Common Tasks
WAF provides a series of common practices for you. These practices can help you start WAF protection for your workloads quickly.
|
Practice |
Description |
|
|---|---|---|
|
Connecting a domain name to WAF |
If your website is not added to WAF, DNS resolves your domain name to the IP address of the origin server. If your website is added to WAF, DNS resolves your domain name to the CNAME of WAF. In this way, the traffic passes through WAF. WAF inspects every traffic coming from the client and filters out malicious traffic. This section describes how to change DNS settings for WAF to take effect. |
|
|
The combination of AAD and WAF can protect domain names deployed on Huawei Cloud, other clouds, or on-premises from DDoS attacks and web attacks, ensuring service continuity and reliability.
|
||
|
Combining CDN and WAF to Get Improved Protection and Load Speed |
The combination of CDN and WAF can protect websites on Huawei Cloud, other clouds, or on-premises and improve website response time. |
|
|
Combining WAF and Layer-7 Load Balancers to Protect Services over Any Ports |
This topic walks you through how to combine dedicated WAF instances and layer-7 load balancers to protect your services over non-standard ports that cannot be protected with WAF alone. For ports that can be protected with WAF, see Ports Supported by WAF. |
|
|
Using WAF, ELB, and NAT Gateway to Protect Services Not Deployed on Our Cloud |
By default, in cloud load balancer access mode, WAF can protect only workloads deployed on our cloud. If your origin servers are not deployed on our cloud, but you want to use WAF in this mode, you can use Network Address Translation (NAT) gateways to route traffic from Huawei Cloud to the public IP addresses of your origin server. Then, you can connect your website to WAF in cloud load balancer access mode to let WAF check your website traffic. |
|
|
Policy configuration |
This topic describes how Web Application Firewall (WAF) protects workloads in different scenarios. You can refer to configurations in this topic to make WAF work better for you. |
|
|
This section guides you through configuring IP address-based rate limiting and cookie-based protection rules against Challenge Collapsar (CC) attacks. |
||
|
WAF provides three anti-crawler policies, bot detection by identifying User-Agent, website anti-crawler by checking browser validity, and CC attack protection by limiting the access frequency, to help mitigate crawler attacks against your websites. |
||
|
Verifying a Global Protection Whitelist Rule by Simulating Requests with Postman |
After your website is connected to WAF, you can use an API test tool to send HTTP/HTTPS requests to the website and verify that WAF protection rules take effect. This topic uses Postman as an example to describe how to verify a global protection whitelist (formerly false alarm masking) rule. |
|
|
With HSS and WAF in place, you can stop worrying about web page tampering. |
||
|
LTS log analysis |
If you enable LTS for WAF logging, Log Tank Service (LTS) will log attack and access logs for WAF. With LTS, users can perform real-time decision analysis, device O&M management, and service trend analysis in a timely and efficient manner. |
|
|
Using LTS to Analyze How WAF Blocks Spring Core RCE Vulnerability |
This topic walks you through on how to enable the LTS quick analysis for WAF attack logs and use the Spring rule ID to quickly query and analyze the logs of the blocked Spring Core RCE vulnerabilities. |
|
|
This topic walks you through how to enable LTS quick analysis for WAF attack logs and configure alarm rules to analyze WAF attack logs and generate alarms. In this way, you can gain insight into the protection status of your workloads in WAF in real time and make informed decisions. |
||
|
Configuring TLS encryption |
Configuring the Minimum TLS Version and Cipher Suite to Better Secure Connections |
HTTPS is a network protocol constructed based on Transport Layer Security (TLS) and HTTP for encrypted transmission and identity authentication. When you add a domain name to WAF, set Client Protocol to HTTPS. Then, you can configure the minimum TLS version and cipher suite to harden website security. |
|
Protecting origin servers |
Configuring the Minimum TLS Version and Cipher Suite to Better Secure Connections |
HTTPS is a network protocol constructed based on Transport Layer Security (TLS) and HTTP for encrypted transmission and identity authentication. If a client uses HTTPS to access WAF, that is, the client protocol is set to HTTPS, you can configure the minimum TLS version and cipher suite for the domain name to ensure website security. |
|
Configuring ECS and ELB Access Control Policies to Protect Origin Servers |
This topic describes how to protect origin servers deployed on ECSs or added to ELB backend server groups. It helps you:
|
|
|
Obtaining real client IP addresses |
This topic describes how to obtain the client IP address from WAF and how to configure different types of web application servers, including Tomcat, Apache, Nginx, IIS 6, and IIS 7, to obtain the client IP address. |
|
|
Configuring Alarms on Cloud Eye for Abnormal WAF Metrics |
This topic describes how to create alarms for abnormal WAF metrics on Cloud Eye. So, you can learn about the WAF protection status in a timely manner. If there is something wrong, you can take actions in time. |
|
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
