This topic describes the terminology and protection configuration process for WAF.

Protection configuration process

After you add a web service to WAF, you can perform the following steps to configure protection rules for the web service. The protection configuration process varies based on the method that you use to add the web service to WAF.

1. Add a protected object. What you need to do depends on how the web service was added to WAF:

  • Cloud native: The cloud service instances that are added to WAF are automatically added as protected objects in WAF. If you want to configure different protection rules for domain names that are hosted on a cloud service instance, you must manually add the domain names as protected objects in WAF. For more information, see Add a domain name that is hosted on a cloud service instance as a protected object.
  • CNAME record: You do not need to perform this step. The domain names that are added to WAF in CNAME record mode are automatically added as protected objects in WAF.

2. (Optional) Add a protected object to a protected object group. If you want to configure the same protection rules for multiple protected objects, you can add the protected objects to a protected object group and then configure protection rules for the protected object group. The protection rules of the protected object group take effect on all protected objects in the group.

Before you can use a protected object group, you must create a protected object group and add protected objects to the group. For more information, see Create a protected object group.

3. Create a protection template. Before you can enable a protection module, you must create a protection template for the protection module. Then, you can apply the protection template to specified protected objects or protected object groups.

The basic protection rule and whitelist modules provide built-in default protection templates. You do not need to create a protection template. If you want to enable other protection modules, you must manually create protection templates for the protection modules. For more information, see Protection module overview.

You can create multiple protection templates and then use the protection templates to configure protection rules for different protected objects. For more information, see Example: Configure multiple protection templates for a protection module.

4. Manage protection rules. You can manage protection rules in the protection templates of different protection modules. For example, you can add, enable, or disable rules. Rule modifications in a protection template take effect on the objects to which the protection template is applied.

The operations that you can perform on protection rules vary based on the protection template. For more information, see Protection module overview.

Protection module overview

The following table describes the protection modules that are supported by WAF and the default configurations of each protection module.

Basic protection rule
  • Description: Defends against common web application attacks based on a built-in protection rule set. The common web application attacks include SQL injections, cross-site scripting (XSS) attacks, code execution, webshell uploads, and command injections.
  • Default protection template: A built-in default protection template is provided, and the template contains the protection rule set provided by WAF. By default, the default protection template is enabled, and the Block action is specified.
    Important: The basic protection rule module protects all protected objects that are newly added to WAF. The module automatically blocks attack requests.
  • Recommended configuration: We recommend that you retain the default configurations. If the basic protection rule set blocks normal requests, you can configure a whitelist for the basic protection rules. For more information, see Create a whitelist rule.

Basic protection rule group
  • Description: You can configure a custom basic protection rule group or use the default basic protection rule group. You can associate a rule group with a basic protection rule template based on your business requirements to protect your website from common web application attacks.
  • Default protection template: A built-in default basic protection rule group is provided by WAF.
  • Recommended configuration: Before you can enable a custom basic protection rule group, you must create a custom basic protection rule template and configure protection rules for the template.

Whitelist
  • Description: Allows requests that have specified characteristics to bypass the checks of all or specified protection modules. You can configure the characteristics of the requests based on your business requirements.
  • Default protection template: A built-in default protection template is provided, and protection rules are not provided in the default protection template. By default, the default protection template is enabled.
  • Recommended configuration: If you want WAF to allow requests that have specified characteristics, you must create a whitelist rule in the default protection template.

IP address blacklist
  • Description: Blocks requests from specified IPv4 addresses, IPv6 addresses, or CIDR blocks. You can specify the IP addresses or CIDR blocks based on your business requirements.
  • Default protection template: Default protection rule templates are not provided. By default, this protection module is disabled.
  • Recommended configuration: Before you can enable this protection module, you must create a protection rule template and configure protection rules for the template.

Custom rule
  • Description: Blocks requests, verifies requests, or records logs based on the custom characteristics of HTTP requests or a combination of custom characteristics.
    When you configure a custom rule, you can turn on Rate Limiting. After Rate Limiting is turned on, a statistical object, such as an IP address or a session, is added to the blacklist if the request rate of the statistical object exceeds the threshold value. After the statistical object is added to the blacklist, WAF performs a specified action on the requests from the statistical object during the specified period of time.

Scan protection
  • Description: Identifies the scanning behaviors and characteristics of scanners to prevent attackers or scanners from scanning websites. This reduces the risk of intrusions into web services and blocks invalid scanning traffic.

Custom response
  • Description: Allows you to configure the custom block page that WAF returns to the client when a client request is blocked by WAF. You can specify the status code, response headers, and response body of the block page.

HTTP flood protection
  • Description: Mitigates high-frequency HTTP flood attacks based on common built-in HTTP flood protection algorithms. You can also configure rate limiting for HTTP flood protection rules in the custom rule module.

Region Blacklist
  • Description: Blocks requests from client IP addresses in specified regions with a few clicks.

Anti-crawler rules for websites
  • Description: Identifies bot traffic based on the characteristics of clients, traffic, behaviors, and intelligence, and blocks malicious traffic to prevent bandwidth increase, data crawling, spam user registration, malicious orders, malicious voting, and abuse of APIs.

Anti-crawler rules for apps
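The Rate Limiting behavior described for the custom rule module can be modeled to compare statistical objects before a rule is enabled. The following is an added example, not WAF code: the class, the statistical window, the threshold values, and the traffic are constructed assumptions. It shows that counting per IP address blacklists every user behind one shared NAT address, while counting per session affects only the high-rate client.

```python
from collections import defaultdict, deque

class RateLimitRule:
    """Model: count requests per statistical object, blacklist it on excess."""
    def __init__(self, key_field, threshold, window_s, blacklist_s, action="Block"):
        self.key_field, self.threshold = key_field, threshold
        self.window_s, self.blacklist_s, self.action = window_s, blacklist_s, action
        self.hits = defaultdict(deque)   # statistical object -> recent timestamps
        self.blacklist = {}              # statistical object -> blacklist expiry

    def check(self, request, now):
        key = request[self.key_field]
        if self.blacklist.get(key, 0) > now:      # still blacklisted: apply action
            return self.action
        window = self.hits[key]
        window.append(now)
        while window and window[0] <= now - self.window_s:
            window.popleft()                      # drop hits outside the window
        if len(window) > self.threshold:          # rate exceeded: blacklist object
            self.blacklist[key] = now + self.blacklist_s
            window.clear()
            return self.action
        return "pass"

# Constructed traffic: (time in seconds, client IP, session ID).
# Three office users share one NAT address; one client sends requests in bulk.
TRAFFIC = sorted(
    [(i, "203.0.113.10", f"office-{i % 3}") for i in range(12)]
    + [(i + 0.5, "198.51.100.7", "bulk") for i in range(12)]
    + [(200, "203.0.113.10", "office-0")]
)

def replay(key_field, traffic):
    """Return the sessions that received the rule action at least once."""
    rule = RateLimitRule(key_field, threshold=10, window_s=60, blacklist_s=300)
    affected = set()
    for now, ip, session in traffic:
        if rule.check({"ip": ip, "session": session}, now) != "pass":
            affected.add(session)
    return affected

if __name__ == "__main__":
    print("keyed by ip:     ", sorted(replay("ip", TRAFFIC)))
    print("keyed by session:", sorted(replay("session", TRAFFIC)))
```

In the IP-keyed replay, the office request at second 200 is still subject to the action because the blacklist period has not expired, even though the request rate has long since dropped.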

Example: Configure multiple protection templates for a protection module

You can configure multiple protection templates for a protection module. You can use the protection templates to configure protection rules for different protected objects to meet your business requirements.

The basic protection rule module is used in this example. By default, a default protection template is provided, and the Block action is specified in the template. The default protection template is applied to all newly added protected objects in WAF. If WAF detects an attack request that is sent to a protected object, WAF blocks the attack request.

If you want WAF to monitor the attack requests that are sent to newly added protected objects and want WAF to block the attack requests that are sent to existing protected objects, you can use the following configurations. If WAF monitors the attack requests, WAF does not block the attack requests but records the protection rules that are matched by the attack requests.
  • Change the value of the Action parameter to Monitor in the default protection template.
  • Create a protection template. Set the Action parameter to Block and the Apply To parameter to all existing protected objects in WAF.

After you complete the preceding configurations, WAF monitors the attack requests that are sent to the newly added protected objects. After you confirm WAF only blocks unwanted requests, you can apply the protection template that you create to the protected objects.
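The monitor-then-block rollout above can be tracked with a small review script. This is an added example, not part of WAF: the object names, rule IDs, record layout, and the assumption that an explicitly applied template takes precedence over the default template are all constructed for illustration. It decides which monitored objects can move to the Block template based on reviewed monitor-mode matches.

```python
# Constructed model of the rollout; object names and rule IDs are made up.
DEFAULT_TEMPLATE = {"action": "Monitor"}          # applies to newly added objects
BLOCK_TEMPLATE = {"action": "Block",
                  "apply_to": {"shop.example.com", "api.example.com"}}

def resolve_action(obj):
    """Assumption: an explicitly applied template wins over the default one."""
    if obj in BLOCK_TEMPLATE["apply_to"]:
        return BLOCK_TEMPLATE["action"]
    return DEFAULT_TEMPLATE["action"]

# Constructed monitor-mode matches after analyst review:
# (protected object, matched rule ID, request path, analyst verdict)
MONITOR_HITS = [
    ("new.example.com", "R-sqli-01", "/search", "attack"),
    ("new.example.com", "R-xss-07", "/comment", "attack"),
    ("cms.example.com", "R-xss-07", "/admin/editor/save", "legitimate"),
    ("cms.example.com", "R-sqli-01", "/login", "attack"),
]

def false_positive_rules(hits):
    """Map each object to the rules that matched requests judged legitimate."""
    report = {}
    for obj, rule_id, _path, verdict in hits:
        report.setdefault(obj, set())
        if verdict == "legitimate":
            report[obj].add(rule_id)
    return report

def promote_clean_objects(hits):
    """Apply the Block template only to objects with no false positives."""
    promoted = []
    for obj, rules in sorted(false_positive_rules(hits).items()):
        if not rules:
            BLOCK_TEMPLATE["apply_to"].add(obj)
            promoted.append(obj)
    return promoted

if __name__ == "__main__":
    print(false_positive_rules(MONITOR_HITS))
    print(promote_clean_objects(MONITOR_HITS))
```

An object that is held back stays in Monitor until a whitelist rule covers the listed rule for the legitimate request, after which it can be reviewed again.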