Function Overview
Web Application Firewall
Web Application Firewall (WAF) keeps web services stable and secure. It examines all HTTP and HTTPS requests to detect and block the following attacks: Structured Query Language (SQL) injection, cross-site scripting (XSS), web shells, command and code injections, file inclusion, sensitive file access, third-party vulnerability exploits, Challenge Collapsar (CC) attacks, malicious crawlers, and cross-site request forgery (CSRF).
After you purchase a WAF instance, add your website domain to the WAF instance on the WAF console. All public network traffic for your website then goes to WAF first. WAF identifies and filters out the illegitimate traffic, and routes only the legitimate traffic to your origin server to ensure site security.
Available in all regions.

Cloud Instance
WAF can be deployed in cloud mode. Cloud WAF can protect web applications in HUAWEI CLOUD, other clouds, and on-premises. Cloud WAF has strong elastic scaling capabilities. You can scale it up with just one click.
WAF supports yearly/monthly billing modes. The yearly/monthly billing mode is supported in the standard (formerly professional), professional (formerly enterprise), and platinum (formerly premium) editions.
Available in all regions.

Dedicated Instance
You can use WAF dedicated instances to protect your workloads on Huawei Cloud. In dedicated mode, you can add website domain names or IP addresses to WAF. WAF dedicated instances are exclusively used by you so they can protect your workloads from large-scale traffic attacks.
WAF dedicated instances are billed on a pay-per-use basis. You only pay for what you use.
Available in CN North-Beijing4, CN East-Shanghai1, CN South-Guangzhou, CN South-Shenzhen, CN Southwest-Guiyang1, CN-Hong Kong, AP-Bangkok, AP-Singapore, LA-Sao Paulo1, LA-Santiago, AF-Johannesburg and TR-Istanbul regions.

ELB Instance
If your service servers are deployed on Huawei Cloud, you can add the domain name or IP address of the website to WAF so that the website traffic is forwarded to WAF for inspection.
- To buy ELB-mode WAF instances, submit a service ticket to have the mode enabled for you.
- You can use the ELB mode, domain name, QPS, and rule expansion packages along with your standard, professional, or platinum cloud WAF edition.
Available in CN North-Beijing2, CN North-Beijing4, CN Southwest-Guiyang1, CN North-Ulanqab1, CN East-Shanghai1, CN East-Shanghai2, CN East-Qingdao, CN South-Guangzhou, CN South-Shenzhen, CN-Hong Kong, AP-Singapore, AF-Johannesburg, TR-Istanbul and ME-Riyadh regions.

Domain Expansion Package
A domain package offers 10 domains, including a maximum of 1 top-level domain and 9 subdomains or wildcard domains related to the top-level domain.
If the default domain quota is insufficient, buy additional domain expansion packages to meet your needs.
Available in all regions.

Bandwidth Expansion Package
A bandwidth expansion package contains 20 Mbit/s for services on HUAWEI CLOUD, 50 Mbit/s for services not on HUAWEI CLOUD, or 1,000 queries per second (QPS). One HTTP GET request counts as one query.
The bandwidth in WAF is calculated by WAF itself and is not associated with the bandwidth or traffic limit of other HUAWEI CLOUD products (such as CDN, ELB, and ECS).
If your sites' normal traffic exceeds the bandwidth limit offered by your selected edition, traffic limiting and random packet loss may occur. As a result, services may be unavailable, frozen, or delayed for a certain period of time. In this case, upgrade your edition or buy additional bandwidth expansion packages.
Available in all regions.

Add a Domain Name to WAF
After you connect a domain name to your WAF instance, WAF works as a reverse proxy between the client and the server. The real IP address of the server is hidden and only the IP address of WAF is visible to web visitors.
Available in all regions.

Alarm Notification
After you enable the notification function in WAF, alarm information will be sent to you as configured once your domain name is attacked.
Available in all regions.

Support Non-Standard Ports
In addition to standard ports 80 and 443, WAF also supports non-standard ports.
Available in all regions.

WAF Engine Detection Mechanism
The built-in protection rules of WAF help you defend against common web application attacks, including XSS attacks, SQL injection, crawlers, and web shells. In addition, you can flexibly configure protection rules based on your website protection requirements.
Available in all regions.

Basic Web Protection
With an extensive preset reputation database, WAF defends against Open Web Application Security Project (OWASP) top 10 threats, malicious scanners, IP addresses, web shells, and other threats.
All-around protection: WAF detects and blocks such threats as SQL injection, XSS, file inclusion, directory traversal attacks, sensitive file access, command and code injections, web shells, backdoors, malicious HTTP requests, and third-party vulnerability exploits.
Precise identification:
- WAF uses a built-in semantic analysis engine and regex engine and supports the configuration of blacklist/whitelist rules, which reduces false positives.
- WAF supports anti-escape and automatic restoration of common encodings, which improves its ability to recognize obfuscated (deformed) web attacks.
- WAF can decode a wide range of encodings and obfuscations, including url_encode, Unicode, XML, C-OCT, hexadecimal, HTML escape, base64, case confusion, and JavaScript, shell, and PHP concatenation confusion.
Available in all regions.

CC Attack Protection
You can customize your Challenge Collapsar (CC) attack rules to restrict access to a specific URL on your website based on a unique IP address, cookie, or Referer field. WAF identifies and mitigates CC attacks based on the protection rules you configured. For example, you can configure the following rule: If a user whose cookie ID is name accesses the /admin* page under your domain name more than 10 times within 60 seconds, the user is forbidden to access the target website for 600 seconds.
- All WAF instances: Requests to one or more WAF instances are counted together according to the rate limit mode you select. By default, requests are counted per WAF instance. If you enable this option, WAF counts requests to all your WAF instances when deciding whether this rule is triggered.
Note: Only the cloud CNAME access mode supports counting requests to All WAF instances. Only the CN North-Beijing1, CN North-Beijing4, CN East-Shanghai1, CN East-Shanghai2, and CN South-Guangzhou regions support counting requests to All WAF instances.
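The example rule above (cookie `name`, path `/admin*`, more than 10 requests in 60 seconds, 600-second block) can be modelled as a per-cookie sliding-window counter. This is an added illustration, not Huawei Cloud WAF code: the class and function names, the sliding-window counting, and the treatment of requests without the cookie are assumptions, and the traffic is constructed.

```python
import fnmatch
from collections import defaultdict, deque


class CCRule:
    """Illustrative model of the rule in the text; names are hypothetical."""

    def __init__(self, path_pattern="/admin*", cookie_key="name",
                 limit=10, window=60, block_for=600):
        self.path_pattern = path_pattern
        self.cookie_key = cookie_key
        self.limit = limit
        self.window = window
        self.block_for = block_for
        self.hits = defaultdict(deque)  # cookie value -> times of matching requests
        self.blocked_until = {}         # cookie value -> time the block expires

    def check(self, now, path, cookies):
        """Return 'block' or 'allow' for one request seen at time `now` (seconds)."""
        user = cookies.get(self.cookie_key)
        if user is None:
            return "allow"  # assumption: this model cannot attribute the request
        if self.blocked_until.get(user, 0) > now:
            return "block"  # the block covers the whole site, not only /admin*
        if not fnmatch.fnmatchcase(path, self.path_pattern):
            return "allow"  # path outside the rule: not counted
        q = self.hits[user]
        q.append(now)
        while q and q[0] <= now - self.window:
            q.popleft()     # forget hits that fell out of the 60 s window
        if len(q) > self.limit:  # "more than 10 times within 60 seconds"
            self.blocked_until[user] = now + self.block_for
            q.clear()
            return "block"
        return "allow"


def replay(events, rule=None):
    """Run (time, path, cookies) tuples through a rule; return the verdicts."""
    rule = rule or CCRule()
    return [rule.check(t, path, cookies) for t, path, cookies in events]


# Constructed traffic: u1 requests /admin/login once per second, 11 times.
SAMPLE = [(t, "/admin/login", {"name": "u1"}) for t in range(11)] + [
    (20, "/index.html", {"name": "u1"}),    # blocked site-wide
    (20, "/admin/login", {"name": "u2"}),   # a different cookie value
    (611, "/index.html", {"name": "u1"}),   # the 600 s block has expired
]

if __name__ == "__main__":
    print(replay(SAMPLE))
```

Because the counter is keyed on the cookie value, the choice of key (IP address, cookie, or Referer) decides which clients are grouped together, so it should match how the protected URL identifies users.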
Precise Protection
With precise protection rules, WAF allows you to customize combinations of HTTP headers, cookies, URLs, request parameters, and client IP addresses, improving protection accuracy. Precise protection rules can be used for hotlinking prevention and for protecting website management backends.
Available in all regions.

Configure Blacklist and Whitelist
This function allows you to blacklist or whitelist IP addresses or an IP address range to improve defense accuracy.
Available in all regions.

Configure Known Attack Source
If WAF blocks a malicious request by IP address, Cookie, or Params, you can configure a known attack source rule to let WAF automatically block all requests from the attack source for a blocking duration set in the known attack source rule.
After a known attack source rule is added, you need to select the rule in basic web protection, precise protection, or blacklist and whitelist protection for the rule to take effect.
Available in all regions.

Geolocation Access Control
These rules allow you to customize access control for IP addresses forwarded from/to specified countries and provinces.
Available in all regions.

Web Tamper Protection
You can configure cache for static web pages. When a user accesses a web page, the system returns a cached page to the user and randomly checks whether the page has been tampered with.
Available in all regions.

Anti-Crawler
WAF dynamically analyzes website service models and accurately identifies crawler behavior based on data risk control and bot identification systems, such as JS Challenge.
Available in CN North-Beijing1, CN North-Beijing4, CN East-Shanghai1, CN East-Shanghai2, CN South-Guangzhou, CN South-Shenzhen, CN Southwest-Guiyang1, CN-Hong Kong and AP-Bangkok regions.

Information Leakage Prevention
WAF prevents disclosure of sensitive information (such as ID numbers, phone numbers, and email addresses) and supports response code interception, which intercepts the specified HTTP status codes.
Available in all regions.

Global Protection Whitelist
If you select All protection for Ignore WAF Protection, no WAF rules take effect, and WAF allows all request traffic to the domain names in the rule.
If you select Basic Web Protection for Ignore WAF Protection, you can ignore basic web protection by rule ID, attack type, or all built-in rules. For example, if the XSS check is not required for a URL, you can whitelist the XSS rule.
Available in all regions.

Data Mask
Data masking prevents such data as passwords from being displayed in event logs.
Available in all regions.

Protection Event Logs
On the Dashboard page, you can view event logs, including attack and request statistics, event distribution, top 10 attacked domain names, top 10 attack source IP addresses, and top 10 attacked URLs in a specified time frame, such as yesterday, today, past 3 days, past 7 days, or past 30 days.
On the Events page, you can view the event data of all protected domain names in the last 30 days.
Available in all regions.

Enable LTS for WAF Logging
After you authorize WAF to access Log Tank Service (LTS), you can use the WAF logs recorded by LTS to quickly and efficiently perform real-time decision analysis, device O&M management, and service trend analysis.
Available in CN North-Beijing1, CN North-Beijing4, CN East-Shanghai1, CN East-Shanghai2, CN South-Guangzhou, CN South-Shenzhen, CN Southwest-Guiyang1, AP-Bangkok, CN-Hong Kong, LA-Santiago, AF-Johannesburg, TR-Istanbul, CN North-Ulanqab1 and AP-Singapore regions.

Certificate Management
Creating a Certificate
If HTTPS is selected for Client Protocol when you add a website to WAF, you need to associate a certificate with the website.
You can create a certificate and upload it to WAF. Then you can directly select the uploaded certificate for the protected website.
Deleting a Certificate
You can delete an expired or invalid certificate.
Available in CN North-Beijing1, CN North-Beijing4, CN East-Shanghai1, CN East-Shanghai2, CN South-Guangzhou, CN South-Shenzhen, AP-Bangkok, AP-Singapore, and AF-Johannesburg regions.

Configure PCI DSS/3DS Certification Check and TLS
When Client Protocol for a website to be protected is set to HTTPS, you can use WAF to set the minimum TLS version and cipher suite (a set of cryptographic algorithms) for the website. Requests that use a TLS version earlier than the minimum TLS version cannot access the protected website, which keeps your service secure.
WAF allows you to enable PCI DSS and PCI 3DS certification checks. After PCI DSS or PCI 3DS certification check is enabled, the minimum TLS version is automatically set to TLS v1.2 to meet the PCI DSS and PCI 3DS certification requirements.
Available in CN North-Beijing1, CN North-Beijing4, CN East-Shanghai1, CN East-Shanghai2, CN South-Guangzhou, CN South-Shenzhen, AP-Bangkok, AP-Singapore, and AF-Johannesburg regions.

Domain Management
Editing Server Information
You can modify server information, including Client Protocol, Server Protocol, Server Address, and Server Port.
Deleting a Protected Domain
You can delete a protected website that you do not want to protect any more. Deletion takes effect within one minute. Note that deleted domain names cannot be recovered. You should exercise caution when deleting a protected website.
Available in all regions.

HTTP/2
If your website is accessible over the HTTP/2 protocol, enable HTTP/2 in WAF. The HTTP/2 protocol can be used only for access between the client and WAF, provided that at least one origin server is configured with HTTPS as the Client Protocol.
Available in CN North-Beijing1, CN North-Beijing4, CN East-Shanghai1, CN East-Shanghai2, CN South-Guangzhou, and CN South-Shenzhen regions.

Connection Timeout
If you want to set a timeout duration for each request between your WAF instance and origin server, enable Timeout Settings and specify WAF-to-Server connection timeout (s), Read timeout (s), and Write timeout (s). This function cannot be disabled once it is enabled.
- WAF-to-Server Connection Timeout: Timeout for WAF and the origin server to establish a TCP connection.
- Write Timeout: Timeout set for WAF to send a request to the origin server. If the origin server does not receive a request within the specified write timeout, the connection times out.
- Read Timeout: Timeout set for WAF to read responses from the origin server. If WAF does not receive any response from the origin server within the specified read timeout, the connection times out.
Available in CN North-Beijing1, CN North-Beijing2, CN North-Beijing4, CN East-Shanghai1, CN East-Shanghai2, CN South-Guangzhou, CN South-Shenzhen, CN Southwest-Guiyang1, AP-Jakarta, CN-Hong Kong and AP-Singapore regions.

Connection Protection
If a large number of 502 Bad Gateway and 504 Gateway Timeout errors are detected, you can enable WAF breakdown protection and connection protection to let WAF suspend your website and protect your origin servers from crashing. When the 502/504 error requests and pending URL requests reach the thresholds you configure, WAF enables the corresponding protection for your website.
Available in CN North-Beijing1, CN North-Beijing2, CN North-Beijing4, CN East-Shanghai1, CN East-Shanghai2, CN South-Guangzhou, and CN South-Shenzhen regions.

Load Balancing Algorithms
If you configure one or more origin server addresses, you can use a load balancing algorithm to distribute traffic across these origin servers. WAF supports the following algorithms:
- Origin server IP hash: Requests from the same IP address are routed to the same backend server.
- Weighted round robin: Requests are distributed across backend servers in turn based on the weight you assign to each server.
- Session hash: Requests with the same session tag are routed to the same origin server. To enable this algorithm, configure traffic identifiers for known attack sources; otherwise, the Session hash algorithm cannot take effect.
Available in CN North-Beijing1, CN North-Beijing2, CN North-Beijing4, CN East-Shanghai1, CN East-Shanghai2, CN South-Guangzhou, CN South-Shenzhen, CN-Hong Kong and AP-Bangkok regions.

Header Forwarding
You can use WAF to add additional header information, for example, $request_id, to correlate requests across the entire link. WAF inserts the additional fields into a header and forwards requests to origin servers. Note that the key of a custom header field cannot be the same as any native Nginx field.
Available in CN North-Beijing1, CN North-Beijing2, CN North-Beijing4, CN East-Shanghai1, CN East-Shanghai2, CN South-Guangzhou, CN South-Shenzhen, CN Southwest-Guiyang1, AP-Bangkok, CN-Hong Kong and AP-Singapore regions.

IP Address Whitelist and Blacklist
With IP address groups, you can quickly add IP addresses or IP address ranges to a blacklist or whitelist rule.
Available in CN North-Beijing1, CN North-Beijing2, CN North-Beijing4, CN East-Shanghai1, CN East-Shanghai2, CN South-Guangzhou, CN South-Shenzhen, CN Southwest-Guiyang1, AP-Bangkok, CN-Hong Kong, LA-Santiago, AF-Johannesburg, TR-Istanbul, CN North-Ulanqab1 and AP-Singapore regions.