This topic describes the terminology, process, protection modules, and examples for the protection configuration of Web Application Firewall (WAF).
Protection configuration process
After you add web services to WAF, you can perform the following steps to configure protection rules for the web services. The protection configuration process varies based on the access method that you use to add your web services to WAF.
| Step | Cloud native mode | CNAME record mode |
| --- | --- | --- |
| 1. Add a protected object. | The cloud service instances that are added to WAF in cloud native mode are automatically added as protected objects in WAF. If you want to configure different protection rules for different domain names that point to the same cloud service instance, you must manually add the domain names as protected objects in WAF. For more information, see Configure protected objects and protected object groups. | The domain names that are added to WAF in CNAME record mode are automatically added as protected objects in WAF. |
| 2. (Optional) Add the protected object to a protected object group. | If you want to configure the same protection rule for multiple protected objects, you can add the protected objects to a protected object group and then configure the protection rule for the protected object group. The protection rule takes effect on all protected objects in the group. Before you can use a protected object group, you must create a protected object group and add protected objects to the group. For more information, see Create a protected object group. | Same as cloud native mode. |
| 3. Create a protection template. | Before you can enable a protection module, you must create a protection template for the protection module. Then, you can apply the protection template to specific protected objects or protected object groups. The basic protection rule and whitelist modules provide default protection templates. You do not need to create protection templates to enable these modules. If you want to enable other protection modules, you must create protection templates for the protection modules. For more information, see Protection module overview. You can create multiple protection templates that contain different protection rules and apply different protection rules to specific protected objects. For more information, see Example: Configure multiple protection templates for a protection module. | Same as cloud native mode. |
| 4. Manage protection rules. | You can manage protection rules in the protection templates of different protection modules. For example, you can create, enable, or disable protection rules. Modifications to protection rules in a protection template take effect on all protected objects to which the protection template is applied. The operations that you can perform on protection rules vary based on the protection template. For more information, see Protection module overview. | Same as cloud native mode. |
Protection module overview
The following table describes the protection modules that are supported by WAF and the default configuration of each protection module.
| Protection module | Description | Default protection template | Configuration suggestion |
| --- | --- | --- | --- |
| Basic protection rule | Defends against common web application attacks based on a built-in protection rule set. The common web application attacks include SQL injection, cross-site scripting (XSS), code execution, webshell upload, and command injection. | A default protection template is provided, and the template uses the protection rule set provided by WAF. By default, the protection template is enabled, and the Block action is specified. Important: By default, the basic protection rule module is enabled for all protected objects that are newly added to WAF. The module automatically blocks attack requests. | We recommend that you retain the default configuration. If specific protection rules in the protection rule set block normal requests, you can configure a protection rule for the whitelist module based on the specified protection rules to prevent false positives. For more information, see Configure protection rules for the whitelist module to allow specific requests. |
| Rule group (Note: The rule group feature has been upgraded to the engine configuration feature. For more information, see [Announcement].) | Defends against attacks based on a group of protection rules. You can configure a custom rule group or use the default rule group. You can associate a rule group with a protection template of the basic protection rule module to protect your website from common web application attacks. | A default rule group is provided. | To enable a custom rule group, you must create a protection template and configure protection rules for the template. |
| Whitelist | Allows requests that have specific characteristics to bypass the checks of all or specified protection modules. You can configure the characteristics of the requests based on your business requirements. | A default protection template is provided, but no protection rules are pre-defined in the default protection template. By default, the protection template is enabled. | If you want WAF to allow requests that have specific characteristics, you can create protection rules in the default protection template of the whitelist module. |
| HTTP flood protection | Mitigates HTTP flood attacks based on built-in common HTTP flood protection algorithms. You can also configure throttling for HTTP flood protection in the custom rule module. | A default protection template is provided, but no protection rules are pre-defined in the default protection template. By default, the protection template is enabled. Note: The default protection template is supported only in subscription WAF instances that run the Pro, Enterprise, or Ultimate edition. | To enable a custom protection rule, you must create a protection template and configure the protection rule in the template. |
| Scan protection | Identifies the scanning behaviors and characteristics of scanners to prevent attackers or scanners from scanning your websites. This helps reduce the risk of intrusions into web services and blocks unwanted scanning traffic. | A default protection template is provided, but no protection rules are pre-defined in the default protection template. By default, the protection template is enabled. Note: The default protection template is supported only in subscription WAF instances that run the Pro, Enterprise, or Ultimate edition. | To enable a custom protection rule, you must create a protection template and configure the protection rule in the template. |
| IP address blacklist | Blocks requests from specified IPv4 addresses, IPv6 addresses, or CIDR blocks. You can specify the IP addresses or CIDR blocks based on your business requirements. | No default protection template is provided. By default, this protection module is disabled. | To enable this protection module, you must create a protection template and configure protection rules for the template. |
| Custom rule | Blocks requests, verifies requests, or records logs based on the characteristics of HTTP requests or a set of custom characteristics that you specify. When you configure a protection rule, you can turn on Rate Limiting. If a statistical object, such as an IP address or a session, matches the specified condition, the statistical object is added to the blacklist. During the specified period of time, WAF performs the specified action on all requests from the statistical object. | | |
| Custom response | Allows you to configure custom block pages that WAF returns to clients when the requests of the clients are blocked by WAF. You can specify a custom status code, response header, and response body. | | |
| Region blacklist | Allows you to block client IP addresses from specific regions with a few clicks. | | |
| Website tamper-proofing | Locks specific web pages to prevent content tampering. When a locked web page receives a request, a pre-defined cached page is returned. | | |
| Information leakage prevention | Filters abnormal returned content and masks sensitive information, such as ID card numbers, phone numbers, bank card numbers, and sensitive words. | | |
| Bot management | Identifies Layer 4 and Layer 7 bot traffic by using fingerprinting techniques. | | |
| Bot management | Identifies bot traffic based on the characteristics of clients, traffic, behaviors, and intelligence, and blocks malicious traffic to prevent unwanted bandwidth consumption, data crawling, spam user registration, malicious orders, malicious voting, and abuse of APIs. | | |
| Major event protection | Ensures the security of major events within a specific time range and provides precise protection for your services. | No default protection template is provided. By default, this protection module is disabled. | To enable this protection module, you must create a protection template and configure protection rules for the template. |
| API security | Sorts the API assets of services that are protected by WAF and detects API risks, such as unauthorized access to APIs, exposure of sensitive data, and exposure of internal APIs. This protection module provides reports on API exception events, suggestions for handling detected risks, and references for API lifecycle management. | N/A | |
| Traffic spike throttling | Allows you to limit the number of requests to specific servers by specifying a QPS or percentage limit and filters for traffic from selected regions. | No default protection template is provided. By default, this protection module is disabled. | To enable this protection module, you must create a protection template and configure protection rules for the template. |
The protection capabilities of WAF vary based on the edition. For example, the traffic spike throttling module is supported only in subscription WAF instances that run the Pro edition or higher. For more information, see Editions.
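The rate-limiting behaviour described for the custom rule module (count requests per statistical object, blacklist the object once the count in the window exceeds the threshold, then apply the rule's action to every request from it until the blacklist period ends) can be modelled as follows. This is an added illustration written for this page, not WAF's own code; the class and field names, the constructed sample traffic, and the use of a sliding window are assumptions.

```python
from collections import defaultdict, deque

class RateLimitRule:
    """Hypothetical model of a custom rule with Rate Limiting turned on.
    Requests are counted per statistical object (client IP or session ID);
    once the count in the sliding window exceeds the threshold, the object
    is blacklisted for block_seconds and further requests get the action."""

    def __init__(self, key, threshold, window, block_seconds, action="block",
                 condition=lambda req: True):
        self.key = key                  # "ip" or "session": the statistical object
        self.threshold = threshold      # requests allowed inside one window
        self.window = window            # window length in seconds
        self.block_seconds = block_seconds
        self.action = action            # "block", "verify" (challenge) or "log"
        self.condition = condition      # only requests matching the rule are counted
        self.hits = defaultdict(deque)  # object -> request timestamps in the window
        self.blacklist = {}             # object -> time the blacklist entry expires

    def evaluate(self, req):
        """Return the action taken on req ("pass" when the rule does not apply)."""
        obj, now = req[self.key], req["ts"]
        expiry = self.blacklist.get(obj)
        if expiry is not None:
            if now < expiry:
                return self.action      # still inside the blacklist period
            del self.blacklist[obj]     # blacklist period is over
        if not self.condition(req):
            return "pass"               # request does not match the rule condition
        q = self.hits[obj]
        q.append(now)
        while q and q[0] <= now - self.window:
            q.popleft()                 # drop timestamps that left the window
        if len(q) > self.threshold:
            self.blacklist[obj] = now + self.block_seconds
            q.clear()
            return self.action
        return "pass"

def replay(rule, requests):
    """Evaluate requests in order and return the list of decisions."""
    return [rule.evaluate(r) for r in requests]

# Constructed sample traffic (not real logs): one client hammers /login.
SAMPLE = [{"ip": "203.0.113.5", "session": "s1", "path": "/login", "ts": t} for t in range(6)]
SAMPLE += [{"ip": "198.51.100.9", "session": "s2", "path": "/login", "ts": 3},
           {"ip": "203.0.113.5", "session": "s1", "path": "/login", "ts": 100},
           {"ip": "203.0.113.5", "session": "s1", "path": "/login", "ts": 400}]

if __name__ == "__main__":
    rule = RateLimitRule("ip", 5, 60, 300, "block", lambda r: r["path"] == "/login")
    for req, decision in zip(SAMPLE, replay(rule, SAMPLE)):
        print(req["ip"], req["ts"], decision)
```

With the sample above the sixth request from 203.0.113.5 trips the threshold, the request at second 100 is still blocked, and the request at second 400 passes again because the 300-second blacklist period has ended.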
Disable WAF protection
If you want to temporarily disable WAF protection, you can go to the Protected Objects page of the WAF 3.0 console and turn off WAF Protection Status.
After you disable WAF protection, traffic destined for the websites that are originally protected by WAF bypasses the protection engine of WAF, and WAF stops logging monitored and blocked requests. After you perform operations that require WAF protection to be temporarily disabled, such as emergency tests, we recommend that you go to the Protected Objects page of the WAF 3.0 console and enable WAF protection at the earliest opportunity to resume logging. This helps reduce the potential exposure of your assets. If you disable WAF protection or specific features but configure API security policies, the related detection processes still continue.
If you use a pay-as-you-go WAF instance and disable WAF protection for a short period of time, you are still charged feature fees and basic traffic fees during the period. If you enable the API security module, you are also charged traffic fees for the API security module. You are not charged request processing fees for the bot management, risk identification, or custom rule module.
You cannot turn off WAF Protection Status to disable WAF protection for Microservices Engine (MSE) or Function Compute assets that are added to WAF in cloud native mode. If your assets are added to WAF in hybrid cloud mode, you can turn off WAF Protection Status to disable WAF protection for the assets only if your WAF instance runs the required edition. For more information about the required edition, contact your business manager or submit a ticket for consultation.
Example: Configure multiple protection templates for a protection module
You can configure multiple protection templates for a protection module. You can use the protection templates to configure different protection rules for different protected objects.
In this example, the basic protection rule module is used. A default protection template is provided for the module. By default, the template is enabled, and the Action parameter is set to Block in the template. If new protected objects are added to WAF, the default protection template is automatically applied. If WAF detects an attack request that is sent to a protected object, WAF blocks the attack request.
If you want WAF to monitor the attack requests that are sent to new protected objects and block the attack requests that are sent to existing protected objects, you can perform the following operations. If WAF monitors the attack requests, WAF does not block the attack requests but rather keeps a record of the protection rules that are matched by the attack requests.
1. Change the value of the Action parameter to Monitor in the default protection template.
2. Create a protection template of the basic protection rule module. Set the Action parameter to Block and the Apply To parameter to all existing protected objects in WAF.
After you perform the preceding operations, WAF monitors requests that are sent to the new protected objects. After you confirm that WAF blocks only unwanted requests, you can apply the protection template that you create to the new protected objects.