Web Application Firewall:WAF 3.0 FAQ

Pre-sales product capability consultation

• Does WAF perform health checks on origin servers?

• Can an exclusive IP in WAF mitigate DDoS attacks?

• How does WAF ensure the security of uploaded certificates and private keys? Does WAF decrypt HTTPS traffic and log request content?

• How does WAF obtain the client source IP and record the client IP through a custom header?

• Does WAF support cross-account use of CDN + Anti-DDoS Proxy + WAF architectures?

• What domain name suffixes are supported for CNAME onboarding?

• Does WAF protect multiple origin server IPs under a single domain?

• Can WAF be integrated with CDN or Anti-DDoS Proxy?

• Does WAF support HTTPS mutual authentication (mTLS)?

• Does WAF support WebSocket, HTTP/2, or SPDY protocols?

• Does WAF support websites that use NTLM protocol authentication?

• Is the WAF QPS limit applied to the entire WAF instance or to each domain individually?

• Does WAF support onboarding for Layer 4 TCP protocol?

Resource onboarding configuration

• What is the difference between an origin IP address and a back-to-origin IP address in WAF?

• Can the same domain use both cloud product onboarding and CNAME onboarding at the same time?

• The same domain name resolves to multiple cloud product instances. How should I onboard?

• Multiple domain names resolve to the same cloud product instance. How should I onboard?

• During CNAME onboarding, how does WAF load balance a domain-type origin (such as CNAME)?

• How to view the WAF back-to-origin IP ranges and the CNAME provided by WAF?

• The CLB, NLB, or ECS instance that you want to add cannot be found on the resource onboarding page

• For the origin IP address in WAF, should I use the public or private IP of an ECS instance?

• When you add an HTTPS listener port, the CLB certificate is incomplete

• Why does adding multiple extended certificates fail during cloud product onboarding?

• After onboarding a cloud product to WAF, do I still need to configure protected objects?

• During CNAME onboarding, why is ERR_TOO_MANY_REDIRECTS prompted after configuring HTTP back-to-origin?

• How to batch export the list of domain information that has been onboarded via CNAME?

• How to update a certificate that is about to expire?

• After cloud product onboarding, can the origin server get the real client IP?

• A weak cipher suite is reported when scanning a domain onboarded to WAF. How to configure the TLS protocol version and cipher suite to meet security requirements?

• The public IP of my origin server is exposed. How do I prevent attackers from bypassing WAF by directly attacking the origin public IP?

Post-onboarding troubleshooting

• Multiple scenarios for 502 errors after onboarding to WAF

• File upload fails after onboarding to WAF

• My website is protected by WAF, but it doesn't appear in the domain list

• Why does the error InvalidTLS occur when onboarding a CLB instance via cloud product onboarding?

• Post-onboarding website access error troubleshooting

• Post-onboarding HTTPS website access error troubleshooting

• Troubleshoot 405 errors

• What do I do if “The HTTPS private key format is invalid” appears when I upload an HTTPS certificate file?

• Troubleshoot a certificate and private key mismatch

• Web application firewall intercepts upload file requests

• How do I resolve logon status loss?

• Why am I unable to access miniapps on a website that I added to WAF?

• Why am I unable to access the website that I added to WAF by using specific clients?

• What to do if blackhole filtering is triggered for your WAF instance

Protection configuration

• Why can I not find a specific protection rule ID in the WAF console?

• Why does a custom rule not take effect after I set the match field to Body Parameter?

• How do I exclude a domain from CC protection detection?

• FAQ about protection configuration

• Common web vulnerabilities

Log management

• Does acl_action:block in WAF logs indicate that the request is actually blocked?

• Why does the upstream_addr field show "-" in logs after onboarding?

• Why are some logs missing?

• Why can I see logs older than the configured retention period?

• Value of remote_addr for an ALB instance