This topic describes the release notes for Web Application Firewall (WAF) and provides links to the relevant references.
2024
Release date | Feature | Description | References |
2024-11-07 | Basic protection rule (new version) | Engine configuration and rule library management are supported. This helps protect web services in a more efficient manner. | |
2024-11-06 | Traffic spike throttling | Custom protection rules can be created to protect web services. Two throttling methods are supported: QPS and Percentage. | |
2024-03-27 | Multi-account management for enterprise-level customers | A WAF instance can be used to protect cloud resources within multiple Alibaba Cloud accounts. | |
2024-01-16 | Blocked request query | The Blocked Request Query page is provided. You can use request IDs to query blocking details. | |
2024-01-15 | Upgrade of hybrid cloud log delivery | Hybrid cloud logs can be delivered to Kafka platforms. You can configure different settings for log delivery to Syslog and Kafka platforms. | |
2023
Release date | Feature | Description | References |
2023-10-12 | API security for instances outside the Chinese mainland | The API security module is supported for WAF 3.0 instances that are deployed outside the Chinese mainland. | |
2023-09-21 | Compliance check and tracing and auditing of API security | Compliance check of cross-border data transfer and tracing and auditing of sensitive data are supported by the API security module of WAF 3.0. | |
2023-08-28 | Cookie attribute configuration | Cookie attributes can be configured for protected objects in WAF 3.0. | |
2023-08-20 | IPv6 protection | IPv6 protection is supported in WAF 3.0. You can protect the IPv6 traffic of web services that are added to WAF. | |
2023-08-10 | Configuration of SSL and TLS settings | Custom configuration of Transport Layer Security (TLS) settings and SSL certificates is supported for virtual IP addresses (VIPs) of the IPv4 version. | |
2023-08-01 | Back-to-origin traffic marking, canary release of protection rules, and bot traffic analysis | | |
2023-07-14 | Check of DNS resolution status | WAF 3.0 checks the DNS resolution status of domain names that are added and identifies domain names whose DNS resolution status is abnormal. This helps prevent web services from being affected. | |
2023-06-21 | Verification of domain name ownership | The first time a domain name is added to WAF, the ownership of the domain name must be verified. After the verification is passed, you can add subdomains of the domain name without the need to verify the ownership of the subdomains. | |
2023-06-10 | HTTPS encryption based on SM algorithms | The Enable SM-based HTTPS and Allow Access Only from SM Certificate-based Clients switches are added to HTTPS protocol settings. | |
2023-05-30 | Update to API security | Policies that use custom sensitive data types can be configured. | |
2023-05-22 | Semantic-based protection | Semantic-based protection is supported by the basic protection rule module. Semantic-based protection can be used to defend against SQL injection attacks. In addition, a switch is added to determine whether to detect non-injection attacks. | |
2023-05-18 | Update to specification downgrade | | |
2023-04-28 | Addition of domain names as protected objects | Domain names hosted on Classic Load Balancer (CLB) and Elastic Compute Service (ECS) instances that are added to WAF in cloud native mode can be added as protected objects. | |
2023-04-14 | Traffic billing protection | The traffic billing protection feature is supported. After you enable the traffic billing protection feature for a pay-as-you-go WAF instance, the WAF instance is added to the sandbox when the peak queries per second (QPS) of the WAF instance exceeds the specified threshold for traffic billing protection. You are not charged traffic processing fees or feature fees that are generated in the hour when the WAF instance is added to the sandbox. This prevents high costs due to traffic spikes. | |
2023-03-03 | Update to API security | | |
2023-02-24 | Major event protection and quota for hybrid cloud protection nodes | | |
2023-02-08 | Intelligent whitelist, false positive ignoring, and loose and strict rule groups | | |
2023-02-08 | WAF protection for custom domain names in Function Compute | The protection capabilities of WAF are integrated into Function Compute as an SDK module. You can add custom domain names bound to web applications in Function Compute to WAF in cloud native mode. WAF identifies, scrubs, and filters out malicious web traffic, and then forwards normal traffic to the backend function. | Enable WAF protection for a custom domain name bound to a web application in Function Compute |
2023-01-19 | Group-based resource management and tag-based resource management | WAF 3.0 is integrated with Alibaba Cloud Resource Management. You can use resource groups and tags to manage resources and permissions. | |
2023-01-17 | Update to bot management | | |
2022
Release date | Feature | Description | References |
2022-12-22 | API security for instances in the Chinese mainland | The API security module automatically sorts API assets in services protected by WAF and detects API risks such as unauthorized access to APIs, exposure of sensitive data, and exposure of internal APIs. The module also allows you to trace API exception events by using reports, provides suggestions on how to fix detected risks, and provides data to help you manage the API lifecycle. This way, you can implement comprehensive API security protection. | |
2022-11-29 | Configuration of the Retry Back-to-origin Requests and Back-to-origin Keep-alive Requests parameters in CNAME record mode | The Retry Back-to-origin Requests and Back-to-origin Keep-alive Requests parameters can be configured when you add web services to WAF in CNAME record mode. | |
2022-11-28 | Recording of custom request headers, request bodies, response headers, and response bodies in logs | The request_body, request_header, response_header, and response_info fields are added to record custom request headers, request bodies, response headers, and response bodies in logs. | |
2022-11-25 | Alerting for log storage usage | If the log storage usage of a WAF instance exceeds 80% of the log storage capacity, the system sends an alert notification for the issue by text message and email. If the log storage capacity is exhausted, WAF logs can no longer be written. We recommend that you upgrade the log storage capacity of your WAF instance at the earliest opportunity. | |
2022-11-24 | Subscription billing method | The subscription billing method is supported in WAF 3.0. You must pay for resources before you can use the resources. | |
2022-11-23 | WAF protection for Layer 4 CLB instances, Layer 7 CLB instances, and ECS instances | Layer 4 CLB instances, Layer 7 CLB instances, and ECS instances can be added to WAF by specifying traffic redirection ports. | |
2022-11-17 | Self-service specification downgrade | Self-service specification downgrade is supported. The following specifications can be downgraded: additional QPS quota, burstable QPS (pay-as-you-go) quota, additional domain name quota, and log storage capacity. | |
2022-10-30 | API operations | API operations of WAF 3.0 are released. The API operations correspond to common operations in the WAF 3.0 console. You can call the operations to perform batch processing. | |
2022-10-27 | Burstable QPS (pay-as-you-go) and sandbox | The burstable QPS (pay-as-you-go) feature is supported. The feature is suitable for scenarios in which traffic spikes occur, such as during promotional events. In the preceding scenarios, the peak service traffic may exceed the sum of the default QPS quota of your WAF edition and the additional QPS quota that you purchase. If you enable the burstable QPS (pay-as-you-go) feature, you are charged for excess QPS resource usage based on the pay-as-you-go billing method. The feature ensures service continuity and prevents your WAF instance from being added to the sandbox. | |
2022-10-19 | Monitoring and alerting | Alert rules can be configured to allow WAF to send alert notifications when attacks and abnormal traffic are detected. This way, you can check the security status of your business at the earliest opportunity. | |
2022-09-23 | Configuration of custom header fields to obtain the originating ports of clients | The Enable Traffic Mark and Source Port parameters can be selected when you add a domain name to WAF. You can specify a header field that records the originating ports of clients. This way, WAF records and forwards the header field to your origin server. | |
2022-08-24 | Configuration of custom timeout periods for back-to-origin requests | Custom timeout periods for new connections, read connections, and write connections can be configured when you add a domain name to WAF. | |
2022-08-12 | WAF protection for MSE instances | WAF protection can be enabled for Microservices Engine (MSE) instances. | |
2022-07-22 | Data leakage prevention | The data leakage prevention module is supported. The module filters abnormal content that is returned and masks sensitive information, such as ID card numbers, phone numbers, bank card numbers, and sensitive words. Then, WAF returns the masked information or default response pages. | Configure protection rules for the data leakage prevention module to prevent data leaks |
2022-07-22 | Website tamper-proofing | The website tamper-proofing module is supported. The module allows you to lock web pages that require protection, such as web pages that contain sensitive information. When a locked web page is requested, WAF returns a cached version of the page. This helps prevent web page tampering. | Configure protection rules for the website tamper-proofing module to prevent web page tampering |
2022-07-20 | Subscription billing method | The subscription billing method is supported in WAF 3.0. You must pay for resources before you can use the resources. The subscription billing method allows you to reserve resources and is more cost-effective than the pay-as-you-go billing method. | |
2022-07-14 | Asset center | The asset center feature is supported. You can use the feature to identify domain names in and outside Alibaba Cloud and assess risks based on the attack status of the domain names in the cloud. This helps you obtain the overall protection status of your domain names. | |
2022-06-23 | Bot management | The bot management module is supported in WAF 3.0. You can use the module to configure custom anti-crawler rules for websites and apps. This protects your business from malicious crawlers. | |
2022-05-30 | Major event protection | The major event protection module is supported. You can use the module to configure rule groups and IP address blacklists for major event protection, collaborative defense, and cookie security-related capabilities. This improves protection for customers in attack and defense scenarios. | |
2022-04-21 | HTTP flood protection | The HTTP flood protection module is supported. You can use the module to defend against HTTP flood attacks on websites. If WAF blocks HTTP flood attacks, WAF returns 405 error pages to clients. | Configure protection rules for the HTTP flood protection module to defend against HTTP flood attacks |
2022-04-21 | Region blacklist | The region blacklist module is supported. The module identifies the source regions of requests. You can configure the module to block or allow requests from specific regions to prevent malicious requests. | Configure protection rules for the region blacklist module to block requests from specific regions |
2022-01-22 | Release of WAF 3.0 | WAF 3.0 is released. WAF 3.0 supports the CNAME record mode and cloud native mode, and is integrated into the cloud native architecture of other cloud services, such as Application Load Balancer (ALB). Compared with WAF 2.0, WAF 3.0 provides more features and allows you to configure protection settings in the WAF 3.0 console in a more efficient manner. This helps improve user experience. | |