This topic describes the terminology, process, protection modules, and examples for protection configuration of Web Application Firewall (WAF).
Protection configuration process
After you add web services to WAF, you can perform the following steps to configure protection rules for the web services . The protection configuration process varies based on the mode in which you add the web services to WAF.
Step | Cloud native mode | CNAME record mode |
1. Add a protected object . | The cloud service instances that are added to WAF are automatically added as protected objects in WAF. If you want to configure different protection rules for different domain names pointing to the same cloud service instance, you must manually add the domain names as protected objects in WAF. For more information, see Protected objects and protected object groups. | You do not need to perform this step. The domain names that are added to WAF in CNAME record mode are automatically added as protected objects in WAF. |
2. (Optional) Add a protected object to a protected object group . | If you want to configure the same protection rules for multiple protected objects, you can add the protected objects to a protected object group and then configure protection rules for the protected object group. The protection rules that are configured for the protected object group take effect for all protected objects in the group. Before you can use a protected object group, you must create a protected object group and add protected objects to the group. For more information, see Create a protected object group. | |
3. Create a protection template. | Before you can enable a protection module , you must create a protection template for the protection module. Then, you can apply the protection template to specific protected objects or protected object groups. The basic protection rule and whitelist modules provide built-in default protection templates. You do not need to create a protection template to use these modules. If you want to enable other protection modules, you must create protection templates for the protection modules. For more information, see Protection module overview. You can create multiple protection templates and then use the protection templates to configure different protection rules for different protected objects. For more information, see Example: Configure multiple protection templates for a protection module. | |
4. Manage protection rules. | You can manage protection rules in the protection templates of different protection modules. For example, you can add, enable, or disable rules. Modifications to rules in a protection template take effect for the objects to which the protection template is applied. The operations that you can perform on protection rules vary based on the protection template. For more information, see Protection module overview. | |
Protection module overview
The following table describes the protection modules that are supported by WAF and the default configurations of each protection module.
Protection module | Description | Default protection template | Configuration recommendation |
Defends against common web application attacks based on a built-in protection rule set. The common web application attacks include SQL injection, cross-site scripting (XSS), code execution, webshell upload, and command injection. | A built-in default protection template is provided, and the template contains the protection rule set provided by WAF. By default, the default protection template is enabled, and the Block action is specified. Important The basic protection rule module protects all protected objects that are newly added to WAF. The module automatically blocks attack requests. | We recommend that you retain the default configurations. If the basic protection rule set blocks normal requests, you can configure a whitelist rule to be used with the basic protection rules. For more information, see Configure whitelist rules to allow specific requests. | |
Defends against attacks based on a group of protection rules. You can configure a custom rule group or use the default rule group. You can associate a rule group with a basic protection template based on your business requirements to protect your website from common web application attacks. | A built-in default rule group is provided by WAF. | To enable a custom rule group, you must create a rule group template and configure rules for the template. | |
Allows requests that have specific characteristics to bypass the checks of all or specified protection modules. You can configure the characteristics of the requests based on your business requirements. | A built-in default protection template is provided, but no protection rules are pre-defined in the default protection template. By default, the protection template is enabled. | If you want WAF to allow requests that have specific characteristics, you must create a whitelist rule in the default protection template. | |
Mitigates HTTP flood attacks based on built-in common HTTP flood protection algorithms. You can also configure throttling for HTTP flood protection in the custom rule module. | A built-in default protection template is provided, but no protection rules are pre-defined in the default protection template. By default, the protection template is enabled. Note The default protection template takes effect only for subscription WAF Pro Edition, Enterprise Edition, and Ultimate Edition instances. | To enable custom rules, you must create a protection template and configure rules for the template. | |
Identifies the scanning behaviors and characteristics of scanners to prevent attackers or scanners from scanning your websites. This helps reduce the risk of intrusions into web services and blocks unwanted scanning traffic. | A built-in default protection template is provided, but no protection rules are pre-defined in the default protection template. By default, the protection template is enabled. Note The default protection template takes effect only for subscription WAF Pro Edition, Enterprise Edition, and Ultimate Edition instances. | To enable custom rules, you must create a protection template and configure rules for the template. | |
Blocks requests from specified IPv4 addresses, IPv6 addresses, or CIDR blocks. You can specify the IP addresses or CIDR blocks based on your business requirements. | No default protection template is provided. By default, this protection module is disabled. | To enable this protection module, you must create a protection template and configure rules for the template. | |
Blocks requests, verifies requests, or records logs based on the characteristics of HTTP requests or a set of custom characteristics that you specify. When you configure a custom rule, you can turn on Rate Limiting. After Rate Limiting is turned on, a statistical object, such as an IP address or a session, is added to the blacklist if the request rate of the statistical object exceeds the threshold value. After the statistical object is added to the blacklist, WAF performs a specified action on the requests from the statistical object during the specified period of time. | |||
Allows you to configure the block page that WAF returns to the client when a client request is blocked by WAF. You can specify the status code, response headers, and response body of the block page. | |||
Allows you to block client IP addresses from specific regions with a few clicks. | |||
Locks specific web pages to prevent content tampering. When a locked web page receives a request, a preconfigured cached page is returned. | |||
Filters abnormal returned content and masks sensitive information, such as ID card numbers, phone numbers, bank card numbers, and sensitive words. | |||
Detects Layer 4 and Layer 7 bot traffic by using fingerprinting techniques. | |||
Identifies bot traffic based on the characteristics of clients, traffic, behaviors, and intelligence, and blocks malicious traffic to prevent unwanted bandwidth consumption, data crawling, spam user registration, malicious orders, malicious voting, and abuse of APIs. | |||
Ensures the security of major events within a specific time range and provides precise protection for your services. | No default protection template is provided. By default, this protection module is disabled. | To enable this protection module, you must create a protection template and configure rules for the template. | |
Automatically sorts through the APIs of services that are protected by WAF and detects API vulnerabilities, such as unauthorized access to APIs, exposure of sensitive data, and exposure of internal APIs. This module allows you to trace API exception events by using reports, provides suggestions on how to fix detected vulnerabilities, and provides data for API lifecycle management. This helps you configure comprehensive API security protection. | N/A. | ||
Disable WAF protection
If you want to disable WAF protection, go to the Protected Objects page of the WAF 3.0 console and turn off WAF.
After you disable WAF protection, the traffic to the websites that are originally protected by WAF bypasses the protection engine of WAF, and WAF stops logging monitored and blocked requests. If you perform operations such as emergency tests that require WAF protection to be temporarily disabled, we recommend that you go to the Protected Objects page of the WAF 3.0 console and enable WAF protection again after the operations are complete to resume logging monitored and blocked requests. This helps reduce the potential exposure of your assets. If you disable WAF protection or specific features and configure the API security module, the relevant detection process is not stopped.
If you use a pay-as-you-go WAF instance and disable WAF protection for a short period of time, you are still charged feature fees and basic request fees during the period. If you enable the API security module, you are also charged traffic fees for the API security module. The billing for bot management, risk identification, and custom rules is suspended.
Disabling WAF protection for Microservices Engine (MSE) and Function Compute that are added to WAF is not supported. If you want to disable WAF protection for websites that are deployed in a hybrid cloud, the configuration applies only when the version of the hybrid cloud meets specific conditions. For more information, contact your business manager or choose Tickets to submit a ticket for consultation. Alibaba Cloud technical support will provide you with specific version information.
Example: Configure multiple protection templates for a protection module
You can configure multiple protection templates for a protection module. You can use the protection templates to configure protection rules for different protected objects to meet your business requirements.
The basic protection rule module is used in this example. A default protection template is provided. By default, the template is enabled, and the Block action is specified in the template. The default protection template is applied to all newly added protected objects in WAF. If WAF detects an attack request that is sent to a protected object, WAF blocks the attack request.
If you want WAF to monitor the attack requests that are sent to newly added protected objects and want WAF to block the attack requests that are sent to existing protected objects, you can use the following configurations. If WAF monitors the attack requests, WAF does not block the attack requests but rather keeps a record of the protection rules that are matched by the attack requests.
Change the value of the Action parameter to Monitor in the default protection template.
Create a protection template. Set the Action parameter to Block and the Apply To parameter to all existing protected objects in WAF.
After you complete the preceding configurations, WAF monitors the attack requests that are sent to the newly added protected objects. After you confirm that WAF only blocks unwanted requests, you can apply the protection template that you created to the protected objects.