By collecting statistics on the number of JavaScript challenges and authentication responses, the system calculates how many requests the JavaScript anti-crawler defends. In Figure 2, the JavaScript anti-crawler has logged 18 events, 16 of which are JavaScript challenge responses, and 2 of which are JavaScript authentication responses. Others indicates the number of WAF authentication requests fabricated by the crawler.
By collecting statistics on the number of JavaScript challenges and authentication responses, the system calculates how many requests the JavaScript anti-crawler defends. In Figure 2, the JavaScript anti-crawler has logged 18 events, 16 of which are JavaScript challenge responses, and 2 of which are JavaScript authentication responses. Other indicates the number of WAF authentication requests fabricated by the crawler.
diff --git a/docs/wafd/umn/waf_01_0016.html b/docs/wafd/umn/waf_01_0016.html
index 192d82196..cca3ac6d4 100644
--- a/docs/wafd/umn/waf_01_0016.html
+++ b/docs/wafd/umn/waf_01_0016.html
@@ -42,9 +42,9 @@
Certificate/Cipher Suite
diff --git a/docs/wafd/umn/waf_01_0021.html b/docs/wafd/umn/waf_01_0021.html
index 49de6e396..30dcd48c7 100644
--- a/docs/wafd/umn/waf_01_0021.html
+++ b/docs/wafd/umn/waf_01_0021.html
@@ -4,7 +4,7 @@
This topic describes how to view protection event logs, including attack and request statistics, event distribution, top 10 attacked domain names, top 10 attack source IP addresses, and top 10 attacked URLs in a specified time range, such as yesterday, today, past 3 days, past 7 days, or past 30 days.
- Specification LimitationsOn the Dashboard page, protection data of up to 30 days can be viewed.
+ Specification LimitationsYou can view the protection data of a maximum of 30 days.
How to Calculate QPSThe QPS calculation method varies depending on the time range. For details, see Table 1.
@@ -52,10 +52,10 @@
Viewing the Dashboard- Log in to the management console.
- Click
 in the upper left corner of the management console and select a region or project. - Click
 in the upper left corner and choose Web Application Firewall (Dedicated) under Security. - In the upper part of the page, select a project from the Enterprise Project drop-down list. Then, specify the website, instance, and time range for your query.
- By default, the information about all websites you add to WAF in all enterprise projects are displayed.
- Domain Names: shows information about websites added to the WAF instance in the selected enterprise project. Click View to go to the Website Settings page and view details about domain names of protected websites.
- Query time: You can select Yesterday, Today, Past 3 days, Past 7 days, or Past 30 days.
Figure 1 Setting search criteria
- - View how many requests, attacks, and attacked pages by attack type over the specified time range.
- Requests: shows the page views of the website, making it easy for you to view the total number of pages accessed by visitors in a certain period of time.
- Attacks: shows how many times the website are attacked.
- You can view how many pages are attacked by a certain type of attack within a certain period of time.
- You can click Show Details to view the details of the 10 domain names with the most requests, attacks, and basic web protection, precise protection, CC attack protection, and anti-crawler protection actions.
+ - View how many requests, attacks, and attacked pages by attack type over the specified time range.
- Requests: shows the page views of the website, making it easy for you to view the total number of pages accessed by visitors in a certain period of time.
- Attacks: shows how many times the website are attacked.
- You can view how many pages are attacked by a certain type of attack within a certain period of time.
- You can click Show Details to view the details of the 10 domain names with the most requests, attacks, and basic web protection, precise protection, CC attack protection, and anti-crawler protection actions.
Figure 2 Protection action statistics
- Query security data in the Security Event Statistics area.
By day: You can select this option to view the data gathered by the day. If you leave this option unselected, you have the following options:
-- Yesterday and Today: Security event data is gathered every minute.
- Past 3 days: Security event data is gathered every 5 minutes.
- Past 7 days: Security event data is gathered every 10 minutes.
- Past 30 days: Security event data is gathered every hour.
+- Yesterday and Today: Security event data is gathered every minute.
- Past 3 days: Security event data is gathered every 5 minutes.
- Past 7 days: Security event data is gathered every 10 minutes.
- Past 30 days: Security event data is gathered every hour.
Figure 3 Security Event Statistics
Table 2 Parameters in Security Event StatisticsParameter
@@ -84,7 +84,7 @@
|
|---|
Event Distribution
|
Types of attack events
-Click an area in the Event Distribution area to view the type, number, and proportion of an attack.
+Click an area in the Event Distribution area to view the type, number, and proportion of an attack.
|
Top 10 Attacked Domain Names
diff --git a/docs/wafd/umn/waf_01_0024.html b/docs/wafd/umn/waf_01_0024.html
index 414629e80..24b8c4d59 100644
--- a/docs/wafd/umn/waf_01_0024.html
+++ b/docs/wafd/umn/waf_01_0024.html
@@ -37,9 +37,9 @@
| Condition List
|
Click Add to add conditions. At least one condition needs to be added. You can add up to 30 conditions to a protection rule. If more than one condition is added, all of the conditions must be met for the rule to be applied. A condition includes the following parameters:
-Parameters for configuring a condition are described as follows: - Field
- Subfield: Configure this field only when Params, Cookie, or Header is selected for Field.
NOTICE: The length of a subfield cannot exceed 2,048 bytes. Only digits, letters, underscores (_), and hyphens (-) are allowed.
+ Parameters for configuring a condition are described as follows: - Field
- Subfield: Configure this field only when Params, Cookie, or Header is selected for Field.
NOTICE: The length of a subfield cannot exceed 2,048 bytes. Only digits, letters, underscores (_), and hyphens (-) are allowed.
- - Logic: Select a logical relationship from the drop-down list.
- Content: Enter or select the content that matches the condition.
+ - Logic: Select a logical relationship from the drop-down list.
- Content: Enter or select the content that matches the condition.
|
Path, Include, /product
diff --git a/docs/wafd/umn/waf_01_0052.html b/docs/wafd/umn/waf_01_0052.html
index e81fb46b6..e9ee6e6cf 100644
--- a/docs/wafd/umn/waf_01_0052.html
+++ b/docs/wafd/umn/waf_01_0052.html
@@ -6,7 +6,7 @@
If your account does not need individual IAM users for permissions management, then you may skip over this chapter.
WAF PermissionsBy default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services based on the permissions.
WAF is a project-level service deployed and accessed in specific physical regions. To assign WAF permissions to a user group, specify the scope as region-specific projects and select projects for the permissions to take effect. If All projects is selected, the permissions will take effect for the user group in all region-specific projects. When accessing WAF, the users need to switch to a region where they have been authorized to use the WAF service.
- You can grant users permissions by using roles and policies. - Roles: A type of coarse-grained authorization mechanism that defines permissions related to users responsibilities. Only a limited number of service-level roles for authorization are available. You need to also assign other dependent roles for the permission control to take effect. Roles are not ideal for fine-grained authorization and secure access control.
- Policies: A fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization and meets secure access control requirements. For example, you can grant WAF users only the permissions for managing a certain type of resources. Most policies define permissions based on APIs. For the API actions supported by WAF, see WAF Permissions and Supported Actions.
+ You can grant users permissions by using roles and policies. - Roles: A type of coarse-grained authorization mechanism that defines permissions related to user responsibilities. Only a limited number of service-level roles for authorization are available. You need to also assign other dependent roles for the permission control to take effect. Roles are not ideal for fine-grained authorization and secure access control.
- Policies: A fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization and meets secure access control requirements. For example, you can grant WAF users only the permissions for managing a certain type of resources. Most policies define permissions based on APIs. For the API actions supported by WAF, see WAF Permissions and Supported Actions.
Table 1 lists all the system roles supported by WAF.
diff --git a/docs/wafd/umn/waf_01_0060.html b/docs/wafd/umn/waf_01_0060.html
index b16f7ee30..44cdc5182 100644
--- a/docs/wafd/umn/waf_01_0060.html
+++ b/docs/wafd/umn/waf_01_0060.html
@@ -1,7 +1,7 @@
Viewing CTS Traces in the Trace List
- ScenariosAfter you enable CTS and the management tracker is created, CTS starts recording operations on cloud resources. After a data tracker is created, the system starts recording operations on data in Object Storage Service (OBS) buckets. Cloud Trace Service (CTS) stores operation records (traces) generated in the last seven days.
+ ScenariosAfter you enable CTS and the management tracker is created, CTS starts recording operations on cloud resources. Cloud Trace Service (CTS) stores operation records (traces) generated in the last seven days.
 These operation records are retained for seven days on the CTS console and are automatically deleted upon expiration. Manual deletion is not supported.
@@ -10,7 +10,7 @@
- Operator: Select a user.
- Trace Status: Select All trace statuses, Normal, Warning, or Incident.
- Time range: Select Last 1 hour, Last 1 day, or Last 1 week, or specify a custom time range within the last seven days.
- Click Query.
- On the Trace List page, you can also export and refresh the trace list.
- Click Export to export all traces in the query result as a CSV file. The file can contain up to 5,000 records.
- Click
 to view the latest information about traces.
- - Click
 on the left of a trace to expand its details.
+ - Click on the left of a trace to expand its details.
diff --git a/docs/wafd/umn/waf_01_0061.html b/docs/wafd/umn/waf_01_0061.html
index ac668ea0e..8ea7bcea6 100644
--- a/docs/wafd/umn/waf_01_0061.html
+++ b/docs/wafd/umn/waf_01_0061.html
@@ -6,8 +6,8 @@
Adding Rules to One or More Policies- Log in to the management console.
- Click
 in the upper left corner of the management console and select a region or project. - Click
 in the upper left corner and choose Web Application Firewall (Dedicated) under Security. - In the navigation pane on the left, choose Policies.
- In the upper left corner of the policy list, click View All My Rules.
Figure 1 View Rules
- In the upper left corner above a list of a type of rule, click Add Rule.
Figure 2 Adding a rule to one or more policies
- - Select one or more policies from the Policy Name drop-down list.
Figure 3 Adding a rule to one or more policies
- - Set other parameters.
- To add a CC attack protection rule, see Table 1.
- To add a precise protection rule, see Table 1.
- To add a blacklist or whitelist rule, see Table 1.
- To add a geolocation access control rule, see Table 1.
- To add a WTP rule, see Table 1.
- To add an information leakage prevention rule, see Table 1.
- To add a global protection whitelist rule, see Table 1.
- To add a data masking rule, see Table 1.
+ - Select one or more policies from the Policy Name drop-down list.
Figure 3 Adding a rule to one or more policies
+ - Set other parameters in addition to Policy Name.
- To add a CC attack protection rule, see Table 1.
- To add a precise protection rule, see Table 1.
- To add a blacklist or whitelist rule, see Table 1.
- To add a geolocation access control rule, see Table 1.
- To add a WTP rule, see Table 1.
- To add an information leakage prevention rule, see Table 1.
- To add a global protection whitelist rule, see Table 1.
- To add a data masking rule, see Table 1.
- Click Confirm.
diff --git a/docs/wafd/umn/waf_01_0066.html b/docs/wafd/umn/waf_01_0066.html
index e248cd6d6..9f05e01b8 100644
--- a/docs/wafd/umn/waf_01_0066.html
+++ b/docs/wafd/umn/waf_01_0066.html
@@ -37,7 +37,7 @@
504 Gateway TimeoutScenario: After the configuration of connecting a domain name to WAF is complete, your website works properly. However, with the increasing traffic volume, the number of 504 errors also increases. If you directly access the IP address of the origin server, the 504 error code is returned sometimes.
The possible causes are as follows:
- Cause 1: Backend server performance issues (such as too many connections or high CPU usage)
Solution: - Optimize the server configuration, including TCP network parameters and ulimit parameters.
- To handle large-scale service increase, use method 1 or method 2 to perform the processing.
Method 1: Add a backend server group to the ELB load balancer.
-Method 2: Create an ELB. Use the EIP of ELB as the IP address of the server to connect to WAF. - Log in to the management console, click Service List in the upper part of the page, and choose .
- In the navigation pane, choose Website Settings.
- In the Domain Name column, click the domain name. Its information is displayed.
- In the Server Information area, click
 . On the displayed page, click Add.
+ Method 2: Create an ELB. Use the EIP of ELB as the IP address of the server to connect to WAF. - Log in to the management console, click Service List in the upper part of the page, and choose .
- In the navigation pane, choose Website Settings.
- In the Domain Name column, click the domain name. Its information is displayed.
- In the Server Information area, click
 . On the displayed page, click Add.
- If the Client Protocol is HTTPS, you can use HTTPS on the WAF side. However, it is recommended that HTTP (Server Protocol) to forward the requests to your web server, lowering the computational demands on backend servers.
diff --git a/docs/wafd/umn/waf_01_0074.html b/docs/wafd/umn/waf_01_0074.html
index 063cc1be6..eef72fce5 100644
--- a/docs/wafd/umn/waf_01_0074.html
+++ b/docs/wafd/umn/waf_01_0074.html
@@ -7,7 +7,7 @@
ConstraintsA protected website domain name can use only one policy.
Related Operations- To modify a policy name, click
 next to the policy name. In the dialog box displayed, enter a new policy name. - To delete a rule, locate the row containing the rule. In the Operation column, click Delete.
diff --git a/docs/wafd/umn/waf_01_0081.html b/docs/wafd/umn/waf_01_0081.html
index 6df8d0e2f..b3e03110c 100644
--- a/docs/wafd/umn/waf_01_0081.html
+++ b/docs/wafd/umn/waf_01_0081.html
@@ -31,14 +31,14 @@
Type
|
+- Header: A user-defined HTTP header.
|
-Path
+ | Path
|
Value
|
-Value of the corresponding Type. Wildcards are not allowed.
+ | Value of the corresponding Type. Wildcards are not allowed.
NOTE: Click Add to add more than one value.
|
diff --git a/docs/wafd/umn/waf_01_0100.html b/docs/wafd/umn/waf_01_0100.html
index 12b7d3027..f0375cbf3 100644
--- a/docs/wafd/umn/waf_01_0100.html
+++ b/docs/wafd/umn/waf_01_0100.html
@@ -1,7 +1,7 @@
What Can I Do If Files Cannot Be Uploaded After a Website Is Connected to WAF?
-After your website is connected to WAF, the size of the file each time you can upload to the website is limited as follows: - Cloud mode - CNAME access: 1 GB
- Cloud mode - load balancer access or dedicated mode: 10 GB
+ After your website is connected to WAF, the size of the file each time you can upload to the website is limited as follows: - Cloud mode - Load balancer access mode: 10 GB
- Dedicated mode: 10 GB
To upload a file larger than what is allowed, upload the file through any of the following:
- IP address
- Separate web server that is not protected by WAF
- FTP server
diff --git a/docs/wafd/umn/waf_01_0154.html b/docs/wafd/umn/waf_01_0154.html
index c2b60a319..86b46cc97 100644
--- a/docs/wafd/umn/waf_01_0154.html
+++ b/docs/wafd/umn/waf_01_0154.html
@@ -8,7 +8,7 @@
Constraints- The Redirection mode is not supported if you select ELB access for the protected website.
- The content of the text/html, text/xml, and application/json pages can be configured on the Custom block page to be returned.
- The root domain name of the redirection address must be the same as the currently protected domain name (including a wildcard domain name). For example, if the protected domain name is www.example.com and the port is 8080, the redirection URL can be set to http://www.example.com:8080/error.html.
- Editing Response Page for Blocked Requests- Log in to the management console.
- Click
 in the upper left corner of the management console and select a region or project. - Click
 in the upper left corner and choose Web Application Firewall (Dedicated) under Security. - In the navigation pane on the left, choose Website Settings.
- In the Domain Name column, click the domain name of the website to go to the basic information page.
- Click the edit icon next to the page template name in the row where Alarm Page is located. In the displayed Alarm Page dialog box, specify Page Template.
- To use the built-in page, select Default. An HTTP code 418 is returned.
Figure 1 Default alarm page
+Editing Response Page for Blocked Requests- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
- In the navigation pane on the left, choose Website Settings.
- In the Domain Name column, click the domain name of the website to go to the basic information page.
- Click
 next to the page template name in the row of Alarm Page. In the displayed Alarm Page dialog box, specify Page Template.- To use the built-in page, select Default. An HTTP code 418 is returned.
Figure 1 Default alarm page
- To customize the alarm page, select Custom and configure following parameters.
- HTTP Return Code: return code configured on a custom page.
- Response Header: Click Add Response Header Field and configure response header parameters.
- Block Page Type: The options are text/html, text/xml, and application/json.
- Page Content: Configure the page content based on the selected value for Block Page Type.
Figure 2 Custom alarm page
- To configure a redirection URL, select Redirection.
Figure 3 Redirection alarm page
diff --git a/docs/wafd/umn/waf_01_0169.html b/docs/wafd/umn/waf_01_0169.html
index 6c5e5b07c..57b7e2a76 100644
--- a/docs/wafd/umn/waf_01_0169.html
+++ b/docs/wafd/umn/waf_01_0169.html
@@ -58,8 +58,7 @@
|
Default cipher suite
- NOTE: By default, Cipher suite 1 is configured for websites. However, if the request does not carry the server name indication (SNI), WAF uses the Default cipher suite.
-
+
|
- ECDHE-RSA-AES256-SHA384
- AES256-SHA256
- RC4
- HIGH
|
diff --git a/docs/wafd/umn/waf_01_0172.html b/docs/wafd/umn/waf_01_0172.html
index bdccd06ac..95791ba45 100644
--- a/docs/wafd/umn/waf_01_0172.html
+++ b/docs/wafd/umn/waf_01_0172.html
@@ -3,7 +3,7 @@
Using LTS to Log WAF Activities
After you authorize WAF to access Log Tank Service (LTS), you can use the WAF logs recorded by LTS for quick and efficient real-time analysis, device O&M management, and analysis of service trends.
LTS analyzes and processes a large number of logs. It enables you to process logs in real-time, efficiently, and securely. Logs can be stored in LTS for seven days by default but you can configure LTS for up to 30 days if needed. Logs earlier than 30 days are automatically deleted. However, you can configure LTS to dump those logs to an Object Storage Service (OBS) bucket or enable Data Ingestion Service (DIS) for long-term storage.
- Prerequisites
+
Impact on the SystemEnabling LTS for WAF does not affect WAF performance.
diff --git a/docs/wafd/umn/waf_01_0253.html b/docs/wafd/umn/waf_01_0253.html
index 8697dcaa3..9c3bde2ec 100644
--- a/docs/wafd/umn/waf_01_0253.html
+++ b/docs/wafd/umn/waf_01_0253.html
@@ -6,84 +6,111 @@
Prerequisites- You have applied for a dedicated WAF instance.
- Your login account has the IAM ReadOnly permission.
Viewing Information About a Dedicated WAF Instance- Log in to the management console.
- Click
 in the upper left corner of the management console and select a region or project. - Click
 in the upper left corner and choose Web Application Firewall (Dedicated) under Security. - In the navigation pane on the left, choose Instance Management > Dedicated Engine to go to the dedicated WAF instance page.
Figure 1 Dedicated engine list
- - View information about a dedicated WAF instance. Table 1 describes parameters.
- Table 1 Key parameters of dedicated WAF instancesParameter
+Dedicated Engine Version IterationYou can view the WAF instance version in the Version column of the dedicated WAF instance list.
+
+ Table 1 Dedicated WAF versionsEngine Version
|
-Description
- |
-Example Value
+ | Feature
|
|---|
-Instance Name
+ | 202312
|
-Name automatically generated when an instance is created.
- |
-None
+ | - A global protection whitelist rule can be set to ignore invalid requests.
- JavaScript-based anti-crawler rules support more protective actions, including Block, Log only, and Verification code.
|
-Protected Website
+ | 202308
|
-Domain name of the website protected by the instance.
- |
-www.example.com
+ | - The $remote_addr field is added to the IP identifier, which can be directly set to the IP address of the TCP connection.
- IP addresses used in TCP connections can be identified by CC, precise protection, blacklist, and whitelist rules.
- A block duration can be set if Protective Action is set to Verification code in a CC attack protection rule.
|
-VPC
+ | 202305
|
-VPC where the instance resides
- |
-vpc-waf
+ | - HTTP2 is enabled globally by default. There is no need to enable it manually.
- By default, a request can pass through WAF four times before it goes to the origin server. Error code 523 will be returned if the request exceeds this limit.
- Strict multipart format verification is supported.
- Dedicated ELB network load balancers are supported. (In earlier versions, only shared load balancers and dedicated application load balancers are supported.)
|
-Subnet
+ |
+
+
+ Viewing Information About a Dedicated WAF Instance- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
- In the navigation pane on the left, choose Instance Management > Dedicated Engine to go to the dedicated WAF instance page.
Figure 1 Dedicated engine list
+ - View information about a dedicated WAF instance. Table 2 describes parameters.
+ Table 2 Key parameters of dedicated WAF instancesParameter
+ |
+Description
+ |
+Example Value
+ |
+
|---|
+
+Instance Name
|
-Subnet where an instance resides
+ | Name automatically generated when an instance is created.
|
-subnet-62bb
+ | None
|
-IP Address
+ | Protected Website
|
-IP address of the subnet in the VPC where the WAF instance is deployed.
+ | Domain name of the website protected by the instance.
|
-192.168.0.186
+ | www.example.com
|
-Access Status
+ | VPC
|
-Connection status of the instance.
+ | VPC where the instance resides
|
-Accessible
+ | vpc-waf
|
-Running Status
+ | Subnet
|
-Status of the instance.
+ | Subnet where an instance resides
|
-Running
+ | subnet-62bb
|
-Version
+ | IP Address
|
-Dedicated WAF version.
+ | IP address of the subnet in the VPC where the WAF instance is deployed.
|
-202304
+ | 192.168.0.186
|
-Deployment
+ | Access Status
|
-How the instance is deployed.
+ | Connection status of the instance.
|
-Standard mode (reverse proxy)
+ | Accessible
|
-Specifications
+ | Running Status
|
-Specifications of resources hosting the instance.
+ | Status of the instance.
|
-8 vCPUs | 16 GB
+ | Running
+ |
+
+Version
+ |
+Dedicated WAF version.
+ |
+202304
+ |
+
+Deployment
+ |
+How the instance is deployed.
+ |
+Standard mode (reverse proxy)
+ |
+
+Specifications
+ |
+Specifications of resources hosting the instance.
+ |
+8 vCPUs | 16 GB
|
@@ -111,7 +138,7 @@
 Resources on deleted instance are released and cannot be restored. Exercise caution when performing this operation.
- Log in to the management console.
- Click
 in the upper left corner of the management console and select a region or project. - Click
 in the upper left corner and choose Web Application Firewall (Dedicated) under Security. - In the navigation pane on the left, choose Instance Management > Dedicated Engine to go to the dedicated WAF instance page.
Figure 5 Dedicated engine list
- - In the row of the instance, click More > Delete in the Operation column.
- In the displayed dialog box, enter DELETE and click Confirm.
Figure 6 Deleting an instance
+ - In the row of the instance, click More > Delete in the Operation column.
- In the displayed dialog box, enter DELETE and click Confirm.
Figure 6 Deleting an instance
diff --git a/docs/wafd/umn/waf_01_0262.html b/docs/wafd/umn/waf_01_0262.html
index c9957bbe5..f28f29008 100644
--- a/docs/wafd/umn/waf_01_0262.html
+++ b/docs/wafd/umn/waf_01_0262.html
@@ -9,7 +9,7 @@
Impact on the System- It is recommended that you update the certificate before it expires. Otherwise, all WAF protection rules will fail to take effect, and there can be massive impacts on the origin server, even more severe than a crashed host or website access failures.
- Updating certificates does not affect services. The old certificate still works during the certificate replacement. The new certificate will take over the job once it has been uploaded and successfully associated with the domain name.
Updating the Certificate Used for a Website- Log in to the management console.
- Click
 in the upper left corner of the management console and select a region or project. - Click
 in the upper left corner and choose Web Application Firewall (Dedicated) under Security. - In the navigation pane on the left, choose Website Settings.
- In the Domain Name column, click the domain name of the website to go to the basic information page.
- Click the edit icon next to the certificate name. In the Update Certificate dialog box, import a new certificate or select an existing certificate.
- If you select Import new certificate for Update Method, enter a certificate name, and copy and paste the certificate file and private key into the corresponding text boxes.
WAF encrypts and saves the private key to keep it safe.
+ Updating the Certificate Used for a Website- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
- In the navigation pane on the left, choose Website Settings.
- In the Domain Name column, click the domain name of the website to go to the basic information page.
- Click Modify next to the certificate name. In the Update Certificate dialog box, import a new certificate or select an existing certificate.
- If you select Import new certificate for Update Method, enter a certificate name, and copy and paste the certificate file and private key into the corresponding text boxes.
WAF encrypts and saves the private key to keep it safe.
Figure 1 Update Certificate
Only .pem certificates can be used in WAF. If the certificate is not in .pem format, convert it into .pem locally by referring to Table 1 before uploading it.
diff --git a/docs/wafd/umn/waf_01_0265.html b/docs/wafd/umn/waf_01_0265.html
index b36cc0514..4a2283d33 100644
--- a/docs/wafd/umn/waf_01_0265.html
+++ b/docs/wafd/umn/waf_01_0265.html
@@ -8,7 +8,14 @@
- 2024-12-13
+ | 2025-01-17
+ |
+This issue is the ninth official release.
+Modified the following content:
+
+ |
+
+2024-12-13
|
This issue is the eighth official release.
Added the following content:
diff --git a/docs/wafd/umn/waf_01_0271.html b/docs/wafd/umn/waf_01_0271.html
index 23f11649d..4029d4ca1 100644
--- a/docs/wafd/umn/waf_01_0271.html
+++ b/docs/wafd/umn/waf_01_0271.html
@@ -27,11 +27,11 @@
| Blocking Type
|
Specifies the blocking type. The options are:
-- Long-term IP address blocking
- Short-term IP address blocking
- Long-term Cookie blocking
- Short-term Cookie blocking
- Long-term Params blocking
- Short-term Params blocking
+- Long-term IP address blocking
- Short-term IP address blocking
- Long-term Cookie blocking
- Short-term Cookie blocking
- Long-term Params blocking
- Short-term Params blocking
NOTICE: For blacklist and whitelist rules, a known attack source with Long-term IP address blocking or Short-term IP address blocking configured cannot be selected.
|
-Long-term IP address blocking
+ | Long-term IP address blocking
|
Blocking Duration (s)
diff --git a/docs/wafd/umn/waf_01_0272.html b/docs/wafd/umn/waf_01_0272.html
index 03649f10b..cc7e8af61 100644
--- a/docs/wafd/umn/waf_01_0272.html
+++ b/docs/wafd/umn/waf_01_0272.html
@@ -58,8 +58,8 @@
| Peak rate of normal service requests
|
The following lists the specifications of a single instance.
-- Specifications: WI-500. Estimated performance:
- HTTP services - Recommended QPS: 5,000. Maximum QPS: 10,000.
- HTTPS services - Recommended QPS: 4,000. Maximum QPS: 8,000.
- WebSocket service - Maximum concurrent connections: 5,000
- Maximum WAF-to-server persistent connections: 60,000
- - Specifications: WI-100. Estimated performance:
- HTTP services - Recommended QPS: 1,000. Maximum QPS: 2,000.
- HTTPS services - Recommended QPS: 800. Maximum QPS: 1,600
- WebSocket service - Maximum concurrent connections: 1,000
- Maximum WAF-to-server persistent connections: 60,000
+- Specifications: WI-500. Estimated performance:
- HTTP services: 5,000 QPS (recommended)
- HTTPS services: 4,000 QPS (recommended)
- WebSocket service - Maximum concurrent connections: 5,000
- Maximum WAF-to-server persistent connections: 60,000
+ - Specifications: WI-100. Estimated performance:
- HTTP services: 1,000 QPS (recommended)
- HTTPS services: 800 QPS (recommended)
- WebSocket service - Maximum concurrent connections: 1,000
- Maximum WAF-to-server persistent connections: 60,000
NOTICE: Maximum QPS values are for reference only. They may vary depending on your businesses. The real-world QPS is related to the request size and the type and quantity of protection rules you customize.
diff --git a/docs/wafd/umn/waf_01_0278.html b/docs/wafd/umn/waf_01_0278.html
index 542a1e713..1984275ff 100644
--- a/docs/wafd/umn/waf_01_0278.html
+++ b/docs/wafd/umn/waf_01_0278.html
@@ -53,7 +53,7 @@
|
-Cause 1: Access Status for Domain Name/IP Address not updated
+ | Cause 1: Access Status for Domain Name/IP Address not updated
|
In the Access Status column for the website, click  to update the status.
|
diff --git a/docs/wafd/umn/waf_01_0287.html b/docs/wafd/umn/waf_01_0287.html
index 82f743d32..44b724f3c 100644
--- a/docs/wafd/umn/waf_01_0287.html
+++ b/docs/wafd/umn/waf_01_0287.html
@@ -6,7 +6,7 @@
Prerequisites- You have applied for a dedicated WAF instance.
- You have contacted technical support to apply for the ELB access mode.
- You have applied for a dedicated load balancer. Its specifications must be Application load balancing (HTTP/HTTPS). Note that the account you use to apply for the load balancer must have WAF dedicated mode enabled.
Connecting a Website to WAF in ELB Access Mode- Log in to the management console.
- Click
 in the upper left corner of the management console and select a region or project. - Click
 in the upper left corner and choose Web Application Firewall (Dedicated) under Security. - In the navigation pane on the left, choose Website Settings.
- In the upper left corner of the website list, click Add Website.
- Choose ELB access and click OK.
- On the displayed domain name details page, configure basic settings by referring to Table 1.
+ Connecting a Website to WAF in ELB Access Mode- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
- In the navigation pane on the left, choose Website Settings.
- In the upper left corner of the website list, click Add Website.
- Choose ELB access and click OK.
- On the displayed domain name details page, configure basic settings by referring to Table 1.
Table 1 Parameter descriptionParameter
|
Description
@@ -25,7 +25,7 @@
|
|---|
ELB Listener
|
Listener configured for the selected ELB load balancer.
-- All listeners
- Specific listener
+- All listeners
- Specific listener
|
All listeners
|
@@ -41,11 +41,11 @@
Set this parameter to the domain name or IP address you want to protect. Make sure that the domain name has been resolved to the EIP of the load balancer.
Single domain names or wildcard domain names are supported.
-- Single domain name: Enter a single domain name, for example, www.example.com.
- Wildcard domain name
- If the server IP address of each subdomain name is the same, enter a wildcard domain name. For example, if the subdomain names a.example.com, b.example.com, and c.example.com have the same server IP address, you can add the wildcard domain name *.example.com to WAF to protect all three.
- If the server IP addresses of subdomain names are different, add subdomain names as single domain names one by one.
- Wildcard domain name* can be added.
+- Single domain name: Enter a single domain name, for example, www.example.com.
- Wildcard domain name
- If the server IP address of each subdomain name is the same, enter a wildcard domain name. For example, if the subdomain names a.example.com, b.example.com, and c.example.com have the same server IP address, you can add the wildcard domain name *.example.com to WAF to protect all three.
- If the server IP addresses of subdomain names are different, add subdomain names as single domain names one by one.
- Wildcard domain name* can be added.
|
-Single domain name: www.example.com
-Wildcard domain name: *.example.com
+ | Single domain name: www.example.com
+Wildcard domain name: *.example.com
IP Address:
XXX.XXX.1.1
|
@@ -59,12 +59,12 @@
Policy
|
-The system-generated policy is selected by default. You can select a policy you configured before. You can also customize rules after the domain name is connected to WAF.
+ | The system-generated policy is selected by default. You can select a policy you configured before. You can also customize rules after the domain name is connected to WAF.
System-generated policies
-- Basic web protection (Log only mode and common checks)
The basic web protection defends against attacks such as SQL injections, XSS, remote overflow vulnerabilities, file inclusions, Bash vulnerabilities, remote command execution, directory traversal, sensitive file access, and command/code injections.
- - Anti-crawler (Log only mode and Scanner feature)
WAF only logs web scanning tasks, such as vulnerability scanning and virus scanning, such as crawling behavior of OpenVAS and Nmap.
+- Basic web protection (Log only mode and common checks)
The basic web protection defends against attacks such as SQL injections, XSS, remote overflow vulnerabilities, file inclusions, Bash vulnerabilities, remote command execution, directory traversal, sensitive file access, and command/code injections.
+ - Anti-crawler (Log only mode and Scanner feature)
WAF only logs web scanning tasks, such as vulnerability scanning and virus scanning, such as crawling behavior of OpenVAS and Nmap.
- NOTE: - Log only: WAF only logs detected attacks instead of blocking them.
- Only the professional and platinum editions allow you to specify a custom policy for Policy.
+ NOTE: - Log only: WAF only logs detected attacks instead of blocking them.
- Only the professional and platinum editions allow you to specify a custom policy for Policy.
|
System-generated policy
@@ -74,7 +74,7 @@
|
- - Click OK.
You can view the added websites in the protected website list.
+ - Click OK.
You can view the added websites in the protected website list.
Follow-up Operations- The initial Access Status of a website is Unaccessed. When a request reaches the WAF instance configured for the website, the access status automatically changes to Accessed. To address access failure, see
- Complete Recommended Configurations
- Adjust the protection policy configured for the protected domain name based on protection requirements. For details, see Protection Configuration Overview.
diff --git a/docs/wafd/umn/waf_01_0311.html b/docs/wafd/umn/waf_01_0311.html
index e99e0fdc5..68dc7de3f 100644
--- a/docs/wafd/umn/waf_01_0311.html
+++ b/docs/wafd/umn/waf_01_0311.html
@@ -10,7 +10,7 @@
diff --git a/docs/wafd/umn/waf_01_0312.html b/docs/wafd/umn/waf_01_0312.html
index faa6090ea..3a1f6f38f 100644
--- a/docs/wafd/umn/waf_01_0312.html
+++ b/docs/wafd/umn/waf_01_0312.html
@@ -8,7 +8,7 @@
Configuring a Precise Protection Rule to Block All Source IP Addresses Except the Specified Ones- Log in to the management console.
- Click
 in the upper left corner of the management console and select a region or project. - Click
 in the upper left corner and choose Web Application Firewall (Dedicated) under Security. - In the navigation pane on the left, choose Policies.
- Click the name of the target policy to go to the protection configuration page.
- In the Precise Protection configuration area, enable the protection.
Figure 3 Precise Protection configuration area
- - Click Customize Rule. In the upper left corner of the displayed page, click Add Rule.
- In the displayed Add Precise Protection Rule dialog box, add a protection rule as shown in Figure 4 to block all requests.
 The priority value here must be greater than that configured in Step 9 because allowing access has a higher priority than blocking access and a smaller priority value indicates a higher priority.
+ - In the upper left corner of the displayed page, click Add Rule.
- In the displayed Add Precise Protection Rule dialog box, add a protection rule as shown in Figure 4 to block all requests.
The priority value here must be greater than that configured in Step 9 because allowing access has a higher priority than blocking access and a smaller priority value indicates a higher priority.
Figure 4 Blocking all requests
- Click Add Rule. In the displayed Add Precise Protection Rule dialog box, add a rule for the specified IP address.
For example, if you want to allow 192.168.2.3 to access the website, add a protection rule as shown in Figure 5.
diff --git a/docs/wafd/umn/waf_01_0355.html b/docs/wafd/umn/waf_01_0355.html
index b2be49611..67db50898 100644
--- a/docs/wafd/umn/waf_01_0355.html
+++ b/docs/wafd/umn/waf_01_0355.html
@@ -3,7 +3,7 @@
Why Does the Page Fail to Be Refreshed After WTP Is Enabled?
Web Tamper Protection (WTP) supports only caching of static web pages. Perform the following steps to fix this issue:
- Log in to the management console.
- Click
 in the upper left corner of the management console and select a region or project. - Click
 in the upper left corner and choose Web Application Firewall (Dedicated) under Security. - In the navigation pane on the left, choose Policies.
- Click the name of the target policy to go to the protection configuration page.
- Click the Web Tamper Protection configuration area and check whether this function is enabled.
- If this function is enabled (
 ), go to Step 7. - If this function is disabled (
 ), click  to enable the function. Refresh the page several minutes later.
- - Click Customize Rule. On the displayed page, check whether the domain name and path are correct.
- If they are correct, go to Step 8.
- If they are incorrect, click Delete in the Operation column to delete the rule. Then, click Add Rule above the rule list and configure another rule.
After the rule is added successfully, refresh the page several minutes later. Then, access the page again.
+ - Click Customize Rule. On the displayed page, check whether the domain name and path are correct.
- In the row containing the web tamper protection rule, click Update Cache in the Operation column.
If the content of a protected page is modified, you must update the cache. Otherwise, WAF always returns the most recently cached content.
After updating the cache, refresh the page and access the page again. If the page is still not updated, contact technical support.
diff --git a/docs/wafd/umn/waf_01_0425.html b/docs/wafd/umn/waf_01_0425.html
index 155b58d09..5cad86c94 100644
--- a/docs/wafd/umn/waf_01_0425.html
+++ b/docs/wafd/umn/waf_01_0425.html
@@ -12,8 +12,8 @@
Peak rate of normal service requests
|
The following lists the specifications of a single instance.
-- Specifications: WI-500. Estimated performance:
- HTTP services - Recommended QPS: 5,000. Maximum QPS: 10,000.
- HTTPS services - Recommended QPS: 4,000. Maximum QPS: 8,000.
- WebSocket service - Maximum concurrent connections: 5,000
- Maximum WAF-to-server persistent connections: 60,000
- - Specifications: WI-100. Estimated performance:
- HTTP services - Recommended QPS: 1,000. Maximum QPS: 2,000.
- HTTPS services - Recommended QPS: 800. Maximum QPS: 1,600
- WebSocket service - Maximum concurrent connections: 1,000
- Maximum WAF-to-server persistent connections: 60,000
+- Specifications: WI-500. Estimated performance:
- HTTP services: 5,000 QPS (recommended)
- HTTPS services: 4,000 QPS (recommended)
- WebSocket service - Maximum concurrent connections: 5,000
- Maximum WAF-to-server persistent connections: 60,000
+ - Specifications: WI-100. Estimated performance:
- HTTP services: 1,000 QPS (recommended)
- HTTPS services: 800 QPS (recommended)
- WebSocket service - Maximum concurrent connections: 1,000
- Maximum WAF-to-server persistent connections: 60,000
NOTICE: Maximum QPS values are for reference only. They may vary depending on your businesses. The real-world QPS is related to the request size and the type and quantity of protection rules you customize.
diff --git a/docs/wafd/umn/waf_01_1249.html b/docs/wafd/umn/waf_01_1249.html
index 412cc095e..ea12a4c30 100644
--- a/docs/wafd/umn/waf_01_1249.html
+++ b/docs/wafd/umn/waf_01_1249.html
@@ -2,33 +2,33 @@
Ports Supported by WAF
WAF can protect standard and non-standard ports. When you add a website to WAF, you need to specify protection port, which is your service port. WAF will then forward and protect traffic over this port. This section describes the standard and non-standard ports WAF can protect.
- Table 1 lists the ports that can be protected by WAF.
- Table 1 Ports supported by WAFPort Category
+Table 1 lists the ports that can be protected by WAF.
+ Table 1 Ports supported by WAFPort Type
|
-HTTP Protocol
+ | HTTP
|
-HTTPS Protocol
+ | HTTPS
|
-Port Limit
+ | Port Limit
|
|---|
-Standard ports
+ | Standard ports
|
-80
+ | 80
|
-443
+ | 443
|
-Unlimited
+ | Unlimited
|
-Non-standard ports (182 in total)
+ | Non-standard ports (182 in total)
|
-9945, 9770, 81, 82, 83, 84, 88, 89, 800, 808, 1000, 1090, 3128, 3333, 3501, 3601, 4444, 5000, 5222, 5555, 5601, 6001, 6666, 6788, 6789, 6842, 6868, 7000, 7001, 7002, 7003, 7004, 7005, 7006, 7009, 7010, 7011, 7012, 7013, 7014, 7015, 7016, 7018, 7019, 7020, 7021, 7022, 7023, 7024, 7025, 7026, 7070, 7081, 7082, 7083, 7088, 7097, 7777, 7800, 7979, 8000, 8001, 8002, 8003, 8008, 8009, 8010, 8020, 8021, 8022, 8025, 8026, 8077, 8078, 8080, 8085, 8086, 8087, 8088, 8089, 8090, 8091, 8092, 8093, 8094, 8095, 8096, 8097, 8098, 8106, 8118, 8181, 8334, 8336, 8800, 8686, 8888, 8889, 8989, 8999, 9000, 9001, 9002, 9003, 9080, 9200, 9802, 10000, 10001, 10080, 12601, 86, 9021, 9023, 9027, 9037, 9081, 9082, 9201, 9205, 9207, 9208, 9209, 9210, 9211, 9212, 9213, 48800, 87, 97, 7510, 9180, 9898, 9908, 9916, 9918, 9919, 9928, 9929, 9939, 28080, 33702, 8011, 8012, 8013, 8014, 8015, 8016, 8017, and 8070
+ | 9945, 9770, 81, 82, 83, 84, 88, 89, 800, 808, 1000, 1090, 3128, 3333, 3501, 3601, 4444, 5000, 5222, 5555, 5601, 6001, 6666, 6788, 6789, 6842, 6868, 7000, 7001, 7002, 7003, 7004, 7005, 7006, 7009, 7010, 7011, 7012, 7013, 7014, 7015, 7016, 7018, 7019, 7020, 7021, 7022, 7023, 7024, 7025, 7026, 7070, 7081, 7082, 7083, 7088, 7097, 7777, 7800, 7979, 8000, 8001, 8002, 8003, 8008, 8009, 8010, 8020, 8021, 8022, 8025, 8026, 8077, 8078, 8080, 8085, 8086, 8087, 8088, 8089, 8090, 8091, 8092, 8093, 8094, 8095, 8096, 8097, 8098, 8106, 8118, 8181, 8334, 8336, 8800, 8686, 8888, 8889, 8989, 8999, 9000, 9001, 9002, 9003, 9080, 9200, 9802, 10000, 10001, 10080, 12601, 86, 9021, 9023, 9027, 9037, 9081, 9082, 9201, 9205, 9207, 9208, 9209, 9210, 9211, 9212, 9213, 48800, 87, 97, 7510, 9180, 9898, 9908, 9916, 9918, 9919, 9928, 9929, 9939, 28080, 33702, 8011, 8012, 8013, 8014, 8015, 8016, 8017, 8070
|
-8750, 8445, 18010, 4443, 5443, 6443, 7443, 8081, 8082, 8083, 8084, 8443, 8843, 9443, 8553, 8663, 9553, 9663, 18110, 18381, 18980, 28443, 18443, 8033, 18000, 19000, 7072, 7073, 8803, 8804, 8805, 9999
+ | 8750, 8445, 18010, 4443, 5443, 6443, 7443, 8081, 8082, 8083, 8084, 8443, 8843, 9443, 8553, 8663, 9553, 9663, 18110, 18381, 18980, 28443, 18443, 8033, 18000, 19000, 7072, 7073, 8803, 8804, 8805, 9999
|
-Unlimited
+ | Unlimited
|
diff --git a/docs/wafd/umn/waf_01_1346.html b/docs/wafd/umn/waf_01_1346.html
index de4a1d151..2f2071073 100644
--- a/docs/wafd/umn/waf_01_1346.html
+++ b/docs/wafd/umn/waf_01_1346.html
@@ -8,9 +8,7 @@
For example:
curl -kv -H "Host: a.example.com" http://192.168.0.1
If the response code is 200, the request has been forwarded.
-- Attack blocking test
- Ensure that the block mode for basic web protection has been enabled in the policy used for the protected website.
-
-
+ - Attack blocking test
- Ensure that the block mode for basic web protection has been enabled in the policy used for the protected website.
Figure 1 Enabling Basic Web Protection
- Run the following command:
curl -kv -H "Host: {protection object added to WAF}"{Client protocol in server configuration}://{IP address of the dedicated WAF instance}:{protection port}--data "id=1 and 1='1"
Example: curl -kv -H "Host: a.example.com" http:// 192.168.X.X --data "id=1 and 1='1"
If the response code is 200, the request has been forwarded.
If the dedicated WAF instance works but the request fails to be forwarded, check the load balancer settings first. If the load balancer health check result is unhealthy, disable health check and perform the preceding operations again.
- - Attack blocking test
- Ensure that the block mode for basic web protection has been enabled in the policy used for the protected website.
-
-
+ - Attack blocking test
- Ensure that the block mode for basic web protection has been enabled in the policy used for the protected website.
Figure 2 Enabling Basic Web Protection
- Run the following command:
curl -kv -H "Host: { protection object added to WAF}"{ELB external protocol}://{Private IP address bound to the load balancer}:{ELB listening port}--data "id=1 and 1='1"
If an EIP has been bound to the load balancer, any publicly accessible servers can be used for testing.
curl -kv -H "Host: { protection object added to WAF}"{ELB external protocol}://{EIP bound to the load balancer}:{ELB listening port}--data "id=1 and 1='1"
diff --git a/docs/wafd/umn/waf_01_3271.html b/docs/wafd/umn/waf_01_3271.html
index 734ea8c49..7c2d03e44 100644
--- a/docs/wafd/umn/waf_01_3271.html
+++ b/docs/wafd/umn/waf_01_3271.html
@@ -1,9 +1,9 @@
Condition Field Description
-When setting a CC attack, precise access, or global whitelist protection rule, there are some fields in the Condition List or Trigger area. These fields together are used to define the request attributes to trigger the rule. This topic describes the fields that you can specify in conditions to trigger a rule.
- What Is a Condition Field?A condition field specifies the request attribute WAF checks against protection rules. When configuring a CC attack protection rule, precise access protection rule, or global protection whitelist, you can define condition fields to specify request attributes to trigger the rule. If a request meets the conditions set in a rule, the request matches the rule. WAF handles the request based on the action (for example, allow, block, or log only) set in the rule.
- Figure 1 Condition field
+ When setting a precise access, CC attack protection, or global protection whitelist rule, there are some fields in the Condition List or Trigger area. These fields together are used to define the request attributes to trigger the rule. This topic describes the fields that you can specify in conditions to trigger a rule.
+ What Is a Condition Field?A condition field specifies the request attribute WAF checks against protection rules. When configuring a precise access protection rule, CC attack protection rule, or global protection whitelist, you can define condition fields to specify request attributes to trigger the rule. If a request meets the conditions set in a rule, the request matches the rule. WAF handles the request based on the action (for example, allow, block, or log only) set in the rule.
+ Figure 1 Condition field
A condition field consists of the field, subfield, logic, and content. Example:
- Example 1: If Field is set to Path, logic to Include, and Content to /admin, a request matches the rule when the requested path contains /admin.
- Example 2: Set Field to IPv4, Subfield to Client IP Address, Logic to Equal to, and Content to 192.XX.XX.3. When the client IP address is 192.XX.XX.3, the request hits the rule.
@@ -18,7 +18,7 @@
- Path: part of a URL that does not include a domain name. This value supports exact matches only. For example, if the path to be protected is /admin, Path must be set to /admin.
+ | Path: part of a URL that does not include a domain name. This value supports exact matches only, so that the path to be protected must be the same as the path you specify for this parameter. For example, if the path to be protected is /admin, Path must be set to /admin.
|
--
|
diff --git a/docs/wafd/umn/waf_01_5249.html b/docs/wafd/umn/waf_01_5249.html
index 7ff84b71b..f6b7fed94 100644
--- a/docs/wafd/umn/waf_01_5249.html
+++ b/docs/wafd/umn/waf_01_5249.html
@@ -23,7 +23,7 @@
Protected Object
|
-- Domain name: used by visitors to access your website. A domain name consists of letters separated by dots (.). It is a human readable address that maps to the machine readable IP address of your server.
- IP: IP address of the website.
+ | - Domain name: used by visitors to access your website. A domain name consists of letters separated by dots (.). It is a human readable address that maps to the machine-readable IP address of your server.
- IP: IP address of the website.
|
www.example.com
|
|
|---|
|
|
|---|
|
in the upper left corner of the management console and select a region or project.
in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
