Help Center/ Web Application Firewall/ User Guide/ System Management/ Managing Dedicated WAF Engines
Updated on 2024-08-05 GMT+08:00
View PDF
Share

Managing Dedicated WAF Engines

This topic describes how to manage your dedicated WAF instances (or engines), including viewing instance information, viewing instance monitoring configurations, upgrading the instance edition, or deleting an instance.

If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instances locate. Then, you can select the project from the Enterprise Project drop-down list and manage dedicated WAF instances in the project.

Prerequisites

  • Your login account has the IAM ReadOnly permission.

Dedicated Engine Version Iteration

Engine Version

Feature

June 2024
  • The health-check API is supported.
  • Cookies can be checked for invalid characters.
  • The Protective Action in CC attack protection rules can be set to JS Challenge.
  • Known feature crawler can be set in the condition list of precise protection rules.
  • When and how to execute a precise rule can be set in the Apply parameter.
  • Requests for only error response codes 4xx and 5xx can be logged. Function parameter: upstream.extend.only_log_abnormal_status.
  • In dedicated mode, the default values of X-Real-IP and X-Hwwaf-Real-IP are returned from $client_ip instead of $remote_addr.

December 2023
  • A global protection whitelist rule can be set to ignore invalid requests.
  • JavaScript-based anti-crawler rules support more protective actions, including Block, Log only, and Verification code.

August 2023
  • The $remote_addr field is added to the IP identifier, which can be directly set to the IP address of the TCP connection.
  • IP addresses used in TCP connections can be identified by CC, precise protection, blacklist, and whitelist rules.
  • A block duration can be set if Protective Action is set to Verification code in a CC attack protection rule.

April 2023
  • HTTP2 is enabled globally by default. There is no need to enable it manually.
  • By default, a request can pass through WAF four times before it goes to the origin server. Error code 523 will be returned if the request exceeds this limit.
  • Strict multipart format verification is supported.
  • Dedicated ELB network load balancers are supported. (In earlier versions, only shared load balancers and dedicated application load balancers are supported.)

November 2022
  • Built-in tags can be added to attack logs (hit_data) when built-in rules are hit.
  • Destination rate limiting and response code conditions can be configured in CC attack protection rules.

September 2022
  • TLS v1.3 is supported.
  • Protection for on-premises web servers is supported.
  • More types of statistics are added to heartbeat logs for attacks.
  • HTTPS ports 60700 to 60999 (300 ports) are added to the protection port list.

July 2022
  • The wildcard domain name matching logic is supported.
  • The global protection whitelist is supported.

May 2022

Configuring the earliest TLS version based on instances is supported.

March 2022
  • Rules can be updated and delivered from the management plane.
  • False alarm masking rules can work for all domain names and specified domain names.
  • All conditions can be configured for false alarm masking.

February 2022

The request logging methods are optimized.

January 2022

Some regular expression matching rules are optimized.

November 2021
  • The log only mode is supported for information leakage rules.
  • Attack logs of invalid requests are added.
  • Precise protection rules can work to each IP address (only for IPv4 format) in the XFF request header.
  • Timeout duration can be set for specified domain names.
  • Some functions are optimized.

October 2021

The performance of some functions is improved.

September 2021
  • Precise protection rules can work to the request body field.
  • Precise protection rules support regular expression matching and all subfields.
  • Some logs can be interconnected with LTS.

June 2021
  • The HTTPS port supports HTTP/2.
  • The region ID field is added to access logs.
  • The region ID field and engine IP address are added to attack logs.

Viewing Information About a Dedicated WAF Instance

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner, select a region, and choose Security & Compliance > Web Application Firewall to go to the Dashboard page.
  4. In the navigation pane on the left, choose Instance Management > Dedicated Engine to go to the dedicated WAF instance page.

    Figure 1 Dedicated engine list

  5. View information about a dedicated WAF instance. Table 1 describes parameters.

    Table 1 Key parameters of dedicated WAF instances

    Parameter

    Description

    Example Value

    Instance Name

    Name automatically generated when an instance is created.

    None

    Protected Website

    Domain name of the website protected by the instance.

    www.example.com

    VPC

    VPC where the instance resides

    vpc-waf

    Subnet

    Subnet where an instance resides

    subnet-62bb

    IP Address

    IP address of the subnet in the VPC where the WAF instance is deployed.

    192.168.0.186

    Access Status

    Connection status of the instance.

    Accessible

    Running Status

    Status of the instance.

    Running

    Version

    Dedicated WAF version.

    202304

    Deployment

    How the instance is deployed.

    Standard mode (reverse proxy)

    Specifications

    Specifications of resources hosting the instance.

    8 vCPUs | 16 GB

Viewing Metrics of a Dedicated WAF Instance

When a WAF instance is in the Running status, you can view the monitored metrics about the instance.

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner, select a region, and choose Security & Compliance > Web Application Firewall to go to the Dashboard page.
  4. In the navigation pane on the left, choose Instance Management > Dedicated Engine to go to the dedicated WAF instance page.

    Figure 2 Dedicated engine list

  5. In the row of the instance, click Cloud Eye in the Operation column to go to the Cloud Eye console and view the monitoring information, such as CPU, memory, and bandwidth.

Upgrading a Dedicated WAF Instance

Only dedicated WAF instances in the Running status can be upgraded to the latest version. Select an upgrade method based on the number of dedicated WAF instances you have.

If you have deployed only one dedicated WAF instance for your workloads, take the following steps to complete the upgrade:

  1. Apply for another dedicated WAF instance.

    • The new dedicated WAF instance is of the latest version. So its Upgrade button is grayed out.
    • The VPC, subnet, security group, and other settings of the new instance must be the same as those of the original one. In this way, the new instance automatically synchronizes all WAF protection configurations of the original instance.

  2. Run the curl command on any ECS in the VPC the original dedicated WAF instance locates to check whether the workloads are normal.

    • HTTP workloads

      curl http://IP-address-of-the-dedicated-WAF-instance:Service-port -H "host:Service-domain-name" -H "User-Agent: Test"

    • HTTPS workloads

      curl https://IP-address-of-the-dedicated-WAF-instance:Service-port -H "host:Service-domain-name" -H "User-Agent: Test"

    Check whether the service is normal. If the service is normal, go to 3. If the service is abnormal, rectify the fault by referring to Why Is the Access Status of a Domain Name or IP Address Inaccessible? and How Do I Troubleshoot 404/502/504 Errors?. After the fault is fixed, go to 3.

    To run a curl command, your server must meet the following requirements:
    • The network communication is normal.
    • A curl command line tool has been installed. curl must be manually installed on the host running the Windows operating system. curl is installed along with other operating systems.

  3. Add the new dedicated WAF instance to the backend server group of the ELB load balancer you are using.

    The following uses a shared load balancer to show how to add an instance to a backend server group.

    1. Click in the upper left corner, select a region, and choose Security & Compliance > Web Application Firewall to go to the Dashboard page.
    2. In the navigation pane on the left, choose Instance Management > Dedicated Engine to go to the dedicated WAF instance page.
    3. In the row containing the instance you want to upgrade, click More > Add to ELB in the Operation column.
    4. In the Add to ELB dialog box, specify ELB (Load Balancer), ELB Listener, and Backend Server Group you configure for the original dedicated instance.
    5. Click Confirm. Then, configure service port for the WAF instance. In this example, configure Backend Port to the one we configured for the original dedicated instance.

  4. On the ELB console, set the weight of the original dedicated instance to 0. For details, see Changing Backend Server Weights.

    Requests are not forwarded to a backend server if its weight is set to 0.

  5. Delete the original dedicated WAF instance during off-peak hours.

    You can view metrics of the dedicated WAF instance on Cloud Eye. If the number of new connections is small (for example, less than 5), your workloads have decreased.

    1. In the navigation pane on the left on the WAF console, choose Instance Management > Dedicated Engine to go to the dedicated WAF instance page.
    2. In the row of the instance, click More > Delete in the Operation column.
    3. Click Confirm.

      Resources on deleted instance are released and cannot be restored.

If you have deployed multiple dedicated WAF instances for your workloads, take the following steps to upgrade them:

  1. On the ELB console, obtain the weight of a dedicated instance and then change the weight to 0. For details, see Changing Backend Server Weights.

    Requests are not forwarded to a backend server if its weight is set to 0.

  2. Upgrade the dedicated WAF instance during off-peak hours.

    You can view metrics of the dedicated WAF instance on Cloud Eye. If the number of new connections is small (for example, less than 5), your workloads have decreased.

    1. In the navigation pane on the left on the WAF console, choose Instance Management > Dedicated Engine to go to the dedicated WAF instance page.
    2. In the row containing the instance you want to upgrade, click Upgrade in the Operation column.
    3. Confirm the upgrade conditions and click Confirm.

      It takes about 5 minutes for the upgrade.

  3. Run the curl command on any ECS in the VPC the dedicated WAF instance locates to check whether the workloads are normal.

    • HTTP workloads

      curl http://IP-address-of-the-dedicated-WAF-instance:Service-port -H "host:Service-domain-name" -H "User-Agent: Test"

    • HTTPS workloads

      curl https://IP-address-of-the-dedicated-WAF-instance:Service-port -H "host:Service-domain-name" -H "User-Agent: Test"

    Check whether the service is normal. If the service is normal, go to 4. If the service is abnormal, rectify the fault by referring to Why Is the Access Status of a Domain Name or IP Address Inaccessible? and How Do I Troubleshoot 404/502/504 Errors?. After the fault is fixed, go to 3.

    To run a curl command, your server must meet the following requirements:
    • The network communication is normal.
    • A curl command line tool has been installed. curl must be manually installed on the host running the Windows operating system. curl is installed along with other operating systems.

  4. On the ELB console, change the weight of the dedicated instance from 0 to the one you obtain in 1. For details, see Configuring Weights for Backend Servers.
  5. Upgrade other dedicated WAF instances one by one by referring to 1 to 4.

Rolling Back a Dedicated WAF Instance

The version can be rolled back only to the original version.

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner, select a region, and choose Security & Compliance > Web Application Firewall to go to the Dashboard page.
  4. In the navigation pane on the left, choose Instance Management > Dedicated Engine to go to the dedicated WAF instance page.
  5. In the row of the instance, click More > Roll Back in the Operation column.
  6. In the dialog box displayed, confirm that the following conditions are met and select the following three conditions. Then, click Confirm.

    An instance can be rolled back only when the following conditions are met:
    • Multiple active instances are available or no services are connected to the instance.
    • ELB HTTP/HTTPS health check has been enabled.
    • ELB sticky session has been disabled.

Change Security Group for a Dedicated WAF Instance

If you select Network Interface for Instance Type, you can change the security group to which your dedicated instance belongs. After you select a security group, the WAF instance will be protected by the access rules of the security group.

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner, select a region, and choose Security & Compliance > Web Application Firewall to go to the Dashboard page.
  4. In the navigation pane on the left, choose Instance Management > Dedicated Engine to go to the dedicated WAF instance page.

    Figure 3 Dedicated engine list

  5. In the row containing the instance, choose More > Change Security Group in the Operation column.
  6. In the dialog box displayed, select the new security group and click Confirm.

Deleting a Dedicated WAF Instance

You can delete a dedicated WAF instance at any time. After it is deleted, the billing ends.

Resources on deleted instance are released and cannot be restored. Exercise caution when performing this operation.

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner, select a region, and choose Security & Compliance > Web Application Firewall to go to the Dashboard page.
  4. In the navigation pane on the left, choose Instance Management > Dedicated Engine to go to the dedicated WAF instance page.

    Figure 4 Dedicated engine list

  5. In the row of the instance, click More > Delete in the Operation column.
  6. In the displayed dialog box, enter DELETE and click OK.
Parent Topic: System Management