Protection Configuration Overview
After a website is connected to WAF, a default protection policy is generated for the website domain name. You can configure protection rules for the policy as needed. You can also add a protection policy, apply it to the domain name, and configure protection rules for this policy.
Tutorial Video
This video introduces core functions and advanced protection capabilities of WAF.
Protection and Check Principles
WAF engines will check HTTP/HTTPS requests in a certain sequence and take action according to the rules you configure in the protection policy in use.
WAF engines will check user requests and responses returned by the origin server in a certain sequence and anonymize WAF logs according to the configurations.
Figure 1 shows the WAF engine work process and the sequence of rules in each detection phase.
The detection process is as follows:
- Parsing phase: WAF parses the original HTTP or HTTPS request packets from the client to obtain the request header, request line, and request body, and determines the forwarding policy based on the request packets.
- Detection phase:
  - WAF obtains the protection rules you configure based on the request information it identifies.
  - WAF parses the request content, such as the source IP address, domain name, and request length.
  - WAF checks the request content based on the configured protection rules in the sequence shown in Figure 1. If the request matches the conditions configured in a protection rule, WAF handles the request based on the protective action configured in the rule.
- Response detection phase:
  - WAF parses the server response.
  - WAF checks the response based on the configured protection rules in the sequence shown in Figure 1. If the response matches the conditions configured in a protection rule, WAF handles the response based on the protective action configured in the rule.
- Log recording phase: WAF processes WAF logs based on configured data masking rules to prevent sensitive information such as user accounts and passwords from being displayed in logs.
Protective actions are a series of measures taken by WAF when detecting that a request matches the filter criteria configured in a protection rule. Only one protective action can be configured for protection rules with the same conditions.
WAF supports the following protective actions:
- Log only

  If WAF detects that a request matches the conditions configured in a protection rule, it does not take any action but records the activity for subsequent analysis and review by the security team.

  After a website is connected to WAF, by default, WAF enables General Check under Basic Web Protection and Scanner under Anti-Crawler, and sets their Protective Action to Log only. If you are not sure about your service traffic characteristics, you can keep the Log only action for a while, observe the traffic, analyze attack logs, and then configure targeted protection rules.

- Block

  If WAF detects that a request matches the conditions configured in a protection rule, WAF blocks the request and stops checking the request against the subsequent rules.

  If the protective action is set to Block, you can configure a known attack source rule to block the IP addresses, cookies, or parameters of the visitor for a long or short period. In this way, WAF automatically blocks requests from the visitor. For details, see Configuring a Known Attack Source Rule to Block Specific Visitors for a Specified Duration.

  If your service scenarios are complex and require multiple types of protection rules, you need to comprehensively analyze all protection rules used for your services and make sure all these rules can work as expected. This is because the Block action in the current rule stops WAF from checking the request against rules with lower priorities than the current rule. For a configuration example, see Protection Rule Examples.

- Allow

  If WAF detects that a request matches the conditions configured in a protection rule, WAF allows the request and stops checking the request against the subsequent rules.

  If your service scenarios are complex and require multiple types of protection rules, you need to comprehensively analyze all protection rules used for your services and make sure all these rules can work as expected. This is because the Allow action in the current rule stops WAF from checking the request against rules with lower priorities than the current rule, so those subsequent rules take no effect on the request. For a configuration example, see Protection Rule Examples.

- JS Challenge

  If WAF detects a request that matches the conditions configured in a protection rule, WAF returns to the client a piece of JavaScript code that a normal browser executes automatically. If the client properly executes the JavaScript code, WAF allows all requests from the client within the validity period of the token, and no further verification is required during this period. If the client fails to execute the code, WAF blocks the requests.

- Block dynamically

  In a CC attack protection rule, if the number of access requests exceeds the rate limit within a rate limiting period, WAF blocks the excess requests. In the next rate limiting period, WAF applies the allowance frequency instead of the rate limit and blocks requests that exceed it.

  For example, set Rate limit to 10 requests within every 60 seconds and Allowance Frequency to 5 requests within every 60 seconds. If the number of requests exceeds 10 in the first 60 seconds, WAF blocks the access. In the second 60 seconds, WAF blocks the access once the number of requests exceeds 5.

- Verification code

  In a CC attack protection rule, if the number of requests exceeds the rate limit, WAF displays a verification code for human-machine verification. Access is restricted unless the verification succeeds. If the verification fails, the system restricts access based on the Block Duration configured in the rule.
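The two-tier counting behind Block dynamically, as an added Python model of the behaviour described above (this is example code, not WAF's own implementation). The page only describes the first two periods, so the rule that a period in which the allowance is also exceeded keeps the following period restricted is an assumption, labelled in the code.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class DynamicBlockRule:
    """Added model of the 'Block dynamically' action (not WAF's own code).
    rate_limit: requests allowed per period under normal conditions.
    allowance:  requests allowed in the period that follows one in which a
                limit was exceeded (the page's Allowance Frequency).
    period:     rate limiting period in seconds.
    Assumption not stated on the page: exceeding the allowance keeps the next
    period restricted as well; a period with no violation restores rate_limit."""
    rate_limit: int
    allowance: int
    period: int
    _window_start: Optional[float] = field(default=None, init=False)
    _count: int = field(default=0, init=False)
    _exceeded_prev: bool = field(default=False, init=False)
    _exceeded_cur: bool = field(default=False, init=False)

    def current_limit(self) -> int:
        return self.allowance if self._exceeded_prev else self.rate_limit

    def check(self, ts: float) -> str:
        """Count one request arriving at time ts (seconds); return 'allow' or 'block'."""
        if self._window_start is None:
            self._window_start = ts
        # Advance fixed windows up to ts; the violation flag of each finished
        # window sets the limit for the window that follows it.
        while ts >= self._window_start + self.period:
            self._window_start += self.period
            self._exceeded_prev, self._exceeded_cur = self._exceeded_cur, False
            self._count = 0
        self._count += 1
        if self._count > self.current_limit():
            self._exceeded_cur = True
            return "block"
        return "allow"

def replay(rule: DynamicBlockRule, timestamps) -> list:
    """Feed request times in order and return the decision for each."""
    return [rule.check(t) for t in timestamps]

if __name__ == "__main__":
    rule = DynamicBlockRule(rate_limit=10, allowance=5, period=60)
    print(replay(rule, range(12)))       # 10 allow, then 2 block
    print(replay(rule, range(60, 67)))   # next period: 5 allow, then 2 block
```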
Protection Rule Overview
Table 1 describes WAF protection rules.
| Protection Rule | Description | Reference |
|---|---|---|
| Global protection whitelist rules | You can configure these rules to let WAF ignore certain rules for specific requests. | Configuring a Global Protection Whitelist Rule to Ignore False Alarms |
| Blacklist and whitelist rules | You can configure blacklist and whitelist rules to block, log only, or allow access requests from specified IP addresses. Configuring a Known Attack Source Rule to Block Specific Visitors for a Specified Duration is supported. | Configuring IP Address Blacklist and Whitelist Rules to Block or Allow Specified IP Addresses |
| Geolocation access control rules | You can customize these rules to allow or block requests from a specific country or region. | Configuring Geolocation Access Control Rules to Block or Allow Requests from Specific Locations |
| Threat intelligence access control rules | Access control is performed based on the IP address library of the Internet Data Center (IDC). | |
| Precise protection rules | You can configure custom protection rules by combining HTTP headers, cookies, URLs, request parameters, and client IP addresses. Configuring a Known Attack Source Rule to Block Specific Visitors for a Specified Duration is supported. | |
| Scanning protection rules | The scanning protection module identifies scanning behaviors and scanner features to prevent attackers or scanners from scanning websites at scale. WAF automatically blocks heavy-traffic web attacks and directory traversal attacks and blocks the source IP addresses for a period of time, helping reduce intrusion risks and junk traffic. | Configuring a Scanning Blocking Rule to Automatically Block Heavy-Traffic Attacks |
| Bot rules | Supports detection of known bots, signature-based requests, and bot behavior. With layered bot detection, WAF can accurately identify and manage bot behavior in website traffic, effectively reducing risks such as data leakage and performance deterioration caused by bot attacks. | Configuring Bot Protection Rules to Defend Against Bot Behavior |
| Website anti-crawler protection rules | This function dynamically analyzes website service models and accurately identifies crawler behavior based on data risk control and bot identification systems, such as JS Challenge. | |
| CC attack protection rules | CC attack protection rules can be customized to restrict access to a specific URL on your website based on a unique IP address, cookie, or referer field, mitigating CC attacks. Configuring a Known Attack Source Rule to Block Specific Visitors for a Specified Duration is supported. | Configuring CC Attack Protection Rules to Defend Against CC Attacks |
| Basic web protection | WAF defends against common web attacks, such as SQL injections, XSS, remote overflow vulnerabilities, file inclusions, Bash vulnerabilities, remote command execution, directory traversal, sensitive file access, and command/code injections. You can also enable other checks in basic web protection, such as web shell detection, deep inspection against evasion attacks, and header inspection. | Configuring Basic Web Protection to Defend Against Common Web Attacks |
| Web tamper protection rules | You can configure these rules to prevent a static web page from being tampered with. | Configuring Web Tamper Protection Rules to Prevent Static Web Pages from Being Tampered With |
| Information leakage prevention rules | You can add two types of information leakage prevention rules. | Configuring Information Leakage Prevention Rules to Protect Sensitive Information from Leakage |
| Data masking rules | You can configure data masking rules to prevent sensitive data such as passwords from being displayed in event logs. | Configuring Data Masking Rules to Prevent Privacy Information Leakage |
Protection Configuration Procedure
After connecting a website to WAF, you can configure protection as follows:
1. (Optional) Create a protection policy. For details, see Creating a Protection Policy. If you configure protection rules in the default protection policy, you can skip steps 1 and 2.
2. (Optional) Apply a protection policy to a protected object. For details, see Adding a Domain Name to a Policy.
3. Configure protection rules. For details, see Configuring Protection Rules. You can enable and configure protection rules in the protection policy in use.
Protection Rule Examples
In a cybersecurity drill scenario, you may need to configure multiple types of protection rules, such as IP address blacklist and whitelist, geolocation access control, precise protection, and CC attack protection rules, while still allowing the requests of the defender.
- Correct configuration: In this scenario, set Protective Action to Log only. WAF allows requests that hit the current rule, logs the related information, and continues to check the requests against protection rules with lower priorities.
- Incorrect configuration: If Protective Action is set to Allow, WAF allows the current request and skips all other protection rules, so the skipped rules cannot work as expected.
For example, when creating an IP address blacklist/whitelist rule, you are advised to add the IP address of the defender to the rule and set Protective Action to Log only instead of Allow.
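The difference between Log only and Allow in a rule chain, worked through as an added Python model of the evaluation semantics described above (example code, not WAF's own). The rule names, the defender address 198.51.100.7 and the region code AA are constructed placeholders; the rule order mirrors the page's sequence of blacklist/whitelist, geolocation and precise protection rules.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional
# Added model of this page's rule-chain semantics (not WAF's code); names below are placeholders.

@dataclass
class Request:
    src_ip: str
    path: str
    region: str

@dataclass
class Rule:
    name: str
    matches: Callable[[Request], bool]
    action: str  # "log" (Log only), "block" or "allow"

@dataclass
class Verdict:
    final: str                  # "allow" or "block"
    decided_by: Optional[str]   # rule whose Block/Allow ended evaluation
    logged: List[str] = field(default_factory=list)   # Log only hits
    skipped: List[str] = field(default_factory=list)  # rules never checked

def evaluate(rules: List[Rule], req: Request) -> Verdict:
    """Check rules in priority order: Log only records the hit and continues,
    Block or Allow decides the request and stops, so later rules are skipped.
    A request that no deciding rule matches is allowed."""
    verdict = Verdict(final="allow", decided_by=None)
    for i, rule in enumerate(rules):
        if not rule.matches(req):
            continue
        if rule.action == "log":
            verdict.logged.append(rule.name)
            continue
        verdict.final = "allow" if rule.action == "allow" else "block"
        verdict.decided_by = rule.name
        verdict.skipped = [r.name for r in rules[i + 1:]]
        return verdict
    return verdict

DEFENDER_IP = "198.51.100.7"   # constructed drill defender address
TRUSTED_REGION = "AA"          # constructed region code

def drill_policy(whitelist_action: str) -> List[Rule]:
    """Rule order mirrors the page: blacklist/whitelist, geolocation, precise."""
    return [
        Rule("ip-whitelist-defender", lambda r: r.src_ip == DEFENDER_IP, whitelist_action),
        Rule("geo-block-untrusted-region", lambda r: r.region != TRUSTED_REGION, "block"),
        Rule("precise-block-admin", lambda r: r.path.startswith("/admin"), "block"),
    ]
```

Running the same defender request through `drill_policy("allow")` and `drill_policy("log")` shows why the page recommends Log only: with Allow the geolocation and precise rules are never evaluated for that source, with Log only they still apply.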