- What's New
- Function Overview
-
Product Bulletin
- Java Spring Framework Remote Code Execution Vulnerability
- Apache Dubbo Deserialization Vulnerability
- DoS Vulnerability in the Open-Source Component Fastjson
- Remote Code Execution Vulnerability of Fastjson
- Oracle WebLogic wls9-async Deserialization Remote Command Execution Vulnerability (CNVD-C-2019-48814)
- Service Overview
- Billing
- Getting Started
-
User Guide
- Creating a User Group and Granting Permissions
- Buying WAF
- Connecting a Website to WAF
- Viewing Protection Events
-
Configuring Protection Policies
- Protection Configuration Overview
- Configuring Basic Web Protection to Defend Against Common Web Attacks
- Configuring CC Attack Protection Rules to Defend Against CC Attacks
- Configuring Custom Precise Protection Rules
- Configuring IP Address Blacklist and Whitelist Rules to Block or Allow Specified IP Addresses
- Configuring Geolocation Access Control Rules to Block or Allow Requests from Specific Locations
- Configuring Web Tamper Protection Rules to Prevent Static Web Pages from Being Tampered With
- Configuring Anti-Crawler Rules
- Configuring Information Leakage Prevention Rules to Protect Sensitive Information from Leakage
- Configuring a Global Protection Whitelist Rule to Ignore False Alarms
- Configuring Data Masking Rules to Prevent Privacy Information Leakage
- Creating a Reference Table to Configure Protection Metrics in Batches
- Configuring a Known Attack Source Rule to Block Specific Visitors for a Specified Duration
- Condition Field Description
- Application Types WAF Can Protect
- Viewing the Dashboard Page
- Website Settings
- Policy Management
- Object Management
- System Management
- Permissions Management
- Monitoring and Auditing
-
Best Practices
- Website Access Configuration
- Website Protection Configuration Suggestions
-
Mitigating Web Security Vulnerabilities
- Java Spring Framework Remote Code Execution Vulnerability
- Apache Dubbo Deserialization Vulnerability
- DoS Vulnerability in the Open-Source Component Fastjson
- Remote Code Execution Vulnerability of Fastjson
- Oracle WebLogic wls9-async Deserialization Remote Command Execution Vulnerability (CNVD-C-2019-48814)
- Defending Against Challenge Collapsar (CC) Attacks
- Using WAF to Block Crawler Attacks
- Verifying a Global Protection Whitelist Rule by Simulating Requests with Postman
- Combining WAF and HSS to Improve Web Page Tampering Protection
- Configuring Origin Server Security
- Obtaining the Real Client IP Addresses
-
API Reference
- Before You Start
- API Overview
- API Calling
-
APIs
-
Managing Websites Protected by Dedicated WAF Engines
- Querying the List of Domain Names Protected by Dedicated WAF Instances
- Adding a Domain Name to a Dedicated WAF Instance
- Modifying a Domain Name Protected by a Dedicated WAF Instance
- Querying Domain Name Settings in Dedicated Mode
- Deleting a Domain Name from a Dedicated WAF Instance
- Modifying the Protection Status of a Domain Name in Dedicated Mode
-
Rule Management
- Changing the Status of a Rule
- Querying CC Attack Protection Rules
- Creating a CC Attack Protection Rule
- Querying a CC Attack Protection Rule by ID
- Updating a CC Attack Protection Rule
- Deleting a CC Attack Protection Rule
- Querying the List of Precise Protection Rules
- Creating a precise protection rule
- Querying a Precise Protection Rule by ID
- Updating a precise protection rule
- Deleting a precise protection rule
- Creating a Global Protection Whitelist (Formerly False Alarm Masking) Rule
- Querying the List of Global Protection Whitelist (Formerly False Alarm Masking) Rules
- Updating a Global Protection Whitelist (Formerly False Alarm Masking) Rule
- Deleting a Global Protection Whitelist (Formerly False Alarm Masking) Rule
- Querying the Blacklist and Whitelist Rule List
- Creating a Blacklist/Whitelist Rule
- Querying a blacklist or whitelist rule
- Updating a Blacklist or Whitelist Protection Rule
- Querying Global Protection Whitelist (Formerly False Alarm Masking) Rules
- Deleting a Blacklist or Whitelist Rule
- Querying the JavaScript Anti-Crawler Rule List
- Updating a JavaScript Anti-Crawler Protection Rule
- Creating a JavaScript Anti-Crawler Rule
- Querying a JavaScript Anti-Crawler Rule
- Updating a JavaScript Anti-Crawler Rule
- Deleting a JavaScript Anti-Crawler Rule
- Querying the list of Data Masking Rules.
- Creating a Data Masking Rule
- Querying a Data Masking Rule
- Updating a Data Masking Rule
- Deleting a Data Masking Rule
- Querying the List of Known Attack Source Rules
- Creating a Known Attack Source Rule
- Querying a Known Attack Source Rule by ID
- Updating a Known Attack Source Rule
- Deleting a Known Attack Source Rule
- Querying the List of Geolocation Access Control Rules
- Creating a Geolocation Access Control Rule
- Querying a Geolocation Access Control Rule by ID.
- Updating a Geolocation Access Control Rule
- Deleting a Geolocation Access Control Rule
- Querying the List of Web Tamper Protection Rules
- Creating a Web Tamper Protection Rule
- Querying a Web Tamper Protection Rule
- Deleting a Web Tamper Protection Rule
- Updating the Cache for a Web Tamper Protection Rule
- Querying the List of Information Leakage Prevention Rules
- Creating an Information Leakage Prevention Rule
- Querying an Information Leakage Prevention Rule
- Updating an Information Leakage Prevention Rule
- Deleting an Information Leakage Prevention Rule
- Querying the Reference Table List
- Creating a Reference Table
- Querying a Reference Table
- Modifying a Reference Table
- Deleting a Reference Table
- Address Group Management
- Certificate Management
- Event Management
- Dashboard
- Dedicated Instance Management
- Log Reporting
- Managing Your Subscriptions
- System Management
- Alarm Management
-
Protected Website Management in Cloud Mode
- Querying the List of Domain Names Protected in Cloud Mode
- Adding a Domain Name to the Cloud WAF
- Querying Details About a Domain Name by Domain Name ID in Cloud Mode
- Updating Configurations of Domain Names Protected with Cloud WAF
- Deleting a Domain Name from the Cloud WAF
- Changing the Protection Status of a Domain Name
- Querying the Domain Name of a Tenant
- Policy management
-
Managing Websites Protected by Dedicated WAF Engines
- Appendix
- Change History
- SDK Reference
-
FAQs
-
About WAF
- WAF Basics
- Can WAF Protect an IP Address?
- What Objects Does WAF Protect?
- Does WAF Block Customized POST Requests?
- What Are the Differences Between the Web Tamper Protection Functions of WAF and HSS?
- Which Web Service Framework Protocols Does WAF Support?
- Can WAF Protect Websites Accessed Through HSTS or NTLM Authentication?
- What Are the Differences Between WAF Forwarding and Nginx Forwarding?
- What Are the Differences Between WAF and CFW?
- Can I Configure Session Cookies in WAF?
- How Does WAF Detect SQL Injection, XSS, and PHP Injection Attacks?
- Can WAF Defend Against the Apache Struts2 Remote Code Execution Vulnerability (CVE-2021-31805)?
- Why Does the Vulnerability Scanning Tool Report Disabled Non-standard Ports for My WAF-Protected Website?
- What Are the Restrictions on Using WAF in Enterprise Projects?
- Will Traffic Be Permitted After WAF Is Switched to the Bypassed Mode?
- What Are Local File Inclusion and Remote File Inclusion?
- What Is the Difference Between QPS and the Number of Requests?
- Does WAF Support Custom Authorization Policies?
- Why Do Cookies Contain the HWWAFSESID or HWWAFSESTIME field?
- Can I Switch Between the WAF Cloud Mode and Dedicated Mode?
- What Are Regions and AZs?
- Can I Use WAF Across Regions?
-
About Purchase and Specifications Change
- What Are the Differences Between the Permissions of an Account and Those of IAM Users?
- Can I Share My WAF with Other Accounts?
- How Does WAF Calculate Domain Name Quota Usage?
- Can I Add More Protection Rules?
- What Can I Do If the Website Traffic Exceeds the WAF Service Request Limit?
- What Are the Impacts When QPS Exceeds the Allowed Peak Rate?
- Can I Change WAF Specifications During Renewal?
- Where and When Can I Buy a Domain, QPS, or Rule Expansion Package?
- How Do I Select Service QPS When Purchasing WAF?
- Is Service QPS Calculated Based on Incoming Traffic or Outgoing Traffic?
- Does WAF Have a Limit on the Protection Bandwidth or Shared Bandwidth?
- Where Can I View the Inbound and Outbound Bandwidths of a Protected Website?
-
Website Connect Issues
- How Do I Configure Domain Names to Be Protected When Adding Domain Names?
- Do I Have to Configure the Same Port as That of the Origin Server When Adding a Website to WAF?
- How Do I Whitelist Back-to-Source IP Addresses of Cloud WAF?
- What Are the Precautions for Configuring Multiple Server Addresses for Backend Servers?
- Does WAF Support Wildcard Domain Names?
- How Does WAF Forward Access Requests When Both a Wildcard Domain Name and a Single Domain Name Are Connected to WAF?
- What Can I Do If the Message "Illegal server address" Is Displayed When I Add a Domain Name?
- Why Am I Seeing That My Domain Quota Is Insufficient When There Is Still Remaining Quota?
- Why Am I Seeing the "Someone else has already added this domain name. Please confirm that the domain name belongs to you" Error Message?
- Why Cannot I Select a Client Protocol When Adding a Domain Name?
- Can I Set the Origin Server Address to a CNAME Record If I Use Cloud WAF?
- How Do I Verify Domain Ownership Using Huawei Cloud DNS?
- What Are Impacts If No Subdomain Name and TXT Record Are Configured?
- Can I Access a Website Using an IP Address After a Domain Name Is Connected to WAF?
- How Can I Forward Requests Directly to the Origin Server Without Passing Through WAF?
-
Protection Rules
- Which Protection Levels Can Be Set for Basic Web Protection?
- What Is the Peak Rate of CC Attack Protection?
- When Is Cookie Used to Identify Users?
- What Are the Differences Between Rate Limit and Allowable Frequency in a CC Rule?
- Why Cannot the Verification Code Be Refreshed When Verification Code Is Configured in a CC Attack Protection Rule?
- Can I Batch Add IP Addresses to a Blacklist or Whitelist Rule?
- Can I Import or Export a Blacklist or Whitelist into or from WAF?
- Why Does a Requested Page Fail to Respond to the Client After the JavaScript-based Anti-Crawler Is Enabled?
- Is There Any Impact on Website Loading Speed If Other Crawler Check in Anti-Crawler Is Enabled?
- How Does JavaScript Anti-Crawler Detection Work?
- In Which Situations Will the WAF Policies Fail?
- How Do I Allow Requests from Only IP Addresses in a Specified Geographical Region?
- How Do I Allow Only Specified IP Addresses to Access Protected Websites?
- Which Protection Rules Are Included in the System-Generated Policy?
- Why Does the Page Fail to Be Refreshed After WTP Is Enabled?
- What Are the Differences Between Blacklist/Whitelist Rules and Precise Protection Rules on Blocking Access Requests from Specified IP Addresses?
- What Do I Do If a Scanner, such as AppScan, Detects that the Cookie Is Missing Secure or HttpOnly?
- Certificate Management
-
Protection Event Logs
- Can I Obtain WAF Logs Using APIs?
- What Does "Mismatch" for "Protective Action" Mean in the Event List?
- How Does WAF Obtain the Real Client IP Address for a Request?
- How Long Can WAF Protection Logs Be Stored?
- Can I Query Protection Events of a Batch of Specified IP Addresses at Once?
- Will WAF Record Unblocked Events?
- Why Is the Traffic Statistics on WAF Inconsistent with That on the Origin Server?
- Why Is the Number of Logs on the Dashboard Page Inconsistent with That on the Configure Logs Tab?
- Why Is My Domain Name or IP Address Inaccessible?
- How Do I Fix an Incomplete Certificate Chain?
-
About WAF
-
Troubleshooting
- Troubleshooting Website Connection Exceptions
-
Troubleshooting Certificate and Cipher Suite Issues
- How Do I Fix an Incomplete Certificate Chain?
- Why Does My Certificate Not Match the Key?
- Why Are HTTPS Requests Denied on Some Mobile Phones?
- What Do I Do If the Protocol Is Not Supported and the Client and Server Do Not Support Common SSL Protocol Versions or Cipher Suites?
- Why Is the Bar Mitzvah Attack on SSL/TLS Detected?
- Troubleshooting Traffic Forwarding Exceptions
- Checking Whether Normal Requests Are Blocked Mistakenly
- Videos
Creating an IP Address Group
Function
This API is used to create an IP address group.
URI
POST /v1/{project_id}/waf/ip-groups
Parameter |
Mandatory |
Type |
Description |
---|---|---|---|
project_id |
Yes |
String |
Project ID |
Parameter |
Mandatory |
Type |
Description |
---|---|---|---|
enterprise_project_id |
No |
String |
Enterprise project ID. |
Request Parameters
Parameter |
Mandatory |
Type |
Description |
---|---|---|---|
X-Auth-Token |
Yes |
String |
User token. It can be obtained by calling the IAM API (value of X-Subject-Token in the response header). |
Content-Type |
Yes |
String |
Content type. Default: application/json;charset=utf8 |
Parameter |
Mandatory |
Type |
Description |
---|---|---|---|
name |
Yes |
String |
Address group name |
ips |
Yes |
String |
IP addresses or IP address ranges are separated by commas (,). |
description |
No |
String |
Address group description |
Response Parameters
Status code: 200
Parameter |
Type |
Description |
---|---|---|
id |
String |
ID of the IP address group |
name |
String |
IP address group name |
ips |
String |
Address group IP addresses (IP addresses or IP address ranges are separated by commas (,). |
size |
Integer |
Length of the IP address group |
rules |
Array of RuleInfo objects |
List of rules that use the IP address group |
description |
String |
Address group description |
timestamp |
Long |
Timestamp |
Parameter |
Type |
Description |
---|---|---|
rule_id |
String |
Rule ID |
rule_name |
String |
Rule name |
policy_id |
String |
Policy ID |
policy_name |
String |
Policy Name |
Status code: 400
Parameter |
Type |
Description |
---|---|---|
error_code |
String |
Error code |
error_msg |
String |
Error message |
Status code: 401
Parameter |
Type |
Description |
---|---|---|
error_code |
String |
Error code |
error_msg |
String |
Error message |
Status code: 500
Parameter |
Type |
Description |
---|---|---|
error_code |
String |
Error code |
error_msg |
String |
Error message |
Example Requests
The following example shows how to create an address group in a project. The project ID is specified by project_id. IP address group name: group3. IP address: xx.xx.xx.xx. Address group description: demo.
POST https://{Endpoint}/v1/{project_id}/waf/ip-groups?enterprise_project_id=0 { "name" : "group3", "ips" : "xx.xx.xx.xx", "description" : "demo" }
Example Responses
Status code: 200
Request succeeded.
{ "id" : "c36e896b18ee486a81026fce8e69fb1a", "ips" : "xx.xx.xx.xx", "name" : "group3", "rules" : [ ], "size" : 1, "timestamp" : 1666747418345, "description" : "demo" }
Status Codes
Status Code |
Description |
---|---|
200 |
Request succeeded. |
400 |
Request failed. |
401 |
The token does not have required permissions. |
500 |
Internal server error. |
Error Codes
See Error Codes.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.