
WAF FAQ

Last Updated: Jul 11, 2018

Answers

Can servers outside Alibaba Cloud use WAF?

Yes. WAF can protect any web server or application that is reachable over the Internet, whether it is inside or outside Alibaba Cloud. You can protect web services hosted in AWS, Azure, any other cloud, or your own data center.

Note: Domain names accessed from within mainland China must hold an ICP license from the Ministry of Industry and Information Technology.

Does WAF support cloud virtual hosts?

The Business and Enterprise editions of WAF support exclusive virtual hosts, which can be configured after WAF is enabled.

Shared hosts use a shared IP address, which means the same origin serves multiple users. We do not recommend configuring WAF separately for a shared host.

How do I protect against HTTP flood attacks?

WAF provides HTTP flood protection in Normal and Emergency modes. You can switch the protection mode according to the actual attack situation. For more information, see Configure the HTTP flood protection mode.

For better protection and a lower false positive rate, use the WAF Business or Enterprise Edition, where you can customize targeted protection policies yourself or ask security professionals to customize them for you. For more information, see Customize HTTP flood protection.

Does WAF support HTTPS?

Yes, all editions of WAF fully support HTTPS services and wildcard domain names.

WAF can handle HTTPS traffic once the SSL certificate and private key have been uploaded. WAF decrypts each request, inspects the data, re-encrypts it, and then forwards it to the origin.

Does WAF support user-defined ports?

The Business and Enterprise editions of WAF support user-defined non-standard ports. The Business Edition supports up to 10 non-standard ports and the Enterprise Edition supports up to 50 non-standard ports.

Does the QPS limit of WAF apply to the total QPS of the whole WAF instance, or to each configured domain name?

The QPS limit applies to the WAF instance as a whole, not to each domain name. For example, if your WAF instance protects three domain names, the combined QPS of the three domain names cannot exceed the limit. If the combined QPS exceeds the limit, rate limiting is triggered and packets may be dropped.

Which edition of WAF provides protection against malicious SMS?

All editions of WAF provide protection against malicious SMS. For more information, see How to select the WAF edition.

Can the origin IP address in WAF be set to an internal network IP address of ECS?

WAF forwards traffic to the origin over the public network. Entering an internal network IP address directly is not supported.

Can WAF be connected together with CDN or Anti-DDoS IP?

WAF is fully compatible with CDN and Anti-DDoS services.

Fundamental architecture: Client > Anti-DDoS > CDN > WAF > SLB > Origin

Note: If any component is omitted, the order of the remaining components stays the same.

When combining WAF with Anti-DDoS or CDN, enter the WAF CNAME as the origin for Anti-DDoS or CDN. This directs traffic to WAF after it has passed through Anti-DDoS or CDN, and WAF then forwards the traffic to the origin.

For more information, see Use Anti-DDoS Pro with WAF and Use CDN with WAF.

Can WAF protect IP addresses of multiple origins under one domain name?

A single protected domain name can have up to 20 origin IP addresses, separated by commas.

If multiple origins are added to one domain name, WAF load-balances requests among them using the round-robin method and performs health checks on all origins. When an origin fails to respond, WAF stops forwarding requests to that origin until it returns to normal.

How does WAF share load when multiple origins are configured?

If you configure multiple origin IP addresses, WAF automatically distributes access requests among them using round-robin polling.

Does WAF support health check?

Yes. Health check is enabled by default. WAF checks the access status of all origin IP addresses. If an origin IP address does not respond, WAF stops forwarding requests to it until the access status of that IP address has fully recovered.

Does WAF support session persistence?

Yes, WAF supports session persistence. However, you have to enable the function by submitting a ticket to the technical support team.

Is there a delay when an origin IP address in WAF is modified?

Hardly any. Once an origin IP address protected by WAF is modified, the change takes effect within a minute.

When does a modified configuration take effect in the WAF console?

Generally, the modified configuration is effective within a minute.

What is the back-to-source IP address of WAF?

You can view the back-to-source IP address of WAF in the Alibaba Cloud Security WAF console. For more information, see How to View the WAF back-to-source IP address.

Does WAF automatically add its back-to-source IP addresses to the security group?

No, WAF does not automatically add its back-to-source IP addresses to the security group. If your origin is deployed with other firewall or host security protection software, we recommend that you manually add the WAF back-to-source IP addresses to the whitelist.

For more information, see Protect the origin.

Do I need to allow access from all client IP addresses to enable WAF back-to-source?

No. Depending on your service type, you can allow only the WAF back-to-source IP addresses, or the IP addresses of all clients.

For web services, we recommend allowing only the WAF back-to-source IP addresses, so that the origin is protected from traffic that bypasses WAF.
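The following is an added example, not Alibaba Cloud code, of the check a defender would run on the origin's inbound rules after applying the recommendation above: every rule that opens a web port must come from a WAF back-to-source range. The WAF ranges and the rule set are constructed placeholders; the real back-to-source addresses come from the WAF console as described above.

```python
# Added example (not Alibaba Cloud code): report inbound rules that let
# non-WAF sources reach a web port on the origin, which would bypass WAF.
import ipaddress

# Placeholder back-to-source ranges; replace with the list from the WAF console.
WAF_BACK_TO_SOURCE = ["198.51.100.0/24", "203.0.113.0/24"]
WEB_PORTS = {80, 443}

# Constructed security group rules: (source CIDR, first port, last port).
RULES = [
    ("198.51.100.0/24", 80, 80),    # WAF range, allowed
    ("203.0.113.0/24", 443, 443),   # WAF range, allowed
    ("0.0.0.0/0", 443, 443),        # anyone can reach the origin directly
    ("0.0.0.0/0", 22, 22),          # not a web port, out of scope here
]


def covers_web_port(first, last):
    """True if the port range includes at least one web port."""
    return any(first <= port <= last for port in WEB_PORTS)


def source_is_trusted(source, trusted):
    """True if the rule's source CIDR lies entirely inside a trusted range."""
    net = ipaddress.ip_network(source, strict=False)
    return any(
        net.version == t.version and net.subnet_of(t)
        for t in map(ipaddress.ip_network, trusted)
    )


def find_exposed_rules(rules, trusted):
    """Return the rules that expose a web port to sources other than WAF."""
    return [
        rule for rule in rules
        if covers_web_port(rule[1], rule[2])
        and not source_is_trusted(rule[0], trusted)
    ]


if __name__ == "__main__":
    for rule in find_exposed_rules(RULES, WAF_BACK_TO_SOURCE):
        print("exposed:", rule)
```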

Can the source IP addresses of HTTP flood attacks be viewed in WAF console?

In WAF Enterprise Edition, you can view the full logs of the source IP addresses of HTTP flood attacks on the service analysis page.

How do I check the bandwidth used by WAF?

You can view the bandwidth used on the Overview page in the WAF console.

Does the IP field in HTTP ACL policies of WAF support entry of a network segment?

Yes, WAF supports the entry of an IP network segment in the IP field of HTTP ACL policies.

How soon can a disabled IP address be recovered, after the malicious IP penalty function is disabled?

The blocked IP address is released six minutes after the malicious IP penalty function is disabled.

What are the features of the Anti-DDoS capability provided by WAF?

  • WAF provides independent IP addresses to each user. These IP addresses are also subject to Anti-DDoS blackhole policies, and are consistent with ECS and Server Load Balancer.
  • The blackhole threshold for WAF is the same as the ECS default threshold in the current region.
  • You can purchase Anti-DDoS Pro to protect your website against DDoS attacks.

Does WAF support HTTPS two-way authentication?

No. WAF does not currently support HTTPS two-way (mutual) authentication.

Does WAF support the WebSocket, HTTP/2, or SPDY protocols?

WAF supports the WebSocket protocol. It does not currently support HTTP/2 or SPDY.

Which SSL protocols are supported by WAF?

Supported SSL protocols:

  • TLSv1
  • TLSv1.1
  • TLSv1.2

Example SSL cipher suite (ssl_ciphers) string:

  1. "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
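As an added example (not Alibaba Cloud code), the following audit parses the protocol list and cipher string quoted above and flags the entries a practitioner would want to review: suites without forward secrecy, CBC suites without AEAD, the 3DES (DES-CBC3) suites, and the deprecated TLS 1.0/1.1 versions. Keyword groups such as HIGH are not expanded, and the `!` exclusions are matched against hyphen-separated name parts rather than with OpenSSL's full selection algorithm, which is an assumption of this example.

```python
# Added example (not Alibaba Cloud code): audit the ssl_ciphers string and
# protocol list quoted above. Keyword groups such as HIGH are not expanded;
# '!' exclusions are matched on hyphen-separated name parts (simplified).
FAQ_PROTOCOLS = ["TLSv1", "TLSv1.1", "TLSv1.2"]
FAQ_CIPHERS = (
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:"
    "ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:"
    "EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:"
    "AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:"
    "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
)
KEYWORDS = {"HIGH", "MEDIUM", "LOW", "ALL", "DEFAULT", "COMPLEMENTOFDEFAULT"}
DEPRECATED_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}  # deprecated by RFC 8996

def parse_cipher_string(spec):
    """Split a cipher string into explicitly named suites and '!' exclusions."""
    tokens = spec.split(":")
    suites = [t for t in tokens if not t.startswith("!") and t not in KEYWORDS]
    return suites, [t[1:] for t in tokens if t.startswith("!")]

def is_excluded(suite, exclusions):
    """OpenSSL's DES keyword is single DES only; '!DES' leaves DES-CBC3 enabled."""
    parts = suite.split("-")
    for ex in exclusions:
        if ex in parts and (ex != "DES" or "CBC3" not in parts):
            return True
    return False

def classify(suite):
    """List the weaknesses of one suite (an empty list means none found)."""
    parts, issues = suite.split("-"), []
    if parts[0] not in ("ECDHE", "DHE", "EDH"):
        issues.append("no forward secrecy")
    if "CBC3" in parts:
        issues.append("3DES, 64-bit block cipher")
    if "GCM" not in parts and "CHACHA20" not in parts:
        issues.append("CBC mode, no AEAD")
    return issues

def audit(spec, protocols):
    """Map each enabled suite or protocol that has a weakness to its issues."""
    suites, exclusions = parse_cipher_string(spec)
    findings = {s: classify(s) for s in suites
                if not is_excluded(s, exclusions) and classify(s)}
    findings.update({p: ["deprecated protocol version"]
                     for p in protocols if p in DEPRECATED_PROTOCOLS})
    return findings
```

Running `audit(FAQ_CIPHERS, FAQ_PROTOCOLS)` leaves only the four ECDHE/DHE GCM suites and TLSv1.2 unflagged.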