Updated on 2025-08-19 GMT+08:00

Protection Configuration Overview

After a website is connected to WAF, a default protection policy is generated for the website domain name. You can configure protection rules for the policy as needed. You can also add a protection policy, apply it to the domain name, and configure protection rules for this policy.

Tutorial Video

This video introduces core functions and advanced protection capabilities of WAF.

Protection and Check Principles

WAF engines check HTTP/HTTPS requests in a fixed sequence and take action according to the rules you configure. Only one protective action can be configured for protection rules with the same conditions. The WAF check sequence is determined by the protection rule type, not by the protective action.

Figure 1 shows the WAF engine work process. Table 1 shows the protection rule check sequence.

Figure 1 WAF engine work process

The protective actions are as follows:
  • Pass: The request is unconditionally allowed after a rule is matched.
  • Block: The request is blocked after a rule is matched.

    If the protective action is set to Block, you can also configure a known attack source rule (see Configuring a Known Attack Source Rule to Block Specific Visitors for a Specified Duration). WAF then blocks requests matching the configured IP address, Cookie, or Params for the duration set in that rule.

  • CAPTCHA: CAPTCHA verification will be performed if a request matches the rule.
  • Redirect: The request will be redirected if a rule is matched.
  • Log: Attack information is logged only if a rule is matched.
  • Mask: Sensitive information will be masked if a request matches the rule.
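The check sequence described above, modelled as an added example (this is not Huawei Cloud WAF code): rules are visited in the Table 1 order of their type, never by their action. The assumed semantics, that Pass and Block end the check while Log records a hit and continues, and that a matched global protection whitelist rule makes WAF skip the rule types it names, are this example's assumptions, as are the sample addresses and rules.

```python
from dataclasses import dataclass
from typing import Callable

# Rule types in the Table 1 check sequence (first entry is checked first).
CHECK_SEQUENCE = [
    "global_whitelist", "ip_list", "geolocation", "threat_intel", "precise",
    "scanning", "bot", "anti_crawler", "cc", "basic_web", "web_tamper",
    "info_leakage", "data_masking",
]

@dataclass
class Request:
    ip: str
    path: str
    country: str

@dataclass
class Rule:
    rule_type: str
    action: str                          # "pass", "block", "log" or "ignore"
    match: Callable[[Request], bool]
    ignores: frozenset = frozenset()     # used only by global_whitelist rules

def evaluate(rules, req):
    """Return (final_action, logged_rule_types). Assumed semantics: rules are
    sorted by the CHECK_SEQUENCE position of their type, so the order in
    which they were configured and the action they carry never matter."""
    ordered = sorted(rules, key=lambda r: CHECK_SEQUENCE.index(r.rule_type))
    skipped, logged = set(), []
    for rule in ordered:
        if rule.rule_type in skipped or not rule.match(req):
            continue
        if rule.rule_type == "global_whitelist":
            skipped |= rule.ignores          # later rule types are ignored
        elif rule.action == "log":
            logged.append(rule.rule_type)    # record the hit, keep checking
        elif rule.action in ("pass", "block"):
            return rule.action, logged       # terminal action
    return "pass", logged

# Constructed sample policy, deliberately listed out of check order.
POLICY = [
    Rule("basic_web", "block", lambda r: "union select" in r.path.lower()),
    Rule("precise", "block", lambda r: r.path.startswith("/admin")),
    Rule("geolocation", "log", lambda r: r.country == "XX"),
    Rule("ip_list", "block", lambda r: r.ip == "198.51.100.7"),
    Rule("global_whitelist", "ignore", lambda r: r.ip == "10.0.0.5",
         ignores=frozenset({"precise"})),
]

if __name__ == "__main__":
    print(evaluate(POLICY, Request("203.0.113.9", "/admin/users", "XX")))
```

The whitelisted client is still blocked by basic web protection because its global whitelist rule ignores only precise protection rules, while the geolocation log rule, checked earlier, never stops a request.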

Protection Rule Overview

After your website is connected to WAF, WAF applies a protection policy to your website and enables General Check (with Protective Action set to Log only and Protection Level set to Medium) in Basic Web Protection and enables Scanner check (with Protective Action set to Log only) in Anti-Crawler protection.

If your website is under attack, you can configure custom protection rules based on the attack details on the Events page. Table 1 lists the protection rule types supported by WAF in check-sequence order.

You can click the target protection policy on the Policies page and select Sort by check sequence. All protection rules will be re-arranged according to WAF check sequence.

Table 1 Supported protection rules (ranked by check sequence)

Each entry gives the protection rule, its description, and the reference topic for configuring it.

  1. Global protection whitelist rules
     Description: You can configure these rules to let WAF ignore certain rules for specific requests.
     Reference: Configuring a Global Protection Whitelist Rule to Ignore False Alarms

  2. Blacklist and whitelist rules
     Description: You can configure blacklist and whitelist rules to block, log only, or allow access requests from specified IP addresses. Known attack source rules are supported; see Configuring a Known Attack Source Rule to Block Specific Visitors for a Specified Duration.
     Reference: Configuring IP Address Blacklist and Whitelist Rules to Block or Allow Specified IP Addresses

  3. Geolocation access control rules
     Description: You can customize these rules to allow or block requests from a specific country or region.
     Reference: Configuring Geolocation Access Control Rules to Block or Allow Requests from Specific Locations

  4. Threat intelligence access control rules
     Description: Access control is performed based on the IP address library of the Internet Data Center (IDC).
     Reference: Configuring Threat Intelligence Access Control Rules to Block or Allow IP Addresses in a Specified IP Address Library

  5. Precise protection rules
     Description: You can configure custom protection rules by combining HTTP headers, cookies, URLs, request parameters, and client IP addresses. Known attack source rules are supported; see Configuring a Known Attack Source Rule to Block Specific Visitors for a Specified Duration.
     Reference: Configuring Custom Precise Protection Rules

  6. Scanning protection rules
     Description: The scanning protection module identifies scanning behaviors and scanner features to prevent attackers or scanners from scanning websites at scale. WAF automatically blocks heavy-traffic web attacks and directory traversal attacks and blocks the source IP addresses for a period of time, helping reduce intrusion risks and junk traffic.
     Reference: Configuring a Scanning Blocking Rule to Automatically Block Heavy-Traffic Attacks

  7. Bot rules
     Description: Supports detection of known bots, signature-based requests, and bot behavior. With layered bot detection, WAF can accurately identify and manage bot behavior in website traffic, effectively reducing risks such as data leakage and performance deterioration caused by bot attacks.
     Reference: Configuring Bot Protection Rules to Defend Against Bot Behavior

  8. Website anti-crawler protection rules
     Description: This function dynamically analyzes website service models and accurately identifies crawler behavior based on data risk control and bot identification systems, such as JS Challenge.
     Reference: Configuring Anti-Crawler Rules

  9. CC attack protection rules
     Description: CC attack protection rules can be customized to restrict access to a specific URL on your website based on a unique IP address, cookie, or referer field, mitigating CC attacks. Known attack source rules are supported; see Configuring a Known Attack Source Rule to Block Specific Visitors for a Specified Duration.
     Reference: Configuring CC Attack Protection Rules to Defend Against CC Attacks

  10. Basic web protection
     Description: WAF defends against common web attacks, such as SQL injections, XSS, remote overflow vulnerabilities, file inclusions, Bash vulnerabilities, remote command execution, directory traversal, sensitive file access, and command/code injections. You can also enable other checks in basic web protection, such as web shell detection, deep inspection against evasion attacks, and header inspection.
     Reference: Configuring Basic Web Protection to Defend Against Common Web Attacks

  11. Web tamper protection rules
     Description: You can configure these rules to prevent a static web page from being tampered with.
     Reference: Configuring Web Tamper Protection Rules to Prevent Static Web Pages from Being Tampered With

  12. Information leakage prevention rules
     Description: You can add two types of information leakage prevention rules.
       • Sensitive information filtering: prevents disclosure of sensitive information (such as ID numbers, phone numbers, and email addresses).
       • Response code interception: blocks the specified HTTP status codes.
     Reference: Configuring Information Leakage Prevention Rules to Protect Sensitive Information from Leakage

  13. Data masking rules
     Description: You can configure data masking rules to prevent sensitive data such as passwords from being displayed in event logs.
     Reference: Configuring Data Masking Rules to Prevent Privacy Information Leakage

Protection Configuration Procedure

After connecting a website to WAF, you can configure protection as follows:

  1. (Optional) Add a protection policy. For details, see Creating a Protection Policy. If you configure protection rules in the default protection policy, you can skip steps 1 and 2.
  2. (Optional) Add a domain name to the protection policy. For details, see Adding a Domain Name to a Policy.
  3. Configure protection rules. For details, see Configuring Protection Rules. You can enable and configure protection rules in the protection policy in use.