Help Center/ Web Application Firewall/ Best Practices/ Migrating Protection Policies for Your Website

Updated on 2024-08-08 GMT+08:00

View PDF

Migrating Protection Policies for Your Website

Application Scenarios

This topic will walk you through on how to migrate your website protection policies from Alibaba Cloud WAF to Huawei Cloud WAF.

We will show how to complete the migration from Alibaba Cloud pay-per-use WAF 3.0 to Huawei Cloud professional edition cloud WAF.

Resource and Cost Planning

**Table 1** Resources and costs
Resource	Description	Monthly Fee
Web Application Firewall (WAF)	Cloud - professional edition: Billing mode: Yearly/Monthly Domain name quota: 50, including a maximum of five top-level domain names QPS quota: 5,000 QPS Peak bandwidth: 200 Mbit/s inside the cloud and 50 Mbit/s outside the cloud	For details about pricing rules, see Billing Description.

Step 1: Buy Huawei Cloud Professional Edition Cloud WAF

Log in to Huawei Cloud management console.
On the management console page, choose Security & Compliance > Web Application Firewall.
In the upper right corner of the page, click Buy WAF. On the purchase page displayed, select Cloud Mode for WAF Mode.
- Region: Select the region nearest to your services WAF will protect.
- Edition: Select Profesional.
- Expansion Package and Required Duration: Set them based on site requirements.
Confirm the product details and click Buy Now in the lower right corner of the page.
Check the order details and read the WAF Disclaimer. Then, select the box and click Pay Now.
On the payment page, select a payment method and pay for your order.

Step 2: Connect the Website to Huawei Cloud WAF

In the navigation pane on the left, choose Website Settings.
In the upper left corner of the website list, click Add Website.
Select Cloud - CNAME and click Configure Now.

Configure website details. Table 2 describes the parameter mappings between Huawei Cloud and Alibaba Cloud.

On the Alibaba Cloud WAF console, choose Website Configuration > CNAME Record. In the Actions column of the row containing the target domain name, click Edit and check its configuration details.

Figure 1 Domain name configuration page
Click to enlarge

**Table 2** Parameter mappings
Parameter No. in Figure 1	Alibaba Cloud	Huawei Cloud
①	Domain Name	Domain Name
②	Protocol Type/Port	Client Protocol/Protected Port
③	Whether Layer 7 Proxy, Such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, Is Deployed in Front of WAF	Proxy Your Website Uses
④	IPv6	IPv6 Protection
⑤	Load Balancing Algorithm	Load Balancing Algorithm
⑥	Origin Server Address	Server Address
⑦	Protection Resource	Automatically generated

Click Next. Then, whitelist WAF back-to-source IP address, test WAF, and modify DNS records as prompted.

Figure 2 Domain name added to WAF

Step 3: Migrating Protection Rules

Table 3 summarizes mappings between Alibaba Cloud WAF rules and Huawei Cloud WAF rules.

**Table 3** Protection rule mappings
Alibaba Cloud	Huawei Cloud	Reference
Basic protection rule	Basic web protection	Configuring Basic Web Protection Rules to Defend Against Common Web Attacks
Whitelist	Blacklist and whitelist Global protection whitelist	Configuring IP Address Blacklist and Whitelist Rules to Block or Allow Specified IP Addresses Configuring a Global Protection Whitelist Rule to Ignore False Alarms
IP address blacklist	Blacklist and whitelist	Configuring IP Address Blacklist and Whitelist Rules to Block or Allow Specified IP Addresses
Custom rules	Precise protection	Configuring Custom Precise Protection Rules
Custom response	Alarm page	Modifying the Alarm Page
HTTP flood protection (CC attack defense)	CC attack protection	Configuring a CC Attack Protection Rule
Region blacklist rule	Geolocation access control	Configuring Geolocation Access Control Rules to Block or Allow Requests from Specific Locations
Web Tamper Protection	Web tamper protection	Configuring Web Tamper Protection Rules to Prevent Static Web Pages from Being Tampered With
Data leakage prevention	Information leakage prevention	Configuring Information Leakage Prevention Rules to Prevent Sensitive Information Leakage

Migrating Basic Protection Rules

Log in to the Alibaba Cloud WAF console. In the navigation pane on the left, choose Protection Configuration > Protection Rules. On the displayed page, expand the Basic Protection Rule area. In the Action column of the row containing the target rule, click Edit and check the rule details.
Log in to the Huawei Cloud WAF console and go to the Huawei Cloud WAF protection rule configuration page by referring to Figure 3.

Figure 3 Protection rules

Select the Basic Web Protection configuration box, enable it, and migrate related configurations to Huawei Cloud WAF based on Table 4.

**Table 4** Parameter mappings
Alibaba Cloud	Huawei Cloud
Basic Protection Rule	Basic Web Protection
Create Template	Status : enabled. : disabled.
Intelligent Whitelist	None
Rule Configuration	General Check/Deep Inspection/Header Inspection/Shiro Decryption Check
Protocol Compliance	None
Semantic Engine	General Check

Migrating Whitelist Rules

Log in to the Alibaba Cloud WAF console. In the navigation pane on the left, choose Protection Configuration > Protection Rules. On the displayed page, expand the Whitelist area. In the Actions column of the row containing the target rule, click Edit and check the rule details.
Log in to the Huawei Cloud WAF console and go to the Huawei Cloud WAF protection rule configuration page by referring to Figure 4.

Figure 4 Protection rules

In the Global Protection Whitelist configuration box, enable it, and click Add Rule. Then, migrate related configurations to Huawei Cloud WAF based on Table 5.

**Table 5** Parameter mappings
Alibaba Cloud	Huawei Cloud
Whitelist	Global Protection Whitelist
Create Template	Status : enabled. : disabled.
Match Field	Field in the Condition List area
Logical Operator	Logic
Match Content	Content
Bypassed Modules Example: Basic Protection Rule - All Rules	Ignore WAF Protection Example: Basic Web Protection - All built-in rules

Migrating IP Address Blacklist Rules

Log in to the Alibaba Cloud WAF console. In the navigation pane on the left, choose Protection Configuration > Protection Rules. On the displayed page, expand the IP Address Blacklist area. In the Actions column of the row containing the target rule, click Edit and check the rule details.
Log in to the Huawei Cloud WAF console and go to the Huawei Cloud WAF protection rule configuration page by referring to Figure 5.

Figure 5 Protection rules

Choose Blacklist and Whitelist, enable it, and click Add Rule. Then, migrate related configurations to Huawei Cloud WAF based on Table 6.

**Table 6** Parameter mappings
Alibaba Cloud	Huawei Cloud
IP Address Blacklist	Blacklist and Whitelist
Create Template	Status : enabled. : disabled.
IP Address Blacklist	IP Address/Range
Action	Protective Action

Migrating Custom Rules

Log in to the Alibaba Cloud WAF console. In the navigation pane on the left, choose Protection Configuration > Protection Rules. On the displayed page, expand the Custom Rules area. In the Actions column of the row containing the target rule, click Edit and check the rule details.
Log in to the Huawei Cloud WAF console and go to the Huawei Cloud WAF protection rule configuration page by referring to Figure 6.

Figure 6 Protection rules

Click the Precise Protection configuration box, enable it, and click Add Rule. Then, migrate related configurations to Huawei Cloud WAF based on Table 7.

**Table 7** Parameter mappings
Alibaba Cloud	Huawei Cloud
Custom Rules	Precise Protection
Create Template	Status : enabled. : disabled.
Match Field	Field
Logical Operator	Logic
Match Content	Content
Protection Type	None
Action	Protective Action
Effective Mode	Apply

Migrating Custom Response Rules

Log in to the Alibaba Cloud WAF console. In the navigation pane on the left, choose Protection Configuration > Protection Rules. On the displayed page, expand the Custom Response area. In the Actions column of the row containing the target rule, click Edit and check the rule details.
Log in to the Huawei Cloud WAF console. In the navigation pane on the left, choose Website Settings. Click the target domain name to go to its details page.

Click the edit icon next to the page template name in the row where Alarm Page is located. In the displayed Alarm Page dialog box, specify Page Template.

Migrate related configurations to Huawei Cloud WAF based on Table 8.

**Table 8** Parameter mappings
Alibaba Cloud	Huawei Cloud
Custom Response	Block Page
Create Template	Page Template
Status Code	HTTP Return Code
Response Body	Page Content

Migrating HTTP Flood Protection Rules

Log in to the Alibaba Cloud WAF console. In the navigation pane on the left, choose Protection Configuration > Protection Rules. On the displayed page, expand the HTTP Flood Protection area. In the Actions column of the row containing the target rule, click Edit and check the rule details.
Log in to the Huawei Cloud WAF console and go to the Huawei Cloud WAF protection rule configuration page by referring to Figure 7.

Figure 7 Protection rules

Click the CC Attack Protection configuration box, enable it, and click Add Rule. Then, migrate related configurations to Huawei Cloud WAF based on Table 9.

**Table 9** Parameter mappings
Alibaba Cloud	Huawei Cloud
HTTP Flood Protection (CC attack defense)	CC Attack Protection
Create Template	Status : enabled. : disabled.
Action	Protective Action
Protected objects	This parameter is not required for Huawei Cloud WAF.

Migrating Region Blacklist Rules

Log in to the Alibaba Cloud WAF console. In the navigation pane on the left, choose Protection Configuration > Protection Rules. On the displayed page, expand the Region Blacklist area. In the Actions column of the row containing the target rule, click Edit and check the rule details.
Log in to the Huawei Cloud WAF console and go to the Huawei Cloud WAF protection rule configuration page by referring to Figure 8.

Figure 8 Protection rules

In the Geolocation Access Control configuration box, enable it, and click Add Rule. Then, migrate related configurations to Huawei Cloud WAF based on Table 10.

**Table 10** Parameter mappings
Alibaba Cloud	Huawei Cloud
Region Blacklist Rule	Geolocation Access Control
Create Template	Status : enabled. : disabled.
Action	Protective Action
Select Regions to Block	Geolocation

Migrating Website Tamper-Proofing Rules

Log in to the Alibaba Cloud WAF console. In the navigation pane on the left, choose Protection Configuration > Protection Rules. On the displayed page, expand the Website Tamper-proofing area. In the Actions column of the row containing the target rule, click Edit and check the rule details.
Log in to the Huawei Cloud WAF console and go to the Huawei Cloud WAF protection rule configuration page by referring to Figure 9.

Figure 9 Protection rules

In the Web Tamper Protection configuration box, enable it, and click Add Rule. Then, migrate related configurations to Huawei Cloud WAF based on Table 11.

**Table 11** Parameter mappings
Alibaba Cloud	Huawei Cloud
Website Tamper-proofing	Web Tamper Protection
Create Template	Status : enabled. : disabled.
Address of Cached Page	Path

Migrating Data Leakage Prevention Rules

Log in to the Alibaba Cloud WAF console. In the navigation pane on the left, choose Protection Configuration > Protection Rules. On the displayed page, expand the Data Leakage Prevention area. In the Actions column of the row containing the target rule, click Edit and check the rule details.
Log in to the Huawei Cloud WAF console and go to the Huawei Cloud WAF protection rule configuration page by referring to Figure 10.

Figure 10 Protection rules

Click the Information Leakage Prevention configuration box, enable it, and click Add Rule. Then, migrate related configurations to Huawei Cloud WAF based on Table 12.

**Table 12** Parameter mappings
Alibaba Cloud	Huawei Cloud
Data Leak Prevention	Information Leakage Prevention
Create Template	Status : enabled. : disabled.
Match Condition	Type
Sensitive Info	Content
Action	Protective Action