Update content

doc/best-practice/source/combining_waf_and_hss_to_get_improved_web_tamper_protection.rst

@@ -61,25 +61,17 @@ Configuring a Web Tamper Protection Rule in WAF
 
 #. Click |image2| in the upper left corner and choose **Web Application Firewall** under **Security & Compliance**.
 
-#. In the navigation pane on the left, choose **Website Settings**.
+#. In the navigation pane on the left, choose **Policies**.
 
-#. (Old console) In the **Policy** column of the row containing the domain name, click **Configure Policy**.
+#. Click the name of the target policy to go to the protection configuration page.
-
-#. (New console) In the **Policy** column of the row containing the domain name, click the number to go to the **Policies** page.
-
-
-   .. figure:: /_static/images/en-us_image_0000001402875172.png
-      :alt: **Figure 1** Domain name list
-
-      **Figure 1** Domain name list
 
 #. In the **Web Tamper Protection** configuration area, change **Status** if needed and click **Customize Rule** to go to the **Web Tamper Protection** page.
 
 
    .. figure:: /_static/images/en-us_image_0234822736.png
-      :alt: **Figure 2** Web Tamper Protection configuration area
+      :alt: **Figure 1** Web Tamper Protection configuration area
 
-      **Figure 2** Web Tamper Protection configuration area
+      **Figure 1** Web Tamper Protection configuration area
 
 #. In the upper left corner of the **Web Tamper Protection** page, click **Add Rule**.
 
@@ -87,9 +79,9 @@ Configuring a Web Tamper Protection Rule in WAF
 
 
    .. figure:: /_static/images/en-us_image_0000001451278204.png
-      :alt: **Figure 3** Adding a web tamper protection rule
+      :alt: **Figure 2** Adding a web tamper protection rule
 
-      **Figure 3** Adding a web tamper protection rule
+      **Figure 2** Adding a web tamper protection rule
 
    .. _waf_06_0119__en-us_topic_0110861313_table2046816299203:
 
@@ -127,9 +119,9 @@ Enabling HSS Web Tamper Protection
 
 
    .. figure:: /_static/images/en-us_image_0000001426970901.png
-      :alt: **Figure 4** Accessing HSS
+      :alt: **Figure 3** Accessing HSS
 
-      **Figure 4** Accessing HSS
+      **Figure 3** Accessing HSS
 
 #. In the displayed dialog box, click **Try the new edition** to switch to the HSS (New) console.
 
@@ -142,17 +134,17 @@ Enabling HSS Web Tamper Protection
 
 
    .. figure:: /_static/images/en-us_image_0000001427224185.png
-      :alt: **Figure 5** Adding a protected server
+      :alt: **Figure 4** Adding a protected server
 
-      **Figure 5** Adding a protected server
+      **Figure 4** Adding a protected server
 
 #. On the **Add Server** page, select the target server, select quota from the drop-down list or retain the default value, and click **Add and Enable Protection**.
 
 
    .. figure:: /_static/images/en-us_image_0000001427345353.png
-      :alt: **Figure 6** Selecting a server to enable protection
+      :alt: **Figure 5** Selecting a server to enable protection
 
-      **Figure 6** Selecting a server to enable protection
+      **Figure 5** Selecting a server to enable protection
 
 #. View the server status on the **Web Tamper Protection** page.
 

doc/best-practice/source/combining_waf_and_layer-7_load_balancers_to_protect_services_over_any_ports.rst

@@ -15,7 +15,11 @@ The following procedure describes how WAF and ELB together protect **www.example
 Prerequisites
 -------------
 
--  You have purchased a load balancer. For details about load balancers, see `Differences Between Shared and Dedicated Load Balancers <https://support.huaweicloud.com/intl/en-us/productdesc-elb/elb_pro_0004.html>`__.
+-  You have purchased a dedicated layer-7 load balancer. For details about ELB load balancer types, see `Differences Between Shared and Dedicated Load Balancers <https://support.huaweicloud.com/intl/en-us/productdesc-elb/elb_pro_0004.html>`__.
+
+   .. note::
+
+      Dedicated WAF instances issued before April 2023 cannot be used with dedicated network load balancers. If you use a dedicated network load balancer (TCP/UDP), ensure that your dedicated WAF instance has been upgraded to the latest version (issued after April 2023).
 
 -  Related ports have been enabled in the security group to which the dedicated WAF instance belongs.
 

doc/best-practice/source/configuring_an_access_control_policy_on_an_ecs_or_elb_to_protect_origin_servers.rst

@@ -7,7 +7,7 @@ Configuring an Access Control Policy on an ECS or ELB to Protect Origin Servers
 
 After you connect your website to Web Application Firewall (WAF), configure an access control policy on your origin server to allow only the WAF back-to-source IP addresses. This prevents hackers from obtaining your origin server IP addresses and then bypassing WAF to attack origin servers.
 
-This topic walks you through how to check whether origin servers have exposure risks and how to configure access control policies. This topic applies to scenarios where your origin servers are deploying on ECSs or backend servers of an ELB load balancer.
+This topic walks you through how to check whether origin servers have exposure risks and how to configure access control policies. This topic applies to scenarios where your origin servers are deploying on ECSs or have been added to backend servers of an ELB load balancer.
 
 .. note::
 

doc/best-practice/source/configuring_anti-crawler_rules_to_prevent_crawler_attacks.rst

@@ -5,7 +5,7 @@
 Configuring Anti-Crawler Rules to Prevent Crawler Attacks
 =========================================================
 
-Web crawlers facilitate network information collection and query, but they also introduce the following negative impacts:
+Web crawlers make network information collection and query easy, but they also introduce the following negative impacts:
 
 -  Web crawlers always consume too much server bandwidth and increase server load as they use specific policies to browser as much information of high value on a website as possible.
 -  Bad actors may use web crawlers to launch DoS attacks against websites. As a result, websites may fail to provide normal services due to resource exhaustion.
@@ -194,7 +194,7 @@ A CC attack protection rule uses a specific IP address, cookie, or referer to li
 .. |image4| image:: /_static/images/en-us_image_0000001182529643.png
 .. |image5| image:: /_static/images/en-us_image_0000001533461761.jpg
 .. |image6| image:: /_static/images/en-us_image_0000001483021752.png
-.. |image7| image:: /_static/images/en-us_image_0234013368.png
+.. |image7| image:: /_static/images/en-us_image_0234013391.png
 .. |image8| image:: /_static/images/en-us_image_0000001132757446.png
 .. |image9| image:: /_static/images/en-us_image_0000001533701661.jpg
 .. |image10| image:: /_static/images/en-us_image_0000001533182113.png

doc/best-practice/source/configuring_basic_web_protection.rst

@@ -111,7 +111,7 @@ You can also view protection logs generated in yesterday, today, past 3 days, pa
 
 .. _waf_06_0014__fig87764491241:
 
-.. figure:: /_static/images/en-us_image_0000001580873597.png
+.. figure:: /_static/images/en-us_image_0000001700138929.png
    :alt: **Figure 5** Events
 
    **Figure 5** Events

doc/best-practice/source/configuring_cc_attack_protection/restricting_malicious_requests_in_promotions_by_using_cookies_and_hwwafsesid.rst

@@ -42,6 +42,8 @@ Using Cookies (or User IDs) to Configure a Path-based CC Attack Protection Rule
 
 #. Configure a CC attack protection rule using a cookie or user ID to limit traffic to the path. :ref:`Figure 2 <waf_06_0031__fig10264172114018>` shows an example.
 
+   Set the following parameters based on site requirements:
+
    .. _waf_06_0031__fig10264172114018:
 
    .. figure:: /_static/images/en-us_image_0000001490530926.png
@@ -75,6 +77,9 @@ Using HWWAFSESID to Configure a CC Attack Protection Rule
 
 #. Configure a CC attack protection rule using HWWAFSESID to limit traffic to the path.
 
+   -  **User Identifier**: Select **Cookie** and set it to **HWWAFSESID**.
+   -  Other parameters: Set them to meet your service requirements.
+
 
    .. figure:: /_static/images/en-us_image_0000001555783590.png
       :alt: **Figure 4** HWWAFSESID-based rate limiting

doc/best-practice/source/connecting_a_domain_to_waf/connecting_a_domain_name_to_waf_for_websites_with_no_proxy_used.rst

@@ -44,44 +44,32 @@ The methods to change DNS records on different DNS platforms are similar. The fo
 
 #. Obtain the CNAME record.
 
-   -  If you are adding a domain name, perform the following operations to obtain the CNAME record of the domain name after configuring the basic information about the domain name:
+   a. Click |image1| in the upper left corner of the management console and select a region or project.
 
-      Click |image1| to obtain the CNAME record of the protected domain name.
+   b. Click |image2| in the upper left corner and choose **Web Application Firewall** under **Security & Compliance**.
+
+   c. In the navigation pane, choose **Website Settings**.
+
+   d. In the row of the desired domain name, click the domain name you want to test.
 
 
-      .. figure:: /_static/images/en-us_image_0000001367981573.png
+      .. figure:: /_static/images/en-us_image_0000001242204650.png
-         :alt: **Figure 2** Connecting a domain name to WAF
+         :alt: **Figure 2** Basic Information
 
-         **Figure 2** Connecting a domain name to WAF
+         **Figure 2** Basic Information
 
-   -  If you have added a domain name, perform the following steps to obtain the CNAME record of the domain name:
+   e. In the **CNAME** row, click |image3| to copy the CNAME record.
-
-      a. Click |image2| in the upper left corner of the management console and select a region or project.
-
-      b. Click |image3| in the upper left corner and choose **Web Application Firewall** under **Security & Compliance**.
-
-      c. In the navigation pane, choose **Website Settings**.
-
-      d. In the row of the desired domain name, click the domain name you want to test.
-
-
-         .. figure:: /_static/images/en-us_image_0000001242204650.png
-            :alt: **Figure 3** Basic Information
-
-            **Figure 3** Basic Information
-
-      e. In the **CNAME** row, click |image4| to copy the CNAME record.
 
 #. Change the DNS settings.
 
-   a. Access the DNS resolution page, as shown in :ref:`Figure 4 <waf_06_0018__waf_06_0022_fig165861648185013>`.
+   a. Access the DNS resolution page, as shown in :ref:`Figure 3 <waf_06_0018__waf_06_0022_fig165861648185013>`.
 
       .. _waf_06_0018__waf_06_0022_fig165861648185013:
 
       .. figure:: /_static/images/en-us_image_0000001550899193.png
-         :alt: **Figure 4** DNS page
+         :alt: **Figure 3** DNS page
 
-         **Figure 4** DNS page
+         **Figure 3** DNS page
 
    b. In the **Operation** column of the target domain name, click **Modify**. The **Modify Record Set** page is displayed.
 
@@ -105,9 +93,9 @@ The methods to change DNS records on different DNS platforms are similar. The fo
 
 
       .. figure:: /_static/images/en-us_image_0235826013.png
-         :alt: **Figure 5** Modifying a record set
+         :alt: **Figure 4** Modifying a record set
 
-         **Figure 5** Modifying a record set
+         **Figure 4** Modifying a record set
 
    d. Click **OK**.
 
@@ -117,7 +105,6 @@ The methods to change DNS records on different DNS platforms are similar. The fo
 
       It takes some time for the new DNS settings to take effect. If ping fails, wait for 5 minutes and ping again.
 
-.. |image1| image:: /_static/images/en-us_image_0000001316517938.png
+.. |image1| image:: /_static/images/en-us_image_0210924450.jpg
-.. |image2| image:: /_static/images/en-us_image_0210924450.jpg
+.. |image2| image:: /_static/images/en-us_image_0269288850.png
-.. |image3| image:: /_static/images/en-us_image_0269288850.png
+.. |image3| image:: /_static/images/en-us_image_0235603964.jpg
-.. |image4| image:: /_static/images/en-us_image_0235603964.jpg

doc/best-practice/source/handling_false_alarms_to_get_improved_basic_web_protection.rst

@@ -42,7 +42,7 @@ Procedure
 #. In the event list, search for false alarms by protected website, event type, source IP address, and URL.
 
 
-   .. figure:: /_static/images/en-us_image_0000001580873597.png
+   .. figure:: /_static/images/en-us_image_0000001700138929.png
       :alt: **Figure 1** Events
 
       **Figure 1** Events
@@ -55,7 +55,7 @@ Procedure
 
       **Figure 2** Event Details
 
-#. In the row containing the event, click **Handle False Alarm** in the **Operation** column.
+#. In the row containing the event, click **More** > **Handle False Alarm** in the **Operation** column.
 
 #. In the displayed dialog box, add a false alarm handling policy.
 

doc/best-practice/source/index.rst

@@ -22,4 +22,3 @@ Dedicated Web Application Firewall - Best Practice
    combining_waf_and_layer-7_load_balancers_to_protect_services_over_any_ports
    combining_cdn_and_waf_to_get_improved_protection_and_load_speed
    combining_waf_and_hss_to_get_improved_web_tamper_protection
-   change_history

doc/best-practice/source/obtaining_real_client_ip_addresses.rst

@@ -46,16 +46,14 @@ Constraints
 Obtaining the Client IP Address from WAF
 ----------------------------------------
 
-After a website is connected to WAF, WAF is deployed between the client and server as a reverse proxy to protect the website. You can use either of the following methods to obtain the client IP address:
+After a website is connected to WAF, WAF is deployed between the client and server as a reverse proxy to protect the website. For details, see `From Which Request Field Can WAF Obtain the Real Client IP Address? <https://support.huaweicloud.com/intl/en-us/waf_faq/waf_01_4139.html>`__
+
+The following describes how WAF uses the X-Forwarded-For and X-Real-IP variables to obtain the real IP address of a client:
 
 -  Using the **X-Forwarded-For** field to obtain the client IP address
 
    The client IP address is placed in the **X-Forwarded-For** HTTP header field. The format is as follows:
 
-   ::
-
-      X-Forwarded-For: Client IP address,Proxy 1-IP address,Proxy 2-IP address,...
-
    .. note::
 
       The first IP address included in the **X-Forwarded-For** field is the client IP address.
@@ -250,13 +248,6 @@ If an Nginx reverse proxy is deployed on your origin server, you can configure l
 
 #. Configure the following information in the corresponding location of the Nginx reverse proxy to obtain the information about the client IP address:
 
-   ::
-
-      Location ^ /<uri> {
-          proxy_pass  ....;
-          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-      }
-
 #. The backend web server obtains the real IP address of your website visitors by defining the Nginx log parameter **$http_x_forwarded_for**.
 
    **Example**

doc/best-practice/source/upgrading_dedicated_waf_instances.rst

@@ -65,18 +65,11 @@ If you have deployed only one dedicated WAF instance for your workloads, perform
 
    View the monitored metrics on Cloud Eye for the dedicated WAF instance, if there are less than five new connections, the traffic to the instance has decreased. For details, see `Viewing Metrics of a Dedicated WAF Instance <https://support.huaweicloud.com/intl/en-us/usermanual-waf/waf_01_0253.html#section2>`__.
 
-   a. Go to the **Dedicated Engine** page. :ref:`Figure 1 <waf_06_0027__waf_06_0027_en-us_topic_0257940801_fig7658182717546>` shows an example.
+   a. In the navigation pane on the left on the WAF console, choose **Instance Management** > **Dedicated Engine** to go to the dedicated WAF instance page.
 
-      .. _waf_06_0027__waf_06_0027_en-us_topic_0257940801_fig7658182717546:
+   b. In the row of the instance, click **More** > **Delete** in the **Operation** column.
 
-      .. figure:: /_static/images/en-us_image_0000001206741713.png
+   c. Click **Confirm**.
-         :alt: **Figure 1** Accessing the dedicated engine page
-
-         **Figure 1** Accessing the dedicated engine page
-
-   b. In the row of the target instance, click **Delete** in the **Operation** column.
-
-   c. Click **OK**.
 
       Resources on deleted instance are released and cannot be restored.
 
@@ -95,14 +88,7 @@ If you have deployed multiple dedicated WAF instances for your workloads, perfor
 
    View the monitored metrics on Cloud Eye for the dedicated WAF instance, if there are less than five new connections, the traffic to the instance has decreased. For details, see `Viewing Metrics of a Dedicated WAF Instance <https://support.huaweicloud.com/intl/en-us/usermanual-waf/waf_01_0253.html#section2>`__.
 
-   a. Go to the **Dedicated Engine** page. :ref:`Figure 2 <waf_06_0027__en-us_topic_0257940801_fig7658182717546>` shows an example.
+   a. In the navigation pane on the left on the WAF console, choose **Instance Management** > **Dedicated Engine** to go to the dedicated WAF instance page.
-
-      .. _waf_06_0027__en-us_topic_0257940801_fig7658182717546:
-
-      .. figure:: /_static/images/en-us_image_0000001206741713.png
-         :alt: **Figure 2** Accessing the dedicated engine page
-
-         **Figure 2** Accessing the dedicated engine page
 
    b. In the row containing the desired instance, click **Upgrade** in the **Operation** column.
 
@@ -112,9 +98,9 @@ If you have deployed multiple dedicated WAF instances for your workloads, perfor
 
 
       .. figure:: /_static/images/en-us_image_0000001569566562.png
-         :alt: **Figure 3** Upgrading the Edition of a Dedicated WAF Instance
+         :alt: **Figure 1** Upgrading the Edition of a Dedicated WAF Instance
 
-         **Figure 3** Upgrading the Edition of a Dedicated WAF Instance
+         **Figure 1** Upgrading the Edition of a Dedicated WAF Instance
 
 #. Run the curl command on any ECS in the VPC the dedicated WAF instance locates to check whether the workloads are normal.
 

doc/best-practice/source/using_lts_to_analyze_how_waf_blocks_spring_core_rce_vulnerability_in_real_time.rst

@@ -26,10 +26,10 @@ Procedure
 #. Click |image2| in the upper left corner of the page and choose **Management & Governance** > **Log Tank Service**.
 
 
-   .. figure:: /_static/images/en-us_image_0000001283050129.png
+   .. figure:: /_static/images/en-us_image_0000001436805625.png
-      :alt: **Figure 1** Log management page
+      :alt: **Figure 1** Log stream name configured for attack logs
 
-      **Figure 1** Log management page
+      **Figure 1** Log stream name configured for attack logs
 
 #. In the log group list, expand the WAF log group and choose log stream **attack**.
 
@@ -63,11 +63,6 @@ Procedure
 
    **select rule, hit_data where rule IN('XX','XX','XX','XX',)**
 
-   .. note::
-
-      -  *XX* indicates the rule ID of the Spring core RCE vulnerability. Obtain the rule ID before you query.
-      -  The **Visualization** module is available only to whitelisted users in **CN North-Beijing 4**.
-
 
    .. figure:: /_static/images/en-us_image_0000001283122541.png
       :alt: **Figure 4** Visualization query

doc/best-practice/source/using_lts_to_configure_block_alarms_for_waf_rules.rst

@@ -26,10 +26,10 @@ Quickly Analyzing Rule Block Logs
 #. Click |image2| in the upper left corner of the page and choose **Management & Governance** > **Log Tank Service**.
 
 
-   .. figure:: /_static/images/en-us_image_0000001283050129.png
+   .. figure:: /_static/images/en-us_image_0000001436805625.png
-      :alt: **Figure 1** Log management page
+      :alt: **Figure 1** Log stream name configured for attack logs
 
-      **Figure 1** Log management page
+      **Figure 1** Log stream name configured for attack logs
 
 #. In the log group list, expand the WAF log group and choose log stream **attack**.
 
@@ -67,10 +67,6 @@ Quickly Analyzing Rule Block Logs
 
    **select rule, rui, count(*) as cnt where action = 'block' group by rule, uri order by cnt desc**
 
-   .. note::
-
-      The **Visualization** module is available only to whitelisted users in **CN North-Beijing 4**.
-
 Creating an Alarm Rule
 ----------------------
 
@@ -78,9 +74,8 @@ Creating an Alarm Rule
 
 #. In the navigation pane on the left, choose **Alarms** > **Alarm Rules**.
 
-#. Click **Create**. In the dialog box displayed on the right, specify related parameters. :ref:`Table 1 <waf_06_0036__table2236113351>` describes the parameters. :ref:`Figure 4 <waf_06_0036__fig114371136347>` shows an example.
+#. Click **Create**. In the dialog box displayed on the right, specify related parameters. :ref:`Table 1 <waf_06_0036__table2236113351>` describes the parameters.
 
-   .. _waf_06_0036__fig114371136347:
 
    .. figure:: /_static/images/en-us_image_0000001283205921.png
       :alt: **Figure 4** Create Alarm Rule

doc/best-practice/source/using_lts_to_quickly_query_and_analyze_waf_access_logs.rst

@@ -26,9 +26,8 @@ Procedure
 
 #. In the **Log Group Name/ID** column, click the name of the target log group (for example, **lts-waf**) to go the log stream page.
 
-#. In the **Log Stream Name/ID** column, click the name of log stream used for WAF access logs (for example, **lts-waf-access**), as shown in :ref:`Figure 1 <waf_06_0028__fig118409019616>`. Then, select the **Raw Logs** tab.
+#. In the **Log Stream Name/ID** column, click the name of log stream used for WAF access logs (for example, **lts-waf-access**). Then, select the **Raw Logs** tab.
 
-   .. _waf_06_0028__fig118409019616:
 
    .. figure:: /_static/images/en-us_image_0000001192428132.png
       :alt: **Figure 1** Accessing the log stream page
@@ -58,20 +57,18 @@ Procedure
 
       **Figure 3** Select Log Event
 
-#. In the **Step 2 Extract fields** area, click **Intelligent Extraction** and enable (|image4|) quick analysis for the log field you want to analyze (for example, **remote_ip**) as shown in :ref:`Figure 4 <waf_06_0028__fig70238181820>`.
+#. In the **Step 2 Extract fields** area, click **Intelligent Extraction** and enable quick analysis for the log field you want to analyze (for example, **remote_ip**).
 
    **remote_IP**: IP address of a client from which the request originates.
 
-   .. _waf_06_0028__fig70238181820:
 
    .. figure:: /_static/images/en-us_image_0000001192348152.png
       :alt: **Figure 4** Selecting log fields for quick analysis
 
       **Figure 4** Selecting log fields for quick analysis
 
-#. Click **Save**. Then, LTS will start a quick analysis and do statistics for logs collected in a certain period. :ref:`Figure 5 <waf_06_0028__fig1955422842214>` shows an example.
+#. Click **Save**. Then, LTS will start a quick analysis and do statistics for logs collected in a certain period.
 
-   .. _waf_06_0028__fig1955422842214:
 
    .. figure:: /_static/images/en-us_image_0000001192109594.png
       :alt: **Figure 5** Quickly analysis of access logs
@@ -87,4 +84,3 @@ Procedure
 .. |image1| image:: /_static/images/en-us_image_0000001192435242.jpg
 .. |image2| image:: /_static/images/en-us_image_0000001237195219.png
 .. |image3| image:: /_static/images/en-us_image_0000001237388053.png
-.. |image4| image:: /_static/images/en-us_image_0000001236914655.png

doc/best-practice/source/verifying_a_global_protection_whitelist_formerly_false_alarm_masking_rule_by_simulating_requests_with_postman.rst

@@ -39,7 +39,7 @@ Procedure
 
    e. On the **Events** page, WAF **010000** rule for **XSS Attack** is hit.
 
-   f. In the row containing the event, click **Handle False Alarm** in the **Operation** column.
+   f. In the row containing the event, click **More** > **Handle False Alarm** in the **Operation** column.
 
    g. In the **Handle False Alarm** dialog box, add a global protection whitelist (formerly false alarm masking) rule as shown in :ref:`Figure 1 <waf_06_0029__fig20814122652012>`.