All Products
Search
Document Center

Web Application Firewall:Release notes

Last Updated:Nov 29, 2024

This topic describes the release notes for Web Application Firewall (WAF) and provides links to the relevant references.

2024

Release date

Feature

Description

References

2024-11-07

Basic protection rule (new version)

Engine configuration and rule library management are supported. This helps protect web services in a more efficient manner.

Configure the basic protection rule module

2024-11-06

Traffic spike throttling

Custom protection rules can be created to protect web services. Two throttling methods are supported: QPS and Percentage.

Traffic spike throttling

2024-03-27

Multi-account management for enterprise-level customers

A WAF instance can be used to protect cloud resources within multiple Alibaba Cloud accounts.

Use the multi-account management feature

2024-01-16

Blocked request query

The Blocked Request Query page is provided. You can use request IDs to query blocking details.

Query blocked requests

2024-01-15

Upgrade of hybrid cloud log delivery

Hybrid cloud logs can be delivered to Kafka platforms. You can configure different settings for log delivery to Syslog and Kafka platforms.

Hybrid cloud log delivery

2023

Release date

Feature

Description

References

2023-10-12

API security for instances outside the Chinese mainland

The API security module is supported for WAF 3.0 instances that are deployed outside the Chinese mainland.

API security

2023-09-21

Compliance check and tracing and auditing of API security

Compliance check of cross-border data transfer and tracing and auditing of sensitive data are supported by the API security module of WAF 3.0.

API security

2023-08-28

Cookie attribute configuration

Cookie attributes can be configured for protected objects in WAF 3.0.

Configure protected objects and protected object groups

2023-08-20

IPv6 protection

IPv6 protection is supported in WAF 3.0. You can protect the IPv6 traffic of web services that are added to WAF.

Enable IPv6 protection

2023-08-10

Configuration of SSL and TLS settings

Custom configuration of Transport Layer Security (TLS) settings and SSL certificates is supported for virtual IP addresses (VIPs) of the IPv4 version.

Configure default SSL or TLS settings

2023-08-01

Back-to-origin traffic marking, canary release of protection rules, and bot traffic analysis

  • The following features are supported by the bot management module:

    • Bot traffic analysis.

    • Back-to-origin traffic marking for detected bot behavior.

    • Canary release of protection rules. A protection rule can be applied to a specific proportion of protected objects.

  • Canary release of protection rules are supported by the custom rule module. A protection rule can be applied to a specific proportion of protected objects.

2023-07-14

Check of DNS resolution status

WAF 3.0 checks the DNS resolution status of domain names that are added and identifies domain names whose DNS resolution status is abnormal. This helps prevent web services from being affected.

2023-06-21

Verification of domain name ownership

The first time a domain name is added to WAF, the ownership of the domain name must be verified. After the verification is passed, you can add subdomains of the domain name without the need to verify the ownership of the subdomains.

2023-06-10

HTTPS encryption based on SM algorithms

The Enable SM-based HTTPS and Allow Access Only from SM Certificate-based Clients switches are added to HTTPS protocol settings.

Add a domain name to WAF

2023-05-30

Update to API security

Policies that use custom sensitive data types can be configured.

API security

2023-05-22

Semantic-based protection

Semantic-based protection is supported by the basic protection rule module. Semantic-based protection can be used to defend against SQL injection attacks. In addition, a switch is added to determine whether to detect non-injection attacks.

Basic protection rules and rule groups

2023-05-18

Update to specification downgrade

  • The number of exclusive IP addresses can be reduced.

  • Bot management for web application protection, bot management for app protection, and API security can be disabled by downgrading a WAF instance.

Upgrade or downgrade a WAF instance

2023-04-28

Addition of domain names as protected objects

Domain names hosted on Classic Load Balancer (CLB) and Elastic Compute Service (ECS) instances that are added to WAF in cloud native mode can be added as protected objects.

Configure protected objects and protected object groups

2023-04-14

Traffic billing protection

The traffic billing protection feature is supported. After you enable the traffic billing protection feature for a pay-as-you-go WAF instance, the WAF instance is added to the sandbox when the peak queries per second (QPS) of the WAF instance exceeds the specified threshold for traffic billing protection. You are not charged traffic processing fees or feature fees that are generated in the hour when the WAF instance is added to the sandbox. This prevents high costs due to traffic spikes.

2023-03-03

Update to API security

  • The API security module can be enabled for pay-as-you-go WAF instances.

  • Custom policies can be configured.

API security

2023-02-24

Major event protection and quota for hybrid cloud protection nodes

  • Major event protection:

    • In the Ultimate edition, the feature is enabled by default. In the Pro and Enterprise editions, you can temporarily upgrade your instance to enable the feature by day. In the Basic edition, the feature is not supported.

    • The period of time during which the major event protection feature can be enabled for a WAF Pro or Enterprise instance must be greater than or equal to 30 days.

  • Hybrid cloud mode:

    • In the Enterprise and Ultimate editions, the hybrid cloud mode is supported, and one hybrid cloud protection node is provided by default.

    • In the Basic and Pro editions, the hybrid cloud mode is not supported. If you need to use the hybrid cloud mode, you must upgrade your WAF instance to the Enterprise or Ultimate edition.

    • In the Enterprise and Ultimate editions, if you purchase an additional quota of 1 for hybrid cloud protection nodes, you can add 100 additional domain names to WAF in hybrid cloud mode free of charge. If you purchase an additional quota of 2 or more, you can add 200 additional domain names to WAF in hybrid cloud mode free of charge.

2023-02-08

Intelligent whitelist, false positive ignoring, and loose and strict rule groups

  • The intelligent whitelist feature is supported. After you enable the feature, WAF performs intelligent learning based on historical service traffic and identifies protection rules that may cause false positives. Then, WAF adds the URLs that are incorrectly blocked to the intelligent whitelist. This prevents normal requests from being blocked.

  • Built-in loose rule groups and strict rule groups are provided.

  • The Ignore False Positive button is added in the basic protection rule module. You can click the button to add attacker IP addresses to the whitelist.

2023-02-08

WAF protection for custom domain names in Function Compute

The protection capabilities of WAF are integrated into Function Compute as an SDK module. You can add custom domain names bound to web applications in Function Compute to WAF in cloud native mode. WAF identifies, scrubs, and filters out malicious web traffic, and then forwards normal traffic to the backend function.

Enable WAF protection for a custom domain name bound to a web application in Function Compute

2023-01-19

Group-based resource management and tag-based resource management

WAF 3.0 is integrated with Alibaba Cloud Resource Management. You can use resource groups and tags to manage resources and permissions.

2023-01-17

Update to bot management

  • The following features are supported by the bot management module:

    • Basic protection: You can enable the feature to protect websites from medium and low-level bot traffic.

    • Slider CAPTCHA verification, strict slider CAPTCHA verification, intelligent protection, and threat intelligence: The features are supported by bot management for app protection.

    • Scheduled activation: Bot management for web application protection and app protection can take effect at a specified point in time.

  • The security report of the bot management module is optimized. You can view details about attacks to trace and analyze the attacks.

2022

Release date

Feature

Description

References

2022-12-22

API security for instances in the Chinese mainland

The API security module automatically sorts API assets in services protected by WAF and detects API risks such as unauthorized access to APIs, exposure of sensitive data, and exposure of internal APIs. The module also allows you to trace API exception events by using reports, provides suggestions on how to fix detected risks, and provides data to help you manage the API lifecycle. This way, you can implement comprehensive API security protection.

API security

2022-11-29

Configuration of the Retry Back-to-origin Requests and Back-to-origin Keep-alive Requests parameters in CNAME record mode

The Retry Back-to-origin Requests and Back-to-origin Keep-alive Requests parameters are supported to add web services to WAF in CNAME record mode.

CNAME record mode

2022-11-28

Recording of custom request headers, request bodies, response headers, and response bodies in logs

The request_body, request_header, response_header, and response_info fields are added to record custom request headers, request bodies, response headers, and response bodies in logs.

Log fields

2022-11-25

Alerting for log storage usage

If the log storage usage of a WAF instance exceeds 80% of the log storage capacity, the system sends an alert notification for the issue by text message and email. If the log storage capacity is exhausted, WAF logs can no longer be written. We recommend that you upgrade the log storage capacity of your WAF instance at the earliest opportunity.

Upgrade log storage capacity

2022-11-24

Subscription billing method

The subscription billing method is supported in WAF 3.0. You must pay for resources before you can use the resources.

Subscription billing overview

2022-11-23

WAF protection for Layer 4 CLB instances, Layer 7 CLB instances, and ECS instances

Layer 4 CLB instances, Layer 7 CLB instances, and ECS instances can be added to WAF by specifying traffic redirection ports.

2022-11-17

Self-service specification downgrade

Self-service specification downgrade is supported. The following specifications can be downgraded: additional QPS quota, burstable QPS (pay-as-you-go) quota, additional domain name quota, and log storage capacity.

Upgrade or downgrade a WAF instance

2022-10-30

API operations

API operations of WAF 3.0 are released. The API operations correspond to common operations in the WAF 3.0 console. You can call the operations to perform batch processing.

List of operations by function

2022-10-27

Burstable QPS (pay-as-you-go) and sandbox

The burstable QPS (pay-as-you-go) feature is supported. The feature is suitable for scenarios in which traffic spikes occur, such as during promotional events. In the preceding scenarios, the peak service traffic may exceed the sum of the default QPS quota of your WAF edition and the additional QPS quota that you purchase. If you enable the burstable QPS (pay-as-you-go) feature, you are charged for excess QPS resource usage based on the pay-as-you-go billing method. The feature ensures service continuity and prevents your WAF instance from being added to the sandbox.

2022-10-19

Monitoring and alerting

Alert rules can be configured to allow WAF to send alert notifications when attacks and abnormal traffic are detected. This way, you can check the security status of your business at the earliest opportunity.

Configure WAF alerting

2022-09-23

Configuration of custom header fields to obtain the originating ports of clients

The Enable Traffic Mark and Source Port parameters can be selected to add a domain name to WAF. You can specify a header field that records the originating ports of clients. This way, WAF records and forwards the header field to your origin server.

Add a domain name to WAF

2022-08-24

Configuration of custom timeout periods for back-to-origin requests

Custom timeout periods for new connections, read connections, and write connections can be configured to add a domain name to WAF.

Add a domain name to WAF

2022-08-12

WAF protection for MSE instances

WAF protection can be enabled for Microservices Engine (MSE) instances.

Enable WAF protection for an MSE instance

2022-07-22

Data leakage prevention

The data leakage prevention module is supported. The module filters abnormal content that is returned and masks sensitive information, such as ID card numbers, phone numbers, bank card numbers, and sensitive words. Then, WAF returns the masked information or default response pages.

Configure protection rules for the data leakage prevention module to prevent data leaks

2022-07-22

Website tamper-proofing

The website tamper-proofing module is supported. The module allows you to lock web pages that require protection, such as web pages that contain sensitive information. When a locked web page is requested, WAF returns a cached version of the page. This helps prevent web page tampering.

Configure protection rules for the website tamper-proofing module to prevent web page tampering

2022-07-20

Subscription billing method

The subscription billing method is supported in WAF 3.0. You must pay for resources before you can use the resources. The subscription billing method allows you to reserve resources and is more cost-effective than the pay-as-you-go billing method.

Subscription billing overview

2022-07-14

Asset center

The asset center feature is supported. You can use the feature to identify domain names in and outside Alibaba Cloud and assess risks based on the attack status of the domain names in the cloud. This helps you obtain the overall protection status of your domain names.

Asset center

2022-06-23

Bot management

The bot management module is supported in WAF 3.0. You can use the module to configure custom anti-crawler rules for websites and apps. This protects your business from malicious crawlers.

2022-05-30

Major event protection

The major event protection module is supported. You can use the module to configure rule groups and IP address blacklists for major event protection, collaborative defense, and cookie security-related capabilities. This improves protection for customers in attack and defense scenarios.

Major event protection

2022-04-21

HTTP flood protection

The HTTP flood protection module is supported. You can use the module to defend against HTTP flood attacks on websites. If WAF blocks HTTP flood attacks, WAF returns 405 error pages to clients.

Configure protection rules for the HTTP flood protection module to defend against HTTP flood attacks

2022-04-21

Region blacklist

The region blacklist module is supported. The module identifies the source regions of requests. You can configure the module to block or allow requests from specific regions to prevent malicious requests.

Configure protection rules for the region blacklist module to block requests from specific regions

2022-01-22

Release of WAF 3.0

WAF 3.0 is released. WAF 3.0 supports the CNAME record mode and cloud native mode, and is integrated into the cloud native architecture of other cloud services, such as Application Load Balancer (ALB). Compared with WAF 2.0, WAF 3.0 provides more features and allows you to configure protection settings in the WAF 3.0 console in a more efficient manner. This helps improve user experience.

WAF 3.0 released, WAF 2.0 end-of-sale