After you add web services to Web Application Firewall (WAF), you can configure data leakage prevention rules to filter abnormal returned content and mask sensitive information, such as ID card numbers, phone numbers, bank card numbers, and sensitive words. Then, WAF returns the masked information or default response pages to clients. This topic describes how to create a data leakage prevention rule template and add rules to the template.

Limits

You cannot configure this type of protection rule for Application Load Balancer (ALB) instances or Microservices Engine (MSE) instances that are added to WAF in cloud native mode.

Prerequisites

Step 1: Create a data leakage prevention rule template

WAF does not provide a default data leakage prevention rule template. Before you can enable a data leakage prevention rule, you must create a data leakage prevention rule template.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region to which the WAF instance that you want to manage belongs. You can select Chinese Mainland or Outside Chinese Mainland for the region.
  2. In the left-side navigation pane, choose Protection Configuration > Protection Rules.
  3. In the lower part of the Protection Rules page, click Create Template in the Data Leakage Prevention section.
    Note: If no data leakage prevention templates exist, you can click Configure Now in the Data Leakage Prevention card in the upper part of the Protection Rules page.
  4. In the Create Template - Data Leakage Prevention panel, configure the parameters and click OK. The following table describes the parameters.
    • Template Name: Enter a name for the template. The name must be 1 to 255 characters in length, and can contain letters, digits, periods (.), underscores (_), and hyphens (-).
    • Rule Configuration: Click Create Rule to create a data leakage prevention rule for the template. You can also create a data leakage prevention rule for the template after the template is created. For more information, see Step 2: Create a data leakage prevention rule for the template.
    • Apply To: Select the protected objects and protected object groups to which you want to apply the template. You can apply only one template of a protection module to a protected object or a protected object group. For information about how to add protected objects and protected object groups, see Protected objects and protected object groups.

    By default, the new rule template is enabled. You can perform the following operations in the rule template list:
    • View the number of protected objects or protected object groups that are associated with the rule template.
    • Turn on or turn off Status to enable or disable the rule template.
    • Click Edit or Delete in the Actions column to modify or delete the rule template.
    • Click the show icon on the left side of a rule template to view the rules in the template.

Step 2: Create a data leakage prevention rule for the template

The data leakage prevention rule template takes effect only after you create data leakage prevention rules for the template. If you already created data leakage prevention rules when you created the template, skip this step.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region to which the WAF instance that you want to manage belongs. You can select Chinese Mainland or Outside Chinese Mainland for the region.
  2. In the left-side navigation pane, choose Protection Configuration > Protection Rules.
  3. In the Data Leakage Prevention section, find the data leakage prevention rule template for which you want to create a rule and click Create Rule in the Actions column.
  4. In the Create Rule dialog box, configure the parameters and click OK. The following table describes the parameters.
    • Rule Name: Enter a name for the rule. The name can contain letters, digits, periods (.), underscores (_), and hyphens (-).
    • Match Condition: Specify the type of sensitive information that you want to detect. Valid values:
      • Status Code: 400, 401, 402, 403, 404, 405–499, 500, 501, 502, 503, 504, and 505–599
      • Sensitive Info: ID Card Number, Credit Card Number, Mobile Phone Number, and Default Sensitive Words
        Important: Data leakage prevention rules can process only data in the formats that are supported in the Chinese mainland. The data includes ID card numbers, mobile phone numbers, and bank card numbers.
      You can select multiple values for Status Code and Sensitive Info.
      If you select And, you can specify the URL that you want to detect. This way, WAF detects sensitive information only on the specified page.
    • Action: Specify the action that you want WAF to perform on the sensitive information that is detected.
      • If you set the Match Condition parameter to Status Code, the following actions can be performed on the detected sensitive information:
        • Monitor: records requests that match the rule in logs without blocking the requests.
        • Block: blocks requests that match the rule and returns a block page to the client that initiated the requests.
      • If you set the Match Condition parameter to Sensitive Info, the following actions can be performed on the detected sensitive information:
        • Monitor: records requests that match the rule in logs without blocking the requests.
        • Mask: masks sensitive information in the requests that match the rule with asterisks (*). The requests are not blocked.
    By default, the new rule is enabled. You can perform the following operations in the rule list:
    • Turn on or turn off Status to enable or disable the rule.
    • Click Edit or Delete in the Actions column to modify or delete the rule.
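The rule semantics described in Step 2 (a Status Code or Sensitive Info match condition, the optional And URL condition, and the Monitor, Block and Mask actions) can be modelled in a few lines to see what each setting does to a response. The following Python is an added illustration and is not WAF code or a description of WAF internals: it assumes that the three numeric formats are recognised by public format checks (the GB 11643 check character for ID card numbers, the Luhn check for bank card numbers, the 1[3-9] prefix for mainland mobile numbers), which WAF's own detectors may or may not use; the block page, its 403 status code, the `apply_rule` and `DETECTORS` names and the sample response are all constructed here. Default Sensitive Words are not modelled because the page does not list them.

```python
"""Model of a WAF data leakage prevention rule applied to one HTTP response.

Added illustration, not Alibaba Cloud WAF code. Rule semantics follow the
page (Status Code / Sensitive Info match, optional URL condition, Monitor /
Block / Mask actions); the detectors are public format checks and are an
assumption about what "sensitive info" detection looks like.
"""
import re

# Weights and check-character table for the 18-character resident ID number
# (GB 11643-1999, ISO 7064 MOD 11-2).
_ID_WEIGHTS = (7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2)
_ID_CHECK = "10X98765432"


def is_valid_id_number(s):
    """True if s has the 18-character ID shape and a correct check character."""
    if not re.fullmatch(r"\d{17}[\dXx]", s):
        return False
    total = sum(int(c) * w for c, w in zip(s, _ID_WEIGHTS))
    return _ID_CHECK[total % 11] == s[-1].upper()


def luhn_ok(digits):
    """True if the digit string passes the Luhn check used by bank card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# Order matters: the ID detector runs before the looser card pattern so the
# 17 leading digits of an ID number are not re-matched as a card number.
DETECTORS = (
    ("ID Card Number", re.compile(r"(?<![\dXx])\d{17}[\dXx](?![\dXx])"), is_valid_id_number),
    ("Credit Card Number", re.compile(r"(?<!\d)\d{16,19}(?!\d)"), luhn_ok),
    ("Mobile Phone Number", re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)"), lambda s: True),
)

# Placeholder block page; the real WAF block page and its status code are not
# shown on the page, so both are assumptions.
BLOCK_STATUS = 403
BLOCK_BODY = "<html><body>Blocked by data leakage prevention rule</body></html>"


def apply_rule(rule, response):
    """Apply one rule to a response dict {status, url, body}.

    rule keys: match ("Status Code" | "Sensitive Info"), status_codes (set),
    sensitive (list of detector names), url (optional path prefix, the "And"
    condition) and action ("Monitor" | "Block" | "Mask").
    Returns (hits to log, possibly rewritten response).
    """
    if rule.get("url") and not response["url"].startswith(rule["url"]):
        return [], response                  # rule is scoped to another page

    hits = []
    if rule["match"] == "Status Code":
        if response["status"] in rule["status_codes"]:
            hits.append("Status Code %d" % response["status"])
            if rule["action"] == "Block":
                return hits, {"status": BLOCK_STATUS, "url": response["url"], "body": BLOCK_BODY}
        return hits, response                # Monitor: log only

    body = response["body"]
    for name, pattern, validate in DETECTORS:
        if name not in rule["sensitive"]:
            continue

        def mask(m, name=name, validate=validate):
            if not validate(m.group(0)):
                return m.group(0)            # right shape, wrong check digit: leave it
            hits.append(name)
            if rule["action"] == "Mask":
                return "*" * len(m.group(0))
            return m.group(0)                # Monitor: log only, body unchanged

        body = pattern.sub(mask, body)
    return hits, dict(response, body=body)


# Constructed sample response: fake values that merely satisfy their check
# digits, plus a 16-digit order number that does not pass Luhn.
SAMPLE = {
    "status": 200,
    "url": "/api/profile",
    "body": "name=zhangsan&id=11010519491231002X&mobile=13812345678"
            "&card=6222021234567890128&order=1234567890123456",
}
MASK_RULE = {
    "match": "Sensitive Info",
    "sensitive": ["ID Card Number", "Mobile Phone Number", "Credit Card Number"],
    "url": "/api/",
    "action": "Mask",
}
BLOCK_RULE = {"match": "Status Code", "status_codes": {500, 502, 503}, "action": "Block"}

if __name__ == "__main__":
    hits, out = apply_rule(MASK_RULE, SAMPLE)
    print(hits)
    print(out["body"])
```

Run as a script, the Mask rule replaces the ID number, mobile number and card number in the constructed body with asterisks and leaves the order number untouched because it fails the Luhn check, which is the kind of false positive a check-digit validation avoids; switching the action to Monitor returns the same hits with the body unchanged, and a URL condition that the response path does not start with makes the rule a no-op, matching the "only on the specified page" behaviour described above.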

What to do next

On the Data Leakage Prevention tab of the Security Reports page, you can view the protection details of the data leakage prevention rules. For more information, see Data leakage prevention module.

References