Protection configuration overview

This topic describes the terminology, process, protection modules, and examples for the protection configuration of Web Application Firewall (WAF).

Protection configuration process

After you add web services to WAF, you can perform the following steps to configure protection rules for the web services. The protection configuration process varies based on the access method that you use to add your web services to WAF.

Step	Cloud native mode	CNAME record mode

Step	Cloud native mode	CNAME record mode
1. Add a protected object.	The cloud service instances that are added to WAF in cloud native mode are automatically added as protected objects in WAF. If you want to configure different protection rules for different domain names that point to the same cloud service instance, you must manually add the domain names as protected objects in WAF. For more information, see Configure protected objects and protected object groups.	The domain names that are added to WAF in CNAME record mode are automatically added as protected objects in WAF.
2. (Optional) Add the protected object to a protected object group.	If you want to configure the same protection rule for multiple protected objects, you can add the protected objects to a protected object group and then configure the protection rule for the protected object group. The protection rule takes effect on all protected objects in the group. Before you can use a protected object group, you must create a protected object group and add protected objects to the group. For more information, see Create a protected object group.
3. Create a protection template.	Before you can enable a protection module, you must create a protection template for the protection module. Then, you can apply the protection template to specific protected objects or protected object groups. The core protection rule and whitelist modules provide default protection templates. You do not need to create protection templates to enable these modules. If you want to enable other protection modules, you must create protection templates for the protection modules. For more information, see Protection module overview. You can create multiple protection templates that contain different protection rules and apply different protection rules to specific protected objects. For more information, see Example: Configure multiple protection templates for a protection module.
4. Manage protection rules.	You can manage protection rules in the protection templates of different protection modules. For example, you can create, enable, or disable protection rules. Modifications to protection rules in a protection template take effect on all protected objects to which the protection template is applied. The operations that you can perform on protection rules vary based on the protection template. For more information, see Protection module overview.

Protection module overview

The following table describes the protection modules that are supported by WAF and the default configuration of each protection module.

Protection module	Description	Default protection template	Configuration suggestion

Protection module	Description	Default protection template	Configuration suggestion
Core protection rule	Defends against common web application attacks based on a built-in protection rule set. The common web application attacks include SQL injection, cross-site scripting (XSS), code execution, webshell upload, and command injection.	A default protection template is provided, and the template uses the protection rule set provided by WAF. By default, the protection template is enabled, and the Block action is specified. Important By default, the core protection rule module is enabled for all protected objects that are newly added to WAF. The module automatically blocks attack requests.	We recommend that you retain the default configuration. If specific protection rules in the protection rule set block normal requests, you can configure a protection rule for the whitelist module based on the specified protection rules to prevent false positives. For more information, see Configure protection rules for the whitelist module to allow specific requests.
Rule group Note The rule group feature has been upgraded and iterated to the engine configuration feature. For more information, see [Announcement].	Defends against attacks based on a group of protection rules. You can configure a custom rule group or use the default rule group. You can associate a rule group with a protection template of the core protection rule module to protect your website from common web application attacks.	A default rule group is provided.	To enable a custom rule group, you must create a protection template and configure protection rules for the template.
Whitelist	Allows requests that have specific characteristics to bypass the checks of all or specified protection modules. You can configure the characteristics of the requests based on your business requirements.	A default protection template is provided, but no protection rules are pre-defined in the default protection template. By default, the protection template is enabled.	If you want WAF to allow requests that have specific characteristics, you can create protection rules in the default protection template of the whitelist module.
HTTP flood protection	Mitigates HTTP flood attacks based on built-in common HTTP flood protection algorithms. You can also configure throttling for HTTP flood protection in the custom rule module.	A default protection template is provided, but no protection rules are pre-defined in the default protection template. By default, the protection template is enabled. Note The default protection template is supported only in subscription WAF instances that run the Pro, Enterprise, or Ultimate edition.	To enable a custom protection rule, you must create a protection template and configure the protection rule in the template.
Scan protection	Identifies the scanning behaviors and characteristics of scanners to prevent attackers or scanners from scanning your websites. This helps reduce the risk of intrusions into web services and blocks unwanted scanning traffic.	A default protection template is provided, but no protection rules are pre-defined in the default protection template. By default, the protection template is enabled. Note The default protection template is supported only in subscription WAF instances that run the Pro, Enterprise, or Ultimate edition.	To enable a custom protection rule, you must create a protection template and configure the protection rule in the template.
IP address blacklist	Blocks requests from specified IPv4 addresses, IPv6 addresses, or CIDR blocks. You can specify the IP addresses or CIDR blocks based on your business requirements.	No default protection template is provided. By default, this protection module is disabled.	To enable this protection module, you must create a protection template and configure protection rules for the template.
Custom rule	Blocks requests, verifies requests, or records logs based on the characteristics of HTTP requests or a set of custom characteristics that you specify. When you configure a protection rule, you can turn on Rate Limiting. If a statistical object, such as an IP address or a session, matches the specified condition, the statistical object is added to the blacklist. During the specified period of time, WAF performs the specified action on all requests from the statistical object.
Custom response	Allows you to configure custom block pages that WAF returns to clients when the requests of the clients are blocked by WAF. You can specify a custom status code, response header, and response body.
Region blacklist	Allows you to block client IP addresses from specific regions with a few clicks.
Website tamper-proofing	Locks specific web pages to prevent content tampering. When a locked web page receives a request, a pre-defined cached page is returned.
Data leakage prevention	Filters abnormal returned content and masks sensitive information, such as ID card numbers, phone numbers, bank card numbers, and sensitive words.
Bot management for basic protection	Identifies Layer 4 and Layer 7 bot traffic by using fingerprinting techniques.
Bot management for website protection	Identifies bot traffic based on the characteristics of clients, traffic, behaviors, and intelligence, and blocks malicious traffic to prevent unwanted bandwidth consumption, data crawling, spam user registration, malicious orders, malicious voting, and abuse of APIs.
Bot management for app protection
Major event protection	Ensures the security of major events within a specific time range and provides precise protection for your services.	No default protection template is provided. By default, this protection module is disabled.	To enable this protection module, you must create a protection template and configure protection rules for the template.
API security	Sorts the API assets of services that are protected by WAF and detects API risks, such as unauthorized access to APIs, exposure of sensitive data, and exposure of internal APIs. This protection module provides reports on API exception events, suggestions for handling detected risks, and references for API lifecycle management.	N/A.
Traffic spike throttling	Allows you to limit the number of requests to specific servers by specifying a QPS or percentage limit and filters for traffic from selected regions.	No default protection template is provided. By default, this protection module is disabled.	To enable this protection module, you must create a protection template and configure protection rules for the template.

Important

The protection capabilities of WAF vary based on the edition. For example, the traffic spike throttling module is supported only in subscription WAF instances that run the Pro edition or higher. For more information, see Editions.

Disable WAF protection

If you want to temporarily disable WAF protection, you can go to the Protected Objects page of the WAF 3.0 console and turn off WAF Protection Status.

After you disable WAF protection, traffic destined for the websites that are originally protected by WAF bypasses the protection engine of WAF, and WAF stops logging monitored and blocked requests. After you perform operations that require WAF protection to be temporarily disabled, such as emergency tests, we recommend that you go to the Protected Objects page of the WAF 3.0 console and enable WAF protection at the earliest opportunity to resume logging. This helps reduce the potential exposure of your assets. If you disable WAF protection or specific features but configure API security policies, the related detection processes still continue.

Important

If you use a pay-as-you-go WAF instance and disable WAF protection for a short period of time, you are still charged feature fees and basic traffic fees during the period. If you enable the API security module, you are also charged traffic fees for the API security module. You are not charged request processing fees for the bot management, risk identification, or custom rule module.

Note

You cannot turn off WAF Protection Status to disable WAF protection for Microservices Engine (MSE) or Function Compute assets that are added to WAF in cloud native mode. If your assets are added to WAF in hybrid cloud mode, you can turn off WAF Protection Status to disable WAF protection for the assets only if your WAF instance runs the required edition. For more information about the required edition, contact your business manager or submit a ticket for consultation.

Example: Configure multiple protection templates for a protection module

You can configure multiple protection templates for a protection module. You can use the protection templates to configure different protection rules for different protected objects.

In this example, the core protection rule module is used. A default protection template is provided for the module. By default, the template is enabled, and the Action parameter is set to Block in the template. If new protected objects are added to WAF, the default protection template is automatically applied. If WAF detects an attack request that is sent to a protected object, WAF blocks the attack request.

If you want WAF to monitor the attack requests that are sent to new protected objects and block the attack requests that are sent to existing protected objects, you can perform the following operations. If WAF monitors the attack requests, WAF does not block the attack requests but rather keeps a record of the protection rules that are matched by the attack requests.

Change the value of the Action parameter to Monitor in the default protection template.
Create a protection template of the core protection rule module. Set the Action parameter to Block and the Apply To parameter to all existing protected objects in WAF.

After you perform the preceding operations, WAF monitors requests that are sent to the new protected objects. After you confirm that WAF blocks only unwanted requests, you can apply the protection template that you create to the new protected objects.

Protection configuration process

Protection module overview

Disable WAF protection

Example: Configure multiple protection templates for a protection module

Sales Support

Technical Support

Connect & Report Abuse

About Alibaba Cloud

Our Global Network

Quick Start

Global Offices

Olympic Games Paris 2024 New

Stade Roland Garros – Glitz from the Past New

Place de la Concorde – “Breaking” the Barriers New

Vaires-sur-Marne Nautical Stadium – Sports with Sustainability New

International Broadcast Center – Images, Sounds, and Data that Captivate Billions New

Customer Success Stories New

Trust Center

Security & Compliance Center

Cloud Compliance Resources

Security Compliance FAQs

Product & Feature Update New

Cloud Forward

Press Room

Alibaba Cloud e-Magazine New

Alibaba Cloud in Analyst Research

Notice

Go Global Service New

Go Global Alliance with Alibaba Cloud

Asia Accelerator Hot

Information Compliance

China Gateway - MLPS 2.0 Compliance New

China Gateway - Networking

China Gateway - Global Application Acceleration New

China Gateway - Security

China Gateway - Data Security New

ICP Support Hot

China Gateway - Omnichannel Data Mid-End New

China Gateway - Organizational Data Mid-End New

China Gateway - Business Mid-End New

China Gateway - AI Service for Conversational Chatbots New

China Gateway - Online Education

China Gateway - Domain Registration

Work at Alibaba Cloud

Experienced Professionals

Students and Graduates

Free Trial

Pricing

Promo Center

Price Reduction

Pay Less and Deploy More

FinOps

Elastic Compute Service (ECS)

Simple Application Server (SAS)

Elastic GPU Service

Elastic Desktop Service (EDS)

Object Storage Service (OSS)

Cloud Enterprise Network (CEN)

Web Application Firewall (WAF)

Domain Names

Container Compute Service (ACS)

Secure Access Service Edge (SASE)

Intelligent Media Services(IMS)

Edge Security Acceleration (ESA)(Original DCDN)

Intelligent Media Management

DingTalk Enterprise

YiDA

Alibaba Cloud Model Studio

Apsara Prime - For Easy Cloud Product Selection

Alibaba Cloud ECS - Cater All Your Cloud Hosting Needs

1TB CDN—Get Free 1 TB Outbound Traffic Plan Now

Security—Under Attack? Get Free Security Support

Short Message Service - Free Testing is Available

Elastic Compute Service (ECS) Hot

CloudBox

Compute Nest

Dedicated Host Hot

ECS Bare Metal Instance

Elastic GPU Service Featured

Simple Application Server (SAS) Hot

Auto Scaling

Cloud Phone Beta

Elastic Desktop Service (EDS) Featured

Batch Compute

Elastic High Performance Computing (E-HPC)

Super Computing Cluster (SCC)

Function Compute (FC)