This topic provides answers to some frequently asked questions about Web Application Firewall (WAF).
Overview
- FAQ about pre-sales consulting
  - Can I use WAF to protect servers that are not deployed on Alibaba Cloud?
  - Does WAF support Cloud Web Hosting instances?
  - Can WAF protect HTTPS services?
  - Does WAF support custom ports?
  - What are the limits for the ports that can be added to WAF?
  - Does the QPS limit that is configured for a WAF instance in the WAF console apply to the entire WAF instance or a single domain name that is added to the WAF instance?
  - Does WAF support two-way HTTPS authentication?
  - Does WAF support the WebSocket, HTTP/2, or SPDY protocols?
  - Is the origin server affected when HTTP/2 services are added to WAF?
  - What are the TLS protocols supported by WAF?
  - Can WAF protect websites that use NTLM authentication?
- FAQ about website access configuration
  - Can I use the internal IP address of an ECS instance as an origin IP address in the WAF console?
  - Can WAF protect multiple origin IP addresses for one domain name?
  - How does WAF balance request loads among multiple origin servers?
  - Does WAF support the health check feature?
  - Does WAF support the session persistence feature?
  - Does latency occur when I change an origin IP address in the WAF console?
  - What are the back-to-origin CIDR blocks of WAF?
  - Are the back-to-origin CIDR blocks of WAF automatically added to security groups?
  - Do I need to allow access requests from all client IP addresses?
  - Can a WAF instance that uses an exclusive IP address defend against DDoS attacks?
  - Can WAF be deployed together with CDN or with Anti-DDoS Pro or Anti-DDoS Premium?
  - Can I deploy WAF together with CDN and Anti-DDoS Pro or Anti-DDoS Premium by using different Alibaba Cloud accounts?
  - How does WAF ensure the security of an uploaded certificate and the private key of the certificate? Does WAF decrypt HTTPS traffic and record the content of HTTPS requests?
  - A domain name is added to WAF. Why am I unable to find the domain name in the domain name list?
- FAQ about website protection configuration
  - How can I use WAF to defend against HTTP flood attacks?
  - How long does it take for configuration modifications in the WAF console to take effect?
  - When I configure custom protection policies (ACL policies) in the WAF console, can I enter CIDR blocks in the IP field?
  - Why does a custom protection policy whose URL match field contains two forward slashes (//) not take effect?
- FAQ about website protection analysis
  - Can I view the source IP addresses of HTTP flood attacks in the WAF console?
  - How do I query the bandwidth usage of WAF?
Can I use WAF to protect servers that are not deployed on Alibaba Cloud?
Does WAF support Cloud Web Hosting instances?
Yes, all editions of WAF support exclusive Cloud Web Hosting instances. After you activate WAF, you can configure exclusive instances in the WAF console.
Shared Cloud Web Hosting instances use shared IP addresses. Therefore, multiple users share the same origin server. We recommend that you do not configure WAF for shared instances.
Can WAF protect HTTPS services?
Yes, all editions of WAF can protect HTTPS services. You can add wildcard domain names to WAF.
To protect HTTPS services, you must upload SSL certificates and private key files as prompted. After HTTPS-enabled websites are added to WAF, WAF decrypts access requests, checks request packets, encrypts the requests, and then forwards the requests to origin servers.
Does WAF support custom ports?
What are the limits for the ports that can be added to WAF?
WAF supports only specific ports. The ports vary based on the editions of WAF. For more information, see Ports supported by each WAF edition.
Security risks may be caused by vulnerable ports, and Internet service providers (ISPs) may block service traffic that is destined for the vulnerable ports. The following ports are vulnerable TCP ports: 42, 135, 137, 138, 139, 445, 593, 1025, 1434, 1068, 3127, 3128, 3129, 3130, 4444, 5554, 5800, 5900, and 9996. If a website that is protected by WAF uses the preceding vulnerable ports, the website may be inaccessible in specific regions. Before you add your web service to WAF, make sure that the website does not use the preceding vulnerable ports.
Does the QPS limit that is configured for a WAF instance in the WAF console apply to the entire WAF instance or a single domain name that is added to the WAF instance?
The queries per second (QPS) limit applies to the entire WAF instance.
For example, if you add three domain names to a WAF instance in the WAF console, the total QPS of the domain names cannot exceed the configured QPS limit. If the total QPS exceeds the limit, WAF triggers throttling and may randomly discard packets.
Does WAF support two-way HTTPS authentication?
No, WAF does not support two-way HTTPS authentication.
Does WAF support the WebSocket, HTTP/2, or SPDY protocols?
All editions of WAF support WebSocket. The WAF Business Edition and more advanced editions support HTTP/2. WAF does not support SPDY.
Is the origin server affected when HTTP/2 services are added to WAF?
Yes, the origin server is affected. If you add HTTP/2 services to WAF, WAF can handle HTTP/2 requests from clients. However, WAF forwards requests to the origin servers only over HTTP/1.0 or HTTP/1.1. Therefore, if you add HTTP/2 services to WAF, HTTP/2 multiplexing does not work as expected between WAF and the origin server, and the clean bandwidth of the origin server increases.
What are the TLS protocols supported by WAF?
WAF instances that reside in the Chinese mainland support TLS 1.0, TLS 1.1, and TLS 1.2. WAF instances that reside outside the Chinese mainland support TLS 1.1 and TLS 1.2.
If you have custom requirements, you can specify custom TLS configurations. For example, you can disable TLS 1.0 and enable TLS 1.3 for your WAF instance. For more information, see Configure custom TLS settings.
Can WAF protect websites that use NTLM authentication?
No, WAF cannot protect websites that use New Technology LAN Manager (NTLM) authentication. If your website uses NTLM authentication, the access requests that are forwarded by WAF may fail the NTLM authentication of an origin server. As a result, authentication prompts may be repeatedly displayed on the client. We recommend that you use a different authentication method for your website.
Can I use the internal IP address of an ECS instance as an origin IP address in the WAF console?
No, you cannot use the internal IP address of an Elastic Compute Service (ECS) instance as an origin IP address. This is because WAF forwards requests to an origin server over the Internet.
Can WAF protect multiple origin IP addresses for one domain name?
Yes, you can enter up to 20 origin IP addresses when you add a domain name in the WAF console.
How does WAF balance request loads among multiple origin servers?
If you configure multiple origin servers, WAF automatically uses the IP hash method to balance request loads among the origin servers. You can also use other load balancing algorithms based on your business requirements. For more information, see Add a domain name.
Does WAF support the health check feature?
Does WAF support the session persistence feature?
Yes, WAF supports session persistence. By default, session persistence is disabled. If you want to enable session persistence, contact your account manager or solution architect.
Does latency occur when I change an origin IP address in the WAF console?
Yes, latency occurs when you change an origin IP address. The new IP address requires approximately 1 minute to take effect.
What are the back-to-origin CIDR blocks of WAF?
You can perform the following operations to query the back-to-origin CIDR blocks of WAF: Log on to the WAF console and choose . For more information, see Allow access from back-to-origin CIDR blocks of WAF.
Are the back-to-origin CIDR blocks of WAF automatically added to security groups?
No, the back-to-origin CIDR blocks of WAF are not automatically added to security groups. If you deploy other firewalls or host protection software for origin servers, we recommend that you add the back-to-origin CIDR blocks of WAF to the whitelists of those firewalls and software.
We recommend that you configure specific protection policies for the origin servers. For more information, see Configure protection for an origin server.
Do I need to allow access requests from all client IP addresses?
You can allow access requests from all client IP addresses or only from the back-to-origin CIDR blocks of WAF. We recommend that you allow access requests only from the back-to-origin CIDR blocks of WAF to protect the origin servers of your web services.
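The recommendation above only protects the origin if traffic that does not come from the WAF back-to-origin CIDR blocks is actually rejected. The following added example (not part of the Alibaba Cloud documentation) checks an origin server's access log for requests that reached it without passing through WAF and renders a matching allow-list; the CIDR blocks and log lines are constructed placeholders, not the real back-to-origin ranges shown in the WAF console.

```python
import ipaddress
import re

# Constructed placeholder CIDR blocks. Replace them with the back-to-origin
# CIDR blocks listed in your WAF console; these are documentation ranges only.
WAF_BACK_TO_ORIGIN_CIDRS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/25"),
]

# Constructed origin-server access log lines in common log format.
SAMPLE_LOG = """\
198.51.100.17 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "POST /api/login HTTP/1.1" 200 128
192.0.2.44 - - [10/Oct/2023:13:55:38 +0000] "GET /admin HTTP/1.1" 403 0
203.0.113.200 - - [10/Oct/2023:13:55:39 +0000] "GET /index.html HTTP/1.1" 200 512
"""

# client IP, request line and status code from a common-log-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3})')


def is_from_waf(ip: str, cidrs=WAF_BACK_TO_ORIGIN_CIDRS) -> bool:
    """True if the client IP belongs to one of the WAF back-to-origin blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in cidrs)


def find_bypass_requests(log_text: str, cidrs=WAF_BACK_TO_ORIGIN_CIDRS):
    """Return (ip, request_line, status) for requests that did not come via WAF."""
    bypass = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        ip, request, status = m.groups()
        if not is_from_waf(ip, cidrs):
            bypass.append((ip, request, int(status)))
    return bypass


def nginx_allow_rules(cidrs=WAF_BACK_TO_ORIGIN_CIDRS) -> str:
    """Render an nginx access snippet that admits only WAF back-to-origin traffic."""
    return "\n".join([f"allow {net};" for net in cidrs] + ["deny all;"])


if __name__ == "__main__":
    for ip, req, status in find_bypass_requests(SAMPLE_LOG):
        print(f"bypass: {ip} {req!r} -> {status}")
    print(nginx_allow_rules())
```

Requests flagged by `find_bypass_requests` show that the origin is still reachable directly, which is exactly what restricting the security group or firewall to the back-to-origin CIDR blocks is meant to prevent.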
Can a WAF instance that uses an exclusive IP address defend against DDoS attacks?
Yes, a WAF instance that uses an exclusive IP address can defend against DDoS attacks.
WAF provides exclusive IP addresses for users. Blackhole filtering, which is used to protect the IP addresses of ECS and Server Load Balancer (SLB) instances from DDoS attacks, can also be used to protect the exclusive IP addresses from DDoS attacks. The default DDoS mitigation capability provided by the WAF instance that uses an exclusive IP address is the same as the DDoS mitigation capability of an ECS instance in the region where WAF is deployed.
Can WAF be deployed together with CDN or with Anti-DDoS Pro or Anti-DDoS Premium?
Yes, WAF is fully compatible with Alibaba Cloud Content Delivery Network (CDN), Anti-DDoS Pro, and Anti-DDoS Premium. If you want to deploy WAF together with CDN and Anti-DDoS Pro or Anti-DDoS Premium, we recommend that you deploy the components in the following sequence: client, Anti-DDoS Pro or Anti-DDoS Premium, CDN, WAF, SLB, and origin server.
If you want to deploy WAF together with CDN or with Anti-DDoS Pro or Anti-DDoS Premium, set the address of the origin server to the CNAME assigned by WAF when you add a domain name to CDN, Anti-DDoS Pro, or Anti-DDoS Premium. In this case, requests are forwarded by CDN, Anti-DDoS Pro, or Anti-DDoS Premium to WAF and then to the origin server. This way, the origin server is protected. For more information, see Protect a website service by using both Anti-DDoS Pro or Anti-DDoS Premium and WAF and Use WAF with CDN.
Can I deploy WAF together with CDN and Anti-DDoS Pro or Anti-DDoS Premium by using different Alibaba Cloud accounts?
Yes, you can deploy WAF together with CDN and Anti-DDoS Pro or Anti-DDoS Premium by using different accounts. This allows you to defend against DDoS attacks and web application attacks.
How does WAF ensure the security of an uploaded certificate and the private key of the certificate? Does WAF decrypt HTTPS traffic and record the content of HTTPS requests?
If you use WAF to protect HTTPS services, you must upload the required SSL certificate and the private key of the certificate. This way, WAF can decrypt HTTPS traffic to detect attacks and analyze the characteristics of the attacks. Alibaba Cloud uses a dedicated key server to store and manage private keys. The key server is based on Alibaba Cloud Key Management Service (KMS) and can ensure the data security, integrity, and availability of certificates and private keys. This helps meet the requirements for regulation, classified protection, and compliance. For more information about KMS, see What is Key Management Service?
WAF uses an uploaded certificate and the private key of the certificate to decrypt HTTPS traffic only in scenarios where attacks are detected in real time. WAF records only specific content of request payloads. The content is determined based on attack characteristics. Then, WAF provides attack reports and data statistics based on the content. WAF can record the full content of requests or responses only when WAF is authorized.
WAF is accredited against various authoritative standards, including ISO 9001, ISO 20000, ISO 22301, ISO 27001, ISO 27017, ISO 27018, ISO 27701, ISO 29151, BS 10012, Cloud Security Alliance (CSA) STAR, MLPS level 3, Service Organization Control (SOC) 1, SOC 2, SOC 3, Cloud Computing Compliance Criteria Catalogue (C5), Green Finance Certification Scheme developed by Hong Kong Quality Assurance Agency (HKQAA), Outsourced Service Providers Audit Report (OSPAR), and Payment Card Industry Data Security Standard (PCI DSS). The standards also include those that prove the effectiveness of WAF across financial sectors in Hong Kong (China). WAF also provides the same security and compliance qualifications as Alibaba Cloud. For more information, visit Alibaba Cloud Trust Center.
A domain name is added to WAF. Why am I unable to find the domain name in the domain name list?
The domain name is automatically removed by WAF. This may be because the ICP filing information of the domain name is invalid. You must complete an ICP filing for the domain name and add the domain name to WAF again. For more information about ICP filing, see ICP filing application overview.
How can I use WAF to defend against HTTP flood attacks?
WAF provides various protection modes to defend against HTTP flood attacks. You can select a mode based on your business requirements. For more information, see Configure HTTP flood protection.
To achieve better protection and reduce the occurrence of false positives, you can use WAF Business Edition or WAF Enterprise Edition based on your business requirements. For more information, see Create a custom protection policy.
How long does it take for configuration modifications in the WAF console to take effect?
In most cases, configuration modifications take effect within 1 minute.
When I configure custom protection policies (ACL policies) in the WAF console, can I enter CIDR blocks in the IP field?
Yes, you can enter CIDR blocks in the IP field when you configure custom protection policies in the WAF console.
Why does a custom protection policy whose URL match field contains two forward slashes (//) not take effect?
When the rules engine of WAF processes the URL match field, it compresses consecutive forward slashes (/) into a single slash. Therefore, a custom protection policy whose URL match field contains two forward slashes (//) can never be matched by the rules engine.
If you want to define an ACL policy whose URL match field contains two forward slashes (//), you must enter only one forward slash (/). For example, if you want to set the URL match field to //api/sms/request, enter /api/sms/request. This way, WAF can implement access control based on the policy.
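The following added example (not WAF's own rules engine or policy format) models the behaviour described above: the request path has consecutive slashes compressed before it is compared with the URL match field as entered, so a rule typed with // never matches while the single-slash form matches both spellings of the request. The policy list and the exact-match comparison are illustrative assumptions.

```python
import re

# Constructed sample ACL policies as (URL match field, action).
# This is an illustrative structure, not the WAF console's policy format.
POLICIES = [
    ("//api/sms/request", "block"),  # as typed with //: never matches
    ("/api/sms/request", "block"),   # the single-slash form the FAQ recommends
]


def compress_slashes(path: str) -> str:
    """Collapse runs of consecutive forward slashes, mirroring the
    compression the FAQ says the rules engine applies before matching."""
    return re.sub(r"/{2,}", "/", path)


def policy_matches(rule_url: str, request_path: str) -> bool:
    """Compare the URL match field, as entered, with the compressed request path.

    Because the request side is compressed and the rule side is taken literally,
    a rule containing // can never equal any compressed path (assumed model).
    """
    return rule_url == compress_slashes(request_path)


def matching_rules(request_path: str, policies=POLICIES):
    """Return the URL match fields of all policies that hit this request path."""
    return [rule for rule, _ in policies if policy_matches(rule, request_path)]


def evaluate(request_path: str, policies=POLICIES) -> str:
    """Return the action of the first matching policy, or 'allow' if none match."""
    for rule_url, action in policies:
        if policy_matches(rule_url, request_path):
            return action
    return "allow"


if __name__ == "__main__":
    for path in ("//api/sms/request", "/api/sms/request", "/api///sms/request"):
        print(f"{path!r:24} -> {compress_slashes(path)!r:20} "
              f"matches {matching_rules(path)} action={evaluate(path)}")
```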
Can I view the source IP addresses of HTTP flood attacks in the WAF console?
Yes, you can view the source IP addresses of HTTP flood attacks in the WAF console. You can view the source IP addresses of HTTP flood attacks after you enable the Log Service for WAF feature. For more information, see Get started with the Log Service for WAF feature and Query logs.
How do I query the bandwidth usage of WAF?
You can query the bandwidth usage of WAF on the Overview page in the WAF console.