This topic describes the terminology and protection configuration process for Web Application Firewall (WAF).
Protection configuration process
After you add a web service to WAF, you can perform the following steps to configure protection rules for the web service. The protection configuration process varies based on the method that you use to add the web service to WAF.
Cloud native mode
CNAME record mode
1. Add a protected object.
The cloud service instances that are added to WAF are automatically added as protected objects in WAF.
If you want to configure different protection rules for domain names that are hosted on a cloud service instance, you must manually add the domain names as protected objects in WAF. For more information, see Protected objects and protected object groups.
You do not need to perform this step.
The domain names that are added to WAF in CNAME record mode are automatically added as protected objects in WAF.
2. (Optional) Add a protected object to a protected object group.
If you want to configure the same protection rules for multiple protected objects, you can add the protected objects to a protected object group and then configure protection rules for the protected object group. The protection rules of the protected object group take effect for all protected objects in the group.
Before you can use a protected object group, you must create a protected object group and add protected objects to the group. For more information, see Create a protected object group.
3. Create a protection template.
Before you can enable a protection module, you must create a protection template for the protection module. Then, you can apply the protection template to specified protected objects or protected object groups.
The basic protection rule and whitelist modules provide built-in default protection templates. You do not need to create a protection template. If you want to enable other protection modules, you must manually create protection templates for the protection modules. For more information, see Protection module overview.
You can create multiple protection templates and then use the protection templates to configure protection rules for different protected objects. For more information, see Example: Configure multiple protection templates for a protection module.
4. Manage protection rules.
You can manage protection rules in the protection templates of different protection modules. For example, you can add, enable, or disable rules. Rule modifications in a protection template take effect for the objects to which the protection template is applied.
The operations that you can perform on protection rules vary based on the protection template. For more information, see Protection module overview.
Protection module overview
The following table describes the protection modules that are supported by WAF and the default configurations of each protection module.
Default protection template
Defends against common web application attacks based on a built-in protection rule set. The common web application attacks include SQL injections, cross-site scripting (XSS) attacks, code execution, webshell uploads, and command injections.
A built-in default protection template is provided, and the template contains the protection rule set provided by WAF. By default, the default protection template is enabled, and the Block action is specified.
By default, the basic protection rule module takes effect for all new protected objects. The module automatically blocks attack requests.
We recommend that you retain the default configurations.
If the basic protection rule set blocks normal requests, you can configure a whitelist rule for the basic protection rules. For more information, see Configure whitelist rules to allow specific requests.
You can configure a custom basic protection rule group or use the default basic protection rule group. You can associate a rule group with a basic protection rule template based on your business requirements to protect your website from common web application attacks.
A built-in default basic protection rule group is provided by WAF.
Before you can enable a custom basic protection rule group, you must create a custom basic protection rule template and configure protection rules for the template.
Allows requests that have specified characteristics to bypass the checks of all or specified protection modules. You can configure the characteristics of the requests based on your business requirements.
A built-in default protection template is provided, and protection rules are not provided in the default protection template. By default, the default protection template is enabled.
If you want WAF to allow requests that have specified characteristics, you must create a whitelist rule in the default protection template.
Blocks requests from specified IPv4 addresses, IPv6 addresses, or CIDR blocks. You can specify the IP addresses or CIDR blocks based on your business requirements.
Default protection rule templates are not provided. By default, this protection module is disabled.
Before you enable this module, you must create a protection rule template and configure rules for the template.
Blocks requests, verifies requests, or records logs based on the custom characteristics of HTTP requests or a combination of custom characteristics.
When you configure a custom rule, you can turn on Rate Limiting. After Rate Limiting is turned on, a statistical object, such as an IP address or a session, is added to the blacklist if the request rate of the statistical object exceeds the threshold value. After the statistical object is added to the blacklist, WAF performs a specified action on the requests from the statistical object during the specified period of time.
Identifies the scanning behaviors and characteristics of scanners to prevent attackers or scanners from scanning websites. This reduces the risk of intrusions into web services and blocks invalid scanning traffic.
Allows you to configure the custom block page that WAF returns to the client when a client request is blocked by WAF. You can specify the status code, response headers, and response body of the block page.
Mitigates high-frequency HTTP flood attacks based on common built-in HTTP flood protection algorithms. You can also configure rate limiting for HTTP flood protection rules in the custom rule module.
Blocks requests from client IP addresses in specified regions with a few clicks.
This feature allows you to lock specified web pages to avoid content tampering. When a locked web page receives a request, a preconfigured cached page is returned.
This feature helps you to filter abnormal returned content and mask sensitive information, such as ID card numbers, phone numbers, bank card numbers, and sensitive words.
Detects Layer 4 and Layer 7 bot traffic by using fingerprinting techniques.
Identifies bot traffic based on the characteristics of clients, traffic, behaviors, and intelligence, and blocks malicious traffic to prevent bandwidth increase, data crawling, spam user registration, malicious orders, malicious voting, and abuse of APIs.
Automatically sorts API assets for services that are protected by WAF and detects API vulnerabilities, such as unauthorized access to APIs, exposure of sensitive data, and exposure of internal APIs. This module allows you to trace API exception events by using reports, provides suggestions on how to fix detected vulnerabilities, and provides data for API lifecycle management. This helps you configure comprehensive API security protection.
Example: Configure multiple protection templates for a protection module
You can configure multiple protection templates for a protection module. You can use the protection templates to configure protection rules for different protected objects to meet your business requirements.
The basic protection rule module is used in this example. By default, a default protection template is provided, and the Block action is specified in the template. The default protection template is applied to all newly added protected objects in WAF. If WAF detects an attack request that is sent to a protected object, WAF blocks the attack request.
If you want WAF to monitor the attack requests that are sent to newly added protected objects and want WAF to block the attack requests that are sent to existing protected objects, you can use the following configurations. If WAF monitors the attack requests, WAF does not block the attack requests but records the protection rules that are matched by the attack requests.
Change the value of the Action parameter to Monitor in the default protection template.
Create a protection template. Set the Action parameter to Block and the Apply To parameter to all existing protected objects in WAF.
After you complete the preceding configurations, WAF monitors the attack requests that are sent to the newly added protected objects. After you confirm that WAF only blocks unwanted requests, you can apply the protection template that you create to the protected objects.