What's New
The tables below describe the functions released in each Web Application Firewall version and corresponding documentation updates. New features will be successively launched in each region.
April, 2024
No. | Feature | Description | Phase | Related Documents
---|---|---|---|---
1 | JS Challenge supported for Protective Action in CC attack protection rules | The Protective Action in CC attack protection rules can be set to JS Challenge. JS Challenge: WAF returns to the client a piece of JavaScript code that a normal browser executes automatically. If the client executes the JavaScript code correctly, WAF allows all requests from that client for a period of time (30 minutes by default), during which no further verification is required. If the client fails to execute the code, WAF blocks its requests. | Commercial use |
2 | Cookie security attributes | If you set Client Protocol to HTTPS, you can enable Cookie Security Attributes. When enabled, the HttpOnly and Secure attributes of cookies are set to true. Cookies are inserted by back-end web servers and can be set through framework configuration or the Set-Cookie header. The Secure and HttpOnly attributes help defend against attacks such as XSS used to steal cookies, and against cookie hijacking. If the AppScan scanner detects that a site does not add security fields such as HttpOnly and Secure to the cookie of a scan request, it records this as a security threat. | Commercial use |
3 | Protection Overview part added on the Dashboard page | The Protection Overview part displays the following data: | Commercial use |
4 | IP address ranges 0.0.0.0/0 and ::/0 supported for IP address blacklist and whitelist rules | You can configure the 0.0.0.0/0 and ::/0 IP address ranges in IP address blacklist and whitelist rules to block all IPv4 and all IPv6 traffic, respectively. | Commercial use | Configuring IP Address Blacklist and Whitelist Rules to Block or Allow Specified IP Addresses
5 | Case-sensitive path supported by JavaScript-based anti-crawler rules | If a JavaScript-based anti-crawler rule is set to Protect all requests or Protect specified requests, a case-sensitive parameter is added to the condition list. When Field is set to Path, you can enable this parameter so that the rule matches paths case-sensitively. | Commercial use |
6 | Custom block page supported by precise protection rules | In a precise protection rule, if Protective Action is set to Block, a custom error page can be configured. | Commercial use |
February, 2024
No. | Feature | Description | Phase | Related Documents
---|---|---|---|---
1 | JS Challenge supported for Protection Action in precise protection rules | The Protection Action in precise protection rules can be set to JS Challenge. JS Challenge: WAF returns to the client a piece of JavaScript code that a normal browser executes automatically. If the client executes the JavaScript code correctly, WAF allows all requests from that client for a period of time (30 minutes by default), during which no further verification is required. If the client fails to execute the code, WAF blocks its requests. | Commercial use |
2 | CNAME access and ELB access to cloud WAF | The ELB access mode is included as one of the cloud access modes. When adding your website to WAF, you can select Cloud - CNAME or Cloud - Load balancer for Protection. | Commercial use |
3 | The OR relationship can be used for condition groups in the global protection whitelist | When configuring a global protection whitelist rule, you can add three groups of conditions. These groups are in an OR relationship: the rule takes effect if any of the three condition groups is matched. | Commercial use | Configuring a Global Protection Whitelist Rule to Ignore False Alarms
November, 2023
No. | Feature | Description | Phase | Related Documents
---|---|---|---|---
1 | ELB-mode WAF available | If your service servers are deployed on Huawei Cloud, you can add the domain name or IP address of the website to ELB-mode WAF so that the website traffic can be forwarded to ELB-mode WAF for inspection. | Commercial use |
August, 2023
No. | Feature | Description | Phase | Related Documents
---|---|---|---|---
1 | Renaming Bandwidth Expansion Package as QPS Expansion Package | The bandwidth expansion package is officially renamed QPS expansion package. The service bandwidth limit is the amount of normal traffic a WAF instance can protect. A QPS expansion package contains: | Commercial use |
2 | Requests to All WAF instances counted for triggering a CC attack protection rule | If Protective Action in a CC attack protection rule is set to Verification code, you can set a time range for Lock Verification. If a visitor fails verification code authentication, verification is required for all access requests within the specified period. | Commercial use |
3 | Periodic security reports | WAF can generate daily, weekly, monthly, or custom security reports based on the report template you have created. Reports are sent to you by the method and within the time range you configure. | Commercial use |
4 | Obtaining IP addresses from the network layer | If you want to use the TCP connection IP address as the client IP address, set IP Tag to $remote_addr. | Commercial use |
May, 2023
No. | Feature | Description | Phase | Related Documents
---|---|---|---|---
1 | Migrating domain names to other enterprise projects | WAF allows you to share domain names of an enterprise project with other enterprise projects. | Commercial use |
2 | Forwarding custom header fields | You can use WAF to add additional header information, for example $request_id, to correlate requests along the entire request path. WAF follows your configuration to insert the additional fields into the header and forwards the requests to the origin servers. Note that the key of a custom header field cannot be the same as any native Nginx header field. | Commercial use |
3 | TLS v1.3 supported | WAF supports TLS v1.3. TLS v1.3 is incompatible with other TLS versions. | Commercial use |
4 | Protective action Log only supported for information leakage prevention rules | Protective Action for information leakage prevention rules can be set to Log only. | Commercial use |
5 | Caching user-defined header fields | WAF can cache user-defined header fields. In the upper part of the page, click Modify Field to configure the header fields you want WAF to cache. | Commercial use |
August, 2022
No. | Feature | Description | Phase | Related Documents
---|---|---|---|---
1 | Certificate expiration alarms | The alarm notification page is more user-friendly and now includes alarms for certificates that are about to expire. | Commercial use |
July, 2022
No. | Feature | Description | Phase | Related Documents
---|---|---|---|---
1 | Requests to all WAF instances counted for a CC attack protection rule | All WAF instances: this option makes WAF count identified requests on one or more WAF instances according to the rate limit mode you select. By default, requests to each WAF instance are counted separately for triggering a CC attack rule. If you enable this option, WAF counts requests to all your WAF instances for triggering the rule. To enable user-based rate limiting, Per user or Other (Referer must be configured) must be selected for Rate Limit Mode instead of Per IP address, because IP address-based rate limiting cannot limit the access rate of a specific user. With user-based rate limiting, requests may be forwarded to one or more WAF instances, so All WAF instances must be enabled for the rule to trigger precisely. | Commercial use |
June, 2022
No. | Feature | Description | Phase | Related Documents
---|---|---|---|---
1 | Global protection whitelist rules supported | If All protection is selected for Ignore WAF Protection, all WAF rules, including basic web protection rules and custom rules, stop blocking payloads that hit those rules. | Commercial use | Configuring a Global Protection Whitelist (Formerly False Alarm Masking) Rule
2 | Shiro decryption check available | The Shiro decryption check is included in Basic Web Protection. After you enable this check, WAF uses AES and Base64 to decrypt the rememberMe field in cookies and checks whether this field carries an attack payload. Hundreds of known leaked keys are included and checked. | Commercial use |
May, 2022
No. | Feature | Description | Phase | Related Documents
---|---|---|---|---
1 | Modifiable false alarm masking rules | You can modify the false alarm masking rules you add. | Commercial use | Configuring a Global Protection Whitelist (Formerly False Alarm Masking) Rule
April, 2022
No. | Feature | Description | Phase | Related Documents
---|---|---|---|---
1 | Intelligent access control against CC attacks | If you enable intelligent access control, WAF uses built-in AI-powered models to analyze traffic to your website, identify CC attacks and abnormal features in HTTP requests to the origin server, and generate specific precise protection and access control rules for your website. In this way, WAF can automatically protect your website from CC attacks. | Commercial use |
2 | Website connection timeout protection | WAF allows you to set the timeout period for each request of a domain name. You can set the connection, read, and write timeout periods. | Commercial use |
3 | HTTP/2 protocol | If your website is accessible over the HTTP/2 protocol, enable HTTP/2 in WAF. HTTP/2 can be used only for access between the client and WAF, provided that at least one origin server uses HTTPS as the Client Protocol. | Commercial use |
4 | IPv6 protection | WAF allows you to enable IPv6 protection for websites on the WAF console. After you enable IPv6 protection, WAF assigns an IPv6 address to your domain name so that your website can be reached over IPv6. WAF adds IPv6 address resolution to CNAME record sets by default. IPv6 access requests are forwarded to WAF first; WAF detects and filters out malicious attack traffic and passes normal traffic to the origin server, keeping the origin server secure, stable, and available. | Commercial use |
5 | Breakdown protection and connection protection | If a large number of 502 Bad Gateway and 504 Gateway Timeout errors are detected, you can enable WAF breakdown protection and connection protection to let WAF suspend your website and protect your origin servers from crashing. When the number of 502/504 error requests or pending URL requests reaches the thresholds you configure, WAF enables the corresponding protection for your website. | Commercial use |
6 | Load balancing algorithms | If you configure one or more origin server addresses, you can use a load balancing algorithm to distribute traffic across these origin servers. WAF supports the following algorithms: | Commercial use |
December, 2021
No. | Feature | Description | Phase | Related Documents
---|---|---|---|---
1 | New geolocation access control rule configuration available | In the new geolocation access control rule configuration, countries and regions can be selected in batches. | Commercial use |
2 | Cloud Eye available to WAF | Cloud Eye monitors the metrics of WAF, so that you can understand the protection status of WAF in a timely manner and set protection policies accordingly. | Commercial use |
August, 2021
No. | Feature | Description | Phase | Related Documents
---|---|---|---|---
1 | WAF editions renamed | WAF Professional edition is renamed Standard edition, Enterprise edition is renamed Professional edition, and Premium edition is renamed Platinum edition. | Commercial use |
July, 2021
No. | Feature | Description | Phase | Related Documents
---|---|---|---|---
1 | WAF console entry description changed | The access entry description is changed from Security to Security & Compliance. | Commercial use |
2 | Information on the Certificates page changed | Information on the Certificates page is reorganized. | Commercial use |
April, 2021
No. | Feature | Description | Phase | Related Documents
---|---|---|---|---
1 | Rule packages available | Rule expansion packages are available on the purchase and upgrade pages. | Commercial use |
2 | WAF purchase page optimized | On the purchase page, a page for upgrading specifications is added. | Commercial use |
March, 2021
No. | Feature | Description | Phase | Related Documents
---|---|---|---|---
1 | Product Details page available | On the Product Details page, you can view information about all your WAF instances, including the edition, domain quotas, and specifications. | Commercial use |
February, 2021
No. | Feature | Description | Phase | Related Documents
---|---|---|---|---
1 | Enterprise management available | You can manage WAF resources by enterprise project and set user permissions for each enterprise project. | Commercial use |
2 | Header detection available | WAF adds header detection to the basic web protection module. | Commercial use |
January, 2021
No. | Feature | Description | Phase | Related Documents
---|---|---|---|---
1 | Cloud WAF instances billed on a pay-per-use basis available | Cloud WAF instances billed on a pay-per-use basis are available. | Commercial use |
December, 2020
No. | Feature | Description | Phase | Related Documents
---|---|---|---|---
1 | Cloud WAF instances billed on a pay-per-use basis unavailable | Cloud WAF instances billed on a pay-per-use basis are discontinued. | Commercial use |
2 | Optimizing user experience of anti-crawler function | Website anti-crawler protection uses the feature library and JS scripts to defend against malicious crawlers. | Commercial use |
October, 2020
No. | Feature | Description | Phase | Related Documents
---|---|---|---|---
1 | Changing specifications of pay-per-use cloud WAF | Specifications of pay-per-use cloud WAF are changed. | Commercial use |
September, 2020
No. | Feature | Description | Phase | Related Documents
---|---|---|---|---
1 | Pay-per-use cloud WAF | WAF offers cloud WAF instances that can be billed on a pay-per-use basis (postpaid billing mode). You can enable or disable a cloud WAF instance at any time. | Commercial use |
August, 2020
No. | Feature | Description | Phase | Related Documents
---|---|---|---|---
1 | One-click enabling of PCI DSS/3DS compliance check | WAF allows you to enable PCI DSS and PCI 3DS certification checks. After a PCI DSS or PCI 3DS certification check is enabled, the minimum TLS version is automatically set to TLS v1.2 to meet the PCI DSS and PCI 3DS certification requirements. The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes. PCI 3-Domain Secure (PCI 3DS) is a PCI Core Security Standard. | Commercial use |
2 | Known attack source rules | If WAF blocks a malicious request by IP address, Cookie, or Params, you can configure a known attack source rule to let WAF automatically block all requests from the attack source for the blocking duration set in the rule. For example, if a blocked malicious request originates from an IP address (192.168.1.1) and you set the blocking duration to 500 seconds, WAF blocks that IP address for 500 seconds after the known attack source rule takes effect. | Commercial use |
3 | Certificate management | You can create or delete certificates in WAF. The number of certificates that can be created in WAF is the same as the number of domain names that can be protected by WAF. | Commercial use |
4 | Viewing details about basic web protection rules | You can view the CVE ID, Risk Severity, Application Type, and Protection Type of a basic web protection rule. | Commercial use |
July, 2020
No. | Feature | Description | Phase | Related Documents
---|---|---|---|---
1 | TLS cipher suite 4 | Cipher suite 4 supports the following cryptographic algorithms: | Commercial use |
June, 2020
No. | Feature | Description | Phase | Related Documents
---|---|---|---|---
1 | Optimizing user experience of anti-crawler function | When you enable the anti-crawler function, a warning dialog box is displayed, describing the restrictions on using the anti-crawler function. | Commercial use |
May, 2020
No. | Feature | Description | Phase | Related Documents
---|---|---|---|---
1 | Fine-grained permission management | With policy-based fine-grained permission management, you can manage permissions based on the principle of least privilege. For example, you can grant permissions for a certain WAF operation or a specific resource under certain conditions. | Commercial use |
2 | Professional edition available | The professional edition is suitable for small- and medium-sized websites that do not have special security requirements. | Commercial use |
April, 2020
No. | Feature | Description | Phase | Related Documents
---|---|---|---|---
1 | LTS for WAF logging | After you authorize WAF to access Log Tank Service (LTS), the WAF logs recorded by LTS are available for you to quickly and efficiently perform real-time decision analysis, device O&M management, and service trend analysis. | Commercial use |
March, 2020
No. | Feature | Description | Phase | Related Documents
---|---|---|---|---
1 | New console | The new WAF console provides you with a better experience. | Commercial use |
February, 2020
No. | Feature | Description | Phase | Related Documents
---|---|---|---|---
1 | Protection against Apache Dubbo deserialization vulnerability | On February 10, 2020, Apache Dubbo officially released the CVE-2019-17564 vulnerability notice; the vulnerability severity is medium. Unsafe deserialization occurs within a Dubbo application which has HTTP remoting enabled. An attacker may submit a POST request with a Java object in it to completely compromise a Provider instance of Apache Dubbo, if this instance enables HTTP. HUAWEI CLOUD WAF now provides protection against this vulnerability. | Commercial use |
January, 2020
No. | Feature | Description | Phase | Related Documents
---|---|---|---|---
1 | Multiple cipher suites available in TLS configuration | When Client Protocol of your website is set to HTTPS, you can set a cipher suite (a set of multiple cryptographic algorithms) for the website to meet industry security requirements. | Commercial use |
December, 2019
No. | Feature | Description | Phase | Related Documents
---|---|---|---|---
1 | Customization of alarm pages | If a visitor is blocked by WAF, the Default block page of WAF is returned by default. You can also configure Custom or Redirection for the block page to be returned, as required. | Commercial use |
October, 2019
No. | Feature | Description | Phase | Related Documents
---|---|---|---|---
1 | Refined defense against CC attacks | You can customize a CC attack protection rule to restrict access to a specific URL on your website based on an IP address, cookie, or Referer, mitigating CC attacks. | Commercial use |
September, 2019
No. | Feature | Description | Phase | Related Documents
---|---|---|---|---
1 | Defense against a DoS vulnerability in the open-source component Fastjson | On September 3, 2019, the HUAWEI CLOUD security team detected a DoS vulnerability in multiple versions of the widely used open-source component Fastjson. An attacker can exploit this vulnerability by constructing malicious requests and sending them to a server that uses Fastjson. As a result, the memory and CPU of the server are exhausted and the server breaks down, causing a service outage. HUAWEI CLOUD WAF provides protection against this vulnerability. | Commercial use |
August, 2019
No. | Feature | Description | Phase | Related Documents
---|---|---|---|---
1 | Adding remarks to a user-defined protection rule | When you add a user-defined protection rule, you can add remarks for the rule to facilitate rule management. | Commercial use |
July, 2019
No. | Feature | Description | Phase | Related Documents
---|---|---|---|---
1 | Defense against Fastjson remote code execution vulnerabilities | On July 12, 2019, the HUAWEI CLOUD Emergency Response Center detected that the open-source component Fastjson had a remote code execution vulnerability. This vulnerability is an extension of the deserialization vulnerability of Fastjson 1.2.24 detected in 2017 and can be directly used to obtain server permissions, causing serious damage. WAF can protect your websites against Fastjson remote code execution vulnerabilities. | Commercial use |
April, 2019
No. | Feature | Description | Phase | Related Documents
---|---|---|---|---
1 | Defense against Oracle WebLogic wls9-async deserialization remote command execution vulnerabilities (CNVD-C-2019-48814) | On April 17, 2019, the HUAWEI CLOUD Emergency Response Center detected that the China National Vulnerability Database (CNVD) had released a security bulletin on the Oracle WebLogic wls9-async component. The component has a defect in deserializing input. Attackers can send crafted malicious HTTP requests to obtain permissions on the target server and execute arbitrary code remotely without authorization. CNVD rates the vulnerability as "high-risk." WAF can protect your websites against Oracle WebLogic wls9-async deserialization remote command execution vulnerabilities (CNVD-C-2019-48814). | Commercial use |
2 | Configuration of the TLS protocol | When Client Protocol of your website is set to HTTPS, you can set the minimum TLS version for your website to meet industry security requirements. | Commercial use |
March, 2019
No. | Feature | Description | Phase | Related Documents
---|---|---|---|---
1 | A new field supported in precise protection rules | You can configure a precise protection rule to allow or block requests based on the content of an HTTP field. | Commercial use |
February, 2019
No. | Feature | Description | Phase | Related Documents
---|---|---|---|---
1 | WebSocket/WebSockets supported | WAF can check WebSocket and WebSockets requests. This check is enabled by default. | Commercial use |
December, 2018
No. | Feature | Description | Phase | Related Documents
---|---|---|---|---
1 | Customization of alarm notification sending frequency | The sending frequency of alarm notifications can be customized. | Commercial use |
2 | Support for the query of attack logs | Attack logs can be queried to learn about the security status of service networks. | Commercial use |
October, 2018
No. | Feature | Description | Phase | Related Documents
---|---|---|---|---
1 | Support for wildcard domain names | If the server IP address of each subdomain name is the same, enter a wildcard domain name to be protected. For example, if the subdomains a.example.com, b.example.com, and c.example.com have the same server IP address, you can directly add the wildcard domain name *.example.com to WAF for protection. | Commercial use |
June, 2018
No. | Feature | Description | Phase | Related Documents
---|---|---|---|---
1 | Support for detecting CC attacks based on the Referer field | CC attacks can be detected based on the Referer field, which makes defense against CC attacks more accurate. | Commercial use |
2 | Support for the use of domain names for forwarding traffic back to the origin server | Domain names can be used for forwarding traffic back to the origin server. | Commercial use |
May, 2018
No. | Feature | Description | Phase | Related Documents
---|---|---|---|---
1 | This issue is the first official release | Web Application Firewall (WAF) keeps web services stable and secure. It examines all HTTP and HTTPS requests to detect and block the following attacks: Structured Query Language (SQL) injection, cross-site scripting (XSS), web shells, command and code injection, file inclusion, sensitive file access, third-party vulnerability exploits, Challenge Collapsar (CC) attacks, malicious crawlers, and cross-site request forgery (CSRF). | Commercial use |