Function Overview

Web Application Firewall (WAF) keeps web services stable and secure. It examines all HTTP and HTTPS requests to detect and block the following attacks: Structured Query Language (SQL) injection, cross-site scripting (XSS), web shells, command and code injections, file inclusion, sensitive file access, third-party vulnerability exploits, Challenge Collapsar (CC) attacks, malicious crawlers, and cross-site request forgery (CSRF).
After you purchase a WAF instance, add your website domain to the WAF instance on the WAF console. All public network traffic for your website then goes to WAF first. WAF identifies and filters out the illegitimate traffic, and routes only the legitimate traffic to your origin server to ensure site security.

WAF can be deployed in cloud mode. Cloud WAF can protect web applications in HUAWEI CLOUD, other clouds, and on-premises. Cloud WAF has strong elastic scaling capabilities. You can scale it up with just one click.
WAF supports yearly/monthly billing modes. The yearly/monthly billing mode is supported in the standard(former professional), professional(former enterprise), and platinum(former premium) editions.

You can use WAF dedicated instances to protect your workloads on Huawei Cloud. In dedicated mode, you can add website domain names or IP address to WAF. WAF dedicated instances are exclusively used by you so they can protect your workloads from large-scale traffic attacks.
WAF dedicated instances are billed on a pay-per-use basis. You only pay for what you use..

After you connect a domain name to your WAF instance, WAF works as a reverse proxy between the client and the server. The real IP address of the server is hidden and only the IP address of WAF is visible to web visitors.

After you enable the notification function in WAF, alarm information will be sent to you as configured once your domain name is attacked.

In addition to standard ports 80 and 443, WAF also supports non-standard ports.

The built-in protection rules of WAF help you defend against common web application attacks, including XSS attacks, SQL injection, crawlers, and web shells. In addition, you can flexibly configure protection rules based on your website protection requirements. 

With an extensive preset reputation database, WAF defends against Open Web Application Security Project (OWASP) top 10 threats, malicious scanners, IP addresses, web shells, and other threats.
All-around protection: WAF detects and blocks such threats as SQL injection, XSS, file inclusion, directory traversal attacks, sensitive file access, command and code injections, web shells, backdoors, malicious HTTP requests, and third-party vulnerability exploits.
Precise identification:
WAF uses built-in semantic analysis engine and regex engine and supports configuring of blacklist/whitelist rules, which reduces false positives.
WAF supports anti-escape and automatic restoration of common codes, which improves the capability of recognizing deformation web attacks.
WAF can decode a wide range of code types, including url_encode, Unicode, XML, C-OCT, hexadecimal, HTML escape, and base64 code, case confusion, JavaScript, shell, and PHP concatenation confusion.

You can customize your Challenge Collapsar (CC) attack rules to restrict access to a specific URL on your website based on a unique IP address, cookie, or Referer field. WAF identifies and mitigates CC attacks based on the protection rules you configured. For example, you can configure the following rule: If a user whose cookie ID is name accesses the /admin* page under your domain name for more than 10 times within 60 seconds, the user is forbidden to access the target website for 600 seconds.

With precise protection rules, WAF allows you to customize combinations of HTTP headers, cookies, URLs, request parameters, and client IP addresses, improving protection accuracy. Precise protection rules can be used in hotlinking prevention and website management background protection.

This function allows you to blacklist or whitelist IP addresses or an IP address range to improve defense accuracy.

If WAF blocks a malicious request by IP address, Cookie, or Params, you can configure a known attack source rule to let WAF automatically block all requests from the attack source for a blocking duration set in the known attack source rule.
After a known attack source rule is added, you need to select the rule in basic web protection, precise protection, or blacklist and whitelist protection for the rule to take effect.

These rules allow you to customize access control for IP addresses forwarded from/to specified countries and provinces.

You can configure cache for static web pages. When a user accesses a web page, the system returns a cached page to the user and randomly checks whether the page is tampered with.

Dynamically analyze website service models and accurately identify crawler behavior based on data risk control and bot identification systems, such as JS Challenge.

Prevents disclosure of sensitive information (such as ID numbers, phone numbers, and email addresses) , and response code interception: intercepts the specified HTTP status codes.

If you select All protection for Ignore WAF Protection, all WAF rules do not take effect, and WAF allows all request traffic to the domain names in the rule.

If you select Basic Web Protection for Ignore WAF Protection, you can ignore basic web protection by rule ID, attack type, or all built-in rules. For example, if XSS check is not required for a URL, you can whitelist XSS rule.

Data masking prevents such data as passwords from being displayed in event logs.

On the Dashboard page, you can view event logs, including attack and request statistics, event distribution, top 10 attacked domain names, top 10 attack source IP addresses, and top 10 attacked URLs in a specified time frame, such as yesterday, today, past 3 days, past 7 days, or past 30 days.
On the Events page, you can view the event data of all protected domain names in the last 30 days.

You can download events (logged and blocked events) data over the past five days. A CSV file containing the event data of the current day is generated at the beginning of the next the day.

If HTTPS is selected for Client Protocol when you add a website to WAF, you need to associate a certificate with the website.
You can create a certificate and upload it to WAF. Then you can directly select the uploaded certificate for the protected website.

You can delete an expired or invalid certificate.

When Client Protocol for a website to be protected is set to HTTPS, you can use WAF to set the minimum TLS version and cipher suite (a set of cryptographic algorithms) for the website. All requests using a TLS version earlier than the minimum TLS version cannot access the protected website so that your service is secured.
WAF allows you to enable PCI DSS and PCI 3DS certification checks. After PCI DSS or PCI 3DS certification check is enabled, the minimum TLS version is automatically set to TLS v1.2 to meet the PCI DSS and PCI 3DS certification requirements.

You can modify server information, including Client Protocol, Server Protocol, Server Address, and Server Port.

You can delete a protected website that you do not want to protect any more. Deletion takes effect within one minute. Note that deleted domain names cannot be recovered. You should exercise caution when deleting a protected website.