Why Cannot the Vulnerability Scanning Tool Scan Real Services on My Website Protected with WAF?
After a domain name is connected to cloud WAF with CNAME records, the domain name resolves to WAF rather than to the origin server. A vulnerability scanning tool pointed at the domain name therefore reaches only the IP address of WAF and cannot scan the real services of the website.
Solutions
Solution 1: On the WAF console, switch the WAF working mode to Bypassed. For details, see Switching WAF Working Mode.
Bypassed: In this mode, requests are sent directly to the backend origin servers without passing through WAF. Before enabling this mode, enable the service port of the origin servers so that requests can reach them.
Solution 2: Add the website IP address to the vulnerability scanning tool as a scan target. Take CodeArts Inspector as an example: you can add website IP addresses to the service.