Configuring a Traffic Identifier for a Known Attack Source

Prerequisites

You have connected the website you want to protect to WAF.

Constraints

• If the IP address tag is configured, ensure that the protected website has a layer-7 proxy configured in front of WAF and that Use Layer-7 Proxy is set to Yes for the protected website.

  If the IP address tag is not configured, WAF identifies the client IP address by default.

• Before enabling cookie- or params-based known attack source rules, configure a session or user tag for the corresponding website domain name.

Configuring a Traffic Identifier for a Known Attack Source

1. Log in to the WAF console.
2. Click in the upper left corner and select a region or project.
3. (Optional) If you have enabled the enterprise project function, in the upper part of the navigation pane on the left, select your enterprise project from the Filter by enterprise project drop-down list. Then, WAF will display the related security data in the enterprise project on the page.
4. In the navigation pane on the left, click Website Settings.
5. On the Website Settings page, click the target website domain name.
6. In the Traffic Identifier area, click next to IP Tag, Session Tag, or User Tag and configure a traffic identifier by referring to Table 1.
   Figure 1 Traffic Identifier
   

   Table 1 Traffic identifier parameters

   Tag	Description	Example Value
   IP Tag	HTTP request header field of the original client IP address. Ensure that the protected website has a layer-7 proxy configured in front of WAF and that Use Layer-7 Proxy under the website basic information settings is set to Yes for this parameter to take effect. This field is used to store the real IP address of the client. You can customize the field name and configure multiple fields (separated by commas). After the configuration, WAF preferentially reads the configured field to obtain the real IP address of the client. If multiple fields are configured, WAF reads the IP address from left to right. NOTICE: If you want to use a TCP connection IP address as the client IP address, set IP Tag to $remote_addr. If WAF does not obtain the real IP address of a client from fields you configure, WAF reads the cdn-src-ip, x-real-ip, x-forwarded-for, and $remote_addr fields in sequence to read the client IP address.	X-Forwarded-For
   Session Tag	This tag is used to block possibly malicious requests based on the cookie attributes of an attack source. Configure this parameter to block requests based on cookie attributes.	sessiontest
   User Tag	This tag is used to block possibly malicious requests based on the Params attribute of an attack source. Configure this parameter to block requests based on the Params attributes.	Params

7. Click OK.

Related Operations

Configuring a Known Attack Source Rule to Block Specific Visitors for a Specified Duration