diff --git a/umn/source/_static/images/en-us_image_0000001084031478.png b/umn/source/_static/images/en-us_image_0000001084031478.png new file mode 100644 index 0000000..6443d56 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001084031478.png differ diff --git a/umn/source/_static/images/en-us_image_0000001119487028.png b/umn/source/_static/images/en-us_image_0000001119487028.png new file mode 100644 index 0000000..8f1d810 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001119487028.png differ diff --git a/umn/source/_static/images/en-us_image_0000001124537874.png b/umn/source/_static/images/en-us_image_0000001124537874.png new file mode 100644 index 0000000..6443d56 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001124537874.png differ diff --git a/umn/source/_static/images/en-us_image_0000001162278415.png b/umn/source/_static/images/en-us_image_0000001162278415.png new file mode 100644 index 0000000..1ba9cd7 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001162278415.png differ diff --git a/umn/source/_static/images/en-us_image_0000001163672451.png b/umn/source/_static/images/en-us_image_0000001163672451.png new file mode 100644 index 0000000..2fafb07 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001163672451.png differ diff --git a/umn/source/_static/images/en-us_image_0000001166455750.png b/umn/source/_static/images/en-us_image_0000001166455750.png new file mode 100644 index 0000000..19b0e9b Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001166455750.png differ diff --git a/umn/source/_static/images/en-us_image_0000001166615726.png b/umn/source/_static/images/en-us_image_0000001166615726.png new file mode 100644 index 0000000..34e1a72 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001166615726.png differ 
diff --git a/umn/source/_static/images/en-us_image_0000001171626489.png b/umn/source/_static/images/en-us_image_0000001171626489.png new file mode 100644 index 0000000..4d7b749 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001171626489.png differ diff --git a/umn/source/_static/images/en-us_image_0000001179033432.png b/umn/source/_static/images/en-us_image_0000001179033432.png new file mode 100644 index 0000000..c36fd79 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001179033432.png differ diff --git a/umn/source/_static/images/en-us_image_0000001182095000.png b/umn/source/_static/images/en-us_image_0000001182095000.png new file mode 100644 index 0000000..38889db Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001182095000.png differ diff --git a/umn/source/_static/images/en-us_image_0000001133216533.jpg b/umn/source/_static/images/en-us_image_0000001188007266.jpg similarity index 100% rename from umn/source/_static/images/en-us_image_0000001133216533.jpg rename to umn/source/_static/images/en-us_image_0000001188007266.jpg diff --git a/umn/source/_static/images/en-us_image_0000001197423825.png b/umn/source/_static/images/en-us_image_0000001197423825.png new file mode 100644 index 0000000..89e26f8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001197423825.png differ diff --git a/umn/source/_static/images/en-us_image_0000001212095651.png b/umn/source/_static/images/en-us_image_0000001212095651.png new file mode 100644 index 0000000..19b0e9b Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001212095651.png differ diff --git a/umn/source/_static/images/en-us_image_0000001224193241.jpg b/umn/source/_static/images/en-us_image_0000001224193241.jpg new file mode 100644 index 0000000..cc595ad Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001224193241.jpg differ 
diff --git a/umn/source/_static/images/en-us_image_0000001226442037.png b/umn/source/_static/images/en-us_image_0000001226442037.png new file mode 100644 index 0000000..523c9de Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001226442037.png differ diff --git a/umn/source/_static/images/en-us_image_0000001226521449.png b/umn/source/_static/images/en-us_image_0000001226521449.png new file mode 100644 index 0000000..f716e4e Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001226521449.png differ diff --git a/umn/source/_static/images/en-us_image_0000001238531606.png b/umn/source/_static/images/en-us_image_0000001238531606.png deleted file mode 100644 index 6e43f2e..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001238531606.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001284790620.png b/umn/source/_static/images/en-us_image_0000001284790620.png deleted file mode 100644 index 9c0f873..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001284790620.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001284948512.png b/umn/source/_static/images/en-us_image_0000001284948512.png deleted file mode 100644 index 68a0f42..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001284948512.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001285028708.png b/umn/source/_static/images/en-us_image_0000001285028708.png deleted file mode 100644 index df03ee5..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001285028708.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001285178604.png b/umn/source/_static/images/en-us_image_0000001285178604.png deleted file mode 100644 index 1c0acd5..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001285178604.png and /dev/null differ 
diff --git a/umn/source/_static/images/en-us_image_0000001285643550.png b/umn/source/_static/images/en-us_image_0000001285643550.png deleted file mode 100644 index 1cc4085..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001285643550.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001286061432.png b/umn/source/_static/images/en-us_image_0000001286061432.png deleted file mode 100644 index 004f239..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001286061432.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001286879252.png b/umn/source/_static/images/en-us_image_0000001286879252.png new file mode 100644 index 0000000..f9db953 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001286879252.png differ diff --git a/umn/source/_static/images/en-us_image_0000001287754972.png b/umn/source/_static/images/en-us_image_0000001287754972.png new file mode 100644 index 0000000..f343bf9 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001287754972.png differ diff --git a/umn/source/_static/images/en-us_image_0000001337244713.png b/umn/source/_static/images/en-us_image_0000001337244713.png deleted file mode 100644 index b421966..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001337244713.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001337404641.png b/umn/source/_static/images/en-us_image_0000001337404641.png deleted file mode 100644 index 9d45c05..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001337404641.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001337470357.png b/umn/source/_static/images/en-us_image_0000001337470357.png deleted file mode 100644 index 843e8e9..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001337470357.png and /dev/null differ 
diff --git a/umn/source/_static/images/en-us_image_0000001337775421.png b/umn/source/_static/images/en-us_image_0000001337775421.png deleted file mode 100644 index 52f33ad..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001337775421.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001337778441.png b/umn/source/_static/images/en-us_image_0000001337778441.png deleted file mode 100644 index 4820eca..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001337778441.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001345013254.png b/umn/source/_static/images/en-us_image_0000001345013254.png deleted file mode 100644 index 7aabd8e..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001345013254.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001345013500.png b/umn/source/_static/images/en-us_image_0000001345013500.png deleted file mode 100644 index 3de8d42..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001345013500.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001345332674.png b/umn/source/_static/images/en-us_image_0000001345332674.png deleted file mode 100644 index 6148d7a..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001345332674.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001387002182.png b/umn/source/_static/images/en-us_image_0000001387002182.png new file mode 100644 index 0000000..f7523ca Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001387002182.png differ diff --git a/umn/source/_static/images/en-us_image_0000001395852973.png b/umn/source/_static/images/en-us_image_0000001395852973.png deleted file mode 100644 index 016757b..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001395852973.png and /dev/null differ 
diff --git a/umn/source/_static/images/en-us_image_0000001395853109.png b/umn/source/_static/images/en-us_image_0000001395853109.png deleted file mode 100644 index 73d421b..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001395853109.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001395970885.png b/umn/source/_static/images/en-us_image_0000001395970885.png deleted file mode 100644 index 425ca70..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001395970885.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001395972785.png b/umn/source/_static/images/en-us_image_0000001395972785.png deleted file mode 100644 index 7ff2470..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001395972785.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001396154617.png b/umn/source/_static/images/en-us_image_0000001396154617.png deleted file mode 100644 index 60c75eb..0000000 Binary files a/umn/source/_static/images/en-us_image_0000001396154617.png and /dev/null differ diff --git a/umn/source/_static/images/en-us_image_0000001285577484.png b/umn/source/_static/images/en-us_image_0000001435452489.png similarity index 100% rename from umn/source/_static/images/en-us_image_0000001285577484.png rename to umn/source/_static/images/en-us_image_0000001435452489.png diff --git a/umn/source/_static/images/en-us_image_0000001481373388.jpg b/umn/source/_static/images/en-us_image_0000001481373388.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001481373388.jpg differ diff --git a/umn/source/_static/images/en-us_image_0000001481692844.jpg b/umn/source/_static/images/en-us_image_0000001481692844.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001481692844.jpg differ 
diff --git a/umn/source/_static/images/en-us_image_0000001481693004.jpg b/umn/source/_static/images/en-us_image_0000001481693004.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001481693004.jpg differ diff --git a/umn/source/_static/images/en-us_image_0000001481851976.jpg b/umn/source/_static/images/en-us_image_0000001481851976.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001481851976.jpg differ diff --git a/umn/source/_static/images/en-us_image_0000001481908812.jpg b/umn/source/_static/images/en-us_image_0000001481908812.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001481908812.jpg differ diff --git a/umn/source/_static/images/en-us_image_0000001481908820.jpg b/umn/source/_static/images/en-us_image_0000001481908820.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001481908820.jpg differ diff --git a/umn/source/_static/images/en-us_image_0000001481959198.jpg b/umn/source/_static/images/en-us_image_0000001481959198.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001481959198.jpg differ diff --git a/umn/source/_static/images/en-us_image_0000001482063812.jpg b/umn/source/_static/images/en-us_image_0000001482063812.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001482063812.jpg differ diff --git a/umn/source/_static/images/en-us_image_0000001482067792.jpg b/umn/source/_static/images/en-us_image_0000001482067792.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001482067792.jpg differ 
diff --git a/umn/source/_static/images/en-us_image_0000001482072692.jpg b/umn/source/_static/images/en-us_image_0000001482072692.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001482072692.jpg differ diff --git a/umn/source/_static/images/en-us_image_0000001482227824.jpg b/umn/source/_static/images/en-us_image_0000001482227824.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001482227824.jpg differ diff --git a/umn/source/_static/images/en-us_image_0000001482228424.jpg b/umn/source/_static/images/en-us_image_0000001482228424.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001482228424.jpg differ diff --git a/umn/source/_static/images/en-us_image_0000001487940018.jpg b/umn/source/_static/images/en-us_image_0000001487940018.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001487940018.jpg differ diff --git a/umn/source/_static/images/en-us_image_0000001488605878.jpg b/umn/source/_static/images/en-us_image_0000001488605878.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001488605878.jpg differ diff --git a/umn/source/_static/images/en-us_image_0000001493489874.jpg b/umn/source/_static/images/en-us_image_0000001493489874.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001493489874.jpg differ diff --git a/umn/source/_static/images/en-us_image_0000001493652906.jpg b/umn/source/_static/images/en-us_image_0000001493652906.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001493652906.jpg differ 
diff --git a/umn/source/_static/images/en-us_image_0000001493806486.jpg b/umn/source/_static/images/en-us_image_0000001493806486.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001493806486.jpg differ diff --git a/umn/source/_static/images/en-us_image_0000001493990116.jpg b/umn/source/_static/images/en-us_image_0000001493990116.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001493990116.jpg differ diff --git a/umn/source/_static/images/en-us_image_0000001497159614.png b/umn/source/_static/images/en-us_image_0000001497159614.png new file mode 100644 index 0000000..02d6307 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001497159614.png differ diff --git a/umn/source/_static/images/en-us_image_0000001499416648.png b/umn/source/_static/images/en-us_image_0000001499416648.png new file mode 100644 index 0000000..c97fe43 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001499416648.png differ diff --git a/umn/source/_static/images/en-us_image_0000001499773388.png b/umn/source/_static/images/en-us_image_0000001499773388.png new file mode 100644 index 0000000..6224270 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001499773388.png differ diff --git a/umn/source/_static/images/en-us_image_0000001529293989.png b/umn/source/_static/images/en-us_image_0000001529293989.png new file mode 100644 index 0000000..3fcf4c4 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001529293989.png differ diff --git a/umn/source/_static/images/en-us_image_0000001532623045.jpg b/umn/source/_static/images/en-us_image_0000001532623045.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001532623045.jpg differ 
diff --git a/umn/source/_static/images/en-us_image_0000001532628161.jpg b/umn/source/_static/images/en-us_image_0000001532628161.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001532628161.jpg differ diff --git a/umn/source/_static/images/en-us_image_0000001532693109.jpg b/umn/source/_static/images/en-us_image_0000001532693109.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001532693109.jpg differ diff --git a/umn/source/_static/images/en-us_image_0000001532693205.jpg b/umn/source/_static/images/en-us_image_0000001532693205.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001532693205.jpg differ diff --git a/umn/source/_static/images/en-us_image_0000001532745961.jpg b/umn/source/_static/images/en-us_image_0000001532745961.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001532745961.jpg differ diff --git a/umn/source/_static/images/en-us_image_0000001532748653.jpg b/umn/source/_static/images/en-us_image_0000001532748653.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001532748653.jpg differ diff --git a/umn/source/_static/images/en-us_image_0000001532750637.jpg b/umn/source/_static/images/en-us_image_0000001532750637.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001532750637.jpg differ diff --git a/umn/source/_static/images/en-us_image_0000001532867165.jpg b/umn/source/_static/images/en-us_image_0000001532867165.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001532867165.jpg differ 
diff --git a/umn/source/_static/images/en-us_image_0000001532904513.jpg b/umn/source/_static/images/en-us_image_0000001532904513.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001532904513.jpg differ diff --git a/umn/source/_static/images/en-us_image_0000001533171269.jpg b/umn/source/_static/images/en-us_image_0000001533171269.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001533171269.jpg differ diff --git a/umn/source/_static/images/en-us_image_0000001533970929.png b/umn/source/_static/images/en-us_image_0000001533970929.png new file mode 100644 index 0000000..2133581 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001533970929.png differ diff --git a/umn/source/_static/images/en-us_image_0000001340308381.png b/umn/source/_static/images/en-us_image_0000001538620681.png similarity index 100% rename from umn/source/_static/images/en-us_image_0000001340308381.png rename to umn/source/_static/images/en-us_image_0000001538620681.png diff --git a/umn/source/_static/images/en-us_image_0000001340424065.png b/umn/source/_static/images/en-us_image_0000001538620869.png similarity index 100% rename from umn/source/_static/images/en-us_image_0000001340424065.png rename to umn/source/_static/images/en-us_image_0000001538620869.png diff --git a/umn/source/_static/images/en-us_image_0000001538688185.jpg b/umn/source/_static/images/en-us_image_0000001538688185.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001538688185.jpg differ diff --git a/umn/source/_static/images/en-us_image_0000001538689725.png b/umn/source/_static/images/en-us_image_0000001538689725.png new file mode 100644 index 0000000..6443d56 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001538689725.png differ 
diff --git a/umn/source/_static/images/en-us_image_0000001539325965.png b/umn/source/_static/images/en-us_image_0000001539325965.png new file mode 100644 index 0000000..6443d56 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001539325965.png differ diff --git a/umn/source/_static/images/en-us_image_0000001539348353.png b/umn/source/_static/images/en-us_image_0000001539348353.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001539348353.png differ diff --git a/umn/source/_static/images/en-us_image_0000001544453213.jpg b/umn/source/_static/images/en-us_image_0000001544453213.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001544453213.jpg differ diff --git a/umn/source/_static/images/en-us_image_0000001544520337.jpg b/umn/source/_static/images/en-us_image_0000001544520337.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001544520337.jpg differ diff --git a/umn/source/_static/images/en-us_image_0000001544531265.jpg b/umn/source/_static/images/en-us_image_0000001544531265.jpg new file mode 100644 index 0000000..22c76c8 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001544531265.jpg differ diff --git a/umn/source/_static/images/en-us_image_0000001547599721.png b/umn/source/_static/images/en-us_image_0000001547599721.png new file mode 100644 index 0000000..02d6307 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001547599721.png differ diff --git a/umn/source/_static/images/en-us_image_0000001548562913.png b/umn/source/_static/images/en-us_image_0000001548562913.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001548562913.png differ 
diff --git a/umn/source/_static/images/en-us_image_0000001550561697.png b/umn/source/_static/images/en-us_image_0000001550561697.png new file mode 100644 index 0000000..6443d56 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001550561697.png differ diff --git a/umn/source/_static/images/en-us_image_0000001550676585.png b/umn/source/_static/images/en-us_image_0000001550676585.png new file mode 100644 index 0000000..28807ed Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001550676585.png differ diff --git a/umn/source/_static/images/en-us_image_0000001550677993.png b/umn/source/_static/images/en-us_image_0000001550677993.png new file mode 100644 index 0000000..a363917 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001550677993.png differ diff --git a/umn/source/_static/images/en-us_image_0000001550850865.png b/umn/source/_static/images/en-us_image_0000001550850865.png new file mode 100644 index 0000000..a500885 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001550850865.png differ diff --git a/umn/source/_static/images/en-us_image_0000001555272665.png b/umn/source/_static/images/en-us_image_0000001555272665.png new file mode 100644 index 0000000..6d6c843 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0000001555272665.png differ diff --git a/umn/source/_static/images/en-us_image_0110861334.jpg b/umn/source/_static/images/en-us_image_0110861334.jpg new file mode 100644 index 0000000..6dd6f39 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0110861334.jpg differ diff --git a/umn/source/_static/images/en-us_image_0210924459.png b/umn/source/_static/images/en-us_image_0210924459.png new file mode 100644 index 0000000..3d3113f Binary files /dev/null and b/umn/source/_static/images/en-us_image_0210924459.png differ 
diff --git a/umn/source/_static/images/en-us_image_0216882896.png b/umn/source/_static/images/en-us_image_0216882896.png new file mode 100644 index 0000000..487b512 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0216882896.png differ diff --git a/umn/source/_static/images/en-us_image_0234924841.png b/umn/source/_static/images/en-us_image_0234924841.png new file mode 100644 index 0000000..de75085 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0234924841.png differ diff --git a/umn/source/_static/images/en-us_image_0245737543.png b/umn/source/_static/images/en-us_image_0245737543.png new file mode 100644 index 0000000..2f63ae0 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0245737543.png differ diff --git a/umn/source/_static/images/en-us_image_0245737551.png b/umn/source/_static/images/en-us_image_0245737551.png new file mode 100644 index 0000000..6978554 Binary files /dev/null and b/umn/source/_static/images/en-us_image_0245737551.png differ diff --git a/umn/source/_static/images/en-us_image_0268155242.png b/umn/source/_static/images/en-us_image_0268155242.png deleted file mode 100644 index ea6ebc5..0000000 Binary files a/umn/source/_static/images/en-us_image_0268155242.png and /dev/null differ diff --git a/umn/source/certificate_management/binding_a_certificate_to_a_protected_website.rst b/umn/source/certificate_management/binding_a_certificate_to_a_protected_website.rst index 9c2fe65..9612ec7 100644 --- a/umn/source/certificate_management/binding_a_certificate_to_a_protected_website.rst +++ b/umn/source/certificate_management/binding_a_certificate_to_a_protected_website.rst 
@@ -7,6 +7,10 @@ Binding a Certificate to a Protected Website If you configure **Client Protocol** to **HTTPS** for your website, the website needs an SSL certificate. This topic describes how to bind an SSL certificate that you have uploaded to WAF to a website. +.. note:: + + If you have enabled enterprise projects, you can select your enterprise project from the **Enterprise Project** drop-down list and bind certificates to websites in the project. + Prerequisites ------------- @@ -28,23 +32,11 @@ Procedure --------- #. Log in to the management console. - #. Click |image1| in the upper left corner of the management console and select a region or project. - #. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. - #. In the navigation pane, choose **Objects** > **Certificates**. - - - .. figure:: /_static/images/en-us_image_0000001285028708.png - :alt: **Figure 1** Certificate list - - **Figure 1** Certificate list - #. In the row containing the certificate you want to use, click **Use** in the **Operation** column. - #. In the displayed **Domain Name** dialog box, select the website you want to use the certificate to. - #. Click **Confirm**. Verification diff --git a/umn/source/certificate_management/deleting_a_certificate.rst b/umn/source/certificate_management/deleting_a_certificate.rst index e7a1ffe..c0c38ff 100644 --- a/umn/source/certificate_management/deleting_a_certificate.rst +++ b/umn/source/certificate_management/deleting_a_certificate.rst @@ -7,6 +7,10 @@ Deleting a Certificate This topic describes how to delete an expired or invalid certificate. +.. note:: + + If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the project from the **Enterprise Project** drop-down list and delete a certificate. + Prerequisites ------------- 
@@ -27,22 +31,21 @@ Procedure --------- #. Log in to the management console. - #. Click |image1| in the upper left corner of the management console and select a region or project. - #. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. - #. In the navigation pane, choose **Objects** > **Certificates**. - - - .. figure:: /_static/images/en-us_image_0000001285028708.png - :alt: **Figure 1** Certificate list - - **Figure 1** Certificate list - -#. In the row containing the certificate you want to delete, click **Delete** in the **Operation** column. - #. In the displayed dialog box, click **Confirm**. +Other Operations +---------------- + +If a certificate to be deleted is bound to a website, unbind it from the website before deletion. + +To unbind a certificate from a website domain name, perform the following steps: + +#. In the **Domain Name** column of the row containing the desired certificate, click the domain name to go to the basic information page. +#. Click |image3| next to the certificate name. In the displayed dialog box, upload a new certificate or select an existing certificate. + .. |image1| image:: /_static/images/en-us_image_0000001317947942.jpg .. |image2| image:: /_static/images/en-us_image_0000001340305633.png +.. |image3| image:: /_static/images/en-us_image_0210924454.jpg diff --git a/umn/source/certificate_management/uploading_a_certificate.rst b/umn/source/certificate_management/uploading_a_certificate.rst index b77c02c..ab17566 100644 --- a/umn/source/certificate_management/uploading_a_certificate.rst +++ b/umn/source/certificate_management/uploading_a_certificate.rst 
@@ -9,6 +9,10 @@ If you select **HTTPS** for **Client Protocol** when you add a website to WAF, a You can upload a certificate to WAF. Then you can directly select the uploaded certificate for the protected website. +.. note:: + + If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select your enterprise project from the **Enterprise Project** drop-down list and upload certificates in the project. + Prerequisites ------------- @@ -40,21 +44,15 @@ Procedure #. In the navigation pane, choose **Objects** > **Certificates**. - - .. figure:: /_static/images/en-us_image_0000001285028708.png - :alt: **Figure 1** Certificate list - - **Figure 1** Certificate list - #. Click **Upload Certificate**. #. In the **Upload Certificate** dialog box, enter a certificate name, and copy the certificate file and private key into the corresponding text boxes. .. figure:: /_static/images/en-us_image_0000001338097417.png - :alt: **Figure 2** **Upload Certificate** + :alt: **Figure 1** **Upload Certificate** - **Figure 2** **Upload Certificate** + **Figure 1** **Upload Certificate** Only .pem certificates can be used in WAF. If the certificate is not in .pem format, convert it into .pem locally by referring to :ref:`Table 1 ` before uploading it. diff --git a/umn/source/certificate_management/viewing_certificate_information.rst b/umn/source/certificate_management/viewing_certificate_information.rst index d3f0f38..da62acb 100644 --- a/umn/source/certificate_management/viewing_certificate_information.rst +++ b/umn/source/certificate_management/viewing_certificate_information.rst 
@@ -23,24 +23,18 @@ Procedure #. In the navigation pane, choose **Objects** > **Certificates**. +#. View the certificate information. :ref:`Table 1 ` describes the parameters. - .. figure:: /_static/images/en-us_image_0000001285028708.png - :alt: **Figure 1** Certificate list + .. _waf_01_0282__table42671747141413: - **Figure 1** Certificate list - -#. View the certificate information. :ref:`Table 1 ` describes the parameters. - - .. _waf_01_0282__table4349769438: - - .. table:: **Table 1** Parameter description + .. table:: **Table 1** Certificate parameters +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Parameter | Parameter description | + | Parameter | Description | +===================================+====================================================================================================================================================================================================================================================================================================================================+ | Name | Certificate name. | +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Expired | Certificate expiration time. | + | Expires | Certificate expiration time. | | | | | | It is recommended that you update the certificate before it expires. 
Otherwise, all WAF protection rules will be unable to take effect, and there can be massive impacts on the origin server, even more severe than a crashed host or website access failures. For more details, see :ref:`Updating a Certificate `. | +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ diff --git a/umn/source/change_history.rst b/umn/source/change_history.rst index 04f25e5..670f460 100644 --- a/umn/source/change_history.rst +++ b/umn/source/change_history.rst 
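Review bot: The table label in this hunk changes from waf_01_0282__table4349769438 to waf_01_0282__table42671747141413, so any :ref: elsewhere in the docs that still targets the old label will stop resolving; search the tree for the old label before merging. Since the Expires row is being edited anyway, the unchanged sentence beside it ("all WAF protection rules will be unable to take effect ... even more severe than a crashed host") would help readers more if it stated concretely what clients and the origin server see once the certificate has expired.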
@@ -5,8 +5,13 @@ Change History ============== -=========== ========================================= -Released On Description -=========== ========================================= -2022-10-30 This issue is the first official release. -=========== ========================================= ++-----------------------------------+--------------------------------------------------------------------------------------------------------------+ +| Released On | Description | ++===================================+==============================================================================================================+ +| 2023-03-30 | This issue is the second official release. | +| | | +| | - :ref:`Adding a Reference Table `: Added the description of the function of reference tables. | +| | - Added :ref:`Does WAF Support Two-Way SSL Authentication? ` | ++-----------------------------------+--------------------------------------------------------------------------------------------------------------+ +| 2022-10-30 | This issue is the first official release. | ++-----------------------------------+--------------------------------------------------------------------------------------------------------------+ diff --git a/umn/source/dashboard.rst b/umn/source/dashboard.rst index 892f6be..c1c124b 100644 --- a/umn/source/dashboard.rst +++ b/umn/source/dashboard.rst 
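Review bot: The new 2023-03-30 entry lists only the reference table description and the two-way SSL FAQ, but this same patch also adds a new page, enabling_lts_for_waf_logging.rst, and adds enterprise project notes to the certificate upload and dedicated engine pages. Add bullets for those so the change history matches what the release contains.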
@@ -55,7 +55,7 @@ Procedure #. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. -#. In the upper part of the page, specify the website, instance, and time period you want to query. +#. In the upper part of the page, specify the website, instance, and time range for your query. - By default, the information about all websites you add to WAF in all enterprise projects are displayed. - **Domain Names**: shows information about website domain names added to the WAF instance. Click **View** to go to the **Website Settings** page and view details about domain names of protected websites. 
@@ -96,37 +96,35 @@ Procedure .. table:: **Table 2** Parameters in Security Event Statistics - +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Parameter | Description | - +===================================+=============================================================================================================================================================================================================================================================================================================================+ - | Requests | You can view how many requests for your website as well as total attacks and attacks of each attack type. | - +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | QPS | Average number of requests per second for the domain name. For details about the values of QPS, see :ref:`How to Calculate QPS `. | - | | | - | | Queries Per Second (QPS) indicates the number of requests per second. For example, an HTTP GET request is also called a query. 
| - +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Bandwidth | Bandwidth usage | - +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Response Code | Response codes returned by WAF to the client or returned by the origin server to WAF along with the corresponding number of responses. You can click **WAF to Client** or **Origin Server to WAF** to view the corresponding information. | - | | | - | | The number of response codes is accumulated based on the sequence of response codes (from left to right) in the lower part of the chart. The number of response codes is the difference between two lines. If the value of a response code is 0, the line of the response code overlaps that of the previous response code. | - +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Event Distribution | Types of attack events | - | | | - | | Click an area in the **Event Distribution** area to view the type, number, and proportion of an attack. 
| - +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Top 10 Attacked Domain Names | The ten most attacked domain names and the number of attacks on each domain name. | - | | | - | | Click **View More** to go to the **Events** page and view more protection data. | - +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Top 10 Attack Source IP Addresses | The ten source IP addresses with the most attacks and the number of attacks from each source IP address. | - | | | - | | Click **View More** to go to the **Events** page and view more protection data. | - +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Top 10 Attacked URLs | The ten most attacked URLs and the number of attacks on each URL. | - | | | - | | Click **View More** to go to the **Events** page and view more protection data. 
| - +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Parameter | Description | + +===================================+==================================================================================================================================================================================================================================================================================================================+ + | Requests | You can view how many requests for your website as well as total attacks and attacks of each attack type. | + +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | QPS | Average number of requests per second for the domain name. For details about the values of QPS, see :ref:`How to Calculate QPS `. | + | | | + | | Queries Per Second (QPS) indicates the number of requests per second. For example, an HTTP GET request is also called a query. 
| + +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Bandwidth | Bandwidth usage | + | | | + | | The value of sent and received bytes is calculated by adding the values of **request_length** and **upstream_bytes_received** by time, so the value is different from the network bandwidth monitored on the EIP. This value is also affected by web page compression, connection reuse, and TCP retransmission. | + +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Event Distribution | Types of attack events | + | | | + | | Click an area in the **Event Distribution** area to view the type, number, and proportion of an attack. | + +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Top 10 Attacked Domain Names | The ten most attacked domain names and the number of attacks on each domain name. | + | | | + | | Click **View More** to go to the **Events** page and view more protection data. 
| + +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Top 10 Attack Source IP Addresses | The ten source IP addresses with the most attacks and the number of attacks from each source IP address. | + | | | + | | Click **View More** to go to the **Events** page and view more protection data. | + +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Top 10 Attacked URLs | The ten most attacked URLs and the number of attacks on each URL. | + | | | + | | Click **View More** to go to the **Events** page and view more protection data. | + +-----------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ .. |image1| image:: /_static/images/en-us_image_0210924450.jpg .. |image2| image:: /_static/images/en-us_image_0000001288106346.png diff --git a/umn/source/dedicated_waf_engine_management.rst b/umn/source/dedicated_waf_engine_management.rst index 88450a0..4024f00 100644 --- a/umn/source/dedicated_waf_engine_management.rst +++ b/umn/source/dedicated_waf_engine_management.rst 
@@ -7,10 +7,14 @@ Dedicated WAF Engine Management This topic describes how to manage your dedicated WAF instances (or engines), including viewing instance information, upgrading the instance edition, or deleting an instance. +.. note:: + + If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instances locate. Then, you can select the project from the **Enterprise Project** drop-down list and manage dedicated WAF instances in the project. + Prerequisites ------------- -You have purchased a dedicated WAF instance. +You have applied for a dedicated WAF instance. Viewing Information About a Dedicated WAF Instance -------------------------------------------------- @@ -149,7 +153,7 @@ If you select **Network Interface** for **Instance Type**, you can change the se Deleting a Dedicated WAF Instance --------------------------------- -You can delete a dedicated WAF instance at any time. A deleted dedicated WAF instance will no longer protect the website added to it. +You can delete a dedicated WAF instance anytime. A deleted dedicated WAF instance will no longer protect the website added to it. .. important:: diff --git a/umn/source/enabling_lts_for_waf_logging.rst b/umn/source/enabling_lts_for_waf_logging.rst new file mode 100644 index 0000000..5856d13 --- /dev/null +++ b/umn/source/enabling_lts_for_waf_logging.rst 
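Review bot: "ensure that you have all operation permissions for the project" in the added note is broader than a reader can act on and invites granting full project rights; name the specific role or permission set needed to manage dedicated WAF instances in an enterprise project. In the same note, "where your WAF instances locate" should be "are located", and in the Prerequisites hunk, "You have applied for a dedicated WAF instance" leaves it unclear whether the instance must already exist; if it must, say so.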
@@ -0,0 +1,375 @@ +:original_name: waf_01_0172.html + +.. _waf_01_0172: + +Enabling LTS for WAF Logging +============================ + +After you authorize WAF to access Log Tank Service (LTS), you can use the WAF logs recorded by LTS for quick and efficient real-time analysis, device O&M management, and analysis of service trends. + +LTS analyzes and processes a large number of logs. It enables you to process logs in real-time, efficiently, and securely. Logs can be stored in LTS for seven days by default but you can configure LTS for up to 30 days if needed. Logs earlier than 30 days are automatically deleted. However, you can configure LTS to dump those logs to an Object Storage Service (OBS) bucket or enable Data Ingestion Service (DIS) for long-term storage. + +Prerequisites +------------- + +- You have applied for your WAF. +- The website to be protected has been added to WAF. + +Impact on the System +-------------------- + +Enabling LTS for WAF does not affect WAF performance. + +Enabling LTS for WAF Protection Event Logging +--------------------------------------------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane on the left, choose **Events**. + +#. Click the **Configure Logs** tab, enable LTS (|image3|), and select a log group and log stream. :ref:`Table 1 ` describes the parameters. + + + .. figure:: /_static/images/en-us_image_0000001555272665.png + :alt: **Figure 1** Configuring logs + + **Figure 1** Configuring logs + + .. _waf_01_0172__table11535733111515: + + .. 
table:: **Table 1** Log configuration + + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Parameter | Description | Example Value | + +=======================+=============================================================================================================================+=======================+ + | Log Group | Select a log group or click **View Log Group** to go to the LTS console and create a log group. | lts-group-waf | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Attack Log | Select a log stream or click **View Log Stream** to go to the LTS console and create a log stream. | lts-topic-waf-attack | + | | | | + | | An attack log includes information about event type, protective action, and attack source IP address of each attack. | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Access Log | Select a log stream or click **View Log Stream** to go to the LTS console and create a log stream. | lts-topic-waf-access | + | | | | + | | An access log includes key information about access time, client IP address, and resource URL of each HTTP access requests. | | + +-----------------------+-----------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +#. Click **OK**. + + You can view WAF protection event logs on the LTS console. + +Viewing WAF Protection Event Logs on LTS +---------------------------------------- + +After enabling LTS, perform the following steps to view and analyze WAF logs on the LTS console. + +#. Log in to the management console. +#. 
Click |image4| in the upper left corner of the management console and select a region or project. +#. Click |image5| in the upper left corner of the page and choose **Management & Deployment** > **Log Tank Service**. +#. In the log group list, click |image6| to expand the WAF log group (for example, **lts-group-waf**). +#. View protection event logs. + + - View attack logs. + + a. In the log stream list, click the name of the configured attack log stream. + + b. View attack logs. + + + .. figure:: /_static/images/en-us_image_0000001550850865.png + :alt: **Figure 2** Viewing attack logs + + **Figure 2** Viewing attack logs + + - View access logs. + + a. In the log stream list, click the name of the configured access log stream. + + b. View access logs. + + + .. figure:: /_static/images/en-us_image_0000001499773388.png + :alt: **Figure 3** Viewing access logs + + **Figure 3** Viewing access logs + +WAF access_log Field +-------------------- + ++------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Field | Type | Field Description | Description | ++========================+=================+===================================================================================+===============================================================================================================================================================================================================================+ +| requestid | string | Random ID | The value is the same as the last eight characters of the **req_id** field in the attack log. 
| ++------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| time | string | Time an access request is received. | GMT time a log is generated. | ++------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| eng_ip | string | IP address of the WAF engine | ``-`` | ++------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| hostid | string | Domain name identifier of the access request. | Protected domain name ID (upstream_id). 
| ++------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| tenantid | string | Account ID | Your account | ++------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| projectid | string | ID of the project the protected domain name belongs to | Project ID of a user in a specific region. | ++------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| remote_ip | string | IP address from which a client request originates. | IP address from which a client request originates. | +| | | | | +| | | | .. important:: | +| | | | | +| | | | NOTICE: | +| | | | If a layer-7 proxy is deployed in front of WAF, this field indicates the IP address of the proxy node closest to WAF. The real IP address of the visitor is specified by the **x-forwarded-for** and **x_real_ip** fields. 
| ++------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| x-forwarded-for | string | A string of IP addresses for a proxy when the proxy is deployed in front of WAF. | The sting includes one or more IP addresses. | +| | | | | +| | | | The leftmost IP address is the originating IP address of the client. Each time the proxy server receives a request, it adds the source IP address of the request to the right of the originating IP address. | ++------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| x_real_ip | string | Real IP address of the client when a proxy is deployed in front of WAF. | Real IP address of the client, which is identified by the proxy. | ++------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| cdn_src_ip | string | Client IP address identified by CDN when CDN is deployed in front of WAF | This field specifies the real IP address of the client if CDN is deployed in front of WAF. | +| | | | | +| | | | .. important:: | +| | | | | +| | | | NOTICE: | +| | | | Some CDN vendors may use other fields. WAF records only the most common fields. 
| ++------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| scheme | string | Request protocol | Protocols that can be used in the request: | +| | | | | +| | | | - HTTP | +| | | | - HTTPS | ++------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| response_code | string | Response code | Response status code returned by the origin server to WAF. | ++------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| method | string | Request method. | Request type in a request line. Generally, the value is **GET** or **POST**. | ++------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| http_host | string | Domain name of the requested server. | Address, domain name, or IP address entered in the address box of a browser. 
| ++------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| url | string | Request URL. | Path in a URL (excluding the domain name). | ++------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| request_length | string | Request length. | The request length includes the access request address, HTTP request header, and number of bytes in the request body. | ++------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| bytes_send | string | Total number of bytes sent to the client. | Number of bytes sent by WAF to the client. 
| ++------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| body_bytes_sent | string | Total number of bytes of the response body sent to the client | Number of bytes of the response body sent by WAF to the client | ++------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| upstream_addr | string | Address of the backend server. | IP address of the origin server for which a request is destined. For example, if WAF forwards requests to an ECS, the IP address of the ECS is returned to this parameter. | ++------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| request_time | string | Request processing time | Processing time starts when the first byte of the client is read. | ++------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| upstream_response_time | string | Backend server response time. 
| Time when the backend server responds to the WAF request. | ++------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| upstream_status | string | Response code of the backend server. | Response status code returned by the backend server to WAF. | ++------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| upstream_connect_time | string | Time elapsed for origin servers to connect to backend servers | Time for the origin server to establish a connection to its backend servers. If the backend service uses an encryption protocol, this parameter includes the handshake time. | ++------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| upstream_header_time | string | Time used by the backend server to receive the first byte of the response header. 
| ``-`` | ++------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| bind_ip | string | WAF engine back-to-source IP address. | Back-to-source IP address used by the WAF engine. | ++------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| group_id | string | LTS log group ID | ID of the log group for interconnecting WAF with LTS. | ++------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| access_stream_id | string | Log stream ID. | ID of **access_stream** of the user in the log group identified by the **group_id** field. | ++------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| engine_id | string | WAF engine ID | Unique ID of the WAF engine. 
| ++------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| time_iso8601 | string | ISO 8601 time format of logs. | ``-`` | ++------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| sni | string | Domain name requested through SNI. | ``-`` | ++------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| tls_version | string | Protocol version for establishing an SSL connection. | TLS version used in the request. | ++------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| ssl_curves | string | Curve group list supported by the client. 
| ``-`` | ++------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| ssl_session_reused | string | SSL session reuse | Whether the SSL session can be reused | +| | | | | +| | | | **r**: Yes | +| | | | | +| | | | **.**: No | ++------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| process_time | string | Detection duration | ``-`` | ++------------------------+-----------------+-----------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +WAF request_log field description +--------------------------------- + ++-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ +| Field | Type | Field Description | Description | ++===================+=================+=====================================================================+==============================================================================================================+ +| scheme | string | Request protocol | Protocols that can be used in the request: | +| | | | | +| | | | - HTTP | +| | | | - https | 
++-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ +| hport | string | Listening port for the engine | ``-`` | ++-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ +| body_bytes_sent | string | Total number of bytes of the response body sent to the client. | ``-`` | ++-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ +| hostid | string | Protected domain name ID (upstream_id). | ``-`` | ++-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ +| time_iso8601 | string | ISO 8601 time format of logs. | ``-`` | ++-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ +| host | string | Domain name of the requested server. 
| ``-`` | ++-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ +| tenantid | string | Account ID | ``-`` | ++-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ +| inet_ip | string | IP address of the engine | ``-`` | ++-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ +| backend.protocol | string | Current backend protocol | ``-`` | ++-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ +| backend.alive | string | Current backend status | ``-`` | ++-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ +| backend.port | string | Current backend port | ``-`` | ++-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ +| backend.host | string | Current backend host value | ``-`` | ++-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ +| backend.type | string | Current backend host type | Type of the backend host. 
It can be a domain name or an IP address. | ++-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ +| id | string | Request ID | The last eight characters are the same as the first eight characters of the **requestid** in the access log. | ++-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ +| sip | string | IP address from which a client request originates. | ``-`` | ++-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ +| sport | string | Port used by the IP address from which a client request originates. | ``-`` | ++-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ +| projectid | string | ID of the project the protected domain name belongs to | ``-`` | ++-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ +| cookie | string | Cookie | ``-`` | ++-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ +| method | string | Request method. 
| ``-`` | ++-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ +| uri | string | Request URI | ``-`` | ++-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ +| request_stream_id | string | Log stream ID | ID of **request_stream** of the user in the log group identified by the **group_id** field. | ++-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ +| group_id | string | Log group ID | LTS log group ID | ++-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ +| engine_id | string | Unique ID of the engine | ``-`` | ++-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ +| header | string | Header content | ``-`` | ++-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ +| time | string | Log time | ``-`` | ++-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ +| category | string | Log category | The value is 
**request**. | ++-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ +| status | string | Response code | ``-`` | ++-------------------+-----------------+---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------+ + +WAF attack_log field description +-------------------------------- + ++------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ +| Field | Type | Field Description | Description | ++========================+======================================================================+========================================================================+============================================================================================+ +| category | string | Log category | The value is **attack**. | ++------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ +| time | string | Log time | ``-`` | ++------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ +| time_iso8601 | string | ISO 8601 time format of logs. 
| ``-`` | ++------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ +| policy_id | string | Policy ID | ``-`` | ++------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ +| level | string | Protection level | Protection level of a built-in rule in basic web protection | +| | | | | +| | | | - **1**: Low | +| | | | - **2**: Medium | +| | | | - **3**: High | ++------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ +| attack | string | Type of attack | Attack type. This parameter is listed in attack logs only. 
| +| | | | | +| | | | - **default**: default attacks | +| | | | - **sqli**: SQL injections | +| | | | - **xss**: cross-site scripting (XSS) attacks | +| | | | - **webshell**: web shells | +| | | | - **robot**: malicious crawlers | +| | | | - **cmdi**: command injections | +| | | | - **rfi**: remote file inclusion attacks | +| | | | - **lfi**: local file inclusion attacks | +| | | | - **illegal**: unauthorized requests | +| | | | - **vuln**: exploits | +| | | | - **cc**: attacks that hit the CC protection rules | +| | | | - **custom_custom**: attacks that hit a precise protection rule | +| | | | - **custom_whiteip**: attacks that hit an IP address blacklist or whitelist rule | +| | | | - **custom_geoip**: attacks that hit a geolocation access control rule | +| | | | - **antitamper**: attacks that hit a web tamper protection rule | +| | | | - **anticrawler**: attacks that hit the JS challenge anti-crawler rule | +| | | | - **leakage**: vulnerabilities that hit an information leakage prevention rule | +| | | | - **followed_action**: The source is marked as a known attack source. | ++------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ +| action | string | Protective action | WAF defense action. | +| | | | | +| | | | - **block**: WAF blocks attacks. | +| | | | - **log**: WAF only logs detected attacks. | +| | | | - **captcha**: Verification code | ++------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ +| sub_type | string | Crawler types | When **attack** is set to **robot**, this parameter cannot be left blank. 
| +| | | | | +| | | | - **script_tool**: Script tools | +| | | | - **search_engine**: Search engines | +| | | | - **scanner:** Scanning tools | +| | | | - **uncategorized**: Other crawlers | ++------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ +| rule | string | ID of the triggered rule or the description of the custom policy type. | ``-`` | ++------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ +| location | string | Location triggering the malicious load | ``-`` | ++------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ +| hit_data | string | String triggering the malicious load | ``-`` | ++------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ +| resp_headers | string | Response header | ``-`` | ++------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ +| resp_body | string | Response body | ``-`` | 
++------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ +| backend | string | Address of the backend server to which the request is forwarded. | ``-`` | ++------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ +| status | string | Response status code | ``-`` | ++------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ +| reqid | string | Random ID | ``-`` | ++------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ +| id | string | Attack ID | ID of the attack | ++------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ +| method | string | Request method | ``-`` | ++------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ +| sip | string | Client request IP address | ``-`` | 
++------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ +| sport | string | Client request port | ``-`` | ++------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ +| host | string | Requested domain name | ``-`` | ++------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ +| http_host | string | Domain name of the requested server. | ``-`` | ++------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ +| hport | string | Port of the requested server. | ``-`` | ++------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ +| uri | string | Request URL. | The domain is excluded. | ++------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ +| header | A JSON string. A JSON table is obtained after the string is decoded. 
| Request header | ``-`` | ++------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ +| multipart | A JSON string. A JSON table is obtained after the string is decoded. | Request multipart header | This parameter is used to upload files. | ++------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ +| cookie | A JSON string. A JSON table is obtained after the string is decoded. | Cookie of the request | ``-`` | ++------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ +| params | A JSON string. A JSON table is obtained after the string is decoded. | Params value following the request URI. | ``-`` | ++------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ +| body_bytes_sent | string | Total number of bytes of the response body sent to the client. | Total number of bytes of the response body sent by WAF to the client. | ++------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ +| upstream_response_time | string | Backend server response time. 
| ``-`` | ++------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ +| process_time | string | Detection duration | ``-`` | ++------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ +| engine_id | string | Unique ID of the engine | ``-`` | ++------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ +| group_id | string | Log group ID | LTS log group ID | ++------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ +| attack_stream_id | string | Log stream ID | ID of **access_stream** of the user in the log group identified by the **group_id** field. | ++------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ +| hostid | string | Protected domain name ID (upstream_id). 
| ``-`` | ++------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ +| tenantid | string | Account ID | ``-`` | ++------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ +| projectid | string | ID of the project the protected domain name belongs to | ``-`` | ++------------------------+----------------------------------------------------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------------+ + +.. |image1| image:: /_static/images/en-us_image_0000001482072692.jpg +.. |image2| image:: /_static/images/en-us_image_0000001550676585.png +.. |image3| image:: /_static/images/en-us_image_0000001550677993.png +.. |image4| image:: /_static/images/en-us_image_0000001188007266.jpg +.. |image5| image:: /_static/images/en-us_image_0000001550561697.png +.. |image6| image:: /_static/images/en-us_image_0000001387002182.png diff --git a/umn/source/enabling_waf_protection/connecting_a_website_to_waf/connection_process_dedicated_mode.rst b/umn/source/enabling_waf_protection/connecting_a_website_to_waf/connection_process_dedicated_mode.rst new file mode 100644 index 0000000..52f9419 --- /dev/null +++ b/umn/source/enabling_waf_protection/connecting_a_website_to_waf/connection_process_dedicated_mode.rst 
@@ -0,0 +1,30 @@ +:original_name: waf_01_0326.html + +.. _waf_01_0326: + +Connection Process (Dedicated Mode) +=================================== + +To let your dedicated WAF instance protect your website, the domain name of the website must be connected to the WAF instance so that the website incoming traffic can go to WAF first. + +Constraints +----------- + +Dedicated WAF instances can only protect web applications and websites that are accessible through domain names or IP addresses. + +Processes of Connecting a Website to WAF +---------------------------------------- + +After purchasing a dedicated WAF instance, complete the required configurations by following the process shown in :ref:`Figure 1 `. + +.. _waf_01_0326__fig3118103718294: + +.. figure:: /_static/images/en-us_image_0000001171626489.png + :alt: **Figure 1** Process of connecting a website to a dedicated WAF instance + + **Figure 1** Process of connecting a website to a dedicated WAF instance + +Fixing Inaccessible Websites +---------------------------- + +If a domain name fails to be connected to WAF, its access status is **Inaccessible**. To fix this issue, see :ref:`Why Is My Domain Name or IP Address Inaccessible? ` diff --git a/umn/source/enabling_waf_protection/connecting_a_website_to_waf/index.rst b/umn/source/enabling_waf_protection/connecting_a_website_to_waf/index.rst index 4c4d376..a7f6251 100644 --- a/umn/source/enabling_waf_protection/connecting_a_website_to_waf/index.rst +++ b/umn/source/enabling_waf_protection/connecting_a_website_to_waf/index.rst 
@@ -5,14 +5,18 @@ Connecting a Website to WAF =========================== +- :ref:`Connection Process (Dedicated Mode) ` - :ref:`Step 1: Add a Website to WAF ` - :ref:`Step 2: Configure a Load Balancer ` - :ref:`Step 3: Bind an EIP to a Load Balancer ` +- :ref:`Step 4: Whitelist the Back-to-Source IP Addresses of Your Dedicated WAF Instances ` .. toctree:: :maxdepth: 1 :hidden: + connection_process_dedicated_mode step_1_add_a_website_to_waf step_2_configure_a_load_balancer step_3_bind_an_eip_to_a_load_balancer + step_4_whitelist_the_back-to-source_ip_addresses_of_your_dedicated_waf_instances diff --git a/umn/source/enabling_waf_protection/connecting_a_website_to_waf/step_1_add_a_website_to_waf.rst b/umn/source/enabling_waf_protection/connecting_a_website_to_waf/step_1_add_a_website_to_waf.rst index 83aab9d..6869a42 100644 --- a/umn/source/enabling_waf_protection/connecting_a_website_to_waf/step_1_add_a_website_to_waf.rst +++ b/umn/source/enabling_waf_protection/connecting_a_website_to_waf/step_1_add_a_website_to_waf.rst @@ -7,10 +7,14 @@ Step 1: Add a Website to WAF If your service servers are deployed on the cloud, you can add the domain name or IP address of the website to WAF so that the website traffic is forwarded to WAF for inspection. +.. note:: + + If you have enabled enterprise projects, you can select your enterprise project from the **Enterprise Project** drop-down list and add websites to be protected in the project. + Prerequisites ------------- -You have purchased a dedicated WAF instance. +You have applied for a dedicated WAF instance. Constraints ----------- 
@@ -18,6 +22,53 @@ Constraints - An Internet-facing load balancer has been deployed on the website you want to protect with dedicated WAF instances. - If your website has no layer-7 proxy server such as CDN and cloud acceleration service deployed in front of WAF and uses only layer-4 load balancers (or NAT), set **Proxy Configured** to **No**. Otherwise, **Proxy Configured** must be set to **Yes**. This ensures that WAF obtains real IP addresses of website visitors and takes protective actions configured in protection policies. +Collecting Domain Name/IP Address Information +--------------------------------------------- + +Before adding a domain name or IP address, obtain the information listed in :ref:`Table 1 `. + +.. _waf_01_0250__table1252463519439: + +.. table:: **Table 1** Domain name or IP address details required + + +------------------------+-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+ + | Information | Parameter | Description | Example Value | + +========================+===================+===========================================================================================================================================================================================================================+=================+ + | Parameters | Protected Website | - Domain name: used by visitors to access your website. A domain name consists of letters separated by dots (.). It is a human readable address that maps to the machine readable IP address of your server. | www.example.com | + | | | - IP: IP address of the website. 
| | + +------------------------+-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+ + | | Protected Port | The service port corresponding to the domain name of the website you want to protect. | 80 | + | | | | | + | | | - Standard ports | | + | | | | | + | | | - 80: default port when the client protocol is set to HTTP | | + | | | - 443: default port when the client protocol is set to HTTPS | | + | | | | | + | | | - Non-standard ports | | + | | | | | + | | | Ports other than ports 80 and 443 | | + | | | | | + | | | .. important:: | | + | | | | | + | | | NOTICE: | | + | | | If your website uses a non-standard port, check whether the WAF edition you plan to buy can protect the non-standard port before you make a purchase. For details, see :ref:`Ports Supported by WAF `. | | + +------------------------+-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+ + | | Client Protocol | Protocol used by a client (for example, a browser) to access the website. WAF supports HTTP and HTTPS. | HTTP | + +------------------------+-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+ + | | Server Protocol | Protocol used by WAF to forward requests to the client (such as a browser). The options are **HTTP** and **HTTPS**. 
| HTTP | + +------------------------+-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+ + | | VPC | Select the VPC to which the dedicated WAF instance belongs. | vpc-default | + +------------------------+-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+ + | | Server Address | Private IP address or domain name of the website server that a client (for example, a browser) accesses | 192.168.1.1 | + +------------------------+-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+ + | (Optional) Certificate | Certificate Name | If you set **Client Protocol** to **HTTPS**, you are required to configure a certificate on WAF and associate the certificate with the domain name. | None | + | | | | | + | | | .. important:: | | + | | | | | + | | | NOTICE: | | + | | | Only .pem certificates can be used in WAF. If a certificate is not in .pem, convert it by referring to :ref:`How Do I Convert a Certificate into PEM Format? `. | | + +------------------------+-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+ + Procedure --------- 
@@ -29,9 +80,8 @@ Procedure 5. In the upper left corner of the website list, click **Add Website**. -6. Configure basic information of the domain name. :ref:`Figure 1 ` shows an example. :ref:`Table 1 ` lists parameters. +6. Configure basic information of the domain name referring to :ref:`Table 2 `. - .. _waf_01_0250__fig175731754141418: .. figure:: /_static/images/en-us_image_0000001337887457.png :alt: **Figure 1** Configuring basic settings of a website @@ -40,7 +90,7 @@ Procedure .. _waf_01_0250__table056413271366: - .. table:: **Table 1** Parameter description + .. table:: **Table 2** Parameter description +-----------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------+ | Parameter | Description | Example Value | @@ -140,11 +190,11 @@ If you set **Client Protocol** to **HTTPS**, an SSL certificate is required. You WAF encrypts and saves the private key to keep it safe. - Only .pem certificates can be used in WAF. If the certificate is not in .pem format, convert it into .pem locally by referring to :ref:`Table 2 ` before uploading it. + Only .pem certificates can be used in WAF. If the certificate is not in .pem format, convert it into .pem locally by referring to :ref:`Table 3 ` before uploading it. .. _waf_01_0250__waf_01_0002_table1292125414516: - .. table:: **Table 2** Certificate conversion commands + .. table:: **Table 3** Certificate conversion commands +-----------------------------------+----------------------------------------------------------------------------------------------------------------------------+ | Format | Conversion Method | 
@@ -179,7 +229,7 @@ If you set **Client Protocol** to **HTTPS**, an SSL certificate is required. You - Before running an OpenSSL command, ensure that the `OpenSSL `__ tool has been installed on the local host. - If your local PC runs a Windows operating system, go to the command line interface (CLI) and then run the certificate conversion command. -#. Click **OK**. +#. Click **Confirm**. .. |image1| image:: /_static/images/en-us_image_0000001260399509.jpg .. |image2| image:: /_static/images/en-us_image_0000001288099090.png diff --git a/umn/source/enabling_waf_protection/connecting_a_website_to_waf/step_2_configure_a_load_balancer.rst b/umn/source/enabling_waf_protection/connecting_a_website_to_waf/step_2_configure_a_load_balancer.rst index 1774897..f06e56a 100644 --- a/umn/source/enabling_waf_protection/connecting_a_website_to_waf/step_2_configure_a_load_balancer.rst +++ b/umn/source/enabling_waf_protection/connecting_a_website_to_waf/step_2_configure_a_load_balancer.rst 
@@ -40,70 +40,35 @@ Procedure --------- #. Log in to the management console. - #. Click |image1| in the upper left corner of the management console and select a region or project. - -#. Click |image2| in the upper left corner of the page and choose **Elastic Load Balance** under **Network** to go to the ELB console. - -#. Click the name of your load balancer in the **Name** column to go to the **Basic Information** page. - -#. Click the **Listeners** tab, click **Add Listener**, and configure the listener information. :ref:`Figure 1 ` shows an example. - - .. _waf_01_0251__fig1213093341614: - - .. figure:: /_static/images/en-us_image_0000001284948512.png - :alt: **Figure 1** Configuring a listener - - **Figure 1** Configuring a listener - -#. Click **Next** and configure the backend server group and health check. :ref:`Figure 2 ` and :ref:`Figure 3 ` show examples. - - .. _waf_01_0251__fig1471975962718: - - .. figure:: /_static/images/en-us_image_0000001337470357.png - :alt: **Figure 2** Configuring a Backend Host Group - - **Figure 2** Configuring a Backend Host Group +#. Click |image2| in the upper left corner of the page and choose **Elastic Load Balance** under **Network** to go to the **Load Balancers** page. +#. Click the name of the load balancer in the **Name** column to go to the **Basic Information** page. +#. Locate the **IP as a Backend** row, enable the function. In the displayed dialog box, click **OK**. +#. Click the **Listeners** tab, click **Add Listener**, and configure the listener name, front-end protocol, and port. +#. Click **Next: Configure Request Routing Policy**. .. important:: If you select **Round robin** for **Load Balancing Algorithm**, disable **Sticky Session**. If you enable **Sticky Session**, the same requests will be forwarded to the same dedicated WAF instance. If this instance becomes faulty, an error will occur when the requests come to it next time. - .. _waf_01_0251__fig1623212054117: - - .. 
figure:: /_static/images/en-us_image_0000001284790620.png - :alt: **Figure 3** Health Check Settings - - **Figure 3** Health Check Settings - -#. Click **Next: Confirm**. - -#. Click **Finish** and then **OK**. - -#. Go to the page of the added listener, select the **Backend Server Groups** tab, and click **Add**. - -#. In the **Add Backend Server** dialog box, select the dedicated WAF instance you have created. - - - .. figure:: /_static/images/en-us_image_0000001337244713.png - :alt: **Figure 4** Selecting the created dedicated WAF instance - - **Figure 4** Selecting the created dedicated WAF instance - -#. Click **Next** and configure a port for the dedicated engine. :ref:`Figure 5 ` shows an example. +#. Click **Next: Add Backend Server**. Then, select the **IP as Backend Servers** tab. .. important:: - The listening port of the dedicated WAF instance must be the same as that configured in :ref:`Step 1: Add a Website to WAF `. If you configure a standard port for the website, set the HTTP listening port to **80** and HTTPS listening port to **443**. + In the health check configuration, **Protocol** can only be set to **TCP**, or the health check will fail and ELB will not forward traffic to the backend WAF. - .. _waf_01_0251__fig207213128248: +#. Click **Add IP as Backend Server**. In the displayed dialog box, configure **Backend Server IP Address** and **Backend Port**. - .. figure:: /_static/images/en-us_image_0000001337404641.png - :alt: **Figure 5** Configuring a port for the dedicated WAF instance + - **Backend Server IP Address**: Enter the IP address of the dedicated WAF engine, which you can obtain from the dedicated engine list. + - **Backend Port**: Use the same one you configured in :ref:`Step 1: Add a Website to WAF `. If you configure a standard port for the website, set the HTTP listening port to **80** and HTTPS listening port to **443**. - **Figure 5** Configuring a port for the dedicated WAF instance +#. Click **OK**. +#. 
Click **Next: Confirm**, confirm the information, and click **Submit**. -#. Click **Finish**. +Verification +------------ -.. |image1| image:: /_static/images/en-us_image_0210924450.jpg -.. |image2| image:: /_static/images/en-us_image_0212852906.png +If the **Health Check Result** is **Healthy**, the load balancer is configured. + +.. |image1| image:: /_static/images/en-us_image_0000001488605878.jpg +.. |image2| image:: /_static/images/en-us_image_0000001539325965.png diff --git a/umn/source/enabling_waf_protection/connecting_a_website_to_waf/step_3_bind_an_eip_to_a_load_balancer.rst b/umn/source/enabling_waf_protection/connecting_a_website_to_waf/step_3_bind_an_eip_to_a_load_balancer.rst index dc47300..75cdfb8 100644 --- a/umn/source/enabling_waf_protection/connecting_a_website_to_waf/step_3_bind_an_eip_to_a_load_balancer.rst +++ b/umn/source/enabling_waf_protection/connecting_a_website_to_waf/step_3_bind_an_eip_to_a_load_balancer.rst @@ -23,9 +23,8 @@ Procedure #. .. _waf_01_0252__li11870192512125: - On the **Elastic Load Balancers** page, locate the row that contains the load balancer configured for the origin server, click **More** in the **Operation** column, and select **Unbind IPv4 EIP**. :ref:`Figure 1 ` shows an example. + On the **Elastic Load Balancers** page, locate the row that contains the load balancer configured for the origin server. Then, in the **Operation** column, click **More** >\ **Unbind IPv4/6 EIP**. - .. _waf_01_0252__fig116641742207: .. figure:: /_static/images/en-us_image_0000001344294497.png :alt: **Figure 1** Unbinding an EIP 
@@ -34,7 +33,7 @@ Procedure #. In the displayed dialog box, click **Yes**. -#. On the **Load Balancers** page, locate the row that contains the load balancer configured for the dedicated WAF instance, click **More** in the **Operation** column, and select **Bind EIP**. +#. On the **Load Balancers** page, locate the row that contains the load balancer configured for the dedicated WAF instance, click **More** in the **Operation** column, and select **Bind IPv4/6 EIP**. #. In the **Bind EIP** dialog box, select the EIP unbound in :ref:`Step 4 ` and click **OK**. diff --git a/umn/source/enabling_waf_protection/connecting_a_website_to_waf/step_4_whitelist_the_back-to-source_ip_addresses_of_your_dedicated_waf_instances.rst b/umn/source/enabling_waf_protection/connecting_a_website_to_waf/step_4_whitelist_the_back-to-source_ip_addresses_of_your_dedicated_waf_instances.rst new file mode 100644 index 0000000..fd6c160 --- /dev/null +++ b/umn/source/enabling_waf_protection/connecting_a_website_to_waf/step_4_whitelist_the_back-to-source_ip_addresses_of_your_dedicated_waf_instances.rst 
@@ -0,0 +1,141 @@ +:original_name: waf_01_0343.html + +.. _waf_01_0343: + +Step 4: Whitelist the Back-to-Source IP Addresses of Your Dedicated WAF Instances +================================================================================= + +To let your dedicated WAF instances take effect, configure ACL rules on the origin server to trust only the back-to-source IP addresses of all your dedicated WAF instances. This prevents hackers from attacking the origin server through the server IP addresses. + +.. important:: + + ACL rules must be configured on the origin server to whitelist WAF back-to-source IP addresses. Otherwise, your website visitors will frequently receive 502 or 504 error code after your website is connected to WAF. + +Why Do I Need to Whitelist the WAF Back-to-Source IP Addresses? +--------------------------------------------------------------- + +In dedicated mode, website traffic is pointed to the load balancer configured for your dedicated WAF instances and then to dedicated WAF instances. The latter will filter out malicious traffic and route only normal traffic to the origin server. In this way, the origin server only communicates with WAF back-to-source IP addresses. By doing so, WAF protects the origin server from being attacked even if the server IP address is exposed to hackers accidentally. In dedicated mode, the WAF back-to-source IP addresses are the subnet IP addresses of the dedicated WAF instances. + +The security software on the origin server may most likely regard WAF back-to-source IP addresses as malicious and block them. Once they are blocked, the origin server will deny all WAF requests. As a result, your website may become unavailable or respond very slowly. Therefore, ACL rules must be configured on the origin server to trust only the subnet IP addresses of your dedicated WAF instances. + +Prerequisites +------------- + +Your website has been connected to your dedicated WAF instances. + +.. 
note:: + + If you have enabled enterprise projects, you can select your enterprise project from the **Enterprise Project** drop-down list and whitelist back-to-source IP addresses of your dedicated WAF instances in the project. + +Pointing Traffic to an ECS Hosting Your Website +----------------------------------------------- + +If your origin server is deployed on an ECS, perform the following steps to configure a security group rule to allow only the back-to-source IP address of the dedicated instance to access the origin server. + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane on the left, choose **Instance Management** > **Dedicated Engine** to go to the dedicated WAF instance page. + + + .. figure:: /_static/images/en-us_image_0000001388786649.png + :alt: **Figure 1** Dedicated engine list + + **Figure 1** Dedicated engine list + +#. .. _waf_01_0343__li1041295214415: + + In the **IP Address** column, obtain the IP address of each dedicated WAF instance under your account. + +#. Click |image3| in the upper left corner of the page and choose **Compute** > **Elastic Cloud Server**. + +#. Locate the row containing the ECS hosting your website. In the **Name/ID** column, click the ECS name to go to the ECS details page. + +#. Click the **Security Groups** tab. Then, click **Change Security Group**. + +#. In the **Change Security Group** dialog box displayed, select a security group or create a security group. + +#. Click the security group name to view the details. + +#. Click the **Inbound Rules** tab and click **Add Rule**. Then, specify parameters in the **Add Inbound Rule** dialog box. For details, see :ref:`Table 1 `. + + .. _waf_01_0343__table4746426132417: + + .. 
table:: **Table 1** Inbound rule parameters + + +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Parameter | Description | + +===================================+======================================================================================================================================================================================+ + | Protocol & Port | Protocol and port for which the security group rule takes effect. If you select **TCP (Custom ports)**, enter the origin server port number in the text box below the TCP box. | + +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Source | Subnet IP address of each dedicated WAF instance you obtain in :ref:`Step 5 `. Configure an inbound rule for each IP address. | + | | | + | | .. note:: | + | | | + | | An inbound rule can contain only one IP address. To configure an inbound rule for each IP address, click **Add Rule** to add more rules. A maximum of 10 rules can be configured. | + +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +#. Click **OK**. + + Now, the security group allows all inbound traffic from the back-to-source IP addresses of all your dedicated WAF instances. + + To check whether the configuration takes effect, use the Telnet tool to check whether a connection to the origin server service port bound to the IP address protected by WAF is established. 
+ + For example, run the following command to check whether the connection to the origin server service port 443 bound to the IP address protected by WAF is established. If the connection cannot be established over the service port but the website is still accessible, the security group inbound rules take effect. + + **Telnet** *Origin server IP address*\ **443** + +Pointing Traffic to a Load Balancer +----------------------------------- + +If your origin server uses ELB to distribute traffic, perform the following steps to configure an access control policy to allow only the IP addresses of the dedicated WAF instances to access the origin server: + +#. Log in to the management console. + +#. Click |image4| in the upper left corner of the management console and select a region or project. + +#. Click |image5| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane on the left, choose **Instance Management** > **Dedicated Engine** to go to the dedicated WAF instance page. + + + .. figure:: /_static/images/en-us_image_0000001388786649.png + :alt: **Figure 2** Dedicated engine list + + **Figure 2** Dedicated engine list + +#. In the **IP Address** column, obtain the IP address of each dedicated WAF instance under your account. + +#. Click |image6| in the upper left corner of the page and choose **Networking** > **Elastic Load Balance**. + +#. Locate the row containing the load balancer configured for your dedicated WAF instance and click the load balancer name in the **Name** column. + +#. On the displayed details page, click the **Listeners** tab and then click **Configure Access Control** in the **Access Control** column. + +#. In the displayed dialog box, select **Whitelist** for **Access Policy**. + + a. .. _waf_01_0343__li18121331122018: + + Click **Create IP Address Group** and add the IP addresses of the dedicated WAF instances into the IP address group. + + b. 
Select the IP address group created in :ref:`9.a ` from the **IP Address Group** drop-down list. + +#. Click **OK**. + + Now, the access control policy allows all inbound traffic from the back-to-source IP addresses of your dedicated WAF instances. + + To check whether the configuration takes effect, use the Telnet tool to check whether a connection to the origin server service port bound to the IP address protected by WAF is established. + + For example, run the following command to check whether the connection to the origin server service port 443 bound to the IP address protected by WAF is established. If the connection cannot be established over the service port but the website is still accessible, the security group inbound rules take effect. + + **Telnet** *Origin server IP address*\ **443** + +.. |image1| image:: /_static/images/en-us_image_0000001532623045.jpg +.. |image2| image:: /_static/images/en-us_image_0000001538620681.png +.. |image3| image:: /_static/images/en-us_image_0212852906.png +.. |image4| image:: /_static/images/en-us_image_0000001487940018.jpg +.. |image5| image:: /_static/images/en-us_image_0000001538620869.png +.. |image6| image:: /_static/images/en-us_image_0000001124537874.png diff --git a/umn/source/enabling_waf_protection/index.rst b/umn/source/enabling_waf_protection/index.rst index 623487f..a3669f8 100644 --- a/umn/source/enabling_waf_protection/index.rst +++ b/umn/source/enabling_waf_protection/index.rst @@ -5,10 +5,12 @@ Enabling WAF Protection ======================= +- :ref:`Ports Supported by WAF ` - :ref:`Connecting a Website to WAF ` .. toctree:: :maxdepth: 1 :hidden: + ports_supported_by_waf connecting_a_website_to_waf/index diff --git a/umn/source/enabling_waf_protection/ports_supported_by_waf.rst b/umn/source/enabling_waf_protection/ports_supported_by_waf.rst new file mode 100644 index 0000000..11f8b49 --- /dev/null +++ b/umn/source/enabling_waf_protection/ports_supported_by_waf.rst 
@@ -0,0 +1,20 @@ +:original_name: waf_01_1249.html + +.. _waf_01_1249: + +Ports Supported by WAF +====================== + +:ref:`Table 1 ` lists the ports that can be protected by WAF. + +.. _waf_01_1249__waf_01_0032_table9589104616288: + +.. table:: **Table 1** Ports supported by WAF + + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+ + | Port Category | HTTP Protocol | HTTPS Protocol | Port Limit | + 
+===================================+===========================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+========================================================================================================================================================================================================+============+ + | Standard ports | 80 | 443 | Unlimited | + 
+-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+ + | Non-standard ports (182 in total) | 9945, 9770, 81, 82, 83, 84, 88, 89, 800, 808, 1000, 1090, 3128, 3333, 3501, 3601, 4444, 5000, 5222, 5555, 5601, 6001, 6666, 6788, 6789, 6842, 6868, 7000, 7001, 7002, 7003, 7004, 7005, 7006, 7009, 7010, 7011, 7012, 7013, 7014, 7015, 7016, 7018, 7019, 7020, 7021, 7022, 7023, 7024, 7025, 7026, 7070, 7081, 7082, 7083, 7088, 7097, 7777, 7800, 7979, 8000, 8001, 8002, 8003, 8008, 8009, 8010, 8020, 8021, 8022, 8025, 8026, 8077, 8078, 8080, 8085, 8086, 8087, 8088, 8089, 8090, 8091, 8092, 8093, 8094, 8095, 8096, 8097, 8098, 8106, 8118, 8181, 8334, 8336, 8800, 8686, 8888, 8889, 8989, 8999, 9000, 9001, 9002, 9003, 9080, 9200, 9802, 10000, 10001, 10080, 12601, 86, 9021, 9023, 9027, 9037, 9081, 9082, 9201, 9205, 9207, 9208, 9209, 9210, 9211, 9212, 9213, 48800, 87, 97, 7510, 9180, 9898, 9908, 9916, 9918, 9919, 9928, 
9929, 9939, 28080, 33702, 8011, 8012, 8013, 8014, 8015, 8016, 8017, and 8070 | 8750, 8445, 18010, 4443, 5443, 6443, 7443, 8081, 8082, 8083, 8084, 8443, 8843, 9443, 8553, 8663, 9553, 9663, 18110, 18381, 18980, 28443, 18443, 8033, 18000, 19000, 7072, 7073, 8803, 8804, 8805, 9999 | Unlimited | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+ diff --git a/umn/source/event_management/downloading_events_data.rst b/umn/source/event_management/downloading_events_data.rst index bf22f96..e7a160d 100644 --- a/umn/source/event_management/downloading_events_data.rst +++ b/umn/source/event_management/downloading_events_data.rst 
@@ -7,6 +7,10 @@ Downloading Events Data This topic describes how to download events (logged and blocked events) data for the last five days. One or more CSV files containing the event data of the current day will be generated at the beginning of the next day. +.. note:: + + If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the project from the **Enterprise Project** drop-down list and download protection event logs in the project. + Prerequisites ------------- @@ -87,5 +91,5 @@ Fields in a Protection Event Data File | url | URL of the protected domain name | N/A | +------------------+---------------------------------------------------------------------------------------------------------------+----------------------------------+ -.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image1| image:: /_static/images/en-us_image_0000001532750637.jpg .. |image2| image:: /_static/images/en-us_image_0000001340666645.png diff --git a/umn/source/event_management/handling_false_alarms.rst b/umn/source/event_management/handling_false_alarms.rst index 81dd4f4..cba0fd1 100644 --- a/umn/source/event_management/handling_false_alarms.rst +++ b/umn/source/event_management/handling_false_alarms.rst 
@@ -21,6 +21,11 @@ Constraints - For events generated based on custom rules (such as a CC attack protection rule, precise protection rule, blacklist rule, whitelist rule, or geolocation access control rule), they cannot be handled as false alarms. To ignore such an event, delete or disable the custom rule hit by the event. - An attack event can only be handled as a false alarm once. +Application Scenarios +--------------------- + +Sometimes normal service requests may be blocked by WAF. For example, suppose you deploy a web application on an ECS and then add the public domain name associated with that application to WAF. If you enable basic web protection for that application, WAF may block the access requests that match the basic web protection rules. As a result, the website cannot be accessed through its domain name. However, the website can still be accessed through the IP address. In this case, you can handle the false alarms to allow normal access requests to the application. + Impact on the System -------------------- @@ -37,9 +42,8 @@ Procedure #. In the navigation pane on the left, choose **Events**. -#. Select the **Search** tab. Select a website from the **All protected websites** drop-down list. Then, select **Yesterday**, **Today**, **Past 3 days**, **Past 7 days**, **Past 30 days**, or a custom time range. :ref:`Figure 1 ` shows an example. :ref:`Table 1 ` and :ref:`Table 2 ` describe parameters. +#. Select the **Search** tab. Select a website from the **All protected websites** drop-down list. Then, select **Yesterday**, **Today**, **Past 3 days**, **Past 7 days**, **Past 30 days**, or a custom time range. :ref:`Table 1 ` and :ref:`Table 2 ` describe parameters. - .. _waf_01_0024__fig194311743164914: .. figure:: /_static/images/en-us_image_0000001395650509.png :alt: **Figure 1** Viewing protection events 
@@ -107,9 +111,8 @@ Procedure To view event details, click **Details** in the **Operation** column of the event list. -#. After you confirm that an event is a false alarm, click **Handle False Alarm** in the **Operation** column of the row and add a false alarm masking rule. :ref:`Figure 2 ` shows an example. :ref:`Table 3 ` describes parameters. +#. After you confirm that an event is a false alarm, click **Handle False Alarm** in the **Operation** column of the row and add a false alarm masking rule. :ref:`Table 3 ` describes parameters. - .. _waf_01_0024__fig16174064111318: .. figure:: /_static/images/en-us_image_0000001327191500.png :alt: **Figure 2** Handling a false alarm @@ -189,7 +192,7 @@ A false alarm will be deleted within about a minute after the handling configura Other Operations ---------------- -If an event is handled as a false alarm, the rule hit will be added to the global protection whitelist (formerly false alarm masking) rule list. You can go to the **Policies** page and then switch to the Global Protection Whitelist (Formerly False Alarm Masking) page to manage the rule, including querying, disabling, deleting, and modifying the rule. For details, see :ref:`Configuring a Global Protection Whitelist (Formerly False Alarm Masking) Rule `. +If an event is handled as a false alarm, the rule hit will be added to the global protection whitelist (formerly false alarm masking) rule list. You can go to the **Policies** page and then switch to the **Global Protection Whitelist (Formerly False Alarm Masking)** page to manage the rule, including querying, disabling, deleting, and modifying the rule. For more details, see :ref:`Configuring a Global Protection Whitelist (Formerly False Alarm Masking) Rule `. -.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image1| image:: /_static/images/en-us_image_0000001493990116.jpg .. |image2| image:: /_static/images/en-us_image_0000001288106950.png 
diff --git a/umn/source/event_management/viewing_protection_event_logs.rst b/umn/source/event_management/viewing_protection_event_logs.rst index 4964814..75cad27 100644 --- a/umn/source/event_management/viewing_protection_event_logs.rst +++ b/umn/source/event_management/viewing_protection_event_logs.rst @@ -7,11 +7,20 @@ Viewing Protection Event Logs On the **Events** page, you can view events generated for blocked attacks and logged only attacks. You can view details of WAF events, including the time an event occurs, origin server IP address, geographic location of the origin server IP address, malicious load, and hit rule. +.. note:: + + If you have enabled enterprise projects, you can select your enterprise project from the **Enterprise Project** drop-down list and view protection event logs in the project. + Prerequisites ------------- The website to be protected has been connected to WAF. +Constraints +----------- + +If the security software installed on your server blocks the event file from being downloaded, close the software and download the file again. + Procedure --------- @@ -90,5 +99,5 @@ Procedure To view event details, click **Details** in the **Operation** column of the event list. -.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image1| image:: /_static/images/en-us_image_0000001493806486.jpg .. |image2| image:: /_static/images/en-us_image_0000001287947022.png diff --git a/umn/source/faqs/about_waf/waf_functions/about_waf_protection.rst b/umn/source/faqs/about_waf/waf_functions/about_waf_protection.rst new file mode 100644 index 0000000..b0875bc --- /dev/null +++ b/umn/source/faqs/about_waf/waf_functions/about_waf_protection.rst 
@@ -0,0 +1,38 @@ +:original_name: waf_01_0181.html + +.. _waf_01_0181: + +About WAF Protection +==================== + +What Is a Protection IP Address? +-------------------------------- + +A protection IP address in WAF is the IP address of a website you use WAF to protect. + +Does WAF Support Vulnerability Detection? +----------------------------------------- + +The basic web protection function of WAF can detect and block threats such as third-party security tool vulnerability attacks. If you enable the scanner item when configuring basic web protection rules, WAF detects scanners and crawlers, such as OpenVAS and Nmap. + +Does WAF Support Protocols Used in MS Exchange? +----------------------------------------------- + +WAF supports HTTP and HTTPS for logging in to Exchange on the web, but does not support mail-related protocols such as Simple Mail Transfer Protocol (SMTP), Post Office Protocol version 3 (POP3), or Internet Message Access Protocol (IMAP) used by MS Exchange. + +Can WAF Defend Against XOR Injection Attacks? +--------------------------------------------- + +Yes. WAF can defend against XOR injection attacks. + +What Is the bind_ip Parameter in WAF Logs? +------------------------------------------ + +After your website is connected to WAF, WAF functions as a reverse proxy between the client and the origin server. WAF examines traffic to your website, filters out malicious traffic, and forwards health traffic to your origin servers. **bind_ip** indicates the WAF IP addresses used by WAF to forward healthy traffic. + +Can WAF Protect All Domain Names Mapped to My Website IP Address If I Have Connected the IP Address to WAF? +----------------------------------------------------------------------------------------------------------- + +No. + +In dedicated mode, the origin server IP address can be connected to WAF, and the IP address can be a private or internal IP address. 
WAF protects only the traffic accessed through the IP address but cannot protect the traffic to the domain name mapped to the IP address. To protect a domain name, connect the domain name to WAF. diff --git a/umn/source/faqs/about_waf/waf_functions/can_a_waf_instance_be_deployed_in_the_vpc.rst b/umn/source/faqs/about_waf/waf_functions/can_a_waf_instance_be_deployed_in_the_vpc.rst new file mode 100644 index 0000000..9c2fe9d --- /dev/null +++ b/umn/source/faqs/about_waf/waf_functions/can_a_waf_instance_be_deployed_in_the_vpc.rst @@ -0,0 +1,8 @@ +:original_name: waf_01_0256.html + +.. _waf_01_0256: + +Can a WAF Instance Be Deployed in the VPC? +========================================== + +Yes. You can deploy dedicated engine WAF instances in a VPC. diff --git a/umn/source/faqs/about_waf/waf_functions/can_i_configure_session_cookies_in_waf.rst b/umn/source/faqs/about_waf/waf_functions/can_i_configure_session_cookies_in_waf.rst new file mode 100644 index 0000000..f2f9156 --- /dev/null +++ b/umn/source/faqs/about_waf/waf_functions/can_i_configure_session_cookies_in_waf.rst 
@@ -0,0 +1,25 @@ +:original_name: waf_01_0216.html + +.. _waf_01_0216: + +Can I Configure Session Cookies in WAF? +======================================= + +No. WAF does not support session cookies. + +WAF allows you to configure CC attack protection rules to limit the access frequency of a specific path (URL) in a single cookie field, accurately identify CC attacks, and effectively mitigate CC attacks. For example, if a user whose cookie ID is **name** accesses the **/admin\*** page under the protected domain name for more than 10 times within 60 seconds, you can configure a CC attack protection rule to forbid the user from accessing the domain name for 600 seconds. + +What Are Cookies? +----------------- + +Cookies are data (usually encrypted) stored on the local terminal of a user by a website to identify the user and trace sessions. Cookies are sent by a web server to a browser to record personal information of the user. + +A cookie consists of a name, a value, and several optional attributes that control the cookie validity period, security, and usage scope. Cookies are classified into session cookies and persistent cookies. The details are as follows: + +- Session cookie + + A session cookie exists only in temporary memory while the user navigates the website. It does not have an expiration date. When the browser is closed, session cookies are deleted. + +- Persistent cookie + + A persistent cookie has an expiration date and is stored in disks. Persistent cookies will be deleted after a specific length of time. diff --git a/umn/source/faqs/about_waf/waf_functions/can_waf_block_data_packets_in_multipart_form-data_format.rst b/umn/source/faqs/about_waf/waf_functions/can_waf_block_data_packets_in_multipart_form-data_format.rst new file mode 100644 index 0000000..f4c8312 --- /dev/null +++ b/umn/source/faqs/about_waf/waf_functions/can_waf_block_data_packets_in_multipart_form-data_format.rst 
@@ -0,0 +1,10 @@ +:original_name: waf_01_0259.html + +.. _waf_01_0259: + +Can WAF Block Data Packets in multipart/form-data Format? +========================================================= + +Yes. + +The multipart/form-data indicates that the browser uses a form to upload files. For example, if an attachment is added to an email, the attachment is usually uploaded to the server in multipart/form-data format. diff --git a/umn/source/faqs/about_waf/waf_functions/can_waf_check_the_body_i_add_to_the_post_request.rst b/umn/source/faqs/about_waf/waf_functions/can_waf_check_the_body_i_add_to_a_post_request.rst similarity index 77% rename from umn/source/faqs/about_waf/waf_functions/can_waf_check_the_body_i_add_to_the_post_request.rst rename to umn/source/faqs/about_waf/waf_functions/can_waf_check_the_body_i_add_to_a_post_request.rst index 760e89e..a57af73 100644 --- a/umn/source/faqs/about_waf/waf_functions/can_waf_check_the_body_i_add_to_the_post_request.rst +++ b/umn/source/faqs/about_waf/waf_functions/can_waf_check_the_body_i_add_to_a_post_request.rst @@ -2,8 +2,8 @@ .. _waf_01_0187: -Can WAF Check the Body I Add to the POST Request? -================================================= +Can WAF Check the Body I Add to a POST Request? +=============================================== The built-in detection of WAF checks POST data, and web shells are the files submitted in POST requests. WAF checks all data, such as forms and JSON files in POST requests based on the default protection policies. diff --git a/umn/source/faqs/about_waf/waf_functions/can_waf_defend_against_the_apache_struts2_remote_code_execution_vulnerability_cve-2021-31805.rst b/umn/source/faqs/about_waf/waf_functions/can_waf_defend_against_the_apache_struts2_remote_code_execution_vulnerability_cve-2021-31805.rst new file mode 100644 index 0000000..a63721b --- /dev/null 
+++ b/umn/source/faqs/about_waf/waf_functions/can_waf_defend_against_the_apache_struts2_remote_code_execution_vulnerability_cve-2021-31805.rst @@ -0,0 +1,8 @@ +:original_name: waf_01_0458.html + +.. _waf_01_0458: + +Can WAF Defend Against the Apache Struts2 Remote Code Execution Vulnerability (CVE-2021-31805)? +=============================================================================================== + +Yes. WAF basic web protection rules can defend against the Apache Struts2 remote code execution vulnerability (CVE-2021-31805). diff --git a/umn/source/faqs/about_waf/waf_functions/can_waf_limit_access_through_domain_names.rst b/umn/source/faqs/about_waf/waf_functions/can_waf_limit_access_through_domain_names.rst new file mode 100644 index 0000000..e30fc91 --- /dev/null +++ b/umn/source/faqs/about_waf/waf_functions/can_waf_limit_access_through_domain_names.rst @@ -0,0 +1,10 @@ +:original_name: waf_01_0258.html + +.. _waf_01_0258: + +Can WAF Limit Access Through Domain Names? +========================================== + +No. WAF supports the blacklist and whitelist rules to block, log only, or permit access requests from specified IP addresses or IP address segments. + +You can configure blacklist and whitelist rules to block, log only, or permit access requests from the IP addresses or IP address segments corresponding to the domain names. diff --git a/umn/source/faqs/about_waf/waf_functions/can_waf_protect_an_ip_address.rst b/umn/source/faqs/about_waf/waf_functions/can_waf_protect_an_ip_address.rst index dd4a36a..ece0092 100644 --- a/umn/source/faqs/about_waf/waf_functions/can_waf_protect_an_ip_address.rst +++ b/umn/source/faqs/about_waf/waf_functions/can_waf_protect_an_ip_address.rst 
@@ -7,11 +7,4 @@ Can WAF Protect an IP Address? A WAF instance can protect IP addresses. -Dedicated Mode --------------- - -A dedicated or load balancing WAF instance can protect websites through either domain names or IP addresses. - -The origin server IP address configured in WAF can be a public IP address or internal IP address. - -For details about how to add a domain name to WAF, see :ref:`How Do I Add a Domain Name/IP Address to WAF? `. +For details about how to add a domain name to WAF, see :ref:`How Do I Add a Domain Name/IP Address to WAF? ` diff --git a/umn/source/faqs/about_waf/waf_functions/does_a_dedicated_waf_instance_support_cross-vpc_protection.rst b/umn/source/faqs/about_waf/waf_functions/does_a_dedicated_waf_instance_support_cross-vpc_protection.rst new file mode 100644 index 0000000..74fe658 --- /dev/null +++ b/umn/source/faqs/about_waf/waf_functions/does_a_dedicated_waf_instance_support_cross-vpc_protection.rst @@ -0,0 +1,8 @@ +:original_name: waf_01_0459.html + +.. _waf_01_0459: + +Does a Dedicated WAF Instance Support Cross-VPC Protection? +=========================================================== + +Dedicated WAF instances cannot protect origin servers in the VPCs that are different from where those WAF instances locate. To protect such origin servers, apply for dedicated WAF instances in the same VPC as that for the origin servers. diff --git a/umn/source/faqs/about_waf/waf_functions/does_waf_block_customized_post_requests.rst b/umn/source/faqs/about_waf/waf_functions/does_waf_block_customized_post_requests.rst new file mode 100644 index 0000000..6fe650d --- /dev/null +++ b/umn/source/faqs/about_waf/waf_functions/does_waf_block_customized_post_requests.rst 
@@ -0,0 +1,15 @@ +:original_name: waf_01_0193.html + +.. _waf_01_0193: + +Does WAF Block Customized POST Requests? +======================================== + +No. WAF does not block user-defined POST requests. :ref:`Figure 1 ` shows the detection process of the WAF built-in protection rules for original HTTP/HTTPS requests. + +.. _waf_01_0193__fig2638939185219: + +.. figure:: /_static/images/en-us_image_0000001286548588.png + :alt: **Figure 1** WAF engine detection process + + **Figure 1** WAF engine detection process diff --git a/umn/source/faqs/about_waf/waf_functions/does_waf_have_the_ips_module.rst b/umn/source/faqs/about_waf/waf_functions/does_waf_have_the_ips_module.rst new file mode 100644 index 0000000..378c830 --- /dev/null +++ b/umn/source/faqs/about_waf/waf_functions/does_waf_have_the_ips_module.rst @@ -0,0 +1,8 @@ +:original_name: waf_01_0148.html + +.. _waf_01_0148: + +Does WAF Have the IPS Module? +============================= + +Unlike the traditional firewalls, WAF does not have an Intrusion Prevention System (IPS). WAF supports intrusion detection of only HTTP/HTTPS requests. diff --git a/umn/source/faqs/about_waf/waf_functions/does_waf_support_two-way_ssl_authentication.rst b/umn/source/faqs/about_waf/waf_functions/does_waf_support_two-way_ssl_authentication.rst new file mode 100644 index 0000000..65b5096 --- /dev/null +++ b/umn/source/faqs/about_waf/waf_functions/does_waf_support_two-way_ssl_authentication.rst 
@@ -0,0 +1,18 @@ +:original_name: waf_01_0184.html + +.. _waf_01_0184: + +Does WAF Support Two-Way SSL Authentication? +============================================ + +No. You can configure a one-way SSL certificate on WAF. + +.. note:: + + If you set **Client Protocol** to **HTTPS** when adding a website to WAF, you will be required to upload a certificate and use it for your website. + +You are advised to use an ELB load balancer and dedicated WAF instances and then configure two-way authentication on the load balancer. The procedure is as follows: + +#. :ref:`Applying for a Dedicated WAF Instance `. +#. Connect your website to WAF and configure ELB. For details, see :ref:`Connection Process (Dedicated Mode) `. +#. Configure two-way authentication on the ELB. diff --git a/umn/source/faqs/about_waf/waf_functions/index.rst b/umn/source/faqs/about_waf/waf_functions/index.rst index c9808a9..6127229 100644 --- a/umn/source/faqs/about_waf/waf_functions/index.rst +++ b/umn/source/faqs/about_waf/waf_functions/index.rst 
@@ -10,16 +10,29 @@ WAF Functions - :ref:`Which OSs Does WAF Support? ` - :ref:`Which Layers Does WAF Provide Protection At? ` - :ref:`Does WAF Support File Caching? ` +- :ref:`About WAF Protection ` +- :ref:`Does WAF Support Two-Way SSL Authentication? ` - :ref:`Does WAF Support Application Layer Protocol- and Content-Based Access Control? ` -- :ref:`Can WAF Check the Body I Add to the POST Request? ` +- :ref:`Can WAF Check the Body I Add to a POST Request? ` - :ref:`Can WAF Limit the Access Speed of a Domain Name? ` +- :ref:`Can WAF Block Data Packets in multipart/form-data Format? ` +- :ref:`Can a WAF Instance Be Deployed in the VPC? ` - :ref:`Can WAF Block URL Requests That Contain Special Characters? ` - :ref:`Can WAF Block Spam and Malicious User Registrations? ` - :ref:`Can WAF Block Requests for Calling Other APIs from Web Pages? ` +- :ref:`Can I Configure Session Cookies in WAF? ` +- :ref:`Does WAF Block Customized POST Requests? ` +- :ref:`Can WAF Limit Access Through Domain Names? ` +- :ref:`Does WAF Have the IPS Module? ` - :ref:`Which Web Service Framework Protocols Does WAF Support? ` - :ref:`Can WAF Protect Websites Accessed Through HSTS or NTLM Authentication? ` +- :ref:`What Are the Differences Between WAF Forwarding and Nginx Forwarding? ` - :ref:`Does WAF Cache Website Data? ` +- :ref:`Is WAF a Hardware Firewall or a Software Firewall? ` +- :ref:`Is There Any Impact on Origin Servers If I Enable HTTP/2 in WAF? ` - :ref:`How Does WAF Detect SQL Injection and XSS Attacks? ` +- :ref:`Can WAF Defend Against the Apache Struts2 Remote Code Execution Vulnerability (CVE-2021-31805)? ` +- :ref:`Does a Dedicated WAF Instance Support Cross-VPC Protection? ` .. toctree:: :maxdepth: 1 
@@ -30,13 +43,26 @@ WAF Functions which_oss_does_waf_support which_layers_does_waf_provide_protection_at does_waf_support_file_caching + about_waf_protection + does_waf_support_two-way_ssl_authentication does_waf_support_application_layer_protocol-_and_content-based_access_control - can_waf_check_the_body_i_add_to_the_post_request + can_waf_check_the_body_i_add_to_a_post_request can_waf_limit_the_access_speed_of_a_domain_name + can_waf_block_data_packets_in_multipart_form-data_format + can_a_waf_instance_be_deployed_in_the_vpc can_waf_block_url_requests_that_contain_special_characters can_waf_block_spam_and_malicious_user_registrations can_waf_block_requests_for_calling_other_apis_from_web_pages + can_i_configure_session_cookies_in_waf + does_waf_block_customized_post_requests + can_waf_limit_access_through_domain_names + does_waf_have_the_ips_module which_web_service_framework_protocols_does_waf_support can_waf_protect_websites_accessed_through_hsts_or_ntlm_authentication + what_are_the_differences_between_waf_forwarding_and_nginx_forwarding does_waf_cache_website_data + is_waf_a_hardware_firewall_or_a_software_firewall + is_there_any_impact_on_origin_servers_if_i_enable_http_2_in_waf how_does_waf_detect_sql_injection_and_xss_attacks + can_waf_defend_against_the_apache_struts2_remote_code_execution_vulnerability_cve-2021-31805 + does_a_dedicated_waf_instance_support_cross-vpc_protection diff --git a/umn/source/faqs/about_waf/waf_functions/is_there_any_impact_on_origin_servers_if_i_enable_http_2_in_waf.rst b/umn/source/faqs/about_waf/waf_functions/is_there_any_impact_on_origin_servers_if_i_enable_http_2_in_waf.rst new file mode 100644 index 0000000..901d9b9 --- /dev/null +++ b/umn/source/faqs/about_waf/waf_functions/is_there_any_impact_on_origin_servers_if_i_enable_http_2_in_waf.rst 
@@ -0,0 +1,8 @@ +:original_name: waf_01_0456.html + +.. _waf_01_0456: + +Is There Any Impact on Origin Servers If I Enable HTTP/2 in WAF? +================================================================ + +Yes. HTTP/2 is not supported between WAF and the origin server. This means if you enable HTTP/2 in WAF, WAF can process HTTP/2 requests from clients, but WAF can only forward the requests to origin server using HTTP 1.0/1.1. Therefore, service bandwidth of origin servers may rise as multiplexing in HTTP/2 may become invalid for origin servers. diff --git a/umn/source/faqs/about_waf/waf_functions/is_waf_a_hardware_firewall_or_a_software_firewall.rst b/umn/source/faqs/about_waf/waf_functions/is_waf_a_hardware_firewall_or_a_software_firewall.rst new file mode 100644 index 0000000..3b1b32e --- /dev/null +++ b/umn/source/faqs/about_waf/waf_functions/is_waf_a_hardware_firewall_or_a_software_firewall.rst @@ -0,0 +1,8 @@ +:original_name: waf_01_0255.html + +.. _waf_01_0255: + +Is WAF a Hardware Firewall or a Software Firewall? +================================================== + +WAF is a software firewall. diff --git a/umn/source/faqs/about_waf/waf_functions/what_are_the_differences_between_waf_forwarding_and_nginx_forwarding.rst b/umn/source/faqs/about_waf/waf_functions/what_are_the_differences_between_waf_forwarding_and_nginx_forwarding.rst new file mode 100644 index 0000000..f1cf19c --- /dev/null +++ b/umn/source/faqs/about_waf/waf_functions/what_are_the_differences_between_waf_forwarding_and_nginx_forwarding.rst 
@@ -0,0 +1,30 @@ +:original_name: waf_01_0338.html + +.. _waf_01_0338: + +What Are the Differences Between WAF Forwarding and Nginx Forwarding? +===================================================================== + +Nginx directly forwards access requests to the origin server, while WAF detects and filters out malicious traffic and then forwards only the normal access requests to the origin server. The details are as follows: + +- WAF forwarding + + After a website is connected to WAF, all access requests pass through WAF. WAF detects HTTP(S) requests to identify and block a wide range of attacks, such as SQL injection, cross-site scripting attacks, web shell uploads, command/code injection, file inclusion, sensitive file access, third-party application vulnerability attacks, CC attacks, malicious crawlers, cross-site request forgery (CSRF) attacks. Then, WAF sends normal traffic to the origin server. In this way, security, stability, and availability of your web applications are assured. + + + .. figure:: /_static/images/en-us_image_0000001197423825.png + :alt: **Figure 1** How WAF protects a website + + **Figure 1** How WAF protects a website + +- Nginx forwarding + + Nginx works as a reverse proxy server. After receiving the access request from the client, the reverse proxy server directly forwards the access request to the web server and returns the result obtained from the web server to the client. The reverse proxy server is installed in the website equipment room. It functions as a proxy for the web server to receive and forward access requests. + + The reverse proxy server prevents malicious attacks from the Internet to intranet servers, caches data to reduce workloads on the intranet servers, and implements access security control and load balancing. + + + .. figure:: /_static/images/en-us_image_0000001163672451.png + :alt: **Figure 2** How Nginx Works + + **Figure 2** How Nginx Works 
diff --git a/umn/source/faqs/about_waf/waf_usage/can_waf_block_requests_when_a_certificate_is_mounted_on_elb.rst b/umn/source/faqs/about_waf/waf_usage/can_waf_block_requests_when_a_certificate_is_mounted_on_elb.rst new file mode 100644 index 0000000..17bcf25 --- /dev/null +++ b/umn/source/faqs/about_waf/waf_usage/can_waf_block_requests_when_a_certificate_is_mounted_on_elb.rst @@ -0,0 +1,8 @@ +:original_name: waf_01_0195.html + +.. _waf_01_0195: + +Can WAF Block Requests When a Certificate Is Mounted on ELB? +============================================================ + +If the certificate is mounted on ELB, all requests sent through WAF are encrypted. For HTTPS services, you must upload the certificate to WAF so that WAF can detect the decrypted request and determine whether to block the request. diff --git a/umn/source/faqs/about_waf/waf_usage/do_i_need_to_make_some_changes_in_waf_if_the_security_group_for_origin_server_address_is_changed.rst b/umn/source/faqs/about_waf/waf_usage/do_i_need_to_make_some_changes_in_waf_if_the_security_group_for_origin_server_address_is_changed.rst new file mode 100644 index 0000000..bdeaab7 --- /dev/null +++ b/umn/source/faqs/about_waf/waf_usage/do_i_need_to_make_some_changes_in_waf_if_the_security_group_for_origin_server_address_is_changed.rst @@ -0,0 +1,8 @@ +:original_name: waf_01_0467.html + +.. _waf_01_0467: + +Do I Need to Make Some Changes in WAF If the Security Group for Origin Server (Address) Is Changed? +=================================================================================================== + +No modifications are required in WAF, but you are required to whitelist WAF IP addresses on the origin servers. diff --git a/umn/source/faqs/about_waf/waf_usage/does_waf_affect_my_existing_workloads_and_server_running.rst b/umn/source/faqs/about_waf/waf_usage/does_waf_affect_my_existing_workloads_and_server_running.rst new file mode 100644 index 0000000..6214fd4 --- /dev/null 
+++ b/umn/source/faqs/about_waf/waf_usage/does_waf_affect_my_existing_workloads_and_server_running.rst @@ -0,0 +1,8 @@ +:original_name: waf_01_0339.html + +.. _waf_01_0339: + +Does WAF Affect My Existing Workloads and Server Running? +========================================================= + +Enabling WAF does not interrupt your existing workloads or affect the running status of your origin servers. No additional operation (such as shutdown or restart) on the origin servers is required. diff --git a/umn/source/faqs/about_waf/waf_usage/how_do_i_configure_my_server_to_allow_only_requests_from_waf.rst b/umn/source/faqs/about_waf/waf_usage/how_do_i_configure_my_server_to_allow_only_requests_from_waf.rst new file mode 100644 index 0000000..66ef504 --- /dev/null +++ b/umn/source/faqs/about_waf/waf_usage/how_do_i_configure_my_server_to_allow_only_requests_from_waf.rst @@ -0,0 +1,8 @@ +:original_name: waf_01_0346.html + +.. _waf_01_0346: + +How Do I Configure My Server to Allow Only Requests from WAF? +============================================================= + +You can configure an access control rule on the origin server to allow only WAF back-to-source IP addresses to access the origin server. This prevents hackers from bypassing WAF to attack the origin server through origin server IP addresses, ensuring the security, stability, and availability of the origin server. diff --git a/umn/source/faqs/about_waf/waf_usage/how_do_i_configure_waf_if_a_reverse_proxy_server_is_deployed_for_my_website.rst b/umn/source/faqs/about_waf/waf_usage/how_do_i_configure_waf_if_a_reverse_proxy_server_is_deployed_for_my_website.rst new file mode 100644 index 0000000..63f9d4f --- /dev/null +++ b/umn/source/faqs/about_waf/waf_usage/how_do_i_configure_waf_if_a_reverse_proxy_server_is_deployed_for_my_website.rst 
@@ -0,0 +1,8 @@ +:original_name: waf_01_0350.html + +.. _waf_01_0350: + +How Do I Configure WAF If a Reverse Proxy Server Is Deployed for My Website? +============================================================================ + +In this case, the reverse proxy server will not be affected after the website is connected to WAF. WAF works as a reverse proxy between the client and your website server. The real IP addresses of your website server are hidden from the visitors, and only the IP addresses of WAF are visible to them. diff --git a/umn/source/faqs/about_waf/waf_usage/how_does_waf_block_requests.rst b/umn/source/faqs/about_waf/waf_usage/how_does_waf_block_requests.rst new file mode 100644 index 0000000..62481ed --- /dev/null +++ b/umn/source/faqs/about_waf/waf_usage/how_does_waf_block_requests.rst @@ -0,0 +1,8 @@ +:original_name: waf_01_0189.html + +.. _waf_01_0189: + +How Does WAF Block Requests? +============================ + +WAF checks both the request header and body. For example, WAF detects the request body, such as form, XML, and JSON data, and blocks requests that do not comply with protection rules. diff --git a/umn/source/faqs/about_waf/waf_usage/index.rst b/umn/source/faqs/about_waf/waf_usage/index.rst index db669ad..50bd403 100644 --- a/umn/source/faqs/about_waf/waf_usage/index.rst +++ b/umn/source/faqs/about_waf/waf_usage/index.rst 
@@ -5,22 +5,38 @@ WAF Usage ========= +- :ref:`Why Does the Vulnerability Scanning Tool Report Disabled Non-standard Ports for My WAF-Protected Website? ` - :ref:`Does WAF Affect Email Ports or Email Receiving and Sending? ` - :ref:`How Do I Obtain the Real IP Address of a Web Visitor? ` +- :ref:`How Does WAF Block Requests? ` - :ref:`What Are Local File Inclusion and Remote File Inclusion? ` - :ref:`What Is the Difference Between QPS and the Number of Requests? ` - :ref:`What Are Concurrent Requests? ` +- :ref:`Can WAF Block Requests When a Certificate Is Mounted on ELB? ` +- :ref:`Does WAF Affect My Existing Workloads and Server Running? ` +- :ref:`How Do I Configure My Server to Allow Only Requests from WAF? ` +- :ref:`Why Do Cookies Contain the HWWAFSESID or HWWAFSESTIME field? ` +- :ref:`How Do I Configure WAF If a Reverse Proxy Server Is Deployed for My Website? ` - :ref:`How Does WAF Forward Access Requests When Both a Wildcard Domain Name and a Single Domain Name Are Connected to WAF? ` - :ref:`Does WAF Affect Data Transmission from the Internal Network to an External Network? ` +- :ref:`Do I Need to Make Some Changes in WAF If the Security Group for Origin Server (Address) Is Changed? ` .. 
toctree:: :maxdepth: 1 :hidden: + why_does_the_vulnerability_scanning_tool_report_disabled_non-standard_ports_for_my_waf-protected_website does_waf_affect_email_ports_or_email_receiving_and_sending how_do_i_obtain_the_real_ip_address_of_a_web_visitor + how_does_waf_block_requests what_are_local_file_inclusion_and_remote_file_inclusion what_is_the_difference_between_qps_and_the_number_of_requests what_are_concurrent_requests + can_waf_block_requests_when_a_certificate_is_mounted_on_elb + does_waf_affect_my_existing_workloads_and_server_running + how_do_i_configure_my_server_to_allow_only_requests_from_waf + why_do_cookies_contain_the_hwwafsesid_or_hwwafsestime_field + how_do_i_configure_waf_if_a_reverse_proxy_server_is_deployed_for_my_website how_does_waf_forward_access_requests_when_both_a_wildcard_domain_name_and_a_single_domain_name_are_connected_to_waf does_waf_affect_data_transmission_from_the_internal_network_to_an_external_network + do_i_need_to_make_some_changes_in_waf_if_the_security_group_for_origin_server_address_is_changed diff --git a/umn/source/faqs/about_waf/waf_usage/why_do_cookies_contain_the_hwwafsesid_or_hwwafsestime_field.rst b/umn/source/faqs/about_waf/waf_usage/why_do_cookies_contain_the_hwwafsesid_or_hwwafsestime_field.rst new file mode 100644 index 0000000..5b05175 --- /dev/null +++ b/umn/source/faqs/about_waf/waf_usage/why_do_cookies_contain_the_hwwafsesid_or_hwwafsestime_field.rst @@ -0,0 +1,8 @@ +:original_name: waf_01_0347.html + +.. _waf_01_0347: + +Why Do Cookies Contain the **HWWAFSESID** or **HWWAFSESTIME** field? +==================================================================== + +After a domain name or IP address is connected to WAF, WAF inserts fields such as **HWWAFSESID** and **HWWAFSESTIME** into the cookie of customer requests. These fields are used for WAF statistics and security features and do not affect user services. 
diff --git a/umn/source/faqs/about_waf/waf_usage/why_does_the_vulnerability_scanning_tool_report_disabled_non-standard_ports_for_my_waf-protected_website.rst b/umn/source/faqs/about_waf/waf_usage/why_does_the_vulnerability_scanning_tool_report_disabled_non-standard_ports_for_my_waf-protected_website.rst new file mode 100644 index 0000000..ae208d6 --- /dev/null +++ b/umn/source/faqs/about_waf/waf_usage/why_does_the_vulnerability_scanning_tool_report_disabled_non-standard_ports_for_my_waf-protected_website.rst @@ -0,0 +1,21 @@ +:original_name: waf_01_0320.html + +.. _waf_01_0320: + +Why Does the Vulnerability Scanning Tool Report Disabled Non-standard Ports for My WAF-Protected Website? +========================================================================================================= + +Symptom +------- + +When a third-party vulnerability scanning tool scans the website whose domain name has been connected to WAF, the scan result shows that some standard ports (for example, 443) and non-standard ports (for example, 8000 and 8443) are vulnerable. + +Possible Cause +-------------- + +WAF uses the same non-standard port engine for all WAF users. So, if a third-party vulnerability scanning tool performs a scan for your website, the enabled non-standard ports in WAF are reported. This means such port vulnerabilities in scan results do not affect your origin server security. WAF will safeguard your website after you point origin server IP address to WAF engine IP address through the CNAME record. + +Handling Suggestions +-------------------- + +No action is required. diff --git a/umn/source/faqs/protection_rule_configuration/anti-crawler_protection/how_does_javascript_anti-crawler_detection_work.rst b/umn/source/faqs/protection_rule_configuration/anti-crawler_protection/how_does_javascript_anti-crawler_detection_work.rst new file mode 100644 index 0000000..4426fe3 --- /dev/null 
+++ b/umn/source/faqs/protection_rule_configuration/anti-crawler_protection/how_does_javascript_anti-crawler_detection_work.rst 
@@ -0,0 +1,34 @@ +:original_name: waf_01_0315.html + +.. _waf_01_0315: + +How Does JavaScript Anti-Crawler Detection Work? +================================================ + +:ref:`Figure 1 ` shows how JavaScript anti-crawler detection works, which includes JavaScript challenges (step 1 and step 2) and JavaScript authentication (step 3). + +.. _waf_01_0315__fig22129287019: + +.. figure:: /_static/images/en-us_image_0000001127096041.png + :alt: **Figure 1** JavaScript Anti-Crawler protection process + + **Figure 1** JavaScript Anti-Crawler protection process + +After JavaScript anti-crawler is enabled, WAF returns a piece of JavaScript code to the client when the client sends a request. + +- If the client sends a normal request to the website, triggered by the received JavaScript code, the client will automatically send the request to WAF again. WAF then forwards the request to the origin server. This process is called JavaScript verification. +- If the client is a crawler, it cannot be triggered by the received JavaScript code and will not send a request to WAF again. The client fails JavaScript authentication. +- If a client crawler fabricates a WAF authentication request and sends the request to WAF, the WAF will block the request. The client fails JavaScript authentication. + +By collecting statistics on the number of JavaScript challenge and authentication responses, the system calculates how many requests the JavaScript anti-crawler defends. As shown in :ref:`Figure 2 `, the JavaScript anti-crawler logs 18 events, 16 of which are JavaScript challenge responses, 2 of which are JavaScript authentication responses. The number of **Other** is the WAF authentication requests fabricated by the crawler. + +.. _waf_01_0315__fig10806185634312: + +.. figure:: /_static/images/en-us_image_0000001127126255.png + :alt: **Figure 2** Parameters of a JavaScript anti-crawler protection rule + + **Figure 2** Parameters of a JavaScript anti-crawler protection rule + +.. 
important:: + + WAF only logs JavaScript challenge and JavaScript authentication events. No other protective actions can be configured for JavaScript challenge and authentication. diff --git a/umn/source/faqs/protection_rule_configuration/anti-crawler_protection/index.rst b/umn/source/faqs/protection_rule_configuration/anti-crawler_protection/index.rst index 0f1fec2..004c38c 100644 --- a/umn/source/faqs/protection_rule_configuration/anti-crawler_protection/index.rst +++ b/umn/source/faqs/protection_rule_configuration/anti-crawler_protection/index.rst @@ -6,9 +6,13 @@ Anti-Crawler Protection ======================= - :ref:`Why Is the Requested Page Unable to Load After JavaScript Anti-Crawler Is Enabled? ` +- :ref:`Is There Any Impact on Website Loading Speed If Other Crawler Check in Anti-Crawler Is Enabled? ` +- :ref:`How Does JavaScript Anti-Crawler Detection Work? ` .. toctree:: :maxdepth: 1 :hidden: why_is_the_requested_page_unable_to_load_after_javascript_anti-crawler_is_enabled + is_there_any_impact_on_website_loading_speed_if_other_crawler_check_in_anti-crawler_is_enabled + how_does_javascript_anti-crawler_detection_work diff --git a/umn/source/faqs/protection_rule_configuration/anti-crawler_protection/is_there_any_impact_on_website_loading_speed_if_other_crawler_check_in_anti-crawler_is_enabled.rst b/umn/source/faqs/protection_rule_configuration/anti-crawler_protection/is_there_any_impact_on_website_loading_speed_if_other_crawler_check_in_anti-crawler_is_enabled.rst new file mode 100644 index 0000000..3a100e0 --- /dev/null +++ b/umn/source/faqs/protection_rule_configuration/anti-crawler_protection/is_there_any_impact_on_website_loading_speed_if_other_crawler_check_in_anti-crawler_is_enabled.rst 
@@ -0,0 +1,8 @@ +:original_name: waf_01_0240.html + +.. _waf_01_0240: + +Is There Any Impact on Website Loading Speed If Other Crawler Check in Anti-Crawler Is Enabled? +=============================================================================================== + +If you have enabled **Other** when you configure **Feature Library** of anti-crawler protection, WAF detects crawlers for various purposes, such as website monitoring, access proxy, and web page analysis. Enabling this option does not affect web page visits or the web page browsing speed. diff --git a/umn/source/faqs/protection_rule_configuration/basic_web_protection/how_do_i_switch_the_mode_of_basic_web_protection_from_log_only_to_block.rst b/umn/source/faqs/protection_rule_configuration/basic_web_protection/how_do_i_switch_the_mode_of_basic_web_protection_from_log_only_to_block.rst index aee4318..fce9957 100644 --- a/umn/source/faqs/protection_rule_configuration/basic_web_protection/how_do_i_switch_the_mode_of_basic_web_protection_from_log_only_to_block.rst +++ b/umn/source/faqs/protection_rule_configuration/basic_web_protection/how_do_i_switch_the_mode_of_basic_web_protection_from_log_only_to_block.rst @@ -20,5 +20,5 @@ Perform the following operations: **Log only** and **Block** are merely modes of basic web protection. CC attack protection and precise protection have their own protective actions. -.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image1| image:: /_static/images/en-us_image_0000001533171269.jpg .. |image2| image:: /_static/images/en-us_image_0000001340426101.png diff --git a/umn/source/faqs/protection_rule_configuration/cc_attack_protection_rules/how_do_i_configure_a_cc_attack_protection_rule.rst b/umn/source/faqs/protection_rule_configuration/cc_attack_protection_rules/how_do_i_configure_a_cc_attack_protection_rule.rst index a9b3144..c8d795e 100644 
--- a/umn/source/faqs/protection_rule_configuration/cc_attack_protection_rules/how_do_i_configure_a_cc_attack_protection_rule.rst +++ b/umn/source/faqs/protection_rule_configuration/cc_attack_protection_rules/how_do_i_configure_a_cc_attack_protection_rule.rst @@ -13,4 +13,4 @@ WAF provides the following settings for a CC attack protection rule: - Identification of web visitors based on the IP address, cookie, or referer field. - Action when the maximum limit is reached, such as **Block** or **Verification code** -For details, see :ref:`Configuring a CC Attack Protection Rule `. +For details, see :ref:`Configuring a CC Attack Protection Rule `. diff --git a/umn/source/faqs/protection_rule_configuration/index.rst b/umn/source/faqs/protection_rule_configuration/index.rst index 573072d..469c6d5 100644 --- a/umn/source/faqs/protection_rule_configuration/index.rst +++ b/umn/source/faqs/protection_rule_configuration/index.rst @@ -7,6 +7,7 @@ Protection Rule Configuration - :ref:`Basic Web Protection ` - :ref:`CC Attack Protection Rules ` +- :ref:`Precise Protection rules ` - :ref:`Anti-Crawler Protection ` - :ref:`Others ` @@ -16,5 +17,6 @@ Protection Rule Configuration basic_web_protection/index cc_attack_protection_rules/index + precise_protection_rules/index anti-crawler_protection/index others/index diff --git a/umn/source/faqs/protection_rule_configuration/others/index.rst b/umn/source/faqs/protection_rule_configuration/others/index.rst index 149b550..f241816 100644 --- a/umn/source/faqs/protection_rule_configuration/others/index.rst +++ b/umn/source/faqs/protection_rule_configuration/others/index.rst 
@@ -8,6 +8,10 @@ Others - :ref:`In Which Situations Will the WAF Policies Fail? ` - :ref:`Is the Path of a WAF Protection Rule Case-sensitive? ` - :ref:`What Protection Rules Does WAF Support? ` +- :ref:`Which of the WAF Protection Rules Support the Log-Only Protective Action? ` +- :ref:`Why Does the Page Fail to Be Refreshed After WTP Is Enabled? ` +- :ref:`What Are the Differences Between Blacklist/Whitelist Rules and Precise Protection Rules on Blocking Access Requests from Specified IP Addresses? ` +- :ref:`What Do I Do If a Scanner, such as AppScan, Detects that the Cookie Is Missing Secure or HttpOnly? ` .. toctree:: :maxdepth: 1 @@ -16,3 +20,7 @@ Others in_which_situations_will_the_waf_policies_fail is_the_path_of_a_waf_protection_rule_case-sensitive what_protection_rules_does_waf_support + which_of_the_waf_protection_rules_support_the_log-only_protective_action + why_does_the_page_fail_to_be_refreshed_after_wtp_is_enabled + what_are_the_differences_between_blacklist_whitelist_rules_and_precise_protection_rules_on_blocking_access_requests_from_specified_ip_addresses + what_do_i_do_if_a_scanner_such_as_appscan_detects_that_the_cookie_is_missing_secure_or_httponly diff --git a/umn/source/faqs/protection_rule_configuration/others/what_are_the_differences_between_blacklist_whitelist_rules_and_precise_protection_rules_on_blocking_access_requests_from_specified_ip_addresses.rst b/umn/source/faqs/protection_rule_configuration/others/what_are_the_differences_between_blacklist_whitelist_rules_and_precise_protection_rules_on_blocking_access_requests_from_specified_ip_addresses.rst new file mode 100644 index 0000000..99fa350 --- /dev/null +++ b/umn/source/faqs/protection_rule_configuration/others/what_are_the_differences_between_blacklist_whitelist_rules_and_precise_protection_rules_on_blocking_access_requests_from_specified_ip_addresses.rst 
@@ -0,0 +1,22 @@ +:original_name: waf_01_0363.html + +.. _waf_01_0363: + +What Are the Differences Between Blacklist/Whitelist Rules and Precise Protection Rules on Blocking Access Requests from Specified IP Addresses? +================================================================================================================================================ + +Both of them can block access requests from specified IP addresses. :ref:`Table 1 ` describes the differences between the two types of rules. + +.. _waf_01_0363__table139435332492: + +.. table:: **Table 1** Differences between blacklist and whitelist rules and precise protection rules + + +-------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Protection Rules | Protection | WAF Inspection Sequence | + +===============================+===========================================================================================================================================================================================================+======================================================================================================================================================+ + | Blacklist and whitelist rules | This type or rules can block, log only, or allow access requests from a specified IP address or IP address range. | Blacklist and whitelist rules have the highest priority. | + | | | | + | | | WAF filters access requests based on the protection rules and the triggering sequence. For details, see :ref:`Configuration Guidance `. 
| + +-------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Precise protection rules | You can combine common HTTP fields, such as **IP**, **Path**, **Referer**, **User Agent**, and **Params** in a protection rule to let WAF allow or block the requests that match the combined conditions. | Precise protection rules have lower priority compared with blacklist and whitelist rules. | + +-------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------+ diff --git a/umn/source/faqs/protection_rule_configuration/others/what_do_i_do_if_a_scanner_such_as_appscan_detects_that_the_cookie_is_missing_secure_or_httponly.rst b/umn/source/faqs/protection_rule_configuration/others/what_do_i_do_if_a_scanner_such_as_appscan_detects_that_the_cookie_is_missing_secure_or_httponly.rst new file mode 100644 index 0000000..c34e020 --- /dev/null +++ b/umn/source/faqs/protection_rule_configuration/others/what_do_i_do_if_a_scanner_such_as_appscan_detects_that_the_cookie_is_missing_secure_or_httponly.rst 
@@ -0,0 +1,10 @@ +:original_name: waf_01_0121.html + +.. _waf_01_0121: + +What Do I Do If a Scanner, such as AppScan, Detects that the Cookie Is Missing Secure or HttpOnly? +================================================================================================== + +Cookies are inserted by back-end web servers and can be implemented through framework configuration or set-cookie. Secure and HttpOnly in cookies help defend against attacks, such as XSS attacks to obtain cookies, and help defend against cookie hijacking. + +If the AppScan scanner detects that the customer site does not insert security configuration fields, such as HttpOnly and Secure, into the cookie of the scan request after scanning the website, it records them as security threats. diff --git a/umn/source/faqs/protection_rule_configuration/others/which_of_the_waf_protection_rules_support_the_log-only_protective_action.rst b/umn/source/faqs/protection_rule_configuration/others/which_of_the_waf_protection_rules_support_the_log-only_protective_action.rst new file mode 100644 index 0000000..f742cd6 --- /dev/null +++ b/umn/source/faqs/protection_rule_configuration/others/which_of_the_waf_protection_rules_support_the_log-only_protective_action.rst @@ -0,0 +1,10 @@ +:original_name: waf_01_0210.html + +.. _waf_01_0210: + +Which of the WAF Protection Rules Support the Log-Only Protective Action? +========================================================================= + +In WAF, **Log only** is available for **Protective Action** in basic web protection rules. + +**Log only** is available for **Protective Action** in CC attack protection rules, precise protection rules, blacklist and whitelist rules, geolocation access control rules, and anti-crawler rules. 
diff --git a/umn/source/faqs/protection_rule_configuration/others/why_does_the_page_fail_to_be_refreshed_after_wtp_is_enabled.rst b/umn/source/faqs/protection_rule_configuration/others/why_does_the_page_fail_to_be_refreshed_after_wtp_is_enabled.rst new file mode 100644 index 0000000..4d2f6b3 --- /dev/null +++ b/umn/source/faqs/protection_rule_configuration/others/why_does_the_page_fail_to_be_refreshed_after_wtp_is_enabled.rst 
@@ -0,0 +1,47 @@ +:original_name: waf_01_0355.html + +.. _waf_01_0355: + +Why Does the Page Fail to Be Refreshed After WTP Is Enabled? +============================================================ + +Web Tamper Protection (WTP) supports only caching of static web pages. Perform the following steps to fix this issue: + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + +#. In the navigation pane on the left, choose **Website Settings**. + +#. In the **Policy** column of the row containing the domain name, click **Configure Policy**. + +#. In the **Web Tamper Protection** configuration area, check whether this function is enabled. + + - If this function is enabled (|image3|), go to :ref:`Step 7 `. + - If this function is disabled (|image4|), click |image5| to enable the function. Refresh the page several minutes later. + +#. .. _waf_01_0355__li56301354192511: + + Click **Customize Rule**. On the displayed page, check whether the domain name and path are correct. + + - If they are correct, go to :ref:`Step 8 `. + + - If they are incorrect, click **Delete** in the **Operation** column to delete the rule. Then, click **Add Rule** above the rule list and configure another rule. + + After the rule is added successfully, refresh the page several minutes later. Then, access the page again. + +#. .. _waf_01_0355__li129561731105818: + + In the row containing the web tamper protection rule, click **Update Cache** in the **Operation** column. + + If the content of a protected page is modified, you must update the cache. Otherwise, WAF always returns the most recently cached content. + + After updating the cache, refresh the page and access the page again. If the page is still not updated, contact technical support. + +.. 
|image1| image:: /_static/images/en-us_image_0000001482063812.jpg +.. |image2| image:: /_static/images/en-us_image_0000001548562913.png +.. |image3| image:: /_static/images/en-us_image_0000001166615726.png +.. |image4| image:: /_static/images/en-us_image_0000001166455750.png +.. |image5| image:: /_static/images/en-us_image_0000001212095651.png diff --git a/umn/source/faqs/protection_rule_configuration/precise_protection_rules/can_a_precise_protection_rule_take_effect_in_a_specified_period.rst b/umn/source/faqs/protection_rule_configuration/precise_protection_rules/can_a_precise_protection_rule_take_effect_in_a_specified_period.rst new file mode 100644 index 0000000..f8f899c --- /dev/null +++ b/umn/source/faqs/protection_rule_configuration/precise_protection_rules/can_a_precise_protection_rule_take_effect_in_a_specified_period.rst @@ -0,0 +1,10 @@ +:original_name: waf_01_0217.html + +.. _waf_01_0217: + +Can a Precise Protection Rule Take Effect in a Specified Period? +================================================================ + +WAF does not allow precise protection access rules to take effect in a specified period. + +You can set precise protection rules to filter access requests based on a combination of common HTTP fields (such as IP address, path, referer, user agent, and params) to allow or block the requests that match the conditions. diff --git a/umn/source/faqs/protection_rule_configuration/precise_protection_rules/index.rst b/umn/source/faqs/protection_rule_configuration/precise_protection_rules/index.rst new file mode 100644 index 0000000..9e0ecc7 --- /dev/null +++ b/umn/source/faqs/protection_rule_configuration/precise_protection_rules/index.rst 
@@ -0,0 +1,14 @@ +:original_name: waf_01_0306.html + +.. _waf_01_0306: + +Precise Protection rules +======================== + +- :ref:`Can a Precise Protection Rule Take Effect in a Specified Period? ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + can_a_precise_protection_rule_take_effect_in_a_specified_period diff --git a/umn/source/faqs/service_interruption_check/how_do_i_solve_the_problem_of_excessive_redirection_times.rst b/umn/source/faqs/service_interruption_check/how_do_i_solve_the_problem_of_excessive_redirection_times.rst new file mode 100644 index 0000000..a335116 --- /dev/null +++ b/umn/source/faqs/service_interruption_check/how_do_i_solve_the_problem_of_excessive_redirection_times.rst @@ -0,0 +1,8 @@ +:original_name: waf_01_0117.html + +.. _waf_01_0117: + +How Do I Solve the Problem of Excessive Redirection Times? +========================================================== + +After a domain name is connected to WAF, if the system displays a message indicating that there are excessive redirection times when a user requests to access the target domain name, the possible cause is that you have configured forcible redirection from HTTP to HTTPS on the backend server and forwarding from HTTPS (client protocol) to HTTP (server protocol) is configured on WAF, WAF is forced to redirect user requests, causing an infinite loop. You can configure two pieces of server information about HTTP (client protocol) to HTTP (server protocol) and HTTPS (client protocol) to HTTPS (server protocol). diff --git a/umn/source/faqs/service_interruption_check/how_do_i_troubleshoot_404_502_504_errors.rst b/umn/source/faqs/service_interruption_check/how_do_i_troubleshoot_404_502_504_errors.rst index 71a1500..b983ec7 100644 --- a/umn/source/faqs/service_interruption_check/how_do_i_troubleshoot_404_502_504_errors.rst +++ b/umn/source/faqs/service_interruption_check/how_do_i_troubleshoot_404_502_504_errors.rst 
@@ -107,7 +107,7 @@ The possible causes are as follows: #. To handle large-scale service increase, use method 1 or method 2 to perform the processing. - **Method 1**: Add a backend server group to the ELB. + **Method 1**: Add a backend server group to the ELB load balancer. **Method 2**: Create an ELB. Use the EIP of ELB as the IP address of the server to connect to WAF. diff --git a/umn/source/faqs/service_interruption_check/index.rst b/umn/source/faqs/service_interruption_check/index.rst index 7e43078..5149f2d 100644 --- a/umn/source/faqs/service_interruption_check/index.rst +++ b/umn/source/faqs/service_interruption_check/index.rst @@ -6,12 +6,18 @@ Service Interruption Check ========================== - :ref:`How Do I Troubleshoot 404/502/504 Errors? ` +- :ref:`Why Is My Domain Name or IP Address Inaccessible? ` - :ref:`How Do I Handle False Alarms as WAF Blocks Normal Requests to My Website? ` +- :ref:`Why Does WAF Block Normal Requests as Invalid Requests? ` - :ref:`What Is the Connection Timeout Duration of WAF? Can I Manually Set the Timeout Duration? ` +- :ref:`How Do I Solve the Problem of Excessive Redirection Times? ` - :ref:`Why Are HTTPS Requests Denied on Some Mobile Phones? ` - :ref:`How Do I Fix an Incomplete Certificate Chain? ` - :ref:`Why Does My Certificate Not Match the Key? ` - :ref:`Why Am I Seeing Error Code 418? ` +- :ref:`Why Am I Seeing Error Code 523? ` +- :ref:`Why Does the Website Login Page Continuously Refreshed After a Domain Name Is Connected to WAF? ` +- :ref:`Why Does the Requested Page Respond Slowly After the HTTP Forwarding Policy Is Configured? ` - :ref:`How Can I Upload Files After the Website Is Connected to WAF? ` .. toctree:: 
@@ -19,10 +25,16 @@ Service Interruption Check :hidden: how_do_i_troubleshoot_404_502_504_errors + why_is_my_domain_name_or_ip_address_inaccessible how_do_i_handle_false_alarms_as_waf_blocks_normal_requests_to_my_website + why_does_waf_block_normal_requests_as_invalid_requests what_is_the_connection_timeout_duration_of_waf_can_i_manually_set_the_timeout_duration + how_do_i_solve_the_problem_of_excessive_redirection_times why_are_https_requests_denied_on_some_mobile_phones how_do_i_fix_an_incomplete_certificate_chain why_does_my_certificate_not_match_the_key why_am_i_seeing_error_code_418 + why_am_i_seeing_error_code_523 + why_does_the_website_login_page_continuously_refreshed_after_a_domain_name_is_connected_to_waf + why_does_the_requested_page_respond_slowly_after_the_http_forwarding_policy_is_configured how_can_i_upload_files_after_the_website_is_connected_to_waf diff --git a/umn/source/faqs/service_interruption_check/what_is_the_connection_timeout_duration_of_waf_can_i_manually_set_the_timeout_duration.rst b/umn/source/faqs/service_interruption_check/what_is_the_connection_timeout_duration_of_waf_can_i_manually_set_the_timeout_duration.rst index 38804b8..05b5da4 100644 --- a/umn/source/faqs/service_interruption_check/what_is_the_connection_timeout_duration_of_waf_can_i_manually_set_the_timeout_duration.rst +++ b/umn/source/faqs/service_interruption_check/what_is_the_connection_timeout_duration_of_waf_can_i_manually_set_the_timeout_duration.rst 
@@ -11,5 +11,5 @@ What Is the Connection Timeout Duration of WAF? Can I Manually Set the Timeout D On the **Basic Information** page, enable **Timeout Settings** and click |image1|. Then, specify **WAF-to-Server connection timeout (s)**, **Read timeout (s)**, and **Write timeout (s)** and click |image2| to save settings. -.. |image1| image:: /_static/images/en-us_image_0000001238531606.png +.. |image1| image:: /_static/images/en-us_image_0000001238212390.png .. |image2| image:: /_static/images/en-us_image_0000001238212390.png diff --git a/umn/source/faqs/service_interruption_check/why_am_i_seeing_error_code_523.rst b/umn/source/faqs/service_interruption_check/why_am_i_seeing_error_code_523.rst new file mode 100644 index 0000000..c561f50 --- /dev/null +++ b/umn/source/faqs/service_interruption_check/why_am_i_seeing_error_code_523.rst @@ -0,0 +1,20 @@ +:original_name: waf_01_0199.html + +.. _waf_01_0199: + +Why Am I Seeing Error Code 523? +=============================== + +If a request passes through WAF twice, WAF blocks the request to prevent an infinite loop. In this case, error 523 is displayed when you access the domain name protected by WAF. + +Use the following methods to resolve the issue: + +- Direct the request to the internal DNS server so that the request can bypass the public network. + +- Configure the hosts file of the origin server. + + The following uses the Windows operating system as an example. + + #. Use a text editor to open the **hosts** file. Generally, the **hosts** file is stored in the **C:\\Windows\\System32\\drivers\\etc\\** directory. + #. Add a record about the IP address of the origin server to the hosts file. + #. Save the modification and exit. 
diff --git a/umn/source/faqs/service_interruption_check/why_does_the_requested_page_respond_slowly_after_the_http_forwarding_policy_is_configured.rst b/umn/source/faqs/service_interruption_check/why_does_the_requested_page_respond_slowly_after_the_http_forwarding_policy_is_configured.rst new file mode 100644 index 0000000..9b12d6c --- /dev/null +++ b/umn/source/faqs/service_interruption_check/why_does_the_requested_page_respond_slowly_after_the_http_forwarding_policy_is_configured.rst @@ -0,0 +1,10 @@ +:original_name: waf_01_0201.html + +.. _waf_01_0201: + +Why Does the Requested Page Respond Slowly After the HTTP Forwarding Policy Is Configured? +========================================================================================== + +In this case, add two forwarding policies. One is HTTP to HTTP forwarding, and the other is HTTPS to HTTPS forwarding. + +For details about how to configure a forwarding rule, see :ref:`How Do I Solve the Problem of Excessive Redirection Times? ` diff --git a/umn/source/faqs/service_interruption_check/why_does_the_website_login_page_continuously_refreshed_after_a_domain_name_is_connected_to_waf.rst b/umn/source/faqs/service_interruption_check/why_does_the_website_login_page_continuously_refreshed_after_a_domain_name_is_connected_to_waf.rst new file mode 100644 index 0000000..90a2225 --- /dev/null +++ b/umn/source/faqs/service_interruption_check/why_does_the_website_login_page_continuously_refreshed_after_a_domain_name_is_connected_to_waf.rst 
@@ -0,0 +1,8 @@ +:original_name: waf_01_0200.html + +.. _waf_01_0200: + +Why Does the Website Login Page Continuously Refreshed After a Domain Name Is Connected to WAF? +=============================================================================================== + +After you connect the domain name of your website to WAF, all website requests are forwarded to WAF first. Then, WAF forwards only the normal traffic to the origin server. For each request from the client, WAF generates an identifier based on the access IP address and user agent. WAF has multiple back-to-source IP addresses that will be randomly allocated. When the back-to-source-IP address changes, the identifier of the request changes accordingly. As a result, the session is directly deleted by WAF, and the login page keeps refreshing. To avoid this problem, you are advised to use session cookies to keep session persistent. diff --git a/umn/source/faqs/service_interruption_check/why_does_waf_block_normal_requests_as_invalid_requests.rst b/umn/source/faqs/service_interruption_check/why_does_waf_block_normal_requests_as_invalid_requests.rst new file mode 100644 index 0000000..c0c4a60 --- /dev/null +++ b/umn/source/faqs/service_interruption_check/why_does_waf_block_normal_requests_as_invalid_requests.rst 
@@ -0,0 +1,31 @@ +:original_name: waf_01_0335.html + +.. _waf_01_0335: + +Why Does WAF Block Normal Requests as Invalid Requests? +======================================================= + +Symptom +------- + +After a website is connected to WAF, a normal access request is blocked by WAF. On the **Events** page, the corresponding **Event Type** reads **Invalid request**, and the **Handle False Alarm** button is grayed out, as shown in :ref:`Figure 1 `. + +.. _waf_01_0335__fig18471757872: + +.. figure:: /_static/images/en-us_image_0000001162278415.png + :alt: **Figure 1** Normal requests blocked by WAF as invalid requests + + **Figure 1** Normal requests blocked by WAF as invalid requests + +Possible Cause +-------------- + +If either of the following numbers in an access request exceeds 512, WAF blocks the access request as an invalid request: + +- Number of parameters in a form when **form-data** is used for POST or PUT requests +- Number of URI parameters + +Solution +-------- + +If you confirm that the blocked request is a normal request, allow it by referring to :ref:`Configuring a Precise Protection Rule `. diff --git a/umn/source/faqs/service_interruption_check/why_is_my_domain_name_or_ip_address_inaccessible.rst b/umn/source/faqs/service_interruption_check/why_is_my_domain_name_or_ip_address_inaccessible.rst new file mode 100644 index 0000000..be572b0 --- /dev/null +++ b/umn/source/faqs/service_interruption_check/why_is_my_domain_name_or_ip_address_inaccessible.rst 
@@ -0,0 +1,63 @@ +:original_name: waf_01_0278.html + +.. _waf_01_0278: + +Why Is My Domain Name or IP Address Inaccessible? +================================================= + +Symptoms +-------- + +If **Access Progress/Status** for a website you have added to WAF is **Inaccessible**, the connection between WAF and the website domain name or IP address fails to be established. + + +.. figure:: /_static/images/en-us_image_0000001345493078.png + :alt: **Figure 1** Website list + + **Figure 1** Website list + +.. important:: + + WAF automatically checks the access status of protected websites every hour. If WAF detects that a protected website has received 20 access requests within 5 minutes, it considers that the website has been successfully connected to WAF. + +Troubleshooting and Solutions for WAF Instances +----------------------------------------------- + +Refer to :ref:`Figure 2 ` and :ref:`Table 1 ` to fix connection failures. + +.. _waf_01_0278__fig1680743491611: + +.. figure:: /_static/images/en-us_image_0000001119487028.png + :alt: **Figure 2** Troubleshooting for dedicated mode + + **Figure 2** Troubleshooting for dedicated mode + +.. _waf_01_0278__table439923118137: + +.. 
table:: **Table 1** Solutions for dedicated mode + + +---------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Possible Cause | Solution | + +=========================================================================================================================================================+=============================================================================================================================================================================+ + | Cause 1: **Access Status** for **Domain Name/IP Address** not updated | In the **Access Status** column for the website, click |image1| to update the status. | + +---------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Cause 2: Website access traffic not enough for WAF to consider the website accessible | #. Access the protected website many times within 1 minute. | + | | #. In the **Access Status** column for the website, click |image2| to update the status. | + | .. important:: | | + | | | + | NOTICE: | | + | After you connect a website to WAF, the website is considered accessible only when WAF detects at least 20 requests to the website within 5 minutes. 
| | + +---------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Cause 3: Incorrect domain name or IP address settings | Check domain name or IP address settings. | + | | | + | | If there are incorrect settings for the domain name or IP address, remove this domain name or IP address from WAF and add it to WAF again. | + +---------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Cause 4: No load balancer configured for the dedicated WAF instance or no EIP bound to the load balancer configured for the dedicated WAF instance | #. Configure a load balancer for dedicated WAF instances by referring to :ref:`Configuring a Load Balancer `. | + | | #. :ref:`Bind an EIP to a Load Balancer `. | + +---------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Cause 5: Incorrect load balancer configured or incorrect EIP bound to the load balancer | - After you :ref:`configure a load balancer `, ensure that **Health Check Result** for the dedicated WAF instances added to the load balancer is **Healthy**. | + | | - After you :ref:`bind an EIP to the load balancer `, check the EIP status. 
| + +---------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +.. |image1| image:: /_static/images/en-us_image_0000001497159614.png +.. |image2| image:: /_static/images/en-us_image_0000001547599721.png diff --git a/umn/source/faqs/website_domain_name_access_configuration/certificate_management/do_i_need_to_import_the_certificates_that_have_been_uploaded_to_elb_to_waf.rst b/umn/source/faqs/website_domain_name_access_configuration/certificate_management/do_i_need_to_import_the_certificates_that_have_been_uploaded_to_elb_to_waf.rst new file mode 100644 index 0000000..3809334 --- /dev/null +++ b/umn/source/faqs/website_domain_name_access_configuration/certificate_management/do_i_need_to_import_the_certificates_that_have_been_uploaded_to_elb_to_waf.rst @@ -0,0 +1,8 @@ +:original_name: waf_01_0234.html + +.. _waf_01_0234: + +Do I Need to Import the Certificates That Have Been Uploaded to ELB to WAF? +=========================================================================== + +You can select a created certificate or import a new certificate. You need to import the certificate that has been uploaded to ELB to WAF. diff --git a/umn/source/faqs/website_domain_name_access_configuration/certificate_management/index.rst b/umn/source/faqs/website_domain_name_access_configuration/certificate_management/index.rst index ece28b8..aa5cbf9 100644 --- a/umn/source/faqs/website_domain_name_access_configuration/certificate_management/index.rst +++ b/umn/source/faqs/website_domain_name_access_configuration/certificate_management/index.rst 
@@ -6,6 +6,7 @@ Certificate Management ====================== - :ref:`How Do I Select a Certificate When Configuring a Wildcard Domain Name? ` +- :ref:`Do I Need to Import the Certificates That Have Been Uploaded to ELB to WAF? ` - :ref:`How Do I Convert a Certificate into PEM Format? ` .. toctree:: @@ -13,4 +14,5 @@ Certificate Management :hidden: how_do_i_select_a_certificate_when_configuring_a_wildcard_domain_name + do_i_need_to_import_the_certificates_that_have_been_uploaded_to_elb_to_waf how_do_i_convert_a_certificate_into_pem_format diff --git a/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/can_i_change_the_domain_name_that_has_been_added_to_waf.rst b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/can_i_change_the_domain_name_that_has_been_added_to_waf.rst new file mode 100644 index 0000000..aa7e5e7 --- /dev/null +++ b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/can_i_change_the_domain_name_that_has_been_added_to_waf.rst @@ -0,0 +1,8 @@ +:original_name: waf_01_0232.html + +.. _waf_01_0232: + +Can I Change the Domain Name That Has Been Added to WAF? +======================================================== + +After a domain name is added to WAF, you cannot change its name. If you want to change the protected domain name, you are advised to delete the original one and add the domain name you want to protect. diff --git a/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/can_waf_protect_multiple_domain_names_that_point_to_the_same_origin_server.rst b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/can_waf_protect_multiple_domain_names_that_point_to_the_same_origin_server.rst new file mode 100644 index 0000000..e59cb56 --- /dev/null 
+++ b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/can_waf_protect_multiple_domain_names_that_point_to_the_same_origin_server.rst @@ -0,0 +1,10 @@ +:original_name: waf_01_0275.html + +.. _waf_01_0275: + +Can WAF Protect Multiple Domain Names That Point to the Same Origin Server? +=========================================================================== + +Yes. If there are multiple domain names pointing to the same origin server, you can connect these domain names to WAF for protection. + +WAF protects domain names or IP addresses. If multiple domain names use the same EIP to provide services, all these domain names must be connected to WAF. diff --git a/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/do_i_have_to_configure_the_same_port_as_that_of_the_origin_server_when_adding_a_domain_name_to_waf.rst b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/do_i_have_to_configure_the_same_port_as_that_of_the_origin_server_when_adding_a_domain_name_to_waf.rst new file mode 100644 index 0000000..7a9f7f3 --- /dev/null +++ b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/do_i_have_to_configure_the_same_port_as_that_of_the_origin_server_when_adding_a_domain_name_to_waf.rst 
@@ -0,0 +1,11 @@ +:original_name: waf_01_0279.html + +.. _waf_01_0279: + +Do I Have to Configure the Same Port as That of the Origin Server When Adding a Domain Name to WAF? +=================================================================================================== + +No. When you add a domain name to WAF, configure the server port to the port of the protected website. The origin server port is the service port used by WAF to forward your website requests. More details about port configuration are described as follows: + +- If **Client Protocol** is **HTTP**, WAF protects services on the standard port 80 by default. If **Client Protocol** is **HTTPS**, WAF protects services on the standard port 443 by default. +- To configure a port other than ports 80 and 443, select a non-standard port from the **Protected Port** drop-down list. diff --git a/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/how_do_i_add_a_domain_name_ip_address_to_waf.rst b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/how_do_i_add_a_domain_name_ip_address_to_waf.rst index de644ff..81898e3 100644 --- a/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/how_do_i_add_a_domain_name_ip_address_to_waf.rst +++ b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/how_do_i_add_a_domain_name_ip_address_to_waf.rst 
@@ -6,3 +6,23 @@ How Do I Add a Domain Name/IP Address to WAF? ============================================= After you connect a domain name or IP address of the website you want to protect to WAF, WAF works as a reverse proxy between the client and the server. The real IP address of the server is hidden and only the IP address of WAF is visible to web visitors. For details, see :ref:`Step 1: Add a Website to WAF `. + +.. important:: + + - You can enter a multi-level single domain name (for example, top-level domain name example.com or second-level domain name www.example.com) or a wildcard domain name (``*``.example.com). The processes of connecting domain names to different WAF instance types are the same. + + - If the server IP address of each subdomain name is the same, enter a wildcard domain name. For example, if the subdomain names **a.example.com**, **b.example.com**, and **c.example.com** have the same server IP address, you can add the wildcard domain name **\*.example.com** to WAF to protect all three. + - If the server IP addresses of subdomain names are different, add subdomain names as single domain names one by one. + + - Each combination of a domain name and a non-standard port is counted towards the domain name quota of the WAF edition you are using. For example, www.example.com:8080 and www.example.com:8081 use two domain names of the quota. If you want to protect web services over multiple ports with the same domain name, add the domain name and each port to WAF. + +The following figure shows the process of connecting a website to WAF in each mode. + + +.. figure:: /_static/images/en-us_image_0000001171626489.png + :alt: **Figure 1** Process of connecting a website to a dedicated WAF instance + + **Figure 1** Process of connecting a website to a dedicated WAF instance + +- If **Access Status** for protected website is **Inaccessible**, rectify the fault by referring to :ref:`Why Is My Domain Name or IP Address Inaccessible? 
` +- If your website becomes inaccessible after it is connected to WAF, rectify the issue by referring to :ref:`How Do I Troubleshoot 404/502/504 Errors? ` diff --git a/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/how_do_i_configure_domain_names_to_be_protected_when_adding_domain_names.rst b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/how_do_i_configure_domain_names_to_be_protected_when_adding_domain_names.rst index e6ae38d..ebc4001 100644 --- a/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/how_do_i_configure_domain_names_to_be_protected_when_adding_domain_names.rst +++ b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/how_do_i_configure_domain_names_to_be_protected_when_adding_domain_names.rst 
@@ -35,7 +35,7 @@ Selecting a Domain Name Type WAF supports single domain names and wildcard domain names. -The domain name purchased from the DNS service provider is a single domain name (example.com). The domain name added to WAF can be example.com, a subdomain name (for example, a.xample.com), or wildcard domain name (``*``.example.com). You can select a domain name type based on the following scenarios: +The domain name purchased from the DNS service provider is a single domain name (example.com). The domain name added to WAF can be example.com, a subdomain name (for example, a.example.com), or wildcard domain name (``*``.example.com). You can select a domain name type based on the following scenarios: - If services of a domain name to be protected are the same, enter a single domain name. For example, if all the services of www.example.com to be protected are services on port 8080, set **Domain Name** to a single domain name **www.example.com**. - If the server IP address of each subdomain name is the same, enter a wildcard domain name to be protected. For example, if the server IP addresses corresponding to a.example.com, b.example.com, and c.example.com are the same, **Domain Name** can be set to a wildcard domain name **\*.example.com**. diff --git a/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/how_do_i_safely_delete_a_protected_domain_name.rst b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/how_do_i_safely_delete_a_protected_domain_name.rst index cf583e2..0d85926 100644 --- a/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/how_do_i_safely_delete_a_protected_domain_name.rst +++ b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/how_do_i_safely_delete_a_protected_domain_name.rst 
@@ -5,34 +5,7 @@ How Do I Safely Delete a Protected Domain Name? =============================================== -The deletion operation cannot be cancelled. Exercise caution when performing this operation. +To delete a website from WAF, see :ref:`Removing a Protected Website from WAF `. Before you start, get yourself familiar with the following precautions: -Procedure ---------- - -#. Log in to the management console. - -#. Click |image1| in the upper left corner of the management console and select a region or project. - -#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. - -#. In the navigation pane, choose **Website Settings**. - -#. In the row containing the website domain name you want to delete, click **Delete** in the **Operation** column. - -#. In the displayed confirmation dialog box, confirm the deletion. - - If you want to retain the policy applied to the domain name, select **Retain the policy of this domain name**. - - - .. figure:: /_static/images/en-us_image_0000001285577484.png - :alt: **Figure 1** Deleting a protected domain name from WAF - - **Figure 1** Deleting a protected domain name from WAF - -#. Click **OK**. - - If **Domain name deleted successfully** is displayed in the upper right corner, the domain name of the website was deleted. - -.. |image1| image:: /_static/images/en-us_image_0210924450.jpg -.. |image2| image:: /_static/images/en-us_image_0000001340304197.png +- Before removing a website from WAF, go to your DNS provider and resolve your domain name to the IP address of the origin server, or the traffic to your domain name cannot be routed to the origin server. +- It takes a while to remove a website from WAF, but once this action is started, it cannot be cancelled. Exercise caution when removing a website from WAF. 
diff --git a/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/how_do_i_use_a_dedicated_waf_instance_to_protect_non-standard_ports_that_are_not_supported_by_the_dedicated_instance.rst b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/how_do_i_use_a_dedicated_waf_instance_to_protect_non-standard_ports_that_are_not_supported_by_the_dedicated_instance.rst new file mode 100644 index 0000000..18da85b --- /dev/null +++ b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/how_do_i_use_a_dedicated_waf_instance_to_protect_non-standard_ports_that_are_not_supported_by_the_dedicated_instance.rst 
@@ -0,0 +1,52 @@ +:original_name: waf_01_0318.html + +.. _waf_01_0318: + +How Do I Use a Dedicated WAF Instance to Protect Non-Standard Ports That Are Not Supported by the Dedicated Instance? +===================================================================================================================== + +To use a dedicated WAF instance to protect a non-standard port that is not supported by dedicated instance, configure an ELB load balancer to distribute traffic to any non-standard port that is supported by the dedicated instance. For supported non-standard ports, see :ref:`Which Non-Standard Ports Does WAF Support? ` + +For example, a client sends requests over HTTP to the dedicated WAF instance, and you protect the website whose domain name is www.example.com:1234. The dedicated instance cannot protect non-standard port 1234. In this case, you can configure a load balancer to distribute traffic to any other non-standard port (for example, port 81) that can be protected by the dedicated instance. In this way, traffic designated to non-standard port 1234 will be checked by WAF. + +.. important:: + + To ensure that the configuration takes effect, a wildcard domain name corresponding to the protected domain name is recommended for the **Domain Name** field. For example, if you want to protect www.example.com:1234, set **Domain Name** to **\*.example.com**. + +Perform the following steps: + +#. Log in to the management console. +#. Add the domain name of the website you want to protect on the WAF console. + + a. Click |image1| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. + + b. .. _waf_01_0318__li57641239195811: + + In the upper left corner of the website list, click **Add Website**. 
On the displayed page, select **Dedicated mode**, enter the wildcard domain name **\*.example.com** corresponding to **www.example.com:1234** in the **Domain Name** text box, and select a port (for example, 81) from the **Protected Port** drop-down list. + + c. Select **Yes** for **Proxy** and click **OK**. + + d. Close the dialog box displayed. + + You can view the added websites in the protected website list. + +#. Configure a load balancer on the ELB console. + + a. Click |image2| in the upper left corner of the page and choose **Elastic Load Balance** under **Network** to go to the **Load Balancers** page. + b. Click the name of the load balancer you want in the **Name** column to go to the **Basic Information** page. + c. Locate the **IP as a Backend** row, enable the function. In the displayed dialog box, click **OK**. + d. Select the **Listeners** tab, click **Add Listener**, and configure the listener port to **1234**. + e. Click **Next: Configure Request Routing Policy**. + f. Click **Next: Add Backend Server**. Then, select the **IP as Backend Servers** tab. + g. Click **Add IP as Backend Server**. In the displayed dialog box, configure **Backend Server IP Address** and **Backend Port**. + + - **Backend Server IP Address**: Enter the IP address of the dedicated WAF engine, which you can obtain from the dedicated engine list. + - **Backend Port**: 81, which is the same as the non-standard port you selected in :ref:`2.b `. + + h. Click **OK**. + i. Click **Next: Confirm**, confirm the information, and click **Submit**. + +#. Unbind an elastic IP address (EIP) from the origin server and bind the EIP to the load balancer configured for the dedicated WAF instance. + +.. |image1| image:: /_static/images/en-us_image_0000001539348353.png +.. |image2| image:: /_static/images/en-us_image_0000001084031478.png 
diff --git a/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/index.rst b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/index.rst index c4c22be..252fe59 100644 --- a/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/index.rst +++ b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/index.rst @@ -6,9 +6,15 @@ Domain Name and Port Configuration ================================== - :ref:`How Do I Add a Domain Name/IP Address to WAF? ` +- :ref:`Which Non-Standard Ports Does WAF Support? ` +- :ref:`How Do I Use a Dedicated WAF Instance to Protect Non-Standard Ports That Are Not Supported by the Dedicated Instance? ` +- :ref:`Can WAF Protect Multiple Domain Names That Point to the Same Origin Server? ` - :ref:`How Do I Configure Domain Names to Be Protected When Adding Domain Names? ` +- :ref:`Do I Have to Configure the Same Port as That of the Origin Server When Adding a Domain Name to WAF? ` +- :ref:`What Can I Do If One of Ports on an Origin Server Does Not Require WAF Protection? ` - :ref:`What Data Is Required for Connecting a Domain Name/IP Address to WAF? ` - :ref:`How Do I Safely Delete a Protected Domain Name? ` +- :ref:`Can I Change the Domain Name That Has Been Added to WAF? ` - :ref:`What Are the Precautions for Configuring Multiple Server Addresses for Backend Servers? ` - :ref:`Does WAF Support Wildcard Domain Names? ` 
@@ -17,8 +23,14 @@ Domain Name and Port Configuration :hidden: how_do_i_add_a_domain_name_ip_address_to_waf + which_non-standard_ports_does_waf_support + how_do_i_use_a_dedicated_waf_instance_to_protect_non-standard_ports_that_are_not_supported_by_the_dedicated_instance + can_waf_protect_multiple_domain_names_that_point_to_the_same_origin_server how_do_i_configure_domain_names_to_be_protected_when_adding_domain_names + do_i_have_to_configure_the_same_port_as_that_of_the_origin_server_when_adding_a_domain_name_to_waf + what_can_i_do_if_one_of_ports_on_an_origin_server_does_not_require_waf_protection what_data_is_required_for_connecting_a_domain_name_ip_address_to_waf how_do_i_safely_delete_a_protected_domain_name + can_i_change_the_domain_name_that_has_been_added_to_waf what_are_the_precautions_for_configuring_multiple_server_addresses_for_backend_servers does_waf_support_wildcard_domain_names diff --git a/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/what_can_i_do_if_one_of_ports_on_an_origin_server_does_not_require_waf_protection.rst b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/what_can_i_do_if_one_of_ports_on_an_origin_server_does_not_require_waf_protection.rst new file mode 100644 index 0000000..6ffd103 --- /dev/null +++ b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/what_can_i_do_if_one_of_ports_on_an_origin_server_does_not_require_waf_protection.rst 
@@ -0,0 +1,8 @@ +:original_name: waf_01_0225.html + +.. _waf_01_0225: + +What Can I Do If One of Ports on an Origin Server Does Not Require WAF Protection? +================================================================================== + +WAF protects your web application through its domain name and the corresponding service port. When you add a domain name to WAF, you specify the domain name and the port to be protected. After the website is connected to WAF, traffic will not be forwarded to WAF through other ports. diff --git a/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/which_non-standard_ports_does_waf_support.rst b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/which_non-standard_ports_does_waf_support.rst new file mode 100644 index 0000000..7b4e456 --- /dev/null +++ b/umn/source/faqs/website_domain_name_access_configuration/domain_name_and_port_configuration/which_non-standard_ports_does_waf_support.rst 
@@ -0,0 +1,27 @@ +:original_name: waf_01_0032.html + +.. _waf_01_0032: + +Which Non-Standard Ports Does WAF Support? +========================================== + +In addition to standard ports 80 and 443, WAF supports multiple non-standard ports. The non-standard ports vary depending on the edition and billing mode you select. + +Each combination of a domain name and a non-standard port is counted towards the domain name quota of the WAF edition you are using. For example, www.example.com:8080 and www.example.com:8081 use two domain names of the quota. If you want to protect web services over multiple ports with the same domain name, add the domain name and each port to WAF. + +Ports Supported by WAF +---------------------- + +:ref:`Table 1 ` lists the ports that can be protected by WAF. + +.. _waf_01_0032__table9589104616288: + +.. table:: **Table 1** Ports supported by WAF + + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------+------------+ + | Port Category | HTTP Protocol | HTTPS Protocol | Port Limit | + +===================================+===========================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+========================================================================================================================================================================================================+============+ + | Standard ports | 80 | 443 | Unlimited | + 
+-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+ + | Non-standard ports (182 in total) | 9945, 9770, 81, 82, 83, 84, 88, 89, 800, 808, 1000, 1090, 3128, 3333, 3501, 3601, 4444, 5000, 5222, 5555, 5601, 6001, 6666, 6788, 6789, 6842, 6868, 7000, 7001, 7002, 7003, 7004, 7005, 7006, 7009, 7010, 7011, 7012, 7013, 7014, 7015, 7016, 7018, 7019, 7020, 7021, 7022, 7023, 7024, 7025, 7026, 7070, 7081, 7082, 7083, 7088, 7097, 7777, 7800, 7979, 8000, 8001, 8002, 8003, 8008, 8009, 8010, 8020, 8021, 8022, 8025, 8026, 8077, 8078, 8080, 8085, 8086, 8087, 8088, 8089, 8090, 8091, 8092, 8093, 8094, 8095, 8096, 8097, 8098, 8106, 8118, 8181, 8334, 8336, 8800, 8686, 8888, 8889, 8989, 8999, 9000, 9001, 9002, 9003, 9080, 9200, 9802, 10000, 10001, 10080, 12601, 86, 9021, 9023, 9027, 9037, 9081, 9082, 9201, 9205, 9207, 9208, 9209, 9210, 9211, 9212, 9213, 48800, 87, 97, 7510, 9180, 9898, 9908, 9916, 9918, 9919, 9928, 
9929, 9939, 28080, 33702, 8011, 8012, 8013, 8014, 8015, 8016, 8017, and 8070 | 8750, 8445, 18010, 4443, 5443, 6443, 7443, 8081, 8082, 8083, 8084, 8443, 8843, 9443, 8553, 8663, 9553, 9663, 18110, 18381, 18980, 28443, 18443, 8033, 18000, 19000, 7072, 7073, 8803, 8804, 8805, 9999 | Unlimited | + +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+ diff --git a/umn/source/index.rst b/umn/source/index.rst index d75e611..4e49620 100644 --- a/umn/source/index.rst +++ b/umn/source/index.rst @@ -14,10 +14,12 @@ Dedicated Web Application Firewall - User Guide rule_configuration/index dashboard event_management/index + enabling_lts_for_waf_logging policy_management/index dedicated_waf_engine_management - viewing_product_details + managing_projects_and_enterprise_projects permissions_management/index + key_operations_recorded_by_cts/index monitored_metrics faqs/index change_history 
diff --git a/umn/source/key_operations_recorded_by_cts/index.rst b/umn/source/key_operations_recorded_by_cts/index.rst new file mode 100644 index 0000000..67fe8b2 --- /dev/null +++ b/umn/source/key_operations_recorded_by_cts/index.rst @@ -0,0 +1,17 @@ +:original_name: waf_01_0058.html + +.. _waf_01_0058: + +Key Operations Recorded by CTS +============================== + +- :ref:`WAF Operations Recorded by CTS ` + CTS provides records of operations on WAF. With CTS, you can query, audit, and backtrack these operations. For details, see the *Cloud Trace Service User Guide*. +- :ref:`Viewing an Audit Trace ` + +.. toctree:: + :maxdepth: 1 + :hidden: + + waf_operations_recorded_by_cts + viewing_an_audit_trace diff --git a/umn/source/key_operations_recorded_by_cts/viewing_an_audit_trace.rst b/umn/source/key_operations_recorded_by_cts/viewing_an_audit_trace.rst new file mode 100644 index 0000000..ad6278a --- /dev/null +++ b/umn/source/key_operations_recorded_by_cts/viewing_an_audit_trace.rst 
@@ -0,0 +1,55 @@ +:original_name: waf_01_0060.html + +.. _waf_01_0060: + +Viewing an Audit Trace +====================== + +After you enable CTS, the system starts recording operations on WAF. Operation records for the last seven days can be viewed on the CTS console. + +Viewing WAF Logs on the CTS console +----------------------------------- + +#. Log in to the management console. + +#. Click |image1| in the upper left corner of the management console and select a region or project. + +#. Click |image2| in the upper left corner of the page. In the dialog box displayed on the right, choose **Management & Deployment** > **Cloud Trace Service**. + +#. Choose **Trace List** in the navigation pane. + +#. Click **Filter** and specify filtering criteria as needed. The following four filters are available: + + - **Trace Type**, **Trace Source**, **Resource Type**, and **Search By**. + + - Set **Trace Type** to **Management**. + - Set **Trace Source** to **WAF**. + - When you select **Resource ID** for **Search By**, you also need to enter a resource ID. + + - **Operator**: Select a specific operator (a user other than tenant). + - **Trace Status**: Available options include **All trace statuses**, **normal**, **warning**, and **incident**. You can only select one of them. + - **Time Range**: In the upper right corner of the page, you can query traces in the last 1 hour, last 1 day, last 1 week, or within a customized period. + +#. Click **Query**. + +#. Click |image3| on the left of a trace to expand its details, as shown in :ref:`Figure 1 `. + + .. _waf_01_0060__fig512618236452: + + .. figure:: /_static/images/en-us_image_0216882896.png + :alt: **Figure 1** Expanding trace details + + **Figure 1** Expanding trace details + +#. Click **View Trace** in the **Operation** column. On the displayed **View Trace** dialog box shown in :ref:`Figure 2 `, the trace structure details are displayed. + + .. _waf_01_0060__fig111275233454: + + .. 
figure:: /_static/images/en-us_image_0110861334.jpg + :alt: **Figure 2** Viewing the trace + + **Figure 2** Viewing the trace + +.. |image1| image:: /_static/images/en-us_image_0000001538688185.jpg +.. |image2| image:: /_static/images/en-us_image_0000001538689725.png +.. |image3| image:: /_static/images/en-us_image_0210924459.png diff --git a/umn/source/key_operations_recorded_by_cts/waf_operations_recorded_by_cts.rst b/umn/source/key_operations_recorded_by_cts/waf_operations_recorded_by_cts.rst new file mode 100644 index 0000000..7fe72ee --- /dev/null +++ b/umn/source/key_operations_recorded_by_cts/waf_operations_recorded_by_cts.rst 
@@ -0,0 +1,74 @@ +:original_name: waf_01_0059.html + +.. _waf_01_0059: + +WAF Operations Recorded by CTS +============================== + +CTS provides records of operations on WAF. With CTS, you can query, audit, and backtrack these operations. For details, see the *Cloud Trace Service User Guide*. + +:ref:`Table 1 ` lists WAF operations recorded by CTS. + +.. _waf_01_0059__table5821116193525: + +.. table:: **Table 1** WAF operations that can be recorded by CTS + + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Operation | Resource Type | Trace Name | + +===============================================================================================+===============+=====================+ + | Creating a WAF instance | instance | createInstance | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Deleting a WAF instance | instance | deleteInstance | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Modifying a WAF instance | instance | alterInstanceName | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Modifying the protection status of a WAF instance | instance | modifyProtectStatus | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Modifying the connection status of a WAF instance | instance | modifyAccessStatus | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Creating a WAF policy | policy | createPolicy | + 
+-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Applying a WAF policy | policy | applyToHost | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Modifying a policy | policy | modifyPolicy | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Deleting a WAF policy | policy | deletePolicy | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Uploading a certificate | certificate | createCertificate | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Changing the name of a certificate | certificate | modifyCertificate | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Deleting a certificate | certificate | deleteCertificate | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Adding a CC attack protection rule | policy | createCc | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Modifying a CC attack protection rule | policy | modifyCc | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Deleting a CC attack protection rule | policy | deleteCc | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Adding a precise protection rule | policy | createCustom | + 
+-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Modifying a precise protection rule | policy | modifyCustom | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Deleting a precise protection rule | policy | deleteCustom | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Adding an IP address blacklist or whitelist rule | policy | createWhiteblackip | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Modifying an IP address blacklist or whitelist rule | policy | modifyWhiteblackip | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Deleting an IP address blacklist or whitelist rule | policy | deleteWhiteblackip | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Creating/updating a web tamper protection rule | policy | createAntitamper | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Deleting a web tamper protection rule | policy | deleteAntitamper | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Creating a global protection whitelist (formerly false alarm masking) rule | policy | createIgnore | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Deleting a false alarm maskingglobal protection whitelist (formerly false alarm masking) rule | policy | 
deleteIgnore | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Adding a data masking rule | policy | createPrivacy | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Modifying a data masking rule | policy | modifyPrivacy | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Deleting a data masking rule | policy | deletePrivacy | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ diff --git a/umn/source/managing_projects_and_enterprise_projects.rst b/umn/source/managing_projects_and_enterprise_projects.rst new file mode 100644 index 0000000..0b067f7 --- /dev/null +++ b/umn/source/managing_projects_and_enterprise_projects.rst 
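Review bot: In Table 1 of waf_operations_recorded_by_cts.rst, the deleteIgnore row reads "Deleting a false alarm maskingglobal protection whitelist (formerly false alarm masking) rule"; the old and new feature names have been run together. It should mirror the createIgnore row: "Deleting a global protection whitelist (formerly false alarm masking) rule". Since this table is what an auditor uses to map trace names to actions, it is also worth checking the row "Modifying a WAF instance", whose trace name is alterInstanceName: if the trace only covers renames, say so in the Operation column, as the certificate row ("Changing the name of a certificate") already does.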
@@ -0,0 +1,52 @@ +:original_name: waf_01_0317.html + +.. _waf_01_0317: + +Managing Projects and Enterprise Projects +========================================= + +Creating a Project and Assigning Permissions +-------------------------------------------- + +- Creating a project + + Log in to the management console, click the username in the upper right corner, and select **Identity and Access Management**. In the navigation pane on the left, choose **Projects**. In the right pane, click **Create Project**. On the displayed **Create Project** page, select a region and enter a project name. + +- Authorization + + You can assign permissions (of resources and operations) to user groups to associate projects with user groups. You can add users to a user group to control which projects they can access and what resources they can perform operations on. To do so, perform the following operations: + + #. On the **User Groups** page, locate the target user group and click **Permissions** in the **Operation** column. Then, select the required cloud resource permission sets for the project. + #. On the **Users** page, locate the target user and click **Modify** in the **Operation** column. In the **Users Group** area, add a user group for the user. + +Creating an Enterprise Project and Assigning Permissions +-------------------------------------------------------- + +- Creating an enterprise project + + On the management console, click **Enterprise** in the upper right corner to go to the **Enterprise Management** page. In the navigation pane on the left, choose ****Enterprise** Project Management**. Then, click **Create Enterprise Project** and enter a name. + + .. note:: + + **Enterprise** is available on the management console only if you have enabled the enterprise project, or you have an enterprise account. + +- Authorization + + You can add a user group to an enterprise project and configure a policy to associate the enterprise project with the user group. 
You can add users to a user group to control which projects they can access and what resources they can perform operations on. To do so, perform the following operations: + + #. Locate the row that contains the target enterprise project, click **More** > **View User Group** in the **Operation** column. Then, click **Add User Group**, select the user groups you want to add and move them to the right pane. Click **Next** and select the policies. + #. In the navigation pane on the left, choose **Personnel Management** > **User Management**. Locate the row that contains the target user, click **Add to User Group** in the **Operation** column. In the available user groups on the left pane, select the target ones and move them to the right pane. + +- Associating the resource with enterprise projects + + To use an enterprise project to manage cloud resources, associate resources with the enterprise project. + + - Associate a WAF instance with an enterprise project during purchase. + + On the page for buying WAF, select an enterprise project from the **Enterprise Project** drop-down list. + + - Add WAF instances to an enterprise project after a WAF instance is purchased. + + On the **Enterprise Project Management** page, add existing WAF instances purchased under your account to an enterprise project. + + Value **default** indicates the default enterprise project. Resources that are not allocated to any enterprise projects under your account are listed in the default enterprise project. diff --git a/umn/source/monitored_metrics.rst b/umn/source/monitored_metrics.rst index a02edb8..9cd67c6 100644 --- a/umn/source/monitored_metrics.rst +++ b/umn/source/monitored_metrics.rst 
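Review bot: In managing_projects_and_enterprise_projects.rst, under "Creating an enterprise project", the menu item is written as "****Enterprise** Project Management**". reStructuredText does not support nested strong markup, so this will render with stray asterisks. Write it as "**Enterprise Project Management**", which is how the same page refers to it further down ("On the **Enterprise Project Management** page"). The two "Authorization" items are the steps that decide who can change WAF configuration, so it would also help to state which permission sets or policies a WAF administrator needs rather than only "the required cloud resource permission sets".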
@@ -51,31 +51,31 @@ Metrics for Dedicated WAF Instances | | | | | | | | | | Collection mode: size of free disk space | | | | +-------------------------------+-----------------------------+------------------------------------------------------------------------------+-------------------+-------------------------+--------------------------------+ - | disk_read_bytes_rate | Disk Read Rate | Number of bytes the monitored object reads from the disk per second | >=0 byte/s | Dedicated WAF instances | 1 minute | + | disk_read_bytes_rate | Disk Read Rate | Number of bytes the monitored object reads from the disk per second | >= 0 byte/s | Dedicated WAF instances | 1 minute | | | | | | | | | | | Unit: byte/s, KB/s, MB/s, or GB/s | Value type: Float | | | | | | | | | | | | | Collection mode: number of bytes read from the disk per second | | | | +-------------------------------+-----------------------------+------------------------------------------------------------------------------+-------------------+-------------------------+--------------------------------+ - | disk_write_bytes_rate | Disk Write Rate | Number of bytes the monitored object writes into the disk per second | >=0 byte/s | Dedicated WAF instances | 1 minute | + | disk_write_bytes_rate | Disk Write Rate | Number of bytes the monitored object writes into the disk per second | >= 0 byte/s | Dedicated WAF instances | 1 minute | | | | | | | | | | | Unit: byte/s, KB/s, MB/s, or GB/s | Value type: Float | | | | | | | | | | | | | Collection mode: number of bytes written into the disk per second | | | | +-------------------------------+-----------------------------+------------------------------------------------------------------------------+-------------------+-------------------------+--------------------------------+ - | disk_read_requests_rate | Disk Read Requests | Number of requests the monitored object reads from the disk per second | >=0 request/s | Dedicated WAF instances | 1 minute | + | 
disk_read_requests_rate | Disk Read Requests | Number of requests the monitored object reads from the disk per second | >= 0 request/s | Dedicated WAF instances | 1 minute | | | | | | | | | | | Unit: Requests/s | Value type: Float | | | | | | | | | | | | | Collection mode: number of read requests processed by the disk per second | | | | +-------------------------------+-----------------------------+------------------------------------------------------------------------------+-------------------+-------------------------+--------------------------------+ - | disk_write_requests_rate | Disk Write Requests | Number of requests the monitored object writes into the disk per second | >=0 request/s | Dedicated WAF instances | 1 minute | + | disk_write_requests_rate | Disk Write Requests | Number of requests the monitored object writes into the disk per second | >= 0 request/s | Dedicated WAF instances | 1 minute | | | | | | | | | | | Unit: Requests/s | Value type: Float | | | | | | | | | | | | | Collection method: Number of write requests processed by the disk per second | | | | +-------------------------------+-----------------------------+------------------------------------------------------------------------------+-------------------+-------------------------+--------------------------------+ - | network_incoming_bytes_rate | Incoming Traffic | Incoming traffic per second on the monitored object | >=0 byte/s | Dedicated WAF instances | 1 minute | + | network_incoming_bytes_rate | Incoming Traffic | Incoming traffic per second on the monitored object | >= 0 byte/s | Dedicated WAF instances | 1 minute | | | | | | | | | | | Unit: | Value type: Float | | | | | | | | | | 
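Review bot: The value-range cells in this monitored_metrics.rst hunk are normalized to ">= 0", but the description cells of the same rows are left inconsistent: the disk byte-rate rows and disk_read_requests_rate use "Collection mode: number of ...", while disk_write_requests_rate uses "Collection method: Number of ...". The request rows also give the unit as "Requests/s" next to a range of "request/s". Since these rows are being touched anyway, pick one label and one unit spelling and apply them across the table.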
@@ -83,7 +83,7 @@ Metrics for Dedicated WAF Instances | | | | | | | | | | Collection method: Incoming traffic over the NIC per second | | | | +-------------------------------+-----------------------------+------------------------------------------------------------------------------+-------------------+-------------------------+--------------------------------+ - | network_outgoing_bytes_rate | Outgoing Traffic | Outgoing traffic per second on the monitored object | >=0 byte/s | Dedicated WAF instances | 1 minute | + | network_outgoing_bytes_rate | Outgoing Traffic | Outgoing traffic per second on the monitored object | >= 0 byte/s | Dedicated WAF instances | 1 minute | | | | | | | | | | | Unit: | Value type: Float | | | | | | | | | | @@ -91,7 +91,7 @@ Metrics for Dedicated WAF Instances | | | | | | | | | | Collection method: Outgoing traffic over the NIC per second | | | | +-------------------------------+-----------------------------+------------------------------------------------------------------------------+-------------------+-------------------------+--------------------------------+ - | network_incoming_packets_rate | Incoming Packet Rate | Incoming packets per second on the monitored object | >=0 packet/s | Dedicated WAF instances | 1 minute | + | network_incoming_packets_rate | Incoming Packet Rate | Incoming packets per second on the monitored object | >= 0 packet/s | Dedicated WAF instances | 1 minute | | | | | | | | | | | Unit: | Value type: Int | | | | | | | | | | 
@@ -99,7 +99,7 @@ Metrics for Dedicated WAF Instances | | | | | | | | | | Collection method: Incoming packets over the NIC per second | | | | +-------------------------------+-----------------------------+------------------------------------------------------------------------------+-------------------+-------------------------+--------------------------------+ - | network_outgoing_packets_rate | Outgoing Packet Rate | Outgoing packets per second on the monitored object | >=0 packet/s | Dedicated WAF instances | 1 minute | + | network_outgoing_packets_rate | Outgoing Packet Rate | Outgoing packets per second on the monitored object | >= 0 packet/s | Dedicated WAF instances | 1 minute | | | | | | | | | | | Unit: | Value type: Int | | | | | | | | | | diff --git a/umn/source/overview.rst b/umn/source/overview.rst index 75dfb7e..f0bc164 100644 --- a/umn/source/overview.rst +++ b/umn/source/overview.rst 
@@ -49,7 +49,7 @@ Sort out all website services you want to protect with WAF. This helps you learn | | | | | - Non-standard ports | | | | - | | Ports other than ports 80 and 443 For Non-standard ports supported by WAF, see :ref:`Non-Standard Ports `. | + | | Ports other than ports 80 and 443. For non-standard ports supported by WAF, see :ref:`Non-Standard Ports `. | +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Whether TLSv1.0 or weak encryption suite is supported | Check whether WAF supports the encryption suite used by your site. | +-------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ diff --git a/umn/source/permissions_management/waf_permissions_and_supported_actions.rst b/umn/source/permissions_management/waf_permissions_and_supported_actions.rst index 89cdfbc..7f78d63 100644 --- a/umn/source/permissions_management/waf_permissions_and_supported_actions.rst +++ b/umn/source/permissions_management/waf_permissions_and_supported_actions.rst 
@@ -138,3 +138,37 @@ WAF provides system-defined policies that can be directly used in IAM. You can a +----------------------------------------------------+----------------------------------+ | Querying protection policies | waf:policy:list | +----------------------------------------------------+----------------------------------+ +| Querying the WAF dedicated instances | waf:premiumInstance:list | ++----------------------------------------------------+----------------------------------+ +| Querying a WAF dedicated instance | waf:premiumInstance:get | ++----------------------------------------------------+----------------------------------+ +| Creating a WAF dedicated instance | waf:premiumInstance:create | ++----------------------------------------------------+----------------------------------+ +| Deleting a WAF dedicated instance | waf:premiumInstance:delete | ++----------------------------------------------------+----------------------------------+ +| Updating a WAF dedicated engine | waf:premiumInstance:put | ++----------------------------------------------------+----------------------------------+ +| Deletes the certificate | waf:certificate:delete | ++----------------------------------------------------+----------------------------------+ +| Deletes the postpaid | waf:postpaid:delete | ++----------------------------------------------------+----------------------------------+ +| Updates the ltsConfig | waf:ltsConfig:put | ++----------------------------------------------------+----------------------------------+ +| Updates the alertConfig | waf:alert:put | ++----------------------------------------------------+----------------------------------+ +| Creates the postpaid | waf:postpaid:create | ++----------------------------------------------------+----------------------------------+ +| Updates the valuelist | waf:valuelist:put | ++----------------------------------------------------+----------------------------------+ +| Queries all certificates | 
waf:certificate:list | ++----------------------------------------------------+----------------------------------+ +| Queries the ltsConfig | waf:ltsConfig:get | ++----------------------------------------------------+----------------------------------+ +| Queries the valuelist | waf:valuelist:get | ++----------------------------------------------------+----------------------------------+ +| Queries the cloud mode subscription | waf:subscription:get | ++----------------------------------------------------+----------------------------------+ +| Deletes the valuelist | waf:valuelist:delete | ++----------------------------------------------------+----------------------------------+ +| Queries the alertConfig | waf:alert:get | ++----------------------------------------------------+----------------------------------+ diff --git a/umn/source/policy_management/adding_rules_to_one_or_more_policies.rst b/umn/source/policy_management/adding_rules_to_one_or_more_policies.rst index 1f9f75b..947aaa8 100644 --- a/umn/source/policy_management/adding_rules_to_one_or_more_policies.rst +++ b/umn/source/policy_management/adding_rules_to_one_or_more_policies.rst @@ -7,6 +7,10 @@ Adding Rules to One or More Policies This topic describes how to add rules to one or more policies. +.. note:: + + If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the project from the **Enterprise Project** drop-down list and configure protection policies for the domain names in batches. + Prerequisites ------------- @@ -43,7 +47,7 @@ Procedure #. Set other parameters. - - To add a CC attack protection rule, see :ref:`Table 1 `. + - To add a CC attack protection rule, see :ref:`Table 1 `. - To add a precise protection rule, see :ref:`Table 1 `. - To add a blacklist or whitelist rule, see :ref:`Table 1 `. - To add a geolocation access control rule, see :ref:`Table 1 `. 
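Review bot: In waf_permissions_and_supported_actions.rst (hunk @@ -138,3 +138,37 @@), the added rows change style partway through. The first five follow the existing gerund form ("Querying the WAF dedicated instances"), but from "Deletes the certificate" onward the descriptions use third-person verbs and internal identifiers as nouns ("Deletes the postpaid", "Updates the ltsConfig", "Queries the valuelist", "Updates the alertConfig"). Someone writing a least-privilege custom policy cannot tell from "the postpaid" or "the valuelist" what the action grants. Please describe the resource in user-facing terms and keep the gerund form, for example "Deleting a certificate" for waf:certificate:delete. Also, waf:premiumInstance:put is described as "Updating a WAF dedicated engine" while the four rows above it say "dedicated instance"; use one term.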
@@ -61,5 +65,5 @@ Other Operations - To modify a rule, locate the row that contains the rule and click **Modify** in the **Operation** column. You can also select multiple rules and click **Modify** above the list to modify them all together. - To delete a rule, locate the row that contains the rule and click **Delete** in the **Operation** column. You can also select multiple rules and click **Delete** above the list to delete them all together. -.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image1| image:: /_static/images/en-us_image_0000001544453213.jpg .. |image2| image:: /_static/images/en-us_image_0000001340586225.png diff --git a/umn/source/policy_management/applying_a_policy_to_your_website.rst b/umn/source/policy_management/applying_a_policy_to_your_website.rst index d735b35..d8e9a34 100644 --- a/umn/source/policy_management/applying_a_policy_to_your_website.rst +++ b/umn/source/policy_management/applying_a_policy_to_your_website.rst @@ -31,14 +31,13 @@ Procedure **Figure 1** Adding a domain name to a policy -#. Select one or more domain names from the **Domain Name** drop-down list. :ref:`Figure 2 ` shows an example. +#. Select one or more domain names from the **Domain Name** drop-down list. .. important:: - A protected domain name can use only one policy, but one policy can be applied to multiple domain names. - To delete a policy that has been applied to domain names, add these domain names to other policies first. Then, click **Delete** in the **Operation** column of the policy you want to delete. - .. _waf_01_0075__fig8829399338: .. figure:: /_static/images/en-us_image_0000001286052290.png :alt: **Figure 2** Selecting one or more domain names @@ -47,5 +46,5 @@ Procedure #. Click **Confirm**. -.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image1| image:: /_static/images/en-us_image_0000001493652906.jpg .. |image2| image:: /_static/images/en-us_image_0000001340306901.png 
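Review bot: The |image1| substitution at the end of applying_a_policy_to_your_website.rst moves from the shared en-us_image_0210924450.jpg to en-us_image_0000001493652906.jpg, while the same substitution in adding_rules_to_one_or_more_policies.rst, creating_a_protection_policy.rst and adding_a_reference_table.rst each moves to a different new file (…1544453213, …1481959198, …1532745961). If these are all the same icon, reference a single image from every page instead of adding one binary per page; if they really differ, a short mention in the commit message would explain why one shared image became four.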
diff --git a/umn/source/policy_management/adding_a_policy.rst b/umn/source/policy_management/creating_a_protection_policy.rst similarity index 80% rename from umn/source/policy_management/adding_a_policy.rst rename to umn/source/policy_management/creating_a_protection_policy.rst index 119ffbc..9a1b039 100644 --- a/umn/source/policy_management/adding_a_policy.rst +++ b/umn/source/policy_management/creating_a_protection_policy.rst @@ -2,11 +2,15 @@ .. _waf_01_0074: -Adding a Policy -=============== +Creating a Protection Policy +============================ A policy is a combination of rules, such as basic web protection, blacklist, whitelist, and precise protection rules. A policy can be applied to multiple domain names, but only one policy can be used for a domain name. This topic describes how to add a policy to your WAF instance. +.. note:: + + If you have enabled enterprise projects, you can select your enterprise project from the **Enterprise Project** drop-down list and add protection policies in the project. + Prerequisites ------------- @@ -50,8 +54,8 @@ Other Operations ---------------- - To modify a policy name, click |image3| next to the policy name. In the dialog box displayed, enter a new policy name. -- To delete a rule, click **Delete** in the row containing the rule. +- To delete a rule, locate the row containing the rule. In the **Operation** column, click **Delete**. -.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image1| image:: /_static/images/en-us_image_0000001481959198.jpg .. |image2| image:: /_static/images/en-us_image_0000001288266902.png .. |image3| image:: /_static/images/en-us_image_0301168075.png diff --git a/umn/source/policy_management/index.rst b/umn/source/policy_management/index.rst index ff9ea1b..6d5ce57 100644 --- a/umn/source/policy_management/index.rst +++ b/umn/source/policy_management/index.rst 
@@ -5,7 +5,7 @@ Policy Management ================= -- :ref:`Adding a Policy ` +- :ref:`Creating a Protection Policy ` - :ref:`Adding Rules to One or More Policies ` - :ref:`Applying a Policy to Your Website ` @@ -13,6 +13,6 @@ Policy Management :maxdepth: 1 :hidden: - adding_a_policy + creating_a_protection_policy adding_rules_to_one_or_more_policies applying_a_policy_to_your_website diff --git a/umn/source/rule_configuration/adding_a_reference_table.rst b/umn/source/rule_configuration/adding_a_reference_table.rst index 6763e0e..de34111 100644 --- a/umn/source/rule_configuration/adding_a_reference_table.rst +++ b/umn/source/rule_configuration/adding_a_reference_table.rst @@ -7,6 +7,12 @@ Adding a Reference Table This topic describes how to create a reference table to batch configure protection metrics of a single type, such as **Path**, **User Agent**, **IP**, **Params**, **Cookie**, **Referer**, and **Header**. A reference table can be referenced by CC attack protection rules and precise protection rules. +New reference tables will be synchronized to CC attack protection rules and precise protection rules. When you configure a CC attack protection rule or precise protection rule, if the **Logic** field in the **Trigger** list is set to **Include any value**, **Exclude any value**, **Equal to any value**, **Not equal to any value**, **Prefix is any value**, **Prefix is not any value**, **Suffix is any value**, or **Suffix is not any value**, you can select an appropriate reference table from the **Content** drop-down list. + +.. note:: + + If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the project from the **Enterprise Project** drop-down list and configure protection policies for the domain names in the project. + Prerequisites ------------- 
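Review bot: The note added at the top of adding_a_reference_table.rst ends with "configure protection policies for the domain names in the project", which is carried over from the policy topics and does not describe what this page does; reword it for reference tables (for example, "... and add reference tables in the project"). In the same note, "the project where your WAF instance locates" should read "is located", here and in the matching note in adding_rules_to_one_or_more_policies.rst. "All operation permissions" is also vague for a prerequisite: name the role or policy the user needs, so that readers do not grant more than the task requires. The new paragraph listing eight **Logic** values in one sentence would be easier to scan as a bullet list.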
@@ -26,7 +32,7 @@ Procedure #. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. -#. In the navigation pane, choose **Website Settings**. +#. In the navigation pane on the left, choose **Website Settings**. #. In the **Policy** column of the row containing the target website, click the number to go to the policy configuration page. @@ -96,5 +102,5 @@ Other Operations - To modify a reference table, click **Modify** in the row containing the reference table. - To delete a reference table, click **Delete** in the row containing the reference table. -.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image1| image:: /_static/images/en-us_image_0000001532745961.jpg .. |image2| image:: /_static/images/en-us_image_0000001287946366.png diff --git a/umn/source/rule_configuration/configuration_guidance.rst b/umn/source/rule_configuration/configuration_guidance.rst index 7770173..7ab0794 100644 --- a/umn/source/rule_configuration/configuration_guidance.rst +++ b/umn/source/rule_configuration/configuration_guidance.rst 
@@ -60,12 +60,14 @@ This method is recommended when you have few domain name services or have differ +==================================================================+====================================================================================================================================================================================================================+====================================================================================================+ | Basic web protection rules | With an extensive reputation database, WAF defends against Open Web Application Security Project (OWASP) top 10 threats, and detects and blocks threats, such as malicious scanners, IP addresses, and web shells. | :ref:`Configuring Basic Web Protection Rules ` | +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------+ - | CC attack protection rules | CC attack protection rules can be customized to restrict access to a specific URL on your website based on a unique IP address, cookie, or referer field, mitigating CC attacks. | :ref:`Configuring a CC Attack Protection Rule ` | + | CC attack protection rules | CC attack protection rules can be customized to restrict access to a specific URL on your website based on a unique IP address, cookie, or referer field, mitigating CC attacks. 
| :ref:`Configuring a CC Attack Protection Rule ` | +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------+ | Precise protection rules | You can customize protection rules by combining HTTP headers, cookies, URLs, request parameters, and client IP addresses. | :ref:`Configuring a Precise Protection Rule ` | +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------+ | Blacklist and whitelist rules | You can configure blacklist and whitelist rules to block, log only, or allow access requests from specified IP addresses. | :ref:`Configuring an IP Address Blacklist or Whitelist Rule ` | +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------+ + | Known attack source rules | These rules can block the IP addresses from which blocked malicious requests originate. These rules are dependent on other rules. 
| :ref:`Configuring a Known Attack Source Rule ` | + +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------+ | Geolocation access control rules | You can customize these rules to allow or block requests from a specific country or region. | :ref:`Configuring a Geolocation Access Control Rule ` | +------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------+ | Web tamper protection rules | You can configure these rules to prevent a static web page from being tampered with. | :ref:`Configuring a Web Tamper Protection Rule ` | @@ -92,6 +94,6 @@ This method is recommended if you have many domain name services and require the - Procedure - #. Add a policy. For details, see :ref:`Adding a Policy `. + #. Add a policy. For details, see :ref:`Creating a Protection Policy `. #. Configure protection rules. For details, see :ref:`Adding Rules to One or More Policies `. #. Batch add multiple domain names to the policy. For details, see :ref:`Applying a Policy to Your Website `. diff --git a/umn/source/rule_configuration/configuring_a_cc_attack_protection_rule.rst b/umn/source/rule_configuration/configuring_a_cc_attack_protection_rule.rst index 91f909c..5c90f17 100644 --- a/umn/source/rule_configuration/configuring_a_cc_attack_protection_rule.rst +++ b/umn/source/rule_configuration/configuring_a_cc_attack_protection_rule.rst 
@@ -1,12 +1,16 @@ -:original_name: waf_01_0009.html +:original_name: waf_01_1209.html -.. _waf_01_0009: +.. _waf_01_1209: Configuring a CC Attack Protection Rule ======================================= You can customize a CC attack protection rule to restrict access to a specific URL on your website based on an IP address, cookie, or Referer, mitigating CC attacks. To make your custom CC attack protection rules take effect, ensure that you have enabled CC attack protection. +.. note:: + + If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the project from the **Enterprise Project** drop-down list and configure protection policies for the domain names in the project. + Prerequisites ------------- 
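Review bot: Renaming the target from `waf_01_0009` to `waf_01_1209` at the top of configuring_a_cc_attack_protection_rule.rst leaves unresolved any `:ref:` elsewhere in the tree that still names the old label. The in-file anchors are updated later in this patch (`waf_01_1209__fig172782071413`, `waf_01_1209__table1173915209149`, `waf_01_1209__li88102353919`), so search umn/source for remaining `waf_01_0009` references and confirm the Sphinx build reports no undefined labels before merging.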
@@ -18,10 +22,6 @@ Constraints - It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the **Events** page. - A reference table can be added to a CC attack protection rule. The reference table takes effect for all protected domain names. - A CC attack protection rule offers protective actions such as **Verification code** and **Block** for your choice. For example, you can configure a CC attack protection rule to block requests from a visit for 600 seconds by identifying their cookie (name field) if the visitor accessed a URL (for example, /admin*) of your website over 10 times within 60 seconds. -- The path in a CC attack protection rule must be set to a URL (excluding the domain name). This parameter allows prefix match and exact match. - - - Prefix match: A path ending with \* indicates that the path is used as a prefix. The \* can be used as a wildcard value. For example, to protect **/admin/test.php** or **/adminabc**, you can set **Path** to **/admin\***. - - Exact match: The path to be entered must be the same as the path to be protected. For example, to protect **/admin**, then **Path** must be set to **/admin**. Procedure --------- @@ -29,7 +29,7 @@ Procedure #. Log in to the management console. #. Click |image1| in the upper left corner of the management console and select a region or project. #. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. -#. In the navigation pane, choose **Website Settings**. +#. In the navigation pane on the left, choose **Website Settings**. 5. In the **Policy** column of the row containing the target website, click the number to go to the policy configuration page. 
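Review bot: The Constraints hunk (@@ -18,10 +22,6 @@) removes the prefix match and exact match explanation for **Path**, yet the bullet kept just above it still uses `/admin*` as its example, so the trailing `*` is now unexplained in this section. Keep a one-line pointer to wherever the wildcard is defined (for example the **Path** row of Table 1, if it covers this) or retain the two sub-bullets, because a misread of path matching leaves URLs outside the rule.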
@@ -43,18 +43,18 @@ Procedure 7. In the upper left corner of the **CC Attack Protection** page, click **Add Rule**. -8. In the displayed dialog box, configure a CC attack protection rule by referring to :ref:`Table 1 `. +8. In the displayed dialog box, configure a CC attack protection rule by referring to :ref:`Table 1 `. - If a visitor whose cookie is **name** accesses a page on your website where the address includes **/admin** at the end (for example, https://www.example.com/adminlogic) more than 10 times within 60 seconds, WAF blocks the requests from visitors of the same cookie **name** for 600s and returns the page configured for **Page Content**. :ref:`Figure 2 ` shows the configurations. + If a visitor whose cookie is **name** accesses a page on your website where the address includes **/admin** at the end (for example, https://www.example.com/adminlogic) more than 10 times within 60 seconds, WAF blocks the requests from visitors of the same cookie **name** for 600s and returns the page configured for **Page Content**. :ref:`Figure 2 ` shows the configurations. - .. _waf_01_0009__fig172782071413: + .. _waf_01_1209__fig172782071413: .. figure:: /_static/images/en-us_image_0000001285430612.png :alt: **Figure 2** Adding a CC attack protection rule **Figure 2** Adding a CC attack protection rule - .. _waf_01_0009__table1173915209149: + .. _waf_01_1209__table1173915209149: .. table:: **Table 1** Rule parameters @@ -166,12 +166,6 @@ Procedure 9. Click **Confirm**. You can then view the added CC attack protection rule in the CC rule list. - - .. figure:: /_static/images/en-us_image_0000001396154617.png - :alt: **Figure 3** CC rule list - - **Figure 3** CC rule list - - To disable a rule, click **Disable** in the **Operation** column of the rule. The default **Rule Status** is **Enabled**. - To modify a rule, click **Modify** in the row containing the rule. - To delete a rule, click **Delete** in the row containing the rule. 
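Review bot: In the step 8 hunk (@@ -43,18 +43,18 @@), the re-added example sentence says the address "includes **/admin** at the end" but gives https://www.example.com/adminlogic, where /admin is a prefix rather than a suffix. Since the line is being touched anyway, reword it to match the rule shown in Figure 2 so readers do not misjudge which URLs the rule covers.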
@@ -179,14 +173,14 @@ Procedure Protection Effect ----------------- -If you have configured a CC attack protection rule for your domain name, with **Protective Action** set to **Block**, as shown in :ref:`Figure 2 `, to verify WAF is protecting your website (**www.example.com**) against the configured CC attack protection rule: +If you have configured a CC attack protection rule for your domain name, with **Protective Action** set to **Block**, as shown in :ref:`Figure 2 `, to verify WAF is protecting your website (**www.example.com**) against the configured CC attack protection rule: #. Clear the browser cache and enter the domain name in the address box of a browser to check whether the website is accessible. - If the website is inaccessible, connect the website domain name to WAF by following the instructions in :ref:`Step 1: Add a Website to WAF `. - - If the website is accessible, go to :ref:`Step 2 `. + - If the website is accessible, go to :ref:`Step 2 `. -#. .. _waf_01_0009__li88102353919: +#. .. _waf_01_1209__li88102353919: Clear the browser cache, enter **http://www.example.com/admin** in the address bar, and refresh the page 10 times within 60 seconds. In normal cases, the custom block page will be displayed the eleventh time you refresh the page, and the requested page will be accessible when you refresh the page 600 seconds later. 
@@ -196,6 +190,30 @@ If you have configured a CC attack protection rule for your domain name, with ** #. Return to the WAF console. In the navigation pane, choose **Events**. On the displayed page, view or :ref:`download events data `. -.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +Configuration Example - Verification Code +----------------------------------------- + +If domain name **www.example.com** has been connected to WAF, perform the following steps to verify that WAF CAPTCHA verification is enabled. + +#. Add a CC attack protection rule with **Protection Action** set to **Verification code**. + +#. Enable CC attack protection. + + + .. figure:: /_static/images/en-us_image_0000001285588948.png + :alt: **Figure 3** CC Attack Protection configuration area + + **Figure 3** CC Attack Protection configuration area + +#. Clear the browser cache and access http://www.example.com/admin/. + + If you access the page for 10 times within 60 seconds, a verification code is required when you attempt to access the page for the eleventh time. You need to enter the verification code to continue the access. + + |image4| + +#. Go to the WAF console. In the navigation pane on the left, choose **Events**. View the event on the **Events** page. + +.. |image1| image:: /_static/images/en-us_image_0000001493489874.jpg .. |image2| image:: /_static/images/en-us_image_0000001340585569.png .. |image3| image:: /_static/images/en-us_image_0000001191376107.jpg +.. |image4| image:: /_static/images/en-us_image_0000001224193241.jpg diff --git a/umn/source/rule_configuration/configuring_a_data_masking_rule.rst b/umn/source/rule_configuration/configuring_a_data_masking_rule.rst index b3c55a9..cf19dbc 100644 --- a/umn/source/rule_configuration/configuring_a_data_masking_rule.rst +++ b/umn/source/rule_configuration/configuring_a_data_masking_rule.rst 
@@ -15,7 +15,7 @@ A website has been added to WAF. Constraints ----------- -- It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the **Events** page. +It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the **Events** page. Impact on the System -------------------- @@ -31,7 +31,7 @@ Procedure #. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. -#. In the navigation pane, choose **Website Settings**. +#. In the navigation pane on the left, choose **Website Settings**. #. In the **Policy** column of the row containing the target website, click the number to go to the **Policies** page. @@ -111,11 +111,23 @@ To verify that WAF is protecting your domain name *www.example.com* against a da #. Enable data masking. + + .. figure:: /_static/images/en-us_image_0000001285661276.png + :alt: **Figure 4** Data Masking configuration area + + **Figure 4** Data Masking configuration area + #. In the navigation pane on the left, choose **Events**. #. In the row containing the event hit the rule, click **Details** in the **Operation** column and view the event details. Data in the **jsessionid** cookie field is masked. -.. |image1| image:: /_static/images/en-us_image_0210924450.jpg + + .. figure:: /_static/images/en-us_image_0000001226442037.png + :alt: **Figure 5** Viewing events - privacy data masking + + **Figure 5** Viewing events - privacy data masking + +.. |image1| image:: /_static/images/en-us_image_0000001481908812.jpg .. |image2| image:: /_static/images/en-us_image_0000001287946362.png diff --git a/umn/source/rule_configuration/configuring_a_geolocation_access_control_rule.rst b/umn/source/rule_configuration/configuring_a_geolocation_access_control_rule.rst index b59ec66..4dde8ab 100644 
--- a/umn/source/rule_configuration/configuring_a_geolocation_access_control_rule.rst +++ b/umn/source/rule_configuration/configuring_a_geolocation_access_control_rule.rst @@ -29,7 +29,7 @@ Procedure #. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. -#. In the navigation pane, choose **Website Settings**. +#. In the navigation pane on the left, choose **Website Settings**. #. In the **Policy** column of the row containing the target website, click the number to go to the **Policies** page. @@ -67,12 +67,6 @@ Procedure #. Click **Confirm**. You can then view the added rule in the list of the geolocation access control rules. - - .. figure:: /_static/images/en-us_image_0000001345013254.png - :alt: **Figure 3** List of geolocation access control rules - - **Figure 3** List of geolocation access control rules - - To disable a rule, click **Disable** in the **Operation** column of the rule. The default **Rule Status** is **Enabled**. - To modify a rule, click **Modify** in the row containing the rule. - To delete a rule, click **Delete** in the row containing the rule. @@ -95,5 +89,5 @@ To verify WAF is protecting your website (**www.example.com**) against a rule: #. Go to the WAF console. In the navigation pane on the left, choose **Events**. On the displayed page, view or :ref:`download events data `. -.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image1| image:: /_static/images/en-us_image_0000001482227824.jpg .. |image2| image:: /_static/images/en-us_image_0000001340306233.png diff --git a/umn/source/rule_configuration/configuring_a_global_protection_whitelist_formerly_false_alarm_masking_rule.rst b/umn/source/rule_configuration/configuring_a_global_protection_whitelist_formerly_false_alarm_masking_rule.rst index 729126d..86bbd37 100644 --- a/umn/source/rule_configuration/configuring_a_global_protection_whitelist_formerly_false_alarm_masking_rule.rst 
+++ b/umn/source/rule_configuration/configuring_a_global_protection_whitelist_formerly_false_alarm_masking_rule.rst @@ -20,6 +20,7 @@ A website has been added to WAF. Constraints ----------- +- If you select **All protection** for **Ignore WAF Protection**, all WAF rules do not take effect, and WAF allows all request traffic to the domain names in the rule. - If you select **Basic web protection** for **Ignore WAF Protection**, global protection whitelist (formerly false alarm masking) rules take effect only for events triggered against WAF built-in rules in **Basic Web Protection** and anti-crawler rules under **Feature Library**. - Basic web protection rules @@ -31,7 +32,7 @@ Constraints Feature-based anti-crawler identifies and blocks crawler behavior from search engines, scanners, script tools, and other crawlers. - It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the **Events** page. -- You can configure a global protection whitelist (formerly false alarm masking) rule by referring to :ref:`Handling False Alarms `. After handling a false alarm, you can view the rule in the rule list. +- You can configure a global protection whitelist (formerly false alarm masking) rule by referring to :ref:`Handling False Alarms `. After handling a false alarm, you can view the rule in the global protection whitelist (formerly false alarm masking) rule list. Procedure --------- @@ -42,7 +43,7 @@ Procedure #. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. -#. In the navigation pane, choose **Website Settings**. +#. In the navigation pane on the left, choose **Website Settings**. #. In the **Policy** column of the row containing the target website, click the number to go to the **Policies** page. 
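Review bot: The new first Constraints bullet (@@ -20,6 +20,7 @@) states that **All protection** turns off every WAF rule for the domain names in the rule, which deserves more weight than a plain list item. Consider an `.. important::` block, as used in the precise protection page, and rephrase "all WAF rules do not take effect" as "no WAF rules take effect".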
@@ -56,9 +57,8 @@ Procedure #. In the upper left corner of the **Global Protection Whitelist** page, click **Add Rule**. -#. Add a global whitelist rule by referring to :ref:`Table 1 `. :ref:`Figure 2 ` shows an example. +#. Add a global whitelist rule by referring to :ref:`Table 1 `. - .. _waf_01_0016__fig1658541018715: .. figure:: /_static/images/en-us_image_0000001326802772.png :alt: **Figure 2** Add Global Protection Whitelist Rule @@ -130,12 +130,6 @@ Procedure #. Click **OK**. - - .. figure:: /_static/images/en-us_image_0000001345013500.png - :alt: **Figure 3** Global protection whitelist (formerly false alarm masking) rules - - **Figure 3** Global protection whitelist (formerly false alarm masking) rules - Other Operations ---------------- @@ -143,5 +137,5 @@ Other Operations - To modify a global protection whitelist (formerly false alarm masking) rule, click **Modify** in the row containing the rule. - To delete a global protection whitelist (formerly false alarm masking) rule, click **Delete** in the row containing the rule. -.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image1| image:: /_static/images/en-us_image_0000001482228424.jpg .. |image2| image:: /_static/images/en-us_image_0000001288266226.png diff --git a/umn/source/rule_configuration/configuring_a_known_attack_source_rule.rst b/umn/source/rule_configuration/configuring_a_known_attack_source_rule.rst index 23de903..2f1b871 100644 --- a/umn/source/rule_configuration/configuring_a_known_attack_source_rule.rst +++ b/umn/source/rule_configuration/configuring_a_known_attack_source_rule.rst 
@@ -7,6 +7,10 @@ Configuring a Known Attack Source Rule If WAF blocks a malicious request by IP address, Cookie, or Params, you can configure a known attack source rule to let WAF automatically block all requests from the attack source for a blocking duration set in the known attack source rule. For example, if a blocked malicious request originates from an IP address and you set the blocking duration to 500 seconds, WAF will block the IP address for 500 seconds after the known attack source rule takes effect. +.. note:: + + If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the project from the **Enterprise Project** drop-down list and configure protection policies for the domain names in the project. + Prerequisites ------------- @@ -34,13 +38,12 @@ Procedure #. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. -#. In the navigation pane, choose **Website Settings**. +#. In the navigation pane on the left, choose **Website Settings**. #. In the **Policy** column of the row containing the target website, click the number to go to the policy configuration page. -#. In the **Known Attack Source** configuration area, change **Status** if needed and click **Customize Rule** to go to the **Known Attack Source** page. :ref:`Figure 1 ` shows an example. +#. In the **Known Attack Source** configuration area, change **Status** if needed and click **Customize Rule** to go to the **Known Attack Source** page. - .. _waf_01_0271__fig0358162863015: .. figure:: /_static/images/en-us_image_0000001338230701.png :alt: **Figure 1** Known Attack Source configuration 
@@ -49,9 +52,8 @@ Procedure #. In the upper left corner of the known attack source rules, click **Add Known Attack Source Rule**. -#. In the displayed dialog box, specify the parameters by referring to :ref:`Table 1 `. :ref:`Figure 2 ` shows an example. +#. In the displayed dialog box, specify the parameters by referring to :ref:`Table 1 `. - .. _waf_01_0271__fig16699125187: .. figure:: /_static/images/en-us_image_0000001285992940.png :alt: **Figure 2** Add Known Attack Source Rule 
@@ -84,17 +86,56 @@ Procedure #. Click **Confirm**. You can then view the added known attack source rule in the list. - - .. figure:: /_static/images/en-us_image_0000001395852973.png - :alt: **Figure 3** Known attack source rules - - **Figure 3** Known attack source rules - Other Operations ---------------- - To modify a rule, click **Modify** in row containing the rule. - To delete a rule, click **Delete** in the row containing the rule. -.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +Configuration Example - Blocking Known Attack Source Identified by Cookie +------------------------------------------------------------------------- + +Assume that domain name *www.example.com* has been connected to WAF and a visitor has sent one or more malicious requests through IP address *XXX.XXX.248.195*. You want to block access requests from this IP address and whose cookie is **jsessionid** for 10 minutes. Refer to the following steps to configure a rule and verify its effect. + +#. On the **Website Settings** page, click *www.example.com* to go to its basic information page. + +#. In the **Traffic Identifier** area, configure the cookie in the **Session Tag** field. + + + .. figure:: /_static/images/en-us_image_0000001284861820.png + :alt: **Figure 3** Traffic Identifier + + **Figure 3** Traffic Identifier + +#. Add a known attack source, select **Long-term Cookie blocking** for **Blocking Type**, and set block duration to 600 seconds. + + + .. figure:: /_static/images/en-us_image_0000001287754972.png + :alt: **Figure 4** Adding a Cookie-based known attack source rule + + **Figure 4** Adding a Cookie-based known attack source rule + +#. Enable the known attack source protection. + + + .. figure:: /_static/images/en-us_image_0000001338230701.png + :alt: **Figure 5** Known Attack Source configuration + + **Figure 5** Known Attack Source configuration + +#. Add a blacklist and whitelist rule to block *XXX.XXX.248.195*. 
Select **Long-term Cookie blocking** for **Known Attack Source**. + +#. Clear the browser cache and access http://www.example.com. + + When a request from IP address *XXX.XXX.248.195*, WAF blocks the access. When WAF detects that the cookie of the access request from the IP address is **jsessionid**, WAF blocks the access request for 10 minutes. + + + .. figure:: /_static/images/en-us_image_0000001286879252.png + :alt: **Figure 6** Block page + + **Figure 6** Block page + +#. Go to the WAF console. In the navigation pane on the left, choose **Events**. View the event on the **Events** page. + +.. |image1| image:: /_static/images/en-us_image_0000001482067792.jpg .. |image2| image:: /_static/images/en-us_image_0000001340665981.png diff --git a/umn/source/rule_configuration/configuring_a_precise_protection_rule.rst b/umn/source/rule_configuration/configuring_a_precise_protection_rule.rst index 05bf0b7..e1af177 100644 --- a/umn/source/rule_configuration/configuring_a_precise_protection_rule.rst +++ b/umn/source/rule_configuration/configuring_a_precise_protection_rule.rst 
@@ -11,11 +11,21 @@ You can combine common HTTP fields, such as **IP**, **Path**, **Referer**, **Use A reference table can be added to a precise protection rule. The reference table takes effect for all protected domain names. +.. note:: + + If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the project from the **Enterprise Project** drop-down list and configure protection policies for the domain names in the project. + Prerequisites ------------- A website has been added to WAF. +Constraints +----------- + +- It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the **Events** page. +- If you configure **Protective Action** to **Block** for a precise protection rule, you can configure a known attack source rule by referring to :ref:`Configuring a Known Attack Source Rule `. WAF will block requests matching the configured IP address, Cookie, or Params for a length of time configured as part of the rule. + Application Scenarios --------------------- @@ -30,7 +40,7 @@ Procedure #. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. -#. In the navigation pane, choose **Website Settings**. +#. In the navigation pane on the left, choose **Website Settings**. #. In the **Policy** column of the row containing the target website, click the number to go to the policy configuration page. @@ -42,7 +52,7 @@ Procedure **Figure 1** Precise Protection configuration area -#. On the **Precise Protection** page, set **Detection Mode**. :ref:`Figure 2 ` shows an example. +#. On the **Precise Protection** page, set **Detection Mode**. Two detection modes are available: 
@@ -50,7 +60,6 @@ Procedure - **Full Detection**: If a request matches a configured precise protection rule, WAF finishes its scan first and then blocks all requests that match the configured precise protection rule. - .. _waf_01_0010__fig1818193165213: .. figure:: /_static/images/en-us_image_0000001338129425.png :alt: **Figure 2** Setting Detection Mode @@ -93,12 +102,6 @@ Procedure | | | | | | - **Field** | | | | - **Subfield**: Configure this field only when **Params**, **Cookie**, or **Header** is selected for **Field**. | | - | | | | - | | .. important:: | | - | | | | - | | NOTICE: | | - | | The length of a subfield cannot exceed 2,048 bytes. Only digits, letters, underscores (_), and hyphens (-) are allowed. | | - | | | | | | - **Logic**: Select a logical relationship from the drop-down list. | | | | | | | | .. note:: | | 
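Review bot: The @@ -93,12 +102,6 @@ hunk drops the **Subfield** notice ("The length of a subfield cannot exceed 2,048 bytes. Only digits, letters, underscores (_), and hyphens (-) are allowed.") with no replacement in the visible changes to this file. If the console still enforces the limit, keep the notice or move it to the new Constraints section; if the limit was lifted, say so in the commit message.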
@@ -121,47 +124,47 @@ Procedure .. table:: **Table 2** Condition list configurations - +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ - | Field | Example Subfield | Logic | Example Content | - +==================================================================================================================================================================================================+==================+========================================================+===========================================================================================+ - | **Path**: Part of a URL that does not include a domain name. This value supports exact matches only. For example, if the path to be protected is **/admin**, **Path** must be set to **/admin**. | None | Select a logical relationship from the drop-down list. | **/buy/phone/** | - | | | | | - | | | | .. important:: | - | | | | | - | | | | NOTICE: | - | | | | If **Path** is set to **/**, all paths of the website are protected. | - +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ - | **User Agent**: A user agent of the scanner to be checked. 
| None | | **Mozilla/5.0 (Windows NT 6.1)** | - +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ - | **IP**: An IP address of the visitor for the protection. | None | | XXX.XXX.1.1 | - +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ - | **Params**: A request parameter. | **sttl** | | **201901150929** | - +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ - | **Referer**: A user-defined request resource. | None | | http://www.test.com | - | | | | | - | For example, if the protected path is **/admin/xxx** and you do not want visitors to access the page from **www.test.com**, set **Content** to **http://www.test.com**. 
| | | | - +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ - | **Cookie**: A small piece of data to identify web visitors. | **name** | | jsessionid | - +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ - | **Header**: A user-defined HTTP header. | **Accept** | | **text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8** | - +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ - | **Method**: the user-defined request method. | None | | **GET**, **POST**, **PUT**, **DELETE**, and **PATCH** | - +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ - | **Request Line**: Length of a user-defined request line. 
| None | | **50** | - +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ - | **Request**: Length of a user-defined request. It includes the request header, request line, and request body. | None | | None | - +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ - | **Protocol**: the protocol of the request. | None | | http | - +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ + +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ + | Field | Subfield | Logic | Example Content | + 
+==================================================================================================================================================================================================+=================+========================================================+===========================================================================================+ + | **Path**: Part of a URL that does not include a domain name. This value supports exact matches only. For example, if the path to be protected is **/admin**, **Path** must be set to **/admin**. | None | Select a logical relationship from the drop-down list. | **/buy/phone/** | + | | | | | + | | | | .. important:: | + | | | | | + | | | | NOTICE: | + | | | | If **Path** is set to **/**, all paths of the website are protected. | + +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ + | **User Agent**: A user agent of the scanner to be checked. | None | | **Mozilla/5.0 (Windows NT 6.1)** | + +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ + | **IP**: An IP address of the visitor for the protection. 
| -- | | XXX.XXX.1.1 | + +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ + | **Params**: A request parameter. | - All fields | | **201901150929** | + | | - Any subfield | | | + | | - Custom | | | + +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ + | **Referer**: A user-defined request resource. | -- | | http://www.test.com | + | | | | | + | For example, if the protected path is **/admin/xxx** and you do not want visitors to access the page from **www.test.com**, set **Content** to **http://www.test.com**. | | | | + +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ + | **Cookie**: A small piece of data to identify web visitors. 
| - All fields | | jsessionid | + | | - Any subfield | | | + | | - Custom | | | + +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ + | **Header**: A user-defined HTTP header. | - All fields | | **text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8** | + | | - Any subfield | | | + | | - Custom | | | + +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ + | **Method**: the user-defined request method. | None | | **GET**, **POST**, **PUT**, **DELETE**, and **PATCH** | + +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ + | **Request Line**: Length of a user-defined request line. | None | | **50** | + +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ + | **Request**: Length of a user-defined request. 
It includes the request header, request line, and request body. | None | | None | + +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ + | **Protocol**: the protocol of the request. | None | | http | + +--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+--------------------------------------------------------+-------------------------------------------------------------------------------------------+ #. Click **Confirm**. You can then view the added precise protection rule in the protection rule list. - - .. figure:: /_static/images/en-us_image_0000001395970885.png - :alt: **Figure 4** Protection rules - - **Figure 4** Protection rules - - To disable a rule, click **Disable** in the **Operation** column of the rule. The default **Rule Status** is **Enabled**. - To modify a rule, click **Modify** in the row containing the rule. - To delete a rule, click **Delete** in the row containing the rule. 
@@ -185,22 +188,44 @@ If you have configured a precise protection rule as shown in :ref:`Figure 3 `. +Analysis of a specific type of WordPress pingback attack shows that the **User Agent** field contains WordPress. -.. _waf_01_0010__fig16451834185616: .. figure:: /_static/images/en-us_image_0168632822.png - :alt: **Figure 5** WordPress pingback attack + :alt: **Figure 4** WordPress pingback attack - **Figure 5** WordPress pingback attack + **Figure 4** WordPress pingback attack A precise rule as shown in the figure can block this type of attack. .. figure:: /_static/images/en-us_image_0000001378030725.png - :alt: **Figure 6** User Agent configuration + :alt: **Figure 5** User Agent configuration - **Figure 6** User Agent configuration + **Figure 5** User Agent configuration -.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +Configuration Example - Blocking Specified File Types (ZIP, TAR, and DOCX) +-------------------------------------------------------------------------- + +You can configure file types that match the path field to block specific files of certain types. For example, if you want to block .zip files, you can configure a precise protection rule as shown in :ref:`Figure 6 ` to block access requests of .zip files. + +.. _waf_01_0010__fig1599818616112: + +.. figure:: /_static/images/en-us_image_0000001499416648.png + :alt: **Figure 6** Blocking requests of specific file types + + **Figure 6** Blocking requests of specific file types + +Configuration Example - Allowing a Specific IP Address to Access a Certain URL +------------------------------------------------------------------------------ + +You can configure multiple conditions in the **Condition List** field. If an access request meets the conditions in the list, WAF will allow the request from a specific IP address to access a specified URL. + + +.. 
figure:: /_static/images/en-us_image_0000001182095000.png + :alt: **Figure 7** Allowing specific IP addresses to access specified URLs + + **Figure 7** Allowing specific IP addresses to access specified URLs + +.. |image1| image:: /_static/images/en-us_image_0000001532904513.jpg .. |image2| image:: /_static/images/en-us_image_0000001288266230.png diff --git a/umn/source/rule_configuration/configuring_a_web_tamper_protection_rule.rst b/umn/source/rule_configuration/configuring_a_web_tamper_protection_rule.rst index f2a650f..1509d92 100644 --- a/umn/source/rule_configuration/configuring_a_web_tamper_protection_rule.rst +++ b/umn/source/rule_configuration/configuring_a_web_tamper_protection_rule.rst @@ -15,6 +15,10 @@ WAF can cache configuration for static web pages of websites. After you configur So, if the URL in the value of the **Referer** request header is the same as the configured anti-tamper path, for example, **/admin**, all resources (resources ending with png, jpg, jpeg, gif, bmp, css or js) hit by the request are also cached. +.. note:: + + If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the project from the **Enterprise Project** drop-down list and configure protection policies for the domain names in the project. + Prerequisites ------------- @@ -45,7 +49,7 @@ Procedure #. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. -#. In the navigation pane, choose **Website Settings**. +#. In the navigation pane on the left, choose **Website Settings**. #. In the **Policy** column of the row containing the target website, click the number to go to the **Policies** page. 
@@ -94,12 +98,6 @@ Procedure #. Click **Confirm**. You can view the rule in the list of web tamper protection rules. - - .. figure:: /_static/images/en-us_image_0000001395853109.png - :alt: **Figure 3** List of web tamper protection rules - - **Figure 3** List of web tamper protection rules - Other Operations ---------------- @@ -107,5 +105,42 @@ Other Operations - To update cache of a protected web page, click **Update Cache** in the row containing the corresponding web tamper protection rule. If the rule fails to be updated, WAF will return the recently cached page but not the latest page. - To delete a rule, click **Delete** in the row containing the rule. -.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +Configuration Example - Static Web Page Tamper Prevention +--------------------------------------------------------- + +To verify WAF is protecting a static page **/admin** on your website **www.example.com** from being tampered with: + +#. Use a browser to access **http://www.example.com/admin**. + + A tampered page is returned. + + + .. figure:: /_static/images/en-us_image_0000001226521449.png + :alt: **Figure 3** A static page that has been tampered with + + **Figure 3** A static page that has been tampered with + +#. Add a web tamper prevention rule to WAF. + + + .. figure:: /_static/images/en-us_image_0000001285636510.png + :alt: **Figure 4** Adding a web tamper protection rule + + **Figure 4** Adding a web tamper protection rule + +#. Enabling WTP + + + .. figure:: /_static/images/en-us_image_0000001338155669.png + :alt: **Figure 5** Web Tamper Protection configuration area + + **Figure 5** Web Tamper Protection configuration area + +#. Use a browser to access **http://www.example.com/admin**. WAF will cache the page. + +#. Access **http://www.example.com/admin** again. + + The intact page is returned. + +.. |image1| image:: /_static/images/en-us_image_0000001481908820.jpg .. |image2| image:: /_static/images/en-us_image_0000001288425878.png 
diff --git a/umn/source/rule_configuration/configuring_an_information_leakage_prevention_rule.rst b/umn/source/rule_configuration/configuring_an_information_leakage_prevention_rule.rst index d88c120..9e121ea 100644 --- a/umn/source/rule_configuration/configuring_an_information_leakage_prevention_rule.rst +++ b/umn/source/rule_configuration/configuring_an_information_leakage_prevention_rule.rst @@ -10,6 +10,10 @@ You can add two types of information leakage prevention rules. - Sensitive information filtering: prevents disclosure of sensitive information (such as ID numbers, phone numbers, and email addresses). - Response code interception: blocks the specified HTTP status codes. +.. note:: + + If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the project from the **Enterprise Project** drop-down list and configure protection policies for the domain names in the project. + Prerequisites ------------- @@ -29,7 +33,7 @@ Procedure #. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. -#. In the navigation pane, choose **Website Settings**. +#. In the navigation pane on the left, choose **Website Settings**. #. In the **Policy** column of the row containing the target website, click the number to go to the **Policies** page. 
@@ -43,13 +47,12 @@ Procedure #. In the upper left corner of the **Information Leakage Prevention** page, click **Add Rule**. -#. In the dialog box displayed, add an information leakage prevention rule by referring to :ref:`Table 1 `. :ref:`Figure 2 ` and :ref:`Figure 3 ` show two examples. +#. In the dialog box displayed, add an information leakage prevention rule by referring to :ref:`Table 1 `. Information leakage prevention rules prevent sensitive information (such as ID numbers, phone numbers, and email addresses) from being disclosed. This type of rule can also block specified HTTP status codes. **Sensitive information filtering**: Configure rules to mask sensitive information, such as phone numbers and ID numbers, from web pages. For example, you can set the following protection rules to mask sensitive information, such as ID numbers, phone numbers, and email addresses: - .. _waf_01_0054__fig1077215502209: .. figure:: /_static/images/en-us_image_0000001285815180.png :alt: **Figure 2** Sensitive information leakage @@ -58,7 +61,6 @@ Procedure **Response code interception**: An error page of a specific HTTP response code may contain sensitive information. You can configure rules to block such error pages to prevent such information from being leaked out. For example, you can set the following rule to block error pages of specified HTTP response codes 404, 502, and 503. - .. _waf_01_0054__fig134221027101710: .. figure:: /_static/images/en-us_image_0000001285975220.png :alt: **Figure 3** Blocking response codes @@ -97,12 +99,6 @@ Procedure #. Click **Confirm**. The added information leakage prevention rule is displayed in the list of information leakage prevention rules. - - .. figure:: /_static/images/en-us_image_0000001395972785.png - :alt: **Figure 4** List of information leakage prevention rules - - **Figure 4** List of information leakage prevention rules - Other Operations ---------------- 
@@ -117,11 +113,23 @@ To verify that WAF is protecting your domain name *www.example.com* against an i #. Add an information leakage prevention rule. + + .. figure:: /_static/images/en-us_image_0000001285815180.png + :alt: **Figure 4** Sensitive information leakage + + **Figure 4** Sensitive information leakage + #. Enabling information leakage prevention. + + .. figure:: /_static/images/en-us_image_0000001338214477.png + :alt: **Figure 5** Information Leakage Prevention configuration area + + **Figure 5** Information Leakage Prevention configuration area + #. Clear the browser cache and access http://www.example.com/admin/. The email address, phone number, and identity number on the returned page are masked. -.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image1| image:: /_static/images/en-us_image_0000001532748653.jpg .. |image2| image:: /_static/images/en-us_image_0000001340585565.png diff --git a/umn/source/rule_configuration/configuring_an_ip_address_blacklist_or_whitelist_rule.rst b/umn/source/rule_configuration/configuring_an_ip_address_blacklist_or_whitelist_rule.rst index 6ab6efc..6bcfcd0 100644 --- a/umn/source/rule_configuration/configuring_an_ip_address_blacklist_or_whitelist_rule.rst +++ b/umn/source/rule_configuration/configuring_an_ip_address_blacklist_or_whitelist_rule.rst @@ -7,6 +7,10 @@ Configuring an IP Address Blacklist or Whitelist Rule You can configure blacklist and whitelist rules to block, log only, or allow access requests from specific IP addresses or IP address ranges. +.. note:: + + If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the project from the **Enterprise Project** drop-down list and configure protection policies for the domain names in the project. + Prerequisites ------------- 
@@ -17,6 +21,7 @@ Constraints - WAF does not support batch import of blacklists or whitelists. To configure multiple IP address or IP address range rules, add blacklist and whitelist rules one by one to allow or block specified IP addresses or IP address ranges. - It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the **Events** page. +- If you configure **Protective Action** to **Block** for a blacklist or whitelist rule, you can configure a known attack source rule by referring to :ref:`Configuring a Known Attack Source Rule `. WAF will block requests matching the configured IP address, Cookie, or Params for a length of time configured as part of the rule. Impact on the System -------------------- @@ -34,7 +39,7 @@ Procedure #. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. -#. In the navigation pane, choose **Website Settings**. +#. In the navigation pane on the left, choose **Website Settings**. #. In the **Policy** column of the row containing the target website, click the number to go to the policy configuration page. @@ -86,12 +91,6 @@ Procedure #. Click **OK**. You can then view the added rule in the list of blacklist and whitelist rules. - - .. figure:: /_static/images/en-us_image_0000001345332674.png - :alt: **Figure 3** Blacklist or whitelist rules - - **Figure 3** Blacklist or whitelist rules - - To disable a rule, click **Disable** in the **Operation** column of the rule. The default **Rule Status** is **Enabled**. - To modify a rule, click **Modify** in the row containing the rule. - To delete a rule, click **Delete** in the row containing the rule. 
@@ -114,5 +113,5 @@ If you have added domain name **www.example.com** to this rule, to verify WAF is #. Return to the WAF console. In the navigation pane, choose **Events**. On the displayed page, view or :ref:`download events data `. -.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image1| image:: /_static/images/en-us_image_0000001532867165.jpg .. |image2| image:: /_static/images/en-us_image_0000001288106282.png diff --git a/umn/source/rule_configuration/configuring_anti-crawler_rules.rst b/umn/source/rule_configuration/configuring_anti-crawler_rules.rst index e2605f3..a053e37 100644 --- a/umn/source/rule_configuration/configuring_anti-crawler_rules.rst +++ b/umn/source/rule_configuration/configuring_anti-crawler_rules.rst @@ -7,6 +7,10 @@ Configuring Anti-Crawler Rules You can configure website anti-crawler protection rules to protect against search engines, scanners, script tools, and other crawlers, and use JavaScript to create custom anti-crawler protection rules. +.. note:: + + If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the project from the **Enterprise Project** drop-down list and configure protection policies for the domain names in the project. + Prerequisites ------------- 
@@ -43,7 +47,7 @@ If JavaScript anti-crawler is enabled when a client sends a request, WAF returns - If the client is a crawler, it cannot be triggered by the received JavaScript code and will not send a request to WAF again. The client fails JavaScript authentication. - If a client crawler fabricates a WAF authentication request and sends the request to WAF, the WAF will block the request. The client fails JavaScript authentication. -By collecting statistics on the number of JavaScript challenges and authentication responses, the system calculates how many requests the JavaScript anti-crawler defends. In :ref:`Figure 2 `, the JavaScript anti-crawler has logged 18 events, 16 of which are JavaScript challenge responses, and 2 of which are JavaScript authentication responses. **Others** is the number of WAF authentication requests fabricated by the crawler. +By collecting statistics on the number of JavaScript challenges and authentication responses, the system calculates how many requests the JavaScript anti-crawler defends. In :ref:`Figure 2 `, the JavaScript anti-crawler has logged 18 events, 16 of which are JavaScript challenge responses, and 2 of which are JavaScript authentication responses. **Others** indicates the number of WAF authentication requests fabricated by the crawler. .. _waf_01_0015__fig10806185634312: 
@@ -65,22 +69,21 @@ Procedure #. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. -#. In the navigation pane, choose **Website Settings**. +#. In the navigation pane on the left, choose **Website Settings**. #. In the **Policy** column of the row containing the target website, click the number to go to the **Policies** page. #. .. _waf_01_0015__li11722104461314: - In the **Anti-Crawler** configuration area, enable anti-crawler using the toggle on the right, as shown in :ref:`Figure 3 `. If you enable this function, click **Configure Anti-Crawler**. + In the **Anti-Crawler** configuration area, enable anti-crawler using the toggle on the right. If you enable this function, click **Configure Anti-Crawler**. - .. _waf_01_0015__fig193788379: .. figure:: /_static/images/en-us_image_0000001395732753.png :alt: **Figure 3** Anti-Crawler configuration area **Figure 3** Anti-Crawler configuration area -#. Select the **Feature Library** tab and enable the protection by referring to :ref:`Table 1 `. :ref:`Figure 4 ` shows an example. +#. Select the **Feature Library** tab and enable the protection by referring to :ref:`Table 1 `. A feature-based anti-crawler rule has two protective actions: @@ -94,7 +97,6 @@ Procedure **Scanner** is enabled by default, but you can enable other protection types if needed. - .. _waf_01_0015__fig127337271541: .. figure:: /_static/images/en-us_image_0000001285803110.png :alt: **Figure 4** Feature Library 
@@ -131,7 +133,7 @@ Procedure #. Select the **JavaScript** tab and configure **Status** and **Protective Action**. - **JavaScript** anti-crawler is disabled by default. To enable it, click |image3| and click **Confirm** in the displayed dialog box. |image4| indicates that JavaScript anti-crawler is enabled. + **JavaScript** anti-crawler is disabled by default. To enable it, click |image3| and click **Confirm** in the displayed dialog box. .. figure:: /_static/images/en-us_image_0000001395732757.png @@ -153,7 +155,7 @@ Procedure - To protect all paths except a specified path - Select **Protect all paths**, but then in the upper left corner of the page, click **Exclude Path**. Configure the required parameters in the displayed dialog box and click **OK**. + Set **Protection Mode** to **Protect all paths**. Then, click **Exclude Path**, configure protected paths, and click **OK**. .. figure:: /_static/images/en-us_image_0000001285485922.png @@ -163,7 +165,7 @@ Procedure - To protect a specified path only - Select **Protect a specified path**. In the upper left corner of the page, click **Add Path**. In the displayed dialog box, configure required parameters and click **OK**. + Set **Protection Mode** to **Protect a specified path**. Then, click **Add Rule**, configure protected paths, and click **OK**. .. figure:: /_static/images/en-us_image_0000001285486134.png 
@@ -237,19 +239,17 @@ Configuration Example - Search Engine The following shows how to allow the search engine of Baidu or Google and block the POST request of Baidu. -#. Set **Status** of **Search Engine** to |image5| by referring to the instructions in :ref:`Step 6 `. +#. Set **Status** of **Search Engine** to |image4| by referring to the instructions in :ref:`Step 6 `. -#. Configure a precise protection rule by referring to :ref:`Configuring a Precise Protection Rule `, as shown in :ref:`Figure 10 `. +#. Configure a precise protection rule by referring to :ref:`Configuring a Precise Protection Rule `. - .. _waf_01_0015__fig1439052051516: .. figure:: /_static/images/en-us_image_0000001338332661.png :alt: **Figure 10** Blocking POST requests **Figure 10** Blocking POST requests -.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image1| image:: /_static/images/en-us_image_0000001532628161.jpg .. |image2| image:: /_static/images/en-us_image_0000001340426097.png .. |image3| image:: /_static/images/en-us_image_0234013368.png -.. |image4| image:: /_static/images/en-us_image_0000001285643550.png -.. |image5| image:: /_static/images/en-us_image_0000001227094315.png +.. |image4| image:: /_static/images/en-us_image_0000001227094315.png diff --git a/umn/source/rule_configuration/configuring_basic_web_protection_rules.rst b/umn/source/rule_configuration/configuring_basic_web_protection_rules.rst index b42409d..8d53991 100644 --- a/umn/source/rule_configuration/configuring_basic_web_protection_rules.rst +++ b/umn/source/rule_configuration/configuring_basic_web_protection_rules.rst 
@@ -11,6 +11,10 @@ After this function is enabled, WAF can defend against common web attacks, such Basic web protection has two modes: **Block** and **Log only**. +.. note:: + + If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the project from the **Enterprise Project** drop-down list and configure protection policies for the domain names in the project. + Prerequisites ------------- @@ -25,7 +29,7 @@ Procedure #. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. -#. In the navigation pane, choose **Website Settings**. +#. In the navigation pane on the left, choose **Website Settings**. #. In the **Policy** column of the row containing the target website, click the number to go to the policy configuration page. @@ -55,11 +59,10 @@ Procedure #. In the **Basic Web Protection** configuration area, click **Advanced Settings**. -#. Click the **Protection Status** tab, and enable protection types one by one by referring to :ref:`Table 3 `. :ref:`Figure 2 ` shows an example. +#. Click the **Protection Status** tab, and enable protection types one by one by referring to :ref:`Table 3 `. - .. _waf_01_0008__fig17347539113910: - .. figure:: /_static/images/en-us_image_0000001337778441.png + .. figure:: /_static/images/en-us_image_0000001533970929.png :alt: **Figure 2** Basic web protection **Figure 2** Basic web protection 
@@ -122,36 +125,6 @@ Procedure | | If you enable this function, WAF checks all header fields in the requests. | +-----------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -#. Click the **Protection Rules** tab to view details. For more details about the parameters, see :ref:`Table 4 `. - - .. note:: - - Click |image5| to search for a rule by **CVE ID**, **Risk Severity**, **Application Type**, or **Protection Type**. - - .. _waf_01_0008__table19135226105218: - - .. table:: **Table 4** Protection rules - - +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Parameter | Description | - +===================================+==========================================================================================================================================================================================================================================================================================================================================================================================================================+ - | Rule ID | The protection rule ID, which is generated automatically. 
| - +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Rule Description | Details of attacks the protection rule is configured for. | - +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | CVE ID | Common Vulnerabilities & Exposures (CVE) ID, which corresponds to the protection rule. For non-CVE vulnerabilities, a double dash (--) is displayed. 
| - +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Risk Severity | The severity of the vulnerability, including: | - | | | - | | - High | - | | - Medium | - | | - Low | - +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Application Type | The application type the protection rule is used for. | - +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - | Protection Type | The type of the protection rule. WAF can discover SQL injection, command injection, XSS attacks, XML external entity (XXE) injection, Expression Language (EL) Injection, CSRF, SSRF, local file inclusion, remote file inclusion, website Trojans, malicious crawlers, session fixation attacks, deserialization vulnerabilities, remote command execution, information leakage, DoS attacks, source code/data leakage. 
| - +-----------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - Protection Effect ----------------- 
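Review bot: Dropping the **Protection Rules** step in this hunk also deletes the `waf_01_0008__table19135226105218` label and the Table 4 descriptions of Rule ID, CVE ID, Risk Severity, Application Type and Protection Type. Please confirm that no other page still points at that label with `:ref:`, and say in the commit message whether the rule list is now documented somewhere else, since the CVE ID column is what lets a reader map a built-in rule to a specific vulnerability.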
@@ -168,8 +141,35 @@ If **General Check** is enabled and **Mode** is set to **Block** for your domain #. Return to the WAF console. In the navigation pane, choose **Events**. On the displayed page, view or :ref:`download events data `. -.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +Example - Blocking SQL Injection Attacks +---------------------------------------- + +If domain name **www.example.com** has been connected to WAF, perform the following steps to verify that WAF can block SQL injection attacks. + +#. Enable **General Check** in **Basic Web Protection** and set the protection mode to **Block**. + +#. Enable WAF basic web protection. + + + .. figure:: /_static/images/en-us_image_0000001285577912.png + :alt: **Figure 3** Basic Web Protection configuration area + + **Figure 3** Basic Web Protection configuration area + +#. Clear the browser cache and enter a simulated SQL injection (for example, http://www.example.com?id=' or 1=1) in the address box. + + WAF blocks the access request. :ref:`Figure 4 ` shows an example block page. + + .. _waf_01_0008__fig4672124158: + + .. figure:: /_static/images/en-us_image_0000001179033432.png + :alt: **Figure 4** Block page + + **Figure 4** Block page + +#. Go to the WAF console. In the navigation pane on the left, choose **Events**. View the event on the **Events** page. + +.. |image1| image:: /_static/images/en-us_image_0000001482063812.jpg .. |image2| image:: /_static/images/en-us_image_0000001340426101.png .. |image3| image:: /_static/images/en-us_image_0000001337777849.png .. |image4| image:: /_static/images/en-us_image_0269496734.png -.. |image5| image:: /_static/images/en-us_image_0268155242.png diff --git a/umn/source/rule_configuration/index.rst b/umn/source/rule_configuration/index.rst index 0648402..6ae3059 100644 --- a/umn/source/rule_configuration/index.rst +++ b/umn/source/rule_configuration/index.rst 
@@ -7,7 +7,7 @@ Rule Configuration - :ref:`Configuration Guidance ` - :ref:`Configuring Basic Web Protection Rules ` -- :ref:`Configuring a CC Attack Protection Rule ` +- :ref:`Configuring a CC Attack Protection Rule ` - :ref:`Configuring a Precise Protection Rule ` - :ref:`Adding a Reference Table ` - :ref:`Configuring an IP Address Blacklist or Whitelist Rule ` diff --git a/umn/source/service_overview/functions.rst b/umn/source/service_overview/functions.rst index 36600bf..0bb6a58 100644 --- a/umn/source/service_overview/functions.rst +++ b/umn/source/service_overview/functions.rst @@ -7,6 +7,11 @@ Functions WAF makes it easier for you to handle web security risks. +Protection for IP Addresses and Domain Names (Wildcard, Top-level, and Second-Level Domain Names) +------------------------------------------------------------------------------------------------- + +Objects supported by dedicated WAF instances: domain names or IP addresses of web applications on a cloud or on-premises data centers + HTTP/HTTPS Service Protection ----------------------------- @@ -17,6 +22,12 @@ WebSocket/WebSockets WAF supports the WebSocket/WebSockets protocol, which is enabled by default. +PCI DSS/PCI 3DS Compliance Certification and TLS Checks +------------------------------------------------------- + +- TLS has three versions (TLS v1.0, TLS v1.1, and TLS v1.2) and five cipher suites. You can select the one best fits your business needs. +- WAF supports PCI DSS and PCI 3DS compliance certification check. + Basic Web Protection -------------------- 
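Review bot: In the added "PCI DSS/PCI 3DS Compliance Certification and TLS Checks" section of functions.rst, the first bullet reads as a statement about the protocol ("TLS has three versions") rather than about what WAF supports, and "the one best fits" is missing "that". Suggest "WAF supports TLS v1.0, TLS v1.1, and TLS v1.2 and five cipher suites. Select the version and cipher suite that best fit your business needs." Because the bullet sits under a PCI DSS heading and lists TLS v1.0 as an equal choice, it should also state which of the listed versions and cipher suites pass the compliance check mentioned in the second bullet.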
@@ -26,6 +37,10 @@ With an extensive preset reputation database, WAF defends against Open Web Appli WAF detects and blocks varied attacks, such as SQL injection, XSS, remote overflow vulnerabilities, file inclusions, Bash vulnerabilities, directory (path) traversal attacks, sensitive file access, command and code injections, web shells, backdoors, malicious HTTP requests, and third-party vulnerability exploits. +- Web shell detection + + WAF protects against web shells from upload interface. + - Precise identification - WAF uses built-in semantic analysis engine and regex engine and supports configuring of blacklist/whitelist rules, which reduces false positives. 
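Review bot: The added "Web shell detection" item, "WAF protects against web shells from upload interface", is missing an article and does not say what is inspected. Wording such as "WAF detects web shells uploaded through file upload interfaces" would be clearer, and it would then add something to the context paragraph above, which already lists web shells among the blocked attacks.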
@@ -34,10 +49,18 @@ With an extensive preset reputation database, WAF defends against Open Web Appli WAF can decode the following types of code: url_encode, Unicode, XML, OCT, hexadecimal, HTML escape, and base64 code, case confusion, JavaScript, shell, and PHP concatenation confusion +- Deep inspection + + WAF identifies and blocks evasion attacks, such as the ones that use homomorphic character obfuscation, command injection with deformed wildcard characters, UTF7, data URI scheme, and other techniques. + +- Header detection + + WAF detects all header fields in the requests. + CC Attack Prevention -------------------- -You can customize a CC attack protection rule to restrict access to a specific URL on your website based on an IP address, cookie, or Referer, mitigating CC attacks. Protective actions of CC attack protection rules include **Verification code**, **Block**, **Dynamically block**, and **Log only**. +A CC attack protection rule can limit access to a specific path (URL) of the protected website based on a specific IP address, cookie, or referer in access requests. So, WAF can accurately identify and mitigate CC attacks, such as brute-force attacks by exploiting weak passwords. Protective actions of CC attack protection rules include **Verification code**, **Block**, **Dynamically block**, and **Log only**. - Flexible policy configuration @@ -135,14 +158,6 @@ Anti-Crawler Protection WAF dynamically analyzes your website service models and accurately identifies crawler behavior based on data risk control and bot identification systems. -- Feature library - - Blocks web page crawling with user-defined scanner and crawler rules. This feature improves protection accuracy. - -- JavaScript - - Identifies and blocks JavaScript crawling with user-defined rules. - Global Protection Whitelist (Formerly False Alarm Masking) ---------------------------------------------------------- 
diff --git a/umn/source/service_overview/index.rst b/umn/source/service_overview/index.rst index 62b8477..6bb68b6 100644 --- a/umn/source/service_overview/index.rst +++ b/umn/source/service_overview/index.rst @@ -6,10 +6,12 @@ Service Overview ================ - :ref:`What Is Web Application Firewall? ` -- :ref:`Specifications ` +- :ref:`Product Specifications ` - :ref:`Functions ` - :ref:`Product Advantages ` - :ref:`Application Scenarios ` +- :ref:`Project and Enterprise Project ` +- :ref:`Personal Data Protection Mechanism ` - :ref:`WAF Permissions Management ` - :ref:`WAF and Other Services ` @@ -18,9 +20,11 @@ Service Overview :hidden: what_is_web_application_firewall - specifications + product_specifications functions product_advantages application_scenarios + project_and_enterprise_project + personal_data_protection_mechanism waf_permissions_management waf_and_other_services diff --git a/umn/source/service_overview/personal_data_protection_mechanism.rst b/umn/source/service_overview/personal_data_protection_mechanism.rst new file mode 100644 index 0000000..17e5f18 --- /dev/null +++ b/umn/source/service_overview/personal_data_protection_mechanism.rst 
@@ -0,0 +1,43 @@ +:original_name: waf_01_0130.html + +.. _waf_01_0130: + +Personal Data Protection Mechanism +================================== + +To ensure that website visitors' personal data, such as the username, password, and mobile phone number, will not be obtained by unauthorized or unauthenticated entities or people and to prevent data leakage, WAF encrypts your personal data before storing it to control access to the data and records logs for operations performed on the data. + +Personal Data to Be Collected +----------------------------- + +WAF records requests that trigger attack alarms in event logs. :ref:`Table 1 ` provides the personal data collected and generated by WAF. + +.. _waf_01_0130__table17591953183018: + +.. table:: **Table 1** Personal data + + +------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------+-----------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Type | Collection Method | Can Be Modified | Mandatory | + +======================================================+============================================================================================================================+=================+======================================================================================================================================================================+ + | Request source IP address | Attacker IP address that is blocked or recorded by WAF when the domain name is attacked. 
| No | Yes | + +------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------+-----------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | URL | Attacked URL of the protected domain name, or URL of the protected domain name that is blocked or recorded by WAF. | No | Yes | + +------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------+-----------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | HTTP/HTTPS header information (including the cookie) | Cookie value and header value entered on the configuration page when you configure a CC attack or precise protection rule. | No | No | + | | | | | + | | | | If the configured cookie and header fields do not contain users' personal information, the requests recorded by WAF will not collect or generate such personal data. | + +------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------+-----------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + | Request parameters (Get and Post) | Request details recorded by WAF in protection logs. | No | No | + | | | | | + | | | | If request parameters do not contain users' personal information, the requests recorded by WAF will not collect or generate such personal data. 
| + +------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------+-----------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +Storage Mode +------------ + +The values of sensitive fields are saved after being anonymized, and the values of other fields are saved in plaintext in logs. + +Access Control +-------------- + +Users can view only logs related to their own services. diff --git a/umn/source/service_overview/product_specifications.rst b/umn/source/service_overview/product_specifications.rst new file mode 100644 index 0000000..3e9bb6e --- /dev/null +++ b/umn/source/service_overview/product_specifications.rst 
@@ -0,0 +1,97 @@ +:original_name: waf_01_0272.html + +.. _waf_01_0272: + +Product Specifications +====================== + +WAF is deployed in dedicated mode. The following tables describe specifications and functions of the dedicated WAF instances. + +Dedicated Mode +-------------- + +:ref:`Table 1 ` describes dedicated WAF instances. + +.. _waf_01_0272__table680245522517: + +.. table:: **Table 1** Dedicated mode description + + +-----------------------------------+-------------------------------------------------------------------------------------------------------------------+ + | Item | Description | + +===================================+===================================================================================================================+ + | Deployment mode | Dedicated WAF instances | + +-----------------------------------+-------------------------------------------------------------------------------------------------------------------+ + | Application scenarios | Service servers are deployed on the cloud. | + | | | + | | Suitable for large enterprise websites that have a large service scale and have customized security requirements. | + +-----------------------------------+-------------------------------------------------------------------------------------------------------------------+ + | Protection objects | Domain names or IP addresses | + +-----------------------------------+-------------------------------------------------------------------------------------------------------------------+ + | Advantages | - Enable cloud and on-premises deployment. | + | | - Enable exclusive use of WAF instance. | + | | - Meet requirements for protection against large-scale traffic attacks. | + | | - Deploy dedicated WAF instances in a VPC to reduce network latency. 
| + +-----------------------------------+-------------------------------------------------------------------------------------------------------------------+ + +Service Scale +------------- + +For more details, see :ref:`Table 2 `. + +.. _waf_01_0272__table1048223113711: + +.. table:: **Table 2** Applicable service scale + + +---------------------------------------------------------------------------+------------------------------------------------------------------------------------+ + | Service Metrics | Specifications | + +===========================================================================+====================================================================================+ + | Peak rate of normal service requests | - Specifications: WI-500. Referenced performance: | + | | | + | | - Throughput: 500 Mbit/s; QPS: 10,000 | + | | - WAF-to-Server connections supported: 60,000 per instance or 5,000 per domain | + | | | + | | - Specifications: WI-100. Referenced performance: | + | | | + | | - Throughput: 100 Mbit/s; QPS: 2,000 | + | | - WAF-to-Server connections supported: 60,000 per instance or 5,000 per domain | + +---------------------------------------------------------------------------+------------------------------------------------------------------------------------+ + | Service bandwidth threshold (The origin server is deployed on the cloud.) | - Specifications: WI-500. Referenced performance: | + | | | + | | - Throughput: 500 Mbit/s; QPS: 10,000 | + | | - WAF-to-Server connections supported: 60,000 per instance or 5,000 per domain | + | | | + | | - Specifications: WI-100. 
Referenced performance: | + | | | + | | - Throughput: 100 Mbit/s; QPS: 2,000 | + | | - WAF-to-Server connections supported: 60,000 per instance or 5,000 per domain | + +---------------------------------------------------------------------------+------------------------------------------------------------------------------------+ + | Number of domain names | 2,000 (Supports 2,000 top-level domain names) | + +---------------------------------------------------------------------------+------------------------------------------------------------------------------------+ + | Quantity of supported ports | - Standard ports: Unlimited | + | | - Non-standard ports: Unlimited | + +---------------------------------------------------------------------------+------------------------------------------------------------------------------------+ + | Peak rate of CC attack protection | 500,000 QPS | + +---------------------------------------------------------------------------+------------------------------------------------------------------------------------+ + | CC attack protection rules | 100 | + +---------------------------------------------------------------------------+------------------------------------------------------------------------------------+ + | Precise protection rules | 100 | + +---------------------------------------------------------------------------+------------------------------------------------------------------------------------+ + | Reference table rules | 100 | + +---------------------------------------------------------------------------+------------------------------------------------------------------------------------+ + | IP address blacklist and whitelist rules | 100 | + +---------------------------------------------------------------------------+------------------------------------------------------------------------------------+ + | Geolocation access control rules | 100 | + 
+---------------------------------------------------------------------------+------------------------------------------------------------------------------------+ + | Web tamper protection rules | 100 | + +---------------------------------------------------------------------------+------------------------------------------------------------------------------------+ + | Information leakage prevention rules | 100 | + +---------------------------------------------------------------------------+------------------------------------------------------------------------------------+ + | Global Protection Whitelist (Formerly False Alarm Masking) | 1,000 | + +---------------------------------------------------------------------------+------------------------------------------------------------------------------------+ + | Data masking rules | 100 | + +---------------------------------------------------------------------------+------------------------------------------------------------------------------------+ + +.. important:: + + - The number of domains is the total number of top-level domain names (for example, example.com), single domain names/subdomain names (for example, www.example.com), and wildcard domain names (for example, \*.example.com). + - If a domain name maps to different ports, each port is considered to represent a different domain name. For example, **www.example.com:8080** and **www.example.com:8081** are counted towards your quota as two distinct domain names. diff --git a/umn/source/service_overview/project_and_enterprise_project.rst b/umn/source/service_overview/project_and_enterprise_project.rst new file mode 100644 index 0000000..3ff3d03 --- /dev/null +++ b/umn/source/service_overview/project_and_enterprise_project.rst 
@@ -0,0 +1,38 @@ +:original_name: waf_01_0316.html + +.. _waf_01_0316: + +Project and Enterprise Project +============================== + +Project +------- + +Projects in IAM are used to group and isolate OpenStack resources (computing resources, storage resources, and network resources). Resources in your account must be mounted under projects. A project can be a department or a project team. Multiple projects can be created under one account. + +Enterprise Project +------------------ + +Enterprise projects are used to categorize and manage multiple resources. Resources of the same type can be put under an enterprise project. The use of enterprise projects does not affect the use of HSS. + +You can classify resources by department or project group and put related resources into one enterprise project for management. Resources can be moved between enterprise projects. + +Differences Between Projects and Enterprise Projects +---------------------------------------------------- + +- IAM Project + + Projects are used to categorize and physically isolate resources in a region. Resources in an IAM project cannot be transferred. They can only be deleted and then rebuilt. + + |image1| + +- Enterprise Project + + Enterprise projects are upgraded based on IAM projects and used to categorize and manage resources of different projects of an enterprise. An enterprise project can contain resources of multiple regions, and resources can be added to or removed from enterprise projects. If you have enabled enterprise management, you cannot create an IAM project and can only manage existing projects. In the future, IAM projects will be replaced by enterprise projects, which are more flexible. + + |image2| + +Both projects and enterprise projects can be managed by one or more user groups. Users who manage enterprise projects belong to user groups. 
After a policy is granted to a user group, users in the group can obtain the permissions defined in the policy in the project or enterprise project. + +.. |image1| image:: /_static/images/en-us_image_0245737543.png +.. |image2| image:: /_static/images/en-us_image_0245737551.png diff --git a/umn/source/service_overview/specifications.rst b/umn/source/service_overview/specifications.rst deleted file mode 100644 index 8f27198..0000000 --- a/umn/source/service_overview/specifications.rst +++ /dev/null 
@@ -1,78 +0,0 @@ -:original_name: waf_01_0272.html - -.. _waf_01_0272: - -Specifications -============== - -WAF is deployed in dedicated mode. The following tables describe specifications and functions of the dedicated WAF instances. - -Dedicated Mode --------------- - -:ref:`Table 1 ` describes dedicated WAF instances. - -.. _waf_01_0272__table680245522517: - -.. table:: **Table 1** Dedicated mode description - - +-----------------------------------+-------------------------------------------------------------------------------------------------------------------+ - | Item | Description | - +===================================+===================================================================================================================+ - | Deployment mode | Dedicated WAF instances | - +-----------------------------------+-------------------------------------------------------------------------------------------------------------------+ - | Application scenarios | Service servers are deployed on the cloud. | - | | | - | | Suitable for large enterprise websites that have a large service scale and have customized security requirements. | - +-----------------------------------+-------------------------------------------------------------------------------------------------------------------+ - | Protection objects | Domain names or IP addresses | - +-----------------------------------+-------------------------------------------------------------------------------------------------------------------+ - | Advantages | - Enable cloud and on-premises deployment. | - | | - Enable exclusive use of WAF instance. | - | | - Meet requirements for protection against large-scale traffic attacks. | - | | - Deploy dedicated WAF instances in a VPC to reduce network latency. 
| - +-----------------------------------+-------------------------------------------------------------------------------------------------------------------+ - -Service Scale -------------- - -For more details, see :ref:`Table 2 `. - -.. _waf_01_0272__en-us_topic_0110861186_table15136121131817: - -.. table:: **Table 2** Service specifications - - +-------------------------------------------------------------------------+---------------------------------------------------------+ - | Service metrics | Specifications | - +=========================================================================+=========================================================+ - | Peak rate of normal service requests | - 2,000 QPS (WAF instance specifications: 100 Mbit/s) | - | | - 10,000 QPS (WAF instance specifications: 500 Mbit/s) | - +-------------------------------------------------------------------------+---------------------------------------------------------+ - | Service bandwidth threshold (Origin servers are deployed on the cloud.) 
| - 100 Mbit/s (WAF instance specifications: 100 Mbit/s) | - | | - 500 Mbit/s (WAF instance specifications: 500 Mbit/s) | - +-------------------------------------------------------------------------+---------------------------------------------------------+ - | Number of domains | 2,000 (Supports 2,000 top-level domain names) | - +-------------------------------------------------------------------------+---------------------------------------------------------+ - | Peak rate of CC attack protection | 500,000 QPS | - +-------------------------------------------------------------------------+---------------------------------------------------------+ - | CC attack protection rules | 100 | - +-------------------------------------------------------------------------+---------------------------------------------------------+ - | Precise protection rules | 100 | - +-------------------------------------------------------------------------+---------------------------------------------------------+ - | IP address blacklist and whitelist rules | 100 | - +-------------------------------------------------------------------------+---------------------------------------------------------+ - | Geolocation access control rules | 100 | - +-------------------------------------------------------------------------+---------------------------------------------------------+ - | Web tamper protection rules | 100 | - +-------------------------------------------------------------------------+---------------------------------------------------------+ - | Information leakage prevention rules | 100 | - +-------------------------------------------------------------------------+---------------------------------------------------------+ - | Global Protection Whitelist (Formerly False Alarm Masking) | 1,000 | - +-------------------------------------------------------------------------+---------------------------------------------------------+ - | Data masking rules | 100 | - 
+-------------------------------------------------------------------------+---------------------------------------------------------+ - -.. important:: - - - The number of domains is the total number of top-level domain names (for example, example.com), single domain names/subdomain names (for example, www.example.com), and wildcard domain names (for example, \*.example.com). - - If a domain name maps to different ports, each port is considered to represent a different domain name. For example, **www.example.com:8080** and **www.example.com:8081** are counted towards your quota as two distinct domain names. diff --git a/umn/source/service_overview/waf_and_other_services.rst b/umn/source/service_overview/waf_and_other_services.rst index ab42c23..4e37e7c 100644 --- a/umn/source/service_overview/waf_and_other_services.rst +++ b/umn/source/service_overview/waf_and_other_services.rst @@ -37,6 +37,8 @@ CTS +-----------------------------------------------------------------------------------------------+---------------+---------------------+ | Changing the name of a certificate | certificate | modifyCertificate | +-----------------------------------------------------------------------------------------------+---------------+---------------------+ + | Deleting a certificate | certificate | deleteCertificate | + +-----------------------------------------------------------------------------------------------+---------------+---------------------+ | Adding a CC attack protection rule | policy | createCc | +-----------------------------------------------------------------------------------------------+---------------+---------------------+ | Modifying a CC attack protection rule | policy | modifyCc | 
@@ -59,7 +61,7 @@ CTS +-----------------------------------------------------------------------------------------------+---------------+---------------------+ | Deleting a web tamper protection rule | policy | deleteAntitamper | +-----------------------------------------------------------------------------------------------+---------------+---------------------+ - | Creating a false alarm maskingglobal protection whitelist (formerly false alarm masking) rule | policy | createIgnore | + | Creating a global protection whitelist (formerly false alarm masking) rule | policy | createIgnore | +-----------------------------------------------------------------------------------------------+---------------+---------------------+ | Deleting a false alarm maskingglobal protection whitelist (formerly false alarm masking) rule | policy | deleteIgnore | +-----------------------------------------------------------------------------------------------+---------------+---------------------+ 
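Review bot: This hunk fixes the garbled operation name only on the `createIgnore` row; the `deleteIgnore` row in the trailing context still reads "Deleting a false alarm maskingglobal protection whitelist (formerly false alarm masking) rule". Apply the same correction there ("Deleting a global protection whitelist (formerly false alarm masking) rule") so the two CTS rows are consistent.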
@@ -87,6 +89,18 @@ IAM Identity and Access Management (IAM) provides the permission management function for WAF. Only users granted WAF Administrator permissions can use WAF. To obtain this permission, contact the users who have the Security Administrator permissions. +SMN +--- + +Simple Message Notification (SMN) service provides the notification function. After you enable the notification function in WAF, alarm information will be sent to you as configured once your domain name is attacked. + +Enterprise Management +--------------------- + +You can manage multiple projects in an enterprise, separately settle their costs, and assign different personnel for them. A project can be started or stopped independently without affecting others. With Enterprise Management, you can easily manage your projects after creating an enterprise project for each of them. + +WAF can be interconnected with Enterprise Management. You can manage WAF resources by enterprise project and grant different permissions to users. + TMS --- diff --git a/umn/source/service_overview/what_is_web_application_firewall.rst b/umn/source/service_overview/what_is_web_application_firewall.rst index c2f37d3..ef1c697 100644 --- a/umn/source/service_overview/what_is_web_application_firewall.rst +++ b/umn/source/service_overview/what_is_web_application_firewall.rst 
@@ -8,3 +8,27 @@ What Is Web Application Firewall? Web Application Firewall (WAF) keeps web services stable and secure. It examines all HTTP and HTTPS requests to detect and block the following attacks: Structured Query Language (SQL) injection, cross-site scripting (XSS), web shells, command and code injections, file inclusion, sensitive file access, third-party vulnerability exploits, Challenge Collapsar (CC) attacks, malicious crawlers, and cross-site request forgery (CSRF). After you enable a WAF instance, add your website domain to the WAF instance on the WAF console. All public network traffic for your website then goes to WAF first. WAF identifies and filters out the illegitimate traffic, and routes only the legitimate traffic to your origin server to ensure site security. + +How WAF Works +------------- + +After purchasing WAF, add the website to WAF on the WAF console. After a website is connected to WAF, all website access requests are forwarded to WAF first. WAF detects and filters out malicious attack traffic, and returns normal traffic to the origin server to ensure that the origin server is secure, stable, and available. + + +.. figure:: /_static/images/en-us_image_0000001197423825.png + :alt: **Figure 1** How WAF protects a website + + **Figure 1** How WAF protects a website + +The process of forwarding traffic from WAF to origin servers is called back-to-source. WAF uses back-to-source IP addresses to send client requests to the origin server. When a website is connected to WAF, the destination IP addresses to the client are the IP addresses of WAF, so that the origin server IP address is invisible to the client. + + +.. figure:: /_static/images/en-us_image_0234924841.png + :alt: **Figure 2** Back-to-source IP address + + **Figure 2** Back-to-source IP address + +What WAF Protects +----------------- + +Objects supported by dedicated WAF instances: domain names or IP addresses of web applications on the clouds or on-premises data centers 
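Review bot: the first paragraph of the new "How WAF Works" section restates the unchanged paragraph just above it ("After you enable a WAF instance, add your website domain ..."), with conflicting wording: "After purchasing WAF" versus "After you enable a WAF instance", and "returns normal traffic to the origin server" versus "routes only the legitimate traffic to your origin server". Keep one version and use "routes" or "forwards", since the traffic did not originate at the origin server. In the back-to-source paragraph, "the destination IP addresses to the client" is unclear, and the statement that the origin server IP address is invisible to the client should say whether the origin server is expected to accept traffic only from the back-to-source IP addresses, because the text does not say either way. The "What WAF Protects" sentence also ends without a period.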
diff --git a/umn/source/viewing_product_details.rst b/umn/source/viewing_product_details.rst deleted file mode 100644 index 8a8f3a4..0000000 --- a/umn/source/viewing_product_details.rst +++ /dev/null @@ -1,38 +0,0 @@ -:original_name: waf_01_0319.html - -.. _waf_01_0319: - -Viewing Product Details -======================= - -On the **Product Details** page, you can view information about all your WAF instances, including the edition, domain quotas, and specifications. - -Prerequisites -------------- - -You have purchased a WAF instance. - -Procedure ---------- - -#. Log in to the management console. - -#. Click |image1| in the upper left corner of the management console and select a region or project. - -#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. - -#. In the navigation pane on the left, choose **Instance Management** > **Product Details**. - -#. On the **Product Details** page, view the WAF edition, specifications, and expiration time. - - - Click **Details** to view the detailed specifications of the current WAF edition. - - When you move the cursor to the WAF edition shown in the upper right corner of the page, the specifications are displayed. - - - .. figure:: /_static/images/en-us_image_0000001286061432.png - :alt: **Figure 1** Product information - - **Figure 1** Product information - -.. |image1| image:: /_static/images/en-us_image_0000001133216533.jpg -.. |image2| image:: /_static/images/en-us_image_0000001340308381.png diff --git a/umn/source/website_domain_name_management/configuring_a_traffic_identifier_for_a_known_attack_source.rst b/umn/source/website_domain_name_management/configuring_a_traffic_identifier_for_a_known_attack_source.rst index 2a35380..23a29e3 100644 --- a/umn/source/website_domain_name_management/configuring_a_traffic_identifier_for_a_known_attack_source.rst 
+++ b/umn/source/website_domain_name_management/configuring_a_traffic_identifier_for_a_known_attack_source.rst @@ -7,6 +7,10 @@ Configuring a Traffic Identifier for a Known Attack Source WAF allows you to configure traffic identifiers by IP address, session, or user tag to block possibly malicious requests from known attack sources based on **IP address**, **Cookie**, or **Params**. +.. note:: + + If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the project from the **Enterprise Project** drop-down list and configure known attack source traffic identifiers for the domain names. + Prerequisites ------------- @@ -30,13 +34,12 @@ Procedure #. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. -#. In the navigation pane, choose **Website Settings**. +#. In the navigation pane on the left, choose **Website Settings**. #. In the **Domain Name** column, click the domain name of the target website to go to the basic information page. -#. In the **Traffic Identifier** area, click |image3| next to **IP Tag**, **Session Tag**, or **User Tag** to configure a traffic identifier by referring to :ref:`Table 1 `. :ref:`Figure 1 ` shows an example. +#. In the **Traffic Identifier** area, click |image3| next to **IP Tag**, **Session Tag**, or **User Tag** to configure a traffic identifier by referring to :ref:`Table 1 `. - .. _waf_01_0270__fig165215137120: .. figure:: /_static/images/en-us_image_0000001284861820.png :alt: **Figure 1** Traffic Identifier 
@@ -47,20 +50,22 @@ Procedure .. table:: **Table 1** Traffic identifier parameters - +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Tag | Description | Example Value | - +=======================+==================================================================================================================================================================================================================+=======================+ - | IP Tag | HTTP request header field of the original client IP address. | X-Forwarded-For | - | | | | - | | Ensure that the protected website has a layer-7 proxy configured in front of WAF and that **Proxy Configured** under the website basic information settings is set to **Yes** for this parameter to take effect. | | - +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | Session Tag | This tag is used to block possibly malicious requests based on the cookie attributes of an attack source. Configure this parameter to block requests based on cookie attributes. | jssessionid | - +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ - | User Tag | This tag is used to block possibly malicious requests based on the Params attribute of an attack source. Configure this parameter to block requests based on the Params attributes. 
| name | - +-----------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Tag | Description | Example Value | + +=======================+=======================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+=======================+ + | IP Tag | HTTP request header field of the original client IP address. | X-Forwarded-For | + | | | | + | | Ensure that the protected website has a layer-7 proxy configured in front of WAF and that **Proxy Configured** under the website basic information settings is set to **Yes** for this parameter to take effect. | | + | | | | + | | If there are multiple field names separated by commas (,), WAF reads the fields from left to right to obtain the client IP address. For example, for **X-Forwarded-For,CDN-Src-IP,X-real-IP**, WAF obtains the client IP address from the **X-Forwarded-For** field first. 
If this field has no value, WAF then obtains the value from other fields in sequence. If there is no field configured by the customer, WAF obtains the source IP address in the TCP connection by default. | | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | Session Tag | This tag is used to block possibly malicious requests based on the cookie attributes of an attack source. Configure this parameter to block requests based on cookie attributes. | jssessionid | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ + | User Tag | This tag is used to block possibly malicious requests based on the Params attribute of an attack source. Configure this parameter to block requests based on the Params attributes. 
| name | + +-----------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------+ #. Click **Confirm**. -.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image1| image:: /_static/images/en-us_image_0000001481373388.jpg .. |image2| image:: /_static/images/en-us_image_0000001288423818.png .. |image3| image:: /_static/images/en-us_image_0210924454.jpg diff --git a/umn/source/website_domain_name_management/configuring_connection_protection.rst b/umn/source/website_domain_name_management/configuring_connection_protection.rst index eeccc5e..0a15832 100644 --- a/umn/source/website_domain_name_management/configuring_connection_protection.rst +++ b/umn/source/website_domain_name_management/configuring_connection_protection.rst 
@@ -32,15 +32,15 @@ Procedure #. In the **Domain Name** column, click the domain name of the website to go to the basic information page. - .. _waf_01_1172__waf_01_1169_fig7279164301510: - - .. figure:: /_static/images/en-us_image_0000001285178604.png - :alt: **Figure 1** Basic Information area - - **Figure 1** Basic Information area - #. In the **Connection Protection** area, click the status toggle to enable it. + .. _waf_01_1172__fig491043320154: + + .. figure:: /_static/images/en-us_image_0000001529293989.png + :alt: **Figure 1** Connection Protection + + **Figure 1** Connection Protection + #. Click |image3| next to each parameter, edit **Breakdown Protection** and **Connection Protection** parameters to meet your requirements, and click |image4| to save settings. :ref:`Table 1 ` describes these parameters. .. _waf_01_1172__table172097131662: 
@@ -71,7 +71,7 @@ Procedure .. note:: - The following uses **Connection Protection** settings in :ref:`Figure 1 ` as an example to describe how the protection works. + The following uses **Connection Protection** settings in :ref:`Figure 1 ` as an example to describe how the protection works. - **Breakdown Protection**: When the number of 502/504 errors returned by the protected website exceeds 1,000 and accounts for 90% or more of the total access requests of the website for the first time, the first breakdown protection is triggered. During the first breakdown protection, WAF stops forwarding client requests for 180s (that is, blocks visitors access to the website for 180s). If a second consecutive breakdown protection is triggered, WAF stops forwarding client requests for 360s (180 x 2). If a third or more consecutive breakdowns are triggered, WAF stops forwarding client requests for 540s (180s x 3). The breakdowns are counted from 0 when the total downtime duration exceeds one hour (3,600s). - **Connection Protection**: When the number of read URL requests in the waiting queue exceeds 6,000, WAF stops forwarding client requests for 60 seconds and returns the maintenance page of the website to visitors. diff --git a/umn/source/website_domain_name_management/configuring_connection_timeout.rst b/umn/source/website_domain_name_management/configuring_connection_timeout.rst index ed53be8..d3ca9d3 100644 --- a/umn/source/website_domain_name_management/configuring_connection_timeout.rst +++ b/umn/source/website_domain_name_management/configuring_connection_timeout.rst 
@@ -17,27 +17,21 @@ Prerequisites The website you want to protect has been added to WAF. +Constraints +----------- + +- The timeout duration for connections between a browser and WAF cannot be modified. Only timeout duration for connections between WAF and your origin server can be modified. +- This function cannot be disabled once it is enabled. + Procedure --------- #. Log in to the management console. - #. Click |image1| in the upper left corner of the management console and select a region or project. - #. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. - #. In the navigation pane, choose **Website Settings**. - #. In the **Domain Name** column, click the domain name of the website to go to the basic information page. - - - .. figure:: /_static/images/en-us_image_0000001285178604.png - :alt: **Figure 1** Basic Information area - - **Figure 1** Basic Information area - #. In the **Timeout Settings** row, click the **Status** toggle and enable it if needed. - #. Click |image3|, specify **WAF-to-Server connection timeout (s)**, **Read timeout (s)**, and **Write timeout (s)**, and click |image4| to save settings. .. |image1| image:: /_static/images/en-us_image_0000001238508978.jpg diff --git a/umn/source/website_domain_name_management/configuring_pci_dss_3ds_certification_check_and_tls_version.rst b/umn/source/website_domain_name_management/configuring_pci_dss_3ds_certification_check_and_tls_version.rst index b748b95..f35e692 100644 --- a/umn/source/website_domain_name_management/configuring_pci_dss_3ds_certification_check_and_tls_version.rst +++ b/umn/source/website_domain_name_management/configuring_pci_dss_3ds_certification_check_and_tls_version.rst 
@@ -156,6 +156,19 @@ The TLS cipher suites in WAF are compatible with all browsers and clients of lat | Safari 6.0.4/OS X 10.8.4 | Compatible | Compatible | Not compatible | Compatible | Compatible | +---------------------------------------------+----------------------+----------------+----------------+----------------+----------------+ +Impact on the System +-------------------- + +- If you enable the PCI DSS certification check: + + - The minimum TLS version and cypher suite are automatically set to **TLS v1.2** and **EECDH+AESGCM:EDH+AESGCM**, respectively, and cannot be changed. + - To change the minimum TLS version and cipher suite, disable the check. + +- If you enable the PCI 3DS certification check: + + - The minimum TLS version is automatically set to **TLS v1.2** and cannot be changed. + - The check cannot be disabled. + Procedure --------- 
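Review bot: the first PCI DSS bullet in the new "Impact on the System" section spells the term "cypher suite", while the very next bullet and the surrounding page use "cipher suite"; use "cipher suite" throughout. The section also repeats constraints that the Procedure notes already state (the following hunk's context keeps "If PCI 3DS certification check is enabled, the minimum TLS version cannot be changed." and "Once enabled, the PCI 3DS certification check cannot be disabled."). Keep one copy and reference it from the other place, so the two cannot drift apart.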
@@ -163,15 +176,14 @@ Procedure #. Click |image1| in the upper left corner of the management console and select a region or project. -#. Click |image2| in the upper left corner and choose **Security** > **Web Application Firewall (Dedicated)**. +#. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. -#. In the navigation pane, choose **Website Settings**. +#. In the navigation pane on the left, choose **Website Settings**. #. In the **Domain Name** column, click the domain name of the website to go to the basic information page. -#. In the **Compliance Certification** row, you can select **PCI DSS** and/or **PCI 3DS** to allow WAF to check your website for the corresponding PCI certification compliance. In the **TLS Configuration** row, click |image3| to complete TLS configuration. :ref:`Figure 1 ` shows an example. +#. In the **Compliance Certification** row, you can select **PCI DSS** and/or **PCI 3DS** to allow WAF to check your website for the corresponding PCI certification compliance. In the **TLS Configuration** row, click |image3| to complete TLS configuration. - .. _waf_01_0169__fig158391141135917: .. figure:: /_static/images/en-us_image_0000001337771401.png :alt: **Figure 1** TLS configuration modification @@ -195,9 +207,8 @@ Procedure - If PCI 3DS certification check is enabled, the minimum TLS version cannot be changed. - Once enabled, the PCI 3DS certification check cannot be disabled. -#. In the displayed **TLS Configuration** dialog box, select the minimum TLS version and cipher suite. :ref:`Figure 2 ` shows an example. +#. In the displayed **TLS Configuration** dialog box, select the minimum TLS version and cipher suite. - .. _waf_01_0169__fig1518314493518: .. figure:: /_static/images/en-us_image_0000001337772549.png :alt: **Figure 2** TLS Configuration 
@@ -217,8 +228,8 @@ Verification If the **Minimum TLS Version** is set to **TLS v1.2**, the website can be accessed over connections secured by TLS v1.2 or later, but cannot be accessed over connections secured by TLS v1.1 or earlier. -.. |image1| image:: /_static/images/en-us_image_0210924450.jpg -.. |image2| image:: /_static/images/en-us_image_0000001340424065.png +.. |image1| image:: /_static/images/en-us_image_0000001481692844.jpg +.. |image2| image:: /_static/images/en-us_image_0000001340304201.png .. |image3| image:: /_static/images/en-us_image_0210924454.jpg .. |image4| image:: /_static/images/en-us_image_0000001337772205.png .. |image5| image:: /_static/images/en-us_image_0000001337772269.png diff --git a/umn/source/website_domain_name_management/editing_server_information.rst b/umn/source/website_domain_name_management/editing_server_information.rst index 494da93..d6c6968 100644 --- a/umn/source/website_domain_name_management/editing_server_information.rst +++ b/umn/source/website_domain_name_management/editing_server_information.rst @@ -13,6 +13,10 @@ Applicable scenarios: - Add server configurations. - Update a certificate by referring to :ref:`Updating a Certificate `. +.. note:: + + If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the enterprise project from the **Enterprise Project** drop-down list and configure server information for the domain names. + Prerequisites ------------- @@ -32,7 +36,7 @@ Procedure #. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. -#. In the navigation pane, choose **Website Settings**. +#. In the navigation pane on the left, choose **Website Settings**. #. In the **Domain Name** column, click the domain name of the website to go to the basic information page. 
@@ -44,21 +48,13 @@ Procedure **Figure 1** Server Information -#. On the **Edit Server Information** page, edit the server configurations (such as client protocol and associated certificate). +#. On the **Edit Server Information** page, edit the server configurations (such as client protocols and associated certificates). - .. note:: - - - For details about certificate, see :ref:`Updating a Certificate `. - - WAF supports configuring of multiple backend servers. To add a backend server, click **Add**. - - - .. figure:: /_static/images/en-us_image_0000001337775421.png - :alt: **Figure 2** Edit Server Information - - **Figure 2** Edit Server Information + - For details about certificate, see :ref:`Updating a Certificate `. + - WAF supports configuring of multiple backend servers. To add a backend server, click **Add**. #. Click **Confirm**. -.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image1| image:: /_static/images/en-us_image_0000001532693205.jpg .. |image2| image:: /_static/images/en-us_image_0000001288264194.png .. |image3| image:: /_static/images/en-us_image_0282893059.jpg diff --git a/umn/source/website_domain_name_management/modifying_the_alarm_page.rst b/umn/source/website_domain_name_management/modifying_the_alarm_page.rst index df54b91..1400844 100644 --- a/umn/source/website_domain_name_management/modifying_the_alarm_page.rst +++ b/umn/source/website_domain_name_management/modifying_the_alarm_page.rst 
@@ -7,6 +7,10 @@ Modifying the Alarm Page If a visitor is blocked by WAF, the **Default** block page of WAF is returned by default. You can also configure **Custom** or **Redirection** for the block page to be returned as required. +.. note:: + + If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the enterprise project from the **Enterprise Project** drop-down list and customize alarm pages for the domain names. + Prerequisites ------------- @@ -24,7 +28,7 @@ Procedure #. Log in to the management console. #. Click |image1| in the upper left corner of the management console and select a region or project. #. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. -#. In the navigation pane, choose **Website Settings**. +#. In the navigation pane on the left, choose **Website Settings**. #. In the **Domain Name** column, click the domain name of the website to go to the basic information page. #. Click |image3| next to the page template name in the row where **Alarm Page** is located. In the displayed **Alarm Page** dialog box, specify **Page Template**. @@ -60,6 +64,6 @@ Procedure #. Click **Confirm**. -.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image1| image:: /_static/images/en-us_image_0000001481693004.jpg .. |image2| image:: /_static/images/en-us_image_0000001340583529.png .. |image3| image:: /_static/images/en-us_image_0210924454.jpg diff --git a/umn/source/website_domain_name_management/removing_a_protected_website_from_waf.rst b/umn/source/website_domain_name_management/removing_a_protected_website_from_waf.rst index f908a2d..812de39 100644 --- a/umn/source/website_domain_name_management/removing_a_protected_website_from_waf.rst +++ b/umn/source/website_domain_name_management/removing_a_protected_website_from_waf.rst 
@@ -7,6 +7,8 @@ Removing a Protected Website from WAF This topic describes how to remove a website from WAF if you no longer need to protect it. +Before removing a website from WAF, go to your DNS provider and resolve your domain name to the IP address of the origin server, or the traffic to your domain name cannot be routed to the origin server. + Prerequisites ------------- @@ -26,7 +28,7 @@ Procedure #. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. -#. In the navigation pane, choose **Website Settings**. +#. In the navigation pane on the left, choose **Website Settings**. #. In the row containing the website domain name you want to delete, click **Delete** in the **Operation** column. @@ -35,7 +37,7 @@ Procedure If you want to retain the policy applied to the domain name, select **Retain the policy of this domain name**. - .. figure:: /_static/images/en-us_image_0000001285577484.png + .. figure:: /_static/images/en-us_image_0000001435452489.png :alt: **Figure 1** Deleting a protected domain name from WAF **Figure 1** Deleting a protected domain name from WAF @@ -44,5 +46,5 @@ Procedure If **Domain name deleted successfully** is displayed in the upper right corner, the domain name of the website was deleted. -.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image1| image:: /_static/images/en-us_image_0000001544531265.jpg .. |image2| image:: /_static/images/en-us_image_0000001340304197.png diff --git a/umn/source/website_domain_name_management/switching_waf_working_mode.rst b/umn/source/website_domain_name_management/switching_waf_working_mode.rst index af7bab9..91c2c7c 100644 --- a/umn/source/website_domain_name_management/switching_waf_working_mode.rst +++ b/umn/source/website_domain_name_management/switching_waf_working_mode.rst 
@@ -7,6 +7,10 @@ Switching WAF Working Mode You can change the working mode of WAF. WAF can work in **Enabled** or **Suspended** mode. +.. note:: + + If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the enterprise project from the **Enterprise Project** drop-down list and switch WAF working mode for a specific domain name. + Prerequisites ------------- @@ -32,9 +36,9 @@ Procedure #. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. -#. In the navigation pane, choose **Website Settings**. +#. In the navigation pane on the left, choose **Website Settings**. -#. In the **Mode** column of the row containing the target domain name, click |image3| and select a working mode. +#. In the **Mode** column of the row containing the target domain name, click |image3| and select a working mode. .. figure:: /_static/images/en-us_image_0000001345173294.png @@ -42,6 +46,6 @@ Procedure **Figure 1** Switching WAF working mode -.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image1| image:: /_static/images/en-us_image_0000001544520337.jpg .. |image2| image:: /_static/images/en-us_image_0000001340304201.png .. |image3| image:: /_static/images/en-us_image_0000001324043026.png diff --git a/umn/source/website_domain_name_management/updating_a_certificate.rst b/umn/source/website_domain_name_management/updating_a_certificate.rst index abbcef3..ebaf5a9 100644 --- a/umn/source/website_domain_name_management/updating_a_certificate.rst +++ b/umn/source/website_domain_name_management/updating_a_certificate.rst 
@@ -37,7 +37,7 @@ Procedure #. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. -#. In the navigation pane, choose **Website Settings**. +#. In the navigation pane on the left, choose **Website Settings**. #. In the **Domain Name** column, click the domain name of the website to go to the basic information page. @@ -45,13 +45,12 @@ Procedure Click |image3| next to the certificate name. In the **Update Certificate** dialog box, import a new certificate or select an existing certificate. - - If you select **Import new certificate** for **Update Method**, enter a certificate name, and copy and paste the certificate file and private key into the corresponding text boxes. :ref:`Figure 1 ` shows an example. + - If you select **Import new certificate** for **Update Method**, enter a certificate name, and copy and paste the certificate file and private key into the corresponding text boxes. .. note:: WAF encrypts and saves the private key to keep it safe. - .. _waf_01_0262__fig1518314493518: .. figure:: /_static/images/en-us_image_0000001337894657.png :alt: **Figure 1** Update Certificate @@ -97,7 +96,7 @@ Procedure - Before running an OpenSSL command, ensure that the `OpenSSL `__ tool has been installed on the local host. - If your local PC runs a Windows operating system, go to the command line interface (CLI) and then run the certificate conversion command. - - If you select **Select existing certificate** for **Update Method**, select an existing certificate from the **Certificate Name** drop-down list. + - If you select **Select existing certificate** for **Update Method**, select an existing certificate from the **Certificate** drop-down list. .. figure:: /_static/images/en-us_image_0000001378108553.png 
@@ -107,6 +106,6 @@ Procedure #. Click **Confirm**. -.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image1| image:: /_static/images/en-us_image_0000001532693109.jpg .. |image2| image:: /_static/images/en-us_image_0000001340663937.png .. |image3| image:: /_static/images/en-us_image_0210924454.jpg diff --git a/umn/source/website_domain_name_management/viewing_basic_information.rst b/umn/source/website_domain_name_management/viewing_basic_information.rst index d3b9f21..7f5ac82 100644 --- a/umn/source/website_domain_name_management/viewing_basic_information.rst +++ b/umn/source/website_domain_name_management/viewing_basic_information.rst @@ -21,7 +21,7 @@ Procedure #. Click |image2| in the upper left corner and choose **Web Application Firewall (Dedicated)** under **Security**. -#. In the navigation pane, choose **Website Settings**. +#. In the navigation pane on the left, choose **Website Settings**. #. View the protected website lists. For details about parameters, see :ref:`Table 1 `. 
@@ -38,7 +38,7 @@ Procedure +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Parameter | Description | +===================================+=========================================================================================================================================================================================================================================================================================================================================================================================================+ - | Domain Name | Domain name or IP address of a website to be protected. | + | Domain Name | Domain name or IP address of a website you want to protect. | +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Deployment Mode | How your WAF instance is deployed for your website. Only **Dedicated mode** is available. 
| +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ @@ -48,6 +48,8 @@ Procedure | | | | | - **Enabled**: WAF is enabled. | | | - **Suspended**: WAF is disabled. If a large number of normal requests are blocked, for example, status code 418 is frequently returned, then you can switch the mode to **Suspended**. In this mode, your website is not protected because WAF only forwards requests. It does not scan for attacks. This mode is risky. You are advised to use the false alarm masking rules to reduce false alarms. | + | | | + | | For details, see :ref:`Switching WAF Working Mode `. | +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Policy | The total number of protection policies configured in WAF. You can click a number to go to the rule configuration page. | +-----------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ 
@@ -62,9 +64,8 @@ Procedure #. In the **Domain Name** column, click the domain name of the website to go to the basic information page. -#. View the basic information about the domain name of the protected website. :ref:`Figure 2 ` shows an example.View the basic information about the protected website. +#. View the basic information about the domain name of the protected website. - .. _waf_01_0020__fig1068529619241: .. figure:: /_static/images/en-us_image_0000001284850794.png :alt: **Figure 2** Basic Information @@ -77,7 +78,7 @@ Procedure - Customize the alarm page: Click |image7|. In the displayed dialog box, select **Custom** or **Redirection** and complete required configurations. By default, **Alarm Page** is **Default**. - If you want to set a timeout duration for each request, enable **Timeout Settings** and click |image8|\ to specify **WAF-to-Server Connection Timeout (s)**, **Read Timeout (s)**, and **Write Timeout (s)**. This function cannot be disabled after being enabled. For details, see :ref:`Configuring Connection Timeout `. -.. |image1| image:: /_static/images/en-us_image_0210924450.jpg +.. |image1| image:: /_static/images/en-us_image_0000001481851976.jpg .. |image2| image:: /_static/images/en-us_image_0000001288099090.png .. |image3| image:: /_static/images/en-us_image_0000001284852786.png .. |image4| image:: /_static/images/en-us_image_0210924454.jpg
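Review bot: the |image1| substitution now points at a different new file on each page, and neither file's addition is visible in these hunks. The first hunk (@@ -107,6 +106,6 @@) uses en-us_image_0000001532693109.jpg, and the @@ -77,7 +78,7 @@ hunk of viewing_basic_information.rst uses en-us_image_0000001481851976.jpg, where both pages previously shared en-us_image_0210924450.jpg. Please confirm that both files are added under /_static/images/ in this commit, otherwise the substitution renders as a missing image. If the icon is the same on both pages, pointing both at one file would avoid carrying duplicate binaries.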
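Review bot: in the @@ -48,6 +48,8 @@ hunk, the new "For details, see Switching WAF Working Mode" line sits directly under the **Suspended** bullet, so the only link a reader gets from that cell leads to the procedure for turning protection off. The same bullet states that the mode is risky and advises using false alarm masking rules instead. Suggest adding a reference to the false alarm masking topic next to the new line, or placing it first, so the recommended option is as reachable as the risky one.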
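Review bot: the @@ -62,9 +64,8 @@ hunk removes the label ".. _waf_01_0020__fig1068529619241:" while the figure it anchored stays in place. Any :ref: to that label elsewhere in the docs will stop resolving. Please grep the tree for waf_01_0020__fig1068529619241 before merging. If the figure should remain linkable, keep the label and drop only the duplicated sentence. The figure's alt text still reads "**Figure 2** Basic Information", so the numbering is unchanged even though the step no longer refers to it.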