diff --git a/umn/source/_static/images/en-us_image_0234013368.png b/umn/source/_static/images/en-us_image_0000001074633189.png similarity index 100% rename from umn/source/_static/images/en-us_image_0234013368.png rename to umn/source/_static/images/en-us_image_0000001074633189.png diff --git a/umn/source/_static/images/en-us_image_0000001074658084.png b/umn/source/_static/images/en-us_image_0000001074658084.png new file mode 100644 index 0000000..7395b77 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001074658084.png differ diff --git a/umn/source/_static/images/en-us_image_0000001076524573.png b/umn/source/_static/images/en-us_image_0000001076524573.png new file mode 100644 index 0000000..fec4196 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001076524573.png differ diff --git a/umn/source/_static/images/en-us_image_0000001119487028.png b/umn/source/_static/images/en-us_image_0000001119487028.png deleted file mode 100644 index 8f1d810..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001119487028.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001260399509.jpg b/umn/source/_static/images/en-us_image_0000001133216533.jpg similarity index 100% rename from umn/source/_static/images/en-us_image_0000001260399509.jpg rename to umn/source/_static/images/en-us_image_0000001133216533.jpg diff --git a/umn/source/_static/images/en-us_image_0000001182095000.png b/umn/source/_static/images/en-us_image_0000001182095000.png deleted file mode 100644 index 38889db..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001182095000.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001488605878.jpg b/umn/source/_static/images/en-us_image_0000001188966422.jpg similarity index 100% rename from umn/source/_static/images/en-us_image_0000001488605878.jpg rename to umn/source/_static/images/en-us_image_0000001188966422.jpg 
diff --git a/umn/source/_static/images/en-us_image_0000001224193241.jpg b/umn/source/_static/images/en-us_image_0000001224193241.jpg deleted file mode 100644 index cc595ad..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001224193241.jpg and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001225545453.png b/umn/source/_static/images/en-us_image_0000001225545453.png new file mode 100644 index 0000000..b6dfa2c Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001225545453.png differ diff --git a/umn/source/_static/images/en-us_image_0000001275434812.png b/umn/source/_static/images/en-us_image_0000001275434812.png deleted file mode 100644 index 930cfd6..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001275434812.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001285430612.png b/umn/source/_static/images/en-us_image_0000001285430612.png deleted file mode 100644 index d3181e0..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001285430612.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001285485922.png b/umn/source/_static/images/en-us_image_0000001285485922.png deleted file mode 100644 index 5484b02..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001285485922.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001285486134.png b/umn/source/_static/images/en-us_image_0000001285486134.png deleted file mode 100644 index 103b38c..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001285486134.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001285588948.png b/umn/source/_static/images/en-us_image_0000001285588948.png deleted file mode 100644 index d9fa5b4..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001285588948.png and /dev/null differ 
diff --git a/umn/source/_static/images/en-us_image_0000001285643550.png b/umn/source/_static/images/en-us_image_0000001285643550.png new file mode 100644 index 0000000..1cc4085 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001285643550.png differ diff --git a/umn/source/_static/images/en-us_image_0000001286061432.png b/umn/source/_static/images/en-us_image_0000001286061432.png new file mode 100644 index 0000000..004f239 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001286061432.png differ diff --git a/umn/source/_static/images/en-us_image_0000001326514597.png b/umn/source/_static/images/en-us_image_0000001326514597.png deleted file mode 100644 index 6e43f2e..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001326514597.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001327191500.png b/umn/source/_static/images/en-us_image_0000001327191500.png deleted file mode 100644 index 824f1e8..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001327191500.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001327470582.png b/umn/source/_static/images/en-us_image_0000001327470582.png deleted file mode 100644 index 86931c5..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001327470582.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001493489874.jpg b/umn/source/_static/images/en-us_image_0000001335953214.jpg similarity index 100% rename from umn/source/_static/images/en-us_image_0000001493489874.jpg rename to umn/source/_static/images/en-us_image_0000001335953214.jpg diff --git a/umn/source/_static/images/en-us_image_0000001336165028.png b/umn/source/_static/images/en-us_image_0000001336165028.png new file mode 100644 index 0000000..2fd6b81 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001336165028.png differ 
diff --git a/umn/source/_static/images/en-us_image_0000001337771401.png b/umn/source/_static/images/en-us_image_0000001337771401.png deleted file mode 100644 index 5d69d7c..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001337771401.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001337772549.png b/umn/source/_static/images/en-us_image_0000001337772549.png deleted file mode 100644 index 016ae82..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001337772549.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001337887457.png b/umn/source/_static/images/en-us_image_0000001337887457.png deleted file mode 100644 index 6f8569b..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001337887457.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001337958950.png b/umn/source/_static/images/en-us_image_0000001337958950.png deleted file mode 100644 index 0ef639f..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001337958950.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001338097417.png b/umn/source/_static/images/en-us_image_0000001338097417.png deleted file mode 100644 index 0bbcc97..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001338097417.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001287947022.png b/umn/source/_static/images/en-us_image_0000001340308381.png similarity index 100% rename from umn/source/_static/images/en-us_image_0000001287947022.png rename to umn/source/_static/images/en-us_image_0000001340308381.png diff --git a/umn/source/_static/images/en-us_image_0000001493806486.jpg b/umn/source/_static/images/en-us_image_0000001368128877.jpg similarity index 100% rename from umn/source/_static/images/en-us_image_0000001493806486.jpg rename to umn/source/_static/images/en-us_image_0000001368128877.jpg 
diff --git a/umn/source/_static/images/en-us_image_0000001377911005.png b/umn/source/_static/images/en-us_image_0000001377911005.png deleted file mode 100644 index 38459a0..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001377911005.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001493990116.jpg b/umn/source/_static/images/en-us_image_0000001379513829.jpg similarity index 100% rename from umn/source/_static/images/en-us_image_0000001493990116.jpg rename to umn/source/_static/images/en-us_image_0000001379513829.jpg diff --git a/umn/source/_static/images/en-us_image_0000001379638185.jpg b/umn/source/_static/images/en-us_image_0000001379638185.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001379638185.jpg differ diff --git a/umn/source/_static/images/en-us_image_0000001539325965.png b/umn/source/_static/images/en-us_image_0000001379794013.png similarity index 100% rename from umn/source/_static/images/en-us_image_0000001539325965.png rename to umn/source/_static/images/en-us_image_0000001379794013.png diff --git a/umn/source/_static/images/en-us_image_0000001388786649.png b/umn/source/_static/images/en-us_image_0000001388786649.png deleted file mode 100644 index 309cc70..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001388786649.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001395650509.png b/umn/source/_static/images/en-us_image_0000001395650509.png deleted file mode 100644 index 20937af..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001395650509.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001395732757.png b/umn/source/_static/images/en-us_image_0000001395732757.png deleted file mode 100644 index 89ada9e..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001395732757.png and /dev/null differ 
diff --git a/umn/source/_static/images/en-us_image_0000001402328652.jpg b/umn/source/_static/images/en-us_image_0000001402328652.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001402328652.jpg differ diff --git a/umn/source/_static/images/en-us_image_0000001427503477.png b/umn/source/_static/images/en-us_image_0000001427503477.png deleted file mode 100644 index a16b512..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001427503477.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001191376107.jpg b/umn/source/_static/images/en-us_image_0000001481923368.jpg similarity index 100% rename from umn/source/_static/images/en-us_image_0000001191376107.jpg rename to umn/source/_static/images/en-us_image_0000001481923368.jpg diff --git a/umn/source/_static/images/en-us_image_0000001482832030.jpg b/umn/source/_static/images/en-us_image_0000001482832030.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001482832030.jpg differ diff --git a/umn/source/_static/images/en-us_image_0000001483010166.jpg b/umn/source/_static/images/en-us_image_0000001483010166.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001483010166.jpg differ diff --git a/umn/source/_static/images/en-us_image_0000001483011470.jpg b/umn/source/_static/images/en-us_image_0000001483011470.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001483011470.jpg differ diff --git a/umn/source/_static/images/en-us_image_0000001519222274.png b/umn/source/_static/images/en-us_image_0000001519222274.png new file mode 100644 index 0000000..25b8034 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001519222274.png differ 
diff --git a/umn/source/_static/images/en-us_image_0000001529293989.png b/umn/source/_static/images/en-us_image_0000001529293989.png deleted file mode 100644 index 3fcf4c4..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001529293989.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001533330749.jpg b/umn/source/_static/images/en-us_image_0000001533330749.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001533330749.jpg differ diff --git a/umn/source/_static/images/en-us_image_0000001533970929.png b/umn/source/_static/images/en-us_image_0000001533970929.png deleted file mode 100644 index 2133581..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001533970929.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001545291713.png b/umn/source/_static/images/en-us_image_0000001545291713.png new file mode 100644 index 0000000..f9bbd75 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001545291713.png differ diff --git a/umn/source/_static/images/en-us_image_0000001556300637.png b/umn/source/_static/images/en-us_image_0000001556300637.png new file mode 100644 index 0000000..e0fd836 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001556300637.png differ diff --git a/umn/source/_static/images/en-us_image_0000001288099090.png b/umn/source/_static/images/en-us_image_0000001572891172.png similarity index 100% rename from umn/source/_static/images/en-us_image_0000001288099090.png rename to umn/source/_static/images/en-us_image_0000001572891172.png diff --git a/umn/source/_static/images/en-us_image_0000001586593518.png b/umn/source/_static/images/en-us_image_0000001586593518.png new file mode 100644 index 0000000..05135bb Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001586593518.png differ 
diff --git a/umn/source/_static/images/en-us_image_0000001626813677.png b/umn/source/_static/images/en-us_image_0000001626813677.png new file mode 100644 index 0000000..c25bf5e Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001626813677.png differ diff --git a/umn/source/_static/images/en-us_image_0000001288106950.png b/umn/source/_static/images/en-us_image_0000001652007168.png similarity index 100% rename from umn/source/_static/images/en-us_image_0000001288106950.png rename to umn/source/_static/images/en-us_image_0000001652007168.png diff --git a/umn/source/_static/images/en-us_image_0000001657133813.png b/umn/source/_static/images/en-us_image_0000001657133813.png new file mode 100644 index 0000000..a1f6562 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001657133813.png differ diff --git a/umn/source/_static/images/en-us_image_0000001288266230.png b/umn/source/_static/images/en-us_image_0000001658761758.png similarity index 100% rename from umn/source/_static/images/en-us_image_0000001288266230.png rename to umn/source/_static/images/en-us_image_0000001658761758.png diff --git a/umn/source/_static/images/en-us_image_0000001667743969.png b/umn/source/_static/images/en-us_image_0000001667743969.png new file mode 100644 index 0000000..e497cd6 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001667743969.png differ diff --git a/umn/source/_static/images/en-us_image_0000001675705730.png b/umn/source/_static/images/en-us_image_0000001675705730.png new file mode 100644 index 0000000..726c8e0 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001675705730.png differ diff --git a/umn/source/_static/images/en-us_image_0000001676279753.png b/umn/source/_static/images/en-us_image_0000001676279753.png new file mode 100644 index 0000000..8e83604 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001676279753.png differ 
diff --git a/umn/source/_static/images/en-us_image_0000001677145090.png b/umn/source/_static/images/en-us_image_0000001677145090.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001677145090.png differ diff --git a/umn/source/_static/images/en-us_image_0000001677232290.png b/umn/source/_static/images/en-us_image_0000001677232290.png new file mode 100644 index 0000000..3dbc2f4 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001677232290.png differ diff --git a/umn/source/_static/images/en-us_image_0000001682988666.png b/umn/source/_static/images/en-us_image_0000001682988666.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001682988666.png differ diff --git a/umn/source/_static/images/en-us_image_0000001683533946.png b/umn/source/_static/images/en-us_image_0000001683533946.png new file mode 100644 index 0000000..96f39e0 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001683533946.png differ diff --git a/umn/source/_static/images/en-us_image_0000001683558966.png b/umn/source/_static/images/en-us_image_0000001683558966.png new file mode 100644 index 0000000..2aaa9fc Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001683558966.png differ diff --git a/umn/source/_static/images/en-us_image_0000001683585920.png b/umn/source/_static/images/en-us_image_0000001683585920.png new file mode 100644 index 0000000..ccd7216 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001683585920.png differ diff --git a/umn/source/_static/images/en-us_image_0000001683743464.png b/umn/source/_static/images/en-us_image_0000001683743464.png new file mode 100644 index 0000000..b418f26 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001683743464.png differ 
diff --git a/umn/source/_static/images/en-us_image_0000001683746324.png b/umn/source/_static/images/en-us_image_0000001683746324.png new file mode 100644 index 0000000..e5be086 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001683746324.png differ diff --git a/umn/source/_static/images/en-us_image_0000001683774038.png b/umn/source/_static/images/en-us_image_0000001683774038.png new file mode 100644 index 0000000..3b7eae5 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001683774038.png differ diff --git a/umn/source/_static/images/en-us_image_0000001683894232.png b/umn/source/_static/images/en-us_image_0000001683894232.png new file mode 100644 index 0000000..4e53d4a Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001683894232.png differ diff --git a/umn/source/_static/images/en-us_image_0000001684022218.png b/umn/source/_static/images/en-us_image_0000001684022218.png new file mode 100644 index 0000000..37ed019 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001684022218.png differ diff --git a/umn/source/_static/images/en-us_image_0000001684024078.png b/umn/source/_static/images/en-us_image_0000001684024078.png new file mode 100644 index 0000000..31ed6f3 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001684024078.png differ diff --git a/umn/source/_static/images/en-us_image_0000001684030226.png b/umn/source/_static/images/en-us_image_0000001684030226.png new file mode 100644 index 0000000..5a31de3 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001684030226.png differ diff --git a/umn/source/_static/images/en-us_image_0000001684033930.png b/umn/source/_static/images/en-us_image_0000001684033930.png new file mode 100644 index 0000000..ded1b2f Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001684033930.png differ 
diff --git a/umn/source/_static/images/en-us_image_0000001684085100.png b/umn/source/_static/images/en-us_image_0000001684085100.png new file mode 100644 index 0000000..9848c8f Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001684085100.png differ diff --git a/umn/source/_static/images/en-us_image_0000001684111682.png b/umn/source/_static/images/en-us_image_0000001684111682.png new file mode 100644 index 0000000..5b8e508 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001684111682.png differ diff --git a/umn/source/_static/images/en-us_image_0000001684193230.png b/umn/source/_static/images/en-us_image_0000001684193230.png new file mode 100644 index 0000000..185671d Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001684193230.png differ diff --git a/umn/source/_static/images/en-us_image_0000001684228264.png b/umn/source/_static/images/en-us_image_0000001684228264.png new file mode 100644 index 0000000..ec0fc5e Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001684228264.png differ diff --git a/umn/source/_static/images/en-us_image_0000001684305004.png b/umn/source/_static/images/en-us_image_0000001684305004.png new file mode 100644 index 0000000..1c20eb0 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001684305004.png differ diff --git a/umn/source/_static/images/en-us_image_0000001684444678.png b/umn/source/_static/images/en-us_image_0000001684444678.png new file mode 100644 index 0000000..e35e6f9 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001684444678.png differ diff --git a/umn/source/_static/images/en-us_image_0000001685273988.png b/umn/source/_static/images/en-us_image_0000001685273988.png new file mode 100644 index 0000000..538a3ca Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001685273988.png differ 
diff --git a/umn/source/_static/images/en-us_image_0000001711487817.png b/umn/source/_static/images/en-us_image_0000001711487817.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001711487817.png differ diff --git a/umn/source/_static/images/en-us_image_0000001730827877.png b/umn/source/_static/images/en-us_image_0000001730827877.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001730827877.png differ diff --git a/umn/source/_static/images/en-us_image_0000001731610061.png b/umn/source/_static/images/en-us_image_0000001731610061.png new file mode 100644 index 0000000..15fb884 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001731610061.png differ diff --git a/umn/source/_static/images/en-us_image_0000001731648345.png b/umn/source/_static/images/en-us_image_0000001731648345.png new file mode 100644 index 0000000..55460ac Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001731648345.png differ diff --git a/umn/source/_static/images/en-us_image_0000001731681777.png b/umn/source/_static/images/en-us_image_0000001731681777.png new file mode 100644 index 0000000..92371ac Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001731681777.png differ diff --git a/umn/source/_static/images/en-us_image_0000001731801353.png b/umn/source/_static/images/en-us_image_0000001731801353.png new file mode 100644 index 0000000..92371ac Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001731801353.png differ diff --git a/umn/source/_static/images/en-us_image_0000001731808501.png b/umn/source/_static/images/en-us_image_0000001731808501.png new file mode 100644 index 0000000..c716c49 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001731808501.png differ 
diff --git a/umn/source/_static/images/en-us_image_0000001731887045.png b/umn/source/_static/images/en-us_image_0000001731887045.png new file mode 100644 index 0000000..65e5aff Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001731887045.png differ diff --git a/umn/source/_static/images/en-us_image_0000001731889333.png b/umn/source/_static/images/en-us_image_0000001731889333.png new file mode 100644 index 0000000..c8da88b Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001731889333.png differ diff --git a/umn/source/_static/images/en-us_image_0000001731912757.png b/umn/source/_static/images/en-us_image_0000001731912757.png new file mode 100644 index 0000000..2956ab1 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001731912757.png differ diff --git a/umn/source/_static/images/en-us_image_0000001732014393.png b/umn/source/_static/images/en-us_image_0000001732014393.png new file mode 100644 index 0000000..8afa8bd Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001732014393.png differ diff --git a/umn/source/_static/images/en-us_image_0000001732020137.png b/umn/source/_static/images/en-us_image_0000001732020137.png new file mode 100644 index 0000000..ded1b2f Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001732020137.png differ diff --git a/umn/source/_static/images/en-us_image_0000001732030241.png b/umn/source/_static/images/en-us_image_0000001732030241.png new file mode 100644 index 0000000..67ce12c Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001732030241.png differ diff --git a/umn/source/_static/images/en-us_image_0000001732035733.png b/umn/source/_static/images/en-us_image_0000001732035733.png new file mode 100644 index 0000000..ee833dd Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001732035733.png differ 
diff --git a/umn/source/_static/images/en-us_image_0000001732065117.png b/umn/source/_static/images/en-us_image_0000001732065117.png new file mode 100644 index 0000000..3d7001d Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001732065117.png differ diff --git a/umn/source/_static/images/en-us_image_0000001732089213.png b/umn/source/_static/images/en-us_image_0000001732089213.png new file mode 100644 index 0000000..98e8098 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001732089213.png differ diff --git a/umn/source/_static/images/en-us_image_0000001732142997.png b/umn/source/_static/images/en-us_image_0000001732142997.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001732142997.png differ diff --git a/umn/source/_static/images/en-us_image_0000001732183425.png b/umn/source/_static/images/en-us_image_0000001732183425.png new file mode 100644 index 0000000..04d4e24 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001732183425.png differ diff --git a/umn/source/_static/images/en-us_image_0000001732186817.png b/umn/source/_static/images/en-us_image_0000001732186817.png new file mode 100644 index 0000000..c1dfd71 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001732186817.png differ diff --git a/umn/source/_static/images/en-us_image_0000001732213921.png b/umn/source/_static/images/en-us_image_0000001732213921.png new file mode 100644 index 0000000..b594fd5 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001732213921.png differ diff --git a/umn/source/_static/images/en-us_image_0000001732225393.png b/umn/source/_static/images/en-us_image_0000001732225393.png new file mode 100644 index 0000000..e4cd44d Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001732225393.png differ 
diff --git a/umn/source/_static/images/en-us_image_0000001732267765.png b/umn/source/_static/images/en-us_image_0000001732267765.png new file mode 100644 index 0000000..ef8c37f Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001732267765.png differ diff --git a/umn/source/_static/images/en-us_image_0000001732411573.png b/umn/source/_static/images/en-us_image_0000001732411573.png new file mode 100644 index 0000000..f1016f5 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001732411573.png differ diff --git a/umn/source/_static/images/en-us_image_0000001732417057.png b/umn/source/_static/images/en-us_image_0000001732417057.png new file mode 100644 index 0000000..01ef4d9 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001732417057.png differ diff --git a/umn/source/_static/images/en-us_image_0000001732455909.png b/umn/source/_static/images/en-us_image_0000001732455909.png new file mode 100644 index 0000000..dce5e76 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001732455909.png differ diff --git a/umn/source/_static/images/en-us_image_0000001732479705.png b/umn/source/_static/images/en-us_image_0000001732479705.png new file mode 100644 index 0000000..c61c00f Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001732479705.png differ diff --git a/umn/source/_static/images/en-us_image_0000001732567617.png b/umn/source/_static/images/en-us_image_0000001732567617.png new file mode 100644 index 0000000..955c0d3 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001732567617.png differ diff --git a/umn/source/_static/images/en-us_image_0000001732971653.png b/umn/source/_static/images/en-us_image_0000001732971653.png new file mode 100644 index 0000000..37acdf1 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001732971653.png differ 
diff --git a/umn/source/_static/images/en-us_image_0000001732975481.png b/umn/source/_static/images/en-us_image_0000001732975481.png new file mode 100644 index 0000000..60c2069 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001732975481.png differ diff --git a/umn/source/_static/images/en-us_image_0000001733092845.png b/umn/source/_static/images/en-us_image_0000001733092845.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001733092845.png differ diff --git a/umn/source/_static/images/en-us_image_0000001733107861.png b/umn/source/_static/images/en-us_image_0000001733107861.png new file mode 100644 index 0000000..1330f94 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001733107861.png differ diff --git a/umn/source/_static/images/en-us_image_0149271990.jpg b/umn/source/_static/images/en-us_image_0149271990.jpg new file mode 100644 index 0000000..821271f Binary files /dev/null and b/umn/source/_static/images/en-us_image_0149271990.jpg differ diff --git a/umn/source/_static/images/en-us_image_0169130550.png b/umn/source/_static/images/en-us_image_0169130550.png index c956deb..6b0054c 100644 Binary files a/umn/source/_static/images/en-us_image_0169130550.png and b/umn/source/_static/images/en-us_image_0169130550.png differ diff --git a/umn/source/_static/images/en-us_image_0234084842.png b/umn/source/_static/images/en-us_image_0234084842.png new file mode 100644 index 0000000..b587616 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0234084842.png differ diff --git a/umn/source/_static/images/en-us_image_0246108677.png b/umn/source/_static/images/en-us_image_0246108677.png deleted file mode 100644 index f9390c0..0000000 Binary files a/umn/source/_static/images/en-us_image_0246108677.png and /dev/null differ 
diff --git a/umn/source/_static/images/en-us_image_0274310129.png b/umn/source/_static/images/en-us_image_0274310129.png deleted file mode 100644 index 5da9c22..0000000 Binary files a/umn/source/_static/images/en-us_image_0274310129.png and /dev/null differ diff --git a/umn/source/change_history.rst b/umn/source/change_history.rst index 670f460..c862fb9 100644 --- a/umn/source/change_history.rst +++ b/umn/source/change_history.rst 
@@ -5,13 +5,58 @@ Change History ============== -+-----------------------------------+--------------------------------------------------------------------------------------------------------------+ -| Released On | Description | -+===================================+==============================================================================================================+ -| 2023-03-30 | This issue is the second official release. | -| | | -| | - :ref:`Adding a Reference Table `: Added the description of the function of reference tables. | -| | - Added :ref:`Does WAF Support Two-Way SSL Authentication? ` | -+-----------------------------------+--------------------------------------------------------------------------------------------------------------+ -| 2022-10-30 | This issue is the first official release. | -+-----------------------------------+--------------------------------------------------------------------------------------------------------------+ ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Released On | Description | ++===================================+=============================================================================================================================================================================+ +| 2023-10-30 | This issue is the third official release. | +| | | +| | - Adjusted the document structure. | +| | - Added the following content: | +| | | +| | - :ref:`Service Request/Specification ` | +| | - :ref:`Step 5: Test Dedicated WAF ` | +| | - :ref:`About WAF Protection ` | +| | - :ref:`Can WAF Block Data Packets in multipart/form-data Format? ` | +| | - :ref:`Does a Dedicated WAF Instance Support Cross-VPC Protection? ` | +| | - :ref:`What Are the Differences Between WAF Forwarding and Nginx Forwarding? 
` | +| | - :ref:`Does WAF Block Customized POST Requests? ` | +| | - :ref:`Does WAF Have the IPS Module? ` | +| | - :ref:`Can WAF Defend Against the Apache Struts2 Remote Code Execution Vulnerability (CVE-2021-31805)? ` | +| | - :ref:`Why Does the Vulnerability Scanning Tool Report Disabled Non-standard Ports for My WAF-Protected Website? ` | +| | - :ref:`How Does WAF Block Requests? ` | +| | - :ref:`Can WAF Block Requests When a Certificate Is Mounted on ELB? ` | +| | - :ref:`Does WAF Affect My Existing Workloads and Server Running? ` | +| | - :ref:`How Do I Configure My Server to Allow Only Requests from WAF? ` | +| | - :ref:`Why Do Cookies Contain the HWWAFSESID or HWWAFSESTIME field? ` | +| | - :ref:`How Do I Configure WAF If a Reverse Proxy Server Is Deployed for My Website? ` | +| | - :ref:`Do I Need to Make Some Changes in WAF If the Security Group for Origin Server (Address) Is Changed? ` | +| | - :ref:`Can WAF Protect Multiple Domain Names That Point to the Same Origin Server? ` | +| | - :ref:`What Can I Do If One of Ports on an Origin Server Does Not Require WAF Protection? ` | +| | - :ref:`Do I Need to Import the Certificates That Have Been Uploaded to ELB to WAF? ` | +| | - :ref:`Why Is My Domain Name or IP Address Inaccessible? ` | +| | - :ref:`Why Does WAF Block Normal Requests as Invalid Requests? ` | +| | - :ref:`How Do I Solve the Problem of Excessive Redirection Times? ` | +| | - :ref:`Why Does the Website Login Page Continuously Refreshed After a Domain Name Is Connected to WAF? ` | +| | - :ref:`Why Does the Requested Page Respond Slowly After the HTTP Forwarding Policy Is Configured? ` | +| | - :ref:`Why Is the Requested Page Unable to Load After JavaScript Anti-Crawler Is Enabled? ` | +| | - :ref:`Why Does the Page Fail to Be Refreshed After WTP Is Enabled? ` | +| | - :ref:`What Are the Differences Between Blacklist/Whitelist Rules and Precise Protection Rules on Blocking Access Requests from Specified IP Addresses? 
` | +| | - :ref:`What Do I Do If a Scanner, such as AppScan, Detects that the Cookie Is Missing Secure or HttpOnly? ` | +| | | +| | - Modified the following content: | +| | | +| | - :ref:`Website Settings ` | +| | - :ref:`WAF Operation Guide ` | +| | - :ref:`How to Configure WAF Protection ` | +| | - :ref:`Configuring PCI DSS/3DS Certification Check and Configuring the Minimum TLS Version and Cipher Suite ` | +| | - :ref:`Configuring a CC Attack Protection Rule ` | +| | - :ref:`Dashboard ` | +| | - :ref:`Event Management ` | ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2023-03-30 | This issue is the second official release. | +| | | +| | - :ref:`Creating a Reference Table to Configure Protection Metrics In Batches `: Added the description of the function of reference tables. | +| | - Added :ref:`Does WAF Support Two-Way SSL Authentication? ` | ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 2022-10-30 | This issue is the first official release. | ++-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ diff --git a/umn/source/configuring_protection_policies/how_to_configure_waf_protection.rst b/umn/source/configuring_protection_policies/how_to_configure_waf_protection.rst new file mode 100644 index 0000000..e21ef48 --- /dev/null +++ b/umn/source/configuring_protection_policies/how_to_configure_waf_protection.rst 
@@ -0,0 +1,84 @@ +:original_name: waf_01_0129.html + +.. _waf_01_0129: + +How to Configure WAF Protection +=============================== + +This topic walks you through how to configure WAF protection policies, how WAF engine works, and protection rule priorities. + +Process of Configuring Policies +------------------------------- + +After adding your website to WAF, you can start to configure a protection policy for your website. + ++------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Step | Description | ++========================================================================+=================================================================================================================================================================================================================================================+ +| :ref:`Step 1: (Optional) Adding a Protection Policy ` | After a domain name is added to WAF, WAF automatically applies a protection policy to the domain name. The policy contains the default protection rules of WAF. If you need to use a custom protection policy, you can add a protection policy. | ++------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| :ref:`Step 2: Configuring Rules for a Protection Policy ` | A protection policy is a collection of protection rules. :ref:`Table 1 ` lists the types of protection rules supported by WAF. 
| ++------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| :ref:`Step 3: Adding a Domain Name to a Policy ` | A protection policy can apply to multiple domain names, so you can add more than one domain names to a protection policy you think applicable. | ++------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +.. _waf_01_0129__en-us_topic_0000001271159206_en-us_topic_0199698323_table14874354152011: + +.. table:: **Table 1** Configurable protection rules + + +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------+ + | Protection Rule | Description | Reference | + +==================================================================+====================================================================================================================================================================================================================+===========================================================================================================================+ + | Basic web protection rules | With an extensive reputation database, WAF defends against Open Web Application Security Project (OWASP) top 10 
threats, and detects and blocks threats, such as malicious scanners, IP addresses, and web shells. | :ref:`Configuring Basic Protection Rules to Defend Against Common Web Attacks ` | + +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------+ + | CC attack protection rules | CC attack protection rules can be customized to restrict access to a specific URL on your website based on a unique IP address, cookie, or referer field, mitigating CC attacks. | :ref:`Configuring a CC Attack Protection Rule ` | + +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------+ + | Precise protection rules | You can customize protection rules by combining HTTP headers, cookies, URLs, request parameters, and client IP addresses. 
| :ref:`Configuring Custom Precise Protection Rules ` | + +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------+ + | Blacklist and whitelist rules | You can configure blacklist and whitelist rules to block, log only, or allow access requests from specified IP addresses. | :ref:`Configuring IP Address Blacklist and Whitelist Rules to Block or Allow Specified IP Addresses ` | + +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------+ + | Known attack source rules | These rules can block the IP addresses from which blocked malicious requests originate. These rules are dependent on other rules. | :ref:`Configuring a Known Attack Source Rule to Block Specific Visitors for a Specified Duration ` | + +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------+ + | Geolocation access control rules | You can customize these rules to allow or block requests from a specific country or region. 
| :ref:`Configuring Geolocation Access Control Rules to Block or Allow Requests from Specific Locations ` | + +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------+ + | Web tamper protection rules | You can configure these rules to prevent a static web page from being tampered with. | :ref:`Configuring Web Tamper Protection Rules to Prevent Static Web Pages from Being Tampered With ` | + +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------+ + | Website anti-crawler protection | This function dynamically analyzes website service models and accurately identifies crawler behavior based on data risk control and bot identification systems, such as JS Challenge. | :ref:`Configuring Anti-Crawler Rules ` | + +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------+ + | Information leakage prevention rules | You can add two types of information leakage prevention rules. 
| :ref:`Configuring Information Leakage Prevention Rules to Protect Sensitive Information form Leakage ` | + | | | | + | | - Sensitive information filtering: prevents disclosure of sensitive information (such as ID numbers, phone numbers, and email addresses). | | + | | - Response code interception: blocks the specified HTTP status codes. | | + +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------+ + | Global protection whitelist (formerly false alarm masking) rules | You can configure these rules to let WAF ignore certain rules for specific requests. | :ref:`Configuring a Global Protection Whitelist (Formerly False Alarm Masking) Rule to Ignore False Alarms ` | + +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------+ + | Data masking rules | You can configure data masking rules to prevent sensitive data such as passwords from being displayed in event logs. 
| :ref:`Configuring Data Masking Rules to Prevent Privacy Information Leakage ` | + +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------+ + +How WAF Engine Works +-------------------- + +The built-in protection rules of WAF help you defend against common web application attacks, including XSS attacks, SQL injection, crawlers, and web shells. You can customize protection rules to let WAF better protect your website services using these custom rules. :ref:`Figure 1 ` shows how WAF engine built-in protection rules work. :ref:`Figure 2 ` shows the detection sequence of user-defined rules. + +.. _waf_01_0129__en-us_topic_0000001271159206_en-us_topic_0199698323_fig1628214208241: + +.. figure:: /_static/images/en-us_image_0000001286548588.png + :alt: **Figure 1** WAF engine work process + + **Figure 1** WAF engine work process + +.. _waf_01_0129__en-us_topic_0000001271159206_en-us_topic_0199698323_fig2084820326445: + +.. figure:: /_static/images/en-us_image_0000001338628737.png + :alt: **Figure 2** Priorities of custom protection rules + + **Figure 2** Priorities of custom protection rules + +Response actions + +- Pass: The current request is unconditionally permitted after a protection rule is matched. +- Block: The current request is blocked after a rule is matched. +- CAPTCHA: The system will perform human-machine verification after a rule is matched. +- Redirect: The system will notify you to redirect the request after a rule is matched. +- Log: Only attack information is recorded after a rule is matched. +- Mask: The system will anonymize sensitive information after a rule is matched. 
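Review bot: in the new "How WAF Engine Works" section of how_to_configure_waf_protection.rst, the rule evaluation order exists only as images. Figure 1 and Figure 2 have alt text that repeats the caption, and the "Response actions" list that follows never says how an action affects the rules that come after it. Operators will read "Pass: The current request is unconditionally permitted after a protection rule is matched" to decide what an allow rule skips, so please add the priority order from Figure 2 as a text list and state whether Pass and Block stop further rule evaluation. "Response actions" has no heading underline or emphasis and will render as a one-line paragraph; make it a subsection or a bold lead-in. Two wording fixes in the same hunk: "Protect Sensitive Information form Leakage" in the Table 1 reference should read "from", and "Redirect: The system will notify you to redirect the request" does not say who is redirected or where.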
diff --git a/umn/source/configuring_protection_policies/index.rst b/umn/source/configuring_protection_policies/index.rst new file mode 100644 index 0000000..9347871 --- /dev/null +++ b/umn/source/configuring_protection_policies/index.rst @@ -0,0 +1,22 @@ +:original_name: waf_01_0055.html + +.. _waf_01_0055: + +Configuring Protection Policies +=============================== + +- :ref:`How to Configure WAF Protection ` +- :ref:`Step 1: (Optional) Adding a Protection Policy ` +- :ref:`Step 2: Configuring Rules for a Protection Policy ` +- :ref:`Step 3: Adding a Domain Name to a Policy ` +- :ref:`(Optional) Adding Rules to One or More Policies ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + how_to_configure_waf_protection + step_1_optional_adding_a_protection_policy + step_2_configuring_rules_for_a_protection_policy/index + step_3_adding_a_domain_name_to_a_policy + optional_adding_rules_to_one_or_more_policies diff --git a/umn/source/policy_management/adding_rules_to_one_or_more_policies.rst b/umn/source/configuring_protection_policies/optional_adding_rules_to_one_or_more_policies.rst similarity index 90% rename from umn/source/policy_management/adding_rules_to_one_or_more_policies.rst rename to umn/source/configuring_protection_policies/optional_adding_rules_to_one_or_more_policies.rst index 947aaa8..6d4cc83 100644 --- a/umn/source/policy_management/adding_rules_to_one_or_more_policies.rst +++ b/umn/source/configuring_protection_policies/optional_adding_rules_to_one_or_more_policies.rst @@ -2,8 +2,8 @@ .. _waf_01_0061: -Adding Rules to One or More Policies -==================================== +(Optional) Adding Rules to One or More Policies +=============================================== This topic describes how to add rules to one or more policies. 
@@ -45,9 +45,15 @@ Procedure #. Select one or more policies from the **Policy Name** drop-down list. + + .. figure:: /_static/images/en-us_image_0000001732213921.png + :alt: **Figure 3** Adding a rule to one or more policies + + **Figure 3** Adding a rule to one or more policies + #. Set other parameters. - - To add a CC attack protection rule, see :ref:`Table 1 `. + - To add a CC attack protection rule, see :ref:`Table 1 `. - To add a precise protection rule, see :ref:`Table 1 `. - To add a blacklist or whitelist rule, see :ref:`Table 1 `. - To add a geolocation access control rule, see :ref:`Table 1 `. diff --git a/umn/source/policy_management/creating_a_protection_policy.rst b/umn/source/configuring_protection_policies/step_1_optional_adding_a_protection_policy.rst similarity index 95% rename from umn/source/policy_management/creating_a_protection_policy.rst rename to umn/source/configuring_protection_policies/step_1_optional_adding_a_protection_policy.rst index 9a1b039..d6179cd 100644 --- a/umn/source/policy_management/creating_a_protection_policy.rst +++ b/umn/source/configuring_protection_policies/step_1_optional_adding_a_protection_policy.rst @@ -2,8 +2,8 @@ .. _waf_01_0074: -Creating a Protection Policy -============================ +Step 1: (Optional) Adding a Protection Policy +============================================= A policy is a combination of rules, such as basic web protection, blacklist, whitelist, and precise protection rules. A policy can be applied to multiple domain names, but only one policy can be used for a domain name. This topic describes how to add a policy to your WAF instance. diff --git a/umn/source/configuring_protection_policies/step_2_configuring_rules_for_a_protection_policy/condition_field_description.rst b/umn/source/configuring_protection_policies/step_2_configuring_rules_for_a_protection_policy/condition_field_description.rst new file mode 100644 index 0000000..6f114fa --- /dev/null 
+++ b/umn/source/configuring_protection_policies/step_2_configuring_rules_for_a_protection_policy/condition_field_description.rst 
@@ -0,0 +1,72 @@ +:original_name: waf_01_3271.html + +.. _waf_01_3271: + +Condition Field Description +=========================== + +When setting a CC attack protection rule, precise access protection rule, or global whitelist rule, you need to configure condition fields in the rule to define the request attributes to trigger the rule. This topic describes the fields that you can specify in conditions to trigger a rule. + +What Is a Condition Field? +-------------------------- + +A condition field specifies the request attribute WAF checks against protection rules. When configuring a :ref:`CC attack protection rule `, :ref:`precise access protection rule `, or :ref:`global protection whitelist (formerly false alarm masking) rule `, you can define condition fields to specify request attributes to trigger the rule. If a request meets the conditions set in a rule, the request matches the rule. WAF handles the request based on the action (for example, allow, block, or log only) set in the rule. + + +.. figure:: /_static/images/en-us_image_0000001675705730.png + :alt: **Figure 1** Condition field + + **Figure 1** Condition field + +A condition field consists of the field, logic, and content. Example: + +- Example 1: If **Field** is set to **Path**, **logic** to **Include**, and **Content** to **/admin**, a request matches the rule when the requested path contains /admin. +- Example 2: If **Field** is set to **IP**, **Logic** to **Equal to**, and **Content** to **192.XX.XX.3**, a request matches the rule when the client IP address is 192.XX.XX.3. + +Supported Condition Fields +-------------------------- + +.. _waf_01_3271__table13543174312394: + +.. 
table:: **Table 1** Condition list configurations + + +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+----------------------------------------------------------------------------+-------------------------------------------------------------------------------------------+ + | Field | Subfield | Logic | Content (Example) | + +==================================================================================================================================================================================================+=================+============================================================================+===========================================================================================+ + | **Path**: Part of a URL that does not include a domain name. This value supports exact matches only. For example, if the path to be protected is **/admin**, **Path** must be set to **/admin**. | -- | Select the desired logical relationship from the **Logic** drop-down list. | */buy/phone/* | + | | | | | + | | | | .. important:: | + | | | | | + | | | | NOTICE: | + | | | | | + | | | | - If **Path** is set to **/**, all paths of the website are protected. 
| + | | | | - The path content cannot contain the following special characters: (``' "<>&*#%\?``) | + +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+----------------------------------------------------------------------------+-------------------------------------------------------------------------------------------+ + | **User Agent**: A user agent of the scanner to be protected | -- | | *Mozilla/5.0 (Windows NT 6.1)* | + +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+----------------------------------------------------------------------------+-------------------------------------------------------------------------------------------+ + | **IP**: An IP address of the visitor to be protected. 
| -- | | XXX.XXX.1.1 | + +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+----------------------------------------------------------------------------+-------------------------------------------------------------------------------------------+ + | **Params**: A request parameter to be protected | - All fields | | 201901150929 | + | | - Any subfield | | | + | | - Custom | | | + +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+----------------------------------------------------------------------------+-------------------------------------------------------------------------------------------+ + | **Referer**: A user-defined request resource | -- | | http://www.test.com | + | | | | | + | For example, if the protected path is **/admin/xxx** and you do not want visitors to access the page from **www.test.com**, set **Content** to **http://www.test.com**. 
| | | | + +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+----------------------------------------------------------------------------+-------------------------------------------------------------------------------------------+ + | **Cookie**: A small piece of data to identify web visitors | - All fields | | jsessionid | + | | - Any subfield | | | + | | - Custom | | | + +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+----------------------------------------------------------------------------+-------------------------------------------------------------------------------------------+ + | **Header**: A user-defined HTTP header | - All fields | | *text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8* | + | | - Any subfield | | | + | | - Custom | | | + +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+----------------------------------------------------------------------------+-------------------------------------------------------------------------------------------+ + | **Method**: the user-defined request method. 
| -- | | **GET**, **POST**, **PUT**, **DELETE**, and **PATCH** | + +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+----------------------------------------------------------------------------+-------------------------------------------------------------------------------------------+ + | **Request Line**: Length of a user-defined request line. | -- | | 50 | + +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+----------------------------------------------------------------------------+-------------------------------------------------------------------------------------------+ + | **Request**: Length of a user-defined request. It includes the request header, request line, and request body. | -- | | -- | + +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+----------------------------------------------------------------------------+-------------------------------------------------------------------------------------------+ + | **Protocol**: the protocol of the request. | -- | | http | + +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+----------------------------------------------------------------------------+-------------------------------------------------------------------------------------------+ 
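Review bot: the **Path** row of Table 1 in condition_field_description.rst says "This value supports exact matches only", which contradicts Example 1 earlier in the same file, where **Path** with **Include** matches "when the requested path contains /admin", and the Logic column, which tells the reader to pick a relationship from the drop-down. Please state which behaviour is correct, because the two readings give different answers on whether a rule written for /admin also covers /admin/xxx. In the **Header** row the example value is wrapped in single asterisks while itself containing "*/*", which is likely to end the reStructuredText emphasis early; use an inline literal for that value. Smaller points: Example 1 writes **logic** in lower case where Example 2 and the table use **Logic**; **Request Line** and **Request** are described as lengths but the example value 50 carries no unit; and the Referer example uses www.test.com, which is not a reserved documentation domain, where example.com is.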
diff --git a/umn/source/configuring_protection_policies/step_2_configuring_rules_for_a_protection_policy/configuring_a_cc_attack_protection_rule.rst b/umn/source/configuring_protection_policies/step_2_configuring_rules_for_a_protection_policy/configuring_a_cc_attack_protection_rule.rst new file mode 100644 index 0000000..4f45481 --- /dev/null +++ b/umn/source/configuring_protection_policies/step_2_configuring_rules_for_a_protection_policy/configuring_a_cc_attack_protection_rule.rst 
@@ -0,0 +1,175 @@ +:original_name: waf_01_0009.html + +.. _waf_01_0009: + +Configuring a CC Attack Protection Rule +======================================= + +CC attack protection can limit the access to a protected website based on a single IP address, cookie, or referer. To use this protection, ensure that you have toggled on **CC Attack Protection**). + +A reference table can be added to a CC attack protection rule. The reference table takes effect for all protected domain names. + +.. note:: + + If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the project from the **Enterprise Project** drop-down list and configure protection policies for the domain names in the project. + +Prerequisites +------------- + +A website has been added to WAF. + +Constraints +----------- + +- It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the **Events** page. +- If you set **Logic** to **Include any value**, **Exclude any value**, **Equal to any value**, **Not equal to any value**, **Prefix is any value**, **Prefix is not any of them**, **Suffix is any value**, or **Suffix is not any of them**, select an existing reference table. For details, see :ref:`Creating a Reference Table to Configure Protection Metrics In Batches `. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane on the left, choose **Policies**. + +#. Click the name of the target policy to go to the protection configuration page. + +#. 
In the **CC Attack Protection** configuration area, change **Status** if needed and click **Customize Rule** to go to the **CC Attack Protection** page. + + + .. figure:: /_static/images/en-us_image_0000001731808501.png + :alt: **Figure 1** CC Attack Protection configuration area + + **Figure 1** CC Attack Protection configuration area + +#. In the upper left corner of the **CC Attack Protection** page, click **Add Rule**. + +#. In the displayed dialog box, configure a CC attack protection rule by referring to :ref:`Table 1 `. + + + .. figure:: /_static/images/en-us_image_0000001683774038.png + :alt: **Figure 2** Adding a CC attack protection rule + + **Figure 2** Adding a CC attack protection rule + + .. _waf_01_0009__table480817611214: + + .. table:: **Table 1** Rule parameters + + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------+ + | Parameter | Description | Example Value | + +=======================+=====================================================================================================================================================================================================================================================================================================================================================================================================+=============================================================================================+ + | Rule Description | A brief description of the rule. This parameter is optional. 
| -- | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------+ + | Rate Limit Mode | - **Per IP address**: A website visitor is identified by the IP address. | -- | + | | - **Per user**: A website visitor is identified by the key value of **Cookie** or **Header**. | | + | | - **Other**: A website visitor is identified by the Referer field (user-defined request source). | | + | | | | + | | .. note:: | | + | | | | + | | If you set **Rate Limit Mode** to **Other**, set **Content** of **Referer** to a complete URL containing the domain name. The **Content** field supports prefix match and exact match only, but cannot contain two or more consecutive slashes, for example, **///admin**. If you enter **///admin**, WAF will convert it to **/admin**. | | + | | | | + | | For example, if you do not want visitors to access www.test.com, set **Referer** to **http://www.test.com**. | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------+ + | User Identifier | This parameter is mandatory when you select **Per user** for **Rate Limit Mode**. 
| name | + | | | | + | | - **Cookie**: A cookie field name. You need to configure an attribute variable name in the cookie that can uniquely identify a web visitor based on your website requirements. This field does not support regular expressions. Only complete matches are supported. | | + | | | | + | | For example, if a website uses the **name** field in the cookie to uniquely identify a website visitor, select **name**. | | + | | | | + | | - **Header**: Set the user-defined HTTP header you want to protect. You need to configure the HTTP header that can identify web visitors based on your website requirements. | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------+ + | Trigger | Click **Add** to add conditions. At least one condition is required, but up to 30 conditions are allowed. If you add more than one condition, the rule will only take effect if all of the conditions are met. | **Path** **Include** **/admin** | + | | | | + | | - **Field**: The options are **Path**, **IPv4**, **Cookie**, **Header**, and **Params**. | | + | | - **Subfield**: Configure this field only when **IPv4**, **Cookie**, **Header**, or **Params** is selected for **Field**. | | + | | | | + | | .. important:: | | + | | | | + | | NOTICE: | | + | | The length of a subfield cannot exceed 2,048 bytes. Only digits, letters, underscores (_), and hyphens (-) are allowed. | | + | | | | + | | - **Logic**: Select a logical relationship from the drop-down list. | | + | | | | + | | .. 
note:: | | + | | | | + | | If you set **Logic** to **Include any value**, **Exclude any value**, **Equal to any value**, **Not equal to any value**, **Prefix is any value**, **Prefix is not any of them**, **Suffix is any value**, or **Suffix is not any of them**, select an existing reference table. For details, see :ref:`Creating a Reference Table to Configure Protection Metrics In Batches `. | | + | | | | + | | - **Content**: Enter or select the content that matches the condition. | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------+ + | Rate Limit | The number of requests allowed from a website visitor in the rate limit period. If the number of requests exceeds the rate limit, WAF takes the action you configure for **Protective Action**. | **10** requests allowed in **60** seconds | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------+ + | Protective Action | The action that WAF will take if the number of requests exceeds **Rate Limit** you configured. 
The options are as follows: | Block | + | | | | + | | - **Verification code**: WAF allows requests that trigger the rule as long as your website visitors complete the required verification. | | + | | - **Block**: WAF blocks requests that trigger the rule. | | + | | - **Block dynamically**: WAF blocks requests that trigger the rule based on **Allowable Frequency**, which you configure after the first rate limit period is over. | | + | | - **Log only**: WAF only logs requests that trigger the rule. You can :ref:`download events data ` and view the protection logs of the domain name. | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------+ + | Allowable Frequency | This parameter can be set if you select **Block dynamically** for **Protective Action**. | **8** requests allowed in **60** seconds | + | | | | + | | WAF blocks requests that trigger the rule based on **Rate Limit** first. Then, in the following rate limit period, WAF blocks requests that trigger the rule based on **Allowable Frequency** you configure. | | + | | | | + | | **Allowable Frequency** cannot be larger than **Rate Limit**. | | + | | | | + | | .. note:: | | + | | | | + | | If you set **Allowable Frequency** to **0**, WAF blocks all requests that trigger the rule in the next rate limit period. 
| | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------+ + | Block Duration | Period of time for which to block the item when you set **Protective Action** to **Block**. | **600** seconds | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------+ + | Block Page | The page displayed if the request limit has been reached. This parameter is configured only when **Protective Action** is set to **Block**. | Custom | + | | | | + | | - If you select **Default settings**, the default block page is displayed. | | + | | - If you select **Custom**, a custom error message is displayed. 
| | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------+ + | Block Page Type | If you select **Custom** for **Block Page**, select a type of the block page among options **application/json**, **text/html**, and **text/xml**. | text/html | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------+ + | Page Content | If you select **Custom** for **Block Page**, configure the content to be returned. 
| Page content styles corresponding to different page types are as follows: | + | | | | + | | | - **text/html**: Forbidden | + | | | - **application/json**: {"msg": "Forbidden"} | + | | | - **text/xml**: Forbidden | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------+ + +#. Click **OK**. You can then view the added CC attack protection rule in the CC rule list. + + - To disable a rule, click **Disable** in the **Operation** column of the rule. The default **Rule Status** is **Enabled**. + - To modify a rule, click **Modify** in the row containing the rule. + - To delete a rule, click **Delete** in the row containing the rule. + +Configuration Example - Verification Code +----------------------------------------- + +If domain name **www.example.com** has been connected to WAF, perform the following steps to verify that WAF CAPTCHA verification is enabled. + +#. Add a CC attack protection rule with **Protection Action** set to **Verification code**. + + + .. figure:: /_static/images/en-us_image_0000001731912757.png + :alt: **Figure 3** Verification code + + **Figure 3** Verification code + +#. Enable CC attack protection. + + + .. figure:: /_static/images/en-us_image_0000001731808501.png + :alt: **Figure 4** CC Attack Protection configuration area + + **Figure 4** CC Attack Protection configuration area + +#. Clear the browser cache and access http://www.example.com/admin/. + + If you access the page 10 times within 60 seconds, a verification code is required when you attempt to access the page for the eleventh time. 
You need to enter the verification code to continue the access. + + |image3| + +#. Go to the WAF console. In the navigation pane on the left, choose **Events**. View the event on the **Events** page. + +.. |image1| image:: /_static/images/en-us_image_0000001402328652.jpg +.. |image2| image:: /_static/images/en-us_image_0000001658761758.png +.. |image3| image:: /_static/images/en-us_image_0000001481923368.jpg diff --git a/umn/source/rule_configuration/configuring_a_global_protection_whitelist_formerly_false_alarm_masking_rule.rst b/umn/source/configuring_protection_policies/step_2_configuring_rules_for_a_protection_policy/configuring_a_global_protection_whitelist_formerly_false_alarm_masking_rule_to_ignore_false_alarms.rst similarity index 62% rename from umn/source/rule_configuration/configuring_a_global_protection_whitelist_formerly_false_alarm_masking_rule.rst rename to umn/source/configuring_protection_policies/step_2_configuring_rules_for_a_protection_policy/configuring_a_global_protection_whitelist_formerly_false_alarm_masking_rule_to_ignore_false_alarms.rst index 86bbd37..be5bae9 100644 --- a/umn/source/rule_configuration/configuring_a_global_protection_whitelist_formerly_false_alarm_masking_rule.rst +++ b/umn/source/configuring_protection_policies/step_2_configuring_rules_for_a_protection_policy/configuring_a_global_protection_whitelist_formerly_false_alarm_masking_rule_to_ignore_false_alarms.rst 
@@ -2,16 +2,22 @@ .. _waf_01_0016: -Configuring a Global Protection Whitelist (Formerly False Alarm Masking) Rule -============================================================================= +Configuring a Global Protection Whitelist (Formerly False Alarm Masking) Rule to Ignore False Alarms +==================================================================================================== Once an attack hits a WAF basic web protection rule or a feature-library anti-crawler rule, WAF will respond to the attack immediately according to the protective action (**Log only** or **Block**) you configured for the rule and display an event on the **Events** page. +When WAF detects a malicious attack that matches the basic web protection rule or custom rules you configure, it processes the attack event based on the protective action in the hit rule. + You can add false alarm masking rules to let WAF ignore certain rule IDs or event types (for example, skip XSS checks for a specific URL). - If you select **All protection** for **Ignore WAF Protection**, all WAF rules do not take effect, and WAF allows all request traffic to the domain names in the rule. - If you select **Basic Web Protection** for **Ignore WAF Protection**, you can ignore basic web protection by rule ID, attack type, or all built-in rules. For example, if XSS check is not required for a URL, you can whitelist XSS rule. +.. note:: + + If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the project from the **Enterprise Project** drop-down list and configure protection policies for the domain names in the project. + Prerequisites ------------- 
@@ -43,9 +49,9 @@ Procedure #. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. -#. In the navigation pane on the left, choose **Website Settings**. +#. In the navigation pane on the left, choose **Policies**. -#. In the **Policy** column of the row containing the target website, click the number to go to the **Policies** page. +#. Click the name of the target policy to go to the protection configuration page. #. In the **Global Protection Whitelist (Formerly False Alarm Masking)** configuration area, click **Status** if needed. Then, click **Customize Rule**. 
@@ -69,66 +75,66 @@ Procedure .. table:: **Table 1** Parameters - +-------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ - | Parameter | Description | Example Value | - +=========================+===========================================================================================================================================================================================================================================================================================================================================================================+============================================+ - | Scope | - **All domain names**: By default, this rule will be used to all domain names that are protected by the current policy. | Specified domain names | - | | - **Specified domain names**: This rule will be used to the specified domain names that match the wildcard domain name being protected by the current policy. | | - +-------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ - | Domain Name | This parameter is mandatory when you select **Specified domain names** for **Scope**. | www.example.com | - | | | | - | | Enter a single domain name that matches the wildcard domain name being protected by the current policy. 
| | - +-------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ - | Condition List | Click **Add** to add conditions. At least one condition needs to be added. You can add up to 30 conditions to a protection rule. If more than one condition is added, all of the conditions must be met for the rule to be applied. A condition includes the following parameters: | Path, Include, /product | - | | | | - | | Parameters for configuring a condition are described as follows: | | - | | | | - | | - Field | | - | | - **Subfield**: Configure this field only when **Params**, **Cookie**, or **Header** is selected for **Field**. | | - | | | | - | | .. important:: | | - | | | | - | | NOTICE: | | - | | The length of a subfield cannot exceed 2,048 bytes. Only digits, letters, underscores (_), and hyphens (-) are allowed. | | - | | | | - | | - **Logic**: Select a logical relationship from the drop-down list. | | - | | - **Content**: Enter or select the content that matches the condition. | | - +-------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ - | Ignore WAF Protection | - **All protection**: All WAF rules do not take effect, and WAF allows all request traffic to the domain names in the rule. 
| Basic Web Protection | - | | - **Basic Web Protection**: You can ignore basic web protection by rule ID, attack type, or all built-in rules. For example, if XSS check is not required for a URL, you can whitelist XSS rule. | | - +-------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ - | Ignored Protection Type | If you select **Basic web protection** for **Ignored Protection Type**, specify the following parameters: | Attack type | - | | | | - | | - **ID**: Configure the rule by event ID. | | - | | - **Attack type**: Configure the rule by attack type, such as XSS and SQL injection. One type contains one or more rule IDs. | | - | | - **All built-in rules**: all checks enabled in :ref:`Basic Web Protection `. | | - +-------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ - | ID | This parameter is mandatory when you select **ID** for **Ignored Protection Type**. | 041046 | - | | | | - | | ID of an attack event on the **Events** page. If the event type is **Custom**, it has no event ID. Click **Handle False Alarm** in the row containing the attack event to obtain the ID. 
You are advised to configure global protection whitelist (formerly false alarm masking) rules on the **Events** page by referring to :ref:`Handling False Alarms `. | | - +-------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ - | Attack type | This parameter is mandatory when you select **Attack type** for **Ignored Protection Type**. | SQL injection | - | | | | - | | Select an attack type from the drop-down list box. | | - | | | | - | | WAF can defend against XSS attacks, web shells, SQL injection attacks, malicious crawlers, remote file inclusions, local file inclusions, command injection attacks, and other attacks. | | - +-------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ - | Rule Description | A brief description of the rule. This parameter is optional. | SQL injection attacks are not intercepted. 
| - +-------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ - | Advanced Settings | To ignore attacks of a specific field, specify the field in the **Advanced Settings** area. After you add the rule, WAF will stop blocking attack events of the specified field. | Params | - | | | | - | | Select a target field from the first drop-down list box on the left. The following fields are supported: **Params**, **Cookie**, **Header**, **Body**, and **Multipart**. | All | - | | | | - | | - If you select **Params**, **Cookie**, or **Header**, you can select **All** or **Specified field** to configure a subfield. | | - | | - If you select **Body** or **Multipart**, you can select **All**. | | - | | - If you select **Cookie**, the **Domain Name** and **Path** can be empty. | | - | | | | - | | .. note:: | | - | | | | - | | If **All** is selected, WAF will not block all attack events of the selected field. 
| | - +-------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ + +-------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ + | Parameter | Description | Example Value | + +=========================+====================================================================================================================================================================================================================================================================================+============================================+ + | Scope | - **All domain names**: By default, this rule will be used to all domain names that are protected by the current policy. | Specified domain names | + | | - **Scope**: Specify a domain name range this rule applies to. | | + +-------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ + | Domain Name | This parameter is mandatory when you select **Specified domain names** for **Scope**. 
| www.example.com | + | | | | + | | Enter a single domain name that matches the wildcard domain name being protected by the current policy. | | + +-------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ + | Condition List | Click **Add** to add conditions. At least one condition needs to be added. You can add up to 30 conditions to a protection rule. If more than one condition is added, all of the conditions must be met for the rule to be applied. A condition includes the following parameters: | Path, Include, /product | + | | | | + | | Parameters for configuring a condition are described as follows: | | + | | | | + | | - Field | | + | | - **Subfield**: Configure this field only when **Params**, **Cookie**, or **Header** is selected for **Field**. | | + | | | | + | | .. important:: | | + | | | | + | | NOTICE: | | + | | The length of a subfield cannot exceed 2,048 bytes. Only digits, letters, underscores (_), and hyphens (-) are allowed. | | + | | | | + | | - **Logic**: Select a logical relationship from the drop-down list. | | + | | - **Content**: Enter or select the content that matches the condition. | | + +-------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ + | Ignore WAF Protection | - **All protection**: All WAF rules do not take effect, and WAF allows all request traffic to the domain names in the rule. 
| Basic Web Protection | + | | - **Basic Web Protection**: You can ignore basic web protection by rule ID, attack type, or all built-in rules. For example, if XSS check is not required for a URL, you can whitelist XSS rule. | | + +-------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ + | Ignored Protection Type | If you select **Basic web protection** for **Ignored Protection Type**, specify the following parameters: | Attack type | + | | | | + | | - **ID**: Configure the rule by event ID. | | + | | - **Attack type**: Configure the rule by attack type, such as XSS and SQL injection. One type contains one or more rule IDs. | | + | | - **All built-in rules**: all checks enabled in :ref:`Basic Web Protection `. | | + +-------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ + | ID | This parameter is mandatory when you select **ID** for **Ignored Protection Type**. | 041046 | + | | | | + | | ID of an attack event on the **Events** page. If the event type is **Custom**, it has no event ID. You are advised to handle false alarms on the **Events** page. 
| | + +-------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ + | Attack type | This parameter is mandatory when you select **Attack type** for **Ignored Protection Type**. | SQL injection | + | | | | + | | Select an attack type from the drop-down list box. | | + | | | | + | | WAF can defend against XSS attacks, web shells, SQL injection attacks, malicious crawlers, remote file inclusions, local file inclusions, command injection attacks, and other attacks. | | + +-------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ + | Rule Description | A brief description of the rule. This parameter is optional. | SQL injection attacks are not intercepted. | + +-------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ + | Advanced Settings | To ignore attacks of a specific field, specify the field in the **Advanced Settings** area. After you add the rule, WAF will stop blocking attack events of the specified field. | Params | + | | | | + | | Select a target field from the first drop-down list box on the left. The following fields are supported: **Params**, **Cookie**, **Header**, **Body**, and **Multipart**. 
| All | + | | | | + | | - If you select **Params**, **Cookie**, or **Header**, you can select **All** or **Specified field** to configure a subfield. | | + | | - If you select **Body** or **Multipart**, you can select **All**. | | + | | - If you select **Cookie**, the **Domain Name** can be empty. | | + | | | | + | | .. note:: | | + | | | | + | | If **All** is selected, WAF will not block all attack events of the selected field. | | + +-------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ -#. Click **OK**. +#. Click **Confirm**. Other Operations ---------------- diff --git a/umn/source/rule_configuration/configuring_a_known_attack_source_rule.rst b/umn/source/configuring_protection_policies/step_2_configuring_rules_for_a_protection_policy/configuring_a_known_attack_source_rule_to_block_specific_visitors_for_a_specified_duration.rst similarity index 88% rename from umn/source/rule_configuration/configuring_a_known_attack_source_rule.rst rename to umn/source/configuring_protection_policies/step_2_configuring_rules_for_a_protection_policy/configuring_a_known_attack_source_rule_to_block_specific_visitors_for_a_specified_duration.rst index 2f1b871..ce23a33 100644 --- a/umn/source/rule_configuration/configuring_a_known_attack_source_rule.rst +++ b/umn/source/configuring_protection_policies/step_2_configuring_rules_for_a_protection_policy/configuring_a_known_attack_source_rule_to_block_specific_visitors_for_a_specified_duration.rst 
@@ -2,11 +2,13 @@ .. _waf_01_0271: -Configuring a Known Attack Source Rule -====================================== +Configuring a Known Attack Source Rule to Block Specific Visitors for a Specified Duration +========================================================================================== If WAF blocks a malicious request by IP address, Cookie, or Params, you can configure a known attack source rule to let WAF automatically block all requests from the attack source for a blocking duration set in the known attack source rule. For example, if a blocked malicious request originates from an IP address and you set the blocking duration to 500 seconds, WAF will block the IP address for 500 seconds after the known attack source rule takes effect. +Known attack source rules can be used by basic web protection, precise protection, IP address blacklist, and IP address whitelist rules. You can use known attack source rules in basic web protection, precise protection, and IP blacklist or whitelist rules as long as you set **Protective Action** to **Block** for these rules. + .. note:: If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the project from the **Enterprise Project** drop-down list and configure protection policies for the domain names in the project. @@ -14,7 +16,7 @@ If WAF blocks a malicious request by IP address, Cookie, or Params, you can conf Prerequisites ------------- -A website has been added to WAF. +You have :ref:`added your website to a policy `. Constraints ----------- 
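Review bot: in the @@ -2,11 +2,13 @@ hunk above, the added paragraph gives the same scope twice. Its first sentence lists basic web protection, precise protection, IP address blacklist and IP address whitelist rules, and its second repeats the list with the condition that **Protective Action** is **Block**. Keep only the second sentence, so the Block requirement cannot be read as optional. The rule type is also named three ways in this file ("IP address blacklist, and IP address whitelist rules", "IP blacklist or whitelist rules", and "blacklist and whitelist rule" in the example further down); pick one.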
@@ -38,9 +40,9 @@ Procedure #. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. -#. In the navigation pane on the left, choose **Website Settings**. +#. In the navigation pane on the left, choose **Policies**. -#. In the **Policy** column of the row containing the target website, click the number to go to the policy configuration page. +#. Click the name of the target policy to go to the protection configuration page. #. In the **Known Attack Source** configuration area, change **Status** if needed and click **Customize Rule** to go to the **Known Attack Source** page. @@ -125,15 +127,21 @@ Assume that domain name *www.example.com* has been connected to WAF and a visito #. Add a blacklist and whitelist rule to block *XXX.XXX.248.195*. Select **Long-term Cookie blocking** for **Known Attack Source**. + + .. figure:: /_static/images/en-us_image_0000001683894232.png + :alt: **Figure 6** Specifying a known attack source rule + + **Figure 6** Specifying a known attack source rule + #. Clear the browser cache and access http://www.example.com. When a request from IP address *XXX.XXX.248.195*, WAF blocks the access. When WAF detects that the cookie of the access request from the IP address is **jsessionid**, WAF blocks the access request for 10 minutes. .. figure:: /_static/images/en-us_image_0000001286879252.png - :alt: **Figure 6** Block page + :alt: **Figure 7** Block page - **Figure 6** Block page + **Figure 7** Block page #. Go to the WAF console. In the navigation pane on the left, choose **Events**. View the event on the **Events** page. 
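Review bot: the step that follows the new Figure 6 in the @@ -125,15 +127,21 @@ hunk still reads "When a request from IP address *XXX.XXX.248.195*, WAF blocks the access", a clause with no verb. Since this change already touches the step's figures, fix the sentence here, for example "When a request comes from IP address ...". The new caption "Specifying a known attack source rule" sits under a step that adds a blacklist and whitelist rule, so the caption should name that rule type or the **Known Attack Source** field the step selects.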
diff --git a/umn/source/rule_configuration/configuring_anti-crawler_rules.rst b/umn/source/configuring_protection_policies/step_2_configuring_rules_for_a_protection_policy/configuring_anti-crawler_rules.rst similarity index 93% rename from umn/source/rule_configuration/configuring_anti-crawler_rules.rst rename to umn/source/configuring_protection_policies/step_2_configuring_rules_for_a_protection_policy/configuring_anti-crawler_rules.rst index a053e37..ded0933 100644 --- a/umn/source/rule_configuration/configuring_anti-crawler_rules.rst +++ b/umn/source/configuring_protection_policies/step_2_configuring_rules_for_a_protection_policy/configuring_anti-crawler_rules.rst @@ -14,7 +14,7 @@ You can configure website anti-crawler protection rules to protect against searc Prerequisites ------------- -A website has been added to WAF. +You have :ref:`added your website to a policy `. Constraints ----------- @@ -69,9 +69,9 @@ Procedure #. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. -#. In the navigation pane on the left, choose **Website Settings**. +#. In the navigation pane on the left, choose **Policies**. -#. In the **Policy** column of the row containing the target website, click the number to go to the **Policies** page. +#. Click the name of the target policy to go to the protection configuration page. #. .. _waf_01_0015__li11722104461314: @@ -91,6 +91,13 @@ Procedure WAF blocks and logs detected attacks. + .. caution:: + + Enabling this feature may have the following impacts: + + - Blocking requests of search engines may affect your website SEO. + - Blocking scripts may block some applications because those applications may trigger anti-crawler rules if their user-agent field is not modified. + - **Log only** Detected attacks are logged only. This is the default protective action. 
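Review bot: the caution added under **Block** opens with "Enabling this feature", which does not say whether the impact comes from turning on the anti-crawler check or from choosing **Block**. The next item states that **Log only** is the default and only logs, so word it as "Selecting **Block** may have the following impacts". The second bullet is hard to act on: "if their user-agent field is not modified" tells the reader neither what a legitimate application should send nor how to exempt it. Point to the rule or setting that lets such clients through, and recommend running in **Log only** first to see which clients would be blocked.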
@@ -136,7 +143,7 @@ Procedure **JavaScript** anti-crawler is disabled by default. To enable it, click |image3| and click **Confirm** in the displayed dialog box. - .. figure:: /_static/images/en-us_image_0000001395732757.png + .. figure:: /_static/images/en-us_image_0000001684111682.png :alt: **Figure 5** JavaScript **Figure 5** JavaScript @@ -151,27 +158,27 @@ Procedure #. Configure a JavaScript-based anti-crawler rule by referring to :ref:`Table 2 `. - Two protective actions are provided: **Protect all paths** and **Protect a specified path**. + Two protective actions are provided: **Protect all requests** and **Protect specified requests**. - To protect all paths except a specified path - Set **Protection Mode** to **Protect all paths**. Then, click **Exclude Path**, configure protected paths, and click **OK**. + Set **Protection Mode** to **Protect all paths**. Then, click **Exclude Path**, configure protected paths, and click **Confirm**. - .. figure:: /_static/images/en-us_image_0000001285485922.png - :alt: **Figure 6** Exclude Path + .. figure:: /_static/images/en-us_image_0000001732183425.png + :alt: **Figure 6** Exclude Rule - **Figure 6** Exclude Path + **Figure 6** Exclude Rule - To protect a specified path only - Set **Protection Mode** to **Protect a specified path**. Then, click **Add Rule**, configure protected paths, and click **OK**. + Set **Protection Mode** to **Protect specified requests**, click **Add Rule**, configure the request rule, and click **Confirm**. - .. figure:: /_static/images/en-us_image_0000001285486134.png - :alt: **Figure 7** Add Path + .. figure:: /_static/images/en-us_image_0000001732186817.png + :alt: **Figure 7** Add Rule - **Figure 7** Add Path + **Figure 7** Add Rule .. _waf_01_0015__table888894565019: 
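Review bot: the first bullet in the @@ -151,27 +158,27 @@ hunk still tells the reader to set **Protection Mode** to **Protect all paths** and click **Exclude Path**, while the lead sentence now names the modes **Protect all requests** and **Protect specified requests** and the figure caption has become "Exclude Rule". A reader following the bullet will not find those labels. Update the bullet heading ("To protect all paths except a specified path"), the mode name and the button name to match, as was done for the second bullet. The lead sentence also calls these "protective actions" although the setting is **Protection Mode**, and elsewhere on this page protective action means **Block** or **Log only**.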
@@ -199,6 +206,8 @@ Procedure +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ | Rule Description | A brief description of the rule. | None | +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Effective Date | Immediate | Immediate | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ Other Operations ---------------- @@ -241,7 +250,7 @@ The following shows how to allow the search engine of Baidu or Google and block #. Set **Status** of **Search Engine** to |image4| by referring to the instructions in :ref:`Step 6 `. -#. Configure a precise protection rule by referring to :ref:`Configuring a Precise Protection Rule `. +#. Configure a precise protection rule by referring to :ref:`Configuring Custom Precise Protection Rules `. .. figure:: /_static/images/en-us_image_0000001338332661.png @@ -251,5 +260,5 @@ The following shows how to allow the search engine of Baidu or Google and block .. |image1| image:: /_static/images/en-us_image_0000001532628161.jpg .. |image2| image:: /_static/images/en-us_image_0000001340426097.png -.. |image3| image:: /_static/images/en-us_image_0234013368.png +.. |image3| image:: /_static/images/en-us_image_0000001285643550.png .. |image4| image:: /_static/images/en-us_image_0000001227094315.png 
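Review bot: in the @@ -199,6 +206,8 @@ hunk above, the new **Effective Date** row has "Immediate" in both the description and the example column, so it does not say what the parameter controls or whether any other value can be chosen. Give it a real description, along the lines of the precise protection table ("Select **Immediate** to enable the rule immediately, or select **Custom** ..."). If **Immediate** is the only option for JavaScript anti-crawler rules, state that explicitly.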
diff --git a/umn/source/rule_configuration/configuring_basic_web_protection_rules.rst b/umn/source/configuring_protection_policies/step_2_configuring_rules_for_a_protection_policy/configuring_basic_protection_rules_to_defend_against_common_web_attacks.rst similarity index 90% rename from umn/source/rule_configuration/configuring_basic_web_protection_rules.rst rename to umn/source/configuring_protection_policies/step_2_configuring_rules_for_a_protection_policy/configuring_basic_protection_rules_to_defend_against_common_web_attacks.rst index 8d53991..07700c3 100644 --- a/umn/source/rule_configuration/configuring_basic_web_protection_rules.rst +++ b/umn/source/configuring_protection_policies/step_2_configuring_rules_for_a_protection_policy/configuring_basic_protection_rules_to_defend_against_common_web_attacks.rst @@ -2,8 +2,8 @@ .. _waf_01_0008: -Configuring Basic Web Protection Rules -====================================== +Configuring Basic Protection Rules to Defend Against Common Web Attacks +======================================================================= After this function is enabled, WAF can defend against common web attacks, such as SQL injections, XSS, remote overflow vulnerabilities, file inclusions, Bash vulnerabilities, remote command execution, directory traversal, sensitive file access, and command/code injections. You can also enable other checks in basic web protection, such as web shell detection, deep inspection against evasion attacks, and header inspection. 
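Review bot: the new title drops "Web" ("Configuring Basic Protection Rules ..."), while the paragraph directly under it and the UI labels quoted in this file still say "basic web protection" and **Basic Web Protection**. Keep the feature name intact in the title so that search and cross-references by name still match, for example "Configuring Basic Web Protection Rules to Defend Against Common Web Attacks".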
@@ -18,7 +18,16 @@ After this function is enabled, WAF can defend against common web attacks, such Prerequisites ------------- -A website has been added to WAF. +You have :ref:`added your website to a policy `. + +Constraints +----------- + +- Basic web protection has two modes: **Block** and **Log only**. +- It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the **Events** page. +- If you select **Block** for **Basic Web Protection**, you can :ref:`configure access control criteria for a known attack source `. WAF will block requests matching the configured IP address, cookie, or params for a length of time configured as part of the rule. + +.. _waf_01_0008__section61533550183130: Procedure --------- @@ -29,9 +38,9 @@ Procedure #. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. -#. In the navigation pane on the left, choose **Website Settings**. +#. In the navigation pane on the left, choose **Policies**. -#. In the **Policy** column of the row containing the target website, click the number to go to the policy configuration page. +#. Click the name of the target policy to go to the protection configuration page. #. In the **Basic Web Protection** configuration area, change **Status** and **Mode** as needed by referring to :ref:`Table 1 `. @@ -62,7 +71,7 @@ Procedure #. Click the **Protection Status** tab, and enable protection types one by one by referring to :ref:`Table 3 `. - .. figure:: /_static/images/en-us_image_0000001533970929.png + .. figure:: /_static/images/en-us_image_0000001731801353.png :alt: **Figure 2** Basic web protection **Figure 2** Basic web protection 
@@ -148,28 +157,46 @@ If domain name **www.example.com** has been connected to WAF, perform the follow #. Enable **General Check** in **Basic Web Protection** and set the protection mode to **Block**. + + .. figure:: /_static/images/en-us_image_0000001731681777.png + :alt: **Figure 3** Enabling General Check + + **Figure 3** Enabling General Check + #. Enable WAF basic web protection. .. figure:: /_static/images/en-us_image_0000001285577912.png - :alt: **Figure 3** Basic Web Protection configuration area + :alt: **Figure 4** Basic Web Protection configuration area - **Figure 3** Basic Web Protection configuration area + **Figure 4** Basic Web Protection configuration area #. Clear the browser cache and enter a simulated SQL injection (for example, http://www.example.com?id=' or 1=1) in the address box. - WAF blocks the access request. :ref:`Figure 4 ` shows an example block page. + WAF blocks the access request. :ref:`Figure 5 ` shows an example block page. .. _waf_01_0008__fig4672124158: .. figure:: /_static/images/en-us_image_0000001179033432.png - :alt: **Figure 4** Block page + :alt: **Figure 5** Block page - **Figure 4** Block page + **Figure 5** Block page #. Go to the WAF console. In the navigation pane on the left, choose **Events**. View the event on the **Events** page. +Configuration Example - Blocking Baidu POST Requests +---------------------------------------------------- + +To allow the search engine of Baidu or Google and block the POST request of Baidu: + +#. Set **Status** of **Search Engine** to |image5| by referring to :ref:`Procedure `. +#. Configure a rule by referring to :ref:`Configuring Custom Precise Protection Rules `. + + - Set **Method** to **POST**. + - Configure the **User Agent** field to include Baiduspider. + .. |image1| image:: /_static/images/en-us_image_0000001482063812.jpg .. |image2| image:: /_static/images/en-us_image_0000001340426101.png .. |image3| image:: /_static/images/en-us_image_0000001337777849.png .. 
|image4| image:: /_static/images/en-us_image_0269496734.png +.. |image5| image:: /_static/images/en-us_image_0000001076524573.png diff --git a/umn/source/rule_configuration/configuring_a_precise_protection_rule.rst b/umn/source/configuring_protection_policies/step_2_configuring_rules_for_a_protection_policy/configuring_custom_precise_protection_rules.rst similarity index 72% rename from umn/source/rule_configuration/configuring_a_precise_protection_rule.rst rename to umn/source/configuring_protection_policies/step_2_configuring_rules_for_a_protection_policy/configuring_custom_precise_protection_rules.rst index e1af177..84c4f30 100644 --- a/umn/source/rule_configuration/configuring_a_precise_protection_rule.rst +++ b/umn/source/configuring_protection_policies/step_2_configuring_rules_for_a_protection_policy/configuring_custom_precise_protection_rules.rst @@ -2,8 +2,8 @@ .. _waf_01_0010: -Configuring a Precise Protection Rule -===================================== +Configuring Custom Precise Protection Rules +=========================================== WAF allows you to customize protection rules by combining HTTP headers, cookies, URLs, request parameters, and client IP addresses. 
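Review bot: in configuring_basic_protection_rules_to_defend_against_common_web_attacks.rst, step 1 of the added "Configuration Example - Blocking Baidu POST Requests" section sends the reader to this page's own Procedure (the new waf_01_0008__section61533550183130 label) to set **Status** of **Search Engine**. The Procedure steps visible in this diff only cover the **Basic Web Protection** area; the **Search Engine** switch is configured on the anti-crawler page, which already carries this same Baidu example. Link step 1 to the anti-crawler step, or drop the duplicated section from this page. The heading also says only "Blocking" while the sentence under it begins with allowing the Baidu or Google search engine, so the heading should cover both.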
@@ -18,13 +18,14 @@ A reference table can be added to a precise protection rule. The reference table Prerequisites ------------- -A website has been added to WAF. +You have :ref:`added your website to a policy `. Constraints ----------- - It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the **Events** page. -- If you configure **Protective Action** to **Block** for a precise protection rule, you can configure a known attack source rule by referring to :ref:`Configuring a Known Attack Source Rule `. WAF will block requests matching the configured IP address, Cookie, or Params for a length of time configured as part of the rule. +- If you configure **Protective Action** to **Block** for a precise protection rule, you can configure a known attack source rule by referring to :ref:`Configuring a Known Attack Source Rule to Block Specific Visitors for a Specified Duration `. WAF will block requests matching the configured IP address, Cookie, or Params for a length of time configured as part of the rule. +- The path content cannot contain the following special characters: (``' "<>&*#%\?``) Application Scenarios --------------------- @@ -40,9 +41,9 @@ Procedure #. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. -#. In the navigation pane on the left, choose **Website Settings**. +#. In the navigation pane on the left, choose **Policies**. -#. In the **Policy** column of the row containing the target website, click the number to go to the policy configuration page. +#. Click the name of the target policy to go to the protection configuration page. #. In the **Precise Protection** configuration area, change **Status** as needed and click **Customize Rule** to go to the **Precise Protection** page. 
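Review bot: the constraint added in the @@ -18,13 +18,14 @@ hunk above gives the forbidden characters as one run inside a literal, (``' "<>&*#%\?``), with a space between the single and double quote, so the reader cannot tell whether a space is itself forbidden. List the characters individually and state whether whitespace is included. Also say which input "path content" means, presumably the **Content** value of a condition whose field is **Path**, and what happens when a rule is saved with one of these characters.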
@@ -78,7 +79,7 @@ Procedure .. _waf_01_0010__fig39459217174738: - .. figure:: /_static/images/en-us_image_0000001327470582.png + .. figure:: /_static/images/en-us_image_0000001731887045.png :alt: **Figure 3** Add Precise Protection Rule **Figure 3** Add Precise Protection Rule 
@@ -90,11 +91,7 @@ Procedure +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------+ | Parameter | Description | Example Value | +=======================+==============================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+===================================+ - | Protective Action | You can select **Block**, **Allow**, or **Log only**. 
Default value: **Block** | **Block** | - +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------+ - | Known Attack Source | If you set **Protective Action** to **Block**, you can select a blocking type for a known attack source rule. Then, WAF blocks requests matching the configured **IP**, **Cookie**, or **Params** for a length of time that depends on the selected blocking type. | **Long-term IP address blocking** | - +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------+ - | Effective Date | Select **Immediate** to enable the rule immediately, or select **Custom** to configure when you wish the rule to be enabled. 
| **Immediate** | + | Rule Description | A brief description of the rule. This parameter is optional. | None | +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------+ | Condition List | Click **Add** to add conditions. At least one condition needs to be added. You can add up to 30 conditions to a protection rule. If more than one condition is added, all of the conditions must be met for the rule to be applied. A condition includes the following parameters: | **Path** **Include** **/admin** | | | | | 
@@ -106,63 +103,29 @@ Procedure | | | | | | .. note:: | | | | | | - | | - If **Include any value**, **Exclude any value**, **Equal to any value**, **Not equal to any value**, **Prefix is any value**, **Prefix is not any of them**, **Suffix is any value**, or **Suffix is not any of them** is selected, select an existing reference table in the **Content** drop-down list. For details, see :ref:`Adding a Reference Table `. | | + | | - If **Include any value**, **Exclude any value**, **Equal to any value**, **Not equal to any value**, **Prefix is any value**, **Prefix is not any of them**, **Suffix is any value**, or **Suffix is not any of them** is selected, select an existing reference table in the **Content** drop-down list. For details, see :ref:`Creating a Reference Table to Configure Protection Metrics In Batches `. | | | | - **Exclude any value**, **Not equal to any value**, **Prefix is not any of them**, and **Suffix is not any of them** indicates, respectively, that WAF performs the protection action (block, allow, or log only) when the field in the access request does not contain, is not equal to, or the prefix or suffix is not any value set in the reference table. For example, assume that **Path** field is set to **Exclude any value** and the **test** reference table is selected. If *test1*, *test2*, and *test3* are set in the **test** reference table, WAF performs the protection action when the path of the access request does not contain *test1*, *test2*, or *test3*. | | | | | | | | - **Content**: Enter or select the content of condition matching. | | | | | | | | .. note:: | | | | | | - | | For more details about the configurations in general, see :ref:`Table 2 `. | | + | | For more details about the configurations in general, see :ref:`Table 1 `. 
| | + +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------+ + | Protective Action | You can select **Block**, **Allow**, or **Log only**. Default value: **Block** | **Block** | + +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------+ + | Known Attack Source | If you set **Protective Action** to **Block**, you can select a blocking type for a known attack source rule. Then, WAF blocks requests matching the configured **IP**, **Cookie**, or **Params** for a length of time that depends on the selected blocking type. 
| **Long-term IP address blocking** | +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------+ | Priority | Rule priority. If you have added multiple rules, rules are matched by priority. The smaller the value you set, the higher the priority. | **5** | + | | | | + | | .. important:: | | + | | | | + | | NOTICE: | | + | | If multiple precise access control rules have the same priority, WAF matches the rules in the sequence of time the rules are added. | | +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------+ - | Rule Description | A brief description of the rule. This parameter is optional. 
| None | + | Effective Date | Select **Immediate** to enable the rule immediately, or select **Custom** to configure when you wish the rule to be enabled. | **Immediate** | +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------+ - .. _waf_01_0010__table13543174312394: - - .. table:: **Table 2** Condition list configurations - - +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ - | Field | Subfield | Logic | Example Content | - +==================================================================================================================================================================================================+=================+========================================================+===========================================================================================+ - | **Path**: Part of a URL that does not include a domain name. This value supports exact matches only. For example, if the path to be protected is **/admin**, **Path** must be set to **/admin**. 
| None | Select a logical relationship from the drop-down list. | **/buy/phone/** | - | | | | | - | | | | .. important:: | - | | | | | - | | | | NOTICE: | - | | | | If **Path** is set to **/**, all paths of the website are protected. | - +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ - | **User Agent**: A user agent of the scanner to be checked. | None | | **Mozilla/5.0 (Windows NT 6.1)** | - +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ - | **IP**: An IP address of the visitor for the protection. | -- | | XXX.XXX.1.1 | - +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ - | **Params**: A request parameter. 
| - All fields | | **201901150929** | - | | - Any subfield | | | - | | - Custom | | | - +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ - | **Referer**: A user-defined request resource. | -- | | http://www.test.com | - | | | | | - | For example, if the protected path is **/admin/xxx** and you do not want visitors to access the page from **www.test.com**, set **Content** to **http://www.test.com**. | | | | - +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ - | **Cookie**: A small piece of data to identify web visitors. | - All fields | | jsessionid | - | | - Any subfield | | | - | | - Custom | | | - +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ - | **Header**: A user-defined HTTP header. 
| - All fields | | **text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8** | - | | - Any subfield | | | - | | - Custom | | | - +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ - | **Method**: the user-defined request method. | None | | **GET**, **POST**, **PUT**, **DELETE**, and **PATCH** | - +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ - | **Request Line**: Length of a user-defined request line. | None | | **50** | - +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ - | **Request**: Length of a user-defined request. It includes the request header, request line, and request body. | None | | None | - +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ - | **Protocol**: the protocol of the request. 
| None | | http | - +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ - #. Click **Confirm**. You can then view the added precise protection rule in the protection rule list. - To disable a rule, click **Disable** in the **Operation** column of the rule. The default **Rule Status** is **Enabled**. 
@@ -204,17 +167,58 @@ A precise rule as shown in the figure can block this type of attack. **Figure 5** User Agent configuration +Configuration Example - Blocking Attack Requests to a Certain URL +----------------------------------------------------------------- + +If a large number of IP addresses are accessing a URL that does not exist, configure the following protection rule to block such requests to reduce resource usage on the origin server. + + +.. figure:: /_static/images/en-us_image_0000001731889333.png + :alt: **Figure 6** Blocking requests to a specific URL + + **Figure 6** Blocking requests to a specific URL + +Configuration Example - Blocking Requests with null Fields +---------------------------------------------------------- + +You can configure precise protection rules to block requests having null fields. + + +.. figure:: /_static/images/en-us_image_0000001732014393.png + :alt: **Figure 7** Blocking requests with empty Referer + + **Figure 7** Blocking requests with empty Referer + Configuration Example - Blocking Specified File Types (ZIP, TAR, and DOCX) -------------------------------------------------------------------------- -You can configure file types that match the path field to block specific files of certain types. For example, if you want to block .zip files, you can configure a precise protection rule as shown in :ref:`Figure 6 ` to block access requests of .zip files. +You can configure file types that match the path field to block specific files of certain types. For example, if you want to block .zip files, you can configure a precise protection rule as shown in :ref:`Figure 8 ` to block access requests of .zip files. .. _waf_01_0010__fig1599818616112: .. 
figure:: /_static/images/en-us_image_0000001499416648.png - :alt: **Figure 6** Blocking requests of specific file types + :alt: **Figure 8** Blocking requests of specific file types - **Figure 6** Blocking requests of specific file types + **Figure 8** Blocking requests of specific file types + +Configuration Example - Allowing a Specified IP Address to Access Your Website +------------------------------------------------------------------------------ + +You can configure two precise protection rules, one to block all requests, as shown in :ref:`Figure 9 `, but then another one to allow the access from a specific IP address, as shown in :ref:`Figure 10 `. + +.. _waf_01_0010__fig11661145013158: + +.. figure:: /_static/images/en-us_image_0000001732020137.png + :alt: **Figure 9** Blocking all requests + + **Figure 9** Blocking all requests + +.. _waf_01_0010__fig866195019151: + +.. figure:: /_static/images/en-us_image_0000001684022218.png + :alt: **Figure 10** Allowing the access of a specified IP address + + **Figure 10** Allowing the access of a specified IP address Configuration Example - Allowing a Specific IP Address to Access a Certain URL ------------------------------------------------------------------------------ 
@@ -222,10 +226,10 @@ Configuration Example - Allowing a Specific IP Address to Access a Certain URL You can configure multiple conditions in the **Condition List** field. If an access request meets the conditions in the list, WAF will allow the request from a specific IP address to access a specified URL. -.. figure:: /_static/images/en-us_image_0000001182095000.png - :alt: **Figure 7** Allowing specific IP addresses to access specified URLs +.. figure:: /_static/images/en-us_image_0000001684024078.png + :alt: **Figure 11** Allowing specific IP addresses to access specified URLs - **Figure 7** Allowing specific IP addresses to access specified URLs + **Figure 11** Allowing specific IP addresses to access specified URLs .. |image1| image:: /_static/images/en-us_image_0000001532904513.jpg -.. |image2| image:: /_static/images/en-us_image_0000001288266230.png +.. |image2| image:: /_static/images/en-us_image_0000001340585569.png diff --git a/umn/source/rule_configuration/configuring_a_data_masking_rule.rst b/umn/source/configuring_protection_policies/step_2_configuring_rules_for_a_protection_policy/configuring_data_masking_rules_to_prevent_privacy_information_leakage.rst similarity index 95% rename from umn/source/rule_configuration/configuring_a_data_masking_rule.rst rename to umn/source/configuring_protection_policies/step_2_configuring_rules_for_a_protection_policy/configuring_data_masking_rules_to_prevent_privacy_information_leakage.rst index cf19dbc..7ddd56c 100644 --- a/umn/source/rule_configuration/configuring_a_data_masking_rule.rst +++ b/umn/source/configuring_protection_policies/step_2_configuring_rules_for_a_protection_policy/configuring_data_masking_rules_to_prevent_privacy_information_leakage.rst 
@@ -2,15 +2,19 @@ .. _waf_01_0017: -Configuring a Data Masking Rule -=============================== +Configuring Data Masking Rules to Prevent Privacy Information Leakage +===================================================================== This topic describes how to configure data masking rules. You can configure data masking rules to prevent sensitive data such as passwords from being displayed in event logs. +.. note:: + + If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the project from the **Enterprise Project** drop-down list and configure protection policies for the domain names in the project. + Prerequisites ------------- -A website has been added to WAF. +You have :ref:`added your website to a policy `. Constraints ----------- @@ -31,9 +35,9 @@ Procedure #. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. -#. In the navigation pane on the left, choose **Website Settings**. +#. In the navigation pane on the left, choose **Policies**. -#. In the **Policy** column of the row containing the target website, click the number to go to the **Policies** page. +#. Click the name of the target policy to go to the protection configuration page. #. In the **Data Masking** configuration area, change **Status** if needed and click **Customize Rule**. diff --git a/umn/source/configuring_protection_policies/step_2_configuring_rules_for_a_protection_policy/configuring_geolocation_access_control_rules_to_block_or_allow_requests_from_specific_locations.rst b/umn/source/configuring_protection_policies/step_2_configuring_rules_for_a_protection_policy/configuring_geolocation_access_control_rules_to_block_or_allow_requests_from_specific_locations.rst new file mode 100644 index 0000000..feec523 --- /dev/null 
+++ b/umn/source/configuring_protection_policies/step_2_configuring_rules_for_a_protection_policy/configuring_geolocation_access_control_rules_to_block_or_allow_requests_from_specific_locations.rst 
@@ -0,0 +1,177 @@ +:original_name: waf_01_0013.html + +.. _waf_01_0013: + +Configuring Geolocation Access Control Rules to Block or Allow Requests from Specific Locations +=============================================================================================== + +WAF can identify where a request originates. You can set geolocation access control rules in just a few clicks and let WAF block or allow requests from a certain region. A geolocation access control rule allows you to allow or block requests from IP addresses from specified countries or regions. + +.. note:: + + If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the project from the **Enterprise Project** drop-down list and configure protection policies for the domain names in the project. + +Prerequisites +------------- + +You have :ref:`added your website to a policy `. + +Constraints +----------- + +- One region can be configured in only one geolocation access control rule. +- It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the **Events** page. + +.. _waf_01_0013__section61533550183130: + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane on the left, choose **Policies**. + +#. Click the name of the target policy to go to the protection configuration page. + +#. In the **Geolocation Access Control** configuration area, change **Status** if needed and click **Customize Rule**. + + + .. 
figure:: /_static/images/en-us_image_0000001285950994.png + :alt: **Figure 1** Geolocation Access Control configuration area + + **Figure 1** Geolocation Access Control configuration area + +#. In the upper left corner of the **Geolocation Access Control** page, click **Add Rule**. + +#. In the displayed dialog box, add a geolocation access control rule by referring to :ref:`Table 1 `. + + + .. figure:: /_static/images/en-us_image_0000001732065117.png + :alt: **Figure 2** Adding a geolocation access control rule + + **Figure 2** Adding a geolocation access control rule + + .. _waf_01_0013__table157961352154713: + + .. table:: **Table 1** Rule parameters + + +-------------------+------------------------------------------------------------------------------------------------+---------------+ + | Parameter | Description | Example Value | + +===================+================================================================================================+===============+ + | Rule Description | A brief description of the rule. This parameter is optional. | waf | + +-------------------+------------------------------------------------------------------------------------------------+---------------+ + | Geolocation | Geographical scope of the IP address. | ``-`` | + +-------------------+------------------------------------------------------------------------------------------------+---------------+ + | Protective Action | Action WAF will take if the rule is hit. You can select **Block**, **Allow**, or **Log only**. | **Block** | + +-------------------+------------------------------------------------------------------------------------------------+---------------+ + +#. Click **Confirm**. You can then view the added rule in the list of the geolocation access control rules. + + - To disable a rule, click **Disable** in the **Operation** column of the rule. The default **Rule Status** is **Enabled**. + - To modify a rule, click **Modify** in the row containing the rule. 
+ - To delete a rule, click **Delete** in the row containing the rule. + +Configuration Example - Allowing Access Requests from IP Addresses in a Specified Region +---------------------------------------------------------------------------------------- + +Assume that domain name *www.example.com* has been connected to WAF and you want to allow only IP addresses in Australia to access the domain name. Perform the following steps: + +#. Add a geolocation access control rule: Select **Australia** for **Geolocation** and select **Allow** for **Protective Action**. + + + .. figure:: /_static/images/en-us_image_0000001732089213.png + :alt: **Figure 3** Selecting Allow for Protective Action + + **Figure 3** Selecting Allow for Protective Action + +#. Enable geolocation access control. + + + .. figure:: /_static/images/en-us_image_0000001285950994.png + :alt: **Figure 4** Geolocation Access Control configuration area + + **Figure 4** Geolocation Access Control configuration area + +#. Configure a precise protection rule to block all requests. + + + .. figure:: /_static/images/en-us_image_0000001684033930.png + :alt: **Figure 5** Blocking all access requests + + **Figure 5** Blocking all access requests + +#. Clear the browser cache and access http://www.example.com. + + When an access request from IP addresses outside **Australia** accesses the page, WAF blocks the access request. + + + .. figure:: /_static/images/en-us_image_0000001179033432.png + :alt: **Figure 6** Block page + + **Figure 6** Block page + +#. Go to the WAF console. In the navigation pane on the left, choose **Events**. View the event on the **Events** page. You will see that all requests not from **Australia** have been blocked. 
+ +Configuration Example - Blocking Access Requests from IP Addresses in a Specified Region +---------------------------------------------------------------------------------------- + +Assume that domain name *www.example.com* has been connected to WAF and you want to block all IP addresses from **Australia** to access the domain name. The following shows how to configure a rule to this end: + +#. Add a geolocation access control rule, select **Australia** for **Geolocation** and **Block** for **Protective Action**. + + + .. figure:: /_static/images/en-us_image_0000001684085100.png + :alt: **Figure 7** Blocking access requests from a specific region + + **Figure 7** Blocking access requests from a specific region + +#. Enable geolocation access control. + + + .. figure:: /_static/images/en-us_image_0000001285950994.png + :alt: **Figure 8** Geolocation Access Control configuration area + + **Figure 8** Geolocation Access Control configuration area + +#. Clear the browser cache and access http://www.example.com. + + When an access request from IP addresses inside **Australia** accesses the page, WAF blocks the access request. + + + .. figure:: /_static/images/en-us_image_0000001179033432.png + :alt: **Figure 9** Block page + + **Figure 9** Block page + +#. Go to the WAF console. In the navigation pane on the left, choose **Events**. View the event on the **Events** page. + + + .. figure:: /_static/images/en-us_image_0000001225545453.png + :alt: **Figure 10** Viewing events - blocking access requests from IP addresses in a region + + **Figure 10** Viewing events - blocking access requests from IP addresses in a region + +Protection Effect +----------------- + +To verify WAF is protecting your website (**www.example.com**) against a rule: + +#. Clear the browser cache and enter the domain name in the address box of a browser to check whether the website is accessible. 
+ + - If the website is inaccessible, connect the website domain name to WAF by following the instructions in :ref:`Step 1: Add a Website to WAF `. + - If the website is accessible, go to :ref:`2 `. + +#. .. _waf_01_0013__li885731953512: + + Add a geolocation access control rule by referring to :ref:`Procedure `. + +#. Clear the browser cache and access **http://www.example.com**. Normally, WAF blocks such requests and returns the block page. + +#. Go to the WAF console. In the navigation pane on the left, choose **Events**. On the displayed page, view or :ref:`download events data `. + +.. |image1| image:: /_static/images/en-us_image_0000001482227824.jpg +.. |image2| image:: /_static/images/en-us_image_0000001340306233.png diff --git a/umn/source/rule_configuration/configuring_an_information_leakage_prevention_rule.rst b/umn/source/configuring_protection_policies/step_2_configuring_rules_for_a_protection_policy/configuring_information_leakage_prevention_rules_to_protect_sensitive_information_form_leakage.rst similarity index 94% rename from umn/source/rule_configuration/configuring_an_information_leakage_prevention_rule.rst rename to umn/source/configuring_protection_policies/step_2_configuring_rules_for_a_protection_policy/configuring_information_leakage_prevention_rules_to_protect_sensitive_information_form_leakage.rst index 9e121ea..810834c 100644 --- a/umn/source/rule_configuration/configuring_an_information_leakage_prevention_rule.rst +++ b/umn/source/configuring_protection_policies/step_2_configuring_rules_for_a_protection_policy/configuring_information_leakage_prevention_rules_to_protect_sensitive_information_form_leakage.rst 
@@ -2,8 +2,8 @@ .. _waf_01_0054: -Configuring an Information Leakage Prevention Rule -================================================== +Configuring Information Leakage Prevention Rules to Protect Sensitive Information form Leakage +============================================================================================== You can add two types of information leakage prevention rules. @@ -17,12 +17,12 @@ You can add two types of information leakage prevention rules. Prerequisites ------------- -A website has been added to WAF. +You have :ref:`added your website to a policy `. Constraints ----------- -It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the **Events** page. +- It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the **Events** page. Procedure --------- @@ -33,9 +33,9 @@ Procedure #. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. -#. In the navigation pane on the left, choose **Website Settings**. +#. In the navigation pane on the left, choose **Policies**. -#. In the **Policy** column of the row containing the target website, click the number to go to the **Policies** page. +#. Click the name of the target policy to go to the protection configuration page. #. In the **Information Leakage Prevention** configuration area, change **Status** if needed and click **Customize Rule**. 
diff --git a/umn/source/rule_configuration/configuring_an_ip_address_blacklist_or_whitelist_rule.rst b/umn/source/configuring_protection_policies/step_2_configuring_rules_for_a_protection_policy/configuring_ip_address_blacklist_and_whitelist_rules_to_block_or_allow_specified_ip_addresses.rst similarity index 74% rename from umn/source/rule_configuration/configuring_an_ip_address_blacklist_or_whitelist_rule.rst rename to umn/source/configuring_protection_policies/step_2_configuring_rules_for_a_protection_policy/configuring_ip_address_blacklist_and_whitelist_rules_to_block_or_allow_specified_ip_addresses.rst index 6bcfcd0..0c2c385 100644 --- a/umn/source/rule_configuration/configuring_an_ip_address_blacklist_or_whitelist_rule.rst +++ b/umn/source/configuring_protection_policies/step_2_configuring_rules_for_a_protection_policy/configuring_ip_address_blacklist_and_whitelist_rules_to_block_or_allow_specified_ip_addresses.rst @@ -2,8 +2,8 @@ .. _waf_01_0012: -Configuring an IP Address Blacklist or Whitelist Rule -===================================================== +Configuring IP Address Blacklist and Whitelist Rules to Block or Allow Specified IP Addresses +============================================================================================= You can configure blacklist and whitelist rules to block, log only, or allow access requests from specific IP addresses or IP address ranges. 
@@ -14,14 +14,15 @@ You can configure blacklist and whitelist rules to block, log only, or allow acc Prerequisites ------------- -A website has been added to WAF. +You have :ref:`added your website to a policy `. Constraints ----------- - WAF does not support batch import of blacklists or whitelists. To configure multiple IP address or IP address range rules, add blacklist and whitelist rules one by one to allow or block specified IP addresses or IP address ranges. - It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the **Events** page. -- If you configure **Protective Action** to **Block** for a blacklist or whitelist rule, you can configure a known attack source rule by referring to :ref:`Configuring a Known Attack Source Rule `. WAF will block requests matching the configured IP address, Cookie, or Params for a length of time configured as part of the rule. +- The address 0.0.0.0/0 cannot be added to a WAF IP address blacklist or whitelist, and if a whitelist conflicts with a blacklist, the whitelist rule takes priority. If you want to allow only a specific IP address within a range of blocked addresses, add a blacklist rule to block the range and then add a whitelist rule to allow the individual address you wish to allow. +- If you set **Protective Action** of a blacklist or whitelist rule to **Block**, you can :ref:`configure known attack source rules to block the attack source IP address for a specified period of time `. WAF will block requests matching the configured IP address, Cookie, or Params for a block duration you specify. Impact on the System -------------------- 
@@ -39,9 +40,9 @@ Procedure #. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. -#. In the navigation pane on the left, choose **Website Settings**. +#. In the navigation pane on the left, choose **Policies**. -#. In the **Policy** column of the row containing the target website, click the number to go to the policy configuration page. +#. Click the name of the target policy to go to the protection configuration page. #. In the **Blacklist and Whitelist** configuration area, change **Status** as needed and click **Customize Rule**. 
@@ -113,5 +114,61 @@ If you have added domain name **www.example.com** to this rule, to verify WAF is #. Return to the WAF console. In the navigation pane, choose **Events**. On the displayed page, view or :ref:`download events data `. +Example Configuration - Allowing a Specified IP Addresses +--------------------------------------------------------- + +If domain name *www.example.com* has been connected to WAF, you can perform the following steps to verify the rule takes effect: + +#. Add the following two blacklist and whitelist rules to block all IP addresses: + + + .. figure:: /_static/images/en-us_image_0000001684030226.png + :alt: **Figure 3** Blocking IP address range 1.0.0.0/1 + + **Figure 3** Blocking IP address range 1.0.0.0/1 + + + .. figure:: /_static/images/en-us_image_0000001732030241.png + :alt: **Figure 4** Blocking IP address range 128.0.0.0/1 + + **Figure 4** Blocking IP address range 128.0.0.0/1 + + You can also add a precise protection rule to block all access requests, as shown in :ref:`Figure 5 `. + + .. _waf_01_0012__fig489116305597: + + .. figure:: /_static/images/en-us_image_0000001684033930.png + :alt: **Figure 5** Blocking all access requests + + **Figure 5** Blocking all access requests + + For details, see :ref:`Configuring Custom Precise Protection Rules `. + +#. .. _waf_01_0012__li839632265215: + + Refer to :ref:`Figure 6 ` and add a whitelist rule to allow a specified IP address, for example, *XXX.XXX.2.3*. + + .. _waf_01_0012__fig5519155016115: + + .. figure:: /_static/images/en-us_image_0000001732035733.png + :alt: **Figure 6** Allowing the access of a specified IP address + + **Figure 6** Allowing the access of a specified IP address + +#. Enable the white and blacklist protection. + +#. Clear the browser cache and access http://www.example.com. + + If the IP address of a visitor is not the one specified in :ref:`Step 2 `, WAF blocks the access request. :ref:`Figure 7 ` shows an example of the block page. + + .. 
_waf_01_0012__fig11778435913: + + .. figure:: /_static/images/en-us_image_0000001179033432.png + :alt: **Figure 7** Block page + + **Figure 7** Block page + +#. Go to the WAF console. In the navigation pane on the left, choose **Events**. View the event on the **Events** page. + .. |image1| image:: /_static/images/en-us_image_0000001532867165.jpg .. |image2| image:: /_static/images/en-us_image_0000001288106282.png diff --git a/umn/source/rule_configuration/configuring_a_web_tamper_protection_rule.rst b/umn/source/configuring_protection_policies/step_2_configuring_rules_for_a_protection_policy/configuring_web_tamper_protection_rules_to_prevent_static_web_pages_from_being_tampered_with.rst similarity index 84% rename from umn/source/rule_configuration/configuring_a_web_tamper_protection_rule.rst rename to umn/source/configuring_protection_policies/step_2_configuring_rules_for_a_protection_policy/configuring_web_tamper_protection_rules_to_prevent_static_web_pages_from_being_tampered_with.rst index 1509d92..011feec 100644 --- a/umn/source/rule_configuration/configuring_a_web_tamper_protection_rule.rst +++ b/umn/source/configuring_protection_policies/step_2_configuring_rules_for_a_protection_policy/configuring_web_tamper_protection_rules_to_prevent_static_web_pages_from_being_tampered_with.rst 
@@ -2,32 +2,36 @@ .. _waf_01_0014: -Configuring a Web Tamper Protection Rule -======================================== +Configuring Web Tamper Protection Rules to Prevent Static Web Pages from Being Tampered With +============================================================================================ -WAF can cache configuration for static web pages of websites. After you configure a web tamper protection rule, WAF can: - -- Return directly the cached web page to the normal web visitor to accelerate request response. - -- Return the cached original web pages to visitors if an attacker has tampered with the static web pages. This ensures that your website visitors always get the right web pages. - -- Protect all resources in the web page path. For example, if a web tamper protection rule is configured for static page **www.example.com/admin**, WAF protects all resources in the **/admin** directory. - - So, if the URL in the value of the **Referer** request header is the same as the configured anti-tamper path, for example, **/admin**, all resources (resources ending with png, jpg, jpeg, gif, bmp, css or js) hit by the request are also cached. +You can set web tamper protection rules to protect specific website pages (such as the ones contain important content) from being tampered with. If a web page protected with such a rule is requested, WAF returns the origin page it has cached based on the rule so that visitors always receive the authenticate web pages. .. note:: If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the project from the **Enterprise Project** drop-down list and configure protection policies for the domain names in the project. +How It Works +------------ + +- Return directly the cached web page to the normal web visitor to accelerate request response. 
+ +- Return the cached original web pages to visitors if an attacker has tampered with the static web pages. This ensures that your website visitors always get the right web pages. + +- Protect all resources in the web page path. For example, if a web tamper protection rule is configured for a static page pointed to *www.example.com/index.html*, WAF protects the web page pointed to */index.html* and related resources associated with the web page. + + So, if the URL in the **Referer** header field is the same as the configured anti-tamper path, for example, **/index.html**, all resources (resources ending with png, jpg, jpeg, gif, bmp, css or js) matching the request are also cached. + Prerequisites ------------- -A website has been added to WAF. +You have :ref:`added your website to a policy `. Constraints ----------- -It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the **Events** page. +- It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the **Events** page. +- Ensure that the origin server response contains the **Content-Type** response header, or WAF may fail to cache the origin server response. Application Scenarios --------------------- @@ -49,9 +53,9 @@ Procedure #. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. -#. In the navigation pane on the left, choose **Website Settings**. +#. In the navigation pane on the left, choose **Policies**. -#. In the **Policy** column of the row containing the target website, click the number to go to the **Policies** page. +#. Click the name of the target policy to go to the protection configuration page. #. In the **Web Tamper Protection** configuration area, change **Status** if needed and click **Customize Rule** to go to the **Web Tamper Protection** page. 
diff --git a/umn/source/rule_configuration/adding_a_reference_table.rst b/umn/source/configuring_protection_policies/step_2_configuring_rules_for_a_protection_policy/creating_a_reference_table_to_configure_protection_metrics_in_batches.rst similarity index 90% rename from umn/source/rule_configuration/adding_a_reference_table.rst rename to umn/source/configuring_protection_policies/step_2_configuring_rules_for_a_protection_policy/creating_a_reference_table_to_configure_protection_metrics_in_batches.rst index de34111..dcfe0f6 100644 --- a/umn/source/rule_configuration/adding_a_reference_table.rst +++ b/umn/source/configuring_protection_policies/step_2_configuring_rules_for_a_protection_policy/creating_a_reference_table_to_configure_protection_metrics_in_batches.rst 
@@ -2,12 +2,12 @@ .. _waf_01_0081: -Adding a Reference Table -======================== +Creating a Reference Table to Configure Protection Metrics In Batches +===================================================================== This topic describes how to create a reference table to batch configure protection metrics of a single type, such as **Path**, **User Agent**, **IP**, **Params**, **Cookie**, **Referer**, and **Header**. A reference table can be referenced by CC attack protection rules and precise protection rules. -New reference tables will be synchronized to CC attack protection rules and precise protection rules. When you configure a CC attack protection rule or precise protection rule, if the **Logic** field in the **Trigger** list is set to **Include any value**, **Exclude any value**, **Equal to any value**, **Not equal to any value**, **Prefix is any value**, **Prefix is not any value**, **Suffix is any value**, or **Suffix is not any value**, you can select an appropriate reference table from the **Content** drop-down list. +When you configure a CC attack protection rule or precise protection rule, if the **Logic** field in the **Trigger** list is set to **Include any value**, **Exclude any value**, **Equal to any value**, **Not equal to any value**, **Prefix is any value**, **Prefix is not any value**, **Suffix is any value**, or **Suffix is not any value**, you can select an appropriate reference table from the **Content** drop-down list. .. note:: 
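Review bot: In the new heading "Creating a Reference Table to Configure Protection Metrics In Batches", the preposition "In" is capitalized while the other headings in this patch keep short prepositions lowercase ("to a Policy", "for a Protection Policy"). Use "in Batches" here and in the matching link text in the Step 2 index. The hunk also drops the sentence "New reference tables will be synchronized to CC attack protection rules and precise protection rules." without a replacement; if that behaviour still applies, keep the statement, and if it does not, the commit message should say so.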
@@ -16,12 +16,12 @@ New reference tables will be synchronized to CC attack protection rules and prec Prerequisites ------------- -A website has been added to WAF. +You have :ref:`added your website to a policy `. Application Scenarios --------------------- -You can use a reference table when you configure protection fields in batches for CC attack protection rules and precise access protection rules. +Reference tables can be used for configuring multiple protection fields in CC attack protection and precise protection rules. Procedure --------- @@ -32,9 +32,9 @@ Procedure #. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. -#. In the navigation pane on the left, choose **Website Settings**. +#. In the navigation pane on the left, choose **Policies**. -#. In the **Policy** column of the row containing the target website, click the number to go to the policy configuration page. +#. Click the name of the target policy to go to the protection configuration page. #. In the **CC Attack Protection** or **Precise Protection** area, click **Customize Rule**. diff --git a/umn/source/configuring_protection_policies/step_2_configuring_rules_for_a_protection_policy/index.rst b/umn/source/configuring_protection_policies/step_2_configuring_rules_for_a_protection_policy/index.rst new file mode 100644 index 0000000..921b763 --- /dev/null +++ b/umn/source/configuring_protection_policies/step_2_configuring_rules_for_a_protection_policy/index.rst 
@@ -0,0 +1,38 @@ +:original_name: waf_01_0007.html + +.. _waf_01_0007: + +Step 2: Configuring Rules for a Protection Policy +================================================= + +- :ref:`Configuring Basic Protection Rules to Defend Against Common Web Attacks ` +- :ref:`Configuring a CC Attack Protection Rule ` +- :ref:`Configuring Custom Precise Protection Rules ` +- :ref:`Configuring IP Address Blacklist and Whitelist Rules to Block or Allow Specified IP Addresses ` +- :ref:`Configuring Geolocation Access Control Rules to Block or Allow Requests from Specific Locations ` +- :ref:`Configuring Web Tamper Protection Rules to Prevent Static Web Pages from Being Tampered With ` +- :ref:`Configuring Anti-Crawler Rules ` +- :ref:`Configuring Information Leakage Prevention Rules to Protect Sensitive Information form Leakage ` +- :ref:`Configuring a Global Protection Whitelist (Formerly False Alarm Masking) Rule to Ignore False Alarms ` +- :ref:`Configuring Data Masking Rules to Prevent Privacy Information Leakage ` +- :ref:`Creating a Reference Table to Configure Protection Metrics In Batches ` +- :ref:`Configuring a Known Attack Source Rule to Block Specific Visitors for a Specified Duration ` +- :ref:`Condition Field Description ` + +.. 
toctree:: + :maxdepth: 1 + :hidden: + + configuring_basic_protection_rules_to_defend_against_common_web_attacks + configuring_a_cc_attack_protection_rule + configuring_custom_precise_protection_rules + configuring_ip_address_blacklist_and_whitelist_rules_to_block_or_allow_specified_ip_addresses + configuring_geolocation_access_control_rules_to_block_or_allow_requests_from_specific_locations + configuring_web_tamper_protection_rules_to_prevent_static_web_pages_from_being_tampered_with + configuring_anti-crawler_rules + configuring_information_leakage_prevention_rules_to_protect_sensitive_information_form_leakage + configuring_a_global_protection_whitelist_formerly_false_alarm_masking_rule_to_ignore_false_alarms + configuring_data_masking_rules_to_prevent_privacy_information_leakage + creating_a_reference_table_to_configure_protection_metrics_in_batches + configuring_a_known_attack_source_rule_to_block_specific_visitors_for_a_specified_duration + condition_field_description diff --git a/umn/source/policy_management/applying_a_policy_to_your_website.rst b/umn/source/configuring_protection_policies/step_3_adding_a_domain_name_to_a_policy.rst similarity index 80% rename from umn/source/policy_management/applying_a_policy_to_your_website.rst rename to umn/source/configuring_protection_policies/step_3_adding_a_domain_name_to_a_policy.rst index d8e9a34..f0275f5 100644 --- a/umn/source/policy_management/applying_a_policy_to_your_website.rst +++ b/umn/source/configuring_protection_policies/step_3_adding_a_domain_name_to_a_policy.rst 
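Review bot: In the new Step 2 index.rst added above, the entry "Configuring Information Leakage Prevention Rules to Protect Sensitive Information form Leakage" has "form" where "from" is meant, and the same typo is baked into the toctree target "configuring_information_leakage_prevention_rules_to_protect_sensitive_information_form_leakage". Fix the link text, and rename the target file together with its toctree entry in one change so the link does not break.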
@@ -2,11 +2,15 @@ .. _waf_01_0075: -Applying a Policy to Your Website -================================= +Step 3: Adding a Domain Name to a Policy +======================================== This topic describes how to apply a policy to your protected website. +.. note:: + + If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the project from the **Enterprise Project** drop-down list and configure protection policies for the domain names in batches. + Prerequisites ------------- diff --git a/umn/source/dashboard.rst b/umn/source/dashboard.rst index c1c124b..88a2992 100644 --- a/umn/source/dashboard.rst +++ b/umn/source/dashboard.rst 
@@ -30,17 +30,17 @@ The QPS calculation method varies depending on the time range. For details, see .. table:: **Table 1** QPS calculation - +----------------------------+--------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+ - | Time Range | Average QPS Description | Peak QPS Description | - +============================+====================================================================================================================+=================================================================+ - | **Yesterday** or **Today** | The QPS curve is made with the average QPSs in every minute. | The QPS curve is made with each peak QPS in every minute. | - +----------------------------+--------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+ - | **Past 3 days** | The QPS curve is made with the average QPSs in every five minutes. | The QPS curve is made with each peak QPS in every five minutes. | - +----------------------------+--------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+ - | **Past 7 days** | The QPS curve is made with the maximum value among the average QPSs in every five minutes at a 10-minute interval. | The QPS curve is made with each peak QPS in every 10 minutes. | - +----------------------------+--------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+ - | **Past 30 days** | The QPS curve is made with the maximum value among the average QPSs in every five minutes at a one-hour interval. | The QPS curve is made with the peak QPSs in every hour. 
| - +----------------------------+--------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+ + +----------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+ + | Time Range | Average QPS Description | Peak QPS Description | + +============================+===================================================================================================================+=================================================================+ + | **Yesterday** or **Today** | The QPS curve is made with the average QPS in every minute. | The QPS curve is made with each peak QPS in every minute. | + +----------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+ + | **Past 3 days** | The QPS curve is made with the average QPS in every five minutes. | The QPS curve is made with each peak QPS in every five minutes. | + +----------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+ + | **Past 7 days** | The QPS curve is made with the maximum value among the average QPS in every five minutes at a 10-minute interval. | The QPS curve is made with each peak QPS in every 10 minutes. 
| + +----------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+ + | **Past 30 days** | The QPS curve is made with the maximum value among the average QPS in every five minutes at a one-hour interval. | The QPS curve is made with the peak QPS in every hour. | + +----------------------------+-------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------+ .. note:: @@ -55,14 +55,14 @@ Procedure #. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. -#. In the upper part of the page, specify the website, instance, and time range for your query. +#. In the upper part of the page, select a project from the **Enterprise Project** drop-down list. Then, specify the website, instance, and time range for your query. - By default, the information about all websites you add to WAF in all enterprise projects are displayed. - - **Domain Names**: shows information about website domain names added to the WAF instance. Click **View** to go to the **Website Settings** page and view details about domain names of protected websites. + - **Domain Names**: shows information about websites added to the WAF instance in the selected enterprise project. Click **View** to go to the **Website Settings** page and view details about domain names of protected websites. - Query time: You can select **Yesterday**, **Today**, **Past 3 days**, **Past 7 days**, or **Past 30 days**. - .. figure:: /_static/images/en-us_image_0000001337958950.png + .. figure:: /_static/images/en-us_image_0000001731610061.png :alt: **Figure 1** Setting search criteria **Figure 1** Setting search criteria 
@@ -72,6 +72,7 @@ Procedure - **Requests**: shows the page views of the website, making it easy for you to view the total number of pages accessed by visitors in a certain period of time. - **Attacks**: shows how many times the website are attacked. - You can view how many pages are attacked by a certain type of attacks within a certain period of time. + - You can click **Show Details** to view the details of the 10 domain names with the most requests, attacks, and basic web protection, precise protection, CC attack protection, and anti-crawler protection actions. .. figure:: /_static/images/en-us_image_0000001285684556.png @@ -89,7 +90,7 @@ Procedure - **Past 30 days**: Security event data is gathered every hour. - .. figure:: /_static/images/en-us_image_0000001427503477.png + .. figure:: /_static/images/en-us_image_0000001683533946.png :alt: **Figure 3** Security Event Statistics **Figure 3** Security Event Statistics 
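Review bot: In the @@ -72,6 +72,7 @@ hunk, the added bullet "the 10 domain names with the most requests, attacks, and basic web protection, precise protection, CC attack protection, and anti-crawler protection actions" nests two "and" lists, so it is unclear whether **Show Details** gives one top-10 list or a separate top-10 list per category. Reword it to state which, for example by listing the categories after a colon. The unchanged line just above it, "shows how many times the website are attacked", could be fixed in the same pass ("is attacked").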
@@ -105,7 +106,7 @@ Procedure | | | | | Queries Per Second (QPS) indicates the number of requests per second. For example, an HTTP GET request is also called a query. | +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Bandwidth | Bandwidth usage | + | Bytes Sent/Received | Bandwidth usage | | | | | | The value of sent and received bytes is calculated by adding the values of **request_length** and **upstream_bytes_received** by time, so the value is different from the network bandwidth monitored on the EIP. This value is also affected by web page compression, connection reuse, and TCP retransmission. | +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ diff --git a/umn/source/dedicated_waf_engine_management.rst b/umn/source/dedicated_waf_engine_management.rst deleted file mode 100644 index 4024f00..0000000 --- a/umn/source/dedicated_waf_engine_management.rst +++ /dev/null 
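Review bot: In the dashboard.rst parameter table hunk (@@ -105,7 +106,7 @@), the row label changes from "Bandwidth" to "Bytes Sent/Received" but the first description line still reads "Bandwidth usage". The paragraph below it states that this value differs from the network bandwidth monitored on the EIP, so the description should be updated to match the new label, for example "Total bytes sent and received".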
@@ -1,195 +0,0 @@ -:original_name: waf_01_0253.html - -.. _waf_01_0253: - -Dedicated WAF Engine Management -=============================== - -This topic describes how to manage your dedicated WAF instances (or engines), including viewing instance information, upgrading the instance edition, or deleting an instance. - -.. note:: - - If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instances locate. Then, you can select the project from the **Enterprise Project** drop-down list and manage dedicated WAF instances in the project. - -Prerequisites -------------- - -You have applied for a dedicated WAF instance. - -Viewing Information About a Dedicated WAF Instance --------------------------------------------------- - -#. Log in to the management console. - -#. Click |image1| in the upper left corner of the management console and select a region or project. - -#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. - -#. In the navigation pane on the left, choose **Instance Management** > **Dedicated Engine** to go to the dedicated WAF instance page. - - - .. figure:: /_static/images/en-us_image_0000001388786649.png - :alt: **Figure 1** Dedicated engine list - - **Figure 1** Dedicated engine list - -#. View information about a dedicated WAF instance. :ref:`Table 1 ` describes parameters. - - .. _waf_01_0253__table8106945160: - - .. 
table:: **Table 1** Parameters of a dedicated instance - - +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------+ - | Parameter | Description | Example Value | - +=======================+=================================================================================================================================================================================================================+===============================+ - | Instance Name | Name automatically generated when an instance is created. | None | - +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------+ - | Protected Website | Domain name of the website protected by the instance. 
| www.example.com | - +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------+ - | VPC | VPC where the instance resides | vpc-waf | - +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------+ - | Subnet | Subnet where an instance resides | subnet-62bb | - +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------+ - | IP Addresses | IP address of the subnet in the VPC where the WAF instance is deployed. | 192.168.0.186 | - +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------+ - | Access Status | Connection status of the instance. | Accessible | - +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------+ - | Running Status | Status of the instance. 
| Running | - +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------+ - | Deployment | How the instance is deployed. | Standard mode (reverse proxy) | - +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------+ - | Specifications | Specifications of resources hosting the instance. | 8 vCPUs \| 16 GB | - +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------+ - | Operation | - **Cloud Eye**: View the monitoring information about the dedicated instance. For details, see :ref:`Viewing Metrics of a Dedicated WAF Instance `. | ``-`` | - | | - **Delete**: Delete the dedicated instance. For details, see :ref:`Deleting a Dedicated WAF Instance `. | | - | | - **More** > **Upgrade**: Upgrade the dedicated instance version. For details, see :ref:`Upgrading a Dedicated WAF Instance `. | | - | | - **More** > **Change Security Group**: Change the security group for the dedicated instance. For details, see :ref:`Change Security Group for a Dedicated WAF Instance `. | | - +-----------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------+ - -.. 
_waf_01_0253__section14699725145814: - -Viewing Metrics of a Dedicated WAF Instance -------------------------------------------- - -When a WAF instance is in the **Running** status, you can view the monitored metrics about the instance. - -#. Log in to the management console. - -#. Click |image3| in the upper left corner of the management console and select a region or project. - -#. Click |image4| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. - -#. In the navigation pane on the left, choose **Instance Management** > **Dedicated Engine** to go to the dedicated WAF instance page. - - - .. figure:: /_static/images/en-us_image_0000001388786649.png - :alt: **Figure 2** Dedicated engine list - - **Figure 2** Dedicated engine list - -#. In the row of the instance, click **Cloud Eye** in the **Operation** column to go to the Cloud Eye console and view the monitoring information, such as CPU, memory, and bandwidth. - -.. _waf_01_0253__section38005331521: - -Upgrading a Dedicated WAF Instance ----------------------------------- - -Only dedicated WAF instances in the **Running** status can be upgraded to the latest version. - -.. important:: - - - It takes about 20 minutes for upgrading an instance. During the upgrade, the instance is not available and cannot protect your domain names connected to it. To prevent service interruptions, use either of the following solutions: - - - **Solution 1**: Deploy multiple dedicated WAF instances for your domain name, add them to a backend server group of your load balancer, and enable the health check policy for the load balancer. In this way, if one dedicated WAF instance is not available, WAF automatically distributes the traffic to other healthy instances. There is almost no impact on your services except that website requests might be intermittently interrupted for few seconds. 
- - **Solution 2**: If you deploy only one dedicated WAF instance, configure a load balancer before you start to let website traffic bypass WAF during the upgrade. After the upgrade is complete, configure the load balancer to distribute traffic to WAF. - - - If you are using the latest version of WAF, the **Upgrade** button is grayed out. - -#. Log in to the management console. - -#. Click |image5| in the upper left corner of the management console and select a region or project. - -#. Click |image6| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. - -#. In the navigation pane on the left, choose **Instance Management** > **Dedicated Engine** to go to the dedicated WAF instance page. - - - .. figure:: /_static/images/en-us_image_0000001388786649.png - :alt: **Figure 3** Dedicated engine list - - **Figure 3** Dedicated engine list - -#. In the row containing the instance you want to upgrade, click **More** > **Upgrade** in the **Operation** column. - -#. Confirm the upgrade conditions and click **Confirm**. - -.. _waf_01_0253__section17581742182617: - -Change Security Group for a Dedicated WAF Instance --------------------------------------------------- - -If you select **Network Interface** for **Instance Type**, you can change the security group to which your dedicated instance belongs. After you select a security group, the WAF instance will be protected by the access rules of the security group. - -#. Log in to the management console. - -#. Click |image7| in the upper left corner of the management console and select a region or project. - -#. Click |image8| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. - -#. In the navigation pane on the left, choose **Instance Management** > **Dedicated Engine** to go to the dedicated WAF instance page. - - - .. 
figure:: /_static/images/en-us_image_0000001388786649.png - :alt: **Figure 4** Dedicated engine list - - **Figure 4** Dedicated engine list - -#. In the row containing the instance, choose **More** > **Change Security Group** in the **Operation** column. - -#. In the dialog box displayed, select the new security group and click **Confirm**. - -.. _waf_01_0253__section773017566122: - -Deleting a Dedicated WAF Instance ---------------------------------- - -You can delete a dedicated WAF instance anytime. A deleted dedicated WAF instance will no longer protect the website added to it. - -.. important:: - - Resources on deleted instance are released and cannot be restored. Exercise caution when performing this operation. - -#. Log in to the management console. - -#. Click |image9| in the upper left corner of the management console and select a region or project. - -#. Click |image10| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. - -#. In the navigation pane on the left, choose **Instance Management** > **Dedicated Engine** to go to the dedicated WAF instance page. - - - .. figure:: /_static/images/en-us_image_0000001388786649.png - :alt: **Figure 5** Dedicated engine list - - **Figure 5** Dedicated engine list - -#. In the row of the instance, click **Delete** in the **Operation** column. - -#. Click **Confirm**. - - - .. figure:: /_static/images/en-us_image_0000001286058500.png - :alt: **Figure 6** Deleting an instance - - **Figure 6** Deleting an instance - -.. |image1| image:: /_static/images/en-us_image_0000001082065421.jpg -.. |image2| image:: /_static/images/en-us_image_0000001287946362.png -.. |image3| image:: /_static/images/en-us_image_0000001082065421.jpg -.. |image4| image:: /_static/images/en-us_image_0000001340308129.png -.. |image5| image:: /_static/images/en-us_image_0000001081906323.jpg -.. |image6| image:: /_static/images/en-us_image_0000001340427973.png -.. 
|image7| image:: /_static/images/en-us_image_0000001240865319.jpg -.. |image8| image:: /_static/images/en-us_image_0000001340667861.png -.. |image9| image:: /_static/images/en-us_image_0000001081671555.jpg -.. |image10| image:: /_static/images/en-us_image_0000001288427746.png diff --git a/umn/source/enabling_lts_for_waf_logging.rst b/umn/source/enabling_lts_for_waf_logging.rst deleted file mode 100644 index 5856d13..0000000 --- a/umn/source/enabling_lts_for_waf_logging.rst +++ /dev/null 
@@ -1,375 +0,0 @@ -:original_name: waf_01_0172.html - -.. _waf_01_0172: - -Enabling LTS for WAF Logging -============================ - -After you authorize WAF to access Log Tank Service (LTS), you can use the WAF logs recorded by LTS for quick and efficient real-time analysis, device O&M management, and analysis of service trends. - -LTS analyzes and processes a large number of logs. It enables you to process logs in real-time, efficiently, and securely. Logs can be stored in LTS for seven days by default but you can configure LTS for up to 30 days if needed. Logs earlier than 30 days are automatically deleted. However, you can configure LTS to dump those logs to an Object Storage Service (OBS) bucket or enable Data Ingestion Service (DIS) for long-term storage. - -Prerequisites -------------- - -- You have applied for your WAF. -- The website to be protected has been added to WAF. - -Impact on the System --------------------- - -Enabling LTS for WAF does not affect WAF performance. - -Enabling LTS for WAF Protection Event Logging ---------------------------------------------- - -#. Log in to the management console. - -#. Click |image1| in the upper left corner of the management console and select a region or project. - -#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. - -#. In the navigation pane on the left, choose **Events**. - -#. Click the **Configure Logs** tab, enable LTS (|image3|), and select a log group and log stream. :ref:`Table 1 ` describes the parameters. - - - .. figure:: /_static/images/en-us_image_0000001555272665.png - :alt: **Figure 1** Configuring logs - - **Figure 1** Configuring logs - - .. _waf_01_0172__table11535733111515: - - .. 
table:: **Table 1** Log configuration - - +-----------------------+-----------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Parameter | Description | Example Value | - +=======================+=============================================================================================================================+=======================+ - | Log Group | Select a log group or click **View Log Group** to go to the LTS console and create a log group. | lts-group-waf | - +-----------------------+-----------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Attack Log | Select a log stream or click **View Log Stream** to go to the LTS console and create a log stream. | lts-topic-waf-attack | - | | | | - | | An attack log includes information about event type, protective action, and attack source IP address of each attack. | | - +-----------------------+-----------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Access Log | Select a log stream or click **View Log Stream** to go to the LTS console and create a log stream. | lts-topic-waf-access | - | | | | - | | An access log includes key information about access time, client IP address, and resource URL of each HTTP access requests. | | - +-----------------------+-----------------------------------------------------------------------------------------------------------------------------+-----------------------+ - -#. Click **OK**. - - You can view WAF protection event logs on the LTS console. - -Viewing WAF Protection Event Logs on LTS ----------------------------------------- - -After enabling LTS, perform the following steps to view and analyze WAF logs on the LTS console. - -#. Log in to the management console. -#. 
Click |image4| in the upper left corner of the management console and select a region or project. -#. Click |image5| in the upper left corner of the page and choose **Management & Deployment** > **Log Tank Service**. -#. In the log group list, click |image6| to expand the WAF log group (for example, **lts-group-waf**). -#. View protection event logs. - - - View attack logs. - - a. In the log stream list, click the name of the configured attack log stream. - - b. View attack logs. - - - .. figure:: /_static/images/en-us_image_0000001550850865.png - :alt: **Figure 2** Viewing attack logs - - **Figure 2** Viewing attack logs - - - View access logs. - - a. In the log stream list, click the name of the configured access log stream. - - b. View access logs. - - - .. figure:: /_static/images/en-us_image_0000001499773388.png - :alt: **Figure 3** Viewing access logs - - **Figure 3** Viewing access logs - -WAF access_log Field --------------------- - -+------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| Field | Type | Field Description | Description | -+========================+=================+===================================================================================+===============================================================================================================================================================================================================================+ -| requestid | string | Random ID | The value is the same as the last eight characters of the **req_id** field in the attack log. 
| -+------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| time | string | Time an access request is received. | GMT time a log is generated. | -+------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| eng_ip | string | IP address of the WAF engine | ``-`` | -+------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| hostid | string | Domain name identifier of the access request. | Protected domain name ID (upstream_id). 
| -+------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| tenantid | string | Account ID | Your account | -+------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| projectid | string | ID of the project the protected domain name belongs to | Project ID of a user in a specific region. | -+------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| remote_ip | string | IP address from which a client request originates. | IP address from which a client request originates. | -| | | | | -| | | | .. important:: | -| | | | | -| | | | NOTICE: | -| | | | If a layer-7 proxy is deployed in front of WAF, this field indicates the IP address of the proxy node closest to WAF. The real IP address of the visitor is specified by the **x-forwarded-for** and **x_real_ip** fields. 
| -+------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| x-forwarded-for | string | A string of IP addresses for a proxy when the proxy is deployed in front of WAF. | The sting includes one or more IP addresses. | -| | | | | -| | | | The leftmost IP address is the originating IP address of the client. Each time the proxy server receives a request, it adds the source IP address of the request to the right of the originating IP address. | -+------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| x_real_ip | string | Real IP address of the client when a proxy is deployed in front of WAF. | Real IP address of the client, which is identified by the proxy. | -+------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| cdn_src_ip | string | Client IP address identified by CDN when CDN is deployed in front of WAF | This field specifies the real IP address of the client if CDN is deployed in front of WAF. | -| | | | | -| | | | .. important:: | -| | | | | -| | | | NOTICE: | -| | | | Some CDN vendors may use other fields. WAF records only the most common fields. 
| -+------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| scheme | string | Request protocol | Protocols that can be used in the request: | -| | | | | -| | | | - HTTP | -| | | | - HTTPS | -+------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| response_code | string | Response code | Response status code returned by the origin server to WAF. | -+------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| method | string | Request method. | Request type in a request line. Generally, the value is **GET** or **POST**. | -+------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| http_host | string | Domain name of the requested server. | Address, domain name, or IP address entered in the address box of a browser. 
| -+------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| url | string | Request URL. | Path in a URL (excluding the domain name). | -+------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| request_length | string | Request length. | The request length includes the access request address, HTTP request header, and number of bytes in the request body. | -+------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| bytes_send | string | Total number of bytes sent to the client. | Number of bytes sent by WAF to the client. 
| -+------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| body_bytes_sent | string | Total number of bytes of the response body sent to the client | Number of bytes of the response body sent by WAF to the client | -+------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| upstream_addr | string | Address of the backend server. | IP address of the origin server for which a request is destined. For example, if WAF forwards requests to an ECS, the IP address of the ECS is returned to this parameter. | -+------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| request_time | string | Request processing time | Processing time starts when the first byte of the client is read. | -+------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| upstream_response_time | string | Backend server response time. 
| Time when the backend server responds to the WAF request. | -+------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| upstream_status | string | Response code of the backend server. | Response status code returned by the backend server to WAF. | -+------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| upstream_connect_time | string | Time elapsed for origin servers to connect to backend servers | Time for the origin server to establish a connection to its backend servers. If the backend service uses an encryption protocol, this parameter includes the handshake time. | -+------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| upstream_header_time | string | Time used by the backend server to receive the first byte of the response header. 
| ``-`` | -+------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| bind_ip | string | WAF engine back-to-source IP address. | Back-to-source IP address used by the WAF engine. | -+------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| group_id | string | LTS log group ID | ID of the log group for interconnecting WAF with LTS. | -+------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| access_stream_id | string | Log stream ID. | ID of **access_stream** of the user in the log group identified by the **group_id** field. | -+------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| engine_id | string | WAF engine ID | Unique ID of the WAF engine. 
| -+------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| time_iso8601 | string | ISO 8601 time format of logs. | ``-`` | -+------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| sni | string | Domain name requested through SNI. | ``-`` | -+------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| tls_version | string | Protocol version for establishing an SSL connection. | TLS version used in the request. | -+------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| ssl_curves | string | Curve group list supported by the client. 
| ``-`` | -+------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| ssl_session_reused | string | SSL session reuse | Whether the SSL session can be reused | -| | | | | -| | | | **r**: Yes | -| | | | | -| | | | **.**: No | -+------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| process_time | string | Detection duration | ``-`` | -+------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - -WAF request_log field description ---------------------------------- - -+-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ -| Field | Type | Field Description | Description | -+===================+=================+=====================================================================+==============================================================================================================+ -| scheme | string | Request protocol | Protocols that can be used in the request: | -| | | | | -| | | | - HTTP | -| | | | - https | 
-+-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ -| hport | string | Listening port for the engine | ``-`` | -+-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ -| body_bytes_sent | string | Total number of bytes of the response body sent to the client. | ``-`` | -+-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ -| hostid | string | Protected domain name ID (upstream_id). | ``-`` | -+-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ -| time_iso8601 | string | ISO 8601 time format of logs. | ``-`` | -+-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ -| host | string | Domain name of the requested server. 
| ``-`` | -+-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ -| tenantid | string | Account ID | ``-`` | -+-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ -| inet_ip | string | IP address of the engine | ``-`` | -+-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ -| backend.protocol | string | Current backend protocol | ``-`` | -+-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ -| backend.alive | string | Current backend status | ``-`` | -+-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ -| backend.port | string | Current backend port | ``-`` | -+-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ -| backend.host | string | Current backend host value | ``-`` | -+-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ -| backend.type | string | Current backend host type | Type of the backend host. 
It can be a domain name or an IP address. | -+-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ -| id | string | Request ID | The last eight characters are the same as the first eight characters of the **requestid** in the access log. | -+-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ -| sip | string | IP address from which a client request originates. | ``-`` | -+-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ -| sport | string | Port used by the IP address from which a client request originates. | ``-`` | -+-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ -| projectid | string | ID of the project the protected domain name belongs to | ``-`` | -+-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ -| cookie | string | Cookie | ``-`` | -+-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ -| method | string | Request method. 
| ``-`` | -+-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ -| uri | string | Request URI | ``-`` | -+-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ -| request_stream_id | string | Log stream ID | ID of **request_stream** of the user in the log group identified by the **group_id** field. | -+-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ -| group_id | string | Log group ID | LTS log group ID | -+-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ -| engine_id | string | Unique ID of the engine | ``-`` | -+-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ -| header | string | Header content | ``-`` | -+-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ -| time | string | Log time | ``-`` | -+-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ -| category | string | Log category | The value is 
**request**. | -+-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ -| status | string | Response code | ``-`` | -+-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ - -WAF attack_log field description --------------------------------- - -+------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ -| Field | Type | Field Description | Description | -+========================+======================================================================+========================================================================+============================================================================================+ -| category | string | Log category | The value is **attack**. | -+------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ -| time | string | Log time | ``-`` | -+------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ -| time_iso8601 | string | ISO 8601 time format of logs. 
| ``-`` | -+------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ -| policy_id | string | Policy ID | ``-`` | -+------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ -| level | string | Protection level | Protection level of a built-in rule in basic web protection | -| | | | | -| | | | - **1**: Low | -| | | | - **2**: Medium | -| | | | - **3**: High | -+------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ -| attack | string | Type of attack | Attack type. This parameter is listed in attack logs only. 
| -| | | | | -| | | | - **default**: default attacks | -| | | | - **sqli**: SQL injections | -| | | | - **xss**: cross-site scripting (XSS) attacks | -| | | | - **webshell**: web shells | -| | | | - **robot**: malicious crawlers | -| | | | - **cmdi**: command injections | -| | | | - **rfi**: remote file inclusion attacks | -| | | | - **lfi**: local file inclusion attacks | -| | | | - **illegal**: unauthorized requests | -| | | | - **vuln**: exploits | -| | | | - **cc**: attacks that hit the CC protection rules | -| | | | - **custom_custom**: attacks that hit a precise protection rule | -| | | | - **custom_whiteip**: attacks that hit an IP address blacklist or whitelist rule | -| | | | - **custom_geoip**: attacks that hit a geolocation access control rule | -| | | | - **antitamper**: attacks that hit a web tamper protection rule | -| | | | - **anticrawler**: attacks that hit the JS challenge anti-crawler rule | -| | | | - **leakage**: vulnerabilities that hit an information leakage prevention rule | -| | | | - **followed_action**: The source is marked as a known attack source. | -+------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ -| action | string | Protective action | WAF defense action. | -| | | | | -| | | | - **block**: WAF blocks attacks. | -| | | | - **log**: WAF only logs detected attacks. | -| | | | - **captcha**: Verification code | -+------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ -| sub_type | string | Crawler types | When **attack** is set to **robot**, this parameter cannot be left blank. 
| -| | | | | -| | | | - **script_tool**: Script tools | -| | | | - **search_engine**: Search engines | -| | | | - **scanner:** Scanning tools | -| | | | - **uncategorized**: Other crawlers | -+------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ -| rule | string | ID of the triggered rule or the description of the custom policy type. | ``-`` | -+------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ -| location | string | Location triggering the malicious load | ``-`` | -+------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ -| hit_data | string | String triggering the malicious load | ``-`` | -+------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ -| resp_headers | string | Response header | ``-`` | -+------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ -| resp_body | string | Response body | ``-`` | 
-+------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ -| backend | string | Address of the backend server to which the request is forwarded. | ``-`` | -+------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ -| status | string | Response status code | ``-`` | -+------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ -| reqid | string | Random ID | ``-`` | -+------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ -| id | string | Attack ID | ID of the attack | -+------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ -| method | string | Request method | ``-`` | -+------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ -| sip | string | Client request IP address | ``-`` | 
-+------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ -| sport | string | Client request port | ``-`` | -+------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ -| host | string | Requested domain name | ``-`` | -+------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ -| http_host | string | Domain name of the requested server. | ``-`` | -+------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ -| hport | string | Port of the requested server. | ``-`` | -+------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ -| uri | string | Request URL. | The domain is excluded. | -+------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ -| header | A JSON string. A JSON table is obtained after the string is decoded. 
| Request header | ``-`` | -+------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ -| multipart | A JSON string. A JSON table is obtained after the string is decoded. | Request multipart header | This parameter is used to upload files. | -+------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ -| cookie | A JSON string. A JSON table is obtained after the string is decoded. | Cookie of the request | ``-`` | -+------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ -| params | A JSON string. A JSON table is obtained after the string is decoded. | Params value following the request URI. | ``-`` | -+------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ -| body_bytes_sent | string | Total number of bytes of the response body sent to the client. | Total number of bytes of the response body sent by WAF to the client. | -+------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ -| upstream_response_time | string | Backend server response time. 
| ``-`` | -+------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ -| process_time | string | Detection duration | ``-`` | -+------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ -| engine_id | string | Unique ID of the engine | ``-`` | -+------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ -| group_id | string | Log group ID | LTS log group ID | -+------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ -| attack_stream_id | string | Log stream ID | ID of **access_stream** of the user in the log group identified by the **group_id** field. | -+------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ -| hostid | string | Protected domain name ID (upstream_id). 
| ``-`` | -+------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ -| tenantid | string | Account ID | ``-`` | -+------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ -| projectid | string | ID of the project the protected domain name belongs to | ``-`` | -+------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ - -.. |image1| image:: /_static/images/en-us_image_0000001482072692.jpg -.. |image2| image:: /_static/images/en-us_image_0000001550676585.png -.. |image3| image:: /_static/images/en-us_image_0000001550677993.png -.. |image4| image:: /_static/images/en-us_image_0000001188007266.jpg -.. |image5| image:: /_static/images/en-us_image_0000001550561697.png -.. |image6| image:: /_static/images/en-us_image_0000001387002182.png diff --git a/umn/source/enabling_waf_protection/connecting_a_website_to_waf/connection_process_dedicated_mode.rst b/umn/source/enabling_waf_protection/connecting_a_website_to_waf/connection_process_dedicated_mode.rst deleted file mode 100644 index 52f9419..0000000 --- a/umn/source/enabling_waf_protection/connecting_a_website_to_waf/connection_process_dedicated_mode.rst +++ /dev/null 
@@ -1,30 +0,0 @@ -:original_name: waf_01_0326.html - -.. _waf_01_0326: - -Connection Process (Dedicated Mode) -=================================== - -To let your dedicated WAF instance protect your website, the domain name of the website must be connected to the WAF instance so that the website incoming traffic can go to WAF first. - -Constraints ------------ - -Dedicated WAF instances can only protect web applications and websites that are accessible through domain names or IP addresses. - -Processes of Connecting a Website to WAF ----------------------------------------- - -After purchasing a dedicated WAF instance, complete the required configurations by following the process shown in :ref:`Figure 1 `. - -.. _waf_01_0326__fig3118103718294: - -.. figure:: /_static/images/en-us_image_0000001171626489.png - :alt: **Figure 1** Process of connecting a website to a dedicated WAF instance - - **Figure 1** Process of connecting a website to a dedicated WAF instance - -Fixing Inaccessible Websites ----------------------------- - -If a domain name fails to be connected to WAF, its access status is **Inaccessible**. To fix this issue, see :ref:`Why Is My Domain Name or IP Address Inaccessible? ` diff --git a/umn/source/enabling_waf_protection/connecting_a_website_to_waf/step_1_add_a_website_to_waf.rst b/umn/source/enabling_waf_protection/connecting_a_website_to_waf/step_1_add_a_website_to_waf.rst deleted file mode 100644 index 6869a42..0000000 --- a/umn/source/enabling_waf_protection/connecting_a_website_to_waf/step_1_add_a_website_to_waf.rst +++ /dev/null 
@@ -1,235 +0,0 @@ -:original_name: waf_01_0250.html - -.. _waf_01_0250: - -Step 1: Add a Website to WAF -============================ - -If your service servers are deployed on the cloud, you can add the domain name or IP address of the website to WAF so that the website traffic is forwarded to WAF for inspection. - -.. note:: - - If you have enabled enterprise projects, you can select your enterprise project from the **Enterprise Project** drop-down list and add websites to be protected in the project. - -Prerequisites -------------- - -You have applied for a dedicated WAF instance. - -Constraints ------------ - -- An Internet-facing load balancer has been deployed on the website you want to protect with dedicated WAF instances. -- If your website has no layer-7 proxy server such as CDN and cloud acceleration service deployed in front of WAF and uses only layer-4 load balancers (or NAT), set **Proxy Configured** to **No**. Otherwise, **Proxy Configured** must be set to **Yes**. This ensures that WAF obtains real IP addresses of website visitors and takes protective actions configured in protection policies. - -Collecting Domain Name/IP Address Information ---------------------------------------------- - -Before adding a domain name or IP address, obtain the information listed in :ref:`Table 1 `. - -.. _waf_01_0250__table1252463519439: - -.. 
table:: **Table 1** Domain name or IP address details required - - +------------------------+-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+ - | Information | Parameter | Description | Example Value | - +========================+===================+===========================================================================================================================================================================================================================+=================+ - | Parameters | Protected Website | - Domain name: used by visitors to access your website. A domain name consists of letters separated by dots (.). It is a human readable address that maps to the machine readable IP address of your server. | www.example.com | - | | | - IP: IP address of the website. | | - +------------------------+-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+ - | | Protected Port | The service port corresponding to the domain name of the website you want to protect. | 80 | - | | | | | - | | | - Standard ports | | - | | | | | - | | | - 80: default port when the client protocol is set to HTTP | | - | | | - 443: default port when the client protocol is set to HTTPS | | - | | | | | - | | | - Non-standard ports | | - | | | | | - | | | Ports other than ports 80 and 443 | | - | | | | | - | | | .. important:: | | - | | | | | - | | | NOTICE: | | - | | | If your website uses a non-standard port, check whether the WAF edition you plan to buy can protect the non-standard port before you make a purchase. For details, see :ref:`Ports Supported by WAF `. 
| | - +------------------------+-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+ - | | Client Protocol | Protocol used by a client (for example, a browser) to access the website. WAF supports HTTP and HTTPS. | HTTP | - +------------------------+-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+ - | | Server Protocol | Protocol used by WAF to forward requests to the client (such as a browser). The options are **HTTP** and **HTTPS**. | HTTP | - +------------------------+-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+ - | | VPC | Select the VPC to which the dedicated WAF instance belongs. 
| vpc-default | - +------------------------+-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+ - | | Server Address | Private IP address or domain name of the website server that a client (for example, a browser) accesses | 192.168.1.1 | - +------------------------+-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+ - | (Optional) Certificate | Certificate Name | If you set **Client Protocol** to **HTTPS**, you are required to configure a certificate on WAF and associate the certificate with the domain name. | None | - | | | | | - | | | .. important:: | | - | | | | | - | | | NOTICE: | | - | | | Only .pem certificates can be used in WAF. If a certificate is not in .pem, convert it by referring to :ref:`How Do I Convert a Certificate into PEM Format? `. | | - +------------------------+-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+ - -Procedure ---------- - -#. Log in to the management console. -#. Click |image1| in the upper left corner of the management console and select a region or project. -#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. - -4. In the navigation pane, choose **Website Settings**. - -5. In the upper left corner of the website list, click **Add Website**. - -6. Configure basic information of the domain name referring to :ref:`Table 2 `. - - - .. 
figure:: /_static/images/en-us_image_0000001337887457.png - :alt: **Figure 1** Configuring basic settings of a website - - **Figure 1** Configuring basic settings of a website - - .. _waf_01_0250__table056413271366: - - .. table:: **Table 2** Parameter description - - +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------+ - | Parameter | Description | Example Value | - +=======================+========================================================================================================================================================================================================================================================================================================================================+==========================================+ - | Website Name | Website name you specify. | WAF-DT | - +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------+ - | Protected Object | A domain name or IP address of the website to be protected. The domain name can be a single domain name or a wildcard domain name. | Single domain name: **www.example.com** | - | | | | - | | - Single domain name: Enter a single domain name. For example, www.example.com. | Wildcard domain name: **\*.example.com** | - | | - Wildcard domain name | | - | | | IP address format: *XXX.XXX.1.1* | - | | .. 
note:: | | - | | | | - | | Wildcard domain names cannot contain underscores (_). | | - | | | | - | | - If the server IP address of each subdomain name is the same, enter a wildcard domain name to be protected. For example, if the subdomain names **a.example.com**, **b.example.com**, and **c.example.com** have the same server IP address, you can add the wildcard domain name **\*.example.com** to WAF to protect all three. | | - | | - If the server IP addresses of subdomain names are different, add subdomain names as single domain names one by one. | | - +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------+ - | Website Remarks | Brief description of the website | test | - +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------+ - | Protected Port | Select the port that needs to be protected from the drop-down list box. | Standard ports | - | | | | - | | To protect port 80 or 443, select **Standard port** from the drop-down list. 
| | - +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------+ - | Server Configuration | Address of the web server. The configuration contains the **Client Protocol**, **Server protocol**, VPC, **Server Address,** and **Server Port**. | **Client Protocol**: **HTTP** | - | | | | - | | - **Client Protocol**: Protocol used for forwarding a client requests to the dedicated WAF instance. The options are **HTTP** and **HTTPS**. | **Server Protocol**: **HTTP** | - | | - **Server Protocol**: Protocol used for forwarding a client request to the origin server through the dedicated WAF instance. The options are **HTTP** and **HTTPS**. | | - | | | **VPC**: vpc-default | - | | .. note:: | | - | | | **Server Address**: *192.168.1.1* | - | | WAF can check WebSocket and WebSockets requests, which is enabled by default. | | - | | | **Server Port**: **80** | - | | - **VPC**: Select the VPC to which the dedicated WAF instance belongs. | | - | | - **Server Address**: Private IP address or domain name of the website server that a client (for example, a browser) accesses. | | - | | - **Server Port**: service port of the server to which the dedicated WAF instance forwards client requests. 
| | - +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------+ - | Certificate Name | If you set **Client Protocol** to **HTTPS**, an SSL certificate is required. You can select an existing certificate or import an external certificate. For details about how to import a certificate, see :ref:`Importing a New Certificate `. | ``-`` | - | | | | - | | For details about how to create a certificate, see :ref:`Uploading a Certificate `. | | - | | | | - | | .. important:: | | - | | | | - | | NOTICE: | | - | | | | - | | - Only .pem certificates can be used in WAF. If the certificate is not in .pem, convert it into a .pem certificate by referring to :ref:`Importing a New Certificate ` before uploading the certificate. | | - | | - Each domain name must have a certificate associated. A wildcard domain name can only use a wildcard domain certificate. If you only have single-domain certificates, you need to add domain names one by one in WAF. | | - +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------+ - -7. Configure **Proxy**. - - If your website has no layer-7 proxy server such as CDN and cloud acceleration service deployed in front of WAF and uses only layer-4 load balancers (or NAT), set **Proxy Configured** to **No**. Otherwise, **Proxy Configured** must be set to **Yes**. 
This ensures that WAF obtains real IP addresses of website visitors and takes protective actions configured in protection policies. - -8. Select a policy. By default, **system-generated policy** is selected. - - You can select a policy you configured. You can also customize rules after the domain name is connected to WAF. - - System-generated policies: - - - Basic web protection (**Log only** mode and common checks) - - The basic web protection defends against attacks such as SQL injections, XSS, remote overflow vulnerabilities, file inclusions, Bash vulnerabilities, remote command execution, directory traversal, sensitive file access, and command/code injections. - - - Anti-crawler (**Log only** mode and **Scanner** feature) - - WAF only logs web scanning tasks, such as vulnerability scanning and virus scanning, such as crawling behavior of OpenVAS and Nmap. - - .. note:: - - **Log only**: WAF only logs detected attack events instead of blocking them. - -9. Click **Confirm**. - - To enable WAF protection, there are still several steps, including configuring a load balancer, binding an EIP to the load balancer, and whitelisting WAF IP addresses. You can click **Later** in this step. Then, follow the instructions and finish those steps by referring to :ref:`Step 2: Configure a Load Balancer ` and :ref:`Step 3: Bind an EIP to a Load Balancer `. - -Verification ------------- - -The initial **Access Status** of a website is **Inaccessible**. After you configure a load balancer and bind an EIP to the load balancer for your website, when a request reaches the WAF dedicated instance, the access status automatically changes to **Accessible**. - -.. _waf_01_0250__section36817893018: - -Importing a New Certificate ---------------------------- - -If you set **Client Protocol** to **HTTPS**, an SSL certificate is required. You can perform the following steps to import a new certificate. - -#. Click **Import New Certificate**. 
In the displayed dialog box, enter a certificate name and copy the certificate file and private key to the corresponding text boxes. - - - .. figure:: /_static/images/en-us_image_0000001285728898.png - :alt: **Figure 2** Import New Certificate - - **Figure 2** Import New Certificate - - .. note:: - - WAF encrypts and saves the private key to keep it safe. - - Only .pem certificates can be used in WAF. If the certificate is not in .pem format, convert it into .pem locally by referring to :ref:`Table 3 ` before uploading it. - - .. _waf_01_0250__waf_01_0002_table1292125414516: - - .. table:: **Table 3** Certificate conversion commands - - +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------+ - | Format | Conversion Method | - +===================================+============================================================================================================================+ - | CER/CRT | Rename the **cert.crt** certificate file to **cert.pem**. | - +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------+ - | PFX | - Obtain a private key. For example, run the following command to convert **cert.pfx** into **key.pem**: | - | | | - | | **openssl pkcs12 -in cert.pfx -nocerts -out key.pem -nodes** | - | | | - | | - Obtain a certificate. For example, run the following command to convert **cert.pfx** into **cert.pem**: | - | | | - | | **openssl** **pkcs12** **-in** **cert.pfx** **-nokeys** **-out** **cert.pem** | - +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------+ - | P7B | a. Convert a certificate. 
For example, run the following command to convert **cert.p7b** into **cert.cer**: | - | | | - | | **openssl** **pkcs7** **-print_certs** **-in** **cert.p7b** **-out** **cert.cer** | - | | | - | | b. Rename certificate file **cert.cer** to **cert.pem**. | - +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------+ - | DER | - Obtain a private key. For example, run the following command to convert ****privatekey.der**** into **privatekey.pem**: | - | | | - | | **openssl** **rsa** **-inform** **DER** **-outform** **PEM** **-in** **privatekey.der** **-out** **privatekey.pem** | - | | | - | | - Obtain a certificate. For example, run the following command to convert **cert.cer** into **cert.pem**: | - | | | - | | **openssl** **x509** **-inform** **der** **-in** **cert.cer** **-out cert.pem** | - +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------+ - - .. note:: - - - Before running an OpenSSL command, ensure that the `OpenSSL `__ tool has been installed on the local host. - - If your local PC runs a Windows operating system, go to the command line interface (CLI) and then run the certificate conversion command. - -#. Click **Confirm**. - -.. |image1| image:: /_static/images/en-us_image_0000001260399509.jpg -.. |image2| image:: /_static/images/en-us_image_0000001288099090.png diff --git a/umn/source/enabling_waf_protection/connecting_a_website_to_waf/step_2_configure_a_load_balancer.rst b/umn/source/enabling_waf_protection/connecting_a_website_to_waf/step_2_configure_a_load_balancer.rst deleted file mode 100644 index f06e56a..0000000 --- a/umn/source/enabling_waf_protection/connecting_a_website_to_waf/step_2_configure_a_load_balancer.rst +++ /dev/null 
@@ -1,74 +0,0 @@ -:original_name: waf_01_0251.html - -.. _waf_01_0251: - -Step 2: Configure a Load Balancer -================================= - -To ensure your dedicated WAF instance reliability, after you add a website to it, use Elastic Load Balance (ELB) to configure a load balancer and a health check for the dedicated WAF instance. - -Prerequisites -------------- - -- You have added a website to a dedicated WAF instance. - -- You have created a load balancer. - -- Related ports have been enabled in the security group to which the dedicated WAF instance belongs. - - You can configure your security group as follows: - - - Inbound rules - - Add an inbound rule to allow incoming network traffic to pass through over a specified port based on your service requirements. For example, if you want to allow access from port 80, add a rule that allows **TCP** and port **80**. - - - Outbound rules - - Retain the default settings. All outgoing network traffic is allowed by default. - -Constraints ------------ - -The listening port of the dedicated WAF instance must be the same as that configured in :ref:`Step 1: Add a Website to WAF `. - -Impact on the System --------------------- - -If you select **Weighted round robin** for **Load Balancing Algorithm**, disable **Sticky Session**. If you enable **Sticky Session**, the same requests will be forwarded to the same dedicated WAF instance. If this instance becomes faulty, an error will occur when the requests come to it next time. - -Procedure ---------- - -#. Log in to the management console. -#. Click |image1| in the upper left corner of the management console and select a region or project. -#. Click |image2| in the upper left corner of the page and choose **Elastic Load Balance** under **Network** to go to the **Load Balancers** page. -#. Click the name of the load balancer in the **Name** column to go to the **Basic Information** page. -#. Locate the **IP as a Backend** row, enable the function. 
In the displayed dialog box, click **OK**. -#. Click the **Listeners** tab, click **Add Listener**, and configure the listener name, front-end protocol, and port. -#. Click **Next: Configure Request Routing Policy**. - - .. important:: - - If you select **Round robin** for **Load Balancing Algorithm**, disable **Sticky Session**. If you enable **Sticky Session**, the same requests will be forwarded to the same dedicated WAF instance. If this instance becomes faulty, an error will occur when the requests come to it next time. - -#. Click **Next: Add Backend Server**. Then, select the **IP as Backend Servers** tab. - - .. important:: - - In the health check configuration, **Protocol** can only be set to **TCP**, or the health check will fail and ELB will not forward traffic to the backend WAF. - -#. Click **Add IP as Backend Server**. In the displayed dialog box, configure **Backend Server IP Address** and **Backend Port**. - - - **Backend Server IP Address**: Enter the IP address of the dedicated WAF engine, which you can obtain from the dedicated engine list. - - **Backend Port**: Use the same one you configured in :ref:`Step 1: Add a Website to WAF `. If you configure a standard port for the website, set the HTTP listening port to **80** and HTTPS listening port to **443**. - -#. Click **OK**. -#. Click **Next: Confirm**, confirm the information, and click **Submit**. - -Verification ------------- - -If the **Health Check Result** is **Healthy**, the load balancer is configured. - -.. |image1| image:: /_static/images/en-us_image_0000001488605878.jpg -.. |image2| image:: /_static/images/en-us_image_0000001539325965.png diff --git a/umn/source/enabling_waf_protection/connecting_a_website_to_waf/step_3_bind_an_eip_to_a_load_balancer.rst b/umn/source/enabling_waf_protection/connecting_a_website_to_waf/step_3_bind_an_eip_to_a_load_balancer.rst deleted file mode 100644 index 75cdfb8..0000000 
--- a/umn/source/enabling_waf_protection/connecting_a_website_to_waf/step_3_bind_an_eip_to_a_load_balancer.rst +++ /dev/null @@ -1,41 +0,0 @@ -:original_name: waf_01_0252.html - -.. _waf_01_0252: - -Step 3: Bind an EIP to a Load Balancer -====================================== - -After you configure a load balancer for your dedicated WAF instance, you need to unbind the EIP from the origin server and then bind this EIP to the load balancer you configured. For details, see :ref:`Configuring a Load Balancer `. The request traffic then goes to the dedicated WAF instance for attack detection first and then go to the origin server, ensuring the security, stability, and availability of the origin server. - -Prerequisites -------------- - -You have configured a load balancer for a dedicated WAF instance. - -Procedure ---------- - -#. Log in to the management console. - -#. Click |image1| in the upper left corner of the management console and select a region or project. - -#. Click |image2| in the upper left corner of the page and choose **Elastic Load Balance** under **Network** to go to the ELB console. - -#. .. _waf_01_0252__li11870192512125: - - On the **Elastic Load Balancers** page, locate the row that contains the load balancer configured for the origin server. Then, in the **Operation** column, click **More** >\ **Unbind IPv4/6 EIP**. - - - .. figure:: /_static/images/en-us_image_0000001344294497.png - :alt: **Figure 1** Unbinding an EIP - - **Figure 1** Unbinding an EIP - -#. In the displayed dialog box, click **Yes**. - -#. On the **Load Balancers** page, locate the row that contains the load balancer configured for the dedicated WAF instance, click **More** in the **Operation** column, and select **Bind IPv4/6 EIP**. - -#. In the **Bind EIP** dialog box, select the EIP unbound in :ref:`Step 4 ` and click **OK**. - -.. |image1| image:: /_static/images/en-us_image_0000001379820401.jpg -.. |image2| image:: /_static/images/en-us_image_0212852906.png 
diff --git a/umn/source/enabling_waf_protection/index.rst b/umn/source/enabling_waf_protection/index.rst deleted file mode 100644 index a3669f8..0000000 --- a/umn/source/enabling_waf_protection/index.rst +++ /dev/null @@ -1,16 +0,0 @@ -:original_name: waf_01_0070.html - -.. _waf_01_0070: - -Enabling WAF Protection -======================= - -- :ref:`Ports Supported by WAF ` -- :ref:`Connecting a Website to WAF ` - -.. toctree:: - :maxdepth: 1 - :hidden: - - ports_supported_by_waf - connecting_a_website_to_waf/index diff --git a/umn/source/event_management/downloading_events_data.rst b/umn/source/event_management/downloading_events_data.rst index e7a160d..1d9958a 100644 --- a/umn/source/event_management/downloading_events_data.rst +++ b/umn/source/event_management/downloading_events_data.rst 
@@ -40,17 +40,17 @@ Procedure .. table:: **Table 1** Parameter description - +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------+ - | Parameter | Description | - +===================================+=======================================================================================================================+ - | File Name | The format is *file-name*.\ **csv**. | - +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------+ - | Number of Events | Total number of blocked and logged events | - | | | - | | .. note:: | - | | | - | | The maximum number of events in a file is 10,000. If there are more than 10,000 events, another file is generated. | - +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------+ + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------+ + | Parameter | Description | + +===================================+=====================================================================================================================+ + | File Name | The format is *file-name*.\ **csv**. | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------+ + | Number of Events | Total number of blocked and logged events | + | | | + | | .. note:: | + | | | + | | Each file can include a maximum of 5,000 events. If there are more than 5,000 events, another file is generated. | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------+ #. 
In the **Operation** column, click **Download** to download data to the local PC. diff --git a/umn/source/event_management/enabling_lts_for_waf_logging.rst b/umn/source/event_management/enabling_lts_for_waf_logging.rst new file mode 100644 index 0000000..1b91f93 --- /dev/null +++ b/umn/source/event_management/enabling_lts_for_waf_logging.rst 
@@ -0,0 +1,378 @@ +:original_name: waf_01_0172.html + +.. _waf_01_0172: + +Enabling LTS for WAF Logging +============================ + +After you authorize WAF to access Log Tank Service (LTS), you can use the WAF logs recorded by LTS for quick and efficient real-time analysis, device O&M management, and analysis of service trends. + +LTS analyzes and processes a large number of logs. It enables you to process logs in real-time, efficiently, and securely. Logs can be stored in LTS for seven days by default but you can configure LTS for up to 30 days if needed. Logs earlier than 30 days are automatically deleted. However, you can configure LTS to dump those logs to an Object Storage Service (OBS) bucket or enable Data Ingestion Service (DIS) for long-term storage. + +Prerequisites +------------- + +- You have applied for your WAF. +- The website to be protected has been added to WAF. + +Impact on the System +-------------------- + +Enabling LTS for WAF does not affect WAF performance. + +Enabling LTS for WAF Protection Event Logging +--------------------------------------------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane on the left, choose **Events**. + +#. Click the **Configure Logs** tab, enable LTS (|image3|), and select a log group and log stream. :ref:`Table 1 ` describes the parameters. + + + .. figure:: /_static/images/en-us_image_0000001555272665.png + :alt: **Figure 1** Configuring logs + + **Figure 1** Configuring logs + + .. _waf_01_0172__table11535733111515: + + .. 
table:: **Table 1** Log configuration + + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +=======================+=============================================================================================================================+=======================+ + | Log Group | Select a log group or click **View Log Group** to go to the LTS console and create a log group. | lts-group-waf | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Attack Log | Select a log stream or click **View Log Stream** to go to the LTS console and create a log stream. | lts-topic-waf-attack | + | | | | + | | An attack log includes information about event type, protective action, and attack source IP address of each attack. | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Access Log | Select a log stream or click **View Log Stream** to go to the LTS console and create a log stream. | lts-topic-waf-access | + | | | | + | | An access log includes key information about access time, client IP address, and resource URL of each HTTP access requests. | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +#. Click **OK**. + + You can view WAF protection event logs on the LTS console. + +Viewing WAF Protection Event Logs on LTS +---------------------------------------- + +After enabling LTS, perform the following steps to view and analyze WAF logs on the LTS console. + +#. Log in to the management console. +#. 
Click |image4| in the upper left corner of the management console and select a region or project. +#. Click |image5| in the upper left corner of the page and choose **Management & Deployment** > **Log Tank Service**. +#. In the log group list, click |image6| to expand the WAF log group (for example, **lts-group-waf**). +#. View protection event logs. + + - View attack logs. + + a. In the log stream list, click the name of the configured attack log stream. + + b. View attack logs. + + + .. figure:: /_static/images/en-us_image_0000001550850865.png + :alt: **Figure 2** Viewing attack logs + + **Figure 2** Viewing attack logs + + - View access logs. + + a. In the log stream list, click the name of the configured access log stream. + + b. View access logs. + + + .. figure:: /_static/images/en-us_image_0000001499773388.png + :alt: **Figure 3** Viewing access logs + + **Figure 3** Viewing access logs + +WAF access_log Field +-------------------- + ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Field | Type | Field Description | Description | ++=====================================+=================+===================================================================================+===============================================================================================================================================================================================================================+ +| access_log.requestid | string | Random ID | The value is the same as the last eight characters of the **req_id** field in the attack log. 
| ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.time | string | Access time | GMT time a log is generated. | ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.connection_requests | string | Sequence number of the request over the connection | ``-`` | ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.eng_ip | string | IP address of the WAF engine | ``-`` | ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.pid | string | The engine that processes the request | Engine (worker PID). 
| ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.hostid | string | Domain name identifier of the access request. | Protected domain name ID (upstream_id). | ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.tenantid | string | Account ID | Your account. | ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.projectid | string | ID of the project the protected domain name belongs to | Project ID of a user in a specific region. | ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.remote_ip | string | Remote IP address of the request at layer 4 | IP address from which a client request originates. | +| | | | | +| | | | .. 
important:: | +| | | | | +| | | | NOTICE: | +| | | | If a layer-7 proxy is deployed in front of WAF, this field indicates the IP address of the proxy node closest to WAF. The real IP address of the visitor is specified by the **x-forwarded-for** and **x_real_ip** fields. | ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.remote_port | string | Remote port of the request at layer 4 | Port used by the IP address from which a client request originates | ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.sip | string | IP address of the client that sends the request | For example, XFF. 
| ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.scheme | string | Request protocol | Protocols that can be used in the request: | +| | | | | +| | | | - HTTP | +| | | | - HTTPS | ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.response_code | string | Response code | Response status code returned by the origin server to WAF. | ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.method | string | Request method. | Request type in a request line. Generally, the value is **GET** or **POST**. | ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.http_host | string | Domain name of the requested server. 
| Address, domain name, or IP address entered in the address box of a browser. | ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.url | string | Request URL. | Path in a URL (excluding the domain name). | ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.request_length | string | Request length. | The request length includes the access request address, HTTP request header, and number of bytes in the request body. | ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.bytes_send | string | Total number of bytes sent to the client. | Number of bytes sent by WAF to the client. 
| ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.body_bytes_sent | string | Total number of bytes of the response body sent to the client | Number of bytes of the response body sent by WAF to the client | ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.upstream_addr | string | Address of the backend server. | IP address of the origin server for which a request is destined. For example, if WAF forwards requests to an ECS, the IP address of the ECS is returned to this parameter. | ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.request_time | string | Request processing time | Processing time starts when the first byte of the client is read (unit: s). 
| ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.upstream_response_time | string | Backend server response time | Time the backend server responds to the WAF request (unit: s). | ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.upstream_status | string | Backend server response code | Response status code returned by the backend server to WAF. | ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.upstream_connect_time | string | Time elapsed for origin servers to connect to backend servers | Time for the origin server to establish a connection to its backend servers. If the backend service uses an encryption protocol, this parameter includes the handshake time (unit: s). 
| ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.upstream_header_time | string | Time used by the backend server to receive the first byte of the response header. | ``-`` | ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.bind_ip | string | WAF engine back-to-source IP address. | Back-to-source IP address used by the WAF engine. | ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.group_id | string | LTS log group ID | ID of the log group for interconnecting WAF with LTS. | ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.access_stream_id | string | Log stream ID. | ID of **access_stream** of the user in the log group identified by the **group_id** field. 
| ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.engine_id | string | WAF engine ID | Unique ID of the WAF engine. | ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.time_iso8601 | string | ISO 8601 time format of logs. | ``-`` | ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.sni | string | Domain name requested through SNI. | ``-`` | ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.tls_version | string | Protocol version for establishing an SSL connection. | TLS version used in the request. 
| ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.ssl_curves | string | Curve group list supported by the client. | ``-`` | ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.ssl_session_reused | string | SSL session reuse | Whether the SSL session can be reused | +| | | | | +| | | | **r**: Yes | +| | | | | +| | | | **.**: No | ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.process_time | string | Engine attack detection duration (unit: ms) | ``-`` | ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.args | string | The parameter data in the URL | ``-`` | 
++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.x_forwarded_for | string | IP address chain for a proxy when the proxy is deployed in front of WAF. | The sting includes one or more IP addresses. | +| | | | | +| | | | The leftmost IP address is the originating IP address of the client. Each time the proxy server receives a request, it adds the source IP address of the request to the right of the originating IP address. | ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.cdn_src_ip | string | Client IP address identified by CDN when CDN is deployed in front of WAF | This field specifies the real IP address of the client if CDN is deployed in front of WAF. | +| | | | | +| | | | .. important:: | +| | | | | +| | | | NOTICE: | +| | | | Some CDN vendors may use other fields. WAF records only the most common fields. | ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.x_real_ip | string | Real IP address of the client when a proxy is deployed in front of WAF. 
| Real IP address of the client, which is identified by the proxy. | ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.intel_crawler | string | Used for intelligence anti-crawler analysis. | ``-`` | ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.ssl_ciphers_md5 | string | MD5 value of the SSL cipher (ssl_ciphers). | ``-`` | ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.ssl_cipher | string | SSL cipher used. | ``-`` | ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.web_tag | string | Website name. 
| ``-`` | ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.user_agent | string | User agent in the request header. | ``-`` | ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.upstream_response_length | string | Backend server response size. | ``-`` | ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.region_id | string | Region where the request is received. | ``-`` | ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.enterprise_project_id | string | ID of the enterprise project that the requested domain name belongs to. 
| ``-`` | ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.referer | string | Referer content in the request header. | The value can contain a maximum of 128 characters. Characters over 128 characters will be truncated. | ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_log.rule | string | Protection rule that the request matched. | If multiple rules are matched, only one rule is displayed. 
| ++-------------------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +WAF attack_log field description +-------------------------------- + ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| Field | Type | Field Description | Description | ++===================================+======================================================================+=============================================================================+===========================================================================================================+ +| attack_log.category | string | Log category | The value is **attack**. | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.time | string | Log time | ``-`` | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.time_iso8601 | string | ISO 8601 time format of logs. 
| ``-`` | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.policy_id | string | Policy ID | ``-`` | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.level | string | Protection level | Protection level of a built-in rule in basic web protection | +| | | | | +| | | | - **1**: Low | +| | | | - **2**: Medium | +| | | | - **3**: High | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.attack | string | Type of attack | Attack type. This parameter is listed in attack logs only. 
| +| | | | | +| | | | - **default**: default attacks | +| | | | - **sqli**: SQL injections | +| | | | - **xss**: cross-site scripting (XSS) attacks | +| | | | - **webshell**: web shells | +| | | | - **robot**: malicious crawlers | +| | | | - **cmdi**: command injections | +| | | | - **rfi**: remote file inclusion attacks | +| | | | - **lfi**: local file inclusion attacks | +| | | | - **illegal**: unauthorized requests | +| | | | - **vuln**: exploits | +| | | | - **cc**: attacks that hit the CC protection rules | +| | | | - **custom_custom**: attacks that hit a precise protection rule | +| | | | - **custom_whiteblackip**: attacks that hit an IP address blacklist or whitelist rule | +| | | | - **custom_geoip**: attacks that hit a geolocation access control rule | +| | | | - **antitamper**: attacks that hit a web tamper protection rule | +| | | | - **anticrawler**: attacks that hit the JS challenge anti-crawler rule | +| | | | - **leakage**: vulnerabilities that hit an information leakage prevention rule | +| | | | - **antiscan_high_freq_scan**: Attacks that hit malicious scanning rules. | +| | | | - **followed_action**: The source is marked as a known attack source. | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.action | string | Protective action | WAF defense action. | +| | | | | +| | | | - **block**: WAF blocks attacks. | +| | | | - **log**: WAF only logs detected attacks. 
| +| | | | - **captcha**: Verification code | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.sub_type | string | Crawler types | When **attack** is set to **robot**, this parameter cannot be left blank. | +| | | | | +| | | | - **script_tool**: Script tools | +| | | | - **search_engine**: Search engines | +| | | | - **scanner:** Scanning tools | +| | | | - **uncategorized**: Other crawlers | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.rule | string | ID of the triggered rule or the description of the custom policy type. | ``-`` | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.rule_name | string | Description of a custom rule type. | This field is empty when a basic protection rule is matched. 
| ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.location | string | Location triggering the malicious load | ``-`` | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.req_body | sting | Request body. | ``-`` | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.resp_headers | string | Response header | ``-`` | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.hit_data | string | String triggering the malicious load | ``-`` | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.resp_body | string | Response body | ``-`` | 
++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.backend.protocol | string | Backend protocol. | ``-`` | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.backend.alive | string | Backend server status. | ``-`` | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.backend.port | string | Backend server port. | ``-`` | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.backend.host | string | Backend server host value. | ``-`` | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.backend.type | string | Backend server type. | IP address or domain name. 
| ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.backend.weight | number | Backend server weight. | ``-`` | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.status | string | Response status code | ``-`` | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.upstream_status | string | Origin server response code. | ``-`` | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.reqid | string | Random ID | The value consists of the engine IP address suffix, request timestamp, and request ID allocated by Nginx. | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.requestid | string | Unique ID of the request. | Request ID allocated by Nginx. 
| ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.id | string | Attack ID | ID of the attack | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.method | string | Request method | ``-`` | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.sip | string | Client request IP address | ``-`` | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.sport | string | Client request port | ``-`` | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.host | string | Requested domain name | ``-`` | 
++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.http_host | string | Domain name of the requested server. | ``-`` | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.hport | string | Port of the requested server. | ``-`` | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.uri | string | Request URL. | The domain is excluded. | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.header | A JSON string. A JSON table is obtained after the string is decoded. | Request header | ``-`` | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.mutipart | A JSON string. A JSON table is obtained after the string is decoded. | Request multipart header | This parameter is used to upload files. 
| ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.cookie | A JSON string. A JSON table is obtained after the string is decoded. | Cookie of the request | ``-`` | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.params | A JSON string. A JSON table is obtained after the string is decoded. | Params value following the request URI. | ``-`` | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.body_bytes_sent | string | Total number of bytes of the response body sent to the client. | Total number of bytes of the response body sent by WAF to the client. | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.upstream_response_time | string | Backend server response time. 
| ``-`` | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.engine_id | string | Unique ID of the engine | ``-`` | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.region_id | string | ID of the region where the engine is located. | ``-`` | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.engine_ip | string | Engine IP address. | ``-`` | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.process_time | string | Detection duration | ``-`` | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.remote_ip | string | Layer-4 IP address of the client that sends the request. 
| ``-`` | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.x_forwarded_for | string | Content of **X-Forwarded-For** in the request header. | ``-`` | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.cdn_src_ip | string | Content of **Cdn-Src-Ip** in the request header. | ``-`` | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.x_real_ip | string | Content of **X-Real-IP** in the request header. | ``-`` | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.group_id | string | Log group ID | LTS log group ID | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.attack_stream_id | string | Log stream ID | ID of **access_stream** of the user in the log group identified by the **group_id** field. 
| ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.hostid | string | Protected domain name ID (upstream_id). | ``-`` | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.tenantid | string | Account ID | ``-`` | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.projectid | string | ID of the project the protected domain name belongs to | ``-`` | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.enterprise_project_id | string | ID of the enterprise project that the requested domain name belongs to. | ``-`` | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.web_tag | string | Website name. 
| ``-`` | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ +| attack_log.req_body | string | Request body. (If the request body larger than 1 KB, it will be truncated.) | ``-`` | ++-----------------------------------+----------------------------------------------------------------------+-----------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------+ + +.. |image1| image:: /_static/images/en-us_image_0000001482072692.jpg +.. |image2| image:: /_static/images/en-us_image_0000001550676585.png +.. |image3| image:: /_static/images/en-us_image_0000001550677993.png +.. |image4| image:: /_static/images/en-us_image_0000001188007266.jpg +.. |image5| image:: /_static/images/en-us_image_0000001550561697.png +.. |image6| image:: /_static/images/en-us_image_0000001387002182.png diff --git a/umn/source/event_management/handling_false_alarms.rst b/umn/source/event_management/handling_false_alarms.rst index cba0fd1..c7b0c05 100644 --- a/umn/source/event_management/handling_false_alarms.rst +++ b/umn/source/event_management/handling_false_alarms.rst 
@@ -5,7 +5,7 @@ Handling False Alarms ===================== -If you confirm that an attack event on the **Events** page is a false alarm, you can handle the event as false alarm by ignoring the URL and rule ID in basic web protection, or by deleting or disabling the corresponding protection rule you configured. After an attack event is handled as a false alarm, the event will not be displayed on the **Events** page anymore. You will no longer receive any alarm notifications about the event. +If you confirm that an attack event on the **Events** page is a false alarm, you can handle the event as false alarm by ignoring the URL and rule ID in basic web protection, or by deleting or disabling the corresponding protection rule you configured. After an attack event is handled as a false alarm, the event will not be displayed on the **Events** page anymore. WAF detects attacks by using built-in basic web protection rules, built-in features in anti-crawler protection, and custom rules you configured (such as CC attack protection, precise access protection, blacklist, whitelist, and geolocation access control rules). WAF will respond to detected attacks based on the protective actions (such as **Block** and **Log only**) defined in the rules and display attack events on the **Events** page. 
@@ -17,182 +17,148 @@ There is at least one false alarm event in the event list. Constraints ----------- -- Only attack events blocked or recorded by preconfigured basic web protection rules and features in anti-crawler protection can be handled as false alarms. +- Only attack events blocked or recorded by built-in basic web protection rules and features in anti-crawler protection can be handled as false alarms. - For events generated based on custom rules (such as a CC attack protection rule, precise protection rule, blacklist rule, whitelist rule, or geolocation access control rule), they cannot be handled as false alarms. To ignore such an event, delete or disable the custom rule hit by the event. - An attack event can only be handled as a false alarm once. +- The attack event will not be displayed on the **Events** page. Application Scenarios --------------------- Sometimes normal service requests may be blocked by WAF. For example, suppose you deploy a web application on an ECS and then add the public domain name associated with that application to WAF. If you enable basic web protection for that application, WAF may block the access requests that match the basic web protection rules. As a result, the website cannot be accessed through its domain name. However, the website can still be accessed through the IP address. In this case, you can handle the false alarms to allow normal access requests to the application. -Impact on the System --------------------- - -The attack event will not be displayed on the **Events** page. You will no longer receive any alarm notifications about the event. - Procedure --------- #. Log in to the management console. - -#. Click |image1| in the upper left corner of the management console and select a region or project. - -#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. - +#. 
Click |image1| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. #. In the navigation pane on the left, choose **Events**. +#. Click the **Search** tab. In the website or instance drop-down list, select a website to view corresponding event logs. The query time can be **Yesterday**, **Today**, **Past 3 days**, **Past 7 days**, **Past 30 days**, or a time range you configure. +#. In the event list, handle events. -#. Select the **Search** tab. Select a website from the **All protected websites** drop-down list. Then, select **Yesterday**, **Today**, **Past 3 days**, **Past 7 days**, **Past 30 days**, or a custom time range. :ref:`Table 1 ` and :ref:`Table 2 ` describe parameters. + - If you confirm that an event is a false alarm, locate the row containing the event. In the **Operation** column, click **More** > **Handle as False Alarm** and handle the hit rule. - .. figure:: /_static/images/en-us_image_0000001395650509.png - :alt: **Figure 1** Viewing protection events + .. figure:: /_static/images/en-us_image_0000001683743464.png + :alt: **Figure 1** Handling a false alarm - **Figure 1** Viewing protection events + **Figure 1** Handling a false alarm - .. _waf_01_0024__table146358613417: + .. table:: **Table 1** Parameters - .. 
table:: **Table 1** Event parameters + +-------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ + | Parameter | Description | Example Value | + +=========================+====================================================================================================================================================================================================================================================================================+============================================+ + | Scope | - **All domain names**: By default, this rule will be used to all domain names that are protected by the current policy. | Specified domain names | + | | - **Scope**: Specify a domain name range this rule applies to. | | + +-------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ + | Domain Name | This parameter is mandatory when you select **Specified domain names** for **Scope**. | www.example.com | + | | | | + | | Enter a single domain name that matches the wildcard domain name being protected by the current policy. 
| | + +-------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ + | Condition List | Click **Add** to add conditions. At least one condition needs to be added. You can add up to 30 conditions to a protection rule. If more than one condition is added, all of the conditions must be met for the rule to be applied. A condition includes the following parameters: | Path, Include, /product | + | | | | + | | Parameters for configuring a condition are described as follows: | | + | | | | + | | - Field | | + | | - **Subfield**: Configure this field only when **Params**, **Cookie**, or **Header** is selected for **Field**. | | + | | | | + | | .. important:: | | + | | | | + | | NOTICE: | | + | | The length of a subfield cannot exceed 2,048 bytes. Only digits, letters, underscores (_), and hyphens (-) are allowed. | | + | | | | + | | - **Logic**: Select a logical relationship from the drop-down list. | | + | | - **Content**: Enter or select the content that matches the condition. | | + +-------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ + | Ignore WAF Protection | - **All protection**: All WAF rules do not take effect, and WAF allows all request traffic to the domain names in the rule. | Basic Web Protection | + | | - **Basic Web Protection**: You can ignore basic web protection by rule ID, attack type, or all built-in rules. 
For example, if XSS check is not required for a URL, you can whitelist XSS rule. | | + +-------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ + | Ignored Protection Type | If you select **Basic web protection** for **Ignored Protection Type**, specify the following parameters: | Attack type | + | | | | + | | - **ID**: Configure the rule by event ID. | | + | | - **Attack type**: Configure the rule by attack type, such as XSS and SQL injection. One type contains one or more rule IDs. | | + | | - **All built-in rules**: all checks enabled in :ref:`Basic Web Protection `. | | + +-------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ + | ID | This parameter is mandatory when you select **ID** for **Ignored Protection Type**. | 041046 | + | | | | + | | ID of an attack event on the **Events** page. If the event type is **Custom**, it has no event ID. You are advised to handle false alarms on the **Events** page. | | + +-------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ + | Attack type | This parameter is mandatory when you select **Attack type** for **Ignored Protection Type**. 
| SQL injection | + | | | | + | | Select an attack type from the drop-down list box. | | + | | | | + | | WAF can defend against XSS attacks, web shells, SQL injection attacks, malicious crawlers, remote file inclusions, local file inclusions, command injection attacks, and other attacks. | | + +-------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ + | Rule Description | A brief description of the rule. This parameter is optional. | SQL injection attacks are not intercepted. | + +-------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ + | Advanced Settings | To ignore attacks of a specific field, specify the field in the **Advanced Settings** area. After you add the rule, WAF will stop blocking attack events of the specified field. | Params | + | | | | + | | Select a target field from the first drop-down list box on the left. The following fields are supported: **Params**, **Cookie**, **Header**, **Body**, and **Multipart**. | All | + | | | | + | | - If you select **Params**, **Cookie**, or **Header**, you can select **All** or **Specified field** to configure a subfield. | | + | | - If you select **Body** or **Multipart**, you can select **All**. | | + | | - If you select **Cookie**, the **Domain Name** can be empty. | | + | | | | + | | .. note:: | | + | | | | + | | If **All** is selected, WAF will not block all attack events of the selected field. 
| | + +-------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ - +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Parameter | Description | - +===================================+===================================================================================================================================================================================================+ - | Event Type | Type of attack. | - | | | - | | By default, **All** is selected. You can view logs of all attack types or select an attack type to view corresponding attack logs. | - +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Protective Action | The options are **Block**, **Log only**, and **Verification code**. | - +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Source IP Address | Public IP address of the web visitor/attacker | - | | | - | | By default, **All** is selected. You can view logs of all attack source IP addresses, select an attack source IP address, or enter an attack source IP address to view corresponding attack logs. 
| - +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | URL | Attacked URL | - +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Event ID | ID of the event | - +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + - Add the source IP address to an address group. Locate the row containing the desired event, in the **Operation** column, click **More** > **Add to Address Group**. The source IP address triggering the event will be blocked or allowed based on the policy used for the address group. - .. _waf_01_0024__table135241210519: - - .. 
table:: **Table 2** Parameters in the event list - - +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Parameter | Description | Example Value | - +=======================+===========================================================================================================================================================================+=======================+ - | Time | When the attack occurred | 2021/02/04 13:20:04 | - +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Source IP Address | Public IP address of the web visitor/attacker | None | - +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Geolocation | Location where the IP address of the attack originates from | ``-`` | - +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Domain Name | Attacked domain name | www.example.com | - +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | URL | Attacked URL | /admin | - +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Malicious 
Load | The location or part of the attack that causes damage or the number of times that the URL was accessed. | id=1 and 1='1 | - | | | | - | | .. note:: | | - | | | | - | | - In a CC attack, the malicious load indicates the number of times that the URL was accessed. | | - | | - For blacklist protection events, the malicious load is left blank. | | - +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Event Type | Type of attack | SQL injection | - +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Protective Action | Protective actions configured in the rule. The options are **Block**, **Log only**, and **Verification code**. | Block | - | | | | - | | .. note:: | | - | | | | - | | If an access request matches a web tamper protection rule, information leakage prevention rule, or data masking rule, the protective action is marked as **Mismatch**. | | - +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Status Code | HTTP status code returned on the block page. | 418 | - +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - - .. note:: - - To view event details, click **Details** in the **Operation** column of the event list. - -#. After you confirm that an event is a false alarm, click **Handle False Alarm** in the **Operation** column of the row and add a false alarm masking rule. 
:ref:`Table 3 ` describes parameters. + **Add to**: You can select an existing address group or create an address group. - .. figure:: /_static/images/en-us_image_0000001327191500.png - :alt: **Figure 2** Handling a false alarm + .. figure:: /_static/images/en-us_image_0000001683585920.png + :alt: **Figure 2** Add to Address Group - **Figure 2** Handling a false alarm + **Figure 2** Add to Address Group - .. _waf_01_0024__table1623195815237: + - Add the source IP address to a blacklist or whitelist rule of the corresponding protected domain name. Locate the row containing the desired event. In the **Operation** column, click **More** > **Add to Blacklist/Whitelist**. Then, the source IP address will be blocked or allowed based on the protective action configured in the blacklist or whitelist rule. - .. table:: **Table 3** Parameters - +-------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ - | Parameter | Description | Example Value | - +=========================+===========================================================================================================================================================================================================================================================================================================================================================================+============================================+ - | Scope | - **All domain names**: By default, this rule will be used to all domain names that are protected by the current policy. 
| Specified domain names | - | | - **Specified domain names**: This rule will be used to the specified domain names that match the wildcard domain name being protected by the current policy. | | - +-------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ - | Domain Name | This parameter is mandatory when you select **Specified domain names** for **Scope**. | www.example.com | - | | | | - | | Enter a single domain name that matches the wildcard domain name being protected by the current policy. | | - +-------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ - | Condition List | Click **Add** to add conditions. At least one condition needs to be added. You can add up to 30 conditions to a protection rule. If more than one condition is added, all of the conditions must be met for the rule to be applied. A condition includes the following parameters: | Path, Include, /product | - | | | | - | | Parameters for configuring a condition are described as follows: | | - | | | | - | | - Field | | - | | - **Subfield**: Configure this field only when **Params**, **Cookie**, or **Header** is selected for **Field**. | | - | | | | - | | .. 
important:: | | - | | | | - | | NOTICE: | | - | | The length of a subfield cannot exceed 2,048 bytes. Only digits, letters, underscores (_), and hyphens (-) are allowed. | | - | | | | - | | - **Logic**: Select a logical relationship from the drop-down list. | | - | | - **Content**: Enter or select the content that matches the condition. | | - +-------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ - | Ignore WAF Protection | - **All protection**: All WAF rules do not take effect, and WAF allows all request traffic to the domain names in the rule. | Basic Web Protection | - | | - **Basic Web Protection**: You can ignore basic web protection by rule ID, attack type, or all built-in rules. For example, if XSS check is not required for a URL, you can whitelist XSS rule. | | - +-------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ - | Ignored Protection Type | If you select **Basic web protection** for **Ignored Protection Type**, specify the following parameters: | Attack type | - | | | | - | | - **ID**: Configure the rule by event ID. | | - | | - **Attack type**: Configure the rule by attack type, such as XSS and SQL injection. One type contains one or more rule IDs. 
| | - | | - **All built-in rules**: all checks enabled in :ref:`Basic Web Protection `. | | - +-------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ - | ID | This parameter is mandatory when you select **ID** for **Ignored Protection Type**. | 041046 | - | | | | - | | ID of an attack event on the **Events** page. If the event type is **Custom**, it has no event ID. Click **Handle False Alarm** in the row containing the attack event to obtain the ID. You are advised to configure global protection whitelist (formerly false alarm masking) rules on the **Events** page by referring to :ref:`Handling False Alarms `. | | - +-------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ - | Attack type | This parameter is mandatory when you select **Attack type** for **Ignored Protection Type**. | SQL injection | - | | | | - | | Select an attack type from the drop-down list box. | | - | | | | - | | WAF can defend against XSS attacks, web shells, SQL injection attacks, malicious crawlers, remote file inclusions, local file inclusions, command injection attacks, and other attacks. 
| | - +-------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ - | Rule Description | A brief description of the rule. This parameter is optional. | SQL injection attacks are not intercepted. | - +-------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ - | Advanced Settings | To ignore attacks of a specific field, specify the field in the **Advanced Settings** area. After you add the rule, WAF will stop blocking attack events of the specified field. | Params | - | | | | - | | Select a target field from the first drop-down list box on the left. The following fields are supported: **Params**, **Cookie**, **Header**, **Body**, and **Multipart**. | All | - | | | | - | | - If you select **Params**, **Cookie**, or **Header**, you can select **All** or **Specified field** to configure a subfield. | | - | | - If you select **Body** or **Multipart**, you can select **All**. | | - | | - If you select **Cookie**, the **Domain Name** and **Path** can be empty. | | - | | | | - | | .. note:: | | - | | | | - | | If **All** is selected, WAF will not block all attack events of the selected field. 
| | - +-------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------+ + .. figure:: /_static/images/en-us_image_0000001683746324.png + :alt: **Figure 3** Add to Blacklist/Whitelist -#. Click **OK**. + **Figure 3** Add to Blacklist/Whitelist + + .. table:: **Table 2** Parameter + + +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Parameter | Description | + +===================================+=====================================================================================================================================================================================================================================================+ + | Add to | - Existing rule | + | | - New rule | + +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Rule Name | - If you select **Existing rule** for **Add to**, select a rule name from the drop-down list. | + | | - If you select **New rule** for **Add to**, customize a blacklist or whitelist rule. 
| + +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | IP Address/Range/Group | This parameter is mandatory when you select **New rule** for **Add to**. | + | | | + | | You can select **IP address/Range** or **Address Group** to add IP addresses a blacklist or whitelist rule. | + +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Group Name | This parameter is mandatory when you select **Address group** for **IP Address/Range/Group**. | + | | | + | | Select an address group from the drop-down list. | + +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Protective Action | - **Block**: Select **Block** if you want to blacklist an IP address or IP address range. | + | | - **Allow**: Select **Allow** if you want to whitelist an IP address or IP address range. | + | | - **Log only**: Select **Log only** if you want to observe an IP address or IP address range. 
| + +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Known Attack Source | If you select **Block** for **Protective Action**, you can select a blocking type of a known attack source rule. WAF will block requests matching the configured IP address, Cookie, or Params for a length of time configured as part of the rule. | + +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Rule Description | A brief description of the rule. This parameter is optional. | + +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ Verification ------------ -A false alarm will be deleted within about a minute after the handling configuration is done. It will no longer be displayed in the attack event details list. You can refresh the browser cache and request the page for which the false alarm masking rule is configured to check whether the configuration takes effect. +A false alarm will be deleted within about a minute after the handling configuration is done. It will no longer be displayed in the attack event details list. You can refresh the browser cache and request the page for which the global protection whitelist (formerly false alarm masking) rule is configured to check whether the configuration takes effect. 
Other Operations ---------------- -If an event is handled as a false alarm, the rule hit will be added to the global protection whitelist (formerly false alarm masking) rule list. You can go to the **Policies** page and then switch to the **Global Protection Whitelist (Formerly False Alarm Masking)** page to manage the rule, including querying, disabling, deleting, and modifying the rule. For more details, see :ref:`Configuring a Global Protection Whitelist (Formerly False Alarm Masking) Rule `. +If an event is handled as a false alarm, the rule hit will be added to the global protection whitelist (formerly false alarm masking) rule list. You can go to the **Policies** page and then switch to the **Global Protection Whitelist (Formerly False Alarm Masking)** page to manage the rule, including querying, disabling, deleting, and modifying the rule. For more details, see :ref:`Configuring a Global Protection Whitelist (Formerly False Alarm Masking) Rule to Ignore False Alarms `. -.. |image1| image:: /_static/images/en-us_image_0000001493990116.jpg -.. |image2| image:: /_static/images/en-us_image_0000001288106950.png +.. |image1| image:: /_static/images/en-us_image_0000001652007168.png diff --git a/umn/source/event_management/index.rst b/umn/source/event_management/index.rst index 033bb2e..bfe18d3 100644 --- a/umn/source/event_management/index.rst +++ b/umn/source/event_management/index.rst @@ -8,6 +8,7 @@ Event Management - :ref:`Viewing Protection Event Logs ` - :ref:`Handling False Alarms ` - :ref:`Downloading Events Data ` +- :ref:`Enabling LTS for WAF Logging ` .. toctree:: :maxdepth: 1 @@ -16,3 +17,4 @@ Event Management viewing_protection_event_logs handling_false_alarms downloading_events_data + enabling_lts_for_waf_logging diff --git a/umn/source/event_management/viewing_protection_event_logs.rst b/umn/source/event_management/viewing_protection_event_logs.rst index 75cad27..81fbf03 100644 --- a/umn/source/event_management/viewing_protection_event_logs.rst 
+++ b/umn/source/event_management/viewing_protection_event_logs.rst @@ -19,7 +19,9 @@ The website to be protected has been connected to WAF. Constraints ----------- -If the security software installed on your server blocks the event file from being downloaded, close the software and download the file again. +- If the security software installed on your server blocks the event file from being downloaded, close the software and download the file again. +- On the WAF console, you can view the event data for all protected domain names over the last 30 days. You can authorize LTS to log WAF activities so that you can view attack and access logs and store all logs for a long time. For more details, see. :ref:`Enabling LTS for WAF Logging `. +- If you switch the WAF working mode for a website to **Suspended**, WAF only forwards all requests to the website without inspection. It does not log any attack events neither. Procedure --------- 
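Review bot: Two of the added Constraints bullets in viewing_protection_event_logs.rst (hunk @@ -19,7 +19,9 @@) have wording errors that will be published as written: "For more details, see. :ref:`Enabling LTS for WAF Logging `" has a stray period before the role, and "It does not log any attack events neither" is a double negative. Suggest "For more details, see :ref:..." and "It does not log any attack events either." The **Suspended** bullet also describes a state in which requests are forwarded without inspection and nothing is recorded, so consider giving it a `.. important::` block, as the tables in this patch already do for other notices, so that an empty **Events** page in that mode is not read as an absence of attacks.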
@@ -32,35 +34,53 @@ Procedure #. In the navigation pane on the left, choose **Events**. -#. Click the **Search** tab. In the website or instance drop-down list, select a website to view corresponding event logs. The query time can be **Yesterday**, **Today**, **Past 3 days**, **Past 7 days**, **Past 30 days**, or a time range you configure. :ref:`Table 2 ` lists related parameters. +#. Click the **Search** tab. In the website or instance drop-down list, select a website to view corresponding event logs. The query time can be **Yesterday**, **Today**, **Past 3 days**, **Past 7 days**, **Past 30 days**, or a time range you configure. + + - **Events over Time**: displays the WAF protection status of the selected website within the selected time range. + - **Top Tens**: WAF displays top 10 attacks, attacked websites, attack source IP addresses, and attacked URLs for a selected time range. You can click |image3| to copy the data in the corresponding chart. - .. figure:: /_static/images/en-us_image_0000001395650509.png - :alt: **Figure 1** Viewing protection events + .. figure:: /_static/images/en-us_image_0000001683558966.png + :alt: **Figure 1** Events - **Figure 1** Viewing protection events + **Figure 1** Events - .. table:: **Table 1** Event parameters +#. In the **Events** area, view the event details. + + - Configure a filter by combining several conditions. Then, click **OK**. Conditions will be displayed above the event list. :ref:`Table 2 ` lists parameters for filter conditions. + - In the upper left corner of the event list, click **Export** to export events. If the number of events is less than 200, the events are exported to your local PC. If the number of events is greater than or equal to 200, the event record is displayed on the **Downloads** page. You can download the events on the **Downloads** page. + - Click |image4| to select fields you want to display in the event lists. 
+ - To view event details, locate the row containing the event and click **Details** in the **Operation** column. + + + .. figure:: /_static/images/en-us_image_0000001731648345.png + :alt: **Figure 2** Events + + **Figure 2** Events + + .. table:: **Table 1** Search condition fields +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Parameter | Parameters | + | Parameter | Parameter | +===================================+===================================================================================================================================================================================================+ + | Event ID | ID of the event. | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Event Type | Type of the attack. | | | | | | By default, **All** is selected. You can view logs of all attack types or select an attack type to view corresponding attack logs. | +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Rule ID | ID of a built-in protection rule in WAF basic web protection | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Protective Action | The options are **Block**, **Log only**, and **Verification code**. 
| +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Source IP Address | Public IP address of the web visitor/attacker | | | | | | By default, **All** is selected. You can view logs of all attack source IP addresses, select an attack source IP address, or enter an attack source IP address to view corresponding attack logs. | +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | URL | Attacked URL. | - +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Event ID | ID of the event. | + | URL | Attacked URL | +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - .. _waf_01_0156__table17116135085617: + .. _waf_01_0156__table188191012103314: .. table:: **Table 2** Parameters in the event list 
@@ -69,20 +89,13 @@ Procedure +=======================+===========================================================================================================================================================================+=======================+ | Time | When the attack occurred | 2021/02/04 13:20:04 | +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Source IP Address | Public IP address of the web visitor/attacker | None | - +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Geolocation | Location where the IP address of the attack originates from | ``-`` | + | Source IP Address | Public IP address of the web visitor/attacker | ``-`` | +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ | Domain Name | Attacked domain name | www.example.com | +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | URL | Attacked URL | /admin | + | Rule ID | ID of a built-in protection rule in WAF basic web protection | ``-`` | +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Malicious Load | The location or part of the attack that causes damage or the number of times that the URL was accessed. 
| id=1 and 1='1 | - | | | | - | | .. note:: | | - | | | | - | | - In a CC attack, the malicious load indicates the number of times that the URL was accessed. | | - | | - For blacklist protection events, the malicious load is left blank. | | + | URL | Attacked URL | /admin | +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ | Event Type | Type of attack | SQL injection | +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ 
@@ -94,10 +107,17 @@ Procedure +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ | Status Code | HTTP status code returned on the block page. | 418 | +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Malicious Load | The location or part of the attack that causes damage or the number of times that the URL was accessed. | id=1 and 1='1 | + | | | | + | | .. note:: | | + | | | | + | | - In a CC attack, the malicious load indicates the number of times that the URL was accessed. | | + | | - For blacklist protection events, the malicious load is left blank. | | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Enterprise Project | Enterprise project your websites belong to. | default | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - .. note:: - - To view event details, click **Details** in the **Operation** column of the event list. - -.. |image1| image:: /_static/images/en-us_image_0000001493806486.jpg -.. |image2| image:: /_static/images/en-us_image_0000001287947022.png +.. |image1| image:: /_static/images/en-us_image_0000001335953214.jpg +.. |image2| image:: /_static/images/en-us_image_0000001652007168.png +.. |image3| image:: /_static/images/en-us_image_0000001586593518.png +.. |image4| image:: /_static/images/en-us_image_0000001336165028.png 
diff --git a/umn/source/faqs/about_waf/waf_functions/about_waf_protection.rst b/umn/source/faqs/about_waf/waf_functions/about_waf_protection.rst index b0875bc..401da24 100644 --- a/umn/source/faqs/about_waf/waf_functions/about_waf_protection.rst +++ b/umn/source/faqs/about_waf/waf_functions/about_waf_protection.rst 
@@ -10,10 +10,30 @@ What Is a Protection IP Address? A protection IP address in WAF is the IP address of a website you use WAF to protect. +Does Cloud WAF Use Fixed IP Addresses for Domain Resolution? +------------------------------------------------------------ + +After a domain name is added to WAF in cloud mode, WAF randomly assigns a CNAME record to the domain name for domain name resolution. This CNAME record is randomly assigned from the WAF IP address pool and is not fixed. + +Will the CNAME Record Be Changed If the IP Address of the Origin Server Has Been Changed? +----------------------------------------------------------------------------------------- + +If you are using a cloud WAF instance, the CNAME record will not be changed when origin server IP addresses have been changed. + +Do I Need to Add the Domain Name to WAF Again If the Domain Name IP Address Has Been Changed? +--------------------------------------------------------------------------------------------- + +If the IP address of the website does not change, you do not need to reconfigure it in WAF. If the website resolves a new IP address, you need to add it in WAF again. + +Do I Need to Bind an EIP to WAF? +-------------------------------- + +No EIPs are required for cloud WAF instances. Dedicated WAF instances need to work with layer-7 dedicated load balancers. These load balancers need to use EIPs as service addresses. + Does WAF Support Vulnerability Detection? ----------------------------------------- -The basic web protection function of WAF can detect and block threats such as third-party security tool vulnerability attacks. If you enable the scanner item when configuring basic web protection rules, WAF detects scanners and crawlers, such as OpenVAS and Nmap. +WAF enables customizable anti-crawler rules to detect and block threats such as third-party security tool vulnerability attacks. 
If you enable the scanner item when configuring anti-crawler rules, WAF detects scanners and crawlers, such as OpenVAS and Nmap. Does WAF Support Protocols Used in MS Exchange? ----------------------------------------------- @@ -36,3 +56,8 @@ Can WAF Protect All Domain Names Mapped to My Website IP Address If I Have Conne No. In dedicated mode, the origin server IP address can be connected to WAF, and the IP address can be a private or internal IP address. WAF protects only the traffic accessed through the IP address but cannot protect the traffic to the domain name mapped to the IP address. To protect a domain name, connect the domain name to WAF. + +Can WAF Protect Websites in the C/S Architecture? +------------------------------------------------- + +In the C/S architecture, WAF can protect only websites that use the layer-7 HTTP/HTTPS protocol. diff --git a/umn/source/faqs/about_waf/waf_functions/can_i_use_waf_to_check_health_status_of_servers.rst b/umn/source/faqs/about_waf/waf_functions/can_i_use_waf_to_check_health_status_of_servers.rst new file mode 100644 index 0000000..8e9ab56 --- /dev/null +++ b/umn/source/faqs/about_waf/waf_functions/can_i_use_waf_to_check_health_status_of_servers.rst @@ -0,0 +1,8 @@ +:original_name: waf_01_0140.html + +.. _waf_01_0140: + +Can I Use WAF to Check Health Status of Servers? +================================================ + +No. If you want to check health status of servers, the combination of ELB and WAF is recommended for your workloads. After you configure a load balancer in ELB, you can enable health checks for servers and use the EIP of the load balancer as the server IP address to establish connections between servers and WAF. diff --git a/umn/source/faqs/about_waf/waf_functions/can_my_waf_instances_be_automatically_scalable.rst b/umn/source/faqs/about_waf/waf_functions/can_my_waf_instances_be_automatically_scalable.rst new file mode 100644 index 0000000..236264c --- /dev/null 
+++ b/umn/source/faqs/about_waf/waf_functions/can_my_waf_instances_be_automatically_scalable.rst @@ -0,0 +1,8 @@ +:original_name: waf_01_0337.html + +.. _waf_01_0337: + +Can My WAF Instances Be Automatically Scalable? +=============================================== + +No. diff --git a/umn/source/faqs/about_waf/waf_functions/can_waf_defend_against_the_apache_struts2_remote_code_execution_vulnerability_cve-2021-31805.rst b/umn/source/faqs/about_waf/waf_functions/can_waf_defend_against_the_apache_struts2_remote_code_execution_vulnerability_cve-2021-31805.rst index a63721b..f4ad95d 100644 --- a/umn/source/faqs/about_waf/waf_functions/can_waf_defend_against_the_apache_struts2_remote_code_execution_vulnerability_cve-2021-31805.rst +++ b/umn/source/faqs/about_waf/waf_functions/can_waf_defend_against_the_apache_struts2_remote_code_execution_vulnerability_cve-2021-31805.rst @@ -6,3 +6,10 @@ Can WAF Defend Against the Apache Struts2 Remote Code Execution Vulnerability (C =============================================================================================== Yes. WAF basic web protection rules can defend against the Apache Struts2 remote code execution vulnerability (CVE-2021-31805). + +Configuration Procedure +----------------------- + +#. :ref:`Apply for a dedicated WAF instance. `. +#. Add the website domain name to WAF and connect it to WAF. For details, see :ref:`Connecting a Website to WAF (Dedicated Mode) `. +#. In the **Basic Web Protection** configuration area, set **Mode** to **Block**. For details, see :ref:`Configuring Basic Protection Rules to Defend Against Common Web Attacks `. diff --git a/umn/source/faqs/about_waf/waf_functions/does_waf_block_customized_post_requests.rst b/umn/source/faqs/about_waf/waf_functions/does_waf_block_customized_post_requests.rst index 6fe650d..35a54f0 100644 --- a/umn/source/faqs/about_waf/waf_functions/does_waf_block_customized_post_requests.rst 
+++ b/umn/source/faqs/about_waf/waf_functions/does_waf_block_customized_post_requests.rst @@ -10,6 +10,6 @@ No. WAF does not block user-defined POST requests. :ref:`Figure 1 ` - :ref:`Which OSs Does WAF Support? ` - :ref:`Which Layers Does WAF Provide Protection At? ` +- :ref:`Can I Use WAF to Check Health Status of Servers? ` - :ref:`Does WAF Support File Caching? ` - :ref:`About WAF Protection ` - :ref:`Does WAF Support Two-Way SSL Authentication? ` @@ -26,13 +27,15 @@ WAF Functions - :ref:`Does WAF Have the IPS Module? ` - :ref:`Which Web Service Framework Protocols Does WAF Support? ` - :ref:`Can WAF Protect Websites Accessed Through HSTS or NTLM Authentication? ` +- :ref:`Can My WAF Instances Be Automatically Scalable? ` - :ref:`What Are the Differences Between WAF Forwarding and Nginx Forwarding? ` - :ref:`Does WAF Cache Website Data? ` - :ref:`Is WAF a Hardware Firewall or a Software Firewall? ` - :ref:`Is There Any Impact on Origin Servers If I Enable HTTP/2 in WAF? ` -- :ref:`How Does WAF Detect SQL Injection and XSS Attacks? ` +- :ref:`How Does WAF Detect SQL Injection, XSS, and PHP Injection Attacks? ` - :ref:`Can WAF Defend Against the Apache Struts2 Remote Code Execution Vulnerability (CVE-2021-31805)? ` - :ref:`Does a Dedicated WAF Instance Support Cross-VPC Protection? ` +- :ref:`What Are the Restrictions on Load Balancers Configured for Dedicated WAF Instances? ` .. toctree:: :maxdepth: 1 @@ -42,6 +45,7 @@ WAF Functions what_objects_does_waf_protect which_oss_does_waf_support which_layers_does_waf_provide_protection_at + can_i_use_waf_to_check_health_status_of_servers does_waf_support_file_caching about_waf_protection does_waf_support_two-way_ssl_authentication 
@@ -59,10 +63,12 @@ WAF Functions does_waf_have_the_ips_module which_web_service_framework_protocols_does_waf_support can_waf_protect_websites_accessed_through_hsts_or_ntlm_authentication + can_my_waf_instances_be_automatically_scalable what_are_the_differences_between_waf_forwarding_and_nginx_forwarding does_waf_cache_website_data is_waf_a_hardware_firewall_or_a_software_firewall is_there_any_impact_on_origin_servers_if_i_enable_http_2_in_waf - how_does_waf_detect_sql_injection_and_xss_attacks + how_does_waf_detect_sql_injection_xss_and_php_injection_attacks can_waf_defend_against_the_apache_struts2_remote_code_execution_vulnerability_cve-2021-31805 does_a_dedicated_waf_instance_support_cross-vpc_protection + what_are_the_restrictions_on_load_balancers_configured_for_dedicated_waf_instances diff --git a/umn/source/faqs/about_waf/waf_functions/is_there_any_impact_on_origin_servers_if_i_enable_http_2_in_waf.rst b/umn/source/faqs/about_waf/waf_functions/is_there_any_impact_on_origin_servers_if_i_enable_http_2_in_waf.rst index 901d9b9..8620247 100644 --- a/umn/source/faqs/about_waf/waf_functions/is_there_any_impact_on_origin_servers_if_i_enable_http_2_in_waf.rst +++ b/umn/source/faqs/about_waf/waf_functions/is_there_any_impact_on_origin_servers_if_i_enable_http_2_in_waf.rst 
@@ -5,4 +5,4 @@ Is There Any Impact on Origin Servers If I Enable HTTP/2 in WAF? ================================================================ -Yes. HTTP/2 is not supported between WAF and the origin server. This means if you enable HTTP/2 in WAF, WAF can process HTTP/2 requests from clients, but WAF can only forward the requests to origin server using HTTP 1.0/1.1. Therefore, service bandwidth of origin servers may rise as multiplexing in HTTP/2 may become invalid for origin servers. +Yes. HTTP/2 is not supported between WAF and the origin server. This means if you enable HTTP/2 in WAF, WAF can process HTTP/2 requests from clients, but WAF can only forward the requests to origin server using HTTP 1.0/1.1. In this situation, the origin server request traffic may rise as multiplexing in HTTP/2 may become invalid for origin servers. diff --git a/umn/source/faqs/about_waf/waf_functions/what_are_the_restrictions_on_load_balancers_configured_for_dedicated_waf_instances.rst b/umn/source/faqs/about_waf/waf_functions/what_are_the_restrictions_on_load_balancers_configured_for_dedicated_waf_instances.rst new file mode 100644 index 0000000..a20a4ea --- /dev/null +++ b/umn/source/faqs/about_waf/waf_functions/what_are_the_restrictions_on_load_balancers_configured_for_dedicated_waf_instances.rst @@ -0,0 +1,12 @@ +:original_name: waf_01_0461.html + +.. _waf_01_0461: + +What Are the Restrictions on Load Balancers Configured for Dedicated WAF Instances? +=================================================================================== + +Only dedicated layer-7 load balancers can be used for dedicated WAF instances. + +.. note:: + + Dedicated WAF instances issued before April 2023 cannot be used with dedicated network load balancers. If you use a dedicated network load balancer, ensure that your dedicated WAF instance has been upgraded to the latest version (which issued after April 2023). 
diff --git a/umn/source/faqs/about_waf/waf_usage/does_gzip_on_the_origin_server_affect_waf.rst b/umn/source/faqs/about_waf/waf_usage/does_gzip_on_the_origin_server_affect_waf.rst new file mode 100644 index 0000000..3df257d --- /dev/null +++ b/umn/source/faqs/about_waf/waf_usage/does_gzip_on_the_origin_server_affect_waf.rst @@ -0,0 +1,8 @@ +:original_name: waf_01_0365.html + +.. _waf_01_0365: + +Does gzip on the Origin Server Affect WAF? +========================================== + +If gzip is enabled on the origin server, WAF may incorrectly block normal access requests from the origin server. If the blocked request is a normal access request, you can handle the event as a false alarm by referring to :ref:`Handling False Alarms `. After an event is handled as a false alarm, WAF stops blocking corresponding type of event. No such type of event will be displayed on the **Events** page and you will no longer receive alarm notifications accordingly. diff --git a/umn/source/faqs/about_waf/waf_usage/does_waf_support_custom_authorization_policies.rst b/umn/source/faqs/about_waf/waf_usage/does_waf_support_custom_authorization_policies.rst new file mode 100644 index 0000000..cfd2425 --- /dev/null +++ b/umn/source/faqs/about_waf/waf_usage/does_waf_support_custom_authorization_policies.rst @@ -0,0 +1,12 @@ +:original_name: waf_01_0192.html + +.. _waf_01_0192: + +Does WAF Support Custom Authorization Policies? +=============================================== + +WAF supports custom authorization policies. With IAM, you can: + +- Create IAM users for employees based on the organizational structure of your enterprise. Each IAM user has their own security credentials, providing access to WAF resources. +- Grant only the permissions required for users to perform a task. +- Entrust an account or cloud service to perform professional and efficient O&M on your WAF resources. 
diff --git a/umn/source/faqs/about_waf/waf_usage/how_is_the_load_balanced_when_multiple_origin_servers_are_configured_in_waf.rst b/umn/source/faqs/about_waf/waf_usage/how_is_the_load_balanced_when_multiple_origin_servers_are_configured_in_waf.rst new file mode 100644 index 0000000..d25977b --- /dev/null +++ b/umn/source/faqs/about_waf/waf_usage/how_is_the_load_balanced_when_multiple_origin_servers_are_configured_in_waf.rst @@ -0,0 +1,8 @@ +:original_name: waf_01_0468.html + +.. _waf_01_0468: + +How Is the Load Balanced When Multiple Origin Servers Are Configured in WAF? +============================================================================ + +If you have configured multiple origin server IP addresses, WAF uses the weighted round robin algorithm to distribute access requests by default. You can also customize a load balancing algorithm as required. diff --git a/umn/source/faqs/about_waf/waf_usage/index.rst b/umn/source/faqs/about_waf/waf_usage/index.rst index 50bd403..0a74a32 100644 --- a/umn/source/faqs/about_waf/waf_usage/index.rst +++ b/umn/source/faqs/about_waf/waf_usage/index.rst 
@@ -13,13 +13,16 @@ WAF Usage - :ref:`What Is the Difference Between QPS and the Number of Requests? ` - :ref:`What Are Concurrent Requests? ` - :ref:`Can WAF Block Requests When a Certificate Is Mounted on ELB? ` +- :ref:`Does WAF Support Custom Authorization Policies? ` - :ref:`Does WAF Affect My Existing Workloads and Server Running? ` - :ref:`How Do I Configure My Server to Allow Only Requests from WAF? ` - :ref:`Why Do Cookies Contain the HWWAFSESID or HWWAFSESTIME field? ` - :ref:`How Do I Configure WAF If a Reverse Proxy Server Is Deployed for My Website? ` - :ref:`How Does WAF Forward Access Requests When Both a Wildcard Domain Name and a Single Domain Name Are Connected to WAF? ` +- :ref:`Does gzip on the Origin Server Affect WAF? ` - :ref:`Does WAF Affect Data Transmission from the Internal Network to an External Network? ` - :ref:`Do I Need to Make Some Changes in WAF If the Security Group for Origin Server (Address) Is Changed? ` +- :ref:`How Is the Load Balanced When Multiple Origin Servers Are Configured in WAF? ` .. toctree:: :maxdepth: 1 @@ -33,10 +36,13 @@ WAF Usage what_is_the_difference_between_qps_and_the_number_of_requests what_are_concurrent_requests can_waf_block_requests_when_a_certificate_is_mounted_on_elb + does_waf_support_custom_authorization_policies does_waf_affect_my_existing_workloads_and_server_running how_do_i_configure_my_server_to_allow_only_requests_from_waf why_do_cookies_contain_the_hwwafsesid_or_hwwafsestime_field how_do_i_configure_waf_if_a_reverse_proxy_server_is_deployed_for_my_website how_does_waf_forward_access_requests_when_both_a_wildcard_domain_name_and_a_single_domain_name_are_connected_to_waf + does_gzip_on_the_origin_server_affect_waf does_waf_affect_data_transmission_from_the_internal_network_to_an_external_network do_i_need_to_make_some_changes_in_waf_if_the_security_group_for_origin_server_address_is_changed + how_is_the_load_balanced_when_multiple_origin_servers_are_configured_in_waf 
diff --git a/umn/source/faqs/about_waf/waf_usage/what_is_the_difference_between_qps_and_the_number_of_requests.rst b/umn/source/faqs/about_waf/waf_usage/what_is_the_difference_between_qps_and_the_number_of_requests.rst index 0667eda..dd8444e 100644 --- a/umn/source/faqs/about_waf/waf_usage/what_is_the_difference_between_qps_and_the_number_of_requests.rst +++ b/umn/source/faqs/about_waf/waf_usage/what_is_the_difference_between_qps_and_the_number_of_requests.rst @@ -19,14 +19,14 @@ For details about QPS on the **Dashboard** page, see :ref:`Table 1 ` +- :ref:`Service Request/Specification ` - :ref:`Website Domain Name Access Configuration ` - :ref:`Service Interruption Check ` - :ref:`Protection Rule Configuration ` @@ -15,6 +16,7 @@ FAQs :hidden: about_waf/index + service_request_specification/index website_domain_name_access_configuration/index service_interruption_check/index protection_rule_configuration/index diff --git a/umn/source/faqs/protection_rule_configuration/basic_web_protection/how_do_i_switch_the_mode_of_basic_web_protection_from_log_only_to_block.rst b/umn/source/faqs/protection_rule_configuration/basic_web_protection/how_do_i_switch_the_mode_of_basic_web_protection_from_log_only_to_block.rst index fce9957..5418f6d 100644 --- a/umn/source/faqs/protection_rule_configuration/basic_web_protection/how_do_i_switch_the_mode_of_basic_web_protection_from_log_only_to_block.rst +++ b/umn/source/faqs/protection_rule_configuration/basic_web_protection/how_do_i_switch_the_mode_of_basic_web_protection_from_log_only_to_block.rst 
@@ -12,8 +12,8 @@ Perform the following operations: #. Log in to the management console. #. Click |image1| in the upper left corner of the management console and select a region or project. #. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. -#. In the navigation pane, choose **Website Settings**. -#. In the **Policy** column of the row containing the target website, click the number to go to the policy configuration page. +#. In the navigation pane on the left, choose **Policies**. +#. Click the name of the target policy to go to the protection configuration page. #. In the **Basic Web Protection** configuration area, set **Mode** to **Block**. .. important:: diff --git a/umn/source/faqs/protection_rule_configuration/cc_attack_protection_rules/how_do_i_configure_a_cc_attack_protection_rule.rst b/umn/source/faqs/protection_rule_configuration/cc_attack_protection_rules/how_do_i_configure_a_cc_attack_protection_rule.rst index c8d795e..a9b3144 100644 --- a/umn/source/faqs/protection_rule_configuration/cc_attack_protection_rules/how_do_i_configure_a_cc_attack_protection_rule.rst +++ b/umn/source/faqs/protection_rule_configuration/cc_attack_protection_rules/how_do_i_configure_a_cc_attack_protection_rule.rst @@ -13,4 +13,4 @@ WAF provides the following settings for a CC attack protection rule: - Identification of web visitors based on the IP address, cookie, or referer field. - Action when the maximum limit is reached, such as **Block** or **Verification code** -For details, see :ref:`Configuring a CC Attack Protection Rule `. +For details, see :ref:`Configuring a CC Attack Protection Rule `. diff --git a/umn/source/faqs/protection_rule_configuration/cc_attack_protection_rules/index.rst b/umn/source/faqs/protection_rule_configuration/cc_attack_protection_rules/index.rst index 89b2535..2e8e67b 100644 --- a/umn/source/faqs/protection_rule_configuration/cc_attack_protection_rules/index.rst 
+++ b/umn/source/faqs/protection_rule_configuration/cc_attack_protection_rules/index.rst @@ -5,6 +5,7 @@ CC Attack Protection Rules ========================== +- :ref:`What Is the Peak Rate of CC Attack Protection? ` - :ref:`How Do I Configure a CC Attack Protection Rule? ` - :ref:`When Is Cookie Used to Identify Users? ` @@ -12,5 +13,6 @@ CC Attack Protection Rules :maxdepth: 1 :hidden: + what_is_the_peak_rate_of_cc_attack_protection how_do_i_configure_a_cc_attack_protection_rule when_is_cookie_used_to_identify_users diff --git a/umn/source/faqs/protection_rule_configuration/cc_attack_protection_rules/what_is_the_peak_rate_of_cc_attack_protection.rst b/umn/source/faqs/protection_rule_configuration/cc_attack_protection_rules/what_is_the_peak_rate_of_cc_attack_protection.rst new file mode 100644 index 0000000..ba5e692 --- /dev/null +++ b/umn/source/faqs/protection_rule_configuration/cc_attack_protection_rules/what_is_the_peak_rate_of_cc_attack_protection.rst 
@@ -0,0 +1,45 @@ +:original_name: waf_01_0425.html + +.. _waf_01_0425: + +What Is the Peak Rate of CC Attack Protection? +============================================== + +It depends on the WAF edition you are using. For details, see :ref:`Table 1 `. + +.. _waf_01_0425__en-us_topic_0110861186_table15136121131817: + +.. table:: **Table 1** Applicable service scales + + +--------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Service Scale | Dedicated Mode | + +======================================+==========================================================================================================================================================================================================+ + | Peak rate of normal service requests | The following lists the specifications of a single instance. | + | | | + | | - Specifications: WI-500. Referenced performance: | + | | | + | | - HTTP services - Recommended QPS: 5,000. Maximum QPS: 10,000. | + | | - HTTPS services - Recommended QPS: 4,000. Maximum QPS: 8,000. | + | | - WebSocket service - Maximum concurrent connections: 5,000 | + | | - Maximum WAF-to-server persistent connections: 60,000 | + | | | + | | - Specifications: WI-100. Referenced performance: | + | | | + | | - HTTP services - Recommended QPS: 1,000. Maximum QPS: 2,000. | + | | - HTTPS services - Recommended QPS: 800. Maximum QPS: 1,600 | + | | - WebSocket service - Maximum concurrent connections: 1,000 | + | | - Maximum WAF-to-server persistent connections: 60,000 | + | | | + | | .. important:: | + | | | + | | NOTICE: | + | | Maximum QPS values are for reference only. They may vary depending on your businesses. The real-world QPS is related to the request size and the type and quantity of protection rules you customize. 
| + +--------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Peak rate of CC attack protection | - Specifications: WI-500. Referenced performance: | + | | | + | | Maximum QPS: 20,000 | + | | | + | | - Specifications: WI-100. Referenced performance: | + | | | + | | Maximum QPS: 4,000 | + +--------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ diff --git a/umn/source/faqs/protection_rule_configuration/others/how_do_i_allow_only_specified_ip_addresses_to_access_protected_websites.rst b/umn/source/faqs/protection_rule_configuration/others/how_do_i_allow_only_specified_ip_addresses_to_access_protected_websites.rst new file mode 100644 index 0000000..1729aa0 --- /dev/null +++ b/umn/source/faqs/protection_rule_configuration/others/how_do_i_allow_only_specified_ip_addresses_to_access_protected_websites.rst 
@@ -0,0 +1,121 @@ +:original_name: waf_01_0312.html + +.. _waf_01_0312: + +How Do I Allow Only Specified IP Addresses to Access Protected Websites? +======================================================================== + +After you add the website to WAF, configure blacklist and whitelist rules or precise protection rules to allow only specified IP addresses to access the website. WAF then blocks all source IP addresses except the specified ones. + +Configuring IP Address Blacklist and Whitelist Rules to Block All Source IP Addresses Except the Specified Ones +--------------------------------------------------------------------------------------------------------------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. Click |image3| in the upper left corner and choose **Web Application Firewall** under **Security**. + +#. In the navigation pane on the left, choose **Policies**. + +#. Click the name of the target policy to go to the protection configuration page. + +#. In the **Blacklist and Whitelist** configuration area, enable the protection. :ref:`Figure 1 ` shows an example. + + .. _waf_01_0312__fig0358162863015: + + .. figure:: /_static/images/en-us_image_0000001338300589.png + :alt: **Figure 1** Blacklist and Whitelist configuration area + + **Figure 1** Blacklist and Whitelist configuration area + +#. Click **Customize Rule**. On the displayed page, click **Add Rule** in the upper left corner. + +#. In the **Add Blacklist or Whitelist Rule** dialog box, add two blacklist rules to block all source IP addresses. + + + .. figure:: /_static/images/en-us_image_0000001684030226.png + :alt: **Figure 2** Blocking IP address range 1.0.0.0/1 + + **Figure 2** Blocking IP address range 1.0.0.0/1 + + + .. 
figure:: /_static/images/en-us_image_0000001732030241.png + :alt: **Figure 3** Blocking IP address range 128.0.0.0/1 + + **Figure 3** Blocking IP address range 128.0.0.0/1 + +#. Click **Add Rule**. In the displayed **Add Blacklist or Whitelist Rule** dialog box, add a rule for the specified IP address or IP address range. + + For example, if you want to allow *XXX.XX.2.3* to access your website, add a protection rule as shown in :ref:`Figure 4 `. + + .. _waf_01_0312__fig444873511498: + + .. figure:: /_static/images/en-us_image_0000001732035733.png + :alt: **Figure 4** Allowing the access of a specified IP address + + **Figure 4** Allowing the access of a specified IP address + +Configuring a Precise Protection Rule to Block All Source IP Addresses Except the Specified Ones +------------------------------------------------------------------------------------------------ + +#. Log in to the management console. + +#. Click |image4| in the upper left corner of the management console and select a region or project. + +#. Click |image5| in the upper left corner and choose **Web Application Firewall** under **Security**. + +#. In the navigation pane on the left, choose **Policies**. + +#. Click the name of the target policy to go to the protection configuration page. + +#. In the **Precise Protection** configuration area, enable the protection. :ref:`Figure 5 ` shows an example. + + .. _waf_01_0312__fig275911394277: + + .. figure:: /_static/images/en-us_image_0000001337808105.png + :alt: **Figure 5** Precise Protection configuration area + + **Figure 5** Precise Protection configuration area + +#. Click **Customize Rule**. In the upper left corner of the displayed page, click **Add Rule**. + +#. .. _waf_01_0312__li123452332541: + + In the displayed **Add Precise Protection Rule** dialog box, add a protection rule as shown in :ref:`Figure 6 ` to block all requests. + + .. 
caution:: + + The priority value here must be greater than that configured in :ref:`Step 9 ` because allowing access has a higher priority than blocking access and a smaller priority value indicates a higher priority. + + .. _waf_01_0312__fig163451833195414: + + .. figure:: /_static/images/en-us_image_0000001732020137.png + :alt: **Figure 6** Blocking all requests + + **Figure 6** Blocking all requests + +#. .. _waf_01_0312__li15907173419260: + + Click **Add Rule**. In the displayed **Add Precise Protection Rule** dialog box, add a rule for the specified IP address. + + For example, if you want to allow 192.168.2.3 to access the website, add a protection rule as shown in :ref:`Figure 7 `. + + .. caution:: + + The priority value here must be smaller than that configured in :ref:`Step 8 ` because allowing access has a higher priority than blocking access and a smaller priority value indicates a higher priority. + + .. _waf_01_0312__fig18908103413269: + + .. figure:: /_static/images/en-us_image_0000001684022218.png + :alt: **Figure 7** Allowing the access of a specified IP address + + **Figure 7** Allowing the access of a specified IP address + +.. |image1| image:: /_static/images/en-us_image_0000001483011470.jpg +.. |image2| image:: /_static/images/en-us_image_0000001572891172.png +.. |image3| image:: /_static/images/en-us_image_0000001730827877.png +.. |image4| image:: /_static/images/en-us_image_0000001482832030.jpg +.. |image5| image:: /_static/images/en-us_image_0000001682988666.png diff --git a/umn/source/faqs/protection_rule_configuration/others/how_do_i_allow_requests_from_only_ip_addresses_in_a_specified_geographical_region.rst b/umn/source/faqs/protection_rule_configuration/others/how_do_i_allow_requests_from_only_ip_addresses_in_a_specified_geographical_region.rst new file mode 100644 index 0000000..bf3ff27 --- /dev/null 
+++ b/umn/source/faqs/protection_rule_configuration/others/how_do_i_allow_requests_from_only_ip_addresses_in_a_specified_geographical_region.rst @@ -0,0 +1,28 @@ +:original_name: waf_01_0215.html + +.. _waf_01_0215: + +How Do I Allow Requests from Only IP Addresses in a Specified Geographical Region? +================================================================================== + +If you allow only IP addresses in a region to access the protected domain name, for example, only IP addresses from **Australia** can access the protected domain name, take the following steps: + +.. note:: + + Geolocation access control rules have higher priority than built-in WAF rules. If you configure a geolocation access control rule to allow IP addresses from a certain location, WAF then forwards traffic from those IP addresses without performing basic web protection checks. + +#. Add a geolocation access control rule: Select **Australia** for **Geolocation** and select **Allow** for **Protective Action**. + + + .. figure:: /_static/images/en-us_image_0000001732089213.png + :alt: **Figure 1** Selecting Allow for Protective Action + + **Figure 1** Selecting Allow for Protective Action + +#. Configure a precise protection rule to block all requests. + + + .. figure:: /_static/images/en-us_image_0000001684033930.png + :alt: **Figure 2** Blocking all access requests + + **Figure 2** Blocking all access requests diff --git a/umn/source/faqs/protection_rule_configuration/others/index.rst b/umn/source/faqs/protection_rule_configuration/others/index.rst index f241816..1495e74 100644 --- a/umn/source/faqs/protection_rule_configuration/others/index.rst +++ b/umn/source/faqs/protection_rule_configuration/others/index.rst 
@@ -7,8 +7,11 @@ Others - :ref:`In Which Situations Will the WAF Policies Fail? ` - :ref:`Is the Path of a WAF Protection Rule Case-sensitive? ` -- :ref:`What Protection Rules Does WAF Support? ` +- :ref:`How Do I Allow Requests from Only IP Addresses in a Specified Geographical Region? ` +- :ref:`What Working Modes and Protection Mechanisms Does WAF Have? ` +- :ref:`What Types of Protection Rules Does WAF Support? ` - :ref:`Which of the WAF Protection Rules Support the Log-Only Protective Action? ` +- :ref:`How Do I Allow Only Specified IP Addresses to Access Protected Websites? ` - :ref:`Why Does the Page Fail to Be Refreshed After WTP Is Enabled? ` - :ref:`What Are the Differences Between Blacklist/Whitelist Rules and Precise Protection Rules on Blocking Access Requests from Specified IP Addresses? ` - :ref:`What Do I Do If a Scanner, such as AppScan, Detects that the Cookie Is Missing Secure or HttpOnly? ` @@ -19,8 +22,11 @@ Others in_which_situations_will_the_waf_policies_fail is_the_path_of_a_waf_protection_rule_case-sensitive - what_protection_rules_does_waf_support + how_do_i_allow_requests_from_only_ip_addresses_in_a_specified_geographical_region + what_working_modes_and_protection_mechanisms_does_waf_have + what_types_of_protection_rules_does_waf_support which_of_the_waf_protection_rules_support_the_log-only_protective_action + how_do_i_allow_only_specified_ip_addresses_to_access_protected_websites why_does_the_page_fail_to_be_refreshed_after_wtp_is_enabled what_are_the_differences_between_blacklist_whitelist_rules_and_precise_protection_rules_on_blocking_access_requests_from_specified_ip_addresses what_do_i_do_if_a_scanner_such_as_appscan_detects_that_the_cookie_is_missing_secure_or_httponly 
diff --git a/umn/source/faqs/protection_rule_configuration/others/what_are_the_differences_between_blacklist_whitelist_rules_and_precise_protection_rules_on_blocking_access_requests_from_specified_ip_addresses.rst b/umn/source/faqs/protection_rule_configuration/others/what_are_the_differences_between_blacklist_whitelist_rules_and_precise_protection_rules_on_blocking_access_requests_from_specified_ip_addresses.rst index 99fa350..180d659 100644 --- a/umn/source/faqs/protection_rule_configuration/others/what_are_the_differences_between_blacklist_whitelist_rules_and_precise_protection_rules_on_blocking_access_requests_from_specified_ip_addresses.rst +++ b/umn/source/faqs/protection_rule_configuration/others/what_are_the_differences_between_blacklist_whitelist_rules_and_precise_protection_rules_on_blocking_access_requests_from_specified_ip_addresses.rst 
@@ -11,12 +11,12 @@ Both of them can block access requests from specified IP addresses. :ref:`Table .. table:: **Table 1** Differences between blacklist and whitelist rules and precise protection rules - +-------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Protection Rules | Protection | WAF Inspection Sequence | - +===============================+===========================================================================================================================================================================================================+======================================================================================================================================================+ - | Blacklist and whitelist rules | This type or rules can block, log only, or allow access requests from a specified IP address or IP address range. | Blacklist and whitelist rules have the highest priority. | - | | | | - | | | WAF filters access requests based on the protection rules and the triggering sequence. For details, see :ref:`Configuration Guidance `. 
| - +-------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Precise protection rules | You can combine common HTTP fields, such as **IP**, **Path**, **Referer**, **User Agent**, and **Params** in a protection rule to let WAF allow or block the requests that match the combined conditions. | Precise protection rules have lower priority compared with blacklist and whitelist rules. | - +-------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+ + +-------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------+ + | Protection Rules | Protection | WAF Inspection Sequence | + +===============================+===========================================================================================================================================================================================================+===========================================================================================+ + | Blacklist and whitelist rules | This type or rules can block, log only, or allow access requests from a specified IP address or IP address range. 
| Blacklist and whitelist rules have the highest priority. | + | | | | + | | | WAF checks access requests based on the protection rules and the triggering sequence. | + +-------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------+ + | Precise protection rules | You can combine common HTTP fields, such as **IP**, **Path**, **Referer**, **User Agent**, and **Params** in a protection rule to let WAF allow or block the requests that match the combined conditions. | Precise protection rules have lower priority compared with blacklist and whitelist rules. | + +-------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------+ diff --git a/umn/source/faqs/protection_rule_configuration/others/what_protection_rules_does_waf_support.rst b/umn/source/faqs/protection_rule_configuration/others/what_protection_rules_does_waf_support.rst deleted file mode 100644 index 1df4017..0000000 --- a/umn/source/faqs/protection_rule_configuration/others/what_protection_rules_does_waf_support.rst +++ /dev/null 
@@ -1,48 +0,0 @@ -:original_name: waf_01_0028.html - -.. _waf_01_0028: - -What Protection Rules Does WAF Support? -======================================= - -The protection rules supported by WAF are described below. - -- Basic Web Protection - - WAF can defend against common web attacks, such as SQL injection, XSS, web shells, and Trojans in HTTP upload channels. Once these functions are enabled, protection takes effect immediately. - -- CC Attack Protection - - Flexible rate limiting policies can be set based on the IP addresses, cookies, or Referer field, mitigating CC attacks. - -- Precise Protection - - Common HTTP fields can be combined to customize protection policies, such as CSRF protection. With user-defined rules, WAF can accurately detect malicious requests and protect sensitive information in websites. - -- Blacklist and Whitelist - - Blacklist or whitelist rules allow you to block or allow specific IP addresses or address ranges, improving defense accuracy. - -- Geolocation Access Control - - Geolocation access control rules allow you to customize access control based on the source IP addresses. - -- Web Tamper Protection - - Cache configuration is performed on static web pages. When a user accesses a web page, the system returns a cached page to the user and randomly checks whether the page is tampered with. - -- Anti-crawler Protection - - This function dynamically analyzes website service models and accurately identifies crawler behavior based on data risk control and bot identification systems, such as JS Challenge. - -- Global Protection Whitelist (Formerly False Alarm Masking) - - This function ignores certain attack detection rules for specific requests. - -- Data Masking - - Data masking prevents such data as passwords from being displayed in event logs. - -- Information Leakage Prevention - - WAF prevents user's sensitive information on web pages from being disclosed, such as ID numbers, phone numbers, and email addresses. 
diff --git a/umn/source/faqs/protection_rule_configuration/others/what_types_of_protection_rules_does_waf_support.rst b/umn/source/faqs/protection_rule_configuration/others/what_types_of_protection_rules_does_waf_support.rst new file mode 100644 index 0000000..9b105b6 --- /dev/null +++ b/umn/source/faqs/protection_rule_configuration/others/what_types_of_protection_rules_does_waf_support.rst 
@@ -0,0 +1,41 @@ +:original_name: waf_01_0028.html + +.. _waf_01_0028: + +What Types of Protection Rules Does WAF Support? +================================================ + +:ref:`Table 1 ` lists all protection rules you can use in WAF. + +.. _waf_01_0028__table195788527221: + +.. table:: **Table 1** Configurable protection rules + + +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Protection Rule | Description | + +==================================================================+====================================================================================================================================================================================================================+ + | Basic web protection rules | With an extensive reputation database, WAF defends against Open Web Application Security Project (OWASP) top 10 threats, and detects and blocks threats, such as malicious scanners, IP addresses, and web shells. | + +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | CC attack protection rules | CC attack protection rules can be customized to restrict access to a specific URL on your website based on a unique IP address, cookie, or referer field, mitigating CC attacks. 
| + +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Precise protection rules | WAF allows you to customize protection rules by combining HTTP headers, cookies, URLs, request parameters, and client IP addresses. | + +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Blacklist and whitelist rules | You can configure blacklist and whitelist rules to block, log only, or allow access requests from specified IP addresses. | + +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Known attack source rules | These rules can block the IP addresses from which blocked malicious requests originate. These rules are dependent on other rules. | + +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Geolocation access control rules | You can customize these rules to allow or block requests from a specific country or region. 
| + +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Web tamper protection rules | You can configure these rules to prevent a static web page from being tampered with. | + +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Website anti-crawler protection | This function dynamically analyzes website service models and accurately identifies crawler behavior based on data risk control and bot identification systems, such as JS Challenge. | + +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Information leakage prevention rules | You can add two types of information leakage prevention rules. | + | | | + | | - Sensitive information filtering: prevents disclosure of sensitive information (such as ID numbers, phone numbers, and email addresses). | + | | - Response code interception: blocks the specified HTTP status codes. | + +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Global protection whitelist (formerly false alarm masking) rules | This function ignores certain attack detection rules for specific requests. 
| + +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Data masking rules | You can configure data masking rules to prevent sensitive data such as passwords from being displayed in event logs. | + +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ diff --git a/umn/source/faqs/protection_rule_configuration/others/what_working_modes_and_protection_mechanisms_does_waf_have.rst b/umn/source/faqs/protection_rule_configuration/others/what_working_modes_and_protection_mechanisms_does_waf_have.rst new file mode 100644 index 0000000..7b6262c --- /dev/null +++ b/umn/source/faqs/protection_rule_configuration/others/what_working_modes_and_protection_mechanisms_does_waf_have.rst 
@@ -0,0 +1,48 @@ +:original_name: waf_01_0235.html + +.. _waf_01_0235: + +What Working Modes and Protection Mechanisms Does WAF Have? +=========================================================== + +After you connect a domain name to your WAF instance, WAF works as a reverse proxy between the client and server. The real IP address of the server is hidden and only the IP address of WAF is visible to web visitors. + +WAF supports the following working modes: + +- Enabled +- Suspended + +:ref:`Table 1 ` describes the protection mechanism. + +.. _waf_01_0235__table1728231455410: + +.. table:: **Table 1** Supported protection mechanism + + +-----------------------------------+----------------------------------------------------------+ + | Protection Rule | Protective Action | + +===================================+==========================================================+ + | Basic web protection rules | - Block | + | | - Log only | + +-----------------------------------+----------------------------------------------------------+ + | CC attack protection rules | - Verification code | + | | - Block | + | | - Block dynamically | + | | - Log only | + +-----------------------------------+----------------------------------------------------------+ + | Precise protection rules | - Block | + | | - Allow | + | | - Log only | + +-----------------------------------+----------------------------------------------------------+ + | Blacklist and whitelist rules | - Block | + | | - Allow | + | | - Log only | + +-----------------------------------+----------------------------------------------------------+ + | Geolocation access control rules | - Block | + | | - Allow | + | | - Log only | + +-----------------------------------+----------------------------------------------------------+ + | Website anti-crawler protection | Protective actions for feature-based anti-crawler rules: | + | | | + | | - Block | + | | - Log only | + 
+-----------------------------------+----------------------------------------------------------+ diff --git a/umn/source/faqs/protection_rule_configuration/others/why_does_the_page_fail_to_be_refreshed_after_wtp_is_enabled.rst b/umn/source/faqs/protection_rule_configuration/others/why_does_the_page_fail_to_be_refreshed_after_wtp_is_enabled.rst index 4d2f6b3..f07894a 100644 --- a/umn/source/faqs/protection_rule_configuration/others/why_does_the_page_fail_to_be_refreshed_after_wtp_is_enabled.rst +++ b/umn/source/faqs/protection_rule_configuration/others/why_does_the_page_fail_to_be_refreshed_after_wtp_is_enabled.rst @@ -13,9 +13,9 @@ Web Tamper Protection (WTP) supports only caching of static web pages. Perform t #. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. -#. In the navigation pane on the left, choose **Website Settings**. +#. In the navigation pane on the left, choose **Policies**. -#. In the **Policy** column of the row containing the domain name, click **Configure Policy**. +#. Click the name of the target policy to go to the protection configuration page. #. In the **Web Tamper Protection** configuration area, check whether this function is enabled. diff --git a/umn/source/faqs/protection_rule_configuration/precise_protection_rules/can_a_path_containing_sharp_be_matched_in_a_precise_protection_rule.rst b/umn/source/faqs/protection_rule_configuration/precise_protection_rules/can_a_path_containing_sharp_be_matched_in_a_precise_protection_rule.rst new file mode 100644 index 0000000..518d825 --- /dev/null +++ b/umn/source/faqs/protection_rule_configuration/precise_protection_rules/can_a_path_containing_sharp_be_matched_in_a_precise_protection_rule.rst 
@@ -0,0 +1,14 @@ +:original_name: waf_01_2217.html + +.. _waf_01_2217: + +Can a Path Containing # Be Matched in a Precise Protection Rule? +================================================================ + +The path added to a precise protection rule cannot contain special characters (``'"<>&*# %\?``). + +The number sign (#) is a client parameter. Parameters following the number sign (#) are not transferred to the server for web page location. WAF and browsers do not consider the content following the number sign (#) as URL parameters. Therefore, the parameters cannot be obtained. + +|image1| + +.. |image1| image:: /_static/images/en-us_image_0000001626813677.png diff --git a/umn/source/faqs/protection_rule_configuration/precise_protection_rules/can_a_precise_protection_rule_take_effect_in_a_specified_period.rst b/umn/source/faqs/protection_rule_configuration/precise_protection_rules/can_a_precise_protection_rule_take_effect_in_a_specified_period.rst index f8f899c..cc7cd9d 100644 --- a/umn/source/faqs/protection_rule_configuration/precise_protection_rules/can_a_precise_protection_rule_take_effect_in_a_specified_period.rst +++ b/umn/source/faqs/protection_rule_configuration/precise_protection_rules/can_a_precise_protection_rule_take_effect_in_a_specified_period.rst @@ -5,6 +5,6 @@ Can a Precise Protection Rule Take Effect in a Specified Period? ================================================================ -WAF does not allow precise protection access rules to take effect in a specified period. +Precise access protection rules can take effect in a specified period. You can set precise protection rules to filter access requests based on a combination of common HTTP fields (such as IP address, path, referer, user agent, and params) to allow or block the requests that match the conditions. 
diff --git a/umn/source/faqs/protection_rule_configuration/precise_protection_rules/how_can_i_allow_access_from_.js_files.rst b/umn/source/faqs/protection_rule_configuration/precise_protection_rules/how_can_i_allow_access_from_.js_files.rst new file mode 100644 index 0000000..35f9299 --- /dev/null +++ b/umn/source/faqs/protection_rule_configuration/precise_protection_rules/how_can_i_allow_access_from_.js_files.rst @@ -0,0 +1,12 @@ +:original_name: waf_01_3217.html + +.. _waf_01_3217: + +How Can I Allow Access from .js Files? +====================================== + +You can configure a precise protection rule in WAF to allow access from paths with the suffix .js. The configuration is as follows: + +|image1| + +.. |image1| image:: /_static/images/en-us_image_0000001676279753.png diff --git a/umn/source/faqs/protection_rule_configuration/precise_protection_rules/index.rst b/umn/source/faqs/protection_rule_configuration/precise_protection_rules/index.rst index 9e0ecc7..683ad5d 100644 --- a/umn/source/faqs/protection_rule_configuration/precise_protection_rules/index.rst +++ b/umn/source/faqs/protection_rule_configuration/precise_protection_rules/index.rst @@ -6,9 +6,13 @@ Precise Protection rules ======================== - :ref:`Can a Precise Protection Rule Take Effect in a Specified Period? ` +- :ref:`Can a Path Containing # Be Matched in a Precise Protection Rule? ` +- :ref:`How Can I Allow Access from .js Files? ` .. toctree:: :maxdepth: 1 :hidden: can_a_precise_protection_rule_take_effect_in_a_specified_period + can_a_path_containing_sharp_be_matched_in_a_precise_protection_rule + how_can_i_allow_access_from_.js_files diff --git a/umn/source/faqs/service_interruption_check/how_can_i_upload_files_after_the_website_is_connected_to_waf.rst b/umn/source/faqs/service_interruption_check/how_can_i_upload_files_after_the_website_is_connected_to_waf.rst index d8394be..da73432 100644 
--- a/umn/source/faqs/service_interruption_check/how_can_i_upload_files_after_the_website_is_connected_to_waf.rst +++ b/umn/source/faqs/service_interruption_check/how_can_i_upload_files_after_the_website_is_connected_to_waf.rst @@ -5,10 +5,10 @@ How Can I Upload Files After the Website Is Connected to WAF? ============================================================= -After your website is connected to WAF, the file visitors can upload each time cannot exceed 512 MB. +After your website is connected to WAF, you can upload a file no larger than 10 GB each time. -To upload a file greater than 512 MB, upload the file through: +To upload a file larger than 10 GB, upload the file through any of the following: - IP address -- Separate web server +- Separate web server that is not protected by WAF - FTP server diff --git a/umn/source/faqs/service_interruption_check/how_do_i_fix_an_incomplete_certificate_chain.rst b/umn/source/faqs/service_interruption_check/how_do_i_fix_an_incomplete_certificate_chain.rst index fc7a577..e8ee6fe 100644 --- a/umn/source/faqs/service_interruption_check/how_do_i_fix_an_incomplete_certificate_chain.rst +++ b/umn/source/faqs/service_interruption_check/how_do_i_fix_an_incomplete_certificate_chain.rst 
@@ -10,57 +10,50 @@ If the certificate provided by the certificate authority is not found in the bui Use either of the following methods to fix it: - Manually build up a complete certificate chain and upload the certificate. (This function is available soon.) -- Purchase a new certificate and upload it. +- Upload the correct certificate. The latest Google Chrome version supports automatic verification of the trust chain. The following describes how to manually create a complete certificate chain: -#. Check the certificate. Click the padlock in the address bar to view the certificate status. :ref:`Figure 1 ` shows an example. +#. Check the certificate. Click the padlock in the address bar to view the certificate status. - .. _waf_01_0082__fig3896113414308: - - .. figure:: /_static/images/en-us_image_0246108677.png - :alt: **Figure 1** Viewing the certificate - - **Figure 1** Viewing the certificate - -#. Check the certificate chain. Click **Certificate**. Select the **Certificate Path** tab and then click the certificate name to view the certificate status. :ref:`Figure 2 ` shows an example. +#. Check the certificate chain. Click **Certificate**. Select the **Certificate Path** tab and then click the certificate name to view the certificate status. :ref:`Figure 1 ` shows an example. .. _waf_01_0082__fig1987812411375: .. figure:: /_static/images/en-us_image_0246112199.png - :alt: **Figure 2** Viewing the certificate chain + :alt: **Figure 1** Viewing the certificate chain - **Figure 2** Viewing the certificate chain + **Figure 1** Viewing the certificate chain #. Save the certificates to the local PC one by one. - a. Select the certificate name and click the **Details** tab. :ref:`Figure 3 ` shows an example. + a. Select the certificate name and click the **Details** tab. :ref:`Figure 2 ` shows an example. .. _waf_01_0082__fig56008156448: .. 
figure:: /_static/images/en-us_image_0246108818.png - :alt: **Figure 3** Details + :alt: **Figure 2** Details - **Figure 3** Details + **Figure 2** Details b. Click **Copy to File**, and then click **Next** as prompted. - c. Select **Base-64 encoded X.509 (.CER)** and click **Next**. :ref:`Figure 4 ` shows an example. + c. Select **Base-64 encoded X.509 (.CER)** and click **Next**. :ref:`Figure 3 ` shows an example. .. _waf_01_0082__fig1699010397583: .. figure:: /_static/images/en-us_image_0246109037.png - :alt: **Figure 4** Certificate Export Wizard + :alt: **Figure 3** Certificate Export Wizard - **Figure 4** Certificate Export Wizard + **Figure 3** Certificate Export Wizard -#. Rebuild the certificate. After all certificates are exported to the local PC, open the certificate file in Notepad and rebuild the certificate according to the sequence shown in :ref:`Figure 5 `. +#. Rebuild the certificate. After all certificates are exported to the local PC, open the certificate file in Notepad and rebuild the certificate according to the sequence shown in :ref:`Figure 4 `. .. _waf_01_0082__fig1970017819312: .. figure:: /_static/images/en-us_image_0283637109.png - :alt: **Figure 5** Certificate rebuilding + :alt: **Figure 4** Certificate rebuilding - **Figure 5** Certificate rebuilding + **Figure 4** Certificate rebuilding #. Upload the certificate again. diff --git a/umn/source/faqs/service_interruption_check/how_do_i_handle_false_alarms_as_waf_blocks_normal_requests_to_my_website.rst b/umn/source/faqs/service_interruption_check/how_do_i_handle_false_alarms_as_waf_blocks_normal_requests_to_my_website.rst index b159373..fb60b77 100644 --- a/umn/source/faqs/service_interruption_check/how_do_i_handle_false_alarms_as_waf_blocks_normal_requests_to_my_website.rst +++ b/umn/source/faqs/service_interruption_check/how_do_i_handle_false_alarms_as_waf_blocks_normal_requests_to_my_website.rst 
@@ -15,34 +15,35 @@ In the row containing the false alarm event, click **Details** in the **Operatio .. table:: **Table 1** Handling false alarms - +-------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Type of Hit Rule | Hit Rule | Handling Method | - +===============================+=======================================================================================================================================================================================================================================================================================================================================================+===================================================================================================================================================================================================================================================+ - | WAF built-in protection rules | - Basic web protection rules | In the row containing the attack event, click **Handle False Alarm** in the **Operation** column. For details, see :ref:`Handling False Alarms `. | - | | | | - | | Basic web protection defends against common web attacks, such as SQL injection, XSS attacks, remote buffer overflow attacks, file inclusion, Bash vulnerability exploits, remote command execution, directory traversal, sensitive file access, and command and code injections. 
Basic web protection also detects web shells and evasion attacks. | | - | | | | - | | - Feature-based anti-crawler protection | | - | | | | - | | Feature-based anti-crawler identifies and blocks crawler behavior from search engines, scanners, script tools, and other crawlers. | | - +-------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Custom protection rules | - CC attack protection rules | Go to the page displaying the hit rule and delete it. 
| - | | - Precise protection rules | | - | | - Blacklist and whitelist rules | | - | | - Geolocation access control rules | | - | | - Web tamper protection rules | | - | | - JavaScript anti-crawler protection | | - | | - Information leakage prevention rules | | - | | - Data masking rules | | - +-------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Other | Invalid access requests | Allow the blocked requests by referring to :ref:`Configuring a Precise Protection Rule `. The **Handle False Alarm** button for invalid access events are grayed out as such events are generated against a precise protection rule. | - | | | | - | | .. 
note:: | | - | | | | - | | If either of the following numbers in an access request exceeds 512, WAF blocks the access request as an invalid request: | | - | | | | - | | - Number of parameters in a form when **form-data** is used for POST or PUT requests | | - | | - Number of URI parameters | | - +-------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +-------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Type of Hit Rule | Hit Rule | Handling Method | + 
+===============================+=======================================================================================================================================================================================================================================================================================================================================================+=========================================================================================================================================================================================================================================================+ + | WAF built-in protection rules | - Basic web protection rules | In the row containing the attack event, click **Handle False Alarm** in the **Operation** column. For details, see :ref:`Handling False Alarms `. | + | | | | + | | Basic web protection defends against common web attacks, such as SQL injection, XSS attacks, remote buffer overflow attacks, file inclusion, Bash vulnerability exploits, remote command execution, directory traversal, sensitive file access, and command and code injections. Basic web protection also detects web shells and evasion attacks. | | + | | | | + | | - Feature-based anti-crawler protection | | + | | | | + | | Feature-based anti-crawler identifies and blocks crawler behavior from search engines, scanners, script tools, and other crawlers. 
| | + +-------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Custom protection rules | - CC attack protection rules | Go to the page displaying the hit rule and delete it. | + | | - Precise protection rules | | + | | - Blacklist and whitelist rules | | + | | - Geolocation access control rules | | + | | - Web tamper protection rules | | + | | - JavaScript anti-crawler protection | | + | | - Information leakage prevention rules | | + | | - Data masking rules | | + +-------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Other | Invalid access requests | Allow the blocked requests by referring to :ref:`Configuring Custom Precise Protection Rules `. The **Handle False Alarm** button for invalid access events are grayed out as such events are generated against a precise protection rule. | + | | | | + | | .. 
note:: | | + | | | | + | | If either of the following cases, WAF blocks the access request as an invalid request: | | + | | | | + | | - When **form-data** is used for POST or PUT requests, the number of parameters in a form exceeds 8,192. | | + | | - The URI contains more than 2,048 parameters. | | + | | - The number of headers exceeds 512. | | + +-------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ For details, see :ref:`Handling False Alarms `. diff --git a/umn/source/faqs/service_interruption_check/how_do_i_troubleshoot_404_502_504_errors.rst b/umn/source/faqs/service_interruption_check/how_do_i_troubleshoot_404_502_504_errors.rst index b983ec7..8e233b1 100644 --- a/umn/source/faqs/service_interruption_check/how_do_i_troubleshoot_404_502_504_errors.rst +++ b/umn/source/faqs/service_interruption_check/how_do_i_troubleshoot_404_502_504_errors.rst 
@@ -21,11 +21,25 @@ If an error, such as 404 Not Found, 502 Bad Gateway, or 504 Gateway Timeout, occ **Cause**: The port added to a URL is incorrect. -- A non-standard port is configured when a domain name is connected to WAF. No port is added or the origin server port instead of the non-standard port is used to access the website. For example, use **https://www.example.com** or **https://www.example.com:80** to access the website. +- A non-standard port is configured when a domain name is connected to WAF. No port is added or the origin server port instead of the non-standard port is used to access the website. For example, use **https://www.example.com** or **https://www.example.com:80** to access the website. :ref:`Figure 2 ` shows an example. + + .. _waf_01_0066__fig953011674311: + + .. figure:: /_static/images/en-us_image_0000001732971653.png + :alt: **Figure 2** Configuration of a non-standard port + + **Figure 2** Configuration of a non-standard port **Solution**: Add the non-standard port to the URL and access the origin server again, for example, **https://www.example.com:8080**. -- No non-standard port is configured when a domain name is added to WAF. A non-standard port or the origin server port is used to access the website. For example, use **https://www.example.com:8080** to access the website. +- No non-standard port is configured when a domain name is added to WAF. A non-standard port or the origin server port is used to access the website. For example, use **https://www.example.com:8080** to access the website. :ref:`Figure 3 ` shows an example. + + .. _waf_01_0066__fig145761043195313: + + .. figure:: /_static/images/en-us_image_0000001732975481.png + :alt: **Figure 3** Non-standard port not configured + + **Figure 3** Non-standard port not configured .. note:: diff --git a/umn/source/faqs/service_interruption_check/index.rst b/umn/source/faqs/service_interruption_check/index.rst index 5149f2d..3833778 100644 
--- a/umn/source/faqs/service_interruption_check/index.rst +++ b/umn/source/faqs/service_interruption_check/index.rst @@ -19,6 +19,10 @@ Service Interruption Check - :ref:`Why Does the Website Login Page Continuously Refreshed After a Domain Name Is Connected to WAF? ` - :ref:`Why Does the Requested Page Respond Slowly After the HTTP Forwarding Policy Is Configured? ` - :ref:`How Can I Upload Files After the Website Is Connected to WAF? ` +- :ref:`Why Am I Seeing Error Code 414 Request-URI Too Large? ` +- :ref:`What Do I Do If the Protocol Is Not Supported and the Client and Server Do Not Support Common SSL Protocol Versions or Cipher Suites? ` +- :ref:`Why Cannot I Access the Dedicated Engine Page? ` +- :ref:`Why Is the Bar Mitzvah Attack on SSL/TLS Detected? ` .. toctree:: :maxdepth: 1 @@ -38,3 +42,7 @@ Service Interruption Check why_does_the_website_login_page_continuously_refreshed_after_a_domain_name_is_connected_to_waf why_does_the_requested_page_respond_slowly_after_the_http_forwarding_policy_is_configured how_can_i_upload_files_after_the_website_is_connected_to_waf + why_am_i_seeing_error_code_414_request-uri_too_large + what_do_i_do_if_the_protocol_is_not_supported_and_the_client_and_server_do_not_support_common_ssl_protocol_versions_or_cipher_suites + why_cannot_i_access_the_dedicated_engine_page + why_is_the_bar_mitzvah_attack_on_ssl_tls_detected diff --git a/umn/source/faqs/service_interruption_check/what_do_i_do_if_the_protocol_is_not_supported_and_the_client_and_server_do_not_support_common_ssl_protocol_versions_or_cipher_suites.rst b/umn/source/faqs/service_interruption_check/what_do_i_do_if_the_protocol_is_not_supported_and_the_client_and_server_do_not_support_common_ssl_protocol_versions_or_cipher_suites.rst new file mode 100644 index 0000000..da12255 --- /dev/null +++ b/umn/source/faqs/service_interruption_check/what_do_i_do_if_the_protocol_is_not_supported_and_the_client_and_server_do_not_support_common_ssl_protocol_versions_or_cipher_suites.rst 
@@ -0,0 +1,16 @@ +:original_name: waf_01_1311.html + +.. _waf_01_1311: + +What Do I Do If the Protocol Is Not Supported and the Client and Server Do Not Support Common SSL Protocol Versions or Cipher Suites? +===================================================================================================================================== + +Symptom +------- + +After a domain name is connected to WAF, the website cannot be accessed. A message is displayed, indicating that the protocol is not supported. The client and server do not support common SSL protocol versions or cipher suites. + +Solution +-------- + +Select the default cipher suite for **Cipher Suite** in the **TLS Configuration** dialog box. For details, see :ref:`Configuring PCI DSS/3DS Certification Check and TLS Version `. diff --git a/umn/source/faqs/service_interruption_check/what_is_the_connection_timeout_duration_of_waf_can_i_manually_set_the_timeout_duration.rst b/umn/source/faqs/service_interruption_check/what_is_the_connection_timeout_duration_of_waf_can_i_manually_set_the_timeout_duration.rst index 05b5da4..738cf22 100644 --- a/umn/source/faqs/service_interruption_check/what_is_the_connection_timeout_duration_of_waf_can_i_manually_set_the_timeout_duration.rst +++ b/umn/source/faqs/service_interruption_check/what_is_the_connection_timeout_duration_of_waf_can_i_manually_set_the_timeout_duration.rst 
@@ -5,9 +5,9 @@ What Is the Connection Timeout Duration of WAF? Can I Manually Set the Timeout Duration? ======================================================================================== -- The default timeout duration for connections between a browser and WAF is 120 seconds, which cannot be manually set. +- The default timeout period for connections from a browser to WAF is 120 seconds. The value varies depending on your browser settings and cannot be changed on the WAF console page. -- The default timeout duration for connections between WAF and your origin server is 60 seconds. You can customize a timeout duration. +- The default timeout duration for connections between WAF and your origin server is 60 seconds. You can customize a timeout duration on the WAF console. On the **Basic Information** page, enable **Timeout Settings** and click |image1|. Then, specify **WAF-to-Server connection timeout (s)**, **Read timeout (s)**, and **Write timeout (s)** and click |image2| to save settings. diff --git a/umn/source/faqs/service_interruption_check/why_am_i_seeing_error_code_414_request-uri_too_large.rst b/umn/source/faqs/service_interruption_check/why_am_i_seeing_error_code_414_request-uri_too_large.rst new file mode 100644 index 0000000..308b03a --- /dev/null +++ b/umn/source/faqs/service_interruption_check/why_am_i_seeing_error_code_414_request-uri_too_large.rst 
@@ -0,0 +1,61 @@ +:original_name: waf_01_0311.html + +.. _waf_01_0311: + +Why Am I Seeing Error Code 414 Request-URI Too Large? +===================================================== + +Symptoms +-------- + +After a protected website is connected to WAF, the website is inaccessible and the error message "414 Request-URI Too Large" is displayed, as shown in :ref:`Figure 1 `. + +.. _waf_01_0311__fig43341217162111: + +.. figure:: /_static/images/en-us_image_0000001074658084.png + :alt: **Figure 1** Error Code 414 Request-URI Too Large + + **Figure 1** Error Code 414 Request-URI Too Large + +Possible Causes +--------------- + +The client browser cannot parse JavaScript. In this situation, the client browser caches the page that contains the JavaScript code returned by WAF. Each time the protected website is requested, the cached page is accessed. WAF then verifies that the access request is from an invalid browser or crawler. The access request verification fails. As a result, an infinite loop occurs, the URI length exceeds the browser limit, and the website becomes inaccessible. + +After JavaScript anti-crawler is enabled, WAF returns a piece of JavaScript code to the client when the client sends a request. If the client sends a normal request to the website, triggered by the received JavaScript code, the client will automatically send the request to WAF again. WAF then forwards the request to the origin server. This process is called JavaScript verification. :ref:`Figure 2 ` shows how JavaScript verification works. + +.. _waf_01_0311__fig67621541143216: + +.. figure:: /_static/images/en-us_image_0000001126290859.png + :alt: **Figure 2** JavaScript anti-crawler detection process + + **Figure 2** JavaScript anti-crawler detection process + +Handling Suggestions +-------------------- + +Disable the JavaScript anti-crawler protection by performing the following steps: + +#. Log in to the management console. + +#. 
Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane on the left, choose **Policies**. + +#. Click the name of the target policy to go to the protection configuration page. + +#. In the **Anti-Crawler** configuration area, click **Configure Anti-Crawler**. + + + .. figure:: /_static/images/en-us_image_0000001395732753.png + :alt: **Figure 3** Anti-Crawler configuration area + + **Figure 3** Anti-Crawler configuration area + +#. Click the **JavaScript** tab and disable the JavaScript anti-crawler protection. Its status changes to |image3|. + +.. |image1| image:: /_static/images/en-us_image_0000001533330749.jpg +.. |image2| image:: /_static/images/en-us_image_0000001677145090.png +.. |image3| image:: /_static/images/en-us_image_0000001074633189.png diff --git a/umn/source/faqs/service_interruption_check/why_am_i_seeing_error_code_523.rst b/umn/source/faqs/service_interruption_check/why_am_i_seeing_error_code_523.rst index c561f50..b44a97d 100644 --- a/umn/source/faqs/service_interruption_check/why_am_i_seeing_error_code_523.rst +++ b/umn/source/faqs/service_interruption_check/why_am_i_seeing_error_code_523.rst 
@@ -5,16 +5,65 @@ Why Am I Seeing Error Code 523? =============================== -If a request passes through WAF twice, WAF blocks the request to prevent an infinite loop. In this case, error 523 is displayed when you access the domain name protected by WAF. +If a request goes through WAF over four times, WAF will block the request and return error code 523 to avoid endless loops. If error code 523 is returned for your website requests, check how many WAF instances you are using. -Use the following methods to resolve the issue: +Cause 1: A website is connected to more than four WAF instances. +---------------------------------------------------------------- -- Direct the request to the internal DNS server so that the request can bypass the public network. +Error code 523 will return if a website has been connected to different types of WAF instances -- Configure the hosts file of the origin server. +**Solution** - The following uses the Windows operating system as an example. +Route website traffic to bypass redundant WAF instances. - #. Use a text editor to open the **hosts** file. Generally, the **hosts** file is stored in the **C:\\Windows\\System32\\drivers\\etc\\** directory. - #. Add a record about the IP address of the origin server to the hosts file. - #. Save the modification and exit. +#. Log in to the WAF management console. + +#. In the navigation pane on the left, choose **Website Settings**. + +#. Locate the website for which 523 error code is returned, retain one configuration, and delete the website from redundant WAF instances. For details, see :ref:`Removing a Protected Website from WAF `. + + To prevent service interruptions due to such deletions, perform the following operations before deleting a website from WAF: + + Cloud mode: Go to your DNS provider and resolve your domain name to the IP address of the origin server. Otherwise, the traffic to your domain name cannot be routed to the origin server. 
+ + **Dedicated mode**: Remove redundant WAF instances from the backend server group of the load balancer so that no requests are forwarding to those WAF instances. . + +Cause 2: A Third-party Interface That Uses WAF Was Called +--------------------------------------------------------- + +When a request is forwarded to the third-party API, header and cookie are forwarded without being changed. Only the host is modified. This makes WAF count the requests without clearing historical records. + +**Solution** + +Modify the header field in the reverse proxy request. The operations are as follows: + +.. important:: + + This method can be used only when Nginx is deployed after WAF on the user traffic link. + +#. Use **proxy_set_header** to redefine the request header sent to the proxy server. Run the following command to open the Nginx configuration file: + + (The following command is used when Nginx is installed in the **/opt/nginx/** directory. Change the directory based on your situation.) + + **vi /opt/nginx/conf/nginx.conf** + +#. Add **proxy_set_header X-CloudWAF-Traffic-Tag 0** to the Nginx configuration file. The following is an example: + + .. code-block:: + + location ^~/test/ { + ...... + proxy_set_header Host $proxy_host; + proxy_set_header X-CloudWAF-Traffic-Tag 0; + ...... + proxy_pass http://x.x.x.x; + } + +Cause 3: Origin Server IP address Was Mistakenly Set to an IP Address of WAF or A Proxy in Front of WAF +------------------------------------------------------------------------------------------------------- + +If the origin server address is mistakenly set to the back-to-source IP address of WAF or an IP address of the proxy in front of WAF, the website requests go to an endless loop and error code 523 is returned. + +**Solution** + +Check the origin server configurations and enter a correct origin server address. 
diff --git a/umn/source/faqs/service_interruption_check/why_cannot_i_access_the_dedicated_engine_page.rst b/umn/source/faqs/service_interruption_check/why_cannot_i_access_the_dedicated_engine_page.rst new file mode 100644 index 0000000..01ff45e --- /dev/null +++ b/umn/source/faqs/service_interruption_check/why_cannot_i_access_the_dedicated_engine_page.rst @@ -0,0 +1,21 @@ +:original_name: waf_01_1312.html + +.. _waf_01_1312: + +Why Cannot I Access the Dedicated Engine Page? +============================================== + +Symptom +------- + +Error message "Failed to request IAM. Please check the current user's IAM permissions." is displayed when a user attempted to access the **Dedicate Engine** page under **Instance Management**. + +Possible Cause +-------------- + +The **IAM ReadOnly** permission is not granted to the login account. + +Solution +-------- + +Assign the **IAM ReadOnly** permission to your account. diff --git a/umn/source/faqs/service_interruption_check/why_does_waf_block_normal_requests_as_invalid_requests.rst b/umn/source/faqs/service_interruption_check/why_does_waf_block_normal_requests_as_invalid_requests.rst index c0c4a60..83a3871 100644 --- a/umn/source/faqs/service_interruption_check/why_does_waf_block_normal_requests_as_invalid_requests.rst +++ b/umn/source/faqs/service_interruption_check/why_does_waf_block_normal_requests_as_invalid_requests.rst 
@@ -20,12 +20,13 @@ After a website is connected to WAF, a normal access request is blocked by WAF. Possible Cause -------------- -If either of the following numbers in an access request exceeds 512, WAF blocks the access request as an invalid request: +If either of the following cases, WAF blocks the access request as an invalid request: -- Number of parameters in a form when **form-data** is used for POST or PUT requests -- Number of URI parameters +- When **form-data** is used for POST or PUT requests, the number of parameters in a form exceeds 8,192. +- The URI contains more than 2,048 parameters. +- The number of headers exceeds 512. Solution -------- -If you confirm that the blocked request is a normal request, allow it by referring to :ref:`Configuring a Precise Protection Rule `. +If you confirm that the blocked request is a normal request, allow it by :ref:`Configuring Custom Precise Protection Rules `. diff --git a/umn/source/faqs/service_interruption_check/why_is_my_domain_name_or_ip_address_inaccessible.rst b/umn/source/faqs/service_interruption_check/why_is_my_domain_name_or_ip_address_inaccessible.rst index be572b0..344ff24 100644 --- a/umn/source/faqs/service_interruption_check/why_is_my_domain_name_or_ip_address_inaccessible.rst +++ b/umn/source/faqs/service_interruption_check/why_is_my_domain_name_or_ip_address_inaccessible.rst @@ -27,7 +27,7 @@ Refer to :ref:`Figure 2 ` and :ref:`Table 1 ` +- :ref:`Where Can I View the Inbound and Outbound Bandwidths of a Protected Website? ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + where_can_i_query_the_service_qps_of_the_current_waf_service + where_can_i_view_the_inbound_and_outbound_bandwidths_of_a_protected_website 
diff --git a/umn/source/faqs/service_request_specification/about_service_requests/where_can_i_query_the_service_qps_of_the_current_waf_service.rst b/umn/source/faqs/service_request_specification/about_service_requests/where_can_i_query_the_service_qps_of_the_current_waf_service.rst new file mode 100644 index 0000000..320f690 --- /dev/null +++ b/umn/source/faqs/service_request_specification/about_service_requests/where_can_i_query_the_service_qps_of_the_current_waf_service.rst @@ -0,0 +1,8 @@ +:original_name: waf_01_0228.html + +.. _waf_01_0228: + +Where Can I Query the Service QPS of the Current WAF Service? +============================================================= + +You can query the inbound bandwidth or QPS quota usage of the origin server IP address on the origin server. diff --git a/umn/source/faqs/service_request_specification/about_service_requests/where_can_i_view_the_inbound_and_outbound_bandwidths_of_a_protected_website.rst b/umn/source/faqs/service_request_specification/about_service_requests/where_can_i_view_the_inbound_and_outbound_bandwidths_of_a_protected_website.rst new file mode 100644 index 0000000..30d77af --- /dev/null +++ b/umn/source/faqs/service_request_specification/about_service_requests/where_can_i_view_the_inbound_and_outbound_bandwidths_of_a_protected_website.rst 
@@ -0,0 +1,15 @@ +:original_name: waf_01_0368.html + +.. _waf_01_0368: + +Where Can I View the Inbound and Outbound Bandwidths of a Protected Website? +============================================================================ + +On the **Dashboard** page, you can view the bandwidth usage about the protected website or instance. The procedure is as follows: + +#. Log in to the management console. +#. Click |image1| in the upper left corner of the management console and select a region or project. +#. In the website or instance drop-down list, select the website or instance you want to check and select a time range (yesterday, today, past 3 days, past 7 days, or past 30 days). +#. In the **Security Event Statistics** area, select the **Bytes Sent/Received** tab and view the inbound and outbound bandwidths. + +.. |image1| image:: /_static/images/en-us_image_0000001188966422.jpg diff --git a/umn/source/faqs/service_request_specification/index.rst b/umn/source/faqs/service_request_specification/index.rst new file mode 100644 index 0000000..fd92d96 --- /dev/null +++ b/umn/source/faqs/service_request_specification/index.rst @@ -0,0 +1,16 @@ +:original_name: waf_01_0170.html + +.. _waf_01_0170: + +Service Request/Specification +============================= + +- :ref:`WAF Instance Specifications Change ` +- :ref:`About Service Requests ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + waf_instance_specifications_change/index + about_service_requests/index diff --git a/umn/source/faqs/service_request_specification/waf_instance_specifications_change/index.rst b/umn/source/faqs/service_request_specification/waf_instance_specifications_change/index.rst new file mode 100644 index 0000000..4f2d7c0 --- /dev/null +++ b/umn/source/faqs/service_request_specification/waf_instance_specifications_change/index.rst 
@@ -0,0 +1,14 @@ +:original_name: waf_01_0296.html + +.. _waf_01_0296: + +WAF Instance Specifications Change +================================== + +- :ref:`What Are the Impacts When QPS Exceeds the Allowed Peak Rate? ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + what_are_the_impacts_when_qps_exceeds_the_allowed_peak_rate diff --git a/umn/source/faqs/service_request_specification/waf_instance_specifications_change/what_are_the_impacts_when_qps_exceeds_the_allowed_peak_rate.rst b/umn/source/faqs/service_request_specification/waf_instance_specifications_change/what_are_the_impacts_when_qps_exceeds_the_allowed_peak_rate.rst new file mode 100644 index 0000000..a792401 --- /dev/null +++ b/umn/source/faqs/service_request_specification/waf_instance_specifications_change/what_are_the_impacts_when_qps_exceeds_the_allowed_peak_rate.rst 
@@ -0,0 +1,36 @@ +:original_name: waf_01_0227.html + +.. _waf_01_0227: + +What Are the Impacts When QPS Exceeds the Allowed Peak Rate? +============================================================ + +If the QPS specifications you select cannot handle the daily peak traffic of protected website/application services, WAF stops protect the website when your website QPS exceeds what your WAF edition supports. This will cause traffic limiting, random packet loss, or even service to be unavailable, frozen, or delayed for a certain period of time. + +The following describes the QPS specifications supported by dedicated WAF instances in different deployments. + +- Normal peak requests for a single instance: + + - Specifications: WI-500. Referenced performance: + + - HTTP services - Recommended QPS: 5,000. Maximum QPS: 10,000. + - HTTPS services - Recommended QPS: 4,000. Maximum QPS: 8,000. + - WebSocket service - Maximum concurrent connections: 5,000 + - Maximum WAF-to-server persistent connections: 60,000 + + - Specifications: WI-100. Referenced performance: + + - HTTP services - Recommended QPS: 1,000. Maximum QPS: 2,000. + - HTTPS services - Recommended QPS: 800. Maximum QPS: 1,600 + - WebSocket service - Maximum concurrent connections: 1,000 + - Maximum WAF-to-server persistent connections: 60,000 + +- Peak rate of CC attack protection + + - Specifications: WI-500. Referenced performance: + + Maximum QPS: 20,000 + + - Specifications: WI-100. Referenced performance: + + Maximum QPS: 4,000 diff --git a/umn/source/faqs/website_domain_name_access_configuration/certificate_management/how_do_i_modify_a_certificate.rst b/umn/source/faqs/website_domain_name_access_configuration/certificate_management/how_do_i_modify_a_certificate.rst new file mode 100644 index 0000000..66c1729 --- /dev/null +++ b/umn/source/faqs/website_domain_name_access_configuration/certificate_management/how_do_i_modify_a_certificate.rst 
@@ -0,0 +1,21 @@ +:original_name: waf_01_0068.html + +.. _waf_01_0068: + +How Do I Modify a Certificate? +============================== + +If the purchased certificate is about to expire, you are advised to purchase a new certificate before the expiration date and update the certificate associated with the domain name in WAF. + +Perform the following operations: + +#. Log in to the management console. +#. Click |image1| in the upper left corner of the management console and select a region or project. +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. +#. In the navigation pane on the left, choose **Website Settings**. +#. In the **Protected Website** column, click the domain name of the website to go to the basic information page. +#. Click |image3| next to **Server Information**. If **Client Protocol** is **HTTPS**, select a new certificate from the certificate drop-down list or import a new certificate. + +.. |image1| image:: /_static/images/en-us_image_0000001483010166.jpg +.. |image2| image:: /_static/images/en-us_image_0000001732142997.png +.. |image3| image:: /_static/images/en-us_image_0149271990.jpg diff --git a/umn/source/faqs/website_domain_name_access_configuration/certificate_management/index.rst b/umn/source/faqs/website_domain_name_access_configuration/certificate_management/index.rst index aa5cbf9..b49aad8 100644 --- a/umn/source/faqs/website_domain_name_access_configuration/certificate_management/index.rst +++ b/umn/source/faqs/website_domain_name_access_configuration/certificate_management/index.rst @@ -6,6 +6,7 @@ Certificate Management ====================== - :ref:`How Do I Select a Certificate When Configuring a Wildcard Domain Name? ` +- :ref:`How Do I Modify a Certificate? ` - :ref:`Do I Need to Import the Certificates That Have Been Uploaded to ELB to WAF? ` - :ref:`How Do I Convert a Certificate into PEM Format? ` 
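Review bot: In what_are_the_impacts_when_qps_exceeds_the_allowed_peak_rate.rst (the new file added just before how_do_i_modify_a_certificate.rst), the opening paragraph describes two different failure behaviours. "WAF stops protect the website" reads as traffic passing uninspected, while the next sentence lists traffic limiting, random packet loss and unavailability. State which behaviour applies once QPS exceeds the instance maximum, since operators size WI-100 and WI-500 against it. The overview.rst note deleted later in this patch put it as "WAF will stop checking the traffic and directly forward it to the origin server", and that precision should not be lost. Also change "stops protect" to "stops protecting" and add the missing full stop after "Maximum QPS: 1,600".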
@@ -14,5 +15,6 @@ Certificate Management :hidden: how_do_i_select_a_certificate_when_configuring_a_wildcard_domain_name + how_do_i_modify_a_certificate do_i_need_to_import_the_certificates_that_have_been_uploaded_to_elb_to_waf how_do_i_convert_a_certificate_into_pem_format diff --git a/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/can_i_configure_multiple_load_balancers_for_a_dedicated_waf_instance.rst b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/can_i_configure_multiple_load_balancers_for_a_dedicated_waf_instance.rst new file mode 100644 index 0000000..325d196 --- /dev/null +++ b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/can_i_configure_multiple_load_balancers_for_a_dedicated_waf_instance.rst @@ -0,0 +1,8 @@ +:original_name: waf_01_3242.html + +.. _waf_01_3242: + +Can I Configure Multiple Load Balancers for a Dedicated WAF Instance? +===================================================================== + +Yes. You can add a dedicated WAF instance to backend server groups of more than one load balancers. 
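Review bot: In how_do_i_modify_a_certificate.rst (added in the hunk before the certificate_management/index.rst changes), step 6 ends at "select a new certificate from the certificate drop-down list or import a new certificate", with no step that saves the change and none that checks the website now serves the new certificate. Add both, so a reader replacing a certificate close to expiry can confirm the swap took effect. The title says "Modify" while the body describes replacing a certificate that is about to expire. "How Do I Update a Certificate?" would match the **More** > **Update** wording this patch adds to the certificate pages.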
diff --git a/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/do_i_have_to_configure_the_same_port_as_that_of_the_origin_server_when_adding_a_domain_name_to_waf.rst b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/do_i_have_to_configure_the_same_port_as_that_of_the_origin_server_when_adding_a_website_to_waf.rst similarity index 91% rename from umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/do_i_have_to_configure_the_same_port_as_that_of_the_origin_server_when_adding_a_domain_name_to_waf.rst rename to umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/do_i_have_to_configure_the_same_port_as_that_of_the_origin_server_when_adding_a_website_to_waf.rst index 7a9f7f3..6d9f37a 100644 --- a/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/do_i_have_to_configure_the_same_port_as_that_of_the_origin_server_when_adding_a_domain_name_to_waf.rst +++ b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/do_i_have_to_configure_the_same_port_as_that_of_the_origin_server_when_adding_a_website_to_waf.rst @@ -2,8 +2,8 @@ .. _waf_01_0279: -Do I Have to Configure the Same Port as That of the Origin Server When Adding a Domain Name to WAF? -=================================================================================================== +Do I Have to Configure the Same Port as That of the Origin Server When Adding a Website to WAF? +=============================================================================================== No. When you add a domain name to WAF, configure the server port to the port of the protected website. The origin server port is the service port used by WAF to forward your website requests. More details about port configuration are described as follows: 
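Review bot: The title changes from "Adding a Domain Name to WAF" to "Adding a Website to WAF", but the unchanged first sentence of the body still reads "When you add a domain name to WAF". Use the same term in both places, either by updating the body in this hunk or by keeping "domain name" in the title. The index entry and file name were renamed to "website" elsewhere in this patch, so the body is the odd one out.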
diff --git a/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/how_do_i_safely_delete_a_protected_domain_name.rst b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/how_do_i_safely_delete_a_protected_domain_name.rst index 0d85926..a14db02 100644 --- a/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/how_do_i_safely_delete_a_protected_domain_name.rst +++ b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/how_do_i_safely_delete_a_protected_domain_name.rst @@ -7,5 +7,5 @@ How Do I Safely Delete a Protected Domain Name? To delete a website from WAF, see :ref:`Removing a Protected Website from WAF `. Before you start, get yourself familiar with the following precautions: -- Before removing a website from WAF, go to your DNS provider and resolve your domain name to the IP address of the origin server, or the traffic to your domain name cannot be routed to the origin server. +- In cloud mode, if you want to remove a protected website from WAF, go to the DNS platform and translate the domain name to the origin server IP address before you remove it. Otherwise, traffic intended to the domain name will not be directed to the origin server. - It takes a while to remove a website from WAF, but once this action is started, it cannot be cancelled. Exercise caution when removing a website from WAF. diff --git a/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/how_do_i_use_a_dedicated_waf_instance_to_protect_non-standard_ports_that_are_not_supported_by_the_dedicated_instance.rst b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/how_do_i_use_a_dedicated_waf_instance_to_protect_non-standard_ports_that_are_not_supported_by_the_dedicated_instance.rst index 18da85b..3bb9d37 100644 
--- a/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/how_do_i_use_a_dedicated_waf_instance_to_protect_non-standard_ports_that_are_not_supported_by_the_dedicated_instance.rst +++ b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/how_do_i_use_a_dedicated_waf_instance_to_protect_non-standard_ports_that_are_not_supported_by_the_dedicated_instance.rst @@ -24,7 +24,7 @@ Perform the following steps: In the upper left corner of the website list, click **Add Website**. On the displayed page, select **Dedicated mode**, enter the wildcard domain name **\*.example.com** corresponding to **www.example.com:1234** in the **Domain Name** text box, and select a port (for example, 81) from the **Protected Port** drop-down list. - c. Select **Yes** for **Proxy** and click **OK**. + c. Select **Yes** for **Proxy Configured** and click **Confirm**. d. Close the dialog box displayed. @@ -41,7 +41,7 @@ Perform the following steps: g. Click **Add IP as Backend Server**. In the displayed dialog box, configure **Backend Server IP Address** and **Backend Port**. - **Backend Server IP Address**: Enter the IP address of the dedicated WAF engine, which you can obtain from the dedicated engine list. - - **Backend Port**: 81, which is the same as the non-standard port you selected in :ref:`2.b `. + - **Backend Port**: 81, which is the same as the port you configured in :ref:`2.b `. h. Click **OK**. i. Click **Next: Confirm**, confirm the information, and click **Submit**. diff --git a/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/index.rst b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/index.rst index 252fe59..19119b5 100644 --- a/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/index.rst 
+++ b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/index.rst @@ -10,13 +10,15 @@ Domain Name and Port Configuration - :ref:`How Do I Use a Dedicated WAF Instance to Protect Non-Standard Ports That Are Not Supported by the Dedicated Instance? ` - :ref:`Can WAF Protect Multiple Domain Names That Point to the Same Origin Server? ` - :ref:`How Do I Configure Domain Names to Be Protected When Adding Domain Names? ` -- :ref:`Do I Have to Configure the Same Port as That of the Origin Server When Adding a Domain Name to WAF? ` +- :ref:`Do I Have to Configure the Same Port as That of the Origin Server When Adding a Website to WAF? ` - :ref:`What Can I Do If One of Ports on an Origin Server Does Not Require WAF Protection? ` - :ref:`What Data Is Required for Connecting a Domain Name/IP Address to WAF? ` - :ref:`How Do I Safely Delete a Protected Domain Name? ` - :ref:`Can I Change the Domain Name That Has Been Added to WAF? ` - :ref:`What Are the Precautions for Configuring Multiple Server Addresses for Backend Servers? ` - :ref:`Does WAF Support Wildcard Domain Names? ` +- :ref:`Can I Configure Multiple Load Balancers for a Dedicated WAF Instance? ` +- :ref:`Why Am I Seeing the "Someone else has already added this domain name. Please confirm that the domain name belongs to you" Error Message? ` .. toctree:: :maxdepth: 1 
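Review bot: In how_do_i_safely_delete_a_protected_domain_name.rst, the rewritten first precaution now opens with "In cloud mode", which leaves this Dedicated WAF guide without an equivalent precaution for dedicated mode. The non-standard-port FAQ in this same patch shows dedicated instances sitting behind a load balancer as backend servers, so the page should say what has to be repointed before a website is removed in that deployment, or drop the mode qualifier if the DNS step applies to both. Wording: "translate the domain name to the origin server IP address" should be "resolve the domain name to", and "traffic intended to the domain name" should be "traffic intended for".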
@@ -27,10 +29,12 @@ Domain Name and Port Configuration how_do_i_use_a_dedicated_waf_instance_to_protect_non-standard_ports_that_are_not_supported_by_the_dedicated_instance can_waf_protect_multiple_domain_names_that_point_to_the_same_origin_server how_do_i_configure_domain_names_to_be_protected_when_adding_domain_names - do_i_have_to_configure_the_same_port_as_that_of_the_origin_server_when_adding_a_domain_name_to_waf + do_i_have_to_configure_the_same_port_as_that_of_the_origin_server_when_adding_a_website_to_waf what_can_i_do_if_one_of_ports_on_an_origin_server_does_not_require_waf_protection what_data_is_required_for_connecting_a_domain_name_ip_address_to_waf how_do_i_safely_delete_a_protected_domain_name can_i_change_the_domain_name_that_has_been_added_to_waf what_are_the_precautions_for_configuring_multiple_server_addresses_for_backend_servers does_waf_support_wildcard_domain_names + can_i_configure_multiple_load_balancers_for_a_dedicated_waf_instance + why_am_i_seeing_the_someone_else_has_already_added_this_domain_name._please_confirm_that_the_domain_name_belongs_to_you_error_message diff --git a/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/what_data_is_required_for_connecting_a_domain_name_ip_address_to_waf.rst b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/what_data_is_required_for_connecting_a_domain_name_ip_address_to_waf.rst index 9cd2160..2a96213 100644 --- a/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/what_data_is_required_for_connecting_a_domain_name_ip_address_to_waf.rst +++ b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/what_data_is_required_for_connecting_a_domain_name_ip_address_to_waf.rst 
@@ -5,7 +5,7 @@ What Data Is Required for Connecting a Domain Name/IP Address to WAF? ===================================================================== -Prepare information required for connecting a domain name or IP address to WAF based on the mode of WAF instance you plan to buy. +Prepare information required for connecting a domain name or IP address to WAF based on the mode of WAF instance you plan to apply for. The following data is required: @@ -15,7 +15,7 @@ The following data is required: - **Client Protocol**: protocol used by a client to access a server. - **Server Protocol**: protocol over which WAF forwards client requests to the server. - - **Server Address:** IP address or domain name of the web server for client-side access. + - **Server Address**: private IP address of the website server. - **Server Port**: service port over which the WAF instance forwards client requests to the origin server. - Certificate: If HTTPS is set for **Client Protocol**, associate the certificate to WAF. diff --git a/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/which_non-standard_ports_does_waf_support.rst b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/which_non-standard_ports_does_waf_support.rst index 7b4e456..8df2a20 100644 --- a/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/which_non-standard_ports_does_waf_support.rst +++ b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/which_non-standard_ports_does_waf_support.rst 
@@ -5,7 +5,7 @@ Which Non-Standard Ports Does WAF Support? ========================================== -In addition to standard ports 80 and 443, WAF supports multiple non-standard ports. The non-standard ports vary depending on the edition and billing mode you select. +In addition to standard ports 80 and 443, WAF supports lots of non-standard ports. Supported non-standard ports vary depending on the edition and billing mode you select. Each combination of a domain name and a non-standard port is counted towards the domain name quota of the WAF edition you are using. For example, www.example.com:8080 and www.example.com:8081 use two domain names of the quota. If you want to protect web services over multiple ports with the same domain name, add the domain name and each port to WAF. diff --git a/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/why_am_i_seeing_the_someone_else_has_already_added_this_domain_name._please_confirm_that_the_domain_name_belongs_to_you_error_message.rst b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/why_am_i_seeing_the_someone_else_has_already_added_this_domain_name._please_confirm_that_the_domain_name_belongs_to_you_error_message.rst new file mode 100644 index 0000000..09f01ee --- /dev/null +++ b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/why_am_i_seeing_the_someone_else_has_already_added_this_domain_name._please_confirm_that_the_domain_name_belongs_to_you_error_message.rst 
@@ -0,0 +1,8 @@ +:original_name: waf_01_3243.html + +.. _waf_01_3243: + +Why Am I Seeing the "Someone else has already added this domain name. Please confirm that the domain name belongs to you" Error Message? +======================================================================================================================================== + +Someone else has already added this domain name. You need to confirm that the domain name belongs to you. If the domain name belongs to you, contact technical support. Your domain name might have been added to WAF under another account. If you want to add it to WAF under the current account, delete it from another account first. diff --git a/umn/source/index.rst b/umn/source/index.rst index 4e49620..558e2f8 100644 --- a/umn/source/index.rst +++ b/umn/source/index.rst @@ -6,20 +6,15 @@ Dedicated Web Application Firewall - User Guide :maxdepth: 1 service_overview/index - overview + waf_operation_guide applying_for_a_dedicated_waf_instance - enabling_waf_protection/index - website_domain_name_management/index - certificate_management/index - rule_configuration/index dashboard event_management/index - enabling_lts_for_waf_logging - policy_management/index - dedicated_waf_engine_management - managing_projects_and_enterprise_projects + configuring_protection_policies/index + website_settings/index + object_management/index + system_management/index permissions_management/index - key_operations_recorded_by_cts/index - monitored_metrics + monitoring_and_auditing/index faqs/index change_history diff --git a/umn/source/key_operations_recorded_by_cts/index.rst b/umn/source/monitoring_and_auditing/auditing/index.rst similarity index 87% rename from umn/source/key_operations_recorded_by_cts/index.rst rename to umn/source/monitoring_and_auditing/auditing/index.rst index 67fe8b2..a994f1f 100644 --- a/umn/source/key_operations_recorded_by_cts/index.rst +++ b/umn/source/monitoring_and_auditing/auditing/index.rst 
@@ -2,8 +2,8 @@ .. _waf_01_0058: -Key Operations Recorded by CTS -============================== +Auditing +======== - :ref:`WAF Operations Recorded by CTS ` CTS provides records of operations on WAF. With CTS, you can query, audit, and backtrack these operations. For details, see the *Cloud Trace Service User Guide*. diff --git a/umn/source/key_operations_recorded_by_cts/viewing_an_audit_trace.rst b/umn/source/monitoring_and_auditing/auditing/viewing_an_audit_trace.rst similarity index 100% rename from umn/source/key_operations_recorded_by_cts/viewing_an_audit_trace.rst rename to umn/source/monitoring_and_auditing/auditing/viewing_an_audit_trace.rst diff --git a/umn/source/key_operations_recorded_by_cts/waf_operations_recorded_by_cts.rst b/umn/source/monitoring_and_auditing/auditing/waf_operations_recorded_by_cts.rst similarity index 97% rename from umn/source/key_operations_recorded_by_cts/waf_operations_recorded_by_cts.rst rename to umn/source/monitoring_and_auditing/auditing/waf_operations_recorded_by_cts.rst index 7fe72ee..8f76782 100644 --- a/umn/source/key_operations_recorded_by_cts/waf_operations_recorded_by_cts.rst +++ b/umn/source/monitoring_and_auditing/auditing/waf_operations_recorded_by_cts.rst @@ -7,11 +7,7 @@ WAF Operations Recorded by CTS CTS provides records of operations on WAF. With CTS, you can query, audit, and backtrack these operations. For details, see the *Cloud Trace Service User Guide*. -:ref:`Table 1 ` lists WAF operations recorded by CTS. - -.. _waf_01_0059__table5821116193525: - -.. table:: **Table 1** WAF operations that can be recorded by CTS +.. table:: **Table 1** WAF Operations Recorded by CTS +-----------------------------------------------------------------------------------------------+---------------+---------------------+ | Operation | Resource Type | Trace Name | diff --git a/umn/source/monitoring_and_auditing/index.rst b/umn/source/monitoring_and_auditing/index.rst new file mode 100644 index 0000000..bc59a7b --- /dev/null 
+++ b/umn/source/monitoring_and_auditing/index.rst @@ -0,0 +1,16 @@ +:original_name: waf_01_8371.html + +.. _waf_01_8371: + +Monitoring and Auditing +======================= + +- :ref:`Auditing ` +- :ref:`Monitored Metrics ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + auditing/index + monitored_metrics diff --git a/umn/source/monitored_metrics.rst b/umn/source/monitoring_and_auditing/monitored_metrics.rst similarity index 100% rename from umn/source/monitored_metrics.rst rename to umn/source/monitoring_and_auditing/monitored_metrics.rst diff --git a/umn/source/certificate_management/binding_a_certificate_to_a_protected_website.rst b/umn/source/object_management/certificate_management/binding_a_certificate_to_a_protected_website.rst similarity index 92% rename from umn/source/certificate_management/binding_a_certificate_to_a_protected_website.rst rename to umn/source/object_management/certificate_management/binding_a_certificate_to_a_protected_website.rst index 9612ec7..812f809 100644 --- a/umn/source/certificate_management/binding_a_certificate_to_a_protected_website.rst +++ b/umn/source/object_management/certificate_management/binding_a_certificate_to_a_protected_website.rst @@ -54,7 +54,8 @@ Other Operations If the certificate is in use, unbind the certificate from the domain name first. Otherwise, the certificate name cannot be changed. - To view details about a certificate, click **View** in the **Operation** column of the certificate. -- To delete a certificate, locate the row of the certificate and click **Delete** in the **Operation** column. +- To delete a certificate, locate the row of the certificate and click **More** > **Delete** in the **Operation** column. +- To update a certificate, locate the row of the certificate and click **More** > **Update** in the **Operation** column. .. |image1| image:: /_static/images/en-us_image_0269497434.jpg .. |image2| image:: /_static/images/en-us_image_0000001340305457.png 
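Review bot: In umn/source/index.rst, the toctree hunk removes "enabling_lts_for_waf_logging", and none of the added entries visibly replaces it. The new monitoring_and_auditing/index.rst lists only Auditing and Monitored Metrics. Confirm the LTS logging page has been moved under one of the new sections (event_management, system_management or monitoring_and_auditing) and has not been dropped from the guide, and name its new location in the change description. The same check applies to the other removed top-level entries, such as dedicated_waf_engine_management and managing_projects_and_enterprise_projects.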
diff --git a/umn/source/certificate_management/deleting_a_certificate.rst b/umn/source/object_management/certificate_management/deleting_a_certificate.rst similarity index 100% rename from umn/source/certificate_management/deleting_a_certificate.rst rename to umn/source/object_management/certificate_management/deleting_a_certificate.rst diff --git a/umn/source/certificate_management/index.rst b/umn/source/object_management/certificate_management/index.rst similarity index 100% rename from umn/source/certificate_management/index.rst rename to umn/source/object_management/certificate_management/index.rst index 031807f..72cf0ae 100644 --- a/umn/source/certificate_management/index.rst +++ b/umn/source/object_management/certificate_management/index.rst @@ -7,8 +7,8 @@ Certificate Management - :ref:`Uploading a Certificate ` - :ref:`Binding a Certificate to a Protected Website ` -- :ref:`Deleting a Certificate ` - :ref:`Viewing Certificate Information ` +- :ref:`Deleting a Certificate ` .. toctree:: :maxdepth: 1 @@ -16,5 +16,5 @@ Certificate Management uploading_a_certificate binding_a_certificate_to_a_protected_website - deleting_a_certificate viewing_certificate_information + deleting_a_certificate diff --git a/umn/source/certificate_management/uploading_a_certificate.rst b/umn/source/object_management/certificate_management/uploading_a_certificate.rst similarity index 93% rename from umn/source/certificate_management/uploading_a_certificate.rst rename to umn/source/object_management/certificate_management/uploading_a_certificate.rst index ab17566..bad959f 100644 --- a/umn/source/certificate_management/uploading_a_certificate.rst +++ b/umn/source/object_management/certificate_management/uploading_a_certificate.rst 
@@ -7,7 +7,7 @@ Uploading a Certificate If you select **HTTPS** for **Client Protocol** when you add a website to WAF, a certificate must be associated with the website. -You can upload a certificate to WAF. Then you can directly select the uploaded certificate for the protected website. +If you upload a certificate to WAF, you can directly select the certificate when adding a website to WAF. .. note:: @@ -44,12 +44,12 @@ Procedure #. In the navigation pane, choose **Objects** > **Certificates**. -#. Click **Upload Certificate**. +#. Click **Add Certificate**. -#. In the **Upload Certificate** dialog box, enter a certificate name, and copy the certificate file and private key into the corresponding text boxes. +#. In the displayed dialog box, enter a certificate name, and copy the certificate file and private key into the corresponding text boxes. - .. figure:: /_static/images/en-us_image_0000001338097417.png + .. figure:: /_static/images/en-us_image_0000001732479705.png :alt: **Figure 1** **Upload Certificate** **Figure 1** **Upload Certificate** @@ -111,7 +111,8 @@ Other Operations - To view details about a certificate, click **View** in the **Operation** column of the certificate. - In the row containing the certificate you want, click **Use** in the **Operation** column to use the certificate to the corresponding domain name. -- To delete a certificate, locate the row of the certificate and click **Delete** in the **Operation** column. +- To delete a certificate, locate the row of the certificate and click **More** > **Delete** in the **Operation** column. +- To update a certificate, locate the row of the certificate and click **More** > **Update** in the **Operation** column. .. |image1| image:: /_static/images/en-us_image_0269497434.jpg .. |image2| image:: /_static/images/en-us_image_0000001340424693.png 
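Review bot: In uploading_a_certificate.rst, the procedure hunk renames the button to **Add Certificate** and replaces the dialog name with "the displayed dialog box", but the figure alt text and caption in the same hunk still read "**Figure 1** **Upload Certificate**" although the image file was swapped. Update the caption to match the new screenshot, or keep the dialog name if the dialog is still titled Upload Certificate. The new **More** > **Update** bullet is repeated in three pages of this patch without a link to a procedure. Point it at the update steps, or say what Update changes (certificate file, private key, or both).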
diff --git a/umn/source/certificate_management/viewing_certificate_information.rst b/umn/source/object_management/certificate_management/viewing_certificate_information.rst similarity index 83% rename from umn/source/certificate_management/viewing_certificate_information.rst rename to umn/source/object_management/certificate_management/viewing_certificate_information.rst index da62acb..abdbbfb 100644 --- a/umn/source/certificate_management/viewing_certificate_information.rst +++ b/umn/source/object_management/certificate_management/viewing_certificate_information.rst @@ -10,7 +10,7 @@ This topic describes how to view certificate details, including the certificate Prerequisites ------------- -You have created or pushed a certificate to WAF. +You have created a certificate to WAF. Procedure --------- @@ -25,6 +25,12 @@ Procedure #. View the certificate information. :ref:`Table 1 ` describes the parameters. + + .. figure:: /_static/images/en-us_image_0000001684444678.png + :alt: **Figure 1** Certificate list + + **Figure 1** Certificate list + .. _waf_01_0282__table42671747141413: .. table:: **Table 1** Certificate parameters 
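Review bot: In viewing_certificate_information.rst, the Prerequisites hunk changes the line to "You have created a certificate to WAF.", which is ungrammatical and suggests WAF issues certificates, whereas the upload page in this patch has the user paste an existing certificate file and private key. Suggest "You have uploaded a certificate to WAF." If the "or pushed" path was removed on purpose, say so in the change description. The second hunk also adds two blank lines before the figure directive; one is enough.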
@@ -40,6 +46,8 @@ Procedure +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Domain Name | The domain names protected by the certificate. Each domain name must be bound to a certificate. One certificate can be used for multiple domain names. | +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Enterprise Project | The enterprise project that the certificate belongs to. | + +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ Other Operations ---------------- 
@@ -52,7 +60,8 @@ Other Operations - To view details about a certificate, click **View** in the **Operation** column of the certificate. - In the row containing the certificate you want, click **Use** in the **Operation** column to use the certificate to the corresponding domain name. -- To delete a certificate, locate the row of the certificate and click **Delete** in the **Operation** column. +- To delete a certificate, locate the row of the certificate and click **More** > **Delete** in the **Operation** column. +- To update a certificate, locate the row of the certificate and click **More** > **Update** in the **Operation** column. .. |image1| image:: /_static/images/en-us_image_0269497434.jpg .. |image2| image:: /_static/images/en-us_image_0000001340425481.png diff --git a/umn/source/object_management/index.rst b/umn/source/object_management/index.rst new file mode 100644 index 0000000..9765c68 --- /dev/null +++ b/umn/source/object_management/index.rst @@ -0,0 +1,14 @@ +:original_name: waf_01_3276.html + +.. _waf_01_3276: + +Object Management +================= + +- :ref:`Certificate Management ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + certificate_management/index diff --git a/umn/source/overview.rst b/umn/source/overview.rst deleted file mode 100644 index f0bc164..0000000 --- a/umn/source/overview.rst +++ /dev/null 
@@ -1,120 +0,0 @@ -:original_name: waf_01_0071.html - -.. _waf_01_0071: - -Overview -======== - -Website Service Review ----------------------- - -Sort out all website services you want to protect with WAF. This helps you learn about your workloads and specific data of your workloads so that you can choose and configure appropriate protection policies. - -.. table:: **Table 1** Website services - - +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Item | Description | - +=============================================================================================================+=================================================================================================================================================================================================================================+ - | **Website and Service Information** | | - +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Daily peak traffic of website/web application services, including the bandwidth (in Mbit/s) and QPS | Use it as the basis for selecting the service bandwidth and QPS specifications. | - | | | - | | .. note:: | - | | | - | | If your website traffic peak exceeds the maximum QPS specifications you are using, WAF will stop checking the traffic and directly forward it to the origin server. There is no protection for your website or applications. 
| - +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Major user group (for example, major locations where the requests originate from) | Determine the attack source and then set geolocation access control rules to block users from these locations. | - +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Whether the service uses a C/S architecture | If yes, check whether there is an app client, Windows client, Linux client, code callback, or any other client. | - +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Location where the origin server is deployed | Decide which region you want to buy the instance. 
| - +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Operating system (Linux or Windows) and web service middleware (Apache, Nginx, or IIS) of the origin server | Check whether access control is enabled for the origin server. If yes, whitelist WAF IP addresses. | - +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Domain protocol | Check whether WAF supports the communication protocol used by your site. | - | | | - | | .. note:: | - | | | - | | WAF can protect your website only when **Client Protocol** and **Server Protocol** are configured based on the real situation of your website. | - | | | - | | - **Client Protocol**: the protocol used by a client (for example, a browser) to access your website. You can select **HTTP** or **HTTPS**. | - | | - **Server Protocol**: the protocol used by WAF to forward requests from the client (such as a browser) to the origin server. You can select **HTTP** or **HTTPS**. | - +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Service port | Check whether your service ports are within the port range supported by WAF. 
| - | | | - | | - Standard ports | - | | | - | | - 80: default port when the client protocol is HTTP | - | | - 443: default port when the client protocol is HTTPS | - | | | - | | - Non-standard ports | - | | | - | | Ports other than ports 80 and 443. For non-standard ports supported by WAF, see :ref:`Non-Standard Ports `. | - +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Whether TLSv1.0 or weak encryption suite is supported | Check whether WAF supports the encryption suite used by your site. | - +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Whether advanced anti-DDoS, CDN, or other proxy services are deployed in front of WAF. | Check whether a proxy is used and whether domain name is resolved to a correct address. | - +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Whether the client supports Server Name Indication (for HTTPS services) | If your domain name supports HTTPS, the client and server must support Server Name Indication (SNI). 
| - +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Service interaction | Understand the service interaction process and service processing logic to facilitate subsequent configuration of protection policies. | - +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Active users | Determine the severity of an attack event to take a low-risk measure to respond it. | - +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | **Services and Attacks** | | - +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Service types and features (such as games, cards, websites, or apps) | Help analyze the attack signatures. 
| - +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Inbound traffic range and connection status of a single user or a single IP address | Help determine whether a rate limiting policy can be configured per IP address. | - +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | User group attribute | For example, individual users, Internet cafe users, or proxy users | - +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Whether your website experienced large-volumetric attacks, the attack type, and maximum peak traffic | Determine whether a DDoS protection service is required and determine the DDoS protection specifications based on the peak attack traffic. 
| - +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Whether your website experienced CC attacks and the maximum peak QPS in a CC attack | Configure the protection policies based on attack signatures. | - +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Whether the pressure test has been performed | Evaluate the request processing performance of the origin server to determine whether service anomaly occurs due to attacks. | - +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - -How to Use WAF --------------- - -:ref:`Table 2 ` describes the procedure to use WAF. - -.. _waf_01_0071__table186068221358: - -.. 
table:: **Table 2** Procedure to use WAF - - +--------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Step | Description | - +======================================+==================================================================================================================================================================================================+ - | Applying for dedicated WAF instances | Apply for a dedicated WAF instance. | - | | | - | | For details, see :ref:`Applying for a Dedicated WAF Instance `. | - +--------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Adding a website to WAF | Add the website you want to protect to WAF. | - | | | - | | For details, see :ref:`Step 1: Add a Website to WAF `. | - +--------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Enabling WAF protection | Enable WAF protection to protect added website. | - | | | - | | .. note:: | - | | | - | | - Using WAF does not affect your web server performance because the WAF engine is not running on your web server. | - | | - After your domain name is connected to WAF, there will be a latency of tens of milliseconds, which might be raised based on the size of the requested page or number of incoming requests. 
| - +--------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Configuring protection rules | Use WAF built-in protection rules and configure custom rules to protect your website. For more details, see :ref:`Rule Configuration `. | - +--------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Handling false alarms | Mask blocked or logged events which are handled as false alarms. For more details, see :ref:`Handling False Alarms `. | - +--------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Viewing **Dashboard** | View protection data of yesterday, today, last 3 days, last 7 days, or last 30 days. For more details, see :ref:`Dashboard `. | - +--------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - -For details about how to connect your website to WAF, see :ref:`Figure 1 `. - -.. _waf_01_0071__fig1654619194251: - -.. figure:: /_static/images/en-us_image_0274310129.png - :alt: **Figure 1** Flowchart of connecting a website to WAF - - **Figure 1** Flowchart of connecting a website to WAF 
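Review bot: Deleting overview.rst drops the note in its Table 1 stating that WAF stops checking traffic and forwards it directly to the origin server when the traffic peak exceeds the QPS specification, and this file is where that fail-open behaviour is spelled out. Please confirm that note, together with the Client Protocol / Server Protocol and SNI requirements from the same table, is carried into whichever page replaces this one. The labels `waf_01_0071`, `waf_01_0071__table186068221358` and `waf_01_0071__fig1654619194251` go away with the file, so any remaining `:ref:` to them will fail to resolve.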
diff --git a/umn/source/managing_projects_and_enterprise_projects.rst b/umn/source/permissions_management/authorizing_and_associating_an_enterprise_project.rst similarity index 52% rename from umn/source/managing_projects_and_enterprise_projects.rst rename to umn/source/permissions_management/authorizing_and_associating_an_enterprise_project.rst index 0b067f7..1cec546 100644 --- a/umn/source/managing_projects_and_enterprise_projects.rst +++ b/umn/source/permissions_management/authorizing_and_associating_an_enterprise_project.rst 
@@ -2,29 +2,17 @@ .. _waf_01_0317: -Managing Projects and Enterprise Projects -========================================= +Authorizing and Associating an Enterprise Project +================================================= -Creating a Project and Assigning Permissions --------------------------------------------- - -- Creating a project - - Log in to the management console, click the username in the upper right corner, and select **Identity and Access Management**. In the navigation pane on the left, choose **Projects**. In the right pane, click **Create Project**. On the displayed **Create Project** page, select a region and enter a project name. - -- Authorization - - You can assign permissions (of resources and operations) to user groups to associate projects with user groups. You can add users to a user group to control which projects they can access and what resources they can perform operations on. To do so, perform the following operations: - - #. On the **User Groups** page, locate the target user group and click **Permissions** in the **Operation** column. Then, select the required cloud resource permission sets for the project. - #. On the **Users** page, locate the target user and click **Modify** in the **Operation** column. In the **Users Group** area, add a user group for the user. +Enterprise Management service provides unified cloud resource management based on enterprise projects, and resource and personnel management within enterprise projects. Enterprise projects can be managed by one or more user groups. You can create WAF enterprise projects on the Enterprise Management console to manage your WAF resources centrally. Creating an Enterprise Project and Assigning Permissions -------------------------------------------------------- - Creating an enterprise project - On the management console, click **Enterprise** in the upper right corner to go to the **Enterprise Management** page. 
In the navigation pane on the left, choose ****Enterprise** Project Management**. Then, click **Create Enterprise Project** and enter a name. + On the management console, click **Enterprise** in the upper right corner to go to the **Enterprise Management** page. Click **Create Enterprise Project** and enter a name. .. note:: @@ -41,12 +29,10 @@ Creating an Enterprise Project and Assigning Permissions To use an enterprise project to manage cloud resources, associate resources with the enterprise project. - - Associate a WAF instance with an enterprise project during purchase. - - On the page for buying WAF, select an enterprise project from the **Enterprise Project** drop-down list. + - Associate a WAF instance with an enterprise project when applying for WAF - Add WAF instances to an enterprise project after a WAF instance is purchased. - On the **Enterprise Project Management** page, add existing WAF instances purchased under your account to an enterprise project. + On the **Enterprise Project Management** page, add existing WAF instances under your account to an enterprise project. Value **default** indicates the default enterprise project. Resources that are not allocated to any enterprise projects under your account are listed in the default enterprise project. diff --git a/umn/source/permissions_management/iam_permissions_management/creating_a_user_group_and_granting_permissions.rst b/umn/source/permissions_management/iam_permissions_management/creating_a_user_group_and_granting_permissions.rst new file mode 100644 index 0000000..89d3bd6 --- /dev/null +++ b/umn/source/permissions_management/iam_permissions_management/creating_a_user_group_and_granting_permissions.rst 
@@ -0,0 +1,64 @@ +:original_name: waf_01_0098.html + +.. _waf_01_0098: + +Creating a User Group and Granting Permissions +============================================== + +With `IAM `__, you can: + +- Create IAM users for employees based on the organizational structure of your enterprise. Each IAM user has their own security credentials, providing access to WAF resources. +- Grant only the permissions required for users to perform a task. +- Entrust an account or cloud service to perform professional and efficient O&M on your WAF resources. + +If your account does not require individual IAM users, skip this chapter. + +This topic describes the procedure for granting permissions (see :ref:`Figure 1 `). + +Prerequisites +------------- + +Learn about the permissions supported by WAF in :ref:`Table 1 ` and choose policies or roles based on your requirements. For the system policies of other services, see `System Permissions `__. + +.. _waf_01_0098__table59949279269: + +.. table:: **Table 1** System policies supported by WAF + + +--------------------+-----------------------------------+-----------------------+------------------------------------------------------------------------------------------------+ + | Role/Policy Name | Description | Category | Dependencies | + +====================+===================================+=======================+================================================================================================+ + | WAF Administrator | Administrator permissions for WAF | System-defined role | Dependent on the **Tenant Guest** and **Server Administrator** roles. | + | | | | | + | | | | - **Tenant Guest**: A global role, which must be assigned in the global project. | + | | | | - **Server Administrator**: A project-level role, which must be assigned in the same project. 
| + +--------------------+-----------------------------------+-----------------------+------------------------------------------------------------------------------------------------+ + | WAF FullAccess | All permissions for WAF | System-defined policy | None. | + +--------------------+-----------------------------------+-----------------------+------------------------------------------------------------------------------------------------+ + | WAF ReadOnlyAccess | Read-only permissions for WAF. | System-defined policy | | + +--------------------+-----------------------------------+-----------------------+------------------------------------------------------------------------------------------------+ + +Process Flow +------------ + +.. _waf_01_0098__fig673713328586: + +.. figure:: /_static/images/en-us_image_0234084842.png + :alt: **Figure 1** Process for granting permissions + + **Figure 1** Process for granting permissions + +#. .. _waf_01_0098__li16514141414819: + + `Create a user group and assign permissions `__. + + Create a user group on the IAM console, and attach the **WAF Administrator** permission to the group. + +#. `Create a user and add the user to the user group `__. + + Create a user on the IAM console and add the user to the group created in :ref:`1 `. + +#. `Log in to the management console as the created user `__ and verify the permissions. + + Log in to the WAF console by using the newly created user, and verify that the user only has **WAF Administrator** permissions for WAF. + + Choose any other service in Service List. If a message appears indicating that you have insufficient permissions to access the service, the **WAF Administrator** policy has already taken effect. diff --git a/umn/source/permissions_management/iam_permissions_management/index.rst b/umn/source/permissions_management/iam_permissions_management/index.rst new file mode 100644 index 0000000..3598ddb --- /dev/null 
+++ b/umn/source/permissions_management/iam_permissions_management/index.rst @@ -0,0 +1,18 @@ +:original_name: waf_01_0096.html + +.. _waf_01_0096: + +IAM Permissions Management +========================== + +- :ref:`Creating a User Group and Granting Permissions ` +- :ref:`WAF Custom Policies ` +- :ref:`WAF Permissions and Supported Actions ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + creating_a_user_group_and_granting_permissions + waf_custom_policies + waf_permissions_and_supported_actions diff --git a/umn/source/permissions_management/waf_custom_policies.rst b/umn/source/permissions_management/iam_permissions_management/waf_custom_policies.rst similarity index 82% rename from umn/source/permissions_management/waf_custom_policies.rst rename to umn/source/permissions_management/iam_permissions_management/waf_custom_policies.rst index 864fcaf..fb52ecc 100644 --- a/umn/source/permissions_management/waf_custom_policies.rst +++ b/umn/source/permissions_management/iam_permissions_management/waf_custom_policies.rst @@ -5,7 +5,14 @@ WAF Custom Policies =================== -Custom policies can be created to supplement the system-defined policies of WAF. +Custom policies can be created to supplement the system-defined policies of WAF. For details about the actions supported by custom policies, see :ref:`WAF Permissions and Supported Actions `. + +You can create custom policies in either of the following ways: + +- Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax. +- JSON: Edit JSON policies from scratch or based on an existing policy. + +For details, see `Creating a Custom Policy `__. The following section contains examples of common WAF custom policies. Example Custom Policies ----------------------- 
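Review bot: The new introduction in waf_custom_policies.rst describes the visual editor and JSON routes but says nothing about scoping, and "Edit JSON policies from scratch or based on an existing policy" invites starting from a broader policy than the task needs. A sentence telling readers to keep only the actions required, in line with "Grant only the permissions required for users to perform a task" on the user-group page added in this change, would fit here. Also, "The following section contains examples of common WAF custom policies." is appended to the "For details, see ..." line; it reads better as its own paragraph directly above the Example Custom Policies heading.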
diff --git a/umn/source/permissions_management/waf_permissions_and_supported_actions.rst b/umn/source/permissions_management/iam_permissions_management/waf_permissions_and_supported_actions.rst similarity index 100% rename from umn/source/permissions_management/waf_permissions_and_supported_actions.rst rename to umn/source/permissions_management/iam_permissions_management/waf_permissions_and_supported_actions.rst diff --git a/umn/source/permissions_management/index.rst b/umn/source/permissions_management/index.rst index 5e224e2..448f568 100644 --- a/umn/source/permissions_management/index.rst +++ b/umn/source/permissions_management/index.rst @@ -1,16 +1,16 @@ -:original_name: waf_01_0096.html +:original_name: waf_01_3278.html -.. _waf_01_0096: +.. _waf_01_3278: Permissions Management ====================== -- :ref:`WAF Custom Policies ` -- :ref:`WAF Permissions and Supported Actions ` +- :ref:`Authorizing and Associating an Enterprise Project ` +- :ref:`IAM Permissions Management ` .. toctree:: :maxdepth: 1 :hidden: - waf_custom_policies - waf_permissions_and_supported_actions + authorizing_and_associating_an_enterprise_project + iam_permissions_management/index diff --git a/umn/source/policy_management/index.rst b/umn/source/policy_management/index.rst deleted file mode 100644 index 6d5ce57..0000000 --- a/umn/source/policy_management/index.rst +++ /dev/null @@ -1,18 +0,0 @@ -:original_name: waf_01_0055.html - -.. _waf_01_0055: - -Policy Management -================= - -- :ref:`Creating a Protection Policy ` -- :ref:`Adding Rules to One or More Policies ` -- :ref:`Applying a Policy to Your Website ` - -.. toctree:: - :maxdepth: 1 - :hidden: - - creating_a_protection_policy - adding_rules_to_one_or_more_policies - applying_a_policy_to_your_website diff --git a/umn/source/rule_configuration/configuration_guidance.rst b/umn/source/rule_configuration/configuration_guidance.rst deleted file mode 100644 index 7ab0794..0000000 
--- a/umn/source/rule_configuration/configuration_guidance.rst +++ /dev/null 
@@ -1,99 +0,0 @@ -:original_name: waf_01_0129.html - -.. _waf_01_0129: - -Configuration Guidance -====================== - -How WAF Engine Works --------------------- - -The built-in protection rules of WAF help you defend against common web application attacks, including XSS attacks, SQL injection, crawlers, and web shells. You can customize protection rules to let WAF better protect your website services using these custom rules. :ref:`Figure 1 ` shows how WAF engine built-in protection rules work. :ref:`Figure 2 ` shows the detection sequence of user-defined rules. - -.. _waf_01_0129__en-us_topic_0000001271159206_en-us_topic_0199698323_fig1628214208241: - -.. figure:: /_static/images/en-us_image_0000001286548588.png - :alt: **Figure 1** WAF engine detection process - - **Figure 1** WAF engine detection process - -.. _waf_01_0129__en-us_topic_0000001271159206_en-us_topic_0199698323_fig2084820326445: - -.. figure:: /_static/images/en-us_image_0000001338628737.png - :alt: **Figure 2** Priorities of custom protection rules - - **Figure 2** Priorities of custom protection rules - -Response actions - -- Pass: The current request is unconditionally permitted after a protection rule is matched. -- Block: The current request is blocked after a rule is matched. -- CAPTCHA: The system will perform human-machine verification after a rule is matched. -- Redirect: The system will notify you to redirect the request after a rule is matched. -- Log: Only attack information is recorded after a rule is matched. -- Mask: The system will anonymize sensitive information after a rule is matched. - -Protection Rule Configuration Methods -------------------------------------- - -WAF provides the following customized configuration methods to simplify the configuration process. Select a proper configuration method to meet your service requirements. 
- -**Method 1: Configuring protection rules for a single domain name** - -This method is recommended when you have few domain name services or have different configuration rules for domain name services. - -.. note:: - - After a domain name is added to WAF, WAF automatically associates a protection policy with the domain name, and protection rules configured for the domain name are also added to the protection policy by default. If there are domain names applicable to the protection policy, you can directly add them to the policy. For details, see :ref:`Applying a Policy to Your Website `. - -- Where to configure - - #. In the navigation pane, choose **Website Settings**. - #. In the **Policy** column of the row containing the target website, click the number to go to the **Policies** page. - -- Protection rules you can configure on the rule configuration page - - .. table:: **Table 1** Configurable protection rules - - +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------+ - | Protection Rule | Description | Reference | - +==================================================================+====================================================================================================================================================================================================================+====================================================================================================+ - | Basic web protection rules | With an extensive reputation database, WAF defends against Open Web Application Security Project (OWASP) top 10 threats, and detects and blocks threats, such as malicious scanners, IP addresses, and web shells. 
| :ref:`Configuring Basic Web Protection Rules ` | - +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------+ - | CC attack protection rules | CC attack protection rules can be customized to restrict access to a specific URL on your website based on a unique IP address, cookie, or referer field, mitigating CC attacks. | :ref:`Configuring a CC Attack Protection Rule ` | - +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------+ - | Precise protection rules | You can customize protection rules by combining HTTP headers, cookies, URLs, request parameters, and client IP addresses. | :ref:`Configuring a Precise Protection Rule ` | - +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------+ - | Blacklist and whitelist rules | You can configure blacklist and whitelist rules to block, log only, or allow access requests from specified IP addresses. 
| :ref:`Configuring an IP Address Blacklist or Whitelist Rule ` | - +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------+ - | Known attack source rules | These rules can block the IP addresses from which blocked malicious requests originate. These rules are dependent on other rules. | :ref:`Configuring a Known Attack Source Rule ` | - +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------+ - | Geolocation access control rules | You can customize these rules to allow or block requests from a specific country or region. | :ref:`Configuring a Geolocation Access Control Rule ` | - +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------+ - | Web tamper protection rules | You can configure these rules to prevent a static web page from being tampered with. 
| :ref:`Configuring a Web Tamper Protection Rule ` | - +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------+ - | Website anti-crawler protection | This function dynamically analyzes website service models and accurately identifies crawler behavior based on data risk control and bot identification systems, such as JS Challenge. | :ref:`Configuring Anti-Crawler Rules ` | - +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------+ - | Information leakage prevention rules | You can add two types of information leakage prevention rules. | :ref:`Configuring an Information Leakage Prevention Rule ` | - | | | | - | | - Sensitive information filtering: prevents disclosure of sensitive information (such as ID numbers, phone numbers, and email addresses). | | - | | - Response code interception: blocks the specified HTTP status codes. 
| | - +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------+ - | Global protection whitelist (formerly false alarm masking) rules | You can configure these rules to let WAF ignore certain rules for specific requests. | :ref:`Configuring a Global Protection Whitelist (Formerly False Alarm Masking) Rule ` | - +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------+ - | Data masking rules | You can configure data masking rules to prevent sensitive data such as passwords from being displayed in event logs. | :ref:`Configuring a Data Masking Rule ` | - +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------+ - -**Method 2: Configuring protection rules for multiple domain names** - -This method is recommended if you have many domain name services and require the same protection policy for multiple domain names. This method greatly reduces repeated configuration workloads and improves the protection efficiency. - -- Where to configure - - In the navigation pane on the left, choose **Policies**. 
- -- Procedure - - #. Add a policy. For details, see :ref:`Creating a Protection Policy `. - #. Configure protection rules. For details, see :ref:`Adding Rules to One or More Policies `. - #. Batch add multiple domain names to the policy. For details, see :ref:`Applying a Policy to Your Website `. diff --git a/umn/source/rule_configuration/configuring_a_cc_attack_protection_rule.rst b/umn/source/rule_configuration/configuring_a_cc_attack_protection_rule.rst deleted file mode 100644 index 5c90f17..0000000 --- a/umn/source/rule_configuration/configuring_a_cc_attack_protection_rule.rst +++ /dev/null 
@@ -1,219 +0,0 @@ -:original_name: waf_01_1209.html - -.. _waf_01_1209: - -Configuring a CC Attack Protection Rule -======================================= - -You can customize a CC attack protection rule to restrict access to a specific URL on your website based on an IP address, cookie, or Referer, mitigating CC attacks. To make your custom CC attack protection rules take effect, ensure that you have enabled CC attack protection. - -.. note:: - - If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the project from the **Enterprise Project** drop-down list and configure protection policies for the domain names in the project. - -Prerequisites -------------- - -A website has been added to WAF. - -Constraints ------------ - -- It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the **Events** page. -- A reference table can be added to a CC attack protection rule. The reference table takes effect for all protected domain names. -- A CC attack protection rule offers protective actions such as **Verification code** and **Block** for your choice. For example, you can configure a CC attack protection rule to block requests from a visit for 600 seconds by identifying their cookie (name field) if the visitor accessed a URL (for example, /admin*) of your website over 10 times within 60 seconds. - -Procedure ---------- - -#. Log in to the management console. -#. Click |image1| in the upper left corner of the management console and select a region or project. -#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. -#. In the navigation pane on the left, choose **Website Settings**. - -5. In the **Policy** column of the row containing the target website, click the number to go to the policy configuration page. - -6. 
In the **CC Attack Protection** configuration area, change **Status** if needed and click **Customize Rule** to go to the **CC Attack Protection** page. - - - .. figure:: /_static/images/en-us_image_0000001285588948.png - :alt: **Figure 1** CC Attack Protection configuration area - - **Figure 1** CC Attack Protection configuration area - -7. In the upper left corner of the **CC Attack Protection** page, click **Add Rule**. - -8. In the displayed dialog box, configure a CC attack protection rule by referring to :ref:`Table 1 `. - - If a visitor whose cookie is **name** accesses a page on your website where the address includes **/admin** at the end (for example, https://www.example.com/adminlogic) more than 10 times within 60 seconds, WAF blocks the requests from visitors of the same cookie **name** for 600s and returns the page configured for **Page Content**. :ref:`Figure 2 ` shows the configurations. - - .. _waf_01_1209__fig172782071413: - - .. figure:: /_static/images/en-us_image_0000001285430612.png - :alt: **Figure 2** Adding a CC attack protection rule - - **Figure 2** Adding a CC attack protection rule - - .. _waf_01_1209__table1173915209149: - - .. 
table:: **Table 1** Rule parameters - - +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------+ - | Parameter | Description | Example Value | - +=======================+=======================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+=============================================================================================+ - | Mode | - **Standard**: Only the protection path of a domain name can be restricted. | **Standard** | - | | - **Advanced**: The path, IP address, cookie, header, and params fields can all be restricted. 
| | - +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------+ - | Path | Set this parameter only when **Standard** is selected for **Mode**. | **/admin\*** | - | | | | - | | Part of the URL without the domain name. | | - | | | | - | | - Prefix match: A path ending with \* indicates that the path is used as a prefix. The \* can be used as a wildcard value. For example, to protect **/admin/test.php** or **/adminabc**, you can set **Path** to **/admin\***. | | - | | - Exact match: The path to be entered must be the same as the path to be protected. For example, to protect **/admin**, then **Path** must be set to **/admin**. | | - | | | | - | | .. note:: | | - | | | | - | | - The path supports prefix and exact matches only but does not support regular expressions. | | - | | - The path cannot contain two or more consecutive slashes. For example, **///admin**. If you enter **///admin**, WAF will convert **///** to **/**. | | - | | - The path is case-sensitive. | | - | | - If **Path** is set to **/**, all paths of the website are protected. 
| | - +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------+ - | Condition List | Set this parameter only when **Advanced** is selected for **Mode**. | **Path** **Include** **/admin** | - | | | | - | | Click **Add** to add conditions. At least one condition is required, but up to 30 conditions are allowed. If you add more than one condition, the rule will only take effect if all of the conditions are met. | | - | | | | - | | - **Field**: The options are **Path**, **IP**, **Cookie**, **Header**, and **Params**. | | - | | - **Subfield**: Configure this field only when **Cookie**, **Header**, or **Params** is selected for **Field**. | | - | | | | - | | .. important:: | | - | | | | - | | NOTICE: | | - | | The length of a subfield cannot exceed 2048 bytes. Only digits, letters, underscores (_), and hyphens (-) are allowed. | | - | | | | - | | - **Logic**: Select a logical relationship from the drop-down list. | | - | | | | - | | .. 
note:: | | - | | | | - | | If you set **Logic** to **Include any value**, **Exclude any value**, **Equal to any value**, **Not equal to any value**, **Prefix is any value**, **Prefix is not any of them**, **Suffix is any value**, or **Suffix is not any of them**, select an existing reference table. For details, see :ref:`Adding a Reference Table `. | | - | | | | - | | - **Content**: Enter or select the content that matches the condition. | | - +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------+ - | Rate Limit Mode | - **Per IP address**: A website visitor is identified by the IP address. | **Per user** | - | | - **Per user**: A website visitor is identified by the key value of **Cookie** or **Header**. | | - | | - **Other**: A website visitor is identified by the Referer field (user-defined request source). | | - | | | | - | | .. note:: | | - | | | | - | | If you set **Rate Limit Mode** to **Other**, set **Content** of **Referer** to a complete URL containing the domain name. The **Content** field supports prefix match and exact match only, but cannot contain two or more consecutive slashes, for example, **///admin**. If you enter **///admin**, WAF will convert it to **/admin**. 
| | - | | | | - | | For example, if **Path** is **/admin**, and you do not want visitors to access the page from **www.test.com**, set **Content** of **Referer** to **http://www.test.com**. | | - +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------+ - | User Identifier | This parameter is mandatory when you select **Per user** for **Rate Limit Mode**. | name | - | | | | - | | - **Cookie**: A cookie field name. You need to configure an attribute variable name in the cookie that can uniquely identify a web visitor based on your website requirements. This field does not support regular expressions. Only complete matches are supported. | | - | | | | - | | For example, if a website uses the **name** field in the cookie to uniquely identify a website visitor, select **name**. | | - | | | | - | | - **Header**: Set the user-defined HTTP header you want to protect. You need to configure the HTTP header that can identify web visitors based on your website requirements. 
| | - +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------+ - | Rate Limit | The number of requests allowed from a website visitor in the rate limit period. If the number of requests exceeds the rate limit, WAF takes the action you configure for **Protective Action**. | **10** requests allowed in **60** seconds | - | | | | - | | **All WAF instances**: Requests to on one or more WAF instances will be counted together according to the rate limit mode you select. By default, requests to each WAF instance are counted. If you enable this, WAF will count requests to all your WAF instances for triggering this rule. To enable user-based rate limiting, **Per user** or **Other** (**Referer** must be configured) instead of **Per IP address** must be selected for **Rate Limit Mode**. This is because IP address-based rate limiting cannot limit the access rate of a specific user. However, in user-based rate limiting, requests may be forwarded to one or more WAF instances. Therefore, **All WAF instances** must be enabled for triggering the rule precisely. 
| | - +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------+ - | Protective Action | The action that WAF will take if the number of requests exceeds **Rate Limit** you configured. The options are as follows: | **Block** | - | | | | - | | - **Verification code**: WAF allows requests that trigger the rule as long as your website visitors complete the required verification. | | - | | | | - | | - **Block**: WAF blocks requests that trigger the rule. | | - | | | | - | | - **Block dynamically**: WAF blocks requests that trigger the rule based on **Allowable Frequency**, which you configure after the first rate limit period is over. | | - | | | | - | | The protective action is supported only when **Advanced** is selected for **Mode**. | | - | | | | - | | - **Log only**: WAF only logs requests that trigger the rule. You can :ref:`download event data ` and view the protection logs of a specific domain name. 
| | - +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------+ - | Allowable Frequency | This parameter can be set if you select **Block dynamically** for **Protective Action**. | **8** requests allowed in **60** seconds | - | | | | - | | WAF blocks requests that trigger the rule based on **Rate Limit** first. Then, in the following rate limit period, WAF blocks requests that trigger the rule based on **Allowable Frequency** you configure. | | - | | | | - | | **Allowable Frequency** cannot be larger than **Rate Limit**. | | - | | | | - | | .. note:: | | - | | | | - | | If you set **Allowable Frequency** to **0**, WAF blocks all requests that trigger the rule in the next rate limit period. 
| | - +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------+ - | Block Duration | Period of time for which to block the item when you set **Protective Action** to **Block**. | **600** seconds | - +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------+ - | Block Page | The page displayed if the maximum number of requests has been reached. 
This parameter is configured only when **Protective Action** is set to **Block**. | **Custom** | - | | | | - | | - If you select **Default settings**, the default block page is displayed. | | - | | - If you select **Custom**, a custom error message is displayed. | | - +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------+ - | Block Page Type | If you select **Custom** for **Block Page**, select a type of block page. 
The options are: | **text/html** | - | | | | - | | - **application/jsontext/html** | | - | | - **text/htmltext/xml** | | - | | - **text/xml** | | - +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------+ - | Page Content | If you select **Custom** for **Block Page**, configure the content to be returned. 
| Page content styles corresponding to different page types are as follows: | - | | | | - | | | - **text/html**: Forbidden | - | | | - **application/json**: {"msg": "Forbidden"} | - | | | - **text/xml**: Forbidden | - +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------+ - | Rule Description | A description of the rule. This parameter is optional. 
| None | - +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------+ - -9. Click **Confirm**. You can then view the added CC attack protection rule in the CC rule list. - - - To disable a rule, click **Disable** in the **Operation** column of the rule. The default **Rule Status** is **Enabled**. - - To modify a rule, click **Modify** in the row containing the rule. - - To delete a rule, click **Delete** in the row containing the rule. - -Protection Effect ------------------ - -If you have configured a CC attack protection rule for your domain name, with **Protective Action** set to **Block**, as shown in :ref:`Figure 2 `, to verify WAF is protecting your website (**www.example.com**) against the configured CC attack protection rule: - -#. Clear the browser cache and enter the domain name in the address box of a browser to check whether the website is accessible. - - - If the website is inaccessible, connect the website domain name to WAF by following the instructions in :ref:`Step 1: Add a Website to WAF `. - - If the website is accessible, go to :ref:`Step 2 `. - -#. .. 
_waf_01_1209__li88102353919: - - Clear the browser cache, enter **http://www.example.com/admin** in the address bar, and refresh the page 10 times within 60 seconds. In normal cases, the custom block page will be displayed the eleventh time you refresh the page, and the requested page will be accessible when you refresh the page 600 seconds later. - - If you select **Verification code** for protective action, a verification code is required for visitors to continue the access if they exceed the configured rate limit. - - |image3| - -#. Return to the WAF console. In the navigation pane, choose **Events**. On the displayed page, view or :ref:`download events data `. - -Configuration Example - Verification Code ------------------------------------------ - -If domain name **www.example.com** has been connected to WAF, perform the following steps to verify that WAF CAPTCHA verification is enabled. - -#. Add a CC attack protection rule with **Protection Action** set to **Verification code**. - -#. Enable CC attack protection. - - - .. figure:: /_static/images/en-us_image_0000001285588948.png - :alt: **Figure 3** CC Attack Protection configuration area - - **Figure 3** CC Attack Protection configuration area - -#. Clear the browser cache and access http://www.example.com/admin/. - - If you access the page for 10 times within 60 seconds, a verification code is required when you attempt to access the page for the eleventh time. You need to enter the verification code to continue the access. - - |image4| - -#. Go to the WAF console. In the navigation pane on the left, choose **Events**. View the event on the **Events** page. - -.. |image1| image:: /_static/images/en-us_image_0000001493489874.jpg -.. |image2| image:: /_static/images/en-us_image_0000001340585569.png -.. |image3| image:: /_static/images/en-us_image_0000001191376107.jpg -.. |image4| image:: /_static/images/en-us_image_0000001224193241.jpg 
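Review bot: the removed "Protection Effect" and "Configuration Example - Verification Code" sections of the CC attack protection page are the only lines visible in this patch that tell an operator how to confirm a rate-limit rule actually fires (refresh 10 times within 60 seconds, block page or verification code on the eleventh request, access restored 600 seconds later). The functions.rst table added later in this patch covers CC protection in a single descriptive row with no verification steps. Please state in the commit description where this procedure now lives, or keep it. If the text is carried over to a new page, change "**Protection Action**" in step 1 of the example to "**Protective Action**", the label the rest of the removed page uses.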
diff --git a/umn/source/rule_configuration/configuring_a_geolocation_access_control_rule.rst b/umn/source/rule_configuration/configuring_a_geolocation_access_control_rule.rst deleted file mode 100644 index 4dde8ab..0000000 --- a/umn/source/rule_configuration/configuring_a_geolocation_access_control_rule.rst +++ /dev/null 
@@ -1,93 +0,0 @@ -:original_name: waf_01_0013.html - -.. _waf_01_0013: - -Configuring a Geolocation Access Control Rule -============================================= - -This topic describes how to configure a geolocation access control rule. A geolocation access control rule allows you to control IP addresses forwarded from or to specified countries and regions. - -Prerequisites -------------- - -A website has been added to WAF. - -Constraints ------------ - -- One region can be configured in only one geolocation access control rule. -- It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the **Events** page. - -.. _waf_01_0013__section61533550183130: - -Procedure ---------- - -#. Log in to the management console. - -#. Click |image1| in the upper left corner of the management console and select a region or project. - -#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. - -#. In the navigation pane on the left, choose **Website Settings**. - -#. In the **Policy** column of the row containing the target website, click the number to go to the **Policies** page. - -#. In the **Geolocation Access Control** configuration area, change **Status** if needed and click **Customize Rule**. - - - .. figure:: /_static/images/en-us_image_0000001285950994.png - :alt: **Figure 1** Geolocation Access Control configuration area - - **Figure 1** Geolocation Access Control configuration area - -#. In the upper left corner of the **Geolocation Access Control** page, click **Add Rule**. - -#. In the displayed dialog box, add a geolocation access control rule by referring to :ref:`Table 1 `. - - - .. figure:: /_static/images/en-us_image_0000001377911005.png - :alt: **Figure 2** Adding a geolocation access control rule - - **Figure 2** Adding a geolocation access control rule - - .. _waf_01_0013__table157961352154713: - - .. 
table:: **Table 1** Rule parameters - - +-------------------+------------------------------------------------------------------------------------------------+---------------+ - | Parameter | Description | Example Value | - +===================+================================================================================================+===============+ - | Rule Description | A brief description of the rule. This parameter is optional. | waf | - +-------------------+------------------------------------------------------------------------------------------------+---------------+ - | Geolocation | Geographical scope of the IP address. | ``-`` | - +-------------------+------------------------------------------------------------------------------------------------+---------------+ - | Protective Action | Action WAF will take if the rule is hit. You can select **Block**, **Allow**, or **Log only**. | **Block** | - +-------------------+------------------------------------------------------------------------------------------------+---------------+ - -#. Click **Confirm**. You can then view the added rule in the list of the geolocation access control rules. - - - To disable a rule, click **Disable** in the **Operation** column of the rule. The default **Rule Status** is **Enabled**. - - To modify a rule, click **Modify** in the row containing the rule. - - To delete a rule, click **Delete** in the row containing the rule. - -Protection Effect ------------------ - -To verify WAF is protecting your website (**www.example.com**) against a rule: - -#. Clear the browser cache and enter the domain name in the address box of a browser to check whether the website is accessible. - - - If the website is inaccessible, connect the website domain name to WAF by following the instructions in :ref:`Step 1: Add a Website to WAF `. - - If the website is accessible, go to :ref:`2 `. - -#. .. 
_waf_01_0013__li885731953512: - - Add a geolocation access control rule by referring to :ref:`Procedure `. - -#. Clear the browser cache and access **http://www.example.com**. Normally, WAF blocks such requests and returns the block page. - -#. Go to the WAF console. In the navigation pane on the left, choose **Events**. On the displayed page, view or :ref:`download events data `. - -.. |image1| image:: /_static/images/en-us_image_0000001482227824.jpg -.. |image2| image:: /_static/images/en-us_image_0000001340306233.png diff --git a/umn/source/rule_configuration/index.rst b/umn/source/rule_configuration/index.rst deleted file mode 100644 index 6ae3059..0000000 --- a/umn/source/rule_configuration/index.rst +++ /dev/null 
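Review bot: in the deletion of configuring_a_geolocation_access_control_rule.rst, the labels waf_01_0013, waf_01_0013__section61533550183130, waf_01_0013__table157961352154713 and waf_01_0013__li885731953512 disappear with the file, so any :ref: to them left elsewhere in the tree becomes an undefined-label warning at build time; please grep for waf_01_0013 before merging. The removed Table 1 also documents three protective actions ("You can select **Block**, **Allow**, or **Log only**"), while the replacement row added to functions.rst in this patch only says the rules "allow or block requests". If **Log only** is still supported, the new text should say so, and the two removed constraints (one region per rule, several minutes for a rule to take effect) need a new home.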
@@ -1,38 +0,0 @@ -:original_name: waf_01_0007.html - -.. _waf_01_0007: - -Rule Configuration -================== - -- :ref:`Configuration Guidance ` -- :ref:`Configuring Basic Web Protection Rules ` -- :ref:`Configuring a CC Attack Protection Rule ` -- :ref:`Configuring a Precise Protection Rule ` -- :ref:`Adding a Reference Table ` -- :ref:`Configuring an IP Address Blacklist or Whitelist Rule ` -- :ref:`Configuring a Known Attack Source Rule ` -- :ref:`Configuring a Geolocation Access Control Rule ` -- :ref:`Configuring a Web Tamper Protection Rule ` -- :ref:`Configuring Anti-Crawler Rules ` -- :ref:`Configuring an Information Leakage Prevention Rule ` -- :ref:`Configuring a Global Protection Whitelist (Formerly False Alarm Masking) Rule ` -- :ref:`Configuring a Data Masking Rule ` - -.. toctree:: - :maxdepth: 1 - :hidden: - - configuration_guidance - configuring_basic_web_protection_rules - configuring_a_cc_attack_protection_rule - configuring_a_precise_protection_rule - adding_a_reference_table - configuring_an_ip_address_blacklist_or_whitelist_rule - configuring_a_known_attack_source_rule - configuring_a_geolocation_access_control_rule - configuring_a_web_tamper_protection_rule - configuring_anti-crawler_rules - configuring_an_information_leakage_prevention_rule - configuring_a_global_protection_whitelist_formerly_false_alarm_masking_rule - configuring_a_data_masking_rule diff --git a/umn/source/service_overview/functions.rst b/umn/source/service_overview/functions.rst index 0bb6a58..d0c9fbe 100644 --- a/umn/source/service_overview/functions.rst +++ b/umn/source/service_overview/functions.rst 
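Review bot: deleting rule_configuration/index.rst removes the only toctree visible here for the thirteen rule pages (configuration_guidance through configuring_a_data_masking_rule), so each of those documents must be deleted or re-homed under another toctree in this same change, otherwise Sphinx reports them as not included in any toctree. The parent toctree entry for rule_configuration/index and any :ref: to waf_01_0007 also have to be dropped or repointed; neither is visible in the hunks shown, so please confirm they are covered.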
@@ -5,184 +5,94 @@ Functions ========= -WAF makes it easier for you to handle web security risks. - -Protection for IP Addresses and Domain Names (Wildcard, Top-level, and Second-Level Domain Names) -------------------------------------------------------------------------------------------------- - -Objects supported by dedicated WAF instances: domain names or IP addresses of web applications on a cloud or on-premises data centers - -HTTP/HTTPS Service Protection ------------------------------ - -WAF keeps applications stable and secure. It examines HTTP and HTTPS requests to detect and block attacks, such as Structure Query Language (SQL) injections, cross-site scripting (XSS), web shell upload, command or code injections, file inclusion, sensitive file access, third-party vulnerability exploits, CC attacks, malicious crawlers, and cross-site request forgery (CSRF). - -WebSocket/WebSockets --------------------- - -WAF supports the WebSocket/WebSockets protocol, which is enabled by default. - -PCI DSS/PCI 3DS Compliance Certification and TLS Checks -------------------------------------------------------- - -- TLS has three versions (TLS v1.0, TLS v1.1, and TLS v1.2) and five cipher suites. You can select the one best fits your business needs. -- WAF supports PCI DSS and PCI 3DS compliance certification check. - -Basic Web Protection --------------------- - -With an extensive preset reputation database, WAF defends against Open Web Application Security Project (OWASP) top 10 threats, malicious scanners, IP addresses, web shells, and other threats. - -- All-around protection - - WAF detects and blocks varied attacks, such as SQL injection, XSS, remote overflow vulnerabilities, file inclusions, Bash vulnerabilities, directory (path) traversal attacks, sensitive file access, command and code injections, web shells, backdoors, malicious HTTP requests, and third-party vulnerability exploits. 
- -- Web shell detection - - WAF protects against web shells from upload interface. - -- Precise identification - - - WAF uses built-in semantic analysis engine and regex engine and supports configuring of blacklist/whitelist rules, which reduces false positives. - - - WAF supports anti-escape and automatic restoration of common codes, which improves the capability of recognizing deformation web attacks. - - WAF can decode the following types of code: url_encode, Unicode, XML, OCT, hexadecimal, HTML escape, and base64 code, case confusion, JavaScript, shell, and PHP concatenation confusion - -- Deep inspection - - WAF identifies and blocks evasion attacks, such as the ones that use homomorphic character obfuscation, command injection with deformed wildcard characters, UTF7, data URI scheme, and other techniques. - -- Header detection - - WAF detects all header fields in the requests. - -CC Attack Prevention --------------------- - -A CC attack protection rule can limit access to a specific path (URL) of the protected website based on a specific IP address, cookie, or referer in access requests. So, WAF can accurately identify and mitigate CC attacks, such as brute-force attacks by exploiting weak passwords. Protective actions of CC attack protection rules include **Verification code**, **Block**, **Dynamically block**, and **Log only**. - -- Flexible policy configuration - - WAF allows you to flexibly set rate limiting policies by IP address, cookie, or Referer field. - -- Returned page customization - - You can customize returned content and page types to meet diverse service needs. - -GUI-based Security Data ------------------------ - -WAF provides a GUI-based interface for you to monitor attack information and event logs in real time. - -- Centralized policy configuration - - On the WAF console, you can configure policies applicable to multiple protected domain names in a centralized manner so that the policies can be quickly delivered and take effect. 
- -- Traffic and event statistics - - WAF displays the number of requests, the number and types of security events, and log information in real time. - -.. _waf_01_0094__section13907174905412: - -Non-Standard Ports ------------------- - -WAF can protect standard ports, such as 80 and 443 and a wide range of non-standard ports. - -.. table:: **Table 1** Supported ports - - +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+ - | Port Category | HTTP Protocol | HTTPS Protocol | Port Limit | - 
+===================================+===========================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+============================================================================================================================================================================================================+============+ - | Standard ports | 80 | 443 | Unlimited | - 
+-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+ - | Non-standard ports (182 in total) | 9945, 9770, 81, 82, 83, 84, 88, 89, 800, 808, 1000, 1090, 3128, 3333, 3501, 3601, 4444, 5000, 5222, 5555, 5601, 6001, 6666, 6788, 6789, 6842, 6868, 7000, 7001, 7002, 7003, 7004, 7005, 7006, 7009, 7010, 7011, 7012, 7013, 7014, 7015, 7016, 7018, 7019, 7020, 7021, 7022, 7023, 7024, 7025, 7026, 7070, 7081, 7082, 7083, 7088, 7097, 7777, 7800, 7979, 8000, 8001, 8002, 8003, 8008, 8009, 8010, 8020, 8021, 8022, 8025, 8026, 8077, 8078, 8080, 8085, 8086, 8087, 8088, 8089, 8090, 8091, 8092, 8093, 8094, 8095, 8096, 8097, 8098, 8106, 8118, 8181, 8334, 8336, 8800, 8686, 8888, 8889, 8989, 8999, 9000, 9001, 9002, 9003, 9080, 9200, 9802, 10000, 10001, 10080, 12601, 86, 9021, 9023, 9027, 9037, 9081, 9082, 9201, 9205, 9207, 9208, 9209, 9210, 9211, 9212, 9213, 48800, 87, 97, 7510, 9180, 9898, 9908, 9916, 9918, 9919, 
9928, 9929, 9939, 28080, 33702, 8011, 8012, 8013, 8014, 8015, 8016, 8017, and 8070 | 8750, 8445, 18010, 4443, 5443, 6443, 7443, 8081, 8082, 8083, 8084, 8443, 8843, 9443, 8553, 8663, 9553, 9663, 18110, 18381, 18980, 28443, 18443, 8033, 18000, 19000, 7072, 7073, 8803, 8804, 8805, and 9999 | Unlimited | - +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+ - -Precise Protection ------------------- - -Support precise logic- and parameter-based access control policies. - -- A variety of parameter conditions - - Set conditions with combinations of common HTTP parameters, such as **IP**, **URL**, **Referer**, **User Agent**, **Params**, and **Header**. - -- Abundant logical conditions - - WAF blocks or allows traffic based on logical conditions, such as "Include", "Exclude", "Equal to", "Not equal to", "Prefix is", and "Prefix is not." 
- -Malicious Scanner and Crawler Prevention ----------------------------------------- - -Blocks web page crawling with user-defined scanner and crawler rules. This feature improves protection accuracy. - -IP Address Blacklist and Whitelist ----------------------------------- - -This function allows you to blacklist or whitelist IP addresses or an IP address range to improve defense accuracy. - -Known Attack Source -------------------- - -- If WAF blocks a malicious request by IP address, Cookie, or Params, you can configure a known attack source rule to let WAF automatically block all requests from the attack source for a blocking duration set in the known attack source rule. -- Known attack source rules can be set based on attacks blocked against the basic web protection, precise access protection, and blacklist and whitelist rules. - -Connection Protection ---------------------- - -If a large number of 502 Bad Gateway and 504 Gateway Timeout errors are detected, you can enable WAF breakdown protection and connection protection to let WAF suspend your website and protect your origin servers from being crashed. When the 502/504 error requests and pending URL requests reach the thresholds you configure, WAF enables corresponding protection for your website. - -Configuring Connection Timeout ------------------------------- - -- The default timeout duration for connections between a browser and WAF is 120 seconds, which cannot be manually set. - -- The default timeout duration for connections between WAF and your origin server is 60 seconds. You can customize a timeout duration. - - In the **Basic Information** area on the website information page, enable **Timeout Settings**. Then, click |image1| next to **WAF-to-Server Connection Timeout**, **Read Timeout**, and **Write Timeout**, modify settings one by one, and click |image2| to save. 
- -Geolocation Access Control --------------------------- - -You can allow some web requests and block others based on the geographical locations of IP addresses that the requests originate from. - -Web Page Tampering Prevention ------------------------------ - -You can configure cache for static web pages. When a user accesses a web page, the system returns a cached page to the user and randomly checks whether the page is tampered with. - -Anti-Crawler Protection ------------------------ - -WAF dynamically analyzes your website service models and accurately identifies crawler behavior based on data risk control and bot identification systems. - -Global Protection Whitelist (Formerly False Alarm Masking) ----------------------------------------------------------- - -This function enables you to ignore certain attack detection rules for specific requests. - -Data Masking ------------- - -WAF masks sensitive information, such as usernames and passwords, in the event log. - -Information Leakage Prevention ------------------------------- - -WAF prevents your sensitive information from being disclosed on web pages, such as ID numbers, phone numbers, and email addresses. - -Reliable --------- - -WAF can be deployed on multiple clusters in multiple regions based on the load balancing principle. This can prevent single point of failures (SPOFs) and ensure online smooth capacity expansion, maximizing service stability. - -Event Management ----------------- - -- WAF allows you to view and handle false alarms for blocked or logged events. -- You can download events data over the past five days. - -.. |image1| image:: /_static/images/en-us_image_0000001326514597.png -.. |image2| image:: /_static/images/en-us_image_0000001275434812.png +WAF helps you protect services from various web security risks. The following table lists the functions of WAF. 
+ ++-------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Function | | Description | ++=====================================+===================================================================================================================================================================================================================================================================+===============================================================================================================================================================================================================================================================================================================================+ +| Service configuration | Protection for IP addresses and domain names (wildcard, top-level, and second-level domain names) | Objects supported by dedicated WAF instances: domain names or IP addresses of web applications on a cloud or on-premises data center | 
++-------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| | HTTP/HTTPS service protection | WAF can protect HTTP and HTTPS traffic for a website. | ++-------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| | WebSocket/WebSockets | WAF can check WebSocket and WebSockets requests, which is enabled by default. 
| ++-------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| | Non-standard port protection | In addition to standard ports 80 and 443, WAF also supports non-standard ports. | ++-------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Web application security protection | Basic Web Protection | With an extensive reputation database, WAF defends against Open Web Application Security Project (OWASP) top 10 threats, and detects and blocks threats, such as malicious scanners, IP addresses, and web shells. | +| | | | +| | .. note:: | - All-around protection | +| | | | +| | If you set **Protective Action** to **Block**, you can use the known attack source function. It means that if WAF blocks malicious requests from a visitor, you can enable this function to let WAF block requests from the same visitor for a period of time. 
| WAF detects and blocks varied attacks, such as SQL injection, XSS, remote overflow vulnerabilities, file inclusions, Bash vulnerabilities, directory (path) traversal attacks, sensitive file access, command and code injections, web shells, backdoors, malicious HTTP requests, and third-party vulnerability exploits. | +| | | | +| | | - Web shell detection | +| | | | +| | | WAF protects against web shells from upload interface. | +| | | | +| | | - Precise identification | +| | | | +| | | - WAF uses built-in semantic analysis engine and regex engine and supports configuring of blacklist/whitelist rules, which reduces false positives. | +| | | | +| | | - WAF supports anti-escape and automatic restoration of common codes, which improves the capability of recognizing deformation web attacks. | +| | | | +| | | WAF can decode the following types of code: url_encode, Unicode, XML, OCT, hexadecimal, HTML escape, and base64 code, case confusion, JavaScript, shell, and PHP concatenation confusion | +| | | | +| | | - Deep inspection | +| | | | +| | | WAF identifies and blocks evasion attacks, such as the ones that use homomorphic character obfuscation, command injection with deformed wildcard characters, UTF7, data URI scheme, and other techniques. | +| | | | +| | | - Header detection | +| | | | +| | | WAF detects all header fields in the requests. 
| ++-------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| | CC attack protection rules | WAF can restrict access to a specific URL on your website based on a unique IP address, cookie, or referer field, mitigating CC attacks. | ++-------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| | Precise protection rules | WAF enables you to combine common HTTP fields (such as IP, path, referer, user agent, and params) to configure powerful and precise access control policies. You can configure precision protection rules to protect workloads from hotlinking and block requests with empty fields. | +| | | | +| | .. note:: | | +| | | | +| | If you set **Protective Action** to **Block**, you can use the known attack source function. 
It means that if WAF blocks malicious requests from a visitor, you can enable this function to let WAF block requests from the same visitor for a period of time. | | ++-------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| | Blacklist and whitelist rules | You can configure blacklist and whitelist rules to block, log only, or allow access requests from specified IP addresses. | +| | | | +| | .. note:: | | +| | | | +| | If you set **Protective Action** to **Block**, you can use the known attack source function. It means that if WAF blocks malicious requests from a visitor, WAF will proactively block requests from the same visitor for a period of time. | | ++-------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| | Geolocation access control rules | You can customize these rules to allow or block requests from a specific country or region. 
| ++-------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| | Web tamper protection rules | You can configure these rules to prevent a static web page from being tampered with. | ++-------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| | Website anti-crawler protection | WAF dynamically analyzes your website service models and accurately identifies crawler behavior based on data risk control and bot identification systems. 
| ++-------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| | Information leakage prevention rules | You can add two types of information leakage prevention rules. | +| | | | +| | | - Sensitive information filtering: prevents disclosure of sensitive information (such as ID numbers, phone numbers, and email addresses). | +| | | - Response code interception: blocks the specified HTTP status codes. | ++-------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| | Global protection whitelist (formerly false alarm masking) rules | This function ignores certain attack detection rules for specific requests. 
| ++-------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| | Data masking rules | You can configure data masking rules to prevent sensitive data such as passwords from being displayed in event logs. | ++-------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Advanced settings | PCI DSS/PCI 3DS compliance certification and TLS checks | - TLS has three versions (TLS v1.0, TLS v1.1, and TLS v1.2) and seven cipher suites. You can select the one best fits your business needs. | +| | | - WAF supports PCI DSS and PCI 3DS compliance certification check. 
| ++-------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| | Connection protection | When the 502/504 error requests and pending URL requests reach the thresholds you configure, WAF enables corresponding protection for your website. | ++-------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| | Configuring connection timeout | - The default timeout period for connections from a browser to WAF is 120 seconds. The value varies depending on your browser settings and cannot be changed on the WAF console page. | +| | | - The default timeout duration for connections between WAF and your origin server is 60 seconds. You can customize a timeout duration on the WAF console. 
| ++-------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Event management | | - WAF allows you to view and handle false alarms for blocked or logged events. | +| | | - You can download events data over the past five days. | ++-------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| GUI-based security data | | WAF provides a GUI-based interface for you to monitor attack information and event logs in real time. | +| | | | +| | | - Centralized policy configuration | +| | | | +| | | On the WAF console, you can configure policies applicable to multiple protected domain names in a centralized manner so that the policies can be quickly delivered and take effect. | +| | | | +| | | - Traffic and event statistics | +| | | | +| | | WAF displays the number of requests, the number and types of security events, and log information in real time. 
| ++-------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| High flexibility and reliability | | WAF can be deployed on multiple clusters in multiple regions based on the load balancing principle. This can prevent single points of failure (SPOFs) and ensure online smooth capacity expansion, maximizing service stability. | ++-------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ diff --git a/umn/source/service_overview/product_advantages.rst b/umn/source/service_overview/product_advantages.rst index 3dd4cc4..8cbe66e 100644 --- a/umn/source/service_overview/product_advantages.rst +++ b/umn/source/service_overview/product_advantages.rst 
@@ -13,11 +13,6 @@ Precisely and Efficiently Identify Threats - WAF uses rule and AI dual engines and integrates our latest security rules and best practices. - You can configure enterprise-grade policies to protect your website more precisely, including custom alarm pages, combining multiple conditions in a CC attack protection rule, and blacklisting or whitelisting a large number of IP addresses. -Zero-Day Vulnerabilities Patched Fast -------------------------------------- - -A specialized security team provides 24/7 service support to fix zero-day vulnerabilities within 2 hours. - Strong Protection for User Data Privacy --------------------------------------- diff --git a/umn/source/service_overview/product_specifications.rst b/umn/source/service_overview/product_specifications.rst index 3e9bb6e..61821c0 100644 --- a/umn/source/service_overview/product_specifications.rst +++ b/umn/source/service_overview/product_specifications.rst 
@@ -42,54 +42,69 @@ For more details, see :ref:`Table 2 `. .. table:: **Table 2** Applicable service scale - +---------------------------------------------------------------------------+------------------------------------------------------------------------------------+ - | Service Metrics | Specifications | - +===========================================================================+====================================================================================+ - | Peak rate of normal service requests | - Specifications: WI-500. Referenced performance: | - | | | - | | - Throughput: 500 Mbit/s; QPS: 10,000 | - | | - WAF-to-Server connections supported: 60,000 per instance or 5,000 per domain | - | | | - | | - Specifications: WI-100. Referenced performance: | - | | | - | | - Throughput: 100 Mbit/s; QPS: 2,000 | - | | - WAF-to-Server connections supported: 60,000 per instance or 5,000 per domain | - +---------------------------------------------------------------------------+------------------------------------------------------------------------------------+ - | Service bandwidth threshold (The origin server is deployed on the cloud.) | - Specifications: WI-500. Referenced performance: | - | | | - | | - Throughput: 500 Mbit/s; QPS: 10,000 | - | | - WAF-to-Server connections supported: 60,000 per instance or 5,000 per domain | - | | | - | | - Specifications: WI-100. 
Referenced performance: | - | | | - | | - Throughput: 100 Mbit/s; QPS: 2,000 | - | | - WAF-to-Server connections supported: 60,000 per instance or 5,000 per domain | - +---------------------------------------------------------------------------+------------------------------------------------------------------------------------+ - | Number of domain names | 2,000 (Supports 2,000 top-level domain names) | - +---------------------------------------------------------------------------+------------------------------------------------------------------------------------+ - | Quantity of supported ports | - Standard ports: Unlimited | - | | - Non-standard ports: Unlimited | - +---------------------------------------------------------------------------+------------------------------------------------------------------------------------+ - | Peak rate of CC attack protection | 500,000 QPS | - +---------------------------------------------------------------------------+------------------------------------------------------------------------------------+ - | CC attack protection rules | 100 | - +---------------------------------------------------------------------------+------------------------------------------------------------------------------------+ - | Precise protection rules | 100 | - +---------------------------------------------------------------------------+------------------------------------------------------------------------------------+ - | Reference table rules | 100 | - +---------------------------------------------------------------------------+------------------------------------------------------------------------------------+ - | IP address blacklist and whitelist rules | 100 | - +---------------------------------------------------------------------------+------------------------------------------------------------------------------------+ - | Geolocation access control rules | 100 | - 
+---------------------------------------------------------------------------+------------------------------------------------------------------------------------+ - | Web tamper protection rules | 100 | - +---------------------------------------------------------------------------+------------------------------------------------------------------------------------+ - | Information leakage prevention rules | 100 | - +---------------------------------------------------------------------------+------------------------------------------------------------------------------------+ - | Global Protection Whitelist (Formerly False Alarm Masking) | 1,000 | - +---------------------------------------------------------------------------+------------------------------------------------------------------------------------+ - | Data masking rules | 100 | - +---------------------------------------------------------------------------+------------------------------------------------------------------------------------+ + +------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Service Metrics | Specifications | + +============================================================+==========================================================================================================================================================================================================+ + | Peak rate of normal service requests | The following lists the specifications of a single instance. | + | | | + | | - Specifications: WI-500. Referenced performance: | + | | | + | | - HTTP services - Recommended QPS: 5,000. Maximum QPS: 10,000. | + | | - HTTPS services - Recommended QPS: 4,000. Maximum QPS: 8,000. 
| + | | - WebSocket service - Maximum concurrent connections: 5,000 | + | | - Maximum WAF-to-server persistent connections: 60,000 | + | | | + | | - Specifications: WI-100. Referenced performance: | + | | | + | | - HTTP services - Recommended QPS: 1,000. Maximum QPS: 2,000. | + | | - HTTPS services - Recommended QPS: 800. Maximum QPS: 1,600 | + | | - WebSocket service - Maximum concurrent connections: 1,000 | + | | - Maximum WAF-to-server persistent connections: 60,000 | + | | | + | | .. important:: | + | | | + | | NOTICE: | + | | Maximum QPS values are for reference only. They may vary depending on your businesses. The real-world QPS is related to the request size and the type and quantity of protection rules you customize. | + +------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Service bandwidth threshold | - Specifications: WI-500. Referenced performance: | + | | | + | | Throughput: 500 Mbit/s | + | | | + | | - Specifications: WI-100. 
Referenced performance: | + | | | + | | Throughput: 100 Mbit/s | + +------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Number of domain names | 2,000 (Supports 2,000 top-level domain names) | + +------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Quantity of supported ports | - Standard ports: Unlimited | + | | - Non-standard ports: Unlimited | + +------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Peak rate of CC attack protection | - Specifications: WI-500. Referenced performance: | + | | | + | | Maximum QPS: 20,000 | + | | | + | | - Specifications: WI-100. 
Referenced performance: | + | | | + | | Maximum QPS: 4,000 | + +------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | CC attack protection rules | 100 | + +------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Precise protection rules | 100 | + +------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Reference table rules | 100 | + +------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | IP address blacklist and whitelist rules | 1,000 | + +------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Geolocation access control rules | 100 | + +------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Web tamper protection rules | 100 | + 
+------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Information leakage prevention rules | 100 | + +------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Global Protection Whitelist (Formerly False Alarm Masking) | 1,000 | + +------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Data masking rules | 100 | + +------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ .. important:: diff --git a/umn/source/service_overview/waf_and_other_services.rst b/umn/source/service_overview/waf_and_other_services.rst index 4e37e7c..e690ec0 100644 --- a/umn/source/service_overview/waf_and_other_services.rst +++ b/umn/source/service_overview/waf_and_other_services.rst 
@@ -10,67 +10,7 @@ This topic describes WAF and other cloud services. CTS --- -.. table:: **Table 1** WAF operations that can be recorded by CTS - - +-----------------------------------------------------------------------------------------------+---------------+---------------------+ - | Operation | Resource Type | Trace Name | - +===============================================================================================+===============+=====================+ - | Creating a WAF instance | instance | createInstance | - +-----------------------------------------------------------------------------------------------+---------------+---------------------+ - | Deleting a WAF instance | instance | deleteInstance | - +-----------------------------------------------------------------------------------------------+---------------+---------------------+ - | Modifying a WAF instance | instance | alterInstanceName | - +-----------------------------------------------------------------------------------------------+---------------+---------------------+ - | Modifying the protection status of a WAF instance | instance | modifyProtectStatus | - +-----------------------------------------------------------------------------------------------+---------------+---------------------+ - | Modifying the connection status of a WAF instance | instance | modifyAccessStatus | - +-----------------------------------------------------------------------------------------------+---------------+---------------------+ - | Creating a WAF policy | policy | createPolicy | - +-----------------------------------------------------------------------------------------------+---------------+---------------------+ - | Applying a WAF policy | policy | applyToHost | - +-----------------------------------------------------------------------------------------------+---------------+---------------------+ - | Modifying a policy | policy | modifyPolicy | - 
+-----------------------------------------------------------------------------------------------+---------------+---------------------+ - | Deleting a WAF policy | policy | deletePolicy | - +-----------------------------------------------------------------------------------------------+---------------+---------------------+ - | Uploading a certificate | certificate | createCertificate | - +-----------------------------------------------------------------------------------------------+---------------+---------------------+ - | Changing the name of a certificate | certificate | modifyCertificate | - +-----------------------------------------------------------------------------------------------+---------------+---------------------+ - | Deleting a certificate | certificate | deleteCertificate | - +-----------------------------------------------------------------------------------------------+---------------+---------------------+ - | Adding a CC attack protection rule | policy | createCc | - +-----------------------------------------------------------------------------------------------+---------------+---------------------+ - | Modifying a CC attack protection rule | policy | modifyCc | - +-----------------------------------------------------------------------------------------------+---------------+---------------------+ - | Deleting a CC attack protection rule | policy | deleteCc | - +-----------------------------------------------------------------------------------------------+---------------+---------------------+ - | Adding a precise protection rule | policy | createCustom | - +-----------------------------------------------------------------------------------------------+---------------+---------------------+ - | Modifying a precise protection rule | policy | modifyCustom | - +-----------------------------------------------------------------------------------------------+---------------+---------------------+ - | Deleting a precise protection rule | policy | 
deleteCustom | - +-----------------------------------------------------------------------------------------------+---------------+---------------------+ - | Adding an IP address blacklist or whitelist rule | policy | createWhiteblackip | - +-----------------------------------------------------------------------------------------------+---------------+---------------------+ - | Modifying an IP address blacklist or whitelist rule | policy | modifyWhiteblackip | - +-----------------------------------------------------------------------------------------------+---------------+---------------------+ - | Deleting an IP address blacklist or whitelist rule | policy | deleteWhiteblackip | - +-----------------------------------------------------------------------------------------------+---------------+---------------------+ - | Creating/updating a web tamper protection rule | policy | createAntitamper | - +-----------------------------------------------------------------------------------------------+---------------+---------------------+ - | Deleting a web tamper protection rule | policy | deleteAntitamper | - +-----------------------------------------------------------------------------------------------+---------------+---------------------+ - | Creating a global protection whitelist (formerly false alarm masking) rule | policy | createIgnore | - +-----------------------------------------------------------------------------------------------+---------------+---------------------+ - | Deleting a false alarm maskingglobal protection whitelist (formerly false alarm masking) rule | policy | deleteIgnore | - +-----------------------------------------------------------------------------------------------+---------------+---------------------+ - | Adding a data masking rule | policy | createPrivacy | - +-----------------------------------------------------------------------------------------------+---------------+---------------------+ - | Modifying a data masking rule | policy 
| modifyPrivacy | - +-----------------------------------------------------------------------------------------------+---------------+---------------------+ - | Deleting a data masking rule | policy | deletePrivacy | - +-----------------------------------------------------------------------------------------------+---------------+---------------------+ +Cloud Trace Service (CTS) records all WAF operations for you to query, audit, and backtrack. Cloud Eye --------- @@ -106,7 +46,7 @@ TMS Tag Management Service (TMS) is a visualized service for fast and unified tag management that enables you to label and manage WAF instances by tags. -.. table:: **Table 2** WAF operations supported by TMS +.. table:: **Table 1** WAF operations supported by TMS =========================== ============= ================= Operation Resource Type Trace Name diff --git a/umn/source/service_overview/what_is_web_application_firewall.rst b/umn/source/service_overview/what_is_web_application_firewall.rst index ef1c697..19239c5 100644 --- a/umn/source/service_overview/what_is_web_application_firewall.rst +++ b/umn/source/service_overview/what_is_web_application_firewall.rst 
@@ -12,7 +12,7 @@ After you enable a WAF instance, add your website domain to the WAF instance on How WAF Works ------------- -After purchasing WAF, add the website to WAF on the WAF console. After a website is connected to WAF, all website access requests are forwarded to WAF first. WAF detects and filters out malicious attack traffic, and returns normal traffic to the origin server to ensure that the origin server is secure, stable, and available. +After applying for WAF, add the website to WAF on the WAF console. After a website is connected to WAF, all website access requests are forwarded to WAF first. WAF detects and filters out malicious attack traffic, and returns normal traffic to the origin server to ensure that the origin server is secure, stable, and available. .. figure:: /_static/images/en-us_image_0000001197423825.png diff --git a/umn/source/system_management/dedicated_waf_engine_management.rst b/umn/source/system_management/dedicated_waf_engine_management.rst new file mode 100644 index 0000000..f2a0f08 --- /dev/null +++ b/umn/source/system_management/dedicated_waf_engine_management.rst 
@@ -0,0 +1,189 @@ +:original_name: waf_01_0253.html + +.. _waf_01_0253: + +Dedicated WAF Engine Management +=============================== + +This topic describes how to manage your dedicated WAF instances (or engines), including viewing instance information, viewing instance monitoring configurations, upgrading the instance edition, or deleting an instance. + +.. note:: + + If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instances locate. Then, you can select the project from the **Enterprise Project** drop-down list and manage dedicated WAF instances in the project. + +Prerequisites +------------- + +- You have applied for a dedicated WAF instance. +- Your login account has the **IAM ReadOnly** permission. + +Viewing Information About a Dedicated WAF Instance +-------------------------------------------------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane on the left, choose **Instance Management** > **Dedicated Engine** to go to the dedicated WAF instance page. + + + .. figure:: /_static/images/en-us_image_0000001732567617.png + :alt: **Figure 1** Dedicated engine list + + **Figure 1** Dedicated engine list + +#. View information about a dedicated WAF instance. :ref:`Table 1 ` describes parameters. + + .. _waf_01_0253__table8106945160: + + .. 
table:: **Table 1** Key parameters of dedicated WAF instances + + +-------------------+-------------------------------------------------------------------------+-------------------------------+ + | Parameter | Description | Example Value | + +===================+=========================================================================+===============================+ + | Instance Name | Name automatically generated when an instance is created. | None | + +-------------------+-------------------------------------------------------------------------+-------------------------------+ + | Protected Website | Domain name of the website protected by the instance. | www.example.com | + +-------------------+-------------------------------------------------------------------------+-------------------------------+ + | VPC | VPC where the instance resides | vpc-waf | + +-------------------+-------------------------------------------------------------------------+-------------------------------+ + | Subnet | Subnet where an instance resides | subnet-62bb | + +-------------------+-------------------------------------------------------------------------+-------------------------------+ + | IP Addresses | IP address of the subnet in the VPC where the WAF instance is deployed. | 192.168.0.186 | + +-------------------+-------------------------------------------------------------------------+-------------------------------+ + | Access Status | Connection status of the instance. | Accessible | + +-------------------+-------------------------------------------------------------------------+-------------------------------+ + | Running Status | Status of the instance. 
| Running | + +-------------------+-------------------------------------------------------------------------+-------------------------------+ + | Edition | Dedicated WAF | 202304 | + +-------------------+-------------------------------------------------------------------------+-------------------------------+ + | Deployment | How the instance is deployed. | Standard mode (reverse proxy) | + +-------------------+-------------------------------------------------------------------------+-------------------------------+ + | Specifications | Specifications of resources hosting the instance. | 8 vCPUs \| 16 GB | + +-------------------+-------------------------------------------------------------------------+-------------------------------+ + +Viewing Metrics of a Dedicated WAF Instance +------------------------------------------- + +When a WAF instance is in the **Running** status, you can view the monitored metrics about the instance. + +#. Log in to the management console. + +#. Click |image3| in the upper left corner of the management console and select a region or project. + +#. Click |image4| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane on the left, choose **Instance Management** > **Dedicated Engine** to go to the dedicated WAF instance page. + + + .. figure:: /_static/images/en-us_image_0000001732567617.png + :alt: **Figure 2** Dedicated engine list + + **Figure 2** Dedicated engine list + +#. In the row of the instance, click **Cloud Eye** in the **Operation** column to go to the Cloud Eye console and view the monitoring information, such as CPU, memory, and bandwidth. + +.. _waf_01_0253__section38005331521: + +Upgrading a Dedicated WAF Instance +---------------------------------- + +Only dedicated WAF instances in the **Running** status can be upgraded to the latest version. + +.. important:: + + - It takes about 20 minutes for upgrading an instance. 
During the upgrade, the instance is not available and cannot protect your domain names connected to it. To prevent service interruptions, use either of the following solutions: + + - **Solution 1**: Deploy multiple dedicated WAF instances for your domain name, add them to a backend server group of your load balancer, and enable the health check policy for the load balancer. In this way, if one dedicated WAF instance is not available, WAF automatically distributes the traffic to other healthy instances. There is almost no impact on your services except that website requests might be intermittently interrupted for few seconds. + - **Solution 2**: If you deploy only one dedicated WAF instance, configure a load balancer before you start to let website traffic bypass WAF during the upgrade. After the upgrade is complete, configure the load balancer to distribute traffic to WAF. + + - If you are using the latest version of WAF, the **Upgrade** button is grayed out. + +#. Log in to the management console. + +#. Click |image5| in the upper left corner of the management console and select a region or project. + +#. Click |image6| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane on the left, choose **Instance Management** > **Dedicated Engine** to go to the dedicated WAF instance page. + + + .. figure:: /_static/images/en-us_image_0000001732567617.png + :alt: **Figure 3** Dedicated engine list + + **Figure 3** Dedicated engine list + +#. In the row containing the instance you want to upgrade, click **Upgrade** in the **Operation** column. + +#. Confirm the upgrade conditions and click **Confirm**. + + Click **View Details** to view details of all dedicated WAF instance versions. 
+ +Change Security Group for a Dedicated WAF Instance +-------------------------------------------------- + +If you select **Network Interface** for **Instance Type**, you can change the security group to which your dedicated instance belongs. After you select a security group, the WAF instance will be protected by the access rules of the security group. + +#. Log in to the management console. + +#. Click |image7| in the upper left corner of the management console and select a region or project. + +#. Click |image8| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane on the left, choose **Instance Management** > **Dedicated Engine** to go to the dedicated WAF instance page. + + + .. figure:: /_static/images/en-us_image_0000001732567617.png + :alt: **Figure 4** Dedicated engine list + + **Figure 4** Dedicated engine list + +#. In the row containing the instance, choose **More** > **Change Security Group** in the **Operation** column. + +#. In the dialog box displayed, select the new security group and click **Confirm**. + +Deleting a Dedicated WAF Instance +--------------------------------- + +You can delete a dedicated WAF instance anytime. A deleted dedicated WAF instance will no longer protect the website added to it. + +.. important:: + + Resources on deleted instance are released and cannot be restored. Exercise caution when performing this operation. + +#. Log in to the management console. + +#. Click |image9| in the upper left corner of the management console and select a region or project. + +#. Click |image10| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane on the left, choose **Instance Management** > **Dedicated Engine** to go to the dedicated WAF instance page. + + + .. 
figure:: /_static/images/en-us_image_0000001732567617.png + :alt: **Figure 5** Dedicated engine list + + **Figure 5** Dedicated engine list + +#. In the row of the instance, click **More** > **Delete** in the **Operation** column. + +#. Click **Confirm**. + + + .. figure:: /_static/images/en-us_image_0000001286058500.png + :alt: **Figure 6** Deleting an instance + + **Figure 6** Deleting an instance + +.. |image1| image:: /_static/images/en-us_image_0000001082065421.jpg +.. |image2| image:: /_static/images/en-us_image_0000001287946362.png +.. |image3| image:: /_static/images/en-us_image_0000001082065421.jpg +.. |image4| image:: /_static/images/en-us_image_0000001340308129.png +.. |image5| image:: /_static/images/en-us_image_0000001081906323.jpg +.. |image6| image:: /_static/images/en-us_image_0000001340427973.png +.. |image7| image:: /_static/images/en-us_image_0000001240865319.jpg +.. |image8| image:: /_static/images/en-us_image_0000001340667861.png +.. |image9| image:: /_static/images/en-us_image_0000001081671555.jpg +.. |image10| image:: /_static/images/en-us_image_0000001288427746.png diff --git a/umn/source/system_management/index.rst b/umn/source/system_management/index.rst new file mode 100644 index 0000000..61cd897 --- /dev/null +++ b/umn/source/system_management/index.rst @@ -0,0 +1,16 @@ +:original_name: waf_01_3277.html + +.. _waf_01_3277: + +System Management +================= + +- :ref:`Dedicated WAF Engine Management ` +- :ref:`Viewing Product Details ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + dedicated_waf_engine_management + viewing_product_details diff --git a/umn/source/system_management/viewing_product_details.rst b/umn/source/system_management/viewing_product_details.rst new file mode 100644 index 0000000..01eea27 --- /dev/null +++ b/umn/source/system_management/viewing_product_details.rst 
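Review bot: In dedicated_waf_engine_management.rst, the Prerequisites list only the **IAM ReadOnly** permission, yet the page goes on to document upgrading an instance, changing its security group and deleting it. State which permission each of those write operations needs, or scope the ReadOnly prerequisite to the two viewing sections. Solution 2 in the upgrade note lets website traffic bypass WAF for the roughly 20-minute upgrade, so it should say plainly that the site is unprotected during that window. In Table 1 the Edition row has "Dedicated WAF" in the Description column with the example "202304"; give it a description like the other rows.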
@@ -0,0 +1,41 @@ +:original_name: waf_01_0319.html + +.. _waf_01_0319: + +Viewing Product Details +======================= + +On the **Product Details** page, you can view information about all your WAF instances, including the edition, domain quotas, and specifications. + +.. note:: + + If you have enabled enterprise projects, you can select your enterprise project from the **Enterprise Project** drop-down list and view products in the project. + +Prerequisites +------------- + +You have applied for a WAF instance. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane on the left, choose **Instance Management** > **Product Details**. + +#. On the **Product Details** page, view the WAF edition you are using, specifications, and expiration time. + + - To view details about the WAF edition you are using, click **Details**. + + + .. figure:: /_static/images/en-us_image_0000001286061432.png + :alt: **Figure 1** Product information + + **Figure 1** Product information + +.. |image1| image:: /_static/images/en-us_image_0000001133216533.jpg +.. |image2| image:: /_static/images/en-us_image_0000001340308381.png diff --git a/umn/source/waf_operation_guide.rst b/umn/source/waf_operation_guide.rst new file mode 100644 index 0000000..d268f7a --- /dev/null +++ b/umn/source/waf_operation_guide.rst 
@@ -0,0 +1,73 @@ +:original_name: waf_01_0071.html + +.. _waf_01_0071: + +WAF Operation Guide +=================== + +After you enable the WAF service, you need to connect your website domain name to WAF so that all access requests are forwarded to WAF for protection. + +.. _waf_01_0071__section47661922219: + +Procedure for Using WAF +----------------------- + +:ref:`Figure 1 ` shows the procedure. :ref:`Table 1 ` describes the procedure. + +.. _waf_01_0071__fig107710194117: + +.. figure:: /_static/images/en-us_image_0000001677232290.png + :alt: **Figure 1** Procedure for using WAF + + **Figure 1** Procedure for using WAF + +.. _waf_01_0071__table19118111420519: + +.. table:: **Table 1** Procedure for using WAF + + +-----------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Operation | Description | + +=====================================================+============================================================================================================================================================================================================================+ + | :ref:`Apply for a WAF instance `. | Apply for a dedicated WAF instance. | + +-----------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | :ref:`Add a website to WAF `. | Add websites you want to protect to your WAF instance. | + | | | + | | For details, see :ref:`Step 1: Add a Website to WAF `. | + | | | + | | .. note:: | + | | | + | | - Using WAF does not affect your web server performance because the WAF engine is not running on your web server. 
| + | | - After your domain name is connected to WAF, there will be a latency of tens of milliseconds, which might be raised based on the size of the requested page or number of incoming requests. | + +-----------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | :ref:`Configure a protection policy. ` | A policy is a combination of rules, such as basic web protection, blacklist, whitelist, and precise protection rules. A policy can be applied to multiple domain names, but only one policy can be used for a domain name. | + +-----------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | :ref:`Analyze logs `. | WAF displays blocked or logged-only attacks on the **Events** page. You can view and analyze protection logs to adjust your website protection policies or mask false alarms. | + +-----------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +Related Functions +----------------- + +Beyond functions in :ref:`Procedure for Using WAF `, WAF also provides the following functions for you to improve your website security performance. + +.. 
table:: **Table 2** Related functions + + +---------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Function | Description | + +===========================================================================================================================+=============================================================================================================================================================================================================================================================================================================================================================================================+ + | :ref:`Dashboard ` | You can view protection data of yesterday, today, last 3 days, last 7 days, or last 30 days. | + +---------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | :ref:`Configuring PCI DSS/3DS Certification Check and Configuring the Minimum TLS Version and Cipher Suite ` | TLS v1.0 and the cipher suite 1 are configured by default in WAF for general security. 
To protect your websites better, set the minimum TLS version to a later version and select a more secure cipher suite. | + +---------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | :ref:`Configuring Connection Timeout ` | - The default timeout period for connections from a browser to WAF is 120 seconds. The value varies depending on your browser settings and cannot be changed on the WAF console. | + | | - The default timeout duration for the connection between WAF and an origin server is 60 seconds. You can manually set the timeout duration on the WAF console. | + +---------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | :ref:`Configuring Connection Protection ` | If a large number of 502 Bad Gateway and 504 Gateway Timeout errors are detected, you can enable WAF breakdown protection and connection protection to let WAF suspend your website and protect your origin servers from being crashed. When the 502/504 error requests and pending URL requests reach the thresholds you configure, WAF enables corresponding protection for your website. 
| + +---------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | :ref:`Configuring a Traffic Identifier for a Known Attack Source ` | WAF allows you to configure traffic identifiers by IP address, session, or user tag to block possibly malicious requests from known attack sources based on **IP address**, **Cookie**, or **Params**. | + +---------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | :ref:`Editing Response Page for Blocked Requests ` | If a visitor is blocked by WAF, the **Default** block page of WAF is returned by default. You can also configure **Custom** or **Redirection** for the block page to be returned as required. 
| + +---------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | :ref:`Managing Certificates ` | If you upload a certificate to WAF, you can directly select the certificate when adding a website to WAF. | + +---------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | :ref:`Managing Dedicated Engines ` | This topic describes how to manage your dedicated WAF instances (or engines), including viewing instance information, viewing instance monitoring configurations, upgrading the instance edition, or deleting an instance. | + +---------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ 
diff --git a/umn/source/website_domain_name_management/index.rst b/umn/source/website_domain_name_management/index.rst deleted file mode 100644 index a673b08..0000000 --- a/umn/source/website_domain_name_management/index.rst +++ /dev/null @@ -1,32 +0,0 @@ -:original_name: waf_01_0067.html - -.. _waf_01_0067: - -Website Domain Name Management -============================== - -- :ref:`Viewing Basic Information ` -- :ref:`Switching WAF Working Mode ` -- :ref:`Configuring PCI DSS/3DS Certification Check and TLS Version ` -- :ref:`Configuring Connection Timeout ` -- :ref:`Configuring Connection Protection ` -- :ref:`Updating a Certificate ` -- :ref:`Configuring a Traffic Identifier for a Known Attack Source ` -- :ref:`Editing Server Information ` -- :ref:`Modifying the Alarm Page ` -- :ref:`Removing a Protected Website from WAF ` - -.. toctree:: - :maxdepth: 1 - :hidden: - - viewing_basic_information - switching_waf_working_mode - configuring_pci_dss_3ds_certification_check_and_tls_version - configuring_connection_timeout - configuring_connection_protection - updating_a_certificate - configuring_a_traffic_identifier_for_a_known_attack_source - editing_server_information - modifying_the_alarm_page - removing_a_protected_website_from_waf diff --git a/umn/source/website_domain_name_management/configuring_connection_timeout.rst b/umn/source/website_settings/advanced_settings/configuring_a_timeout_for_connections_between_waf_and_a_website_server.rst similarity index 60% rename from umn/source/website_domain_name_management/configuring_connection_timeout.rst rename to umn/source/website_settings/advanced_settings/configuring_a_timeout_for_connections_between_waf_and_a_website_server.rst index d3ca9d3..2421bd9 100644 --- a/umn/source/website_domain_name_management/configuring_connection_timeout.rst +++ b/umn/source/website_settings/advanced_settings/configuring_a_timeout_for_connections_between_waf_and_a_website_server.rst 
@@ -2,14 +2,27 @@ .. _waf_01_1171: -Configuring Connection Timeout -============================== +Configuring a Timeout for Connections Between WAF and a Website Server +====================================================================== If you want to set a timeout duration for each request between your WAF instance and origin server, enable **Timeout Settings** and specify **WAF-to-Server connection timeout (s)**, **Read timeout (s)**, and **Write timeout (s)**. This function cannot be disabled once it is enabled. +- **WAF-to-Server Connection Timeout**: timeout for WAF and the origin server to establish a TCP connection. +- **Write Timeout**: Timeout set for WAF to send a request to the origin server. If the origin server does not receive a request within the specified write timeout, the connection times out. +- **Read Timeout**: Timeout set for WAF to read responses from the origin server. If WAF does not receive any response from the origin server within the specified read timeout, the connection times out. + +:ref:`Figure 1 ` shows the three steps for WAF to forward requests to an origin server. + +.. _waf_01_1171__fig1746612284428: + +.. figure:: /_static/images/en-us_image_0000001519222274.png + :alt: **Figure 1** WAF forwarding requests to origin servers. + + **Figure 1** WAF forwarding requests to origin servers. + .. note:: - - The default timeout duration for connections between a browser and WAF is 120 seconds, which cannot be manually set. + - The timeout period for connections from a browser to WAF is 120 seconds. The value varies depending on your browser settings and cannot be changed on the WAF console page. - The default timeout duration for the connection between WAF and an origin server is 60 seconds. This topic walks you through how to customize the timeout duration. Prerequisites 
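Review bot: The reworded note drops "default" and now reads "The timeout period for connections from a browser to WAF is 120 seconds. The value varies depending on your browser settings", which states a fixed value and then says it varies. Keep "default timeout period", as waf_operation_guide.rst does in this patch. The three new bullets list Write before Read while the paragraph above names Read first, their labels are capitalised differently from the UI strings (**Read timeout (s)**), and the first definition starts lowercase where the other two start uppercase.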
diff --git a/umn/source/website_domain_name_management/configuring_a_traffic_identifier_for_a_known_attack_source.rst b/umn/source/website_settings/advanced_settings/configuring_a_traffic_identifier_for_a_known_attack_source.rst similarity index 57% rename from umn/source/website_domain_name_management/configuring_a_traffic_identifier_for_a_known_attack_source.rst rename to umn/source/website_settings/advanced_settings/configuring_a_traffic_identifier_for_a_known_attack_source.rst index 23a29e3..ba242ad 100644 --- a/umn/source/website_domain_name_management/configuring_a_traffic_identifier_for_a_known_attack_source.rst +++ b/umn/source/website_settings/advanced_settings/configuring_a_traffic_identifier_for_a_known_attack_source.rst 
@@ -50,19 +50,37 @@ Procedure .. table:: **Table 1** Traffic identifier parameters - +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Tag | Description | Example Value | - +=======================+=======================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+=======================+ - | IP Tag | HTTP request header field of the original client IP address. | X-Forwarded-For | - | | | | - | | Ensure that the protected website has a layer-7 proxy configured in front of WAF and that **Proxy Configured** under the website basic information settings is set to **Yes** for this parameter to take effect. | | - | | | | - | | If there are multiple field names separated by commas (,), WAF reads the fields from left to right to obtain the client IP address. For example, for **X-Forwarded-For,CDN-Src-IP,X-real-IP**, WAF obtains the client IP address from the **X-Forwarded-For** field first. If this field has no value, WAF then obtains the value from other fields in sequence. If there is no field configured by the customer, WAF obtains the source IP address in the TCP connection by default. 
| | - +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Session Tag | This tag is used to block possibly malicious requests based on the cookie attributes of an attack source. Configure this parameter to block requests based on cookie attributes. | jssessionid | - +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | User Tag | This tag is used to block possibly malicious requests based on the Params attribute of an attack source. Configure this parameter to block requests based on the Params attributes. 
| name | - +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Tag | Description | Example Value | + +=======================+==================================================================================================================================================================================================================+=======================+ + | IP Tag | HTTP request header field of the original client IP address. | X-Forwarded-For | + | | | | + | | Ensure that the protected website has a layer-7 proxy configured in front of WAF and that **Proxy Configured** under the website basic information settings is set to **Yes** for this parameter to take effect. | | + | | | | + | | WAF obtains client IP addresses in the following sequence. | | + | | | | + | | a. If an IP tag is configured, WAF firstly obtains the source IP header list configured in **upstream**. If no value is obtained, go to :ref:`2 `. | | + | | | | + | | b. .. _waf_01_0270__li9345144410312: | | + | | | | + | | WAF obtains the value of the **cdn-src-ip** field in the source IP header list configured in the config file. If no value is obtained, go to :ref:`3 `. | | + | | | | + | | c. .. 
_waf_01_0270__li9353131612717: | | + | | | | + | | WAF obtains the value of the **x-real-ip** field. If no value is obtained, go to :ref:`4 `. | | + | | | | + | | d. .. _waf_01_0270__li168275401797: | | + | | | | + | | WAF obtains the first public IP address from the left of the **x-forwarded-for** field. If no public IP address is obtained, go to :ref:`5 `. | | + | | | | + | | e. .. _waf_01_0270__li16951245181112: | | + | | | | + | | WAF obtains the value of the **remote_addr** field, which includes the IP address used for establishing the TCP connection. | | + +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Session Tag | This tag is used to block possibly malicious requests based on the cookie attributes of an attack source. Configure this parameter to block requests based on cookie attributes. | jssessionid | + +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | User Tag | This tag is used to block possibly malicious requests based on the Params attribute of an attack source. Configure this parameter to block requests based on the Params attributes. | name | + +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ #. Click **Confirm**. 
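Review bot: In the new IP Tag sequence the steps are lettered a to e, but the fall-through references say "go to 2" through "go to 5", so the text points at step numbers that do not exist. Make the list markers and the references use the same scheme. Steps a and b mention **upstream** and "the config file" without saying what those are or where a user sets them, and the removed left-to-right example for a multi-header IP tag has no replacement. Since **x-real-ip** and **x-forwarded-for** are request headers a client can set, it would help to say here that the layer-7 proxy in front of WAF must set or overwrite them for the resulting address to be trusted.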
diff --git a/umn/source/website_domain_name_management/configuring_pci_dss_3ds_certification_check_and_tls_version.rst b/umn/source/website_settings/advanced_settings/configuring_pci_dss_3ds_certification_check_and_tls_version.rst similarity index 51% rename from umn/source/website_domain_name_management/configuring_pci_dss_3ds_certification_check_and_tls_version.rst rename to umn/source/website_settings/advanced_settings/configuring_pci_dss_3ds_certification_check_and_tls_version.rst index f35e692..1caa236 100644 --- a/umn/source/website_domain_name_management/configuring_pci_dss_3ds_certification_check_and_tls_version.rst +++ b/umn/source/website_settings/advanced_settings/configuring_pci_dss_3ds_certification_check_and_tls_version.rst @@ -9,12 +9,22 @@ Transport Layer Security (TLS) provides confidentiality and ensures data integri TLS v1.0 and the cipher suite 1 are configured by default in WAF for general security. To protect your websites better, set the minimum TLS version to a later version and select a more secure cipher suite. +.. note:: + + If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the enterprise project from the **Enterprise Project** drop-down list and configure PCI DSS or PCI 3DS and TLS for the domain names. + Prerequisites ------------- - The website to be protected has been added to WAF. - Your website uses HTTPS as the client protocol. +Constraints +----------- + +- If **Client Protocol** for the website you want to protect is set to **HTTP**, TLS is not required, and you can skip this topic. +- If you configure multiple combinations of server information, PCI DSS and PCI 3DS compliance certification checks can be set only when **Client Protocol** is set to **HTTPS** in all of those combinations. + Application Scenarios --------------------- 
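Review bot: The first bullet of the new Constraints section ("If **Client Protocol** for the website you want to protect is set to **HTTP**, TLS is not required, and you can skip this topic") restates, from the opposite side, the existing prerequisite "Your website uses HTTPS as the client protocol". Keep the condition in one place, or word the constraint so it is clear that it is the same condition and not an additional one. In the added note, "the project where your WAF instance locates" should read "is located".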
@@ -40,65 +50,70 @@ The recommended cipher suite in WAF is **Cipher suite 1**. Cipher suite 1 offers .. table:: **Table 2** Description of cipher suites - +-----------------------+------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Cipher Suite Name | Supported cryptographic algorithms | Description | - +=======================+====================================+===================================================================================================================================================================+ - | Default cipher suite | - ECDHE-RSA-AES256-SHA384 | - Compatibility: Good. | - | | - AES256-SHA256 | | - | | - HIGH | A wide range of browsers are supported. | - | | - !MD5 | | - | | - !aNULL | - Security: Average | - | | - !eNULL | | - | | - !NULL | | - | | - !DH | | - | | - !EDH | | - | | - !AESGCM | | - +-----------------------+------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Cipher suite 1 | - ECDHE-ECDSA-AES256-GCM-SHA384 | Recommended configuration. | - | | - HIGH | | - | | - !MEDIUM | - Compatibility: Good. | - | | - !LOW | | - | | - !aNULL | A wide range of browsers are supported. | - | | - !eNULL | | - | | - !DES | - Security: Good | - | | - !MD5 | | - | | - !PSK | | - | | - !kRSA | | - | | - !SRP | | - | | - !3DES | | - | | - !DSS | | - | | - !EXP | | - | | - !CAMELLIA | | - | | - @STRENGTH | | - +-----------------------+------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Cipher suite 2 | - EECDH+AESGCM | - Compatibility: Average. 
| - | | - EDH+AESGCM | | - | | | Strict compliance with forward secrecy requirements of PCI DSS and excellent protection, but browsers of earlier versions may be unable to access the website. | - | | | | - | | | - Security: Excellent | - +-----------------------+------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Cipher suite 3 | - ECDHE-RSA-AES128-GCM-SHA256 | - Compatibility: Average. | - | | - ECDHE-RSA-AES256-GCM-SHA384 | | - | | - ECDHE-RSA-AES256-SHA384 | Earlier versions of browsers may be unable to access the website. | - | | - HIGH | | - | | - !MD5 | - Security: Excellent. | - | | - !aNULL | | - | | - !eNULL | Multiple algorithms, such as ECDHE, DHE-GCM, and RSA-AES-GCM, are supported. | - | | - !NULL | | - | | - !DH | | - | | - !EDH | | - +-----------------------+------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Cipher suite 4 | - ECDHE-RSA-AES256-GCM-SHA384 | - Compatibility: Good. | - | | - ECDHE-RSA-AES128-GCM-SHA256 | | - | | - ECDHE-RSA-AES256-SHA384 | A wide range of browsers are supported. | - | | - AES256-SHA256 | | - | | - HIGH | - Security: Average. | - | | - !MD5 | | - | | - !aNULL | The GCM algorithm is supported. 
| - | | - !eNULL | | - | | - !NULL | | - | | - !EDH | | - +-----------------------+------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Cipher Suite Name | Supported cryptographic algorithms | Description | + +=======================+=========================================================================================================================================================================================================================+===================================================================================================================================================================+ + | Default cipher suite | - ECDHE-RSA-AES256-SHA384 | - Compatibility: Good. | + | | - AES256-SHA256 | | + | | - HIGH | A wide range of browsers are supported. | + | | - !MD5 | | + | | - !aNULL | - Security: Average | + | | - !eNULL | | + | | - !NULL | | + | | - !DH | | + | | - !EDH | | + | | - !AESGCM | | + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Cipher suite 1 | - ECDHE-ECDSA-AES256-GCM-SHA384 | Recommended configuration. 
| + | | - HIGH | | + | | - !MEDIUM | - Compatibility: Good. | + | | - !LOW | | + | | - !aNULL | A wide range of browsers are supported. | + | | - !eNULL | | + | | - !DES | - Security: Good | + | | - !MD5 | | + | | - !PSK | | + | | - !kRSA | | + | | - !SRP | | + | | - !3DES | | + | | - !DSS | | + | | - !EXP | | + | | - !CAMELLIA | | + | | - @STRENGTH | | + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Cipher suite 2 | - EECDH+AESGCM | - Compatibility: Average. | + | | - EDH+AESGCM | | + | | | Strict compliance with forward secrecy requirements of PCI DSS and excellent protection, but browsers of earlier versions may be unable to access the website. | + | | | | + | | | - Security: Excellent | + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Cipher suite 3 | - ECDHE-RSA-AES128-GCM-SHA256 | - Compatibility: Average. | + | | - ECDHE-RSA-AES256-GCM-SHA384 | | + | | - ECDHE-RSA-AES256-SHA384 | Earlier versions of browsers may be unable to access the website. | + | | - HIGH | | + | | - !MD5 | - Security: Excellent. | + | | - !aNULL | | + | | - !eNULL | Multiple algorithms, such as ECDHE, DHE-GCM, and RSA-AES-GCM, are supported. 
| + | | - !NULL | | + | | - !DH | | + | | - !EDH | | + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Cipher suite 4 | - ECDHE-RSA-AES256-GCM-SHA384 | - Compatibility: Good. | + | | - ECDHE-RSA-AES128-GCM-SHA256 | | + | | - ECDHE-RSA-AES256-SHA384 | A wide range of browsers are supported. | + | | - AES256-SHA256 | | + | | - HIGH | - Security: Average. | + | | - !MD5 | | + | | - !aNULL | The GCM algorithm is supported. | + | | - !eNULL | | + | | - !NULL | | + | | - !EDH | | + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Cipher suite 5 | AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!DHE:@STRENGTH | Supported algorithms: RSA-AES-CBC only | + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Cipher suite 6 | 
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 | - Compatibility: Average | + | | | - Security: Good | + +-----------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------+ The TLS cipher suites in WAF are compatible with all browsers and clients of later versions but are incompatible with some browsers of earlier versions. :ref:`Table 3 ` lists the incompatible browsers and clients if the TLS v1.0 protocol is used. @@ -185,7 +200,7 @@ Procedure #. In the **Compliance Certification** row, you can select **PCI DSS** and/or **PCI 3DS** to allow WAF to check your website for the corresponding PCI certification compliance. In the **TLS Configuration** row, click |image3| to complete TLS configuration. - .. figure:: /_static/images/en-us_image_0000001337771401.png + .. figure:: /_static/images/en-us_image_0000001732455909.png :alt: **Figure 1** TLS configuration modification **Figure 1** TLS configuration modification @@ -210,7 +225,7 @@ Procedure #. In the displayed **TLS Configuration** dialog box, select the minimum TLS version and cipher suite. - .. figure:: /_static/images/en-us_image_0000001337772549.png + .. figure:: /_static/images/en-us_image_0000001732417057.png :alt: **Figure 2** TLS Configuration **Figure 2** TLS Configuration 
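Review bot: In the Table 2 hunk (@@ -40,65 +50,70 @@), the new Cipher suite 5 and Cipher suite 6 rows give their algorithms as one colon-separated string while the five existing rows use a bullet list, and that single long cell is what forces every row of the table to be re-emitted at the wider column width. Splitting the two new entries into bullets like the others would keep the table consistent and shrink the hunk to the rows that were actually added. The Cipher suite 5 description ("Supported algorithms: RSA-AES-CBC only") also needs checking against its string: the string includes HIGH and excludes DHE but not ECDHE or AESGCM, so it may select more than RSA key exchange with AES-CBC. That row is also the only one without Compatibility and Security ratings, which readers comparing it with Cipher suite 2's forward secrecy remark will look for.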
@@ -221,7 +236,7 @@ Procedure - **TLS v1.1**: Only requests using TLS v1.1 or later can access the domain name. - **TLS v1.2**: Only requests using TLS v1.2 or later can access the domain name. -#. Click **OK**. +#. Click **Confirm**. Verification ------------ diff --git a/umn/source/website_domain_name_management/configuring_connection_protection.rst b/umn/source/website_settings/advanced_settings/enabling_connection_protection.rst similarity index 96% rename from umn/source/website_domain_name_management/configuring_connection_protection.rst rename to umn/source/website_settings/advanced_settings/enabling_connection_protection.rst index 0a15832..750276c 100644 --- a/umn/source/website_domain_name_management/configuring_connection_protection.rst +++ b/umn/source/website_settings/advanced_settings/enabling_connection_protection.rst @@ -2,8 +2,8 @@ .. _waf_01_1172: -Configuring Connection Protection -================================= +Enabling Connection Protection +============================== If a large number of 502 Bad Gateway and 504 Gateway Timeout errors are detected, you can enable WAF breakdown protection and connection protection to let WAF suspend your website and protect your origin servers from being crashed. When the 502/504 error requests and pending URL requests reach the thresholds you configure, WAF enables corresponding protection for your website. @@ -17,7 +17,7 @@ Constraints ----------- - You have selected **Dedicated mode** for your website deployment. -- The :ref:`dedicated WAF instance must be upgraded to the latest version ` before you enable **Connection Protection**, or your website workloads may be interrupted. +- Before enabling **Connection Protection**, make sure :ref:`you have updated dedicated WAF instances to the latest version, `, or your services might be affected. Procedure --------- 
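Review bot: In the rewritten second Constraints bullet (@@ -17,7 +17,7 @@), the comma has moved inside the link text and a second comma follows the role: "make sure :ref:`you have updated dedicated WAF instances to the latest version, `, or your services might be affected". Keep the link text to a short phrase with the existing target and leave a single comma outside the role. The rewrite also weakens "your website workloads may be interrupted" to "your services might be affected"; if interruption is the actual risk of enabling **Connection Protection** on an older instance, the specific wording is more useful to the operator.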
@@ -36,7 +36,7 @@ Procedure .. _waf_01_1172__fig491043320154: - .. figure:: /_static/images/en-us_image_0000001529293989.png + .. figure:: /_static/images/en-us_image_0000001556300637.png :alt: **Figure 1** Connection Protection **Figure 1** Connection Protection diff --git a/umn/source/website_settings/advanced_settings/index.rst b/umn/source/website_settings/advanced_settings/index.rst new file mode 100644 index 0000000..aa25497 --- /dev/null +++ b/umn/source/website_settings/advanced_settings/index.rst @@ -0,0 +1,22 @@ +:original_name: waf_01_3274.html + +.. _waf_01_3274: + +Advanced Settings +================= + +- :ref:`Configuring PCI DSS/3DS Certification Check and TLS Version ` +- :ref:`Configuring a Timeout for Connections Between WAF and a Website Server ` +- :ref:`Enabling Connection Protection ` +- :ref:`Configuring a Traffic Identifier for a Known Attack Source ` +- :ref:`Modifying the Alarm Page ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + configuring_pci_dss_3ds_certification_check_and_tls_version + configuring_a_timeout_for_connections_between_waf_and_a_website_server + enabling_connection_protection + configuring_a_traffic_identifier_for_a_known_attack_source + modifying_the_alarm_page diff --git a/umn/source/website_domain_name_management/modifying_the_alarm_page.rst b/umn/source/website_settings/advanced_settings/modifying_the_alarm_page.rst similarity index 100% rename from umn/source/website_domain_name_management/modifying_the_alarm_page.rst rename to umn/source/website_settings/advanced_settings/modifying_the_alarm_page.rst diff --git a/umn/source/website_domain_name_management/editing_server_information.rst b/umn/source/website_settings/basic_information/editing_server_information.rst similarity index 100% rename from umn/source/website_domain_name_management/editing_server_information.rst rename to umn/source/website_settings/basic_information/editing_server_information.rst 
diff --git a/umn/source/website_settings/basic_information/index.rst b/umn/source/website_settings/basic_information/index.rst new file mode 100644 index 0000000..ae7594e --- /dev/null +++ b/umn/source/website_settings/basic_information/index.rst @@ -0,0 +1,22 @@ +:original_name: waf_01_0067.html + +.. _waf_01_0067: + +Basic Information +================= + +- :ref:`Viewing Basic Information ` +- :ref:`Switching WAF Working Mode ` +- :ref:`Updating a Certificate ` +- :ref:`Editing Server Information ` +- :ref:`Removing a Protected Website from WAF ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + viewing_basic_information + switching_waf_working_mode + updating_a_certificate + editing_server_information + removing_a_protected_website_from_waf diff --git a/umn/source/website_domain_name_management/removing_a_protected_website_from_waf.rst b/umn/source/website_settings/basic_information/removing_a_protected_website_from_waf.rst similarity index 100% rename from umn/source/website_domain_name_management/removing_a_protected_website_from_waf.rst rename to umn/source/website_settings/basic_information/removing_a_protected_website_from_waf.rst diff --git a/umn/source/website_domain_name_management/switching_waf_working_mode.rst b/umn/source/website_settings/basic_information/switching_waf_working_mode.rst similarity index 100% rename from umn/source/website_domain_name_management/switching_waf_working_mode.rst rename to umn/source/website_settings/basic_information/switching_waf_working_mode.rst diff --git a/umn/source/website_domain_name_management/updating_a_certificate.rst b/umn/source/website_settings/basic_information/updating_a_certificate.rst similarity index 100% rename from umn/source/website_domain_name_management/updating_a_certificate.rst rename to umn/source/website_settings/basic_information/updating_a_certificate.rst 
diff --git a/umn/source/website_domain_name_management/viewing_basic_information.rst b/umn/source/website_settings/basic_information/viewing_basic_information.rst similarity index 80% rename from umn/source/website_domain_name_management/viewing_basic_information.rst rename to umn/source/website_settings/basic_information/viewing_basic_information.rst index 7f5ac82..09cf404 100644 --- a/umn/source/website_domain_name_management/viewing_basic_information.rst +++ b/umn/source/website_settings/basic_information/viewing_basic_information.rst 
@@ -53,13 +53,7 @@ Procedure +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Policy | The total number of protection policies configured in WAF. You can click a number to go to the rule configuration page. | +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Access Progress/Status | The progress of connecting your website to WAF or the website access status. | - +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Operation | To remove a protected website from WAF, click **Delete**. | - | | | - | | .. warning:: | - | | | - | | The deletion operation cannot be cancelled. Exercise caution when performing this operation. | + | Access Progress | The progress of connecting your website to WAF or the website access status. 
| +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ #. In the **Domain Name** column, click the domain name of the website to go to the basic information page. 
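Review bot: The row renamed from "Access Progress/Status" to "Access Progress" keeps the description "The progress of connecting your website to WAF or the website access status", so the label and its description no longer agree; either keep "/Status" in the label or trim the description. The hunk also drops the Operation row together with its warning that deletion cannot be cancelled. Since this patch only renames removing_a_protected_website_from_waf.rst without touching its content, please confirm the warning is still stated there.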
@@ -76,10 +70,10 @@ Procedure - Update the TLS version and TLS cipher suite for accessing the origin server: If you select **HTTPS** for **Client Protocol**, you can change TLS version to a more secure one. To do so, click |image5| next to the TLS Configuration field. Then, in the displayed dialog box, select the desired TLS version and TLS cipher suite. For more details, see :ref:`Configuring PCI DSS/3DS Certification Check and TLS Version `. - Modify the field of **Proxy Configured**: Click |image6|. In the displayed dialog box, select **Yes** if your web server is using a proxy. - Customize the alarm page: Click |image7|. In the displayed dialog box, select **Custom** or **Redirection** and complete required configurations. By default, **Alarm Page** is **Default**. - - If you want to set a timeout duration for each request, enable **Timeout Settings** and click |image8|\ to specify **WAF-to-Server Connection Timeout (s)**, **Read Timeout (s)**, and **Write Timeout (s)**. This function cannot be disabled after being enabled. For details, see :ref:`Configuring Connection Timeout `. + - If you want to set a timeout duration for each request, enable **Timeout Settings** and click |image8|\ to specify **WAF-to-Server Connection Timeout (s)**, **Read Timeout (s)**, and **Write Timeout (s)**. This function cannot be disabled after being enabled. For details, see :ref:`Configuring a Timeout for Connections Between WAF and a Website Server `. .. |image1| image:: /_static/images/en-us_image_0000001481851976.jpg -.. |image2| image:: /_static/images/en-us_image_0000001288099090.png +.. |image2| image:: /_static/images/en-us_image_0000001733092845.png .. |image3| image:: /_static/images/en-us_image_0000001284852786.png .. |image4| image:: /_static/images/en-us_image_0210924454.jpg .. |image5| image:: /_static/images/en-us_image_0210924454.jpg 
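Review bot: The rewritten Timeout Settings bullet carries over "click |image8|\ to specify" unchanged. In reStructuredText a backslash-escaped space is removed from the output, so the icon renders directly against the word "to"; use a plain space after the substitution while this line is being edited anyway.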
diff --git a/umn/source/website_settings/connecting_a_website_to_waf_dedicated_mode/connection_process_dedicated_mode.rst b/umn/source/website_settings/connecting_a_website_to_waf_dedicated_mode/connection_process_dedicated_mode.rst new file mode 100644 index 0000000..9103df8 --- /dev/null +++ b/umn/source/website_settings/connecting_a_website_to_waf_dedicated_mode/connection_process_dedicated_mode.rst 
@@ -0,0 +1,72 @@ +:original_name: waf_01_0326.html + +.. _waf_01_0326: + +Connection Process (Dedicated Mode) +=================================== + +To let a dedicated WAF instance protect your website, the domain name of the website must be connected to the dedicated WAF instance so that the website incoming traffic can go to WAF first. + +Constraints +----------- + +Dedicated WAF instances can only protect web applications and websites that are accessible through domain names or IP addresses. + +Processes of Connecting a Website to WAF +---------------------------------------- + +Before using a dedicated WAF instance, complete the required configurations by following the process shown in :ref:`Figure 1 `. + +.. _waf_01_0326__fig3118103718294: + +.. figure:: /_static/images/en-us_image_0000001171626489.png + :alt: **Figure 1** Process of connecting a website to a dedicated WAF instance + + **Figure 1** Process of connecting a website to a dedicated WAF instance + +Collecting Domain Name/IP Address Details +----------------------------------------- + +Before adding a domain name or IP address to WAF, obtain the information listed in :ref:`Table 1 `. + +.. _waf_01_0326__table1252463519439: + +.. table:: **Table 1** Domain name or IP address details required + + +------------------------+-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+ + | Information | Parameter | Description | Example | + +========================+===================+===============================================================================================================================================================================================================+=================+ + | Parameters | Protected Website | - Domain name: used by visitors to access your website. 
A domain name consists of letters separated by dots (.). It is a human readable address that maps to the machine readable IP address of your server. | www.example.com | + | | | - IP: IP address of the website. | | + +------------------------+-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+ + | | Protected Port | The service port corresponding to the domain name of the website you want to protect. | 80 | + | | | | | + | | | - Standard Ports | | + | | | | | + | | | - 80: default port when the client protocol is HTTP | | + | | | - 443: default port when the client protocol is HTTPS | | + | | | | | + | | | - Non-standard ports | | + | | | | | + | | | Ports other than ports 80 and 443 | | + +------------------------+-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+ + | | Client Protocol | Protocol used by a client (for example, a browser) to access the website. WAF supports HTTP and HTTPS. | HTTP | + +------------------------+-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+ + | | Server Protocol | Protocol used by WAF to forward requests from the client (such as a browser). The options are **HTTP** and **HTTPS**. 
| HTTP | + +------------------------+-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+ + | | VPC | Select the VPC that the dedicated WAF instance belongs to. | vpc-default | + +------------------------+-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+ + | | Server Address | Private IP address of the website server. | 192.168.1.1 | + +------------------------+-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+ + | (Optional) Certificate | Certificate Name | If you set **Client Protocol** to **HTTPS**, you are required to configure a certificate on WAF and associate the certificate with the domain name. | ``-`` | + | | | | | + | | | .. important:: | | + | | | | | + | | | NOTICE: | | + | | | Only .pem certificates can be used in WAF. If a certificate is not in .pem, convert it by referring to :ref:`How Do I Convert a Certificate into PEM Format? ` | | + +------------------------+-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+ + +Fixing Inaccessible Websites +---------------------------- + +If a domain name fails to be connected to WAF, its access status is **Inaccessible**. To fix this issue, see :ref:`Why Is My Domain Name or IP Address Inaccessible? ` 
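Review bot: In Table 1 of the new file, the Certificate row is labelled "(Optional) Certificate" while its description says "you are required to configure a certificate on WAF" when **Client Protocol** is **HTTPS**. State the condition once, for example "Required when Client Protocol is HTTPS", so the label and description do not read as contradictory. In the same row, the `.. important::` body opens with a literal "NOTICE:" line that duplicates the admonition title and can be dropped. The Protected Website description "A domain name consists of letters separated by dots (.)" is too narrow, since labels can also contain digits and hyphens. The heading "Processes of Connecting a Website to WAF" introduces a single process (Figure 1) and should be singular.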
diff --git a/umn/source/enabling_waf_protection/connecting_a_website_to_waf/index.rst b/umn/source/website_settings/connecting_a_website_to_waf_dedicated_mode/index.rst similarity index 67% rename from umn/source/enabling_waf_protection/connecting_a_website_to_waf/index.rst rename to umn/source/website_settings/connecting_a_website_to_waf_dedicated_mode/index.rst index a7f6251..1109d35 100644 --- a/umn/source/enabling_waf_protection/connecting_a_website_to_waf/index.rst +++ b/umn/source/website_settings/connecting_a_website_to_waf_dedicated_mode/index.rst @@ -2,14 +2,15 @@ .. _waf_01_0249: -Connecting a Website to WAF -=========================== +Connecting a Website to WAF (Dedicated Mode) +============================================ - :ref:`Connection Process (Dedicated Mode) ` - :ref:`Step 1: Add a Website to WAF ` -- :ref:`Step 2: Configure a Load Balancer ` +- :ref:`Step 2: Configure a Load Balancer for WAF ` - :ref:`Step 3: Bind an EIP to a Load Balancer ` - :ref:`Step 4: Whitelist the Back-to-Source IP Addresses of Your Dedicated WAF Instances ` +- :ref:`Step 5: Test Dedicated WAF ` .. toctree:: :maxdepth: 1 @@ -17,6 +18,7 @@ Connecting a Website to WAF connection_process_dedicated_mode step_1_add_a_website_to_waf - step_2_configure_a_load_balancer + step_2_configure_a_load_balancer_for_waf step_3_bind_an_eip_to_a_load_balancer step_4_whitelist_the_back-to-source_ip_addresses_of_your_dedicated_waf_instances + step_5_test_dedicated_waf diff --git a/umn/source/website_settings/connecting_a_website_to_waf_dedicated_mode/step_1_add_a_website_to_waf.rst b/umn/source/website_settings/connecting_a_website_to_waf_dedicated_mode/step_1_add_a_website_to_waf.rst new file mode 100644 index 0000000..860d0d0 --- /dev/null +++ b/umn/source/website_settings/connecting_a_website_to_waf_dedicated_mode/step_1_add_a_website_to_waf.rst 
@@ -0,0 +1,188 @@ +:original_name: waf_01_0250.html + +.. _waf_01_0250: + +Step 1: Add a Website to WAF +============================ + +If your service servers are deployed on the cloud, you can add the domain name or IP address of the website to WAF so that the website traffic is forwarded to WAF for inspection. + +.. note:: + + If you have enabled enterprise projects, you can select your enterprise project from the **Enterprise Project** drop-down list and add websites to be protected in the project. + +Prerequisites +------------- + +You have applied for a dedicated WAF instance. + +Constraints +----------- + +- An Internet-facing load balancer has been deployed on the website you want to protect with dedicated WAF instances. +- If your website has no layer-7 proxy server such as CDN and cloud acceleration service deployed in front of WAF and uses only layer-4 load balancers (or NAT), set **Proxy Configured** to **No**. Otherwise, **Proxy Configured** must be set to **Yes**. This ensures that WAF obtains real IP addresses of website visitors and takes protective actions configured in protection policies. + +Procedure +--------- + +#. Log in to the management console. +#. Click |image1| in the upper left corner of the management console and select a region or project. +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +4. In the navigation pane, choose **Website Settings**. + +5. In the upper left corner of the website list, click **Add Website**. + +6. Provide the domain name details. + + - **Website Name**: (Optional) You can customize the website name. + - **Domain Name**: Enter the domain name of a website you want WAF to protect. You can enter a single domain name or a wildcard domain name. + + .. note:: + + - WAF does not support wildcard domain names containing underscores (_). + - If the server IP address of each subdomain name is the same, enter a wildcard domain name to be protected. 
For example, if the subdomain names **a.example.com**, **b.example.com**, and **c.example.com** have the same server IP address, you can add the wildcard domain name **\*.example.com** to WAF to protect all three. + - If the server IP addresses of subdomain names are different, add subdomain names as single domain names one by one. + + - **Website Remarks**: (Optional) You can provide remarks about your website if you want. + + + .. figure:: /_static/images/en-us_image_0000001684305004.png + :alt: **Figure 1** Configuring domain name details + + **Figure 1** Configuring domain name details + +7. Configure the origin server. :ref:`Table 1 ` describes the parameters. + + + .. figure:: /_static/images/en-us_image_0000001732225393.png + :alt: **Figure 2** Origin Server Settings + + **Figure 2** Origin Server Settings + + .. _waf_01_0250__table077263255719: + + .. table:: **Table 1** Parameter description + + +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------+ + | Parameter | Description | Example Value | + +=======================+========================================================================================================================================================================================================================================+=================================+ + | Protected Port | Select the port type that you want WAF to protect from the drop-down list. | 81 | + | | | | + | | To protect port 80 or 443, select **Standard port** from the drop-down list. 
| | + +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------+ + | Server Configuration | Address of the web server. The configuration contains the **Client Protocol**, **Server protocol**, VPC, **Server Address,** and **Server Port**. | **Client Protocol**: **HTTP** | + | | | | + | | - **Client Protocol**: protocol used by a client to access a server. The options are **HTTP** and **HTTPS**. | **Server Protocol**: **HTTP** | + | | - **Server Protocol**: protocol used by WAF to forward client requests. The options are **HTTP** and **HTTPS**. | | + | | - **VPC**: Select the VPC to which the dedicated WAF instance belongs. | **Server Address**: XXX.XXX.1.1 | + | | | | + | | .. note:: | **Server Port**: **80** | + | | | | + | | To implement active-active services and prevent single points of failure (SPOFs), it is recommended that at least two WAF instances be deployed in the same VPC. | | + | | | | + | | - **Server Address**: Private/internal IP address of the website server that a client (for example, a browser) accesses. | | + | | - **Server Port**: service port of the server to which the dedicated WAF instance forwards client requests. | | + +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------+ + | Certificate Name | If you set **Client Protocol** to **HTTPS**, an SSL certificate is required. | -- | + | | | | + | | The newly imported certificates will be listed on the **Certificates** page. For more details, see :ref:`Uploading a Certificate `. | | + | | | | + | | .. 
important:: | | + | | | | + | | NOTICE: | | + | | | | + | | - Only .pem certificates can be used in WAF. If the certificate is not in .pem format, convert it into .pem by referring to :ref:`Importing a New Certificate ` before uploading the certificate. | | + | | - If your website certificate is about to expire, purchase a new certificate before the expiration date and update the certificate associated with the website in WAF. | | + | | - Each domain name must have a certificate associated. A wildcard domain name can only use a wildcard domain certificate. If you only have single-domain certificates, add domain names one by one in WAF. | | + +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------+ + +8. Configure the advanced settings. + + - **Proxy Configured**: WAF security policies work only for real client IP addresses where the requests initiate. To ensure that WAF obtains real client IP addresses, if your website has layer-7 proxy servers such as CDN and cloud acceleration products deployed in front of WAF, select **Yes** for **Proxy Configured**. + + - **Policy**: The **system-generated policy** is selected by default. You can select a policy you configured before. You can also customize rules after the domain name is connected to WAF. + + System-generated policies include: + + - Basic web protection (**Log only** mode and common checks) + + The basic web protection defends against attacks such as SQL injections, XSS, remote overflow vulnerabilities, file inclusions, Bash vulnerabilities, remote command execution, directory traversal, sensitive file access, and command/code injections. 
+ + - Anti-crawler (**Log only** mode and **Scanner** feature) + + WAF only logs web scanning tasks, such as vulnerability scanning and virus scanning, such as crawling behavior of OpenVAS and Nmap. + + .. note:: + + **Log only**: WAF only logs detected attack events instead of blocking them. + +9. Click **OK**. + +Verification +------------ + +The initial **Access Status** of a website is **Inaccessible**. After you configure a load balancer and bind an EIP to the load balancer for your website, when a request reaches the WAF dedicated instance, the access status automatically changes to **Accessible**. + +.. _waf_01_0250__section36817893018: + +Importing a New Certificate +--------------------------- + +If you set **Client Protocol** to **HTTPS**, an SSL certificate is required. You can perform the following steps to import a new certificate. + +#. Click **Import New Certificate**. In the displayed dialog box, enter a certificate name and copy the certificate file and private key to the corresponding text boxes. + + + .. figure:: /_static/images/en-us_image_0000001285728898.png + :alt: **Figure 3** Import New Certificate + + **Figure 3** Import New Certificate + + .. note:: + + WAF encrypts and saves the private key to keep it safe. + + Only .pem certificates can be used in WAF. If the certificate is not in .pem format, convert it into .pem locally by referring to :ref:`Table 2 ` before uploading it. + + .. _waf_01_0250__waf_01_0002_table1292125414516: + + .. table:: **Table 2** Certificate conversion commands + + +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------+ + | Format | Conversion Method | + +===================================+============================================================================================================================+ + | CER/CRT | Rename the **cert.crt** certificate file to **cert.pem**. 
| + +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------+ + | PFX | - Obtain a private key. For example, run the following command to convert **cert.pfx** into **key.pem**: | + | | | + | | **openssl pkcs12 -in cert.pfx -nocerts -out key.pem -nodes** | + | | | + | | - Obtain a certificate. For example, run the following command to convert **cert.pfx** into **cert.pem**: | + | | | + | | **openssl** **pkcs12** **-in** **cert.pfx** **-nokeys** **-out** **cert.pem** | + +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------+ + | P7B | a. Convert a certificate. For example, run the following command to convert **cert.p7b** into **cert.cer**: | + | | | + | | **openssl** **pkcs7** **-print_certs** **-in** **cert.p7b** **-out** **cert.cer** | + | | | + | | b. Rename certificate file **cert.cer** to **cert.pem**. | + +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------+ + | DER | - Obtain a private key. For example, run the following command to convert ****privatekey.der**** into **privatekey.pem**: | + | | | + | | **openssl** **rsa** **-inform** **DER** **-outform** **PEM** **-in** **privatekey.der** **-out** **privatekey.pem** | + | | | + | | - Obtain a certificate. For example, run the following command to convert **cert.cer** into **cert.pem**: | + | | | + | | **openssl** **x509** **-inform** **der** **-in** **cert.cer** **-out cert.pem** | + +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------+ + + .. note:: + + - Before running an OpenSSL command, ensure that the `OpenSSL `__ tool has been installed on the local host. 
+ - If your local PC runs a Windows operating system, go to the command line interface (CLI) and then run the certificate conversion command. + +#. Click **Confirm**. + +.. |image1| image:: /_static/images/en-us_image_0000001368128877.jpg +.. |image2| image:: /_static/images/en-us_image_0000001732142997.png diff --git a/umn/source/website_settings/connecting_a_website_to_waf_dedicated_mode/step_2_configure_a_load_balancer_for_waf.rst b/umn/source/website_settings/connecting_a_website_to_waf_dedicated_mode/step_2_configure_a_load_balancer_for_waf.rst new file mode 100644 index 0000000..9de4b31 --- /dev/null +++ b/umn/source/website_settings/connecting_a_website_to_waf_dedicated_mode/step_2_configure_a_load_balancer_for_waf.rst 
@@ -0,0 +1,137 @@ +:original_name: waf_01_0251.html + +.. _waf_01_0251: + +Step 2: Configure a Load Balancer for WAF +========================================= + +To ensure your dedicated WAF instance reliability, after you add a website to it, use Elastic Load Balance (ELB) to configure a load balancer and a health check for the dedicated WAF instance. + +Prerequisites +------------- + +- You have added a website to a dedicated WAF instance. + +- You have created a load balancer. + +- Related ports have been enabled in the security group to which the dedicated WAF instance belongs. + + You can configure your security group as follows: + + - Inbound rules + + Add an inbound rule to allow incoming network traffic to pass through over a specified port based on your service requirements. For example, if you want to allow access from port 80, add a rule that allows **TCP** and port **80**. + + - Outbound rules + + Retain the default settings. All outgoing network traffic is allowed by default. + +Constraints +----------- + +- If **Health Check** is configured, the health check result of the dedicated instance must be **Normal**, or the website requests cannot be pointed to WAF. +- The backend port for the listener must be the same as the service port protected by the dedicated WAF instance, which is the protection port set in :ref:`Step 1: Add a Website to WAF `. +- WAF works as a layer-7 proxy. When configuring a listener, you can only select HTTP or HTTPS as the frontend protocol. + +Impact on the System +-------------------- + +If you select **Weighted round robin** for **Load Balancing Algorithm**, disable **Sticky Session**. If you enable **Sticky Session**, the same requests will be forwarded to the same dedicated WAF instance. If this instance becomes faulty, an error will occur when the requests come to it next time. + +.. 
_waf_01_0251__section15547769474: + +Adding a Listener +----------------- + +If **Health Check** is configured, the health check result of the dedicated instance must be **Healthy**, or the website requests cannot be pointed to WAF. + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner of the page and choose **Elastic Load Balance** under **Network** to go to the **Load Balancers** page. + +#. Click the name of the load balancer you want in the **Name** column to go to the **Listeners** page. + +#. Then, click **Add Listener** and configure the listener information. + + - **Frontend Port**: Set it to the origin server port configured in WAF. + - **Frontend Protocol**: Select HTTP or HTTPS. + + + .. figure:: /_static/images/en-us_image_0000001684193230.png + :alt: **Figure 1** Configuring a listener + + **Figure 1** Configuring a listener + +#. Click **Next: Configure Request Routing Policy**. :ref:`Figure 2 ` shows an example. + + .. _waf_01_0251__fig86114755315: + + .. figure:: /_static/images/en-us_image_0000001733107861.png + :alt: **Figure 2** Configuring a backend server group + + **Figure 2** Configuring a backend server group + + .. important:: + + If you select **Weighted round robin** for **Load Balancing Algorithm**, disable **Sticky Session**. If you enable **Sticky Session**, the same requests will be forwarded to the same dedicated WAF instance. If this instance becomes faulty, an error will occur when the requests come to it next time. + +#. Click **Next: Add Backend Server** and configure a health check. + + .. important:: + + If **Health Check** is configured, the health check result must be **Healthy**, or the website requests cannot be pointed to WAF. . + +#. Click **Next: Confirm**. + +#. Click **Submit**. + +Adding WAF Instances to an ELB Load Balancer +-------------------------------------------- + +#. 
Log in to the management console. + +#. Click |image3| in the upper left corner of the management console and select a region or project. + +#. Click |image4| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane on the left, choose **Instance Management** > **Dedicated Engine** to go to the dedicated WAF instance page. + + + .. figure:: /_static/images/en-us_image_0000001732567617.png + :alt: **Figure 3** Dedicated engine list + + **Figure 3** Dedicated engine list + +#. In the row containing the instance you want to upgrade, click **More** > **Add to ELB** in the **Operation** column. + +#. In the **Add to ELB** dialog box, specify **ELB (Load Balancer)**, **ELB Listener**, and **Backend Server Group** based on :ref:`Adding a Listener `. + + + .. figure:: /_static/images/en-us_image_0000001684228264.png + :alt: **Figure 4** Add to ELB + + **Figure 4** Add to ELB + + .. important:: + + The **Health Check** result must be **Healthy**, or the website requests cannot be pointed to WAF. + +#. Click **Confirm**. Then, configure service port for the WAF instance, and **Backend Port** must be set to the port configured in :ref:`Step 1: Add a Website to WAF `. + + + .. figure:: /_static/images/en-us_image_0000001685273988.png + :alt: **Figure 5** Configuring Backend Port + + **Figure 5** Configuring Backend Port + +Verification +------------ + +If the **Health Check Result** is **Healthy**, the load balancer is configured. + +.. |image1| image:: /_static/images/en-us_image_0000001379513829.jpg +.. |image2| image:: /_static/images/en-us_image_0000001379794013.png +.. |image3| image:: /_static/images/en-us_image_0000001379638185.jpg +.. |image4| image:: /_static/images/en-us_image_0000001711487817.png 
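Review bot: In step_2_configure_a_load_balancer_for_waf.rst the health check state is named two ways: the Constraints bullet says the result must be **Normal**, while Adding a Listener, both important boxes and Verification say **Healthy**. Use the one term the ELB console shows, and state the requirement once rather than in Constraints, at the top of Adding a Listener and again in the Add Backend Server step (where the sentence also ends in a stray " ."). Two further points in this hunk: "In the row containing the instance you want to upgrade" under Adding WAF Instances to an ELB Load Balancer reads like a leftover from an upgrade procedure and should refer to the instance being added to the load balancer; and the inbound rule example ("add a rule that allows **TCP** and port **80**") names no source, so say which source range the rule should use for traffic coming from the load balancer.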
diff --git a/umn/source/website_settings/connecting_a_website_to_waf_dedicated_mode/step_3_bind_an_eip_to_a_load_balancer.rst b/umn/source/website_settings/connecting_a_website_to_waf_dedicated_mode/step_3_bind_an_eip_to_a_load_balancer.rst new file mode 100644 index 0000000..3c16cc9 --- /dev/null +++ b/umn/source/website_settings/connecting_a_website_to_waf_dedicated_mode/step_3_bind_an_eip_to_a_load_balancer.rst 
@@ -0,0 +1,47 @@ +:original_name: waf_01_0252.html + +.. _waf_01_0252: + +Step 3: Bind an EIP to a Load Balancer +====================================== + +After you configure a load balancer for your dedicated WAF instance, you need to unbind the EIP from the origin server and then bind this EIP to the load balancer you configured. For details, see :ref:`Configuring a Load Balancer `. The request traffic then goes to the dedicated WAF instance for attack detection first and then go to the origin server, ensuring the security, stability, and availability of the origin server. + +Prerequisites +------------- + +You have configured :ref:`a load balancer ` for a dedicated WAF instance. + +Procedure +--------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner of the page and choose **Elastic Load Balance** under **Network** to go to the ELB console. + +#. .. _waf_01_0252__li201541213511: + + On the **Load Balancers** page, unbind the EIP from the origin server. + + - Unbinding an IPv4 EIP: Locate the row that contains the load balancer configured for the origin server. Then, in the **Operation** column, click **More** > **Unbind IPv4 EIP**. + - Unbinding an IPv6 EIP: Locate the row that contains the load balancer configured for the origin server. Then, in the **Operation** column, click **More** > **Unbind IPv6 Address**. + + + .. figure:: /_static/images/en-us_image_0000001344294497.png + :alt: **Figure 1** Unbinding an EIP + + **Figure 1** Unbinding an EIP + +#. In the displayed dialog box, click **Yes**. + +#. On the **Load Balancers** page, locate the load balancer configured for the dedicated WAF instance and bind the EIP unbound from the origin server to the load balancer. 
+ + - Binding an IPv4 EIP: Locate the row that contains the load balancer configured for the dedicated WAF instance, click **More** in the **Operation** column, and select **Bind IPv4 EIP**. + - Binding an IPv6 EIP: Locate the row that contains the load balancer configured for the dedicated WAF instance, click **More** in the **Operation** column, and select **Bind IPv6 Address**. + +#. In the displayed dialog box, select the EIP unbound in :ref:`Step 4 ` and click **OK**. + +.. |image1| image:: /_static/images/en-us_image_0000001379820401.jpg +.. |image2| image:: /_static/images/en-us_image_0212852906.png diff --git a/umn/source/enabling_waf_protection/connecting_a_website_to_waf/step_4_whitelist_the_back-to-source_ip_addresses_of_your_dedicated_waf_instances.rst b/umn/source/website_settings/connecting_a_website_to_waf_dedicated_mode/step_4_whitelist_the_back-to-source_ip_addresses_of_your_dedicated_waf_instances.rst similarity index 91% rename from umn/source/enabling_waf_protection/connecting_a_website_to_waf/step_4_whitelist_the_back-to-source_ip_addresses_of_your_dedicated_waf_instances.rst rename to umn/source/website_settings/connecting_a_website_to_waf_dedicated_mode/step_4_whitelist_the_back-to-source_ip_addresses_of_your_dedicated_waf_instances.rst index fd6c160..399c58f 100644 --- a/umn/source/enabling_waf_protection/connecting_a_website_to_waf/step_4_whitelist_the_back-to-source_ip_addresses_of_your_dedicated_waf_instances.rst +++ b/umn/source/website_settings/connecting_a_website_to_waf_dedicated_mode/step_4_whitelist_the_back-to-source_ip_addresses_of_your_dedicated_waf_instances.rst 
@@ -41,12 +41,12 @@ If your origin server is deployed on an ECS, perform the following steps to conf #. In the navigation pane on the left, choose **Instance Management** > **Dedicated Engine** to go to the dedicated WAF instance page. - .. figure:: /_static/images/en-us_image_0000001388786649.png + .. figure:: /_static/images/en-us_image_0000001732567617.png :alt: **Figure 1** Dedicated engine list **Figure 1** Dedicated engine list -#. .. _waf_01_0343__li1041295214415: +#. .. _waf_01_0343__li6801172213128: In the **IP Address** column, obtain the IP address of each dedicated WAF instance under your account. @@ -56,9 +56,9 @@ If your origin server is deployed on an ECS, perform the following steps to conf #. Click the **Security Groups** tab. Then, click **Change Security Group**. -#. In the **Change Security Group** dialog box displayed, select a security group or create a security group. +#. In the **Change Security Group** dialog box displayed, select a security group or create a security group and click **OK**. -#. Click the security group name to view the details. +#. Click the security group ID and view the details. #. Click the **Inbound Rules** tab and click **Add Rule**. Then, specify parameters in the **Add Inbound Rule** dialog box. For details, see :ref:`Table 1 `. 
@@ -71,7 +71,7 @@ If your origin server is deployed on an ECS, perform the following steps to conf +===================================+======================================================================================================================================================================================+ | Protocol & Port | Protocol and port for which the security group rule takes effect. If you select **TCP (Custom ports)**, enter the origin server port number in the text box below the TCP box. | +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Source | Subnet IP address of each dedicated WAF instance you obtain in :ref:`Step 5 `. Configure an inbound rule for each IP address. | + | Source | Subnet IP address of each dedicated WAF instance you obtain in :ref:`Step 5 `. Configure an inbound rule for each IP address. | | | | | | .. note:: | | | | @@ -102,7 +102,7 @@ If your origin server uses ELB to distribute traffic, perform the following step #. In the navigation pane on the left, choose **Instance Management** > **Dedicated Engine** to go to the dedicated WAF instance page. - .. figure:: /_static/images/en-us_image_0000001388786649.png + .. figure:: /_static/images/en-us_image_0000001732567617.png :alt: **Figure 2** Dedicated engine list **Figure 2** Dedicated engine list 
@@ -113,16 +113,28 @@ If your origin server uses ELB to distribute traffic, perform the following step #. Locate the row containing the load balancer configured for your dedicated WAF instance and click the load balancer name in the **Name** column. -#. On the displayed details page, click the **Listeners** tab and then click **Configure Access Control** in the **Access Control** column. +#. In the **Access Control** row of the target listener, click **Configure**. + + + .. figure:: /_static/images/en-us_image_0000001545291713.png + :alt: **Figure 3** Listener list + + **Figure 3** Listener list #. In the displayed dialog box, select **Whitelist** for **Access Policy**. a. .. _waf_01_0343__li18121331122018: - Click **Create IP Address Group** and add the IP addresses of the dedicated WAF instances into the IP address group. + Click **Create IP Address Group** and add the IP addresses of the dedicated WAF instances into the IP address group. You can obtain these IP addresses from :ref:`Step 5 `. b. Select the IP address group created in :ref:`9.a ` from the **IP Address Group** drop-down list. + + .. figure:: /_static/images/en-us_image_0000001732267765.png + :alt: **Figure 4** Configuring whitelist access control + + **Figure 4** Configuring whitelist access control + #. Click **OK**. Now, the access control policy allows all inbound traffic from the back-to-source IP addresses of your dedicated WAF instances. diff --git a/umn/source/website_settings/connecting_a_website_to_waf_dedicated_mode/step_5_test_dedicated_waf.rst b/umn/source/website_settings/connecting_a_website_to_waf_dedicated_mode/step_5_test_dedicated_waf.rst new file mode 100644 index 0000000..7ccffc5 --- /dev/null +++ b/umn/source/website_settings/connecting_a_website_to_waf_dedicated_mode/step_5_test_dedicated_waf.rst 
@@ -0,0 +1,118 @@ +:original_name: waf_01_1346.html + +.. _waf_01_1346: + +Step 5: Test Dedicated WAF +========================== + +To ensure that WAF can forward your website requests normally, test WAF locally after you add a website to WAF. + +Prerequisites +------------- + +You have performed operations in :ref:`Step 1: Add a Website to WAF ` to :ref:`Step 4: Whitelist the Back-to-Source IP Addresses of Your Dedicated WAF Instances `. + +(Optional) Testing a Dedicated WAF Instance +------------------------------------------- + +#. .. _waf_01_1346__li147271915114514: + + Create an ECS that is in the same VPC as the dedicated WAF instance for sending requests. + +#. Send requests to the dedicated WAF through the ECS created in :ref:`Step 1 `. + + - Forwarding test + + .. code-block:: + + curl -kv -H "Host: {protection object added to WAF}"{Client protocol in server configuration}://{IP address of the dedicated WAF instance}:{protection port} + + For example: + + .. code-block:: + + curl -kv -H "Host: a.example.com" http://192.168.0.1 + + If the response code is 200, the request has been forwarded. + + - Attack blocking test + + a. Ensure that the block mode for basic web protection has been enabled in the policy used for the protected website. + + |image1| + + |image2| + + b. Run the following command: + + .. code-block:: + + curl -kv -H "Host: {protection object added to WAF}"{Client protocol in server configuration}://{IP address of the dedicated WAF instance}:{protection port}--data "id=1 and 1='1" + + Example: + + .. code-block:: + + curl -kv -H "Host: a.example.com" http:// 192.168.X.X --data "id=1 and 1='1" + + If the response code is 418, the request has been blocked, indicating that the dedicated WAF works properly. + +Testing the Dedicated WAF Instance and Dedicated ELB Load Balancer +------------------------------------------------------------------ + +- Forwarding test + + .. 
code-block:: + + curl -kv -H "Host: { protection object added to WAF}"{ELB external protocol}://{Private IP address bound to the load balancer}:{ELB listening port} + + If an EIP is bound to the load balancer, any publicly accessible servers can be used for testing. + + .. code-block:: + + curl -kv -H "Host: {Protected object added to WAF}" {ELB external protocol}://{EIP bound to the load balancer}:{ELB listening port} + + Example: + + .. code-block:: + + curl -kv -H "Host: a.example.com" http://192.168.X.Y + curl -kv -H "Host: a.example.com" http://100.10.X.X + + If the response code is 200, the request has been forwarded. + + If the dedicated WAF instance works but the request fails to be forwarded, check the load balancer settings first. If the load balancer health check result is unhealthy, disable health check and perform the preceding operations again. + +- Attack blocking test + + #. Ensure that the block mode for basic web protection has been enabled in the policy used for the protected website. + + |image3| + + |image4| + + #. Run the following command: + + .. code-block:: + + curl -kv -H "Host: { protection object added to WAF}"{ELB external protocol}://{Private IP address bound to the load balancer}:{ELB listening port}--data "id=1 and 1='1" + + If an EIP has been bound to the load balancer, any publicly accessible servers can be used for testing. + + .. code-block:: + + curl -kv -H "Host: { protection object added to WAF}"{ELB external protocol}://{EIP bound to the load balancer}:{ELB listening port}--data "id=1 and 1='1" + + Example: + + .. code-block:: + + curl -kv -H "Host: a.example.com" http:// 192.168.0.2 --data "id=1 and 1='1" + curl -kv -H "Host: a.example.com" http:// 100.10.X.X --data "id=1 and 1='1" + + If the response code is 418, the request has been blocked, indicating that both dedicated WAF instance and ELB load balancer work properly. + +.. |image1| image:: /_static/images/en-us_image_0000001732411573.png +.. 
|image2| image:: /_static/images/en-us_image_0000001657133813.png +.. |image3| image:: /_static/images/en-us_image_0000001732411573.png +.. |image4| image:: /_static/images/en-us_image_0000001657133813.png diff --git a/umn/source/website_settings/index.rst b/umn/source/website_settings/index.rst new file mode 100644 index 0000000..75c0d6c --- /dev/null +++ b/umn/source/website_settings/index.rst @@ -0,0 +1,20 @@ +:original_name: waf_01_0070.html + +.. _waf_01_0070: + +Website Settings +================ + +- :ref:`Connecting a Website to WAF (Dedicated Mode) ` +- :ref:`Advanced Settings ` +- :ref:`Basic Information ` +- :ref:`Ports Supported by WAF ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + connecting_a_website_to_waf_dedicated_mode/index + advanced_settings/index + basic_information/index + ports_supported_by_waf diff --git a/umn/source/enabling_waf_protection/ports_supported_by_waf.rst b/umn/source/website_settings/ports_supported_by_waf.rst similarity index 96% rename from umn/source/enabling_waf_protection/ports_supported_by_waf.rst rename to umn/source/website_settings/ports_supported_by_waf.rst index 11f8b49..4d7ad27 100644 --- a/umn/source/enabling_waf_protection/ports_supported_by_waf.rst +++ b/umn/source/website_settings/ports_supported_by_waf.rst @@ -5,6 +5,8 @@ Ports Supported by WAF ====================== +WAF can protect standard and non-standard ports. When you add a website to WAF, you need to specify protection port, which is your service port. WAF will then forward and protect traffic over this port. This section describes the standard and non-standard ports WAF can protect. + :ref:`Table 1 ` lists the ports that can be protected by WAF. .. _waf_01_1249__waf_01_0032_table9589104616288:
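Review bot: In the ports_supported_by_waf.rst hunk, the added introduction is missing an article in "you need to specify protection port" (suggest "specify the protection port"), and its last sentence, "This section describes the standard and non-standard ports WAF can protect", says the same thing as the unchanged line that follows it, "Table 1 lists the ports that can be protected by WAF". Keep one of the two.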
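Review bot: In step_1_add_a_website_to_waf.rst, Table 2, the CER/CRT row ("Rename the **cert.crt** certificate file to **cert.pem**") only holds when the file is already Base64 PEM text; a DER-encoded .cer or .crt renamed this way is not a PEM file, and the DER row of the same table converts **cert.cer** with `openssl x509 -inform der` for exactly that case. Say in the CER/CRT row that renaming applies to PEM-encoded files and send binary ones to the DER row. In the PFX row, `-nodes` writes **key.pem** unencrypted, so a sentence on restricting access to that file and removing it after upload would sit well next to the note that WAF encrypts the stored key. Smaller items in the same hunk: the Procedure list switches from `#.` to hard-coded `4.` through `9.` after the third step, `****privatekey.der****` has doubled emphasis markers, and the important box in the Certificate Name row repeats itself with a literal "NOTICE:".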
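Review bot: In step_3_bind_an_eip_to_a_load_balancer.rst the introduction says to unbind the EIP "from the origin server", but the unbind step only covers "the load balancer configured for the origin server" on the **Load Balancers** page. Step 4 of this guide handles origins deployed on an ECS as well as origins behind ELB, so either add the ECS case here or state that this procedure assumes the origin sits behind a load balancer. It is also worth saying what happens to requests sent to that EIP between the unbind and the bind, and the sentence "goes to the dedicated WAF instance for attack detection first and then go to the origin server" needs "goes" in the second verb.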
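Review bot: In the @@ -113,16 hunk of step_4_whitelist_the_back-to-source_ip_addresses_of_your_dedicated_waf_instances.rst, the added sentence "You can obtain these IP addresses from Step 5" and the existing "created in 9.a" use hard-coded step numbers as link text. This is the ELB procedure with its own numbering, and the same patch renames the label on the ECS procedure's IP address step (@@ -41,12), so check that the link resolves to a step in this procedure and that "9.a" still matches after the listener step was rewritten. The closing sentence says the policy "allows all inbound traffic from the back-to-source IP addresses"; because the access policy selected is **Whitelist**, consider adding that the listener no longer accepts traffic from other sources, since that is what the reader is configuring.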
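Review bot: In step_5_test_dedicated_waf.rst the curl templates cannot be pasted as written: there is no space between the closing quote of the Host header and the URL (`"Host: {protection object added to WAF}"{Client protocol in server configuration}://`), none before `--data` (`{protection port}--data "id=1 and 1='1"`), and the blocking examples have a space inside the URL (`http:// 192.168.X.X`). Add the missing spaces, remove the stray one, and keep the placeholder wording consistent ("protection object" in most templates, "Protected object" in one). Separately, "If the load balancer health check result is unhealthy, disable health check and perform the preceding operations again" conflicts with Step 2, which requires the result to be **Healthy**; if disabling is meant only as a temporary diagnostic, say so and tell the reader to turn the health check back on. The examples also omit the port that the templates include, and `-k` skips certificate verification, which deserves a sentence for the case where the client protocol is HTTPS.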