Updated on 2025-11-10 GMT+08:00

Functions

WAF helps you protect services from various web security risks. The following sections describe the functions of WAF. For detailed information on the region availability of each feature, see the console.

Cloud Mode

Cloud mode is a cloud-based WAF deployment method. In this mode, Huawei Cloud WAF cluster resources are shared with all users. With this mode, you do not need to deploy any hardware or maintain the software. It is ready for use out of the box, highly available, and auto-scalable. You can select yearly/monthly or pay-per-use billing. For more details, see Buying a Cloud WAF Instance.

  • With cloud mode, you can select yearly/monthly (prepaid) billing and buy any of the following editions: Standard, Professional, and Enterprise.
  • With cloud mode, you can select CNAME or Load balancer access to connect your website to WAF.
  • If the domain name, QPS, bandwidth, or IP address blacklist/whitelist quota of the current edition (Standard, Professional, or Enterprise) you are using cannot meet your service requirements, you can buy domain name, QPS, or rule expansion packages to increase the quota.

Expansion Packages

If you have bought the cloud mode Standard, Professional, or Enterprise edition, you can buy Domain Expansion Package, QPS Expansion Package, or Rule Expansion Package to increase the quota accordingly. For more information, see

  • One domain name expansion package supports up to 10 domain names.
  • A QPS expansion package protects up to:
    • Service requests: 1,000 QPS
    • Service bandwidth: 20 Mbit/s (for origin servers not deployed on Huawei Cloud) or 50 Mbit/s (for origin servers deployed on Huawei Cloud).

      The bandwidth limit applies only to websites connected to WAF using cloud mode CNAME access. Websites connected to WAF using load balancer access are subject only to the QPS limit, not to a bandwidth limit.

  • A rule expansion package allows you to configure up to 10 IP address blacklist and whitelist rules.

Cloud Mode - CNAME

Cloud mode - CNAME access is a simple and fast website access method. In this mode, DNS resolves the protected domain name to the CNAME address of the WAF cluster. WAF detects and filters out malicious attack traffic and forwards normal traffic to the origin server through back-to-source IP addresses.

With this mode, you can protect web services deployed on our cloud, other clouds, and on-premises servers. The protected objects are domain names.

For details about the applicable scenarios, advantages, supported functions and specifications of CNAME access in cloud mode, see Edition Differences. For details about the access guide, see Connecting Your Website to WAF (Cloud Mode - CNAME Access).

Cloud Mode - Load Balancer Access

This mode is a website access method. You can deploy it within minutes. After your website is connected to WAF, the ELB load balancer mirrors the website traffic to WAF. WAF checks the mirrored traffic, filters out malicious traffic, and synchronizes the check result to the load balancer. The load balancer determines whether to forward client requests to the origin server based on the check result it receives.

With this mode, you can protect web services deployed on our cloud. The protected objects are domain names, public IP addresses, and private IP addresses.

For details about the applicable scenarios, advantages, supported functions and specifications of load balancer access in cloud mode, see Edition Differences. For details about the access guide, see Connecting Your Website to WAF (Cloud Mode - Load Balancer).

Dedicated Mode

With dedicated mode, you have completely isolated and independently deployed protection nodes. Your WAF instance performance will not be affected by attacks targeting other users' workloads in the cloud. This mode features dedicated resources, in-depth custom protection, high availability, and disaster recovery. For more details, see Buying a Dedicated WAF Instance.

  • The dedicated mode supports pay-per-use (postpaid) billing.
  • The dedicated mode supports Dedicated Mode access.
    • In dedicated mode, WAF is deployed in your VPC. You use WAF exclusively. WAF specifications are customizable. In this mode, after a website is connected to WAF, the website traffic is sent to WAF through an ELB load balancer. WAF blocks abnormal requests and forwards normal requests to the origin server over the back-to-source IP address of the dedicated WAF engine.
    • With this mode, you can protect web services deployed on our cloud. The protected objects are domain names, public IP addresses, and private IP addresses.
  • Dedicated WAF instances are not available in some regions. For details, see Notice on Web Application Firewall (Dedicated Mode) Discontinued.

Domain Name/IP Address Protection

WAF can protect domain names (including wildcard domain names, top-level domain names, and second-level domain names) and IP addresses (including public and private IP addresses). The protected objects vary depending on the access mode.
  • Cloud Mode - CNAME: protects your web applications that are accessible over domain names and are deployed on any clouds or in on-premises data centers.
  • Cloud Mode - Load balancer: protects your web applications that are deployed on Huawei Cloud and accessible over domain names or IP addresses (public or private IP addresses).
  • Dedicated Mode: protects your web applications that are deployed on Huawei Cloud and accessible over domain names or IP addresses (public or private IP addresses).

Protocol Protection

  • WAF can protect HTTP and HTTPS traffic for a website. You need to select HTTP or HTTPS when connecting a website to WAF. For details, see Connecting Your Website to WAF.
  • WAF can check WebSocket requests. This feature is enabled by default.
  • WAF supports the Server-Sent Events (SSE) protocol, which is enabled by default.

Port Protection

WAF can protect standard ports, such as 80 and 443, and a wide range of non-standard ports.

How WAF Engine Works

WAF engines will check user requests and responses returned by the origin server in a certain sequence and anonymize WAF logs according to the configurations.

Figure 1 WAF engine work process

Basic Web Protection

With an extensive preset reputation database, WAF defends against Open Web Application Security Project (OWASP) top 10 threats, vulnerability exploits, web shells, and other threats. For more details, see Configuring Basic Web Protection to Defend Against Common Web Attacks.

If you set Protective Action to Block, you can use the known attack source function. It means that if WAF blocks malicious requests from a visitor, you can enable this function to let WAF block requests from the same visitor for a period of time.

  • General Check

    WAF defends against attacks such as SQL injections, XSS, file inclusions, Bash vulnerabilities, remote command execution, directory traversal, sensitive file access, and command/code injections.

  • Web shell detection

    WAF detects web shells uploaded through upload interfaces.

  • Precise identification
    • WAF uses a built-in semantic analysis engine and a regex engine, and supports blacklist/whitelist rules, which reduces false positives.
    • WAF automatically decodes common encodings, however many times they are nested.

      WAF can decode the following encodings: url_encode, Unicode, XML, OCT, HEX, HTML escaping, Base64, case confusion, PHP serialization, Java serialization, UTF-7, mixed nested encoding, and concatenation of JavaScript, Shell, and PHP code.

  • Deep inspection

    WAF identifies and blocks evasion attacks, such as the ones that use homomorphic character obfuscation, command injection with deformed wildcard characters, UTF-7, data URI scheme, and other techniques.

  • Header detection

    WAF detects all header fields in the requests.

  • Shiro Decryption Check

    WAF uses AES and Base64 to decrypt the rememberMe field in cookies and checks whether the decrypted content is malicious.
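As an added example (not Huawei Cloud WAF code) of the decode-then-match step behind precise identification: the value is decoded one layer at a time until nothing changes or a depth bound is reached, and the signatures are run on the plain text. The signature set, the depth bound and the decoder subset (URL encoding, HTML escaping, Unicode escapes, Base64) are assumptions, a small slice of the encodings listed above.

```python
"""Added example (not Huawei Cloud WAF code): decode layered encodings to a
fixed point, then match, so that a value hidden under several encoding
layers is inspected as plain text."""
import base64
import binascii
import html
import re
from typing import Dict, Tuple
from urllib.parse import unquote

# Hypothetical, deliberately small signature set; a real engine carries far more.
SIGNATURES: Dict[str, re.Pattern] = {
    "sqli": re.compile(r"(?i)\bunion\b.+\bselect\b|'\s*or\s+1\s*=\s*1"),
    "traversal": re.compile(r"\.\./|\.\.\\"),
    "xss": re.compile(r"(?i)<script\b"),
}
MAX_LAYERS = 8  # decode bound: a decode bomb must not pin the engine

_B64 = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")
_UESC = re.compile(r"\\u([0-9a-fA-F]{4})")


def decode_once(value: str) -> str:
    """Strip one encoding layer; return the input unchanged if none applies."""
    if "%" in value:
        out = unquote(value)
        if out != value:
            return out
    if "&" in value:
        out = html.unescape(value)
        if out != value:
            return out
    if "\\u" in value:
        out = _UESC.sub(lambda m: chr(int(m.group(1), 16)), value)
        if out != value:
            return out
    if _B64.match(value):
        try:
            return base64.b64decode(value, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            pass
    return value


def normalize(value: str) -> Tuple[str, int]:
    """Decode until a fixed point or MAX_LAYERS; return (plain text, layers)."""
    layers = 0
    while layers < MAX_LAYERS:
        decoded = decode_once(value)
        if decoded == value:
            break
        value, layers = decoded, layers + 1
    return value, layers


def inspect(value: str) -> Dict[str, object]:
    """Match signatures on the raw value and again on the normalized value,
    so the caller sees what an engine without decoding would have missed."""
    plain, layers = normalize(value)
    return {
        "raw_hits": [n for n, rx in SIGNATURES.items() if rx.search(value)],
        "hits": [n for n, rx in SIGNATURES.items() if rx.search(plain)],
        "layers": layers,
        "plain": plain,
    }
```

The `raw_hits` list is empty for every layered input below while `hits` is not, which is exactly the gap that the decoding step closes.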

CC Attack Protection

You can configure custom CC attack protection rules to restrict access to a specific URL on your website based on a unique IP address, cookie, or referer field. This type of rule can greatly mitigate CC attacks. For more details, see Configuring CC Attack Protection Rules to Defend Against CC Attacks.

The All WAF instances function is supported for CC attack protection rules. This function allows WAF to count requests to all your WAF instances for rate limiting. By default, requests to each WAF instance are counted. If you enable this, WAF will count requests to all your WAF instances for triggering this rule.

  • With Cloud Mode - CNAME mode, this function is supported in the following regions: CN North-Beijing1, CN North-Beijing4, CN South-Guangzhou, CN East-Shanghai1, and CN East-Shanghai2.
  • In Dedicated Mode, this function is supported in the following regions: CN East-Shanghai1 and CN North-Ulanqab1. You can submit a service ticket to enable this function.
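As an added example (not Huawei Cloud WAF code) of the rule described above: a fixed-window limiter for one URL keyed by client IP address, cookie or referer, with the All WAF instances switch modelled as one shared counter scope instead of one scope per instance, and a timed block once the limit is exceeded. The rule fields, the request dict and the instance names are assumptions.

```python
"""Added example (not Huawei Cloud WAF code): CC rate limiting keyed by IP,
cookie or referer, counted per WAF instance or across all instances."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class CCRule:
    path: str                    # protected URL, e.g. "/login"
    key_by: str                  # "ip", "cookie" or "referer"
    cookie_name: str = ""        # used when key_by == "cookie"
    limit: int = 10              # requests allowed per window
    window: int = 60             # seconds
    block_for: int = 600         # seconds a key stays blocked after tripping
    all_instances: bool = False  # count requests across all WAF instances


@dataclass
class CCLimiter:
    rule: CCRule
    # (scope, key) -> (window_start, count); scope is an instance id, or "*"
    # when the rule counts across all instances
    counters: Dict[Tuple[str, str], Tuple[float, int]] = field(default_factory=dict)
    blocked_until: Dict[Tuple[str, str], float] = field(default_factory=dict)

    def _key(self, req: dict) -> Optional[str]:
        if self.rule.key_by == "ip":
            return req.get("ip")
        if self.rule.key_by == "cookie":
            return req.get("cookies", {}).get(self.rule.cookie_name)
        if self.rule.key_by == "referer":
            return req.get("headers", {}).get("referer")
        return None

    def check(self, req: dict, instance: str, now: float) -> str:
        """Return "n/a" (rule does not apply), "pass" or "block"."""
        if req.get("path") != self.rule.path:
            return "n/a"
        key = self._key(req)
        if key is None:
            return "pass"  # nothing to count on: a cookie rule cannot see a cookieless client
        scope = "*" if self.rule.all_instances else instance
        if self.blocked_until.get((scope, key), 0.0) > now:
            return "block"
        start, count = self.counters.get((scope, key), (now, 0))
        if now - start >= self.rule.window:
            start, count = now, 0  # window expired: start a fresh one
        count += 1
        self.counters[(scope, key)] = (start, count)
        if count > self.rule.limit:
            self.blocked_until[(scope, key)] = now + self.rule.block_for
            return "block"
        return "pass"
```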

Precise Protection

You can configure custom protection rules by combining HTTP headers, cookies, URLs, request parameters, and client IP addresses. For more details, see Configuring Precise Protection Rules.

Blacklist and Whitelist

You can configure blacklist and whitelist rules to block, log only, or allow access requests from specified IP addresses. For details, see Configuring IP Address Blacklist and Whitelist Rules to Block or Allow Specified IP Addresses.

You can add IP addresses or IP address ranges to an IP address group all at once for centralized management. You can use an IP address group when configuring a blacklist or whitelist rule. For more details, see Adding an IP Address Group.

Geolocation Access Control

You can configure custom rules to allow or block requests from a specific country or region. For more details, see Configuring Geolocation Access Control Rules to Block or Allow Requests from Specific Locations.

Web Tamper Protection

You can configure this type of rule to prevent a static web page from being tampered with. For more details, see Configuring Web Tamper Protection Rules to Prevent Static Web Pages from Being Tampered With.

Anti-Crawler Protection

This function dynamically analyzes website service models and accurately identifies crawler behavior based on data risk control and bot identification systems, such as JS Challenge. For details, see Configuring Anti-Crawler Rules.

Information Leakage Prevention

You can add two types of information leakage prevention rules.

  • Sensitive information filtering: prevents disclosure of sensitive information (such as ID numbers, phone numbers, and email addresses).
  • Response code interception: blocks specified HTTP status codes.

For more details, see Configuring Information Leakage Prevention Rules to Protect Sensitive Information from Leakage.

Global Protection Whitelist

You can configure this type of rule to let WAF ignore certain rules for specific requests. For details, see Configuring a Global Protection Whitelist Rule to Ignore False Alarms.

Data Masking

You can configure data masking rules to prevent sensitive data such as passwords from being displayed in event logs. For more details, see Configuring Data Masking Rules to Prevent Privacy Information Leakage.

Threat Intelligence Access Control

You can control access based on the IP address library of the Internet Data Center (IDC). For details, see Configuring Threat Intelligence Access Control Rules to Block or Allow IP Addresses in a Specified IP Address Library.

Scanning Protection

The scanning protection module identifies scanning behaviors and scanner features to prevent attackers or scanners from scanning websites at scale. WAF will automatically block heavy traffic web attacks and directory traversal attacks and block the source IP addresses for a period of time, helping reduce intrusion risks and junk traffic.

For details, see Configuring a Scanning Blocking Rule to Automatically Block Heavy-Traffic Attacks.

Bot Protection

With layered bot detection, WAF can accurately identify and manage bot behavior in website traffic, effectively reducing risks such as data leakage and performance deterioration caused by bot attacks. For details, see Configuring Bot Protection Rules to Defend Against Bot Behavior.

To enable this function, submit a service ticket.

AI Model Check

WAF offers prompt verification and response compliance checks. These functions help scan prompts and responses for inappropriate and non-compliant inputs and outputs, so that you can easily keep your LLM model inputs and outputs secure, stable, available, and legally compliant. For more details, see Configuring AI Model Check Rules to Ensure Security and Compliance of LLM Applications.

Known Attack Source Rules

If you set Protective Action to Block, you can use the known attack source function. It means that if WAF blocks malicious requests from a visitor, you can enable this function to let WAF block requests from the same visitor for a period of time. You need to use this function together with other rules, such as basic web protection, precise protection, and blacklist and whitelist rules. For more details, see Configuring a Known Attack Source Rule.

Reference Tables

When you configure a CC attack protection rule, bot rule, anti-crawler rule, or precise protection rule, if the Logic field in the Condition List area is set to Include any value, Exclude any value, Equal to any value, Not equal to any value, Prefix is any value, Prefix is not any value, Suffix is any value, or Suffix is not any value, you can select an appropriate reference table from the Content drop-down list. For more details, see Creating a Reference Table to Configure Protection Metrics in Batches.

PCI DSS/PCI 3DS Compliance Check and TLS

  • TLS has three versions (TLS v1.0, TLS v1.1, and TLS v1.2) and nine cipher suites. You can select the one that best fits your security needs.
  • WAF supports PCI DSS and PCI 3DS compliance check.

For more details, see Configuring PCI DSS/3DS Compliance Check and TLS.

HTTP/2

If you want to use HTTP/2 for access between the client and WAF, make sure that HTTPS is selected for Client Protocol on at least one origin server. For more details, see Enabling the HTTP/2 Protocol.

Response Body Length in Logs (Bytes)

You need to submit a service ticket to enable the response details function, and configure the length of the response body to be logged. In this way, WAF can display the response details and record the response body based on specified length. You can configure the response body length based on site requirements to make sure response bodies are recorded in event logs. For more details, see Configuring a Response Body Length in Logs.

Request and Response Header Forwarding

If you enable and configure request and response header forwarding, WAF inserts the fields you specify into the headers of requests and responses, then forwards the requests to your origin server and the responses to the client. This helps you distinguish requests from different sources and better analyze website operational status.

This function is only supported for cloud mode CNAME access and dedicated mode.

For more details, see Configuring Request and Response Header Forwarding.

Editing Response Page for Blocked Requests

If a visitor is blocked by WAF, the Default block page of WAF is returned by default. You can also configure Custom or Redirection for the block page to be returned as required.

For more details, see Modifying the Alarm Page.

Stopping WAF from Inserting Cookie Fields

This topic describes how to stop WAF from inserting the HWWAFSESTIME and HWWAFSESID fields into cookies. However, you should exercise caution when enabling this function. If WAF does not insert the HWWAFSESTIME and HWWAFSESID fields into cookies, CC attack protection rules (verification code), known attack source rules, and dynamic anti-crawler rules will be unable to work.

This function is only supported for cloud mode CNAME access and dedicated mode.

For more details, see Stopping WAF from Inserting Cookie Fields.

IPv6 Protection

  • WAF can inspect requests that use both IPv4 and IPv6 addresses for the same domain name.
  • WAF supports NAT64 for web services that still use the IPv4 protocol stack. NAT64 is an IPv6 translation mechanism that enables communications between IPv6 and IPv4 hosts through network address translation (NAT). With NAT64, WAF can convert IPv4 origin servers into IPv6 websites and convert IPv6 access traffic into IPv4 traffic.

For more details, see Enabling WAF IPv6 Protection.

Load Balancing Algorithms

If you configure one or more origin server addresses, you can use a load balancing algorithm to distribute traffic across these origin servers. WAF supports the following algorithms:

  • Origin server IP hash: Requests from the same IP address are routed to the same backend server.
  • Weighted round robin: All requests are distributed across origin servers in turn based on weights set to each origin server. The origin server with a larger weight receives more requests than others.
  • Session hash: Requests from the same session are routed to the same origin server. Ensure that you have configured a traffic identifier for a known attack source after adding the domain name. Otherwise, the session hash configuration does not take effect. For more details, see Configuring a Traffic Identifier for a Known Attack Source.

For more details, see Modifying the Load Balancing Algorithm.
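As an added example (not Huawei Cloud WAF code), the three origin selection algorithms listed above over a constructed origin table. Session hash takes the traffic identifier (the cookie or parameter the page says must be configured); when none is present it falls back to the IP hash, which is the assumed behaviour, not a documented one.

```python
"""Added example (not Huawei Cloud WAF code): origin server IP hash,
weighted round robin and session hash over a constructed origin table."""
import hashlib
from typing import Dict, List, Optional


class OriginPool:
    def __init__(self, origins: Dict[str, int]):
        # constructed: origin address -> weight, e.g. {"10.0.1.11": 3, "10.0.1.12": 1}
        self.origins: List[str] = list(origins)
        self.weights = origins
        self.current = {o: 0 for o in origins}  # smooth weighted round robin state

    def _hash_pick(self, key: str) -> str:
        # SHA-256 rather than hash(): stable across processes and restarts
        digest = hashlib.sha256(key.encode("utf-8")).digest()
        return self.origins[int.from_bytes(digest[:8], "big") % len(self.origins)]

    def ip_hash(self, client_ip: str) -> str:
        """Origin server IP hash: one client IP always lands on one origin."""
        return self._hash_pick("ip:" + client_ip)

    def session_hash(self, client_ip: str, session_id: Optional[str]) -> str:
        """Session hash: one session always lands on one origin even if the
        client IP changes; with no identifier the session rule cannot apply."""
        if session_id is None:
            return self.ip_hash(client_ip)
        return self._hash_pick("session:" + session_id)

    def weighted_round_robin(self) -> str:
        """Smooth weighted round robin: in every cycle of total-weight picks,
        each origin is chosen exactly weight times, interleaved rather than
        in one burst."""
        total = sum(self.weights.values())
        for o in self.origins:
            self.current[o] += self.weights[o]
        best = max(self.origins, key=lambda o: self.current[o])
        self.current[best] -= total
        return best
```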

Cookie Security Attributes

If you set Client Protocol to HTTPS, you can enable Cookie Security Attributes. If you enable this, the HttpOnly and Secure attributes of cookies will be set to true.

Cookies are inserted by back-end web servers, either through framework configuration or through the Set-Cookie header. The Secure and HttpOnly attributes help defend against attacks such as XSS attacks that steal cookies, and against cookie hijacking.

This function is only supported for cloud mode CNAME access and dedicated mode.

For more details, see Enabling Cookie Security Attributes.
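As an added example (not Huawei Cloud WAF code) of the response-side rewrite that the Cookie Security Attributes switch implies: every Set-Cookie header on a response gets HttpOnly and Secure appended when they are missing, and only when the client protocol is HTTPS. The header list shape and the function names are assumptions.

```python
"""Added example (not Huawei Cloud WAF code): audit Set-Cookie values for
HttpOnly/Secure and rewrite them at the proxy when the client side is HTTPS."""
from typing import List, Tuple

REQUIRED = ("httponly", "secure")


def missing_attributes(set_cookie: str) -> List[str]:
    """Audit helper: which of HttpOnly/Secure a Set-Cookie value lacks."""
    attrs = [p.strip() for p in set_cookie.split(";")[1:] if p.strip()]
    present = {a.split("=", 1)[0].strip().lower() for a in attrs}
    return [a for a in REQUIRED if a not in present]


def harden_set_cookie(set_cookie: str) -> str:
    """Append the missing attributes; existing attributes are kept as written
    (a cookie that already says 'secure' is not given a second Secure)."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    if not parts:
        return set_cookie
    label = {"httponly": "HttpOnly", "secure": "Secure"}
    return "; ".join(parts + [label[a] for a in missing_attributes(set_cookie)])


def harden_response_headers(headers: List[Tuple[str, str]],
                            client_https: bool) -> List[Tuple[str, str]]:
    """Rewrite Set-Cookie headers (any case) when the client side is HTTPS.
    Over plain HTTP a browser never returns a Secure cookie, which is why the
    page ties this switch to Client Protocol = HTTPS."""
    if not client_https:
        return list(headers)
    return [(name, harden_set_cookie(value) if name.lower() == "set-cookie" else value)
            for name, value in headers]
```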

Verification Code

If you select Verification code for Protective Action in a rule, you can change the response code of the verification page. To do so, you need to submit a service ticket. For details, see Submitting a Service Ticket. For more details, see Modifying a Verification Code.

Custom Log Trace IDs

You can configure custom log trace IDs. The header field in the request or response can be recorded to the custom_traceid field in WAF logs. For more details, see Configuring a Custom Log Trace ID.

This function is only supported for cloud mode CNAME access and dedicated mode.

Configuring a Traffic Identifier for a Known Attack Source

WAF allows you to configure traffic identifiers by IP address, session, or user tag to block possibly malicious requests from known attack sources based on IP address, Cookie, or Params. For more details, see Configuring a Traffic Identifier for a Known Attack Source.

JA3/JA4 Fingerprint Tags

JA3/JA4 is a fingerprinting technology for SSL/TLS client identification. By analyzing TLS handshake metadata, it generates unique fingerprints to distinguish different client applications. With dedicated mode, if a layer-7 reverse proxy (for example, ELB) is deployed in front of WAF and its fingerprint is transferred to WAF with the header field, you can configure the JA3/JA4 fingerprint tags for the domain name protected by WAF. Then, the fingerprints along with tags will be transferred to WAF. WAF processes requests based on the TLS fingerprint (JA3) and TLS fingerprint (JA4) configured in the precise protection rule. This can mitigate JA3/JA4 fingerprinting attacks.

For more details, see Configuring a JA3/JA4 Fingerprint Tag.

Configuring Website Connection Timeout

  • The default timeout for connections from a browser to WAF is 120 seconds. The value varies depending on your browser settings and cannot be changed on the WAF console.
  • The default timeout for connections between WAF and your origin server is 30 seconds. You can customize a timeout on the WAF console as long as you are using a dedicated WAF instance or professional or enterprise cloud WAF.

For details, see Configuring a Timeout for Connections Between WAF and a Website Server.

Break Protection

When the 502/504 error requests and pending URL requests reach the thresholds you configure, WAF enables corresponding protection for your website. For details, see Enabling Break Protection to Protect Origin Servers.

Protection Event Management

  • WAF allows you to view and handle false alarms for blocked or logged events.
  • You can download event data for the past five days.
  • You can use Log Tank Service (LTS) on Huawei Cloud to record all WAF logs, including attack and access logs.

For more details, see Querying a Protection Event.

Log Settings

After you authorize WAF to access Log Tank Service (LTS), you can use the WAF logs recorded by LTS for quick and efficient real-time analysis, device O&M management, and analysis of service trends.

Certificate Management

If you select HTTPS for Client Protocol when adding a website to WAF, an SSL certificate must be used for the website. You can upload a certificate to WAF. Then you can directly select the uploaded certificate for the protected website. You can delete expired or invalid certificates. For more details, see Uploading a Certificate to WAF.

Notifications

You can configure alarm rules for WAF to notify you of exceptions by email, SMS message, or another method you specify, so that you can handle exceptions in a timely manner and keep your website stable.

For more details, see Enabling Alarm Notifications.

GUI-based security data

WAF provides a GUI-based interface for you to monitor attack information and event logs in real time.

  • Centralized policy configuration

    On the WAF console, you can configure policies applicable to multiple protected domain names in a centralized manner so that the policies can be quickly delivered and take effect.

  • Traffic and event statistics

    WAF displays the number of requests, the number and types of security events, and log information in real time.

High Flexibility and Reliability

The service works across clusters and regions and supports load balancing. This can prevent single points of failure (SPOFs) and ensure smooth online capacity expansion, maximizing service stability.