What's New
The tables below describe the features released in each Web Application Firewall (WAF) version and the corresponding documentation updates. New features are launched in each region successively.
December 2024

| No. | Feature | Description | Phase | Document |
|---|---|---|---|---|
| 1 | Custom response code and headers supported in CC attack protection rules | HTTP Return Codes and Response Header can be configured when Block Page is set to Custom. | Commercial use | Configuring CC Attack Protection Rules to Defend Against CC Attacks |
October 2024

| No. | Feature | Description | Phase | Document |
|---|---|---|---|---|
| 1 | Response Header added on the custom Block Page | A response header can be specified for custom alarm pages if you set Page Template to Custom. | Commercial use | |
| 2 | Downloading events function no longer available | The function of downloading protection event logs has been moved from WAF to the LTS console. | Commercial use | |
| 3 | New layout for protection rules page | The dashboard, basic web protection, CC attack protection, and precise protection rule configuration pages have been optimized. | Commercial use | Configuring Basic Web Protection to Defend Against Common Web Attacks |
| 4 | New Dashboard page | Some strings on the Dashboard page have been optimized. | Commercial use | |
| 5 | Layer 3 source IP address added to the sub-field | Layer 3 source IP address is added to the sub-field corresponding to the IPv4/IPv6 field. | Commercial use | |
| 6 | Scanning Protection available | The scanning protection module identifies scanning behaviors and scanner features to prevent attackers or scanners from scanning websites at scale. WAF automatically blocks heavy-traffic web attacks and directory traversal attacks and blocks the source IP addresses for a period of time, helping reduce intrusion risks and junk traffic. | Commercial use | Configuring a Scanning Blocking Rule to Automatically Block Heavy-Traffic Attacks |
| 7 | Response condition fields supported | The Response Code, Response Length, Response Time, Response Header, and Response Body fields are supported in rule conditions. | Commercial use | |
July 2024

| No. | Feature | Description | Phase | Document |
|---|---|---|---|---|
| 1 | Optimizing the cloud mode domain access page | The page for adding websites to cloud WAF was optimized to make it easier to use. | Commercial use | |
| 2 | Optimized purchase page | On the WAF purchase page, a help panel with parameter-level guidance on selecting a WAF edition is available. | Commercial use | |
| 3 | Custom time ranges selectable on the dashboard | On the Dashboard page, you can view the protection event logs of all protected websites or instances for a specified time range. You can select Yesterday, Today, Past 3 days, Past 7 days, or Past 30 days, or click Custom and specify a time range within the past 30 days. | Commercial use | |
| 4 | Optimized web UI for changing expansion package specifications | An independent entry is provided for changing the specifications of expansion packages. | Commercial use | |
April 2024

| No. | Feature | Description | Phase | Document |
|---|---|---|---|---|
| 1 | JS Challenge supported for Protective Action in CC attack protection rules | The Protective Action in CC attack protection rules can be set to JS Challenge. With JS Challenge, WAF returns to the client a piece of JavaScript code that a normal browser executes automatically. If the client executes the code properly, WAF allows all requests from that client for a period of time (30 minutes by default), during which no further verification is required. If the client fails to execute the code, WAF blocks its requests. | Commercial use | |
| 2 | Cookie security attributes | If you set Client Protocol to HTTPS, you can enable Cookie Security Attributes. When enabled, the HttpOnly and Secure attributes of cookies are set to true. Cookies are inserted by back-end web servers, either through framework configuration or through Set-Cookie headers. The Secure and HttpOnly attributes help defend against attacks such as XSS-based cookie theft and cookie hijacking. If the AppScan scanner detects that the site does not insert security attributes such as HttpOnly and Secure into the cookies of a scanned request, it records them as security threats. | Commercial use | |
| 3 | Protection Overview part added on the Dashboard page | The Protection Overview part displays the following data: | Commercial use | |
| 4 | IP address range 0.0.0.0/0 and ::/0 supported for IP address blacklist and whitelist rules | You can configure the 0.0.0.0/0 and ::/0 IP address ranges in IP address blacklist and whitelist rules to block all IPv4 and IPv6 traffic, respectively. | Commercial use | Configuring IP Address Blacklist and Whitelist Rules to Block or Allow Specified IP Addresses |
| 5 | Case-sensitive path supported by JavaScript-based anti-crawler rules | If a JavaScript-based anti-crawler rule is set to Protect all requests or Protect specified requests, a case-sensitive parameter is added to the condition list. When Field is set to Path, you can enable this parameter to let the rule match paths case-sensitively. | Commercial use | |
| 6 | Custom block page supported by precise protection rules | In a precise protection rule, if Protective Action is set to Block, a custom error page can be configured. | Commercial use | |
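The Cookie security attributes item above describes WAF appending HttpOnly and Secure to cookies that the origin server sets. The following Python is an added illustration, not Huawei Cloud WAF code: it rewrites the Set-Cookie headers of a constructed origin response the same way, applies the change only when the client protocol is HTTPS (the console condition), and includes a small AppScan-style check that reports which cookies still lack the attributes. The header sample and all function names are assumptions made for this example.

```python
from typing import List, Tuple

# Added example, not Huawei Cloud WAF code. It models the "Cookie Security
# Attributes" switch: Set-Cookie headers emitted by the origin server get
# HttpOnly and Secure appended when they are missing. Attribute names are
# compared case-insensitively, as RFC 6265 requires. Sample headers are constructed.

Header = Tuple[str, str]


def parse_set_cookie(header: str) -> Tuple[str, List[str]]:
    """Split a Set-Cookie value into its name=value pair and its attribute list."""
    parts = [p.strip() for p in header.split(";")]
    return parts[0], [p for p in parts[1:] if p]


def missing_security_attributes(header: str) -> List[str]:
    """Return which of HttpOnly / Secure the cookie lacks (what a scanner would flag)."""
    _, attrs = parse_set_cookie(header)
    present = {a.split("=", 1)[0].strip().lower() for a in attrs}
    return [name for name in ("HttpOnly", "Secure") if name.lower() not in present]


def harden_set_cookie(header: str) -> str:
    """Append the missing attributes, keeping the cookie's existing attributes intact."""
    pair, attrs = parse_set_cookie(header)
    return "; ".join([pair] + attrs + missing_security_attributes(header))


def harden_response_headers(headers: List[Header], client_https: bool) -> List[Header]:
    """Rewrite every Set-Cookie header of an origin response.

    Applied only when the client-facing protocol is HTTPS, matching the console
    condition: a browser never sends a Secure cookie over plain HTTP, so forcing
    the attribute on an HTTP-only site would break sessions instead of protecting them.
    """
    if not client_https:
        return list(headers)
    return [(k, harden_set_cookie(v) if k.lower() == "set-cookie" else v)
            for k, v in headers]


# Constructed origin response: three cookies in different states.
ORIGIN_HEADERS: List[Header] = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/"),                    # lacks both
    ("Set-Cookie", "theme=dark; Path=/; Max-Age=3600; httponly"),   # lacks Secure
    ("Set-Cookie", "csrf=xyz; Secure; HttpOnly; SameSite=Strict"),  # already hardened
]


def scan_report(headers: List[Header]) -> List[Tuple[str, List[str]]]:
    """What an AppScan-style check reports: cookie name and its missing attributes."""
    report = []
    for k, v in headers:
        if k.lower() == "set-cookie":
            name = parse_set_cookie(v)[0].split("=", 1)[0]
            missing = missing_security_attributes(v)
            if missing:
                report.append((name, missing))
    return report


if __name__ == "__main__":
    print("before:", scan_report(ORIGIN_HEADERS))
    hardened = harden_response_headers(ORIGIN_HEADERS, client_https=True)
    for k, v in hardened:
        print(f"{k}: {v}")
    print("after:", scan_report(hardened))
```

The `client_https` guard is the part worth keeping in mind when reading the feature: the attribute is only useful, and only safe to force, on a site that clients reach over TLS, which is why the console ties the switch to Client Protocol being HTTPS.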
February 2024

| No. | Feature | Description | Phase | Document |
|---|---|---|---|---|
| 1 | JS Challenge supported for Protection Action in precise protection rules | The Protection Action in precise protection rules can be set to JS Challenge. With JS Challenge, WAF returns to the client a piece of JavaScript code that a normal browser executes automatically. If the client executes the code properly, WAF allows all requests from that client for a period of time (30 minutes by default), during which no further verification is required. If the client fails to execute the code, WAF blocks its requests. | Commercial use | |
| 2 | CNAME access and ELB access to cloud WAF | The ELB access mode is included as one of the cloud access modes. When adding your website to WAF, you can select Cloud - CNAME or Cloud - Load balancer for Protection. | Commercial use | |
| 3 | The OR relationship can be used for condition groups in global protection whitelist | When configuring a global protection whitelist rule, you can add three groups of conditions. These groups are in the OR relationship: the rule takes effect if any of the three condition groups is matched. | Commercial use | Configuring a Global Protection Whitelist Rule to Ignore False Alarms |
November 2023

| No. | Feature | Description | Phase | Document |
|---|---|---|---|---|
| 1 | ELB-mode WAF available | If your service servers are deployed on Huawei Cloud, you can add the domain name or IP address of the website to ELB-mode WAF so that the website traffic can be forwarded to ELB-mode WAF for inspection. | Commercial use | |
August 2023

| No. | Feature | Description | Phase | Document |
|---|---|---|---|---|
| 1 | Renaming Bandwidth Expansion Package as QPS Expansion Package | The bandwidth expansion package is officially renamed QPS expansion package. The service bandwidth limit is the amount of normal traffic a WAF instance can protect. A QPS expansion package contains: | Commercial use | |
| 2 | Requests to All WAF instances counted for triggering a CC attack protection rule | If Protective Action in a CC attack protection rule is set to Verification code, you can set a time range for Lock Verification. If a visitor fails verification code authentication, verification is required for all access requests within the specified period. | Commercial use | |
| 3 | Periodic security reports | WAF can generate daily, weekly, monthly, or custom security reports based on the report template you have created. Reports are sent to you by the method and within the time range you configure. | Commercial use | |
| 4 | Obtaining IP addresses from the network layer | If you want to use the TCP connection IP address as the client IP address, set IP Tag to $remote_addr. | Commercial use | |
May 2023

| No. | Feature | Description | Phase | Document |
|---|---|---|---|---|
| 1 | Migrating domain names to other enterprise projects | WAF allows you to share domain names of an enterprise project with other enterprise projects. | Commercial use | |
| 2 | Forwarding custom header fields | You can use WAF to add additional header information, for example, $request_id, to correlate requests across the entire chain. WAF follows your configuration to insert the additional fields into the header and forwards the requests to the origin servers. Note that the key of a custom header field cannot be the same as any native Nginx field. | Commercial use | |
| 3 | TLS v1.3 supported | WAF supports TLS v1.3. TLS v1.3 is incompatible with other TLS versions. | Commercial use | |
| 4 | Protective action Log only supported for information leakage prevention rules | Protective Action for information leakage prevention rules can be set to Log only. | Commercial use | |
| 5 | Caching user-defined header fields | WAF can cache user-defined header fields. In the upper part of the page, click Modify Field to configure the header fields you want WAF to cache. | Commercial use | |
August 2022

| No. | Feature | Description | Phase | Document |
|---|---|---|---|---|
| 1 | Certificate expiration alarms | WAF provides a more user-friendly alarm notification page, which now includes alarms for certificates that are about to expire. | Commercial use | |
July 2022

| No. | Feature | Description | Phase | Document |
|---|---|---|---|---|
| 1 | Requests to all WAF instances counted for a CC attack protection rule | All WAF instances: This feature lets WAF count identified requests on one or more WAF instances according to the rate limit mode you select. By default, requests to each WAF instance are counted separately for triggering a CC attack rule. If you enable this, WAF counts requests to all your WAF instances for triggering the rule. To enable user-based rate limiting, Per user or Other (Referer must be configured) must be selected for Rate Limit Mode instead of Per IP address, because IP address-based rate limiting cannot limit the access rate of a specific user. In user-based rate limiting, however, a user's requests may be forwarded to one or more WAF instances, so All WAF instances must be enabled for the rule to trigger precisely. | Commercial use | |
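The description above explains why user-based rate limiting needs requests counted across all WAF instances rather than per instance. The following Python is added here and is not Huawei Cloud WAF code: it simulates both counting modes over a constructed request sample spread round-robin across three instances, keyed per IP address, per user (cookie) or per Referer, and shows which mode trips the rule. The request fields, the round-robin distribution, the threshold and the function names are assumptions made for the demo.

```python
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, List, Set

# Added example, not Huawei Cloud WAF code. It models the "All WAF instances"
# switch of a CC attack protection rule: identical requests are counted either
# per WAF instance or in one shared counter, keyed per IP address, per user
# (cookie) or per Referer. Request fields and the sample traffic are constructed.

Request = Dict[str, object]  # ts (seconds), ip, cookie, referer, path


def key_per_ip(r: Request) -> str:
    return str(r["ip"])


def key_per_user(r: Request) -> str:
    return str(r["cookie"])


def key_per_referer(r: Request) -> str:
    return str(r["referer"])


class SlidingWindowCounter:
    """Counts requests per key within the last `window` seconds."""

    def __init__(self, window: float) -> None:
        self.window = window
        self.hits: Dict[str, Deque[float]] = defaultdict(deque)

    def add(self, key: str, ts: float) -> int:
        q = self.hits[key]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop hits that fell out of the window
            q.popleft()
        return len(q)


def evaluate(requests: List[Request], key_fn: Callable[[Request], str], limit: int,
             window: float, instances: int, all_instances: bool) -> Set[str]:
    """Return the keys that trip the rule (more than `limit` hits per window).

    Requests are spread round-robin across `instances` WAF instances, as a load
    balancer in front of several instances would (an assumption of this demo).
    With all_instances=False every instance keeps its own counter; with
    all_instances=True one shared counter sees every request.
    """
    n_counters = 1 if all_instances else instances
    counters = [SlidingWindowCounter(window) for _ in range(n_counters)]
    tripped: Set[str] = set()
    ordered = sorted(requests, key=lambda r: float(r["ts"]))
    for i, r in enumerate(ordered):
        counter = counters[i % n_counters]
        if counter.add(key_fn(r), float(r["ts"])) > limit:
            tripped.add(key_fn(r))
    return tripped


def build_sample() -> List[Request]:
    """Constructed traffic: one session id seen from three source addresses
    (TEST-NET-2), 12 requests within 4.4 seconds, plus two requests from a normal user."""
    ips = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]
    reqs: List[Request] = [
        {"ts": i * 0.4, "ip": ips[i % 3], "cookie": "sid=abuser",
         "referer": "https://abuser.example/", "path": "/login"}
        for i in range(12)
    ]
    for ts in (1.0, 3.0):
        reqs.append({"ts": ts, "ip": "203.0.113.7", "cookie": "sid=alice",
                     "referer": "https://shop.example/", "path": "/login"})
    return reqs


if __name__ == "__main__":
    sample = build_sample()
    limit, window, instances = 5, 10.0, 3
    print("per IP, all instances:   ", evaluate(sample, key_per_ip, limit, window, instances, True))
    print("per user, per instance:  ", evaluate(sample, key_per_user, limit, window, instances, False))
    print("per user, all instances: ", evaluate(sample, key_per_user, limit, window, instances, True))
```

With a limit of 5 requests per window, the per-IP count never trips because no single address exceeds it, and the per-user count split over three instances sees at most 5 hits on any one instance; only the shared counter reaches the 12 requests that belong to one session and blocks it. That is the gap the All WAF instances switch closes.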
June 2022

| No. | Feature | Description | Phase | Document |
|---|---|---|---|---|
| 1 | Global protection whitelist rules supported | If All protection is selected for Ignore WAF Protection, all WAF rules, including basic web protection rules and custom rules, stop blocking payloads that hit WAF rules. | Commercial use | Configuring a Global Protection Whitelist (Formerly False Alarm Masking) Rule |
| 2 | Shiro decryption check available | The Shiro decryption check is included in Basic Web Protection. After you enable this check, WAF uses AES and Base64 to decrypt the rememberMe field in cookies and checks whether this field carries an attack. Hundreds of known leaked keys are included and checked for. | Commercial use | |
May 2022

| No. | Feature | Description | Phase | Document |
|---|---|---|---|---|
| 1 | Modifiable false alarm masking rules | You can modify the false alarm masking rules you add. | Commercial use | Configuring a Global Protection Whitelist (Formerly False Alarm Masking) Rule |
April 2022

| No. | Feature | Description | Phase | Document |
|---|---|---|---|---|
| 1 | Intelligent access control against CC attacks | If you enable intelligent access control, WAF uses built-in AI-powered models to analyze traffic to your website, identify CC attacks and abnormal features in HTTP requests on the origin server, and generate specific precise protection and access control rules for your website. In this way, WAF can automatically protect your website from CC attacks. | Commercial use | |
| 2 | Website connection timeout protection | WAF allows you to set the timeout period for each request of a domain name. You can set the connection, read, and write timeout periods. | Commercial use | |
| 3 | HTTP/2 protocol | If your website is accessible over the HTTP/2 protocol, enable HTTP/2 in WAF. The HTTP/2 protocol can be used only for access between the client and WAF, on the condition that at least one origin server uses HTTPS for Client Protocol. | Commercial use | |
| 4 | IPv6 protection | WAF allows you to enable IPv6 protection for websites on the WAF console. After you enable IPv6 protection, WAF assigns an IPv6 address to your domain name so that your website can be reached using the IPv6 address. WAF adds IPv6 address resolution to CNAME record sets by default. IPv6 access requests are forwarded to WAF first; WAF detects and filters out malicious attack traffic and returns normal traffic to the origin server, keeping the origin server secure, stable, and available. | Commercial use | |
| 5 | Breakdown protection and connection protection | If a large number of 502 Bad Gateway and 504 Gateway Timeout errors are detected, you can enable WAF breakdown protection and connection protection to let WAF suspend your website and protect your origin servers from crashing. When the number of 502/504 error requests and pending URL requests reaches the thresholds you configure, WAF enables the corresponding protection for your website. | Commercial use | |
| 6 | Load balancing algorithms | If you configure one or more origin server addresses, you can use a load balancing algorithm to distribute traffic across these origin servers. WAF supports the following algorithms: | Commercial use | |
December 2021

| No. | Feature | Description | Phase | Document |
|---|---|---|---|---|
| 1 | New geolocation access control rule configuration available | In the new geolocation access control rule configuration, countries and regions can be selected in batches. | Commercial use | |
| 2 | Cloud Eye available to WAF | Cloud Eye monitors the metrics of WAF, so that you can understand the protection status of WAF in a timely manner and set protection policies accordingly. | Commercial use | |
August 2021

| No. | Feature | Description | Phase | Document |
|---|---|---|---|---|
| 1 | Rename WAF editions | WAF Professional edition is renamed Standard edition, Enterprise edition is renamed Professional edition, and Premium edition is renamed Platinum edition. | Commercial use | |
July 2021

| No. | Feature | Description | Phase | Document |
|---|---|---|---|---|
| 1 | WAF console entry description changed | The access entry description is changed from Security to Security & Compliance. | Commercial use | |
| 2 | Information on the Certificates page changed | Information on the Certificates page is reorganized. | Commercial use | |
April 2021

| No. | Feature | Description | Phase | Document |
|---|---|---|---|---|
| 1 | Rule packages available | Rule expansion packages are available on the purchase and upgrade pages. | Commercial use | |
| 2 | WAF purchase page optimized | On the purchase page, a page for upgrading specifications is added. | Commercial use | |
March 2021

| No. | Feature | Description | Phase | Document |
|---|---|---|---|---|
| 1 | Product Details page available | On the Product Details page, you can view information about all your WAF instances, including the edition, domain quotas, and specifications. | Commercial use | |
February 2021

| No. | Feature | Description | Phase | Document |
|---|---|---|---|---|
| 1 | Enterprise management available | You can manage WAF resources by enterprise project and set user permissions for each enterprise project. | Commercial use | |
| 2 | Header detection available | WAF adds header detection in the basic web protection module. | Commercial use | |
January 2021

| No. | Feature | Description | Phase | Document |
|---|---|---|---|---|
| 1 | Cloud WAF instances billed on a pay-per-use basis available | Cloud WAF instances billed on a pay-per-use basis are available. | Commercial use | |
December 2020

| No. | Feature | Description | Phase | Document |
|---|---|---|---|---|
| 1 | Cloud WAF instances billed on a pay-per-use basis unavailable | Cloud WAF instances billed on a pay-per-use basis are discontinued. | Commercial use | |
| 2 | Optimizing user experience of anti-crawler function | The website anti-crawler protection uses the feature library and JS scripts to defend against bad crawlers. | Commercial use | |
October 2020

| No. | Feature | Description | Phase | Document |
|---|---|---|---|---|
| 1 | Changing specifications of pay-per-use cloud WAF | Specifications of pay-per-use cloud WAF are changed. | Commercial use | |
September 2020

| No. | Feature | Description | Phase | Document |
|---|---|---|---|---|
| 1 | Pay-per-use cloud WAF | WAF offers cloud WAF instances that can be billed on a pay-per-use basis (postpaid billing mode). You can enable or disable a cloud WAF instance anytime. | Commercial use | |
August 2020

| No. | Feature | Description | Phase | Document |
|---|---|---|---|---|
| 1 | One-click enabling of PCI DSS/3DS compliance check | WAF allows you to enable PCI DSS and PCI 3DS certification checks. After PCI DSS or PCI 3DS certification check is enabled, the minimum TLS version is automatically set to TLS v1.2 to meet the PCI DSS and PCI 3DS certification requirements. The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes. PCI 3-Domain Secure (PCI 3DS) is a PCI Core Security Standard. | Commercial use | |
| 2 | Known attack source rules | If WAF blocks a malicious request by IP address, Cookie, or Params, you can configure a known attack source rule to let WAF automatically block all requests from the attack source for the blocking duration set in the rule. For example, if a blocked malicious request originates from an IP address (192.168.1.1) and you set the blocking duration to 500 seconds, WAF blocks the IP address for 500 seconds after the known attack source rule takes effect. | Commercial use | |
| 3 | Certificate management | You can create or delete certificates in WAF. The number of certificates that can be created in WAF is the same as the number of domain names that can be protected by WAF. | Commercial use | |
| 4 | Viewing details about basic web protection rules | You can view the CVE ID, Risk Severity, Application Type, and Protection Type of a basic web protection rule. | Commercial use | |
July 2020

| No. | Feature | Description | Phase | Document |
|---|---|---|---|---|
| 1 | TLS cipher suite 4 | Cipher suite 4 supports the following cryptographic algorithms: | Commercial use | |
June 2020

| No. | Feature | Description | Phase | Document |
|---|---|---|---|---|
| 1 | Optimizing user experience of anti-crawler function | When you enable the anti-crawler function, a warning dialog box is displayed, describing the restrictions on using the anti-crawler function. | Commercial use | |
May 2020

| No. | Feature | Description | Phase | Document |
|---|---|---|---|---|
| 1 | Fine-grained permission management | With policy-based fine-grained permission management, you can manage permissions based on the principle of least privilege. For example, you can grant permissions for a certain WAF operation or a specific resource under certain conditions. | Commercial use | |
| 2 | Professional edition available | The professional edition is suitable for small- and medium-sized websites that do not have special security requirements. | Commercial use | |
April 2020

| No. | Feature | Description | Phase | Document |
|---|---|---|---|---|
| 1 | LTS for WAF logging | After you authorize WAF to access Log Tank Service (LTS), the WAF logs recorded by LTS are available for you to quickly and efficiently perform real-time decisive analysis, device O&M management, and service trend analysis. | Commercial use | |
March 2020

| No. | Feature | Description | Phase | Document |
|---|---|---|---|---|
| 1 | New console | The new WAF console provides you with a better experience. | Commercial use | |
February 2020

| No. | Feature | Description | Phase | Document |
|---|---|---|---|---|
| 1 | Protection against Apache Dubbo Deserialization vulnerability | On February 10, 2020, Apache Dubbo officially released the CVE-2019-17564 vulnerability notice, and the vulnerability severity is medium. Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to completely compromise a Provider instance of Apache Dubbo, if this instance enables HTTP. Now, HUAWEI CLOUD WAF provides protection against this vulnerability. | Commercial use | |
January 2020

| No. | Feature | Description | Phase | Document |
|---|---|---|---|---|
| 1 | Multiple cipher suites available in TLS configuration | When Client Protocol of your website is set to HTTPS, you can set a cipher suite (a set of multiple cryptographic algorithms) for the website to meet industry security requirements. | Commercial use | |
December 2019

| No. | Feature | Description | Phase | Document |
|---|---|---|---|---|
| 1 | Customization of alarm pages | If a visitor is blocked by WAF, the Default block page of WAF is returned by default. You can also configure Custom or Redirection for the block page to be returned as required. | Commercial use | |
October 2019

| No. | Feature | Description | Phase | Document |
|---|---|---|---|---|
| 1 | Refined defense against CC attacks | You can customize a CC attack protection rule to restrict access to a specific URL on your website based on an IP address, cookie, or Referer, mitigating CC attacks. | Commercial use | |
September 2019

| No. | Feature | Description | Phase | Document |
|---|---|---|---|---|
| 1 | Defense against a DoS vulnerability in the open-source component Fastjson | On September 3, 2019, the HUAWEI CLOUD security team detected a DoS vulnerability in multiple versions of the widely used open-source component Fastjson. An attacker can exploit this vulnerability to construct malicious requests and send them to a server that uses Fastjson. As a result, the memory and CPU of the server are used up and the server breaks down, causing a service breakdown. HUAWEI CLOUD WAF provides protection against this vulnerability. | Commercial use | |
August 2019

| No. | Feature | Description | Phase | Document |
|---|---|---|---|---|
| 1 | Adding remarks to a user-defined protection rule | When you add a user-defined protection rule, you can add remarks for the rule to facilitate rule management. | Commercial use | |
July 2019

| No. | Feature | Description | Phase | Document |
|---|---|---|---|---|
| 1 | Defense against Fastjson remote code execution vulnerabilities | On July 12, 2019, the HUAWEI CLOUD Emergency Response Center detected that the open-source component Fastjson had a remote code execution vulnerability. This vulnerability is an extension of the deserialization vulnerability of Fastjson 1.2.24 detected in 2017 and can be directly used to obtain server permissions, causing serious damage. WAF can protect your websites against Fastjson remote code execution vulnerabilities. | Commercial use | |
April 2019

| No. | Feature | Description | Phase | Document |
|---|---|---|---|---|
| 1 | Defense against Oracle WebLogic wls9-async deserialization remote command execution vulnerabilities (CNVD-C-2019-48814) | On April 17, 2019, the HUAWEI CLOUD Emergency Response Center detected that China National Vulnerability Database (CNVD) released a security bulletin on the Oracle WebLogic wls9-async component. The component has a defect in deserializing input information. Attackers can send well-constructed malicious HTTP requests to obtain the permission of the target server and execute arbitrary code remotely without authorization. CNVD rates the vulnerability as "high-risk." WAF can protect your websites against Oracle WebLogic wls9-async deserialization remote command execution vulnerabilities (CNVD-C-2019-48814). | Commercial use | |
| 2 | Configuration of the TLS protocol | When Client Protocol of your website is set to HTTPS, you can set the minimum TLS version for your website to meet industry security requirements. | Commercial use | |
March 2019

| No. | Feature | Description | Phase | Document |
|---|---|---|---|---|
| 1 | A new field supported in precise protection rules | You can configure a precise protection rule to allow or block requests based on the content in the HTTP field. | Commercial use | |
February 2019

| No. | Feature | Description | Phase | Document |
|---|---|---|---|---|
| 1 | WebSocket/WebSockets supported | WAF can check WebSocket and WebSockets requests, which is enabled by default. | Commercial use | |
December 2018

| No. | Feature | Description | Phase | Document |
|---|---|---|---|---|
| 1 | Customization of alarm notification sending frequency | The frequency at which alarm notifications are sent can be customized. | Commercial use | |
| 2 | Support for the query of attack logs | Attack logs can be queried to learn about the security status of service networks. | Commercial use | |
October 2018

| No. | Feature | Description | Phase | Document |
|---|---|---|---|---|
| 1 | Support for wildcard domain names | If the server IP address of each subdomain name is the same, enter a wildcard domain name to be protected. For example, if the subdomains a.example.com, b.example.com, and c.example.com have the same server IP address, you can directly add the wildcard domain name *.example.com to WAF for protection. | Commercial use | |
June 2018

| No. | Feature | Description | Phase | Document |
|---|---|---|---|---|
| 1 | Support for detecting CC attacks based on the Referer field | CC attacks can be detected based on the Referer field, which makes defense against CC attacks more accurate. | Commercial use | |
| 2 | Support for the use of domain names for forwarding traffic back to the original server | Domain names can be used for forwarding traffic back to the original server. | Commercial use | |
May 2018

| No. | Feature | Description | Phase | Document |
|---|---|---|---|---|
| 1 | This issue is the first official release | Web Application Firewall (WAF) keeps web services stable and secure. It examines all HTTP and HTTPS requests to detect and block the following attacks: Structured Query Language (SQL) injection, cross-site scripting (XSS), web shells, command and code injections, file inclusion, sensitive file access, third-party vulnerability exploits, Challenge Collapsar (CC) attacks, malicious crawlers, and cross-site request forgery (CSRF). | Commercial use | |