What's New

Updated on 2025/01/27 GMT+08:00

The tables below describe the functions released in each Web Application Firewall version and corresponding documentation updates. New features will be successively launched in each region.

January 2025

No.

Feature

Description

Phase

Document

1

IP address ranges supported in geolocation access control rules

An IP address range can be set in a geolocation access control rule. An IP address range can include IPv4, IPv6, or any (including IPv4 and IPv6) addresses.

Note: If you are using dedicated WAF instances, upgrade them to the latest version. Otherwise, IPv6 is not supported for IP Address Range.

Commercial use

Configuring Geolocation Access Control Rules to Block or Allow Requests from Specific Locations

2

Upgraded cipher suite algorithms supported by WAF

  • Changed the name of Default cipher suite to Classic cipher suite.

  • Added Security cipher suite, which is used by default.

Commercial use

Configuring PCI DSS/3DS Compliance Check and TLS

3

Known attack source rules supported in CC attack protection

If you set Protective Action to Block, you can select a blocking type for a known attack source rule. Then, WAF blocks the requests matching the configured IP, Cookie, or Params for a length of time that depends on the selected blocking type.

Commercial use

Configuring CC Attack Protection Rules to Defend Against CC Attacks

4

Case sensitive option added for precise access control and CC attack protection rules

If you enable the Case-Sensitive option, WAF matches content case-sensitively. This helps the system identify requests precisely and respond to them accurately, making protection policies work better.

Commercial use

Configuring CC Attack Protection Rules to Defend Against CC Attacks

5

Status DNS error added for domain names

In Cloud mode - CNAME access mode, if a proxy such as CDN is used before WAF, DNS resolves the domain name to the proxy. As the domain name is not directly resolved to WAF, and no traffic passes through WAF, the access status of the domain name will be DNS error.

Commercial use

Viewing Basic Information of a Website

6

More non-standard ports supported

The following non-standard ports are supported by the professional and standard editions in cloud mode:

  • HTTP: 1180, 18081

  • HTTPS: 90, 1446, 1448, 1451, 1452, 4433, 6022, 6130, 6133, 6140, 6141, 6142, 6150, 8079, 8990, 8991, 9300, 10003, 12340, 12341, 12342, 12343, 12344, 12345, 12346, 12347, 12348, 12349, 12350, 12351, 12352, 12353, 12354, 17918, 19999, 10006

Commercial use

Non-standard ports supported by WAF

7

Restrictions on top-level domain names lifted for WAF in cloud mode

There are no limits on the number of top-level domain names supported by each WAF edition and domain expansion package in cloud WAF.

Commercial use

Buying a Cloud WAF Instance

8

Batch modifications to settings of origin servers supported

Batch modifying origin server information is supported only for domain names connected to WAF in the same access mode.

Commercial use

Editing Server Information

9

Updated the configuration rule of long-term blocking for known attack source rule

The Blocking Type can be Long-term IP address blocking, Long-term Cookie blocking, or Long-term Params blocking. The blocking duration can be calculated by the Second, Minute, Hour, Day, or Month.

Commercial use

Configuring a Known Attack Source Rule to Block Specific Visitors for a Specified Duration

December 2024

No.

Feature

Description

Phase

Document

1

Custom response code and headers supported in CC attack protection rules

HTTP Return Codes and Response Header can be configured when Block Page is set to Custom.

Commercial use

Configuring CC Attack Protection Rules to Defend Against CC Attacks

October 2024

No.

Feature

Description

Phase

Document

1

Scanning Protection available

The scanning protection module identifies scanning behaviors and scanner features to prevent attackers or scanners from scanning websites at scale. WAF will automatically block heavy traffic web attacks and directory traversal attacks and block the source IP addresses for a period of time, helping reduce intrusion risks and junk traffic.

Commercial use

Configuring a Scanning Blocking Rule to Automatically Block Heavy-Traffic Attacks

2

New layout for protection rules page

The dashboard, basic web protection, CC attack protection, and precise protection rule configuration pages have been optimized.

Commercial use

Configuring Basic Web Protection to Defend Against Common Web Attacks

3

Downloading events function no longer available

The function of downloading protection event logs has been moved from WAF to the LTS console.

Commercial use

Enabling LTS for WAF Protection Event Logging

4

New Dashboard page

Some strings on the Dashboard page have been optimized.

Commercial use

Viewing the Dashboard Page

5

Layer 3 source IP address added to the sub-field.

Layer 3 source IP address is added to the sub-field corresponding to the IPv4/IPv6 field.

Commercial use

Condition Field Description

6

Response condition fields supported

The Response Code, Response Length, Response Time, Response Header, and Response Body fields are supported in rule conditions.

Commercial use

Condition Field Description

7

Response Header added on the custom Block Page

A response header can be specified for custom alarm pages if you set Page Template to Custom.

Commercial use

Modifying the Alarm Page

July 2024

No.

Feature

Description

Phase

Document

1

Optimized web UI for changing expansion package specifications

An independent entry is provided for changing specifications of expansion packages.

Commercial use

Changing the Cloud WAF Edition and Specifications

2

Custom time ranges selectable on the dashboard

On the Dashboard page, you can view the protection event logs of all protected websites or instances for a specified time range, including yesterday, today, past 3 days, past 7 days, or past 30 days.

You can select Yesterday, Today, Past 3 days, Past 7 days, or Past 30 days. You can also click Custom and specify a time range within 30 days.

Commercial use

Viewing the Dashboard

3

Optimized purchase page

On the WAF purchase page, a help panel with parameter-level guidance on selecting a WAF edition is available.

Commercial use

Buying a Cloud WAF Instance

4

Optimizing the cloud mode domain access page

The page for adding websites to cloud WAF was optimized and is now easier to use.

Commercial use

Connecting a Website to WAF (Cloud Mode - CNAME Access)

April 2024

No.

Feature

Description

Phase

Document

1

JS Challenge supported for Protective Action in CC attack protection rules

The Protective Action in CC attack protection rules can be set to JS Challenge.

JS Challenge: WAF returns to the client a piece of JavaScript code that a normal browser executes automatically. If the client properly executes the JavaScript code, WAF allows all requests from the client within a period of time (30 minutes by default). During this period, no verification is required. If the client fails to execute the code, WAF blocks the requests.

Commercial use

Configuring a CC Attack Protection Rule

2

Custom block page supported by precise protection rules

In a precise protection rule, if Protective Action is set to Block, a custom error page can be configured.

Commercial use

Configuring Custom Precise Protection Rules

3

IP address range 0.0.0.0/0 and ::/0 supported for IP address blacklist and whitelist rules

You can configure 0.0.0.0/0 and ::/0 IP address ranges in IP address blacklist and whitelist rules to block all IPv4 and IPv6 traffic, respectively.

Commercial use

Configuring IP Address Blacklist and Whitelist Rules to Block or Allow Specified IP Addresses

4

Case-sensitive path supported by JavaScript-based anti-crawler rules

If a JavaScript-based anti-crawler rule is set to Protect all requests or Protect specified requests, a case-sensitive parameter is added to the condition list. When Field is set to Path, you can enable this parameter to let the rule match case-sensitive paths.

Commercial use

Configuring Anti-Crawler Rules

5

Protection Overview part added on the Dashboard page

The Protection Overview part displays the following data:

  • Protection Duration: You can see how long the earliest cloud WAF or dedicated WAF instance you purchased has been protecting websites in the current enterprise project.

  • Domain Names: You can see how many domain names you have added to WAF in the current enterprise project, as well as how many of them are accessible and how many are inaccessible.

  • WAF Back-to-Source IP Addresses: In this area, you will learn of new WAF back-to-source IP addresses. A notification will be sent one month in advance if there are new WAF back-to-source IP addresses.

  • Updated Rules: In this area, you can check notifications about built-in rule library updates, including emerging vulnerabilities such as zero-day vulnerabilities these rules can defend against. You can also check notifications about new functions, billing details, and critical alarms, such as alarms generated when requests to your domain name bypass WAF.

Commercial use

Dashboard

6

Cookie security attributes

If you set Client Protocol to HTTPS, you can enable Cookie Security Attributes. If you enable this, the HttpOnly and Secure attributes of cookies will be set to true.

Cookies are set by back-end web servers, either through framework configuration or through the Set-Cookie response header. The Secure and HttpOnly attributes help defend against attacks such as cookie theft through XSS and cookie hijacking.

If the AppScan scanner detects that the customer site does not insert security configuration fields, such as HttpOnly and Secure, into the cookie of the scan request, it records them as security threats.

Commercial use

Enabling the Cookie Security Attributes
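The effect of Cookie Security Attributes can be sketched as a rewrite of Set-Cookie response headers. This is an added example, not Huawei Cloud WAF code: the function names and sample headers are constructed for illustration, and the page does not describe how WAF performs the rewrite internally.

```python
"""Added example: audit and enforce Secure/HttpOnly on Set-Cookie headers."""

REQUIRED_FLAGS = ("Secure", "HttpOnly")


def parse_set_cookie(value):
    """Split one Set-Cookie value into its name=value pair and attribute list."""
    parts = [p.strip() for p in value.split(";")]
    pair = parts[0]
    attrs = [p for p in parts[1:] if p]  # drop empties left by a trailing ';'
    return pair, attrs


def missing_flags(value):
    """Return the required flags that the cookie does not carry.

    Attribute names are case-insensitive, so 'secure' and 'HTTPONLY' count.
    """
    _, attrs = parse_set_cookie(value)
    present = {a.split("=", 1)[0].strip().lower() for a in attrs}
    return [f for f in REQUIRED_FLAGS if f.lower() not in present]


def harden_set_cookie(value, client_protocol="HTTPS"):
    """Append Secure and HttpOnly when absent.

    The rewrite is applied only for HTTPS, mirroring the page's condition
    that Client Protocol must be HTTPS before the option can be enabled.
    """
    if client_protocol.upper() != "HTTPS":
        return value
    pair, attrs = parse_set_cookie(value)
    return "; ".join([pair] + attrs + missing_flags(value))


def harden_response_headers(headers, client_protocol="HTTPS"):
    """Rewrite every Set-Cookie header in a list of (name, value) tuples.

    A response may carry several Set-Cookie headers; each is handled alone.
    """
    return [
        (n, harden_set_cookie(v, client_protocol) if n.lower() == "set-cookie" else v)
        for n, v in headers
    ]


def audit(headers):
    """Report cookies a scanner would flag: (cookie name, missing flags)."""
    findings = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        gaps = missing_flags(value)
        if gaps:
            cookie_name = parse_set_cookie(value)[0].split("=", 1)[0]
            findings.append((cookie_name, gaps))
    return findings


# Constructed sample response headers from a hypothetical origin server.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=0123abcd; Path=/app"),
    ("Set-Cookie", "lang=en; Path=/; HTTPONLY"),
]

if __name__ == "__main__":
    print("before:", audit(SAMPLE_HEADERS))
    fixed = harden_response_headers(SAMPLE_HEADERS)
    for header in fixed:
        print(header)
    print("after:", audit(fixed))
```

Before enabling the option, check whether any page script reads a cookie through `document.cookie` (for example a CSRF token cookie), because HttpOnly hides the cookie from JavaScript.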

February 2024

No.

Feature

Description

Phase

Document

1

JS Challenge supported for Protection Action in precise protection rules

The Protection Action in precise protection rules can be set to JS Challenge.

JS Challenge: WAF returns to the client a piece of JavaScript code that a normal browser executes automatically. If the client properly executes the JavaScript code, WAF allows all requests from the client within a period of time (30 minutes by default). During this period, no verification is required. If the client fails to execute the code, WAF blocks the requests.

Commercial use

Configuring Custom Precise Protection Rules

2

The OR relationship can be used for condition groups in global protection whitelist.

When configuring a global protection whitelist rule, you can add three groups of conditions. These groups are in the OR relationship. The rule works if any of the three condition groups is matched.

Commercial use

Configuring a Global Protection Whitelist Rule to Ignore False Alarms

3

CNAME access and ELB access to cloud WAF

The ELB access mode is included as one of the cloud access modes.

When adding your website to WAF, you can select Cloud - CNAME or Cloud - Load balancer for Protection.

Commercial use

Adding a Website to WAF (Cloud Mode - ELB Access)

November 2023

No.

Feature

Description

Phase

Document

1

ELB-mode WAF available

If your service servers are deployed on Huawei Cloud, you can add the domain name or IP address of the website to ELB-mode WAF so that the website traffic can be forwarded to ELB-mode WAF for inspection.

  • To use ELB-mode WAF, you need to submit a service ticket to enable it for you first. ELB WAF is available in some regions. For details, see Functions.
  • If you have purchased cloud WAF standard, professional, or platinum edition, you can also use the ELB mode. Your ELB-mode WAF instances can use the domain name, bandwidth, and rule extension packages you have purchased along with cloud WAF.

Commercial use

Adding a Website to WAF (ELB Mode)

August 2023

No.

Feature

Description

Phase

Document

1

Renaming Bandwidth Expansion Package as QPS Expansion Package

The bandwidth expansion package is officially renamed QPS expansion package. 

The service bandwidth limit is the amount of normal traffic a WAF instance can protect. A QPS expansion package contains:

  • For web applications deployed on Huawei Cloud

    Service bandwidth: 50 Mbit/s

    QPS: 1,000 (Each HTTP GET request is a query.)

  • For web applications not deployed on Huawei Cloud

    Service bandwidth: 20 Mbit/s

    QPS: 1,000 (Each HTTP GET request is a query.)

Commercial use

Introduction to Cloud WAF QPS Expansion Packages

2

Periodic security reports

WAF can generate daily, weekly, monthly, or custom security reports based on the report template you have created. Reports are sent to you using the method and within the time range you configure.

Commercial use

Configuring a Report Template

3

Requests to All WAF instances counted for triggering a CC attack protection rule

If Protective Action in a CC attack protection rule is set to Verification code, you can set a time range for Lock Verification.

If a visitor fails verification code authentication, verification is required for all access requests within the specified period.

Commercial use

Configuring a CC Attack Protection Rule

4

Obtaining IP addresses from the network layer

If you want to use a TCP connection IP address to mark the client IP address, set IP Tag to $remote_addr.

Commercial use

Configuring a Traffic Identifier for a Known Attack Source

May 2023

No.

Feature

Description

Phase

Document

1

Migrating domain names to other enterprise projects

WAF allows you to share domain names of an enterprise project with other enterprise projects.

Commercial use

Migrating Domain Names to Other Enterprise Projects

2

Forwarding custom header fields

You can use WAF to add additional header information, for example, $request_id, to associate requests on the entire link. WAF can follow your configurations to insert additional fields into a header and forward requests to origin servers. Note that the key value of a custom header field cannot be the same as any native Nginx fields.

Commercial use

Forwarding Custom Header Fields

3

TLS v1.3 supported

WAF supports TLS v1.3. TLS v1.3 is incompatible with other TLS versions.

Commercial use

Configuring PCI DSS/3DS Certification Check and TLS Version

4

Caching user-defined header fields

WAF can cache user-defined header fields. In the upper part of the page, click Modify Field to configure the header fields you want WAF to cache.

Commercial use

Configuring a Web Tamper Protection Rule

5

Protective action Log only supported for information leakage prevention rules

Protective Action for information leakage prevention rules can be set to Log only.

Commercial use

Configuring an Information Leakage Prevention Rule

August 2022

No.

Feature

Description

Phase

Document

1

Certificate expiration alarms

WAF has a friendlier alarm notification page, which now includes alarms for certificates before they expire.

Commercial use

Enabling Alarm Notifications

July 2022

No.

Feature

Description

Phase

Document

1

Requests to all WAF instances counted for a CC attack protection rule

All WAF instances: This feature enables WAF to count identified requests to one or more WAF instances according to the rate limit mode you select. By default, requests to each WAF instance are counted for triggering a CC attack rule. If you enable this, WAF will count requests to all your WAF instances for triggering the rule. To enable user-based rate limiting, Per user or Other (Referer must be configured) instead of Per IP address must be selected for Rate Limit Mode. This is because IP address-based rate limiting cannot limit the access rate of a specific user. However, in user-based rate limiting, requests may be forwarded to one or more WAF instances. Therefore, All WAF instances must be enabled for triggering the rule precisely.

Commercial use

Configuring a CC Attack Protection Rule

June 2022

No.

Feature

Description

Phase

Document

1

Global protection whitelist rules supported

If All protection is selected for Ignore WAF Protection, all WAF rules, including basic web protection rules and custom rules, will stop blocking payloads that hit them.

Commercial use

Configuring a Global Protection Whitelist (Formerly False Alarm Masking) Rule

2

Shiro decryption check available

The Shiro decryption check is included in Basic Web Protection. After you enable this check, WAF uses AES and Base64 to decrypt the rememberMe field in cookies and checks this field for attacks. Hundreds of known leaked keys are included in the check.

Commercial use

Configuring Basic Web Protection Rules

May 2022

No.

Feature

Description

Phase

Document

1

Modifiable false alarm masking rules

You can modify the false alarm masking rules you add.

Commercial use

Configuring a Global Protection Whitelist (Formerly False Alarm Masking) Rule

April 2022

No.

Feature

Description

Phase

Document

1

Intelligent access control against CC attacks

If you enable intelligent access control, WAF uses built-in AI-powered models to analyze traffic to your website, identify CC attacks and abnormal features in HTTP requests on the origin server, and generate specific precise protection and access control rules for your website. In this way, WAF can then automatically protect your website from CC attacks.

Commercial use

Configuring Intelligent Access Control

2

Website connection timeout protection

WAF allows you to set the timeout period for each request of a domain name. You can set the connection, read, and write timeout periods.

Commercial use

Configuring Connection Timeout

3

Breakdown protection and connection protection

If a large number of 502 Bad Gateway and 504 Gateway Timeout errors are detected, you can enable WAF breakdown protection and connection protection to let WAF suspend your website and protect your origin servers from crashing. When the numbers of 502/504 error requests and pending URL requests reach the thresholds you configure, WAF enables the corresponding protection for your website.

Commercial use

Configuring Connection Protection

4

IPv6 protection

WAF allows you to enable IPv6 protection for websites on the WAF console. After you enable IPv6 protection, WAF assigns an IPv6 address to your domain name. In this manner, your website can be reached using the IPv6 address. WAF adds IPv6 address resolution in CNAME record sets by default. IPv6 access requests are forwarded to WAF first. WAF detects and filters out malicious attack traffic, and returns normal traffic to the origin server to ensure that the origin server is secure, stable, and available.

Commercial use

Enabling WAF IPv6 Protection

5

HTTP/2 protocol

If your website is accessible over the HTTP/2 protocol, enable HTTP/2 in WAF. The HTTP/2 protocol can be used only for access between the client and WAF on the condition that at least one origin server has HTTPS used for Client Protocol.

Commercial use

Enabling the HTTP/2 Protocol

6

Load balancing algorithms

If you configure one or more origin server addresses, you can use a load balancing algorithm to distribute traffic across these origin servers. WAF supports the following algorithms:

  • Source IP Hash: Requests from the same IP address are routed to the same backend server.
  • Weighted round robin: Requests are distributed across backend servers in turn based on the weight you assign to each server.
  • Session Hash: Requests identified by the same session ID are directed to the same origin server.

Commercial use

Switching the Load Balancing Algorithm

December 2021

No.

Feature

Description

Phase

Document

1

New geolocation access control rule configuration available

In the new geolocation access control rule configuration, countries and regions can be selected in batches.

Commercial use

Configuring a Geolocation Access Control Rule

2

Cloud Eye available to WAF

Cloud Eye monitors the metrics of WAF, so that you can understand the protection status of WAF in a timely manner, and set protection policies accordingly.

Commercial use

WAF Monitored Metrics

August 2021

No.

Feature

Description

Phase

Document

1

Rename WAF editions

WAF Professional edition is renamed Standard edition, Enterprise edition is renamed Professional edition, and Premium edition is renamed Platinum edition.

Commercial use

Buying a Cloud WAF Instance

July 2021

No.

Feature

Description

Phase

Document

1

WAF console entry description changed

The access entry description is changed from Security to Security & Compliance.

Commercial use

Dashboard

2

Information on the Certificates page changed

Information on the Certificates page is reorganized.

Commercial use

Uploading a Certificate

April 2021

No.

Feature

Description

Phase

Document

1

Rule packages available

Rule expansion packages are available on the purchase and upgrade pages.

Commercial use

WAF Cloud Mode Rule Expansion Packages

2

WAF purchase page optimized

On the purchase page, a page for upgrading specifications is added.

Commercial use

Buying a Cloud WAF Instance

March 2021

No.

Feature

Description

Phase

Document

1

Product Details page available

On the Product Details page, you can view information about all your WAF instances, including the edition, domain quotas, and specifications.

Commercial use

Viewing Product Details

February 2021

No.

Feature

Description

Phase

Document

1

Enterprise management available

You can manage WAF resources by enterprise project and set user permissions for each enterprise project.

Commercial use

Managing Projects and Enterprise Projects

2

Header detection available

WAF adds header detection in the basic web protection module.

Commercial use

Configuring Basic Web Protection Rules

January 2021

No.

Feature

Description

Phase

Document

1

Cloud WAF instances billed on a pay-per-use basis available

Cloud WAF instances billed on a pay-per-use basis are available.

Commercial use

Edition Differences

December 2020

No.

Feature

Description

Phase

Document

1

Cloud WAF instances billed on a pay-per-use basis unavailable

Cloud WAF instances billed on a pay-per-use basis are discontinued.

Commercial use

Billing Description

2

Optimizing user experience of anti-crawler function

The website anti-crawler protection uses the feature library and JS scripts to defend against bad crawlers.

Commercial use

Configuring Anti-Crawler Rules

October 2020

No.

Feature

Description

Phase

Document

1

Changing specifications of pay-per-use cloud WAF

Specifications of pay-per-use cloud WAF are changed.

Commercial use

Edition Differences

September 2020

No.

Feature

Description

Phase

Document

1

Pay-per-use cloud WAF

WAF offers cloud WAF instances that can be billed on a pay-per-use basis (postpaid billing mode). You can enable or disable a cloud WAF instance anytime.

Commercial use

Billing Description

August 2020

No.

Feature

Description

Phase

Document

1

One-click enabling of PCI DSS/3DS compliance check

WAF allows you to enable PCI DSS and PCI 3DS certification checks. After PCI DSS or PCI 3DS certification check is enabled, the minimum TLS version is automatically set to TLS v1.2 to meet the PCI DSS and PCI 3DS certification requirements. The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes. PCI 3-Domain Secure (PCI 3DS) is a PCI Core Security Standard.

Commercial use

Configuring PCI DSS/3DS Certification Check and TLS Version

2

Certificate management

You can create or delete certificates in WAF. The number of certificates that can be created in WAF is the same as the number of domain names that can be protected by WAF.

Commercial use

Uploading a Certificate

3

Known attack source rules

If WAF blocks a malicious request by IP address, Cookie, or Params, you can configure a known attack source rule to let WAF automatically block all requests from the attack source for a blocking duration set in the known attack source rule. For example, if a blocked malicious request originates from an IP address (192.168.1.1) and you set the blocking duration to 500 seconds, WAF will block the IP address for 500 seconds after the known attack source rule takes effect.

Commercial use

Configuring a Known Attack Source Rule

4

Viewing details about basic web protection rules

You can view the CVE ID, Risk Severity, Application Type, and Protection Type of a basic web protection rule.

Commercial use

Configuring Basic Web Protection Rules

July 2020

No.

Feature

Description

Phase

Document

1

TLS cipher suite 4

Cipher suite 4 supports the following cryptographic algorithms:

  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-SHA384
  • AES256-SHA256
  • HIGH
  • !MD5
  • !aNULL
  • !eNULL
  • !NULL
  • !EDH

Commercial use

Configuring PCI DSS/3DS Certification Check and TLS Version
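The entries above read like an OpenSSL cipher string, in which HIGH is a class keyword and the `!` entries are exclusions. The following added example (not from the Huawei documentation) assumes that interpretation and uses Python's ssl module to expand the string against the local OpenSSL build, separating the four suites named explicitly from those pulled in by HIGH; the result depends on the installed OpenSSL version.

```python
"""Added example: expand 'cipher suite 4' with the local OpenSSL and review it."""
import ssl

# The four suites named explicitly on the page.
NAMED_SUITES = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA384",
    "AES256-SHA256",
]
# The remaining entries, read here as OpenSSL keywords and exclusions.
KEYWORDS = ["HIGH", "!MD5", "!aNULL", "!eNULL", "!NULL", "!EDH"]

# Assumption: the list is joined with ':' as in an OpenSSL cipher string.
CIPHER_SUITE_4 = ":".join(NAMED_SUITES + KEYWORDS)


def expand(cipher_string=CIPHER_SUITE_4):
    """Return the suites the local OpenSSL enables for the string.

    TLS 1.3 suites are configured separately in OpenSSL and always appear
    in get_ciphers(), so they are filtered out of this review.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def review(cipher_string=CIPHER_SUITE_4):
    """Classify the enabled suites for a configuration review."""
    suites = expand(cipher_string)
    names = [c["name"] for c in suites]
    return {
        "enabled": names,
        "named_on_page": [n for n in names if n in NAMED_SUITES],
        "added_by_HIGH": [n for n in names if n not in NAMED_SUITES],
        # Suites without an ephemeral (EC)DHE key exchange give no forward secrecy.
        "no_forward_secrecy": [
            n for n in names if not n.startswith(("ECDHE-", "DHE-"))
        ],
        # Non-AEAD suites use CBC mode with a separate MAC.
        "not_aead": [c["name"] for c in suites if not c["aead"]],
    }


if __name__ == "__main__":
    result = review()
    print(ssl.OPENSSL_VERSION)
    for key, value in result.items():
        print(f"{key} ({len(value)}):")
        for name in value:
            print("   ", name)
```

On a typical OpenSSL build the HIGH keyword enables many more suites than the four listed, including CBC-mode and static-RSA suites such as AES256-SHA256, so the expanded list is the one to review against your compliance baseline.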

June 2020

No.

Feature

Description

Phase

Document

1

Optimizing user experience of anti-crawler function

When you enable the anti-crawler function, a warning dialog box is displayed, describing the restrictions on using the anti-crawler function.

Commercial use

Configuring Anti-Crawler Rules

May 2020

No.

Feature

Description

Phase

Document

1

Fine-grained permission management

With policy-based fine-grained permission management, you can manage permissions based on the principle of least privilege. For example, you can grant permissions for a certain WAF operation or a specific resource under certain conditions.

Commercial use

WAF Permissions Management

2

Professional edition available

The professional edition is suitable for small- and medium-sized websites that do not have special security requirements.

Commercial use

Edition Differences

April 2020

No.

Feature

Description

Phase

Document

1

LTS for WAF logging

After you authorize WAF to access Log Tank Service (LTS), the WAF logs recorded by LTS are available for you to quickly and efficiently perform real-time decisive analysis, device O&M management, and service trend analysis.

Commercial use

Enabling LTS for WAF Logging

March 2020

No.

Feature

Description

Phase

Document

1

New console

The new WAF console provides you with a better experience.

Commercial use

Dashboard

February 2020

No.

Feature

Description

Phase

Document

1

Protection against Apache Dubbo Deserialization vulnerability

On February 10, 2020, Apache Dubbo officially released the CVE-2019-17564 vulnerability notice, and the vulnerability severity is medium. Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to completely compromise a Provider instance of Apache Dubbo, if this instance enables HTTP. Now, HUAWEI CLOUD WAF provides protection against this vulnerability.

Commercial use

Apache Dubbo Deserialization Vulnerability

January 2020

No.

Feature

Description

Phase

Document

1

Multiple cipher suites available in TLS configuration

When Client Protocol of your website is set to HTTPS, you can set a cipher suite (a set of multiple cryptographic algorithms) for the website to meet industry security requirements.

Commercial use

Configuring PCI DSS/3DS Certification Check and TLS Version

December 2019

No.

Feature

Description

Phase

Document

1

Customization of alarm pages

If a visitor is blocked by WAF, the Default block page of WAF is returned by default. You can also configure Custom or Redirection for the block page to be returned as required.

Commercial use

Modifying the Alarm Page

October 2019

| No. | Feature | Description | Phase | Document |
| --- | --- | --- | --- | --- |
| 1 | Refined defense against CC attacks | You can customize a CC attack protection rule to restrict access to a specific URL on your website based on an IP address, cookie, or Referer, mitigating CC attacks. | Commercial use | Configuring a CC Attack Protection Rule |

September 2019

| No. | Feature | Description | Phase | Document |
| --- | --- | --- | --- | --- |
| 1 | Defense against a DoS vulnerability in the open-source component Fastjson | On September 3, 2019, the HUAWEI CLOUD security team detected a DoS vulnerability in multiple versions of the widely used open-source component Fastjson. An attacker can exploit this vulnerability to construct malicious requests and send them to the server that uses Fastjson. As a result, the memory and CPU of the server are used up and the server breaks down, interrupting services. HUAWEI CLOUD WAF provides protection against this vulnerability. | Commercial use | DoS Vulnerability in the Open-Source Component Fastjson |

August 2019

| No. | Feature | Description | Phase | Document |
| --- | --- | --- | --- | --- |
| 1 | Adding remarks to a user-defined protection rule | When you add a user-defined protection rule, you can add remarks for the rule to facilitate rule management. | Commercial use | Configuration Guidance |

July 2019

| No. | Feature | Description | Phase | Document |
| --- | --- | --- | --- | --- |
| 1 | Defense against Fastjson remote code execution vulnerabilities | On July 12, 2019, the HUAWEI CLOUD Emergency Response Center detected that the open-source component Fastjson had a remote code execution vulnerability. This vulnerability is an extension of the deserialization vulnerability of Fastjson 1.2.24 detected in 2017 and can be directly used to obtain server permissions, causing serious damage. WAF can protect your websites against Fastjson remote code execution vulnerabilities. | Commercial use | Remote Code Execution Vulnerability of Fastjson |

April 2019

| No. | Feature | Description | Phase | Document |
| --- | --- | --- | --- | --- |
| 1 | Configuration of the TLS protocol | When Client Protocol of your website is set to HTTPS, you can set the minimum TLS version for your website to meet industry security requirements. | Commercial use | Configuring PCI DSS/3DS Certification Check and TLS Version |
| 2 | Defense against Oracle WebLogic wls9-async deserialization remote command execution vulnerabilities (CNVD-C-2019-48814) | On April 17, 2019, the HUAWEI CLOUD Emergency Response Center detected that the China National Vulnerability Database (CNVD) had released a security bulletin on the Oracle WebLogic wls9-async component. The component has a defect in deserializing input information. Attackers can send well-constructed malicious HTTP requests to obtain the permission of the target server and execute arbitrary code remotely without authorization. CNVD rates the vulnerability as "high-risk." WAF can protect your websites against Oracle WebLogic wls9-async deserialization remote command execution vulnerabilities (CNVD-C-2019-48814). | Commercial use | Oracle WebLogic wls9-async Deserialization Remote Command Execution Vulnerability (CNVD-C-2019-48814) |

March 2019

| No. | Feature | Description | Phase | Document |
| --- | --- | --- | --- | --- |
| 1 | A new field supported in precise protection rules | You can configure a precise protection rule to allow or block requests based on the content in the HTTP field. | Commercial use | Configuring a Precise Protection Rule |

February 2019

| No. | Feature | Description | Phase | Document |
| --- | --- | --- | --- | --- |
| 1 | WebSocket/WebSockets supported | WAF can check WebSocket and WebSockets requests. This check is enabled by default. | Commercial use | Which Web Service Framework Protocols Does WAF Support? |

December 2018

| No. | Feature | Description | Phase | Document |
| --- | --- | --- | --- | --- |
| 1 | Support for the query of attack logs | You can query attack logs to learn about the security status of service networks. | Commercial use | Viewing Protection Event Logs |
| 2 | Customization of alarm notification sending frequency | Customization of alarm notification sending frequency | Commercial use | Enabling Alarm Notifications |

October 2018

| No. | Feature | Description | Phase | Document |
| --- | --- | --- | --- | --- |
| 1 | Support for wildcard domain names | If the server IP address of each subdomain name is the same, enter a wildcard domain name to be protected. For example, if the subdomains a.example.com, b.example.com, and c.example.com have the same server IP address, you can directly add the wildcard domain name *.example.com to WAF for protection. | Commercial use | Adding a Domain Name to WAF (Cloud Mode) |

June 2018

| No. | Feature | Description | Phase | Document |
| --- | --- | --- | --- | --- |
| 1 | Support for the use of domain names for forwarding traffic back to the original server | Support for the use of domain names for forwarding traffic back to the original server | Commercial use | Adding a Domain Name to WAF (Cloud Mode) |
| 2 | Support for detecting CC attacks based on the Referer field | Support for detecting CC attacks based on the Referer field, which makes defense against CC attacks more accurate. | Commercial use | Configuring a CC Attack Protection Rule |

May 2018

| No. | Feature | Description | Phase | Document |
| --- | --- | --- | --- | --- |
| 1 | This issue is the first official release | Web Application Firewall (WAF) keeps web services stable and secure. It examines all HTTP and HTTPS requests to detect and block the following attacks: Structured Query Language (SQL) injection, cross-site scripting (XSS), web shells, command and code injections, file inclusion, sensitive file access, third-party vulnerability exploits, Challenge Collapsar (CC) attacks, malicious crawlers, and cross-site request forgery (CSRF). | Commercial use | What Is Web Application Firewall? |
