Function Overview
- ALL
- Web Application Firewall
- Cloud Mode
- Cloud Mode - CNAME Access
- Cloud Mode - Load Balancer Access
- Dedicated Mode
- Support Non-Standard Ports
- WAF Engine Detection Mechanism
- Basic Web Protection
- Bot Rules
- CC Attack Protection
- Precise Protection
- Configure Blacklist and Whitelist
- Geolocation Access Control
- Threat Intelligence Access Control
- Web Tamper Protection
- Anti-Crawler
- Information Leakage Prevention
- Global Protection Whitelist
- Data Mask
- Scanning Protection
- Configure Known Attack Source
- Reference Tables
- Configure PCI DSS/3DS Certification Check and TLS
- HTTP/2
- Response Body Length in Logs (Bytes)
- Forwarding Request and Response Header Fields
- Modifying the Alarm Page
- Stopping WAF from Inserting Cookie Fields
- IPv6 Protection
- Load Balancing Algorithms
- Cookie Security Attributes
- Verification Code
- Custom Log Trace ID
- Traffic Identifiers for Known Attack Sources
- Connection Timeout
- Connection Protection
- JA3/JA4 Fingerprint Tag
- Domain Management
- Protection Event Logs
- Certificate Management
- Alarm Notification
-
Web Application Firewall
-
Web Application Firewall (WAF) keeps web services stable and secure. It examines all HTTP and HTTPS requests to detect and block the following attacks: Structured Query Language (SQL) injection, cross-site scripting (XSS), web shells, command and code injections, file inclusion, sensitive file access, third-party vulnerability exploits, Challenge Collapsar (CC) attacks, malicious crawlers, and cross-site request forgery (CSRF).
After buying a WAF instance, add your website domain to the instance on the WAF console. All public network traffic destined for your website then goes to WAF first. WAF identifies and filters out illegitimate traffic and routes only legitimate traffic to your origin server, keeping the origin server secure. WAF supports two deployment modes: Cloud Mode and Dedicated Mode.
Available in all regions.
-
-
Cloud Mode
-
Cloud mode is a cloud-based WAF deployment method. In this mode, Huawei Cloud WAF cluster resources are shared among all tenants. With this mode, you do not need to deploy any hardware or maintain the software. It is ready for use out of the box, highly available, and auto-scalable. You can select yearly/monthly or pay-per-use billing.
- With cloud mode, you can select CNAME or Load balancer access to connect your website to WAF.
- The cloud mode supports Yearly/Monthly (prepaid) billing. There are four WAF editions available: Starter, Standard, Professional, and Enterprise.
- If the quota of domain names, QPS, bandwidth, or IP address blacklist and whitelist rules in the in-use edition (Standard, Professional, or Enterprise) cannot meet service requirements, you can buy domain name expansion packages, QPS expansion packages, or rule extension packages to increase the quota.
Available in all regions.
-
Expansion Package
-
If the edition is Standard, Professional, or Enterprise, you can buy domain name expansion packages, QPS expansion packages, or rule extension packages to increase the quota.
- Domain name Expansion Package: A domain package offers 10 domains.
- QPS Expansion Package: A QPS expansion package can protect up to 20 Mbit/s of traffic for origin servers on Huawei Cloud or 50 Mbit/s for servers not on Huawei Cloud, or 1,000 queries per second (QPS). Each HTTP GET request counts as one query.
- Rule Expansion Package: A rule expansion package can only be used to increase the quota of IP address blacklist and whitelist protection rules. One rule expansion package supports up to 10 IP address blacklist and whitelist protection rules.
Available in all regions.
-
-
-
Cloud Mode - CNAME Access
-
In this mode, DNS resolves the protected domain name to the CNAME record provided by the WAF cluster. WAF identifies and filters out malicious traffic and forwards legitimate traffic to the origin server through its back-to-source IP addresses.
With this mode, you can protect web services deployed on Huawei Cloud, non-Huawei Cloud, and on-premises servers. The protected objects are domain names.
Available in all regions.
-
-
Cloud Mode - Load Balancer Access
-
In this mode, WAF is integrated into the Elastic Load Balance (ELB) gateway through SDKs. After detecting and filtering malicious traffic, WAF synchronizes the detection results to ELB. ELB then decides, based on those results, whether to forward each client request to the origin server.
With this mode, you can protect web services deployed on Huawei Cloud. The protected objects can be domain names, public IP addresses, and private IP addresses.
- The cloud load balancer access mode supports only dedicated load balancers with Specifications set to Application load balancing (HTTP/HTTPS).
- To enable the Cloud Mode - Load balancer access, you need to buy the Standard, Professional, or Enterprise edition and then submit a service ticket.
- If Cloud Mode - CNAME access and Cloud Mode - Load balancer access are in use, they can share the domain name, QPS, and rule expansion package quotas.
Available in the following regions: CN North-Beijing4, CN North-Ulanqab1, CN East-Shanghai1, CN South-Guangzhou, CN North-Beijing2, CN Southwest-Guiyang1, CN East-Shanghai2, CN East-Qingdao, CN South-Shenzhen, CN-Hong Kong, AP-Singapore, AF-Johannesburg, TR-Istanbul, and ME-Riyadh.
-
-
Dedicated Mode
-
The dedicated mode is an advanced deployment method. You have completely isolated and independently deployed protection nodes. Your WAF instance performance will be unaffected by attacks targeting other users' workloads in the cloud. This deployment method provides dedicated resources, robust custom protection, high availability, and disaster recovery.
- The dedicated mode supports pay-per-use (postpaid) billing.
- The dedicated mode supports Dedicated Mode access.
In dedicated mode, after a website is connected to WAF, the website traffic is sent to WAF through the ELB load balancer. WAF blocks abnormal requests and forwards normal requests to the origin server through the back-to-source IP address of the dedicated WAF engine.
- The dedicated mode has been discontinued in some regions. For details, see Notice on Web Application Firewall (Dedicated Mode) Discontinued.
Available in CN North-Beijing4, CN East-Shanghai1, CN South-Guangzhou, CN South-Shenzhen, CN Southwest-Guiyang1, CN-Hong Kong, AP-Bangkok, AP-Singapore, LA-Sao Paulo1, LA-Santiago, AF-Johannesburg and TR-Istanbul regions.
-
-
Support Non-Standard Ports
-
In addition to standard ports 80 and 443, WAF also supports non-standard ports.
Available in all regions.
-
-
WAF Engine Detection Mechanism
-
The built-in protection rules of WAF help you defend against common web application attacks, including XSS attacks, SQL injection, crawlers, and web shells. In addition, you can flexibly configure protection rules based on your website protection requirements.
Available in all regions.
-
-
Basic Web Protection
-
With an extensive preset reputation database, WAF defends against Open Web Application Security Project (OWASP) Top 10 threats, malicious scanners, malicious IP addresses, web shells, and other threats.
- All-around protection: WAF detects and blocks such threats as SQL injection, XSS, file inclusion, directory traversal attacks, sensitive file access, command and code injections, web shells, backdoors, malicious HTTP requests, and third-party vulnerability exploits.
- Precise identification: WAF uses a built-in semantic analysis engine and a regex engine, and supports blacklist/whitelist rules, which reduces false positives.
WAF detects encoding-based evasion and automatically decodes (normalizes) encoded payloads before inspection, which improves recognition of obfuscated web attacks.
WAF can decode a wide range of encodings, including URL encoding, Unicode, XML, C-style octal, hexadecimal, HTML escapes, and Base64, and can undo case confusion and JavaScript, shell, and PHP concatenation obfuscation.
Available in all regions.
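The normalize-then-match step described above is the reason double-encoded or entity-encoded payloads do not slip past an inspection engine. The following is an added example written for this page, not Huawei Cloud WAF's engine code: it applies a few common decoders (percent-encoding including IIS-style %uXXXX, HTML entities, JavaScript \u and \x escapes) repeatedly until the input is stable, then runs two constructed stand-in signatures against the decoded text. The signatures, the round cap and the sample payloads are all assumptions made for the illustration.

```python
import html
import re
from urllib.parse import unquote

# Two stand-in signatures for illustration (constructed); a real rule set has thousands.
SIGNATURES = {
    "xss": re.compile(r"<\s*script\b|\bon\w+\s*=", re.IGNORECASE),
    "sqli": re.compile(r"\bunion\b\s+(all\s+)?select\b|'\s*or\s+'?1'?\s*=\s*'?1", re.IGNORECASE),
}

_JS_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})|\\x([0-9a-fA-F]{2})")
_IIS_UNICODE = re.compile(r"%u([0-9a-fA-F]{4})")


def decode_once(value: str) -> str:
    """One pass of the decoders an inspection engine applies before matching."""
    value = _IIS_UNICODE.sub(lambda m: chr(int(m.group(1), 16)), value)  # %u003c -> <
    value = unquote(value)                                                # %3C -> <, %25 -> %
    value = html.unescape(value)                                          # &lt; &#60; &#x3c; -> <
    value = _JS_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), value)  # \u003c -> <
    return value


def normalize(payload: str, max_rounds: int = 5) -> str:
    """Decode repeatedly until the value is stable, peeling off double/triple encoding.

    The round cap bounds CPU spent on adversarial input; anything still encoded
    after max_rounds is matched as-is. Whitespace variants are folded so keywords
    split with tabs or newlines still line up with the signatures.
    """
    current = payload
    for _ in range(max_rounds):
        decoded = decode_once(current)
        if decoded == current:
            break
        current = decoded
    return re.sub(r"\s+", " ", current)


def match_signatures(payload: str, normalize_first: bool = True) -> list:
    """Return the sorted names of signatures that hit, with or without normalization."""
    text = normalize(payload) if normalize_first else payload
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))
```

Running the same double-encoded `<script>` payload through `match_signatures` with `normalize_first=False` returns nothing, while the normalized run flags it as XSS; the difference between those two calls is the whole point of anti-escape decoding. The round cap matters in practice: an unbounded decode loop is itself a denial-of-service vector.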
-
-
Bot Rules
-
WAF can accurately identify and manage bot behavior in website traffic, effectively reducing risks such as data leakage and performance deterioration caused by bot attacks.
Available in all regions.
-
-
CC Attack Protection
-
You can customize Challenge Collapsar (CC) attack rules to rate-limit access to specific URLs on your website, counting requests per client IP address, per cookie field, or per Referer field. WAF identifies and mitigates CC attacks based on the rules you configure. For example, you can configure the following rule: if a client, identified by the value of its cookie field name, accesses /admin* pages under your domain name more than 10 times within 60 seconds, that client is blocked from accessing the website for 600 seconds.
The All WAF instances function is supported for CC attack protection rules. This function allows WAF to count requests to all your WAF instances for rate limiting. By default, requests to each WAF instance are counted for triggering a CC attack rule. If you enable this, WAF will count requests to all your WAF instances for triggering this rule.
- With Cloud Mode - CNAME mode, this function is supported in the following regions: CN North-Beijing1, CN North-Beijing4, CN South-Guangzhou, CN East-Shanghai1, and CN East-Shanghai2.
- If you are using the dedicated mode, you can submit a service ticket.
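The example rule above (count by cookie field `name`, path `/admin*`, more than 10 requests in 60 seconds, block for 600 seconds) is a sliding-window rate limiter with a penalty box. The code below is an added illustration written for this page, not Huawei Cloud WAF's implementation: it shows the per-key window, the path glob, the block duration, and the three key extractors the text names (IP, cookie, Referer). The request dictionary shape, the `CCRule` fields, the injected clock and the replayed traffic are all assumptions made for the example.

```python
import fnmatch
import time
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, Optional


@dataclass
class CCRule:
    path_pattern: str                          # glob-style, e.g. "/admin*"
    key_fn: Callable[[dict], Optional[str]]    # extracts the counting key from a request
    limit: int                                 # requests allowed within the window
    window_s: int
    block_s: int


# Key extractors matching the three identifiers the rule can count on.
def key_by_ip(req: dict) -> Optional[str]:
    return req.get("ip")


def key_by_cookie(name: str) -> Callable[[dict], Optional[str]]:
    return lambda req: req.get("cookies", {}).get(name)


def key_by_referer(req: dict) -> Optional[str]:
    return req.get("headers", {}).get("Referer")


class CCProtector:
    def __init__(self, rule: CCRule, clock: Callable[[], float] = time.monotonic):
        self.rule = rule
        self.clock = clock                       # injectable so the logic is testable offline
        self.hits: Dict[str, Deque[float]] = defaultdict(deque)
        self.blocked_until: Dict[str, float] = {}

    def check(self, req: dict) -> str:
        """Return 'pass', 'block' or 'not_applicable' for one request."""
        if not fnmatch.fnmatchcase(req.get("path", ""), self.rule.path_pattern):
            return "not_applicable"
        key = self.rule.key_fn(req)
        if key is None:
            return "pass"   # nothing to count on; a production rule would fall back to IP
        now = self.clock()
        until = self.blocked_until.get(key)
        if until is not None:
            if now < until:
                return "block"               # still serving the penalty
            del self.blocked_until[key]      # penalty expired, start counting afresh
        window = self.hits[key]
        window.append(now)
        while window and window[0] <= now - self.rule.window_s:
            window.popleft()                 # drop hits older than the window
        if len(window) > self.rule.limit:
            self.blocked_until[key] = now + self.rule.block_s
            window.clear()
            return "block"
        return "pass"


ADMIN_RULE = CCRule("/admin*", key_by_cookie("name"), limit=10, window_s=60, block_s=600)


def simulate(rule: CCRule, requests) -> list:
    """Replay (time_offset_s, request) pairs against a fake clock; return the decisions."""
    t = [0.0]
    protector = CCProtector(rule, clock=lambda: t[0])
    decisions = []
    for offset, req in requests:
        t[0] = offset
        decisions.append(protector.check(req))
    return decisions


def demo() -> list:
    # Constructed traffic: 11 admin hits from cookie name=alice every 5 s -> the 11th is blocked
    # at t=50 and the block lasts until t=650.
    reqs = [(i * 5.0, {"path": "/admin/users", "cookies": {"name": "alice"}}) for i in range(11)]
    reqs.append((100.0, {"path": "/admin", "cookies": {"name": "alice"}}))        # inside the block
    reqs.append((100.0, {"path": "/admin", "cookies": {"name": "bob"}}))          # other key, passes
    reqs.append((100.0, {"path": "/index.html", "cookies": {"name": "alice"}}))   # rule does not apply
    reqs.append((700.0, {"path": "/admin", "cookies": {"name": "alice"}}))        # block expired
    return simulate(ADMIN_RULE, reqs)
```

Two practical caveats follow from the code. Counting per cookie only works if the attacker keeps the cookie; a client that discards cookies collapses to one key per request, which is why the "All WAF instances" setting and IP-based counting exist alongside it. And a per-instance counter (the default described above) lets an attacker spread requests across instances so that no single counter crosses the limit.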
-
-
Precise Protection
-
With precise protection rules, WAF allows you to customize combinations of HTTP headers, cookies, URLs, request parameters, and client IP addresses, improving protection accuracy. Precise protection rules can be used for hotlinking prevention and for protecting website administration back ends.
Available in all regions.
-
-
Configure Blacklist and Whitelist
-
This function allows you to blacklist or whitelist IP addresses or an IP address range to improve defense accuracy.
Available in all regions.
-
Blacklist and Whitelist IP Address Groups
-
You can use an IP address group to manage IP addresses and IP address ranges. With an IP address group, you can quickly add IP addresses or IP address ranges to a blacklist or whitelist rule.
Available in the following regions: CN North-Beijing1, CN North-Beijing2, CN North-Beijing4, CN East-Shanghai1, CN East-Shanghai2, CN South-Guangzhou, CN South-Shenzhen, CN Southwest-Guiyang1, CN-Hong Kong, AP-Singapore, AP-Bangkok, LA-Santiago, AP-Jakarta, TR-Istanbul, and CN North-Ulanqab1.
-
-
-
Geolocation Access Control
-
These rules allow you to customize access control for requests from IP addresses in specified countries and provinces.
Available in all regions.
-
-
Threat Intelligence Access Control
-
Access is controlled based on the IP address library of Internet Data Centers (IDCs).
Available in all regions.
-
-
Web Tamper Protection
-
You can configure cache for static web pages. When a user accesses a web page, the system returns a cached page to the user and randomly checks whether the page is tampered with.
Available in all regions.
-
-
Anti-Crawler
-
WAF dynamically analyzes website service models and accurately identifies crawler behavior based on data risk control and bot identification mechanisms, such as JS Challenge.
Available in CN North-Beijing1, CN North-Beijing4, CN East-Shanghai1, CN East-Shanghai2, CN South-Guangzhou, CN South-Shenzhen, CN Southwest-Guiyang1, CN-Hong Kong and AP-Bangkok regions.
-
-
Information Leakage Prevention
-
Prevents disclosure of sensitive information (such as ID numbers, phone numbers, and email addresses) in responses, and supports response code interception, which blocks responses carrying the HTTP status codes you specify.
Available in all regions.
-
-
Global Protection Whitelist
-
If you select All protection for Ignore WAF Protection, all WAF rules do not take effect, and WAF allows all request traffic to the domain names in the rule.
If you select Basic Web Protection for Ignore WAF Protection, you can ignore basic web protection by rule ID, attack type, or all built-in rules. For example, if XSS checks are not required for a URL, you can whitelist the XSS rule.
Available in all regions.
-
-
Data Mask
-
Data masking prevents such data as passwords from being displayed in event logs.
Available in all regions.
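Event logs are often shipped to SIEMs and read by people who should never see a user's password or session token, so the masking has to happen before the event is written, and it has to preserve the rest of the request so the event stays useful for investigation. The following is an added example for this page, not Huawei Cloud WAF's code: it masks named fields in the query string, form body, Cookie header and selected request headers while leaving everything else byte-for-byte intact. The event dictionary layout, the rule layout, the mask string and the sample event are assumptions made for the illustration.

```python
from urllib.parse import unquote

MASK = "******"


def mask_query_string(query: str, fields: set) -> str:
    """Mask values of the named keys in key=value&key=value text without re-encoding anything else."""
    out = []
    for pair in query.split("&"):
        key, sep, value = pair.partition("=")
        if sep and unquote(key).lower() in fields:   # decode the key so pass%77ord still matches
            value = MASK
        out.append(key + sep + value)
    return "&".join(out)


def mask_cookie_header(cookie: str, fields: set) -> str:
    """Mask the named cookies in a Cookie request header, keeping the others readable."""
    out = []
    for item in cookie.split(";"):
        name, sep, value = item.strip().partition("=")
        if sep and name.lower() in fields:
            value = MASK
        out.append(name + sep + value)
    return "; ".join(out)


def mask_event(event: dict, rule: dict) -> dict:
    """Return a masked copy of a protection event.

    rule = {"params": {...}, "cookie": {...}, "header": {...}} with lower-case field names.
    Query string and form body share the key=value syntax, so they share the params list.
    """
    params = rule.get("params", set())
    masked = dict(event)
    masked["query"] = mask_query_string(event.get("query", ""), params)
    if "body" in event:
        masked["body"] = mask_query_string(event["body"], params)
    headers = {}
    for name, value in event.get("headers", {}).items():
        lname = name.lower()
        if lname == "cookie":
            headers[name] = mask_cookie_header(value, rule.get("cookie", set()))
        elif lname in rule.get("header", set()):
            headers[name] = MASK
        else:
            headers[name] = value
    masked["headers"] = headers
    return masked


# Constructed sample event and masking rule (not real traffic).
SAMPLE_EVENT = {
    "query": "user=alice&password=hunter2&next=%2Fhome",
    "headers": {
        "Host": "www.example.com",
        "Cookie": "sid=abc; token=xyz",
        "Authorization": "Bearer eyJhbGciOi...",
    },
    "body": "user=alice&password=hunter2",
}
SAMPLE_RULE = {"params": {"password"}, "cookie": {"token"}, "header": {"authorization"}}


def demo() -> dict:
    return mask_event(SAMPLE_EVENT, SAMPLE_RULE)
```

Masking by field name rather than by value pattern is deliberate: a password has no recognisable shape, so only the application owner's knowledge of which fields carry secrets can drive it. The trade-off is that a renamed or nested field (JSON bodies, for instance) is missed, which is why the field list has to be reviewed whenever the application changes.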
-
-
Scanning Protection
-
The scanning protection module identifies scanning behaviors and scanner features to prevent attackers or scanners from scanning websites at scale.
Available in all regions.
-
-
Configure Known Attack Source
-
If WAF blocks a malicious request by IP address, Cookie, or Params, you can configure a known attack source rule to let WAF automatically block all requests from the attack source for a blocking duration set in the known attack source rule.
After a known attack source rule is added, you need to select the rule in basic web protection, precise protection, or blacklist and whitelist protection for the rule to take effect.
Available in all regions.
-
-
Reference Tables
-
You can use a reference table to batch configure protection objects for the following types: Paths, User Agent, IP, Params, Cookie, Referer, and Header.
You can use reference tables for CC attack, precise access, and anti-crawler protection rules.
Available in all regions.
-
-
Configure PCI DSS/3DS Certification Check and TLS
-
When Client Protocol for a website to be protected is set to HTTPS, you can use WAF to set the minimum TLS version and cipher suite (a set of cryptographic algorithms) for the website. All requests using a TLS version earlier than the minimum TLS version cannot access the protected website so that your service is secured.
WAF allows you to enable PCI DSS and PCI 3DS certification checks. After PCI DSS or PCI 3DS certification check is enabled, the minimum TLS version is automatically set to TLS v1.2 to meet the PCI DSS and PCI 3DS certification requirements.
Available in CN North-Beijing1, CN North-Beijing4, CN East-Shanghai1, CN East-Shanghai2, CN South-Guangzhou, CN South-Shenzhen, AP-Bangkok, AP-Singapore, and AF-Johannesburg regions.
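The TLS floor WAF enforces here applies to the client-to-WAF leg only; the WAF-to-origin connection is governed by the origin server's own TLS configuration. The following added example, written for this page and not part of Huawei Cloud WAF, shows the equivalent policy expressed for a Python origin using the standard library `ssl` module: a TLS 1.2 minimum plus a cipher string limited to forward-secret AEAD suites, together with a small audit helper that lists any enabled suite a PCI assessor would flag. The cipher string and the weak-name markers are choices made for the illustration; certificate paths are left to the caller.

```python
import ssl

# Forward secrecy (ECDHE) with AEAD bulk ciphers only; explicit exclusions are belt-and-braces.
PCI_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES"


def pci_dss_server_context(certfile: str = None, keyfile: str = None) -> ssl.SSLContext:
    """Server-side context enforcing the PCI DSS floor: TLS 1.2 minimum, strong suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # TLS 1.0/1.1 ClientHellos are rejected
    ctx.set_ciphers(PCI_CIPHERS)                   # governs TLS 1.2 suites; TLS 1.3 suites are AEAD anyway
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


# Name fragments that indicate a suite without forward secrecy or with a broken/legacy primitive.
_WEAK_MARKERS = ("-CBC", "RC4", "3DES", "DES-CBC3", "MD5", "NULL", "EXP", "ADH", "AECDH")


def weak_ciphers(ctx: ssl.SSLContext) -> list:
    """Names of enabled suites to flag: legacy primitives, or no ECDHE/TLS 1.3 key exchange."""
    flagged = []
    for suite in ctx.get_ciphers():
        name = suite["name"]
        no_pfs = not (name.startswith("ECDHE") or name.startswith("TLS_"))
        if no_pfs or any(marker in name for marker in _WEAK_MARKERS):
            flagged.append(name)
    return flagged


def minimum_version_name(ctx: ssl.SSLContext) -> str:
    """Human-readable minimum protocol version, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name
```

`weak_ciphers` works offline against the context's own suite list, so it can run as a unit test in the origin's build pipeline; a change that reintroduces a CBC or non-ECDHE suite then fails the build instead of being discovered by an external scan.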
-
-
HTTP/2
-
If your website is accessible over HTTP/2, enable HTTP/2 in WAF. HTTP/2 is used only between the client and WAF, and only if Client Protocol is set to HTTPS for at least one origin server.
Available in CN North-Beijing1, CN North-Beijing4, CN East-Shanghai1, CN East-Shanghai2, CN South-Guangzhou, CN South-Shenzhen, LA-Mexico City2.
-
-
Response Body Length in Logs (Bytes)
-
You need to submit a service ticket to enable this function. WAF then records the response body, up to the length you configure, in protection events.
Available in all regions.
-
-
Forwarding Request and Response Header Fields
-
If you enable and configure request and response header forwarding, WAF inserts the header fields you specify into requests before forwarding them to your origin server, and into responses before returning them to the client. This helps you distinguish requests from different sources and better analyze website operating status.
This function is only supported for cloud mode CNAME access and dedicated mode.
Available in all regions.
-
-
Modifying the Alarm Page
-
WAF returns a default response page to visitors it blocks. You can also configure a Custom or Redirection page. WAF will return this page to blocked visitors.
Cloud Mode - Load balancer does not support the Redirection template.
Available in all regions.
-
-
Stopping WAF from Inserting Cookie Fields
-
WAF allows you to stop WAF from inserting the HWWAFSESTIME and HWWAFSESID fields into cookies. However, you should exercise caution when enabling this function. If WAF does not insert the HWWAFSESTIME and HWWAFSESID fields into cookies, CC attack protection rules (verification code), known attack source rules, and dynamic anti-crawler rules will be unable to work.
This function is only supported for cloud mode CNAME access and dedicated mode.
Available in all regions.
-
-
IPv6 Protection
-
You can enable IPv6 protection if needed. If IPv6 protection is enabled, WAF assigns an IPv6 access address to your domain name. WAF adds IPv6 address resolution to CNAME record sets by default. All IPv6 access requests are first forwarded to WAF. WAF detects and filters out malicious traffic and returns legitimate traffic to the origin server. This can keep origin servers secure, stable, and available.
-
-
Load Balancing Algorithms
-
If you configure one or more origin server addresses, you can use a load balancing algorithm to distribute traffic across these origin servers. WAF supports the following algorithms:
- Origin server IP hash: Requests from the same IP address are routed to the same backend server.
- Weighted round robin: Requests are distributed across backend servers in turn based on the weight you assign to each server.
- Session hash: Requests with the same session tag are routed to the same origin server. This algorithm requires traffic identifiers for known attack sources to be configured; otherwise the Session hash algorithm cannot take effect.
Available in CN North-Beijing1, CN North-Beijing2, CN North-Beijing4, CN East-Shanghai1, CN East-Shanghai2, CN South-Guangzhou, CN South-Shenzhen, CN-Hong Kong and AP-Bangkok regions.
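The three algorithms above are small enough to show in full. The code below is an added example for this page, not Huawei Cloud WAF's scheduler: IP hash and session hash use a process-stable hash of the key (Python's built-in `hash()` is randomised per process and would break stickiness across restarts), weighted round robin uses the smooth variant Nginx popularised so a heavy origin does not receive all its slots back to back, and session hash falls back to IP hash when the request carries no session tag, which is this example's assumption and matches the note that the algorithm needs a traffic identifier to work. Origin addresses and weights are constructed.

```python
import hashlib
from typing import Dict, Optional


def _stable_hash(value: str) -> int:
    # SHA-256 prefix rather than hash(): the same key must map to the same origin on every node.
    return int.from_bytes(hashlib.sha256(value.encode()).digest()[:8], "big")


class OriginPool:
    def __init__(self, origins: Dict[str, int]):
        """origins maps address -> weight, e.g. {"10.0.0.11:8080": 5}; weights matter only for WRR."""
        self.weights = dict(origins)
        self.origins = list(origins)
        self._current = {o: 0 for o in self.origins}   # smooth-WRR running scores

    def by_ip_hash(self, client_ip: str) -> str:
        """Same client IP -> same origin, as long as the origin list does not change."""
        return self.origins[_stable_hash(client_ip) % len(self.origins)]

    def by_weighted_round_robin(self) -> str:
        """Smooth weighted round robin: weights {A:5, B:1, C:1} yield A A B A C A A, not A A A A A B C."""
        for o in self.origins:
            self._current[o] += self.weights[o]
        chosen = max(self.origins, key=lambda o: self._current[o])   # first maximum wins ties
        self._current[chosen] -= sum(self.weights.values())
        return chosen

    def by_session_hash(self, session_tag: Optional[str], client_ip: str) -> str:
        """Same session tag -> same origin; without a tag there is nothing to hash, so fall back to IP."""
        if not session_tag:
            return self.by_ip_hash(client_ip)
        return self.origins[_stable_hash(session_tag) % len(self.origins)]


def wrr_sequence(origins: Dict[str, int], n: int) -> list:
    """Helper for inspection: the first n weighted-round-robin picks for a fresh pool."""
    pool = OriginPool(origins)
    return [pool.by_weighted_round_robin() for _ in range(n)]
```

Plain modulo hashing, as used here for IP and session hash, remaps most keys when an origin is added or removed; a deployment that needs stickiness to survive pool changes would use consistent hashing instead, which is outside what the page describes.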
-
-
Cookie Security Attributes
-
If you set Client Protocol to HTTPS, you can enable Cookie Security Attributes. If you enable this, WAF adds the HttpOnly and Secure attributes to cookies set by your origin server.
Cookies are set by back-end web servers, either through framework configuration or directly via the Set-Cookie header. The Secure attribute keeps a cookie from being sent over plaintext HTTP, and HttpOnly keeps scripts from reading it, which helps defend against cookie theft through XSS and against cookie hijacking.
This function is only supported for cloud mode CNAME access and dedicated mode.
Available in all regions.
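What the feature does on the wire is a rewrite of each Set-Cookie response header. The following added example, written for this page and not Huawei Cloud WAF's code, shows that rewrite: it appends HttpOnly and Secure when they are missing, leaves them alone when the application already sets them, and skips Secure when the client leg is plain HTTP (a Secure cookie would never be sent back in that case). The `(name, value)` header list shape and the sample headers are assumptions made for the illustration.

```python
def harden_set_cookie(header_value: str, client_https: bool = True) -> str:
    """Return one Set-Cookie value with HttpOnly and (over HTTPS) Secure present exactly once."""
    parts = [p.strip() for p in header_value.split(";")]
    name_value, attrs = parts[0], [a for a in parts[1:] if a]
    # Attribute names are case-insensitive; compare on the part before any '='.
    present = {a.split("=", 1)[0].strip().lower() for a in attrs}
    out = [name_value] + attrs
    if "httponly" not in present:
        out.append("HttpOnly")
    if client_https and "secure" not in present:
        out.append("Secure")
    return "; ".join(out)


def harden_response_headers(headers: list, client_https: bool = True) -> list:
    """Rewrite every Set-Cookie in a list of (name, value) tuples; all other headers pass through."""
    return [
        (name, harden_set_cookie(value, client_https) if name.lower() == "set-cookie" else value)
        for name, value in headers
    ]
```

Two caveats a practitioner should check before enabling this at the edge. A cookie the front-end JavaScript legitimately reads (a CSRF token exposed to scripts, for example) stops working once HttpOnly is forced, so inventory script-read cookies first. And the rewrite covers only these two attributes; SameSite, Path and Domain remain the application's responsibility.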
-
-
Verification Code
-
You need to submit a service ticket to enable this function. If you enable this function, you can set Protective Action to Verification code and specify a response code displayed on the verification page when configuring the protection rule.
Available in all regions.
-
-
Custom Log Trace ID
-
You can configure a custom extended log field and record a specific header field in requests or responses to the custom_traceid field in logs.
This function is only supported for cloud mode CNAME access and dedicated mode.
Available in all regions.
-
-
Traffic Identifiers for Known Attack Sources
-
You can use WAF to add custom headers, for example, $request_id, to track requests. WAF can follow your configurations to insert additional fields into the request header and forward the requests to origin servers. Note that the name of a custom header field cannot be the same as that of any native Nginx field.
Available in all regions.
-
-
Connection Timeout
-
If you want to set a timeout duration for each request between your WAF instance and origin server, enable Timeout Settings and specify WAF-to-Server connection timeout (s), Read timeout (s), and Write timeout (s). This function cannot be disabled once it is enabled.
- WAF-to-Server Connection Timeout: timeout for WAF and the origin server to establish a TCP connection.
- Write Timeout: Timeout set for WAF to send a request to the origin server. If the origin server does not receive a request within the specified write timeout, the connection times out.
- Read Timeout: Timeout set for WAF to read responses from the origin server. If WAF does not receive any response from the origin server within the specified read timeout, the connection times out.
Available in CN North-Beijing1, CN North-Beijing2, CN North-Beijing4, CN East-Shanghai1, CN East-Shanghai2, CN South-Guangzhou, CN South-Shenzhen, CN Southwest-Guiyang1, AP-Jakarta, CN-Hong Kong and AP-Singapore regions.
-
-
Connection Protection
-
If a large number of 502 Bad Gateway and 504 Gateway Timeout errors are detected, you can enable WAF breakdown protection and connection protection to let WAF suspend forwarding to your website and protect your origin servers from being overwhelmed. When the number of 502/504 error requests or pending URL requests reaches the thresholds you configure, WAF enables the corresponding protection for your website.
Available in CN North-Beijing1, CN North-Beijing2, CN North-Beijing4, CN East-Shanghai1, CN East-Shanghai2, CN South-Guangzhou, CN South-Shenzhen.
-
-
JA3/JA4 Fingerprint Tag
-
By analyzing TLS handshake metadata (the ClientHello), JA3 and JA4 generate fingerprints that distinguish client applications. With dedicated mode, if a layer-7 reverse proxy (for example, ELB) is deployed in front of WAF and passes the client's fingerprint to WAF in a header field, you can configure JA3/JA4 fingerprint tags for the domain name protected by WAF. The fingerprints, along with their tags, are then passed to WAF, and WAF processes requests based on the TLS fingerprint (JA3) and TLS fingerprint (JA4) conditions configured in precise protection rules. This lets you act on traffic from specific client tools identified by their TLS fingerprint, independently of the IP addresses they use.
Available in all regions.
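To make the fingerprint concrete, the following added example (written for this page, not Huawei Cloud WAF's or any proxy's code) computes a JA3 fingerprint from already-parsed ClientHello fields and shows how a precise-protection-style match on that fingerprint would look. JA3 is the MD5 of `version,ciphers,extensions,curves,point_formats`, with values inside a field joined by `-`; GREASE values (RFC 8701), which browsers randomise on every connection, are dropped from the cipher, extension and curve lists so the fingerprint stays stable. The ClientHello values, the header name `X-JA3-Fingerprint` and the block list are constructed assumptions.

```python
import hashlib
from typing import Iterable


def is_grease(value: int) -> bool:
    """GREASE values have two equal bytes each ending in 0xA: 0x0A0A, 0x1A1A, ..., 0xFAFA.

    Note 0x000A (the supported_groups extension) is NOT grease; the byte-equality check matters.
    """
    return (value >> 8) == (value & 0xFF) and (value & 0x0F) == 0x0A


def _field(values: Iterable[int], drop_grease: bool = True) -> str:
    return "-".join(str(v) for v in values if not (drop_grease and is_grease(v)))


def ja3_string(version: int, ciphers, extensions, curves, point_formats) -> str:
    """JA3 text form; point formats are single bytes and are never GREASE, so they pass through."""
    return ",".join([
        str(version),
        _field(ciphers),
        _field(extensions),
        _field(curves),
        _field(point_formats, drop_grease=False),
    ])


def ja3_hash(version: int, ciphers, extensions, curves, point_formats) -> str:
    return hashlib.md5(ja3_string(version, ciphers, extensions, curves, point_formats).encode()).hexdigest()


def rule_action(headers: dict, blocked_ja3: set, header_name: str = "X-JA3-Fingerprint") -> str:
    """Precise-rule style decision on a fingerprint a front proxy passed in a header (name assumed)."""
    fp = headers.get(header_name, "").lower()
    return "block" if fp in blocked_ja3 else "pass"


# Constructed ClientHello fields (not a capture): record version 0x0303, Chrome-like lists.
SAMPLE_HELLO = (
    0x0303,
    [0x1A1A, 0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F],            # GREASE, TLS 1.3 suites, ECDHE suites
    [0x0000, 0x0017, 0xFF01, 0x000A, 0x000B, 0x0023, 0x0010, 0x0005,
     0x000D, 0x0012, 0x0033, 0x002D, 0x002B, 0x001B, 0x3A3A],    # SNI ... GREASE
    [0x4A4A, 0x001D, 0x0017, 0x0018],                            # GREASE, x25519, secp256r1, secp384r1
    [0],
)
# The same client on its next connection: only the GREASE values differ.
SAMPLE_HELLO_REGREASED = (
    0x0303,
    [0x7A7A, 0x1301, 0x1302, 0x1303, 0xC02B, 0xC02F],
    [0x0000, 0x0017, 0xFF01, 0x000A, 0x000B, 0x0023, 0x0010, 0x0005,
     0x000D, 0x0012, 0x0033, 0x002D, 0x002B, 0x001B, 0xBABA],
    [0xEAEA, 0x001D, 0x0017, 0x0018],
    [0],
)
```

Two operational caveats. A fingerprint identifies a TLS stack, not a person or a machine: a tool that copies a browser's ClientHello gets the browser's JA3, so fingerprint tags work best combined with other conditions in the precise protection rule. And because TLS 1.3 clients may reorder extensions between connections, JA3 hashes for the same client can drift; JA4 sorts the cipher and extension lists before hashing to address exactly that.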
-
-
Domain Management
-
Editing Server Information
You can modify server information, including Client Protocol, Server Protocol, Server Address, and Server Port.
-
Deleting a Protected Domain
You can delete a protected website that you do not want to protect any more. Deletion takes effect within one minute. Note that deleted domain names cannot be recovered. You should exercise caution when deleting a protected website.
Available in all regions.
-
-
Protection Event Logs
-
On the Dashboard page, you can view event logs, including attack and request statistics, event distribution, top 10 attacked domain names, top 10 attack source IP addresses, and top 10 attacked URLs in a specified time frame, such as yesterday, today, past 3 days, past 7 days, or past 30 days.
On the Events page, you can view the event data of all protected domain names in the last 30 days.
Available in all regions.
-
Enable LTS for WAF Logging
-
After you authorize WAF to access Log Tank Service (LTS), you can use the WAF logs recorded by LTS to quickly and efficiently perform real-time decision analysis, device O&M management, and service trend analysis.
Available in CN North-Beijing1, CN North-Beijing4, CN East-Shanghai1, CN East-Shanghai2, CN South-Guangzhou, CN South-Shenzhen, CN Southwest-Guiyang1, AP-Bangkok, CN-Hong Kong, LA-Santiago, AF-Johannesburg, TR-Istanbul, CN North-Ulanqab1 and AP-Singapore regions.
-
-
-
Certificate Management
-
Creating a Certificate
If HTTPS is selected for Client Protocol when you add a website to WAF, you need to associate a certificate with the website.
You can create a certificate and upload it to WAF. Then you can directly select the uploaded certificate for the protected website.
-
Deleting a Certificate
You can delete an expired or invalid certificate.
Available in CN North-Beijing1, CN North-Beijing4, CN East-Shanghai1, CN East-Shanghai2, CN South-Guangzhou, CN South-Shenzhen, AP-Bangkok, AP-Singapore, and AF-Johannesburg regions.
-
-
Alarm Notification
-
After you enable the notification function in WAF, alarm information will be sent to you as configured once your domain name is attacked.
Available in all regions.
-