edit-icon download-icon

Access status detection exceptions

Last Updated: Feb 05, 2018

After configuring WAF, you can view its access status in the console.

An indication of normal access is shown in the following image.

Normal

In the event of exceptions, the status prompts may display to indicate that WAF may not be connected properly. If you confirm that the domain name has been resolved to the CNAME address of WAF, and service access is also normal, you can ignore the prompt.

The access status detection is based on the following.

Note: Access status is considered normal if one of the conditions is met and the interface prompts that the website has been connected to WAF for protection.

  • Condition A: The access domain name is resolved from the CNAME.
  • Condition B: The access domain name has some traffic.

    Note: In Condition B, if there are 10 or more requests within five seconds, the system determines that the domain name has traffic. In the event of two or three requests per minute, the traffic cannot be determined as it is too low. You can view specific historical traffic information in Alibaba Cloud Security console > Web Application Firewall > Security Reports > HTTP Flood Attack.

We recommend using CNAME instead of A record to access WAF when implementing special detection of CNAME access status. This is because the CNAME record enables you to switch to another node or data room if a data room goes down or you encounter other critical errors. If you use A record, this level of disaster recovery is not obtainable. Under normal circumstances, A record access can function normally.

Descriptions of common access status exceptions

Exact domain access

WAF is accessed with a defined domain name (domain name does not contain “*“). If neither CNAME access nor traffic is present, the following exception status will be displayed.

Access failed

Wildcard domain access

WAF is accessed with a wildcard domain name, such as “*.abc.com”. Besides the normal status, wildcard domain access only has one status, which is as follows.

Access failed

The preceding image indicates that the currently connected wildcard domain name has no traffic, or the traffic is too low to be detected.

CDN and other proxies are deployed with WAF

For configuring CDN in combination with WAF, see CDN + WAF configuration.

If the access architecture is CDN > WAF, and the domain name is resolved to CDN, CNAME access of WAF cannot be detected. This is because the domain name is resolved to CDN. In addition, the traffic from CDN to WAF is very low and the access status may be considered abnormal due to low traffic.

Therefore, if the configuration is confirmed correct, the displayed access status exception does not indicate that WAF is not properly connected.

Manually testing WAF for normal protection

  1. Visit a website protected by WAF, such as www.abc.com, and open a page normally.

  2. Add “/alert (xss)” after the website URL, which is a test web attack request (for example, www.abc.com/?alert(xss)). If you get a 405 error message when you open a page, it means that the request is blocked and WAF is providing normal protection.

Thank you! We've received your feedback.