After you add web services to Web Application Firewall (WAF), you can configure data leakage prevention rules to filter abnormal returned content and mask sensitive information, such as ID card numbers, phone numbers, bank card numbers, and sensitive words. Then, WAF returns the masked information or default response pages to clients. This topic describes how to create a data leakage prevention rule template and add rules to the template.
Limits
You cannot configure this type of protection rule for Application Load Balancer (ALB) instances or Microservices Engine (MSE) instances that are added to WAF in cloud native mode.
Prerequisites
- A WAF 3.0 instance is purchased. For more information, see Purchase a subscription WAF 3.0 instance and Purchase a pay-as-you-go WAF 3.0 instance.
- Web services are added as the protected objects of WAF 3.0. For more information, see Protected objects and protected object groups.
Step 1: Create a data leakage prevention rule template
WAF does not provide a default data leakage prevention rule template. Before you can enable a data leakage prevention rule, you must create a data leakage prevention rule template.
- Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region to which the WAF instance that you want to manage belongs. You can select Chinese Mainland or Outside Chinese Mainland for the region.
- In the left-side navigation pane, choose .
- In the lower part of the Protection Rules page, click Create Template in the Data Leakage Prevention section. Note: If no data leakage prevention templates exist, you can click Configure Now in the Data Leakage Prevention card in the upper part of the Protection Rules page.
- In the Create Template - Data Leakage Prevention panel, configure the parameters and click OK. The following table describes the parameters.
- Template Name: Enter a name for the template. The name must be 1 to 255 characters in length, and can contain letters, digits, periods (.), underscores (_), and hyphens (-).
- Rule Configuration: Click Create Rule to create a data leakage prevention rule for the template. You can also create a data leakage prevention rule for the template after the template is created. For more information, see Step 2: Create a data leakage prevention rule for the template.
- Apply To: Select the protected objects and protected object groups to which you want to apply the template. You can apply only one template of a protection module to a protected object or a protected object group. For information about how to add protected objects and protected object groups, see Protected objects and protected object groups.
By default, the new rule template is enabled. You can perform the following operations in the rule template list:
- View the number of protected objects or protected object groups that are associated with the rule template.
- Turn on or turn off Status to enable or disable the rule template.
- Click Edit or Delete in the Actions column to modify or delete the rule template.
- Click the icon on the left side of a rule template to view the rules in the template.
Step 2: Create a data leakage prevention rule for the template
The data leakage prevention rule template takes effect only after you create data leakage prevention rules for the template. If you already created data leakage prevention rules when you created the template, skip this step.
- Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region to which the WAF instance that you want to manage belongs. You can select Chinese Mainland or Outside Chinese Mainland for the region.
- In the left-side navigation pane, choose .
- In the Data Leakage Prevention section, find the data leakage prevention rule template for which you want to create a rule and click Create Rule in the Actions column.
- In the Create Rule dialog box, configure the parameters and click OK. The following table describes the parameters.
- Rule Name: Enter a name for the rule. The name can contain letters, digits, periods (.), underscores (_), and hyphens (-).
- Match Condition: Specify the type of sensitive information that you want to detect. Valid values:
  - Status Code: 400, 401, 402, 403, 404, 405–499, 500, 501, 502, 503, 504, and 505–599
  - Sensitive Info: ID Card Number, Credit Card Number, Mobile Phone Number, and Default Sensitive Words. Important: Data leakage prevention rules can process only data in the formats that are supported in the Chinese mainland. The data includes ID card numbers, mobile phone numbers, and bank card numbers.
  You can select multiple values for Status Code and Sensitive Info.
  If you select And, you can also specify the URL that you want to detect. This way, WAF detects sensitive information only on the specified page.
- Action: Specify the action that you want WAF to perform on the sensitive information that is detected.
  - If you set the Match Condition parameter to Status Code, the following actions can be performed on the detected sensitive information:
    - Monitor: records requests that match the rule in logs without blocking the requests.
    - Block: blocks requests that match the rule and returns a block page to the client that initiated the requests.
  - If you set the Match Condition parameter to Sensitive Info, the following actions can be performed on the detected sensitive information:
    - Monitor: records requests that match the rule in logs without blocking the requests.
    - Mask: masks sensitive information in the requests that match the rule with asterisks (*). The requests are not blocked.
By default, the new rule is enabled. You can perform the following operations in the rule list:
- Turn on or turn off Status to enable or disable the rule.
- Click Edit or Delete in the Actions column to modify or delete the rule.
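As an added illustration (not code from the WAF product or its documentation), the following Python model shows how the rule semantics described above fit together: a rule matches on either status codes or sensitive-info categories, can be restricted to one URL by the And condition, and its action is Monitor, Block, or Mask. The detector regexes, the block page and its status code, and the sensitive-word list are simplified assumptions made for this example; they are not WAF's actual detection patterns.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Simplified detectors for the formats named above (ID card, mobile phone, bank card).
# ASSUMPTION: these regexes are illustrative only, not WAF's own detectors.
PATTERNS = {
    "ID Card Number": re.compile(r"(?<!\d)\d{17}[\dXx](?!\d)"),
    "Credit Card Number": re.compile(r"(?<!\d)\d{16,19}(?!\d)"),
    "Mobile Phone Number": re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)"),
}
# Constructed placeholder list; WAF's real "Default Sensitive Words" list is not on the page.
DEFAULT_SENSITIVE_WORDS = ("password", "secret-token")
PATTERNS["Default Sensitive Words"] = re.compile(
    "|".join(map(re.escape, DEFAULT_SENSITIVE_WORDS)), re.IGNORECASE)

# Order matters: an 18-digit ID card also satisfies the 16-19 digit card pattern,
# so the more specific detector runs first and masks its hits before the next one looks.
DETECT_ORDER = ("ID Card Number", "Credit Card Number",
                "Mobile Phone Number", "Default Sensitive Words")

BLOCK_PAGE = "<html><body>Request blocked by WAF</body></html>"  # constructed
BLOCK_STATUS = 403  # assumption: the page does not state the block page's status code


@dataclass(frozen=True)
class DlpRule:
    name: str
    condition: str             # "Status Code" or "Sensitive Info"
    values: frozenset          # status codes (ints) or sensitive-info categories
    action: str                # "Monitor"/"Block" (Status Code) or "Monitor"/"Mask" (Sensitive Info)
    url: Optional[str] = None  # the optional "And" condition: inspect only this page


def status_codes(*items):
    """Build a status-code set from ints and 'low-high' ranges, e.g. 500, '505-599'."""
    out = set()
    for item in items:
        if isinstance(item, int):
            out.add(item)
        else:
            low, high = (int(x) for x in item.split("-"))
            out.update(range(low, high + 1))
    return frozenset(out)


def apply_rule(rule, url, status, body):
    """Evaluate one rule against a response.

    Returns (outcome, status, body, log). outcome is "Pass" when the rule did not
    match, otherwise the rule's action. Monitor never changes status or body.
    """
    if rule.url is not None and url != rule.url:
        return "Pass", status, body, []

    if rule.condition == "Status Code":
        if status not in rule.values:
            return "Pass", status, body, []
        log = [f"rule={rule.name} url={url} status={status} action={rule.action}"]
        if rule.action == "Block":
            return "Block", BLOCK_STATUS, BLOCK_PAGE, log
        return "Monitor", status, body, log

    # "Sensitive Info": scan the body category by category. Masking is done on a
    # scratch copy so later detectors do not re-count data an earlier one already hit;
    # the masked copy is returned only when the action is Mask.
    hits = {}
    masked = body
    for kind in DETECT_ORDER:
        if kind not in rule.values:
            continue
        count = len(PATTERNS[kind].findall(masked))
        if count:
            hits[kind] = count
            masked = PATTERNS[kind].sub(lambda m: "*" * len(m.group(0)), masked)
    if not hits:
        return "Pass", status, body, []
    log = [f"rule={rule.name} url={url} {kind}={n} action={rule.action}"
           for kind, n in hits.items()]
    return rule.action, status, (masked if rule.action == "Mask" else body), log


if __name__ == "__main__":
    # Constructed sample response: a profile page that leaks a phone number and an ID card.
    rule = DlpRule("mask-pii", "Sensitive Info",
                   frozenset({"ID Card Number", "Mobile Phone Number"}), "Mask")
    print(apply_rule(rule, "/api/profile", 200,
                     "user: 13800138000 id: 11010519900307123X"))
```

Two points the model makes visible: the Status Code ranges from the table (for example 505–599) are expanded into an explicit set, so 504 is not covered by a rule that lists only 500 and 505–599; and a Sensitive Info rule with Monitor leaves the body untouched and only produces log entries, which is what you want while tuning detectors before switching to Mask.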
What to do next
On the Data Leakage Prevention tab of the Security Reports page, you can view the protection details of the data leakage prevention rules. For more information, see Data leakage prevention module.
References
- Protection configuration overview: describes the protected objects, protection modules, and protection process.
- CreateDefenseTemplate: creates a protection rule template.
- CreateDefenseRule: creates a protection rule. When you call this operation to create a data leakage prevention rule, you must set the DefenseScene parameter to dlp.