diff --git a/umn/source/_static/images/en-us_image_0000001081671555.jpg b/umn/source/_static/images/en-us_image_0000001081671555.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001081671555.jpg differ diff --git a/umn/source/_static/images/en-us_image_0000001081906323.jpg b/umn/source/_static/images/en-us_image_0000001081906323.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001081906323.jpg differ diff --git a/umn/source/_static/images/en-us_image_0000001082065421.jpg b/umn/source/_static/images/en-us_image_0000001082065421.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001082065421.jpg differ diff --git a/umn/source/_static/images/en-us_image_0000001126290859.png b/umn/source/_static/images/en-us_image_0000001126290859.png new file mode 100644 index 0000000..9cc3fc1 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001126290859.png differ diff --git a/umn/source/_static/images/en-us_image_0000001127096041.png b/umn/source/_static/images/en-us_image_0000001127096041.png new file mode 100644 index 0000000..7346d7f Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001127096041.png differ diff --git a/umn/source/_static/images/en-us_image_0000001127126255.png b/umn/source/_static/images/en-us_image_0000001127126255.png new file mode 100644 index 0000000..df8a9d0 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001127126255.png differ diff --git a/umn/source/_static/images/en-us_image_0000001133216533.jpg b/umn/source/_static/images/en-us_image_0000001133216533.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001133216533.jpg differ 
diff --git a/umn/source/_static/images/en-us_image_0000001191376107.jpg b/umn/source/_static/images/en-us_image_0000001191376107.jpg new file mode 100644 index 0000000..cc595ad Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001191376107.jpg differ diff --git a/umn/source/_static/images/en-us_image_0000001227094315.png b/umn/source/_static/images/en-us_image_0000001227094315.png new file mode 100644 index 0000000..19b0e9b Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001227094315.png differ diff --git a/umn/source/_static/images/en-us_image_0000001238212390.png b/umn/source/_static/images/en-us_image_0000001238212390.png new file mode 100644 index 0000000..930cfd6 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001238212390.png differ diff --git a/umn/source/_static/images/en-us_image_0000001238508978.jpg b/umn/source/_static/images/en-us_image_0000001238508978.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001238508978.jpg differ diff --git a/umn/source/_static/images/en-us_image_0000001238531606.png b/umn/source/_static/images/en-us_image_0000001238531606.png new file mode 100644 index 0000000..6e43f2e Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001238531606.png differ diff --git a/umn/source/_static/images/en-us_image_0000001240865319.jpg b/umn/source/_static/images/en-us_image_0000001240865319.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001240865319.jpg differ diff --git a/umn/source/_static/images/en-us_image_0000001241293100.png b/umn/source/_static/images/en-us_image_0000001241293100.png new file mode 100644 index 0000000..930cfd6 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001241293100.png differ 
diff --git a/umn/source/_static/images/en-us_image_0000001241765756.png b/umn/source/_static/images/en-us_image_0000001241765756.png new file mode 100644 index 0000000..6e43f2e Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001241765756.png differ diff --git a/umn/source/_static/images/en-us_image_0000001260399509.jpg b/umn/source/_static/images/en-us_image_0000001260399509.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001260399509.jpg differ diff --git a/umn/source/_static/images/en-us_image_0000001275434812.png b/umn/source/_static/images/en-us_image_0000001275434812.png new file mode 100644 index 0000000..930cfd6 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001275434812.png differ diff --git a/umn/source/_static/images/en-us_image_0000001282207201.png b/umn/source/_static/images/en-us_image_0000001282207201.png new file mode 100644 index 0000000..6e43f2e Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001282207201.png differ diff --git a/umn/source/_static/images/en-us_image_0000001282375645.png b/umn/source/_static/images/en-us_image_0000001282375645.png new file mode 100644 index 0000000..6e43f2e Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001282375645.png differ diff --git a/umn/source/_static/images/en-us_image_0000001282406385.png b/umn/source/_static/images/en-us_image_0000001282406385.png new file mode 100644 index 0000000..930cfd6 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001282406385.png differ diff --git a/umn/source/_static/images/en-us_image_0000001284383208.png b/umn/source/_static/images/en-us_image_0000001284383208.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001284383208.png differ 
diff --git a/umn/source/_static/images/en-us_image_0000001284790620.png b/umn/source/_static/images/en-us_image_0000001284790620.png new file mode 100644 index 0000000..9c0f873 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001284790620.png differ diff --git a/umn/source/_static/images/en-us_image_0000001284850794.png b/umn/source/_static/images/en-us_image_0000001284850794.png new file mode 100644 index 0000000..1c0acd5 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001284850794.png differ diff --git a/umn/source/_static/images/en-us_image_0000001284852786.png b/umn/source/_static/images/en-us_image_0000001284852786.png new file mode 100644 index 0000000..12c5a8d Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001284852786.png differ diff --git a/umn/source/_static/images/en-us_image_0000001284861820.png b/umn/source/_static/images/en-us_image_0000001284861820.png new file mode 100644 index 0000000..3b233e5 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001284861820.png differ diff --git a/umn/source/_static/images/en-us_image_0000001284948512.png b/umn/source/_static/images/en-us_image_0000001284948512.png new file mode 100644 index 0000000..68a0f42 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001284948512.png differ diff --git a/umn/source/_static/images/en-us_image_0000001285022128.png b/umn/source/_static/images/en-us_image_0000001285022128.png new file mode 100644 index 0000000..a197f17 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001285022128.png differ diff --git a/umn/source/_static/images/en-us_image_0000001285028708.png b/umn/source/_static/images/en-us_image_0000001285028708.png new file mode 100644 index 0000000..df03ee5 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001285028708.png differ 
diff --git a/umn/source/_static/images/en-us_image_0000001285178604.png b/umn/source/_static/images/en-us_image_0000001285178604.png new file mode 100644 index 0000000..1c0acd5 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001285178604.png differ diff --git a/umn/source/_static/images/en-us_image_0000001285430612.png b/umn/source/_static/images/en-us_image_0000001285430612.png new file mode 100644 index 0000000..d3181e0 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001285430612.png differ diff --git a/umn/source/_static/images/en-us_image_0000001285485922.png b/umn/source/_static/images/en-us_image_0000001285485922.png new file mode 100644 index 0000000..5484b02 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001285485922.png differ diff --git a/umn/source/_static/images/en-us_image_0000001285486134.png b/umn/source/_static/images/en-us_image_0000001285486134.png new file mode 100644 index 0000000..103b38c Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001285486134.png differ diff --git a/umn/source/_static/images/en-us_image_0000001285577484.png b/umn/source/_static/images/en-us_image_0000001285577484.png new file mode 100644 index 0000000..0206494 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001285577484.png differ diff --git a/umn/source/_static/images/en-us_image_0000001285577912.png b/umn/source/_static/images/en-us_image_0000001285577912.png new file mode 100644 index 0000000..06ba8c0 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001285577912.png differ diff --git a/umn/source/_static/images/en-us_image_0000001285588948.png b/umn/source/_static/images/en-us_image_0000001285588948.png new file mode 100644 index 0000000..d9fa5b4 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001285588948.png differ 
diff --git a/umn/source/_static/images/en-us_image_0000001285636510.png b/umn/source/_static/images/en-us_image_0000001285636510.png new file mode 100644 index 0000000..192aa59 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001285636510.png differ diff --git a/umn/source/_static/images/en-us_image_0000001285643550.png b/umn/source/_static/images/en-us_image_0000001285643550.png new file mode 100644 index 0000000..1cc4085 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001285643550.png differ diff --git a/umn/source/_static/images/en-us_image_0000001285661276.png b/umn/source/_static/images/en-us_image_0000001285661276.png new file mode 100644 index 0000000..74d46bd Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001285661276.png differ diff --git a/umn/source/_static/images/en-us_image_0000001285684556.png b/umn/source/_static/images/en-us_image_0000001285684556.png new file mode 100644 index 0000000..1af9d51 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001285684556.png differ diff --git a/umn/source/_static/images/en-us_image_0000001285728898.png b/umn/source/_static/images/en-us_image_0000001285728898.png new file mode 100644 index 0000000..0bbcc97 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001285728898.png differ diff --git a/umn/source/_static/images/en-us_image_0000001285737132.png b/umn/source/_static/images/en-us_image_0000001285737132.png new file mode 100644 index 0000000..7e4fa5c Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001285737132.png differ diff --git a/umn/source/_static/images/en-us_image_0000001285803110.png b/umn/source/_static/images/en-us_image_0000001285803110.png new file mode 100644 index 0000000..fcdd344 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001285803110.png differ 
diff --git a/umn/source/_static/images/en-us_image_0000001285811290.png b/umn/source/_static/images/en-us_image_0000001285811290.png new file mode 100644 index 0000000..00856df Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001285811290.png differ diff --git a/umn/source/_static/images/en-us_image_0000001285815180.png b/umn/source/_static/images/en-us_image_0000001285815180.png new file mode 100644 index 0000000..72407d9 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001285815180.png differ diff --git a/umn/source/_static/images/en-us_image_0000001285950994.png b/umn/source/_static/images/en-us_image_0000001285950994.png new file mode 100644 index 0000000..895f47b Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001285950994.png differ diff --git a/umn/source/_static/images/en-us_image_0000001285975220.png b/umn/source/_static/images/en-us_image_0000001285975220.png new file mode 100644 index 0000000..d03569f Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001285975220.png differ diff --git a/umn/source/_static/images/en-us_image_0000001285981628.png b/umn/source/_static/images/en-us_image_0000001285981628.png new file mode 100644 index 0000000..d0cdaf7 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001285981628.png differ diff --git a/umn/source/_static/images/en-us_image_0000001285986476.png b/umn/source/_static/images/en-us_image_0000001285986476.png new file mode 100644 index 0000000..1cb9d39 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001285986476.png differ diff --git a/umn/source/_static/images/en-us_image_0000001285992940.png b/umn/source/_static/images/en-us_image_0000001285992940.png new file mode 100644 index 0000000..fd6bca8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001285992940.png differ 
diff --git a/umn/source/_static/images/en-us_image_0000001286051354.png b/umn/source/_static/images/en-us_image_0000001286051354.png new file mode 100644 index 0000000..afa7592 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001286051354.png differ diff --git a/umn/source/_static/images/en-us_image_0000001286052290.png b/umn/source/_static/images/en-us_image_0000001286052290.png new file mode 100644 index 0000000..889d1c1 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001286052290.png differ diff --git a/umn/source/_static/images/en-us_image_0000001286058500.png b/umn/source/_static/images/en-us_image_0000001286058500.png new file mode 100644 index 0000000..2cb70c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001286058500.png differ diff --git a/umn/source/_static/images/en-us_image_0000001286061432.png b/umn/source/_static/images/en-us_image_0000001286061432.png new file mode 100644 index 0000000..004f239 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001286061432.png differ diff --git a/umn/source/_static/images/en-us_image_0000001286529486.png b/umn/source/_static/images/en-us_image_0000001286529486.png new file mode 100644 index 0000000..d085559 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001286529486.png differ diff --git a/umn/source/_static/images/en-us_image_0000001286548588.png b/umn/source/_static/images/en-us_image_0000001286548588.png new file mode 100644 index 0000000..b9f9566 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001286548588.png differ diff --git a/umn/source/_static/images/en-us_image_0000001287944330.png b/umn/source/_static/images/en-us_image_0000001287944330.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001287944330.png differ 
diff --git a/umn/source/_static/images/en-us_image_0000001287946362.png b/umn/source/_static/images/en-us_image_0000001287946362.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001287946362.png differ diff --git a/umn/source/_static/images/en-us_image_0000001287946366.png b/umn/source/_static/images/en-us_image_0000001287946366.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001287946366.png differ diff --git a/umn/source/_static/images/en-us_image_0000001287947022.png b/umn/source/_static/images/en-us_image_0000001287947022.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001287947022.png differ diff --git a/umn/source/_static/images/en-us_image_0000001288099090.png b/umn/source/_static/images/en-us_image_0000001288099090.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001288099090.png differ diff --git a/umn/source/_static/images/en-us_image_0000001288106282.png b/umn/source/_static/images/en-us_image_0000001288106282.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001288106282.png differ diff --git a/umn/source/_static/images/en-us_image_0000001288106346.png b/umn/source/_static/images/en-us_image_0000001288106346.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001288106346.png differ diff --git a/umn/source/_static/images/en-us_image_0000001288106950.png b/umn/source/_static/images/en-us_image_0000001288106950.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001288106950.png differ 
diff --git a/umn/source/_static/images/en-us_image_0000001288264194.png b/umn/source/_static/images/en-us_image_0000001288264194.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001288264194.png differ diff --git a/umn/source/_static/images/en-us_image_0000001288266226.png b/umn/source/_static/images/en-us_image_0000001288266226.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001288266226.png differ diff --git a/umn/source/_static/images/en-us_image_0000001288266230.png b/umn/source/_static/images/en-us_image_0000001288266230.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001288266230.png differ diff --git a/umn/source/_static/images/en-us_image_0000001288266902.png b/umn/source/_static/images/en-us_image_0000001288266902.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001288266902.png differ diff --git a/umn/source/_static/images/en-us_image_0000001288423818.png b/umn/source/_static/images/en-us_image_0000001288423818.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001288423818.png differ diff --git a/umn/source/_static/images/en-us_image_0000001288425878.png b/umn/source/_static/images/en-us_image_0000001288425878.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001288425878.png differ diff --git a/umn/source/_static/images/en-us_image_0000001288427746.png b/umn/source/_static/images/en-us_image_0000001288427746.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001288427746.png differ 
diff --git a/umn/source/_static/images/en-us_image_0000001317947942.jpg b/umn/source/_static/images/en-us_image_0000001317947942.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001317947942.jpg differ diff --git a/umn/source/_static/images/en-us_image_0000001324043026.png b/umn/source/_static/images/en-us_image_0000001324043026.png new file mode 100644 index 0000000..12c5a8d Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001324043026.png differ diff --git a/umn/source/_static/images/en-us_image_0000001326514597.png b/umn/source/_static/images/en-us_image_0000001326514597.png new file mode 100644 index 0000000..6e43f2e Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001326514597.png differ diff --git a/umn/source/_static/images/en-us_image_0000001326640436.png b/umn/source/_static/images/en-us_image_0000001326640436.png new file mode 100644 index 0000000..6e7d232 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001326640436.png differ diff --git a/umn/source/_static/images/en-us_image_0000001326802772.png b/umn/source/_static/images/en-us_image_0000001326802772.png new file mode 100644 index 0000000..3714595 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001326802772.png differ diff --git a/umn/source/_static/images/en-us_image_0000001327191500.png b/umn/source/_static/images/en-us_image_0000001327191500.png new file mode 100644 index 0000000..824f1e8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001327191500.png differ diff --git a/umn/source/_static/images/en-us_image_0000001327470582.png b/umn/source/_static/images/en-us_image_0000001327470582.png new file mode 100644 index 0000000..86931c5 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001327470582.png differ 
diff --git a/umn/source/_static/images/en-us_image_0000001336983185.jpg b/umn/source/_static/images/en-us_image_0000001336983185.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001336983185.jpg differ diff --git a/umn/source/_static/images/en-us_image_0000001337244713.png b/umn/source/_static/images/en-us_image_0000001337244713.png new file mode 100644 index 0000000..b421966 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001337244713.png differ diff --git a/umn/source/_static/images/en-us_image_0000001337404641.png b/umn/source/_static/images/en-us_image_0000001337404641.png new file mode 100644 index 0000000..9d45c05 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001337404641.png differ diff --git a/umn/source/_static/images/en-us_image_0000001337470357.png b/umn/source/_static/images/en-us_image_0000001337470357.png new file mode 100644 index 0000000..843e8e9 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001337470357.png differ diff --git a/umn/source/_static/images/en-us_image_0000001337771401.png b/umn/source/_static/images/en-us_image_0000001337771401.png new file mode 100644 index 0000000..5d69d7c Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001337771401.png differ diff --git a/umn/source/_static/images/en-us_image_0000001337772205.png b/umn/source/_static/images/en-us_image_0000001337772205.png new file mode 100644 index 0000000..dc81236 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001337772205.png differ diff --git a/umn/source/_static/images/en-us_image_0000001337772269.png b/umn/source/_static/images/en-us_image_0000001337772269.png new file mode 100644 index 0000000..8ed210b Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001337772269.png differ 
diff --git a/umn/source/_static/images/en-us_image_0000001337772549.png b/umn/source/_static/images/en-us_image_0000001337772549.png new file mode 100644 index 0000000..016ae82 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001337772549.png differ diff --git a/umn/source/_static/images/en-us_image_0000001337775421.png b/umn/source/_static/images/en-us_image_0000001337775421.png new file mode 100644 index 0000000..52f33ad Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001337775421.png differ diff --git a/umn/source/_static/images/en-us_image_0000001337777849.png b/umn/source/_static/images/en-us_image_0000001337777849.png new file mode 100644 index 0000000..1cc4085 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001337777849.png differ diff --git a/umn/source/_static/images/en-us_image_0000001337778441.png b/umn/source/_static/images/en-us_image_0000001337778441.png new file mode 100644 index 0000000..4820eca Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001337778441.png differ diff --git a/umn/source/_static/images/en-us_image_0000001337808105.png b/umn/source/_static/images/en-us_image_0000001337808105.png new file mode 100644 index 0000000..298b07c Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001337808105.png differ diff --git a/umn/source/_static/images/en-us_image_0000001337887457.png b/umn/source/_static/images/en-us_image_0000001337887457.png new file mode 100644 index 0000000..6f8569b Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001337887457.png differ diff --git a/umn/source/_static/images/en-us_image_0000001337894657.png b/umn/source/_static/images/en-us_image_0000001337894657.png new file mode 100644 index 0000000..4e78c1a Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001337894657.png differ 
diff --git a/umn/source/_static/images/en-us_image_0000001337958950.png b/umn/source/_static/images/en-us_image_0000001337958950.png new file mode 100644 index 0000000..0ef639f Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001337958950.png differ diff --git a/umn/source/_static/images/en-us_image_0000001338016357.png b/umn/source/_static/images/en-us_image_0000001338016357.png new file mode 100644 index 0000000..8ce4d5a Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001338016357.png differ diff --git a/umn/source/_static/images/en-us_image_0000001338096873.png b/umn/source/_static/images/en-us_image_0000001338096873.png new file mode 100644 index 0000000..86dcf26 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001338096873.png differ diff --git a/umn/source/_static/images/en-us_image_0000001338097417.png b/umn/source/_static/images/en-us_image_0000001338097417.png new file mode 100644 index 0000000..0bbcc97 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001338097417.png differ diff --git a/umn/source/_static/images/en-us_image_0000001338129425.png b/umn/source/_static/images/en-us_image_0000001338129425.png new file mode 100644 index 0000000..db787de Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001338129425.png differ diff --git a/umn/source/_static/images/en-us_image_0000001338155669.png b/umn/source/_static/images/en-us_image_0000001338155669.png new file mode 100644 index 0000000..5ba0311 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001338155669.png differ diff --git a/umn/source/_static/images/en-us_image_0000001338214477.png b/umn/source/_static/images/en-us_image_0000001338214477.png new file mode 100644 index 0000000..ef87a8f Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001338214477.png differ 
diff --git a/umn/source/_static/images/en-us_image_0000001338230701.png b/umn/source/_static/images/en-us_image_0000001338230701.png new file mode 100644 index 0000000..de668d1 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001338230701.png differ diff --git a/umn/source/_static/images/en-us_image_0000001338298405.png b/umn/source/_static/images/en-us_image_0000001338298405.png new file mode 100644 index 0000000..fd6fd03 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001338298405.png differ diff --git a/umn/source/_static/images/en-us_image_0000001338300589.png b/umn/source/_static/images/en-us_image_0000001338300589.png new file mode 100644 index 0000000..a93a1db Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001338300589.png differ diff --git a/umn/source/_static/images/en-us_image_0000001338332661.png b/umn/source/_static/images/en-us_image_0000001338332661.png new file mode 100644 index 0000000..09cde81 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001338332661.png differ diff --git a/umn/source/_static/images/en-us_image_0000001338407897.png b/umn/source/_static/images/en-us_image_0000001338407897.png new file mode 100644 index 0000000..000ca05 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001338407897.png differ diff --git a/umn/source/_static/images/en-us_image_0000001338527429.png b/umn/source/_static/images/en-us_image_0000001338527429.png new file mode 100644 index 0000000..cddf610 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001338527429.png differ diff --git a/umn/source/_static/images/en-us_image_0000001338628737.png b/umn/source/_static/images/en-us_image_0000001338628737.png new file mode 100644 index 0000000..e9b61f7 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001338628737.png differ 
diff --git a/umn/source/_static/images/en-us_image_0000001340304197.png b/umn/source/_static/images/en-us_image_0000001340304197.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001340304197.png differ diff --git a/umn/source/_static/images/en-us_image_0000001340304201.png b/umn/source/_static/images/en-us_image_0000001340304201.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001340304201.png differ diff --git a/umn/source/_static/images/en-us_image_0000001340305457.png b/umn/source/_static/images/en-us_image_0000001340305457.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001340305457.png differ diff --git a/umn/source/_static/images/en-us_image_0000001340305633.png b/umn/source/_static/images/en-us_image_0000001340305633.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001340305633.png differ diff --git a/umn/source/_static/images/en-us_image_0000001340306233.png b/umn/source/_static/images/en-us_image_0000001340306233.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001340306233.png differ diff --git a/umn/source/_static/images/en-us_image_0000001340306901.png b/umn/source/_static/images/en-us_image_0000001340306901.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001340306901.png differ diff --git a/umn/source/_static/images/en-us_image_0000001340308129.png b/umn/source/_static/images/en-us_image_0000001340308129.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001340308129.png differ 
diff --git a/umn/source/_static/images/en-us_image_0000001340308381.png b/umn/source/_static/images/en-us_image_0000001340308381.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001340308381.png differ diff --git a/umn/source/_static/images/en-us_image_0000001340424065.png b/umn/source/_static/images/en-us_image_0000001340424065.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001340424065.png differ diff --git a/umn/source/_static/images/en-us_image_0000001340424693.png b/umn/source/_static/images/en-us_image_0000001340424693.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001340424693.png differ diff --git a/umn/source/_static/images/en-us_image_0000001340425481.png b/umn/source/_static/images/en-us_image_0000001340425481.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001340425481.png differ diff --git a/umn/source/_static/images/en-us_image_0000001340426097.png b/umn/source/_static/images/en-us_image_0000001340426097.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001340426097.png differ diff --git a/umn/source/_static/images/en-us_image_0000001340426101.png b/umn/source/_static/images/en-us_image_0000001340426101.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001340426101.png differ diff --git a/umn/source/_static/images/en-us_image_0000001340427973.png b/umn/source/_static/images/en-us_image_0000001340427973.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001340427973.png differ 
diff --git a/umn/source/_static/images/en-us_image_0000001340583529.png b/umn/source/_static/images/en-us_image_0000001340583529.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001340583529.png differ diff --git a/umn/source/_static/images/en-us_image_0000001340585565.png b/umn/source/_static/images/en-us_image_0000001340585565.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001340585565.png differ diff --git a/umn/source/_static/images/en-us_image_0000001340585569.png b/umn/source/_static/images/en-us_image_0000001340585569.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001340585569.png differ diff --git a/umn/source/_static/images/en-us_image_0000001340586225.png b/umn/source/_static/images/en-us_image_0000001340586225.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001340586225.png differ diff --git a/umn/source/_static/images/en-us_image_0000001340663937.png b/umn/source/_static/images/en-us_image_0000001340663937.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001340663937.png differ diff --git a/umn/source/_static/images/en-us_image_0000001340665981.png b/umn/source/_static/images/en-us_image_0000001340665981.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001340665981.png differ diff --git a/umn/source/_static/images/en-us_image_0000001340666645.png b/umn/source/_static/images/en-us_image_0000001340666645.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001340666645.png differ 
diff --git a/umn/source/_static/images/en-us_image_0000001340667861.png b/umn/source/_static/images/en-us_image_0000001340667861.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001340667861.png differ diff --git a/umn/source/_static/images/en-us_image_0000001344294497.png b/umn/source/_static/images/en-us_image_0000001344294497.png new file mode 100644 index 0000000..bb0ac5a Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001344294497.png differ diff --git a/umn/source/_static/images/en-us_image_0000001344977541.png b/umn/source/_static/images/en-us_image_0000001344977541.png new file mode 100644 index 0000000..4d9ceca Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001344977541.png differ diff --git a/umn/source/_static/images/en-us_image_0000001345013254.png b/umn/source/_static/images/en-us_image_0000001345013254.png new file mode 100644 index 0000000..7aabd8e Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001345013254.png differ diff --git a/umn/source/_static/images/en-us_image_0000001345013500.png b/umn/source/_static/images/en-us_image_0000001345013500.png new file mode 100644 index 0000000..3de8d42 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001345013500.png differ diff --git a/umn/source/_static/images/en-us_image_0000001345171226.png b/umn/source/_static/images/en-us_image_0000001345171226.png new file mode 100644 index 0000000..498f7b8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001345171226.png differ diff --git a/umn/source/_static/images/en-us_image_0000001345173294.png b/umn/source/_static/images/en-us_image_0000001345173294.png new file mode 100644 index 0000000..9e28eed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001345173294.png differ 
diff --git a/umn/source/_static/images/en-us_image_0000001345332674.png b/umn/source/_static/images/en-us_image_0000001345332674.png new file mode 100644 index 0000000..6148d7a Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001345332674.png differ diff --git a/umn/source/_static/images/en-us_image_0000001345493078.png b/umn/source/_static/images/en-us_image_0000001345493078.png new file mode 100644 index 0000000..224322a Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001345493078.png differ diff --git a/umn/source/_static/images/en-us_image_0000001377910101.png b/umn/source/_static/images/en-us_image_0000001377910101.png new file mode 100644 index 0000000..cabfab8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001377910101.png differ diff --git a/umn/source/_static/images/en-us_image_0000001377911005.png b/umn/source/_static/images/en-us_image_0000001377911005.png new file mode 100644 index 0000000..38459a0 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001377911005.png differ diff --git a/umn/source/_static/images/en-us_image_0000001378030725.png b/umn/source/_static/images/en-us_image_0000001378030725.png new file mode 100644 index 0000000..f0d1561 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001378030725.png differ diff --git a/umn/source/_static/images/en-us_image_0000001378108553.png b/umn/source/_static/images/en-us_image_0000001378108553.png new file mode 100644 index 0000000..71c2b2b Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001378108553.png differ diff --git a/umn/source/_static/images/en-us_image_0000001379820401.jpg b/umn/source/_static/images/en-us_image_0000001379820401.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001379820401.jpg differ 
diff --git a/umn/source/_static/images/en-us_image_0000001388712885.png b/umn/source/_static/images/en-us_image_0000001388712885.png new file mode 100644 index 0000000..52b4768 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001388712885.png differ diff --git a/umn/source/_static/images/en-us_image_0000001388786649.png b/umn/source/_static/images/en-us_image_0000001388786649.png new file mode 100644 index 0000000..309cc70 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001388786649.png differ diff --git a/umn/source/_static/images/en-us_image_0000001395650509.png b/umn/source/_static/images/en-us_image_0000001395650509.png new file mode 100644 index 0000000..20937af Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001395650509.png differ diff --git a/umn/source/_static/images/en-us_image_0000001395732753.png b/umn/source/_static/images/en-us_image_0000001395732753.png new file mode 100644 index 0000000..b72846c Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001395732753.png differ diff --git a/umn/source/_static/images/en-us_image_0000001395732757.png b/umn/source/_static/images/en-us_image_0000001395732757.png new file mode 100644 index 0000000..89ada9e Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001395732757.png differ diff --git a/umn/source/_static/images/en-us_image_0000001395852973.png b/umn/source/_static/images/en-us_image_0000001395852973.png new file mode 100644 index 0000000..016757b Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001395852973.png differ diff --git a/umn/source/_static/images/en-us_image_0000001395853109.png b/umn/source/_static/images/en-us_image_0000001395853109.png new file mode 100644 index 0000000..73d421b Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001395853109.png differ 
diff --git a/umn/source/_static/images/en-us_image_0000001395970885.png b/umn/source/_static/images/en-us_image_0000001395970885.png new file mode 100644 index 0000000..425ca70 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001395970885.png differ diff --git a/umn/source/_static/images/en-us_image_0000001395970965.png b/umn/source/_static/images/en-us_image_0000001395970965.png new file mode 100644 index 0000000..b36aa0a Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001395970965.png differ diff --git a/umn/source/_static/images/en-us_image_0000001395972785.png b/umn/source/_static/images/en-us_image_0000001395972785.png new file mode 100644 index 0000000..7ff2470 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001395972785.png differ diff --git a/umn/source/_static/images/en-us_image_0000001396154617.png b/umn/source/_static/images/en-us_image_0000001396154617.png new file mode 100644 index 0000000..60c75eb Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001396154617.png differ diff --git a/umn/source/_static/images/en-us_image_0000001427503477.png b/umn/source/_static/images/en-us_image_0000001427503477.png new file mode 100644 index 0000000..a16b512 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001427503477.png differ diff --git a/umn/source/_static/images/en-us_image_0167644254.jpg b/umn/source/_static/images/en-us_image_0167644254.jpg new file mode 100644 index 0000000..821271f Binary files /dev/null and b/umn/source/_static/images/en-us_image_0167644254.jpg differ diff --git a/umn/source/_static/images/en-us_image_0168547060.png b/umn/source/_static/images/en-us_image_0168547060.png new file mode 100644 index 0000000..9ee58a1 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0168547060.png differ 
diff --git a/umn/source/_static/images/en-us_image_0168632822.png b/umn/source/_static/images/en-us_image_0168632822.png new file mode 100644 index 0000000..0404e1d Binary files /dev/null and b/umn/source/_static/images/en-us_image_0168632822.png differ diff --git a/umn/source/_static/images/en-us_image_0169130550.png b/umn/source/_static/images/en-us_image_0169130550.png new file mode 100644 index 0000000..c956deb Binary files /dev/null and b/umn/source/_static/images/en-us_image_0169130550.png differ diff --git a/umn/source/_static/images/en-us_image_0210924450.jpg b/umn/source/_static/images/en-us_image_0210924450.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0210924450.jpg differ diff --git a/umn/source/_static/images/en-us_image_0210924454.jpg b/umn/source/_static/images/en-us_image_0210924454.jpg new file mode 100644 index 0000000..821271f Binary files /dev/null and b/umn/source/_static/images/en-us_image_0210924454.jpg differ diff --git a/umn/source/_static/images/en-us_image_0212852906.png b/umn/source/_static/images/en-us_image_0212852906.png new file mode 100644 index 0000000..6443d56 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0212852906.png differ diff --git a/umn/source/_static/images/en-us_image_0234013368.png b/umn/source/_static/images/en-us_image_0234013368.png new file mode 100644 index 0000000..19b0e9b Binary files /dev/null and b/umn/source/_static/images/en-us_image_0234013368.png differ diff --git a/umn/source/_static/images/en-us_image_0246108677.png b/umn/source/_static/images/en-us_image_0246108677.png new file mode 100644 index 0000000..f9390c0 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0246108677.png differ 
diff --git a/umn/source/_static/images/en-us_image_0246108818.png b/umn/source/_static/images/en-us_image_0246108818.png new file mode 100644 index 0000000..27e55c1 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0246108818.png differ diff --git a/umn/source/_static/images/en-us_image_0246109037.png b/umn/source/_static/images/en-us_image_0246109037.png new file mode 100644 index 0000000..a7a3b24 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0246109037.png differ diff --git a/umn/source/_static/images/en-us_image_0246112199.png b/umn/source/_static/images/en-us_image_0246112199.png new file mode 100644 index 0000000..2fdf966 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0246112199.png differ diff --git a/umn/source/_static/images/en-us_image_0268155242.png b/umn/source/_static/images/en-us_image_0268155242.png new file mode 100644 index 0000000..ea6ebc5 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0268155242.png differ diff --git a/umn/source/_static/images/en-us_image_0269115287.png b/umn/source/_static/images/en-us_image_0269115287.png new file mode 100644 index 0000000..c44d82d Binary files /dev/null and b/umn/source/_static/images/en-us_image_0269115287.png differ diff --git a/umn/source/_static/images/en-us_image_0269496734.png b/umn/source/_static/images/en-us_image_0269496734.png new file mode 100644 index 0000000..fec4196 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0269496734.png differ diff --git a/umn/source/_static/images/en-us_image_0269497434.jpg b/umn/source/_static/images/en-us_image_0269497434.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0269497434.jpg differ 
diff --git a/umn/source/_static/images/en-us_image_0274310129.png b/umn/source/_static/images/en-us_image_0274310129.png new file mode 100644 index 0000000..5da9c22 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0274310129.png differ diff --git a/umn/source/_static/images/en-us_image_0282893059.jpg b/umn/source/_static/images/en-us_image_0282893059.jpg new file mode 100644 index 0000000..821271f Binary files /dev/null and b/umn/source/_static/images/en-us_image_0282893059.jpg differ diff --git a/umn/source/_static/images/en-us_image_0283637109.png b/umn/source/_static/images/en-us_image_0283637109.png new file mode 100644 index 0000000..b32fe9f Binary files /dev/null and b/umn/source/_static/images/en-us_image_0283637109.png differ diff --git a/umn/source/_static/images/en-us_image_0301168075.png b/umn/source/_static/images/en-us_image_0301168075.png new file mode 100644 index 0000000..9f433f7 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0301168075.png differ diff --git a/umn/source/applying_for_a_dedicated_waf_instance.rst b/umn/source/applying_for_a_dedicated_waf_instance.rst new file mode 100644 index 0000000..739dc45 --- /dev/null +++ b/umn/source/applying_for_a_dedicated_waf_instance.rst 
@@ -0,0 +1,113 @@ +:original_name: waf_01_1072.html + +.. _waf_01_1072: + +Applying for a Dedicated WAF Instance +===================================== + +If your service servers are deployed on the cloud, you can buy dedicated WAF instances (or dedicated WAF engines) to protect important websites through domain names or to protect web applications with only IP addresses. + +Prerequisites +------------- + +- You have obtained management console login credentials for an account with the **WAF Administrator** and **WAF FullAccess** permissions. +- A VPC is available. +- Resource sets have been created. + +Before You Start +---------------- + +After your application for a dedicated WAF instance succeeds, its specifications cannot be modified. + +.. important:: + + It takes about 10 minutes to create a dedicated WAF instance. If the instance is in the **Running** status, the instance has been created successfully. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the upper right corner of the page, click **Apply for Dedicated Engine**. + +#. (Optional): Select an enterprise project from the **Enterprise Project** drop-down list. + + This option is only available if you are logged in using an enterprise account, or if you have enabled enterprise projects. You can use enterprise projects to more efficiently manage cloud resources and project members. + + .. note:: + + **default**: indicates the default enterprise project. Resources that are not allocated to any enterprise projects under your account are listed in the default enterprise project. + +#. Configure instance parameters by referring to :ref:`Table 1 `. :ref:`Figure 1 ` shows an example. + + .. 
_waf_01_1072__en-us_topic_0000001337142545_en-us_topic_0110861189_fig5029231715163: + + .. figure:: /_static/images/en-us_image_0000001388712885.png + :alt: **Figure 1** Configuring a dedicated WAF instance + + **Figure 1** Configuring a dedicated WAF instance + + .. _waf_01_1072__en-us_topic_0000001337142545_en-us_topic_0161005736_table4295843716304: + + .. table:: **Table 1** Parameters of a dedicated WAF instance + + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Parameter | Description | + +===================================+=========================================================================================================================================================================================================================================================+ + | WAF Mode | Dedicated Mode | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Region | Generally, a WAF instance you apply for in any region can protect web services in all regions. To make a WAF instance forward your website traffic faster, select the region nearest to your services. | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | AZ | Select an AZ in the selected region. 
| + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Instance Name Prefix | Set a prefix of the dedicated WAF instance name. If you apply for multiple instances at a time, the prefix to each instance name is the same. | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Quantity | Set the number of WAF instances you want to apply for. | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Specifications | Select specifications for your instance. WAF offers two types of specifications, 500 Mbit/s and 100 Mbit/s. | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | WAF Instance Type | Your WAF instance will be connected to your network through a VPC network interface. (If ELB is used, only dedicated load balancers can be used.) 
| + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | CPU Architecture | Select CPU architecture for your instance. | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | ECS Specifications | Select ECS specifications for your instance. | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | VPC | Select the VPC to which the origin server belongs. | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Subnet | Select a subnet configured in the VPC. | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Security Group | Select a security group in the region or click **Manage Security Group** to go to the VPC console and create a security group. After you select a security group, the WAF instance will be protected by the access rules of the security group. | + | | | + | | .. 
important:: | + | | | + | | NOTICE: | + | | | + | | - You can configure your security group as follows: | + | | | + | | - Inbound rules | + | | | + | | Add an inbound rule to allow incoming network traffic to pass through over a specified port based on your service requirements. For example, if you want to allow access from port 80, you can add a rule that allows **TCP** and port **80**. | + | | | + | | - Outbound rules | + | | | + | | The value is **Default**. All outgoing network traffic is allowed by default. | + | | | + | | - If your dedicated WAF instance and origin server are not in the same VPC, enable communications between the instance and the subnet of the origin server in the security group. | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Tag | It is recommended that you use TMS's predefined tag function to add the same tag to different cloud resources. | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +#. In the lower right corner of the page, click **Create Now**. + +#. Confirm the configuration and click **Create Now**. + +9. Click **Back to Dedicated Engine List**. On the **Dedicated Engine** page, view the instance status. + + It takes about 10 minutes to create a dedicated WAF instance. If the instance is in the **Running** status, the instance has been created. + +.. |image1| image:: /_static/images/en-us_image_0000001336983185.jpg +.. |image2| image:: /_static/images/en-us_image_0000001284383208.png 
diff --git a/umn/source/certificate_management/binding_a_certificate_to_a_protected_website.rst b/umn/source/certificate_management/binding_a_certificate_to_a_protected_website.rst new file mode 100644 index 0000000..9c2fe65 --- /dev/null +++ b/umn/source/certificate_management/binding_a_certificate_to_a_protected_website.rst 
@@ -0,0 +1,69 @@ +:original_name: waf_01_0367.html + +.. _waf_01_0367: + +Binding a Certificate to a Protected Website +============================================ + +If you configure **Client Protocol** to **HTTPS** for your website, the website needs an SSL certificate. This topic describes how to bind an SSL certificate that you have uploaded to WAF to a website. + +Prerequisites +------------- + +- Your certificate is still valid. +- Your website uses HTTPS as the client protocol. + +Constraints +----------- + +- An SSL certificate can be used for multiple protected websites. +- A protected website can use only one SSL certificate. + +Application Scenario +-------------------- + +If you configure **Client Protocol** to **HTTPS**, a certificate is required. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane, choose **Objects** > **Certificates**. + + + .. figure:: /_static/images/en-us_image_0000001285028708.png + :alt: **Figure 1** Certificate list + + **Figure 1** Certificate list + +#. In the row containing the certificate you want to use, click **Use** in the **Operation** column. + +#. In the displayed **Domain Name** dialog box, select the website you want to use the certificate to. + +#. Click **Confirm**. + +Verification +------------ + +The protected website is listed in the **Domain Name** column of the certificate. + +Other Operations +---------------- + +- To change the certificate name, move the cursor over the name of the certificate, click |image3|, and enter a certificate name. + + .. important:: + + If the certificate is in use, unbind the certificate from the domain name first. Otherwise, the certificate name cannot be changed. 
+ +- To view details about a certificate, click **View** in the **Operation** column of the certificate. +- To delete a certificate, locate the row of the certificate and click **Delete** in the **Operation** column. + +.. |image1| image:: /_static/images/en-us_image_0269497434.jpg +.. |image2| image:: /_static/images/en-us_image_0000001340305457.png +.. |image3| image:: /_static/images/en-us_image_0269115287.png diff --git a/umn/source/certificate_management/deleting_a_certificate.rst b/umn/source/certificate_management/deleting_a_certificate.rst new file mode 100644 index 0000000..e7a1ffe --- /dev/null +++ b/umn/source/certificate_management/deleting_a_certificate.rst 
@@ -0,0 +1,48 @@ +:original_name: waf_01_0263.html + +.. _waf_01_0263: + +Deleting a Certificate +====================== + +This topic describes how to delete an expired or invalid certificate. + +Prerequisites +------------- + +The certificate you want to delete is not bound to a protected website. + +Constraints +----------- + +If a certificate to be deleted is bound to a website, unbind it from the website before deletion. + +Impact on the System +-------------------- + +- Deleting certificates does not affect services. +- Deleted certificates cannot be recovered. Exercise caution when performing this operation. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane, choose **Objects** > **Certificates**. + + + .. figure:: /_static/images/en-us_image_0000001285028708.png + :alt: **Figure 1** Certificate list + + **Figure 1** Certificate list + +#. In the row containing the certificate you want to delete, click **Delete** in the **Operation** column. + +#. In the displayed dialog box, click **Confirm**. + +.. |image1| image:: /_static/images/en-us_image_0000001317947942.jpg +.. |image2| image:: /_static/images/en-us_image_0000001340305633.png diff --git a/umn/source/certificate_management/index.rst b/umn/source/certificate_management/index.rst new file mode 100644 index 0000000..031807f --- /dev/null +++ b/umn/source/certificate_management/index.rst 
@@ -0,0 +1,20 @@ +:original_name: waf_01_0261.html + +.. _waf_01_0261: + +Certificate Management +====================== + +- :ref:`Uploading a Certificate ` +- :ref:`Binding a Certificate to a Protected Website ` +- :ref:`Deleting a Certificate ` +- :ref:`Viewing Certificate Information ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + uploading_a_certificate + binding_a_certificate_to_a_protected_website + deleting_a_certificate + viewing_certificate_information diff --git a/umn/source/certificate_management/uploading_a_certificate.rst b/umn/source/certificate_management/uploading_a_certificate.rst new file mode 100644 index 0000000..b77c02c --- /dev/null +++ b/umn/source/certificate_management/uploading_a_certificate.rst 
@@ -0,0 +1,120 @@ +:original_name: waf_01_0078.html + +.. _waf_01_0078: + +Uploading a Certificate +======================= + +If you select **HTTPS** for **Client Protocol** when you add a website to WAF, a certificate must be associated with the website. + +You can upload a certificate to WAF. Then you can directly select the uploaded certificate for the protected website. + +Prerequisites +------------- + +You have obtained the certificate file and certificate private key. + +Specification Limitations +------------------------- + +You can create as many certificates in WAF as the number of domain names that can be protected by your WAF instances in the same account. For example, if WAF can protect 10 domain names, you can create 10 certificates in WAF. + +Constraints +----------- + +If you import a new certificate when adding a protected website or updating a certificate, the certificate is added to the certificate list on the **Certificates** page, and the imported certificates is counted in the number of created certificates. + +Application Scenario +-------------------- + +If you select **HTTPS** for **Client Protocol**, a certificate is required. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane, choose **Objects** > **Certificates**. + + + .. figure:: /_static/images/en-us_image_0000001285028708.png + :alt: **Figure 1** Certificate list + + **Figure 1** Certificate list + +#. Click **Upload Certificate**. + +#. In the **Upload Certificate** dialog box, enter a certificate name, and copy the certificate file and private key into the corresponding text boxes. + + + .. 
figure:: /_static/images/en-us_image_0000001338097417.png + :alt: **Figure 2** **Upload Certificate** + + **Figure 2** **Upload Certificate** + + Only .pem certificates can be used in WAF. If the certificate is not in .pem format, convert it into .pem locally by referring to :ref:`Table 1 ` before uploading it. + + .. _waf_01_0078__waf_01_0002_table1292125414516: + + .. table:: **Table 1** Certificate conversion commands + + +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------+ + | Format | Conversion Method | + +===================================+============================================================================================================================+ + | CER/CRT | Rename the **cert.crt** certificate file to **cert.pem**. | + +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------+ + | PFX | - Obtain a private key. For example, run the following command to convert **cert.pfx** into **key.pem**: | + | | | + | | **openssl pkcs12 -in cert.pfx -nocerts -out key.pem -nodes** | + | | | + | | - Obtain a certificate. For example, run the following command to convert **cert.pfx** into **cert.pem**: | + | | | + | | **openssl** **pkcs12** **-in** **cert.pfx** **-nokeys** **-out** **cert.pem** | + +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------+ + | P7B | a. Convert a certificate. For example, run the following command to convert **cert.p7b** into **cert.cer**: | + | | | + | | **openssl** **pkcs7** **-print_certs** **-in** **cert.p7b** **-out** **cert.cer** | + | | | + | | b. Rename certificate file **cert.cer** to **cert.pem**. 
| + +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------+ + | DER | - Obtain a private key. For example, run the following command to convert ****privatekey.der**** into **privatekey.pem**: | + | | | + | | **openssl** **rsa** **-inform** **DER** **-outform** **PEM** **-in** **privatekey.der** **-out** **privatekey.pem** | + | | | + | | - Obtain a certificate. For example, run the following command to convert **cert.cer** into **cert.pem**: | + | | | + | | **openssl** **x509** **-inform** **der** **-in** **cert.cer** **-out cert.pem** | + +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------+ + + .. note:: + + - Before running an OpenSSL command, ensure that the `OpenSSL `__ tool has been installed on the local host. + - If your local PC runs a Windows operating system, go to the command line interface (CLI) and then run the certificate conversion command. + +#. Click **Confirm**. + +Verification +------------ + +The certificate you created is displayed in the certificate list. + +Other Operations +---------------- + +- To change the certificate name, move the cursor over the name of the certificate, click |image3|, and enter a certificate name. + + .. important:: + + If the certificate is in use, unbind the certificate from the domain name first. Otherwise, the certificate name cannot be changed. + +- To view details about a certificate, click **View** in the **Operation** column of the certificate. +- In the row containing the certificate you want, click **Use** in the **Operation** column to use the certificate to the corresponding domain name. +- To delete a certificate, locate the row of the certificate and click **Delete** in the **Operation** column. + +.. |image1| image:: /_static/images/en-us_image_0269497434.jpg +.. 
|image2| image:: /_static/images/en-us_image_0000001340424693.png +.. |image3| image:: /_static/images/en-us_image_0269115287.png diff --git a/umn/source/certificate_management/viewing_certificate_information.rst b/umn/source/certificate_management/viewing_certificate_information.rst new file mode 100644 index 0000000..d3f0f38 --- /dev/null +++ b/umn/source/certificate_management/viewing_certificate_information.rst 
@@ -0,0 +1,65 @@ +:original_name: waf_01_0282.html + +.. _waf_01_0282: + +Viewing Certificate Information +=============================== + +This topic describes how to view certificate details, including the certificate name, domain name a certificate is used for, and expiration time. + +Prerequisites +------------- + +You have created or pushed a certificate to WAF. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane, choose **Objects** > **Certificates**. + + + .. figure:: /_static/images/en-us_image_0000001285028708.png + :alt: **Figure 1** Certificate list + + **Figure 1** Certificate list + +#. View the certificate information. :ref:`Table 1 ` describes the parameters. + + .. _waf_01_0282__table4349769438: + + .. table:: **Table 1** Parameter description + + +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Parameter | Parameter description | + +===================================+====================================================================================================================================================================================================================================================================================================================================+ + | Name | Certificate name. 
| + +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Expired | Certificate expiration time. | + | | | + | | It is recommended that you update the certificate before it expires. Otherwise, all WAF protection rules will be unable to take effect, and there can be massive impacts on the origin server, even more severe than a crashed host or website access failures. For more details, see :ref:`Updating a Certificate `. | + +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Domain Name | The domain names protected by the certificate. Each domain name must be bound to a certificate. One certificate can be used for multiple domain names. | + +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +Other Operations +---------------- + +- To change the certificate name, move the cursor over the name of the certificate, click |image3|, and enter a certificate name. + + .. important:: + + If the certificate is in use, unbind the certificate from the domain name first. Otherwise, the certificate name cannot be changed. 
+ +- To view details about a certificate, click **View** in the **Operation** column of the certificate. +- In the row containing the certificate you want, click **Use** in the **Operation** column to use the certificate to the corresponding domain name. +- To delete a certificate, locate the row of the certificate and click **Delete** in the **Operation** column. + +.. |image1| image:: /_static/images/en-us_image_0269497434.jpg +.. |image2| image:: /_static/images/en-us_image_0000001340425481.png +.. |image3| image:: /_static/images/en-us_image_0269115287.png diff --git a/umn/source/change_history.rst b/umn/source/change_history.rst new file mode 100644 index 0000000..04f25e5 --- /dev/null +++ b/umn/source/change_history.rst @@ -0,0 +1,12 @@ +:original_name: waf_01_0265.html + +.. _waf_01_0265: + +Change History +============== + +=========== ========================================= +Released On Description +=========== ========================================= +2022-10-30 This issue is the first official release. +=========== ========================================= diff --git a/umn/source/dashboard.rst b/umn/source/dashboard.rst new file mode 100644 index 0000000..892f6be --- /dev/null +++ b/umn/source/dashboard.rst 
@@ -0,0 +1,132 @@ +:original_name: waf_01_0021.html + +.. _waf_01_0021: + +Dashboard +========= + +This topic describes how to view event logs, including attack and request statistics, event distribution, top 10 attacked domain names, top 10 attack source IP addresses, and top 10 attacked URLs in a specified time range, such as yesterday, today, past 3 days, past 7 days, or past 30 days. + +Prerequisites +------------- + +- A domain name has been added and connected to WAF. +- WAF protection is enabled. +- At least one protection rule has been configured for the domain name. + +Specification Limitations +------------------------- + +On the **Dashboard** page, protection data of a maximum of 30 days can be viewed. + +.. _waf_01_0021__section1588682602717: + +How to Calculate QPS +-------------------- + +The QPS calculation method varies depending on the time range. For details, see :ref:`Table 1 `. + +.. _waf_01_0021__table397244618286: + +.. table:: **Table 1** QPS calculation + + +----------------------------+--------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+ + | Time Range | Average QPS Description | Peak QPS Description | + +============================+====================================================================================================================+=================================================================+ + | **Yesterday** or **Today** | The QPS curve is made with the average QPSs in every minute. | The QPS curve is made with each peak QPS in every minute. | + +----------------------------+--------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+ + | **Past 3 days** | The QPS curve is made with the average QPSs in every five minutes. 
| The QPS curve is made with each peak QPS in every five minutes. | + +----------------------------+--------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+ + | **Past 7 days** | The QPS curve is made with the maximum value among the average QPSs in every five minutes at a 10-minute interval. | The QPS curve is made with each peak QPS in every 10 minutes. | + +----------------------------+--------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+ + | **Past 30 days** | The QPS curve is made with the maximum value among the average QPSs in every five minutes at a one-hour interval. | The QPS curve is made with the peak QPSs in every hour. | + +----------------------------+--------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+ + +.. note:: + + Queries Per Second (QPS) indicates the number of requests per second. For example, an HTTP GET request is also called a query. The number of requests is the total number of requests in a specific time range. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the upper part of the page, specify the website, instance, and time period you want to query. + + - By default, the information about all websites you add to WAF in all enterprise projects are displayed. + - **Domain Names**: shows information about website domain names added to the WAF instance. 
Click **View** to go to the **Website Settings** page and view details about domain names of protected websites. + - Query time: You can select **Yesterday**, **Today**, **Past 3 days**, **Past 7 days**, or **Past 30 days**. + + + .. figure:: /_static/images/en-us_image_0000001337958950.png + :alt: **Figure 1** Setting search criteria + + **Figure 1** Setting search criteria + +#. View how many requests, attacks, and pages under each type of attacks. + + - **Requests**: shows the page views of the website, making it easy for you to view the total number of pages accessed by visitors in a certain period of time. + - **Attacks**: shows how many times the website are attacked. + - You can view how many pages are attacked by a certain type of attacks within a certain period of time. + + + .. figure:: /_static/images/en-us_image_0000001285684556.png + :alt: **Figure 2** Protection action statistics + + **Figure 2** Protection action statistics + +#. Query security data in the **Security Event Statistics** area. + + **By day**: You can select this option to view the data gathered by the day. If you leave this option unselected, you have the following options: + + - **Yesterday** and **Today**: Security event data is gathered every 2 minutes. + - **Past 3 days**: Security event data is gathered every 5 minutes. + - **Past 7 days**: Security event data is gathered every 10 minutes. + - **Past 30 days**: Security event data is gathered every hour. + + + .. figure:: /_static/images/en-us_image_0000001427503477.png + :alt: **Figure 3** Security Event Statistics + + **Figure 3** Security Event Statistics + + .. 
table:: **Table 2** Parameters in Security Event Statistics + + +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Parameter | Description | + +===================================+=============================================================================================================================================================================================================================================================================================================================+ + | Requests | You can view how many requests for your website as well as total attacks and attacks of each attack type. | + +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | QPS | Average number of requests per second for the domain name. For details about the values of QPS, see :ref:`How to Calculate QPS `. | + | | | + | | Queries Per Second (QPS) indicates the number of requests per second. For example, an HTTP GET request is also called a query. 
| + +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Bandwidth | Bandwidth usage | + +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Response Code | Response codes returned by WAF to the client or returned by the origin server to WAF along with the corresponding number of responses. You can click **WAF to Client** or **Origin Server to WAF** to view the corresponding information. | + | | | + | | The number of response codes is accumulated based on the sequence of response codes (from left to right) in the lower part of the chart. The number of response codes is the difference between two lines. If the value of a response code is 0, the line of the response code overlaps that of the previous response code. | + +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Event Distribution | Types of attack events | + | | | + | | Click an area in the **Event Distribution** area to view the type, number, and proportion of an attack. 
| + +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Top 10 Attacked Domain Names | The ten most attacked domain names and the number of attacks on each domain name. | + | | | + | | Click **View More** to go to the **Events** page and view more protection data. | + +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Top 10 Attack Source IP Addresses | The ten source IP addresses with the most attacks and the number of attacks from each source IP address. | + | | | + | | Click **View More** to go to the **Events** page and view more protection data. | + +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Top 10 Attacked URLs | The ten most attacked URLs and the number of attacks on each URL. | + | | | + | | Click **View More** to go to the **Events** page and view more protection data. 
| + +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image2| image:: /_static/images/en-us_image_0000001288106346.png diff --git a/umn/source/dedicated_waf_engine_management.rst b/umn/source/dedicated_waf_engine_management.rst new file mode 100644 index 0000000..88450a0 --- /dev/null +++ b/umn/source/dedicated_waf_engine_management.rst 
@@ -0,0 +1,191 @@ +:original_name: waf_01_0253.html + +.. _waf_01_0253: + +Dedicated WAF Engine Management +=============================== + +This topic describes how to manage your dedicated WAF instances (or engines), including viewing instance information, upgrading the instance edition, or deleting an instance. + +Prerequisites +------------- + +You have purchased a dedicated WAF instance. + +Viewing Information About a Dedicated WAF Instance +-------------------------------------------------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane on the left, choose **Instance Management** > **Dedicated Engine** to go to the dedicated WAF instance page. + + + .. figure:: /_static/images/en-us_image_0000001388786649.png + :alt: **Figure 1** Dedicated engine list + + **Figure 1** Dedicated engine list + +#. View information about a dedicated WAF instance. :ref:`Table 1 ` describes parameters. + + .. _waf_01_0253__table8106945160: + + .. table:: **Table 1** Parameters of a dedicated instance + + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------+ + | Parameter | Description | Example Value | + +=======================+=================================================================================================================================================================================================================+===============================+ + | Instance Name | Name automatically generated when an instance is created. 
| None | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------+ + | Protected Website | Domain name of the website protected by the instance. | www.example.com | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------+ + | VPC | VPC where the instance resides | vpc-waf | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------+ + | Subnet | Subnet where an instance resides | subnet-62bb | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------+ + | IP Addresses | IP address of the subnet in the VPC where the WAF instance is deployed. | 192.168.0.186 | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------+ + | Access Status | Connection status of the instance. 
| Accessible | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------+ + | Running Status | Status of the instance. | Running | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------+ + | Deployment | How the instance is deployed. | Standard mode (reverse proxy) | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------+ + | Specifications | Specifications of resources hosting the instance. | 8 vCPUs \| 16 GB | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------+ + | Operation | - **Cloud Eye**: View the monitoring information about the dedicated instance. For details, see :ref:`Viewing Metrics of a Dedicated WAF Instance `. | ``-`` | + | | - **Delete**: Delete the dedicated instance. For details, see :ref:`Deleting a Dedicated WAF Instance `. | | + | | - **More** > **Upgrade**: Upgrade the dedicated instance version. For details, see :ref:`Upgrading a Dedicated WAF Instance `. | | + | | - **More** > **Change Security Group**: Change the security group for the dedicated instance. For details, see :ref:`Change Security Group for a Dedicated WAF Instance `. 
| | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------+ + +.. _waf_01_0253__section14699725145814: + +Viewing Metrics of a Dedicated WAF Instance +------------------------------------------- + +When a WAF instance is in the **Running** status, you can view the monitored metrics about the instance. + +#. Log in to the management console. + +#. Click |image3| in the upper left corner of the management console and select a region or project. + +#. Click |image4| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane on the left, choose **Instance Management** > **Dedicated Engine** to go to the dedicated WAF instance page. + + + .. figure:: /_static/images/en-us_image_0000001388786649.png + :alt: **Figure 2** Dedicated engine list + + **Figure 2** Dedicated engine list + +#. In the row of the instance, click **Cloud Eye** in the **Operation** column to go to the Cloud Eye console and view the monitoring information, such as CPU, memory, and bandwidth. + +.. _waf_01_0253__section38005331521: + +Upgrading a Dedicated WAF Instance +---------------------------------- + +Only dedicated WAF instances in the **Running** status can be upgraded to the latest version. + +.. important:: + + - It takes about 20 minutes for upgrading an instance. During the upgrade, the instance is not available and cannot protect your domain names connected to it. To prevent service interruptions, use either of the following solutions: + + - **Solution 1**: Deploy multiple dedicated WAF instances for your domain name, add them to a backend server group of your load balancer, and enable the health check policy for the load balancer. 
In this way, if one dedicated WAF instance is not available, WAF automatically distributes the traffic to other healthy instances. There is almost no impact on your services except that website requests might be intermittently interrupted for few seconds. + - **Solution 2**: If you deploy only one dedicated WAF instance, configure a load balancer before you start to let website traffic bypass WAF during the upgrade. After the upgrade is complete, configure the load balancer to distribute traffic to WAF. + + - If you are using the latest version of WAF, the **Upgrade** button is grayed out. + +#. Log in to the management console. + +#. Click |image5| in the upper left corner of the management console and select a region or project. + +#. Click |image6| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane on the left, choose **Instance Management** > **Dedicated Engine** to go to the dedicated WAF instance page. + + + .. figure:: /_static/images/en-us_image_0000001388786649.png + :alt: **Figure 3** Dedicated engine list + + **Figure 3** Dedicated engine list + +#. In the row containing the instance you want to upgrade, click **More** > **Upgrade** in the **Operation** column. + +#. Confirm the upgrade conditions and click **Confirm**. + +.. _waf_01_0253__section17581742182617: + +Change Security Group for a Dedicated WAF Instance +-------------------------------------------------- + +If you select **Network Interface** for **Instance Type**, you can change the security group to which your dedicated instance belongs. After you select a security group, the WAF instance will be protected by the access rules of the security group. + +#. Log in to the management console. + +#. Click |image7| in the upper left corner of the management console and select a region or project. + +#. Click |image8| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. 
In the navigation pane on the left, choose **Instance Management** > **Dedicated Engine** to go to the dedicated WAF instance page. + + + .. figure:: /_static/images/en-us_image_0000001388786649.png + :alt: **Figure 4** Dedicated engine list + + **Figure 4** Dedicated engine list + +#. In the row containing the instance, choose **More** > **Change Security Group** in the **Operation** column. + +#. In the dialog box displayed, select the new security group and click **Confirm**. + +.. _waf_01_0253__section773017566122: + +Deleting a Dedicated WAF Instance +--------------------------------- + +You can delete a dedicated WAF instance at any time. A deleted dedicated WAF instance will no longer protect the website added to it. + +.. important:: + + Resources on deleted instance are released and cannot be restored. Exercise caution when performing this operation. + +#. Log in to the management console. + +#. Click |image9| in the upper left corner of the management console and select a region or project. + +#. Click |image10| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane on the left, choose **Instance Management** > **Dedicated Engine** to go to the dedicated WAF instance page. + + + .. figure:: /_static/images/en-us_image_0000001388786649.png + :alt: **Figure 5** Dedicated engine list + + **Figure 5** Dedicated engine list + +#. In the row of the instance, click **Delete** in the **Operation** column. + +#. Click **Confirm**. + + + .. figure:: /_static/images/en-us_image_0000001286058500.png + :alt: **Figure 6** Deleting an instance + + **Figure 6** Deleting an instance + +.. |image1| image:: /_static/images/en-us_image_0000001082065421.jpg +.. |image2| image:: /_static/images/en-us_image_0000001287946362.png +.. |image3| image:: /_static/images/en-us_image_0000001082065421.jpg +.. |image4| image:: /_static/images/en-us_image_0000001340308129.png +.. 
|image5| image:: /_static/images/en-us_image_0000001081906323.jpg +.. |image6| image:: /_static/images/en-us_image_0000001340427973.png +.. |image7| image:: /_static/images/en-us_image_0000001240865319.jpg +.. |image8| image:: /_static/images/en-us_image_0000001340667861.png +.. |image9| image:: /_static/images/en-us_image_0000001081671555.jpg +.. |image10| image:: /_static/images/en-us_image_0000001288427746.png diff --git a/umn/source/enabling_waf_protection/connecting_a_website_to_waf/index.rst b/umn/source/enabling_waf_protection/connecting_a_website_to_waf/index.rst new file mode 100644 index 0000000..4c4d376 --- /dev/null +++ b/umn/source/enabling_waf_protection/connecting_a_website_to_waf/index.rst @@ -0,0 +1,18 @@ +:original_name: waf_01_0249.html + +.. _waf_01_0249: + +Connecting a Website to WAF +=========================== + +- :ref:`Step 1: Add a Website to WAF ` +- :ref:`Step 2: Configure a Load Balancer ` +- :ref:`Step 3: Bind an EIP to a Load Balancer ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + step_1_add_a_website_to_waf + step_2_configure_a_load_balancer + step_3_bind_an_eip_to_a_load_balancer diff --git a/umn/source/enabling_waf_protection/connecting_a_website_to_waf/step_1_add_a_website_to_waf.rst b/umn/source/enabling_waf_protection/connecting_a_website_to_waf/step_1_add_a_website_to_waf.rst new file mode 100644 index 0000000..83aab9d --- /dev/null +++ b/umn/source/enabling_waf_protection/connecting_a_website_to_waf/step_1_add_a_website_to_waf.rst 
@@ -0,0 +1,185 @@ +:original_name: waf_01_0250.html + +.. _waf_01_0250: + +Step 1: Add a Website to WAF +============================ + +If your service servers are deployed on the cloud, you can add the domain name or IP address of the website to WAF so that the website traffic is forwarded to WAF for inspection. + +Prerequisites +------------- + +You have purchased a dedicated WAF instance. + +Constraints +----------- + +- An Internet-facing load balancer has been deployed on the website you want to protect with dedicated WAF instances. +- If your website has no layer-7 proxy server such as CDN and cloud acceleration service deployed in front of WAF and uses only layer-4 load balancers (or NAT), set **Proxy Configured** to **No**. Otherwise, **Proxy Configured** must be set to **Yes**. This ensures that WAF obtains real IP addresses of website visitors and takes protective actions configured in protection policies. + +Procedure +--------- + +#. Log in to the management console. +#. Click |image1| in the upper left corner of the management console and select a region or project. +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +4. In the navigation pane, choose **Website Settings**. + +5. In the upper left corner of the website list, click **Add Website**. + +6. Configure basic information of the domain name. :ref:`Figure 1 ` shows an example. :ref:`Table 1 ` lists parameters. + + .. _waf_01_0250__fig175731754141418: + + .. figure:: /_static/images/en-us_image_0000001337887457.png + :alt: **Figure 1** Configuring basic settings of a website + + **Figure 1** Configuring basic settings of a website + + .. _waf_01_0250__table056413271366: + + .. 
table:: **Table 1** Parameter description + + +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------+ + | Parameter | Description | Example Value | + +=======================+========================================================================================================================================================================================================================================================================================================================================+==========================================+ + | Website Name | Website name you specify. | WAF-DT | + +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------+ + | Protected Object | A domain name or IP address of the website to be protected. The domain name can be a single domain name or a wildcard domain name. | Single domain name: **www.example.com** | + | | | | + | | - Single domain name: Enter a single domain name. For example, www.example.com. | Wildcard domain name: **\*.example.com** | + | | - Wildcard domain name | | + | | | IP address format: *XXX.XXX.1.1* | + | | .. note:: | | + | | | | + | | Wildcard domain names cannot contain underscores (_). | | + | | | | + | | - If the server IP address of each subdomain name is the same, enter a wildcard domain name to be protected. 
For example, if the subdomain names **a.example.com**, **b.example.com**, and **c.example.com** have the same server IP address, you can add the wildcard domain name **\*.example.com** to WAF to protect all three. | | + | | - If the server IP addresses of subdomain names are different, add subdomain names as single domain names one by one. | | + +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------+ + | Website Remarks | Brief description of the website | test | + +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------+ + | Protected Port | Select the port that needs to be protected from the drop-down list box. | Standard ports | + | | | | + | | To protect port 80 or 443, select **Standard port** from the drop-down list. | | + +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------+ + | Server Configuration | Address of the web server. The configuration contains the **Client Protocol**, **Server protocol**, VPC, **Server Address,** and **Server Port**. 
| **Client Protocol**: **HTTP** | + | | | | + | | - **Client Protocol**: Protocol used for forwarding a client requests to the dedicated WAF instance. The options are **HTTP** and **HTTPS**. | **Server Protocol**: **HTTP** | + | | - **Server Protocol**: Protocol used for forwarding a client request to the origin server through the dedicated WAF instance. The options are **HTTP** and **HTTPS**. | | + | | | **VPC**: vpc-default | + | | .. note:: | | + | | | **Server Address**: *192.168.1.1* | + | | WAF can check WebSocket and WebSockets requests, which is enabled by default. | | + | | | **Server Port**: **80** | + | | - **VPC**: Select the VPC to which the dedicated WAF instance belongs. | | + | | - **Server Address**: Private IP address or domain name of the website server that a client (for example, a browser) accesses. | | + | | - **Server Port**: service port of the server to which the dedicated WAF instance forwards client requests. | | + +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------+ + | Certificate Name | If you set **Client Protocol** to **HTTPS**, an SSL certificate is required. You can select an existing certificate or import an external certificate. For details about how to import a certificate, see :ref:`Importing a New Certificate `. | ``-`` | + | | | | + | | For details about how to create a certificate, see :ref:`Uploading a Certificate `. | | + | | | | + | | .. important:: | | + | | | | + | | NOTICE: | | + | | | | + | | - Only .pem certificates can be used in WAF. 
If the certificate is not in .pem, convert it into a .pem certificate by referring to :ref:`Importing a New Certificate ` before uploading the certificate. | | + | | - Each domain name must have a certificate associated. A wildcard domain name can only use a wildcard domain certificate. If you only have single-domain certificates, you need to add domain names one by one in WAF. | | + +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------+ + +7. Configure **Proxy**. + + If your website has no layer-7 proxy server such as CDN and cloud acceleration service deployed in front of WAF and uses only layer-4 load balancers (or NAT), set **Proxy Configured** to **No**. Otherwise, **Proxy Configured** must be set to **Yes**. This ensures that WAF obtains real IP addresses of website visitors and takes protective actions configured in protection policies. + +8. Select a policy. By default, **system-generated policy** is selected. + + You can select a policy you configured. You can also customize rules after the domain name is connected to WAF. + + System-generated policies: + + - Basic web protection (**Log only** mode and common checks) + + The basic web protection defends against attacks such as SQL injections, XSS, remote overflow vulnerabilities, file inclusions, Bash vulnerabilities, remote command execution, directory traversal, sensitive file access, and command/code injections. + + - Anti-crawler (**Log only** mode and **Scanner** feature) + + WAF only logs web scanning tasks, such as vulnerability scanning and virus scanning, such as crawling behavior of OpenVAS and Nmap. + + .. 
note:: + + **Log only**: WAF only logs detected attack events instead of blocking them. + +9. Click **Confirm**. + + To enable WAF protection, there are still several steps, including configuring a load balancer, binding an EIP to the load balancer, and whitelisting WAF IP addresses. You can click **Later** in this step. Then, follow the instructions and finish those steps by referring to :ref:`Step 2: Configure a Load Balancer ` and :ref:`Step 3: Bind an EIP to a Load Balancer `. + +Verification +------------ + +The initial **Access Status** of a website is **Inaccessible**. After you configure a load balancer and bind an EIP to the load balancer for your website, when a request reaches the WAF dedicated instance, the access status automatically changes to **Accessible**. + +.. _waf_01_0250__section36817893018: + +Importing a New Certificate +--------------------------- + +If you set **Client Protocol** to **HTTPS**, an SSL certificate is required. You can perform the following steps to import a new certificate. + +#. Click **Import New Certificate**. In the displayed dialog box, enter a certificate name and copy the certificate file and private key to the corresponding text boxes. + + + .. figure:: /_static/images/en-us_image_0000001285728898.png + :alt: **Figure 2** Import New Certificate + + **Figure 2** Import New Certificate + + .. note:: + + WAF encrypts and saves the private key to keep it safe. + + Only .pem certificates can be used in WAF. If the certificate is not in .pem format, convert it into .pem locally by referring to :ref:`Table 2 ` before uploading it. + + .. _waf_01_0250__waf_01_0002_table1292125414516: + + .. 
table:: **Table 2** Certificate conversion commands + + +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------+ + | Format | Conversion Method | + +===================================+============================================================================================================================+ + | CER/CRT | Rename the **cert.crt** certificate file to **cert.pem**. | + +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------+ + | PFX | - Obtain a private key. For example, run the following command to convert **cert.pfx** into **key.pem**: | + | | | + | | **openssl pkcs12 -in cert.pfx -nocerts -out key.pem -nodes** | + | | | + | | - Obtain a certificate. For example, run the following command to convert **cert.pfx** into **cert.pem**: | + | | | + | | **openssl** **pkcs12** **-in** **cert.pfx** **-nokeys** **-out** **cert.pem** | + +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------+ + | P7B | a. Convert a certificate. For example, run the following command to convert **cert.p7b** into **cert.cer**: | + | | | + | | **openssl** **pkcs7** **-print_certs** **-in** **cert.p7b** **-out** **cert.cer** | + | | | + | | b. Rename certificate file **cert.cer** to **cert.pem**. | + +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------+ + | DER | - Obtain a private key. For example, run the following command to convert ****privatekey.der**** into **privatekey.pem**: | + | | | + | | **openssl** **rsa** **-inform** **DER** **-outform** **PEM** **-in** **privatekey.der** **-out** **privatekey.pem** | + | | | + | | - Obtain a certificate. 
For example, run the following command to convert **cert.cer** into **cert.pem**: | + | | | + | | **openssl** **x509** **-inform** **der** **-in** **cert.cer** **-out cert.pem** | + +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------+ + + .. note:: + + - Before running an OpenSSL command, ensure that the `OpenSSL `__ tool has been installed on the local host. + - If your local PC runs a Windows operating system, go to the command line interface (CLI) and then run the certificate conversion command. + +#. Click **OK**. + +.. |image1| image:: /_static/images/en-us_image_0000001260399509.jpg +.. |image2| image:: /_static/images/en-us_image_0000001288099090.png diff --git a/umn/source/enabling_waf_protection/connecting_a_website_to_waf/step_2_configure_a_load_balancer.rst b/umn/source/enabling_waf_protection/connecting_a_website_to_waf/step_2_configure_a_load_balancer.rst new file mode 100644 index 0000000..1774897 --- /dev/null +++ b/umn/source/enabling_waf_protection/connecting_a_website_to_waf/step_2_configure_a_load_balancer.rst 
@@ -0,0 +1,109 @@ +:original_name: waf_01_0251.html + +.. _waf_01_0251: + +Step 2: Configure a Load Balancer +================================= + +To ensure your dedicated WAF instance reliability, after you add a website to it, use Elastic Load Balance (ELB) to configure a load balancer and a health check for the dedicated WAF instance. + +Prerequisites +------------- + +- You have added a website to a dedicated WAF instance. + +- You have created a load balancer. + +- Related ports have been enabled in the security group to which the dedicated WAF instance belongs. + + You can configure your security group as follows: + + - Inbound rules + + Add an inbound rule to allow incoming network traffic to pass through over a specified port based on your service requirements. For example, if you want to allow access from port 80, add a rule that allows **TCP** and port **80**. + + - Outbound rules + + Retain the default settings. All outgoing network traffic is allowed by default. + +Constraints +----------- + +The listening port of the dedicated WAF instance must be the same as that configured in :ref:`Step 1: Add a Website to WAF `. + +Impact on the System +-------------------- + +If you select **Weighted round robin** for **Load Balancing Algorithm**, disable **Sticky Session**. If you enable **Sticky Session**, the same requests will be forwarded to the same dedicated WAF instance. If this instance becomes faulty, an error will occur when the requests come to it next time. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner of the page and choose **Elastic Load Balance** under **Network** to go to the ELB console. + +#. Click the name of your load balancer in the **Name** column to go to the **Basic Information** page. + +#. 
Click the **Listeners** tab, click **Add Listener**, and configure the listener information. :ref:`Figure 1 ` shows an example. + + .. _waf_01_0251__fig1213093341614: + + .. figure:: /_static/images/en-us_image_0000001284948512.png + :alt: **Figure 1** Configuring a listener + + **Figure 1** Configuring a listener + +#. Click **Next** and configure the backend server group and health check. :ref:`Figure 2 ` and :ref:`Figure 3 ` show examples. + + .. _waf_01_0251__fig1471975962718: + + .. figure:: /_static/images/en-us_image_0000001337470357.png + :alt: **Figure 2** Configuring a Backend Host Group + + **Figure 2** Configuring a Backend Host Group + + .. important:: + + If you select **Round robin** for **Load Balancing Algorithm**, disable **Sticky Session**. If you enable **Sticky Session**, the same requests will be forwarded to the same dedicated WAF instance. If this instance becomes faulty, an error will occur when the requests come to it next time. + + .. _waf_01_0251__fig1623212054117: + + .. figure:: /_static/images/en-us_image_0000001284790620.png + :alt: **Figure 3** Health Check Settings + + **Figure 3** Health Check Settings + +#. Click **Next: Confirm**. + +#. Click **Finish** and then **OK**. + +#. Go to the page of the added listener, select the **Backend Server Groups** tab, and click **Add**. + +#. In the **Add Backend Server** dialog box, select the dedicated WAF instance you have created. + + + .. figure:: /_static/images/en-us_image_0000001337244713.png + :alt: **Figure 4** Selecting the created dedicated WAF instance + + **Figure 4** Selecting the created dedicated WAF instance + +#. Click **Next** and configure a port for the dedicated engine. :ref:`Figure 5 ` shows an example. + + .. important:: + + The listening port of the dedicated WAF instance must be the same as that configured in :ref:`Step 1: Add a Website to WAF `. 
If you configure a standard port for the website, set the HTTP listening port to **80** and HTTPS listening port to **443**. + + .. _waf_01_0251__fig207213128248: + + .. figure:: /_static/images/en-us_image_0000001337404641.png + :alt: **Figure 5** Configuring a port for the dedicated WAF instance + + **Figure 5** Configuring a port for the dedicated WAF instance + +#. Click **Finish**. + +.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image2| image:: /_static/images/en-us_image_0212852906.png diff --git a/umn/source/enabling_waf_protection/connecting_a_website_to_waf/step_3_bind_an_eip_to_a_load_balancer.rst b/umn/source/enabling_waf_protection/connecting_a_website_to_waf/step_3_bind_an_eip_to_a_load_balancer.rst new file mode 100644 index 0000000..dc47300 --- /dev/null +++ b/umn/source/enabling_waf_protection/connecting_a_website_to_waf/step_3_bind_an_eip_to_a_load_balancer.rst 
@@ -0,0 +1,42 @@ +:original_name: waf_01_0252.html + +.. _waf_01_0252: + +Step 3: Bind an EIP to a Load Balancer +====================================== + +After you configure a load balancer for your dedicated WAF instance, you need to unbind the EIP from the origin server and then bind this EIP to the load balancer you configured. For details, see :ref:`Configuring a Load Balancer `. The request traffic then goes to the dedicated WAF instance for attack detection first and then go to the origin server, ensuring the security, stability, and availability of the origin server. + +Prerequisites +------------- + +You have configured a load balancer for a dedicated WAF instance. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner of the page and choose **Elastic Load Balance** under **Network** to go to the ELB console. + +#. .. _waf_01_0252__li11870192512125: + + On the **Elastic Load Balancers** page, locate the row that contains the load balancer configured for the origin server, click **More** in the **Operation** column, and select **Unbind IPv4 EIP**. :ref:`Figure 1 ` shows an example. + + .. _waf_01_0252__fig116641742207: + + .. figure:: /_static/images/en-us_image_0000001344294497.png + :alt: **Figure 1** Unbinding an EIP + + **Figure 1** Unbinding an EIP + +#. In the displayed dialog box, click **Yes**. + +#. On the **Load Balancers** page, locate the row that contains the load balancer configured for the dedicated WAF instance, click **More** in the **Operation** column, and select **Bind EIP**. + +#. In the **Bind EIP** dialog box, select the EIP unbound in :ref:`Step 4 ` and click **OK**. + +.. |image1| image:: /_static/images/en-us_image_0000001379820401.jpg +.. |image2| image:: /_static/images/en-us_image_0212852906.png 
diff --git a/umn/source/enabling_waf_protection/index.rst b/umn/source/enabling_waf_protection/index.rst new file mode 100644 index 0000000..623487f --- /dev/null +++ b/umn/source/enabling_waf_protection/index.rst @@ -0,0 +1,14 @@ +:original_name: waf_01_0070.html + +.. _waf_01_0070: + +Enabling WAF Protection +======================= + +- :ref:`Connecting a Website to WAF ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + connecting_a_website_to_waf/index diff --git a/umn/source/event_management/downloading_events_data.rst b/umn/source/event_management/downloading_events_data.rst new file mode 100644 index 0000000..bf22f96 --- /dev/null +++ b/umn/source/event_management/downloading_events_data.rst 
@@ -0,0 +1,91 @@ +:original_name: waf_01_0077.html + +.. _waf_01_0077: + +Downloading Events Data +======================= + +This topic describes how to download events (logged and blocked events) data for the last five days. One or more CSV files containing the event data of the current day will be generated at the beginning of the next day. + +Prerequisites +------------- + +- The website to be protected has been added to WAF. +- An event file has been generated. + +Specification Limitations +------------------------- + +- Each file can include a maximum of 5,000 events. If there are more than 5,000 events, another file is generated. +- Only event data for the last five days can be downloaded through the WAF console. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane on the left, choose **Events**. + +#. Click the **Download Events** tab and download the desired protection data. :ref:`Table 1 ` describes the parameters. + + .. _waf_01_0077__table117074311366: + + .. table:: **Table 1** Parameter description + + +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------+ + | Parameter | Description | + +===================================+=======================================================================================================================+ + | File Name | The format is *file-name*.\ **csv**. | + +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------+ + | Number of Events | Total number of blocked and logged events | + | | | + | | .. 
note:: | + | | | + | | The maximum number of events in a file is 10,000. If there are more than 10,000 events, another file is generated. | + +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------+ + +#. In the **Operation** column, click **Download** to download data to the local PC. + +Fields in a Protection Event Data File +-------------------------------------- + ++------------------+---------------------------------------------------------------------------------------------------------------+----------------------------------+ +| Field | Description | Example Value | ++==================+===============================================================================================================+==================================+ +| action | Protective action taken in response to the event | block | ++------------------+---------------------------------------------------------------------------------------------------------------+----------------------------------+ +| attack | Attack type | SQL Injection | ++------------------+---------------------------------------------------------------------------------------------------------------+----------------------------------+ +| body | Request content of the attack | N/A | ++------------------+---------------------------------------------------------------------------------------------------------------+----------------------------------+ +| cookie | Cookie of the attacker | N/A | ++------------------+---------------------------------------------------------------------------------------------------------------+----------------------------------+ +| headers | Header of the attacker | N/A | ++------------------+---------------------------------------------------------------------------------------------------------------+----------------------------------+ +| host | Domain name or IP address of the protected 
website | www.example.com | ++------------------+---------------------------------------------------------------------------------------------------------------+----------------------------------+ +| id | ID of the event. | 02-11-16-20201121060347-feb42002 | ++------------------+---------------------------------------------------------------------------------------------------------------+----------------------------------+ +| payload | The part of the attack that causes damage to the protected website | python-requests/2.20.1 | ++------------------+---------------------------------------------------------------------------------------------------------------+----------------------------------+ +| payload_location | The location of the attack that causes damage or the number of times that the URL is accessed by the attacker | user-agent | ++------------------+---------------------------------------------------------------------------------------------------------------+----------------------------------+ +| policyid | Policy ID. | d5580c8f6cd4403ebbf85892d4bbb8e4 | ++------------------+---------------------------------------------------------------------------------------------------------------+----------------------------------+ +| request_line | Request line of the attack | GET / | ++------------------+---------------------------------------------------------------------------------------------------------------+----------------------------------+ +| rule | ID of the rule against which the event is generated. | 81066 | ++------------------+---------------------------------------------------------------------------------------------------------------+----------------------------------+ +| sip | Public IP address of the web visitor/attacker | N/A | ++------------------+---------------------------------------------------------------------------------------------------------------+----------------------------------+ +| time | When the event occurred. 
| 2020/11/21 0:20:44 | ++------------------+---------------------------------------------------------------------------------------------------------------+----------------------------------+ +| url | URL of the protected domain name | N/A | ++------------------+---------------------------------------------------------------------------------------------------------------+----------------------------------+ + +.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image2| image:: /_static/images/en-us_image_0000001340666645.png diff --git a/umn/source/event_management/handling_false_alarms.rst b/umn/source/event_management/handling_false_alarms.rst new file mode 100644 index 0000000..81dd4f4 --- /dev/null +++ b/umn/source/event_management/handling_false_alarms.rst 
@@ -0,0 +1,195 @@ +:original_name: waf_01_0024.html + +.. _waf_01_0024: + +Handling False Alarms +===================== + +If you confirm that an attack event on the **Events** page is a false alarm, you can handle the event as false alarm by ignoring the URL and rule ID in basic web protection, or by deleting or disabling the corresponding protection rule you configured. After an attack event is handled as a false alarm, the event will not be displayed on the **Events** page anymore. You will no longer receive any alarm notifications about the event. + +WAF detects attacks by using built-in basic web protection rules, built-in features in anti-crawler protection, and custom rules you configured (such as CC attack protection, precise access protection, blacklist, whitelist, and geolocation access control rules). WAF will respond to detected attacks based on the protective actions (such as **Block** and **Log only**) defined in the rules and display attack events on the **Events** page. + +Prerequisites +------------- + +There is at least one false alarm event in the event list. + +Constraints +----------- + +- Only attack events blocked or recorded by preconfigured basic web protection rules and features in anti-crawler protection can be handled as false alarms. +- For events generated based on custom rules (such as a CC attack protection rule, precise protection rule, blacklist rule, whitelist rule, or geolocation access control rule), they cannot be handled as false alarms. To ignore such an event, delete or disable the custom rule hit by the event. +- An attack event can only be handled as a false alarm once. + +Impact on the System +-------------------- + +The attack event will not be displayed on the **Events** page. You will no longer receive any alarm notifications about the event. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. 
Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane on the left, choose **Events**. + +#. Select the **Search** tab. Select a website from the **All protected websites** drop-down list. Then, select **Yesterday**, **Today**, **Past 3 days**, **Past 7 days**, **Past 30 days**, or a custom time range. :ref:`Figure 1 ` shows an example. :ref:`Table 1 ` and :ref:`Table 2 ` describe parameters. + + .. _waf_01_0024__fig194311743164914: + + .. figure:: /_static/images/en-us_image_0000001395650509.png + :alt: **Figure 1** Viewing protection events + + **Figure 1** Viewing protection events + + .. _waf_01_0024__table146358613417: + + .. table:: **Table 1** Event parameters + + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Parameter | Description | + +===================================+===================================================================================================================================================================================================+ + | Event Type | Type of attack. | + | | | + | | By default, **All** is selected. You can view logs of all attack types or select an attack type to view corresponding attack logs. | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Protective Action | The options are **Block**, **Log only**, and **Verification code**. 
| + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Source IP Address | Public IP address of the web visitor/attacker | + | | | + | | By default, **All** is selected. You can view logs of all attack source IP addresses, select an attack source IP address, or enter an attack source IP address to view corresponding attack logs. | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | URL | Attacked URL | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Event ID | ID of the event | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + + .. _waf_01_0024__table135241210519: + + .. 
table:: **Table 2** Parameters in the event list + + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +=======================+===========================================================================================================================================================================+=======================+ + | Time | When the attack occurred | 2021/02/04 13:20:04 | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Source IP Address | Public IP address of the web visitor/attacker | None | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Geolocation | Location where the IP address of the attack originates from | ``-`` | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Domain Name | Attacked domain name | www.example.com | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | URL | Attacked URL | /admin | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Malicious 
Load | The location or part of the attack that causes damage or the number of times that the URL was accessed. | id=1 and 1='1 | + | | | | + | | .. note:: | | + | | | | + | | - In a CC attack, the malicious load indicates the number of times that the URL was accessed. | | + | | - For blacklist protection events, the malicious load is left blank. | | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Event Type | Type of attack | SQL injection | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Protective Action | Protective actions configured in the rule. The options are **Block**, **Log only**, and **Verification code**. | Block | + | | | | + | | .. note:: | | + | | | | + | | If an access request matches a web tamper protection rule, information leakage prevention rule, or data masking rule, the protective action is marked as **Mismatch**. | | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Status Code | HTTP status code returned on the block page. | 418 | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + + .. note:: + + To view event details, click **Details** in the **Operation** column of the event list. + +#. After you confirm that an event is a false alarm, click **Handle False Alarm** in the **Operation** column of the row and add a false alarm masking rule. 
:ref:`Figure 2 ` shows an example. :ref:`Table 3 ` describes parameters. + + .. _waf_01_0024__fig16174064111318: + + .. figure:: /_static/images/en-us_image_0000001327191500.png + :alt: **Figure 2** Handling a false alarm + + **Figure 2** Handling a false alarm + + .. _waf_01_0024__table1623195815237: + + .. table:: **Table 3** Parameters + + +-------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ + | Parameter | Description | Example Value | + +=========================+===========================================================================================================================================================================================================================================================================================================================================================================+============================================+ + | Scope | - **All domain names**: By default, this rule will be used to all domain names that are protected by the current policy. | Specified domain names | + | | - **Specified domain names**: This rule will be used to the specified domain names that match the wildcard domain name being protected by the current policy. 
| | + +-------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ + | Domain Name | This parameter is mandatory when you select **Specified domain names** for **Scope**. | www.example.com | + | | | | + | | Enter a single domain name that matches the wildcard domain name being protected by the current policy. | | + +-------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ + | Condition List | Click **Add** to add conditions. At least one condition needs to be added. You can add up to 30 conditions to a protection rule. If more than one condition is added, all of the conditions must be met for the rule to be applied. A condition includes the following parameters: | Path, Include, /product | + | | | | + | | Parameters for configuring a condition are described as follows: | | + | | | | + | | - Field | | + | | - **Subfield**: Configure this field only when **Params**, **Cookie**, or **Header** is selected for **Field**. | | + | | | | + | | .. important:: | | + | | | | + | | NOTICE: | | + | | The length of a subfield cannot exceed 2,048 bytes. Only digits, letters, underscores (_), and hyphens (-) are allowed. | | + | | | | + | | - **Logic**: Select a logical relationship from the drop-down list. 
| | + | | - **Content**: Enter or select the content that matches the condition. | | + +-------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ + | Ignore WAF Protection | - **All protection**: All WAF rules do not take effect, and WAF allows all request traffic to the domain names in the rule. | Basic Web Protection | + | | - **Basic Web Protection**: You can ignore basic web protection by rule ID, attack type, or all built-in rules. For example, if XSS check is not required for a URL, you can whitelist XSS rule. | | + +-------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ + | Ignored Protection Type | If you select **Basic web protection** for **Ignored Protection Type**, specify the following parameters: | Attack type | + | | | | + | | - **ID**: Configure the rule by event ID. | | + | | - **Attack type**: Configure the rule by attack type, such as XSS and SQL injection. One type contains one or more rule IDs. | | + | | - **All built-in rules**: all checks enabled in :ref:`Basic Web Protection `. 
| | + +-------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ + | ID | This parameter is mandatory when you select **ID** for **Ignored Protection Type**. | 041046 | + | | | | + | | ID of an attack event on the **Events** page. If the event type is **Custom**, it has no event ID. Click **Handle False Alarm** in the row containing the attack event to obtain the ID. You are advised to configure global protection whitelist (formerly false alarm masking) rules on the **Events** page by referring to :ref:`Handling False Alarms `. | | + +-------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ + | Attack type | This parameter is mandatory when you select **Attack type** for **Ignored Protection Type**. | SQL injection | + | | | | + | | Select an attack type from the drop-down list box. | | + | | | | + | | WAF can defend against XSS attacks, web shells, SQL injection attacks, malicious crawlers, remote file inclusions, local file inclusions, command injection attacks, and other attacks. 
| | + +-------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ + | Rule Description | A brief description of the rule. This parameter is optional. | SQL injection attacks are not intercepted. | + +-------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ + | Advanced Settings | To ignore attacks of a specific field, specify the field in the **Advanced Settings** area. After you add the rule, WAF will stop blocking attack events of the specified field. | Params | + | | | | + | | Select a target field from the first drop-down list box on the left. The following fields are supported: **Params**, **Cookie**, **Header**, **Body**, and **Multipart**. | All | + | | | | + | | - If you select **Params**, **Cookie**, or **Header**, you can select **All** or **Specified field** to configure a subfield. | | + | | - If you select **Body** or **Multipart**, you can select **All**. | | + | | - If you select **Cookie**, the **Domain Name** and **Path** can be empty. | | + | | | | + | | .. note:: | | + | | | | + | | If **All** is selected, WAF will not block all attack events of the selected field. 
| | + +-------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ + +#. Click **OK**. + +Verification +------------ + +A false alarm will be deleted within about a minute after the handling configuration is done. It will no longer be displayed in the attack event details list. You can refresh the browser cache and request the page for which the false alarm masking rule is configured to check whether the configuration takes effect. + +Other Operations +---------------- + +If an event is handled as a false alarm, the rule hit will be added to the global protection whitelist (formerly false alarm masking) rule list. You can go to the **Policies** page and then switch to the Global Protection Whitelist (Formerly False Alarm Masking) page to manage the rule, including querying, disabling, deleting, and modifying the rule. For details, see :ref:`Configuring a Global Protection Whitelist (Formerly False Alarm Masking) Rule `. + +.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image2| image:: /_static/images/en-us_image_0000001288106950.png diff --git a/umn/source/event_management/index.rst b/umn/source/event_management/index.rst new file mode 100644 index 0000000..033bb2e --- /dev/null +++ b/umn/source/event_management/index.rst @@ -0,0 +1,18 @@ +:original_name: waf_01_0018.html + +.. _waf_01_0018: + +Event Management +================ + +- :ref:`Viewing Protection Event Logs ` +- :ref:`Handling False Alarms ` +- :ref:`Downloading Events Data ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + viewing_protection_event_logs + handling_false_alarms + downloading_events_data 
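Review bot: In Table 3 of handling_false_alarms.rst, the **Ignored Protection Type** row is conditioned on the wrong parameter. It reads "If you select **Basic web protection** for **Ignored Protection Type**", but the **All protection** / **Basic Web Protection** choice belongs to the **Ignore WAF Protection** row directly above it, and the capitalisation of the option differs between the two rows. Suggest "If you select **Basic Web Protection** for **Ignore WAF Protection**, specify the following parameters:". In the same table, the **Condition List** cell has two consecutive lead-ins ("A condition includes the following parameters:" and "Parameters for configuring a condition are described as follows:") and a bare "- Field" bullet with no description; keep one lead-in and say what **Field** selects. Because **All protection** is described as allowing all request traffic to the domain names in the rule, that row should also point out that the condition list is what bounds the exemption.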
diff --git a/umn/source/event_management/viewing_protection_event_logs.rst b/umn/source/event_management/viewing_protection_event_logs.rst new file mode 100644 index 0000000..4964814 --- /dev/null +++ b/umn/source/event_management/viewing_protection_event_logs.rst 
@@ -0,0 +1,94 @@ +:original_name: waf_01_0156.html + +.. _waf_01_0156: + +Viewing Protection Event Logs +============================= + +On the **Events** page, you can view events generated for blocked attacks and logged only attacks. You can view details of WAF events, including the time an event occurs, origin server IP address, geographic location of the origin server IP address, malicious load, and hit rule. + +Prerequisites +------------- + +The website to be protected has been connected to WAF. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane on the left, choose **Events**. + +#. Click the **Search** tab. In the website or instance drop-down list, select a website to view corresponding event logs. The query time can be **Yesterday**, **Today**, **Past 3 days**, **Past 7 days**, **Past 30 days**, or a time range you configure. :ref:`Table 2 ` lists related parameters. + + + .. figure:: /_static/images/en-us_image_0000001395650509.png + :alt: **Figure 1** Viewing protection events + + **Figure 1** Viewing protection events + + .. table:: **Table 1** Event parameters + + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Parameter | Parameters | + +===================================+===================================================================================================================================================================================================+ + | Event Type | Type of the attack. | + | | | + | | By default, **All** is selected. 
You can view logs of all attack types or select an attack type to view corresponding attack logs. | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Protective Action | The options are **Block**, **Log only**, and **Verification code**. | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Source IP Address | Public IP address of the web visitor/attacker | + | | | + | | By default, **All** is selected. You can view logs of all attack source IP addresses, select an attack source IP address, or enter an attack source IP address to view corresponding attack logs. | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | URL | Attacked URL. | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Event ID | ID of the event. | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + + .. _waf_01_0156__table17116135085617: + + .. 
table:: **Table 2** Parameters in the event list + + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +=======================+===========================================================================================================================================================================+=======================+ + | Time | When the attack occurred | 2021/02/04 13:20:04 | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Source IP Address | Public IP address of the web visitor/attacker | None | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Geolocation | Location where the IP address of the attack originates from | ``-`` | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Domain Name | Attacked domain name | www.example.com | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | URL | Attacked URL | /admin | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Malicious 
Load | The location or part of the attack that causes damage or the number of times that the URL was accessed. | id=1 and 1='1 | + | | | | + | | .. note:: | | + | | | | + | | - In a CC attack, the malicious load indicates the number of times that the URL was accessed. | | + | | - For blacklist protection events, the malicious load is left blank. | | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Event Type | Type of attack | SQL injection | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Protective Action | Protective actions configured in the rule. The options are **Block**, **Log only**, and **Verification code**. | Block | + | | | | + | | .. note:: | | + | | | | + | | If an access request matches a web tamper protection rule, information leakage prevention rule, or data masking rule, the protective action is marked as **Mismatch**. | | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Status Code | HTTP status code returned on the block page. | 418 | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + + .. note:: + + To view event details, click **Details** in the **Operation** column of the event list. + +.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image2| image:: /_static/images/en-us_image_0000001287947022.png 
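Review bot: The intro paragraph of viewing_protection_event_logs.rst says event details include the "origin server IP address" and the "geographic location of the origin server IP address", but both tables in this file define **Source IP Address** as the "Public IP address of the web visitor/attacker" and **Geolocation** as where the attacking IP address originates. Elsewhere in this patch, "origin server IP address" is the address configured in WAF for the protected backend, so the intro should say source IP address instead. In step 5, the sentence about the search filters points to :ref:`Table 2 `, while the filters are listed in Table 1; Table 1 has no label to reference, and its second column is headed "Parameters" where Table 2 uses "Description". The example value "None" for **Source IP Address** also reads as if the field could be empty; a documentation-range address would be clearer.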
diff --git a/umn/source/faqs/about_waf/index.rst b/umn/source/faqs/about_waf/index.rst new file mode 100644 index 0000000..e51de32 --- /dev/null +++ b/umn/source/faqs/about_waf/index.rst @@ -0,0 +1,16 @@ +:original_name: waf_01_0025.html + +.. _waf_01_0025: + +About WAF +========= + +- :ref:`WAF Functions ` +- :ref:`WAF Usage ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + waf_functions/index + waf_usage/index diff --git a/umn/source/faqs/about_waf/waf_functions/can_waf_block_requests_for_calling_other_apis_from_web_pages.rst b/umn/source/faqs/about_waf/waf_functions/can_waf_block_requests_for_calling_other_apis_from_web_pages.rst new file mode 100644 index 0000000..b3c25a7 --- /dev/null +++ b/umn/source/faqs/about_waf/waf_functions/can_waf_block_requests_for_calling_other_apis_from_web_pages.rst @@ -0,0 +1,10 @@ +:original_name: waf_01_0212.html + +.. _waf_01_0212: + +Can WAF Block Requests for Calling Other APIs from Web Pages? +============================================================= + +If the request data for calling other APIs on the web page is included in the domain names protected by WAF, the request data passes through WAF. WAF checks the request data and blocks it if it is an attack. + +If the request data for calling other APIs on the web page is not included in the domain names protected by WAF, the request data does not pass through WAF. WAF cannot block the request data. diff --git a/umn/source/faqs/about_waf/waf_functions/can_waf_block_spam_and_malicious_user_registrations.rst b/umn/source/faqs/about_waf/waf_functions/can_waf_block_spam_and_malicious_user_registrations.rst new file mode 100644 index 0000000..1bda9a0 --- /dev/null +++ b/umn/source/faqs/about_waf/waf_functions/can_waf_block_spam_and_malicious_user_registrations.rst 
@@ -0,0 +1,10 @@ +:original_name: waf_01_0280.html + +.. _waf_01_0280: + +Can WAF Block Spam and Malicious User Registrations? +==================================================== + +WAF cannot block business-related attacks, such as spam and malicious user registrations. To prevent these attacks, configure the registration verification mechanism on your website. + +WAF is designed to keep web applications stable and secure. It examines all HTTP and HTTPS requests to detect for and block suspicious network attacks, such as Structure Query Language (SQL) injections, cross-site scripting (XSS) attacks, web shell upload, command or code injections, file inclusion, unauthorized sensitive file access, third-party vulnerability exploits, Challenge Collapsar (CC) attacks, malicious crawlers, and cross-site request forgery (CSRF). diff --git a/umn/source/faqs/about_waf/waf_functions/can_waf_block_url_requests_that_contain_special_characters.rst b/umn/source/faqs/about_waf/waf_functions/can_waf_block_url_requests_that_contain_special_characters.rst new file mode 100644 index 0000000..ba6726d --- /dev/null +++ b/umn/source/faqs/about_waf/waf_functions/can_waf_block_url_requests_that_contain_special_characters.rst @@ -0,0 +1,8 @@ +:original_name: waf_01_0211.html + +.. _waf_01_0211: + +Can WAF Block URL Requests That Contain Special Characters? +=========================================================== + +No. WAF can only detect and restrict source IP addresses. diff --git a/umn/source/faqs/about_waf/waf_functions/can_waf_check_the_body_i_add_to_the_post_request.rst b/umn/source/faqs/about_waf/waf_functions/can_waf_check_the_body_i_add_to_the_post_request.rst new file mode 100644 index 0000000..760e89e --- /dev/null +++ b/umn/source/faqs/about_waf/waf_functions/can_waf_check_the_body_i_add_to_the_post_request.rst 
@@ -0,0 +1,10 @@ +:original_name: waf_01_0187.html + +.. _waf_01_0187: + +Can WAF Check the Body I Add to the POST Request? +================================================= + +The built-in detection of WAF checks POST data, and web shells are the files submitted in POST requests. WAF checks all data, such as forms and JSON files in POST requests based on the default protection policies. + +You can configure a precise protection rule to check the body added to POST requests. diff --git a/umn/source/faqs/about_waf/waf_functions/can_waf_limit_the_access_speed_of_a_domain_name.rst b/umn/source/faqs/about_waf/waf_functions/can_waf_limit_the_access_speed_of_a_domain_name.rst new file mode 100644 index 0000000..68f9777 --- /dev/null +++ b/umn/source/faqs/about_waf/waf_functions/can_waf_limit_the_access_speed_of_a_domain_name.rst @@ -0,0 +1,8 @@ +:original_name: waf_01_0257.html + +.. _waf_01_0257: + +Can WAF Limit the Access Speed of a Domain Name? +================================================ + +No. However, you can customize a CC attack protection rule to restrict access to a specific URL on your website based on an IP address, cookie, or Referer, mitigating CC attacks. diff --git a/umn/source/faqs/about_waf/waf_functions/can_waf_protect_an_ip_address.rst b/umn/source/faqs/about_waf/waf_functions/can_waf_protect_an_ip_address.rst new file mode 100644 index 0000000..dd4a36a --- /dev/null +++ b/umn/source/faqs/about_waf/waf_functions/can_waf_protect_an_ip_address.rst 
@@ -0,0 +1,17 @@ +:original_name: waf_01_0029.html + +.. _waf_01_0029: + +Can WAF Protect an IP Address? +============================== + +A WAF instance can protect IP addresses. + +Dedicated Mode +-------------- + +A dedicated or load balancing WAF instance can protect websites through either domain names or IP addresses. + +The origin server IP address configured in WAF can be a public IP address or internal IP address. + +For details about how to add a domain name to WAF, see :ref:`How Do I Add a Domain Name/IP Address to WAF? `. diff --git a/umn/source/faqs/about_waf/waf_functions/can_waf_protect_websites_accessed_through_hsts_or_ntlm_authentication.rst b/umn/source/faqs/about_waf/waf_functions/can_waf_protect_websites_accessed_through_hsts_or_ntlm_authentication.rst new file mode 100644 index 0000000..ddc06b1 --- /dev/null +++ b/umn/source/faqs/about_waf/waf_functions/can_waf_protect_websites_accessed_through_hsts_or_ntlm_authentication.rst @@ -0,0 +1,14 @@ +:original_name: waf_01_0329.html + +.. _waf_01_0329: + +Can WAF Protect Websites Accessed Through HSTS or NTLM Authentication? +====================================================================== + +Yes. WAF can protect HTTP and HTTPS applications. + +- If a website uses the HTTP Strict Transport Security (HSTS) policy, the client (such as a browser) is forced to use HTTPS to communicate with the website. This reduces the risk of session hijacking. Websites configured with HSTS policy use the HTTPS protocol. So, WAF can protect these websites. + +- Windows New Technology LAN Manager (NTLM) is an authentication method over HTTP. NTLM uses a three-way handshake to authenticate a connection. NTLM authenticates a client (such as a browser) the same way the Windows remote login authentication does. + + WAF can protect applications that use NTLM to authenticate connection between a server and client, such as a browser. 
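Review bot: The answer in can_waf_block_url_requests_that_contain_special_characters.rst ("No. WAF can only detect and restrict source IP addresses.") contradicts the other FAQ entries added in this patch. can_waf_block_spam_and_malicious_user_registrations.rst says WAF "examines all HTTP and HTTPS requests" to block SQL injection and XSS, can_waf_check_the_body_i_add_to_the_post_request.rst says WAF checks all POST data, and how_does_waf_detect_sql_injection_and_xss_attacks.rst lists special characters among the things WAF matches. Either reword this answer to say what is actually unsupported, or remove the claim that only source IP addresses can be detected. Smaller wording points in the neighbouring hunks: "detect for and block" and "Structure Query Language" in the spam FAQ, and "web shells are the files submitted in POST requests" in the POST body FAQ, which reads as a definition of all POST uploads.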
diff --git a/umn/source/faqs/about_waf/waf_functions/does_waf_cache_website_data.rst b/umn/source/faqs/about_waf/waf_functions/does_waf_cache_website_data.rst new file mode 100644 index 0000000..e32f2da --- /dev/null +++ b/umn/source/faqs/about_waf/waf_functions/does_waf_cache_website_data.rst @@ -0,0 +1,8 @@ +:original_name: waf_01_0345.html + +.. _waf_01_0345: + +Does WAF Cache Website Data? +============================ + +WAF protects user data on the application layer. It supports cache configuration on static web pages. When a user accesses a web page, the system returns a cached page to the user and randomly checks whether the page has been tampered with. diff --git a/umn/source/faqs/about_waf/waf_functions/does_waf_support_application_layer_protocol-_and_content-based_access_control.rst b/umn/source/faqs/about_waf/waf_functions/does_waf_support_application_layer_protocol-_and_content-based_access_control.rst new file mode 100644 index 0000000..ecdae88 --- /dev/null +++ b/umn/source/faqs/about_waf/waf_functions/does_waf_support_application_layer_protocol-_and_content-based_access_control.rst @@ -0,0 +1,8 @@ +:original_name: waf_01_0229.html + +.. _waf_01_0229: + +Does WAF Support Application Layer Protocol- and Content-Based Access Control? +============================================================================== + +WAF supports access control over content at the application layer. HTTP and HTTPS are both application layer protocols. diff --git a/umn/source/faqs/about_waf/waf_functions/does_waf_support_file_caching.rst b/umn/source/faqs/about_waf/waf_functions/does_waf_support_file_caching.rst new file mode 100644 index 0000000..bd0a4a9 --- /dev/null +++ b/umn/source/faqs/about_waf/waf_functions/does_waf_support_file_caching.rst 
@@ -0,0 +1,8 @@ +:original_name: waf_01_0149.html + +.. _waf_01_0149: + +Does WAF Support File Caching? +============================== + +WAF caches only static web pages that are configured with web tamper protection and sends the cached web pages that are not tampered with to web visitors. diff --git a/umn/source/faqs/about_waf/waf_functions/how_does_waf_detect_sql_injection_and_xss_attacks.rst b/umn/source/faqs/about_waf/waf_functions/how_does_waf_detect_sql_injection_and_xss_attacks.rst new file mode 100644 index 0000000..cd8cc3a --- /dev/null +++ b/umn/source/faqs/about_waf/waf_functions/how_does_waf_detect_sql_injection_and_xss_attacks.rst 
@@ -0,0 +1,34 @@ +:original_name: waf_01_0457.html + +.. _waf_01_0457: + +How Does WAF Detect SQL Injection and XSS Attacks? +================================================== + +A Structured Query Language (SQL) injection is a common web attack. The attacker injects malicious SQL commands into database query strings to deceive the server into executing commands. By exploiting these commands, the attacker can obtain sensitive information, add users, export files, or even gain the highest permissions to the database or system. + +XSS attacks exploit vulnerabilities left during web page development to inject malicious instruction code into web pages so that attackers can trick visitors into loading and executing malicious web page programs attackers fabricated. These malicious web page programs are usually JavaScript, but they can also include Java, VBScript, ActiveX, Flash, or even common HTML. After an attack succeeds, the attacker may obtain various content, including but not limited to higher permissions (for example, permissions for certain operations), private content, sessions, and cookies. + +How Does WAF Detect SQL Injection Attacks? +------------------------------------------ + +WAF detects and matches SQL keywords, special characters, operators, and comment symbols. + +- SQL keywords: union, Select, from, as, asc, desc, order by, sort, and, or, load, delete, update, execute, count, top, between, declare, distinct, distinctrow, sleep, waitfor, delay, having, sysdate, when, dba_user, case, delay, and the like +- Special characters: ',; () +- Mathematical operators: **±**, **\***, **/**, **%**, and **\|** +- Operators: **=**, **>**, **<**, **>=**, **<=**, **!=**, **+=**, and **-=** +- Comment symbols: **-** or **/**/** + +How Does WAF Detect XSS Attacks? +-------------------------------- + +WAF checks HTML script tags, event processors, script protocols, and styles to prevent malicious users from injecting malicious XSS statements through client requests. 
+ +- XSS keywords (such as **javascript**, **script**, **object**, **style**, **iframe**, **body**, **input**, **form**, **onerror**, and **alert**) +- Special characters (<, >, ', and ") +- External links (href="http://xxx/",src="http://xxx/attack.js") + +.. note:: + + Rich text can be uploaded using multipart upload instead of body. In multipart upload, rich text is stored in forms and can be decoded even if it is encoded using Base64. Analyze your services and do not use quotation marks and angle brackets as far as possible. diff --git a/umn/source/faqs/about_waf/waf_functions/index.rst b/umn/source/faqs/about_waf/waf_functions/index.rst new file mode 100644 index 0000000..c9808a9 --- /dev/null +++ b/umn/source/faqs/about_waf/waf_functions/index.rst 
@@ -0,0 +1,42 @@ +:original_name: waf_01_0292.html + +.. _waf_01_0292: + +WAF Functions +============= + +- :ref:`Can WAF Protect an IP Address? ` +- :ref:`What Objects Does WAF Protect? ` +- :ref:`Which OSs Does WAF Support? ` +- :ref:`Which Layers Does WAF Provide Protection At? ` +- :ref:`Does WAF Support File Caching? ` +- :ref:`Does WAF Support Application Layer Protocol- and Content-Based Access Control? ` +- :ref:`Can WAF Check the Body I Add to the POST Request? ` +- :ref:`Can WAF Limit the Access Speed of a Domain Name? ` +- :ref:`Can WAF Block URL Requests That Contain Special Characters? ` +- :ref:`Can WAF Block Spam and Malicious User Registrations? ` +- :ref:`Can WAF Block Requests for Calling Other APIs from Web Pages? ` +- :ref:`Which Web Service Framework Protocols Does WAF Support? ` +- :ref:`Can WAF Protect Websites Accessed Through HSTS or NTLM Authentication? ` +- :ref:`Does WAF Cache Website Data? ` +- :ref:`How Does WAF Detect SQL Injection and XSS Attacks? ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + can_waf_protect_an_ip_address + what_objects_does_waf_protect + which_oss_does_waf_support + which_layers_does_waf_provide_protection_at + does_waf_support_file_caching + does_waf_support_application_layer_protocol-_and_content-based_access_control + can_waf_check_the_body_i_add_to_the_post_request + can_waf_limit_the_access_speed_of_a_domain_name + can_waf_block_url_requests_that_contain_special_characters + can_waf_block_spam_and_malicious_user_registrations + can_waf_block_requests_for_calling_other_apis_from_web_pages + which_web_service_framework_protocols_does_waf_support + can_waf_protect_websites_accessed_through_hsts_or_ntlm_authentication + does_waf_cache_website_data + how_does_waf_detect_sql_injection_and_xss_attacks diff --git a/umn/source/faqs/about_waf/waf_functions/what_objects_does_waf_protect.rst b/umn/source/faqs/about_waf/waf_functions/what_objects_does_waf_protect.rst new file mode 100644 index 0000000..8b336e3 
--- /dev/null +++ b/umn/source/faqs/about_waf/waf_functions/what_objects_does_waf_protect.rst @@ -0,0 +1,8 @@ +:original_name: waf_01_0134.html + +.. _waf_01_0134: + +What Objects Does WAF Protect? +============================== + +WAF can protect domain names or IP addresses. diff --git a/umn/source/faqs/about_waf/waf_functions/which_layers_does_waf_provide_protection_at.rst b/umn/source/faqs/about_waf/waf_functions/which_layers_does_waf_provide_protection_at.rst new file mode 100644 index 0000000..45f2ceb --- /dev/null +++ b/umn/source/faqs/about_waf/waf_functions/which_layers_does_waf_provide_protection_at.rst @@ -0,0 +1,8 @@ +:original_name: waf_01_0030.html + +.. _waf_01_0030: + +Which Layers Does WAF Provide Protection At? +============================================ + +WAF provides protection at seven layers, namely, the physical layer, data link layer, network layer, transport layer, session layer, presentation layer, and application layer. diff --git a/umn/source/faqs/about_waf/waf_functions/which_oss_does_waf_support.rst b/umn/source/faqs/about_waf/waf_functions/which_oss_does_waf_support.rst new file mode 100644 index 0000000..2f4a5b9 --- /dev/null +++ b/umn/source/faqs/about_waf/waf_functions/which_oss_does_waf_support.rst @@ -0,0 +1,8 @@ +:original_name: waf_01_0026.html + +.. _waf_01_0026: + +Which OSs Does WAF Support? +=========================== + +WAF is deployed on the cloud, which is irrelevant to an OS. Therefore, WAF supports any OS. A domain name server on any OS can be connected to WAF for protection. diff --git a/umn/source/faqs/about_waf/waf_functions/which_web_service_framework_protocols_does_waf_support.rst b/umn/source/faqs/about_waf/waf_functions/which_web_service_framework_protocols_does_waf_support.rst new file mode 100644 index 0000000..2d0c423 --- /dev/null +++ b/umn/source/faqs/about_waf/waf_functions/which_web_service_framework_protocols_does_waf_support.rst 
@@ -0,0 +1,19 @@ +:original_name: waf_01_0027.html + +.. _waf_01_0027: + +Which Web Service Framework Protocols Does WAF Support? +======================================================= + +WAF is deployed on the cloud. + +Web Application Firewall (WAF) keeps web services stable and secure. It examines all HTTP and HTTPS requests to detect and block the following attacks: Structured Query Language (SQL) injection, cross-site scripting (XSS), web shells, command and code injections, file inclusion, sensitive file access, third-party vulnerability exploits, Challenge Collapsar (CC) attacks, malicious crawlers, and cross-site request forgery (CSRF). + +WAF can examine the following requests: + +- WebSocket and WebSockets (enabled by default) + + - WebSocket request inspection is enabled by default if **Client Protocol** is set to **HTTP**. + - WebSockets request inspection is enabled by default if **Client Protocol** is set to **HTTPS**. + +- HTTP/HTTPS diff --git a/umn/source/faqs/about_waf/waf_usage/does_waf_affect_data_transmission_from_the_internal_network_to_an_external_network.rst b/umn/source/faqs/about_waf/waf_usage/does_waf_affect_data_transmission_from_the_internal_network_to_an_external_network.rst new file mode 100644 index 0000000..e718fbc --- /dev/null +++ b/umn/source/faqs/about_waf/waf_usage/does_waf_affect_data_transmission_from_the_internal_network_to_an_external_network.rst @@ -0,0 +1,8 @@ +:original_name: waf_01_0366.html + +.. _waf_01_0366: + +Does WAF Affect Data Transmission from the Internal Network to an External Network? +=================================================================================== + +No. After a website is connected to WAF, all website access requests are forwarded to WAF first. WAF detects and filters out malicious attack traffic, and returns normal traffic to the origin server to keep your origin server is secure, stable, and available. 
diff --git a/umn/source/faqs/about_waf/waf_usage/does_waf_affect_email_ports_or_email_receiving_and_sending.rst b/umn/source/faqs/about_waf/waf_usage/does_waf_affect_email_ports_or_email_receiving_and_sending.rst new file mode 100644 index 0000000..9071aa6 --- /dev/null +++ b/umn/source/faqs/about_waf/waf_usage/does_waf_affect_email_ports_or_email_receiving_and_sending.rst @@ -0,0 +1,8 @@ +:original_name: waf_01_0218.html + +.. _waf_01_0218: + +Does WAF Affect Email Ports or Email Receiving and Sending? +=========================================================== + +WAF protects web application pages. After your website is connected to WAF, there is no impact on your email port or email sending or receiving. diff --git a/umn/source/faqs/about_waf/waf_usage/how_do_i_obtain_the_real_ip_address_of_a_web_visitor.rst b/umn/source/faqs/about_waf/waf_usage/how_do_i_obtain_the_real_ip_address_of_a_web_visitor.rst new file mode 100644 index 0000000..7d9389b --- /dev/null +++ b/umn/source/faqs/about_waf/waf_usage/how_do_i_obtain_the_real_ip_address_of_a_web_visitor.rst 
@@ -0,0 +1,14 @@ +:original_name: waf_01_0062.html + +.. _waf_01_0062: + +How Do I Obtain the Real IP Address of a Web Visitor? +===================================================== + +After you connect a website to your WAF instance, WAF works as a reverse proxy between the client and the server. The real IP address of the server is hidden and only the IP address of WAF is visible to web visitors. + +Generally, a proxy such as CDN, WAF, and anti-DDoS service is deployed between the client and server. Web visitors cannot directly access the server. For example, **web visitor** > **CDN/WAF/anti-DDoS** > **origin server**. + +When forwarding requests to the downstream server, the transparent proxy server adds an **X-Forwarded-For** field to the HTTP header to identify the web visitor's real IP address in the format of **X-Forwarded-For: real IP address of the web visitor, proxy 1-IP address, proxy 2-IP address, proxy 3-IP address, ........->...**. + +Therefore, you can obtain the web visitor's real IP address from the **X-Forwarded-For** field. The first IP address in this field is the web visitor's real IP address. diff --git a/umn/source/faqs/about_waf/waf_usage/how_does_waf_forward_access_requests_when_both_a_wildcard_domain_name_and_a_single_domain_name_are_connected_to_waf.rst b/umn/source/faqs/about_waf/waf_usage/how_does_waf_forward_access_requests_when_both_a_wildcard_domain_name_and_a_single_domain_name_are_connected_to_waf.rst new file mode 100644 index 0000000..c2e606d --- /dev/null +++ b/umn/source/faqs/about_waf/waf_usage/how_does_waf_forward_access_requests_when_both_a_wildcard_domain_name_and_a_single_domain_name_are_connected_to_waf.rst 
@@ -0,0 +1,15 @@ +:original_name: waf_01_0361.html + +.. _waf_01_0361: + +How Does WAF Forward Access Requests When Both a Wildcard Domain Name and a Single Domain Name Are Connected to WAF? +==================================================================================================================== + +WAF preferentially forwards access requests to the single domain name. If the single domain name cannot be identified, access requests will be forwarded to the wildcard domain name. + +For example, if you connect single domain name a.example.com and wildcard domain name \*.example.com to WAF, WAF preferentially forwards access requests to single domain name a.example.com. + +If you are configuring a wildcard domain name, pay attention to the following: + +- If the server IP address of each subdomain name is the same, enter a wildcard domain name. For example, if the subdomain names **a.example.com**, **b.example.com**, and **c.example.com** have the same server IP address, you can add the wildcard domain name **\*.example.com** to WAF to protect all three. +- If the server IP addresses of subdomain names are different, add subdomain names as single domain names one by one. diff --git a/umn/source/faqs/about_waf/waf_usage/index.rst b/umn/source/faqs/about_waf/waf_usage/index.rst new file mode 100644 index 0000000..db669ad --- /dev/null +++ b/umn/source/faqs/about_waf/waf_usage/index.rst 
@@ -0,0 +1,26 @@ +:original_name: waf_01_0293.html + +.. _waf_01_0293: + +WAF Usage +========= + +- :ref:`Does WAF Affect Email Ports or Email Receiving and Sending? ` +- :ref:`How Do I Obtain the Real IP Address of a Web Visitor? ` +- :ref:`What Are Local File Inclusion and Remote File Inclusion? ` +- :ref:`What Is the Difference Between QPS and the Number of Requests? ` +- :ref:`What Are Concurrent Requests? ` +- :ref:`How Does WAF Forward Access Requests When Both a Wildcard Domain Name and a Single Domain Name Are Connected to WAF? ` +- :ref:`Does WAF Affect Data Transmission from the Internal Network to an External Network? ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + does_waf_affect_email_ports_or_email_receiving_and_sending + how_do_i_obtain_the_real_ip_address_of_a_web_visitor + what_are_local_file_inclusion_and_remote_file_inclusion + what_is_the_difference_between_qps_and_the_number_of_requests + what_are_concurrent_requests + how_does_waf_forward_access_requests_when_both_a_wildcard_domain_name_and_a_single_domain_name_are_connected_to_waf + does_waf_affect_data_transmission_from_the_internal_network_to_an_external_network diff --git a/umn/source/faqs/about_waf/waf_usage/what_are_concurrent_requests.rst b/umn/source/faqs/about_waf/waf_usage/what_are_concurrent_requests.rst new file mode 100644 index 0000000..ced55e7 --- /dev/null +++ b/umn/source/faqs/about_waf/waf_usage/what_are_concurrent_requests.rst @@ -0,0 +1,8 @@ +:original_name: waf_01_0222.html + +.. _waf_01_0222: + +What Are Concurrent Requests? +============================= + +The number of concurrent requests refers to the number of requests that the system can process simultaneously. When it comes to a website, concurrent requests refer to the requests from the visitors at the same time. 
diff --git a/umn/source/faqs/about_waf/waf_usage/what_are_local_file_inclusion_and_remote_file_inclusion.rst b/umn/source/faqs/about_waf/waf_usage/what_are_local_file_inclusion_and_remote_file_inclusion.rst new file mode 100644 index 0000000..02a160c --- /dev/null +++ b/umn/source/faqs/about_waf/waf_usage/what_are_local_file_inclusion_and_remote_file_inclusion.rst @@ -0,0 +1,15 @@ +:original_name: waf_01_0196.html + +.. _waf_01_0196: + +What Are Local File Inclusion and Remote File Inclusion? +======================================================== + +You can view security events such as file inclusion in WAF protection events to quickly locate attack sources or analyze attack events. + +Program developers write repeatedly used functions into a single file. When such functions need to be used, the file is directly invoked. The file invoking process is called file inclusion. File inclusion vulnerabilities are classified into two categories, based on whether the file is a remotely hosted file or a local file available on the web server: + +- Local file inclusion +- Remote file inclusion + +A file inclusion vulnerability allows an attacker to access unauthorized or sensitive files available on the web server or to execute malicious files on the web server by using such a file. This vulnerability is mainly due to a bad input validation mechanism, wherein the user's input that is passed to the file include commands without proper validation. The impact of this vulnerability can lead to malicious code execution on the server or reveal data present in sensitive files. diff --git a/umn/source/faqs/about_waf/waf_usage/what_is_the_difference_between_qps_and_the_number_of_requests.rst b/umn/source/faqs/about_waf/waf_usage/what_is_the_difference_between_qps_and_the_number_of_requests.rst new file mode 100644 index 0000000..0667eda --- /dev/null +++ b/umn/source/faqs/about_waf/waf_usage/what_is_the_difference_between_qps_and_the_number_of_requests.rst 
@@ -0,0 +1,32 @@ +:original_name: waf_01_0179.html + +.. _waf_01_0179: + +What Is the Difference Between QPS and the Number of Requests? +============================================================== + +Queries Per Second (QPS) indicates the number of requests per second. For example, an HTTP GET request is also called a query. The number of requests is the total number of requests in a specific time range. + +Queries Per Second (QPS) is the number of requests a server can handle per second. + +.. note:: + + QPS is used to measure the number of queries, or requests, per second. + +For details about QPS on the **Dashboard** page, see :ref:`Table 1 `. + +.. _waf_01_0179__table48681616133812: + +.. table:: **Table 1** QPS calculation + + +----------------------------+--------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+ + | Time Range | Average QPS Description | Peak QPS Description | + +============================+====================================================================================================================+=================================================================+ + | **Yesterday** or **Today** | The QPS curve is made with the average QPSs in every minute. | The QPS curve is made with each peak QPS in every minute. | + +----------------------------+--------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+ + | **Past 3 days** | The QPS curve is made with the average QPSs in every five minutes. | The QPS curve is made with each peak QPS in every five minutes. 
| + +----------------------------+--------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+ + | **Past 7 days** | The QPS curve is made with the maximum value among the average QPSs in every five minutes at a 10-minute interval. | The QPS curve is made with each peak QPS in every 10 minutes. | + +----------------------------+--------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+ + | **Past 30 days** | The QPS curve is made with the maximum value among the average QPSs in every five minutes at a one-hour interval. | The QPS curve is made with the peak QPSs in every hour. | + +----------------------------+--------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+ diff --git a/umn/source/faqs/index.rst b/umn/source/faqs/index.rst new file mode 100644 index 0000000..a57a32b --- /dev/null +++ b/umn/source/faqs/index.rst @@ -0,0 +1,20 @@ +:original_name: waf_01_0022.html + +.. _waf_01_0022: + +FAQs +==== + +- :ref:`About WAF ` +- :ref:`Website Domain Name Access Configuration ` +- :ref:`Service Interruption Check ` +- :ref:`Protection Rule Configuration ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + about_waf/index + website_domain_name_access_configuration/index + service_interruption_check/index + protection_rule_configuration/index diff --git a/umn/source/faqs/protection_rule_configuration/anti-crawler_protection/index.rst b/umn/source/faqs/protection_rule_configuration/anti-crawler_protection/index.rst new file mode 100644 index 0000000..0f1fec2 --- /dev/null +++ b/umn/source/faqs/protection_rule_configuration/anti-crawler_protection/index.rst 
@@ -0,0 +1,14 @@ +:original_name: waf_01_0308.html + +.. _waf_01_0308: + +Anti-Crawler Protection +======================= + +- :ref:`Why Is the Requested Page Unable to Load After JavaScript Anti-Crawler Is Enabled? ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + why_is_the_requested_page_unable_to_load_after_javascript_anti-crawler_is_enabled diff --git a/umn/source/faqs/protection_rule_configuration/anti-crawler_protection/why_is_the_requested_page_unable_to_load_after_javascript_anti-crawler_is_enabled.rst b/umn/source/faqs/protection_rule_configuration/anti-crawler_protection/why_is_the_requested_page_unable_to_load_after_javascript_anti-crawler_is_enabled.rst new file mode 100644 index 0000000..a9d6d01 --- /dev/null +++ b/umn/source/faqs/protection_rule_configuration/anti-crawler_protection/why_is_the_requested_page_unable_to_load_after_javascript_anti-crawler_is_enabled.rst 
@@ -0,0 +1,22 @@ +:original_name: waf_01_0254.html + +.. _waf_01_0254: + +Why Is the Requested Page Unable to Load After JavaScript Anti-Crawler Is Enabled? +================================================================================== + +After JavaScript anti-crawler is enabled, WAF returns a piece of JavaScript code to the client when the client sends a request. If the client sends a normal request to the website, triggered by the received JavaScript code, the client will automatically send the request to WAF again. WAF then forwards the request to the origin server. This process is called JavaScript verification. :ref:`Figure 1 ` shows how JavaScript verification works. + +.. _waf_01_0254__fig67621541143216: + +.. figure:: /_static/images/en-us_image_0000001126290859.png + :alt: **Figure 1** JavaScript anti-crawler detection process + + **Figure 1** JavaScript anti-crawler detection process + +.. important:: + + - To enable the JavaScript anti-crawler protection, the browser on the client must have JavaScript and cookies enabled. + - If the client does not meet the preceding requirements, only steps 1 and 2 can be performed. In this case, the client request fails to obtain the page. + + Check your services. If your website can be accessed by other means except for a browser, disable JavaScript anti-crawler protection. diff --git a/umn/source/faqs/protection_rule_configuration/basic_web_protection/how_do_i_switch_the_mode_of_basic_web_protection_from_log_only_to_block.rst b/umn/source/faqs/protection_rule_configuration/basic_web_protection/how_do_i_switch_the_mode_of_basic_web_protection_from_log_only_to_block.rst new file mode 100644 index 0000000..aee4318 --- /dev/null +++ b/umn/source/faqs/protection_rule_configuration/basic_web_protection/how_do_i_switch_the_mode_of_basic_web_protection_from_log_only_to_block.rst 
@@ -0,0 +1,24 @@ +:original_name: waf_01_0053.html + +.. _waf_01_0053: + +How Do I Switch the Mode of Basic Web Protection from Log Only to Block? +======================================================================== + +This FAQ guides you to switch the mode of basic web protection to **Block**. + +Perform the following operations: + +#. Log in to the management console. +#. Click |image1| in the upper left corner of the management console and select a region or project. +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. +#. In the navigation pane, choose **Website Settings**. +#. In the **Policy** column of the row containing the target website, click the number to go to the policy configuration page. +#. In the **Basic Web Protection** configuration area, set **Mode** to **Block**. + + .. important:: + + **Log only** and **Block** are merely modes of basic web protection. CC attack protection and precise protection have their own protective actions. + +.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image2| image:: /_static/images/en-us_image_0000001340426101.png diff --git a/umn/source/faqs/protection_rule_configuration/basic_web_protection/index.rst b/umn/source/faqs/protection_rule_configuration/basic_web_protection/index.rst new file mode 100644 index 0000000..4c6f0d6 --- /dev/null +++ b/umn/source/faqs/protection_rule_configuration/basic_web_protection/index.rst @@ -0,0 +1,16 @@ +:original_name: waf_01_0304.html + +.. _waf_01_0304: + +Basic Web Protection +==================== + +- :ref:`How Do I Switch the Mode of Basic Web Protection from Log Only to Block? ` +- :ref:`Which Protection Levels Can Be Set for Basic Web Protection? ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + how_do_i_switch_the_mode_of_basic_web_protection_from_log_only_to_block + which_protection_levels_can_be_set_for_basic_web_protection 
diff --git a/umn/source/faqs/protection_rule_configuration/basic_web_protection/which_protection_levels_can_be_set_for_basic_web_protection.rst b/umn/source/faqs/protection_rule_configuration/basic_web_protection/which_protection_levels_can_be_set_for_basic_web_protection.rst new file mode 100644 index 0000000..681f6fb --- /dev/null +++ b/umn/source/faqs/protection_rule_configuration/basic_web_protection/which_protection_levels_can_be_set_for_basic_web_protection.rst 
@@ -0,0 +1,26 @@ +:original_name: waf_01_0204.html + +.. _waf_01_0204: + +Which Protection Levels Can Be Set for Basic Web Protection? +============================================================ + +WAF provides three basic web protection levels: **Low**, **Medium**, and **High**. The default option is **Medium**. For details, see :ref:`Table 1 `. + +.. _waf_01_0204__table197844312280: + +.. table:: **Table 1** Protection levels + + +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Protection Level | Description | + +===================================+============================================================================================================================================================================================================================================+ + | Low | WAF only blocks the requests with obvious attack signatures. | + | | | + | | If a large number of false alarms are reported, **Low** is recommended. | + +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Medium | The default level is **Medium**, which meets a majority of web protection requirements. 
| + +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | High | At this level, WAF provides the finest granular protection and can intercept attacks with complex bypass features, such as Jolokia cyber attacks, common gateway interface (CGI) vulnerability detection, and Druid SQL injection attacks. | + | | | + | | To let WAF defend against more attacks but make minimum effect on normal requests, observe your workloads for a period of time first. Then, configure a global protection whitelist rule and select **High**. | + +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ diff --git a/umn/source/faqs/protection_rule_configuration/cc_attack_protection_rules/how_do_i_configure_a_cc_attack_protection_rule.rst b/umn/source/faqs/protection_rule_configuration/cc_attack_protection_rules/how_do_i_configure_a_cc_attack_protection_rule.rst new file mode 100644 index 0000000..a9b3144 --- /dev/null +++ b/umn/source/faqs/protection_rule_configuration/cc_attack_protection_rules/how_do_i_configure_a_cc_attack_protection_rule.rst 
@@ -0,0 +1,16 @@ +:original_name: waf_01_0035.html + +.. _waf_01_0035: + +How Do I Configure a CC Attack Protection Rule? +=============================================== + +When a service interface is under an HTTP flood attack, you can set a CC attack protection rule on the WAF console to relieve service pressure. + +WAF provides the following settings for a CC attack protection rule: + +- Number of requests allowed from a web visitor in a specified period +- Identification of web visitors based on the IP address, cookie, or referer field. +- Action when the maximum limit is reached, such as **Block** or **Verification code** + +For details, see :ref:`Configuring a CC Attack Protection Rule `. diff --git a/umn/source/faqs/protection_rule_configuration/cc_attack_protection_rules/index.rst b/umn/source/faqs/protection_rule_configuration/cc_attack_protection_rules/index.rst new file mode 100644 index 0000000..89b2535 --- /dev/null +++ b/umn/source/faqs/protection_rule_configuration/cc_attack_protection_rules/index.rst @@ -0,0 +1,16 @@ +:original_name: waf_01_0305.html + +.. _waf_01_0305: + +CC Attack Protection Rules +========================== + +- :ref:`How Do I Configure a CC Attack Protection Rule? ` +- :ref:`When Is Cookie Used to Identify Users? ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + how_do_i_configure_a_cc_attack_protection_rule + when_is_cookie_used_to_identify_users diff --git a/umn/source/faqs/protection_rule_configuration/cc_attack_protection_rules/when_is_cookie_used_to_identify_users.rst b/umn/source/faqs/protection_rule_configuration/cc_attack_protection_rules/when_is_cookie_used_to_identify_users.rst new file mode 100644 index 0000000..a83424c --- /dev/null +++ b/umn/source/faqs/protection_rule_configuration/cc_attack_protection_rules/when_is_cookie_used_to_identify_users.rst 
@@ -0,0 +1,10 @@ +:original_name: waf_01_0036.html + +.. _waf_01_0036: + +When Is Cookie Used to Identify Users? +====================================== + +During the configuration of a CC attack protection rule, if IP addresses cannot identify users precisely, for example, when many users share an egress IP address, use Cookie to identify users. + +If the cookie contains key values, such as the session value, of users, the key value can be used as the basis for identifying users. diff --git a/umn/source/faqs/protection_rule_configuration/index.rst b/umn/source/faqs/protection_rule_configuration/index.rst new file mode 100644 index 0000000..573072d --- /dev/null +++ b/umn/source/faqs/protection_rule_configuration/index.rst @@ -0,0 +1,20 @@ +:original_name: waf_01_0063.html + +.. _waf_01_0063: + +Protection Rule Configuration +============================= + +- :ref:`Basic Web Protection ` +- :ref:`CC Attack Protection Rules ` +- :ref:`Anti-Crawler Protection ` +- :ref:`Others ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + basic_web_protection/index + cc_attack_protection_rules/index + anti-crawler_protection/index + others/index diff --git a/umn/source/faqs/protection_rule_configuration/others/in_which_situations_will_the_waf_policies_fail.rst b/umn/source/faqs/protection_rule_configuration/others/in_which_situations_will_the_waf_policies_fail.rst new file mode 100644 index 0000000..57305d9 --- /dev/null +++ b/umn/source/faqs/protection_rule_configuration/others/in_which_situations_will_the_waf_policies_fail.rst @@ -0,0 +1,8 @@ +:original_name: waf_01_0102.html + +.. _waf_01_0102: + +In Which Situations Will the WAF Policies Fail? +=============================================== + +Normally, all requests destined for your site will pass through WAF. However, if your site is using CDN and WAF, the WAF policy targeted at the requests for caching static content will not take effect because CDN directly returns these requests to the client. 
diff --git a/umn/source/faqs/protection_rule_configuration/others/index.rst b/umn/source/faqs/protection_rule_configuration/others/index.rst new file mode 100644 index 0000000..149b550 --- /dev/null +++ b/umn/source/faqs/protection_rule_configuration/others/index.rst @@ -0,0 +1,18 @@ +:original_name: waf_01_0309.html + +.. _waf_01_0309: + +Others +====== + +- :ref:`In Which Situations Will the WAF Policies Fail? ` +- :ref:`Is the Path of a WAF Protection Rule Case-sensitive? ` +- :ref:`What Protection Rules Does WAF Support? ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + in_which_situations_will_the_waf_policies_fail + is_the_path_of_a_waf_protection_rule_case-sensitive + what_protection_rules_does_waf_support diff --git a/umn/source/faqs/protection_rule_configuration/others/is_the_path_of_a_waf_protection_rule_case-sensitive.rst b/umn/source/faqs/protection_rule_configuration/others/is_the_path_of_a_waf_protection_rule_case-sensitive.rst new file mode 100644 index 0000000..79b7683 --- /dev/null +++ b/umn/source/faqs/protection_rule_configuration/others/is_the_path_of_a_waf_protection_rule_case-sensitive.rst @@ -0,0 +1,8 @@ +:original_name: waf_01_0151.html + +.. _waf_01_0151: + +Is the Path of a WAF Protection Rule Case-sensitive? +==================================================== + +All paths configured for protection rules of WAF are case-sensitive. diff --git a/umn/source/faqs/protection_rule_configuration/others/what_protection_rules_does_waf_support.rst b/umn/source/faqs/protection_rule_configuration/others/what_protection_rules_does_waf_support.rst new file mode 100644 index 0000000..1df4017 --- /dev/null +++ b/umn/source/faqs/protection_rule_configuration/others/what_protection_rules_does_waf_support.rst 
@@ -0,0 +1,48 @@ +:original_name: waf_01_0028.html + +.. _waf_01_0028: + +What Protection Rules Does WAF Support? +======================================= + +The protection rules supported by WAF are described below. + +- Basic Web Protection + + WAF can defend against common web attacks, such as SQL injection, XSS, web shells, and Trojans in HTTP upload channels. Once these functions are enabled, protection takes effect immediately. + +- CC Attack Protection + + Flexible rate limiting policies can be set based on the IP addresses, cookies, or Referer field, mitigating CC attacks. + +- Precise Protection + + Common HTTP fields can be combined to customize protection policies, such as CSRF protection. With user-defined rules, WAF can accurately detect malicious requests and protect sensitive information in websites. + +- Blacklist and Whitelist + + Blacklist or whitelist rules allow you to block or allow specific IP addresses or address ranges, improving defense accuracy. + +- Geolocation Access Control + + Geolocation access control rules allow you to customize access control based on the source IP addresses. + +- Web Tamper Protection + + Cache configuration is performed on static web pages. When a user accesses a web page, the system returns a cached page to the user and randomly checks whether the page is tampered with. + +- Anti-crawler Protection + + This function dynamically analyzes website service models and accurately identifies crawler behavior based on data risk control and bot identification systems, such as JS Challenge. + +- Global Protection Whitelist (Formerly False Alarm Masking) + + This function ignores certain attack detection rules for specific requests. + +- Data Masking + + Data masking prevents such data as passwords from being displayed in event logs. + +- Information Leakage Prevention + + WAF prevents user's sensitive information on web pages from being disclosed, such as ID numbers, phone numbers, and email addresses. 
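Review bot: In what_protection_rules_does_waf_support.rst, the "Geolocation Access Control" item says rules are "based on the source IP addresses", which makes it indistinguishable from the "Blacklist and Whitelist" item directly above it. Say that access is allowed or blocked by the geographic location the source IP address maps to. The "Web Tamper Protection" item has a similar gap: "randomly checks whether the page is tampered with" does not say what the cached page is compared against or what happens when a mismatch is found.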
diff --git a/umn/source/faqs/service_interruption_check/how_can_i_upload_files_after_the_website_is_connected_to_waf.rst b/umn/source/faqs/service_interruption_check/how_can_i_upload_files_after_the_website_is_connected_to_waf.rst new file mode 100644 index 0000000..d8394be --- /dev/null +++ b/umn/source/faqs/service_interruption_check/how_can_i_upload_files_after_the_website_is_connected_to_waf.rst @@ -0,0 +1,14 @@ +:original_name: waf_01_0100.html + +.. _waf_01_0100: + +How Can I Upload Files After the Website Is Connected to WAF? +============================================================= + +After your website is connected to WAF, the file visitors can upload each time cannot exceed 512 MB. + +To upload a file greater than 512 MB, upload the file through: + +- IP address +- Separate web server +- FTP server diff --git a/umn/source/faqs/service_interruption_check/how_do_i_fix_an_incomplete_certificate_chain.rst b/umn/source/faqs/service_interruption_check/how_do_i_fix_an_incomplete_certificate_chain.rst new file mode 100644 index 0000000..fc7a577 --- /dev/null +++ b/umn/source/faqs/service_interruption_check/how_do_i_fix_an_incomplete_certificate_chain.rst 
@@ -0,0 +1,66 @@ +:original_name: waf_01_0082.html + +.. _waf_01_0082: + +How Do I Fix an Incomplete Certificate Chain? +============================================= + +If the certificate provided by the certificate authority is not found in the built-in trust store on your platform and the certificate chain does not have a certificate authority, the certificate is incomplete. If you use the incomplete certificate to access the website corresponding to the protected domain name, the access will fail. + +Use either of the following methods to fix it: + +- Manually build up a complete certificate chain and upload the certificate. (This function is available soon.) +- Purchase a new certificate and upload it. + +The latest Google Chrome version supports automatic verification of the trust chain. The following describes how to manually create a complete certificate chain: + +#. Check the certificate. Click the padlock in the address bar to view the certificate status. :ref:`Figure 1 ` shows an example. + + .. _waf_01_0082__fig3896113414308: + + .. figure:: /_static/images/en-us_image_0246108677.png + :alt: **Figure 1** Viewing the certificate + + **Figure 1** Viewing the certificate + +#. Check the certificate chain. Click **Certificate**. Select the **Certificate Path** tab and then click the certificate name to view the certificate status. :ref:`Figure 2 ` shows an example. + + .. _waf_01_0082__fig1987812411375: + + .. figure:: /_static/images/en-us_image_0246112199.png + :alt: **Figure 2** Viewing the certificate chain + + **Figure 2** Viewing the certificate chain + +#. Save the certificates to the local PC one by one. + + a. Select the certificate name and click the **Details** tab. :ref:`Figure 3 ` shows an example. + + .. _waf_01_0082__fig56008156448: + + .. figure:: /_static/images/en-us_image_0246108818.png + :alt: **Figure 3** Details + + **Figure 3** Details + + b. Click **Copy to File**, and then click **Next** as prompted. + + c. 
Select **Base-64 encoded X.509 (.CER)** and click **Next**. :ref:`Figure 4 ` shows an example. + + .. _waf_01_0082__fig1699010397583: + + .. figure:: /_static/images/en-us_image_0246109037.png + :alt: **Figure 4** Certificate Export Wizard + + **Figure 4** Certificate Export Wizard + +#. Rebuild the certificate. After all certificates are exported to the local PC, open the certificate file in Notepad and rebuild the certificate according to the sequence shown in :ref:`Figure 5 `. + + .. _waf_01_0082__fig1970017819312: + + .. figure:: /_static/images/en-us_image_0283637109.png + :alt: **Figure 5** Certificate rebuilding + + **Figure 5** Certificate rebuilding + +#. Upload the certificate again. diff --git a/umn/source/faqs/service_interruption_check/how_do_i_handle_false_alarms_as_waf_blocks_normal_requests_to_my_website.rst b/umn/source/faqs/service_interruption_check/how_do_i_handle_false_alarms_as_waf_blocks_normal_requests_to_my_website.rst new file mode 100644 index 0000000..b159373 --- /dev/null +++ b/umn/source/faqs/service_interruption_check/how_do_i_handle_false_alarms_as_waf_blocks_normal_requests_to_my_website.rst 
@@ -0,0 +1,48 @@ +:original_name: waf_01_0038.html + +.. _waf_01_0038: + +How Do I Handle False Alarms as WAF Blocks Normal Requests to My Website? +========================================================================= + +Once an attack hits a WAF rule, WAF will respond to the attack immediately according to the protective action (**Log only** or **Block**) you configured for the rule and display an event on the **Events** page. + +If a large number of false alarms are reported for a specific service, handle them on the **Events** page. To do so, you can ignore the specific URL and rule ID. Then, WAF will no longer block the same type of request to the URL. + +In the row containing the false alarm event, click **Details** in the **Operation** column and view the event details. If you are sure that the event is a false positive, handle it as a false alarm by referring to :ref:`Table 1 `. After an event is handled as a false alarm, WAF stops blocking corresponding type of event. No such type of event will be displayed on the **Events** page and you will no longer receive alarm notifications accordingly. + +.. _waf_01_0038__table1596785323120: + +.. 
table:: **Table 1** Handling false alarms + + +-------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Type of Hit Rule | Hit Rule | Handling Method | + +===============================+=======================================================================================================================================================================================================================================================================================================================================================+===================================================================================================================================================================================================================================================+ + | WAF built-in protection rules | - Basic web protection rules | In the row containing the attack event, click **Handle False Alarm** in the **Operation** column. For details, see :ref:`Handling False Alarms `. | + | | | | + | | Basic web protection defends against common web attacks, such as SQL injection, XSS attacks, remote buffer overflow attacks, file inclusion, Bash vulnerability exploits, remote command execution, directory traversal, sensitive file access, and command and code injections. Basic web protection also detects web shells and evasion attacks. 
| | + | | | | + | | - Feature-based anti-crawler protection | | + | | | | + | | Feature-based anti-crawler identifies and blocks crawler behavior from search engines, scanners, script tools, and other crawlers. | | + +-------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Custom protection rules | - CC attack protection rules | Go to the page displaying the hit rule and delete it. | + | | - Precise protection rules | | + | | - Blacklist and whitelist rules | | + | | - Geolocation access control rules | | + | | - Web tamper protection rules | | + | | - JavaScript anti-crawler protection | | + | | - Information leakage prevention rules | | + | | - Data masking rules | | + +-------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Other | Invalid access requests | Allow the blocked requests by referring to :ref:`Configuring a Precise Protection Rule `. 
The **Handle False Alarm** button for invalid access events are grayed out as such events are generated against a precise protection rule. | + | | | | + | | .. note:: | | + | | | | + | | If either of the following numbers in an access request exceeds 512, WAF blocks the access request as an invalid request: | | + | | | | + | | - Number of parameters in a form when **form-data** is used for POST or PUT requests | | + | | - Number of URI parameters | | + +-------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +For details, see :ref:`Handling False Alarms `. diff --git a/umn/source/faqs/service_interruption_check/how_do_i_troubleshoot_404_502_504_errors.rst b/umn/source/faqs/service_interruption_check/how_do_i_troubleshoot_404_502_504_errors.rst new file mode 100644 index 0000000..71a1500 --- /dev/null +++ b/umn/source/faqs/service_interruption_check/how_do_i_troubleshoot_404_502_504_errors.rst 
@@ -0,0 +1,154 @@ +:original_name: waf_01_0066.html + +.. _waf_01_0066: + +How Do I Troubleshoot 404/502/504 Errors? +========================================= + +If an error, such as 404 Not Found, 502 Bad Gateway, or 504 Gateway Timeout, occurs after a domain name is connected to WAF, use the following methods to locate the cause and remove the error: + +404 Not Found +------------- + +**Scenario 1**: When a visitor accesses your website, the page shown in :ref:`Figure 1 ` is displayed. + +.. _waf_01_0066__fig197965218316: + +.. figure:: /_static/images/en-us_image_0169130550.png + :alt: **Figure 1** 404 page + + **Figure 1** 404 page + +**Cause**: The port added to a URL is incorrect. + +- A non-standard port is configured when a domain name is connected to WAF. No port is added or the origin server port instead of the non-standard port is used to access the website. For example, use **https://www.example.com** or **https://www.example.com:80** to access the website. + + **Solution**: Add the non-standard port to the URL and access the origin server again, for example, **https://www.example.com:8080**. + +- No non-standard port is configured when a domain name is added to WAF. A non-standard port or the origin server port is used to access the website. For example, use **https://www.example.com:8080** to access the website. + + .. note:: + + If no non-standard port is configured, WAF protects services on port 80/443 by default. To protect services on other ports, re-configure domain settings. + + **Solution**: The domain name needs to be accessed directly. For example, **https://www.example.com**. + +**Scenario 2**: When a visitor accesses your website, another 404 error page is displayed instead of the page shown in :ref:`Figure 1 `. + +**Cause**: The website does not exist or has been deleted. + +**Solution**: Check your website. + +502 Bad Gateway +--------------- + +**Scenario**: Website access is normal after the WAF configuration is complete. 
However, after a certain period of time, a 502 Bad Gateway error is reported frequently. + +.. note:: + + If your web server is not deployed on the cloud, consult your server provider about whether the server has default block settings. If there are default block settings, ask the service provider to remove them. + +Possible causes are as follows: + +- **Cause 1**: Your website is using another security protection software. The software considers back-to-source IP addresses of WAF as malicious and blocks the requests forwarded by WAF. As a result, the site becomes inaccessible. + + **Solution**: Add the WAF IP address ranges to the whitelist of the firewall (hardware or software), security protection software, and rate limiting module. + +- **Cause 2**: Multiple backend servers are configured. However, one backend server is unreachable. + + Perform the following steps to check whether the origin server configuration is correct: + + #. Log in to the management console, click **Service List** in the upper part of the page, and choose **Security** > **Web Application Firewall (Dedicated)**. + + #. In the navigation pane, choose **Website Settings**. + + #. In the **Protected Website** column, click the domain name to go to the **Basic Information** page. + + #. In the **Server Information** area, click |image1|. On the displayed page, check whether the client protocol, server protocol, origin server address, and port used by the origin server are correct. + + #. Run the **curl** command on the host to check whether each origin server can be properly accessed. + + .. code-block:: + + curl http://xx.xx.xx.xx:yy -kvv + + *xx.xx.xx.xx* indicates the IP address of the origin server. *yy* indicates the port of the origin server. *xx.xx.xx.xx* and *yy* must belong to the same origin server. + + .. note:: + + - The host where the **curl** command can be run must meet the following requirements: + + - The network communication is normal. 
+ - The **curl** command has been installed. `curl `__ must be manually installed on the host running the Windows operating system. **curl** is installed along with other operating systems. + + - You can also enter **http://origin server address:origin server port** in the address bar of the browser to check whether the origin server can be properly accessed. + + If **connection refused** is displayed, the origin server is unreachable and website cannot be accessed. Perform the following operations: + + - Check whether the server is running properly. If it is not, restart the server. + - Add the WAF IP address ranges to the whitelist of the firewall (hardware or software), security protection software, and rate limiting module. + +- **Cause 3**: Origin server performance + + **Solution**: Contact your website owner to rectify the fault. + +504 Gateway Timeout +------------------- + +**Scenario**: After the configuration of connecting a domain name to WAF is complete, your website works properly. However, with the increasing traffic volume, the number of 504 errors also increases. If you directly access the IP address of the origin server, the 504 error code is returned sometimes. + +The possible causes are as follows: + +- **Cause 1**: Backend server performance issues (such as too many connections or high CPU usage) + + **Solution**: + + #. Optimize the server configuration, including TCP network parameters and ulimit parameters. + + #. To handle large-scale service increase, use method 1 or method 2 to perform the processing. + + **Method 1**: Add a backend server group to the ELB. + + **Method 2**: Create an ELB. Use the EIP of ELB as the IP address of the server to connect to WAF. + + a. Log in to the management console, click **Service List** in the upper part of the page, and choose **Security** > **Web Application Firewall (Dedicated)**. + b. In the navigation pane, choose **Website Settings**. + c. 
In the **Protected Website** column, click the domain name to go to the **Basic Information** page. + d. In the **Server Information** area, click |image2|. On the displayed page, click **Add**. + + #. If the **Client Protocol** is **HTTPS**, you can use HTTPS on the WAF side. However, it is recommended that **HTTP** (**Server Protocol**) to forward the requests to your web server, lowering the computational demands on backend servers. + +- **Cause 2**: The WAF back-to-source IP addresses are not whitelisted or your origin server port is not enabled. + + **Solution**: Whitelist the WAF back-to-source IP addresses in the corresponding ECS security groups. + +- **Cause 3**: The origin server has a firewall and the firewall blocks the WAF IP addresses. + + **Solution**: Whitelist the WAF back-to-source IP addresses in the corresponding ECS security groups or uninstall the firewall software except WAF. + +- **Cause 4**: Connection timeout and read timeout + + **Solution** + + - Database queries are slow. + + - Tune services to shorten the query duration and improve user experience. + - Modify the request interaction mode so that the persistent connection can have some data transmitted within 60 seconds, such as ACK packets, heartbeat packets, keep-alive packets, and other packets that can keep the session alive. + + - It takes a long time to upload large files. + + - Tune services to shorten the file upload time. + - An FTP server is recommended for file upload. + - Upload the file through an IP address or a domain name that is not protected by WAF. + - The default timeout period for a dedicated WAF instance to respond origin servers is 180s. + + - The origin server is faulty. + + Check whether the origin server works properly. + +- **Cause 5**: The bandwidth of the origin server exceeds the upper limit. + + **Solution**: Increase the bandwidth of the origin server. + +.. |image1| image:: /_static/images/en-us_image_0167644254.jpg +.. 
|image2| image:: /_static/images/en-us_image_0167644254.jpg diff --git a/umn/source/faqs/service_interruption_check/index.rst b/umn/source/faqs/service_interruption_check/index.rst new file mode 100644 index 0000000..7e43078 --- /dev/null +++ b/umn/source/faqs/service_interruption_check/index.rst @@ -0,0 +1,28 @@ +:original_name: waf_01_0127.html + +.. _waf_01_0127: + +Service Interruption Check +========================== + +- :ref:`How Do I Troubleshoot 404/502/504 Errors? ` +- :ref:`How Do I Handle False Alarms as WAF Blocks Normal Requests to My Website? ` +- :ref:`What Is the Connection Timeout Duration of WAF? Can I Manually Set the Timeout Duration? ` +- :ref:`Why Are HTTPS Requests Denied on Some Mobile Phones? ` +- :ref:`How Do I Fix an Incomplete Certificate Chain? ` +- :ref:`Why Does My Certificate Not Match the Key? ` +- :ref:`Why Am I Seeing Error Code 418? ` +- :ref:`How Can I Upload Files After the Website Is Connected to WAF? ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + how_do_i_troubleshoot_404_502_504_errors + how_do_i_handle_false_alarms_as_waf_blocks_normal_requests_to_my_website + what_is_the_connection_timeout_duration_of_waf_can_i_manually_set_the_timeout_duration + why_are_https_requests_denied_on_some_mobile_phones + how_do_i_fix_an_incomplete_certificate_chain + why_does_my_certificate_not_match_the_key + why_am_i_seeing_error_code_418 + how_can_i_upload_files_after_the_website_is_connected_to_waf diff --git a/umn/source/faqs/service_interruption_check/what_is_the_connection_timeout_duration_of_waf_can_i_manually_set_the_timeout_duration.rst b/umn/source/faqs/service_interruption_check/what_is_the_connection_timeout_duration_of_waf_can_i_manually_set_the_timeout_duration.rst new file mode 100644 index 0000000..38804b8 --- /dev/null +++ b/umn/source/faqs/service_interruption_check/what_is_the_connection_timeout_duration_of_waf_can_i_manually_set_the_timeout_duration.rst 
@@ -0,0 +1,15 @@ +:original_name: waf_01_0160.html + +.. _waf_01_0160: + +What Is the Connection Timeout Duration of WAF? Can I Manually Set the Timeout Duration? +======================================================================================== + +- The default timeout duration for connections between a browser and WAF is 120 seconds, which cannot be manually set. + +- The default timeout duration for connections between WAF and your origin server is 60 seconds. You can customize a timeout duration. + + On the **Basic Information** page, enable **Timeout Settings** and click |image1|. Then, specify **WAF-to-Server connection timeout (s)**, **Read timeout (s)**, and **Write timeout (s)** and click |image2| to save settings. + +.. |image1| image:: /_static/images/en-us_image_0000001238531606.png +.. |image2| image:: /_static/images/en-us_image_0000001238212390.png diff --git a/umn/source/faqs/service_interruption_check/why_am_i_seeing_error_code_418.rst b/umn/source/faqs/service_interruption_check/why_am_i_seeing_error_code_418.rst new file mode 100644 index 0000000..fe6ab5e --- /dev/null +++ b/umn/source/faqs/service_interruption_check/why_am_i_seeing_error_code_418.rst @@ -0,0 +1,11 @@ +:original_name: waf_01_0198.html + +.. _waf_01_0198: + +Why Am I Seeing Error Code 418? +=============================== + +If the request contains malicious load and is intercepted by WAF, error 418 is reported when you access the domain name protected by WAF. You can view WAF protection logs to view the cause. + +- If you confirm that the request is a normal service request, you can handle the false alarm to prevent the recurrence of the protection event. +- If you confirm that the protection event is not a false alarm, your website is attacked and the malicious request is blocked by WAF. 
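Review bot: In why_am_i_seeing_error_code_418.rst, the first bullet tells the reader to "handle the false alarm" without linking to the procedure, although this patch adds that page under the label waf_01_0038; add a :ref: to it. In the opening sentence "malicious load" should read "malicious payload", and "view WAF protection logs to view the cause" should name the **Events** page, which is the term the false-alarm page in this patch uses.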
diff --git a/umn/source/faqs/service_interruption_check/why_are_https_requests_denied_on_some_mobile_phones.rst b/umn/source/faqs/service_interruption_check/why_are_https_requests_denied_on_some_mobile_phones.rst new file mode 100644 index 0000000..1efdad9 --- /dev/null +++ b/umn/source/faqs/service_interruption_check/why_are_https_requests_denied_on_some_mobile_phones.rst @@ -0,0 +1,15 @@ +:original_name: waf_01_0093.html + +.. _waf_01_0093: + +Why Are HTTPS Requests Denied on Some Mobile Phones? +==================================================== + +If your visitors receive a page similar to the one in :ref:`Figure 1 ` when they try to access your website through a mobile phone, an incomplete certificate chain is uploaded when you connect the website to WAF. Rectify the fault by referring to :ref:`How Do I Fix an Incomplete Certificate Chain? ` + +.. _waf_01_0093__fig181295331076: + +.. figure:: /_static/images/en-us_image_0168547060.png + :alt: **Figure 1** Access failed + + **Figure 1** Access failed diff --git a/umn/source/faqs/service_interruption_check/why_does_my_certificate_not_match_the_key.rst b/umn/source/faqs/service_interruption_check/why_does_my_certificate_not_match_the_key.rst new file mode 100644 index 0000000..0b1a79e --- /dev/null +++ b/umn/source/faqs/service_interruption_check/why_does_my_certificate_not_match_the_key.rst 
@@ -0,0 +1,40 @@ +:original_name: waf_01_1082.html + +.. _waf_01_1082: + +Why Does My Certificate Not Match the Key? +========================================== + +After an HTTPS certificate is uploaded to the AAD or WAF console, a message is displayed indicating that the certificate and key do not match. + +Solution +-------- + ++-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Possible Cause | How to Fix | ++===================================================================+====================================================================================================================================================================================================================================================================================+ +| The uploaded certificate does not match the uploaded private key. | #. Run the following commands to check the MD5 hash values of the certificate and private key file: | +| | | +| | .. code-block:: | +| | | +| | openssl x509 -noout -modulus -in |openssl md5 | +| | openssl rsa -noout -modulus -in |openssl md5 | +| | | +| | #. Check whether the MD5 values of the certificate and private key file are the same. If they are different, the certificate file and private key file are associated with different domain names, and the content of the certificate does not match that of the private key file. | +| | | +| | #. If the certificate does not match the private key file, upload the correct certificate and private key file. 
| ++-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Incorrect RSA private key format | #. Run the following command to generate a new private key: | +| | | +| | .. code-block:: | +| | | +| | openssl rsa -in -out | +| | | +| | #. Upload the private key again. | ++-------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +Other Operations +---------------- + +- :ref:`How Do I Fix an Incomplete Certificate Chain? ` +- :ref:`Why Are HTTPS Requests Denied on Some Mobile Phones? ` diff --git a/umn/source/faqs/website_domain_name_access_configuration/certificate_management/how_do_i_convert_a_certificate_into_pem_format.rst b/umn/source/faqs/website_domain_name_access_configuration/certificate_management/how_do_i_convert_a_certificate_into_pem_format.rst new file mode 100644 index 0000000..e51b18a --- /dev/null +++ b/umn/source/faqs/website_domain_name_access_configuration/certificate_management/how_do_i_convert_a_certificate_into_pem_format.rst 
@@ -0,0 +1,45 @@ +:original_name: waf_01_0313.html + +.. _waf_01_0313: + +How Do I Convert a Certificate into PEM Format? +=============================================== + +Only .pem certificates can be used in WAF. If the certificate is not in .pem format, convert it into .pem locally by referring to :ref:`Table 1 ` before uploading it. + +.. _waf_01_0313__waf_01_0002_table1292125414516: + +.. table:: **Table 1** Certificate conversion commands + + +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------+ + | Format | Conversion Method | + +===================================+============================================================================================================================+ + | CER/CRT | Rename the **cert.crt** certificate file to **cert.pem**. | + +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------+ + | PFX | - Obtain a private key. For example, run the following command to convert **cert.pfx** into **key.pem**: | + | | | + | | **openssl pkcs12 -in cert.pfx -nocerts -out key.pem -nodes** | + | | | + | | - Obtain a certificate. For example, run the following command to convert **cert.pfx** into **cert.pem**: | + | | | + | | **openssl** **pkcs12** **-in** **cert.pfx** **-nokeys** **-out** **cert.pem** | + +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------+ + | P7B | #. Convert a certificate. For example, run the following command to convert **cert.p7b** into **cert.cer**: | + | | | + | | **openssl** **pkcs7** **-print_certs** **-in** **cert.p7b** **-out** **cert.cer** | + | | | + | | #. Rename certificate file **cert.cer** to **cert.pem**. 
| + +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------+ + | DER | - Obtain a private key. For example, run the following command to convert ****privatekey.der**** into **privatekey.pem**: | + | | | + | | **openssl** **rsa** **-inform** **DER** **-outform** **PEM** **-in** **privatekey.der** **-out** **privatekey.pem** | + | | | + | | - Obtain a certificate. For example, run the following command to convert **cert.cer** into **cert.pem**: | + | | | + | | **openssl** **x509** **-inform** **der** **-in** **cert.cer** **-out cert.pem** | + +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------+ + +.. note:: + + - Before running an OpenSSL command, ensure that the `OpenSSL `__ tool has been installed on the local host. + - If your local PC runs a Windows operating system, go to the command line interface (CLI) and then run the certificate conversion command. diff --git a/umn/source/faqs/website_domain_name_access_configuration/certificate_management/how_do_i_select_a_certificate_when_configuring_a_wildcard_domain_name.rst b/umn/source/faqs/website_domain_name_access_configuration/certificate_management/how_do_i_select_a_certificate_when_configuring_a_wildcard_domain_name.rst new file mode 100644 index 0000000..8028557 --- /dev/null +++ b/umn/source/faqs/website_domain_name_access_configuration/certificate_management/how_do_i_select_a_certificate_when_configuring_a_wildcard_domain_name.rst 
@@ -0,0 +1,8 @@ +:original_name: waf_01_0135.html + +.. _waf_01_0135: + +How Do I Select a Certificate When Configuring a Wildcard Domain Name? +====================================================================== + +Each domain name must correspond to a certificate. A wildcard domain name can only be used for a wildcard domain certificate. If you only have single-domain certificates, you need to add domain names one by one in WAF. diff --git a/umn/source/faqs/website_domain_name_access_configuration/certificate_management/index.rst b/umn/source/faqs/website_domain_name_access_configuration/certificate_management/index.rst new file mode 100644 index 0000000..ece28b8 --- /dev/null +++ b/umn/source/faqs/website_domain_name_access_configuration/certificate_management/index.rst @@ -0,0 +1,16 @@ +:original_name: waf_01_0301.html + +.. _waf_01_0301: + +Certificate Management +====================== + +- :ref:`How Do I Select a Certificate When Configuring a Wildcard Domain Name? ` +- :ref:`How Do I Convert a Certificate into PEM Format? ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + how_do_i_select_a_certificate_when_configuring_a_wildcard_domain_name + how_do_i_convert_a_certificate_into_pem_format diff --git a/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/does_waf_support_wildcard_domain_names.rst b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/does_waf_support_wildcard_domain_names.rst new file mode 100644 index 0000000..329900e --- /dev/null +++ b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/does_waf_support_wildcard_domain_names.rst 
@@ -0,0 +1,19 @@ +:original_name: waf_01_0190.html + +.. _waf_01_0190: + +Does WAF Support Wildcard Domain Names? +======================================= + +Yes. When adding a domain name to WAF, you can configure a single domain name or a wildcard domain name based on your service requirements. The details are as follows: + +- Single domain name + + Configure a single domain name to be protected. For example, www.example.com + +- Wildcard domain name + + You can configure a wildcard domain name to let WAF protect multi-level domain names under the wildcard domain name. + + - If the server IP address of each subdomain name is the same, enter a wildcard domain name to be protected. For example, if the subdomain names **a.example.com**, **b.example.com**, and **c.example.com** have the same server IP address, you can directly add the wildcard domain name **\*.example.com** to WAF for protection. + - If each subdomain name points to different server IP addresses, add subdomain names as single domain names one by one. diff --git a/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/how_do_i_add_a_domain_name_ip_address_to_waf.rst b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/how_do_i_add_a_domain_name_ip_address_to_waf.rst new file mode 100644 index 0000000..de644ff --- /dev/null +++ b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/how_do_i_add_a_domain_name_ip_address_to_waf.rst 
@@ -0,0 +1,8 @@ +:original_name: waf_01_0176.html + +.. _waf_01_0176: + +How Do I Add a Domain Name/IP Address to WAF? +============================================= + +After you connect a domain name or IP address of the website you want to protect to WAF, WAF works as a reverse proxy between the client and the server. The real IP address of the server is hidden and only the IP address of WAF is visible to web visitors. For details, see :ref:`Step 1: Add a Website to WAF `. diff --git a/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/how_do_i_configure_domain_names_to_be_protected_when_adding_domain_names.rst b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/how_do_i_configure_domain_names_to_be_protected_when_adding_domain_names.rst new file mode 100644 index 0000000..e6ae38d --- /dev/null +++ b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/how_do_i_configure_domain_names_to_be_protected_when_adding_domain_names.rst 
@@ -0,0 +1,46 @@ +:original_name: waf_01_0105.html + +.. _waf_01_0105: + +How Do I Configure Domain Names to Be Protected When Adding Domain Names? +========================================================================= + +Before using WAF, you need to add domain names to be protected to WAF based on your web service protection requirements. WAF supports addition of single domain names and wildcard domain names. This section describes how to configure domain names to be protected. + +Basic Concepts +-------------- + +- Wildcard domain name + + A wildcard domain name is a domain name that contains the wildcard **\*** and starts with **\*.**. + + For example, **\*.example.com** is a correct wildcard domain name, but **\*.*.example.com** is not. + + .. note:: + + A wildcard domain name counts as one domain name. + +- Single domain name + + A single domain name is also called a common domain name and is a specific domain name (a non-wildcard domain name). + + For example, **www.example.com** or **example.com** is a single domain name. + + .. note:: + + For example, **www.example.com** counts as a domain name and so does **a.www.example.com**. + +Selecting a Domain Name Type +---------------------------- + +WAF supports single domain names and wildcard domain names. + +The domain name purchased from the DNS service provider is a single domain name (example.com). The domain name added to WAF can be example.com, a subdomain name (for example, a.xample.com), or wildcard domain name (``*``.example.com). You can select a domain name type based on the following scenarios: + +- If services of a domain name to be protected are the same, enter a single domain name. For example, if all the services of www.example.com to be protected are services on port 8080, set **Domain Name** to a single domain name **www.example.com**. +- If the server IP address of each subdomain name is the same, enter a wildcard domain name to be protected. 
For example, if the server IP addresses corresponding to a.example.com, b.example.com, and c.example.com are the same, **Domain Name** can be set to a wildcard domain name **\*.example.com**. +- If the server IP addresses of subdomain names are different, add subdomain names as single domain names one by one. + +.. note:: + + You are advised to set the added domain name to be protected to be the same as the domain name that is set at the DNS provider. diff --git a/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/how_do_i_safely_delete_a_protected_domain_name.rst b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/how_do_i_safely_delete_a_protected_domain_name.rst new file mode 100644 index 0000000..cf583e2 --- /dev/null +++ b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/how_do_i_safely_delete_a_protected_domain_name.rst 
@@ -0,0 +1,38 @@ +:original_name: waf_01_0041.html + +.. _waf_01_0041: + +How Do I Safely Delete a Protected Domain Name? +=============================================== + +The deletion operation cannot be cancelled. Exercise caution when performing this operation. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane, choose **Website Settings**. + +#. In the row containing the website domain name you want to delete, click **Delete** in the **Operation** column. + +#. In the displayed confirmation dialog box, confirm the deletion. + + If you want to retain the policy applied to the domain name, select **Retain the policy of this domain name**. + + + .. figure:: /_static/images/en-us_image_0000001285577484.png + :alt: **Figure 1** Deleting a protected domain name from WAF + + **Figure 1** Deleting a protected domain name from WAF + +#. Click **OK**. + + If **Domain name deleted successfully** is displayed in the upper right corner, the domain name of the website was deleted. + +.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image2| image:: /_static/images/en-us_image_0000001340304197.png diff --git a/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/index.rst b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/index.rst new file mode 100644 index 0000000..c4c22be --- /dev/null +++ b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/index.rst 
@@ -0,0 +1,24 @@ +:original_name: waf_01_0299.html + +.. _waf_01_0299: + +Domain Name and Port Configuration +================================== + +- :ref:`How Do I Add a Domain Name/IP Address to WAF? ` +- :ref:`How Do I Configure Domain Names to Be Protected When Adding Domain Names? ` +- :ref:`What Data Is Required for Connecting a Domain Name/IP Address to WAF? ` +- :ref:`How Do I Safely Delete a Protected Domain Name? ` +- :ref:`What Are the Precautions for Configuring Multiple Server Addresses for Backend Servers? ` +- :ref:`Does WAF Support Wildcard Domain Names? ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + how_do_i_add_a_domain_name_ip_address_to_waf + how_do_i_configure_domain_names_to_be_protected_when_adding_domain_names + what_data_is_required_for_connecting_a_domain_name_ip_address_to_waf + how_do_i_safely_delete_a_protected_domain_name + what_are_the_precautions_for_configuring_multiple_server_addresses_for_backend_servers + does_waf_support_wildcard_domain_names diff --git a/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/what_are_the_precautions_for_configuring_multiple_server_addresses_for_backend_servers.rst b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/what_are_the_precautions_for_configuring_multiple_server_addresses_for_backend_servers.rst new file mode 100644 index 0000000..f711553 --- /dev/null +++ b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/what_are_the_precautions_for_configuring_multiple_server_addresses_for_backend_servers.rst 
@@ -0,0 +1,18 @@ +:original_name: waf_01_0104.html + +.. _waf_01_0104: + +What Are the Precautions for Configuring Multiple Server Addresses for Backend Servers? +======================================================================================= + +- When configuring multiple server addresses for the same domain name, pay attention to the following: + + - For domain names mapping to non-standard ports + + The client protocol, server protocol, and server for each piece of server configuration must be the same. + + - For domain names mapping to standard ports + + The client protocol, server protocol, and server for each piece of server configuration can be different. + +- When a domain name is added, WAF supports addition of multiple server IP addresses. WAF routes legitimate requests back to origin servers in polling mode, reducing the pressure on the servers and protecting the origin servers. For example, two backend server IP addresses (IP-A and IP-B) are added. When there are 10 requests for accessing the domain name, five requests are forwarded by WAF to the server identified by IP-A, and the other five requests are forwarded by WAF to the server identified by IP-B. diff --git a/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/what_data_is_required_for_connecting_a_domain_name_ip_address_to_waf.rst b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/what_data_is_required_for_connecting_a_domain_name_ip_address_to_waf.rst new file mode 100644 index 0000000..9cd2160 --- /dev/null +++ b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/what_data_is_required_for_connecting_a_domain_name_ip_address_to_waf.rst 
@@ -0,0 +1,21 @@ +:original_name: waf_01_0157.html + +.. _waf_01_0157: + +What Data Is Required for Connecting a Domain Name/IP Address to WAF? +===================================================================== + +Prepare information required for connecting a domain name or IP address to WAF based on the mode of WAF instance you plan to buy. + +The following data is required: + +- Domain name/IP address +- Port: the service port corresponding to the domain name to be protected. WAF supports non-standard ports. +- Server information + + - **Client Protocol**: protocol used by a client to access a server. + - **Server Protocol**: protocol over which WAF forwards client requests to the server. + - **Server Address:** IP address or domain name of the web server for client-side access. + - **Server Port**: service port over which the WAF instance forwards client requests to the origin server. + +- Certificate: If HTTPS is set for **Client Protocol**, associate the certificate to WAF. diff --git a/umn/source/faqs/website_domain_name_access_configuration/index.rst b/umn/source/faqs/website_domain_name_access_configuration/index.rst new file mode 100644 index 0000000..140de74 --- /dev/null +++ b/umn/source/faqs/website_domain_name_access_configuration/index.rst @@ -0,0 +1,16 @@ +:original_name: waf_01_0124.html + +.. _waf_01_0124: + +Website Domain Name Access Configuration +======================================== + +- :ref:`Domain Name and Port Configuration ` +- :ref:`Certificate Management ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + domain_name_and_port_configuration/index + certificate_management/index diff --git a/umn/source/index.rst b/umn/source/index.rst index 076a8ca..d75e611 100644 --- a/umn/source/index.rst +++ b/umn/source/index.rst 
@@ -2,3 +2,22 @@ Dedicated Web Application Firewall - User Guide =============================================== +.. toctree:: + :maxdepth: 1 + + service_overview/index + overview + applying_for_a_dedicated_waf_instance + enabling_waf_protection/index + website_domain_name_management/index + certificate_management/index + rule_configuration/index + dashboard + event_management/index + policy_management/index + dedicated_waf_engine_management + viewing_product_details + permissions_management/index + monitored_metrics + faqs/index + change_history diff --git a/umn/source/monitored_metrics.rst b/umn/source/monitored_metrics.rst new file mode 100644 index 0000000..a02edb8 --- /dev/null +++ b/umn/source/monitored_metrics.rst 
@@ -0,0 +1,171 @@ +:original_name: waf_01_1372.html + +.. _waf_01_1372: + +Monitored Metrics +================= + +Introduction +------------ + +This topic describes metrics reported by dedicated WAF to Cloud Eye as well as their namespaces and dimensions. You can use APIs provided by Cloud Eye to query the metrics of the monitored object and alarms generated for dedicated WAF. You can also query them on the Cloud Eye console. + +namespaces +---------- + +SYS.WAF + +.. note:: + + A namespace is an abstract collection of resources and objects. Multiple namespaces can be created in a single cluster with the data isolated from each other. This enables namespaces to share the same cluster services without affecting each other. + +Metrics for Dedicated WAF Instances +----------------------------------- + +.. table:: **Table 1** Metrics for dedicated waf instances + + +-------------------------------+-----------------------------+------------------------------------------------------------------------------+-------------------+-------------------------+--------------------------------+ + | Metric ID | Metric Name | Description | Value Range | Monitored Object | Monitoring Interval (Raw Data) | + +===============================+=============================+==============================================================================+===================+=========================+================================+ + | cpu_util | CPU Usage | CPU usage of the monitored object | 0% to 100% | Dedicated WAF instances | 1 minute | + | | | | | | | + | | | Unit: percentage (%) | Value type: Float | | | + | | | | | | | + | | | Collection method: 100% minus idle CPU usage percentage | | | | + +-------------------------------+-----------------------------+------------------------------------------------------------------------------+-------------------+-------------------------+--------------------------------+ + | mem_util | Memory Usage | Memory usage of the monitored object | 0% 
to 100% | Dedicated WAF instances | 1 minute | + | | | | | | | + | | | Unit: percentage (%) | Value type: Float | | | + | | | | | | | + | | | Collection method: 100% minus idle memory percentage | | | | + +-------------------------------+-----------------------------+------------------------------------------------------------------------------+-------------------+-------------------------+--------------------------------+ + | disk_util | Disk Usage | Disk usage of the monitored object | 0% to 100% | Dedicated WAF instances | 1 minute | + | | | | | | | + | | | Unit: percentage (%) | Value type: Float | | | + | | | | | | | + | | | Collection method: 100% minus idle disk space percentage | | | | + +-------------------------------+-----------------------------+------------------------------------------------------------------------------+-------------------+-------------------------+--------------------------------+ + | disk_avail_size | Available Disk Space | Available disk space of the monitored object | >= 0 bytes | Dedicated WAF instances | 1 minute | + | | | | | | | + | | | Unit: byte, KB, MB, GB, TB or PB | Value type: Float | | | + | | | | | | | + | | | Collection mode: size of free disk space | | | | + +-------------------------------+-----------------------------+------------------------------------------------------------------------------+-------------------+-------------------------+--------------------------------+ + | disk_read_bytes_rate | Disk Read Rate | Number of bytes the monitored object reads from the disk per second | >=0 byte/s | Dedicated WAF instances | 1 minute | + | | | | | | | + | | | Unit: byte/s, KB/s, MB/s, or GB/s | Value type: Float | | | + | | | | | | | + | | | Collection mode: number of bytes read from the disk per second | | | | + 
+-------------------------------+-----------------------------+------------------------------------------------------------------------------+-------------------+-------------------------+--------------------------------+ + | disk_write_bytes_rate | Disk Write Rate | Number of bytes the monitored object writes into the disk per second | >=0 byte/s | Dedicated WAF instances | 1 minute | + | | | | | | | + | | | Unit: byte/s, KB/s, MB/s, or GB/s | Value type: Float | | | + | | | | | | | + | | | Collection mode: number of bytes written into the disk per second | | | | + +-------------------------------+-----------------------------+------------------------------------------------------------------------------+-------------------+-------------------------+--------------------------------+ + | disk_read_requests_rate | Disk Read Requests | Number of requests the monitored object reads from the disk per second | >=0 request/s | Dedicated WAF instances | 1 minute | + | | | | | | | + | | | Unit: Requests/s | Value type: Float | | | + | | | | | | | + | | | Collection mode: number of read requests processed by the disk per second | | | | + +-------------------------------+-----------------------------+------------------------------------------------------------------------------+-------------------+-------------------------+--------------------------------+ + | disk_write_requests_rate | Disk Write Requests | Number of requests the monitored object writes into the disk per second | >=0 request/s | Dedicated WAF instances | 1 minute | + | | | | | | | + | | | Unit: Requests/s | Value type: Float | | | + | | | | | | | + | | | Collection method: Number of write requests processed by the disk per second | | | | + +-------------------------------+-----------------------------+------------------------------------------------------------------------------+-------------------+-------------------------+--------------------------------+ + | network_incoming_bytes_rate | Incoming Traffic 
| Incoming traffic per second on the monitored object | >=0 byte/s | Dedicated WAF instances | 1 minute | + | | | | | | | + | | | Unit: | Value type: Float | | | + | | | | | | | + | | | byte/s, KB/s, MB/s, or GB/s | | | | + | | | | | | | + | | | Collection method: Incoming traffic over the NIC per second | | | | + +-------------------------------+-----------------------------+------------------------------------------------------------------------------+-------------------+-------------------------+--------------------------------+ + | network_outgoing_bytes_rate | Outgoing Traffic | Outgoing traffic per second on the monitored object | >=0 byte/s | Dedicated WAF instances | 1 minute | + | | | | | | | + | | | Unit: | Value type: Float | | | + | | | | | | | + | | | byte/s, KB/s, MB/s, or GB/s | | | | + | | | | | | | + | | | Collection method: Outgoing traffic over the NIC per second | | | | + +-------------------------------+-----------------------------+------------------------------------------------------------------------------+-------------------+-------------------------+--------------------------------+ + | network_incoming_packets_rate | Incoming Packet Rate | Incoming packets per second on the monitored object | >=0 packet/s | Dedicated WAF instances | 1 minute | + | | | | | | | + | | | Unit: | Value type: Int | | | + | | | | | | | + | | | packet/s | | | | + | | | | | | | + | | | Collection method: Incoming packets over the NIC per second | | | | + +-------------------------------+-----------------------------+------------------------------------------------------------------------------+-------------------+-------------------------+--------------------------------+ + | network_outgoing_packets_rate | Outgoing Packet Rate | Outgoing packets per second on the monitored object | >=0 packet/s | Dedicated WAF instances | 1 minute | + | | | | | | | + | | | Unit: | Value type: Int | | | + | | | | | | | + | | | packet/s | | | | + | | | | | | | + | | | Collection 
method: Outgoing packets over the NIC per second | | | | + +-------------------------------+-----------------------------+------------------------------------------------------------------------------+-------------------+-------------------------+--------------------------------+ + | concurrent_connections | Concurrent Connections | Number of concurrent connections being processed | >=0 count | Dedicated WAF instances | 1 minute | + | | | | | | | + | | | Unit: count | Value type: Int | | | + | | | | | | | + | | | Collection method: Number of concurrent connections in the system | | | | + +-------------------------------+-----------------------------+------------------------------------------------------------------------------+-------------------+-------------------------+--------------------------------+ + | active_connections | Active Connections | Number of active connections | >=0 count | Dedicated WAF instances | 1 minute | + | | | | | | | + | | | Unit: count | Value type: Int | | | + | | | | | | | + | | | Collection method: Number of active connections in the system | | | | + +-------------------------------+-----------------------------+------------------------------------------------------------------------------+-------------------+-------------------------+--------------------------------+ + | latest_policy_sync_time | Latest Rule Synchronization | Time elapsed for the WAF to synchronize the latest custom rules | >=0 ms | Dedicated WAF instances | 1 minute | + | | | | | | | + | | | Unit: ms | Value type: Int | | | + | | | | | | | + | | | Collection method: Time elapsed for synchronizing to the last policies | | | | + +-------------------------------+-----------------------------+------------------------------------------------------------------------------+-------------------+-------------------------+--------------------------------+ + +Dimensions +---------- + +=============== ==================================== +Key Value +=============== 
==================================== +instance_id ID of the dedicated WAF instance +waf_instance_id ID of the website protected with WAF +=============== ==================================== + +Example of Raw Data Format of Monitored Metrics +----------------------------------------------- + +.. code-block:: + + [ + { + "metric": { + // Namespace + "namespace": "SYS.WAF", + "dimensions": [ + { + // Dimension name, for example, protected website + "name": "waf_instance_id", + // ID of the monitored object in this dimension, for example, ID of the protected website + "value": "082db2f542e0438aa520035b3e99cd99" + } + ], + //Metric ID + "metric_name": "waf_http_2xx" + }, + // Time to live, which is predefined for the metric + "ttl": 172800, + // Metric value + "value": 0.0, + // Metric unit + "unit": "Count", + // Metric value type + "type": "float", + // Collection time for the metric + "collect_time": 1637677359778 + } + ] diff --git a/umn/source/overview.rst b/umn/source/overview.rst new file mode 100644 index 0000000..75dfb7e --- /dev/null +++ b/umn/source/overview.rst 
@@ -0,0 +1,120 @@ +:original_name: waf_01_0071.html + +.. _waf_01_0071: + +Overview +======== + +Website Service Review +---------------------- + +Sort out all website services you want to protect with WAF. This helps you learn about your workloads and specific data of your workloads so that you can choose and configure appropriate protection policies. + +.. table:: **Table 1** Website services + + +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Item | Description | + +=============================================================================================================+=================================================================================================================================================================================================================================+ + | **Website and Service Information** | | + +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Daily peak traffic of website/web application services, including the bandwidth (in Mbit/s) and QPS | Use it as the basis for selecting the service bandwidth and QPS specifications. | + | | | + | | .. note:: | + | | | + | | If your website traffic peak exceeds the maximum QPS specifications you are using, WAF will stop checking the traffic and directly forward it to the origin server. There is no protection for your website or applications. 
| + +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Major user group (for example, major locations where the requests originate from) | Determine the attack source and then set geolocation access control rules to block users from these locations. | + +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Whether the service uses a C/S architecture | If yes, check whether there is an app client, Windows client, Linux client, code callback, or any other client. | + +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Location where the origin server is deployed | Decide which region you want to buy the instance. 
| + +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Operating system (Linux or Windows) and web service middleware (Apache, Nginx, or IIS) of the origin server | Check whether access control is enabled for the origin server. If yes, whitelist WAF IP addresses. | + +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Domain protocol | Check whether WAF supports the communication protocol used by your site. | + | | | + | | .. note:: | + | | | + | | WAF can protect your website only when **Client Protocol** and **Server Protocol** are configured based on the real situation of your website. | + | | | + | | - **Client Protocol**: the protocol used by a client (for example, a browser) to access your website. You can select **HTTP** or **HTTPS**. | + | | - **Server Protocol**: the protocol used by WAF to forward requests from the client (such as a browser) to the origin server. You can select **HTTP** or **HTTPS**. | + +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Service port | Check whether your service ports are within the port range supported by WAF. 
| + | | | + | | - Standard ports | + | | | + | | - 80: default port when the client protocol is HTTP | + | | - 443: default port when the client protocol is HTTPS | + | | | + | | - Non-standard ports | + | | | + | | Ports other than ports 80 and 443 For Non-standard ports supported by WAF, see :ref:`Non-Standard Ports `. | + +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Whether TLSv1.0 or weak encryption suite is supported | Check whether WAF supports the encryption suite used by your site. | + +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Whether advanced anti-DDoS, CDN, or other proxy services are deployed in front of WAF. | Check whether a proxy is used and whether domain name is resolved to a correct address. | + +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Whether the client supports Server Name Indication (for HTTPS services) | If your domain name supports HTTPS, the client and server must support Server Name Indication (SNI). 
| + +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Service interaction | Understand the service interaction process and service processing logic to facilitate subsequent configuration of protection policies. | + +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Active users | Determine the severity of an attack event to take a low-risk measure to respond it. | + +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | **Services and Attacks** | | + +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Service types and features (such as games, cards, websites, or apps) | Help analyze the attack signatures. 
| + +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Inbound traffic range and connection status of a single user or a single IP address | Help determine whether a rate limiting policy can be configured per IP address. | + +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | User group attribute | For example, individual users, Internet cafe users, or proxy users | + +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Whether your website experienced large-volumetric attacks, the attack type, and maximum peak traffic | Determine whether a DDoS protection service is required and determine the DDoS protection specifications based on the peak attack traffic. 
| + +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Whether your website experienced CC attacks and the maximum peak QPS in a CC attack | Configure the protection policies based on attack signatures. | + +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Whether the pressure test has been performed | Evaluate the request processing performance of the origin server to determine whether service anomaly occurs due to attacks. | + +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +How to Use WAF +-------------- + +:ref:`Table 2 ` describes the procedure to use WAF. + +.. _waf_01_0071__table186068221358: + +.. 
table:: **Table 2** Procedure to use WAF + + +--------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Step | Description | + +======================================+==================================================================================================================================================================================================+ + | Applying for dedicated WAF instances | Apply for a dedicated WAF instance. | + | | | + | | For details, see :ref:`Applying for a Dedicated WAF Instance `. | + +--------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Adding a website to WAF | Add the website you want to protect to WAF. | + | | | + | | For details, see :ref:`Step 1: Add a Website to WAF `. | + +--------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Enabling WAF protection | Enable WAF protection to protect added website. | + | | | + | | .. note:: | + | | | + | | - Using WAF does not affect your web server performance because the WAF engine is not running on your web server. | + | | - After your domain name is connected to WAF, there will be a latency of tens of milliseconds, which might be raised based on the size of the requested page or number of incoming requests. 
| + +--------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Configuring protection rules | Use WAF built-in protection rules and configure custom rules to protect your website. For more details, see :ref:`Rule Configuration `. | + +--------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Handling false alarms | Mask blocked or logged events which are handled as false alarms. For more details, see :ref:`Handling False Alarms `. | + +--------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Viewing **Dashboard** | View protection data of yesterday, today, last 3 days, last 7 days, or last 30 days. For more details, see :ref:`Dashboard `. | + +--------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +For details about how to connect your website to WAF, see :ref:`Figure 1 `. + +.. _waf_01_0071__fig1654619194251: + +.. figure:: /_static/images/en-us_image_0274310129.png + :alt: **Figure 1** Flowchart of connecting a website to WAF + + **Figure 1** Flowchart of connecting a website to WAF diff --git a/umn/source/permissions_management/index.rst b/umn/source/permissions_management/index.rst new file mode 100644 index 0000000..5e224e2 --- /dev/null +++ b/umn/source/permissions_management/index.rst 
@@ -0,0 +1,16 @@ +:original_name: waf_01_0096.html + +.. _waf_01_0096: + +Permissions Management +====================== + +- :ref:`WAF Custom Policies ` +- :ref:`WAF Permissions and Supported Actions ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + waf_custom_policies + waf_permissions_and_supported_actions diff --git a/umn/source/permissions_management/waf_custom_policies.rst b/umn/source/permissions_management/waf_custom_policies.rst new file mode 100644 index 0000000..864fcaf --- /dev/null +++ b/umn/source/permissions_management/waf_custom_policies.rst 
@@ -0,0 +1,74 @@ +:original_name: waf_01_0243.html + +.. _waf_01_0243: + +WAF Custom Policies +=================== + +Custom policies can be created to supplement the system-defined policies of WAF. + +Example Custom Policies +----------------------- + +- Example 1: Allowing users to query the protected domain list + + .. code-block:: + + { + "Version": "1.1", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "waf:instance:list" + ] + } + ] + } + +- Example 2: Denying the user request of deleting web tamper protection rules + + A deny policy must be used together with other policies. If the permissions assigned to a user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions. + + The following method can be used if you need to assign permissions of the **WAF FullAccess** policy to a user but also forbid the user from deleting web tamper protection rules (**waf:antiTamperRule:delete**). Create a custom policy with the action to delete web tamper protection rules, set its **Effect** to **Deny**, and assign both this policy and the **WAF FullAccess** policy to the group the user belongs to. Then the user can perform all operations on WAF except deleting web tamper protection rules. The following is a policy for denying web tamper protection rule deletion. + + .. code-block:: + + { + "Version": "1.1", + "Statement": [ + { + "Effect": "Deny", + "Action": [ + "waf:antiTamperRule:delete" + ] + }, + ] + } + +- Multi-action policy + + A custom policy can contain the actions of multiple services that are of the project-level type. The following is an example policy containing actions of multiple services: + + .. code-block:: + + { + "Version": "1.1", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "waf:instance:get", + "waf:certificate:get" + ] + }, + { + "Effect": "Allow", + "Action": [ + "hss:hosts:switchVersion", + "hss:hosts:manualDetect", + "hss:manualDetectStatus:get" + ] + } + ] + } 
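Review bot: In Example 2 of waf_custom_policies.rst, the deny policy has a trailing comma after its only Statement object (`},` directly before the closing `]`), so the snippet is not valid JSON and a strict parser will reject it when a reader pastes it into a policy editor. Drop the comma so the block has the same shape as Example 1 and the multi-action example. Two smaller points in the same hunk: the third bullet is titled "Multi-action policy" while the first two are "Example 1:" and "Example 2:", and the three `.. code-block::` directives name no language, so tagging them `json` would at least get the snippets highlighted consistently.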
diff --git a/umn/source/permissions_management/waf_permissions_and_supported_actions.rst b/umn/source/permissions_management/waf_permissions_and_supported_actions.rst new file mode 100644 index 0000000..89cdfbc --- /dev/null +++ b/umn/source/permissions_management/waf_permissions_and_supported_actions.rst 
@@ -0,0 +1,140 @@ +:original_name: waf_01_0244.html + +.. _waf_01_0244: + +WAF Permissions and Supported Actions +===================================== + +This topic describes fine-grained permissions management for your WAF instances. If your account does not need individual IAM users, then you may skip over this topic. + +By default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups, and assign permissions policies to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services based on the permissions. + +You can grant users permissions by using roles and policies. Roles are provided by IAM to define service-based permissions depending on user's job responsibilities. Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. + +Supported Actions +----------------- + +WAF provides system-defined policies that can be directly used in IAM. You can also create custom policies and use them to supplement system-defined policies, implementing more refined access control. + +- Permission: A statement in a policy that allows or denies certain operations. +- Action: Specific operations that are allowed or denied. 
+ ++----------------------------------------------------+----------------------------------+ +| Permission | Action | ++====================================================+==================================+ +| Querying an information leakage prevention rule | waf:antiLeakageRule:get | ++----------------------------------------------------+----------------------------------+ +| Querying a web tamper protection rule | waf:antiTamperRule:get | ++----------------------------------------------------+----------------------------------+ +| Querying a CC attack protection rule | waf:ccRule:get | ++----------------------------------------------------+----------------------------------+ +| Querying a precise protection rule | waf:preciseProtectionRule:get | ++----------------------------------------------------+----------------------------------+ +| Querying a false alarm masking rule | waf:falseAlarmMaskRule:get | ++----------------------------------------------------+----------------------------------+ +| Querying a data masking rule | waf:privacyRule:get | ++----------------------------------------------------+----------------------------------+ +| Querying a blacklist or whitelist rule | waf:whiteBlackIpRule:get | ++----------------------------------------------------+----------------------------------+ +| Querying a geolocation access control rule | waf:geoIpRule:get | ++----------------------------------------------------+----------------------------------+ +| Querying a certificate | waf:certificate:get | ++----------------------------------------------------+----------------------------------+ +| Modifying WAF certificates | waf:certificate:put | ++----------------------------------------------------+----------------------------------+ +| Querying a protection event | waf:event:get | ++----------------------------------------------------+----------------------------------+ +| Querying a protected domain | waf:instance:get | 
++----------------------------------------------------+----------------------------------+ +| Querying a protection policy | waf:policy:get | ++----------------------------------------------------+----------------------------------+ +| Querying quota package information | waf:bundle:get | ++----------------------------------------------------+----------------------------------+ +| Querying the protection event download link | waf:dumpEventLink:get | ++----------------------------------------------------+----------------------------------+ +| Querying configurations | waf:consoleConfig:get | ++----------------------------------------------------+----------------------------------+ +| Querying the back-to-source IP address segment | waf:sourceIp:get | ++----------------------------------------------------+----------------------------------+ +| Updating an information leakage prevention rule | waf:antiLeakageRule:put | ++----------------------------------------------------+----------------------------------+ +| Updating a web tamper protection rule | waf:antiTamperRule:put | ++----------------------------------------------------+----------------------------------+ +| Updating a CC attack protection rule | waf:ccRuleRule:put | ++----------------------------------------------------+----------------------------------+ +| Updating a precise protection rule | waf:preciseProtectionRule:put | ++----------------------------------------------------+----------------------------------+ +| Updating a false alarm masking rule | waf:falseAlarmMaskRule:put | ++----------------------------------------------------+----------------------------------+ +| Updating a data masking rule | waf:privacyRule:put | ++----------------------------------------------------+----------------------------------+ +| Updating an IP address blacklist or whitelist rule | waf:whiteBlackIpRule:put | ++----------------------------------------------------+----------------------------------+ +| Updating a 
geolocation access control rule | waf:geoIpRule:put | ++----------------------------------------------------+----------------------------------+ +| Updating a protected domain | waf:instance:put | ++----------------------------------------------------+----------------------------------+ +| Updating a protection policy | waf:policy:put | ++----------------------------------------------------+----------------------------------+ +| Deleting an information leakage prevention rule | waf:antiLeakageRule:delete | ++----------------------------------------------------+----------------------------------+ +| Deleting a web tamper protection rule | waf:antiTamperRule:delete | ++----------------------------------------------------+----------------------------------+ +| Deleting a CC attack protection rule | waf:ccRule:delete | ++----------------------------------------------------+----------------------------------+ +| Configuring a precise protection rule | waf:preciseProtectionRule:delete | ++----------------------------------------------------+----------------------------------+ +| Deleting a false alarm masking rule | waf:falseAlarmMaskRule:delete | ++----------------------------------------------------+----------------------------------+ +| Deleting a data masking rule | waf:privacyRule:delete | ++----------------------------------------------------+----------------------------------+ +| Deleting a blacklist or whitelist rule | waf:whiteBlackIpRule:delete | ++----------------------------------------------------+----------------------------------+ +| Deleting a geolocation access control rule | waf:geoIpRule:delete | ++----------------------------------------------------+----------------------------------+ +| Deleting a protected domain | waf:instance:delete | ++----------------------------------------------------+----------------------------------+ +| Deleting a protection policy | waf:policy:delete | 
++----------------------------------------------------+----------------------------------+ +| Adding an information leakage prevention rule | waf:antiLeakageRule:create | ++----------------------------------------------------+----------------------------------+ +| Adding a web tamper protection rule | waf:antiTamperRule:create | ++----------------------------------------------------+----------------------------------+ +| Adding a CC attack protection rules | waf:ccRule:create | ++----------------------------------------------------+----------------------------------+ +| Adding a precise protection rule | waf:preciseProtectionRule:create | ++----------------------------------------------------+----------------------------------+ +| Creating a false alarm masking rule | waf:falseAlarmMaskRule:create | ++----------------------------------------------------+----------------------------------+ +| Adding a data masking rule | waf:privacyRule:create | ++----------------------------------------------------+----------------------------------+ +| Adding a blacklist or whitelist rule | waf:whiteBlackIpRule:create | ++----------------------------------------------------+----------------------------------+ +| Adding a geolocation access control rule | waf:geoIpRule:create | ++----------------------------------------------------+----------------------------------+ +| Adding a certificate | waf:certificate:create | ++----------------------------------------------------+----------------------------------+ +| Adding a domain | waf:instance:create | ++----------------------------------------------------+----------------------------------+ +| Adding a policy | waf:policy:create | ++----------------------------------------------------+----------------------------------+ +| Querying information leakage prevention rules | waf:antiLeakageRule:list | ++----------------------------------------------------+----------------------------------+ +| Querying web tamper protection rules | 
waf:antiTamperRule:list | ++----------------------------------------------------+----------------------------------+ +| Querying CC attack protection rules | waf:ccRuleRule:list | ++----------------------------------------------------+----------------------------------+ +| Querying precise protection rules | waf:preciseProtectionRule:list | ++----------------------------------------------------+----------------------------------+ +| Querying the false alarm masking rule list | waf:falseAlarmMaskRule:list | ++----------------------------------------------------+----------------------------------+ +| Querying data masking rules | waf:privacyRule:list | ++----------------------------------------------------+----------------------------------+ +| Querying blacklist and whitelist rules | waf:whiteBlackIpRule:list | ++----------------------------------------------------+----------------------------------+ +| Querying geolocation access control rules | waf:geoIpRule:list | ++----------------------------------------------------+----------------------------------+ +| Querying the protection domains | waf:instance:list | ++----------------------------------------------------+----------------------------------+ +| Querying protection policies | waf:policy:list | ++----------------------------------------------------+----------------------------------+ diff --git a/umn/source/policy_management/adding_a_policy.rst b/umn/source/policy_management/adding_a_policy.rst new file mode 100644 index 0000000..119ffbc --- /dev/null +++ b/umn/source/policy_management/adding_a_policy.rst 
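Review bot: In the Supported Actions table of waf_permissions_and_supported_actions.rst, the CC attack protection rows use two different resource names: `waf:ccRuleRule:put` and `waf:ccRuleRule:list` against `waf:ccRule:get`, `waf:ccRule:delete` and `waf:ccRule:create`. Every other rule type in the table keeps one resource name across get, put, delete, create and list, so one of the two spellings looks like a typo. Please confirm the identifiers against the service and make the rows consistent, because a custom policy copied from this table with a non-matching action string would not grant or deny what its author intended. Also, the row for `waf:preciseProtectionRule:delete` is labelled "Configuring a precise protection rule" where its neighbours read "Deleting ...", and "Adding a CC attack protection rules" mixes singular and plural.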
@@ -0,0 +1,57 @@ +:original_name: waf_01_0074.html + +.. _waf_01_0074: + +Adding a Policy +=============== + +A policy is a combination of rules, such as basic web protection, blacklist, whitelist, and precise protection rules. A policy can be applied to multiple domain names, but only one policy can be used for a domain name. This topic describes how to add a policy to your WAF instance. + +Prerequisites +------------- + +A website has been added to WAF. + +Constraints +----------- + +A protected website domain name can use only one policy. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane on the left, choose **Policies**. + +#. In the upper left corner, click **Add Policy**. + + + .. figure:: /_static/images/en-us_image_0000001338407897.png + :alt: **Figure 1** Policies + + **Figure 1** Policies + +#. In the displayed dialog box, enter the policy name and click **Confirm**. The added policy will be displayed in the policy list. + + + .. figure:: /_static/images/en-us_image_0000001338527429.png + :alt: **Figure 2** Add Policy + + **Figure 2** Add Policy + +#. In the **Policy Name** column, click the policy name. On the displayed page, add rules to the policy by referring to :ref:`Rule Configurations `. + +Other Operations +---------------- + +- To modify a policy name, click |image3| next to the policy name. In the dialog box displayed, enter a new policy name. +- To delete a rule, click **Delete** in the row containing the rule. + +.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image2| image:: /_static/images/en-us_image_0000001288266902.png +.. |image3| image:: /_static/images/en-us_image_0301168075.png 
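Review bot: Under Other Operations in adding_a_policy.rst, the second bullet reads "To delete a rule, click **Delete** in the row containing the rule", but this page is about policies and the preceding bullet is about renaming a policy, so it is unclear which list and which object is meant. If deleting a policy is intended, say so and repeat the precondition given in applying_a_policy_to_your_website.rst (domain names using the policy must be added to other policies first). If rule deletion is really meant, point to the rule list the reader reaches in the last procedure step. The Constraints section also restates the one-policy-per-domain sentence from the introduction word for word, so one of the two can go.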
diff --git a/umn/source/policy_management/adding_rules_to_one_or_more_policies.rst b/umn/source/policy_management/adding_rules_to_one_or_more_policies.rst new file mode 100644 index 0000000..1f9f75b --- /dev/null +++ b/umn/source/policy_management/adding_rules_to_one_or_more_policies.rst 
@@ -0,0 +1,65 @@ +:original_name: waf_01_0061.html + +.. _waf_01_0061: + +Adding Rules to One or More Policies +==================================== + +This topic describes how to add rules to one or more policies. + +Prerequisites +------------- + +A website has been added to WAF. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane on the left, choose **Policies**. + +#. In the upper left corner of the page, click **All Rules**. + + + .. figure:: /_static/images/en-us_image_0000001286529486.png + :alt: **Figure 1** View Rules + + **Figure 1** View Rules + +#. In the upper left corner above a rule to be added, click **Add Rule**. + + + .. figure:: /_static/images/en-us_image_0000001344977541.png + :alt: **Figure 2** Adding a rule to one or more policies + + **Figure 2** Adding a rule to one or more policies + +#. Select one or more policies from the **Policy Name** drop-down list. + +#. Set other parameters. + + - To add a CC attack protection rule, see :ref:`Table 1 `. + - To add a precise protection rule, see :ref:`Table 1 `. + - To add a blacklist or whitelist rule, see :ref:`Table 1 `. + - To add a geolocation access control rule, see :ref:`Table 1 `. + - To add a WTP rule, see :ref:`Table 1 `. + - To add an information leakage prevention rule, see :ref:`Table 1 `. + - To add a global protection whitelist rule, see :ref:`Table 1 `. + - To add a data masking rule, see :ref:`Table 1 `. + +#. Click **OK**. + +Other Operations +---------------- + +- After a rule is added, the rule is **Enabled** by default. To disable it, click **Disable** in the **Operation** column of the target rule. You can also select multiple rules and click **Disable** above the rule list to disable them all together. 
+- To modify a rule, locate the row that contains the rule and click **Modify** in the **Operation** column. You can also select multiple rules and click **Modify** above the list to modify them all together. +- To delete a rule, locate the row that contains the rule and click **Delete** in the **Operation** column. You can also select multiple rules and click **Delete** above the list to delete them all together. + +.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image2| image:: /_static/images/en-us_image_0000001340586225.png diff --git a/umn/source/policy_management/applying_a_policy_to_your_website.rst b/umn/source/policy_management/applying_a_policy_to_your_website.rst new file mode 100644 index 0000000..d735b35 --- /dev/null +++ b/umn/source/policy_management/applying_a_policy_to_your_website.rst 
@@ -0,0 +1,51 @@ +:original_name: waf_01_0075.html + +.. _waf_01_0075: + +Applying a Policy to Your Website +================================= + +This topic describes how to apply a policy to your protected website. + +Prerequisites +------------- + +A website has been added to WAF. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane on the left, choose **Policies**. + +#. In the row containing the policy you want to apply to a website, click **Add Domain Name** in the **Operation** column. + + + .. figure:: /_static/images/en-us_image_0000001286051354.png + :alt: **Figure 1** Adding a domain name to a policy + + **Figure 1** Adding a domain name to a policy + +#. Select one or more domain names from the **Domain Name** drop-down list. :ref:`Figure 2 ` shows an example. + + .. important:: + + - A protected domain name can use only one policy, but one policy can be applied to multiple domain names. + - To delete a policy that has been applied to domain names, add these domain names to other policies first. Then, click **Delete** in the **Operation** column of the policy you want to delete. + + .. _waf_01_0075__fig8829399338: + + .. figure:: /_static/images/en-us_image_0000001286052290.png + :alt: **Figure 2** Selecting one or more domain names + + **Figure 2** Selecting one or more domain names + +#. Click **Confirm**. + +.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image2| image:: /_static/images/en-us_image_0000001340306901.png diff --git a/umn/source/policy_management/index.rst b/umn/source/policy_management/index.rst new file mode 100644 index 0000000..ff9ea1b --- /dev/null +++ b/umn/source/policy_management/index.rst 
@@ -0,0 +1,18 @@ +:original_name: waf_01_0055.html + +.. _waf_01_0055: + +Policy Management +================= + +- :ref:`Adding a Policy ` +- :ref:`Adding Rules to One or More Policies ` +- :ref:`Applying a Policy to Your Website ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + adding_a_policy + adding_rules_to_one_or_more_policies + applying_a_policy_to_your_website diff --git a/umn/source/rule_configuration/adding_a_reference_table.rst b/umn/source/rule_configuration/adding_a_reference_table.rst new file mode 100644 index 0000000..6763e0e --- /dev/null +++ b/umn/source/rule_configuration/adding_a_reference_table.rst 
@@ -0,0 +1,100 @@ +:original_name: waf_01_0081.html + +.. _waf_01_0081: + +Adding a Reference Table +======================== + +This topic describes how to create a reference table to batch configure protection metrics of a single type, such as **Path**, **User Agent**, **IP**, **Params**, **Cookie**, **Referer**, and **Header**. A reference table can be referenced by CC attack protection rules and precise protection rules. + +Prerequisites +------------- + +A website has been added to WAF. + +Application Scenarios +--------------------- + +You can use a reference table when you configure protection fields in batches for CC attack protection rules and precise access protection rules. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane, choose **Website Settings**. + +#. In the **Policy** column of the row containing the target website, click the number to go to the policy configuration page. + +#. In the **CC Attack Protection** or **Precise Protection** area, click **Customize Rule**. + +#. Click **Reference Table Management** in the upper left corner of the list. + + + .. figure:: /_static/images/en-us_image_0000001395970965.png + :alt: **Figure 1** Reference Table Management + + **Figure 1** Reference Table Management + +#. On the **Reference Table Management** page, click **Add Reference Table**. + + + .. figure:: /_static/images/en-us_image_0000001345171226.png + :alt: **Figure 2** Add Reference Table + + **Figure 2** Add Reference Table + +#. In the **Add Reference Table** dialog box, specify the parameters by referring to :ref:`Table 1 `. + + + .. figure:: /_static/images/en-us_image_0000001338298405.png + :alt: **Figure 3** Adding a reference table + + **Figure 3** Adding a reference table + + .. 
_waf_01_0081__table22291637155812: + + .. table:: **Table 1** Parameter description + + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +=======================+=============================================================================================================================================================================+=======================+ + | Name | Table name you entered | test | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Type | - **Path**: A URL to be protected, excluding a domain name | **Path** | + | | | | + | | - **User Agent**: A user agent of the scanner to be protected | | + | | | | + | | - **IP**: An IP address of the visitor to be protected. | | + | | | | + | | - **Params**: A request parameter to be protected | | + | | | | + | | - **Cookie**: A small piece of data to identify web visitors | | + | | | | + | | - **Referer**: A user-defined request resource | | + | | | | + | | For example, if the protected path is **/admin/xxx** and you do not want visitors to be able to access it from *www.test.com*, set **Value** to **http://www.test.com**. | | + | | | | + | | - **Header**: A user-defined HTTP header | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Value | Value of the corresponding **Type**. Wildcards are not allowed. | **/buy/phone/** | + | | | | + | | .. note:: | | + | | | | + | | Click **Add** to add more than one value. 
| | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +#. Click **Confirm**. You can then view the added reference table in the reference table list. + +Other Operations +---------------- + +- To modify a reference table, click **Modify** in the row containing the reference table. +- To delete a reference table, click **Delete** in the row containing the reference table. + +.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image2| image:: /_static/images/en-us_image_0000001287946366.png diff --git a/umn/source/rule_configuration/configuration_guidance.rst b/umn/source/rule_configuration/configuration_guidance.rst new file mode 100644 index 0000000..7770173 --- /dev/null +++ b/umn/source/rule_configuration/configuration_guidance.rst 
@@ -0,0 +1,97 @@ +:original_name: waf_01_0129.html + +.. _waf_01_0129: + +Configuration Guidance +====================== + +How WAF Engine Works +-------------------- + +The built-in protection rules of WAF help you defend against common web application attacks, including XSS attacks, SQL injection, crawlers, and web shells. You can customize protection rules to let WAF better protect your website services using these custom rules. :ref:`Figure 1 ` shows how WAF engine built-in protection rules work. :ref:`Figure 2 ` shows the detection sequence of user-defined rules. + +.. _waf_01_0129__en-us_topic_0000001271159206_en-us_topic_0199698323_fig1628214208241: + +.. figure:: /_static/images/en-us_image_0000001286548588.png + :alt: **Figure 1** WAF engine detection process + + **Figure 1** WAF engine detection process + +.. _waf_01_0129__en-us_topic_0000001271159206_en-us_topic_0199698323_fig2084820326445: + +.. figure:: /_static/images/en-us_image_0000001338628737.png + :alt: **Figure 2** Priorities of custom protection rules + + **Figure 2** Priorities of custom protection rules + +Response actions + +- Pass: The current request is unconditionally permitted after a protection rule is matched. +- Block: The current request is blocked after a rule is matched. +- CAPTCHA: The system will perform human-machine verification after a rule is matched. +- Redirect: The system will notify you to redirect the request after a rule is matched. +- Log: Only attack information is recorded after a rule is matched. +- Mask: The system will anonymize sensitive information after a rule is matched. + +Protection Rule Configuration Methods +------------------------------------- + +WAF provides the following customized configuration methods to simplify the configuration process. Select a proper configuration method to meet your service requirements. 
+ +**Method 1: Configuring protection rules for a single domain name** + +This method is recommended when you have few domain name services or have different configuration rules for domain name services. + +.. note:: + + After a domain name is added to WAF, WAF automatically associates a protection policy with the domain name, and protection rules configured for the domain name are also added to the protection policy by default. If there are domain names applicable to the protection policy, you can directly add them to the policy. For details, see :ref:`Applying a Policy to Your Website `. + +- Where to configure + + #. In the navigation pane, choose **Website Settings**. + #. In the **Policy** column of the row containing the target website, click the number to go to the **Policies** page. + +- Protection rules you can configure on the rule configuration page + + .. table:: **Table 1** Configurable protection rules + + +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------+ + | Protection Rule | Description | Reference | + +==================================================================+====================================================================================================================================================================================================================+====================================================================================================+ + | Basic web protection rules | With an extensive reputation database, WAF defends against Open Web Application Security Project (OWASP) top 10 threats, and detects and blocks threats, such as malicious scanners, IP addresses, and web shells. 
| :ref:`Configuring Basic Web Protection Rules ` | + +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------+ + | CC attack protection rules | CC attack protection rules can be customized to restrict access to a specific URL on your website based on a unique IP address, cookie, or referer field, mitigating CC attacks. | :ref:`Configuring a CC Attack Protection Rule ` | + +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------+ + | Precise protection rules | You can customize protection rules by combining HTTP headers, cookies, URLs, request parameters, and client IP addresses. | :ref:`Configuring a Precise Protection Rule ` | + +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------+ + | Blacklist and whitelist rules | You can configure blacklist and whitelist rules to block, log only, or allow access requests from specified IP addresses. 
| :ref:`Configuring an IP Address Blacklist or Whitelist Rule ` | + +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------+ + | Geolocation access control rules | You can customize these rules to allow or block requests from a specific country or region. | :ref:`Configuring a Geolocation Access Control Rule ` | + +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------+ + | Web tamper protection rules | You can configure these rules to prevent a static web page from being tampered with. | :ref:`Configuring a Web Tamper Protection Rule ` | + +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------+ + | Website anti-crawler protection | This function dynamically analyzes website service models and accurately identifies crawler behavior based on data risk control and bot identification systems, such as JS Challenge. 
| :ref:`Configuring Anti-Crawler Rules ` | + +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------+ + | Information leakage prevention rules | You can add two types of information leakage prevention rules. | :ref:`Configuring an Information Leakage Prevention Rule ` | + | | | | + | | - Sensitive information filtering: prevents disclosure of sensitive information (such as ID numbers, phone numbers, and email addresses). | | + | | - Response code interception: blocks the specified HTTP status codes. | | + +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------+ + | Global protection whitelist (formerly false alarm masking) rules | You can configure these rules to let WAF ignore certain rules for specific requests. | :ref:`Configuring a Global Protection Whitelist (Formerly False Alarm Masking) Rule ` | + +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------+ + | Data masking rules | You can configure data masking rules to prevent sensitive data such as passwords from being displayed in event logs. 
| :ref:`Configuring a Data Masking Rule ` | + +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------+ + +**Method 2: Configuring protection rules for multiple domain names** + +This method is recommended if you have many domain name services and require the same protection policy for multiple domain names. This method greatly reduces repeated configuration workloads and improves the protection efficiency. + +- Where to configure + + In the navigation pane on the left, choose **Policies**. + +- Procedure + + #. Add a policy. For details, see :ref:`Adding a Policy `. + #. Configure protection rules. For details, see :ref:`Adding Rules to One or More Policies `. + #. Batch add multiple domain names to the policy. For details, see :ref:`Applying a Policy to Your Website `. diff --git a/umn/source/rule_configuration/configuring_a_cc_attack_protection_rule.rst b/umn/source/rule_configuration/configuring_a_cc_attack_protection_rule.rst new file mode 100644 index 0000000..91f909c --- /dev/null +++ b/umn/source/rule_configuration/configuring_a_cc_attack_protection_rule.rst 
@@ -0,0 +1,201 @@ +:original_name: waf_01_0009.html + +.. _waf_01_0009: + +Configuring a CC Attack Protection Rule +======================================= + +You can customize a CC attack protection rule to restrict access to a specific URL on your website based on an IP address, cookie, or Referer, mitigating CC attacks. To make your custom CC attack protection rules take effect, ensure that you have enabled CC attack protection. + +Prerequisites +------------- + +A website has been added to WAF. + +Constraints +----------- + +- It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the **Events** page. +- A reference table can be added to a CC attack protection rule. The reference table takes effect for all protected domain names. +- A CC attack protection rule offers protective actions such as **Verification code** and **Block** for your choice. For example, you can configure a CC attack protection rule to block requests from a visit for 600 seconds by identifying their cookie (name field) if the visitor accessed a URL (for example, /admin*) of your website over 10 times within 60 seconds. +- The path in a CC attack protection rule must be set to a URL (excluding the domain name). This parameter allows prefix match and exact match. + + - Prefix match: A path ending with \* indicates that the path is used as a prefix. The \* can be used as a wildcard value. For example, to protect **/admin/test.php** or **/adminabc**, you can set **Path** to **/admin\***. + - Exact match: The path to be entered must be the same as the path to be protected. For example, to protect **/admin**, then **Path** must be set to **/admin**. + +Procedure +--------- + +#. Log in to the management console. +#. Click |image1| in the upper left corner of the management console and select a region or project. +#. 
Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. +#. In the navigation pane, choose **Website Settings**. + +5. In the **Policy** column of the row containing the target website, click the number to go to the policy configuration page. + +6. In the **CC Attack Protection** configuration area, change **Status** if needed and click **Customize Rule** to go to the **CC Attack Protection** page. + + + .. figure:: /_static/images/en-us_image_0000001285588948.png + :alt: **Figure 1** CC Attack Protection configuration area + + **Figure 1** CC Attack Protection configuration area + +7. In the upper left corner of the **CC Attack Protection** page, click **Add Rule**. + +8. In the displayed dialog box, configure a CC attack protection rule by referring to :ref:`Table 1 `. + + If a visitor whose cookie is **name** accesses a page on your website where the address includes **/admin** at the end (for example, https://www.example.com/adminlogic) more than 10 times within 60 seconds, WAF blocks the requests from visitors of the same cookie **name** for 600s and returns the page configured for **Page Content**. :ref:`Figure 2 ` shows the configurations. + + .. _waf_01_0009__fig172782071413: + + .. figure:: /_static/images/en-us_image_0000001285430612.png + :alt: **Figure 2** Adding a CC attack protection rule + + **Figure 2** Adding a CC attack protection rule + + .. _waf_01_0009__table1173915209149: + + .. 
table:: **Table 1** Rule parameters + + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------+ + | Parameter | Description | Example Value | + +=======================+=======================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+=============================================================================================+ + | Mode | - **Standard**: Only the protection path of a domain name can be restricted. | **Standard** | + | | - **Advanced**: The path, IP address, cookie, header, and params fields can all be restricted. 
| | + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------+ + | Path | Set this parameter only when **Standard** is selected for **Mode**. | **/admin\*** | + | | | | + | | Part of the URL without the domain name. | | + | | | | + | | - Prefix match: A path ending with \* indicates that the path is used as a prefix. The \* can be used as a wildcard value. For example, to protect **/admin/test.php** or **/adminabc**, you can set **Path** to **/admin\***. | | + | | - Exact match: The path to be entered must be the same as the path to be protected. For example, to protect **/admin**, then **Path** must be set to **/admin**. | | + | | | | + | | .. note:: | | + | | | | + | | - The path supports prefix and exact matches only but does not support regular expressions. | | + | | - The path cannot contain two or more consecutive slashes. For example, **///admin**. If you enter **///admin**, WAF will convert **///** to **/**. | | + | | - The path is case-sensitive. | | + | | - If **Path** is set to **/**, all paths of the website are protected. 
| | + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------+ + | Condition List | Set this parameter only when **Advanced** is selected for **Mode**. | **Path** **Include** **/admin** | + | | | | + | | Click **Add** to add conditions. At least one condition is required, but up to 30 conditions are allowed. If you add more than one condition, the rule will only take effect if all of the conditions are met. | | + | | | | + | | - **Field**: The options are **Path**, **IP**, **Cookie**, **Header**, and **Params**. | | + | | - **Subfield**: Configure this field only when **Cookie**, **Header**, or **Params** is selected for **Field**. | | + | | | | + | | .. important:: | | + | | | | + | | NOTICE: | | + | | The length of a subfield cannot exceed 2048 bytes. Only digits, letters, underscores (_), and hyphens (-) are allowed. | | + | | | | + | | - **Logic**: Select a logical relationship from the drop-down list. | | + | | | | + | | .. 
note:: | | + | | | | + | | If you set **Logic** to **Include any value**, **Exclude any value**, **Equal to any value**, **Not equal to any value**, **Prefix is any value**, **Prefix is not any of them**, **Suffix is any value**, or **Suffix is not any of them**, select an existing reference table. For details, see :ref:`Adding a Reference Table `. | | + | | | | + | | - **Content**: Enter or select the content that matches the condition. | | + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------+ + | Rate Limit Mode | - **Per IP address**: A website visitor is identified by the IP address. | **Per user** | + | | - **Per user**: A website visitor is identified by the key value of **Cookie** or **Header**. | | + | | - **Other**: A website visitor is identified by the Referer field (user-defined request source). | | + | | | | + | | .. note:: | | + | | | | + | | If you set **Rate Limit Mode** to **Other**, set **Content** of **Referer** to a complete URL containing the domain name. The **Content** field supports prefix match and exact match only, but cannot contain two or more consecutive slashes, for example, **///admin**. If you enter **///admin**, WAF will convert it to **/admin**. 
| | + | | | | + | | For example, if **Path** is **/admin**, and you do not want visitors to access the page from **www.test.com**, set **Content** of **Referer** to **http://www.test.com**. | | + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------+ + | User Identifier | This parameter is mandatory when you select **Per user** for **Rate Limit Mode**. | name | + | | | | + | | - **Cookie**: A cookie field name. You need to configure an attribute variable name in the cookie that can uniquely identify a web visitor based on your website requirements. This field does not support regular expressions. Only complete matches are supported. | | + | | | | + | | For example, if a website uses the **name** field in the cookie to uniquely identify a website visitor, select **name**. | | + | | | | + | | - **Header**: Set the user-defined HTTP header you want to protect. You need to configure the HTTP header that can identify web visitors based on your website requirements. 
| | + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------+ + | Rate Limit | The number of requests allowed from a website visitor in the rate limit period. If the number of requests exceeds the rate limit, WAF takes the action you configure for **Protective Action**. | **10** requests allowed in **60** seconds | + | | | | + | | **All WAF instances**: Requests to on one or more WAF instances will be counted together according to the rate limit mode you select. By default, requests to each WAF instance are counted. If you enable this, WAF will count requests to all your WAF instances for triggering this rule. To enable user-based rate limiting, **Per user** or **Other** (**Referer** must be configured) instead of **Per IP address** must be selected for **Rate Limit Mode**. This is because IP address-based rate limiting cannot limit the access rate of a specific user. However, in user-based rate limiting, requests may be forwarded to one or more WAF instances. Therefore, **All WAF instances** must be enabled for triggering the rule precisely. 
| | + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------+ + | Protective Action | The action that WAF will take if the number of requests exceeds **Rate Limit** you configured. The options are as follows: | **Block** | + | | | | + | | - **Verification code**: WAF allows requests that trigger the rule as long as your website visitors complete the required verification. | | + | | | | + | | - **Block**: WAF blocks requests that trigger the rule. | | + | | | | + | | - **Block dynamically**: WAF blocks requests that trigger the rule based on **Allowable Frequency**, which you configure after the first rate limit period is over. | | + | | | | + | | The protective action is supported only when **Advanced** is selected for **Mode**. | | + | | | | + | | - **Log only**: WAF only logs requests that trigger the rule. You can :ref:`download event data ` and view the protection logs of a specific domain name. 
| | + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------+ + | Allowable Frequency | This parameter can be set if you select **Block dynamically** for **Protective Action**. | **8** requests allowed in **60** seconds | + | | | | + | | WAF blocks requests that trigger the rule based on **Rate Limit** first. Then, in the following rate limit period, WAF blocks requests that trigger the rule based on **Allowable Frequency** you configure. | | + | | | | + | | **Allowable Frequency** cannot be larger than **Rate Limit**. | | + | | | | + | | .. note:: | | + | | | | + | | If you set **Allowable Frequency** to **0**, WAF blocks all requests that trigger the rule in the next rate limit period. 
| | + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------+ + | Block Duration | Period of time for which to block the item when you set **Protective Action** to **Block**. | **600** seconds | + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------+ + | Block Page | The page displayed if the maximum number of requests has been reached. 
This parameter is configured only when **Protective Action** is set to **Block**. | **Custom** | + | | | | + | | - If you select **Default settings**, the default block page is displayed. | | + | | - If you select **Custom**, a custom error message is displayed. | | + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------+ + | Block Page Type | If you select **Custom** for **Block Page**, select a type of block page. 
The options are: | **text/html** | + | | | | + | | - **application/jsontext/html** | | + | | - **text/htmltext/xml** | | + | | - **text/xml** | | + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------+ + | Page Content | If you select **Custom** for **Block Page**, configure the content to be returned. 
| Page content styles corresponding to different page types are as follows: | + | | | | + | | | - **text/html**: Forbidden | + | | | - **application/json**: {"msg": "Forbidden"} | + | | | - **text/xml**: Forbidden | + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------+ + | Rule Description | A description of the rule. This parameter is optional. 
| None | + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------+ + +9. Click **Confirm**. You can then view the added CC attack protection rule in the CC rule list. + + + .. figure:: /_static/images/en-us_image_0000001396154617.png + :alt: **Figure 3** CC rule list + + **Figure 3** CC rule list + + - To disable a rule, click **Disable** in the **Operation** column of the rule. The default **Rule Status** is **Enabled**. + - To modify a rule, click **Modify** in the row containing the rule. + - To delete a rule, click **Delete** in the row containing the rule. + +Protection Effect +----------------- + +If you have configured a CC attack protection rule for your domain name, with **Protective Action** set to **Block**, as shown in :ref:`Figure 2 `, to verify WAF is protecting your website (**www.example.com**) against the configured CC attack protection rule: + +#. Clear the browser cache and enter the domain name in the address box of a browser to check whether the website is accessible. + + - If the website is inaccessible, connect the website domain name to WAF by following the instructions in :ref:`Step 1: Add a Website to WAF `. + - If the website is accessible, go to :ref:`Step 2 `. 
+ +#. .. _waf_01_0009__li88102353919: + + Clear the browser cache, enter **http://www.example.com/admin** in the address bar, and refresh the page 10 times within 60 seconds. In normal cases, the custom block page will be displayed the eleventh time you refresh the page, and the requested page will be accessible when you refresh the page 600 seconds later. + + If you select **Verification code** for protective action, a verification code is required for visitors to continue the access if they exceed the configured rate limit. + + |image3| + +#. Return to the WAF console. In the navigation pane, choose **Events**. On the displayed page, view or :ref:`download events data `. + +.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image2| image:: /_static/images/en-us_image_0000001340585569.png +.. |image3| image:: /_static/images/en-us_image_0000001191376107.jpg diff --git a/umn/source/rule_configuration/configuring_a_data_masking_rule.rst b/umn/source/rule_configuration/configuring_a_data_masking_rule.rst new file mode 100644 index 0000000..b3c55a9 --- /dev/null +++ b/umn/source/rule_configuration/configuring_a_data_masking_rule.rst 
@@ -0,0 +1,121 @@ +:original_name: waf_01_0017.html + +.. _waf_01_0017: + +Configuring a Data Masking Rule +=============================== + +This topic describes how to configure data masking rules. You can configure data masking rules to prevent sensitive data such as passwords from being displayed in event logs. + +Prerequisites +------------- + +A website has been added to WAF. + +Constraints +----------- + +- It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the **Events** page. + +Impact on the System +-------------------- + +Sensitive data in the events will be masked to protect your website visitor's privacy. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane, choose **Website Settings**. + +#. In the **Policy** column of the row containing the target website, click the number to go to the **Policies** page. + +#. In the **Data Masking** configuration area, change **Status** if needed and click **Customize Rule**. + + + .. figure:: /_static/images/en-us_image_0000001285661276.png + :alt: **Figure 1** Data Masking configuration area + + **Figure 1** Data Masking configuration area + +#. In the upper left corner of the **Data Masking** page, click **Add Rule**. + +#. In the displayed dialog box, specify the parameters described in :ref:`Table 1 `. + + + .. figure:: /_static/images/en-us_image_0000001285981628.png + :alt: **Figure 2** Adding a data masking rule + + **Figure 2** Adding a data masking rule + + .. _waf_01_0017__table4696626918715: + + .. 
table:: **Table 1** Rule parameters + + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------+ + | Parameter | Description | Example Value | + +=======================+=======================================================================================================================================================================================================+==============================================================================================================================+ + | Path | Part of the URL that does not include the domain name. | **/admin/login.php** | + | | | | + | | - Prefix match: The path ending with \* indicates that the path is used as a prefix. For example, if the path to be protected is **/admin/test.php** or **/adminabc**, set **Path** to **/admin\***. | For example, if the URL to be protected is **http://www.example.com/admin/login.php**, set **Path** to **/admin/login.php**. | + | | - Exact match: The path to be entered must match the path to be protected. If the path to be protected is **/admin**, set **Path** to **/admin**. | | + | | | | + | | .. note:: | | + | | | | + | | - The path supports prefix and exact matches only and does not support regular expressions. | | + | | - The path cannot contain two or more consecutive slashes. For example, **///admin**. If you enter **///admin**, WAF converts **///** to **/**. 
| | + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------+ + | Masked Field | A field set to be masked | - If **Masked Field** is **Params** and **Field Name** is **id**, content that matches **id** is masked. | + | | | - If **Masked Field** is **Cookie** and **Field Name** is **name**, content that matches **name** is masked. | + | | - **Params**: A request parameter | | + | | - **Cookie**: A small piece of data to identify web visitors | | + | | - **Header**: A user-defined HTTP header | | + | | - **Form**: A form parameter | | + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------+ + | Field Name | Set the parameter based on **Masked Field**. The masked field will not be displayed in logs. | | + | | | | + | | .. important:: | | + | | | | + | | NOTICE: | | + | | The length of a subfield cannot exceed 2,048 bytes. Only digits, letters, underscores (_), and hyphens (-) are allowed. | | + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------+ + | Rule Description | A brief description of the rule. This parameter is optional. 
| None | + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------+ + +#. Click **Confirm**. The added data masking rule is displayed in the list of data masking rules. + +Other Operations +---------------- + +- To disable a rule, click **Disable** in the **Operation** column of the rule. The default **Rule Status** is **Enabled**. +- To modify a rule, click **Modify** in the row containing the rule. +- To delete a rule, click **Delete** in the row containing the rule. + +Configuration Example - Masking the Cookie Field +------------------------------------------------ + +To verify that WAF is protecting your domain name *www.example.com* against a data masking rule (with **Cookie** selected for **Masked Field** and **jsessionid** entered in **Field Name**): + +#. Add a data masking rule. + + + .. figure:: /_static/images/en-us_image_0000001285986476.png + :alt: **Figure 3** Select **Cookie** for **Masked Field** and enter **jsessionid** in **Field Name**. + + **Figure 3** Select **Cookie** for **Masked Field** and enter **jsessionid** in **Field Name**. + +#. Enable data masking. + +#. In the navigation pane on the left, choose **Events**. + +#. In the row containing the event hit the rule, click **Details** in the **Operation** column and view the event details. + + Data in the **jsessionid** cookie field is masked. + +.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image2| image:: /_static/images/en-us_image_0000001287946362.png diff --git a/umn/source/rule_configuration/configuring_a_geolocation_access_control_rule.rst b/umn/source/rule_configuration/configuring_a_geolocation_access_control_rule.rst new file mode 100644 index 0000000..b59ec66 
--- /dev/null +++ b/umn/source/rule_configuration/configuring_a_geolocation_access_control_rule.rst 
@@ -0,0 +1,99 @@ +:original_name: waf_01_0013.html + +.. _waf_01_0013: + +Configuring a Geolocation Access Control Rule +============================================= + +This topic describes how to configure a geolocation access control rule. A geolocation access control rule allows you to control IP addresses forwarded from or to specified countries and regions. + +Prerequisites +------------- + +A website has been added to WAF. + +Constraints +----------- + +- One region can be configured in only one geolocation access control rule. +- It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the **Events** page. + +.. _waf_01_0013__section61533550183130: + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane, choose **Website Settings**. + +#. In the **Policy** column of the row containing the target website, click the number to go to the **Policies** page. + +#. In the **Geolocation Access Control** configuration area, change **Status** if needed and click **Customize Rule**. + + + .. figure:: /_static/images/en-us_image_0000001285950994.png + :alt: **Figure 1** Geolocation Access Control configuration area + + **Figure 1** Geolocation Access Control configuration area + +#. In the upper left corner of the **Geolocation Access Control** page, click **Add Rule**. + +#. In the displayed dialog box, add a geolocation access control rule by referring to :ref:`Table 1 `. + + + .. figure:: /_static/images/en-us_image_0000001377911005.png + :alt: **Figure 2** Adding a geolocation access control rule + + **Figure 2** Adding a geolocation access control rule + + .. _waf_01_0013__table157961352154713: + + .. 
table:: **Table 1** Rule parameters + + +-------------------+------------------------------------------------------------------------------------------------+---------------+ + | Parameter | Description | Example Value | + +===================+================================================================================================+===============+ + | Rule Description | A brief description of the rule. This parameter is optional. | waf | + +-------------------+------------------------------------------------------------------------------------------------+---------------+ + | Geolocation | Geographical scope of the IP address. | ``-`` | + +-------------------+------------------------------------------------------------------------------------------------+---------------+ + | Protective Action | Action WAF will take if the rule is hit. You can select **Block**, **Allow**, or **Log only**. | **Block** | + +-------------------+------------------------------------------------------------------------------------------------+---------------+ + +#. Click **Confirm**. You can then view the added rule in the list of the geolocation access control rules. + + + .. figure:: /_static/images/en-us_image_0000001345013254.png + :alt: **Figure 3** List of geolocation access control rules + + **Figure 3** List of geolocation access control rules + + - To disable a rule, click **Disable** in the **Operation** column of the rule. The default **Rule Status** is **Enabled**. + - To modify a rule, click **Modify** in the row containing the rule. + - To delete a rule, click **Delete** in the row containing the rule. + +Protection Effect +----------------- + +To verify WAF is protecting your website (**www.example.com**) against a rule: + +#. Clear the browser cache and enter the domain name in the address box of a browser to check whether the website is accessible. 
+ + - If the website is inaccessible, connect the website domain name to WAF by following the instructions in :ref:`Step 1: Add a Website to WAF `. + - If the website is accessible, go to :ref:`2 `. + +#. .. _waf_01_0013__li885731953512: + + Add a geolocation access control rule by referring to :ref:`Procedure `. + +#. Clear the browser cache and access **http://www.example.com**. Normally, WAF blocks such requests and returns the block page. + +#. Go to the WAF console. In the navigation pane on the left, choose **Events**. On the displayed page, view or :ref:`download events data `. + +.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image2| image:: /_static/images/en-us_image_0000001340306233.png diff --git a/umn/source/rule_configuration/configuring_a_global_protection_whitelist_formerly_false_alarm_masking_rule.rst b/umn/source/rule_configuration/configuring_a_global_protection_whitelist_formerly_false_alarm_masking_rule.rst new file mode 100644 index 0000000..729126d --- /dev/null +++ b/umn/source/rule_configuration/configuring_a_global_protection_whitelist_formerly_false_alarm_masking_rule.rst 
@@ -0,0 +1,147 @@ +:original_name: waf_01_0016.html + +.. _waf_01_0016: + +Configuring a Global Protection Whitelist (Formerly False Alarm Masking) Rule +============================================================================= + +Once an attack hits a WAF basic web protection rule or a feature-library anti-crawler rule, WAF will respond to the attack immediately according to the protective action (**Log only** or **Block**) you configured for the rule and display an event on the **Events** page. + +You can add false alarm masking rules to let WAF ignore certain rule IDs or event types (for example, skip XSS checks for a specific URL). + +- If you select **All protection** for **Ignore WAF Protection**, all WAF rules do not take effect, and WAF allows all request traffic to the domain names in the rule. +- If you select **Basic Web Protection** for **Ignore WAF Protection**, you can ignore basic web protection by rule ID, attack type, or all built-in rules. For example, if XSS check is not required for a URL, you can whitelist XSS rule. + +Prerequisites +------------- + +A website has been added to WAF. + +Constraints +----------- + +- If you select **Basic web protection** for **Ignore WAF Protection**, global protection whitelist (formerly false alarm masking) rules take effect only for events triggered against WAF built-in rules in **Basic Web Protection** and anti-crawler rules under **Feature Library**. + + - Basic web protection rules + + Basic web protection defends against common web attacks, such as SQL injection, XSS attacks, remote buffer overflow attacks, file inclusion, Bash vulnerability exploits, remote command execution, directory traversal, sensitive file access, and command and code injections. Basic web protection also detects web shells and evasion attacks. + + - Feature-based anti-crawler protection + + Feature-based anti-crawler identifies and blocks crawler behavior from search engines, scanners, script tools, and other crawlers. 
+ +- It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the **Events** page. +- You can configure a global protection whitelist (formerly false alarm masking) rule by referring to :ref:`Handling False Alarms `. After handling a false alarm, you can view the rule in the rule list. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane, choose **Website Settings**. + +#. In the **Policy** column of the row containing the target website, click the number to go to the **Policies** page. + +#. In the **Global Protection Whitelist (Formerly False Alarm Masking)** configuration area, click **Status** if needed. Then, click **Customize Rule**. + + + .. figure:: /_static/images/en-us_image_0000001326640436.png + :alt: **Figure 1** Global Protection Whitelist configuration area + + **Figure 1** Global Protection Whitelist configuration area + +#. In the upper left corner of the **Global Protection Whitelist** page, click **Add Rule**. + +#. Add a global whitelist rule by referring to :ref:`Table 1 `. :ref:`Figure 2 ` shows an example. + + .. _waf_01_0016__fig1658541018715: + + .. figure:: /_static/images/en-us_image_0000001326802772.png + :alt: **Figure 2** Add Global Protection Whitelist Rule + + **Figure 2** Add Global Protection Whitelist Rule + + .. _waf_01_0016__table1623195815237: + + .. 
table:: **Table 1** Parameters + + +-------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ + | Parameter | Description | Example Value | + +=========================+===========================================================================================================================================================================================================================================================================================================================================================================+============================================+ + | Scope | - **All domain names**: By default, this rule will be used to all domain names that are protected by the current policy. | Specified domain names | + | | - **Specified domain names**: This rule will be used to the specified domain names that match the wildcard domain name being protected by the current policy. | | + +-------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ + | Domain Name | This parameter is mandatory when you select **Specified domain names** for **Scope**. | www.example.com | + | | | | + | | Enter a single domain name that matches the wildcard domain name being protected by the current policy. 
| | + +-------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ + | Condition List | Click **Add** to add conditions. At least one condition needs to be added. You can add up to 30 conditions to a protection rule. If more than one condition is added, all of the conditions must be met for the rule to be applied. A condition includes the following parameters: | Path, Include, /product | + | | | | + | | Parameters for configuring a condition are described as follows: | | + | | | | + | | - Field | | + | | - **Subfield**: Configure this field only when **Params**, **Cookie**, or **Header** is selected for **Field**. | | + | | | | + | | .. important:: | | + | | | | + | | NOTICE: | | + | | The length of a subfield cannot exceed 2,048 bytes. Only digits, letters, underscores (_), and hyphens (-) are allowed. | | + | | | | + | | - **Logic**: Select a logical relationship from the drop-down list. | | + | | - **Content**: Enter or select the content that matches the condition. | | + +-------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ + | Ignore WAF Protection | - **All protection**: All WAF rules do not take effect, and WAF allows all request traffic to the domain names in the rule. 
| Basic Web Protection | + | | - **Basic Web Protection**: You can ignore basic web protection by rule ID, attack type, or all built-in rules. For example, if XSS check is not required for a URL, you can whitelist XSS rule. | | + +-------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ + | Ignored Protection Type | If you select **Basic web protection** for **Ignored Protection Type**, specify the following parameters: | Attack type | + | | | | + | | - **ID**: Configure the rule by event ID. | | + | | - **Attack type**: Configure the rule by attack type, such as XSS and SQL injection. One type contains one or more rule IDs. | | + | | - **All built-in rules**: all checks enabled in :ref:`Basic Web Protection `. | | + +-------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ + | ID | This parameter is mandatory when you select **ID** for **Ignored Protection Type**. | 041046 | + | | | | + | | ID of an attack event on the **Events** page. If the event type is **Custom**, it has no event ID. Click **Handle False Alarm** in the row containing the attack event to obtain the ID. 
You are advised to configure global protection whitelist (formerly false alarm masking) rules on the **Events** page by referring to :ref:`Handling False Alarms `. | | + +-------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ + | Attack type | This parameter is mandatory when you select **Attack type** for **Ignored Protection Type**. | SQL injection | + | | | | + | | Select an attack type from the drop-down list box. | | + | | | | + | | WAF can defend against XSS attacks, web shells, SQL injection attacks, malicious crawlers, remote file inclusions, local file inclusions, command injection attacks, and other attacks. | | + +-------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ + | Rule Description | A brief description of the rule. This parameter is optional. | SQL injection attacks are not intercepted. 
| + +-------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ + | Advanced Settings | To ignore attacks of a specific field, specify the field in the **Advanced Settings** area. After you add the rule, WAF will stop blocking attack events of the specified field. | Params | + | | | | + | | Select a target field from the first drop-down list box on the left. The following fields are supported: **Params**, **Cookie**, **Header**, **Body**, and **Multipart**. | All | + | | | | + | | - If you select **Params**, **Cookie**, or **Header**, you can select **All** or **Specified field** to configure a subfield. | | + | | - If you select **Body** or **Multipart**, you can select **All**. | | + | | - If you select **Cookie**, the **Domain Name** and **Path** can be empty. | | + | | | | + | | .. note:: | | + | | | | + | | If **All** is selected, WAF will not block all attack events of the selected field. | | + +-------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ + +#. Click **OK**. + + + .. 
figure:: /_static/images/en-us_image_0000001345013500.png + :alt: **Figure 3** Global protection whitelist (formerly false alarm masking) rules + + **Figure 3** Global protection whitelist (formerly false alarm masking) rules + +Other Operations +---------------- + +- To disable a rule, click **Disable** in the **Operation** column of the rule. The default **Rule Status** is **Enabled**. +- To modify a global protection whitelist (formerly false alarm masking) rule, click **Modify** in the row containing the rule. +- To delete a global protection whitelist (formerly false alarm masking) rule, click **Delete** in the row containing the rule. + +.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image2| image:: /_static/images/en-us_image_0000001288266226.png diff --git a/umn/source/rule_configuration/configuring_a_known_attack_source_rule.rst b/umn/source/rule_configuration/configuring_a_known_attack_source_rule.rst new file mode 100644 index 0000000..23de903 --- /dev/null +++ b/umn/source/rule_configuration/configuring_a_known_attack_source_rule.rst 
@@ -0,0 +1,100 @@ +:original_name: waf_01_0271.html + +.. _waf_01_0271: + +Configuring a Known Attack Source Rule +====================================== + +If WAF blocks a malicious request by IP address, Cookie, or Params, you can configure a known attack source rule to let WAF automatically block all requests from the attack source for a blocking duration set in the known attack source rule. For example, if a blocked malicious request originates from an IP address and you set the blocking duration to 500 seconds, WAF will block the IP address for 500 seconds after the known attack source rule takes effect. + +Prerequisites +------------- + +A website has been added to WAF. + +Constraints +----------- + +- For a known attack source rule to take effect, it must be enabled when you configure basic web protection, precise protection, blacklist, or whitelist protection rules. +- It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the **Events** page. +- Before adding a known attack source rule for malicious requests blocked by Cookie or Params, a traffic identifier must be configured for the corresponding domain name. For more details, see :ref:`Configuring a Traffic Identifier for a Known Attack Source `. + +Specification Limitations +------------------------- + +- You can configure up to six blocking types. Each type can have one known attack source rule configured. +- The maximum time an IP address can be blocked for is 30 minutes. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane, choose **Website Settings**. + +#. 
In the **Policy** column of the row containing the target website, click the number to go to the policy configuration page. + +#. In the **Known Attack Source** configuration area, change **Status** if needed and click **Customize Rule** to go to the **Known Attack Source** page. :ref:`Figure 1 ` shows an example. + + .. _waf_01_0271__fig0358162863015: + + .. figure:: /_static/images/en-us_image_0000001338230701.png + :alt: **Figure 1** Known Attack Source configuration + + **Figure 1** Known Attack Source configuration + +#. In the upper left corner of the known attack source rules, click **Add Known Attack Source Rule**. + +#. In the displayed dialog box, specify the parameters by referring to :ref:`Table 1 `. :ref:`Figure 2 ` shows an example. + + .. _waf_01_0271__fig16699125187: + + .. figure:: /_static/images/en-us_image_0000001285992940.png + :alt: **Figure 2** Add Known Attack Source Rule + + **Figure 2** Add Known Attack Source Rule + + .. _waf_01_0271__table147241231818: + + .. table:: **Table 1** Known attack source parameters + + +-----------------------+--------------------------------------------------------------+-----------------------------------+ + | Parameter | Description | Example Value | + +=======================+==============================================================+===================================+ + | Blocking Type | Specifies the blocking type. 
The options are: | **Long-term IP address blocking** | + | | | | + | | - **Long-term IP address blocking** | | + | | - **Short-term IP address blocking** | | + | | - **Long-term Cookie blocking** | | + | | - **Short-term Cookie blocking** | | + | | - **Long-term Params blocking** | | + | | - **Short-term Params blocking** | | + +-----------------------+--------------------------------------------------------------+-----------------------------------+ + | Blocking Duration (s) | The blocking duration must be an integer and range from: | 500 | + | | | | + | | - (300, 1800] for long-term blocking | | + | | - (0, 300] for short-term blocking | | + +-----------------------+--------------------------------------------------------------+-----------------------------------+ + | Rule Description | A brief description of the rule. This parameter is optional. | None | + +-----------------------+--------------------------------------------------------------+-----------------------------------+ + +#. Click **Confirm**. You can then view the added known attack source rule in the list. + + + .. figure:: /_static/images/en-us_image_0000001395852973.png + :alt: **Figure 3** Known attack source rules + + **Figure 3** Known attack source rules + +Other Operations +---------------- + +- To modify a rule, click **Modify** in row containing the rule. +- To delete a rule, click **Delete** in the row containing the rule. + +.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image2| image:: /_static/images/en-us_image_0000001340665981.png diff --git a/umn/source/rule_configuration/configuring_a_precise_protection_rule.rst b/umn/source/rule_configuration/configuring_a_precise_protection_rule.rst new file mode 100644 index 0000000..05bf0b7 --- /dev/null +++ b/umn/source/rule_configuration/configuring_a_precise_protection_rule.rst 
@@ -0,0 +1,206 @@ +:original_name: waf_01_0010.html + +.. _waf_01_0010: + +Configuring a Precise Protection Rule +===================================== + +WAF allows you to customize protection rules by combining HTTP headers, cookies, URLs, request parameters, and client IP addresses. + +You can combine common HTTP fields, such as **IP**, **Path**, **Referer**, **User Agent**, and **Params** in a protection rule to let WAF allow, block, or only log the requests that match the combined conditions. + +A reference table can be added to a precise protection rule. The reference table takes effect for all protected domain names. + +Prerequisites +------------- + +A website has been added to WAF. + +Application Scenarios +--------------------- + +Precise protection rules are used for anti-leeching and website management background protection. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane, choose **Website Settings**. + +#. In the **Policy** column of the row containing the target website, click the number to go to the policy configuration page. + +#. In the **Precise Protection** configuration area, change **Status** as needed and click **Customize Rule** to go to the **Precise Protection** page. + + + .. figure:: /_static/images/en-us_image_0000001337808105.png + :alt: **Figure 1** Precise Protection configuration area + + **Figure 1** Precise Protection configuration area + +#. On the **Precise Protection** page, set **Detection Mode**. :ref:`Figure 2 ` shows an example. + + Two detection modes are available: + + - **Instant Detection**: If a request matches a configured precise protection rule, WAF immediately ends threat detection and blocks the request. 
+ + - **Full Detection**: If a request matches a configured precise protection rule, WAF finishes its scan first and then blocks all requests that match the configured precise protection rule. + + .. _waf_01_0010__fig1818193165213: + + .. figure:: /_static/images/en-us_image_0000001338129425.png + :alt: **Figure 2** Setting Detection Mode + + **Figure 2** Setting Detection Mode + +#. Click **Add Rule**. + +#. In the displayed dialog box, add a rule by referring to :ref:`Table 1 `. + + The settings shown in :ref:`Figure 3 ` are used as an example. If a visitor tries to access a URL containing **/admin**, WAF will block the request. + + .. important:: + + To ensure that WAF blocks only attack requests, configure **Protective Action** to **Log only** first and check whether normal requests are blocked on the **Events** page. If no normal requests are blocked, configure **Protective Action** to **Block**. + + .. _waf_01_0010__fig39459217174738: + + .. figure:: /_static/images/en-us_image_0000001327470582.png + :alt: **Figure 3** Add Precise Protection Rule + + **Figure 3** Add Precise Protection Rule + + .. _waf_01_0010__table2299936310457: + + .. 
table:: **Table 1** Rule parameters + + +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------+ + | Parameter | Description | Example Value | + +=======================+==============================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+===================================+ + | Protective Action | You can select **Block**, **Allow**, or **Log only**. 
Default value: **Block** | **Block** | + +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------+ + | Known Attack Source | If you set **Protective Action** to **Block**, you can select a blocking type for a known attack source rule. Then, WAF blocks requests matching the configured **IP**, **Cookie**, or **Params** for a length of time that depends on the selected blocking type. | **Long-term IP address blocking** | + +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------+ + | Effective Date | Select **Immediate** to enable the rule immediately, or select **Custom** to configure when you wish the rule to be enabled. 
| **Immediate** | + +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------+ + | Condition List | Click **Add** to add conditions. At least one condition needs to be added. You can add up to 30 conditions to a protection rule. If more than one condition is added, all of the conditions must be met for the rule to be applied. A condition includes the following parameters: | **Path** **Include** **/admin** | + | | | | + | | Parameters for configuring a condition are described as follows: | | + | | | | + | | - **Field** | | + | | - **Subfield**: Configure this field only when **Params**, **Cookie**, or **Header** is selected for **Field**. | | + | | | | + | | .. important:: | | + | | | | + | | NOTICE: | | + | | The length of a subfield cannot exceed 2,048 bytes. Only digits, letters, underscores (_), and hyphens (-) are allowed. | | + | | | | + | | - **Logic**: Select a logical relationship from the drop-down list. | | + | | | | + | | .. note:: | | + | | | | + | | - If **Include any value**, **Exclude any value**, **Equal to any value**, **Not equal to any value**, **Prefix is any value**, **Prefix is not any of them**, **Suffix is any value**, or **Suffix is not any of them** is selected, select an existing reference table in the **Content** drop-down list. 
For details, see :ref:`Adding a Reference Table `. | | + | | - **Exclude any value**, **Not equal to any value**, **Prefix is not any of them**, and **Suffix is not any of them** indicates, respectively, that WAF performs the protection action (block, allow, or log only) when the field in the access request does not contain, is not equal to, or the prefix or suffix is not any value set in the reference table. For example, assume that **Path** field is set to **Exclude any value** and the **test** reference table is selected. If *test1*, *test2*, and *test3* are set in the **test** reference table, WAF performs the protection action when the path of the access request does not contain *test1*, *test2*, or *test3*. | | + | | | | + | | - **Content**: Enter or select the content of condition matching. | | + | | | | + | | .. note:: | | + | | | | + | | For more details about the configurations in general, see :ref:`Table 2 `. | | + +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------+ + | Priority | Rule priority. If you have added multiple rules, rules are matched by priority. The smaller the value you set, the higher the priority. 
| **5** | + +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------+ + | Rule Description | A brief description of the rule. This parameter is optional. | None | + +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------+ + + .. _waf_01_0010__table13543174312394: + + .. 
table:: **Table 2** Condition list configurations + + +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ + | Field | Example Subfield | Logic | Example Content | + +==================================================================================================================================================================================================+==================+========================================================+===========================================================================================+ + | **Path**: Part of a URL that does not include a domain name. This value supports exact matches only. For example, if the path to be protected is **/admin**, **Path** must be set to **/admin**. | None | Select a logical relationship from the drop-down list. | **/buy/phone/** | + | | | | | + | | | | .. important:: | + | | | | | + | | | | NOTICE: | + | | | | If **Path** is set to **/**, all paths of the website are protected. | + +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ + | **User Agent**: A user agent of the scanner to be checked. 
| None | | **Mozilla/5.0 (Windows NT 6.1)** | + +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ + | **IP**: An IP address of the visitor for the protection. | None | | XXX.XXX.1.1 | + +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ + | **Params**: A request parameter. | **sttl** | | **201901150929** | + +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ + | **Referer**: A user-defined request resource. | None | | http://www.test.com | + | | | | | + | For example, if the protected path is **/admin/xxx** and you do not want visitors to access the page from **www.test.com**, set **Content** to **http://www.test.com**. 
| | | | + +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ + | **Cookie**: A small piece of data to identify web visitors. | **name** | | jsessionid | + +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ + | **Header**: A user-defined HTTP header. | **Accept** | | **text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8** | + +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ + | **Method**: the user-defined request method. | None | | **GET**, **POST**, **PUT**, **DELETE**, and **PATCH** | + +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ + | **Request Line**: Length of a user-defined request line. 
| None | | **50** | + +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ + | **Request**: Length of a user-defined request. It includes the request header, request line, and request body. | None | | None | + +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ + | **Protocol**: the protocol of the request. | None | | http | + +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ + +#. Click **Confirm**. You can then view the added precise protection rule in the protection rule list. + + + .. figure:: /_static/images/en-us_image_0000001395970885.png + :alt: **Figure 4** Protection rules + + **Figure 4** Protection rules + + - To disable a rule, click **Disable** in the **Operation** column of the rule. The default **Rule Status** is **Enabled**. + - To modify a rule, click **Modify** in the row containing the rule. + - To delete a rule, click **Delete** in the row containing the rule. 
+ +Protection Effect +----------------- + +If you have configured a precise protection rule as shown in :ref:`Figure 3 ` for your domain name, to verify WAF is protecting your website (**www.example.com**) against the rule: + +#. Clear the browser cache and enter the domain name in the address bar to check whether the website is accessible. + + - If the website is inaccessible, connect the website domain name to WAF by following the instructions in :ref:`Step 1: Add a Website to WAF `. + - If the website is accessible, go to :ref:`Step 2 `. + +#. .. _waf_01_0010__li1160182620213: + + Clear the browser cache and enter **http://www.example.com/admin** (or any page containing **/admin**) in the address bar. Normally, WAF blocks the requests that meet the conditions and returns the block page. + +#. Return to the WAF console. In the navigation pane, click **Events**. On the displayed page, view or :ref:`download events data `. + +Configuration Example - Blocking a Certain Type of Attack Requests +------------------------------------------------------------------ + +Analysis of a specific type of WordPress pingback attack shows that the **User Agent** field contains WordPress. See :ref:`Figure 5 `. + +.. _waf_01_0010__fig16451834185616: + +.. figure:: /_static/images/en-us_image_0168632822.png + :alt: **Figure 5** WordPress pingback attack + + **Figure 5** WordPress pingback attack + +A precise rule as shown in the figure can block this type of attack. + + +.. figure:: /_static/images/en-us_image_0000001378030725.png + :alt: **Figure 6** User Agent configuration + + **Figure 6** User Agent configuration + +.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image2| image:: /_static/images/en-us_image_0000001288266230.png diff --git a/umn/source/rule_configuration/configuring_a_web_tamper_protection_rule.rst b/umn/source/rule_configuration/configuring_a_web_tamper_protection_rule.rst new file mode 100644 index 0000000..f2a650f --- /dev/null 
+++ b/umn/source/rule_configuration/configuring_a_web_tamper_protection_rule.rst 
@@ -0,0 +1,111 @@ +:original_name: waf_01_0014.html + +.. _waf_01_0014: + +Configuring a Web Tamper Protection Rule +======================================== + +WAF can cache configuration for static web pages of websites. After you configure a web tamper protection rule, WAF can: + +- Return directly the cached web page to the normal web visitor to accelerate request response. + +- Return the cached original web pages to visitors if an attacker has tampered with the static web pages. This ensures that your website visitors always get the right web pages. + +- Protect all resources in the web page path. For example, if a web tamper protection rule is configured for static page **www.example.com/admin**, WAF protects all resources in the **/admin** directory. + + So, if the URL in the value of the **Referer** request header is the same as the configured anti-tamper path, for example, **/admin**, all resources (resources ending with png, jpg, jpeg, gif, bmp, css or js) hit by the request are also cached. + +Prerequisites +------------- + +A website has been added to WAF. + +Constraints +----------- + +It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the **Events** page. + +Application Scenarios +--------------------- + +- Quicker response to requests + + After a web tamper protection rule is configured, WAF caches static web pages on the server. When receiving a request from a web visitor, WAF directly returns the cached web page to the web visitor. + +- Web tamper protection + + If an attacker modifies a static web page on the server, WAF still returns the cached original web page to visitors. Visitors never see the pages that were tampered with. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. 
Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane, choose **Website Settings**. + +#. In the **Policy** column of the row containing the target website, click the number to go to the **Policies** page. + +#. In the **Web Tamper Protection** configuration area, change **Status** if needed and click **Customize Rule** to go to the **Web Tamper Protection** page. + + + .. figure:: /_static/images/en-us_image_0000001338155669.png + :alt: **Figure 1** Web Tamper Protection configuration area + + **Figure 1** Web Tamper Protection configuration area + +#. In the upper left corner of the **Web Tamper Protection** page, click **Add Rule**. + +#. In the displayed dialog box, specify the parameters by referring to :ref:`Table 1 `. + + + .. figure:: /_static/images/en-us_image_0000001285636510.png + :alt: **Figure 2** Adding a web tamper protection rule + + **Figure 2** Adding a web tamper protection rule + + .. _waf_01_0014__table2046816299203: + + .. table:: **Table 1** Rule parameters + + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +=======================+=====================================================================================================================================================+=======================+ + | Domain Name | Domain name of the website to be protected | **www.example.com** | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Path | A part of the URL, not including the domain name | **/admin** | + | | | | + | | A URL is used to define the address of a web page. 
The basic URL format is as follows: | | + | | | | + | | Protocol name://Domain name or IP address[:Port]/[Path/.../File name]. | | + | | | | + | | For example, if the URL is **http://www.example.com/admin**, set **Path** to **/admin**. | | + | | | | + | | .. note:: | | + | | | | + | | - The path does not support regular expressions. | | + | | - The path cannot contain two or more consecutive slashes. For example, **///admin**. If you enter **///admin**, WAF converts **///** to **/**. | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Rule Description | A brief description of the rule. This parameter is optional. | None | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +#. Click **Confirm**. You can view the rule in the list of web tamper protection rules. + + + .. figure:: /_static/images/en-us_image_0000001395853109.png + :alt: **Figure 3** List of web tamper protection rules + + **Figure 3** List of web tamper protection rules + +Other Operations +---------------- + +- To disable a rule, click **Disable** in the **Operation** column of the rule. The default **Rule Status** is **Enabled**. +- To update cache of a protected web page, click **Update Cache** in the row containing the corresponding web tamper protection rule. If the rule fails to be updated, WAF will return the recently cached page but not the latest page. +- To delete a rule, click **Delete** in the row containing the rule. + +.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image2| image:: /_static/images/en-us_image_0000001288425878.png 
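Review bot: In configuring_a_known_attack_source_rule.rst, the Specification Limitations bullet "The maximum time an IP address can be blocked for is 30 minutes" covers only IP addresses, while Table 1 applies the same (300, 1800] upper bound to long-term Cookie and Params blocking too. Reword it to cover all six blocking types and state it in the unit of the **Blocking Duration (s)** field, for example "The maximum blocking duration is 1,800 seconds (30 minutes)". The first Constraints bullet is also hard to parse: say directly that a known attack source rule only acts once its blocking type is selected in a basic web protection, precise protection, blacklist, or whitelist rule whose action is Block. Minor: "click **Modify** in row containing the rule" is missing "the".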
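Review bot: In configuring_a_precise_protection_rule.rst, the **Path** row of Table 2 says "This value supports exact matches only", which contradicts the rest of the page: Table 1's example condition is **Path** **Include** **/admin**, the Logic note lists include, prefix and suffix operators, and the NOTICE in the same row says setting **Path** to **/** protects all paths. The matching semantics decide whether a request such as /admin/xxx is covered, so correct or drop the exact-match sentence and describe how Path is compared for each Logic operator. Separately, the important note in the "In the displayed dialog box" step tells the reader to set **Log only** and then "check whether normal requests are blocked on the **Events** page"; nothing is blocked in that mode, so it should say to check whether normal requests are logged as matching the rule.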
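Review bot: In configuring_a_web_tamper_protection_rule.rst, the page never says what happens when the site owner legitimately changes a protected page. As written ("If an attacker modifies a static web page on the server, WAF still returns the cached original web page to visitors"), the same would hold for an authorised edit, and **Update Cache** appears only as a bullet under Other Operations. Add a constraint or note stating that the cache has to be refreshed with **Update Cache** after every legitimate content change, otherwise visitors keep receiving the old page. Also, "WAF caches static web pages on the server" under Application Scenarios reads as if the cache lives on the origin server, and the Update Cache bullet says "If the rule fails to be updated" where it appears to mean the cache.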
diff --git a/umn/source/rule_configuration/configuring_an_information_leakage_prevention_rule.rst b/umn/source/rule_configuration/configuring_an_information_leakage_prevention_rule.rst new file mode 100644 index 0000000..d88c120 --- /dev/null +++ b/umn/source/rule_configuration/configuring_an_information_leakage_prevention_rule.rst 
@@ -0,0 +1,127 @@ +:original_name: waf_01_0054.html + +.. _waf_01_0054: + +Configuring an Information Leakage Prevention Rule +================================================== + +You can add two types of information leakage prevention rules. + +- Sensitive information filtering: prevents disclosure of sensitive information (such as ID numbers, phone numbers, and email addresses). +- Response code interception: blocks the specified HTTP status codes. + +Prerequisites +------------- + +A website has been added to WAF. + +Constraints +----------- + +It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the **Events** page. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane, choose **Website Settings**. + +#. In the **Policy** column of the row containing the target website, click the number to go to the **Policies** page. + +#. In the **Information Leakage Prevention** configuration area, change **Status** if needed and click **Customize Rule**. + + + .. figure:: /_static/images/en-us_image_0000001338214477.png + :alt: **Figure 1** Information Leakage Prevention configuration area + + **Figure 1** Information Leakage Prevention configuration area + +#. In the upper left corner of the **Information Leakage Prevention** page, click **Add Rule**. + +#. In the dialog box displayed, add an information leakage prevention rule by referring to :ref:`Table 1 `. :ref:`Figure 2 ` and :ref:`Figure 3 ` show two examples. + + Information leakage prevention rules prevent sensitive information (such as ID numbers, phone numbers, and email addresses) from being disclosed. This type of rule can also block specified HTTP status codes. 
+ + **Sensitive information filtering**: Configure rules to mask sensitive information, such as phone numbers and ID numbers, from web pages. For example, you can set the following protection rules to mask sensitive information, such as ID numbers, phone numbers, and email addresses: + + .. _waf_01_0054__fig1077215502209: + + .. figure:: /_static/images/en-us_image_0000001285815180.png + :alt: **Figure 2** Sensitive information leakage + + **Figure 2** Sensitive information leakage + + **Response code interception**: An error page of a specific HTTP response code may contain sensitive information. You can configure rules to block such error pages to prevent such information from being leaked out. For example, you can set the following rule to block error pages of specified HTTP response codes 404, 502, and 503. + + .. _waf_01_0054__fig134221027101710: + + .. figure:: /_static/images/en-us_image_0000001285975220.png + :alt: **Figure 3** Blocking response codes + + **Figure 3** Blocking response codes + + .. _waf_01_0054__table242612276178: + + .. table:: **Table 1** Rule parameters + + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+ + | Parameter | Description | Example Value | + +=======================+======================================================================================================================================================================================+=====================================+ + | Path | A part of the URL that does not include the domain name. The URL can contain sensitive information (such as ID numbers, phone numbers, and email addresses) or a blocked error code. | **/admin\*** | + | | | | + | | - Prefix match: Only the prefix of the path to be entered must match that of the path to be protected. 
| | + | | | | + | | If the path to be protected is **/admin**, set **Path** to **/admin\***. | | + | | | | + | | - Exact match: The path to be entered must match the path to be protected. | | + | | | | + | | If the path to be protected is **/admin**, set **Path** to **/admin**. | | + | | | | + | | .. note:: | | + | | | | + | | - The path supports prefix and exact matches only. Regular expressions are not supported. | | + | | - The path cannot contain two or more consecutive slashes. For example, **///admin**. If you enter **///admin**, the WAF engine converts **///** to **/**. | | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+ + | Type | - **Sensitive information filtering** | **Sensitive information filtering** | + | | - **Response code interception**: Enable WAF to block the specified HTTP response code page. | | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+ + | Content | Information to be protected. Options are **Identification card**, **Phone number**, and **Email**. | **Identification card** | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+ + | Rule Description | A brief description of the rule. This parameter is optional. 
| None | + +-----------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------+ + +#. Click **Confirm**. The added information leakage prevention rule is displayed in the list of information leakage prevention rules. + + + .. figure:: /_static/images/en-us_image_0000001395972785.png + :alt: **Figure 4** List of information leakage prevention rules + + **Figure 4** List of information leakage prevention rules + +Other Operations +---------------- + +- To disable a rule, click **Disable** in the **Operation** column of the rule. The default **Rule Status** is **Enabled**. +- To modify a rule, click **Modify** in the row containing the rule. +- To delete a rule, click **Delete** in the row containing the rule. + +Configuration Example — Masking Sensitive Information +----------------------------------------------------- + +To verify that WAF is protecting your domain name *www.example.com* against an information leakage prevention rule: + +#. Add an information leakage prevention rule. + +#. Enabling information leakage prevention. + +#. Clear the browser cache and access http://www.example.com/admin/. + + The email address, phone number, and identity number on the returned page are masked. + +.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image2| image:: /_static/images/en-us_image_0000001340585565.png diff --git a/umn/source/rule_configuration/configuring_an_ip_address_blacklist_or_whitelist_rule.rst b/umn/source/rule_configuration/configuring_an_ip_address_blacklist_or_whitelist_rule.rst new file mode 100644 index 0000000..6ab6efc --- /dev/null +++ b/umn/source/rule_configuration/configuring_an_ip_address_blacklist_or_whitelist_rule.rst 
@@ -0,0 +1,118 @@ +:original_name: waf_01_0012.html + +.. _waf_01_0012: + +Configuring an IP Address Blacklist or Whitelist Rule +===================================================== + +You can configure blacklist and whitelist rules to block, log only, or allow access requests from specific IP addresses or IP address ranges. + +Prerequisites +------------- + +A website has been added to WAF. + +Constraints +----------- + +- WAF does not support batch import of blacklists or whitelists. To configure multiple IP address or IP address range rules, add blacklist and whitelist rules one by one to allow or block specified IP addresses or IP address ranges. +- It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the **Events** page. + +Impact on the System +-------------------- + +If an IP address is added to a blacklist or whitelist, WAF blocks or allows requests from that IP address without checking whether the requests are malicious. + +.. _waf_01_0012__section61533550183130: + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane, choose **Website Settings**. + +#. In the **Policy** column of the row containing the target website, click the number to go to the policy configuration page. + +#. In the **Blacklist and Whitelist** configuration area, change **Status** as needed and click **Customize Rule**. + + + .. figure:: /_static/images/en-us_image_0000001338300589.png + :alt: **Figure 1** Blacklist and Whitelist configuration area + + **Figure 1** Blacklist and Whitelist configuration area + +#. In the upper left corner of the **Blacklist and Whitelist** page, click **Add Rule**. + +#. 
In the displayed dialog box, specify the parameters by referring to :ref:`Table 1 `. + + .. note:: + + - If you select **Log only** for **Protective Action** for an IP address, WAF only identifies and logs requests from the IP address. + - Other IP addresses are evaluated based on other configured WAF protection rules. + + + .. figure:: /_static/images/en-us_image_0000001377910101.png + :alt: **Figure 2** Adding a blacklist or whitelist rule + + **Figure 2** Adding a blacklist or whitelist rule + + .. _waf_01_0012__table147241231818: + + .. table:: **Table 1** Rule parameters + + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------+ + | Parameter | Description | Example Value | + +=======================+=====================================================================================================================================================================================================================================================+===============================+ + | Rule Name | Rule name you entered. | WAF | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------+ + | IP Address/Range | IP addresses or IP address ranges are supported. 
| XXX.XXX.2.3 | + | | | | + | | - IP address: IP address to be added to the blacklist or whitelist | | + | | - IP address range: IP address and subnet mask defining a network segment | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------+ + | Protective Action | - **Block**: Select **Block** if you want to blacklist an IP address or IP address range. | Block | + | | - **Allow**: Select **Allow** if you want to whitelist an IP address or IP address range. | | + | | - **Log only**: Select **Log only** if you want to observe an IP address or IP address range. Then, WAF determines whether the IP address or IP address range are blacklisted or whitelisted based on the :ref:`events data `. | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------+ + | Known Attack Source | If you select **Block** for **Protective Action**, you can select a blocking type of a known attack source rule. WAF will block requests matching the configured IP address, Cookie, or Params for a length of time configured as part of the rule. | Long-term IP address blocking | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------+ + | Rule Description | A brief description of the rule. This parameter is optional. 
| None | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------+ + +#. Click **OK**. You can then view the added rule in the list of blacklist and whitelist rules. + + + .. figure:: /_static/images/en-us_image_0000001345332674.png + :alt: **Figure 3** Blacklist or whitelist rules + + **Figure 3** Blacklist or whitelist rules + + - To disable a rule, click **Disable** in the **Operation** column of the rule. The default **Rule Status** is **Enabled**. + - To modify a rule, click **Modify** in the row containing the rule. + - To delete a rule, click **Delete** in the row containing the rule. + +Protection Effect +----------------- + +If you have added domain name **www.example.com** to this rule, to verify WAF is protecting the corresponding website: + +#. Clear the browser cache and enter the domain name in the address bar to check whether the website is accessible. + + - If the website is inaccessible, connect the website domain name to WAF by following the instructions in :ref:`Step 1: Add a Website to WAF `. + - If the website is accessible, go to :ref:`Step 2 `. + +#. .. _waf_01_0012__li885731953512: + + Blacklist the IP address of a client according to the instructions in :ref:`Procedure `. + +#. Clear the browser cache and access **http://www.example.com**. Normally, WAF blocks such requests and returns the block page. + +#. Return to the WAF console. In the navigation pane, choose **Events**. On the displayed page, view or :ref:`download events data `. + +.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image2| image:: /_static/images/en-us_image_0000001288106282.png 
diff --git a/umn/source/rule_configuration/configuring_anti-crawler_rules.rst b/umn/source/rule_configuration/configuring_anti-crawler_rules.rst new file mode 100644 index 0000000..e2605f3 --- /dev/null +++ b/umn/source/rule_configuration/configuring_anti-crawler_rules.rst 
@@ -0,0 +1,255 @@ +:original_name: waf_01_0015.html + +.. _waf_01_0015: + +Configuring Anti-Crawler Rules +============================== + +You can configure website anti-crawler protection rules to protect against search engines, scanners, script tools, and other crawlers, and use JavaScript to create custom anti-crawler protection rules. + +Prerequisites +------------- + +A website has been added to WAF. + +Constraints +----------- + +- Cookies must be enabled and JavaScript supported by any browser used to access a website protected by anti-crawler protection rules. + +- If your service is connected to CDN, exercise caution when using the JS anti-crawler function. + + CDN caching may impact JS anti-crawler performance and page accessibility. + +- WAF only logs JavaScript challenge and JavaScript authentication events. No other protective actions can be configured for JavaScript challenge and authentication. + +- WAF JavaScript-based anti-crawler rules only check GET requests and do not check POST requests. + +How JavaScript Anti-Crawler Protection Works +-------------------------------------------- + +:ref:`Figure 1 ` shows how JavaScript anti-crawler detection works, which includes JavaScript challenges (step 1 and step 2) and JavaScript authentication (step 3). + +.. _waf_01_0015__fig0891191071116: + +.. figure:: /_static/images/en-us_image_0000001127096041.png + :alt: **Figure 1** JavaScript Anti-Crawler protection process + + **Figure 1** JavaScript Anti-Crawler protection process + +If JavaScript anti-crawler is enabled when a client sends a request, WAF returns a piece of JavaScript code to the client. + +- If the client sends a normal request to the website, triggered by the received JavaScript code, the client will automatically send the request to WAF again. WAF then forwards the request to the origin server. This process is called JavaScript verification. 
+- If the client is a crawler, it cannot be triggered by the received JavaScript code and will not send a request to WAF again. The client fails JavaScript authentication. +- If a client crawler fabricates a WAF authentication request and sends the request to WAF, the WAF will block the request. The client fails JavaScript authentication. + +By collecting statistics on the number of JavaScript challenges and authentication responses, the system calculates how many requests the JavaScript anti-crawler defends. In :ref:`Figure 2 `, the JavaScript anti-crawler has logged 18 events, 16 of which are JavaScript challenge responses, and 2 of which are JavaScript authentication responses. **Others** is the number of WAF authentication requests fabricated by the crawler. + +.. _waf_01_0015__fig10806185634312: + +.. figure:: /_static/images/en-us_image_0000001127126255.png + :alt: **Figure 2** Parameters of a JavaScript anti-crawler protection rule + + **Figure 2** Parameters of a JavaScript anti-crawler protection rule + +.. important:: + + WAF only logs JavaScript challenge and JavaScript authentication events. No other protective actions can be configured for JavaScript challenge and authentication. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane, choose **Website Settings**. + +#. In the **Policy** column of the row containing the target website, click the number to go to the **Policies** page. + +#. .. _waf_01_0015__li11722104461314: + + In the **Anti-Crawler** configuration area, enable anti-crawler using the toggle on the right, as shown in :ref:`Figure 3 `. If you enable this function, click **Configure Anti-Crawler**. + + .. _waf_01_0015__fig193788379: + + .. 
figure:: /_static/images/en-us_image_0000001395732753.png + :alt: **Figure 3** Anti-Crawler configuration area + + **Figure 3** Anti-Crawler configuration area + +#. Select the **Feature Library** tab and enable the protection by referring to :ref:`Table 1 `. :ref:`Figure 4 ` shows an example. + + A feature-based anti-crawler rule has two protective actions: + + - **Block** + + WAF blocks and logs detected attacks. + + - **Log only** + + Detected attacks are logged only. This is the default protective action. + + **Scanner** is enabled by default, but you can enable other protection types if needed. + + .. _waf_01_0015__fig127337271541: + + .. figure:: /_static/images/en-us_image_0000001285803110.png + :alt: **Figure 4** Feature Library + + **Figure 4** Feature Library + + .. _waf_01_0015__table173611272418: + + .. table:: **Table 1** Anti-crawler detection features + + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Type | Description | Remarks | + +=======================+=======================================================================================================================================================================+===================================================================================================================================================================================================================================================================================+ + | Search Engine | This rule is used to block web crawlers, such as Googlebot and Baiduspider, from collecting content from your site. 
| If you enable this rule, WAF detects and blocks search engine crawlers. | + | | | | + | | | .. note:: | + | | | | + | | | If **Search Engine** is not enabled, WAF does not block POST requests from Googlebot or Baiduspider. If you want to block POST requests from Baiduspider, use the configuration described in :ref:`Configuration Example - Search Engine `. | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Scanner | This rule is used to block scanners, such as OpenVAS and Nmap. A scanner scans for vulnerabilities, viruses, and other jobs. | After you enable this rule, WAF detects and blocks scanner crawlers. | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Script Tool | This rule is used to block script tools. A script tool is often used to execute automatic tasks and program scripts, such as HttpClient, OkHttp, and Python programs. | If you enable this rule, WAF detects and blocks the execution of automatic tasks and program scripts. | + | | | | + | | | .. note:: | + | | | | + | | | If your application uses scripts such as HttpClient, OkHttp, and Python, disable **Script Tool**. 
Otherwise, WAF will identify such script tools as crawlers and block the application. | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Other | This rule is used to block crawlers used for other purposes, such as site monitoring, using access proxies, and web page analysis. | If you enable this rule, WAF detects and blocks crawlers that are used for various purposes. | + | | | | + | | .. note:: | | + | | | | + | | To avoid being blocked by WAF, crawlers may use a large number of IP address proxies. | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +#. Select the **JavaScript** tab and configure **Status** and **Protective Action**. + + **JavaScript** anti-crawler is disabled by default. To enable it, click |image3| and click **Confirm** in the displayed dialog box. |image4| indicates that JavaScript anti-crawler is enabled. + + + .. figure:: /_static/images/en-us_image_0000001395732757.png + :alt: **Figure 5** JavaScript + + **Figure 5** JavaScript + + .. important:: + + - Cookies must be enabled and JavaScript supported by any browser used to access a website protected by anti-crawler protection rules. 
+ + - If your service is connected to CDN, exercise caution when using the JS anti-crawler function. + + CDN caching may impact JS anti-crawler performance and page accessibility. + +#. Configure a JavaScript-based anti-crawler rule by referring to :ref:`Table 2 `. + + Two protective actions are provided: **Protect all paths** and **Protect a specified path**. + + - To protect all paths except a specified path + + Select **Protect all paths**, but then in the upper left corner of the page, click **Exclude Path**. Configure the required parameters in the displayed dialog box and click **OK**. + + + .. figure:: /_static/images/en-us_image_0000001285485922.png + :alt: **Figure 6** Exclude Path + + **Figure 6** Exclude Path + + - To protect a specified path only + + Select **Protect a specified path**. In the upper left corner of the page, click **Add Path**. In the displayed dialog box, configure required parameters and click **OK**. + + + .. figure:: /_static/images/en-us_image_0000001285486134.png + :alt: **Figure 7** Add Path + + **Figure 7** Add Path + + .. _waf_01_0015__table888894565019: + + .. 
table:: **Table 2** Parameters of a JavaScript-based anti-crawler protection rule + + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +=======================+=====================================================================================================================================================+=======================+ + | Rule Name | Name of the rule | wafjs | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Path | A part of the URL, not including the domain name | /admin | + | | | | + | | A URL is used to define the address of a web page. The basic URL format is as follows: | | + | | | | + | | Protocol name://Domain name or IP address[:Port]/[Path/.../File name]. | | + | | | | + | | For example, if the URL is **http://www.example.com/admin**, set **Path** to **/admin**. | | + | | | | + | | .. note:: | | + | | | | + | | - The path does not support regular expressions. | | + | | - The path cannot contain two or more consecutive slashes. For example, **///admin**. If you enter **///admin**, WAF converts **///** to **/**. | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Logic | Select a logical relationship from the drop-down list. | Include | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Rule Description | A brief description of the rule. 
| None | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +Other Operations +---------------- + +- To disable a rule, click **Disable** in the **Operation** column of the rule. The default **Rule Status** is **Enabled**. +- To modify a rule, click **Modify** in the row containing the rule. +- To delete a rule, click **Delete** in the row containing the rule. + +Configuration Example - Logging Script Crawlers Only +---------------------------------------------------- + +To verify that WAF is protecting domain name **www.example.com** against an anti-crawler rule: + +#. Execute a JavaScript tool to crawl web page content. + +#. On the **Feature Library** tab, enable **Script Tool** and select **Log only** for **Protective Action**. (If WAF detects an attack, it logs the attack only.) + + + .. figure:: /_static/images/en-us_image_0000001285811290.png + :alt: **Figure 8** Enabling Script Tool + + **Figure 8** Enabling Script Tool + +#. Enable anti-crawler protection. + + + .. figure:: /_static/images/en-us_image_0000001395732753.png + :alt: **Figure 9** Anti-Crawler configuration area + + **Figure 9** Anti-Crawler configuration area + +#. In the navigation pane on the left, choose **Events** to go to the **Events** page. + +.. _waf_01_0015__section1110674010446: + +Configuration Example - Search Engine +------------------------------------- + +The following shows how to allow the search engine of Baidu or Google and block the POST request of Baidu. + +#. Set **Status** of **Search Engine** to |image5| by referring to the instructions in :ref:`Step 6 `. + +#. Configure a precise protection rule by referring to :ref:`Configuring a Precise Protection Rule `, as shown in :ref:`Figure 10 `. + + .. _waf_01_0015__fig1439052051516: + + .. 
figure:: /_static/images/en-us_image_0000001338332661.png + :alt: **Figure 10** Blocking POST requests + + **Figure 10** Blocking POST requests + +.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image2| image:: /_static/images/en-us_image_0000001340426097.png +.. |image3| image:: /_static/images/en-us_image_0234013368.png +.. |image4| image:: /_static/images/en-us_image_0000001285643550.png +.. |image5| image:: /_static/images/en-us_image_0000001227094315.png diff --git a/umn/source/rule_configuration/configuring_basic_web_protection_rules.rst b/umn/source/rule_configuration/configuring_basic_web_protection_rules.rst new file mode 100644 index 0000000..b42409d --- /dev/null +++ b/umn/source/rule_configuration/configuring_basic_web_protection_rules.rst 
@@ -0,0 +1,175 @@ +:original_name: waf_01_0008.html + +.. _waf_01_0008: + +Configuring Basic Web Protection Rules +====================================== + +After this function is enabled, WAF can defend against common web attacks, such as SQL injections, XSS, remote overflow vulnerabilities, file inclusions, Bash vulnerabilities, remote command execution, directory traversal, sensitive file access, and command/code injections. You can also enable other checks in basic web protection, such as web shell detection, deep inspection against evasion attacks, and header inspection. + +.. important:: + + Basic web protection has two modes: **Block** and **Log only**. + +Prerequisites +------------- + +A website has been added to WAF. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane, choose **Website Settings**. + +#. In the **Policy** column of the row containing the target website, click the number to go to the policy configuration page. + +#. In the **Basic Web Protection** configuration area, change **Status** and **Mode** as needed by referring to :ref:`Table 1 `. + + + .. figure:: /_static/images/en-us_image_0000001285577912.png + :alt: **Figure 1** Basic Web Protection configuration area + + **Figure 1** Basic Web Protection configuration area + + .. _waf_01_0008__table42360431192825: + + .. table:: **Table 1** Parameter description + + +-----------------------------------+-----------------------------------------------------+ + | Parameter | Description | + +===================================+=====================================================+ + | Status | Status of Basic Web Protection | + | | | + | | - |image3|: enabled. 
| + | | - |image4|: disabled | + +-----------------------------------+-----------------------------------------------------+ + | Mode | - **Block**: WAF blocks and logs detected attacks. | + | | - **Log only**: WAF only logs detected attacks. | + +-----------------------------------+-----------------------------------------------------+ + +#. In the **Basic Web Protection** configuration area, click **Advanced Settings**. + +#. Click the **Protection Status** tab, and enable protection types one by one by referring to :ref:`Table 3 `. :ref:`Figure 2 ` shows an example. + + .. _waf_01_0008__fig17347539113910: + + .. figure:: /_static/images/en-us_image_0000001337778441.png + :alt: **Figure 2** Basic web protection + + **Figure 2** Basic web protection + + a. Set the protection level. + + In the upper part of the page, set **Protection Level** to **Low**, **Medium**, or **High**. The default value is **Medium**. + + .. table:: **Table 2** Protection levels + + +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Protection Level | Description | + +===================================+============================================================================================================================================================================================================================================+ + | Low | WAF only blocks the requests with obvious attack signatures. | + | | | + | | If a large number of false alarms are reported, **Low** is recommended. 
| + +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Medium | The default level is **Medium**, which meets a majority of web protection requirements. | + +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | High | At this level, WAF provides the finest granular protection and can intercept attacks with complex bypass features, such as Jolokia cyber attacks, common gateway interface (CGI) vulnerability detection, and Druid SQL injection attacks. | + | | | + | | To let WAF defend against more attacks but make minimum effect on normal requests, observe your workloads for a period of time first. Then, configure a global protection whitelist rule and select **High**. | + +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + + b. Set the protection type. + + .. important:: + + By default, **General Check** is enabled. You can enable other protection types by referring to :ref:`Table 3 `. + + .. _waf_01_0008__table1054818371898: + + .. 
table:: **Table 3** Protection types + + +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Type | Description | + +===================================+===============================================================================================================================================================================================================================================================================================+ + | General Check | Defends against attacks such as SQL injections, XSS, remote overflow vulnerabilities, file inclusions, Bash vulnerabilities, remote command execution, directory traversal, sensitive file access, and command/code injections. SQL injection attacks are mainly detected based on semantics. | + | | | + | | .. note:: | + | | | + | | If you enable **General Check**, WAF checks your websites based on the built-in rules. | + +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Webshell Detection | Protects against web shells from upload interface. | + | | | + | | .. note:: | + | | | + | | If you enable **Webshell Detection**, WAF detects web page Trojan horses inserted through the upload interface. 
| + +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Deep Inspection | Identifies and blocks evasion attacks, such as the ones that use homomorphic character obfuscation, command injection with deformed wildcard characters, UTF7, data URI scheme, and other techniques. | + | | | + | | .. note:: | + | | | + | | If you enable **Deep Inspection**, WAF detects and defends against evasion attacks in depth. | + +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Header Inspection | This function is disabled by default. When it is disabled, General Check will check some of the header fields, such as User-Agent, Content-type, Accept-Language, and Cookie. | + | | | + | | .. note:: | + | | | + | | If you enable this function, WAF checks all header fields in the requests. | + +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +#. Click the **Protection Rules** tab to view details. For more details about the parameters, see :ref:`Table 4 `. + + .. note:: + + Click |image5| to search for a rule by **CVE ID**, **Risk Severity**, **Application Type**, or **Protection Type**. + + .. _waf_01_0008__table19135226105218: + + .. 
table:: **Table 4** Protection rules + + +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Parameter | Description | + +===================================+==========================================================================================================================================================================================================================================================================================================================================================================================================================+ + | Rule ID | The protection rule ID, which is generated automatically. | + +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Rule Description | Details of attacks the protection rule is configured for. 
| + +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | CVE ID | Common Vulnerabilities & Exposures (CVE) ID, which corresponds to the protection rule. For non-CVE vulnerabilities, a double dash (--) is displayed. | + +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Risk Severity | The severity of the vulnerability, including: | + | | | + | | - High | + | | - Medium | + | | - Low | + +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Application Type | The application type the protection rule is used for. 
| + +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Protection Type | The type of the protection rule. WAF can discover SQL injection, command injection, XSS attacks, XML external entity (XXE) injection, Expression Language (EL) Injection, CSRF, SSRF, local file inclusion, remote file inclusion, website Trojans, malicious crawlers, session fixation attacks, deserialization vulnerabilities, remote command execution, information leakage, DoS attacks, source code/data leakage. | + +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +Protection Effect +----------------- + +If **General Check** is enabled and **Mode** is set to **Block** for your domain name, to verify WAF is protecting your website (**www.example.com**) against general check items: + +#. Clear the browser cache and enter the domain name in the address box of a browser to check whether the website is accessible. + + - If the website is inaccessible, connect the website domain name to WAF by following the instructions in :ref:`Step 1: Add a Website to WAF `. + - If the website is accessible, go to :ref:`Step 2 `. + +#. .. 
_waf_01_0008__li2057953372517: + + Clear the browser cache and enter **http://www.example.com?id=1%27%20or%201=1** in the address box of the browser to simulate an SQL injection attack. + +#. Return to the WAF console. In the navigation pane, choose **Events**. On the displayed page, view or :ref:`download events data `. + +.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image2| image:: /_static/images/en-us_image_0000001340426101.png +.. |image3| image:: /_static/images/en-us_image_0000001337777849.png +.. |image4| image:: /_static/images/en-us_image_0269496734.png +.. |image5| image:: /_static/images/en-us_image_0268155242.png diff --git a/umn/source/rule_configuration/index.rst b/umn/source/rule_configuration/index.rst new file mode 100644 index 0000000..0648402 --- /dev/null +++ b/umn/source/rule_configuration/index.rst 
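Review bot: In configuring_basic_web_protection_rules.rst, the "Protection Effect" procedure never states the expected result: step 2 sends the simulated SQL injection request and step 3 only says to open **Events**, so a reader cannot tell a policy that blocked the request from one left in **Log only**. Say after step 2 that the request should be blocked when **Mode** is **Block**, and in step 3 that a matching SQL injection event should appear in the list. The sentence introducing the steps ("If **General Check** is enabled ... to verify WAF is protecting your website ...") has no main clause; end it with something like "perform the following steps". The test URL also lacks the "/" between the host and the query string (www.example.com?id=...).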
@@ -0,0 +1,38 @@ +:original_name: waf_01_0007.html + +.. _waf_01_0007: + +Rule Configuration +================== + +- :ref:`Configuration Guidance ` +- :ref:`Configuring Basic Web Protection Rules ` +- :ref:`Configuring a CC Attack Protection Rule ` +- :ref:`Configuring a Precise Protection Rule ` +- :ref:`Adding a Reference Table ` +- :ref:`Configuring an IP Address Blacklist or Whitelist Rule ` +- :ref:`Configuring a Known Attack Source Rule ` +- :ref:`Configuring a Geolocation Access Control Rule ` +- :ref:`Configuring a Web Tamper Protection Rule ` +- :ref:`Configuring Anti-Crawler Rules ` +- :ref:`Configuring an Information Leakage Prevention Rule ` +- :ref:`Configuring a Global Protection Whitelist (Formerly False Alarm Masking) Rule ` +- :ref:`Configuring a Data Masking Rule ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + configuration_guidance + configuring_basic_web_protection_rules + configuring_a_cc_attack_protection_rule + configuring_a_precise_protection_rule + adding_a_reference_table + configuring_an_ip_address_blacklist_or_whitelist_rule + configuring_a_known_attack_source_rule + configuring_a_geolocation_access_control_rule + configuring_a_web_tamper_protection_rule + configuring_anti-crawler_rules + configuring_an_information_leakage_prevention_rule + configuring_a_global_protection_whitelist_formerly_false_alarm_masking_rule + configuring_a_data_masking_rule diff --git a/umn/source/service_overview/application_scenarios.rst b/umn/source/service_overview/application_scenarios.rst new file mode 100644 index 0000000..8de7da3 --- /dev/null +++ b/umn/source/service_overview/application_scenarios.rst 
@@ -0,0 +1,47 @@ +:original_name: waf_01_0046.html + +.. _waf_01_0046: + +Application Scenarios +===================== + +Common protection +----------------- + +WAF helps you defend against common web attacks, such as command injection and sensitive file access. + +Protection for online shopping mall promotion activities +-------------------------------------------------------- + +Countless malicious requests may be sent to service interfaces during online promotions. WAF allows configurable rate limiting policies to defend against CC attacks. This prevents services from breaking down due to many concurrent requests, ensuring response to legitimate requests. + +Protection against zero-day vulnerabilities +------------------------------------------- + +Services cannot recover quickly from impact of zero-day vulnerabilities in third-party web frameworks and plug-ins. WAF updates the preset protection rules immediately to add an additional protection layer to such web frameworks and plug-ins, and this layer can react faster than fixing the vulnerabilities. + +Data leakage prevention +----------------------- + +WAF prevents malicious actors from using methods such as SQL injection and web shells to bypass application security and gain remote access to web databases. You can configure anti-data leakage rules on WAF to provide the following functions: + +- Precise identification + + WAF uses semantic analysis & regex to examine traffic from different dimensions, precisely detecting malicious traffic. + +- Distortion attack detection + + WAF detects a wide range of distortion attack patterns with 7 decoding methods to prevent bypass attempts. + +Web page tampering prevention +----------------------------- + +WAF ensures that attackers cannot leave backdoors on your web servers or tamper with your web page content, preventing damage to your credibility. 
You can configure web tamper protection rules on WAF to provide the following functions: + +- Website malicious code detection + + You can configure WAF to detect malicious code injected into web servers and ensure secure visits to web pages. + +- Web page tampering prevention + + WAF prevents attackers from tampering with web page content or publishing inappropriate information that can damage your reputation. diff --git a/umn/source/service_overview/functions.rst b/umn/source/service_overview/functions.rst new file mode 100644 index 0000000..36600bf --- /dev/null +++ b/umn/source/service_overview/functions.rst 
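Review bot: In application_scenarios.rst, "Data leakage prevention" refers to "anti-data leakage rules", a name used nowhere else in this patch; rule_configuration/index.rst and functions.rst call the feature "Information Leakage Prevention". Use one name, and check that the two listed functions (semantic/regex identification and distortion attack detection) belong to that rule type rather than to basic web protection, which is where functions.rst describes them. "7 decoding methods" would be easier to verify with a reference to the list in functions.rst, and "updates the preset protection rules immediately" should be reconciled with the "within 2 hours" figure in product_advantages.rst.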
@@ -0,0 +1,173 @@ +:original_name: waf_01_0094.html + +.. _waf_01_0094: + +Functions +========= + +WAF makes it easier for you to handle web security risks. + +HTTP/HTTPS Service Protection +----------------------------- + +WAF keeps applications stable and secure. It examines HTTP and HTTPS requests to detect and block attacks, such as Structure Query Language (SQL) injections, cross-site scripting (XSS), web shell upload, command or code injections, file inclusion, sensitive file access, third-party vulnerability exploits, CC attacks, malicious crawlers, and cross-site request forgery (CSRF). + +WebSocket/WebSockets +-------------------- + +WAF supports the WebSocket/WebSockets protocol, which is enabled by default. + +Basic Web Protection +-------------------- + +With an extensive preset reputation database, WAF defends against Open Web Application Security Project (OWASP) top 10 threats, malicious scanners, IP addresses, web shells, and other threats. + +- All-around protection + + WAF detects and blocks varied attacks, such as SQL injection, XSS, remote overflow vulnerabilities, file inclusions, Bash vulnerabilities, directory (path) traversal attacks, sensitive file access, command and code injections, web shells, backdoors, malicious HTTP requests, and third-party vulnerability exploits. + +- Precise identification + + - WAF uses built-in semantic analysis engine and regex engine and supports configuring of blacklist/whitelist rules, which reduces false positives. + + - WAF supports anti-escape and automatic restoration of common codes, which improves the capability of recognizing deformation web attacks. 
+ + WAF can decode the following types of code: url_encode, Unicode, XML, OCT, hexadecimal, HTML escape, and base64 code, case confusion, JavaScript, shell, and PHP concatenation confusion + +CC Attack Prevention +-------------------- + +You can customize a CC attack protection rule to restrict access to a specific URL on your website based on an IP address, cookie, or Referer, mitigating CC attacks. Protective actions of CC attack protection rules include **Verification code**, **Block**, **Dynamically block**, and **Log only**. + +- Flexible policy configuration + + WAF allows you to flexibly set rate limiting policies by IP address, cookie, or Referer field. + +- Returned page customization + + You can customize returned content and page types to meet diverse service needs. + +GUI-based Security Data +----------------------- + +WAF provides a GUI-based interface for you to monitor attack information and event logs in real time. + +- Centralized policy configuration + + On the WAF console, you can configure policies applicable to multiple protected domain names in a centralized manner so that the policies can be quickly delivered and take effect. + +- Traffic and event statistics + + WAF displays the number of requests, the number and types of security events, and log information in real time. + +.. _waf_01_0094__section13907174905412: + +Non-Standard Ports +------------------ + +WAF can protect standard ports, such as 80 and 443 and a wide range of non-standard ports. + +.. 
table:: **Table 1** Supported ports + + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+ + | Port Category | HTTP Protocol | HTTPS Protocol | Port Limit | + 
+===================================+===========================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+============================================================================================================================================================================================================+============+ + | Standard ports | 80 | 443 | Unlimited | + 
+-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+ + | Non-standard ports (182 in total) | 9945, 9770, 81, 82, 83, 84, 88, 89, 800, 808, 1000, 1090, 3128, 3333, 3501, 3601, 4444, 5000, 5222, 5555, 5601, 6001, 6666, 6788, 6789, 6842, 6868, 7000, 7001, 7002, 7003, 7004, 7005, 7006, 7009, 7010, 7011, 7012, 7013, 7014, 7015, 7016, 7018, 7019, 7020, 7021, 7022, 7023, 7024, 7025, 7026, 7070, 7081, 7082, 7083, 7088, 7097, 7777, 7800, 7979, 8000, 8001, 8002, 8003, 8008, 8009, 8010, 8020, 8021, 8022, 8025, 8026, 8077, 8078, 8080, 8085, 8086, 8087, 8088, 8089, 8090, 8091, 8092, 8093, 8094, 8095, 8096, 8097, 8098, 8106, 8118, 8181, 8334, 8336, 8800, 8686, 8888, 8889, 8989, 8999, 9000, 9001, 9002, 9003, 9080, 9200, 9802, 10000, 10001, 10080, 12601, 86, 9021, 9023, 9027, 9037, 9081, 9082, 9201, 9205, 9207, 9208, 9209, 9210, 9211, 9212, 9213, 48800, 87, 97, 7510, 9180, 9898, 9908, 9916, 9918, 9919, 
9928, 9929, 9939, 28080, 33702, 8011, 8012, 8013, 8014, 8015, 8016, 8017, and 8070 | 8750, 8445, 18010, 4443, 5443, 6443, 7443, 8081, 8082, 8083, 8084, 8443, 8843, 9443, 8553, 8663, 9553, 9663, 18110, 18381, 18980, 28443, 18443, 8033, 18000, 19000, 7072, 7073, 8803, 8804, 8805, and 9999 | Unlimited | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+ + +Precise Protection +------------------ + +Support precise logic- and parameter-based access control policies. + +- A variety of parameter conditions + + Set conditions with combinations of common HTTP parameters, such as **IP**, **URL**, **Referer**, **User Agent**, **Params**, and **Header**. + +- Abundant logical conditions + + WAF blocks or allows traffic based on logical conditions, such as "Include", "Exclude", "Equal to", "Not equal to", "Prefix is", and "Prefix is not." 
+ +Malicious Scanner and Crawler Prevention +---------------------------------------- + +Blocks web page crawling with user-defined scanner and crawler rules. This feature improves protection accuracy. + +IP Address Blacklist and Whitelist +---------------------------------- + +This function allows you to blacklist or whitelist IP addresses or an IP address range to improve defense accuracy. + +Known Attack Source +------------------- + +- If WAF blocks a malicious request by IP address, Cookie, or Params, you can configure a known attack source rule to let WAF automatically block all requests from the attack source for a blocking duration set in the known attack source rule. +- Known attack source rules can be set based on attacks blocked against the basic web protection, precise access protection, and blacklist and whitelist rules. + +Connection Protection +--------------------- + +If a large number of 502 Bad Gateway and 504 Gateway Timeout errors are detected, you can enable WAF breakdown protection and connection protection to let WAF suspend your website and protect your origin servers from being crashed. When the 502/504 error requests and pending URL requests reach the thresholds you configure, WAF enables corresponding protection for your website. + +Configuring Connection Timeout +------------------------------ + +- The default timeout duration for connections between a browser and WAF is 120 seconds, which cannot be manually set. + +- The default timeout duration for connections between WAF and your origin server is 60 seconds. You can customize a timeout duration. + + In the **Basic Information** area on the website information page, enable **Timeout Settings**. Then, click |image1| next to **WAF-to-Server Connection Timeout**, **Read Timeout**, and **Write Timeout**, modify settings one by one, and click |image2| to save. 
+ +Geolocation Access Control +-------------------------- + +You can allow some web requests and block others based on the geographical locations of IP addresses that the requests originate from. + +Web Page Tampering Prevention +----------------------------- + +You can configure cache for static web pages. When a user accesses a web page, the system returns a cached page to the user and randomly checks whether the page is tampered with. + +Anti-Crawler Protection +----------------------- + +WAF dynamically analyzes your website service models and accurately identifies crawler behavior based on data risk control and bot identification systems. + +- Feature library + + Blocks web page crawling with user-defined scanner and crawler rules. This feature improves protection accuracy. + +- JavaScript + + Identifies and blocks JavaScript crawling with user-defined rules. + +Global Protection Whitelist (Formerly False Alarm Masking) +---------------------------------------------------------- + +This function enables you to ignore certain attack detection rules for specific requests. + +Data Masking +------------ + +WAF masks sensitive information, such as usernames and passwords, in the event log. + +Information Leakage Prevention +------------------------------ + +WAF prevents your sensitive information from being disclosed on web pages, such as ID numbers, phone numbers, and email addresses. + +Reliable +-------- + +WAF can be deployed on multiple clusters in multiple regions based on the load balancing principle. This can prevent single point of failures (SPOFs) and ensure online smooth capacity expansion, maximizing service stability. + +Event Management +---------------- + +- WAF allows you to view and handle false alarms for blocked or logged events. +- You can download events data over the past five days. + +.. |image1| image:: /_static/images/en-us_image_0000001326514597.png +.. |image2| image:: /_static/images/en-us_image_0000001275434812.png 
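Review bot: In functions.rst, the decoding sentence under "Basic Web Protection" is malformed: "url_encode, Unicode, XML, OCT, hexadecimal, HTML escape, and base64 code, case confusion, JavaScript, shell, and PHP concatenation confusion" puts "and" in the middle of the list, mixes encodings with obfuscation techniques, and has no closing period. Split it into the encodings WAF decodes and the obfuscation forms it normalizes. In the same file, "Structure Query Language" should be "Structured Query Language", "malicious scanners, IP addresses, web shells" lists IP addresses as a threat without a qualifier, and the text under "Malicious Scanner and Crawler Prevention" is repeated word for word under "Feature library" in "Anti-Crawler Protection".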
diff --git a/umn/source/service_overview/index.rst b/umn/source/service_overview/index.rst new file mode 100644 index 0000000..62b8477 --- /dev/null +++ b/umn/source/service_overview/index.rst @@ -0,0 +1,26 @@ +:original_name: waf_01_0064.html + +.. _waf_01_0064: + +Service Overview +================ + +- :ref:`What Is Web Application Firewall? ` +- :ref:`Specifications ` +- :ref:`Functions ` +- :ref:`Product Advantages ` +- :ref:`Application Scenarios ` +- :ref:`WAF Permissions Management ` +- :ref:`WAF and Other Services ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + what_is_web_application_firewall + specifications + functions + product_advantages + application_scenarios + waf_permissions_management + waf_and_other_services diff --git a/umn/source/service_overview/product_advantages.rst b/umn/source/service_overview/product_advantages.rst new file mode 100644 index 0000000..3dd4cc4 --- /dev/null +++ b/umn/source/service_overview/product_advantages.rst 
@@ -0,0 +1,26 @@ +:original_name: waf_01_0065.html + +.. _waf_01_0065: + +Product Advantages +================== + +WAF examines web traffic from multiple dimensions to accurately identify malicious requests and filter attacks, reducing the risks of data being tampered with or stolen. + +Precisely and Efficiently Identify Threats +------------------------------------------ + +- WAF uses rule and AI dual engines and integrates our latest security rules and best practices. +- You can configure enterprise-grade policies to protect your website more precisely, including custom alarm pages, combining multiple conditions in a CC attack protection rule, and blacklisting or whitelisting a large number of IP addresses. + +Zero-Day Vulnerabilities Patched Fast +------------------------------------- + +A specialized security team provides 24/7 service support to fix zero-day vulnerabilities within 2 hours. + +Strong Protection for User Data Privacy +--------------------------------------- + +- Sensitive information, such as accounts and passwords, in attack logs can be anonymized. +- PCI-DSS checks for SSL encryption are available. +- The minimum TLS protocol version and cipher suite can be configured. diff --git a/umn/source/service_overview/specifications.rst b/umn/source/service_overview/specifications.rst new file mode 100644 index 0000000..8f27198 --- /dev/null +++ b/umn/source/service_overview/specifications.rst 
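Review bot: In product_advantages.rst, "fix zero-day vulnerabilities within 2 hours" under "Zero-Day Vulnerabilities Patched Fast" claims more than the rest of the patch supports: application_scenarios.rst says WAF updates its preset protection rules to add a protection layer in front of the affected framework or plug-in, which leaves the vulnerability itself unfixed. Reword the heading and sentence to say that protection rules for a zero-day vulnerability are released within 2 hours, and state what the 2 hours is measured from.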
@@ -0,0 +1,78 @@ +:original_name: waf_01_0272.html + +.. _waf_01_0272: + +Specifications +============== + +WAF is deployed in dedicated mode. The following tables describe specifications and functions of the dedicated WAF instances. + +Dedicated Mode +-------------- + +:ref:`Table 1 ` describes dedicated WAF instances. + +.. _waf_01_0272__table680245522517: + +.. table:: **Table 1** Dedicated mode description + + +-----------------------------------+-------------------------------------------------------------------------------------------------------------------+ + | Item | Description | + +===================================+===================================================================================================================+ + | Deployment mode | Dedicated WAF instances | + +-----------------------------------+-------------------------------------------------------------------------------------------------------------------+ + | Application scenarios | Service servers are deployed on the cloud. | + | | | + | | Suitable for large enterprise websites that have a large service scale and have customized security requirements. | + +-----------------------------------+-------------------------------------------------------------------------------------------------------------------+ + | Protection objects | Domain names or IP addresses | + +-----------------------------------+-------------------------------------------------------------------------------------------------------------------+ + | Advantages | - Enable cloud and on-premises deployment. | + | | - Enable exclusive use of WAF instance. | + | | - Meet requirements for protection against large-scale traffic attacks. | + | | - Deploy dedicated WAF instances in a VPC to reduce network latency. 
| + +-----------------------------------+-------------------------------------------------------------------------------------------------------------------+ + +Service Scale +------------- + +For more details, see :ref:`Table 2 `. + +.. _waf_01_0272__en-us_topic_0110861186_table15136121131817: + +.. table:: **Table 2** Service specifications + + +-------------------------------------------------------------------------+---------------------------------------------------------+ + | Service metrics | Specifications | + +=========================================================================+=========================================================+ + | Peak rate of normal service requests | - 2,000 QPS (WAF instance specifications: 100 Mbit/s) | + | | - 10,000 QPS (WAF instance specifications: 500 Mbit/s) | + +-------------------------------------------------------------------------+---------------------------------------------------------+ + | Service bandwidth threshold (Origin servers are deployed on the cloud.) 
| - 100 Mbit/s (WAF instance specifications: 100 Mbit/s) | + | | - 500 Mbit/s (WAF instance specifications: 500 Mbit/s) | + +-------------------------------------------------------------------------+---------------------------------------------------------+ + | Number of domains | 2,000 (Supports 2,000 top-level domain names) | + +-------------------------------------------------------------------------+---------------------------------------------------------+ + | Peak rate of CC attack protection | 500,000 QPS | + +-------------------------------------------------------------------------+---------------------------------------------------------+ + | CC attack protection rules | 100 | + +-------------------------------------------------------------------------+---------------------------------------------------------+ + | Precise protection rules | 100 | + +-------------------------------------------------------------------------+---------------------------------------------------------+ + | IP address blacklist and whitelist rules | 100 | + +-------------------------------------------------------------------------+---------------------------------------------------------+ + | Geolocation access control rules | 100 | + +-------------------------------------------------------------------------+---------------------------------------------------------+ + | Web tamper protection rules | 100 | + +-------------------------------------------------------------------------+---------------------------------------------------------+ + | Information leakage prevention rules | 100 | + +-------------------------------------------------------------------------+---------------------------------------------------------+ + | Global Protection Whitelist (Formerly False Alarm Masking) | 1,000 | + +-------------------------------------------------------------------------+---------------------------------------------------------+ + | Data masking rules | 100 | + 
+-------------------------------------------------------------------------+---------------------------------------------------------+ + +.. important:: + + - The number of domains is the total number of top-level domain names (for example, example.com), single domain names/subdomain names (for example, www.example.com), and wildcard domain names (for example, \*.example.com). + - If a domain name maps to different ports, each port is considered to represent a different domain name. For example, **www.example.com:8080** and **www.example.com:8081** are counted towards your quota as two distinct domain names. diff --git a/umn/source/service_overview/waf_and_other_services.rst b/umn/source/service_overview/waf_and_other_services.rst new file mode 100644 index 0000000..ab42c23 --- /dev/null +++ b/umn/source/service_overview/waf_and_other_services.rst 
@@ -0,0 +1,102 @@ +:original_name: waf_01_0051.html + +.. _waf_01_0051: + +WAF and Other Services +====================== + +This topic describes WAF and other cloud services. + +CTS +--- + +.. table:: **Table 1** WAF operations that can be recorded by CTS + + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Operation | Resource Type | Trace Name | + +===============================================================================================+===============+=====================+ + | Creating a WAF instance | instance | createInstance | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Deleting a WAF instance | instance | deleteInstance | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Modifying a WAF instance | instance | alterInstanceName | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Modifying the protection status of a WAF instance | instance | modifyProtectStatus | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Modifying the connection status of a WAF instance | instance | modifyAccessStatus | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Creating a WAF policy | policy | createPolicy | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Applying a WAF policy | policy | applyToHost | + 
+-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Modifying a policy | policy | modifyPolicy | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Deleting a WAF policy | policy | deletePolicy | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Uploading a certificate | certificate | createCertificate | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Changing the name of a certificate | certificate | modifyCertificate | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Adding a CC attack protection rule | policy | createCc | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Modifying a CC attack protection rule | policy | modifyCc | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Deleting a CC attack protection rule | policy | deleteCc | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Adding a precise protection rule | policy | createCustom | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Modifying a precise protection rule | policy | modifyCustom | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Deleting a precise protection rule | policy | deleteCustom | 
+ +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Adding an IP address blacklist or whitelist rule | policy | createWhiteblackip | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Modifying an IP address blacklist or whitelist rule | policy | modifyWhiteblackip | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Deleting an IP address blacklist or whitelist rule | policy | deleteWhiteblackip | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Creating/updating a web tamper protection rule | policy | createAntitamper | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Deleting a web tamper protection rule | policy | deleteAntitamper | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Creating a false alarm maskingglobal protection whitelist (formerly false alarm masking) rule | policy | createIgnore | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Deleting a false alarm maskingglobal protection whitelist (formerly false alarm masking) rule | policy | deleteIgnore | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Adding a data masking rule | policy | createPrivacy | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Modifying a data masking rule | 
policy | modifyPrivacy | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Deleting a data masking rule | policy | deletePrivacy | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + +Cloud Eye +--------- + +Cloud Eye monitors the indicators of the dedicated WAF, so that you can understand the protection status of the dedicated WAF in a timely manner, and set protection policies accordingly. For details, see the *Cloud Eye User Guide*. + +For details about WAF monitored metrics, see :ref:`WAF Monitored Metrics `. + +ELB +--- + +You can add your WAF instances to a load balancer so that your website traffic is distributed by the load balancer across WAF instances for detection and then forwarded by WAF to the origin server. In this way, website traffic will be protected even if one of your WAF instances becomes faulty. + +IAM +--- + +Identity and Access Management (IAM) provides the permission management function for WAF. Only users granted WAF Administrator permissions can use WAF. To obtain this permission, contact the users who have the Security Administrator permissions. + +TMS +--- + +Tag Management Service (TMS) is a visualized service for fast and unified tag management that enables you to label and manage WAF instances by tags. + +.. table:: **Table 2** WAF operations supported by TMS + + =========================== ============= ================= + Operation Resource Type Trace Name + =========================== ============= ================= + Creating a WAF instance tag Tag createResourceTag + Deleting a WAF instance tag Tag deleteResourceTag + =========================== ============= ================= diff --git a/umn/source/service_overview/waf_permissions_management.rst b/umn/source/service_overview/waf_permissions_management.rst new file mode 100644 index 0000000..b8b6d05 
--- /dev/null +++ b/umn/source/service_overview/waf_permissions_management.rst 
@@ -0,0 +1,43 @@ +:original_name: waf_01_0052.html + +.. _waf_01_0052: + +WAF Permissions Management +========================== + +If you need to assign different permissions to employees in your enterprise to access your WAF resources, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your resources. + +With IAM, you can use your account to create IAM users, and assign permissions to the users to control their access to specific resources. For example, some software developers in your enterprise need to use WAF resources but must not delete them or perform any high-risk operations. To achieve this result, you can create IAM users for the software developers and grant them only the permissions required for using WAF resources. + +If your account does not need individual IAM users for permissions management, then you may skip over this chapter. + +WAF Permissions +--------------- + +By default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services based on the permissions. + +WAF is a project-level service deployed and accessed in specific physical regions. To assign WAF permissions to a user group, specify the scope as region-specific projects and select projects for the permissions to take effect. If **All projects** is selected, the permissions will take effect for the user group in all region-specific projects. When accessing WAF, the users need to switch to a region where they have been authorized to use the WAF service. + +You can grant users permissions by using roles and policies. + +- Roles: A type of coarse-grained authorization mechanism that defines permissions related to users responsibilities. 
Only a limited number of service-level roles for authorization are available. You need to also assign other dependent roles for the permission control to take effect. Roles are not ideal for fine-grained authorization and secure access control. +- Policies: A fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization and meets secure access control requirements. For example, you can grant WAF users only the permissions for managing a certain type of resources. Most policies define permissions based on APIs. For the API actions supported by WAF, see :ref:`WAF Permissions and Supported Actions `. + +:ref:`Table 1 ` lists all the system roles supported by WAF. + +.. _waf_01_0052__table1409182914134: + +.. table:: **Table 1** System policies supported by WAF + + +--------------------+-----------------------------------+-----------------------+------------------------------------------------------------------------------------------------+ + | Role/Policy Name | Description | Category | Dependencies | + +====================+===================================+=======================+================================================================================================+ + | WAF Administrator | Administrator permissions for WAF | System-defined role | Dependent on the **Tenant Guest** and **Server Administrator** roles. | + | | | | | + | | | | - **Tenant Guest**: A global role, which must be assigned in the global project. | + | | | | - **Server Administrator**: A project-level role, which must be assigned in the same project. | + +--------------------+-----------------------------------+-----------------------+------------------------------------------------------------------------------------------------+ + | WAF FullAccess | All permissions for WAF | System-defined policy | None. 
| + +--------------------+-----------------------------------+-----------------------+------------------------------------------------------------------------------------------------+ + | WAF ReadOnlyAccess | Read-only permissions for WAF. | System-defined policy | | + +--------------------+-----------------------------------+-----------------------+------------------------------------------------------------------------------------------------+ diff --git a/umn/source/service_overview/what_is_web_application_firewall.rst b/umn/source/service_overview/what_is_web_application_firewall.rst new file mode 100644 index 0000000..c2f37d3 --- /dev/null +++ b/umn/source/service_overview/what_is_web_application_firewall.rst @@ -0,0 +1,10 @@ +:original_name: waf_01_0045.html + +.. _waf_01_0045: + +What Is Web Application Firewall? +================================= + +Web Application Firewall (WAF) keeps web services stable and secure. It examines all HTTP and HTTPS requests to detect and block the following attacks: Structured Query Language (SQL) injection, cross-site scripting (XSS), web shells, command and code injections, file inclusion, sensitive file access, third-party vulnerability exploits, Challenge Collapsar (CC) attacks, malicious crawlers, and cross-site request forgery (CSRF). + +After you enable a WAF instance, add your website domain to the WAF instance on the WAF console. All public network traffic for your website then goes to WAF first. WAF identifies and filters out the illegitimate traffic, and routes only the legitimate traffic to your origin server to ensure site security. diff --git a/umn/source/viewing_product_details.rst b/umn/source/viewing_product_details.rst new file mode 100644 index 0000000..8a8f3a4 --- /dev/null +++ b/umn/source/viewing_product_details.rst 
@@ -0,0 +1,38 @@ +:original_name: waf_01_0319.html + +.. _waf_01_0319: + +Viewing Product Details +======================= + +On the **Product Details** page, you can view information about all your WAF instances, including the edition, domain quotas, and specifications. + +Prerequisites +------------- + +You have purchased a WAF instance. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane on the left, choose **Instance Management** > **Product Details**. + +#. On the **Product Details** page, view the WAF edition, specifications, and expiration time. + + - Click **Details** to view the detailed specifications of the current WAF edition. + - When you move the cursor to the WAF edition shown in the upper right corner of the page, the specifications are displayed. + + + .. figure:: /_static/images/en-us_image_0000001286061432.png + :alt: **Figure 1** Product information + + **Figure 1** Product information + +.. |image1| image:: /_static/images/en-us_image_0000001133216533.jpg +.. |image2| image:: /_static/images/en-us_image_0000001340308381.png diff --git a/umn/source/website_domain_name_management/configuring_a_traffic_identifier_for_a_known_attack_source.rst b/umn/source/website_domain_name_management/configuring_a_traffic_identifier_for_a_known_attack_source.rst new file mode 100644 index 0000000..2a35380 --- /dev/null +++ b/umn/source/website_domain_name_management/configuring_a_traffic_identifier_for_a_known_attack_source.rst 
@@ -0,0 +1,66 @@ +:original_name: waf_01_0270.html + +.. _waf_01_0270: + +Configuring a Traffic Identifier for a Known Attack Source +========================================================== + +WAF allows you to configure traffic identifiers by IP address, session, or user tag to block possibly malicious requests from known attack sources based on **IP address**, **Cookie**, or **Params**. + +Prerequisites +------------- + +The website to be protected has been added to WAF. + +Constraints +----------- + +- If the IP address tag is configured, ensure that the protected website has a layer-7 proxy configured in front of WAF and that **Proxy Configured** is set to **Yes** for the protected website. + + If the IP address tag is not configured, WAF identifies the client IP address by default. + +- Before enabling Cookie- or Params-based known attack source rules, configure a session or user tag for the corresponding website domain name. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane, choose **Website Settings**. + +#. In the **Domain Name** column, click the domain name of the target website to go to the basic information page. + +#. In the **Traffic Identifier** area, click |image3| next to **IP Tag**, **Session Tag**, or **User Tag** to configure a traffic identifier by referring to :ref:`Table 1 `. :ref:`Figure 1 ` shows an example. + + .. _waf_01_0270__fig165215137120: + + .. figure:: /_static/images/en-us_image_0000001284861820.png + :alt: **Figure 1** Traffic Identifier + + **Figure 1** Traffic Identifier + + .. _waf_01_0270__table17733717165019: + + .. 
table:: **Table 1** Traffic identifier parameters + + +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Tag | Description | Example Value | + +=======================+==================================================================================================================================================================================================================+=======================+ + | IP Tag | HTTP request header field of the original client IP address. | X-Forwarded-For | + | | | | + | | Ensure that the protected website has a layer-7 proxy configured in front of WAF and that **Proxy Configured** under the website basic information settings is set to **Yes** for this parameter to take effect. | | + +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Session Tag | This tag is used to block possibly malicious requests based on the cookie attributes of an attack source. Configure this parameter to block requests based on cookie attributes. | jssessionid | + +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | User Tag | This tag is used to block possibly malicious requests based on the Params attribute of an attack source. Configure this parameter to block requests based on the Params attributes. 
| name | + +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +#. Click **Confirm**. + +.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image2| image:: /_static/images/en-us_image_0000001288423818.png +.. |image3| image:: /_static/images/en-us_image_0210924454.jpg diff --git a/umn/source/website_domain_name_management/configuring_connection_protection.rst b/umn/source/website_domain_name_management/configuring_connection_protection.rst new file mode 100644 index 0000000..eeccc5e --- /dev/null +++ b/umn/source/website_domain_name_management/configuring_connection_protection.rst 
@@ -0,0 +1,82 @@ +:original_name: waf_01_1172.html + +.. _waf_01_1172: + +Configuring Connection Protection +================================= + +If a large number of 502 Bad Gateway and 504 Gateway Timeout errors are detected, you can enable WAF breakdown protection and connection protection to let WAF suspend your website and protect your origin servers from being crashed. When the 502/504 error requests and pending URL requests reach the thresholds you configure, WAF enables corresponding protection for your website. + +Prerequisites +------------- + +- The website you want to protect has been added to WAF. +- You have upgraded the dedicated WAF instance to the latest version. For details, see :ref:`Upgrading a Dedicated WAF Instance `. + +Constraints +----------- + +- You have selected **Dedicated mode** for your website deployment. +- The :ref:`dedicated WAF instance must be upgraded to the latest version ` before you enable **Connection Protection**, or your website workloads may be interrupted. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane, choose **Website Settings**. + +#. In the **Domain Name** column, click the domain name of the website to go to the basic information page. + + .. _waf_01_1172__waf_01_1169_fig7279164301510: + + .. figure:: /_static/images/en-us_image_0000001285178604.png + :alt: **Figure 1** Basic Information area + + **Figure 1** Basic Information area + +#. In the **Connection Protection** area, click the status toggle to enable it. + +#. Click |image3| next to each parameter, edit **Breakdown Protection** and **Connection Protection** parameters to meet your requirements, and click |image4| to save settings. :ref:`Table 1 ` describes these parameters. + + .. 
_waf_01_1172__table172097131662: + + .. table:: **Table 1** Connection Protection parameters + + +-----------------------+---------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+ + | Parameter | | Description | Example Value | + +=======================+=======================================+=====================================================================================================================================================================================+=================+ + | Breakdown Protection | 502/504 Error Threshold | 30s 502/504 Error Threshold | 1000 | + +-----------------------+---------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+ + | | 502/504 Error Percentage (%) | A breakdown is triggered when the 502/504 error threshold and percentage threshold have been reached. | 90 | + +-----------------------+---------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+ + | | Initial Downtime (s) | Protection period upon the first breakdown. During this period, WAF stops forwarding client requests. | 180 | + +-----------------------+---------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+ + | | Multiplier for Consecutive Breakdowns | The maximum multiplier you can use for consecutive breakdowns. 
The number of breakdowns are counted from 0 every time the accumulated breakdown protection duration reaches 3,600s. | 3 | + | | | | | + | | | For example, assume that **Initial Downtime (s)** is set to 180s and **Multiplier for Consecutive Breakdowns** is set to 3. | | + | | | | | + | | | - If the breakdown is triggered for the second time, that is, less than 3, the protection duration is 360s (180s x 2). | | + | | | - If the breakdown is triggered for the third or fourth time, that is, equal to or greater than 3, the protection duration is 540s (180s x 3). | | + | | | - When the accumulated downtime duration exceeds 1 hour (3,600s), the number of breakdowns are counted from 0. | | + +-----------------------+---------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+ + | Connection Protection | Pending URL Request Threshold | Connection Protection is triggered when the number of read URL requests reaches the threshold you configure. | 6,000 | + +-----------------------+---------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+ + | | Duration (s) | Protection duration. During this period, WAF stops forwarding client requests. | 60 | + +-----------------------+---------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+ + + .. note:: + + The following uses **Connection Protection** settings in :ref:`Figure 1 ` as an example to describe how the protection works. 
+ + - **Breakdown Protection**: When the number of 502/504 errors returned by the protected website exceeds 1,000 and accounts for 90% or more of the total access requests of the website for the first time, the first breakdown protection is triggered. During the first breakdown protection, WAF stops forwarding client requests for 180s (that is, blocks visitors access to the website for 180s). If a second consecutive breakdown protection is triggered, WAF stops forwarding client requests for 360s (180 x 2). If a third or more consecutive breakdowns are triggered, WAF stops forwarding client requests for 540s (180s x 3). The breakdowns are counted from 0 when the total downtime duration exceeds one hour (3,600s). + - **Connection Protection**: When the number of read URL requests in the waiting queue exceeds 6,000, WAF stops forwarding client requests for 60 seconds and returns the maintenance page of the website to visitors. + +.. |image1| image:: /_static/images/en-us_image_0000001238508978.jpg +.. |image2| image:: /_static/images/en-us_image_0000001287944330.png +.. |image3| image:: /_static/images/en-us_image_0000001241765756.png +.. |image4| image:: /_static/images/en-us_image_0000001241293100.png diff --git a/umn/source/website_domain_name_management/configuring_connection_timeout.rst b/umn/source/website_domain_name_management/configuring_connection_timeout.rst new file mode 100644 index 0000000..ed53be8 --- /dev/null +++ b/umn/source/website_domain_name_management/configuring_connection_timeout.rst 
@@ -0,0 +1,46 @@ +:original_name: waf_01_1171.html + +.. _waf_01_1171: + +Configuring Connection Timeout +============================== + +If you want to set a timeout duration for each request between your WAF instance and origin server, enable **Timeout Settings** and specify **WAF-to-Server connection timeout (s)**, **Read timeout (s)**, and **Write timeout (s)**. This function cannot be disabled once it is enabled. + +.. note:: + + - The default timeout duration for connections between a browser and WAF is 120 seconds, which cannot be manually set. + - The default timeout duration for the connection between WAF and an origin server is 60 seconds. This topic walks you through how to customize the timeout duration. + +Prerequisites +------------- + +The website you want to protect has been added to WAF. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane, choose **Website Settings**. + +#. In the **Domain Name** column, click the domain name of the website to go to the basic information page. + + + .. figure:: /_static/images/en-us_image_0000001285178604.png + :alt: **Figure 1** Basic Information area + + **Figure 1** Basic Information area + +#. In the **Timeout Settings** row, click the **Status** toggle and enable it if needed. + +#. Click |image3|, specify **WAF-to-Server connection timeout (s)**, **Read timeout (s)**, and **Write timeout (s)**, and click |image4| to save settings. + +.. |image1| image:: /_static/images/en-us_image_0000001238508978.jpg +.. |image2| image:: /_static/images/en-us_image_0000001287944330.png +.. |image3| image:: /_static/images/en-us_image_0000001282207201.png +.. |image4| image:: /_static/images/en-us_image_0000001282406385.png 
diff --git a/umn/source/website_domain_name_management/configuring_pci_dss_3ds_certification_check_and_tls_version.rst b/umn/source/website_domain_name_management/configuring_pci_dss_3ds_certification_check_and_tls_version.rst new file mode 100644 index 0000000..b748b95 --- /dev/null +++ b/umn/source/website_domain_name_management/configuring_pci_dss_3ds_certification_check_and_tls_version.rst 
@@ -0,0 +1,224 @@ +:original_name: waf_01_0169.html + +.. _waf_01_0169: + +Configuring PCI DSS/3DS Certification Check and TLS Version +=========================================================== + +Transport Layer Security (TLS) provides confidentiality and ensures data integrity for data sent between applications over the Internet. HTTPS is a network protocol constructed based on TLS and HTTP and can be used for encrypted transmission and identity authentication. If you set **Client Protocol** to **HTTPS**, set the minimum TLS version and cipher suite (a set of multiple cryptographic algorithms) for your domain name to block requests that use a TLS version earlier than the configured one. + +TLS v1.0 and the cipher suite 1 are configured by default in WAF for general security. To protect your websites better, set the minimum TLS version to a later version and select a more secure cipher suite. + +Prerequisites +------------- + +- The website to be protected has been added to WAF. +- Your website uses HTTPS as the client protocol. + +Application Scenarios +--------------------- + +By default, the minimum TLS version configured for WAF is **TLS v1.0**. To ensure website security, configure the right TLS version for your service requirements. :ref:`Table 1 ` lists the recommended minimum TLS versions for different scenarios. + +.. _waf_01_0169__table19196118195712: + +.. 
table:: **Table 1** Recommended minimum TLS versions + + +------------------------------------------------------------------------------------------------------------------+-----------------------------------+---------------------------------------------------------------------------------+ + | Scenario | Minimum TLS Version (Recommended) | Protection Effect | + +==================================================================================================================+===================================+=================================================================================+ + | Websites that handle critical business data, such as sites used in banking, finance, securities, and e-commerce. | TLS v1.2 | WAF automatically blocks website access requests that use TLS v1.0 or TLS v1.1. | + +------------------------------------------------------------------------------------------------------------------+-----------------------------------+---------------------------------------------------------------------------------+ + | Websites with basic security requirements, for example, small- and medium-sized enterprise websites. | TLS v1.1 | WAF automatically blocks website access requests that use TLS v1.0. | + +------------------------------------------------------------------------------------------------------------------+-----------------------------------+---------------------------------------------------------------------------------+ + | Client applications with no special security requirements | TLS v1.0 | Requests using any TLS protocols can access the website. | + +------------------------------------------------------------------------------------------------------------------+-----------------------------------+---------------------------------------------------------------------------------+ + +The recommended cipher suite in WAF is **Cipher suite 1**. Cipher suite 1 offers a good mix of browser compatibility and security. 
For details about each cipher suite, see :ref:`Table 2 `. + +.. _waf_01_0169__table173581645172115: + +.. table:: **Table 2** Description of cipher suites + + +-----------------------+------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Cipher Suite Name | Supported cryptographic algorithms | Description | + +=======================+====================================+===================================================================================================================================================================+ + | Default cipher suite | - ECDHE-RSA-AES256-SHA384 | - Compatibility: Good. | + | | - AES256-SHA256 | | + | | - HIGH | A wide range of browsers are supported. | + | | - !MD5 | | + | | - !aNULL | - Security: Average | + | | - !eNULL | | + | | - !NULL | | + | | - !DH | | + | | - !EDH | | + | | - !AESGCM | | + +-----------------------+------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Cipher suite 1 | - ECDHE-ECDSA-AES256-GCM-SHA384 | Recommended configuration. | + | | - HIGH | | + | | - !MEDIUM | - Compatibility: Good. | + | | - !LOW | | + | | - !aNULL | A wide range of browsers are supported. | + | | - !eNULL | | + | | - !DES | - Security: Good | + | | - !MD5 | | + | | - !PSK | | + | | - !kRSA | | + | | - !SRP | | + | | - !3DES | | + | | - !DSS | | + | | - !EXP | | + | | - !CAMELLIA | | + | | - @STRENGTH | | + +-----------------------+------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Cipher suite 2 | - EECDH+AESGCM | - Compatibility: Average. 
| + | | - EDH+AESGCM | | + | | | Strict compliance with forward secrecy requirements of PCI DSS and excellent protection, but browsers of earlier versions may be unable to access the website. | + | | | | + | | | - Security: Excellent | + +-----------------------+------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Cipher suite 3 | - ECDHE-RSA-AES128-GCM-SHA256 | - Compatibility: Average. | + | | - ECDHE-RSA-AES256-GCM-SHA384 | | + | | - ECDHE-RSA-AES256-SHA384 | Earlier versions of browsers may be unable to access the website. | + | | - HIGH | | + | | - !MD5 | - Security: Excellent. | + | | - !aNULL | | + | | - !eNULL | Multiple algorithms, such as ECDHE, DHE-GCM, and RSA-AES-GCM, are supported. | + | | - !NULL | | + | | - !DH | | + | | - !EDH | | + +-----------------------+------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Cipher suite 4 | - ECDHE-RSA-AES256-GCM-SHA384 | - Compatibility: Good. | + | | - ECDHE-RSA-AES128-GCM-SHA256 | | + | | - ECDHE-RSA-AES256-SHA384 | A wide range of browsers are supported. | + | | - AES256-SHA256 | | + | | - HIGH | - Security: Average. | + | | - !MD5 | | + | | - !aNULL | The GCM algorithm is supported. | + | | - !eNULL | | + | | - !NULL | | + | | - !EDH | | + +-----------------------+------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +The TLS cipher suites in WAF are compatible with all browsers and clients of later versions but are incompatible with some browsers of earlier versions. :ref:`Table 3 ` lists the incompatible browsers and clients if the TLS v1.0 protocol is used. 
+ +.. important:: + + It is recommended that compatibility tests should be carried out on the service environment to ensure service stability. + +.. _waf_01_0169__table893015311885: + +.. table:: **Table 3** Incompatible browsers and clients for cipher suites under TLS v1.0 + + +---------------------------------------------+----------------------+----------------+----------------+----------------+----------------+ + | Browser/Client | Default Cipher Suite | Cipher Suite 1 | Cipher Suite 2 | Cipher Suite 3 | Cipher Suite 4 | + +=============================================+======================+================+================+================+================+ + | Google Chrome 63 /macOS High Sierra 10.13.2 | Not compatible | Compatible | Compatible | Compatible | Not compatible | + +---------------------------------------------+----------------------+----------------+----------------+----------------+----------------+ + | Google Chrome 49/ Windows XP SP3 | Not compatible | Not compatible | Not compatible | Not compatible | Not compatible | + +---------------------------------------------+----------------------+----------------+----------------+----------------+----------------+ + | Internet Explorer 6 | Not compatible | Not compatible | Not compatible | Not compatible | Not compatible | + | | | | | | | + | /Windows XP | | | | | | + +---------------------------------------------+----------------------+----------------+----------------+----------------+----------------+ + | Internet Explorer 8 | Not compatible | Not compatible | Not compatible | Not compatible | Not compatible | + | | | | | | | + | /Windows XP | | | | | | + +---------------------------------------------+----------------------+----------------+----------------+----------------+----------------+ + | Safari 6/iOS 6.0.1 | Compatible | Compatible | Not compatible | Compatible | Compatible | + 
+---------------------------------------------+----------------------+----------------+----------------+----------------+----------------+ + | Safari 7/iOS 7.1 | Compatible | Compatible | Not compatible | Compatible | Compatible | + +---------------------------------------------+----------------------+----------------+----------------+----------------+----------------+ + | Safari 7/OS X 10.9 | Compatible | Compatible | Not compatible | Compatible | Compatible | + +---------------------------------------------+----------------------+----------------+----------------+----------------+----------------+ + | Safari 8/iOS 8.4 | Compatible | Compatible | Not compatible | Compatible | Compatible | + +---------------------------------------------+----------------------+----------------+----------------+----------------+----------------+ + | Safari 8/OS X 10.10 | Compatible | Compatible | Not compatible | Compatible | Compatible | + +---------------------------------------------+----------------------+----------------+----------------+----------------+----------------+ + | Internet Explorer | Compatible | Compatible | Not compatible | Compatible | Compatible | + | | | | | | | + | 7/Windows Vista | | | | | | + +---------------------------------------------+----------------------+----------------+----------------+----------------+----------------+ + | Internet Explorer 8, 9, or 10 | Compatible | Compatible | Not compatible | Compatible | Compatible | + | | | | | | | + | /Windows 7 | | | | | | + +---------------------------------------------+----------------------+----------------+----------------+----------------+----------------+ + | Internet Explorer 10 | Compatible | Compatible | Not compatible | Compatible | Compatible | + | | | | | | | + | /Windows Phone 8.0 | | | | | | + +---------------------------------------------+----------------------+----------------+----------------+----------------+----------------+ + | Java 7u25 | Compatible | Compatible | Not compatible | 
Compatible | Compatible | + +---------------------------------------------+----------------------+----------------+----------------+----------------+----------------+ + | OpenSSL 0.9.8y | Not compatible | Not compatible | Not compatible | Not compatible | Not compatible | + +---------------------------------------------+----------------------+----------------+----------------+----------------+----------------+ + | Safari 5.1.9/OS X 10.6.8 | Compatible | Compatible | Not compatible | Compatible | Compatible | + +---------------------------------------------+----------------------+----------------+----------------+----------------+----------------+ + | Safari 6.0.4/OS X 10.8.4 | Compatible | Compatible | Not compatible | Compatible | Compatible | + +---------------------------------------------+----------------------+----------------+----------------+----------------+----------------+ + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Security** > **Web Application Firewall (Dedicated)**. + +#. In the navigation pane, choose **Website Settings**. + +#. In the **Domain Name** column, click the domain name of the website to go to the basic information page. + +#. In the **Compliance Certification** row, you can select **PCI DSS** and/or **PCI 3DS** to allow WAF to check your website for the corresponding PCI certification compliance. In the **TLS Configuration** row, click |image3| to complete TLS configuration. :ref:`Figure 1 ` shows an example. + + .. _waf_01_0169__fig158391141135917: + + .. figure:: /_static/images/en-us_image_0000001337771401.png + :alt: **Figure 1** TLS configuration modification + + **Figure 1** TLS configuration modification + + - Select **PCI DSS**. In the displayed **Warning** dialog box, click **OK** to enable the PCI DSS certification check. + + |image4| + + .. 
important:: + + If PCI DSS certification check is enabled, the minimum TLS version and cypher suite cannot be changed. + + - Select **PCI 3DS**. In the displayed **Warning** dialog box, click **OK** to enable the PCI 3DS certification check. + + |image5| + + .. important:: + + - If PCI 3DS certification check is enabled, the minimum TLS version cannot be changed. + - Once enabled, the PCI 3DS certification check cannot be disabled. + +#. In the displayed **TLS Configuration** dialog box, select the minimum TLS version and cipher suite. :ref:`Figure 2 ` shows an example. + + .. _waf_01_0169__fig1518314493518: + + .. figure:: /_static/images/en-us_image_0000001337772549.png + :alt: **Figure 2** TLS Configuration + + **Figure 2** TLS Configuration + + Select the minimum TLS version you need. The options are as follows: + + - **TLS v1.0**: the default version. Requests using TLS v1.0 or later can access the domain name. + - **TLS v1.1**: Only requests using TLS v1.1 or later can access the domain name. + - **TLS v1.2**: Only requests using TLS v1.2 or later can access the domain name. + +#. Click **OK**. + +Verification +------------ + +If the **Minimum TLS Version** is set to **TLS v1.2**, the website can be accessed over connections secured by TLS v1.2 or later, but cannot be accessed over connections secured by TLS v1.1 or earlier. + +.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image2| image:: /_static/images/en-us_image_0000001340424065.png +.. |image3| image:: /_static/images/en-us_image_0210924454.jpg +.. |image4| image:: /_static/images/en-us_image_0000001337772205.png +.. |image5| image:: /_static/images/en-us_image_0000001337772269.png diff --git a/umn/source/website_domain_name_management/editing_server_information.rst b/umn/source/website_domain_name_management/editing_server_information.rst new file mode 100644 index 0000000..494da93 --- /dev/null +++ b/umn/source/website_domain_name_management/editing_server_information.rst 
@@ -0,0 +1,64 @@ +:original_name: waf_01_0001.html + +.. _waf_01_0001: + +Editing Server Information +========================== + +This topic describes how to edit or add server information for a website to be protected. + +Applicable scenarios: + +- Modify server information, including **Client Protocol**, **Server Protocol**, **VPC**, **Server Address**, and **Server Port**. +- Add server configurations. +- Update a certificate by referring to :ref:`Updating a Certificate `. + +Prerequisites +------------- + +A website has been added to WAF. + +Impact on the System +-------------------- + +Modifying the server configuration does not affect services. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane, choose **Website Settings**. + +#. In the **Domain Name** column, click the domain name of the website to go to the basic information page. + +#. In the **Server Information** area, click |image3|. + + + .. figure:: /_static/images/en-us_image_0000001285022128.png + :alt: **Figure 1** Server Information + + **Figure 1** Server Information + +#. On the **Edit Server Information** page, edit the server configurations (such as client protocol and associated certificate). + + .. note:: + + - For details about certificate, see :ref:`Updating a Certificate `. + - WAF supports configuring of multiple backend servers. To add a backend server, click **Add**. + + + .. figure:: /_static/images/en-us_image_0000001337775421.png + :alt: **Figure 2** Edit Server Information + + **Figure 2** Edit Server Information + +#. Click **Confirm**. + +.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image2| image:: /_static/images/en-us_image_0000001288264194.png +.. 
|image3| image:: /_static/images/en-us_image_0282893059.jpg diff --git a/umn/source/website_domain_name_management/index.rst b/umn/source/website_domain_name_management/index.rst new file mode 100644 index 0000000..a673b08 --- /dev/null +++ b/umn/source/website_domain_name_management/index.rst @@ -0,0 +1,32 @@ +:original_name: waf_01_0067.html + +.. _waf_01_0067: + +Website Domain Name Management +============================== + +- :ref:`Viewing Basic Information ` +- :ref:`Switching WAF Working Mode ` +- :ref:`Configuring PCI DSS/3DS Certification Check and TLS Version ` +- :ref:`Configuring Connection Timeout ` +- :ref:`Configuring Connection Protection ` +- :ref:`Updating a Certificate ` +- :ref:`Configuring a Traffic Identifier for a Known Attack Source ` +- :ref:`Editing Server Information ` +- :ref:`Modifying the Alarm Page ` +- :ref:`Removing a Protected Website from WAF ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + viewing_basic_information + switching_waf_working_mode + configuring_pci_dss_3ds_certification_check_and_tls_version + configuring_connection_timeout + configuring_connection_protection + updating_a_certificate + configuring_a_traffic_identifier_for_a_known_attack_source + editing_server_information + modifying_the_alarm_page + removing_a_protected_website_from_waf diff --git a/umn/source/website_domain_name_management/modifying_the_alarm_page.rst b/umn/source/website_domain_name_management/modifying_the_alarm_page.rst new file mode 100644 index 0000000..df54b91 --- /dev/null +++ b/umn/source/website_domain_name_management/modifying_the_alarm_page.rst 
@@ -0,0 +1,65 @@ +:original_name: waf_01_0154.html + +.. _waf_01_0154: + +Modifying the Alarm Page +======================== + +If a visitor is blocked by WAF, the **Default** block page of WAF is returned by default. You can also configure **Custom** or **Redirection** for the block page to be returned as required. + +Prerequisites +------------- + +A website has been added to WAF. + +Constraints +----------- + +- The content of the text/html, text/xml, and application/json pages can be configured on the **Custom** block page to be returned. +- The root domain name of the redirection address must be the same as the currently protected domain name (including a wildcard domain name). For example, if the protected domain name is **www.example.com** and the port is 8080, the redirection URL can be set to **http://www.example.com:8080/error.html**. + +Procedure +--------- + +#. Log in to the management console. +#. Click |image1| in the upper left corner of the management console and select a region or project. +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. +#. In the navigation pane, choose **Website Settings**. +#. In the **Domain Name** column, click the domain name of the website to go to the basic information page. +#. Click |image3| next to the page template name in the row where **Alarm Page** is located. In the displayed **Alarm Page** dialog box, specify **Page Template**. + + - To use the built-in page, select **Default**. An HTTP code 418 is returned. + + + .. figure:: /_static/images/en-us_image_0000001338016357.png + :alt: **Figure 1** Default alarm page + + **Figure 1** Default alarm page + + - To customize the alarm page, select **Custom** and configure following parameters. + + - **HTTP Return Code**: return code configured on a custom page. + - **Block Page Type**: The options are **text/html**, **text/xml**, and **application/json**. 
+ - **Page Content**: Configure the page content based on the selected value for **Block Page Type**. + + + .. figure:: /_static/images/en-us_image_0000001338096873.png + :alt: **Figure 2** Custom alarm page + + **Figure 2** Custom alarm page + + - To configure a redirection URL, select **Redirection**. + + + .. figure:: /_static/images/en-us_image_0000001285737132.png + :alt: **Figure 3** Redirection alarm page + + **Figure 3** Redirection alarm page + + The root domain name of the redirection URL must be the same as the currently protected domain name (including a wildcard domain name). For example, if the protected domain name is **www.example.com** and the port is 8080, the redirection URL can be set to **http://www.example.com:8080/error.html**. + +#. Click **Confirm**. + +.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image2| image:: /_static/images/en-us_image_0000001340583529.png +.. |image3| image:: /_static/images/en-us_image_0210924454.jpg diff --git a/umn/source/website_domain_name_management/removing_a_protected_website_from_waf.rst b/umn/source/website_domain_name_management/removing_a_protected_website_from_waf.rst new file mode 100644 index 0000000..f908a2d --- /dev/null +++ b/umn/source/website_domain_name_management/removing_a_protected_website_from_waf.rst 
@@ -0,0 +1,48 @@ +:original_name: waf_01_0005.html + +.. _waf_01_0005: + +Removing a Protected Website from WAF +===================================== + +This topic describes how to remove a website from WAF if you no longer need to protect it. + +Prerequisites +------------- + +A website domain name has been added to WAF. + +Impact on the System +-------------------- + +It takes about a minute to remove a website from WAF, but once this action is started, it cannot be cancelled. Exercise caution when removing a website from WAF. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane, choose **Website Settings**. + +#. In the row containing the website domain name you want to delete, click **Delete** in the **Operation** column. + +#. In the displayed confirmation dialog box, confirm the deletion. + + If you want to retain the policy applied to the domain name, select **Retain the policy of this domain name**. + + + .. figure:: /_static/images/en-us_image_0000001285577484.png + :alt: **Figure 1** Deleting a protected domain name from WAF + + **Figure 1** Deleting a protected domain name from WAF + +#. Click **OK**. + + If **Domain name deleted successfully** is displayed in the upper right corner, the domain name of the website was deleted. + +.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image2| image:: /_static/images/en-us_image_0000001340304197.png diff --git a/umn/source/website_domain_name_management/switching_waf_working_mode.rst b/umn/source/website_domain_name_management/switching_waf_working_mode.rst new file mode 100644 index 0000000..af7bab9 --- /dev/null +++ b/umn/source/website_domain_name_management/switching_waf_working_mode.rst 
@@ -0,0 +1,47 @@ +:original_name: waf_01_0003.html + +.. _waf_01_0003: + +Switching WAF Working Mode +========================== + +You can change the working mode of WAF. WAF can work in **Enabled** or **Suspended** mode. + +Prerequisites +------------- + +The domain name of the website to be protected has been connected to WAF. + +Application Scenarios +--------------------- + +- **Enabled**: In this mode, WAF defends your website against attacks based on configured policies. +- **Suspended**: If a large number of normal requests are blocked, for example, status code 418 is frequently returned, then you can switch the mode to **Suspended**. In this mode, your website is not protected because WAF only forwards requests. It does not scan for or log attacks. This mode is risky. You are advised to use the false alarm masking rules to reduce false alarms. + +Impact on the System +-------------------- + +In the **Suspended** mode, your website is not protected because WAF only forwards requests. It does not scan for attacks. To avoid normal requests from being blocked, configure false alarm masking rules, instead of using the **Suspended** mode. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane, choose **Website Settings**. + +#. In the **Mode** column of the row containing the target domain name, click |image3| and select a working mode. + + + .. figure:: /_static/images/en-us_image_0000001345173294.png + :alt: **Figure 1** Switching WAF working mode + + **Figure 1** Switching WAF working mode + +.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image2| image:: /_static/images/en-us_image_0000001340304201.png +.. |image3| image:: /_static/images/en-us_image_0000001324043026.png 
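Review bot: The two descriptions of **Suspended** mode in switching_waf_working_mode.rst disagree on logging. Application Scenarios says "It does not scan for or log attacks", but Impact on the System says only "It does not scan for attacks". The loss of attack logging is what a monitoring team most needs to know before the switch, so repeat it under Impact on the System and consider placing the whole risk statement in an `.. important::` directive. The procedure also stops at step 5 with the mode selection and has no confirmation or verification step, and "To avoid normal requests from being blocked" should read "To prevent normal requests from being blocked".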
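Review bot: In configuring_pci_dss_3ds_certification_check_and_tls_version.rst (earlier in this patch) the intro and Table 2 contradict each other on the default cipher suite. The intro says "TLS v1.0 and the cipher suite 1 are configured by default", yet Table 2 has a separate "Default cipher suite" row with a different algorithm list and "Security: Average", while "Cipher suite 1" is marked "Recommended configuration". State which suite a newly added domain actually gets. In the same table the Cipher suite 3 description lists "DHE-GCM" as supported although its algorithm column contains `!DH` and `!EDH`, which exclude those key exchanges; one of the two needs correcting. Smaller points: "cypher suite" in the PCI DSS important box should be "cipher suite" as in the rest of the page, and the Verification section states the expected result for **TLS v1.2** without giving the reader a way to check it.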
diff --git a/umn/source/website_domain_name_management/updating_a_certificate.rst b/umn/source/website_domain_name_management/updating_a_certificate.rst new file mode 100644 index 0000000..abbcef3 --- /dev/null +++ b/umn/source/website_domain_name_management/updating_a_certificate.rst 
@@ -0,0 +1,112 @@ +:original_name: waf_01_0262.html + +.. _waf_01_0262: + +Updating a Certificate +====================== + +If you set **Client Protocol** to **HTTPS** when you add a website to WAF, upload a certificate and use it for your website. + +- If your website certificate is about to expire, purchase a new certificate before the expiration date and update the certificate associated with the website in WAF. +- If you plan to update the certificate associated with the website, associate a new certificate with your website on the WAF console. + +Prerequisites +------------- + +- The website to be protected has been added to WAF. +- Your website uses HTTPS as the client protocol. + +Constraints +----------- + +- Each domain name must have a certificate associated. A wildcard domain name can only use a wildcard domain certificate. If you only have single-domain certificates, add domain names one by one in WAF. +- Only .pem certificates can be used in WAF. If the certificate is not in .pem, before uploading it, convert it to .pem by referring to :ref:`Step 6 `. + +Impact on the System +-------------------- + +- It is recommended that you update the certificate before it expires. Otherwise, all WAF protection rules will fail to take effect, and there can be massive impacts on the origin server, even more severe than a crashed host or website access failures. +- Updating certificates does not affect services. The old certificate still works during the certificate replacement. The new certificate will take over the job once it has been uploaded and successfully associated with the domain name. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane, choose **Website Settings**. + +#. 
In the **Domain Name** column, click the domain name of the website to go to the basic information page. + +#. .. _waf_01_0262__li5865132352711: + + Click |image3| next to the certificate name. In the **Update Certificate** dialog box, import a new certificate or select an existing certificate. + + - If you select **Import new certificate** for **Update Method**, enter a certificate name, and copy and paste the certificate file and private key into the corresponding text boxes. :ref:`Figure 1 ` shows an example. + + .. note:: + + WAF encrypts and saves the private key to keep it safe. + + .. _waf_01_0262__fig1518314493518: + + .. figure:: /_static/images/en-us_image_0000001337894657.png + :alt: **Figure 1** Update Certificate + + **Figure 1** Update Certificate + + Only .pem certificates can be used in WAF. If the certificate is not in .pem format, convert it into .pem locally by referring to :ref:`Table 1 ` before uploading it. + + .. _waf_01_0262__waf_01_0002_table1292125414516: + + .. table:: **Table 1** Certificate conversion commands + + +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------+ + | Format | Conversion Method | + +===================================+============================================================================================================================+ + | CER/CRT | Rename the **cert.crt** certificate file to **cert.pem**. | + +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------+ + | PFX | - Obtain a private key. For example, run the following command to convert **cert.pfx** into **key.pem**: | + | | | + | | **openssl pkcs12 -in cert.pfx -nocerts -out key.pem -nodes** | + | | | + | | - Obtain a certificate. 
For example, run the following command to convert **cert.pfx** into **cert.pem**: | + | | | + | | **openssl** **pkcs12** **-in** **cert.pfx** **-nokeys** **-out** **cert.pem** | + +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------+ + | P7B | a. Convert a certificate. For example, run the following command to convert **cert.p7b** into **cert.cer**: | + | | | + | | **openssl** **pkcs7** **-print_certs** **-in** **cert.p7b** **-out** **cert.cer** | + | | | + | | b. Rename certificate file **cert.cer** to **cert.pem**. | + +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------+ + | DER | - Obtain a private key. For example, run the following command to convert ****privatekey.der**** into **privatekey.pem**: | + | | | + | | **openssl** **rsa** **-inform** **DER** **-outform** **PEM** **-in** **privatekey.der** **-out** **privatekey.pem** | + | | | + | | - Obtain a certificate. For example, run the following command to convert **cert.cer** into **cert.pem**: | + | | | + | | **openssl** **x509** **-inform** **der** **-in** **cert.cer** **-out cert.pem** | + +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------+ + + .. note:: + + - Before running an OpenSSL command, ensure that the `OpenSSL `__ tool has been installed on the local host. + - If your local PC runs a Windows operating system, go to the command line interface (CLI) and then run the certificate conversion command. + + - If you select **Select existing certificate** for **Update Method**, select an existing certificate from the **Certificate Name** drop-down list. + + + .. 
figure:: /_static/images/en-us_image_0000001378108553.png + :alt: **Figure 2** Selecting an existing certificate + + **Figure 2** Selecting an existing certificate + +#. Click **Confirm**. + +.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image2| image:: /_static/images/en-us_image_0000001340663937.png +.. |image3| image:: /_static/images/en-us_image_0210924454.jpg diff --git a/umn/source/website_domain_name_management/viewing_basic_information.rst b/umn/source/website_domain_name_management/viewing_basic_information.rst new file mode 100644 index 0000000..d3b9f21 --- /dev/null +++ b/umn/source/website_domain_name_management/viewing_basic_information.rst 
@@ -0,0 +1,87 @@ +:original_name: waf_01_0020.html + +.. _waf_01_0020: + +Viewing Basic Information +========================= + +This topic describes how to view the basic information about a protected website, switch WAF working mode, and delete a domain name of a protected website from WAF. + +Prerequisites +------------- + +A website has been connected to WAF. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane, choose **Website Settings**. + +#. View the protected website lists. For details about parameters, see :ref:`Table 1 `. + + + .. figure:: /_static/images/en-us_image_0000001345493078.png + :alt: **Figure 1** Website list + + **Figure 1** Website list + + .. _waf_01_0020__table125091352115811: + + .. table:: **Table 1** Parameter description + + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Parameter | Description | + +===================================+=========================================================================================================================================================================================================================================================================================================================================================================================================+ + | Domain Name | Domain name or IP address of a website to be protected. 
| + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Deployment Mode | How your WAF instance is deployed for your website. Only **Dedicated mode** is available. | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Last 3 Days | Protection status of the domain name over the past three days. | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Mode | WAF mode of the protected domain name. Click **Switch** and select one of the following working modes: Click |image3| and select one of the following working mode: | + | | | + | | - **Enabled**: WAF is enabled. | + | | - **Suspended**: WAF is disabled. If a large number of normal requests are blocked, for example, status code 418 is frequently returned, then you can switch the mode to **Suspended**. In this mode, your website is not protected because WAF only forwards requests. 
It does not scan for attacks. This mode is risky. You are advised to use the false alarm masking rules to reduce false alarms. | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Policy | The total number of protection policies configured in WAF. You can click a number to go to the rule configuration page. | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Access Progress/Status | The progress of connecting your website to WAF or the website access status. | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Operation | To remove a protected website from WAF, click **Delete**. | + | | | + | | .. warning:: | + | | | + | | The deletion operation cannot be cancelled. Exercise caution when performing this operation. 
| + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +#. In the **Domain Name** column, click the domain name of the website to go to the basic information page. + +#. View the basic information about the domain name of the protected website. :ref:`Figure 2 ` shows an example.View the basic information about the protected website. + + .. _waf_01_0020__fig1068529619241: + + .. figure:: /_static/images/en-us_image_0000001284850794.png + :alt: **Figure 2** Basic Information + + **Figure 2** Basic Information + + - Update the certificate: If you select **HTTPS** for **Client Protocol**, an SSL certificate is required. To update the certificate, click |image4| next to the certificate name in the **Certificate Name** row. Then, in the displayed dialog box, upload a new certificate or select an existing certificate. For more details, see :ref:`Updating a Certificate `. + - Update the TLS version and TLS cipher suite for accessing the origin server: If you select **HTTPS** for **Client Protocol**, you can change TLS version to a more secure one. To do so, click |image5| next to the TLS Configuration field. Then, in the displayed dialog box, select the desired TLS version and TLS cipher suite. For more details, see :ref:`Configuring PCI DSS/3DS Certification Check and TLS Version `. + - Modify the field of **Proxy Configured**: Click |image6|. In the displayed dialog box, select **Yes** if your web server is using a proxy. + - Customize the alarm page: Click |image7|. In the displayed dialog box, select **Custom** or **Redirection** and complete required configurations. 
By default, **Alarm Page** is **Default**. + - If you want to set a timeout duration for each request, enable **Timeout Settings** and click |image8|\ to specify **WAF-to-Server Connection Timeout (s)**, **Read Timeout (s)**, and **Write Timeout (s)**. This function cannot be disabled after being enabled. For details, see :ref:`Configuring Connection Timeout `. + +.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image2| image:: /_static/images/en-us_image_0000001288099090.png +.. |image3| image:: /_static/images/en-us_image_0000001284852786.png +.. |image4| image:: /_static/images/en-us_image_0210924454.jpg +.. |image5| image:: /_static/images/en-us_image_0210924454.jpg +.. |image6| image:: /_static/images/en-us_image_0210924454.jpg +.. |image7| image:: /_static/images/en-us_image_0210924454.jpg +.. |image8| image:: /_static/images/en-us_image_0000001282375645.png
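Review bot: In the certificate update hunk (waf_01_0262), the PFX row of Table 1 tells the reader to run "openssl pkcs12 -in cert.pfx -nocerts -out key.pem -nodes", which writes the private key to key.pem unencrypted, and nothing in the step says what to do with that file afterwards. Suggest adding a line to the note under the table telling the reader to restrict access to key.pem and delete it once the key has been pasted into the dialog. Also in Table 1, the CER/CRT row says to rename cert.crt to cert.pem, while the DER row converts cert.cer with "openssl x509 -inform der"; renaming only produces a usable .pem when the file is already PEM-encoded, so the CER/CRT row should say that and point DER-encoded files to the DER row. Minor: "****privatekey.der****" in the DER row has doubled bold markers.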
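Review bot: In viewing_basic_information.rst, the Mode row of Table 1 carries two competing instructions back to back ("Click **Switch** and select one of the following working modes: Click |image3| and select one of the following working mode:"); keep whichever matches the console and drop the other. The same kind of duplication is in the last step, where "shows an example.View the basic information about the protected website." runs a second sentence on without a space. In the TLS bullet, the lead says the TLS version and cipher suite are "for accessing the origin server" but the condition is **HTTPS** for **Client Protocol**; please confirm which leg of the connection the setting applies to and make the wording agree. The **Suspended** description states that the mode is risky inside a table cell; consider a warning directive there, as is already done for **Delete**, so the reader does not miss it.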