Web Application Firewall:Critical event protection

Last Updated: Nov 27, 2025

The critical event protection feature provides custom and precise protection for critical events in a specific time range. This topic describes how to enable and use the critical event protection feature.

Billing overview

Important

The prices for products and services may change. Refer to your Alibaba Cloud bill for the final amounts.

Billing method: Before you can use the critical event protection feature, you must purchase the feature. The fees vary based on the validity period of the feature. The validity period must be greater than or equal to 30 days.

Validity period: The critical event protection feature takes effect immediately after you purchase the feature. The Subscription Period parameter specifies the validity period of the feature. After the validity period ends, the feature stops protecting your services.

Renewal policy: The critical event protection feature does not support automatic renewal. If you want to continue using the feature, re-enable it after the validity period ends.

Refund policy: After you enable the critical event protection feature, you cannot disable the feature during the validity period or apply for a refund. We recommend that you enable the feature only when your business requires it.

Prerequisites

  • A Web Application Firewall (WAF) 3.0 instance is purchased. For more information, see Purchase a WAF 3.0 subscription instance and Activate a pay-as-you-go WAF 3.0 instance.

    The operations that you can perform to enable the critical event protection feature vary based on the edition of the WAF instance:

    • Subscription Ultimate Edition: The critical event protection feature is enabled by default.

    • Subscription Pro Edition, Subscription Enterprise Edition, and Pay-as-you-go Edition: The feature is not enabled by default. You can enable the feature by temporarily upgrading the edition of the WAF instance.

    • Subscription Basic Edition: The feature is not enabled by default and cannot be enabled.

  • Web services are added to WAF in CNAME record mode or cloud native mode. If web services are added to WAF in cloud native mode, the web services must be deployed on Layer 4 Classic Load Balancer (CLB), Layer 7 CLB, or Elastic Compute Service (ECS) instances. For more information, see Website configuration overview.

    Note

    The feature is not supported for Application Load Balancer (ALB) instances or Function Compute-related domain names that are added to WAF as protected objects.

Enable critical event protection

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.

  2. In the left-side navigation pane, choose Protection Configuration > Critical Event Protection.

  3. Click Enable Protection for Critical Events. On the page that appears, enable the critical event protection feature and configure the Subscription Period parameter.

  4. Click Buy Now, read and select Terms of Service, and then complete the payment.

    After you enable the critical event protection feature, the Protection Plan for Critical Events section of the Protection for Critical Events page shows the number of protection rules for critical events, the number of threat intelligence rules, the number of IP addresses in the blacklist, and the total number of IP addresses.

Create a critical event protection rule template

Before you use the critical event protection feature, you must create a critical event protection rule template. You can create up to 20 critical event protection rule templates.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.

  2. In the left-side navigation pane, choose Protection Configuration > Critical Event Protection.

  3. On the Protection Templates tab, click Create Template.

  4. In the Create Protection Template for Critical Events panel, configure the parameters.

    1. Configure the basic information and click Next. The following parameters are available:

      Template Name: Specify a name for the template. The name must be 1 to 255 characters in length and can contain letters, digits, periods (.), underscores (_), and hyphens (-).

      Protection Features: Configure protection rules and protection actions.

      • Threat Intelligence for Protection for Critical Events: This feature accurately identifies attackers based on the Alibaba Cloud libraries of malicious IP addresses. By default, the feature is enabled and the protection action is set to Monitor.

      • Protection Rule Group for Critical Events: This feature provides precise protection rules for each user based on the intelligent protection model. By default, the feature is enabled and the protection action is set to Monitor.

      • IP Address Blacklist for Protection for Critical Events: This feature supports up to 50,000 custom IP addresses or CIDR blocks in the blacklist.

      • Shiro Deserialization Vulnerability Prevention: This feature defends against Apache Shiro Java deserialization vulnerabilities by using cookie encryption technologies.

      Apply To: Select the items to which you want to apply the template on the Protected Objects and Protected Object Groups tabs. For more information, see Configure protected objects and protected object groups.

    2. If you enabled the IP Address Blacklist for Protection for Critical Events feature in the Basic Information step, configure the parameters in the Configure IP Address Blacklist step and click Next. The following operations are available:

      Add IP Address Blacklist: Click Add IP Address Blacklist to add IP addresses to the blacklist.

      1. In the IP Address Blacklist field, enter the IP addresses that you want to add to the blacklist and press the Enter key.

        Note

        CIDR blocks and IPv6 addresses are supported. You can specify up to 500 CIDR blocks or IPv6 addresses. Separate multiple entries with line feeds or commas (,).

      2. Configure the End At parameter to specify the date and time when the configuration becomes invalid. Valid values:

        • Permanently Effective.

        • Custom. Click the date and time picker to specify a date and time.

      3. In the Remarks field, enter a description and click OK.

        After you add IP addresses to the blacklist, you can view the IP addresses that you added.

      Import IP Address Blacklist: Click Import IP Address Blacklist to import a file that contains multiple IP addresses.

      1. Click Upload File and select the IP address blacklist file that you want to import.

        Important

        • CSV files are supported.

        • IPv4 addresses, IPv6 addresses, and CIDR blocks are supported.

        • You can import only one file at a time. Each file can contain up to 2,000 IP addresses or CIDR blocks. The size of the file cannot exceed 1 MB.

        • To import a large number of IP addresses, import them in batches.

      2. Configure the End At parameter to specify the date and time when the configuration becomes invalid. Valid values:

        • Permanently Effective.

        • Custom. Click the date and time picker to specify a date and time.

      3. In the Remarks field, enter a description and click OK.

        After you import IP addresses into the blacklist, you can view the IP addresses that you added.

      Delete All IP Addresses: If you no longer need to block the IP addresses that you added to the blacklist, click Delete All IP Addresses to remove all IP addresses from the blacklist.

      Delete Expired IP Addresses: After the validity period of IP addresses ends, click Delete Expired IP Addresses to remove all expired IP addresses from the blacklist.

  5. Click Complete.

    By default, the new critical event protection rule template is enabled. You can perform the following operations in the critical event protection rule template list:

    • View the number of Protection Rules and the number of Protected Object/Groups associated with the template.

    • Turn on or turn off the switch in the Status column to enable or disable the template.

    • In the Actions column, click Edit, Delete, or Copy to modify, delete, or copy the template.

    • If you enabled the IP Address Blacklist for Protection for Critical Events feature, click Edit IP Address Blacklist to modify the IP address blacklist.
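A blacklist file that breaks the limits above (2,000 entries and 1 MB per file, CSV format, IPv4/IPv6/CIDR entries) is rejected only at upload time, and a CIDR block with host bits set is easy to mistype. The following Python script is an added example, not part of the original documentation or an Alibaba Cloud tool: it validates and deduplicates a blacklist before import, rejects CIDR blocks with host bits set rather than silently widening them, and also accepts the comma-separated form used by the IP Address Blacklist field. The sample file is constructed from documentation address ranges.

```python
import csv
import io
import ipaddress

# Limits stated on the page for the Import IP Address Blacklist step.
MAX_ENTRIES_PER_FILE = 2000
MAX_FILE_BYTES = 1024 * 1024  # 1 MB

SAMPLE_CSV = (  # constructed sample, RFC 5737 / RFC 3849 documentation ranges
    "198.51.100.7\n"
    "203.0.113.0/24\n"
    "2001:db8::/32\n"
    "198.51.100.7\n"    # duplicate of line 1
    "203.0.113.9/24\n"  # host bits set: rejected rather than widened
    "not-an-ip\n"
)

def parse_entry(raw):
    """Return a canonical IP address or CIDR block, or raise ValueError."""
    value = raw.strip()
    if "/" in value:
        # strict=True refuses host bits so a typo cannot turn one host into
        # a whole block and overblock legitimate clients.
        return str(ipaddress.ip_network(value, strict=True))
    return str(ipaddress.ip_address(value))

def validate_blacklist(text, limit=MAX_ENTRIES_PER_FILE):
    """Check blacklist text against the import limits; returns (entries, errors).
    Commas and line feeds both separate entries, as in the console."""
    entries, errors, seen = [], [], set()
    if len(text.encode("utf-8")) > MAX_FILE_BYTES:
        errors.append("file is larger than 1 MB")
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for cell in row:
            if not cell.strip():
                continue  # blank line or empty cell
            try:
                entry = parse_entry(cell)
            except ValueError as exc:
                errors.append(f"line {lineno}: {cell.strip()!r}: {exc}")
                continue
            if entry in seen:
                errors.append(f"line {lineno}: duplicate entry {entry}")
                continue
            seen.add(entry)
            entries.append(entry)
    if len(entries) > limit:
        errors.append(f"{len(entries)} entries exceed the limit of {limit}")
    return entries, errors
```

Pass limit=500 to check text that you intend to paste into the IP Address Blacklist field instead of importing as a file.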

View the statistics on critical event protection

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.

  2. In the left-side navigation pane, choose Protection Configuration > Critical Event Protection.

  3. On the Security Reports tab, specify the protected object and the time range to query the security report data.

    • Protected object: By default, All is selected and the security report data of all protected objects in WAF is obtained. You can also query the security report data of a specific protected object.

    • Time range: By default, Today is selected and the security report data of the current day is obtained. You can select Yesterday, Today, Last 7 Days, Last 30 Days, or a point in time in the previous 30 days to view data in the corresponding time range.

    The security report data consists of the following categories.

    Attack statistics (labeled 1 in the preceding figure)

    Description: Displays the statistical analysis results of attacks that are received by protected objects in a specific time range.

    • Distribution of Attack Types: Displays the breakdown of attacks by type in a pie chart.

    • Top 5 Attacks: Displays the top 5 most frequently attacked protected objects on the Attacked Object tab and the top 5 IP addresses from which attacks are most frequently launched on the Attacker IP Address tab. The protected objects or IP addresses are listed in descending order by the number of attacks.

    Supported operation: None

    Attack event records (labeled 2 in the preceding figure)

    Description: Displays, in a list, information about the attacks that match protection rules of the core protection rule module. The list includes the following information:

    • Attacker IP Address: the source IP address of the attack.

    • Area: the area where the attacker IP address is located.

    • Attack Time: the start time of the attack.

    • Attack Type: the type of the attack, such as SQL injection and code execution.

    • Rule Type: the type of the rule, such as rule groups for critical event protection and threat intelligence for critical event protection.

    • Actions: the action that WAF performs on the request. The action can be Block or Monitor. The Block action blocks the request. The Monitor action records the request but does not block the request.

    Supported operations:

    • Filter attack events: In the upper part of the attack event list, you can use the following fields to filter attack events:

      • Attack type: Valid values: All, SQL Injection, XSS, Code Execution, Local File Inclusion, Remote File Inclusion, Webshell, and Others. Default value: All.

      • Rule type: Valid values: All, Protection Rule Group for Critical Events, Threat Intelligence for Protection for Critical Events, IP Address Blacklist for Protection for Critical Events, and Shiro Deserialization Vulnerability Prevention. Default value: All.

      • Rule action: Valid values: All, Block, and Monitor. Default value: All.

    • View attack details: Find the attack event whose details you want to view and click View Details in the Actions column. The details include the attack type and the ID, name, description, and action of the protection rule that the attack matched.

    Real-time threat intelligence (labeled 3 in the preceding figure)

    Description: Displays the following threat intelligence about an attacker IP address:

    • The IP address of the attacker and its attributes.

    • The area to which the attacker IP address belongs.

    • The number of attacks that occurred in the previous hour.

    • The type of the attack.

    Supported operation: Query the real-time threat intelligence of an attacker IP address. Enter the IP address that you want to query and click the query icon to view the real-time threat intelligence of the IP address.