Help Center/ Web Application Firewall/ User Guide (Ankara Region)/ Website Domain Name Management/ Configuring a Traffic Identifier for a Known Attack Source
Updated on 2024-04-12 GMT+08:00

Configuring a Traffic Identifier for a Known Attack Source

WAF allows you to configure traffic identifiers by IP address, session, or user tag to block possibly malicious requests from known attack sources based on IP address, Cookie, or Params.

Prerequisites

The website to be protected has been added to WAF.

Constraints

  • If the IP address tag is configured, ensure that the protected website has a layer-7 proxy configured in front of WAF and that Proxy Configured is set to Yes for the protected website.

    If the IP address tag is not configured, WAF identifies the client IP address by default.

  • Before enabling Cookie- or Params-based known attack source rules, configure a session or user tag for the corresponding website domain name.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall under Security & Compliance.
  4. In the navigation pane on the left, choose Website Settings.
  5. In the Domain Name column, click the domain name of the target website to go to the basic information page.
  6. In the Traffic Identifier area, click next to IP Tag, Session Tag, or User Tag to configure a traffic identifier by referring to Table 1.

    Table 1 Traffic identifier parameters

    Tag

    Description

    Example Value

    IP Tag

    HTTP request header field of the original client IP address.

    Ensure that the protected website has a layer-7 proxy configured in front of WAF and that Proxy Configured under the website basic information settings is set to Yes for this parameter to take effect.

    WAF obtains client IP addresses in the following sequence.

    1. If an IP tag is configured, WAF firstly obtains the source IP header list configured in upstream. If no value is obtained, go to 2.
    2. WAF obtains the value of the cdn-src-ip field in the source IP header list configured in the config file. If no value is obtained, go to 3.
    3. WAF obtains the value of the x-real-ip field. If no value is obtained, go to 4.
    4. WAF obtains the first public IP address from the left of the x-forwarded-for field. If no public IP address is obtained, go to 5.
    5. WAF obtains the value of the remote_addr field, which includes the IP address used for establishing the TCP connection.

    X-Forwarded-For

    Session Tag

    This tag is used to block possibly malicious requests based on the cookie attributes of an attack source. Configure this parameter to block requests based on cookie attributes.

    jssessionid

    User Tag

    This tag is used to block possibly malicious requests based on the Params attribute of an attack source. Configure this parameter to block requests based on the Params attributes.

    name

  7. Click Confirm.