This topic describes the release notes for Web Application Firewall (WAF) and provides links to the relevant references.
2022
Release date | Feature | Description | References |
---|---|---|---|
2022-11-23 | Support for WAF protection for Layer 4 Classic Load Balancer (CLB) instances, Layer 7 CLB instances, and Elastic Compute Service (ECS) instances | You can specify traffic redirection ports to add Layer 4 CLB instances, Layer 7 CLB instances, and ECS instances to WAF. | |
2022-11-17 | Support for specification downgrade in the WAF console | You can downgrade the following specifications in the WAF console: extended queries per second (QPS), burstable QPS threshold, extra domains, and log storage capacity. | Upgrade and downgrade WAF instances |
2022-10-30 | Available API operations in WAF 3.0 | API operations for common configurations in the console are provided to allow you to perform batch processing. | API overview |
2022-10-27 | Support for the burstable QPS (pay-as-you-go) feature and sandbox feature in WAF 3.0 | The burstable QPS (pay-as-you-go) feature is suitable for scenarios in which expected traffic spikes or unexpected traffic spikes occur, such as traffic spikes during promotional events. In these scenarios, the peak traffic may exceed the sum of the QPS specifications that are supported by your WAF edition and extended QPS specifications. If you enable this feature, you are charged based on the usage of excess QPS resources. The feature helps ensure service continuity and prevents your domain names from being added to a sandbox when the peak service traffic exceeds the current QPS specifications. | None |
2022-10-19 | Support for the monitoring and alerting feature in WAF 3.0 | You can configure alert rules to enable WAF to send alert notifications when attacks and abnormal traffic are detected in access requests. This way, you can check the security status of your business in a timely manner. | Configure WAF alerting |
2022-09-23 | Support for custom header fields that record the source ports of clients | If you select Enable Traffic Mark and then select Source Port when you add a website to WAF, you can configure a custom header to record the source port of a client. This way, your origin server can obtain the actual port of the client. | Add a domain name |
2022-08-24 | Support for custom timeout periods for back-to-origin requests | When you add a website to WAF, you can specify custom timeout periods for new connections, read connections, and write connections based on your business requirements. | Add a domain name |
2022-08-12 | Support for the transparent proxy mode in WAF 2.0 | If your origin server is an ECS instance or is added to a Server Load Balancer (SLB) instance, you can add a website to WAF in transparent proxy mode. | Add a website in transparent proxy mode |
2022-07-22 | Support for data leakage prevention in WAF 3.0 | The data leakage prevention module filters abnormal content returned from the origin and masks sensitive information such as ID card numbers, phone numbers, bank card numbers, and sensitive words. Then, WAF returns the masked information or default response pages. | Configure the data leakage prevention module |
2022-07-22 | Support for website tamper-proofing in WAF 3.0 | The website tamper-proofing module allows you to lock web pages that require protection, such as web pages that contain sensitive information. When a locked web page is requested, WAF returns a cached version of the page. This helps prevent website tampering. | Configure the website tamper-proofing module |
2022-07-20 | Support for the subscription billing method in WAF 3.0 | If you use the subscription billing method, you must pay subscription fees before you use the service. This billing method allows you to reserve resources and reduce costs based on discounted rates. | Subscription billing method |
2022-07-14 | Support for the asset center feature in WAF 3.0 | You can use the asset center feature to identify domain names on Alibaba Cloud and outside Alibaba Cloud, and assess risks based on the attack status of the domain names on the cloud. This way, you can obtain the overall protection status of your domain names. | Asset Center |
2022-06-23 | Support for bot management in WAF 3.0 | This feature allows you to configure custom anti-crawler rules for websites and apps based on your business requirements and protects your business from malicious crawlers. | |
2022-05-30 | Support for major event protection in WAF 3.0 | You can use a protection plan to configure cookie security-related capabilities and protection capabilities based on protection rule groups for major events, IP address blacklists, and collaborative defense. This helps improve protection for customers in attack-and-defense scenarios. | None |
2022-04-21 | Support for HTTP flood protection in WAF 3.0 | The HTTP flood protection module helps defend against HTTP flood attacks on websites. If WAF blocks HTTP flood attacks, WAF returns 405 error pages to clients. | Configure the HTTP flood protection module |
2022-04-21 | Support for region blacklist in WAF 3.0 | The region blacklist module identifies the source regions of requests. You can configure the module to block or allow requests from specific regions to prevent malicious requests. | Configure the region blacklist module |
2022-04-18 | Support for dynamic token-based authentication in WAF 2.0 | Dynamic token-based authentication is integrated into the scenario-specific anti-crawler rule configuration feature and addresses the security and compatibility issues of CAPTCHA verification. A signature is added to each web request: when a client sends a request, the WebSDK provided by WAF generates a signature for the request and sends it together with the request to WAF. If the signature is verified, the request is forwarded to the origin server. If verification fails, a code block is returned so that the client can obtain a dynamic token and sign the request again. | Configure anti-crawler rules for websites |
2022-01-22 | Release of WAF 3.0 | WAF 3.0 allows you to add websites in CNAME record mode that is also supported in WAF 2.0. WAF 3.0 is integrated into the cloud-native architecture of other cloud services such as Application Load Balancer (ALB). This way, you can add websites in cloud-native mode. WAF 3.0 provides more features and a new console to allow you to configure protection settings in an efficient manner to improve user experience. | Release notes for WAF 3.0 |
2022-01-19 | Support for intelligent rule hosting in the protection rules engine feature of WAF 2.0 | The feature allows you to configure the protection rules engine to protect your websites against common web attacks. The common web attacks include SQL injections, cross-site scripting (XSS) attacks, webshell uploads, command injections, backdoor isolation, invalid file requests, path traversal, and common application attacks. | Configure the protection rules engine feature |
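The dynamic token-based authentication entry above (2022-04-18) describes a sign, verify, challenge loop between the client SDK and WAF. The following Python code is an added illustration of that loop and is not Alibaba Cloud's WebSDK or WAF code: it uses an HMAC-SHA256 signature over the method, path, body digest, timestamp, and nonce; the header names, the token lifetime, and the clock-skew window are assumptions, and the sample request body is constructed.

```python
"""Illustrative dynamic-token request signing (added example, not the WAF WebSDK protocol).
Header names, TOKEN_TTL_SECONDS and CLOCK_SKEW_SECONDS are assumptions."""
import hashlib
import hmac
import json
import secrets
import time

TOKEN_TTL_SECONDS = 300     # assumed lifetime of a dynamic token
CLOCK_SKEW_SECONDS = 60     # assumed tolerated difference between client and server clocks


def canonical_request(method, path, body, timestamp, nonce):
    """Bytes that get signed: method, path, body digest, timestamp and nonce."""
    body_digest = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_digest, str(timestamp), nonce]).encode()


def sign(secret, method, path, body, timestamp, nonce):
    return hmac.new(secret, canonical_request(method, path, body, timestamp, nonce),
                    hashlib.sha256).hexdigest()


class TokenIssuer:
    """Verifier side: issues dynamic tokens and checks signed requests."""

    def __init__(self, now=time.time):
        self._now = now
        self._tokens = {}   # token_id -> (secret, expiry); in-memory for the example
        self._seen = set()  # (token_id, nonce) pairs already accepted

    def issue_token(self):
        token_id = secrets.token_hex(8)
        secret = secrets.token_bytes(32)
        self._tokens[token_id] = (secret, self._now() + TOKEN_TTL_SECONDS)
        return token_id, secret

    def verify(self, request):
        """Return ("forward", None) or ("challenge", reason).

        "challenge" stands for the response that tells the client to fetch a new
        token and sign the request again.
        """
        headers = request["headers"]
        token_id = headers.get("X-Token-Id")
        entry = self._tokens.get(token_id)
        if entry is None:
            return "challenge", "unknown token"
        secret, expiry = entry
        now = self._now()
        if now > expiry:
            del self._tokens[token_id]
            return "challenge", "token expired"
        timestamp = headers.get("X-Timestamp", "")
        if not timestamp.isdigit() or abs(now - int(timestamp)) > CLOCK_SKEW_SECONDS:
            return "challenge", "timestamp outside window"
        nonce = headers.get("X-Nonce", "")
        expected = sign(secret, request["method"], request["path"], request["body"],
                        timestamp, nonce)
        # Constant-time comparison so a wrong signature does not leak where it diverged.
        if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
            return "challenge", "bad signature"
        if (token_id, nonce) in self._seen:
            return "challenge", "replayed nonce"
        self._seen.add((token_id, nonce))
        return "forward", None


def client_sign_request(token_id, secret, method, path, body, now=time.time):
    """Client/SDK side: attach token id, timestamp, nonce and signature to a request."""
    timestamp = str(int(now()))
    nonce = secrets.token_hex(8)
    return {
        "method": method, "path": path, "body": body,
        "headers": {
            "X-Token-Id": token_id, "X-Timestamp": timestamp, "X-Nonce": nonce,
            "X-Signature": sign(secret, method, path, body, timestamp, nonce),
        },
    }


def demo():
    """Walk through the four outcomes with a controllable clock; returns the verdicts."""
    clock = [1_700_000_000.0]

    def now():
        return clock[0]

    issuer = TokenIssuer(now=now)
    token_id, secret = issuer.issue_token()
    body = json.dumps({"q": "shoes"}).encode()          # constructed request body
    good = client_sign_request(token_id, secret, "POST", "/api/search", body, now=now)
    verdicts = {"good": issuer.verify(good)}
    tampered = dict(good, body=b'{"q": "boots"}')      # body changed after signing
    verdicts["tampered"] = issuer.verify(tampered)
    verdicts["replay"] = issuer.verify(good)           # same nonce presented twice
    clock[0] += TOKEN_TTL_SECONDS + 1                  # token lifetime has passed
    verdicts["expired"] = issuer.verify(good)
    return verdicts
```

The verifier checks token expiry and the timestamp window before the signature, and records accepted nonces so that a captured signed request cannot be replayed inside the skew window. demo() shows a fresh request being forwarded and a tampered, a replayed, and an expired request each being challenged.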
2021
Release date | Feature | Description | References |
---|---|---|---|
2021-09-18 | Support for custom header fields that record the actual IP addresses of clients | Custom header fields can be used to record the actual IP addresses of clients. When you add a website to WAF, you can enable the WAF traffic marking feature and configure custom header fields to record the actual IP addresses of clients. After you enable the WAF traffic marking feature, origin servers can obtain the actual IP addresses of clients from custom header fields that are included in WAF back-to-origin requests. You can use the WAF traffic marking feature only after you configure the custom header fields that can record the actual IP addresses of clients for the origin servers. | Add a domain name |
2021-08-13 | Upgraded Log Service for WAF | The Log Service for WAF feature is upgraded. | Log fields supported by WAF |
2021-07-30 | Support for origin SNI | You can select Enable Origin SNI when you add a website to WAF in CNAME record mode. If your website uses HTTPS and the origin server hosts multiple domain names, you can enable this feature after you select HTTPS. This way, you can add a Server Name Indication (SNI) field in a WAF back-to-origin request to specify the domain name that you want to access. | Add a domain name |
2021-06-22 | Support for server ports in custom protection policies | The Server-Port field is added and can be used as a match field in custom protection policies. The field is supported only for WAF instances that run Enterprise Edition or higher. | Fields in match conditions |
2021-05-11 | Support for console-based cluster deployment and node management in Hybrid Cloud WAF | Hybrid Cloud WAF supports deploying protection clusters and managing their nodes from the console. | Deploy a protection cluster for Hybrid Cloud WAF |
2021-05-08 | Support for custom header fields that are used to obtain actual IP addresses of clients | The Obtain Source IP Address parameter is supported in CNAME record mode. If a Layer 7 proxy, such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, is deployed in front of WAF, you can use the value of the specified header field as the actual IP address of the client. If multiple header fields are specified, you can obtain the actual IP address of the client from the fields in sequence. | Add a domain name |
2021-04-01 | Support for IPv6 addresses of origin servers | The IPv6 addresses of origin servers can be specified for Destination Server (IP Address) in CNAME record mode. This feature is suitable for users who need to upgrade their network from IPv4 to IPv6 in the finance sector, government sector, and enterprise sector. | Add a domain name |
2021-03-23 | Support for threat event analysis on the Overview page | The threat event analysis module is added to the Overview page. Threat events are generated based on the analysis of a large number of attack alerts. You can use this module to identify attack sources and defend against the attacks. This feature is suitable for scenarios in which your services are at risk of web attacks and you want to obtain threat events based on a large number of alerts. | View Protection History on the WAF Overview Page |
2021-03-18 | Support for ignoring false positives on the Security Report page | False positives can be ignored on the Security Report page. WAF can automatically generate whitelist rules for specific rules, and you can also add whitelist rules for Web Intrusion Prevention based on specific rule IDs or rule types. This feature is suitable for scenarios in which false positives must be managed at a fine granularity without affecting the overall protection configuration. | View security reports |
2021-01-29 | Release of the scenario-specific configuration feature | The scenario-specific configuration feature is released. You can use this feature to configure custom anti-crawler rules to protect your business from malicious crawlers. | Configure anti-crawler rules for websites |
2021-01-15 | Support for custom settings of TLS versions and cipher suites | Transport Layer Security (TLS) protocol versions and cipher suites can be selected based on your business requirements. This helps ensure security compliance and compatibility for HTTPS communication in different scenarios. This feature is suitable for scenarios in which some TLS protocols and cipher suites need to be disabled or enabled due to classified protection requirements and compatibility requirements. | Configure custom TLS settings |
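The custom TLS settings entry (2021-01-15) leaves open what a hardened policy and a compatibility policy look like in concrete terms. The following Python code is an added example, not the WAF console setting itself, that builds both policies as server-side ssl contexts and audits them for a minimum version below TLS 1.2, weak cipher suites, and TLS 1.2 suites without forward secrecy. The cipher string and the weak-token list are assumptions chosen for the example.

```python
"""Server-side TLS policy as Python ssl contexts (added example; not WAF configuration
syntax). STRICT_CIPHERS and WEAK_TOKENS are assumptions for the example."""
import ssl

# Hardened policy: ECDHE key exchange with AEAD ciphers only. PSK, SRP and anonymous
# suites are excluded explicitly because "ECDHE+CHACHA20" would otherwise admit
# ECDHE-PSK-CHACHA20-POLY1305.
STRICT_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!PSK:!SRP:!MD5"

# Substrings that identify cipher suites a compliance check should reject.
WEAK_TOKENS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "ADH", "AECDH",
               "PSK", "SRP", "RC2", "IDEA", "SEED")


def build_server_context(policy):
    """Return an SSLContext for the named policy.

    "compatible" mirrors a legacy setting that accepts every protocol version the
    OpenSSL build allows together with the ALL cipher list; "strict" is the hardened
    setting with TLS 1.2 as the floor and forward-secret AEAD suites only.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if policy == "compatible":
        ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
        ctx.set_ciphers("ALL")
    elif policy == "strict":
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
        ctx.set_ciphers(STRICT_CIPHERS)
        # Enforce the server's order and never negotiate TLS-level compression.
        ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE | ssl.OP_NO_COMPRESSION
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return ctx


def audit_context(ctx):
    """Return a list of findings; an empty list means the context passes every check."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version is below TLS 1.2")
    for cipher in ctx.get_ciphers():
        name = cipher["name"]
        if any(token in name for token in WEAK_TOKENS):
            findings.append(f"weak cipher suite enabled: {name}")
        # TLS 1.3 suites (TLS_*) are always ephemeral; TLS 1.2 suites need (EC)DHE.
        elif not name.startswith(("TLS_", "ECDHE-", "DHE-")):
            findings.append(f"no forward secrecy: {name}")
    return findings


def minimum_version_name(ctx):
    """Human-readable floor, e.g. "TLSv1_2"; convenient for reports and tests."""
    return ctx.minimum_version.name
```

set_ciphers() only governs TLS 1.2 and earlier; the TLS 1.3 suites are selected by OpenSSL separately and show up in get_ciphers() with a TLS_ prefix, which is why the audit treats that prefix as forward-secret. Run audit_context() against both policies to see the compatibility policy flagged for its protocol floor and its RSA key-exchange suites.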
2020
Release date | Feature | Description | References |
---|---|---|---|
2020-10-21 | Optimized security report | The security report feature is optimized to filter attack records by rule ID. | View security reports |
2020-06-04 | Optimized custom protection rule groups and Overview page | Custom protection rule groups and the Overview page are optimized. | Customize protection rule groups |
2020-05-18 | Support for Terraform | Terraform is supported to meet the O&M requirements of large enterprises. Terraform allows you to perform basic operations, such as domain name management and policy management, by using code. Note: Operations that are otherwise performed in the console can be automated this way, which improves operational efficiency and eliminates human errors. For more information, see Terraform documentation. | None |
2020-04-10 | Optimized user experience | Data on the Overview page can be drilled down to the Security Report page, and data on the Security Report page can be drilled down to the Log Service page. This closes the loop between overview, report, and log data. | View Protection History on the WAF Overview Page |
2020-04-02 | Support for bot management | Value-added services such as bot management and app protection are supported to provide intelligent protection against automated attacks and intelligent protection for bot traffic. The bot management module ensures trusted connections to protect native apps and defends against bot script abuse. Note: The bot management module and app protection module are available only in the new protection engine that was released in January 2020. If you use a protection engine of an earlier version, we recommend that you upgrade your protection engine at the earliest opportunity. | Configure a whitelist for Bot Management |
2020-03-04 | Support for intelligent load balancing among multiple SLB service nodes | Intelligent load balancing is supported. WAF connects to multiple SLB service nodes to perform automatic disaster recovery and optimal routing at low latency. | Intelligent load balancing |
2020-02-14 | Upgraded Log Service for WAF and optimized user experience | The Log Service for WAF feature is upgraded. You can enable the full log feature for specific domain names. | None |
2020-02-10 | Upgraded alert feature | The alert notification feature is upgraded to provide basic statistics and details of security events and workload monitoring. Related alerts are provided to support routine O&M. | Configure WAF alerting |
2020-01-15 | Upgraded protection capabilities | Fine-grained throttling and robust protection against malicious network traffic are supported in the new protection engine of WAF. The account security feature can be enabled to protect against common HTTP flood attacks, dictionary attacks, and weak password sniffing. Note: These capabilities are available to all users. Users who purchase new WAF instances in the console can enable them directly; existing users can enable them after they upgrade their WAF instances, which is possible starting in March 2020. | Configure the protection rules engine feature |
2019
Release date | Feature | Description | References |
---|---|---|---|
2019-12-20 | Optimized features in the Exclusive edition | Features in the WAF Exclusive edition are optimized. You can specify a custom request timeout period for your domain name. | Create an exclusive cluster |
2019-11-28 | Support for account security detection | The account security feature is used to detect account security risks on logon interfaces. The risks include dictionary attacks, brute-force attacks, spam user registrations, weak password sniffing, and SMS flood attacks. | Configure account security |
2019-10-25 | Release of the exclusive edition | The WAF Exclusive edition is released. The Exclusive edition allows you to configure custom items such as protection ports, TLS versions, cipher suites, and the response page that appears when a request is blocked. This edition can meet your special requirements for web application protection. | Create an exclusive cluster |
2019-10-22 | Support for URL profiling for protected websites | URL profiling is supported. WAF can automatically identify business URL profiles and business volumes based on the normal network traffic that is sent to websites. This way, you can configure custom protection policies for different websites. | None |
2019-10-16 | Data of website scan protection provided on the Overview page | The volume of traffic that is blocked by the scan protection module, a list of blocked website scan attacks, attack details, and resolutions that are provided by security experts are displayed on the Overview page in the WAF console. | View Protection History on the WAF Overview Page |
2019-08-22 | Release of the positive security model | The positive security model is based on algorithms for intelligent big data learning. This model is trained based on the historical network traffic of users in an iterative manner. This way, you can configure custom automatic protection policies. | Configure the positive security model |
2019-07-18 | Web attack details added to the Security Report page | Web attack details are added to the Security Report page to indicate the specific causes of blocked attacks. This helps improve the efficiency of security O&M. | View security reports |
2019-06-27 | Protection for HTTP/2-compliant applications | Protection for HTTP/2-compliant applications is supported. This feature increases the coverage rate of application protocols. This helps ensure that the applications of WAF users are fully protected. | Add a domain name |
2019-06-13 | Decoding methods of web request content in protection configuration | Custom decoding methods for web request content can be configured in the protection configuration. | Configure the protection rules engine feature |
2019-05-30 | Optimized ACL rules | Multiple IP addresses or CIDR blocks can be added to ACL rules for condition matching. | Create a custom protection policy |
2019-05-30 | Optimized Overview page | The Overview page in the WAF console is optimized. On this page, the system aggregates security operations events based on a large volume of log data and provides professional suggestions for event handling. This page also displays the number of attacks by type and the frequently attacked domain names. This way, the capabilities of WAF are optimized. | View Protection History on the WAF Overview Page |
2019-03-19 | Release of the threat intelligence feature | The threat intelligence feature is released. This feature provides a library that contains scan attack information. You can specify custom thresholds for network scan frequency and a time period for which you want to block malicious scan attacks based on the information. This feature is used to prevent scan attacks that use common signatures, such as path traversal. | Configure scan protection |
2019-01-03 | Support for custom countries and regions to block requests | The region blacklist is supported. You can specify countries and regions to block all requests from the IP addresses in the specified countries and regions. | Configure a blacklist |
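The account security entry above (2019-11-28) lists dictionary attacks, brute-force attacks, weak password sniffing, and SMS flood attacks on logon interfaces. The following Python code is an added example of how that kind of detection can run over access logs and is not the WAF module's own logic: the log format, the log lines, and the thresholds are all constructed for the example, and the IP addresses are IETF documentation ranges.

```python
"""Sliding-window detection of logon abuse over access-log lines (added example; the
log format, thresholds and SAMPLE_LOG are constructed, not WAF's internal rules)."""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+)"
    r"(?: user=(?P<user>\S+))? status=(?P<status>\d{3})$")

WINDOW_SECONDS = 60             # assumed detection window
FAILED_LOGINS_PER_ACCOUNT = 5   # dictionary / brute-force attack on one account
ACCOUNTS_PER_SOURCE = 4         # one source failing against many accounts (spraying)
SMS_REQUESTS_PER_SOURCE = 5     # SMS flood against the verification-code endpoint

# Constructed sample: one brute-force source, one spraying source, one SMS flooder,
# and one ordinary user (192.0.2.5) who mistypes a password once.
SAMPLE_LOG = """\
2019-11-28T10:00:01Z 203.0.113.7 POST /login user=alice status=401
2019-11-28T10:00:02Z 203.0.113.7 POST /login user=alice status=401
2019-11-28T10:00:03Z 203.0.113.7 POST /login user=alice status=401
2019-11-28T10:00:04Z 192.0.2.5 POST /login user=grace status=200
2019-11-28T10:00:05Z 203.0.113.7 POST /login user=alice status=401
2019-11-28T10:00:06Z 203.0.113.7 POST /login user=alice status=401
2019-11-28T10:01:00Z 198.51.100.9 POST /login user=bob status=401
2019-11-28T10:01:05Z 198.51.100.9 POST /login user=carol status=401
2019-11-28T10:01:10Z 198.51.100.9 POST /login user=dave status=401
2019-11-28T10:01:15Z 198.51.100.9 POST /login user=erin status=401
2019-11-28T10:02:00Z 203.0.113.40 POST /sms/send status=200
2019-11-28T10:02:02Z 203.0.113.40 POST /sms/send status=200
2019-11-28T10:02:04Z 203.0.113.40 POST /sms/send status=200
2019-11-28T10:02:06Z 203.0.113.40 POST /sms/send status=200
2019-11-28T10:02:08Z 203.0.113.40 POST /sms/send status=200
2019-11-28T10:05:00Z 192.0.2.5 POST /login user=grace status=401
""".splitlines()


def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").timestamp()
    event["status"] = int(event["status"])
    return event


def detect(lines):
    """Return alerts as (rule, source_ip, detail) tuples, each fired at most once."""
    events = sorted((e for e in map(parse, lines) if e), key=lambda e: e["ts"])
    fails_by_account = defaultdict(deque)   # (ip, user) -> failed-login timestamps
    fails_by_ip = defaultdict(deque)        # ip -> (timestamp, user) of failed logins
    sms_by_ip = defaultdict(deque)          # ip -> timestamps of SMS requests
    alerts, fired = [], set()

    def fire(rule, ip, detail, key):
        if (rule, ip, key) not in fired:
            fired.add((rule, ip, key))
            alerts.append((rule, ip, detail))

    def trim(queue, now, stamp=lambda item: item):
        while queue and now - stamp(queue[0]) > WINDOW_SECONDS:
            queue.popleft()

    for e in events:
        ip, now = e["ip"], e["ts"]
        if e["path"] == "/login" and e["status"] in (401, 403) and e["user"]:
            per_account = fails_by_account[(ip, e["user"])]
            per_account.append(now)
            trim(per_account, now)
            if len(per_account) >= FAILED_LOGINS_PER_ACCOUNT:
                fire("dictionary_attack", ip, e["user"], e["user"])
            per_ip = fails_by_ip[ip]
            per_ip.append((now, e["user"]))
            trim(per_ip, now, stamp=lambda item: item[0])
            accounts = {user for _, user in per_ip}
            if len(accounts) >= ACCOUNTS_PER_SOURCE:
                fire("password_spraying", ip, ",".join(sorted(accounts)), None)
        elif e["path"] == "/sms/send":
            sms = sms_by_ip[ip]
            sms.append(now)
            trim(sms, now)
            if len(sms) >= SMS_REQUESTS_PER_SOURCE:
                fire("sms_flood", ip, e["path"], e["path"])
    return alerts
```

Two counters are kept per source on purpose: failures against a single account catch a dictionary attack on that account, while the number of distinct accounts a source fails against within the window catches spraying, which stays under any per-account threshold. The single failed attempt from 192.0.2.5 produces no alert.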
2018
Release date | Feature | Description | References |
---|---|---|---|
2018-12-20 | Available API operations for website tamper-proofing | API operations are available for website tamper-proofing. You can call these operations to update cached pages and add protection rules. | None |
2018-12-13 | Custom protection rule groups for web applications | Custom protection rule groups for web applications can be configured. This way, you can configure rules based on your business requirements. This helps prevent false request blocking that is caused by default protection rules and ensure business security. | Customize protection rule groups |
2018-11-16 | Support for one-year storage of business logs | WAF is integrated into Log Service to collect, query, and analyze business logs of websites that are added to WAF in real time. | Overview |
2018-10-24 | Support for traffic marking | Traffic mark is supported. You can specify a header field name and value to mark the traffic that is forwarded by WAF. | Add a domain name |
2018-10-01 | Support for security events and alerts | Security events and system alerts can be sent by text message or email. You can configure custom metrics to detect business exceptions at the earliest opportunity. | Configure WAF alerting |
2018-07-27 | Release of API operations | API operations for common configurations in the console are provided to allow you to perform batch processing. | List of operations by function |
2018-04-27 | Optimized precise access control | More HTTP header fields can be used to configure ACL rules and filter access requests. | Create a custom protection policy |
2018-03-15 | Support for release of WAF instances | WAF instances can be released in the console based on business requirements. | Terminate the WAF service |
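Several entries above (traffic marking on 2018-10-24, custom client-IP headers on 2021-09-18 and 2021-05-08, and the source-port header on 2022-09-23) describe header fields that WAF adds to back-to-origin requests. The origin server still has to decide which of those headers to believe, because any client that reaches the origin directly can send the same header names. The following Python code is an added example of that decision logic and is not Alibaba Cloud code: the header names, the traffic-mark value, and the address ranges (IETF documentation ranges) are assumptions.

```python
"""Resolve the real client address and port behind WAF (added example; header names,
mark value and address ranges are assumptions, not Alibaba Cloud's published values)."""
import hmac
import ipaddress

# Addresses WAF uses for back-to-origin requests (documentation ranges stand in here).
WAF_BACK_TO_ORIGIN_CIDRS = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "2001:db8:1::/48")]
# Every proxy that legitimately appends to X-Forwarded-For: WAF plus the Layer 7 proxy
# (Anti-DDoS or CDN) deployed in front of it.
TRUSTED_PROXY_CIDRS = WAF_BACK_TO_ORIGIN_CIDRS + [ipaddress.ip_network("198.51.100.0/24")]
TRAFFIC_MARK_HEADER = "x-waf-mark"                 # assumed custom header configured in WAF
TRAFFIC_MARK_VALUE = "constructed-mark-value"      # assumed secret value; keep it long and random
CLIENT_IP_HEADERS = ("x-client-ip", "x-forwarded-for")   # consulted in this order
CLIENT_PORT_HEADER = "x-client-port"


def _in_any(ip, networks):
    return any(ip in net for net in networks)


def _client_from_forwarded_for(value):
    """Walk X-Forwarded-For from the right and return the first hop that is not a
    trusted proxy. The leftmost entry is whatever the client chose to send, so it is
    never taken at face value."""
    for hop in reversed([h.strip() for h in value.split(",")]):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return None          # malformed entry: do not guess, fall back to the peer
        if not _in_any(ip, TRUSTED_PROXY_CIDRS):
            return str(ip)
    return None


def resolve_client(peer_ip, headers):
    """Return {"ip", "port", "via_waf"} for a request the origin received from peer_ip."""
    h = {k.lower(): v for k, v in headers.items()}
    peer = ipaddress.ip_address(peer_ip)
    mark_ok = hmac.compare_digest(h.get(TRAFFIC_MARK_HEADER, "").encode(),
                                  TRAFFIC_MARK_VALUE.encode())
    if not (_in_any(peer, WAF_BACK_TO_ORIGIN_CIDRS) and mark_ok):
        # Not forwarded by WAF: every client-supplied header is untrusted.
        return {"ip": peer_ip, "port": None, "via_waf": False}

    client_ip = None
    for name in CLIENT_IP_HEADERS:
        value = h.get(name)
        if not value:
            continue
        if name == "x-forwarded-for":
            client_ip = _client_from_forwarded_for(value)
        else:
            try:
                client_ip = str(ipaddress.ip_address(value.strip()))
            except ValueError:
                client_ip = None
        if client_ip:
            break

    raw_port = h.get(CLIENT_PORT_HEADER, "")
    port = int(raw_port) if raw_port.isdigit() and 0 < int(raw_port) < 65536 else None
    return {"ip": client_ip or peer_ip, "port": port, "via_waf": True}
```

Two checks gate everything else: the TCP peer must be a WAF back-to-origin address, and the traffic mark must match, which together reject requests that bypass WAF and arrive with forged client-IP headers. The headers are then read in the configured order, and an X-Forwarded-For chain is walked from the right so that a value the client prepended is ignored.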
2017
Release date | Release notes | Description |
---|---|---|
2017-12-28 | Non-standard ports added | More non-standard ports are supported for protection. |
2017-11-24 | Support for multiple load balancing algorithms | Multiple load balancing algorithms can be selected as required to meet different business requirements. |
2017-10-30 | Provided application security solutions | Application security solutions are provided to protect your applications from traffic flooding attacks and data crawling. |
2017-10-26 | Support for WebSocket | WebSocket-compliant website service is supported. |
2017-08-31 | Support for error code monitoring | Error codes can be monitored. |
2017-08-31 | Support for query of service bandwidth | The uplink bandwidth usage and downlink bandwidth usage can be queried. |
2017-08-31 | Support for the query of QPS | The QPS can be queried by instance or domain name. |
2017-08-16 | Support for visualization of blackhole event details | Information such as the attack thresholds and the events that are generated when a blackhole event occurs can be viewed. |
2017-07-27 | Release of exclusive WAF IP addresses | Exclusive WAF IP addresses are released. You can purchase exclusive WAF IP addresses to protect specific domain names. |
2017-07-25 | Optimized precise access control | Policies for risk control on allowed access requests and region blocking can be configured in precise access control rules. |
2017-07-25 | Optimized CAPTCHA algorithm | The CAPTCHA algorithm in custom HTTP flood protection rules is optimized. This helps improve the accuracy in blocking HTTP flood attacks. |
2017-07-25 | Support for more logical operators | Logical operators such as "Does not exist" and "Value length range" are added to define precise access control rules. |
2017-07-25 | Support for detection of more HTTP fields | Rules for detection of more HTTP fields are supported in precise access control. |
2017-06-07 | Support for back-to-origin domain names | Back-to-origin addresses can be set to domain names in website configuration. |
2017-05-25 | Release of the data leakage prevention feature | A sensitive data leakage prevention scheme is released based on network security regulations. |
2017-04-12 | HTTPS implementation with a few clicks | HTTPS-based website access can be configured with a few clicks, without the need to modify the server configuration. |
2017-04-12 | Support for non-standard ports in multiple editions of WAF | Non-standard ports are supported in multiple editions of WAF for security protection. |
2017-03-28 | Support for the big-data threat intelligence feature | The big-data threat intelligence feature is supported. Capabilities such as security score assessment, high-risk warning, and visualization of attack information are provided. |
2017-03-08 | Optimized access experience | DNS records can be added with a few clicks. |
2017-02-09 | Support for the website tamper-proofing feature | The website tamper-proofing feature is supported to protect web page content from being tampered with. |
2017-01-05 | Support for virtual hosts | Virtual hosts (HiChina) are supported for website security protection. |
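The data leakage prevention entries above (2017-05-25 and 2022-07-22) describe masking of ID card numbers, phone numbers, bank card numbers, and sensitive words in responses, with a default page returned in place of a response when needed. The following Python code is an added example of that masking and is not the WAF module's rule set: it validates ID numbers and bank card numbers with their check digits so that an unrelated 18-digit reference is not masked by mistake, and the patterns, mask shapes, sensitive-word list, sample body, and threshold are all constructed for the example.

```python
"""Response-body masking for common personal identifiers (added example; patterns, mask
shapes, SENSITIVE_WORDS, DEFAULT_PAGE and SAMPLE_BODY are constructed assumptions)."""
import re

# 18-digit PRC resident ID: region, birth date, sequence, check character.
ID_WEIGHTS = (7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2)
ID_CHECK_CODES = "10X98765432"
ID_RE = re.compile(r"(?<![\dXx])[1-9]\d{5}(?:19|20)\d{2}(?:0[1-9]|1[0-2])"
                   r"(?:0[1-9]|[12]\d|3[01])\d{3}[\dXx](?![\dXx])")
PHONE_RE = re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)")    # mainland China mobile numbers
CARD_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")       # candidate card numbers, confirmed by Luhn
SENSITIVE_WORDS = ("confidential", "internal only")    # constructed word list
DEFAULT_PAGE = "<html><body>The requested content is unavailable.</body></html>"

# Constructed sample: a valid ID, a phone, a Luhn-valid card, and an 18-digit order
# reference that looks like an ID but fails the check digit.
SAMPLE_BODY = ("Customer 张三, ID 110101199003070011, phone 13812345678, "
               "card 6222020000000007, order ref 110101199003070012, marked CONFIDENTIAL.")


def valid_id_number(s):
    """ISO 7064 MOD 11-2 check character used by 18-digit resident ID numbers."""
    total = sum(int(d) * w for d, w in zip(s[:17], ID_WEIGHTS))
    return ID_CHECK_CODES[total % 11] == s[17].upper()


def luhn_ok(s):
    """Luhn check digit used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(s)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def partial(s, head, tail):
    """Keep the first `head` and last `tail` characters, star out the middle."""
    return s[:head] + "*" * (len(s) - head - tail) + s[-tail:]


def filter_response(body, max_hits=None):
    """Return (masked_body, hits). When hits exceed max_hits the whole body is replaced
    by DEFAULT_PAGE, the way a response with too much sensitive content is swapped out."""
    hits = 0

    def masker(validate, head, tail):
        def repl(m):
            nonlocal hits
            s = m.group(0)
            if validate and not validate(s):
                return s     # looks like an identifier but fails its checksum: leave it
            hits += 1
            return partial(s, head, tail)
        return repl

    # Order matters: the ID pass runs first so its digits cannot be re-matched as a
    # card or phone number; the phone pattern is digit-bounded for the same reason.
    body = ID_RE.sub(masker(valid_id_number, 6, 4), body)
    body = CARD_RE.sub(masker(luhn_ok, 6, 4), body)
    body = PHONE_RE.sub(masker(None, 3, 4), body)
    for word in SENSITIVE_WORDS:
        body, n = re.subn(re.escape(word), "***", body, flags=re.IGNORECASE)
        hits += n
    if max_hits is not None and hits > max_hits:
        return DEFAULT_PAGE, hits
    return body, hits
```

Running filter_response(SAMPLE_BODY) masks the ID, phone, and card and replaces the sensitive word, but leaves the order reference untouched because its check digit does not validate; with max_hits=2 the same body is replaced by DEFAULT_PAGE.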
2016
Release date | Release notes | Description |
---|---|---|
2016-12-21 | Release of WAF V3.1 | WAF V3.1 is released. This version improves the core protection capabilities of protection engines and provides features to allow you to perform operations such as blocking IP addresses from specific regions and configuring custom protection rules to block HTTP flood attacks. |
2016-12-01 | Provided Intelligent Semantic Analysis Engine | The Intelligent Semantic Analysis Engine is provided. Compared with the RegEx Protection Engine, this engine helps reduce false positives. |