This topic describes the terminology, process, protection modules, and examples for protection configuration of Web Application Firewall (WAF).
Protection configuration process
After you add web services to WAF, you can perform the following steps to configure protection rules for the web services . The protection configuration process varies based on the mode in which you add the web services to WAF.
Step | Cloud native mode | CNAME record mode |
1. Add a protected object . | The cloud service instances that are added to WAF are automatically added as protected objects in WAF. If you want to configure different protection rules for different domain names pointing to the same cloud service instance, you must manually add the domain names as protected objects in WAF. For more information, see Protected objects and protected object groups. | You do not need to perform this step. The domain names that are added to WAF in CNAME record mode are automatically added as protected objects in WAF. |
2. (Optional) Add a protected object to a protected object group . | If you want to configure the same protection rules for multiple protected objects, you can add the protected objects to a protected object group and then configure protection rules for the protected object group. The protection rules that are configured for the protected object group take effect for all protected objects in the group. Before you can use a protected object group, you must create a protected object group and add protected objects to the group. For more information, see Create a protected object group. | |
3. Create a protection template. | Before you can enable a protection module , you must create a protection template for the protection module. Then, you can apply the protection template to specific protected objects or protected object groups. The basic protection rule and whitelist modules provide built-in default protection templates. You do not need to create a protection template to use these modules. If you want to enable other protection modules, you must create protection templates for the protection modules. For more information, see Protection module overview. You can create multiple protection templates and then use the protection templates to configure different protection rules for different protected objects. For more information, see Example: Configure multiple protection templates for a protection module. | |
4. Manage protection rules. | You can manage protection rules in the protection templates of different protection modules. For example, you can add, enable, or disable rules. Modifications to rules in a protection template take effect for the objects to which the protection template is applied. The operations that you can perform on protection rules vary based on the protection template. For more information, see Protection module overview. | |
Protection module overview
The following table describes the protection modules that are supported by WAF and the default configurations of each protection module.
Protection module | Description | Default protection template | Configuration recommendation |
Defends against common web application attacks based on a built-in protection rule set. The common web application attacks include SQL injection, cross-site scripting (XSS), code execution, webshell upload, and command injection. | A built-in default protection template is provided, and the template contains the protection rule set provided by WAF. By default, the default protection template is enabled, and the Block action is specified. Important The basic protection rule module protects all protected objects that are newly added to WAF. The module automatically blocks attack requests. | We recommend that you retain the default configurations. If the basic protection rule set blocks normal requests, you can configure a whitelist rule to be used with the basic protection rules. For more information, see Configure whitelist rules to allow specific requests. | |
Defends against attacks based on a group of protection rules. You can configure a custom rule group or use the default rule group. You can associate a rule group with a basic protection rule template based on your business requirements to protect your website from common web application attacks. | A built-in default rule group is provided by WAF. | To enable a custom rule group, you must create a rule group template and configure rules for the template. | |
Allows requests that have specific characteristics to bypass the checks of all or specified protection modules. You can configure the characteristics of the requests based on your business requirements. | A built-in default protection template is provided, but no protection rules are pre-defined in the default protection template. By default, the protection template is enabled. | If you want WAF to allow requests that have specific characteristics, you must create a whitelist rule in the default protection template. | |
Mitigates HTTP flood attacks based on built-in common HTTP flood protection algorithms. You can also configure throttling for HTTP flood protection in the custom rule module. | A built-in default protection template is provided, but no protection rules are pre-defined in the default protection template. By default, the protection template is enabled. Note The default protection template takes effect only for subscription WAF Pro Edition, Enterprise Edition, and Ultimate Edition instances. | To enable custom HTTP flood protection rules, you must create an HTTP flood protection template and configure rules for the template. | |
Identifies the scanning behaviors and characteristics of scanners to prevent attackers or scanners from scanning your websites. This helps reduce the risk of intrusions into web services and blocks unwanted scanning traffic. | A built-in default protection template is provided, but no protection rules are pre-defined in the default protection template. By default, the protection template is enabled. Note The default protection template takes effect only for subscription WAF Pro Edition, Enterprise Edition, and Ultimate Edition instances. | To enable custom scan protection rules, you must create a scan protection template and configure rules for the template. | |
Blocks requests from specified IPv4 addresses, IPv6 addresses, or CIDR blocks. You can specify the IP addresses or CIDR blocks based on your business requirements. | No default protection template is provided. By default, this protection module is disabled. | To enable the IP address blacklist module, you must create an IP address blacklist template and configure rules for the template. | |
Blocks requests, verifies requests, or records logs based on the characteristics of HTTP requests or a set of custom characteristics that you specify. When you configure a custom rule, you can turn on Rate Limiting. After Rate Limiting is turned on, a statistical object, such as an IP address or a session, is added to the blacklist if the request rate of the statistical object exceeds the threshold value. After the statistical object is added to the blacklist, WAF performs a specified action on the requests from the statistical object during the specified period of time. | |||
Allows you to configure the block page that WAF returns to the client when a client request is blocked by WAF. You can specify the status code, response headers, and response body of the block page. | |||
Allows you to block client IP addresses from specific regions with a few clicks. | |||
Locks specific web pages to prevent content tampering. When a locked web page receives a request, a preconfigured cached page is returned. | |||
Filters abnormal returned content and masks sensitive information, such as ID card numbers, phone numbers, bank card numbers, and sensitive words. | |||
Detects Layer 4 and Layer 7 bot traffic by using fingerprinting techniques. | |||
Identifies bot traffic based on the characteristics of clients, traffic, behaviors, and intelligence, and blocks malicious traffic to prevent unwanted bandwidth consumption, data crawling, spam user registration, malicious orders, malicious voting, and abuse of APIs. | |||
Ensures the security of major events within a specific time range and provides precise protection for your services. | No default protection template is provided. By default, this protection module is disabled. | To enable the major event protection module, you must create a major event protection template and configure rules for the template. | |
Automatically sorts through the APIs of services that are protected by WAF and detects API vulnerabilities, such as unauthorized access to APIs, exposure of sensitive data, and exposure of internal APIs. This module allows you to trace API exception events by using reports, provides suggestions on how to fix detected vulnerabilities, and provides data for API lifecycle management. This helps you configure comprehensive API security protection. | N/A | ||
Example: Configure multiple protection templates for a protection module
You can configure multiple protection templates for a protection module. You can use the protection templates to configure protection rules for different protected objects to meet your business requirements.
The basic protection rule module is used in this example. A default protection template is provided. By default, the template is enabled, and the Block action is specified in the template. The default protection template is applied to all newly added protected objects in WAF. If WAF detects an attack request that is sent to a protected object, WAF blocks the attack request.
If you want WAF to monitor the attack requests that are sent to newly added protected objects and want WAF to block the attack requests that are sent to existing protected objects, you can use the following configurations. If WAF monitors the attack requests, WAF does not block the attack requests but rather keeps a record of the protection rules that are matched by the attack requests.
Change the value of the Action parameter to Monitor in the default protection template.
Create a protection template. Set the Action parameter to Block and the Apply To parameter to all existing protected objects in WAF.
After you complete the preceding configurations, WAF monitors the attack requests that are sent to the newly added protected objects. After you confirm that WAF only blocks unwanted requests, you can apply the protection template that you created to the protected objects.