This topic describes how to edit or add server information for a website to be protected.
-- Modify server information, including Client Protocol, Server Protocol, VPC, Server Address, and Server Port.
- Add server configurations.
- Update a certificate by referring to Updating a Certificate.
If you select dedicated when adding a website to WAF, you can edit the server information of your website.
+- Modify server information, including Client Protocol, Server Protocol, VPC, Server Address, and Server Port.
- Add server configurations.
- Update a certificate by referring to Updating the Certificate Used for a Website.
If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the enterprise project from the Enterprise Project drop-down list and configure server information for the domain names.
Prerequisites
A website has been added to WAF.
+Prerequisites
+Constraints
If PCI DSS/3DS compliance check is enabled, the client protocol cannot be changed, and no origin server addresses can be added.
Impact on the System
Modifying the server configuration does not affect services.
Procedure
- Log in to the management console.
- Click
in the upper left corner of the management console and select a region or project. - Click
in the upper left corner and choose Web Application Firewall (Dedicated) under Security. - In the navigation pane on the left, choose Website Settings.
- In the Domain Name column, click the domain name of the website to go to the basic information page.
- In the Server Information area, click
.Figure 1 Server Information-
- On the Edit Server Information page, edit the server configurations (such as client protocols and associated certificates).
- For details about certificate, see Updating a Certificate.
- WAF supports configuring of multiple backend servers. To add a backend server, click Add.
Editing Server Information
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
- In the navigation pane on the left, choose Website Settings.
- In the Domain Name column, click the domain name of the website to go to the basic information page.
- In the Server Information area, click
. - On the Edit Server Information page, edit the server configurations (such as client protocols and associated certificates).
- For details about certificate, see Updating the Certificate Used for a Website.
- WAF supports configuring of multiple backend servers. To add a backend server, click Add.
- Click Confirm.
You can change the working mode of WAF. WAF can work in Enabled or Suspended mode.
If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the enterprise project from the Enterprise Project drop-down list and switch WAF working mode for a specific domain name.
Prerequisites
The domain name of the website to be protected has been connected to WAF.
+ -Application Scenarios
- Enabled: In this mode, WAF defends your website against attacks based on configured policies.
- Suspended: If a large number of normal requests are blocked, for example, status code 418 is frequently returned, then you can switch the mode to Suspended. In this mode, your website is not protected because WAF only forwards requests. It does not scan for or log attacks. This mode is risky. You are advised to use the false alarm masking rules to reduce false alarms.
Application Scenarios
- Enabled: In this mode, WAF defends your website against attacks based on configured policies.
- Suspended: If a large number of normal requests are blocked, for example, status code 418 is frequently returned, then you can switch the mode to Suspended. In this mode, your website is not protected because WAF only forwards requests. It does not scan for or log attacks. This mode is risky. You are advised to use the global protection whitelist rules to reduce false alarms.
Impact on the System
In the Suspended mode, your website is not protected because WAF only forwards requests. It does not scan for attacks. To avoid normal requests from being blocked, configure false alarm masking rules, instead of using the Suspended mode.
+Impact on the System
In Suspended mode, your website is not protected because WAF only forwards requests. It does not scan for attacks. To avoid normal requests from being blocked, configure global protection whitelist rules, instead of using the Suspended mode.
Procedure
- Log in to the management console.
- Click
in the upper left corner of the management console and select a region or project. - Click
in the upper left corner and choose Web Application Firewall (Dedicated) under Security. - In the navigation pane on the left, choose Website Settings.
- In the Mode column of the row containing the target domain name, click
and select a working mode.Figure 1 Switching WAF working mode-
Switching WAF Working Mode
- Log in to the management console.
- Click
in the upper left corner of the management console and select a region or project. - Click
in the upper left corner and choose Web Application Firewall (Dedicated) under Security. - In the navigation pane on the left, choose Website Settings.
Removing a Protected Website from WAF
+Deleting a Protected Website from WAF
This topic describes how to remove a website from WAF if you no longer need to protect it.
-Before removing a website from WAF, go to your DNS provider and resolve your domain name to the IP address of the origin server, or the traffic to your domain name cannot be routed to the origin server.
-Prerequisites
A website domain name has been added to WAF.
+Impact on the System
It takes about a minute to remove a website from WAF, but once this action is started, it cannot be cancelled. Exercise caution when removing a website from WAF.
Procedure
- Log in to the management console.
- Click
in the upper left corner of the management console and select a region or project. - Click
in the upper left corner and choose Web Application Firewall (Dedicated) under Security. - In the navigation pane on the left, choose Website Settings.
- In the row containing the website domain name you want to delete, click Delete in the Operation column.
- In the displayed confirmation dialog box, confirm the deletion.
If you want to retain the policy applied to the domain name, select Retain the policy of this domain name.
+Deleting a Protected Website from WAF
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
- In the navigation pane on the left, choose Website Settings.
- In the row containing the website domain name you want to delete, click Delete in the Operation column.
- In the displayed confirmation dialog box, confirm the deletion.
If you want to retain the policy applied to the domain name, select Retain the policy of this domain name.
Figure 1 Deleting a protected domain name from WAF
- Click OK.
If Domain name deleted successfully is displayed in the upper right corner, the domain name of the website was deleted.
diff --git a/docs/wafd/umn/waf_01_0007.html b/docs/wafd/umn/waf_01_0007.html index f7a200e1..5b4ddc56 100644 --- a/docs/wafd/umn/waf_01_0007.html +++ b/docs/wafd/umn/waf_01_0007.html @@ -1,34 +1,36 @@ --Parent topic: Website Domain Name Management+Parent topic: Managing WebsitesRule Configuration
+Configuring Protection Policies
diff --git a/docs/wafd/umn/waf_01_0008.html b/docs/wafd/umn/waf_01_0008.html index c118f6bc..f6612ed2 100644 --- a/docs/wafd/umn/waf_01_0008.html +++ b/docs/wafd/umn/waf_01_0008.html @@ -1,14 +1,14 @@ --
-
- Configuration Guidance
+ - Protection Configuration Overview
- - Configuring Basic Web Protection Rules
+ - Configuring Basic Protection Rules to Defend Against Common Web Attacks
- - Configuring a CC Attack Protection Rule
+ - Configuring CC Attack Protection Rules to Defend Against CC Attacks
- - Configuring a Precise Protection Rule
+ - Configuring Custom Precise Protection Rules
- - Adding a Reference Table
+ - Configuring IP Address Blacklist and Whitelist Rules to Block or Allow Specified IP Addresses
- - Configuring an IP Address Blacklist or Whitelist Rule
+ - Configuring Geolocation Access Control Rules to Block or Allow Requests from Specific Locations
- - Configuring a Known Attack Source Rule
-
- - Configuring a Geolocation Access Control Rule
-
- - Configuring a Web Tamper Protection Rule
+ - Configuring Web Tamper Protection Rules to Prevent Static Web Pages from Being Tampered With
- Configuring Anti-Crawler Rules
- - Configuring an Information Leakage Prevention Rule
+ - Configuring Information Leakage Prevention Rules to Protect Sensitive Information from Leakage
- - Configuring a Global Protection Whitelist (Formerly False Alarm Masking) Rule
+ - Configuring a Global Proteciton whitelist Rule to Ignore False Alarms
- - Configuring a Data Masking Rule
+ - Configuring Data Masking Rules to Prevent Privacy Information Leakage
+
+ - Creating a Reference Table to Configure Protection Metrics In Batches
+
+ - Configuring a Known Attack Source Rule to Block Specific Visitors for a Specified Duration
+
+ - Condition Field Description
Configuring Basic Web Protection Rules
+Configuring Basic Protection Rules to Defend Against Common Web Attacks
After this function is enabled, WAF can defend against common web attacks, such as SQL injections, XSS, remote overflow vulnerabilities, file inclusions, Bash vulnerabilities, remote command execution, directory traversal, sensitive file access, and command/code injections. You can also enable other checks in basic web protection, such as web shell detection, deep inspection against evasion attacks, and header inspection.
-
Basic web protection has two modes: Block and Log only.
-- If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the project from the Enterprise Project drop-down list and configure protection policies for the domain names in the project.
Prerequisites
A website has been added to WAF.
+-Prerequisites
A website has been added to WAF.
Procedure
- Log in to the management console.
- Click
in the upper left corner of the management console and select a region or project. - Click
in the upper left corner and choose Web Application Firewall (Dedicated) under Security. - In the navigation pane on the left, choose Website Settings.
- In the Policy column of the row containing the target website, click the number to go to the policy configuration page.
- In the Basic Web Protection configuration area, change Status and Mode as needed by referring to Table 1.Figure 1 Basic Web Protection configuration area+
+Constraints
- Basic web protection has two modes: Block and Log only.
- If you select Block for Basic Web Protection, you can configure access control criteria for a known attack source. WAF will block requests matching the configured IP address, cookie, or params for a length of time configured as part of the rule.
Enabling Basic Web Protection Rules
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
- In the navigation pane on the left, choose Policies.
- Click the name of the target policy to go to the protection configuration page.
- In the Basic Web Protection configuration area, change Status and Mode as needed by referring to Table 1.Figure 1 Basic Web Protection configuration area-
- In the Basic Web Protection configuration area, click Advanced Settings.
- Click the Protection Status tab, and enable protection types one by one by referring to Table 3.Figure 2 Basic web protection-
- Set the protection level.
In the upper part of the page, set Protection Level to Low, Medium, or High. The default value is Medium.
+ - In the Basic Web Protection configuration area, click Advanced Settings.
- Click the Protection Status tab, and enable protection types one by one by referring to Table 3.Figure 2 Basic web protection+
- Set the protective action.
- Block: WAF blocks and logs detected attacks.
If you select Block, you can select a known attack source rule to let WAF block requests accordingly. For details, see Configuring a Known Attack Source Rule to Block Specific Visitors for a Specified Duration.
+ - Log only: WAF only logs detected attacks.
- Block: WAF blocks and logs detected attacks.
- Set the protection level.
In the upper part of the page, set Protection Level to Low, Medium, or High. The default value is Medium.
-Table 2 Protection levels Protection Level
+Table 2 Protection levels Protection Level
Description
+Description
Low
+Low
WAF only blocks the requests with obvious attack signatures.
+WAF only blocks the requests with obvious attack signatures.
If a large number of false alarms are reported, Low is recommended.
Medium
+Medium
The default level is Medium, which meets a majority of web protection requirements.
+The default level is Medium, which meets a majority of web protection requirements.
High
+High
At this level, WAF provides the finest granular protection and can intercept attacks with complex bypass features, such as Jolokia cyber attacks, common gateway interface (CGI) vulnerability detection, and Druid SQL injection attacks.
-To let WAF defend against more attacks but make minimum effect on normal requests, observe your workloads for a period of time first. Then, configure a global protection whitelist rule and select High.
+At this level, WAF provides the finest granular protection and can intercept attacks with complex bypass features, such as Jolokia cyber attacks, common gateway interface (CGI) vulnerability detection, and Druid SQL injection attacks.
+To let WAF defend against more attacks but make minimum effect on normal requests, observe your workloads for a period of time first. Then, configure a global protection whitelist rule and select High.
Deep Inspection
Identifies and blocks evasion attacks, such as the ones that use homomorphic character obfuscation, command injection with deformed wildcard characters, UTF7, data URI scheme, and other techniques.
-NOTE:If you enable Deep Inspection, WAF detects and defends against evasion attacks in depth.
+NOTE:If you enable Deep Inspection, WAF detects and defends against evasion attacks in depth.
Suggestions
- If you are not clear about your service traffic characteristics, you are advised to switch to the Log only mode first and observe the WAF protection for a period of time. Generally, you need to observe service running for one to two weeks, and then analyze the attack logs.
- If no record of blocking legitimate requests is found, switch to the Block mode.
- If legitimate requests are blocked, adjust the protection level or configure global protection whitelist rules to prevent legitimate requests from being blocked.
- Note the following points in your operations:
- Do not transfer the original SQL statement or JavaScript code in a legitimate HTTP request.
- Do not use special keywords (such as UPDATE and SET) in a legitimate URL. For example, https://www.example.com/abc/update/mod.php?set=1.
- Use Object Storage Service (OBS) or other secure methods to upload files that exceed 50 MB rather than via a web browser.
Protection Effect
If General Check is enabled and Mode is set to Block for your domain name, to verify WAF is protecting your website (www.example.com) against general check items:
-- Clear the browser cache and enter the domain name in the address box of a browser to check whether the website is accessible.
- If the website is inaccessible, connect the website domain name to WAF by following the instructions in Step 1: Add a Website to WAF.
- If the website is accessible, go to Step 2.
- Clear the browser cache and enter http://www.example.com?id=1%27%20or%201=1 in the address box of the browser to simulate an SQL injection attack.
- Return to the WAF console. In the navigation pane, choose Events. On the displayed page, view or download events data.
- Clear the browser cache and enter the domain name in the address bar to check whether the website is accessible.
- If the website is inaccessible, connect the website domain name to WAF by following the instructions in Step 1: Add a Website to WAF.
- If the website is accessible, go to Step 2.
- Clear the browser cache and enter http://www.example.com?id=1%27%20or%201=1 in the address box of the browser to simulate an SQL injection attack.
- Return to the WAF console. In the navigation pane, click Events. On the displayed page, view the event log.
Example - Blocking SQL Injection Attacks
If domain name www.example.com has been connected to WAF, perform the following steps to verify that WAF can block SQL injection attacks.
-- Enable General Check in Basic Web Protection and set the protection mode to Block.
- Enable WAF basic web protection.Figure 3 Basic Web Protection configuration area-
- Clear the browser cache and enter a simulated SQL injection (for example, http://www.example.com?id=' or 1=1) in the address box.
WAF blocks the access request. Figure 4 shows an example block page.
- +- Enable General Check in Basic Web Protection and set the protection mode to Block.Figure 3 Enabling General Check+
- Enable WAF basic web protection.Figure 4 Basic Web Protection configuration area+
- Clear the browser cache and enter a simulated SQL injection (for example, http://www.example.com?id=' or 1=1) in the address box.
WAF blocks the access request. Figure 5 shows an example block page.
+ - Go to the WAF console. In the navigation pane on the left, choose Events. View the event on the Events page.
- Enable General Check in Basic Web Protection and set the protection mode to Block.
diff --git a/docs/wafd/umn/waf_01_0009.html b/docs/wafd/umn/waf_01_0009.html new file mode 100644 index 00000000..1d8063f2 --- /dev/null +++ b/docs/wafd/umn/waf_01_0009.html @@ -0,0 +1,149 @@ + + +-Parent topic: Rule Configuration+Parent topic: Configuring Protection PoliciesConfiguring CC Attack Protection Rules to Defend Against CC Attacks
++CC attack protection can limit the access to a protected website based on a single IP address, cookie, or referer. To use this protection, ensure that you have toggled on CC Attack Protection.
+A reference table can be added to a CC attack protection rule. The reference table takes effect for all protected domain names.
++ If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the project from the Enterprise Project drop-down list and configure protection policies for the domain names in the project.
++Prerequisites
A website has been added to WAF.
++Constraints
- If you set Logic to Include any value, Exclude any value, Equal to any value, Not equal to any value, Prefix is any value, Prefix is not any of them, Suffix is any value, or Suffix is not any of them, select an existing reference table. For details, see Creating a Reference Table to Configure Protection Metrics In Batches.
- It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the Events page.
+Configuring a CC Attack Protection Rule
- Log in to the management console.
- Click
in the upper left corner of the management console and select a region or project. - Click
in the upper left corner and choose Web Application Firewall (Dedicated) under Security. - In the navigation pane on the left, choose Policies.
- Click the name of the target policy to go to the protection configuration page.
- In the CC Attack Protection configuration area, change Status if needed and click Customize Rule to go to the CC Attack Protection page.Figure 1 CC Attack Protection configuration area+
- In the upper left corner above the CC Attack Protection rule list, click Add Rule.
- In the displayed dialog box, configure a CC attack protection rule by referring to Table 1.
+
++
+Table 1 Rule parameters Parameter
+Description
+Example Value
+Rule Description
+A brief description of the rule. This parameter is optional.
+--
+Rate Limit Mode
+- Per IP address: A website visitor is identified by the IP address.
- Per user: A website visitor is identified by the key value of Cookie or Header.
- Other: A website visitor is identified by the Referer field (user-defined request source).
NOTE:+If you set Rate Limit Mode to Other, set Content of Referer to a complete URL containing the domain name. The Content field supports prefix match and exact match only, but cannot contain two or more consecutive slashes, for example, ///admin. If you enter ///admin, WAF will convert it to /admin.
+For example, if you do not want visitors to access www.test.com, set Referer to http://www.test.com.
+--
+User Identifier
+This parameter is mandatory when you select Per user for Rate Limit Mode.
+- Cookie: A cookie field name. You need to configure an attribute variable name in the cookie that can uniquely identify a web visitor based on your website requirements. This field does not support regular expressions. Only complete matches are supported.
For example, if a website uses the name field in the cookie to uniquely identify a web visitor, enter name.
+ - Header: Set the user-defined HTTP header you want to protect. You need to configure the HTTP header that can identify web visitors based on your website requirements.
name
+Trigger
+Click Add to add conditions. At least one condition is required, but up to 30 conditions are allowed. If you add more than one condition, the rule will only take effect if all of the conditions are met.
+- Field
- Subfield: Configure this field only when IPv4, Cookie, Header, or Params is selected for Field.NOTICE:+
A subfield cannot exceed 2,048 bytes.
+ - Logic: Select a logical relationship from the drop-down list.NOTE:+
If you set Logic to Include any value, Exclude any value, Equal to any value, Not equal to any value, Prefix is any value, Prefix is not any of them, Suffix is any value, or Suffix is not any of them, select an existing reference table. For details, see Creating a Reference Table to Configure Protection Metrics In Batches.
+ - Content: Enter or select the content that matches the condition.
Path Include /admin
+Rate Limit
+The number of requests allowed from a website visitor in the rate limit period. If the number of requests exceeds the rate limit, WAF takes the action you configure for Protective Action.
+10 requests allowed in 60 seconds
+Protective Action
+The action that WAF will take if the number of requests exceeds Rate Limit you configured. The options are as follows:
+- Verification code: WAF allows requests that trigger the rule as long as your website visitors complete the required verification.
- Block: WAF blocks requests that trigger the rule.
- Block dynamically: WAF blocks requests that trigger the rule based on Allowable Frequency, which you configure after the first rate limit period is over.
- Log only: WAF only logs requests that trigger the rule.
Block
+Allowable Frequency
+This parameter can be set if you select Block dynamically for Protective Action.
+WAF blocks requests that trigger the rule based on Rate Limit first. Then, in the following rate limit period, WAF blocks requests that trigger the rule based on Allowable Frequency you configure.
+Allowable Frequency cannot be larger than Rate Limit.
+NOTE:+If you set Allowable Frequency to 0, WAF blocks all requests that trigger the rule in the next rate limit period.
+8 requests allowed in 60 seconds
+Block Duration
+Period of time for which to block the item when you set Protective Action to Block.
+600 seconds
+Block Page
+The page displayed if the request limit has been reached. This parameter is configured only when Protective Action is set to Block.
+- If you select Default settings, the default block page is displayed.
- If you select Custom, a custom error message is displayed.
Custom
+Block Page Type
+If you select Custom for Block Page, select a type of the block page among options application/json, text/html, and text/xml.
+text/html
+Page Content
+If you select Custom for Block Page, configure the content to be returned.
+Page content styles corresponding to different page types are as follows:
+- text/html: <html><body>Forbidden</body></html>
- application/json: {"msg": "Forbidden"}
- text/xml: <?xml version="1.0" encoding="utf-8"?><error> <msg>Forbidden</msg></error>
- Click Confirm. You can then view the added CC attack protection rule in the CC rule list.
- To disable a rule, click Disable in the Operation column of the rule. The default Rule Status is Enabled.
- To modify a rule, click Modify in the row containing the rule.
- To delete a rule, click Delete in the row containing the rule.
+Protection Effect
If you have configured a CC attack protection rule like Figure 2 (with Protective Action set to Block) for your domain name www.example.com, take the following steps to verify the protection effect:
+- Clear the browser cache and enter the domain name in the address bar to check whether the website is accessible.
- If the website is inaccessible, connect the website domain name to WAF by referring to Step 1: Add a Website to WAF.
- If the website is accessible, go to 2.
- Clear the browser cache, enter http://www.example.com/admin in the address bar, and refresh the page 10 times within 60 seconds. In normal cases, the custom block page will be displayed the eleventh time you refresh the page, and the requested page will be accessible when you refresh the page 60 seconds later.
If you select Verification code for protective action, a verification code is required for visitors to continue the access if they exceed the configured rate limit.
+
+
- Return to the WAF console. In the navigation pane, click Events. On the displayed page, view the event log.
+Configuration Example - Verification Code
If domain name www.example.com has been connected to WAF, perform the following steps to verify that WAF CAPTCHA verification is enabled.
+- Add a CC attack protection rule with Protection Action set to Verification code.Figure 3 Verification code+
- Enable CC attack protection.Figure 4 CC Attack Protection configuration area+
- Clear the browser cache and access http://www.example.com/admin/.
If you access the page 10 times within 60 seconds, a verification code is required when you attempt to access the page for the eleventh time. You need to enter the verification code to continue the access.
+
+
- Go to the WAF console. In the navigation pane on the left, choose Events. View the event on the Events page.
++ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_0010.html b/docs/wafd/umn/waf_01_0010.html index 6158b945..dc5cb5fd 100644 --- a/docs/wafd/umn/waf_01_0010.html +++ b/docs/wafd/umn/waf_01_0010.html @@ -1,208 +1,121 @@ -++Parent topic: Configuring Protection Policies+Configuring a Precise Protection Rule
-WAF allows you to customize protection rules by combining HTTP headers, cookies, URLs, request parameters, and client IP addresses.
-You can combine common HTTP fields, such as IP, Path, Referer, User Agent, and Params in a protection rule to let WAF allow, block, or only log the requests that match the combined conditions.
+Configuring Custom Precise Protection Rules
+You can combine common HTTP fields, such as IP, Path, Referer, User Agent, and Params in a protection rule to let WAF allow, block, or only log the requests that match the combined conditions.
A reference table can be added to a precise protection rule. The reference table takes effect for all protected domain names.
- If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the project from the Enterprise Project drop-down list and configure protection policies for the domain names in the project.
Prerequisites
A website has been added to WAF.
+Prerequisites
A website has been added to WAF.
Constraints
-- It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the Events page.
- If you configure Protective Action to Block for a precise protection rule, you can configure a known attack source rule by referring to Configuring a Known Attack Source Rule. WAF will block requests matching the configured IP address, Cookie, or Params for a length of time configured as part of the rule.
- If you configure Protective Action to Block for a precise protection rule, you can configure a known attack source rule by referring to Configuring a Known Attack Source Rule to Block Specific Visitors for a Specified Duration. WAF will block requests matching the configured IP address, Cookie, or Params for a length of time configured as part of the rule.
- The path content cannot contain the following special characters: (<>*)
- It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the Events page.
-Application Scenarios
Precise protection rules are used for anti-leeching and website management background protection.
Procedure
- Log in to the management console.
- Click
in the upper left corner of the management console and select a region or project. - Click
in the upper left corner and choose Web Application Firewall (Dedicated) under Security. - In the navigation pane on the left, choose Website Settings.
- In the Policy column of the row containing the target website, click the number to go to the policy configuration page.
- In the Precise Protection configuration area, change Status as needed and click Customize Rule to go to the Precise Protection page.Figure 1 Precise Protection configuration area- -
- On the Precise Protection page, set Detection Mode.Two detection modes are available:
- Instant Detection: If a request matches a configured precise protection rule, WAF immediately ends threat detection and blocks the request.
- Full Detection: If a request matches a configured precise protection rule, WAF finishes its scan first and then blocks all requests that match the configured precise protection rule.Figure 2 Setting Detection Mode-
Configuring a Precise Protection Rule
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click
in the upper left corner and choose Web Application Firewall (Dedicated) under Security. - In the navigation pane on the left, choose Policies.
- Click the name of the target policy to go to the protection configuration page.
- In the Precise Protection configuration area, change Status as needed and click Customize Rule to go to the Precise Protection page.Figure 1 Precise Protection configuration area+
- On the Precise Protection page, set Detection Mode.Two detection modes are available:-
- Instant detection: If a request matches a configured precise protection rule, WAF immediately ends threat detection and blocks the request.
- Full detection: If a request matches a configured precise protection rule, WAF finishes its scan first and then blocks all requests that match the configured precise protection rule.
- Click Add Rule.
- In the displayed dialog box, add a rule by referring to Table 1.
The settings shown in Figure 3 are used as an example. If a visitor tries to access a URL containing /admin, WAF will block the request.
+ - In the upper left corner above the Precise Protection rule list, click Add Rule.
- In the displayed dialog box, add a rule by referring to Table 1.
The settings shown in Figure 2 are used as an example. If a visitor tries to access a URL containing /admin, WAF will block the request.
- To ensure that WAF blocks only attack requests, configure Protective Action to Log only first and check whether normal requests are blocked on the Events page. If no normal requests are blocked, configure Protective Action to Block.
+---Table 1 Rule parameters Parameter
+- -
-Table 1 Rule parameters Parameter
Description
+Description
Example Value
+Example Value
Protective Action
+Rule Description
You can select Block, Allow, or Log only. Default value: Block
+A brief description of the rule. This parameter is optional.
Block
+None
Known Attack Source
+Condition List
If you set Protective Action to Block, you can select a blocking type for a known attack source rule. Then, WAF blocks requests matching the configured IP, Cookie, or Params for a length of time that depends on the selected blocking type.
-Long-term IP address blocking
-Effective Date
-Select Immediate to enable the rule immediately, or select Custom to configure when you wish the rule to be enabled.
-Immediate
-Condition List
-Click Add to add conditions. At least one condition needs to be added. You can add up to 30 conditions to a protection rule. If more than one condition is added, all of the conditions must be met for the rule to be applied. A condition includes the following parameters:
-Parameters for configuring a condition are described as follows:- Field
- Subfield: Configure this field only when Params, Cookie, or Header is selected for Field.
- Logic: Select a logical relationship from the drop-down list.NOTE:
- If Include any value, Exclude any value, Equal to any value, Not equal to any value, Prefix is any value, Prefix is not any of them, Suffix is any value, or Suffix is not any of them is selected, select an existing reference table in the Content drop-down list. For details, see Adding a Reference Table.
- Exclude any value, Not equal to any value, Prefix is not any of them, and Suffix is not any of them indicates, respectively, that WAF performs the protection action (block, allow, or log only) when the field in the access request does not contain, is not equal to, or the prefix or suffix is not any value set in the reference table. For example, assume that Path field is set to Exclude any value and the test reference table is selected. If test1, test2, and test3 are set in the test reference table, WAF performs the protection action when the path of the access request does not contain test1, test2, or test3.
Click Add to add conditions. At least one condition needs to be added. You can add up to 30 conditions to a protection rule. If more than one condition is added, all of the conditions must be met for the rule to be applied. A condition includes the following parameters:
+Parameters for configuring a condition are described as follows:-- Field
- Subfield: Configure this field only when Params, Cookie, or Header is selected for Field.
- Logic: Select a logical relationship from the drop-down list.NOTE:
- If Include any value, Exclude any value, Equal to any value, Not equal to any value, Prefix is any value, Prefix is not any of them, Suffix is any value, or Suffix is not any of them is selected, select an existing reference table in the Content drop-down list. For details, see Creating a Reference Table to Configure Protection Metrics In Batches.
- Exclude any value, Not equal to any value, Prefix is not any of them, and Suffix is not any of them indicates, respectively, that WAF performs the protection action (block, allow, or log only) when the field in the access request does not contain, is not equal to, or the prefix or suffix is not any value set in the reference table. For example, assume that Path field is set to Exclude any value and the test reference table is selected. If test1, test2, and test3 are set in the test reference table, WAF performs the protection action when the path of the access request does not contain test1, test2, or test3.
- Content: Enter or select the content of condition matching.
Path Include /admin
+Path Include /admin
Priority
+Protective Action
Rule priority. If you have added multiple rules, rules are matched by priority. The smaller the value you set, the higher the priority.
+- Block: The request that hit the rule will be blocked and a block response page is returned to the client that initiates the request. By default, WAF uses a unified block response page. You can also customize this page.
- Allow: Requests that hit the rule are forwarded to backend servers.
- Log only: Requests that hit the rule are not blocked, but will be logged. You can use WAF logs to query requests that hit the current rule and analyze the protection results of the rule. For example, check whether there are requests that are blocked mistakenly.
Block
+Known Attack Source
+If you set Protective Action to Block, you can select a blocking type for a known attack source rule. Then, WAF blocks requests matching the configured IP, Cookie, or Params for a length of time that depends on the selected blocking type.
+Long-term IP address blocking
+Priority
+Rule priority. If you have added multiple rules, rules are matched by priority. The smaller the value you set, the higher the priority.
-5
-Rule Description
-A brief description of the rule. This parameter is optional.
-None
--Table 2 Condition list configurations Field
-Subfield
-Logic
-Example Content
-Path: Part of a URL that does not include a domain name. This value supports exact matches only. For example, if the path to be protected is /admin, Path must be set to /admin.
-None
-Select a logical relationship from the drop-down list.
-/buy/phone/
-NOTICE:If Path is set to /, all paths of the website are protected.
+NOTICE:If multiple precise access control rules have the same priority, WAF matches the rules in the sequence of time the rules are added.
User Agent: A user agent of the scanner to be checked.
-None
-Mozilla/5.0 (Windows NT 6.1)
+5
IP: An IP address of the visitor for the protection.
+Application Schedule
--
+Select Immediate to enable the rule immediately, or select Custom to configure when you wish the rule to be enabled.
XXX.XXX.1.1
-Params: A request parameter.
-- All fields
- Any subfield
- Custom
201901150929
-Referer: A user-defined request resource.
-For example, if the protected path is /admin/xxx and you do not want visitors to access the page from www.test.com, set Content to http://www.test.com.
---
-http://www.test.com
-Cookie: A small piece of data to identify web visitors.
-- All fields
- Any subfield
- Custom
jsessionid
-Header: A user-defined HTTP header.
-- All fields
- Any subfield
- Custom
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
-Method: the user-defined request method.
-None
-GET, POST, PUT, DELETE, and PATCH
-Request Line: Length of a user-defined request line.
-None
-50
-Request: Length of a user-defined request. It includes the request header, request line, and request body.
-None
-None
-Protocol: the protocol of the request.
-None
-http
+Immediate
- Click Confirm. You can then view the added precise protection rule in the protection rule list.
- To disable a rule, click Disable in the Operation column of the rule. The default Rule Status is Enabled.
- To modify a rule, click Modify in the row containing the rule.
- To delete a rule, click Delete in the row containing the rule.
- Click Confirm. You can then view the added precise protection rule in the protection rule list.
-- To disable a rule, click Disable in the Operation column of the rule. The default Rule Status is Enabled.
- To modify a rule, click Modify in the row containing the rule.
- To delete a rule, click Delete in the row containing the rule.
Protection Effect
If you have configured a precise protection rule as shown in Figure 3 for your domain name, to verify WAF is protecting your website (www.example.com) against the rule:
-- Clear the browser cache and enter the domain name in the address bar to check whether the website is accessible.
- If the website is inaccessible, connect the website domain name to WAF by following the instructions in Step 1: Add a Website to WAF.
- If the website is accessible, go to Step 2.
- Clear the browser cache and enter http://www.example.com/admin (or any page containing /admin) in the address bar. Normally, WAF blocks the requests that meet the conditions and returns the block page.
- Return to the WAF console. In the navigation pane, click Events. On the displayed page, view or download events data.
Protection Effect
To verify WAF is protecting your website (www.example.com) against the rule as shown in Figure 2:
+- Clear the browser cache and enter the domain name in the address bar to check whether the website is accessible.
- If the website is inaccessible, connect the website domain name to WAF by following the instructions in Step 1: Add a Website to WAF.
- If the website is accessible, go to Step 2.
- Clear the browser cache and enter http://www.example.com/admin (or any page containing /admin) in the address bar. Normally, WAF blocks the requests that meet the conditions and returns the block page.
- Return to the WAF console. In the navigation pane, choose Events. On the displayed page, view the event log.
-Configuration Example - Blocking a Certain Type of Attack Requests
Analysis of a specific type of WordPress pingback attack shows that the User Agent field contains WordPress.
-Figure 4 WordPress pingback attack+
Figure 3 WordPress pingback attackA precise rule as shown in the figure can block this type of attack.
-Figure 5 User Agent configuration+
Figure 4 User Agent configurationConfiguration Example - Blocking Specified File Types (ZIP, TAR, and DOCX)
You can configure file types that match the path field to block specific files of certain types. For example, if you want to block .zip files, you can configure a precise protection rule as shown in Figure 6 to block access requests of .zip files.
- ++Configuration Example - Blocking Requests to a Certain URL
If a large number of IP addresses are accessing a URL that does not exist, configure the following protection rule to block such requests to reduce resource usage on the origin server.
+Figure 5 Blocking requests to a specific URL+
+Configuration Example - Blocking Requests with null Fields
You can configure precise protection rules to block requests having null fields.
+Figure 6 Blocking requests with empty Referer+
+Configuration Example - Blocking Specified File Types (ZIP, TAR, and DOCX)
You can configure file types that match the path field to block specific files of certain types. For example, if you want to block .zip files, you can configure a precise protection rule as shown in Figure 7 to block access requests of .zip files.
+ +Configuration Example - Allowing a Specified IP Address to Access Your Website
You can configure two precise protection rules, one to block all requests, as shown in Figure 8, but then another one to allow the access from a specific IP address, as shown in Figure 9.
+ +Configuration Example - Allowing a Specific IP Address to Access a Certain URL
You can configure multiple conditions in the Condition List field. If an access request meets the conditions in the list, WAF will allow the request from a specific IP address to access a specified URL.
-Figure 7 Allowing specific IP addresses to access specified URLs+
Figure 10 Allowing specific IP addresses to access specified URLs
diff --git a/docs/wafd/umn/waf_01_0012.html b/docs/wafd/umn/waf_01_0012.html index 63a8784b..3f073ac3 100644 --- a/docs/wafd/umn/waf_01_0012.html +++ b/docs/wafd/umn/waf_01_0012.html @@ -1,17 +1,17 @@ --Parent topic: Rule Configuration+Parent topic: Configuring Protection PoliciesConfiguring an IP Address Blacklist or Whitelist Rule
-You can configure blacklist and whitelist rules to block, log only, or allow access requests from specific IP addresses or IP address ranges.
+Configuring IP Address Blacklist and Whitelist Rules to Block or Allow Specified IP Addresses
+You can configure blacklist and whitelist rules to block, log only, or allow access requests from specific IP addresses or IP address ranges. Whitelist rules have a higher priority than blacklist rules.
- If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the project from the Enterprise Project drop-down list and configure protection policies for the domain names in the project.
Prerequisites
A website has been added to WAF.
+-Prerequisites
A website has been added to WAF.
Constraints
- WAF does not support batch import of blacklists or whitelists. To configure multiple IP address or IP address range rules, add blacklist and whitelist rules one by one to allow or block specified IP addresses or IP address ranges.
- It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the Events page.
- If you configure Protective Action to Block for a blacklist or whitelist rule, you can configure a known attack source rule by referring to Configuring a Known Attack Source Rule. WAF will block requests matching the configured IP address, Cookie, or Params for a length of time configured as part of the rule.
Constraints
- WAF does not support batch import of blacklists or whitelists. To configure multiple IP address or IP address range rules, add blacklist and whitelist rules one by one to allow or block specified IP addresses or IP address ranges.
- The address 0.0.0.0/0 cannot be added to a WAF IP address blacklist or whitelist, and if a whitelist conflicts with a blacklist, the whitelist rule takes priority. If you want to allow only a specific IP address within a range of blocked addresses, add a blacklist rule to block the range and then add a whitelist rule to allow the individual address you wish to allow.
- If you set Protective Action to Block for a blacklist or whitelist rule, you can set a known attack source to block the visitor for a certain period of time; however, the known attack source with Long-term IP address blocking or Short-term IP address blocking configured cannot be set for a blacklist or whitelist rule. WAF will block requests matching the configured Cookie or Params for a block duration you specify.
- It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the Events page.
-Impact on the System
If an IP address is added to a blacklist or whitelist, WAF blocks or allows requests from that IP address without checking whether the requests are malicious.
Procedure
- Log in to the management console.
- Click
in the upper left corner of the management console and select a region or project. - Click
in the upper left corner and choose Web Application Firewall (Dedicated) under Security. - In the navigation pane on the left, choose Website Settings.
- In the Policy column of the row containing the target website, click the number to go to the policy configuration page.
- In the Blacklist and Whitelist configuration area, change Status as needed and click Customize Rule.Figure 1 Blacklist and Whitelist configuration area-
- In the upper left corner of the Blacklist and Whitelist page, click Add Rule.
- In the displayed dialog box, specify the parameters by referring to Table 1.
- If you select Log only for Protective Action for an IP address, WAF only identifies and logs requests from the IP address.
- Other IP addresses are evaluated based on other configured WAF protection rules.
Configuring an IP Address Blacklist or Whitelist Rule
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
- In the navigation pane on the left, choose Policies.
- Click the name of the target policy to go to the protection configuration page.
- In the Blacklist and Whitelist configuration area, change Status as needed and click Customize Rule.Figure 1 Blacklist and Whitelist configuration area+
- In the upper left corner above the Blacklist and Whitelist list, click Add Rule.
- In the displayed dialog box, specify the parameters by referring to Table 1.
- If you select Log only for Protective Action for an IP address, WAF only identifies and logs requests from the IP address.
- Other IP addresses are evaluated based on other configured WAF protection rules.
Figure 2 Adding a blacklist or whitelist rule@@ -47,9 +47,11 @@
Known Attack Source
If you select Block for Protective Action, you can select a blocking type of a known attack source rule. WAF will block requests matching the configured IP address, Cookie, or Params for a length of time configured as part of the rule.
+If you select Block for Protective Action, you can select a blocking type of a known attack source rule. WAF will block requests matching the configured Cookie or Params for a length of time configured as part of the rule.
+NOTE:Do not select the Long-term IP address blocking for a long time or Short-term IP address blocking for Blocking Type.
+Long-term IP address blocking
+Long-term Cookie blocking
Rule Description
@@ -63,17 +65,29 @@- Click OK. You can then view the added rule in the list of blacklist and whitelist rules.
- To disable a rule, click Disable in the Operation column of the rule. The default Rule Status is Enabled.
- To modify a rule, click Modify in the row containing the rule.
- To delete a rule, click Delete in the row containing the rule.
- Click Confirm. You can then view the added rule in the list of blacklist and whitelist rules.
- To disable a rule, click Disable in the Operation column of the rule. The default Rule Status is Enabled.
- To modify a rule, click Modify in the row containing the rule.
- To delete a rule, click Delete in the row containing the rule.
Protection Effect
If you have added domain name www.example.com to this rule, to verify WAF is protecting the corresponding website:
-- Clear the browser cache and enter the domain name in the address bar to check whether the website is accessible.
- If the website is inaccessible, connect the website domain name to WAF by following the instructions in Step 1: Add a Website to WAF.
- If the website is accessible, go to Step 2.
- Blacklist the IP address of a client according to the instructions in Procedure.
- Clear the browser cache and access http://www.example.com. Normally, WAF blocks such requests and returns the block page.
- Return to the WAF console. In the navigation pane, choose Events. On the displayed page, view or download events data.
+Protection Effect
To verify WAF is protecting your website (www.example.com) against a rule:
+- Clear the browser cache and enter the domain name in the address bar to check whether the website is accessible.
- If the website is inaccessible, connect the website domain name to WAF by following the instructions in Step 1: Add a Website to WAF.
- If the website is accessible, go to Step 2.
- Blacklist the IP address of a client according to the instructions in Configuring an IP Address Blacklist or Whitelist Rule.
- Clear the browser cache and access http://www.example.com. Normally, WAF blocks such requests and returns the block page.
- Return to the WAF console. In the navigation pane, click Events. On the displayed page, view the event log.
Example Configuration - Allowing a Specified IP Addresses
If domain name www.example.com has been connected to WAF, you can perform the following steps to verify the rule takes effect:
+- Add the following two blacklist and whitelist rules to block all IP addresses:Figure 3 Blocking IP address range 1.0.0.0/1+
Figure 4 Blocking IP address range 128.0.0.0/1+
You can also add a precise protection rule to block all access requests, as shown in Figure 5.
+ +For details, see Configuring Custom Precise Protection Rules.
+ - Refer to Figure 6 and add a whitelist rule to allow a specified IP address, for example, XXX.XXX.2.3. +
- Enable the white and blacklist protection. +
- Clear the browser cache and access http://www.example.com.
If the IP address of a visitor is not the one specified in Step 2, WAF blocks the access request. Figure 7 shows an example of the block page.
+ + - Go to the WAF console. In the navigation pane on the left, choose Events. View the event on the Events page.
diff --git a/docs/wafd/umn/waf_01_0013.html b/docs/wafd/umn/waf_01_0013.html index c7ec87cd..1bfb5c8b 100644 --- a/docs/wafd/umn/waf_01_0013.html +++ b/docs/wafd/umn/waf_01_0013.html @@ -1,57 +1,76 @@ --Parent topic: Rule Configuration+Parent topic: Configuring Protection PoliciesConfiguring a Geolocation Access Control Rule
-This topic describes how to configure a geolocation access control rule. A geolocation access control rule allows you to control IP addresses forwarded from or to specified countries and regions.
-Prerequisites
A website has been added to WAF.
+Configuring Geolocation Access Control Rules to Block or Allow Requests from Specific Locations
+WAF can identify where a request originates. You can set geolocation access control rules in just a few clicks and let WAF block or allow requests from a certain region. A geolocation access control rule allows you to allow or block requests from IP addresses from specified countries or regions.
++ If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the project from the Enterprise Project drop-down list and configure protection policies for the domain names in the project.
+Prerequisites
A website has been added to WAF.
-Constraints
- One region can be configured in only one geolocation access control rule.
- It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the Events page.
Procedure
- Log in to the management console.
- Click
in the upper left corner of the management console and select a region or project. - Click
in the upper left corner and choose Web Application Firewall (Dedicated) under Security. - In the navigation pane on the left, choose Website Settings.
- In the Policy column of the row containing the target website, click the number to go to the Policies page.
- In the Geolocation Access Control configuration area, change Status if needed and click Customize Rule.Figure 1 Geolocation Access Control configuration area-
- In the upper left corner of the Geolocation Access Control page, click Add Rule.
- In the displayed dialog box, add a geolocation access control rule by referring to Table 1.Figure 2 Adding a geolocation access control rule+
Configuring a Geolocation Access Control Rule
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
- In the navigation pane on the left, choose Policies.
- Click the name of the target policy to go to the protection configuration page.
- In the Geolocation Access Control configuration area, change Status if needed and click Customize Rule.Figure 1 Geolocation Access Control configuration area+
- In the upper left corner above the Geolocation Access Control list, click Add Rule.
- In the displayed dialog box, add a geolocation access control rule by referring to Table 1.Figure 2 Adding a geolocation access control rule-
Table 1 Rule parameters Parameter
+-Table 1 Rule parameters Parameter
Description
+Description
Example Value
+Example Value
Rule Description
+Rule Description
A brief description of the rule. This parameter is optional.
+A brief description of the rule. This parameter is optional.
waf
+waf
Geolocation
+Geolocation
Geographical scope of the IP address.
+Geographical scope of the IP address.
-
+-
Protective Action
+Protective Action
Action WAF will take if the rule is hit. You can select Block, Allow, or Log only.
+Action WAF will take if the rule is hit. You can select Block, Allow, or Log only.
Block
+Block
- Click Confirm. You can then view the added rule in the list of the geolocation access control rules.
- To disable a rule, click Disable in the Operation column of the rule. The default Rule Status is Enabled.
- To modify a rule, click Modify in the row containing the rule.
- To delete a rule, click Delete in the row containing the rule.
- Click Confirm. You can then view the added rule in the list of the geolocation access control rules.
+- To disable a rule, click Disable in the Operation column of the rule. The default Rule Status is Enabled.
- To modify a rule, click Modify in the row containing the rule.
- To delete a rule, click Delete in the row containing the rule.
+Configuration Example - Allowing Access Requests from IP Addresses in a Specified Region
Assume that domain name www.example.com has been connected to WAF and you want to allow only IP addresses in Australia to access the domain name. Perform the following steps:
+- Add a geolocation access control rule: Select Australia for Geolocation and select Allow for Protective Action.Figure 3 Selecting Allow for Protective Action+
- Enable geolocation access control.Figure 4 Geolocation Access Control configuration area+
- Configure a precise protection rule to block all requests.Figure 5 Blocking all access requests+
- Clear the browser cache and access http://www.example.com.
When an access request from IP addresses outside Australia accesses the page, WAF blocks the access request.
+Figure 6 Block page+
- Go to the WAF console. In the navigation pane on the left, choose Events. View the event on the Events page. You will see that all requests not from Australia have been blocked.
Configuration Example - Blocking Access Requests from IP Addresses in a Specified Region
Assume that domain name www.example.com has been connected to WAF and you want to block all IP addresses from Australia to access the domain name. The following shows how to configure a rule to this end:
+- Add a geolocation access control rule, select Australia for Geolocation and Block for Protective Action.Figure 7 Blocking access requests from a specific region+
- Enable geolocation access control.Figure 8 Geolocation Access Control configuration area+
- Clear the browser cache and access http://www.example.com.
When an access request from IP addresses inside Australia accesses the page, WAF blocks the access request.
+Figure 9 Block page+ - Go to the WAF console. In the navigation pane on the left, choose Events. View the event on the Events page.Figure 10 Viewing events - blocking access requests from IP addresses in a region+
Protection Effect
To verify WAF is protecting your website (www.example.com) against a rule:
-- Clear the browser cache and enter the domain name in the address box of a browser to check whether the website is accessible.
- If the website is inaccessible, connect the website domain name to WAF by following the instructions in Step 1: Add a Website to WAF.
- If the website is accessible, go to 2.
- Add a geolocation access control rule by referring to Procedure.
- Clear the browser cache and access http://www.example.com. Normally, WAF blocks such requests and returns the block page.
- Go to the WAF console. In the navigation pane on the left, choose Events. On the displayed page, view or download events data.
- Clear the browser cache and enter the domain name in the address bar to check whether the website is accessible.
- If the website is inaccessible, connect the website domain name to WAF by referring to Step 1: Add a Website to WAF.
- If the website is accessible, go to 2.
- Add a geolocation access control rule by referring to Configuring a Geolocation Access Control Rule.
- Clear the browser cache and access http://www.example.com. Normally, WAF blocks such requests and returns the block page.
- Go to the WAF console. In the navigation pane on the left, choose Events. On the displayed page, view or download events data.
diff --git a/docs/wafd/umn/waf_01_0014.html b/docs/wafd/umn/waf_01_0014.html index 7ac1967e..1e3b9022 100644 --- a/docs/wafd/umn/waf_01_0014.html +++ b/docs/wafd/umn/waf_01_0014.html @@ -1,54 +1,55 @@ --Parent topic: Rule Configuration+Parent topic: Configuring Protection PoliciesConfiguring a Web Tamper Protection Rule
-WAF can cache configuration for static web pages of websites. After you configure a web tamper protection rule, WAF can:+- Return directly the cached web page to the normal web visitor to accelerate request response.
- Return the cached original web pages to visitors if an attacker has tampered with the static web pages. This ensures that your website visitors always get the right web pages.
- Protect all resources in the web page path. For example, if a web tamper protection rule is configured for static page www.example.com/admin, WAF protects all resources in the /admin directory.
So, if the URL in the value of the Referer request header is the same as the configured anti-tamper path, for example, /admin, all resources (resources ending with png, jpg, jpeg, gif, bmp, css or js) hit by the request are also cached.
-
Configuring Web Tamper Protection Rules to Prevent Static Web Pages from Being Tampered With
+You can set web tamper protection rules to protect specific website pages (such as the ones contain important content) from being tampered with. If a web page protected with such a rule is requested, WAF returns the origin page it has cached based on the rule so that visitors always receive the authenticate web pages.
- If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the project from the Enterprise Project drop-down list and configure protection policies for the domain names in the project.
Prerequisites
A website has been added to WAF.
+-How It Works
- Return directly the cached web page to the normal web visitor to accelerate request response.
- Return the cached original web pages to visitors if an attacker has tampered with the static web pages. This ensures that your website visitors always get the right web pages.
- Protect all resources in the web page path. For example, if a web tamper protection rule is configured for a static page pointed to www.example.com/index.html, WAF protects the web page pointed to /index.html and related resources associated with the web page.
So, if the URL in the Referer header field is the same as the configured anti-tamper path, for example, /index.html, all resources (resources ending with png, jpg, jpeg, gif, bmp, css or js) matching the request are also cached.
+
Constraints
It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the Events page.
++Prerequisites
You have added your website to a policy.
+Constraints
- The ELB access mode does not support this type protection rule.
- It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the Events page.
- Ensure that the origin server response contains the Content-Type response header, or WAF may fail to cache the origin server response.
-Application Scenarios
- Quicker response to requests
After a web tamper protection rule is configured, WAF caches static web pages on the server. When receiving a request from a web visitor, WAF directly returns the cached web page to the web visitor.
- Web tamper protection
If an attacker modifies a static web page on the server, WAF still returns the cached original web page to visitors. Visitors never see the pages that were tampered with.
Procedure
- Log in to the management console.
- Click
in the upper left corner of the management console and select a region or project. - Click
in the upper left corner and choose Web Application Firewall (Dedicated) under Security. - In the navigation pane on the left, choose Website Settings.
- In the Policy column of the row containing the target website, click the number to go to the Policies page.
- In the Web Tamper Protection configuration area, change Status if needed and click Customize Rule to go to the Web Tamper Protection page.Figure 1 Web Tamper Protection configuration area-
- In the upper left corner of the Web Tamper Protection page, click Add Rule.
- In the displayed dialog box, specify the parameters by referring to Table 1.Figure 2 Adding a web tamper protection rule+
Configuring a Web Tamper Protection Rule
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
- In the navigation pane on the left, choose Policies.
- Click the name of the target policy to go to the protection configuration page.
- In the Web Tamper Protection configuration area, change Status if needed and click Customize Rule to go to the Web Tamper Protection page.Figure 1 Web Tamper Protection configuration area+
- In the upper left corner above the Web Tamper Protection rule list, click Add Rule.
- In the displayed dialog box, specify the parameters by referring to Table 1.Figure 2 Adding a web tamper protection rule-
Table 1 Rule parameters Parameter
+-Table 1 Rule parameters Parameter
Description
+Description
Example Value
+Example Value
Domain Name
+Domain Name
Domain name of the website to be protected
+Domain name of the website to be protected
www.example.com
+www.example.com
Path
+Path
A part of the URL, not including the domain name
+A part of the URL, not including the domain name
A URL is used to define the address of a web page. The basic URL format is as follows:
Protocol name://Domain name or IP address[:Port]/[Path/.../File name].
For example, if the URL is http://www.example.com/admin, set Path to /admin.
NOTE:- The path does not support regular expressions.
- The path cannot contain two or more consecutive slashes. For example, ///admin. If you enter ///admin, WAF converts /// to /.
/admin
+/admin
Rule Description
+Rule Description
A brief description of the rule. This parameter is optional.
+A brief description of the rule. This parameter is optional.
None
+None
- Click Confirm. You can view the rule in the list of web tamper protection rules.
-Other Operations
- To disable a rule, click Disable in the Operation column of the rule. The default Rule Status is Enabled.
- To update cache of a protected web page, click Update Cache in the row containing the corresponding web tamper protection rule. If the rule fails to be updated, WAF will return the recently cached page but not the latest page.
- To delete a rule, click Delete in the row containing the rule.
-Related Operations
- To disable a rule, click Disable in the Operation column of the rule. The default Rule Status is Enabled.
- To update cache of a protected web page, click Update Cache in the row containing the corresponding web tamper protection rule. If the rule fails to be updated, WAF will return the recently cached page but not the latest page.
- To delete a rule, click Delete in the row containing the rule.
Configuration Example - Static Web Page Tamper Prevention
To verify WAF is protecting a static page /admin on your website www.example.com from being tampered with:
-- Use a browser to access http://www.example.com/admin.
A tampered page is returned.
-Figure 3 A static page that has been tampered with-
- Add a web tamper prevention rule to WAF.Figure 4 Adding a web tamper protection rule-
- Enabling WTPFigure 5 Web Tamper Protection configuration area-
- Use a browser to access http://www.example.com/admin. WAF will cache the page.
- Access http://www.example.com/admin again.
The intact page is returned.
+Configuration Example - Static Web Page Tamper Prevention
To verify WAF is protecting a static page /admin on your website www.example.com from being tampered with:
+- Add a web tamper prevention rule to WAF.Figure 3 Adding a web tamper protection rule+
- Enable WTP.Figure 4 Web Tamper Protection configuration area+
- Simulate the attack to tamper with the http://www.example.com/admin web page.
- Use a browser to access http://www.example.com/admin. WAF will cache the page.
- Access http://www.example.com/admin again.
The intact page is returned.
- Add a web tamper prevention rule to WAF.
diff --git a/docs/wafd/umn/waf_01_0015.html b/docs/wafd/umn/waf_01_0015.html index 25581dae..c616975d 100644 --- a/docs/wafd/umn/waf_01_0015.html +++ b/docs/wafd/umn/waf_01_0015.html @@ -4,22 +4,25 @@-Parent topic: Rule Configuration+Parent topic: Configuring Protection PoliciesYou can configure website anti-crawler protection rules to protect against search engines, scanners, script tools, and other crawlers, and use JavaScript to create custom anti-crawler protection rules.
- If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the project from the Enterprise Project drop-down list and configure protection policies for the domain names in the project.
Prerequisites
A website has been added to WAF.
+Prerequisites
A website has been added to WAF.
Constraints
- Cookies must be enabled and JavaScript supported by any browser used to access a website protected by anti-crawler protection rules.
- If your service is connected to CDN, exercise caution when using the JS anti-crawler function.
CDN caching may impact JS anti-crawler performance and page accessibility.
- - WAF only logs JavaScript challenge and JavaScript authentication events. No other protective actions can be configured for JavaScript challenge and authentication.
- WAF JavaScript-based anti-crawler rules only check GET requests and do not check POST requests.
- JS anti-crawler protection is not supported if you use the ELB access mode.
- WAF only logs JavaScript challenge and JavaScript authentication events. No other protective actions can be configured for JavaScript challenge and authentication.
- WAF JavaScript-based anti-crawler rules only check GET requests and do not check POST requests.
-How JavaScript Anti-Crawler Protection Works
Figure 1 shows how JavaScript anti-crawler detection works, which includes JavaScript challenges (step 1 and step 2) and JavaScript authentication (step 3).
-If JavaScript anti-crawler is enabled when a client sends a request, WAF returns a piece of JavaScript code to the client.
-- If the client sends a normal request to the website, triggered by the received JavaScript code, the client will automatically send the request to WAF again. WAF then forwards the request to the origin server. This process is called JavaScript verification.
- If the client is a crawler, it cannot be triggered by the received JavaScript code and will not send a request to WAF again. The client fails JavaScript authentication.
- If a client crawler fabricates a WAF authentication request and sends the request to WAF, the WAF will block the request. The client fails JavaScript authentication.
If JavaScript anti-crawler is enabled when a client sends a request, WAF returns a piece of JavaScript code to the client.- If the client sends a normal request to the website, triggered by the received JavaScript code, the client will automatically send the request to WAF again. WAF then forwards the request to the origin server. This process is called JavaScript verification.
- If the client is a crawler, it cannot be triggered by the received JavaScript code and will not send a request to WAF again. The client fails JavaScript authentication.
- If a client crawler fabricates a WAF authentication request and sends the request to WAF, the WAF will block the request. The client fails JavaScript authentication.
By collecting statistics on the number of JavaScript challenges and authentication responses, the system calculates how many requests the JavaScript anti-crawler defends. In Figure 2, the JavaScript anti-crawler has logged 18 events, 16 of which are JavaScript challenge responses, and 2 of which are JavaScript authentication responses. Others indicates the number of WAF authentication requests fabricated by the crawler.
WAF only logs JavaScript challenge and JavaScript authentication events. No other protective actions can be configured for JavaScript challenge and authentication.
Procedure
- Log in to the management console.
- Click
in the upper left corner of the management console and select a region or project. - Click
in the upper left corner and choose Web Application Firewall (Dedicated) under Security. - In the navigation pane on the left, choose Website Settings.
- In the Policy column of the row containing the target website, click the number to go to the Policies page.
- In the Anti-Crawler configuration area, enable anti-crawler using the toggle on the right. If you enable this function, click Configure Anti-Crawler.Figure 3 Anti-Crawler configuration area+
Configuring an Anti-Crawler Rule
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
- In the navigation pane on the left, choose Policies.
- Click the name of the target policy to go to the protection configuration page.
- In the Anti-Crawler configuration area, toggle on the function if needed. Then, click Configure Anti-Crawler.Figure 3 Anti-Crawler configuration area
- Select the Feature Library tab and enable the protection by referring to Table 1.A feature-based anti-crawler rule has two protective actions:@@ -39,7 +42,7 @@
- Block
WAF blocks and logs detected attacks.
+
Enabling this feature may have the following impacts:
+- Blocking requests of search engines may affect your website SEO.
- Blocking scripts may block some applications because those applications may trigger anti-crawler rules if their user-agent field is not modified.
- Log only
Detected attacks are logged only. This is the default protective action.
This rule is used to block web crawlers, such as Googlebot and Baiduspider, from collecting content from your site.
If you enable this rule, WAF detects and blocks search engine crawlers.
-NOTE:If Search Engine is not enabled, WAF does not block POST requests from Googlebot or Baiduspider. If you want to block POST requests from Baiduspider, use the configuration described in Configuration Example - Search Engine.
+NOTE:If Search Engine is not enabled, WAF does not block POST requests from Googlebot or Baiduspider. If you want to block POST requests from Baiduspider, use the configuration described in Configuration Example - Search Engine.
- Block
- Select the JavaScript tab and configure Status and Protective Action.
JavaScript anti-crawler is disabled by default. To enable it, click
-
and click Confirm in the displayed dialog box.Figure 5 JavaScript+
- Select the JavaScript tab and change Status if needed.
JavaScript anti-crawler is disabled by default. To enable it, click
+ and then click OK in the displayed dialog box to toggle on 
.Figure 5 JavaScript
- - Cookies must be enabled and JavaScript supported by any browser used to access a website protected by anti-crawler protection rules.
- If your service is connected to CDN, exercise caution when using the JS anti-crawler function.
CDN caching may impact JS anti-crawler performance and page accessibility.
- Configure a JavaScript-based anti-crawler rule by referring to Table 2.
Two protective actions are provided: Protect all paths and Protect a specified path.
-- To protect all paths except a specified path +
- Configure a JavaScript-based anti-crawler rule by referring to Table 2.
Two protective actions are provided: Protect all requests and Protect specified requests.
+- To protect all paths except a specified path
Set Protection Mode to Protect all paths. Then, click Exclude Path, configure protected paths, and click Confirm.
+Figure 6 Exclude Rule
- To protect a specified path only
Set Protection Mode to Protect a specified path. Then, click Add Rule, configure protected paths, and click OK.
-Figure 7 Add Path+
- - To disable a rule, click Disable in the Operation column of the rule. The default Rule Status is Enabled.
- To modify a rule, click Modify in the row containing the rule.
- To delete a rule, click Delete in the row containing the rule.
- To disable a rule, click Disable in the Operation column of the rule. The default Rule Status is Enabled.
- To modify a rule, click Modify in the row containing the rule.
- To delete a rule, click Delete in the row containing the rule.
- Execute a JavaScript tool to crawl web page content.
- On the Feature Library tab, enable Script Tool and select Log only for Protective Action. (If WAF detects an attack, it logs the attack only.)Figure 8 Enabling Script Tool
- Enable anti-crawler protection.Figure 9 Anti-Crawler configuration area
- In the navigation pane on the left, choose Events to go to the Events page.
- Set Status of Search Engine to
by referring to the instructions in Step 6. - Configure a precise protection rule by referring to Configuring a Precise Protection Rule.Figure 10 Blocking POST requests+
Configuration Example - Search Engine
To allow the search engine of Baidu or Google and block the POST request of Baidu:
+- Set Status of Search Engine to by referring to the instructions in Step 6.
- Configure a precise protection rule by referring to Configuring Custom Precise Protection Rules.Figure 10 Blocking POST requests
- Set Status of Search Engine to
- If you select All protection for Ignore WAF Protection, all WAF rules do not take effect, and WAF allows all request traffic to the domain names in the rule.
- If you select Basic Web Protection for Ignore WAF Protection, you can ignore basic web protection by rule ID, attack type, or all built-in rules. For example, if XSS check is not required for a URL, you can whitelist XSS rule.
- If you select All protection for Ignore WAF Protection, all WAF rules do not take effect, and WAF allows all request traffic to the domain names in the rule.
- If you select Basic web protection for Ignore WAF Protection, global protection whitelist (formerly false alarm masking) rules take effect only for events triggered against WAF built-in rules in Basic Web Protection and anti-crawler rules under Feature Library.
- Basic web protection rules
Basic web protection defends against common web attacks, such as SQL injection, XSS attacks, remote buffer overflow attacks, file inclusion, Bash vulnerability exploits, remote command execution, directory traversal, sensitive file access, and command and code injections. Basic web protection also detects web shells and evasion attacks.
+-Constraints
- If you select All protection for Ignore WAF Protection, all WAF rules do not take effect, and WAF allows all request traffic to the domain names in the rule.
- If you select Basic web protection for Ignore WAF Protection, global protection whitelist rules take effect only for events triggered against WAF built-in rules in Basic Web Protection and anti-crawler rules under Feature Library.
- Basic web protection rules
Basic web protection defends against common web attacks, such as SQL injection, XSS attacks, remote buffer overflow attacks, file inclusion, Bash vulnerability exploits, remote command execution, directory traversal, sensitive file access, and command and code injections. Basic web protection also detects web shells and evasion attacks.
- Feature-based anti-crawler protection
Feature-based anti-crawler identifies and blocks crawler behavior from search engines, scanners, script tools, and other crawlers.
- Basic web protection rules
- It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the Events page.
- You can configure a global protection whitelist (formerly false alarm masking) rule by referring to Handling False Alarms. After handling a false alarm, you can view the rule in the global protection whitelist (formerly false alarm masking) rule list.
- You can configure a global protection whitelist rule by referring to Handling False Alarms. After handling a false alarm, you can view the rule in the global protection whitelist rule list.
- It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the Events page.
Procedure
- Log in to the management console.
- Click
in the upper left corner of the management console and select a region or project. - Click
in the upper left corner and choose Web Application Firewall (Dedicated) under Security. - In the navigation pane on the left, choose Website Settings.
- In the Policy column of the row containing the target website, click the number to go to the Policies page.
- In the Global Protection Whitelist (Formerly False Alarm Masking) configuration area, click Status if needed. Then, click Customize Rule.Figure 1 Global Protection Whitelist configuration area-
- In the upper left corner of the Global Protection Whitelist page, click Add Rule.
- Add a global whitelist rule by referring to Table 1.Figure 2 Add Global Protection Whitelist Rule+
Configuring a Global Protection Whitelist
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
- In the navigation pane on the left, choose Policies.
- Click the name of the target policy to go to the protection configuration page.
- In the Global Protection Whitelist configuration area, change Status if needed and click Customize Rule.Figure 1 Global Protection Whitelist configuration area+
- In the upper left corner above the Global Protection Whitelist rule list, click Add Rule.
- Add a global whitelist rule by referring to Table 1.Figure 2 Add Global Protection Whitelist Rule-
Table 1 Parameters Parameter
+-Table 1 Parameters Parameter
Description
+Description
Example Value
+Example Value
Scope
+Scope
- All domain names: By default, this rule will be used to all domain names that are protected by the current policy.
- Specified domain names: This rule will be used to the specified domain names that match the wildcard domain name being protected by the current policy.
- All domain names: By default, this rule will be used to all domain names that are protected by the current policy.
- Specified domain names: Specify a domain name range this rule applies to.
Specified domain names
+Specified domain names
Domain Name
+Domain Name
This parameter is mandatory when you select Specified domain names for Scope.
+This parameter is mandatory when you select Specified domain names for Scope.
Enter a single domain name that matches the wildcard domain name being protected by the current policy.
www.example.com
+www.example.com
Condition List
+Condition List
Click Add to add conditions. At least one condition needs to be added. You can add up to 30 conditions to a protection rule. If more than one condition is added, all of the conditions must be met for the rule to be applied. A condition includes the following parameters:
-Parameters for configuring a condition are described as follows:- Field
- Subfield: Configure this field only when Params, Cookie, or Header is selected for Field.NOTICE:
The length of a subfield cannot exceed 2,048 bytes. Only digits, letters, underscores (_), and hyphens (-) are allowed.
+Click Add to add conditions. At least one condition needs to be added. You can add up to 30 conditions to a protection rule. If more than one condition is added, all of the conditions must be met for the rule to be applied. A condition includes the following parameters:
+Parameters for configuring a condition are described as follows:- Field
- Subfield: Configure this field only when Params, Cookie, or Header is selected for Field.NOTICE:-
The length of a subfield cannot exceed 2,048 bytes. Only digits, letters, underscores (_), and hyphens (-) are allowed.
- Logic: Select a logical relationship from the drop-down list.
- Content: Enter or select the content that matches the condition.
- Logic: Select a logical relationship from the drop-down list.
- Content: Enter or select the content that matches the condition.
Path, Include, /product
+Path, Include, /product
Ignore WAF Protection
+Ignore WAF Protection
- All protection: All WAF rules do not take effect, and WAF allows all request traffic to the domain names in the rule.
- Basic Web Protection: You can ignore basic web protection by rule ID, attack type, or all built-in rules. For example, if XSS check is not required for a URL, you can whitelist XSS rule.
- All protection: All WAF rules do not take effect, and WAF allows all request traffic to the domain names in the rule.
- Basic web protection: You can ignore basic web protection by rule ID, attack type, or all built-in rules. For example, if XSS check is not required for a URL, you can whitelist XSS rule.
Basic Web Protection
+Basic web protection
Ignored Protection Type
+Ignored Protection Type
If you select Basic web protection for Ignored Protection Type, specify the following parameters:
-- ID: Configure the rule by event ID.
- Attack type: Configure the rule by attack type, such as XSS and SQL injection. One type contains one or more rule IDs.
- All built-in rules: all checks enabled in Basic Web Protection.
If you select Basic web protection for Ignored Protection Type, specify the following parameters:
+- ID: Configure the rule by event ID.
- Attack type: Configure the rule by attack type, such as XSS and SQL injection. One type contains one or more rule IDs.
- All built-in rules: all checks enabled in Basic Web Protection.
Attack type
+Attack type
ID
+Rule ID
This parameter is mandatory when you select ID for Ignored Protection Type.
-ID of an attack event on the Events page. If the event type is Custom, it has no event ID. Click Handle False Alarm in the row containing the attack event to obtain the ID. You are advised to configure global protection whitelist (formerly false alarm masking) rules on the Events page by referring to Handling False Alarms.
+This parameter is mandatory when you select ID for Ignored Protection Type.
+Rule ID of a misreported event in Events whose type is not Custom. You are advised to handle false alarms on the Events page.
041046
+041046
Attack type
+Rule Type
This parameter is mandatory when you select Attack type for Ignored Protection Type.
+This parameter is mandatory when you select Attack type for Ignored Protection Type.
Select an attack type from the drop-down list box.
WAF can defend against XSS attacks, web shells, SQL injection attacks, malicious crawlers, remote file inclusions, local file inclusions, command injection attacks, and other attacks.
SQL injection
+SQL injection
Rule Description
+Rule Description
A brief description of the rule. This parameter is optional.
+A brief description of the rule. This parameter is optional.
SQL injection attacks are not intercepted.
+SQL injection attacks are not intercepted.
Advanced Settings
+Advanced Settings
To ignore attacks of a specific field, specify the field in the Advanced Settings area. After you add the rule, WAF will stop blocking attack events of the specified field.
-Select a target field from the first drop-down list box on the left. The following fields are supported: Params, Cookie, Header, Body, and Multipart.- If you select Params, Cookie, or Header, you can select All or Specified field to configure a subfield.
- If you select Body or Multipart, you can select All.
- If you select Cookie, the Domain Name and Path can be empty.
NOTE:If All is selected, WAF will not block all attack events of the selected field.
+To ignore attacks of a specific field, specify the field in the Advanced Settings area. After you add the rule, WAF will stop blocking attack events of the specified field.
+Select a target field from the first drop-down list box on the left. The following fields are supported: Params, Cookie, Header, Body, and Multipart.- If you select Params, Cookie, or Header, you can select All or Field to configure a subfield.
- If you select Body or Multipart, you can select All.
- If you select Cookie, the Domain Name box for the rule can be empty.
NOTE:If All is selected, WAF will not block all attack events of the selected field.
Params
+Params
All
- Click OK.
+- Click OK.
-Other Operations
- To disable a rule, click Disable in the Operation column of the rule. The default Rule Status is Enabled.
- To modify a global protection whitelist (formerly false alarm masking) rule, click Modify in the row containing the rule.
- To delete a global protection whitelist (formerly false alarm masking) rule, click Delete in the row containing the rule.
Related Operations
- To disable a rule, click Disable in the Operation column of the rule. The default Rule Status is Enabled.
- To modify a rule, click Modify in the row containing the rule.
- To delete a rule, click Delete in the row containing the rule.
diff --git a/docs/wafd/umn/waf_01_0017.html b/docs/wafd/umn/waf_01_0017.html index c3c89946..3a838f5d 100644 --- a/docs/wafd/umn/waf_01_0017.html +++ b/docs/wafd/umn/waf_01_0017.html @@ -1,55 +1,55 @@ --Parent topic: Rule Configuration+Parent topic: Configuring Protection PoliciesConfiguring a Data Masking Rule
+Configuring Data Masking Rules to Prevent Privacy Information Leakage
This topic describes how to configure data masking rules. You can configure data masking rules to prevent sensitive data such as passwords from being displayed in event logs.
-Prerequisites
A website has been added to WAF.
++ If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the project from the Enterprise Project drop-down list and configure protection policies for the domain names in the project.
+Prerequisites
A website has been added to WAF.
Constraints
It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the Events page.
-Impact on the System
Sensitive data in the events will be masked to protect your website visitor's privacy.
Procedure
- Log in to the management console.
- Click
in the upper left corner of the management console and select a region or project. - Click
in the upper left corner and choose Web Application Firewall (Dedicated) under Security. - In the navigation pane on the left, choose Website Settings.
- In the Policy column of the row containing the target website, click the number to go to the Policies page.
- In the Data Masking configuration area, change Status if needed and click Customize Rule.Figure 1 Data Masking configuration area-
- In the upper left corner of the Data Masking page, click Add Rule.
- In the displayed dialog box, specify the parameters described in Table 1.Figure 2 Adding a data masking rule+
Configuring a Data Masking Rule
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
- In the navigation pane on the left, choose Policies.
- Click the name of the target policy to go to the protection configuration page.
- In the Data Masking configuration area, change Status if needed and click Customize Rule.Figure 1 Data Masking configuration area+
- In the upper left corner above the Data Masking rule list, click Add Rule.
- In the displayed dialog box, specify the parameters described in Table 1.Figure 2 Adding a data masking rule-
Table 1 Rule parameters Parameter
+Table 1 Rule parameters Parameter
Description
+Description
Example Value
+Example Value
Path
+Path
Part of the URL that does not include the domain name.
+Part of the URL that does not include the domain name.
- Prefix match: The path ending with * indicates that the path is used as a prefix. For example, if the path to be protected is /admin/test.php or /adminabc, set Path to /admin*.
- Exact match: The path to be entered must match the path to be protected. If the path to be protected is /admin, set Path to /admin.
NOTE:- The path supports prefix and exact matches only and does not support regular expressions.
- The path cannot contain two or more consecutive slashes. For example, ///admin. If you enter ///admin, WAF converts /// to /.
/admin/login.php
+/admin/login.php
For example, if the URL to be protected is http://www.example.com/admin/login.php, set Path to /admin/login.php.
Masked Field
+Masked Field
A field set to be masked- Params: A request parameter
- Cookie: A small piece of data to identify web visitors
- Header: A user-defined HTTP header
- Form: A form parameter
- Params: A request parameter
- Cookie: A small piece of data to identify web visitors
- Header: A user-defined HTTP header
- Form: A form parameter
- If Masked Field is Params and Field Name is id, content that matches id is masked.
- If Masked Field is Cookie and Field Name is name, content that matches name is masked.
- If Masked Field is Params and Field Name is id, content that matches id is masked.
- If Masked Field is Cookie and Field Name is name, content that matches name is masked.
Field Name
+Field Name
Set the parameter based on Masked Field. The masked field will not be displayed in logs.
-NOTICE:+The length of a subfield cannot exceed 2,048 bytes. Only digits, letters, underscores (_), and hyphens (-) are allowed.
-Set the parameter based on Masked Field. The masked field will not be displayed in logs.
Rule Description
+Rule Description
A brief description of the rule. This parameter is optional.
+A brief description of the rule. This parameter is optional.
None
+None
- Click Confirm. The added data masking rule is displayed in the list of data masking rules.
-Other Operations
- To disable a rule, click Disable in the Operation column of the rule. The default Rule Status is Enabled.
- To modify a rule, click Modify in the row containing the rule.
- To delete a rule, click Delete in the row containing the rule.
Related Operations
- To disable a rule, click Disable in the Operation column of the rule. The default Rule Status is Enabled.
- To modify a rule, click Modify in the row containing the rule.
- To delete a rule, click Delete in the row containing the rule.
Configuration Example - Masking the Cookie Field
To verify that WAF is protecting your domain name www.example.com against a data masking rule (with Cookie selected for Masked Field and jsessionid entered in Field Name):
- Add a data masking rule.Figure 3 Select Cookie for Masked Field and enter jsessionid in Field Name.@@ -69,7 +69,7 @@
diff --git a/docs/wafd/umn/waf_01_0018.html b/docs/wafd/umn/waf_01_0018.html index 8c56784a..c23d91c0 100644 --- a/docs/wafd/umn/waf_01_0018.html +++ b/docs/wafd/umn/waf_01_0018.html @@ -1,15 +1,17 @@ --Parent topic: Rule Configuration+Parent topic: Configuring Protection PoliciesEvent Management
+Viewing Protection Events
diff --git a/docs/wafd/umn/waf_01_0020.html b/docs/wafd/umn/waf_01_0020.html index 185bdbe8..a126d20e 100644 --- a/docs/wafd/umn/waf_01_0020.html +++ b/docs/wafd/umn/waf_01_0020.html @@ -1,11 +1,11 @@ -Viewing Basic Information
-This topic describes how to view the basic information about a protected website, switch WAF working mode, and delete a domain name of a protected website from WAF.
-Prerequisites
A website has been connected to WAF.
+Viewing Basic Information of a Website
+This topic describes how to view client protocol, policy name, alarm page, CNAME record, and CNAME IP address configured for a protected domain name.
+ -Procedure
- Log in to the management console.
- Click
in the upper left corner of the management console and select a region or project. - Click
in the upper left corner and choose Web Application Firewall (Dedicated) under Security. - In the navigation pane on the left, choose Website Settings.
- View the protected website lists. For details about parameters, see Table 1.Figure 1 Website list-
+Viewing Basic Information of a Website
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click
in the upper left corner and choose Web Application Firewall (Dedicated) under Security. - In the navigation pane on the left, choose Website Settings.
- View the protected website lists. For details about parameters, see Table 1.Figure 1 Website list+
-Table 1 Parameter description Parameter
Description
@@ -14,55 +14,53 @@Domain Name
Domain name or IP address of a website you want to protect.
+Protected domain name or IP address.
Deployment Mode
+Protection
How your WAF instance is deployed for your website. Only Dedicated mode is available.
Server IP/Port
+Public IP address of the website server accessed by the client and the service port used by WAF to forward client requests to the server.
+Last 3 Days
Protection status of the domain name over the past three days.
+Protection status of the domain name over the past three days.
Mode
WAF mode of the protected domain name. Click Switch and select one of the following working modes: Click
-
and select one of the following working mode:- Enabled: WAF is enabled.
- Suspended: WAF is disabled. If a large number of normal requests are blocked, for example, status code 418 is frequently returned, then you can switch the mode to Suspended. In this mode, your website is not protected because WAF only forwards requests. It does not scan for attacks. This mode is risky. You are advised to use the false alarm masking rules to reduce false alarms.
WAF mode of the protected domain name. You can click
+
to select a protection mode:- Enabled: WAF is enabled.
- Suspended: WAF is disabled. If a large number of normal requests are blocked, for example, status code 418 is frequently returned, then you can switch the mode to Suspended. In this mode, your website is not protected because WAF only forwards requests. It does not scan for attacks. This mode is risky. You are advised to use the global protection whitelist rules to reduce false alarms.
For details, see Switching WAF Working Mode.
Policy
The total number of protection policies configured in WAF. You can click a number to go to the rule configuration page.
+Number of types of WAF protection enabled for the domain name. You can click a number to go to the rule configuration page.
Access Progress/Status
+Access Progress
The progress of connecting your website to WAF or the website access status.
Operation
-To remove a protected website from WAF, click Delete.
-WARNING:-The deletion operation cannot be cancelled. Exercise caution when performing this operation.
- - In the Domain Name column, click the domain name of the website to go to the basic information page.
- View the basic information about the domain name of the protected website.Figure 2 Basic Information-
- Update the certificate: If you select HTTPS for Client Protocol, an SSL certificate is required. To update the certificate, click next to the certificate name in the Certificate Name row. Then, in the displayed dialog box, upload a new certificate or select an existing certificate. For more details, see Updating a Certificate.
- Update the TLS version and TLS cipher suite for accessing the origin server: If you select HTTPS for Client Protocol, you can change TLS version to a more secure one. To do so, click next to the TLS Configuration field. Then, in the displayed dialog box, select the desired TLS version and TLS cipher suite. For more details, see Configuring PCI DSS/3DS Certification Check and TLS Version.
- Modify the field of Proxy Configured: Click . In the displayed dialog box, select Yes if your web server is using a proxy.
- Customize the alarm page: Click . In the displayed dialog box, select Custom or Redirection and complete required configurations. By default, Alarm Page is Default.
- If you want to set a timeout duration for each request, enable Timeout Settings and click
to specify WAF-to-Server Connection Timeout (s), Read Timeout (s), and Write Timeout (s). This function cannot be disabled after being enabled. For details, see Configuring Connection Timeout.
- Update the certificate: If you select HTTPS for Client Protocol, an SSL certificate is required. To update the certificate, click
- In the Domain Name column, click the domain name of the website to go to the basic information page.
- View the basic information about the domain name of the protected website.To modify a parameter, locate the row that contains the target parameter and click the edit icon.Figure 2 Basic Information+
diff --git a/docs/wafd/umn/waf_01_0021.html b/docs/wafd/umn/waf_01_0021.html index 8b766799..db13fa32 100644 --- a/docs/wafd/umn/waf_01_0021.html +++ b/docs/wafd/umn/waf_01_0021.html @@ -1,8 +1,8 @@ --Parent topic: Website Domain Name Management+Parent topic: Managing WebsitesDashboard
-This topic describes how to view event logs, including attack and request statistics, event distribution, top 10 attacked domain names, top 10 attack source IP addresses, and top 10 attacked URLs in a specified time range, such as yesterday, today, past 3 days, past 7 days, or past 30 days.
-Prerequisites
- A domain name has been added and connected to WAF.
- WAF protection is enabled.
- At least one protection rule has been configured for the domain name.
Viewing the Dashboard Page
+-This topic describes how to view protection event logs, including attack and request statistics, event distribution, top 10 attacked domain names, top 10 attack source IP addresses, and top 10 attacked URLs in a specified time range, such as yesterday, today, past 3 days, past 7 days, or past 30 days.
+Prerequisites
- You have connected a website to WAF.
- At least one protection rule has been configured for the domain name.
@@ -18,30 +18,30 @@Specification Limitations
On the Dashboard page, protection data of a maximum of 30 days can be viewed.
Yesterday or Today
The QPS curve is made with the average QPSs in every minute.
+The QPS curve is made with the average QPS in every minute.
The QPS curve is made with each peak QPS in every minute.
Past 3 days
The QPS curve is made with the average QPSs in every five minutes.
+The QPS curve is made with the average QPS in every five minutes.
The QPS curve is made with each peak QPS in every five minutes.
Past 7 days
The QPS curve is made with the maximum value among the average QPSs in every five minutes at a 10-minute interval.
+The QPS curve is made with the maximum value among the average QPS in every five minutes at a 10-minute interval.
The QPS curve is made with each peak QPS in every 10 minutes.
Past 30 days
The QPS curve is made with the maximum value among the average QPSs in every five minutes at a one-hour interval.
+The QPS curve is made with the maximum value among the average QPS in every five minutes at a one-hour interval.
The QPS curve is made with the peak QPSs in every hour.
+The QPS curve is made with the peak QPS in every hour.
Queries Per Second (QPS) indicates the number of requests per second. For example, an HTTP GET request is also called a query. The number of requests is the total number of requests in a specific time range.
Procedure
- Log in to the management console.
- Click
in the upper left corner of the management console and select a region or project. - Click
in the upper left corner and choose Web Application Firewall (Dedicated) under Security. - In the upper part of the page, specify the website, instance, and time range for your query.
- By default, the information about all websites you add to WAF in all enterprise projects are displayed.
- Domain Names: shows information about website domain names added to the WAF instance. Click View to go to the Website Settings page and view details about domain names of protected websites.
- Query time: You can select Yesterday, Today, Past 3 days, Past 7 days, or Past 30 days.
Figure 1 Setting search criteria-
- View how many requests, attacks, and pages under each type of attacks.
- Requests: shows the page views of the website, making it easy for you to view the total number of pages accessed by visitors in a certain period of time.
- Attacks: shows how many times the website are attacked.
- You can view how many pages are attacked by a certain type of attacks within a certain period of time.
Viewing the Dashboard
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
- In the upper part of the page, select a project from the Enterprise Project drop-down list. Then, specify the website, instance, and time range for your query.
- By default, the information about all websites you add to WAF in all enterprise projects are displayed.
- Domain Names: shows information about websites added to the WAF instance in the selected enterprise project. Click View to go to the Website Settings page and view details about domain names of protected websites.
- Query time: You can select Yesterday, Today, Past 3 days, Past 7 days, or Past 30 days.
Figure 1 Setting search criteria+
- View how many requests, attacks, and attacked pages by attack type over the specified time range.
- Requests: shows the page views of the website, making it easy for you to view the total number of pages accessed by visitors in a certain period of time.
- Attacks: shows how many times the website are attacked.
- You can view how many pages are attacked by a certain type of attack within a certain period of time.
- You can click Show Details to view the details of the 10 domain names with the most requests, attacks, and basic web protection, precise protection, CC attack protection, and anti-crawler protection actions.
Figure 2 Protection action statistics
- Query security data in the Security Event Statistics area.
By day: You can select this option to view the data gathered by the day. If you leave this option unselected, you have the following options:
-- Yesterday and Today: Security event data is gathered every 2 minutes.
- Past 3 days: Security event data is gathered every 5 minutes.
- Past 7 days: Security event data is gathered every 10 minutes.
- Past 30 days: Security event data is gathered every hour.
Figure 3 Security Event Statistics+
- Yesterday and Today: Security event data is gathered every minute.
- Past 3 days: Security event data is gathered every 5 minutes.
- Past 7 days: Security event data is gathered every 10 minutes.
- Past 30 days: Security event data is gathered every hour.
Figure 3 Security Event Statistics
Table 2 Parameters in Security Event Statistics Parameter
Queries Per Second (QPS) indicates the number of requests per second. For example, an HTTP GET request is also called a query.
Bandwidth
+Bytes Sent/Received
Bandwidth usage
The value of sent and received bytes is calculated by adding the values of request_length and upstream_bytes_received by time, so the value is different from the network bandwidth monitored on the EIP. This value is also affected by web page compression, connection reuse, and TCP retransmission.
@@ -84,24 +84,24 @@Event Distribution
Types of attack events
-Click an area in the Event Distribution area to view the type, number, and proportion of an attack.
+Click an area in the Event Distribution area to view the type, number, and proportion of an attack.
Top 10 Attacked Domain Names
The ten most attacked domain names and the number of attacks on each domain name.
+The ten most attacked domain names and the number of attacks on each domain name.
Click View More to go to the Events page and view more protection data.
Top 10 Attack Source IP Addresses
+Top 10 Attack Source IP Addresses
The ten source IP addresses with the most attacks and the number of attacks from each source IP address.
+The ten source IP addresses with the most attacks and the number of attacks from each source IP address.
Click View More to go to the Events page and view more protection data.
Top 10 Attacked URLs
+Top 10 Attacked URLs
The ten most attacked URLs and the number of attacks on each URL.
+The ten most attacked URLs and the number of attacks on each URL.
Click View More to go to the Events page and view more protection data.
- About WAF
- - Website Domain Name Access Configuration
+ - Website Connect Issues
- - Service Interruption Check
+ - Protection Rules
- - Protection Rule Configuration
+ - Certificate Management
+
+ - Troubleshooting Website Connection Exceptions
+
+ - Troubleshooting Certificate and Cipher Suite Issues
+
+ - Troubleshooting Traffic Forwarding Exceptions
+
+ - Checking Whether Normal Requests Are Blocked Mistakenly
Handling False Alarms
-If you confirm that an attack event on the Events page is a false alarm, you can handle the event as false alarm by ignoring the URL and rule ID in basic web protection, or by deleting or disabling the corresponding protection rule you configured. After an attack event is handled as a false alarm, the event will not be displayed on the Events page anymore. You will no longer receive any alarm notifications about the event.
+If you confirm that an attack event on the Events page is a false alarm, you can handle the event as false alarm by ignoring the URL and rule ID in basic web protection, or by deleting or disabling the corresponding protection rule you configured. After an attack event is handled as a false alarm, the event will not be displayed on the Events page anymore.
WAF detects attacks by using built-in basic web protection rules, built-in features in anti-crawler protection, and custom rules you configured (such as CC attack protection, precise access protection, blacklist, whitelist, and geolocation access control rules). WAF will respond to detected attacks based on the protective actions (such as Block and Log only) defined in the rules and display attack events on the Events page.
-Prerequisites
There is at least one false alarm event in the event list.
Constraints
- Only attack events blocked or recorded by preconfigured basic web protection rules and features in anti-crawler protection can be handled as false alarms.
- For events generated based on custom rules (such as a CC attack protection rule, precise protection rule, blacklist rule, whitelist rule, or geolocation access control rule), they cannot be handled as false alarms. To ignore such an event, delete or disable the custom rule hit by the event.
- An attack event can only be handled as a false alarm once.
Constraints
- Only attack events blocked or recorded by built-in basic web protection rules and features in anti-crawler protection can be handled as false alarms.
- For events generated based on custom rules (such as a CC attack protection rule, precise protection rule, blacklist rule, whitelist rule, or geolocation access control rule), they cannot be handled as false alarms. To ignore such an event, delete or disable the custom rule hit by the event.
- An attack event can only be handled as a false alarm once.
- After an attack event is handled as a false alarm, the attack event will not be displayed on the Events page.
- Dedicated WAF instances earlier than June 2022 do not support All protection for Ignore WAF Protection. Only Basic web protection can be selected.
-Application Scenarios
Sometimes normal service requests may be blocked by WAF. For example, suppose you deploy a web application on an ECS and then add the public domain name associated with that application to WAF. If you enable basic web protection for that application, WAF may block the access requests that match the basic web protection rules. As a result, the website cannot be accessed through its domain name. However, the website can still be accessed through the IP address. In this case, you can handle the false alarms to allow normal access requests to the application.
-Impact on the System
The attack event will not be displayed on the Events page. You will no longer receive any alarm notifications about the event.
-Procedure
- Log in to the management console.
- Click
in the upper left corner of the management console and select a region or project. - Click
in the upper left corner and choose Web Application Firewall (Dedicated) under Security. - In the navigation pane on the left, choose Events.
- Select the Search tab. Select a website from the All protected websites drop-down list. Then, select Yesterday, Today, Past 3 days, Past 7 days, Past 30 days, or a custom time range. Table 1 and Table 2 describe parameters.Figure 1 Viewing protection events+
Handling False Alarms
- Log in to the management console.
- Click
in the upper left corner and choose Web Application Firewall (Dedicated) under Security. - In the navigation pane on the left, choose Events.
- Click the Search tab. In the website or instance drop-down list, select a website to view corresponding event logs. The query time can be Yesterday, Today, Past 3 days, Past 7 days, Past 30 days, or a time range you configure.
- In the event list, handle events.
- If you confirm that an event is a false alarm, locate the row containing the event. In the Operation column, click and handle the hit rule.Figure 1 Handling a false alarm-
Table 1 Event parameters Parameter
+- -
-Table 1 Parameters Parameter
Description
+Description
+Example Value
Event Type
+Scope
Type of attack.
-By default, All is selected. You can view logs of all attack types or select an attack type to view corresponding attack logs.
+- All domain names: By default, this rule will be used to all domain names that are protected by the current policy.
- Specified domain names: Specify a domain name range this rule applies to.
Specified domain names
Protective Action
+Domain Name
The options are Block, Log only, and Verification code.
-Source IP Address
-Public IP address of the web visitor/attacker
-By default, All is selected. You can view logs of all attack source IP addresses, select an attack source IP address, or enter an attack source IP address to view corresponding attack logs.
-URL
-Attacked URL
-Event ID
-ID of the event
--
-Table 2 Parameters in the event list Parameter
-Description
-Example Value
-Time
-When the attack occurred
-2021/02/04 13:20:04
-Source IP Address
-Public IP address of the web visitor/attacker
-None
-Geolocation
-Location where the IP address of the attack originates from
--
-Domain Name
-Attacked domain name
-www.example.com
-URL
-Attacked URL
-/admin
-Malicious Load
-The location or part of the attack that causes damage or the number of times that the URL was accessed.
-NOTE:-- In a CC attack, the malicious load indicates the number of times that the URL was accessed.
- For blacklist protection events, the malicious load is left blank.
id=1 and 1='1
-Event Type
-Type of attack
-SQL injection
-Protective Action
-Protective actions configured in the rule. The options are Block, Log only, and Verification code.
-NOTE:-If an access request matches a web tamper protection rule, information leakage prevention rule, or data masking rule, the protective action is marked as Mismatch.
-Block
-Status Code
-HTTP status code returned on the block page.
-418
-- To view event details, click Details in the Operation column of the event list.
-- After you confirm that an event is a false alarm, click Handle False Alarm in the Operation column of the row and add a false alarm masking rule. Table 3 describes parameters.
Figure 2 Handling a false alarm- - -
-Table 3 Parameters Parameter
-Description
-Example Value
-Scope
-- All domain names: By default, this rule will be used to all domain names that are protected by the current policy.
- Specified domain names: This rule will be used to the specified domain names that match the wildcard domain name being protected by the current policy.
Specified domain names
-Domain Name
-This parameter is mandatory when you select Specified domain names for Scope.
+This parameter is mandatory when you select Specified domain names for Scope.
Enter a single domain name that matches the wildcard domain name being protected by the current policy.
www.example.com
+www.example.com
Condition List
+Condition List
Click Add to add conditions. At least one condition needs to be added. You can add up to 30 conditions to a protection rule. If more than one condition is added, all of the conditions must be met for the rule to be applied. A condition includes the following parameters:
-Parameters for configuring a condition are described as follows:- Field
- Subfield: Configure this field only when Params, Cookie, or Header is selected for Field.NOTICE:
The length of a subfield cannot exceed 2,048 bytes. Only digits, letters, underscores (_), and hyphens (-) are allowed.
+Click Add to add conditions. At least one condition needs to be added. You can add up to 30 conditions to a protection rule. If more than one condition is added, all of the conditions must be met for the rule to be applied. A condition includes the following parameters:
+Parameters for configuring a condition are described as follows:- Field
- Subfield: Configure this field only when Params, Cookie, or Header is selected for Field.NOTICE:-
The length of a subfield cannot exceed 2,048 bytes. Only digits, letters, underscores (_), and hyphens (-) are allowed.
- Logic: Select a logical relationship from the drop-down list.
- Content: Enter or select the content that matches the condition.
- Logic: Select a logical relationship from the drop-down list.
- Content: Enter or select the content that matches the condition.
Path, Include, /product
+Path, Include, /product
Ignore WAF Protection
+Ignore WAF Protection
- All protection: All WAF rules do not take effect, and WAF allows all request traffic to the domain names in the rule.
- Basic Web Protection: You can ignore basic web protection by rule ID, attack type, or all built-in rules. For example, if XSS check is not required for a URL, you can whitelist XSS rule.
- All protection: All WAF rules do not take effect, and WAF allows all request traffic to the domain names in the rule.
- Basic web protection: You can ignore basic web protection by rule ID, attack type, or all built-in rules. For example, if XSS check is not required for a URL, you can whitelist XSS rule.
Basic Web Protection
+Basic web protection
Ignored Protection Type
+Ignored Protection Type
If you select Basic web protection for Ignored Protection Type, specify the following parameters:
-- ID: Configure the rule by event ID.
- Attack type: Configure the rule by attack type, such as XSS and SQL injection. One type contains one or more rule IDs.
- All built-in rules: all checks enabled in Basic Web Protection.
If you select Basic web protection for Ignored Protection Type, specify the following parameters:
+- ID: Configure the rule by event ID.
- Attack type: Configure the rule by attack type, such as XSS and SQL injection. One type contains one or more rule IDs.
- All built-in rules: all checks enabled in Basic Web Protection.
Attack type
+Attack type
ID
+Rule ID
This parameter is mandatory when you select ID for Ignored Protection Type.
-ID of an attack event on the Events page. If the event type is Custom, it has no event ID. Click Handle False Alarm in the row containing the attack event to obtain the ID. You are advised to configure global protection whitelist (formerly false alarm masking) rules on the Events page by referring to Handling False Alarms.
+This parameter is mandatory when you select ID for Ignored Protection Type.
+Rule ID of a misreported event in Events whose type is not Custom. You are advised to handle false alarms on the Events page.
041046
+041046
Attack type
+Rule Type
This parameter is mandatory when you select Attack type for Ignored Protection Type.
+This parameter is mandatory when you select Attack type for Ignored Protection Type.
Select an attack type from the drop-down list box.
WAF can defend against XSS attacks, web shells, SQL injection attacks, malicious crawlers, remote file inclusions, local file inclusions, command injection attacks, and other attacks.
SQL injection
+SQL injection
Rule Description
+Rule Description
A brief description of the rule. This parameter is optional.
+A brief description of the rule. This parameter is optional.
SQL injection attacks are not intercepted.
+SQL injection attacks are not intercepted.
Advanced Settings
+Advanced Settings
To ignore attacks of a specific field, specify the field in the Advanced Settings area. After you add the rule, WAF will stop blocking attack events of the specified field.
-Select a target field from the first drop-down list box on the left. The following fields are supported: Params, Cookie, Header, Body, and Multipart.- If you select Params, Cookie, or Header, you can select All or Specified field to configure a subfield.
- If you select Body or Multipart, you can select All.
- If you select Cookie, the Domain Name and Path can be empty.
NOTE:If All is selected, WAF will not block all attack events of the selected field.
+To ignore attacks of a specific field, specify the field in the Advanced Settings area. After you add the rule, WAF will stop blocking attack events of the specified field.
+Select a target field from the first drop-down list box on the left. The following fields are supported: Params, Cookie, Header, Body, and Multipart.- If you select Params, Cookie, or Header, you can select All or Field to configure a subfield.
- If you select Body or Multipart, you can select All.
- If you select Cookie, the Domain Name box for the rule can be empty.
NOTE:If All is selected, WAF will not block all attack events of the selected field.
Params
+Params
All
- Click OK.
+- Add the source IP address to an address group. Locate the row containing the desired event, in the Operation column, click . The source IP address triggering the event will be blocked or allowed based on the policy used for the address group.
Add to: You can select an existing address group or create an address group.
+Figure 2 Add to Address Group+
- Add the source IP address to a blacklist or whitelist rule of the corresponding protected domain name. Locate the row containing the desired event. In the Operation column, click . Then, the source IP address will be blocked or allowed based on the protective action configured in the blacklist or whitelist rule.
Figure 3 Add to Blacklist/Whitelist+ +
-Table 2 Parameter descriptions Parameter
+Description
+Add to
+- Existing rule
- New rule
Rule Name
+- If you select Existing rule for Add to, select a rule name from the drop-down list.
- If you select New rule for Add to, customize a blacklist or whitelist rule.
IP Address/Range/Group
+This parameter is mandatory when you select New rule for Add to.
+You can select IP address/Range or Address Group to add IP addresses a blacklist or whitelist rule.
+Group Name
+This parameter is mandatory when you select Address group for IP Address/Range/Group.
+Select an address group from the drop-down list.
+Protective Action
+- Block: Select Block if you want to blacklist an IP address or IP address range.
- Allow: Select Allow if you want to whitelist an IP address or IP address range.
- Log only: Select Log only if you want to observe an IP address or IP address range.
Known Attack Source
+If you select Block for Protective Action, you can select a blocking type of a known attack source rule. WAF will block requests matching the configured IP address, Cookie, or Params for a length of time configured as part of the rule.
+Rule Description
+A brief description of the rule. This parameter is optional.
+-Verification
A false alarm will be deleted within about a minute after the handling configuration is done. It will no longer be displayed in the attack event details list. You can refresh the browser cache and request the page for which the false alarm masking rule is configured to check whether the configuration takes effect.
+ +Other Operations
If an event is handled as a false alarm, the rule hit will be added to the global protection whitelist (formerly false alarm masking) rule list. You can go to the Policies page and then switch to the Global Protection Whitelist (Formerly False Alarm Masking) page to manage the rule, including querying, disabling, deleting, and modifying the rule. For more details, see Configuring a Global Protection Whitelist (Formerly False Alarm Masking) Rule.
++Verification
A false alarm will be deleted within about a minute after the handling configuration is done. It will no longer be displayed in the attack event details list. You can refresh the browser cache and access the page for which the global whitelist rule is configured again to check whether the configuration is successful.
+Related Operations
If an event is handled as a false alarm, the rule hit will be added to the global protection whitelist rule list. You can go to the Policies page and then switch to the Global Protection Whitelist page to manage the rule, including querying, disabling, deleting, and modifying the rule. For more details, see Configuring a Global Proteciton whitelist Rule to Ignore False Alarms.
diff --git a/docs/wafd/umn/waf_01_0025.html b/docs/wafd/umn/waf_01_0025.html index bd72c334..f9d24421 100644 --- a/docs/wafd/umn/waf_01_0025.html +++ b/docs/wafd/umn/waf_01_0025.html @@ -4,9 +4,37 @@-Parent topic: Event Management+Parent topic: Viewing Protection Events-
-
- WAF Functions
+ - WAF Basics
- - WAF Usage
+ - Can WAF Protect an IP Address?
+
+ - What Objects Does WAF Protect?
+
+ - Does WAF Block Customized POST Requests?
+
+ - Which Web Service Framework Protocols Does WAF Support?
+
+ - Can WAF Protect Websites Accessed Through HSTS or NTLM Authentication?
+
+ - What Are the Differences Between WAF Forwarding and Nginx Forwarding?
+
+ - Can I Configure Session Cookies in WAF?
+
+ - How Does WAF Detect SQL Injection, XSS, and PHP Injection Attacks?
+
+ - Can WAF Defend Against the Apache Struts2 Remote Code Execution Vulnerability (CVE-2021-31805)?
+
+ - Why Does the Vulnerability Scanning Tool Report Disabled Non-standard Ports for My WAF-Protected Website?
+
+ - What Are Local File Inclusion and Remote File Inclusion?
+
+ - What Is the Difference Between QPS and the Number of Requests?
+
+ - Does WAF Support Custom Authorization Policies?
+
+ - Why Do Cookies Contain the HWWAFSESID or HWWAFSESTIME field?
+
+ - Can I Switch Between the WAF ELB Access Mode and Dedicated Mode?
Which OSs Does WAF Support?
--WAF is deployed on the cloud, which is irrelevant to an OS. Therefore, WAF supports any OS. A domain name server on any OS can be connected to WAF for protection.
--- diff --git a/docs/wafd/umn/waf_01_0027.html b/docs/wafd/umn/waf_01_0027.html index 82c3da84..3903bb39 100644 --- a/docs/wafd/umn/waf_01_0027.html +++ b/docs/wafd/umn/waf_01_0027.html @@ -9,7 +9,7 @@--Parent topic: WAF Functions-diff --git a/docs/wafd/umn/waf_01_0028.html b/docs/wafd/umn/waf_01_0028.html deleted file mode 100644 index f4a5969e..00000000 --- a/docs/wafd/umn/waf_01_0028.html +++ /dev/null @@ -1,22 +0,0 @@ - - --Parent topic: WAF Functions+Parent topic: About WAFWhat Protection Rules Does WAF Support?
--The protection rules supported by WAF are described below.
-- Basic Web Protection
WAF can defend against common web attacks, such as SQL injection, XSS, web shells, and Trojans in HTTP upload channels. Once these functions are enabled, protection takes effect immediately.
- - CC Attack Protection
Flexible rate limiting policies can be set based on the IP addresses, cookies, or Referer field, mitigating CC attacks.
- - Precise Protection
Common HTTP fields can be combined to customize protection policies, such as CSRF protection. With user-defined rules, WAF can accurately detect malicious requests and protect sensitive information in websites.
- - Blacklist and Whitelist
Blacklist or whitelist rules allow you to block or allow specific IP addresses or address ranges, improving defense accuracy.
- - Geolocation Access Control
Geolocation access control rules allow you to customize access control based on the source IP addresses.
- - Web Tamper Protection
Cache configuration is performed on static web pages. When a user accesses a web page, the system returns a cached page to the user and randomly checks whether the page is tampered with.
- - Anti-crawler Protection
This function dynamically analyzes website service models and accurately identifies crawler behavior based on data risk control and bot identification systems, such as JS Challenge.
- - Global Protection Whitelist (Formerly False Alarm Masking)
This function ignores certain attack detection rules for specific requests.
- - Data Masking
Data masking prevents such data as passwords from being displayed in event logs.
- - Information Leakage Prevention
WAF prevents user's sensitive information on web pages from being disclosed, such as ID numbers, phone numbers, and email addresses.
-
-- diff --git a/docs/wafd/umn/waf_01_0029.html b/docs/wafd/umn/waf_01_0029.html index 024e7453..c7bfa527 100644 --- a/docs/wafd/umn/waf_01_0029.html +++ b/docs/wafd/umn/waf_01_0029.html @@ -1,12 +1,11 @@--Parent topic: Others-Can WAF Protect an IP Address?
-A WAF instance can protect IP addresses.
-For details about how to add a domain name to WAF, see How Do I Add a Domain Name/IP Address to WAF?
+A WAF instance can protect IP addresses or domain names.
diff --git a/docs/wafd/umn/waf_01_0030.html b/docs/wafd/umn/waf_01_0030.html deleted file mode 100644 index 583979c1..00000000 --- a/docs/wafd/umn/waf_01_0030.html +++ /dev/null @@ -1,11 +0,0 @@ - - --Parent topic: WAF Functions+Parent topic: About WAFWhich Layers Does WAF Provide Protection At?
--WAF provides protection at seven layers, namely, the physical layer, data link layer, network layer, transport layer, session layer, presentation layer, and application layer.
--- diff --git a/docs/wafd/umn/waf_01_0032.html b/docs/wafd/umn/waf_01_0032.html deleted file mode 100644 index 2eef883d..00000000 --- a/docs/wafd/umn/waf_01_0032.html +++ /dev/null @@ -1,46 +0,0 @@ - - ---Parent topic: WAF Functions-Which Non-Standard Ports Does WAF Support?
--In addition to standard ports 80 and 443, WAF supports multiple non-standard ports. The non-standard ports vary depending on the edition and billing mode you select.
-Each combination of a domain name and a non-standard port is counted towards the domain name quota of the WAF edition you are using. For example, www.example.com:8080 and www.example.com:8081 use two domain names of the quota. If you want to protect web services over multiple ports with the same domain name, add the domain name and each port to WAF.
--Ports Supported by WAF
Table 1 lists the ports that can be protected by WAF. ---
-Table 1 Ports supported by WAF Port Category
-HTTP Protocol
-HTTPS Protocol
-Port Limit
-Standard ports
-80
-443
-Unlimited
-Non-standard ports (182 in total)
-9945, 9770, 81, 82, 83, 84, 88, 89, 800, 808, 1000, 1090, 3128, 3333, 3501, 3601, 4444, 5000, 5222, 5555, 5601, 6001, 6666, 6788, 6789, 6842, 6868, 7000, 7001, 7002, 7003, 7004, 7005, 7006, 7009, 7010, 7011, 7012, 7013, 7014, 7015, 7016, 7018, 7019, 7020, 7021, 7022, 7023, 7024, 7025, 7026, 7070, 7081, 7082, 7083, 7088, 7097, 7777, 7800, 7979, 8000, 8001, 8002, 8003, 8008, 8009, 8010, 8020, 8021, 8022, 8025, 8026, 8077, 8078, 8080, 8085, 8086, 8087, 8088, 8089, 8090, 8091, 8092, 8093, 8094, 8095, 8096, 8097, 8098, 8106, 8118, 8181, 8334, 8336, 8800, 8686, 8888, 8889, 8989, 8999, 9000, 9001, 9002, 9003, 9080, 9200, 9802, 10000, 10001, 10080, 12601, 86, 9021, 9023, 9027, 9037, 9081, 9082, 9201, 9205, 9207, 9208, 9209, 9210, 9211, 9212, 9213, 48800, 87, 97, 7510, 9180, 9898, 9908, 9916, 9918, 9919, 9928, 9929, 9939, 28080, 33702, 8011, 8012, 8013, 8014, 8015, 8016, 8017, and 8070
-8750, 8445, 18010, 4443, 5443, 6443, 7443, 8081, 8082, 8083, 8084, 8443, 8843, 9443, 8553, 8663, 9553, 9663, 18110, 18381, 18980, 28443, 18443, 8033, 18000, 19000, 7072, 7073, 8803, 8804, 8805, 9999
-Unlimited
--- diff --git a/docs/wafd/umn/waf_01_0035.html b/docs/wafd/umn/waf_01_0035.html index 3626b7b4..4aa63372 100644 --- a/docs/wafd/umn/waf_01_0035.html +++ b/docs/wafd/umn/waf_01_0035.html @@ -1,14 +1,25 @@ ---Parent topic: Domain Name and Port Configuration-How Do I Configure a CC Attack Protection Rule?
-+When a service interface is under an HTTP flood attack, you can set a CC attack protection rule on the WAF console to relieve service pressure.
-WAF provides the following settings for a CC attack protection rule:
-- Number of requests allowed from a web visitor in a specified period
- Identification of web visitors based on the IP address, cookie, or referer field.
- Action when the maximum limit is reached, such as Block or Verification code
For details, see Configuring a CC Attack Protection Rule.
-Troubleshooting Traffic Forwarding Exceptions
++diff --git a/docs/wafd/umn/waf_01_0036.html b/docs/wafd/umn/waf_01_0036.html index fa7dfe54..56c7dba6 100644 --- a/docs/wafd/umn/waf_01_0036.html +++ b/docs/wafd/umn/waf_01_0036.html @@ -6,7 +6,7 @@-
+
- How Do I Troubleshoot 404/502/504 Errors?
+
+ - Why Am I Seeing Error Code 418?
+
+ - Why Am I Seeing Error Code 523?
+
+ - Why Was My Website Redirected So Many Times?
+
+ - Why Am I Seeing Error Code 414 Request-URI Too Large?
+
+ - What Is the Connection Timeout Duration of WAF? Can I Manually Set the Timeout Duration?
+
+
-Parent topic: CC Attack Protection Rules+Parent topic: FAQsdiff --git a/docs/wafd/umn/waf_01_0038.html b/docs/wafd/umn/waf_01_0038.html index b420ac2f..5e84af76 100644 --- a/docs/wafd/umn/waf_01_0038.html +++ b/docs/wafd/umn/waf_01_0038.html @@ -19,7 +19,7 @@-Parent topic: CC Attack Protection Rules+Parent topic: Protection Rules- Feature-based anti-crawler protection
-Feature-based anti-crawler identifies and blocks crawler behavior from search engines, scanners, script tools, and other crawlers.
In the row containing the attack event, click Handle False Alarm in the Operation column. For details, see Handling False Alarms.
+In the row containing the attack event, click Handle as False Alarm in the Operation column. For details, see Handling False Alarms.
Custom protection rules
@@ -32,11 +32,11 @@Other
Invalid access requests
-NOTE:If either of the following numbers in an access request exceeds 512, WAF blocks the access request as an invalid request:- Number of parameters in a form when form-data is used for POST or PUT requests
- Number of URI parameters
NOTE:If any of the following cases, WAF blocks the access request as an invalid request:- When form-data is used for POST or PUT requests, the number of parameters in a form exceeds 8,192.
- The URL contains more than 2,048 parameters.
- The number of headers exceeds 512.
Allow the blocked requests by referring to Configuring a Precise Protection Rule. The Handle False Alarm button for invalid access events are grayed out as such events are generated against a precise protection rule.
+Allow the blocked requests by referring to Configuring Custom Precise Protection Rules. The Handle as False Alarm button is grayed out for events that are generated against a precise protection rule.
diff --git a/docs/wafd/umn/waf_01_0041.html b/docs/wafd/umn/waf_01_0041.html deleted file mode 100644 index b6b3afca..00000000 --- a/docs/wafd/umn/waf_01_0041.html +++ /dev/null @@ -1,12 +0,0 @@ - - --Parent topic: Service Interruption Check+Parent topic: Checking Whether Normal Requests Are Blocked MistakenlyHow Do I Safely Delete a Protected Domain Name?
--To delete a website from WAF, see Removing a Protected Website from WAF. Before you start, get yourself familiar with the following precautions:
-- Before removing a website from WAF, go to your DNS provider and resolve your domain name to the IP address of the origin server, or the traffic to your domain name cannot be routed to the origin server.
- It takes a while to remove a website from WAF, but once this action is started, it cannot be cancelled. Exercise caution when removing a website from WAF.
-- diff --git a/docs/wafd/umn/waf_01_0045.html b/docs/wafd/umn/waf_01_0045.html index 621f99c7..2be87646 100644 --- a/docs/wafd/umn/waf_01_0045.html +++ b/docs/wafd/umn/waf_01_0045.html @@ -1,14 +1,18 @@ ---Parent topic: Domain Name and Port Configuration-What Is Web Application Firewall?
+What Is WAF?
Web Application Firewall (WAF) keeps web services stable and secure. It examines all HTTP and HTTPS requests to detect and block the following attacks: Structured Query Language (SQL) injection, cross-site scripting (XSS), web shells, command and code injections, file inclusion, sensitive file access, third-party vulnerability exploits, Challenge Collapsar (CC) attacks, malicious crawlers, and cross-site request forgery (CSRF).
After you enable a WAF instance, add your website domain to the WAF instance on the WAF console. All public network traffic for your website then goes to WAF first. WAF identifies and filters out the illegitimate traffic, and routes only the legitimate traffic to your origin server to ensure site security.
-How WAF Works
After purchasing WAF, add the website to WAF on the WAF console. After a website is connected to WAF, all website access requests are forwarded to WAF first. WAF detects and filters out malicious attack traffic, and returns normal traffic to the origin server to ensure that the origin server is secure, stable, and available.
-Figure 1 How WAF protects a website+
-How WAF Works (Dedicated Mode)
After applying for WAF, add the website to WAF on the WAF console. After a website is connected to WAF, all website access requests are forwarded to WAF first. WAF detects and filters out malicious attack traffic, and returns normal traffic to the origin server to ensure that the origin server is secure, stable, and available.
+Figure 1 How WAF WorksThe process of forwarding traffic from WAF to origin servers is called back-to-source. WAF uses back-to-source IP addresses to send client requests to the origin server. When a website is connected to WAF, the destination IP addresses to the client are the IP addresses of WAF, so that the origin server IP address is invisible to the client.
Figure 2 Back-to-source IP address
What WAF Protects
Objects supported by dedicated WAF instances: domain names or IP addresses of web applications on the clouds or on-premises data centers
++How WAF Works (ELB Access Mode)
If you connect a website to WAF in ELB access mode, WAF works as follows:
+- In this mode, WAF is integrated into the gateway of an ELB load balancer through an SDK module. WAF extracts traffic through the SDK module embedded in the gateway for inspection.
- WAF synchronizes the inspection result to the load balancer, and the load balancer determines whether to forward client requests to the origin server based on the inspection result.
- In this method, WAF does not forward traffic. This reduces compatibility and stability problems.
Figure 3 How WAF in ELB load balancer access mode works+
What WAF Protects
Objects WAF can protect: domain names or IP addresses of web applications on the cloud
diff --git a/docs/wafd/umn/waf_01_0051.html b/docs/wafd/umn/waf_01_0051.html index 133906a0..999354fb 100644 --- a/docs/wafd/umn/waf_01_0051.html +++ b/docs/wafd/umn/waf_01_0051.html @@ -2,217 +2,10 @@WAF and Other Services
This topic describes WAF and other cloud services.
-CTS
-+
-Table 1 WAF operations that can be recorded by CTS Operation
-Resource Type
-Trace Name
-Creating a WAF instance
-instance
-createInstance
-Deleting a WAF instance
-instance
-deleteInstance
-Modifying a WAF instance
-instance
-alterInstanceName
-Modifying the protection status of a WAF instance
-instance
-modifyProtectStatus
-Modifying the connection status of a WAF instance
-instance
-modifyAccessStatus
-Creating a WAF policy
-policy
-createPolicy
-Applying a WAF policy
-policy
-applyToHost
-Modifying a policy
-policy
-modifyPolicy
-Deleting a WAF policy
-policy
-deletePolicy
-Uploading a certificate
-certificate
-createCertificate
-Changing the name of a certificate
-certificate
-modifyCertificate
-Deleting a certificate
-certificate
-deleteCertificate
-Adding a CC attack protection rule
-policy
-createCc
-Modifying a CC attack protection rule
-policy
-modifyCc
-Deleting a CC attack protection rule
-policy
-deleteCc
-Adding a precise protection rule
-policy
-createCustom
-Modifying a precise protection rule
-policy
-modifyCustom
-Deleting a precise protection rule
-policy
-deleteCustom
-Adding an IP address blacklist or whitelist rule
-policy
-createWhiteblackip
-Modifying an IP address blacklist or whitelist rule
-policy
-modifyWhiteblackip
-Deleting an IP address blacklist or whitelist rule
-policy
-deleteWhiteblackip
-Creating/updating a web tamper protection rule
-policy
-createAntitamper
-Deleting a web tamper protection rule
-policy
-deleteAntitamper
-Creating a global protection whitelist (formerly false alarm masking) rule
-policy
-createIgnore
-Deleting a false alarm maskingglobal protection whitelist (formerly false alarm masking) rule
-policy
-deleteIgnore
-Adding a data masking rule
-policy
-createPrivacy
-Modifying a data masking rule
-policy
-modifyPrivacy
-Deleting a data masking rule
-policy
-deletePrivacy
-CTS
Cloud Trace Service (CTS) records all WAF operations for you to query, audit, and backtrack.
Cloud Eye
Cloud Eye monitors the indicators of the dedicated WAF, so that you can understand the protection status of the dedicated WAF in a timely manner, and set protection policies accordingly. For details, see the Cloud Eye User Guide.
-For details about WAF monitored metrics, see WAF Monitored Metrics.
+For details about monitored WAF metrics, see WAF Monitored Metrics.
@@ -225,7 +18,7 @@ELB
You can add your WAF instances to a load balancer so that your website traffic is distributed by the load balancer across WAF instances for detection and then forwarded by WAF to the origin server. In this way, website traffic will be protected even if one of your WAF instances becomes faulty.
TMS
Tag Management Service (TMS) is a visualized service for fast and unified tag management that enables you to label and manage WAF instances by tags.
-Table 2 WAF operations supported by TMS Operation
+Table 1 WAF operations supported by TMS Operation
Resource Type
How Do I Switch the Mode of Basic Web Protection from Log Only to Block?
--This FAQ guides you to switch the mode of basic web protection to Block.
-Perform the following operations:
-- Log in to the management console.
- Click
in the upper left corner of the management console and select a region or project. - Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
- In the navigation pane, choose Website Settings.
- In the Policy column of the row containing the target website, click the number to go to the policy configuration page.
- In the Basic Web Protection configuration area, set Mode to Block.-
Log only and Block are merely modes of basic web protection. CC attack protection and precise protection have their own protective actions.
-
-- diff --git a/docs/wafd/umn/waf_01_0054.html b/docs/wafd/umn/waf_01_0054.html index 3a1db776..03284b2c 100644 --- a/docs/wafd/umn/waf_01_0054.html +++ b/docs/wafd/umn/waf_01_0054.html @@ -1,16 +1,16 @@ ---Parent topic: Basic Web Protection-Configuring an Information Leakage Prevention Rule
+Configuring Information Leakage Prevention Rules to Protect Sensitive Information from Leakage
You can add two types of information leakage prevention rules.
-- Sensitive information filtering: prevents disclosure of sensitive information (such as ID numbers, phone numbers, and email addresses).
- Response code interception: blocks the specified HTTP status codes.
- Sensitive information filtering: prevents disclosure of sensitive information, such as ID numbers, phone numbers, and email addresses.
- Response code interception: blocks the specified HTTP status codes.
- If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the project from the Enterprise Project drop-down list and configure protection policies for the domain names in the project.
Prerequisites
A website has been added to WAF.
+-Prerequisites
You have added your website to a policy.
Constraints
It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the Events page.
+-Constraints
- It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the Events page.
diff --git a/docs/wafd/umn/waf_01_0058.html b/docs/wafd/umn/waf_01_0058.html index d80ad76c..bef3dd91 100644 --- a/docs/wafd/umn/waf_01_0058.html +++ b/docs/wafd/umn/waf_01_0058.html @@ -1,13 +1,17 @@ -Procedure
- Log in to the management console.
- Click
in the upper left corner of the management console and select a region or project. - Click
in the upper left corner and choose Web Application Firewall (Dedicated) under Security. - In the navigation pane on the left, choose Website Settings.
- In the Policy column of the row containing the target website, click the number to go to the Policies page.
- In the Information Leakage Prevention configuration area, change Status if needed and click Customize Rule.Figure 1 Information Leakage Prevention configuration area-
- In the upper left corner of the Information Leakage Prevention page, click Add Rule.
- In the dialog box displayed, add an information leakage prevention rule by referring to Table 1.
Information leakage prevention rules prevent sensitive information (such as ID numbers, phone numbers, and email addresses) from being disclosed. This type of rule can also block specified HTTP status codes.
+-Configuring an Information Leakage Prevention Rule
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
- In the navigation pane on the left, choose Policies.
- Click the name of the target policy to go to the protection configuration page.
- In the Information Leakage Prevention configuration area, change Status if needed and click Customize Rule.Figure 1 Information Leakage Prevention configuration area+
- In the upper left corner above the Information Leakage Prevention rule list, click Add Rule.
- In the dialog box displayed, add an information leakage prevention rule by referring to Table 1.
Information leakage prevention rules prevent sensitive information (such as ID numbers, phone numbers, and email addresses) from being disclosed. This type of rule can also block specified HTTP status codes.
Sensitive information filtering: Configure rules to mask sensitive information, such as phone numbers and ID numbers, from web pages. For example, you can set the following protection rules to mask sensitive information, such as ID numbers, phone numbers, and email addresses:Figure 2 Sensitive information leakage
Response code interception: An error page of a specific HTTP response code may contain sensitive information. You can configure rules to block such error pages to prevent such information from being leaked out. For example, you can set the following rule to block error pages of specified HTTP response codes 404, 502, and 503.Figure 3 Blocking response codes@@ -63,18 +63,18 @@
- Click Confirm. The added information leakage prevention rule is displayed in the list of information leakage prevention rules.
Other Operations
- To disable a rule, click Disable in the Operation column of the rule. The default Rule Status is Enabled.
- To modify a rule, click Modify in the row containing the rule.
- To delete a rule, click Delete in the row containing the rule.
Related Operations
- To disable a rule, click Disable in the Operation column of the rule. The default Rule Status is Enabled.
- To modify a rule, click Modify in the row containing the rule.
- To delete a rule, click Delete in the row containing the rule.
Configuration Example — Masking Sensitive Information
To verify that WAF is protecting your domain name www.example.com against an information leakage prevention rule:
- Add an information leakage prevention rule.Figure 4 Sensitive information leakage-
- Enabling information leakage prevention.Figure 5 Information Leakage Prevention configuration area+
- Enable information leakage prevention.Figure 5 Information Leakage Prevention configuration area
- Clear the browser cache and access http://www.example.com/admin/.
The email address, phone number, and identity number on the returned page are masked.
diff --git a/docs/wafd/umn/waf_01_0055.html b/docs/wafd/umn/waf_01_0055.html index 9ce3076e..b74052bf 100644 --- a/docs/wafd/umn/waf_01_0055.html +++ b/docs/wafd/umn/waf_01_0055.html @@ -6,9 +6,9 @@-Parent topic: Rule Configuration+Parent topic: Configuring Protection Policies
Key Operations Recorded by CTS
+Auditing
diff --git a/docs/wafd/umn/waf_01_0059.html b/docs/wafd/umn/waf_01_0059.html index c24133d2..412c4ff3 100644 --- a/docs/wafd/umn/waf_01_0059.html +++ b/docs/wafd/umn/waf_01_0059.html @@ -2,210 +2,209 @@- WAF Operations Recorded by CTS
CTS provides records of operations on WAF. With CTS, you can query, audit, and backtrack these operations. For details, see the Cloud Trace Service User Guide.
- - Viewing an Audit Trace
+ - Querying Real-Time Traces
+Parent topic: Monitoring and Auditing+WAF Operations Recorded by CTS
CTS provides records of operations on WAF. With CTS, you can query, audit, and backtrack these operations. For details, see the Cloud Trace Service User Guide.
-Table 1 lists WAF operations recorded by CTS.
-Table 1 WAF operations that can be recorded by CTS Operation
+Table 1 WAF Operations Recorded by CTS Operation
Resource Type
+Resource Type
Trace Name
+Trace Name
Creating a WAF instance
+Creating a WAF instance
instance
+instance
createInstance
+createInstance
Deleting a WAF instance
+Deleting a WAF instance
instance
+instance
deleteInstance
+deleteInstance
Modifying a WAF instance
+Modifying a WAF instance
instance
+instance
alterInstanceName
+alterInstanceName
Modifying the protection status of a WAF instance
+Modifying the protection status of a WAF instance
instance
+instance
modifyProtectStatus
+modifyProtectStatus
Modifying the connection status of a WAF instance
+Modifying the connection status of a WAF instance
instance
+instance
modifyAccessStatus
+modifyAccessStatus
Creating a WAF policy
+Creating a WAF policy
policy
+policy
createPolicy
+createPolicy
Applying a WAF policy
+Applying a WAF policy
policy
+policy
applyToHost
+applyToHost
Modifying a policy
+Modifying a policy
policy
+policy
modifyPolicy
+modifyPolicy
Deleting a WAF policy
+Deleting a WAF policy
policy
+policy
deletePolicy
+deletePolicy
Uploading a certificate
+Uploading a certificate
certificate
+certificate
createCertificate
+createCertificate
Changing the name of a certificate
+Changing the name of a certificate
certificate
+certificate
modifyCertificate
+modifyCertificate
Deleting a certificate
+Deleting a certificate from WAF
certificate
+certificate
deleteCertificate
+deleteCertificate
Adding a CC attack protection rule
+Adding a CC attack protection rule
policy
+policy
createCc
+createCc
Modifying a CC attack protection rule
+Modifying a CC attack protection rule
policy
+policy
modifyCc
+modifyCc
Deleting a CC attack protection rule
+Deleting a CC attack protection rule
policy
+policy
deleteCc
+deleteCc
Adding a precise protection rule
+Adding a precise protection rule
policy
+policy
createCustom
+createCustom
Modifying a precise protection rule
+Modifying a precise protection rule
policy
+policy
modifyCustom
+modifyCustom
Deleting a precise protection rule
+Deleting a precise protection rule
policy
+policy
deleteCustom
+deleteCustom
Adding an IP address blacklist or whitelist rule
+Adding an IP address blacklist or whitelist rule
policy
+policy
createWhiteblackip
+createWhiteblackip
Modifying an IP address blacklist or whitelist rule
+Modifying an IP address blacklist or whitelist rule
policy
+policy
modifyWhiteblackip
+modifyWhiteblackip
Deleting an IP address blacklist or whitelist rule
+Deleting an IP address blacklist or whitelist rule
policy
+policy
deleteWhiteblackip
+deleteWhiteblackip
Creating/updating a web tamper protection rule
+Creating/updating a web tamper protection rule
policy
+policy
createAntitamper
+createAntitamper
Deleting a web tamper protection rule
+Deleting a web tamper protection rule
policy
+policy
deleteAntitamper
+deleteAntitamper
Creating a global protection whitelist (formerly false alarm masking) rule
+Creating a global protection whitelist rule
policy
+policy
createIgnore
+createIgnore
Deleting a false alarm maskingglobal protection whitelist (formerly false alarm masking) rule
+Deleting a global protection whitelist rule
policy
+policy
deleteIgnore
+deleteIgnore
Adding a data masking rule
+Adding a data masking rule
policy
+policy
createPrivacy
+createPrivacy
Modifying a data masking rule
+Modifying a data masking rule
policy
+policy
modifyPrivacy
+modifyPrivacy
Deleting a data masking rule
+Deleting a data masking rule
policy
+policy
deletePrivacy
+deletePrivacy
diff --git a/docs/wafd/umn/waf_01_0060.html b/docs/wafd/umn/waf_01_0060.html index e0afcfcf..9a8648d3 100644 --- a/docs/wafd/umn/waf_01_0060.html +++ b/docs/wafd/umn/waf_01_0060.html @@ -1,17 +1,25 @@ --Parent topic: Key Operations Recorded by CTS+Parent topic: AuditingViewing an Audit Trace
-After you enable CTS, the system starts recording operations on WAF. Operation records for the last seven days can be viewed on the CTS console.
-Viewing WAF Logs on the CTS console
- Log in to the management console.
- Click
in the upper left corner of the management console and select a region or project. - Click
in the upper left corner of the page. In the dialog box displayed on the right, choose Management & Deployment > Cloud Trace Service. - Choose Trace List in the navigation pane.
- Click Filter and specify filtering criteria as needed. The following four filters are available:
- Trace Type, Trace Source, Resource Type, and Search By.
- Set Trace Type to Management.
- Set Trace Source to WAF.
- When you select Resource ID for Search By, you also need to enter a resource ID.
- Operator: Select a specific operator (a user other than tenant).
- Trace Status: Available options include All trace statuses, normal, warning, and incident. You can only select one of them.
- Time Range: In the upper right corner of the page, you can query traces in the last 1 hour, last 1 day, last 1 week, or within a customized period.
- Trace Type, Trace Source, Resource Type, and Search By.
- Click Query.
- Click
on the left of a trace to expand its details, as shown in Figure 1.
- - Click View Trace in the Operation column. On the displayed View Trace dialog box shown in Figure 2, the trace structure details are displayed. -
Querying Real-Time Traces
++Scenarios
After you enable CTS and the management tracker is created, CTS starts recording operations on cloud resources. CTS stores operation records generated in the last seven days.
+This section describes how to query and export operation records of the last seven days on the CTS console.
+ +Viewing Real-Time Traces in the Trace List
- Log in to the management console.
- Click
in the upper left corner and choose Management & Deployment > Cloud Trace Service. The CTS console is displayed. - Choose Trace List in the navigation pane on the left.
- Set filters to search for your desired traces, as shown in Figure 1. The following filters are available:
++
- Trace Type, Trace Source, Resource Type, and Search By: Select a filter from the drop-down list.
- If you select Resource ID for Search By, specify a resource ID.
- If you select Trace name for Search By, specify a trace name.
- If you select Resource name for Search By, specify a resource name.
- Operator: Select a user.
- Trace Status: Select All trace statuses, Normal, Warning, or Incident.
- Time range: You can query traces generated during any time range in the last seven days.
- Click Export to export all traces in the query result as a CSV file. The file can contain up to 5000 records.
- Trace Type, Trace Source, Resource Type, and Search By: Select a filter from the drop-down list.
- Click Query.
- On the Trace List page, you can also export and refresh the trace list.
- Click Export to export all traces in the query result as a CSV file. The file can contain up to 5000 records.
- Click
to view the latest information about traces.
- Click
on the left of a trace to expand its details.
+
+ +
- Click View Trace in the Operation column. The trace details are displayed.
+
- For details about key fields in the trace structure, see section "Trace References" > "Trace Structure" and section "Trace References" > "Example Traces" in the CTS User Guide.
diff --git a/docs/wafd/umn/waf_01_0061.html b/docs/wafd/umn/waf_01_0061.html index 5c1a4a62..03fdb79e 100644 --- a/docs/wafd/umn/waf_01_0061.html +++ b/docs/wafd/umn/waf_01_0061.html @@ -4,14 +4,11 @@-Parent topic: Key Operations Recorded by CTS+Parent topic: AuditingThis topic describes how to add rules to one or more policies.
- If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the project from the Enterprise Project drop-down list and configure protection policies for the domain names in batches.
-Prerequisites
A website has been added to WAF.
--Procedure
- Log in to the management console.
- Click
in the upper left corner of the management console and select a region or project. - Click
in the upper left corner and choose Web Application Firewall (Dedicated) under Security. - In the navigation pane on the left, choose Policies.
- In the upper left corner of the page, click All Rules.Figure 1 View Rules-
- In the upper left corner above a rule to be added, click Add Rule.Figure 2 Adding a rule to one or more policies-
- Select one or more policies from the Policy Name drop-down list.
- Set other parameters.
- To add a CC attack protection rule, see Table 1.
- To add a precise protection rule, see Table 1.
- To add a blacklist or whitelist rule, see Table 1.
- To add a geolocation access control rule, see Table 1.
- To add a WTP rule, see Table 1.
- To add an information leakage prevention rule, see Table 1.
- To add a global protection whitelist rule, see Table 1.
- To add a data masking rule, see Table 1.
- Click OK.
Other Operations
- After a rule is added, the rule is Enabled by default. To disable it, click Disable in the Operation column of the target rule. You can also select multiple rules and click Disable above the rule list to disable them all together.
- To modify a rule, locate the row that contains the rule and click Modify in the Operation column. You can also select multiple rules and click Modify above the list to modify them all together.
- To delete a rule, locate the row that contains the rule and click Delete in the Operation column. You can also select multiple rules and click Delete above the list to delete them all together.
Adding Rules to One or More Policies
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
- In the navigation pane on the left, choose Policies.
- In the upper left corner of the policy list, click View All My Rules.Figure 1 View Rules+
- In the upper left corner above a list of a type of rule, click Add Rule.Figure 2 Adding a rule to one or more policies+
- Select one or more policies from the Policy Name drop-down list.Figure 3 Adding a rule to one or more policies+
- Set other parameters.
- To add a CC attack protection rule, see Table 1.
- To add a precise protection rule, see Table 1.
- To add a blacklist or whitelist rule, see Table 1.
- To add a geolocation access control rule, see Table 1.
- To add a WTP rule, see Table 1.
- To add an information leakage prevention rule, see Table 1.
- To add a global protection whitelist rule, see Table 1.
- To add a data masking rule, see Table 1.
- Click Confirm.
diff --git a/docs/wafd/umn/waf_01_0062.html b/docs/wafd/umn/waf_01_0062.html deleted file mode 100644 index bfcb6f45..00000000 --- a/docs/wafd/umn/waf_01_0062.html +++ /dev/null @@ -1,14 +0,0 @@ - - -How Do I Obtain the Real IP Address of a Web Visitor?
--After you connect a website to your WAF instance, WAF works as a reverse proxy between the client and the server. The real IP address of the server is hidden and only the IP address of WAF is visible to web visitors.
-Generally, a proxy such as CDN, WAF, and anti-DDoS service is deployed between the client and server. Web visitors cannot directly access the server. For example, .
-When forwarding requests to the downstream server, the transparent proxy server adds an X-Forwarded-For field to the HTTP header to identify the web visitor's real IP address in the format of X-Forwarded-For: real IP address of the web visitor, proxy 1-IP address, proxy 2-IP address, proxy 3-IP address, ........->....
-Therefore, you can obtain the web visitor's real IP address from the X-Forwarded-For field. The first IP address in this field is the web visitor's real IP address.
--- diff --git a/docs/wafd/umn/waf_01_0063.html b/docs/wafd/umn/waf_01_0063.html index 94a1f874..11ed1cad 100644 --- a/docs/wafd/umn/waf_01_0063.html +++ b/docs/wafd/umn/waf_01_0063.html @@ -1,18 +1,32 @@ ---Parent topic: WAF Usage-Protection Rule Configuration
+Protection Rules
-
-
- Basic Web Protection
+ - Which Protection Levels Can Be Set for Basic Web Protection?
- - CC Attack Protection Rules
+ - What Is the Peak Rate of CC Attack Protection?
- - Precise Protection rules
+ - When Is Cookie Used to Identify Users?
- - Anti-Crawler Protection
+ - Why Does a Requested Page Fail to Respond to the Client After the JavaScript-based Anti-Crawler Is Enabled?
- - Others
+ - Is There Any Impact on Website Loading Speed If Other Crawler Check in Anti-Crawler Is Enabled?
+
+ - How Does JavaScript Anti-Crawler Detection Work?
+
+ - In Which Situations Will the WAF Policies Fail?
+
+ - How Do I Allow Requests from Only IP Addresses in a Specified Geographical Region?
+
+ - How Do I Allow Only Specified IP Addresses to Access Protected Websites?
+
+ - Why Does the Page Fail to Be Refreshed After WTP Is Enabled?
+
+ - What Are the Differences Between Blacklist/Whitelist Rules and Precise Protection Rules on Blocking Access Requests from Specified IP Addresses?
+
+ - What Do I Do If a Scanner, such as AppScan, Detects that the Cookie Is Missing Secure or HttpOnly?
-
-
- What Is Web Application Firewall?
+ - What Is WAF?
- Product Specifications
diff --git a/docs/wafd/umn/waf_01_0065.html b/docs/wafd/umn/waf_01_0065.html
index bf0a8e4c..ef628b75 100644
--- a/docs/wafd/umn/waf_01_0065.html
+++ b/docs/wafd/umn/waf_01_0065.html
@@ -4,8 +4,6 @@
- WAF uses rule and AI dual engines and integrates our latest security rules and best practices.
- You can configure enterprise-grade policies to protect your website more precisely, including custom alarm pages, combining multiple conditions in a CC attack protection rule, and blacklisting or whitelisting a large number of IP addresses.
- Sensitive information, such as accounts and passwords, in attack logs can be anonymized.
- PCI-DSS checks for SSL encryption are available.
- The minimum TLS protocol version and cipher suite can be configured.
- A non-standard port is configured when a domain name is connected to WAF. No port is added or the origin server port instead of the non-standard port is used to access the website. For example, use https://www.example.com or https://www.example.com:80 to access the website.
Solution: Add the non-standard port to the URL and access the origin server again, for example, https://www.example.com:8080.
- - No non-standard port is configured when a domain name is added to WAF. A non-standard port or the origin server port is used to access the website. For example, use https://www.example.com:8080 to access the website.
If no non-standard port is configured, WAF protects services on port 80/443 by default. To protect services on other ports, re-configure domain settings.
+Cause: The port added to a URL is incorrect.- A non-standard port is configured when a domain name is connected to WAF. No port is added or the origin server port instead of the non-standard port is used to access the website. For example, use https://www.example.com or https://www.example.com:80 to access the website. Figure 2 shows an example.
+
Solution: Add the non-standard port to the URL and access the origin server again, for example, https://www.example.com:8080.
+ - No non-standard port is configured when a domain name is added to WAF. A non-standard port or the origin server port is used to access the website. For example, use https://www.example.com:8080 to access the website. Figure 3 shows an example.
+
If no non-standard port is configured, WAF protects services on port 80/443 by default. To protect services on other ports, re-configure domain settings.
Solution: The domain name needs to be accessed directly. For example, https://www.example.com.
Possible causes are as follows:
- Cause 1: Your website is using another security protection software. The software considers back-to-source IP addresses of WAF as malicious and blocks the requests forwarded by WAF. As a result, the site becomes inaccessible.
-
Solution: Add the WAF IP address ranges to the whitelist of the firewall (hardware or software), security protection software, and rate limiting module.
- - Cause 2: Multiple backend servers are configured. However, one backend server is unreachable.Perform the following steps to check whether the origin server configuration is correct:
- Log in to the management console, click Service List in the upper part of the page, and choose .
- In the navigation pane, choose Website Settings.
- In the Protected Website column, click the domain name to go to the Basic Information page.
- In the Server Information area, click
. On the displayed page, check whether the client protocol, server protocol, origin server address, and port used by the origin server are correct. - Run the curl command on the host to check whether each origin server can be properly accessed.
curl http://xx.xx.xx.xx:yy -kvv
+Solution: Add the WAF back-to-source IP address ranges to the whitelist of the firewall (hardware or software), security protection software, and rate limiting module.
+ - Cause 2: Multiple backend servers are configured. However, one backend server is unreachable.Perform the following steps to check whether the origin server configuration is correct:
- Log in to the management console, click Service List in the upper part of the page, and choose .
- In the navigation pane, choose Website Settings.
- In the Domain Name column, click the domain name. Its information is displayed.
- In the Server Information area, click . On the displayed page, check whether the client protocol, server protocol, origin server address, and port used by the origin server are correct.
- Run the curl command on the host to check whether each origin server can be properly accessed.
curl http://xx.xx.xx.xx:yy -kvv
xx.xx.xx.xx indicates the IP address of the origin server. yy indicates the port of the origin server. xx.xx.xx.xx and yy must belong to the same origin server.
- - The host where the curl command can be run must meet the following requirements:
- The network communication is normal.
- The curl command has been installed. curl must be manually installed on the host running the Windows operating system. curl is installed along with other operating systems.
- The host where the curl command can be run must meet the following requirements:
- The network communication is normal.
- The curl command has been installed. curl must be manually installed on the host running a Windows operating system. curl is installed along with other operating systems.
- You can also enter http://origin server address:origin server port in the address bar of the browser to check whether the origin server can be properly accessed.
If connection refused is displayed, the origin server is unreachable and website cannot be accessed. Perform the following operations:
-- Check whether the server is running properly. If it is not, restart the server.
- Add the WAF IP address ranges to the whitelist of the firewall (hardware or software), security protection software, and rate limiting module.
- Check whether the server is running properly. If it is not, restart the server.
- Add the WAF back-to-source IP address ranges to the whitelist of the firewall (hardware or software), security protection software, and rate limiting module.
- Cause 3: Origin server performance
Solution: Contact your website owner to rectify the fault.
@@ -35,27 +37,25 @@504 Gateway Timeout
Scenario: After the configuration of connecting a domain name to WAF is complete, your website works properly. However, with the increasing traffic volume, the number of 504 errors also increases. If you directly access the IP address of the origin server, the 504 error code is returned sometimes.
The possible causes are as follows:
- Cause 1: Backend server performance issues (such as too many connections or high CPU usage)Solution:-
- Optimize the server configuration, including TCP network parameters and ulimit parameters.
- To handle large-scale service increase, use method 1 or method 2 to perform the processing.
Method 1: Add a backend server group to the ELB load balancer.
-Method 2: Create an ELB. Use the EIP of ELB as the IP address of the server to connect to WAF.-- Log in to the management console, click Service List in the upper part of the page, and choose .
- In the navigation pane, choose Website Settings.
- In the Protected Website column, click the domain name to go to the Basic Information page.
- In the Server Information area, click . On the displayed page, click Add.
Method 2: Create an ELB. Use the EIP of ELB as the IP address of the server to connect to WAF.-- Log in to the management console, click Service List in the upper part of the page, and choose .
- In the navigation pane, choose Website Settings.
- In the Domain Name column, click the domain name. Its information is displayed.
- In the Server Information area, click . On the displayed page, click Add.
- If the Client Protocol is HTTPS, you can use HTTPS on the WAF side. However, it is recommended that HTTP (Server Protocol) to forward the requests to your web server, lowering the computational demands on backend servers.
+- If the Client Protocol is HTTPS, you can use HTTPS on the WAF side. However, it is recommended that HTTP (Server Protocol) to forward the requests to your web server, lowering the computational demands on backend servers.
- Cause 2: The WAF back-to-source IP addresses are not whitelisted or your origin server port is not enabled.
-
Solution: Whitelist the WAF back-to-source IP addresses in the corresponding ECS security groups.
- - Cause 3: The origin server has a firewall and the firewall blocks the WAF IP addresses.
-
Solution: Whitelist the WAF back-to-source IP addresses in the corresponding ECS security groups or uninstall the firewall software except WAF.
+ - Cause 2: The WAF back-to-source IP addresses are not whitelisted or your origin server port is not enabled.
Solution: Whitelist the WAF back-to-source IP addresses in the corresponding ECS security groups.
+ - Cause 3: The origin server has a firewall and the firewall blocks the WAF back-to-source IP addresses.
Solution: Whitelist the WAF back-to-source IP addresses in the corresponding ECS security groups or uninstall the firewall software except WAF.
- Cause 4: Connection timeout and read timeout
Solution
- Database queries are slow.
- Tune services to shorten the query duration and improve user experience.
- Modify the request interaction mode so that the persistent connection can have some data transmitted within 60 seconds, such as ACK packets, heartbeat packets, keep-alive packets, and other packets that can keep the session alive.
- It takes a long time to upload large files.
- Tune services to shorten the file upload time.
- An FTP server is recommended for file upload.
- Upload the file through an IP address or a domain name that is not protected by WAF.
- The default timeout period for a dedicated WAF instance to respond origin servers is 180s.
- It takes a long time to upload large files.
- Tune services to shorten the file upload time.
- An FTP server is recommended for file upload.
- Upload the file through an IP address or a domain name that is not protected by WAF.
- The default timeout for a dedicated WAF instance to respond origin servers is 180s.
- The origin server is faulty.
- Database queries are slow.
- Cause 5: The bandwidth of the origin server exceeds the upper limit.
Solution: Increase the bandwidth of the origin server.
+ - Cause 6: In dedicated mode, the origin server port is not enabled in the security group of the origin server or the origin server subnet is not enabled in network ACLs.
Solution: Enable the security group ports, such as ports 80 and 443, and configure a network ACL to allow access from the origin server subnet.
diff --git a/docs/wafd/umn/waf_01_0067.html b/docs/wafd/umn/waf_01_0067.html index 9d9fce19..f06745dc 100644 --- a/docs/wafd/umn/waf_01_0067.html +++ b/docs/wafd/umn/waf_01_0067.html @@ -1,29 +1,23 @@ --Parent topic: Service Interruption Check+Parent topic: Troubleshooting Traffic Forwarding ExceptionsWebsite Domain Name Management
+Managing Websites
diff --git a/docs/wafd/umn/waf_01_0068.html b/docs/wafd/umn/waf_01_0068.html new file mode 100644 index 00000000..42bf92a9 --- /dev/null +++ b/docs/wafd/umn/waf_01_0068.html @@ -0,0 +1,23 @@ + + +-
-
- Viewing Basic Information
+ - Viewing Basic Information of a Website
- Switching WAF Working Mode
- - Configuring PCI DSS/3DS Certification Check and TLS Version
-
- - Configuring Connection Timeout
-
- - Configuring Connection Protection
-
- - Updating a Certificate
-
- - Configuring a Traffic Identifier for a Known Attack Source
+ - Updating the Certificate Used for a Website
- Editing Server Information
- - Modifying the Alarm Page
-
- - Removing a Protected Website from WAF
+ - Deleting a Protected Website from WAF
+Parent topic: Website Settings+Troubleshooting Certificate and Cipher Suite Issues
+ +++ diff --git a/docs/wafd/umn/waf_01_0070.html b/docs/wafd/umn/waf_01_0070.html index 17fb9591..e3b3a3da 100644 --- a/docs/wafd/umn/waf_01_0070.html +++ b/docs/wafd/umn/waf_01_0070.html @@ -1,12 +1,12 @@ --
+
- How Do I Fix an Incomplete Certificate Chain?
+
+ - Why Does My Certificate Not Match the Key?
+
+ - Why Are HTTPS Requests Denied on Some Mobile Phones?
+
+ - What Do I Do If the Protocol Is Not Supported and the Client and Server Do Not Support Common SSL Protocol Versions or Cipher Suites?
+
+ - Why Is the Bar Mitzvah Attack on SSL/TLS Detected?
+
+
++Parent topic: FAQs+Enabling WAF Protection
+Website Settings
diff --git a/docs/wafd/umn/waf_01_0071.html b/docs/wafd/umn/waf_01_0071.html deleted file mode 100644 index 84119117..00000000 --- a/docs/wafd/umn/waf_01_0071.html +++ /dev/null @@ -1,169 +0,0 @@ - - -Overview
-- diff --git a/docs/wafd/umn/waf_01_0074.html b/docs/wafd/umn/waf_01_0074.html index 114ed14e..843f7c31 100644 --- a/docs/wafd/umn/waf_01_0074.html +++ b/docs/wafd/umn/waf_01_0074.html @@ -1,18 +1,16 @@-Website Service Review
Sort out all website services you want to protect with WAF. This helps you learn about your workloads and specific data of your workloads so that you can choose and configure appropriate protection policies.
- --
-Table 1 Website services Item
-Description
-Website and Service Information
-Daily peak traffic of website/web application services, including the bandwidth (in Mbit/s) and QPS
-Use it as the basis for selecting the service bandwidth and QPS specifications.
-NOTE:-If your website traffic peak exceeds the maximum QPS specifications you are using, WAF will stop checking the traffic and directly forward it to the origin server. There is no protection for your website or applications.
-Major user group (for example, major locations where the requests originate from)
-Determine the attack source and then set geolocation access control rules to block users from these locations.
-Whether the service uses a C/S architecture
-If yes, check whether there is an app client, Windows client, Linux client, code callback, or any other client.
-Location where the origin server is deployed
-Decide which region you want to buy the instance.
-Operating system (Linux or Windows) and web service middleware (Apache, Nginx, or IIS) of the origin server
-Check whether access control is enabled for the origin server. If yes, whitelist WAF IP addresses.
-Domain protocol
-Check whether WAF supports the communication protocol used by your site.
-NOTE:-WAF can protect your website only when Client Protocol and Server Protocol are configured based on the real situation of your website.-- Client Protocol: the protocol used by a client (for example, a browser) to access your website. You can select HTTP or HTTPS.
- Server Protocol: the protocol used by WAF to forward requests from the client (such as a browser) to the origin server. You can select HTTP or HTTPS.
Service port
-Check whether your service ports are within the port range supported by WAF.
-- Standard ports
- 80: default port when the client protocol is HTTP
- 443: default port when the client protocol is HTTPS
- Non-standard ports
Ports other than ports 80 and 443. For non-standard ports supported by WAF, see Non-Standard Ports.
-
Whether TLSv1.0 or weak encryption suite is supported
-Check whether WAF supports the encryption suite used by your site.
-Whether advanced anti-DDoS, CDN, or other proxy services are deployed in front of WAF.
-Check whether a proxy is used and whether domain name is resolved to a correct address.
-Whether the client supports Server Name Indication (for HTTPS services)
-If your domain name supports HTTPS, the client and server must support Server Name Indication (SNI).
-Service interaction
-Understand the service interaction process and service processing logic to facilitate subsequent configuration of protection policies.
-Active users
-Determine the severity of an attack event to take a low-risk measure to respond it.
-Services and Attacks
-Service types and features (such as games, cards, websites, or apps)
-Help analyze the attack signatures.
-Inbound traffic range and connection status of a single user or a single IP address
-Help determine whether a rate limiting policy can be configured per IP address.
-User group attribute
-For example, individual users, Internet cafe users, or proxy users
-Whether your website experienced large-volumetric attacks, the attack type, and maximum peak traffic
-Determine whether a DDoS protection service is required and determine the DDoS protection specifications based on the peak attack traffic.
-Whether your website experienced CC attacks and the maximum peak QPS in a CC attack
-Configure the protection policies based on attack signatures.
-Whether the pressure test has been performed
-Evaluate the request processing performance of the origin server to determine whether service anomaly occurs due to attacks.
--How to Use WAF
Table 2 describes the procedure to use WAF. ---
-Table 2 Procedure to use WAF Step
-Description
-Applying for dedicated WAF instances
-Apply for a dedicated WAF instance.
-For details, see Applying for a Dedicated WAF Instance.
-Adding a website to WAF
-Add the website you want to protect to WAF.
-For details, see Step 1: Add a Website to WAF.
-Enabling WAF protection
-Enable WAF protection to protect added website.
-NOTE:-- Using WAF does not affect your web server performance because the WAF engine is not running on your web server.
- After your domain name is connected to WAF, there will be a latency of tens of milliseconds, which might be raised based on the size of the requested page or number of incoming requests.
Configuring protection rules
-Use WAF built-in protection rules and configure custom rules to protect your website. For more details, see Rule Configuration.
-Handling false alarms
-Mask blocked or logged events which are handled as false alarms. For more details, see Handling False Alarms.
-Viewing Dashboard
-View protection data of yesterday, today, last 3 days, last 7 days, or last 30 days. For more details, see Dashboard.
-For details about how to connect your website to WAF, see Figure 1. --Creating a Protection Policy
-A policy is a combination of rules, such as basic web protection, blacklist, whitelist, and precise protection rules. A policy can be applied to multiple domain names, but only one policy can be used for a domain name. This topic describes how to add a policy to your WAF instance.
+A policy is a combination of rules, such as basic web protection, blacklist, whitelist, and precise protection rules. A policy can be applied to multiple domain names, but only one policy can be used for a domain name. This topic describes how to add a policy for your WAF instance.
- If you have enabled enterprise projects, you can select your enterprise project from the Enterprise Project drop-down list and add protection policies in the project.
Prerequisites
A website has been added to WAF.
--Constraints
A protected website domain name can use only one policy.
Procedure
- Log in to the management console.
- Click
in the upper left corner of the management console and select a region or project. - Click
in the upper left corner and choose Web Application Firewall (Dedicated) under Security. - In the navigation pane on the left, choose Policies.
- In the upper left corner, click Add Policy.Figure 1 Policies-
- In the displayed dialog box, enter the policy name and click Confirm. The added policy will be displayed in the policy list.Figure 2 Add Policy+
-Procedure
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
- In the navigation pane on the left, choose Policies.
- In the upper left corner, click Add Policy.Figure 1 Policies+
- In the displayed dialog box, enter the policy name and click Confirm. The added policy will be displayed in the policy list.Figure 2 Add Policy
- In the Policy Name column, click the policy name. On the displayed page, add rules to the policy by referring to Rule Configurations.
Other Operations
- To modify a policy name, click
next to the policy name. In the dialog box displayed, enter a new policy name. - To delete a rule, locate the row containing the rule. In the Operation column, click Delete.
Related Operations
- To modify a policy name, click next to the policy name. In the dialog box displayed, enter a new policy name.
- To delete a rule, locate the row containing the rule. In the Operation column, click Delete.
diff --git a/docs/wafd/umn/waf_01_0075.html b/docs/wafd/umn/waf_01_0075.html index 9cf11c74..9e20cbcc 100644 --- a/docs/wafd/umn/waf_01_0075.html +++ b/docs/wafd/umn/waf_01_0075.html @@ -1,14 +1,16 @@ -Applying a Policy to Your Website
-This topic describes how to apply a policy to your protected website.
-Prerequisites
A website has been added to WAF.
+Adding a Domain Name to a Policy
+You can add a domain name to a new policy you think applicable. Then, the original policy applied to the domain name stops working on this domain name.
++ - If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the project from the Enterprise Project drop-down list and configure protection policies for the domain names in batches.
+Procedure
- Log in to the management console.
- Click
in the upper left corner of the management console and select a region or project. - Click
in the upper left corner and choose Web Application Firewall (Dedicated) under Security. - In the navigation pane on the left, choose Policies.
- In the row containing the policy you want to apply to a website, click Add Domain Name in the Operation column.Figure 1 Adding a domain name to a policy-
- Select one or more domain names from the Domain Name drop-down list.
- A protected domain name can use only one policy, but one policy can be applied to multiple domain names.
- To delete a policy that has been applied to domain names, add these domain names to other policies first. Then, click Delete in the Operation column of the policy you want to delete.
Adding a Domain Name to a Policy
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
- In the navigation pane on the left, choose Policies.
- In the row containing the policy you want to apply to a website, click Add Domain Name in the Operation column.Figure 1 Adding a domain name to a policy+
- Select one or more domain names from the Domain Name drop-down list.
- A protected domain name can use only one policy, but one policy can be applied to multiple domain names.
- To delete a policy that has been applied to domain names, add these domain names to other policies first. Then, click Delete in the Operation column of the policy you want to delete.
Figure 2 Selecting one or more domain names-
- Click Confirm.
- Click Confirm.
diff --git a/docs/wafd/umn/waf_01_0077.html b/docs/wafd/umn/waf_01_0077.html index 5a13a4a6..6133b520 100644 --- a/docs/wafd/umn/waf_01_0077.html +++ b/docs/wafd/umn/waf_01_0077.html @@ -4,11 +4,11 @@This topic describes how to download events (logged and blocked events) data for the last five days. One or more CSV files containing the event data of the current day will be generated at the beginning of the next day.
- If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the project from the Enterprise Project drop-down list and download protection event logs in the project.
Prerequisites
- The website to be protected has been added to WAF.
- An event file has been generated.
Prerequisites
- The website you want to protect has been connected to WAF.
- An event file has been generated.
-Specification Limitations
- Each file can include a maximum of 5,000 events. If there are more than 5,000 events, another file is generated.
- Only event data for the last five days can be downloaded through the WAF console.
Procedure
- Log in to the management console.
- Click
in the upper left corner of the management console and select a region or project. - Click
in the upper left corner and choose Web Application Firewall (Dedicated) under Security. - In the navigation pane on the left, choose Events.
- Click the Download Events tab and download the desired protection data. Table 1 describes the parameters.
+
Downloading Events Data
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
- In the navigation pane on the left, choose Events.
- Click the Downloads tab and download the desired protection data. Table 1 describes the parameters.
Table 1 Parameter description Parameter
Description
@@ -23,7 +23,7 @@Number of Events
Total number of blocked and logged events
-NOTE:The maximum number of events in a file is 10,000. If there are more than 10,000 events, another file is generated.
+NOTE:Each file can include a maximum of 5,000 events. If there are more than 5,000 events, another file is generated.
diff --git a/docs/wafd/umn/waf_01_0078.html b/docs/wafd/umn/waf_01_0078.html index 1d741e92..4f4ed94e 100644 --- a/docs/wafd/umn/waf_01_0078.html +++ b/docs/wafd/umn/waf_01_0078.html @@ -1,65 +1,65 @@ --Parent topic: Event Management+Parent topic: Viewing Protection EventsUploading a Certificate
-If you select HTTPS for Client Protocol when you add a website to WAF, a certificate must be associated with the website.
-You can upload a certificate to WAF. Then you can directly select the uploaded certificate for the protected website.
+Uploading a Certificate to WAF
+If you select Dedicated for Protection and set Client Protocol to HTTPS, a certificate is required for your website.
+If you upload a certificate to WAF, you can directly select the certificate when adding a website to WAF.
If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select your enterprise project from the Enterprise Project drop-down list and upload certificates in the project.
Prerequisites
You have obtained the certificate file and certificate private key.
-Specification Limitations
You can create as many certificates in WAF as the number of domain names that can be protected by your WAF instances in the same account. For example, if WAF can protect 10 domain names, you can create 10 certificates in WAF.
Constraints
If you import a new certificate when adding a protected website or updating a certificate, the certificate is added to the certificate list on the Certificates page, and the imported certificates is counted in the number of created certificates.
+Constraints
If you import a new certificate when adding a protected website or updating a certificate, the certificate is added to the certificate list on the Certificates page, and the imported certificate is also counted towards your total certificate quota.
-Application Scenario
If you select HTTPS for Client Protocol, a certificate is required.
Procedure
- Log in to the management console.
- Click
in the upper left corner of the management console and select a region or project. - Click
in the upper left corner and choose Web Application Firewall (Dedicated) under Security. - In the navigation pane, choose Objects > Certificates.
- Click Upload Certificate.
- In the Upload Certificate dialog box, enter a certificate name, and copy the certificate file and private key into the corresponding text boxes.Figure 1 Upload Certificate+
Uploading a Certificate to WAF
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
- In the navigation pane, choose Objects > Certificates.
- Click Add Certificate.
- In the displayed dialog box, enter a certificate name, and copy and paste the certificate file and private key to the corresponding text boxes.Figure 1 Upload Certificate-
Only .pem certificates can be used in WAF. If the certificate is not in .pem format, convert it into .pem locally by referring to Table 1 before uploading it. -Table 1 Certificate conversion commands Format
+Only .pem certificates can be used in WAF. If the certificate is not in .pem format, convert it into .pem locally by referring to Table 1 before uploading it. +-Table 1 Certificate conversion commands Format
Conversion Method
+Conversion Method
CER/CRT
+CER/CRT
Rename the cert.crt certificate file to cert.pem.
+Rename the cert.crt certificate file to cert.pem.
PFX
+PFX
- Obtain a private key. For example, run the following command to convert cert.pfx into key.pem:
openssl pkcs12 -in cert.pfx -nocerts -out key.pem -nodes
- - Obtain a certificate. For example, run the following command to convert cert.pfx into cert.pem:
openssl pkcs12 -in cert.pfx -nokeys -out cert.pem
+- Obtain a private key. For example, run the following command to convert cert.pfx into key.pem:
openssl pkcs12 -in cert.pfx -nocerts -out key.pem -nodes
+ - Obtain a certificate. For example, run the following command to convert cert.pfx into cert.pem:
openssl pkcs12 -in cert.pfx -nokeys -out cert.pem
- Obtain a private key. For example, run the following command to convert cert.pfx into key.pem:
P7B
+P7B
- Convert a certificate. For example, run the following command to convert cert.p7b into cert.cer:
openssl pkcs7 -print_certs -in cert.p7b -out cert.cer
- - Rename certificate file cert.cer to cert.pem.
- Convert a certificate. For example, run the following command to convert cert.p7b into cert.cer:
openssl pkcs7 -print_certs -in cert.p7b -out cert.cer
+ - Rename certificate file cert.cer to cert.pem.
DER
+DER
- Obtain a private key. For example, run the following command to convert privatekey.der into privatekey.pem:
openssl rsa -inform DER -outform PEM -in privatekey.der -out privatekey.pem
- - Obtain a certificate. For example, run the following command to convert cert.cer into cert.pem:
openssl x509 -inform der -in cert.cer -out cert.pem
+- Obtain a private key. For example, run the following command to convert privatekey.der into privatekey.pem:
openssl rsa -inform DER -outform PEM -in privatekey.der -out privatekey.pem
+ - Obtain a certificate. For example, run the following command to convert cert.cer into cert.pem:
openssl x509 -inform der -in cert.cer -out cert.pem
- Obtain a private key. For example, run the following command to convert privatekey.der into privatekey.pem:
-- Before running an OpenSSL command, ensure that the OpenSSL tool has been installed on the local host.
- If your local PC runs a Windows operating system, go to the command line interface (CLI) and then run the certificate conversion command.
- Before running an OpenSSL command, ensure that the OpenSSL tool has been installed on the local host.
- If your local PC runs a Windows operating system, go to the command line interface (CLI) and then run the certificate conversion command.
- Click Confirm.
+- Click Confirm.
-Verification
The certificate you created is displayed in the certificate list.
Other Operations
- To change the certificate name, move the cursor over the name of the certificate, click
, and enter a certificate name. If the certificate is in use, unbind the certificate from the domain name first. Otherwise, the certificate name cannot be changed.
+Related Operations
- To change the certificate name, move the cursor over the name of the certificate, click , and enter a certificate name.-
If the certificate is in use, unbind the certificate from the domain name first. Otherwise, the certificate name cannot be changed.
- To view details about a certificate, click View in the Operation column of the certificate.
- In the row containing the certificate you want, click Use in the Operation column to use the certificate to the corresponding domain name.
- To delete a certificate, locate the row of the certificate and click Delete in the Operation column.
- To view details about a certificate, click View in the Operation column of the certificate.
- In the row containing the certificate you want, click Use in the Operation column to use the certificate to the corresponding domain name.
- To delete a certificate, locate the row of the certificate and click More > Delete in the Operation column.
- To update a certificate, locate the row of the certificate and click More > Update in the Operation column.
diff --git a/docs/wafd/umn/waf_01_0081.html b/docs/wafd/umn/waf_01_0081.html index 9d8ab815..07570768 100644 --- a/docs/wafd/umn/waf_01_0081.html +++ b/docs/wafd/umn/waf_01_0081.html @@ -1,15 +1,15 @@ -Adding a Reference Table
+Creating a Reference Table to Configure Protection Metrics In Batches
This topic describes how to create a reference table to batch configure protection metrics of a single type, such as Path, User Agent, IP, Params, Cookie, Referer, and Header. A reference table can be referenced by CC attack protection rules and precise protection rules.
-New reference tables will be synchronized to CC attack protection rules and precise protection rules. When you configure a CC attack protection rule or precise protection rule, if the Logic field in the Trigger list is set to Include any value, Exclude any value, Equal to any value, Not equal to any value, Prefix is any value, Prefix is not any value, Suffix is any value, or Suffix is not any value, you can select an appropriate reference table from the Content drop-down list.
+When you configure a CC attack protection rule or precise protection rule, if the Logic field in the Trigger list is set to Include any value, Exclude any value, Equal to any value, Not equal to any value, Prefix is any value, Prefix is not any value, Suffix is any value, or Suffix is not any value, you can select an appropriate reference table from the Content drop-down list.
- If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the project from the Enterprise Project drop-down list and configure protection policies for the domain names in the project.
Prerequisites
A website has been added to WAF.
+-Prerequisites
A website has been added to WAF.
Application Scenarios
You can use a reference table when you configure protection fields in batches for CC attack protection rules and precise access protection rules.
+-Application Scenarios
Reference tables can be used for configuring multiple protection fields in CC attack protection and precise protection rules.
-Procedure
- Log in to the management console.
- Click
in the upper left corner of the management console and select a region or project. - Click
in the upper left corner and choose Web Application Firewall (Dedicated) under Security. - In the navigation pane on the left, choose Website Settings.
- In the Policy column of the row containing the target website, click the number to go to the policy configuration page.
- In the CC Attack Protection or Precise Protection area, click Customize Rule.
- Click Reference Table Management in the upper left corner of the list.Figure 1 Reference Table Management+
Creating a Reference Table
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
- In the navigation pane on the left, choose Policies.
- Click the name of the target policy to go to the protection configuration page.
- In the CC Attack Protection or Precise Protection area, click Customize Rule.
- Click Reference Table Management in the upper left corner of the list.Figure 1 Reference Table Management
- On the Reference Table Management page, click Add Reference Table.Figure 2 Add Reference Table
- In the Add Reference Table dialog box, specify the parameters by referring to Table 1.Figure 3 Adding a reference table@@ -50,12 +50,12 @@
- Click Confirm. You can then view the added reference table in the reference table list.
Other Operations
- To modify a reference table, click Modify in the row containing the reference table.
- To delete a reference table, click Delete in the row containing the reference table.
Related Operations
- To modify a reference table, click Modify in the row containing the reference table.
- To delete a reference table, click Delete in the row containing the reference table.
diff --git a/docs/wafd/umn/waf_01_0082.html b/docs/wafd/umn/waf_01_0082.html index 7f4a9eb7..9a27a0ca 100644 --- a/docs/wafd/umn/waf_01_0082.html +++ b/docs/wafd/umn/waf_01_0082.html @@ -3,19 +3,19 @@-Parent topic: Rule Configuration+Parent topic: Configuring Protection PoliciesHow Do I Fix an Incomplete Certificate Chain?
If the certificate provided by the certificate authority is not found in the built-in trust store on your platform and the certificate chain does not have a certificate authority, the certificate is incomplete. If you use the incomplete certificate to access the website corresponding to the protected domain name, the access will fail.
Use either of the following methods to fix it:
-- Manually build up a complete certificate chain and upload the certificate. (This function is available soon.)
- Purchase a new certificate and upload it.
- Make a complete certificate chain manually and upload the certificate.
- Upload the correct certificate.
The latest Google Chrome version supports automatic verification of the trust chain. The following describes how to manually create a complete certificate chain:
-- Check the certificate. Click the padlock in the address bar to view the certificate status. Figure 1 shows an example. -
- Check the certificate chain. Click Certificate. Select the Certificate Path tab and then click the certificate name to view the certificate status. Figure 2 shows an example. -
- Save the certificates to the local PC one by one.
- Select the certificate name and click the Details tab. Figure 3 shows an example. -
- Click Copy to File, and then click Next as prompted.
- Select Base-64 encoded X.509 (.CER) and click Next. Figure 4 shows an example.
+
- View and export the certificate.
- Click the padlock in the address bar to view the certificate status.
- Locate the row that shows Secure Connection, click
, and click Valid Certificate in address bar. - Click the Details tab. In the lower right corner of the page, click Copy to File... to export the certificate to the local PC.
- Check the certificate chain. Open the certificate you export. Select the Certificate Path tab and then click the certificate name to view the certificate status. Figure 1 shows an example. +
- Save the certificates to the local PC one by one. -
- Rebuild the certificate. After all certificates are exported to the local PC, open the certificate file in Notepad and rebuild the certificate according to the sequence shown in Figure 5. +
- Rebuild the certificate. After all certificates are exported to the local PC, open the certificate file in Notepad and rebuild the certificate according to the sequence shown in Figure 4.
- Upload the certificate again.
- View and export the certificate.
diff --git a/docs/wafd/umn/waf_01_0093.html b/docs/wafd/umn/waf_01_0093.html index 6dfee2ec..ed901294 100644 --- a/docs/wafd/umn/waf_01_0093.html +++ b/docs/wafd/umn/waf_01_0093.html @@ -1,12 +1,17 @@-Parent topic: Service Interruption Check+Parent topic: Troubleshooting Certificate and Cipher Suite IssuesWhy Are HTTPS Requests Denied on Some Mobile Phones?
-If your visitors receive a page similar to the one in Figure 1 when they try to access your website through a mobile phone, an incomplete certificate chain is uploaded when you connect the website to WAF. Rectify the fault by referring to How Do I Fix an Incomplete Certificate Chain?
++Symptom
Open the browser on the mobile phone and access the protected domain name. If a page similar to Figure 1 is displayed, the HTTPS request on the mobile phone is abnormal.
+Causes
The uploaded certificate chain is incomplete.
++Solution
For details, see How Do I Fix an Incomplete Certificate Chain?.
+diff --git a/docs/wafd/umn/waf_01_0094.html b/docs/wafd/umn/waf_01_0094.html index da281801..78bd306d 100644 --- a/docs/wafd/umn/waf_01_0094.html +++ b/docs/wafd/umn/waf_01_0094.html @@ -1,101 +1,146 @@-Parent topic: Service Interruption Check+Parent topic: Troubleshooting Certificate and Cipher Suite IssuesFunctions
-WAF makes it easier for you to handle web security risks.
--Protection for IP Addresses and Domain Names (Wildcard, Top-level, and Second-Level Domain Names)
Objects supported by dedicated WAF instances: domain names or IP addresses of web applications on a cloud or on-premises data centers
--HTTP/HTTPS Service Protection
WAF keeps applications stable and secure. It examines HTTP and HTTPS requests to detect and block attacks, such as Structure Query Language (SQL) injections, cross-site scripting (XSS), web shell upload, command or code injections, file inclusion, sensitive file access, third-party vulnerability exploits, CC attacks, malicious crawlers, and cross-site request forgery (CSRF).
--WebSocket/WebSockets
WAF supports the WebSocket/WebSockets protocol, which is enabled by default.
--PCI DSS/PCI 3DS Compliance Certification and TLS Checks
- TLS has three versions (TLS v1.0, TLS v1.1, and TLS v1.2) and five cipher suites. You can select the one best fits your business needs.
- WAF supports PCI DSS and PCI 3DS compliance certification check.
-Basic Web Protection
With an extensive preset reputation database, WAF defends against Open Web Application Security Project (OWASP) top 10 threats, malicious scanners, IP addresses, web shells, and other threats.
-- All-around protection
WAF detects and blocks varied attacks, such as SQL injection, XSS, remote overflow vulnerabilities, file inclusions, Bash vulnerabilities, directory (path) traversal attacks, sensitive file access, command and code injections, web shells, backdoors, malicious HTTP requests, and third-party vulnerability exploits.
- - Web shell detection -
- Precise identification
- WAF uses built-in semantic analysis engine and regex engine and supports configuring of blacklist/whitelist rules, which reduces false positives.
- WAF supports anti-escape and automatic restoration of common codes, which improves the capability of recognizing deformation web attacks.
WAF can decode the following types of code: url_encode, Unicode, XML, OCT, hexadecimal, HTML escape, and base64 code, case confusion, JavaScript, shell, and PHP concatenation confusion
-
- Deep inspection
WAF identifies and blocks evasion attacks, such as the ones that use homomorphic character obfuscation, command injection with deformed wildcard characters, UTF7, data URI scheme, and other techniques.
- - Header detection -
-CC Attack Prevention
A CC attack protection rule can limit access to a specific path (URL) of the protected website based on a specific IP address, cookie, or referer in access requests. So, WAF can accurately identify and mitigate CC attacks, such as brute-force attacks by exploiting weak passwords. Protective actions of CC attack protection rules include Verification code, Block, Dynamically block, and Log only.
- --GUI-based Security Data
WAF provides a GUI-based interface for you to monitor attack information and event logs in real time.
-- Centralized policy configuration
On the WAF console, you can configure policies applicable to multiple protected domain names in a centralized manner so that the policies can be quickly delivered and take effect.
- - Traffic and event statistics
WAF displays the number of requests, the number and types of security events, and log information in real time.
-
- To change the certificate name, move the cursor over the name of the certificate, click
- Obtain a private key. For example, run the following command to convert cert.pfx into key.pem:
- The host where the curl command can be run must meet the following requirements:
- A non-standard port is configured when a domain name is connected to WAF. No port is added or the origin server port instead of the non-standard port is used to access the website. For example, use https://www.example.com or https://www.example.com:80 to access the website. Figure 2 shows an example.
+
diff --git a/docs/wafd/umn/waf_01_0066.html b/docs/wafd/umn/waf_01_0066.html index b90c0fd9..88fa4cc9 100644 --- a/docs/wafd/umn/waf_01_0066.html +++ b/docs/wafd/umn/waf_01_0066.html @@ -1,11 +1,13 @@WAF examines web traffic from multiple dimensions to accurately identify malicious requests and filter attacks, reducing the risks of data being tampered with or stolen.
-Precisely and Efficiently Identify Threats
Zero-Day Vulnerabilities Patched Fast
A specialized security team provides 24/7 service support to fix zero-day vulnerabilities within 2 hours.
-Strong Protection for User Data Privacy
How Do I Troubleshoot 404/502/504 Errors?
-If an error, such as 404 Not Found, 502 Bad Gateway, or 504 Gateway Timeout, occurs after a domain name is connected to WAF, use the following methods to locate the cause and remove the error:
+If an error, such as 404 Not Found, 502 Bad Gateway, or 504 Gateway Timeout, occurs after a website is connected to WAF, use the following methods to locate the cause and remove the error:
404 Not Found
Scenario 1: When a visitor accesses your website, the page shown in Figure 1 is displayed.-Cause: The port added to a URL is incorrect.
- If you confirm that an event is a false alarm, locate the row containing the event. In the Operation column, click and handle the hit rule.
- Basic web protection rules
Other Operations
Related Operations
-Configuration Example - Logging Script Crawlers Only
To verify that WAF is protecting domain name www.example.com against an anti-crawler rule:
Configuration Example - Search Engine
The following shows how to allow the search engine of Baidu or Google and block the POST request of Baidu.
-diff --git a/docs/wafd/umn/waf_01_0016.html b/docs/wafd/umn/waf_01_0016.html index f686ece3..118d216d 100644 --- a/docs/wafd/umn/waf_01_0016.html +++ b/docs/wafd/umn/waf_01_0016.html @@ -1,115 +1,117 @@ --Parent topic: Rule Configuration+Parent topic: Configuring Protection PoliciesConfiguring a Global Protection Whitelist (Formerly False Alarm Masking) Rule
+Configuring a Global Proteciton whitelist Rule to Ignore False Alarms
Once an attack hits a WAF basic web protection rule or a feature-library anti-crawler rule, WAF will respond to the attack immediately according to the protective action (Log only or Block) you configured for the rule and display an event on the Events page.
You can add false alarm masking rules to let WAF ignore certain rule IDs or event types (for example, skip XSS checks for a specific URL).
Prerequisites
A website has been added to WAF.
++ If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the project from the Enterprise Project drop-down list and configure protection policies for the domain names in the project.
+-Prerequisites
A website has been added to WAF.
Constraints
- To protect all paths except a specified path
- Click Confirm. You can then view the added rule in the list of the geolocation access control rules.
- If you are not clear about your service traffic characteristics, you are advised to switch to the Log only mode first and observe the WAF protection for a period of time. Generally, you need to observe service running for one to two weeks, and then analyze the attack logs.
- Set the protective action.
- Set the protection level.
