Web Application Firewall:FAQ

Category

Question

Features

• FAQ about pre-sales consulting

  • Can I use WAF to protect servers that are not deployed on Alibaba Cloud?

  • Does WAF support Cloud Web Hosting instances?

  • Can WAF protect HTTPS services?

  • Does WAF support custom ports?

  • What are the restrictions on the ports that can be added to WAF?

  • Does the QPS limit that is specified for a WAF instance apply to the entire WAF instance or a single domain name that is added to the WAF instance?

  • Does WAF support mutual TLS authentication?

  • Does WAF support the WebSocket, HTTP/2, or SPDY protocol?

  • Is the origin server affected when HTTP/2 services are added to WAF?

  • What TLS protocols does WAF support?

  • Can WAF protect websites that use NTLM authentication?

  • How does WAF improve the access security of business account APIs?

  • How do crawlers collect information by calling APIs? How do I mitigate the risks?

  • How does WAF obtain and record the originating IP addresses of clients from custom header fields?

  • What business security risks exist in the gaming business? How do I mitigate the risks?

  • What risks might arise when I provide web API services by using a domain name? How do I mitigate the risks?

  • What measures does WAF take to reduce the risk of data leaks?

  • What are the main protection engines provided by WAF?

  • How does WAF intelligently detect and handle normal requests incorrectly identified as web attacks?

  • How does WAF enhance database security defenses?

• Website access configuration

  • Can I use the internal IP address of an ECS instance as an origin IP address?

  • Can WAF protect multiple origin IP addresses for one domain name?

  • How does WAF balance request loads among multiple origin servers?

  • Does WAF support the health check feature?

  • Does WAF support the session persistence feature?

  • Does a delay occur when I change an origin IP address?

  • What are the back-to-origin CIDR blocks of WAF?

  • Are back-to-origin CIDR blocks of WAF automatically added to security groups?

  • Do I need to allow access requests from all client IP addresses?

  • Can a WAF instance that uses an exclusive IP address defend against DDoS attacks?

  • Can WAF be deployed together with CDN or Anti-DDoS Proxy?

  • Can I deploy WAF together with CDN and Anti-DDoS Proxy by using different Alibaba Cloud accounts?

  • How does WAF ensure the security of an uploaded certificate and the private key of the certificate? Does WAF decrypt HTTPS traffic and record the content of HTTPS requests?

  • A domain name is added to WAF. Why am I unable to find the domain name in the domain name list?

  • Can a domain name be added to WAF in both CNAME record mode and transparent proxy mode?

  • What do I do if a domain name that has been added to WAF no longer requires the protection of WAF?

  • Can the origin server of a domain name obtain the actual client IP addresses after the domain name is added to WAF in transparent proxy mode?

  • If the SSL certificate bound to a port is updated, do I need to re-upload the certificate in the WAF console?

  • If a domain name is hosted on multiple SLB instances, how do I add the domain name to WAF in transparent proxy mode?

  • If multiple domain names are hosted on an SLB instance, what happens if I add only one of the domain names to WAF in transparent proxy mode?

  • Why am I unable to find the Layer 7 SLB instance that I want to add to WAF in transparent proxy mode?

  • What are the main security risks of APIs and their possible impacts? How do I mitigate the risks?

• Website protection configuration

  • How do I use WAF to defend against HTTP flood attacks?

  • How long does it take for configuration modifications in the WAF console to take effect?

  • When I configure custom protection policies (ACL policies), can I enter CIDR blocks in the IP field?

  • Why does a custom protection policy whose URL match field contains a double forward slash (//) not take effect?

  • What risks might be associated with HTTP response code leaks? How do I mitigate the risks?

  • If a domain name hosted on a SLB instance is added to WAF, how can I prevent the requests that are destined for the domain name from bypassing WAF?

• Website protection analysis

  • Can I view the source IP addresses of HTTP flood attacks in the WAF console?

  • How do I query the bandwidth usage of WAF?

Website access

• How do I troubleshoot website access exceptions?

• How do I troubleshoot HTTPS access issues

• HTTPS access exceptions arising from SNI compatibility ("Certificate not trusted")

• How to handle ECS intrusion?

• What do I do if blackhole filtering is triggered for my WAF instance?

Service configuration

• Supported domain suffixes

• If my website receives requests over an unconfigured port, is the origin server threatened?

• WAF access traffic flow

• Emergency Mode of HTTP Flood Protection

• How do I troubleshoot 405 errors?

Fault analysis

• What do I do if services on non-standard ports cannot be added to WAF of the Pro edition?

• What do I do if "The HTTPS private key format is invalid" appears when I upload an HTTPS certificate file?

• How do I handle the mismatch between a certificate and its private key?

• File upload requests blocked by Alibaba Cloud WAF

• How to fix the logon status loss issue?

• What do I do if a persistent connection times out?

• Why am I unable to access miniapps on a website that I added to WAF?

• Why am I unable to access the website that I added to WAF by using specific clients?

Services

• Alibaba Cloud DNS version of WAF

Others

• Common web vulnerabilities

• Why am I unable to directly access a CNAME provided by WAF?

• Differentiate between crawler attacks and HTTP flood attacks