This topic describes the release notes for Web Application Firewall (WAF) features.
2021
| Release date | Feature | Description | References |
|---|---|---|---|
| 2021-09-18 | Support for custom header fields that record the actual IP addresses of clients | Custom header fields can be used to record the actual IP addresses of clients. When
you add a website to WAF, you can enable the WAF traffic marking feature and configure
custom header fields to record the actual IP addresses of clients. After you enable
the WAF traffic marking feature, origin servers can obtain the actual IP addresses
of clients from custom header fields that are contained in WAF back-to-origin requests.
You can use the WAF traffic marking feature only after you configure the custom header fields that record the actual IP addresses of clients for the origin servers. |
Add a website |
| 2021-08-13 | Upgraded Log Service for WAF | The Log Service for WAF feature is upgraded.
|
Log fields supported by WAF |
| 2021-07-30 | Support for origin SNI | Enable Origin SNI is supported in CNAME record mode. If your website uses HTTPS and the origin server hosts multiple domain names, you can enable this feature after you select HTTPS. This way, you can add a Server Name Indication (SNI) field in a WAF back-to-origin request to specify the domain name that you want to access. | Add a website |
| 2021-06-22 | Support for server ports in custom protection policies | The Server-Port field is added and can be used as a match field in custom protection policies. The field is supported only for WAF instances that run Business Edition or higher. | Fields in match conditions |
| 2021-05-11 | Support for console-based cluster deployment and node management in Hybrid Cloud WAF | The following features are supported by Hybrid Cloud WAF:
|
Deploy a protection cluster for Hybrid Cloud WAF |
| 2021-05-08 | Support for custom header fields that are used to obtain actual IP addresses of clients | The Obtain Source IP Address parameter is supported in CNAME record mode. If a Layer 7 proxy, such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, is deployed in front of WAF, you can use the value of the specified header field as the actual IP address of the client. If multiple header fields are specified, you can obtain the actual IP address of the client from the fields in sequence. | Add a website |
| 2021-04-01 | Support for IPv6 addresses of origin servers | The IPv6 addresses of origin servers can be specified for Destination Server (IP Address) in CNAME record mode. This feature is suitable for users that need to upgrade their network from IPv4 to IPv6 in the finance, government, and enterprise sectors. | Add a website |
| 2021-03-23 | Support for threat event analysis on the Overview page | The threat event analysis module is added to the Overview page. Threat events are generated based on the analysis of a large number of attack alerts. This module helps you identify attack sources and defend against the attacks. This feature is suitable for scenarios in which your services are at risk of web attacks and you want to obtain threat events based on a large number of alerts. | View protection history on the WAF Overview page |
| 2021-03-18 | Support for false positive ignoring on the Security Report page | False positives can be ignored on the Security Report page. WAF can automatically generate whitelist rules for specific rules. You can also add whitelist rules for Web Intrusion Prevention based on specific rule IDs or rules types. This way, the user experience is improved. This feature is suitable for scenarios in which false positives must be managed at a fine-grained granularity without affecting protection effects. | View security reports |
| 2021-01-29 | Scenario-specific configuration feature released | The scenario-specific configuration feature is released. You can use this feature to customize anti-crawler rules to protect your business from malicious crawlers. | Configure anti-crawler rules for websites |
| 2021-01-15 | Support for custom settings of TLS versions and cipher suites | Transport Layer Security (TLS) protocol versions and cipher suites can be selected based on your business requirements. This helps ensure security compliance and compatibility for HTTPS communication in different scenarios. This feature is suitable for scenarios in which some TLS protocols and cipher suites need to be disabled or enabled due to classified protection requirements and compatibility requirements. | Configure custom TLS settings |
2020
| Release date | Feature | Description | References |
|---|---|---|---|
| 2020-10-21 | Security report optimized | The security report feature is optimized to filter attack records by rule ID. | View security reports |
| 2020-06-04 | Optimized custom protection rule groups and Overview page |
|
Customize protection rule groups |
| 2020-05-20 | Big Data Deep Learning Engine optimized | Attack probability thresholds can be adjusted to achieve optimal protection effects for various business scenarios. | Configure the Big Data Deep Learning Engine |
| 2020-05-18 | Support for Terraform | Terraform is supported to meet the operations and maintenance (O&M) requirements of large enterprises.
Terraform allows you to perform basic operations, such as domain name management and
policy management, by using code.
Note This feature also enables automated operations in the console. This way, high operational
efficiency is achieved and human errors are eliminated. For more information, see
Terraform documentation.
|
None |
| 2020-04-10 | User experience optimized | Data on the Overview page can be drilled down to the Security report page, and data
on the Security report page can be drilled down to the Log Service page. As a result,
the loop of operations data closes.
|
View protection history on the WAF Overview page |
| 2020-04-02 | Support for bot management | Value-added services such as bot management and app protection are supported to provide
intelligent protection against automated attacks and intelligent protection for bot
traffic. The bot management module provides trusted communications to protect native
apps and defends against bot script abuse.
Note The bot management and app protection modules are available only in the new protection
engine that was released in January 2020. If you use a protection engine of an earlier
version, we recommend that you upgrade your protection engine at the earliest opportunity.
|
Configure a whitelist for Bot Management |
| 2020-03-10 | Upgrade guide released for the new protection engine | An upgrade guide is provided to help existing users upgrade their protection engines without service interruption. | Protection engine upgrade |
| 2020-03-04 | Support for intelligent load balancing among multiple SLB service nodes | Intelligent load balancing is supported. WAF connects to multiple Server Load Balancer (SLB) service nodes to enable automatic disaster recovery and optimal routing with low latency. | Intelligent load balancing |
| 2020-02-14 | Upgraded Log Service for WAF and optimized user experience | Log Service for WAF is upgraded. You can enable the full log feature for specific domain names. | None |
| 2020-02-10 | Alert feature upgraded | The alert notification feature is upgraded to provide basic statistics and details about security events and workload monitoring. Related alerts are provided to support routine O&M. | Configure WAF alerting |
| 2020-01-15 | Protection capabilities upgraded | Fine-grained throttling and robust protection against malicious network traffic are
supported in the new protection engine of WAF. The account security feature can be
enabled to protect against common HTTP flood attacks, dictionary attacks, and weak
password sniffing.
Note The protection capabilities can be used by all users. However, only the users who
purchased WAF instances in the console can directly enable these capabilities. Existing
users must wait until March 2020 before they can upgrade their WAF instances to enable
the protection capabilities.
|
Configure the Protection Rules Engine |
2019
| Release date | Feature | Description | References |
|---|---|---|---|
| 2019-12-20 | Features in the Exclusive edition optimized | Features in the WAF Exclusive edition are optimized. You can customize the request timeout period for your domain name. | Create an exclusive cluster |
| 2019-11-28 | Support for account security detection | The account security feature is used to detect account security risks on logon interfaces. The risks include dictionary attacks, brute-force attacks, spam user registrations, weak password sniffing, and SMS flood attacks. | Configure account security |
| 2019-10-25 | Exclusive edition released | The WAF Exclusive edition is released. The Exclusive edition allows you to customize items such as protection ports, TLS versions, cipher suites, and the response page that appears when a request is blocked. This edition meets your special requirements for web application protection. | Create an exclusive cluster |
| 2019-10-22 | URL profiling supported for protected websites | URL profiling is supported. WAF can automatically identify business URL profiles and business volumes based on the normal network traffic that flowed through websites. This allows you to customize protection policies for different websites. | None |
| 2019-10-16 | Data of website scan protection provided on the Overview page | The volume of traffic blocked by the scan protection module, a list of blocked website scan attacks, attack details, and resolutions provided by security experts are displayed on the Overview page in the WAF console. | View protection history on the WAF Overview page |
| 2019-08-22 | Positive security model released | The positive security model is based on algorithms for intelligent big data learning. This model learns the historical network traffic of users in an iterative manner. This allows you to customize automatic protection policies. | Configure the positive security model |
| 2019-07-18 | Web attack details added to the Security report page | Web attack details are added to the Security report page to show the specific causes of blocked attacks. This improves the efficiency of security O&M. | View security reports |
| 2019-06-27 | Protection for HTTP/2-compliant applications | Protection for HTTP/2-compliant applications is supported. This feature increases the coverage rate of application protocols. This ensures that the applications of WAF users are fully protected. | Add a website |
| 2019-06-13 | Decoding methods of web request content in protection configuration | Decoding methods of web request content can be customized in the protection configuration. | Configure the Protection Rules Engine |
| 2019-05-30 | ACL rules optimized | Multiple IP addresses or CIDR blocks can be added to ACL rules for condition matching. | Create a custom protection policy |
| 2019-05-30 | Overview page optimized | The Overview page in the WAF console is optimized. On this page, the system aggregates security operations events based on a large volume of log data and provides professional suggestions for event handling. This page also displays the number of attacks by type and the frequently attacked domain names. This way, the capabilities of WAF are enhanced. | View protection history on the WAF Overview page |
| 2019-03-19 | Threat intelligence feature released | The threat intelligence feature is released. This feature provides a library that contains scan attack information. You can customize the thresholds of network scan frequency and duration for blocking malicious scan attacks based on the information. This feature is used to prevent scan attacks with common signatures, such as path traversal. | Configure scan protection |
| 2019-01-03 | Support for custom countries and regions to block requests | The region blacklist is supported. You can specify countries and regions to block all requests from the IP addresses in the specified countries and regions. | Configure a blacklist |
2018
| Release date | Feature | Description | References |
|---|---|---|---|
| 2018-12-20 | API operations available for website tamper-proofing | API operations are available for website tamper-proofing. You can call these operations to update cached pages and add protection rules. | None |
| 2018-12-13 | Customization of protection rule groups for web applications | Protection rule groups for web applications can be customized. This allows you to configure rules based on your business requirements. This prevents false request blocking caused by default protection rules and ensures business security. | Customize protection rule groups |
| 2018-11-16 | Support for one-year storage of business logs | WAF is integrated with Log Service to collect, query, and analyze business logs of websites that are added to WAF in real time. | Overview of the Log Service for WAF feature |
| 2018-10-24 | Support for traffic marking | Traffic marking is supported. You can specify a header field name and value to mark the traffic forwarded by WAF. | Add a website |
| 2018-10-01 | Support for security events and alerts | Security events and system alerts can be sent to you by using text messages or emails. You can customize metrics to detect business exceptions at the earliest opportunity. | Configure WAF alerting |
| 2018-08-09 | Support for the Big Data Deep Learning Engine | The Big Data Deep Learning Engine is supported. It offers powerful machine learning capabilities for WAF to identify exceptions and block potentially malicious requests. | Configure the Big Data Deep Learning Engine |
| 2018-07-27 | API operations provided | API operations for common configurations in the console are provided to facilitate batch processing. | List of operations by function |
| 2018-04-27 | Precise access control enhanced | More HTTP header fields can be used to set ACL rules and filter access requests. | Create a custom protection policy |
| 2018-03-15 | Support for release of WAF instances | WAF instances can be released in the console based on business requirements. | Terminate the WAF service |
2017
| Release date | Feature update | Description |
|---|---|---|
| 2017-12-28 | Non-standard ports added | More non-standard ports are supported for protection. |
| 2017-11-24 | Support for multiple load balancing algorithms | Multiple load balancing algorithms can be selected as required to meet different business requirements. |
| 2017-10-30 | Application security solutions provided | Application security solutions are provided to protect your applications from traffic flooding attacks and data crawling. |
| 2017-10-26 | Support for WebSocket | WebSocket-compliant website service is supported. |
| 2017-08-31 | Support for monitoring of error codes | Error codes can be monitored. |
| 2017-08-31 | Support for query of service bandwidth | The uplink and downlink bandwidth usage can be queried. |
| 2017-08-31 | Support for the query of queries per second (QPS) | The QPS can be queried by instance or domain name. |
| 2017-08-16 | Support for viewing of blackhole event details | The information such as attack thresholds and events generated when a blackhole occurs can be viewed. |
| 2017-07-27 | Exclusive WAF IP addresses released | Exclusive WAF IP addresses are released. You can purchase exclusive WAF IP addresses to protect specific domain names. |
| 2017-07-25 | Precise access control optimized | Policies for risk control on allowed access requests and region blocking can be configured in precise access control rules. |
| 2017-07-25 | CAPTCHA algorithm optimized | The CAPTCHA algorithm in custom HTTP flood protection rules is optimized, which improves the accuracy in blocking HTTP flood attacks. |
| 2017-07-25 | Support for more logical operators | Logical operators such as "Does not exist" and "Value length range" are added to define precise access control rules. |
| 2017-07-25 | Support for detection of more HTTP fields | Rules for detection of more HTTP fields are supported in precise access control. |
| 2017-06-07 | Support for back-to-origin domain names | Back-to-origin addresses can be set to domain names in website configuration. |
| 2017-05-25 | Data leakage prevention feature released | A sensitive data leakage prevention scheme is released based on network security regulations. |
| 2017-04-12 | HTTPS implementation with a few clicks | HTTPS-based website access is implemented with a few clicks, without changes in server configuration. |
| 2017-04-12 | Support for non-standard ports in multiple editions of WAF | Non-standard ports are supported in multiple editions of WAF for security protection. |
| 2017-03-28 | Support for the big-data threat intelligence feature | The big-data threat intelligence feature is supported. Services such as security score assessment, high-risk warning, and viewing of attack information are provided. |
| 2017-03-08 | Access experience optimized | DNS records can be added with a few clicks. |
| 2017-02-09 | Support for the website tamper-proofing feature | The website tamper-proofing feature is supported to protect web page data from being tampered with. |
| 2017-01-05 | Support for virtual hosts | Virtual hosts (HiChina) are supported for website security protection. |
2016
| Release date | Feature update | Description |
|---|---|---|
| 2016-12-21 | WAF V3.1 released | WAF V3.1 is released. This version improves the core protection capabilities of protection engines and provides features such as blocking IP addresses from specified regions and customizing protection rules to block HTTP flood attacks. |
| 2016-12-01 | Intelligent Semantic Analysis Engine provided | The Intelligent Semantic Analysis Engine is provided. Compared with the RegEx Protection Engine, this engine reduces false positives. |