Web Application Firewall: Protection configuration overview

Last Updated:Jul 23, 2025

This topic describes the terminology, process, protection modules, and examples for the protection configuration of Web Application Firewall (WAF).

Protection configuration process


After you add web services to WAF, perform the following steps to configure protection rules for the web services. Step 1 varies based on the method that you used to add the web service to WAF (cloud native mode or CNAME record mode). The remaining steps are the same for both methods.

1. Add a protected object.

Cloud native mode: The cloud service instances that are added to WAF in cloud native mode are automatically added as protected objects in WAF. You do not need to perform this step unless you have special configuration requirements. If you want to configure different protection rules for different domain names that point to the same cloud service instance, you must manually add the domain names as protected objects in WAF. For more information, see Configure protected objects and protected object groups.

CNAME record mode: You do not need to perform this step. The domain names that are added to WAF in CNAME record mode are automatically added as protected objects in WAF.

2. (Optional) Add the protected object to a protected object group.

If you want to configure the same protection rules for multiple protected objects, add the protected objects to a protected object group and then configure protection rules for the group. The protection rules that are configured for the group take effect for all protected objects in the group.

Before you can use a protected object group, you must create the group and add protected objects to it. For more information, see Create a protected object group.

3. Define protection templates.

Before you can enable a protection module, you must create a protection template for the protection module. Then, you apply the protection template to specific protected objects or protected object groups.

The Core Protection Rule and Whitelist modules have initial default protection templates, so you do not need to create protection templates for these modules manually. If you want to enable other protection modules, you must create protection templates manually. For more information, see Protection module overview.

You can also define multiple protection templates to apply different protection rules to different protected objects. For more information, see Example: Configure multiple protection templates for a protection module.

4. Manage protection rules and the objects to which the rules apply.

You manage protection rules in the protection templates of the different protection modules. For example, you can enable or disable protection rules, or create protection rules. Then, you select existing protected objects or groups as the objects to which the rules apply. Modifications to the protection rules in a protection template take effect on all protected objects to which the protection template is applied.

The operations that you can perform on protection rules vary based on the protection module. For more information, see Protection module overview.

The operations that you can perform on protection rules vary based on the protection module. For more information, see Protection module overview.

Protection module overview

The following table describes the protection modules that are supported by WAF and the default configurations of each protection module. For each module, the description, the initial default protection, and a configuration suggestion are listed.

Core protection rule

Description: Defends against common web application attacks based on a built-in protection rule set. The common web application attacks include SQL injection, cross-site scripting (XSS), code execution, webshell upload, and command injection.

Initial default protection: Has an initial default protection template (which includes the core protection rule set of WAF) that is enabled by default and uses the Block mode.

Important

By default, the core protection rule module is enabled for all protected objects that are newly added to WAF. The module automatically blocks attack requests.

Configuration suggestion: We recommend that you retain the default configuration.

If you find that the core protection rule set blocks normal requests after your services have been protected by WAF for a period of time, configure a Whitelist rule to bypass the core protection rules that cause the false positives. Scope the rule to the request characteristics and the protection module that produce the false positive rather than exempting the traffic from all protection modules. For more information, see Configure protection rules for the whitelist module to allow specific requests.

Rule group

Note

The rule group feature has been upgraded to the engine configuration feature. For more information, see [Announcement].

Description: Supports default rule groups and custom rule groups. You can associate rule groups with core protection rule templates based on your business requirements to protect your website against common web application attacks.

Initial default protection: Has an initial default rule group.

Configuration suggestion: To enable a custom rule group, you must create a rule group template and configure related rules.

Whitelist

Description: Allows requests that have specified characteristics to bypass the checks of all or specified protection modules. You configure the characteristics of the requests based on your business requirements.

Initial default protection: Has an initial default protection template (with no rules defined). The protection template is enabled by default.

Configuration suggestion: If you want to allow business requests that have specific characteristics, create whitelist rules in the default protection template.

HTTP flood protection

Description: Mitigates high-frequency HTTP flood attacks based on built-in HTTP flood protection algorithms. You can also turn on rate limiting in the custom rule module to create custom HTTP flood protection rules.

Initial default protection: Has an initial default protection template. The protection template is enabled by default.

Note

Only subscription WAF instances that run the Pro, Enterprise, or Ultimate edition have an initial default protection template that is enabled by default.

Configuration suggestion: To enable a custom rule, you must create a protection template and configure related rules.

Scan protection

Description: Identifies scanning behavior and the characteristics of scanners to prevent attackers or scanners from scanning websites at scale. This reduces the risk of intrusion into web services and blocks invalid scanning traffic.

Initial default protection: Has an initial default protection template. The protection template is enabled by default.

Note

Only subscription WAF instances that run the Pro, Enterprise, or Ultimate edition have an initial default protection template that is enabled by default.

Configuration suggestion: To enable a custom rule, you must create a protection template and configure related rules.

IP blacklist

Description: Blocks requests from specified IPv4 addresses, IPv6 addresses, or CIDR blocks. You specify the IP addresses or CIDR blocks based on your business requirements.

Initial default protection: No initial default protection template is provided. This protection module is disabled by default.

Configuration suggestion: To enable this protection module, you must create a protection template and configure related rules.

Custom rule

Description: Allows you to configure a custom rule and add match conditions to it. The match conditions specify the characteristics of the requests that you want WAF to detect. After you create a custom rule, WAF performs the action of the rule on the requests that match it. The action can be Block, Monitor, or JavaScript Verification.

When you configure a custom rule, you can turn on Rate Limiting. After Rate Limiting is turned on, WAF counts the requests of a statistical object, such as an IP address or a session, and adds the statistical object to a blacklist if its request rate exceeds the threshold. While the statistical object is on the blacklist, WAF performs the specified action on its requests for the specified period of time.
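As an added example (not WAF code), the following Python model shows what a custom rule with Rate Limiting does to a stream of requests: requests that match the rule's conditions are counted per statistical object (here the client IP) over a time window, the object is blacklisted for a penalty period once the count exceeds the threshold, and the rule's action (Block or Monitor) is applied to its requests during that period. The sliding window, the treatment of the request that tips the count as the first one acted upon, and the sample traffic are assumptions of the model, not statements about the WAF implementation.

```python
"""Toy model of a WAF custom rule with Rate Limiting turned on.

Added example, not WAF code: it models the behaviour described on this page
(count requests per statistical object, blacklist the object when the
threshold is exceeded, apply the rule's action for the penalty period).
The sliding window and the sample traffic are assumptions of the model.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List

Request = Dict[str, str]  # constructed requests: {"ip": ..., "path": ...}


@dataclass
class RateLimitRule:
    name: str
    matches: Callable[[Request], bool]       # match conditions of the custom rule
    statistic_key: Callable[[Request], str]  # statistical object: client IP, session, ...
    threshold: int                           # requests allowed per window
    window_s: float                          # counting window in seconds
    penalty_s: float                         # how long the object stays blacklisted
    action: str                              # "block" or "monitor"


@dataclass
class RateLimiter:
    rule: RateLimitRule
    _hits: Dict[str, Deque[float]] = field(default_factory=dict)
    _blacklist: Dict[str, float] = field(default_factory=dict)  # key -> expiry time

    def handle(self, req: Request, now: float) -> str:
        """Return "pass", or the rule's action, for a request seen at time `now`."""
        if not self.rule.matches(req):
            return "pass"                      # rule does not apply to this request
        key = self.rule.statistic_key(req)
        expiry = self._blacklist.get(key)
        if expiry is not None:
            if now < expiry:
                return self.rule.action        # still blacklisted: act, do not count
            del self._blacklist[key]           # penalty period is over
        hits = self._hits.setdefault(key, deque())
        hits.append(now)
        while hits and now - hits[0] >= self.rule.window_s:
            hits.popleft()                     # drop hits outside the sliding window
        if len(hits) > self.rule.threshold:
            # Threshold exceeded: blacklist the object for the penalty period.
            # Assumption: the request that tips the count is the first one acted upon.
            self._blacklist[key] = now + self.rule.penalty_s
            hits.clear()
            return self.rule.action
        return "pass"

    def is_blacklisted(self, key: str, now: float) -> bool:
        return self._blacklist.get(key, float("-inf")) > now


def simulate(action: str = "block") -> List[str]:
    """Run constructed traffic through a login-flood rule and return the decisions."""
    rule = RateLimitRule(
        name="login-flood",
        matches=lambda r: r["path"] == "/login",
        statistic_key=lambda r: r["ip"],
        threshold=5, window_s=10.0, penalty_s=60.0, action=action,
    )
    limiter = RateLimiter(rule)
    decisions: List[str] = []
    # One client hits /login once per second: the 6th request exceeds the
    # threshold of 5 in 10 s and the client is blacklisted for 60 s.
    for t in range(8):
        decisions.append(limiter.handle({"ip": "198.51.100.7", "path": "/login"}, float(t)))
    # Another client on the same path is a different statistical object.
    decisions.append(limiter.handle({"ip": "203.0.113.9", "path": "/login"}, 7.0))
    # The blacklisted client on a path the rule does not match is untouched.
    decisions.append(limiter.handle({"ip": "198.51.100.7", "path": "/"}, 7.5))
    # After the penalty period the client is counted from zero again.
    decisions.append(limiter.handle({"ip": "198.51.100.7", "path": "/login"}, 70.0))
    return decisions


if __name__ == "__main__":
    print(simulate("block"))   # 5 x pass, 3 x block, then pass, pass, pass
```

Changing `statistic_key` to return a session identifier instead of the client IP is all it takes to count per session; that choice of key is what the page calls the statistical object. Running `simulate("monitor")` produces the same shape of result with "monitor" in place of "block", which is the difference between the two actions: the matches are recorded but the requests are not stopped.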

Custom response

Description: Allows you to configure the block page that WAF returns to the client when WAF blocks a request. You can specify the status code, response headers, and response body of the block page.

Location blacklist

Description: Blocks client IP addresses from specific regions.

Web tamper-proofing

Description: Locks specified web pages to prevent content tampering. When a locked web page receives a request, a preconfigured cached copy of the page is returned.

Data leakage prevention

Description: Filters abnormal response content and masks sensitive information in responses, such as ID card numbers, phone numbers, bank card numbers, and sensitive words.

Bot management for basic protection

Description: Detects Layer 4 and Layer 7 bot traffic by using fingerprinting techniques.

Bot management for website protection

Description: Identifies bot traffic based on the characteristics of clients, traffic, behaviors, and intelligence, and blocks malicious traffic to prevent unwanted bandwidth consumption, data crawling, spam user registration, malicious orders, malicious voting, and abuse of APIs.

Bot management for app protection

Major event protection

Description: Provides precise protection for your services during a major event within a specified time range.

Initial default protection: No initial default protection template is provided. This protection module is disabled by default.

Configuration suggestion: To enable this protection module, you must create a protection template and configure related rules.

API security

Description: Automatically discovers the APIs of the services that are protected by WAF and detects API risks, such as unauthorized access to APIs, exposure of sensitive data, and exposure of internal APIs. The module lets you trace API exception events by using reports, provides suggestions on how to fix the detected issues, and provides data for API lifecycle management. This helps you configure comprehensive API security protection.

Initial default protection: N/A.

Peak traffic throttling

Description: Allows you to strictly control the number of requests to your servers by using QPS throttling or percentage throttling, and to filter traffic from specific source regions.

Initial default protection: No initial default protection template is provided. This protection module is disabled by default.

Configuration suggestion: To enable this protection module, you must create a protection template and configure related rules.

Important

The protection capabilities of WAF vary based on the edition. For example, the peak traffic throttling module is supported only in subscription WAF instances that run the Pro edition or higher. For more information about the differences in features, see Editions.

Disable WAF protection

If you want to temporarily disable WAF protection, you can go to the Protected Objects page of the WAF 3.0 console and turn off WAF Protection Status. The following figure shows the toggle.


After you disable WAF protection, traffic destined for the websites that WAF originally protected bypasses the WAF protection engine, and WAF stops logging monitored and blocked requests. After you complete the operations that required WAF protection to be temporarily disabled, such as emergency tests, we recommend that you go to the Protected Objects page of the WAF 3.0 console and enable WAF protection again at the earliest opportunity. This resumes both protection and logging and reduces the exposure of your assets. If you disable WAF protection or specific features but have configured API security policies, the related detection processes continue.

Important

If you use a pay-as-you-go WAF instance and disable WAF protection for a short period of time, you are still charged feature fees and basic traffic fees during the period. If you enable the API security module, you are also charged traffic fees for the API security module. The billing for bot management, risk identification, and custom rules is suspended.

Note
  • You cannot turn off WAF Protection Status for Microservices Engine (MSE) or Function Compute (FC) assets that are added to WAF in cloud native mode. If your assets are added to WAF in hybrid cloud mode, you can turn off WAF Protection Status for the assets only if your WAF instance runs the required edition. For more information about the required edition, contact your business manager or submit a ticket.

Example: Configure multiple protection templates for a protection module

You can configure multiple protection templates for a protection module. You can use the protection templates to configure different protection rules for different protected objects to meet diverse protection requirements.

Most protection modules support default protection templates. A protection module can have only one default protection template. The default protection template is marked Default and automatically applies to all newly added protected objects or groups. Templates in a module without this mark are custom protection templates. You can also manually remove protected objects from the default protection template. If a protected object is not included in any protection template, WAF does not protect it.


Protection modules that support default protection templates

The core protection rule, whitelist, IP blacklist, custom rule, HTTP flood protection, custom response, scan protection, location blacklist, and peak traffic throttling modules support default protection templates.

Some protection modules also support configuring multiple protection templates for a single protected object or object group. For these modules, when you add protected objects to or remove them from custom protection templates, the protected objects are not automatically added to or removed from the default protection template.

Protection modules that support multiple protection templates for a single protected object or object group

The whitelist, IP blacklist, custom rule, bot management, and prompt attack protection modules support configuring multiple protection templates for a single protected object or object group.

Example 1: Monitor new protected objects with core protection rules

In this example, the Core Protection Rule module is used. This module has an initial default protection template (with Action set to Block), which is directly applied to all newly added protected objects in WAF. If WAF detects an attack request that is sent to a protected object, WAF blocks the attack request.

If you want WAF to monitor the attack requests that are sent to newly added protected objects while it continues to block the attack requests that are sent to existing protected objects, use the following configurations. In Monitor mode, WAF does not block the attack requests but records the protection rules that the requests match.

  • Change the value of the Action parameter to Monitor in the default protection template.

  • Create a core protection rule template (custom protection template). Set the Action parameter to Block and the Apply To parameter to all existing protected objects in WAF.

After you perform the preceding operations, WAF monitors the requests that are sent to the new protected objects and blocks the attack requests that are sent to the existing ones. Review the rules that are matched in the monitoring records for the new protected objects. After you confirm that the matched rules hit only unwanted requests, apply the protection template that uses the Block mode to the new protected objects.

Example 2: Configure a custom whitelist for a specific protected object

In this example, the Whitelist module is used. This module has an initial default protection template (with no rules defined). The protection template is enabled by default.

If you want to configure a whitelist rule for all protected objects in WAF to allow requests from IP1, but you want to allow requests from both IP1 and IP2 for a specific protected object, you can use the following configurations:

  • Configure a protection rule in the default protection template to allow requests from IP1. By default, all protected objects or groups are selected as the objects to which the rule applies.

  • Create a whitelist template (custom protection template) to allow requests from IP2, and set the Apply To parameter to the specific protected object.
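As an added example (not WAF code), the following Python model encodes the template semantics this section describes and runs both Example 1 and Example 2 through it: a module's default template applies automatically to every newly added protected object, an object that is in no template is unprotected, whitelist rules are checked before the core protection rules, and the Whitelist module allows several templates per object while the core protection rule module does not. The domain names and IP addresses are constructed. Two simplifications belong to this model rather than to the page: whitelist rules are reduced to source IP matches, and applying a core protection rule template to an object is treated as moving that object out of the default template (the page states the opposite only for the multi-template modules).

```python
"""Toy model of WAF protection templates and how they resolve per protected object.

Added example, not WAF code. It encodes the template semantics described on this
page: a module's default template auto-applies to newly added protected objects,
an object in no template is unprotected, and some modules allow several templates
per object while the core protection rule module allows one. Names are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Modules in which one protected object may be in several templates (from the page).
MULTI_TEMPLATE_MODULES = {"whitelist", "ip_blacklist", "custom_rule", "bot_management"}


@dataclass
class Template:
    module: str                                          # "core_rules" or "whitelist" here
    name: str
    is_default: bool = False
    applies_to: Set[str] = field(default_factory=set)    # protected object names
    action: str = "block"                                # core_rules: "block" or "monitor"
    allowed_ips: Set[str] = field(default_factory=set)   # whitelist, simplified to IP rules


class Waf:
    def __init__(self) -> None:
        self.objects: Set[str] = set()
        # Initial default templates: core rules in Block mode and an empty whitelist.
        self.templates: List[Template] = [
            Template("core_rules", "default", is_default=True, action="block"),
            Template("whitelist", "default", is_default=True),
        ]

    def default(self, module: str) -> Template:
        return next(t for t in self.templates if t.module == module and t.is_default)

    def add_protected_object(self, name: str) -> None:
        self.objects.add(name)
        for t in self.templates:
            if t.is_default:
                t.applies_to.add(name)    # default templates apply to new objects automatically

    def add_template(self, t: Template) -> Template:
        self.templates.append(t)          # a custom template; Apply To starts empty
        return t

    def apply(self, t: Template, obj: str) -> None:
        """Add `obj` to a custom template's Apply To."""
        t.applies_to.add(obj)
        if t.module not in MULTI_TEMPLATE_MODULES:
            # Single-template module: the object can be in one template only, so it
            # leaves the default template (model assumption; the page states the
            # opposite only for the multi-template modules).
            self.default(t.module).applies_to.discard(obj)

    def decide(self, obj: str, src_ip: str, is_attack: bool) -> str:
        """Resolve one request against the templates that apply to `obj`."""
        if obj not in self.objects:
            raise KeyError(f"{obj} is not a protected object")
        whitelists = [t for t in self.templates if t.module == "whitelist" and obj in t.applies_to]
        if any(src_ip in t.allowed_ips for t in whitelists):
            return "allow"                # whitelist bypasses the core rule checks
        core = [t for t in self.templates if t.module == "core_rules" and obj in t.applies_to]
        if not core:
            return "unprotected"          # object is in no core rule template
        if not is_attack:
            return "allow"
        return core[0].action             # "block" or "monitor"


def example_1_monitor_new_objects() -> Dict[str, str]:
    """Example 1: Monitor mode for new objects, Block mode for the existing ones."""
    waf = Waf()
    for name in ("shop.example.com", "api.example.com"):
        waf.add_protected_object(name)
    waf.default("core_rules").action = "monitor"        # default template -> Monitor
    strict = waf.add_template(Template("core_rules", "block-existing", action="block"))
    for name in sorted(waf.objects):                    # custom Block template -> existing objects
        waf.apply(strict, name)
    waf.add_protected_object("new.example.com")         # lands in the default (Monitor) template
    return {o: waf.decide(o, "192.0.2.1", is_attack=True) for o in sorted(waf.objects)}


def example_2_whitelist_per_object() -> Dict[str, Dict[str, str]]:
    """Example 2: IP1 is allowed for all objects, IP2 only for api.example.com."""
    ip1, ip2, other = "198.51.100.10", "198.51.100.20", "203.0.113.5"
    waf = Waf()
    for name in ("shop.example.com", "api.example.com"):
        waf.add_protected_object(name)
    waf.default("whitelist").allowed_ips.add(ip1)       # default template applies to all objects
    extra = waf.add_template(Template("whitelist", "api-partners", allowed_ips={ip2}))
    waf.apply(extra, "api.example.com")                 # custom template applies to one object
    return {o: {ip: waf.decide(o, ip, is_attack=True) for ip in (ip1, ip2, other)}
            for o in sorted(waf.objects)}


if __name__ == "__main__":
    print(example_1_monitor_new_objects())
    print(example_2_whitelist_per_object())
```

In Example 1 the attack request against new.example.com resolves to "monitor" while the two existing objects resolve to "block"; in Example 2 the request from IP2 is allowed only for api.example.com, and IP1 remains allowed for api.example.com because adding the object to the custom whitelist template does not remove it from the default one.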