All Products
Search
Document Center

Web Application Firewall:Configure protection rules for the data leakage prevention module to prevent data leaks

Last Updated:Sep 12, 2024

After you add web services to Web Application Firewall (WAF), you can configure protection rules for the data leakage prevention module to filter abnormal returned content and mask sensitive information, such as ID card numbers, phone numbers, bank card numbers, and sensitive words. Then, WAF returns the masked information or default response pages to clients. This topic describes how to create a protection template of the data leakage prevention module and add protection rules to the template.

Limits

If you enable WAF protection for Application Load Balancer (ALB) instances, Microservices Engine (MSE) instances, or Function Compute-related domain names in cloud native mode, the related protected objects do not support the data leakage prevention module.

Prerequisites

Step 1: Create a protection template of the data leakage prevention module

The data leakage prevention module does not provide default protection templates. Before you can enable protection rules of the data leakage prevention module, you must create a protection template of the module and add protection rules to the template.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.

  2. In the left-side navigation pane, choose Protection Configuration > Basic Web Protection.

  3. In the Data Leakage Prevention section of the Basic Web Protection page, click Create Template.

    Note

    If this is your first time to create a protection template of the data leakage prevention module, you can also click Configure Now in the Data Leakage Prevention card in the upper part of the Basic Web Protection page.

  4. In the Create Template - Data Leakage Prevention panel, configure the parameters and click OK.

    Parameter

    Description

    Template Name

    Specify a name for the template.

    The name of the template must be 1 to 255 characters in length and can contain letters, digits, periods (.), underscores (_), and hyphens (-).

    Rule Configuration

    Click Create Rule to create a protection rule for the template. You can also create protection rules after the template is created. For more information, see Step 2: Add protection rules to a protection template of the data leakage prevention module.

    Apply To

    Select the protected objects and protected object groups to which you want to apply the template.

    You can apply only one template of a protection module to a protected object or protected object group. For more information about how to add protected objects and create protected object groups, see Configure protected objects and protected object groups.

    By default, a newly created protection template is enabled. You can perform the following operations on the protection template in the template list:

    • View the numbers of protected objects and protected object groups that are associated with the template in the Protected Object/Group column.

    • Turn on or turn off the switch in the Status column to enable or disable the template.

    • Click Edit or Delete in the Actions column to modify or delete the template.

    • Click the 展开图标 icon to the left of the template name to view the protection rules in the template.

Step 2: Add protection rules to a protection template of the data leakage prevention module

A protection template takes effect only after you add protection rules to the template. If you created protection rules when you created the protection template, you can skip this step.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.

  2. In the left-side navigation pane, choose Protection Configuration > Basic Web Protection.

  3. In the Data Leakage Prevention section, find the protection template to which you want to add protection rules and click Create Rule in the Actions column.

  4. In the Create Rule dialog box, configure the parameters and click OK.

    Parameter

    Description

    Rule Name

    Specify a name for the rule.

    The name of the rule can contain letters, digits, periods (.), underscores (_), and hyphens (-).

    Match Condition

    Specify the type of sensitive information that you want to detect. Valid values:

    • Status Code: 400, 401, 402, 403, 404, 500, 501, 502, 503, 504, 405-499, and 505-599

    • Sensitive Info: ID Card Numbers, Credit Card Number, Mobile Phone Number, and Default Sensitive Words

      Important

      The data leakage prevention module can process only data in the formats that are supported in the Chinese mainland. The data includes ID card numbers, mobile phone numbers, and bank card numbers.

    You can select multiple options for Status Code and Sensitive Info.

    If you select AND, you can specify the URL for detection. This way, WAF detects sensitive information only on the specified page.

    Action

    Select the action that you want WAF to perform on the sensitive information that is detected.

    • If you set the Match Condition parameter to Status Code, you can select the following actions:

      • Monitor: records a request that matches the rule in a log and does not block the request.

      • Block: blocks a request that matches the rule and returns a block page to the client that initiates the request.

    • If you set the Match Condition parameter to Sensitive Info, you can select the following actions:

      • Monitor: records a request that matches the rule in a log and does not block the request.

      • Mask: replaces sensitive information in a request that matches the rule with asterisks (*) and does not block the request.

    By default, a newly created protection rule is enabled. You can perform the following operations on the protection rule in the rule list:

    • Turn on or turn off the switch in the Status column to enable or disable the rule.

    • Click Edit or Delete in the Actions column to modify or delete the rule.

What to do next

On the Data Leakage Prevention tab of the Security Reports page, you can view the protection details of the configured protection rules. For more information, see Data leakage prevention module.

References

  • For more information about the protection objects, protection modules, and protection process of WAF 3.0, see Protection configuration overview.

  • For more information about how to create a protection template by calling an API operation, see CreateDefenseTemplate.

  • For more information about how to create a protection rule by calling an API operation, see CreateDefenseRule.