increase the log storage capacity of your WAF instance at the earliest opportunity.
References: Configure log settings and manage log storage capacity

Release date: 2022-11-24
Feature: Subscription billing method in WAF 3.0
Description: The subscription billing method is supported in WAF 3.0.
References: Subscription billing overview

Release date: 2022-11-23
Feature: WAF 3.0 protection for Layer 4 CLB instances, Layer 7 CLB instances, and ECS instances
Description: Traffic redirection ports can be specified to add Layer 4 CLB instances, Layer 7 CLB instances, and ECS instances to WAF.

Release date: 2022-11-17
Feature: Specification downgrade in the WAF 3.0 console
Description: The following specifications can be downgraded in the WAF 3.0 console: additional QPS quota, burstable QPS (pay-as-you-go) quota, additional domain name quota, and log storage capacity.
References: Upgrade or downgrade a WAF instance

Release date: 2022-10-30
Feature: WAF 3.0 API operations
Description: API operations for common configurations in the WAF 3.0 console are provided. You can call the operations to perform batch processing.
References: List of operations by function

Release date: 2022-10-27
Feature: Burstable QPS (pay-as-you-go) and sandbox features in WAF 3.0
Description: The burstable QPS (pay-as-you-go) feature is provided. The feature is suitable for scenarios in which expected or unexpected traffic spikes occur, such as traffic spikes during promotional events. In these scenarios, the peak service traffic may exceed the sum of the default QPS quota of your WAF edition and the additional QPS quota that you purchased. If you enable the burstable QPS (pay-as-you-go) feature, you are charged for the excess QPS resources that you use. The feature ensures service continuity and prevents your domain names from being added to a sandbox.

Release date: 2022-10-19
Feature: Monitoring and alerting feature in WAF 3.0
Description: Alert rules can be configured to allow WAF 3.0 to send alert notifications when attacks and abnormal traffic are detected. This way, you can check the security status of your business at the earliest opportunity.
References: Configure WAF alerting

Release date: 2022-09-23
Feature: Custom header fields that record the source ports of clients
Description: The Enable Traffic Mark and Source Port options can be selected when a domain name is added to WAF 3.0, so that custom header fields record the source ports of clients.
References: Add a domain name to WAF

Release date: 2022-08-24
Feature: Configuration of custom timeout periods for back-to-origin requests
Description: Custom timeout periods for establishing connections, reading, and writing can be specified when a domain name is added to WAF 3.0.
References: Add a domain name to WAF

Release date: 2022-08-12
Feature: WAF 3.0 protection for MSE instances
Description: If your web services use a Microservices Engine (MSE) instance, you can add the MSE instance to WAF 3.0 to enable WAF 3.0 protection for your web services.
References: Enable WAF protection for an MSE instance

Release date: 2022-07-22
Feature: Data leakage prevention in WAF 3.0
Description: The data leakage prevention module of WAF 3.0 is supported. The module filters abnormal content that is returned and masks sensitive information, such as ID card numbers, phone numbers, bank card numbers, and sensitive words. Then, WAF returns the masked information or default response pages.
References: Configure data leakage prevention rules to prevent data leakage

Release date: 2022-07-22
Feature: Website tamper-proofing in WAF 3.0
Description: The website tamper-proofing module is supported. The module allows you to lock web pages that require protection, such as web pages that contain sensitive information. When a locked web page is requested, WAF returns a cached version of the page. This helps prevent website tampering.
References: Configure website tamper-proofing rules to prevent web page tampering

Release date: 2022-07-20
Feature: Subscription billing method in WAF 3.0
Description: The subscription billing method is supported in WAF 3.0. In the subscription billing method, you pay for resources before you use them. The subscription billing method allows you to reserve resources and can be more cost-effective than the pay-as-you-go billing method.
References: Subscription billing overview

Release date: 2022-07-14
Feature: Asset center feature in WAF 3.0
Description: You can use the asset center feature to identify domain names in and outside Alibaba Cloud. You can also use the feature to assess risks based on the attack status of the domain names in the cloud. This way, you can obtain the overall protection status of your domain names.
References: Asset center

Release date: 2022-06-23
Feature: Bot management in WAF 3.0
Description: The bot management module is supported. You can use the module to configure custom anti-crawler rules for websites and apps. This protects your business from malicious crawlers.

Release date: 2022-05-30
Feature: Major event protection in WAF 3.0
Description: The major event protection module is supported. You can use the module to configure rule groups for major event protection, IP address blacklists for major event protection, collaborative defense, and cookie security-related capabilities. This improves protection for customers in attack-and-defense scenarios.
References: Major event protection

Release date: 2022-04-21
Feature: HTTP flood protection in WAF 3.0
Description: The HTTP flood protection module is supported. You can use the module to defend against HTTP flood attacks on websites. If WAF blocks HTTP flood attacks, WAF returns 405 error pages to clients.
References: Configure HTTP flood protection rules to defend against HTTP flood attacks

Release date: 2022-04-21
Feature: Region blacklist in WAF 3.0
Description: The region blacklist module is supported. The module identifies the source regions of requests. You can configure the module to block or allow requests from specific regions to prevent malicious requests.
References: Configure region blacklist rules to block requests from specific regions

Release date: 2022-01-22
Feature: Release of WAF 3.0
Description: WAF 3.0 is released. WAF 3.0 supports the CNAME record mode and cloud native mode, and is integrated into the cloud native architecture of other cloud services, such as Application Load Balancer (ALB). Compared with WAF 2.0, WAF 3.0 provides more features and allows you to configure protection settings in the WAF 3.0 console in a more efficient manner. This helps improve user experience.
References: WAF 3.0 released, WAF 2.0 end-of-sale