
Web Application Firewall: Configure threat intelligence rules to proactively defend against malicious IPs

Last Updated: Jan 23, 2026

Manually maintaining a large IP blacklist is inefficient for services that face global threats, such as automated scans, vulnerability exploits, and anonymous proxies. It is also difficult to keep up with dynamic attack sources. The threat intelligence feature of Web Application Firewall (WAF) uses Alibaba Cloud's global, multi-dimensional threat data to automatically identify and block malicious IPs. This helps you build a proactive defense system, significantly reducing your operational burden and improving service security.

Applicability

  • Version requirements: A subscription WAF instance of the Enterprise or Ultimate edition, or a pay-as-you-go WAF instance is required.

  • Configuration prerequisites: A protected object must exist. This means you have added your web services to WAF. If you have not added your services, see Add a domain name to WAF.

  • Access mode restrictions: Function Compute (FC) is not supported. MSE instances must be upgraded to version 2.0.18 or later. APIG instances must be upgraded to version 2.1.13 or later.

Key concepts

  • Threat intelligence: A protection module in WAF that automatically identifies and blocks web attack source IP addresses from around the world. You do not need to manually configure complex rules. To use this module, you must create a threat intelligence protection template. You can create multiple templates.

  • Protection template: A template is a collection of rules that defines the rule content and its applicable scope. It consists of three parts: template type, protection rules, and applicable objects.

    • Template type: You must specify a template type when you create a template. The type cannot be changed after creation. There are two types of templates:

      • Default template

        • Description: When created, the template applies to all protected objects and object groups by default. New objects are also automatically included. You can manually exclude specific objects by setting their status to "Not applied". You can create only one default template for the threat intelligence module.

        • Scenarios: Deploy general rules that need to be applied globally.

      • Custom template

        • Description: You must manually specify the protected objects or object groups to which it applies.

        • Scenarios: Deploy fine-grained rules for specific services.

    • Protection rules: Define the detection logic and the response action. Each rule consists of two parts:

      • Rule type: Defines the type of threat to detect. Supported types are Website Scanning, Exploitation, and Tor IP.

      • Rule action: Defines the action to take when a rule is hit. The actions, from highest to lowest priority, are: Block, Strict Slider, Slider, JS Challenge, and Monitor.

    • Applicable objects: Specifies the targets for the template. By setting applicable objects, you can apply the protection rules to specific protected objects or groups.

      • Protected object: WAF automatically creates a protected object for each domain name or cloud product instance that you add.

      • Protected object group: You can add multiple protected objects to a group for centralized management.

Procedure

Log on to the WAF 3.0 console. In the top menu bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) for your WAF instance. In the left navigation pane, choose Protection Config > Core Web Protection > Threat Intelligence.

Step 1: Configure the threat intelligence template type

On the Core Web Protection page, in the Threat Intelligence section, click Create Template. In the Create Template - Threat Intelligence panel, complete the following settings.

  • Template Name: Set a name for the template.

  • Save as Default Template: You can set only one default template for the threat intelligence module. You can only set a template as the default when you create it.

    • Yes: If you select Yes, you do not need to set Apply To. After the template is created, it applies to all protected objects and object groups by default. New objects are also automatically included. You can manually exclude specific objects by setting their status to Not Applied.

    • No: If you select No, you must set Apply To to specify the protected objects or object groups to which the template applies.

Step 2: Configure protection rules

In the Rule Configuration section, complete the following settings.

  • Rule type: Select a rule type based on your business needs to defend against specific types of attacks.

    • Website Scanning: These IP addresses use automated tools to probe websites to identify technical architecture, open ports, potential security vulnerabilities, or other information.

    • Exploitation: These IP addresses exploit security vulnerabilities in web applications to perform malicious operations, gain unauthorized access, and potentially cause damage.

    • Tor IP: These IP addresses are exit nodes of the Tor network. They represent user traffic that accesses the Internet anonymously through the Tor network. The communication from these users is identified by these exit IP addresses.

  • Rule Action: Select the protection action to take when a request hits a rule.

    • JavaScript Validation: WAF returns a JavaScript snippet to the client. A standard browser automatically executes this code. If the client executes it successfully, WAF allows all requests from that client for a period of time (default is 30 minutes); otherwise, it blocks the request.

    • Block: Blocks requests that match the rule and returns a block page to the client. By default, WAF uses a standard block page. You can also customize the block page by using custom response.

    • Monitor: Allows requests that match the rule to pass but logs the match event. When you test a rule, first set its action to Monitor and analyze WAF logs to ensure no legitimate traffic is blocked before changing the action.

    • Slider: WAF returns a slider CAPTCHA page to the client. If the client successfully completes the challenge, WAF allows all requests from that client for a period of time (default is 30 minutes); otherwise, it blocks the request.

    • Strict Slider: WAF returns a slider CAPTCHA page to the client. If the client successfully completes the challenge, the request is allowed; otherwise, it is blocked. In this mode, the client must complete a slider challenge for every request that matches the rule.

    Note

    • The Slider verification is available only for subscription-based Enterprise and Ultimate instances, and pay-as-you-go instances.

    • JavaScript Validation and Slider are applicable only to synchronous requests. To ensure these features function correctly with asynchronous requests, such as those using XMLHttpRequest or the Fetch API, inject the web SDK. For more details, see the JS Challenge and Slider CAPTCHA sections in Bot Management.

    • When JavaScript Validation or Slider is enabled, WAF sets a cookie in the response header via Set-Cookie after the client passes the validation. The cookie is named acw_sc__v2 for JavaScript Validation or acw_sc__v3 for Slider CAPTCHA. The client includes this identifier in the Cookie header of subsequent requests.

  • Advanced Settings (Optional):

    • Staged Rollout: Apply the rule to only a proportion of clients, selected along a configured dimension. After you enable Staged Rollout (grayscale release), you must also set the Dimension and Canary Release Proportion. The Dimension can be IP, Custom Header, Custom Parameter, Custom Cookie, or Session.

      Note

      Grayscale release takes effect based on the configured Dimension, not randomly on a percentage of requests. For example, if the Dimension is IP and the Canary Release Proportion is 10%, WAF selects about 10% of IP addresses. All requests from the selected IP addresses are subject to the rule. The rule is not applied to 10% of all requests randomly.

    • Effective Mode:

      • Permanently Effective (Default): The rule is always in effect when the protection template is enabled.

      • Fixed Schedule: The protection rule is in effect only for a specified period.

      • Recurring Schedule: The protection rule is in effect only during specified recurring periods.
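As an added example (not part of this documentation or of the WAF product), the following Python sketch reproduces the dimension-keyed selection that the Staged Rollout note describes: the dimension value is hashed into a bucket, so every request carrying the same IP, session ID, header, parameter or cookie value receives the same decision rather than a per-request coin flip. The salt, the session cookie name and the request layout are assumptions.

```python
import hashlib
import ipaddress

# Added example (not WAF product code): a deterministic, dimension-keyed canary
# selector. The dimension value is hashed into one of 100 buckets; buckets below
# the proportion are in scope, so all requests with the same value get the same
# decision. The salt is an assumed per-template value so that different templates
# do not always select the same clients.

def in_canary(dimension_value: str, proportion: int, salt: str = "tpl-example") -> bool:
    """True if this dimension value falls into the canary slice."""
    if not 0 <= proportion <= 100:
        raise ValueError("proportion must be between 0 and 100")
    digest = hashlib.sha256(f"{salt}:{dimension_value}".encode()).digest()
    bucket = int.from_bytes(digest[:4], "big") % 100
    return bucket < proportion

def dimension_key(request: dict, dimension: str, name: str = "") -> str:
    """Pick the value the rollout is keyed on, for the dimensions listed on the page."""
    if dimension == "IP":
        return request["client_ip"]
    if dimension == "Custom Header":
        return request["headers"].get(name, "")
    if dimension == "Custom Parameter":
        return request["params"].get(name, "")
    if dimension == "Custom Cookie":
        return request["cookies"].get(name, "")
    if dimension == "Session":
        return request["cookies"].get("session", "")  # assumed session cookie name
    raise ValueError(f"unknown dimension: {dimension}")

def rule_applies(request: dict, dimension: str, proportion: int, name: str = "") -> bool:
    """Whether a staged-rollout rule applies to this request."""
    return in_canary(dimension_key(request, dimension, name), proportion)

def selected_ip_fraction(proportion: int, count: int = 5000) -> float:
    """Share of `count` consecutive constructed IPs that land in the canary slice."""
    base = ipaddress.IPv4Address("198.18.0.0")  # constructed address range
    hits = sum(in_canary(str(base + i), proportion) for i in range(count))
    return hits / count

if __name__ == "__main__":
    req = {"client_ip": "203.0.113.5", "headers": {}, "params": {}, "cookies": {}}
    print("IP dimension, 10%:", rule_applies(req, "IP", 10))
    print("share of IPs selected at 10%:", selected_ip_fraction(10))
```

Requests that lack the configured header, parameter or cookie all hash the empty string and therefore share one decision, which is worth keeping in mind when choosing a dimension.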

Step 3: Set applicable objects for the threat intelligence template

In the Apply To section, select the protected objects and object groups to which this template applies.

How the template is applied depends on the configuration in Step 1:

  • If the template is set as the default: You do not need to specify applicable objects. The template applies to all protected objects and object groups by default after it is created. New objects are also automatically included. You can manually exclude specific objects by setting their status to Not Applied.

  • If the template is not set as the default: You must specify the protected objects and object groups to which the template applies.

Note

You can manually adjust the application status of protected objects or object groups both during and after template creation.
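The Monitor-first practice recommended in Step 2 can be checked against logs before a rule's action is changed. The following is an added Python example, not documentation or product code: the log records and their field names are constructed assumptions, not the product's log schema, and the known-good IP set stands in for sources such as your own uptime monitor.

```python
import json
from collections import defaultdict

# Added example (not WAF product code): review Monitor-mode hits of a threat
# intelligence rule before switching its action to Block. The records below are
# constructed for this example; the field names are assumptions, not the
# product's documented log schema.
SAMPLE_LOGS = """\
{"real_client_ip":"203.0.113.10","host":"www.example.com","request_path":"/login","final_rule_type":"threat_intelligence","final_rule_id":"ti-001","final_action":"monitor"}
{"real_client_ip":"203.0.113.10","host":"www.example.com","request_path":"/admin","final_rule_type":"threat_intelligence","final_rule_id":"ti-001","final_action":"monitor"}
{"real_client_ip":"198.51.100.7","host":"www.example.com","request_path":"/healthz","final_rule_type":"threat_intelligence","final_rule_id":"ti-001","final_action":"monitor"}
{"real_client_ip":"192.0.2.44","host":"api.example.com","request_path":"/v1/orders","final_rule_type":"custom","final_rule_id":"c-9","final_action":"block"}
"""

# Sources you know to be legitimate, e.g. your own uptime monitor (assumed value).
KNOWN_GOOD_IPS = {"198.51.100.7"}

def monitor_hits(log_text: str, rule_type: str = "threat_intelligence") -> dict:
    """Group Monitor-mode hits of the given rule type by source IP."""
    hits = defaultdict(lambda: {"count": 0, "paths": set(), "rules": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("final_rule_type") != rule_type or rec.get("final_action") != "monitor":
            continue
        entry = hits[rec["real_client_ip"]]
        entry["count"] += 1
        entry["paths"].add(rec["request_path"])
        entry["rules"].add(rec["final_rule_id"])
    return dict(hits)

def promotion_report(log_text: str, known_good: set) -> dict:
    """Summarise who the rule would have blocked and whether any known-good source is among them."""
    hits = monitor_hits(log_text)
    false_positives = sorted(ip for ip in hits if ip in known_good)
    return {
        "hit_ips": sorted(hits),
        "false_positives": false_positives,
        "safe_to_block": not false_positives,
    }

if __name__ == "__main__":
    print(json.dumps(promotion_report(SAMPLE_LOGS, KNOWN_GOOD_IPS), indent=2))
```

A known-good IP in the report means the rule would block legitimate traffic; exclude that protected object or keep the rule in Monitor until the cause is understood.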

Routine maintenance

  • Manage protection templates: New protection templates are enabled by default. You can perform the following operations in the protection template list:

    • View the number of Protected Object/Group associated with the template.

    • Use the Status to enable or disable the template.

    • Edit, Delete, or Copy a protection template.

    • Click the expand icon next to a template name to view the rules in the template.

  • Manage protection rules: New rules are enabled by default. You can perform the following operations in the rule list:

    • View information such as Rule ID and Action.

    • Use the Status switch to enable or disable a rule.

FAQ

What is the difference between the threat intelligence feature and the IP blacklist feature?

  • IP blacklist: You must manually add IP addresses for static blocking. The only supported actions are Block and Monitor.

  • Threat intelligence: The threat intelligence feature automatically identifies malicious IPs based on Alibaba Cloud's global security data and supports multiple rule actions. The threat IP address library is automatically updated to provide proactive and dynamic defense.

What is the Tor network?

The Tor network, which stands for The Onion Router, is an open-source network designed to protect user privacy and anonymity. It enhances online anonymity by encrypting and relaying traffic multiple times through servers run by volunteers around the world. This process hides the user's real IP address and online activities.

In a security context, traffic from Tor exit nodes can be used to bypass access controls or launch anonymous attacks. Therefore, WAF provides the capability to identify and manage Tor traffic to help you reduce potential security risks.