Enabling WAF Protection
WAF is designed to keep web applications stable and secure. It examines all HTTP and HTTPS requests to detect and block attacks such as SQL injection, XSS, webshell, command and code injection, file inclusion, sensitive file access, third-party vulnerability exploits, CC attacks, malicious crawlers, and cross-site request forgery (CSRF).
This section describes how to enable WAF protection to protect your web applications from common web exploits.
Step 1: Buy WAF
1. Log in to the management console. Choose Security & Compliance > Web Application Firewall.
2. Click Buy Now. On the page for buying WAF, set the number of domain and bandwidth expansion packages and required duration.
1. For details about WAF editions, see Edition.
2. The Auto-renew option enables the system to renew your service by the purchased period when the service is about to expire.
Choose Web Application Firewall.
Buy Web Application Firewall.
Step 2: Create a Domain Name
1. In the navigation pane, choose Domains. In the upper left corner of the domain list, Click Add Domain Name.
2. Configure Domain Name. This field can be a single domain (www.domain.com) or wildcard domain (*.domain.com).
3. Configure Server Configuration: including the Client Protocol, Server Protocol,Server Address, and Server Port.
4. Proxy Configured: If your website is using a proxy such as Advanced Anti-DDoS (AAD), Content Delivery Network (CDN), or any other cloud acceleration service, select Yes so that the WAF security policies take effect on the origin server IP address.
1. WAF protects ports 88 and 443 by default. To protect another port, select Non-standard Port and then select a value from the Port drop-down list.
2. If Client Protocol is set to HTTPS, select an existing certificate or import a new certificate. For details about how to import a new certificate, see Updating a Certificate.
Add a domain name.
Configure Domain Name.
Configure server information.
Set Proxy Configured.
Step 3: Connect a Domain Name
1. (No proxy used) Switch to the page of your DNS provider as prompted and point your domain to the new CNAME.
2. (A proxy used) Modify the back-to-source IP address of the proxy (such as Advanced Anti-DDoS or CDN) as prompted.To prevent other users from configuring your domain names on WAF in advance (this will cause interference on your domain name protection), you are advised to add the subdomain name and TXT record at your DNS provider. For details about the configuration method, see What Are the Impacts If a Subdomain Name and TXT Record Are Not Configured?.
1. By default, WAF detects the DNS status of each protected domain name hourly. If you have performed domain connection and Access Status is Accessed, the domain name has been connected to WAF.
2. The default status of WAF is Log only. Switch the WAF status to Block by referring to Step 4.
No proxy used.
A proxy used.
Step 4: Enable WAF Protection
1. In the Operation column of the row containing the target domain name, click Configure Policy.
2. In the Basic Web Protection configuration area, set Mode to Block.
After Block is selected, attacks are blocked and logged once they are detected.
Click Configure Policy.
Set Mode to Block.