
Web Application Firewall: Configure threat intelligence rules to proactively defend against malicious IPs

Last Updated: Dec 25, 2025

Manually maintaining a large IP blacklist is inefficient and makes it difficult to keep up with dynamic attack sources, such as automated scans, vulnerability exploits, and anonymous proxies. The threat intelligence feature of Web Application Firewall (WAF) uses Alibaba Cloud's global, multi-dimensional threat data to automatically identify and handle malicious IPs. This helps you build a proactive defense system to prevent attacks, which significantly reduces your O&M workload and improves business security.

Scope

  • Version requirements: You must have a WAF Enterprise Edition or Ultimate Edition (subscription) instance, or use the pay-as-you-go version of WAF.

  • Prerequisites: A protected object must exist, which means you have added your web service to WAF. If you have not added your service, see Add a service to WAF.

  • Integration limits: This feature does not support Function Compute (FC). MSE must be version 2.0.18 or later. APIG must be version 2.1.13 or later.

Key concepts

  • Threat intelligence: A WAF protection module that automatically identifies and blocks IP addresses that are sources of web attacks from around the world. You do not need to manually configure complex rules. You can enable this module by creating a threat intelligence protection template. You can create multiple templates.

  • Protection template: A template is a collection of rules that defines the rule content and its applicable scope. A template consists of three parts: template type, protection rules, and effective objects.

    • Template type: You must specify a template type when you create a template. The type cannot be changed after the template is created. Two template types are available:

      • Default template

        • Description:

          • When created, the template applies to all protected objects and object groups by default. New objects are also automatically included.

          • You can manually exclude specific objects by setting them to "Not effective".

          • You can create only one default template in the threat intelligence module.

        • Scenarios: Deploy general rules that need to be applied globally.

      • Custom template

        • Description: You must manually specify the protected objects or object groups to which it applies.

        • Scenarios: Deploy fine-grained rules for specific services.

    • Protection rule: Defines the detection logic and response action. Each rule consists of two parts:

      • Rule type: Defines the type of threat to detect. The supported types are Website Scanning, Exploitation, and Tor Address.

      • Rule action: Defines the action to take when a rule is hit. The available actions, in descending order of priority, are Block, Strict Slider, Slider, JS Challenge, and Monitor.

    • Effective object: Specifies the target of the template. You can use effective objects to apply protection rules to specific protected objects or protected object groups. A protected object or object group can be associated with only one threat intelligence template.

      • Protected object: WAF automatically creates a protected object for each domain name or cloud product instance that you add.

      • Protected object group: You can add multiple protected objects to a group to manage them in a centralized manner.

Procedure

Log on to the Web Application Firewall 3.0 console. In the top menu bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) of your WAF instance. In the navigation pane on the left, go to Protection Configuration > Core Web Protection > Threat Intelligence.

Step 1: Configure the threat intelligence template type

On the Core Web Protection page, find the Threat Intelligence section and click Create Template. In the Create Template - Threat Intelligence panel, configure the following parameters.

  • Template Name: Enter a name for the template.

  • Save as Default Template: You can set only one default template for the threat intelligence module. You can set a template as the default only when you create the template.

    • Yes: You do not need to set Apply To. After the template is created, it applies to all protected objects and object groups by default. New objects are also automatically included. You can manually exclude specific objects by setting them to "Not effective".

    • No: You must set Apply To and manually specify the protected objects or object groups to which the template applies.

Step 2: Configure protection rules

In the Rule Configuration section, configure the following parameters.

  • Rule Type: Select a rule type to defend against specific types of attacks as needed.

    • Website Scanning: These IP addresses use automated tools to probe websites to identify technical architecture, open ports, potential security vulnerabilities, or gather other relevant information.

    • Exploitation: These IP addresses exploit security vulnerabilities in web applications to perform malicious operations, gain unauthorized access, and potentially cause destructive consequences.

    • Tor Address: These IP addresses are exit nodes of the Tor network. They represent user traffic that accesses the Internet anonymously through the Tor network, with this IP as the exit identifier.

  • Rule Action: Select the action to take when a request hits a rule.

    • JavaScript Validation: WAF returns a JavaScript snippet to the client. A standard browser automatically executes this code. If the client executes it successfully, WAF allows all requests from that client for a period of time (default is 30 minutes); otherwise, it blocks the request.

    • Block: Blocks requests that match the rule and returns a block page to the client.

      Note

      By default, WAF uses a standard block page. You can also customize the block page by using custom response.

    • Monitor: Allows requests that match the rule to pass but logs the match event. When you test a rule, first set its action to Monitor and analyze WAF logs to ensure no legitimate traffic is blocked before changing the action.

    • Slider CAPTCHA: WAF returns a slider CAPTCHA page to the client. If the client successfully completes the challenge, WAF allows all requests from that client for a period of time (default is 30 minutes); otherwise, it blocks the request.

    • Strict Slider CAPTCHA: WAF returns a slider CAPTCHA page to the client. If the client successfully completes the challenge, the request is allowed; otherwise, it is blocked. In this mode, the client must complete a slider challenge for every request that matches the rule.

    Note

    • The Slider CAPTCHA verification is available only for subscription-based Enterprise and Ultimate instances, and pay-as-you-go instances.

    • JavaScript Validation and Slider CAPTCHA are applicable only to synchronous requests. To ensure features function correctly with asynchronous requests, such as those using XMLHttpRequest or the Fetch API, inject the web SDK. For more details, see the JS Challenge and Slider CAPTCHA sections in Bot Management.

    • When JavaScript Validation or Slider CAPTCHA is enabled, WAF sets a cookie in the response header via Set-Cookie after the client passes the validation. The cookie is named acw_sc__v2 for JavaScript Validation or acw_sc__v3 for Slider CAPTCHA. The client will include this identifier in the Cookie header of subsequent requests.

  • Advanced Settings (Optional):

    • Canary Release (also called rule grayscale): Apply the rule to only a percentage of traffic, measured along a chosen dimension rather than per request.

      After you enable rule grayscale, you must also set the Dimension and Canary Release Proportion. Dimension includes: IP, Custom Header, Custom Parameter, Custom Cookie, and Session.

      Note

      Rule grayscale takes effect based on the configured Dimension, not by randomly applying the rule to a percentage of requests. For example, if the Dimension is IP and the Canary Release Proportion is 10%, WAF selects about 10% of the IP addresses. All requests from the selected IP addresses are subject to the rule, rather than the rule being applied to 10% of all requests randomly.

    • Effective Mode:

      • Permanently Effective (default): The rule is always effective when the protection template is enabled.

      • Fixed Schedule: The protection rule is effective only within a specified period.

      • Recurring Schedule: The protection rule is effective only during a specified recurring period.
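The canary note above says selection happens per dimension value, not per request. The following Python script is an added example, not Alibaba Cloud WAF code: the SHA-256 bucketing is an assumed stand-in for WAF's undocumented selection method, and the request fields and traffic are constructed. It shows that dimension-based selection keeps every request from a selected IP, header value or cookie value under the rule, and contrasts it with naive per-request sampling, which splits a single IP's traffic.

```python
import hashlib
import random
from collections import defaultdict

# Assumed extractors for three of the dimensions named on the page.
# Header and cookie names are constructed for this example.
DIMENSION_KEY = {
    "ip": lambda r: r["client_ip"],
    "custom_header": lambda r: r["headers"].get("X-Tenant-Id", ""),
    "custom_cookie": lambda r: r["cookies"].get("session_id", ""),
}

def in_canary(key, proportion, salt="rule-1"):
    """Map a dimension value to one of 100 buckets; buckets below `proportion`
    are in the canary. The same key always lands in the same bucket, so every
    request sharing that key gets the same decision (assumed scheme)."""
    digest = hashlib.sha256(f"{salt}:{key}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % 100 < proportion

def canary_summary(requests, dimension, proportion, salt="rule-1"):
    """Count dimension values that are entirely in, entirely out, or split
    between in and out. With dimension-based selection 'mixed' is always 0."""
    key_of = DIMENSION_KEY[dimension]
    seen = defaultdict(set)
    for r in requests:
        seen[key_of(r)].add(in_canary(key_of(r), proportion, salt))
    summary = {"in": 0, "out": 0, "mixed": 0}
    for decisions in seen.values():
        state = "mixed" if len(decisions) == 2 else ("in" if True in decisions else "out")
        summary[state] += 1
    return summary

def random_per_request_split(requests, proportion, seed=0):
    """Contrast case the page warns against: sampling each request on its own.
    Returns how many client IPs end up with some requests in and some out."""
    rng = random.Random(seed)
    seen = defaultdict(set)
    for r in requests:
        seen[r["client_ip"]].add(rng.randrange(100) < proportion)
    return sum(1 for d in seen.values() if len(d) == 2)

def build_requests(n_ips=200, per_ip=5):
    """Constructed sample traffic: n_ips addresses in 198.51.100.0/24, per_ip requests each."""
    return [{"client_ip": f"198.51.100.{i}",
             "headers": {"X-Tenant-Id": f"tenant-{i % 20}"},
             "cookies": {"session_id": f"s{i}-{j}"}}
            for i in range(n_ips) for j in range(per_ip)]

if __name__ == "__main__":
    reqs = build_requests()
    print("by IP, 10%:", canary_summary(reqs, "ip", 10))
    print("by header, 10%:", canary_summary(reqs, "custom_header", 10))
    print("IPs split by per-request sampling:", random_per_request_split(reqs, 10))
```

The "in" count by IP lands near 20 of 200 addresses, while the per-request variant reports dozens of IPs whose five requests received different decisions, which is exactly the inconsistency a dimension-based canary avoids.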

Step 3: Set the effective objects for the threat intelligence template

In the Apply To section, select the protected objects and protected object groups to which you want to apply this template.

How the template takes effect depends on the configuration in Step 1:

  • If you set the template as the default protection template: You do not need to configure effective objects. After the template is created, it applies to all protected objects and object groups by default. New objects are also automatically included. You can manually exclude specific objects by setting them to "Not effective".

  • If you do not set the template as the default protection template: You must manually specify the protected objects and protected object groups to which the template applies.

Note

You can manually adjust the effective status of protected objects or object groups during and after template creation.

Daily O&M

  • Manage protection templates: New protection templates are enabled by default. You can perform the following operations on the protection template list:

    • View the number of Protected Object/Group associated with the template.

    • Use the Status to enable or disable the template.

    • Edit, Delete, or Copy a protection template.

    • Click the expand icon to the left of the template name to view the rules included in the protection template.

  • Manage protection rules: New rules are enabled by default. You can perform the following operations on the rule list:

    • View information such as the Rule ID and Action.

    • Use the Status switch to enable or disable a rule.

FAQ

What is the difference between the threat intelligence module and the IP blacklist module?

  • IP blacklist: You must manually add IP addresses for static blocking. The only supported actions are Block and Monitor.

  • Threat intelligence: Automatically identifies malicious IPs based on Alibaba Cloud's global security data and supports multiple rule actions. The threat IP address library is automatically updated to provide proactive and dynamic defense.

What is the Tor network?

The Tor network (The Onion Router) is an open-source network designed to protect user privacy and anonymity. It enhances online anonymity by encrypting and relaying traffic multiple times across servers run by volunteers worldwide. This process hides the user's real IP address and browsing activity.

In a security context, traffic from Tor exit nodes can be used to bypass standard access controls or launch anonymous attacks. Therefore, WAF provides the capability to identify and manage Tor traffic to help you reduce potential security risks.