Help Center> Web Application Firewall> User Guide> System Management> Managing Dedicated WAF Engines
Updated on 2024-04-17 GMT+08:00
View PDF

Managing Dedicated WAF Engines

This topic describes how to manage your dedicated WAF instances (or engines), including viewing instance information, viewing instance monitoring configurations, upgrading the instance edition, or deleting an instance.

If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instances locate. Then, you can select the project from the Enterprise Project drop-down list and manage dedicated WAF instances in the project.

Prerequisites

  • You have purchased a dedicated WAF instance.
  • Your login account has the IAM ReadOnly permission.

Dedicated Engine Version Iteration

Engine Version

Feature

December 2023
  • You can configure a global protection whitelist rule to ignore invalid requests.
  • JavaScript-based anti-crawler rules support more protective actions, including Block, Log only, and Verification code.

August 2023
  • The $remote_addr field is added to the IP identifier, which can be directly set to the IP address of the TCP connection.
  • IP addresses used in TCP connections can be identified by CC, precise protection, blacklist, and whitelist rules.
  • A block duration can be set if Protective Action is set to Verification code in a CC attack protection rule.

April 2023
  • HTTP2 is enabled globally by default. There is no need to enable it manually.
  • By default, a request can pass through WAF four times before it goes to the origin server. Error code 523 will be returned if the request exceeds this limit.
  • Strict multipart format verification is supported.
  • Dedicated ELB network load balancers are supported. (In earlier versions, only shared load balancers and dedicated application load balancers are supported.)

November 2022
  • Built-in tags can be added to attack logs (hit_data) when built-in rules are hit.
  • Destination rate limiting and response code conditions can be configured in CC attack protection rules.

September 2022
  • TLS v1.3 is supported.
  • Protection for on-premises web servers is supported.
  • More types of statistics are added to heartbeat logs for attacks.
  • HTTPS ports 60700 to 60999 (300 ports) are added to the protection port list.

July 2022
  • The wildcard domain name matching logic is supported.
  • The global protection whitelist is supported.

May 2022

Configuring the earliest TLS version based on instances is supported.

March 2022
  • Rules can be updated and delivered from the management plane.
  • False alarm masking rules can work for all domain names and specified domain names.
  • All conditions can be configured for false alarm masking.

February 2022

The request logging methods are optimized.

January 2022

Some regular expression matching rules are optimized.

November 2021
  • The log only mode is supported for information leakage rules.
  • Attack logs of invalid requests are added.
  • Precise protection rules can work to each IP address (only for IPv4 format) in the XFF request header.
  • Timeout duration can be set for specified domain names.
  • Some functions are optimized.

October 2021

The performance of some functions is improved.

September 2021
  • Precise protection rules can work to the request body field.
  • Precise protection rules support regular expression matching and all subfields.
  • Some logs can be interconnected with LTS.

June 2021
  • The HTTPS port supports HTTP/2.
  • The region ID field is added to access logs.
  • The region ID field and engine IP address are added to attack logs.

Viewing Information About a Dedicated WAF Instance

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner, select a region, and choose Security & Compliance > Web Application Firewall to go to the Dashboard page.
  4. In the navigation pane on the left, choose Instance Management > Dedicated Engine to go to the dedicated WAF instance page.

    Figure 1 Dedicated engine list

  5. View information about a dedicated WAF instance. Table 1 describes parameters.

    Table 1 Key parameters of dedicated WAF instances

    Parameter

    Description

    Example Value

    Instance Name

    Name automatically generated when an instance is created.

    None

    Protected Website

    Domain name of the website protected by the instance.

    www.example.com

    VPC

    VPC where the instance resides

    vpc-waf

    Subnet

    Subnet where an instance resides

    subnet-62bb

    IP Address

    IP address of the subnet in the VPC where the WAF instance is deployed.

    192.168.0.186

    Access Status

    Connection status of the instance.

    Accessible

    Running Status

    Status of the instance.

    Running

    Version

    Dedicated WAF

    202304

    Deployment

    How the instance is deployed.

    Standard mode (reverse proxy)

    Specifications

    Specifications of resources hosting the instance.

    8 vCPUs | 16 GB

Viewing Metrics of a Dedicated WAF Instance

When a WAF instance is in the Running status, you can view the monitored metrics about the instance.

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner, select a region, and choose Security & Compliance > Web Application Firewall to go to the Dashboard page.
  4. In the navigation pane on the left, choose Instance Management > Dedicated Engine to go to the dedicated WAF instance page.

    Figure 2 Dedicated engine list

  5. In the row of the instance, click Cloud Eye in the Operation column to go to the Cloud Eye console and view the monitoring information, such as CPU, memory, and bandwidth.

Upgrading a Dedicated WAF Instance

Only dedicated WAF instances in the Running status can be upgraded to the latest version. Select an upgrade method based on the number of dedicated WAF instances you have.

If you are using the latest version of dedicated WAF instances, the Upgrade button is grayed out.

Change Security Group for a Dedicated WAF Instance

If you select Network Interface for Instance Type, you can change the security group to which your dedicated instance belongs. After you select a security group, the WAF instance will be protected by the access rules of the security group.

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner, select a region, and choose Security & Compliance > Web Application Firewall to go to the Dashboard page.
  4. In the navigation pane on the left, choose Instance Management > Dedicated Engine to go to the dedicated WAF instance page.

    Figure 3 Dedicated engine list

  5. In the row containing the instance, choose More > Change Security Group in the Operation column.
  6. In the dialog box displayed, select the new security group and click Confirm.

Deleting a Dedicated WAF Instance

You can delete a dedicated WAF instance at any time. After it is deleted, the billing ends.

Resources on deleted instance are released and cannot be restored. Exercise caution when performing this operation.

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner, select a region, and choose Security & Compliance > Web Application Firewall to go to the Dashboard page.
  4. In the navigation pane on the left, choose Instance Management > Dedicated Engine to go to the dedicated WAF instance page.

    Figure 4 Dedicated engine list

  5. In the row of the instance, click More > Delete in the Operation column.
  6. In the displayed dialog box, enter DELETE and click OK.
Parent Topic: System Management