Web Application Firewall
What's New
Function Overview
Product Bulletin
Java Spring Framework Remote Code Execution Vulnerability
Apache Dubbo Deserialization Vulnerability
DoS Vulnerability in the Open-Source Component Fastjson
Remote Code Execution Vulnerability of Fastjson
Oracle WebLogic wls9-async Deserialization Remote Command Execution Vulnerability (CNVD-C-2019-48814)
Service Overview
Infographics
What Is WAF?
Edition Differences
Basic Concepts
Functions
Product Advantages
Application Scenarios
Project and Enterprise Project
Personal Data Protection Mechanism
WAF Permissions Management
WAF and Other Services
Change History
Billing
Overview
Billing Modes
Overview
Yearly/Monthly Billing
Pay-per-Use Billing
Billing Items
Billing Examples
Renewing Your Subscription
Overview
Manually Renewing WAF
Auto-renewing WAF
Bills
About Arrears
Billing Termination
Cost Management
Billing FAQs
How Is WAF Billed?
Can WAF Continue Protecting a Domain Name When It Expires?
How Do I Unsubscribe from WAF?
Can I Retain the Original Configurations When I Unsubscribe from a WAF Instance and Then Purchase Another One?
Change History
Getting Started
Enabling WAF Protection
Configuring CC Attack Protection Rules
Configuring Precise Protection Rules
Getting Started with Common Practices
User Guide
WAF Operation Guide
Buying WAF
Buying a Cloud WAF Instance
Buying a Dedicated WAF Instance
Changing the Edition and Specifications of a Cloud WAF Instance
Expansion Packages Available in Cloud WAF
Domain Name Expansion Package
QPS Expansion Package
Rule Expansion Package
Dashboard
Events
Viewing Protection Event Logs
Handling False Alarms
Downloading Events Data
Policies
How to Configure WAF Protection
Configuring Basic Protection Rules to Defend Against Common Web Attacks
Configuring a CC Attack Protection Rule
Configuring Custom Precise Protection Rules
Configuring IP Address Blacklist and Whitelist Rules to Block or Allow Specified IP Addresses
Configuring Geolocation Access Control Rules to Block or Allow Requests from Specific Locations
Configuring Web Tamper Protection Rules to Prevent Static Web Pages from Being Tampered With
Configuring Anti-Crawler Rules
Configuring Information Leakage Prevention Rules to Protect Sensitive Information from Leakage
Configuring a Global Protection Whitelist Rule to Ignore False Alarms
Configuring Data Masking Rules to Prevent Privacy Information Leakage
Creating a Reference Table to Configure Protection Metrics In Batches
Configuring a Known Attack Source Rule to Block Specific Visitors for a Specified Duration
Condition Field Description
Application Types WAF Can Protect
Policy Management
Creating a Protection Policy
Adding a Domain Name to a Policy
Adding Rules to One or More Policies
Website Settings
Adding a Website to WAF
Process for Adding a Website to WAF
Step 1: Add a Domain Name to WAF (Cloud Mode)
Step 4: Whitelist WAF Back-to-Source IP Addresses
Step 3: Test WAF
Step 3: Modify the DNS Records of the Domain Name
Configuration Example: Adding a Domain Name to WAF
Connecting a Website to WAF (Dedicated Mode)
Connection Process (Dedicated Mode)
Step 1: Add a Website to WAF (Dedicated Mode)
Step 2: Configure a Load Balancer for WAF
Step 3: Bind an EIP to a Load Balancer
Step 4: Whitelist Back-to-Source IP Addresses of Dedicated WAF Instances
Step 5: Test Dedicated WAF Instances
Advanced Settings
Configuring PCI DSS/3DS Certification Check and TLS Version
Enabling WAF IPv6 Protection
Enabling the HTTP/2 Protocol
Configuring a Timeout for Connections Between WAF and a Website Server
Configuring a Traffic Identifier for a Known Attack Source
Modifying the Alarm Page
Basic Information
Viewing Basic Information
Exporting Website Settings
Switching WAF Working Mode
Switching the Load Balancing Algorithm
Updating a Certificate
Editing Server Information
Viewing Protection Information About a Protected Website on Cloud Eye
Deleting a Protected Website from WAF
Ports Supported by WAF
Object Management
Certificate Management
Uploading a Certificate
Using a Certificate for a Protected Website in WAF
Viewing Certificate Information
Sharing a Certificate with Other Enterprise Projects
Deleting a Certificate
Managing IP Address Blacklist and Whitelist Groups
Adding an IP Address Group
Modifying or Deleting a Blacklist or Whitelist IP Address Group
System Management
Managing Dedicated WAF Engines
Viewing Product Details
Enabling Alarm Notifications
Permissions Management
Authorizing and Associating an Enterprise Project
IAM Permissions Management
Creating a User Group and Granting Permissions
WAF Custom Policies
WAF Permissions and Supported Actions
Monitoring and Auditing
Monitoring
WAF Monitored Metrics
Configuring Alarm Monitoring Rules
Viewing Monitored Metrics
Auditing
WAF Operations Recorded by CTS
Querying Real-Time Traces
Change History
Best Practices
WAF Cloud Mode Access Configuration
Preparations
Connecting a Domain Name to WAF for Websites with no Proxy Used
Best Practices for Website Protection
Mitigating Web Security Vulnerabilities
Java Spring Framework Remote Code Execution Vulnerability
Apache Dubbo Deserialization Vulnerability
DoS Vulnerability in the Open-Source Component Fastjson
Remote Code Execution Vulnerability of Fastjson
Oracle WebLogic wls9-async Deserialization Remote Command Execution Vulnerability (CNVD-C-2019-48814)
Configuring Protection Policies
Configuring Basic Web Protection
Configuring CC Attack Protection
Overview
IP Address-based Rate Limiting
Cookie-based CC Attack Protection
Restricting Malicious Requests in Promotions by Using Cookies and HWWAFSESID
Configuring Anti-Crawler Rules to Prevent Crawler Attacks
Handling False Alarms to Get Improved Basic Web Protection
Verifying a Global Protection Whitelist (Formerly False Alarm Masking) Rule by Simulating Requests with Postman
Configuring Origin Server Security
Configuring the Minimum TLS Version and Cipher Suite to Better Secure Connections
Configuring an Access Control Policy on an ECS or ELB to Protect Origin Servers
Configuring Collaborative Protection
Combining CDN and WAF to Get Improved Protection and Load Speed
Combining WAF and Layer-7 Load Balancers to Protect Services over Any Ports
Combining WAF and HSS to Get Improved Web Tamper Protection
Upgrading a Dedicated WAF Instance
Obtaining Real Client IP Addresses
Change History
API Reference
Before You Start
Overview
API Calling
Concepts
API Overview
API Calling
Making an API Request
Authentication
Response
APIs
Managing Websites Protected by Dedicated WAF Engines
Querying the List of Domain Names Protected by Dedicated WAF Instances
Adding a Domain Name to a Dedicated WAF Instance
Modifying a Domain Name Protected by a Dedicated WAF Instance
Querying Domain Name Settings in Dedicated Mode
Deleting a Domain Name from a Dedicated WAF Instance
Modifying the Protection Status of a Domain Name in Dedicated Mode
Rule Management
Changing the Status of a Rule
Querying CC Attack Protection Rules
Creating a CC Attack Protection Rule
Querying a CC Attack Protection Rule by ID
Updating a CC Attack Protection Rule
Deleting a CC Attack Protection Rule
Querying the List of Precise Protection Rules
Creating a Precise Protection Rule
Querying a Precise Protection Rule by ID
Updating a Precise Protection Rule
Deleting a Precise Protection Rule
Creating a Global Protection Whitelist (Formerly False Alarm Masking) Rule
Querying the List of Global Protection Whitelist (Formerly False Alarm Masking) Rules
Updating a Global Protection Whitelist (Formerly False Alarm Masking) Rule
Deleting a Global Protection Whitelist (Formerly False Alarm Masking) Rule
Querying the Blacklist and Whitelist Rule List
Creating a Blacklist/Whitelist Rule
Querying a Blacklist or Whitelist Rule
Updating a Blacklist or Whitelist Protection Rule
Querying Global Protection Whitelist (Formerly False Alarm Masking) Rules
Deleting a Blacklist or Whitelist Rule
Querying the JavaScript Anti-Crawler Rule List
Updating a JavaScript Anti-Crawler Protection Rule
Creating a JavaScript Anti-Crawler Rule
Querying a JavaScript Anti-Crawler Rule
Updating a JavaScript Anti-Crawler Rule
Deleting a JavaScript Anti-Crawler Rule
Querying the List of Data Masking Rules
Creating a Data Masking Rule
Querying a Data Masking Rule
Updating a Data Masking Rule
Deleting a Data Masking Rule
Querying the List of Known Attack Source Rules
Creating a Known Attack Source Rule
Querying a Known Attack Source Rule by ID
Updating a Known Attack Source Rule
Deleting a Known Attack Source Rule
Querying the List of Geolocation Access Control Rules
Creating a Geolocation Access Control Rule
Querying a Geolocation Access Control Rule by ID
Updating a Geolocation Access Control Rule
Deleting a Geolocation Access Control Rule
Querying the List of Web Tamper Protection Rules
Creating a Web Tamper Protection Rule
Querying a Web Tamper Protection Rule
Deleting a Web Tamper Protection Rule
Updating the Cache for a Web Tamper Protection Rule
Querying the List of Information Leakage Prevention Rules
Creating an Information Leakage Prevention Rule
Querying an Information Leakage Prevention Rule
Updating an Information Leakage Prevention Rule
Deleting an Information Leakage Prevention Rule
Querying the Reference Table List
Creating a Reference Table
Querying a Reference Table
Modifying a Reference Table
Deleting a Reference Table
Address Group Management
Querying IP Address Groups
Creating an IP Address Group
Querying IP Addresses in an Address Group
Modifying an IP Address Group
Deleting an IP Address Group
Certificate Management
Querying the List of Certificates
Uploading a Certificate
Querying a Certificate
Modifying a Certificate
Deleting a Certificate
Applying a Certificate to a Domain Name
Event Management
This API is used to query details about an event of a specified ID
Querying the List of Attack Events
Dashboard
Querying the QPS Statistics
Querying Statistics of Requests and Attacks
Querying Bandwidth Usage Statistics
Querying Statistics of Top Exceptions
Querying Top Security Statistics by Category
Querying Website Requests
Dedicated Instance Management
Querying Dedicated WAF Instances
Creating a Dedicated WAF Instance
Querying Details about a Dedicated WAF Instance
Renaming a Dedicated WAF Instance
Deleting a Dedicated WAF Instance
Log Reporting
Querying LTS Settings
Configuring LTS for WAF Logging
Managing Your Subscriptions
Request body for buying a yearly/monthly-billed cloud WAF instance
Changing Specifications of a Cloud WAF Instance Billed Yearly/Monthly
Querying Your Subscriptions
System Management
Querying the IP addresses of WAF
Alarm Management
This API is used to query configuration of alarm notifications.
This API is used to update alarm notification configuration.
Protected Website Management in Cloud Mode
Querying the List of Domain Names Protected in Cloud Mode
Adding a Domain Name to the Cloud WAF
Querying Details About a Domain Name by Domain Name ID in Cloud Mode
Updating Configurations of Domain Names Protected with Cloud WAF
Deleting a Domain Name from the Cloud WAF
Changing the Protection Status of a Domain Name
Querying the Domain Name of a Tenant
Querying Domain Names Protected with All WAF Instances
Querying a Domain Name by ID
Policy Management
Querying the Protection Policy List
Creating a Protection Policy
Querying a Policy by ID
Updating a Protection Policy
Deleting a Protection Policy
Updating the Domain Name Protection Policy
Appendix
Status Code
Error Codes
Obtaining a Project ID
Change History
SDK Reference
SDK Overview
FAQs
Most Frequently Asked Questions
About WAF
FAQs for Beginners
WAF Functions
Can WAF Protect an IP Address?
What Objects Does WAF Protect?
Does WAF Block Customized POST Requests?
What Are the Differences Between the Web Tamper Protection Functions of WAF and HSS?
Which Web Service Framework Protocols Does WAF Support?
Can WAF Protect Websites Accessed Through HSTS or NTLM Authentication?
What Are the Differences Between WAF Forwarding and Nginx Forwarding?
What Are the Differences Between WAF and CFW?
Can I Configure Session Cookies in WAF?
How Does WAF Detect SQL Injection, XSS, and PHP Injection Attacks?
Can WAF Defend Against the Apache Struts2 Remote Code Execution Vulnerability (CVE-2021-31805)?
WAF Usage
Why Does the Vulnerability Scanning Tool Report Disabled Non-standard Ports for My WAF-Protected Website?
What Are the Restrictions on Using WAF in Enterprise Projects?
How Do I Obtain the Real IP Address of a Web Visitor?
Will Traffic Be Permitted After WAF Is Switched to the Bypassed Mode?
What Are Local File Inclusion and Remote File Inclusion?
What Is the Difference Between QPS and the Number of Requests?
Does WAF Support Custom Authorization Policies?
How Do I Configure My Server to Allow Only Requests from WAF?
Why Do Cookies Contain the HWWAFSESID or HWWAFSESTIME field?
Can I Switch Between the WAF Cloud Mode and Dedicated Mode?
How Do I Configure WAF If a Reverse Proxy Server Is Deployed for My Website?
How Does WAF Forward Access Requests When Both a Wildcard Domain Name and a Single Domain Name Are Connected to WAF?
Regions and AZs
What Are Regions and AZs?
Can I Use WAF Across Regions?
Configuring IPv6 Addresses
Which WAF Editions in Which Regions Support IPv6 Protection?
How Do I Check Whether the Origin Server IP Address Configured in WAF Is an IPv6 Address?
Can I Configure the Origin Server Address to an IPv6 Address in WAF?
How Does WAF Forward Traffic to an IPv6 Origin Server?
Purchasing WAF
What Are the Differences Between the Permissions of an Account and Those of IAM Users?
Can I Share My WAF with Other Accounts?
How Does WAF Calculate Domain Name Quota Usage?
Service Request/Specification
WAF Instance Specifications Change
How Do I Change the WAF Instance Edition to a Lower One and Reduce Number of Packages?
Can I Add More Protection Rules?
What Can I Do If the Website Traffic Exceeds the WAF Service Request Limit?
What Are the Impacts When QPS Exceeds the Allowed Peak Rate?
Can I Change WAF Specifications During Renewal?
How Many Rules Can I Add to a WAF Instance?
Where and When Can I Buy a Domain, QPS, or Rule Expansion Package?
About Service Requests
How Do I Select Service QPS When Purchasing WAF?
Is Service QPS Calculated Based on Incoming Traffic or Outgoing Traffic?
Does WAF Have a Limit on the Protection Bandwidth or Shared Bandwidth?
Where Can I View the Inbound and Outbound Bandwidths of a Protected Website?
Website Domain Name Access Configuration
Domain Name and Port Configuration
How Do I Add a Domain Name/IP Address to WAF?
Which Non-Standard Ports Does WAF Support?
How Do I Use a Dedicated WAF Instance to Protect Non-Standard Ports That Are Not Supported by the Dedicated Instance?
How Do I Configure Domain Names to Be Protected When Adding Domain Names?
Do I Have to Configure the Same Port as That of the Origin Server When Adding a Website to WAF?
How Do I Configure Non-standard Ports When Adding a Protected Domain Name?
What Can I Do If One of Ports on an Origin Server Does Not Require WAF Protection?
What Data Is Required for Connecting a Domain Name/IP Address to WAF?
How Do I Safely Delete a Protected Domain Name?
Can I Change the Domain Name That Has Been Added to WAF?
What Are the Precautions for Configuring Multiple Server Addresses for Backend Servers?
Does WAF Support Wildcard Domain Names?
How Do I Route Website Traffic to My Cloud WAF Instance?
What Can I Do If the Message "Illegal server address" Is Displayed When I Add a Domain Name?
Why Am I Seeing That My Domain Quota Is Insufficient When There Is Still Remaining Quota?
Can I Configure Multiple Load Balancers for a Dedicated WAF Instance?
Why Am I Seeing the "Someone else has already added this domain name. Please confirm that the domain name belongs to you" Error Message?
Certificate Management
How Do I Select a Certificate When Configuring a Wildcard Domain Name?
Do I Need to Import the Certificates That Have Been Uploaded to ELB to WAF?
How Do I Convert a Certificate into PEM Format?
Server Configuration
How Do I Configure the Client Protocol and Server Protocol?
Why Cannot I Select a Client Protocol When Adding a Domain Name?
Can I Set the Origin Server Address to a CNAME Record If I Use Cloud WAF?
Domain Name Resolution
How Do I Modify DNS Record on Huawei Cloud DNS?
How Do I Verify Domain Ownership Using Huawei Cloud DNS?
How Do I Configure the TXT Record on HUAWEI CLOUD DNS Service?
What Are Impacts If No Subdomain Name and TXT Record Are Configured?
Operations After Connecting Websites to WAF
Can I Access a Website Using an IP Address After a Domain Name Is Connected to WAF?
How Do I Test WAF?
How Can I Forward Requests Directly to the Origin Server Without Passing Through WAF?
Service Interruption Check
How Do I Troubleshoot 404/502/504 Errors?
Why Is My Domain Name or IP Address Inaccessible?
How Do I Handle False Alarms as WAF Blocks Normal Requests to My Website?
Why Does WAF Block Normal Requests as Invalid Requests?
Why Is the Handle False Alarm Button Grayed Out?
How Do I Whitelist IP Address Ranges of Cloud WAF?
What Is the Connection Timeout Duration of WAF? Can I Manually Set the Timeout Duration?
How Do I Solve the Problem of Excessive Redirection Times?
Why Are HTTPS Requests Denied on Some Mobile Phones?
How Do I Fix an Incomplete Certificate Chain?
Why Does My Certificate Not Match the Key?
Why Am I Seeing Error Code 418?
Why Am I Seeing Error Code 523?
Why Is the Website Login Page Continuously Refreshed After a Domain Name Is Connected to WAF?
Why Does the Requested Page Respond Slowly After the HTTP Forwarding Policy Is Configured?
How Can I Upload Files After the Website Is Connected to WAF?
Why Am I Seeing Error Code 414 Request-URI Too Large?
What Do I Do If the Protocol Is Not Supported and the Client and Server Do Not Support Common SSL Protocol Versions or Cipher Suites?
Why Cannot I Access the Dedicated Engine Page?
Why Is the Bar Mitzvah Attack on SSL/TLS Detected?
Protection Rule Configuration
Basic Web Protection
How Do I Switch the Mode of Basic Web Protection from Log Only to Block?
Which Protection Levels Can Be Set for Basic Web Protection?
CC Attack Protection Rules
What Is the Peak Rate of CC Attack Protection?
How Do I Configure a CC Attack Protection Rule?
When Is Cookie Used to Identify Users?
What Are the Differences Between Rate Limit and Allowable Frequency in a CC Rule?
Why Cannot the Verification Code Be Refreshed When Verification Code Is Configured in a CC Attack Protection Rule?
Precise Protection Rules
Can a Precise Protection Rule Take Effect in a Specified Period?
Can a Path Containing # Be Matched in a Precise Protection Rule?
How Can I Allow Access from .js Files?
IP Address Blacklist and Whitelist
Can I Batch Add IP Addresses to a Blacklist or Whitelist Rule?
Can I Import or Export a Blacklist or Whitelist into or from WAF?
How Do I Block Abnormal IP Addresses?
Anti-Crawler Protection
Why Is the Requested Page Unable to Load After JavaScript Anti-Crawler Is Enabled?
Is There Any Impact on Website Loading Speed If Other Crawler Check in Anti-Crawler Is Enabled?
How Does JavaScript Anti-Crawler Detection Work?
Others
In Which Situations Will the WAF Policies Fail?
Can I Export or Back Up the WAF Configuration?
How Do I Allow Requests from Only IP Addresses in a Specified Geographical Region?
What Working Modes and Protection Mechanisms Does WAF Have?
What Types of Protection Rules Does WAF Support?
Which of the WAF Protection Rules Support the Log-Only Protective Action?
How Do I Allow Only Specified IP Addresses to Access Protected Websites?
Which Protection Rules Are Included in the System-Generated Policy?
Why Does the Page Fail to Be Refreshed After WTP Is Enabled?
What Are the Differences Between Blacklist/Whitelist Rules and Precise Protection Rules on Blocking Access Requests from Specified IP Addresses?
What Do I Do If a Scanner, such as AppScan, Detects that the Cookie Is Missing Secure or HttpOnly?
Protection Event Logs
Can I Obtain WAF Logs Using APIs?
What Does "Mismatch" for "Protective Action" Mean in the Event List?
How Does WAF Obtain the Real Client IP Address for a Request?
How Long Can WAF Protection Logs Be Stored?
Can I Query Protection Events of a Batch of Specified IP Addresses at Once?
Will WAF Record Unblocked Events?
Why Is the Traffic Statistics on WAF Inconsistent with That on the Origin Server?
Why Is the Number of Logs on the Dashboard Page Inconsistent with That on the Configure Logs Tab?
Change History
Troubleshooting
Troubleshooting Website Connection Exceptions
Why Is My Domain Name or IP Address Inaccessible?
Why Does the Requested Page Respond Slowly After a Forwarding Policy Is Configured for My Website?
What Can I Do If Files Cannot Be Uploaded After a Website Is Connected to WAF?
Troubleshooting Certificate and Cipher Suite Issues
How Do I Fix an Incomplete Certificate Chain?
Why Does My Certificate Not Match the Key?
Why Are HTTPS Requests Denied on Some Mobile Phones?
What Do I Do If the Protocol Is Not Supported and the Client and Server Do Not Support Common SSL Protocol Versions or Cipher Suites?
Why Is the Bar Mitzvah Attack on SSL/TLS Detected?
Troubleshooting Traffic Forwarding Exceptions
How Do I Troubleshoot 404/502/504 Errors?
Why Am I Seeing Error Code 418?
Why Am I Seeing Error Code 523?
Why Is My Website Redirected Too Many Times?
Why Am I Seeing Error Code 414 Request-URI Too Large?
What Is the Connection Timeout Duration of WAF? Can I Manually Set the Timeout Duration?
Checking Whether Normal Requests Are Blocked Mistakenly
How Do I Handle False Alarms as WAF Blocks Normal Requests to My Website?
Why Does WAF Block Normal Requests as Invalid Requests?
Why Is the Handle False Alarm Button Grayed Out?
Videos