diff --git a/docs/wafd/umn/ALL_META.TXT.json b/docs/wafd/umn/ALL_META.TXT.json new file mode 100644 index 000000000..bbc612184 --- /dev/null +++ b/docs/wafd/umn/ALL_META.TXT.json @@ -0,0 +1,1202 @@ +[ + { + "uri":"waf_01_0064.html", + "product_code":"dwaf", + "code":"1", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Service Overview", + "title":"Service Overview", + "githuburl":"" + }, + { + "uri":"waf_01_0045.html", + "product_code":"dwaf", + "code":"2", + "des":"Web Application Firewall (WAF) keeps web services stable and secure. It examines all HTTP and HTTPS requests to detect and block the following attacks: Structured Query L", + "doc_type":"usermanual", + "kw":"What Is Web Application Firewall?,Service Overview,User Guide", + "title":"What Is Web Application Firewall?", + "githuburl":"" + }, + { + "uri":"waf_01_0272.html", + "product_code":"dwaf", + "code":"3", + "des":"WAF is deployed in dedicated mode. The following tables describe specifications and functions of the dedicated WAF instances.Table 1 describes dedicated WAF instances.For", + "doc_type":"usermanual", + "kw":"Specifications,Service Overview,User Guide", + "title":"Specifications", + "githuburl":"" + }, + { + "uri":"waf_01_0094.html", + "product_code":"dwaf", + "code":"4", + "des":"WAF makes it easier for you to handle web security risks.WAF keeps applications stable and secure. It examines HTTP and HTTPS requests to detect and block attacks, such a", + "doc_type":"usermanual", + "kw":"Functions,Service Overview,User Guide", + "title":"Functions", + "githuburl":"" + }, + { + "uri":"waf_01_0065.html", + "product_code":"dwaf", + "code":"5", + "des":"WAF examines web traffic from multiple dimensions to accurately identify malicious requests and filter attacks, reducing the risks of data being tampered with or stolen.W", + "doc_type":"usermanual", + "kw":"Product Advantages,Service Overview,User Guide", + "title":"Product Advantages", + "githuburl":"" + }, + { + "uri":"waf_01_0046.html", + "product_code":"dwaf", + "code":"6", + "des":"WAF helps you defend against common web attacks, such as command injection and sensitive file access.Countless malicious requests may be sent to service interfaces during", + "doc_type":"usermanual", + "kw":"Application Scenarios,Service Overview,User Guide", + "title":"Application Scenarios", + "githuburl":"" + }, + { + "uri":"waf_01_0052.html", + "product_code":"dwaf", + "code":"7", + "des":"If you need to assign different permissions to employees in your enterprise to access your WAF resources, IAM is a good choice for fine-grained permissions management. IA", + "doc_type":"usermanual", + "kw":"WAF Permissions Management,Service Overview,User Guide", + "title":"WAF Permissions Management", + "githuburl":"" + }, + { + "uri":"waf_01_0051.html", + "product_code":"dwaf", + "code":"8", + "des":"This topic describes WAF and other cloud services.Cloud Eye monitors the indicators of the dedicated WAF, so that you can understand the protection status of the dedicate", + "doc_type":"usermanual", + "kw":"WAF and Other Services,Service Overview,User Guide", + "title":"WAF and Other Services", + "githuburl":"" + }, + { + "uri":"waf_01_0071.html", + "product_code":"dwaf", + "code":"9", + "des":"Sort out all website services you want to protect with WAF. This helps you learn about your workloads and specific data of your workloads so that you can choose and confi", + "doc_type":"usermanual", + "kw":"Overview,User Guide", + "title":"Overview", + "githuburl":"" + }, + { + "uri":"waf_01_1072.html", + "product_code":"dwaf", + "code":"10", + "des":"If your service servers are deployed on the cloud, you can buy dedicated WAF instances (or dedicated WAF engines) to protect important websites through domain names or to", + "doc_type":"usermanual", + "kw":"Applying for a Dedicated WAF Instance,User Guide", + "title":"Applying for a Dedicated WAF Instance", + "githuburl":"" + }, + { + "uri":"waf_01_0070.html", + "product_code":"dwaf", + "code":"11", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Enabling WAF Protection", + "title":"Enabling WAF Protection", + "githuburl":"" + }, + { + "uri":"waf_01_0249.html", + "product_code":"dwaf", + "code":"12", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Connecting a Website to WAF", + "title":"Connecting a Website to WAF", + "githuburl":"" + }, + { + "uri":"waf_01_0250.html", + "product_code":"dwaf", + "code":"13", + "des":"If your service servers are deployed on the cloud, you can add the domain name or IP address of the website to WAF so that the website traffic is forwarded to WAF for ins", + "doc_type":"usermanual", + "kw":"Step 1: Add a Website to WAF,Connecting a Website to WAF,User Guide", + "title":"Step 1: Add a Website to WAF", + "githuburl":"" + }, + { + "uri":"waf_01_0251.html", + "product_code":"dwaf", + "code":"14", + "des":"To ensure your dedicated WAF instance reliability, after you add a website to it, use Elastic Load Balance (ELB) to configure a load balancer and a health check for the d", + "doc_type":"usermanual", + "kw":"Step 2: Configure a Load Balancer,Connecting a Website to WAF,User Guide", + "title":"Step 2: Configure a Load Balancer", + "githuburl":"" + }, + { + "uri":"waf_01_0252.html", + "product_code":"dwaf", + "code":"15", + "des":"After you configure a load balancer for your dedicated WAF instance, you need to unbind the EIP from the origin server and then bind this EIP to the load balancer you con", + "doc_type":"usermanual", + "kw":"Step 3: Bind an EIP to a Load Balancer,Connecting a Website to WAF,User Guide", + "title":"Step 3: Bind an EIP to a Load Balancer", + "githuburl":"" + }, + { + "uri":"waf_01_0067.html", + "product_code":"dwaf", + "code":"16", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Website Domain Name Management", + "title":"Website Domain Name Management", + "githuburl":"" + }, + { + "uri":"waf_01_0020.html", + "product_code":"dwaf", + "code":"17", + "des":"This topic describes how to view the basic information about a protected website, switch WAF working mode, and delete a domain name of a protected website from WAF.A webs", + "doc_type":"usermanual", + "kw":"Viewing Basic Information,Website Domain Name Management,User Guide", + "title":"Viewing Basic Information", + "githuburl":"" + }, + { + "uri":"waf_01_0003.html", + "product_code":"dwaf", + "code":"18", + "des":"You can change the working mode of WAF. WAF can work in Enabled or Suspended mode.The domain name of the website to be protected has been connected to WAF.Enabled: In thi", + "doc_type":"usermanual", + "kw":"Switching WAF Working Mode,Website Domain Name Management,User Guide", + "title":"Switching WAF Working Mode", + "githuburl":"" + }, + { + "uri":"waf_01_0169.html", + "product_code":"dwaf", + "code":"19", + "des":"Transport Layer Security (TLS) provides confidentiality and ensures data integrity for data sent between applications over the Internet. HTTPS is a network protocol const", + "doc_type":"usermanual", + "kw":"Configuring PCI DSS/3DS Certification Check and TLS Version,Website Domain Name Management,User Guid", + "title":"Configuring PCI DSS/3DS Certification Check and TLS Version", + "githuburl":"" + }, + { + "uri":"waf_01_1171.html", + "product_code":"dwaf", + "code":"20", + "des":"If you want to set a timeout duration for each request between your WAF instance and origin server, enable Timeout Settings and specify WAF-to-Server connection timeout (", + "doc_type":"usermanual", + "kw":"Configuring Connection Timeout,Website Domain Name Management,User Guide", + "title":"Configuring Connection Timeout", + "githuburl":"" + }, + { + "uri":"waf_01_1172.html", + "product_code":"dwaf", + "code":"21", + "des":"If a large number of 502 Bad Gateway and 504 Gateway Timeout errors are detected, you can enable WAF breakdown protection and connection protection to let WAF suspend you", + "doc_type":"usermanual", + "kw":"Configuring Connection Protection,Website Domain Name Management,User Guide", + "title":"Configuring Connection Protection", + "githuburl":"" + }, + { + "uri":"waf_01_0262.html", + "product_code":"dwaf", + "code":"22", + "des":"If you set Client Protocol to HTTPS when you add a website to WAF, upload a certificate and use it for your website.If your website certificate is about to expire, purcha", + "doc_type":"usermanual", + "kw":"Updating a Certificate,Website Domain Name Management,User Guide", + "title":"Updating a Certificate", + "githuburl":"" + }, + { + "uri":"waf_01_0270.html", + "product_code":"dwaf", + "code":"23", + "des":"WAF allows you to configure traffic identifiers by IP address, session, or user tag to block possibly malicious requests from known attack sources based on IP address, Co", + "doc_type":"usermanual", + "kw":"Configuring a Traffic Identifier for a Known Attack Source,Website Domain Name Management,User Guide", + "title":"Configuring a Traffic Identifier for a Known Attack Source", + "githuburl":"" + }, + { + "uri":"waf_01_0001.html", + "product_code":"dwaf", + "code":"24", + "des":"This topic describes how to edit or add server information for a website to be protected.Applicable scenarios:Modify server information, including Client Protocol, Server", + "doc_type":"usermanual", + "kw":"Editing Server Information,Website Domain Name Management,User Guide", + "title":"Editing Server Information", + "githuburl":"" + }, + { + "uri":"waf_01_0154.html", + "product_code":"dwaf", + "code":"25", + "des":"If a visitor is blocked by WAF, the Default block page of WAF is returned by default. You can also configure Custom or Redirection for the block page to be returned as re", + "doc_type":"usermanual", + "kw":"Modifying the Alarm Page,Website Domain Name Management,User Guide", + "title":"Modifying the Alarm Page", + "githuburl":"" + }, + { + "uri":"waf_01_0005.html", + "product_code":"dwaf", + "code":"26", + "des":"This topic describes how to remove a website from WAF if you no longer need to protect it.A website domain name has been added to WAF.It takes about a minute to remove a ", + "doc_type":"usermanual", + "kw":"Removing a Protected Website from WAF,Website Domain Name Management,User Guide", + "title":"Removing a Protected Website from WAF", + "githuburl":"" + }, + { + "uri":"waf_01_0261.html", + "product_code":"dwaf", + "code":"27", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Certificate Management", + "title":"Certificate Management", + "githuburl":"" + }, + { + "uri":"waf_01_0078.html", + "product_code":"dwaf", + "code":"28", + "des":"If you select HTTPS for Client Protocol when you add a website to WAF, a certificate must be associated with the website.You can upload a certificate to WAF. Then you can", + "doc_type":"usermanual", + "kw":"Uploading a Certificate,Certificate Management,User Guide", + "title":"Uploading a Certificate", + "githuburl":"" + }, + { + "uri":"waf_01_0367.html", + "product_code":"dwaf", + "code":"29", + "des":"If you configure Client Protocol to HTTPS for your website, the website needs an SSL certificate. This topic describes how to bind an SSL certificate that you have upload", + "doc_type":"usermanual", + "kw":"Binding a Certificate to a Protected Website,Certificate Management,User Guide", + "title":"Binding a Certificate to a Protected Website", + "githuburl":"" + }, + { + "uri":"waf_01_0263.html", + "product_code":"dwaf", + "code":"30", + "des":"This topic describes how to delete an expired or invalid certificate.The certificate you want to delete is not bound to a protected website.If a certificate to be deleted", + "doc_type":"usermanual", + "kw":"Deleting a Certificate,Certificate Management,User Guide", + "title":"Deleting a Certificate", + "githuburl":"" + }, + { + "uri":"waf_01_0282.html", + "product_code":"dwaf", + "code":"31", + "des":"This topic describes how to view certificate details, including the certificate name, domain name a certificate is used for, and expiration time.You have created or pushe", + "doc_type":"usermanual", + "kw":"Viewing Certificate Information,Certificate Management,User Guide", + "title":"Viewing Certificate Information", + "githuburl":"" + }, + { + "uri":"waf_01_0007.html", + "product_code":"dwaf", + "code":"32", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Rule Configuration", + "title":"Rule Configuration", + "githuburl":"" + }, + { + "uri":"waf_01_0129.html", + "product_code":"dwaf", + "code":"33", + "des":"The built-in protection rules of WAF help you defend against common web application attacks, including XSS attacks, SQL injection, crawlers, and web shells. You can custo", + "doc_type":"usermanual", + "kw":"Configuration Guidance,Rule Configuration,User Guide", + "title":"Configuration Guidance", + "githuburl":"" + }, + { + "uri":"waf_01_0008.html", + "product_code":"dwaf", + "code":"34", + "des":"After this function is enabled, WAF can defend against common web attacks, such as SQL injections, XSS, remote overflow vulnerabilities, file inclusions, Bash vulnerabili", + "doc_type":"usermanual", + "kw":"Configuring Basic Web Protection Rules,Rule Configuration,User Guide", + "title":"Configuring Basic Web Protection Rules", + "githuburl":"" + }, + { + "uri":"waf_01_0009.html", + "product_code":"dwaf", + "code":"35", + "des":"You can customize a CC attack protection rule to restrict access to a specific URL on your website based on an IP address, cookie, or Referer, mitigating CC attacks. To m", + "doc_type":"usermanual", + "kw":"Configuring a CC Attack Protection Rule,Rule Configuration,User Guide", + "title":"Configuring a CC Attack Protection Rule", + "githuburl":"" + }, + { + "uri":"waf_01_0010.html", + "product_code":"dwaf", + "code":"36", + "des":"WAF allows you to customize protection rules by combining HTTP headers, cookies, URLs, request parameters, and client IP addresses.You can combine common HTTP fields, suc", + "doc_type":"usermanual", + "kw":"Configuring a Precise Protection Rule,Rule Configuration,User Guide", + "title":"Configuring a Precise Protection Rule", + "githuburl":"" + }, + { + "uri":"waf_01_0081.html", + "product_code":"dwaf", + "code":"37", + "des":"This topic describes how to create a reference table to batch configure protection metrics of a single type, such as Path, User Agent, IP, Params, Cookie, Referer, and He", + "doc_type":"usermanual", + "kw":"Adding a Reference Table,Rule Configuration,User Guide", + "title":"Adding a Reference Table", + "githuburl":"" + }, + { + "uri":"waf_01_0012.html", + "product_code":"dwaf", + "code":"38", + "des":"You can configure blacklist and whitelist rules to block, log only, or allow access requests from specific IP addresses or IP address ranges.A website has been added to W", + "doc_type":"usermanual", + "kw":"Configuring an IP Address Blacklist or Whitelist Rule,Rule Configuration,User Guide", + "title":"Configuring an IP Address Blacklist or Whitelist Rule", + "githuburl":"" + }, + { + "uri":"waf_01_0271.html", + "product_code":"dwaf", + "code":"39", + "des":"If WAF blocks a malicious request by IP address, Cookie, or Params, you can configure a known attack source rule to let WAF automatically block all requests from the atta", + "doc_type":"usermanual", + "kw":"Configuring a Known Attack Source Rule,Rule Configuration,User Guide", + "title":"Configuring a Known Attack Source Rule", + "githuburl":"" + }, + { + "uri":"waf_01_0013.html", + "product_code":"dwaf", + "code":"40", + "des":"This topic describes how to configure a geolocation access control rule. A geolocation access control rule allows you to control IP addresses forwarded from or to specifi", + "doc_type":"usermanual", + "kw":"Configuring a Geolocation Access Control Rule,Rule Configuration,User Guide", + "title":"Configuring a Geolocation Access Control Rule", + "githuburl":"" + }, + { + "uri":"waf_01_0014.html", + "product_code":"dwaf", + "code":"41", + "des":"WAF can cache configuration for static web pages of websites. After you configure a web tamper protection rule, WAF can:Return directly the cached web page to the normal ", + "doc_type":"usermanual", + "kw":"Configuring a Web Tamper Protection Rule,Rule Configuration,User Guide", + "title":"Configuring a Web Tamper Protection Rule", + "githuburl":"" + }, + { + "uri":"waf_01_0015.html", + "product_code":"dwaf", + "code":"42", + "des":"You can configure website anti-crawler protection rules to protect against search engines, scanners, script tools, and other crawlers, and use JavaScript to create custom", + "doc_type":"usermanual", + "kw":"Configuring Anti-Crawler Rules,Rule Configuration,User Guide", + "title":"Configuring Anti-Crawler Rules", + "githuburl":"" + }, + { + "uri":"waf_01_0054.html", + "product_code":"dwaf", + "code":"43", + "des":"You can add two types of information leakage prevention rules.Sensitive information filtering: prevents disclosure of sensitive information (such as ID numbers, phone num", + "doc_type":"usermanual", + "kw":"Configuring an Information Leakage Prevention Rule,Rule Configuration,User Guide", + "title":"Configuring an Information Leakage Prevention Rule", + "githuburl":"" + }, + { + "uri":"waf_01_0016.html", + "product_code":"dwaf", + "code":"44", + "des":"Once an attack hits a WAF basic web protection rule or a feature-library anti-crawler rule, WAF will respond to the attack immediately according to the protective action ", + "doc_type":"usermanual", + "kw":"Configuring a Global Protection Whitelist (Formerly False Alarm Masking) Rule,Rule Configuration,Use", + "title":"Configuring a Global Protection Whitelist (Formerly False Alarm Masking) Rule", + "githuburl":"" + }, + { + "uri":"waf_01_0017.html", + "product_code":"dwaf", + "code":"45", + "des":"This topic describes how to configure data masking rules. You can configure data masking rules to prevent sensitive data such as passwords from being displayed in event l", + "doc_type":"usermanual", + "kw":"Configuring a Data Masking Rule,Rule Configuration,User Guide", + "title":"Configuring a Data Masking Rule", + "githuburl":"" + }, + { + "uri":"waf_01_0021.html", + "product_code":"dwaf", + "code":"46", + "des":"This topic describes how to view event logs, including attack and request statistics, event distribution, top 10 attacked domain names, top 10 attack source IP addresses,", + "doc_type":"usermanual", + "kw":"Dashboard,User Guide", + "title":"Dashboard", + "githuburl":"" + }, + { + "uri":"waf_01_0018.html", + "product_code":"dwaf", + "code":"47", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Event Management", + "title":"Event Management", + "githuburl":"" + }, + { + "uri":"waf_01_0156.html", + "product_code":"dwaf", + "code":"48", + "des":"On the Events page, you can view events generated for blocked attacks and logged only attacks. You can view details of WAF events, including the time an event occurs, ori", + "doc_type":"usermanual", + "kw":"Viewing Protection Event Logs,Event Management,User Guide", + "title":"Viewing Protection Event Logs", + "githuburl":"" + }, + { + "uri":"waf_01_0024.html", + "product_code":"dwaf", + "code":"49", + "des":"If you confirm that an attack event on the Events page is a false alarm, you can handle the event as false alarm by ignoring the URL and rule ID in basic web protection, ", + "doc_type":"usermanual", + "kw":"Handling False Alarms,Event Management,User Guide", + "title":"Handling False Alarms", + "githuburl":"" + }, + { + "uri":"waf_01_0077.html", + "product_code":"dwaf", + "code":"50", + "des":"This topic describes how to download events (logged and blocked events) data for the last five days. One or more CSV files containing the event data of the current day wi", + "doc_type":"usermanual", + "kw":"Downloading Events Data,Event Management,User Guide", + "title":"Downloading Events Data", + "githuburl":"" + }, + { + "uri":"waf_01_0055.html", + "product_code":"dwaf", + "code":"51", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Policy Management", + "title":"Policy Management", + "githuburl":"" + }, + { + "uri":"waf_01_0074.html", + "product_code":"dwaf", + "code":"52", + "des":"A policy is a combination of rules, such as basic web protection, blacklist, whitelist, and precise protection rules. A policy can be applied to multiple domain names, bu", + "doc_type":"usermanual", + "kw":"Adding a Policy,Policy Management,User Guide", + "title":"Adding a Policy", + "githuburl":"" + }, + { + "uri":"waf_01_0061.html", + "product_code":"dwaf", + "code":"53", + "des":"This topic describes how to add rules to one or more policies.A website has been added to WAF.To add a CC attack protection rule, see Table 1.To add a precise protection ", + "doc_type":"usermanual", + "kw":"Adding Rules to One or More Policies,Policy Management,User Guide", + "title":"Adding Rules to One or More Policies", + "githuburl":"" + }, + { + "uri":"waf_01_0075.html", + "product_code":"dwaf", + "code":"54", + "des":"This topic describes how to apply a policy to your protected website.A website has been added to WAF.A protected domain name can use only one policy, but one policy can b", + "doc_type":"usermanual", + "kw":"Applying a Policy to Your Website,Policy Management,User Guide", + "title":"Applying a Policy to Your Website", + "githuburl":"" + }, + { + "uri":"waf_01_0253.html", + "product_code":"dwaf", + "code":"55", + "des":"This topic describes how to manage your dedicated WAF instances (or engines), including viewing instance information, upgrading the instance edition, or deleting an insta", + "doc_type":"usermanual", + "kw":"Dedicated WAF Engine Management,User Guide", + "title":"Dedicated WAF Engine Management", + "githuburl":"" + }, + { + "uri":"waf_01_0319.html", + "product_code":"dwaf", + "code":"56", + "des":"On the Product Details page, you can view information about all your WAF instances, including the edition, domain quotas, and specifications.You have purchased a WAF inst", + "doc_type":"usermanual", + "kw":"Viewing Product Details,User Guide", + "title":"Viewing Product Details", + "githuburl":"" + }, + { + "uri":"waf_01_0096.html", + "product_code":"dwaf", + "code":"57", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Permissions Management", + "title":"Permissions Management", + "githuburl":"" + }, + { + "uri":"waf_01_0243.html", + "product_code":"dwaf", + "code":"58", + "des":"Custom policies can be created to supplement the system-defined policies of WAF.Example 1: Allowing users to query the protected domain list{\n \"Version\": \"1.1\",\n ", + "doc_type":"usermanual", + "kw":"WAF Custom Policies,Permissions Management,User Guide", + "title":"WAF Custom Policies", + "githuburl":"" + }, + { + "uri":"waf_01_0244.html", + "product_code":"dwaf", + "code":"59", + "des":"This topic describes fine-grained permissions management for your WAF instances. If your account does not need individual IAM users, then you may skip over this topic.By ", + "doc_type":"usermanual", + "kw":"WAF Permissions and Supported Actions,Permissions Management,User Guide", + "title":"WAF Permissions and Supported Actions", + "githuburl":"" + }, + { + "uri":"waf_01_1372.html", + "product_code":"dwaf", + "code":"60", + "des":"This topic describes metrics reported by dedicated WAF to Cloud Eye as well as their namespaces and dimensions. You can use APIs provided by Cloud Eye to query the metric", + "doc_type":"usermanual", + "kw":"Monitored Metrics,User Guide", + "title":"Monitored Metrics", + "githuburl":"" + }, + { + "uri":"waf_01_0022.html", + "product_code":"dwaf", + "code":"61", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"FAQs", + "title":"FAQs", + "githuburl":"" + }, + { + "uri":"waf_01_0025.html", + "product_code":"dwaf", + "code":"62", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"About WAF", + "title":"About WAF", + "githuburl":"" + }, + { + "uri":"waf_01_0292.html", + "product_code":"dwaf", + "code":"63", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"WAF Functions", + "title":"WAF Functions", + "githuburl":"" + }, + { + "uri":"waf_01_0029.html", + "product_code":"dwaf", + "code":"64", + "des":"A WAF instance can protect IP addresses.A dedicated or load balancing WAF instance can protect websites through either domain names or IP addresses.The origin server IP a", + "doc_type":"usermanual", + "kw":"Can WAF Protect an IP Address?,WAF Functions,User Guide", + "title":"Can WAF Protect an IP Address?", + "githuburl":"" + }, + { + "uri":"waf_01_0134.html", + "product_code":"dwaf", + "code":"65", + "des":"WAF can protect domain names or IP addresses.", + "doc_type":"usermanual", + "kw":"What Objects Does WAF Protect?,WAF Functions,User Guide", + "title":"What Objects Does WAF Protect?", + "githuburl":"" + }, + { + "uri":"waf_01_0026.html", + "product_code":"dwaf", + "code":"66", + "des":"WAF is deployed on the cloud, which is irrelevant to an OS. Therefore, WAF supports any OS. A domain name server on any OS can be connected to WAF for protection.", + "doc_type":"usermanual", + "kw":"Which OSs Does WAF Support?,WAF Functions,User Guide", + "title":"Which OSs Does WAF Support?", + "githuburl":"" + }, + { + "uri":"waf_01_0030.html", + "product_code":"dwaf", + "code":"67", + "des":"WAF provides protection at seven layers, namely, the physical layer, data link layer, network layer, transport layer, session layer, presentation layer, and application l", + "doc_type":"usermanual", + "kw":"Which Layers Does WAF Provide Protection At?,WAF Functions,User Guide", + "title":"Which Layers Does WAF Provide Protection At?", + "githuburl":"" + }, + { + "uri":"waf_01_0149.html", + "product_code":"dwaf", + "code":"68", + "des":"WAF caches only static web pages that are configured with web tamper protection and sends the cached web pages that are not tampered with to web visitors.", + "doc_type":"usermanual", + "kw":"Does WAF Support File Caching?,WAF Functions,User Guide", + "title":"Does WAF Support File Caching?", + "githuburl":"" + }, + { + "uri":"waf_01_0229.html", + "product_code":"dwaf", + "code":"69", + "des":"WAF supports access control over content at the application layer. HTTP and HTTPS are both application layer protocols.", + "doc_type":"usermanual", + "kw":"Does WAF Support Application Layer Protocol- and Content-Based Access Control?,WAF Functions,User Gu", + "title":"Does WAF Support Application Layer Protocol- and Content-Based Access Control?", + "githuburl":"" + }, + { + "uri":"waf_01_0187.html", + "product_code":"dwaf", + "code":"70", + "des":"The built-in detection of WAF checks POST data, and web shells are the files submitted in POST requests. WAF checks all data, such as forms and JSON files in POST request", + "doc_type":"usermanual", + "kw":"Can WAF Check the Body I Add to the POST Request?,WAF Functions,User Guide", + "title":"Can WAF Check the Body I Add to the POST Request?", + "githuburl":"" + }, + { + "uri":"waf_01_0257.html", + "product_code":"dwaf", + "code":"71", + "des":"No. However, you can customize a CC attack protection rule to restrict access to a specific URL on your website based on an IP address, cookie, or Referer, mitigating CC ", + "doc_type":"usermanual", + "kw":"Can WAF Limit the Access Speed of a Domain Name?,WAF Functions,User Guide", + "title":"Can WAF Limit the Access Speed of a Domain Name?", + "githuburl":"" + }, + { + "uri":"waf_01_0211.html", + "product_code":"dwaf", + "code":"72", + "des":"No. WAF can only detect and restrict source IP addresses.", + "doc_type":"usermanual", + "kw":"Can WAF Block URL Requests That Contain Special Characters?,WAF Functions,User Guide", + "title":"Can WAF Block URL Requests That Contain Special Characters?", + "githuburl":"" + }, + { + "uri":"waf_01_0280.html", + "product_code":"dwaf", + "code":"73", + "des":"WAF cannot block business-related attacks, such as spam and malicious user registrations. To prevent these attacks, configure the registration verification mechanism on y", + "doc_type":"usermanual", + "kw":"Can WAF Block Spam and Malicious User Registrations?,WAF Functions,User Guide", + "title":"Can WAF Block Spam and Malicious User Registrations?", + "githuburl":"" + }, + { + "uri":"waf_01_0212.html", + "product_code":"dwaf", + "code":"74", + "des":"If the request data for calling other APIs on the web page is included in the domain names protected by WAF, the request data passes through WAF. WAF checks the request d", + "doc_type":"usermanual", + "kw":"Can WAF Block Requests for Calling Other APIs from Web Pages?,WAF Functions,User Guide", + "title":"Can WAF Block Requests for Calling Other APIs from Web Pages?", + "githuburl":"" + }, + { + "uri":"waf_01_0027.html", + "product_code":"dwaf", + "code":"75", + "des":"WAF is deployed on the cloud.Web Application Firewall (WAF) keeps web services stable and secure. It examines all HTTP and HTTPS requests to detect and block the followin", + "doc_type":"usermanual", + "kw":"Which Web Service Framework Protocols Does WAF Support?,WAF Functions,User Guide", + "title":"Which Web Service Framework Protocols Does WAF Support?", + "githuburl":"" + }, + { + "uri":"waf_01_0329.html", + "product_code":"dwaf", + "code":"76", + "des":"Yes. WAF can protect HTTP and HTTPS applications.If a website uses the HTTP Strict Transport Security (HSTS) policy, the client (such as a browser) is forced to use HTTPS", + "doc_type":"usermanual", + "kw":"Can WAF Protect Websites Accessed Through HSTS or NTLM Authentication?,WAF Functions,User Guide", + "title":"Can WAF Protect Websites Accessed Through HSTS or NTLM Authentication?", + "githuburl":"" + }, + { + "uri":"waf_01_0345.html", + "product_code":"dwaf", + "code":"77", + "des":"WAF protects user data on the application layer. It supports cache configuration on static web pages. When a user accesses a web page, the system returns a cached page to", + "doc_type":"usermanual", + "kw":"Does WAF Cache Website Data?,WAF Functions,User Guide", + "title":"Does WAF Cache Website Data?", + "githuburl":"" + }, + { + "uri":"waf_01_0457.html", + "product_code":"dwaf", + "code":"78", + "des":"A Structured Query Language (SQL) injection is a common web attack. The attacker injects malicious SQL commands into database query strings to deceive the server into exe", + "doc_type":"usermanual", + "kw":"How Does WAF Detect SQL Injection and XSS Attacks?,WAF Functions,User Guide", + "title":"How Does WAF Detect SQL Injection and XSS Attacks?", + "githuburl":"" + }, + { + "uri":"waf_01_0293.html", + "product_code":"dwaf", + "code":"79", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"WAF Usage", + "title":"WAF Usage", + "githuburl":"" + }, + { + "uri":"waf_01_0218.html", + "product_code":"dwaf", + "code":"80", + "des":"WAF protects web application pages. After your website is connected to WAF, there is no impact on your email port or email sending or receiving.", + "doc_type":"usermanual", + "kw":"Does WAF Affect Email Ports or Email Receiving and Sending?,WAF Usage,User Guide", + "title":"Does WAF Affect Email Ports or Email Receiving and Sending?", + "githuburl":"" + }, + { + "uri":"waf_01_0062.html", + "product_code":"dwaf", + "code":"81", + "des":"After you connect a website to your WAF instance, WAF works as a reverse proxy between the client and the server. The real IP address of the server is hidden and only the", + "doc_type":"usermanual", + "kw":"How Do I Obtain the Real IP Address of a Web Visitor?,WAF Usage,User Guide", + "title":"How Do I Obtain the Real IP Address of a Web Visitor?", + "githuburl":"" + }, + { + "uri":"waf_01_0196.html", + "product_code":"dwaf", + "code":"82", + "des":"You can view security events such as file inclusion in WAF protection events to quickly locate attack sources or analyze attack events.Program developers write repeatedly", + "doc_type":"usermanual", + "kw":"What Are Local File Inclusion and Remote File Inclusion?,WAF Usage,User Guide", + "title":"What Are Local File Inclusion and Remote File Inclusion?", + "githuburl":"" + }, + { + "uri":"waf_01_0179.html", + "product_code":"dwaf", + "code":"83", + "des":"Queries Per Second (QPS) indicates the number of requests per second. For example, an HTTP GET request is also called a query. The number of requests is the total number ", + "doc_type":"usermanual", + "kw":"What Is the Difference Between QPS and the Number of Requests?,WAF Usage,User Guide", + "title":"What Is the Difference Between QPS and the Number of Requests?", + "githuburl":"" + }, + { + "uri":"waf_01_0222.html", + "product_code":"dwaf", + "code":"84", + "des":"The number of concurrent requests refers to the number of requests that the system can process simultaneously. When it comes to a website, concurrent requests refer to th", + "doc_type":"usermanual", + "kw":"What Are Concurrent Requests?,WAF Usage,User Guide", + "title":"What Are Concurrent Requests?", + "githuburl":"" + }, + { + "uri":"waf_01_0361.html", + "product_code":"dwaf", + "code":"85", + "des":"WAF preferentially forwards access requests to the single domain name. If the single domain name cannot be identified, access requests will be forwarded to the wildcard d", + "doc_type":"usermanual", + "kw":"How Does WAF Forward Access Requests When Both a Wildcard Domain Name and a Single Domain Name Are C", + "title":"How Does WAF Forward Access Requests When Both a Wildcard Domain Name and a Single Domain Name Are Connected to WAF?", + "githuburl":"" + }, + { + "uri":"waf_01_0366.html", + "product_code":"dwaf", + "code":"86", + "des":"No. After a website is connected to WAF, all website access requests are forwarded to WAF first. WAF detects and filters out malicious attack traffic, and returns normal ", + "doc_type":"usermanual", + "kw":"Does WAF Affect Data Transmission from the Internal Network to an External Network?,WAF Usage,User G", + "title":"Does WAF Affect Data Transmission from the Internal Network to an External Network?", + "githuburl":"" + }, + { + "uri":"waf_01_0124.html", + "product_code":"dwaf", + "code":"87", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Website Domain Name Access Configuration", + "title":"Website Domain Name Access Configuration", + "githuburl":"" + }, + { + "uri":"waf_01_0299.html", + "product_code":"dwaf", + "code":"88", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Domain Name and Port Configuration", + "title":"Domain Name and Port Configuration", + "githuburl":"" + }, + { + "uri":"waf_01_0176.html", + "product_code":"dwaf", + "code":"89", + "des":"After you connect a domain name or IP address of the website you want to protect to WAF, WAF works as a reverse proxy between the client and the server. The real IP addre", + "doc_type":"usermanual", + "kw":"How Do I Add a Domain Name/IP Address to WAF?,Domain Name and Port Configuration,User Guide", + "title":"How Do I Add a Domain Name/IP Address to WAF?", + "githuburl":"" + }, + { + "uri":"waf_01_0105.html", + "product_code":"dwaf", + "code":"90", + "des":"Before using WAF, you need to add domain names to be protected to WAF based on your web service protection requirements. WAF supports addition of single domain names and ", + "doc_type":"usermanual", + "kw":"How Do I Configure Domain Names to Be Protected When Adding Domain Names?,Domain Name and Port Confi", + "title":"How Do I Configure Domain Names to Be Protected When Adding Domain Names?", + "githuburl":"" + }, + { + "uri":"waf_01_0157.html", + "product_code":"dwaf", + "code":"91", + "des":"Prepare information required for connecting a domain name or IP address to WAF based on the mode of WAF instance you plan to buy.The following data is required:Domain nam", + "doc_type":"usermanual", + "kw":"What Data Is Required for Connecting a Domain Name/IP Address to WAF?,Domain Name and Port Configura", + "title":"What Data Is Required for Connecting a Domain Name/IP Address to WAF?", + "githuburl":"" + }, + { + "uri":"waf_01_0041.html", + "product_code":"dwaf", + "code":"92", + "des":"The deletion operation cannot be cancelled. Exercise caution when performing this operation.If you want to retain the policy applied to the domain name, select Retain the", + "doc_type":"usermanual", + "kw":"How Do I Safely Delete a Protected Domain Name?,Domain Name and Port Configuration,User Guide", + "title":"How Do I Safely Delete a Protected Domain Name?", + "githuburl":"" + }, + { + "uri":"waf_01_0104.html", + "product_code":"dwaf", + "code":"93", + "des":"When configuring multiple server addresses for the same domain name, pay attention to the following:For domain names mapping to non-standard portsThe client protocol, ser", + "doc_type":"usermanual", + "kw":"What Are the Precautions for Configuring Multiple Server Addresses for Backend Servers?,Domain Name ", + "title":"What Are the Precautions for Configuring Multiple Server Addresses for Backend Servers?", + "githuburl":"" + }, + { + "uri":"waf_01_0190.html", + "product_code":"dwaf", + "code":"94", + "des":"Yes. When adding a domain name to WAF, you can configure a single domain name or a wildcard domain name based on your service requirements. The details are as follows:Sin", + "doc_type":"usermanual", + "kw":"Does WAF Support Wildcard Domain Names?,Domain Name and Port Configuration,User Guide", + "title":"Does WAF Support Wildcard Domain Names?", + "githuburl":"" + }, + { + "uri":"waf_01_0301.html", + "product_code":"dwaf", + "code":"95", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Certificate Management", + "title":"Certificate Management", + "githuburl":"" + }, + { + "uri":"waf_01_0135.html", + "product_code":"dwaf", + "code":"96", + "des":"Each domain name must correspond to a certificate. A wildcard domain name can only be used for a wildcard domain certificate. If you only have single-domain certificates,", + "doc_type":"usermanual", + "kw":"How Do I Select a Certificate When Configuring a Wildcard Domain Name?,Certificate Management,User G", + "title":"How Do I Select a Certificate When Configuring a Wildcard Domain Name?", + "githuburl":"" + }, + { + "uri":"waf_01_0313.html", + "product_code":"dwaf", + "code":"97", + "des":"Only .pem certificates can be used in WAF. If the certificate is not in .pem format, convert it into .pem locally by referring to Table 1 before uploading it.Certificate ", + "doc_type":"usermanual", + "kw":"How Do I Convert a Certificate into PEM Format?,Certificate Management,User Guide", + "title":"How Do I Convert a Certificate into PEM Format?", + "githuburl":"" + }, + { + "uri":"waf_01_0127.html", + "product_code":"dwaf", + "code":"98", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Service Interruption Check", + "title":"Service Interruption Check", + "githuburl":"" + }, + { + "uri":"waf_01_0066.html", + "product_code":"dwaf", + "code":"99", + "des":"If an error, such as 404 Not Found, 502 Bad Gateway, or 504 Gateway Timeout, occurs after a domain name is connected to WAF, use the following methods to locate the cause", + "doc_type":"usermanual", + "kw":"404,502,504,How Do I Troubleshoot 404/502/504 Errors?,Service Interruption Check,User Guide", + "title":"How Do I Troubleshoot 404/502/504 Errors?", + "githuburl":"" + }, + { + "uri":"waf_01_0038.html", + "product_code":"dwaf", + "code":"100", + "des":"Once an attack hits a WAF rule, WAF will respond to the attack immediately according to the protective action (Log only or Block) you configured for the rule and display ", + "doc_type":"usermanual", + "kw":"How Do I Handle False Alarms as WAF Blocks Normal Requests to My Website?,Service Interruption Check", + "title":"How Do I Handle False Alarms as WAF Blocks Normal Requests to My Website?", + "githuburl":"" + }, + { + "uri":"waf_01_0160.html", + "product_code":"dwaf", + "code":"101", + "des":"The default timeout duration for connections between a browser and WAF is 120 seconds, which cannot be manually set.The default timeout duration for connections between W", + "doc_type":"usermanual", + "kw":"What Is the Connection Timeout Duration of WAF? Can I Manually Set the Timeout Duration?,Service Int", + "title":"What Is the Connection Timeout Duration of WAF? Can I Manually Set the Timeout Duration?", + "githuburl":"" + }, + { + "uri":"waf_01_0093.html", + "product_code":"dwaf", + "code":"102", + "des":"If your visitors receive a page similar to the one in Figure 1 when they try to access your website through a mobile phone, an incomplete certificate chain is uploaded wh", + "doc_type":"usermanual", + "kw":"Why Are HTTPS Requests Denied on Some Mobile Phones?,Service Interruption Check,User Guide", + "title":"Why Are HTTPS Requests Denied on Some Mobile Phones?", + "githuburl":"" + }, + { + "uri":"waf_01_0082.html", + "product_code":"dwaf", + "code":"103", + "des":"If the certificate provided by the certificate authority is not found in the built-in trust store on your platform and the certificate chain does not have a certificate a", + "doc_type":"usermanual", + "kw":"How Do I Fix an Incomplete Certificate Chain?,Service Interruption Check,User Guide", + "title":"How Do I Fix an Incomplete Certificate Chain?", + "githuburl":"" + }, + { + "uri":"waf_01_1082.html", + "product_code":"dwaf", + "code":"104", + "des":"After an HTTPS certificate is uploaded to the AAD or WAF console, a message is displayed indicating that the certificate and key do not match.How Do I Fix an Incomplete C", + "doc_type":"usermanual", + "kw":"Why Does My Certificate Not Match the Key?,Service Interruption Check,User Guide", + "title":"Why Does My Certificate Not Match the Key?", + "githuburl":"" + }, + { + "uri":"waf_01_0198.html", + "product_code":"dwaf", + "code":"105", + "des":"If the request contains malicious load and is intercepted by WAF, error 418 is reported when you access the domain name protected by WAF. You can view WAF protection logs", + "doc_type":"usermanual", + "kw":"Why Am I Seeing Error Code 418?,Service Interruption Check,User Guide", + "title":"Why Am I Seeing Error Code 418?", + "githuburl":"" + }, + { + "uri":"waf_01_0100.html", + "product_code":"dwaf", + "code":"106", + "des":"After your website is connected to WAF, the file visitors can upload each time cannot exceed 512 MB.To upload a file greater than 512 MB, upload the file through:IP addre", + "doc_type":"usermanual", + "kw":"How Can I Upload Files After the Website Is Connected to WAF?,Service Interruption Check,User Guide", + "title":"How Can I Upload Files After the Website Is Connected to WAF?", + "githuburl":"" + }, + { + "uri":"waf_01_0063.html", + "product_code":"dwaf", + "code":"107", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Protection Rule Configuration", + "title":"Protection Rule Configuration", + "githuburl":"" + }, + { + "uri":"waf_01_0304.html", + "product_code":"dwaf", + "code":"108", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Basic Web Protection", + "title":"Basic Web Protection", + "githuburl":"" + }, + { + "uri":"waf_01_0053.html", + "product_code":"dwaf", + "code":"109", + "des":"This FAQ guides you to switch the mode of basic web protection to Block.Perform the following operations:Log only and Block are merely modes of basic web protection. CC a", + "doc_type":"usermanual", + "kw":"How Do I Switch the Mode of Basic Web Protection from Log Only to Block?,Basic Web Protection,User G", + "title":"How Do I Switch the Mode of Basic Web Protection from Log Only to Block?", + "githuburl":"" + }, + { + "uri":"waf_01_0204.html", + "product_code":"dwaf", + "code":"110", + "des":"WAF provides three basic web protection levels: Low, Medium, and High. The default option is Medium. For details, see Table 1.", + "doc_type":"usermanual", + "kw":"Which Protection Levels Can Be Set for Basic Web Protection?,Basic Web Protection,User Guide", + "title":"Which Protection Levels Can Be Set for Basic Web Protection?", + "githuburl":"" + }, + { + "uri":"waf_01_0305.html", + "product_code":"dwaf", + "code":"111", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"CC Attack Protection Rules", + "title":"CC Attack Protection Rules", + "githuburl":"" + }, + { + "uri":"waf_01_0035.html", + "product_code":"dwaf", + "code":"112", + "des":"When a service interface is under an HTTP flood attack, you can set a CC attack protection rule on the WAF console to relieve service pressure.WAF provides the following ", + "doc_type":"usermanual", + "kw":"HTTP flood,How Do I Configure a CC Attack Protection Rule?,CC Attack Protection Rules,User Guide", + "title":"How Do I Configure a CC Attack Protection Rule?", + "githuburl":"" + }, + { + "uri":"waf_01_0036.html", + "product_code":"dwaf", + "code":"113", + "des":"During the configuration of a CC attack protection rule, if IP addresses cannot identify users precisely, for example, when many users share an egress IP address, use Coo", + "doc_type":"usermanual", + "kw":"When Is Cookie Used to Identify Users?,CC Attack Protection Rules,User Guide", + "title":"When Is Cookie Used to Identify Users?", + "githuburl":"" + }, + { + "uri":"waf_01_0308.html", + "product_code":"dwaf", + "code":"114", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Anti-Crawler Protection", + "title":"Anti-Crawler Protection", + "githuburl":"" + }, + { + "uri":"waf_01_0254.html", + "product_code":"dwaf", + "code":"115", + "des":"After JavaScript anti-crawler is enabled, WAF returns a piece of JavaScript code to the client when the client sends a request. If the client sends a normal request to th", + "doc_type":"usermanual", + "kw":"Why Is the Requested Page Unable to Load After JavaScript Anti-Crawler Is Enabled?,Anti-Crawler Prot", + "title":"Why Is the Requested Page Unable to Load After JavaScript Anti-Crawler Is Enabled?", + "githuburl":"" + }, + { + "uri":"waf_01_0309.html", + "product_code":"dwaf", + "code":"116", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Others", + "title":"Others", + "githuburl":"" + }, + { + "uri":"waf_01_0102.html", + "product_code":"dwaf", + "code":"117", + "des":"Normally, all requests destined for your site will pass through WAF. However, if your site is using CDN and WAF, the WAF policy targeted at the requests for caching stati", + "doc_type":"usermanual", + "kw":"In Which Situations Will the WAF Policies Fail?,Others,User Guide", + "title":"In Which Situations Will the WAF Policies Fail?", + "githuburl":"" + }, + { + "uri":"waf_01_0151.html", + "product_code":"dwaf", + "code":"118", + "des":"All paths configured for protection rules of WAF are case-sensitive.", + "doc_type":"usermanual", + "kw":"Is the Path of a WAF Protection Rule Case-sensitive?,Others,User Guide", + "title":"Is the Path of a WAF Protection Rule Case-sensitive?", + "githuburl":"" + }, + { + "uri":"waf_01_0028.html", + "product_code":"dwaf", + "code":"119", + "des":"The protection rules supported by WAF are described below.Basic Web ProtectionWAF can defend against common web attacks, such as SQL injection, XSS, web shells, and Troja", + "doc_type":"usermanual", + "kw":"What Protection Rules Does WAF Support?,Others,User Guide", + "title":"What Protection Rules Does WAF Support?", + "githuburl":"" + }, + { + "uri":"waf_01_0265.html", + "product_code":"dwaf", + "code":"120", + "des":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "doc_type":"usermanual", + "kw":"Change History,User Guide", + "title":"Change History", + "githuburl":"" + } +] \ No newline at end of file diff --git a/docs/wafd/umn/CLASS.TXT.json b/docs/wafd/umn/CLASS.TXT.json new file mode 100644 index 000000000..d69ade316 --- /dev/null +++ b/docs/wafd/umn/CLASS.TXT.json @@ -0,0 +1,1082 @@ +[ + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"dwaf", + "title":"Service Overview", + "uri":"waf_01_0064.html", + "doc_type":"usermanual", + "p_code":"", + "code":"1" + }, + { + "desc":"Web Application Firewall (WAF) keeps web services stable and secure. It examines all HTTP and HTTPS requests to detect and block the following attacks: Structured Query L", + "product_code":"dwaf", + "title":"What Is Web Application Firewall?", + "uri":"waf_01_0045.html", + "doc_type":"usermanual", + "p_code":"1", + "code":"2" + }, + { + "desc":"WAF is deployed in dedicated mode. The following tables describe specifications and functions of the dedicated WAF instances.Table 1 describes dedicated WAF instances.For", + "product_code":"dwaf", + "title":"Specifications", + "uri":"waf_01_0272.html", + "doc_type":"usermanual", + "p_code":"1", + "code":"3" + }, + { + "desc":"WAF makes it easier for you to handle web security risks.WAF keeps applications stable and secure. It examines HTTP and HTTPS requests to detect and block attacks, such a", + "product_code":"dwaf", + "title":"Functions", + "uri":"waf_01_0094.html", + "doc_type":"usermanual", + "p_code":"1", + "code":"4" + }, + { + "desc":"WAF examines web traffic from multiple dimensions to accurately identify malicious requests and filter attacks, reducing the risks of data being tampered with or stolen.W", + "product_code":"dwaf", + "title":"Product Advantages", + "uri":"waf_01_0065.html", + "doc_type":"usermanual", + "p_code":"1", + "code":"5" + }, + { + "desc":"WAF helps you defend against common web attacks, such as command injection and sensitive file access.Countless malicious requests may be sent to service interfaces during", + "product_code":"dwaf", + "title":"Application Scenarios", + "uri":"waf_01_0046.html", + "doc_type":"usermanual", + "p_code":"1", + "code":"6" + }, + { + "desc":"If you need to assign different permissions to employees in your enterprise to access your WAF resources, IAM is a good choice for fine-grained permissions management. IA", + "product_code":"dwaf", + "title":"WAF Permissions Management", + "uri":"waf_01_0052.html", + "doc_type":"usermanual", + "p_code":"1", + "code":"7" + }, + { + "desc":"This topic describes WAF and other cloud services.Cloud Eye monitors the indicators of the dedicated WAF, so that you can understand the protection status of the dedicate", + "product_code":"dwaf", + "title":"WAF and Other Services", + "uri":"waf_01_0051.html", + "doc_type":"usermanual", + "p_code":"1", + "code":"8" + }, + { + "desc":"Sort out all website services you want to protect with WAF. This helps you learn about your workloads and specific data of your workloads so that you can choose and confi", + "product_code":"dwaf", + "title":"Overview", + "uri":"waf_01_0071.html", + "doc_type":"usermanual", + "p_code":"", + "code":"9" + }, + { + "desc":"If your service servers are deployed on the cloud, you can buy dedicated WAF instances (or dedicated WAF engines) to protect important websites through domain names or to", + "product_code":"dwaf", + "title":"Applying for a Dedicated WAF Instance", + "uri":"waf_01_1072.html", + "doc_type":"usermanual", + "p_code":"", + "code":"10" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"dwaf", + "title":"Enabling WAF Protection", + "uri":"waf_01_0070.html", + "doc_type":"usermanual", + "p_code":"", + "code":"11" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"dwaf", + "title":"Connecting a Website to WAF", + "uri":"waf_01_0249.html", + "doc_type":"usermanual", + "p_code":"11", + "code":"12" + }, + { + "desc":"If your service servers are deployed on the cloud, you can add the domain name or IP address of the website to WAF so that the website traffic is forwarded to WAF for ins", + "product_code":"dwaf", + "title":"Step 1: Add a Website to WAF", + "uri":"waf_01_0250.html", + "doc_type":"usermanual", + "p_code":"12", + "code":"13" + }, + { + "desc":"To ensure your dedicated WAF instance reliability, after you add a website to it, use Elastic Load Balance (ELB) to configure a load balancer and a health check for the d", + "product_code":"dwaf", + "title":"Step 2: Configure a Load Balancer", + "uri":"waf_01_0251.html", + "doc_type":"usermanual", + "p_code":"12", + "code":"14" + }, + { + "desc":"After you configure a load balancer for your dedicated WAF instance, you need to unbind the EIP from the origin server and then bind this EIP to the load balancer you con", + "product_code":"dwaf", + "title":"Step 3: Bind an EIP to a Load Balancer", + "uri":"waf_01_0252.html", + "doc_type":"usermanual", + "p_code":"12", + "code":"15" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"dwaf", + "title":"Website Domain Name Management", + "uri":"waf_01_0067.html", + "doc_type":"usermanual", + "p_code":"", + "code":"16" + }, + { + "desc":"This topic describes how to view the basic information about a protected website, switch WAF working mode, and delete a domain name of a protected website from WAF.A webs", + "product_code":"dwaf", + "title":"Viewing Basic Information", + "uri":"waf_01_0020.html", + "doc_type":"usermanual", + "p_code":"16", + "code":"17" + }, + { + "desc":"You can change the working mode of WAF. WAF can work in Enabled or Suspended mode.The domain name of the website to be protected has been connected to WAF.Enabled: In thi", + "product_code":"dwaf", + "title":"Switching WAF Working Mode", + "uri":"waf_01_0003.html", + "doc_type":"usermanual", + "p_code":"16", + "code":"18" + }, + { + "desc":"Transport Layer Security (TLS) provides confidentiality and ensures data integrity for data sent between applications over the Internet. HTTPS is a network protocol const", + "product_code":"dwaf", + "title":"Configuring PCI DSS/3DS Certification Check and TLS Version", + "uri":"waf_01_0169.html", + "doc_type":"usermanual", + "p_code":"16", + "code":"19" + }, + { + "desc":"If you want to set a timeout duration for each request between your WAF instance and origin server, enable Timeout Settings and specify WAF-to-Server connection timeout (", + "product_code":"dwaf", + "title":"Configuring Connection Timeout", + "uri":"waf_01_1171.html", + "doc_type":"usermanual", + "p_code":"16", + "code":"20" + }, + { + "desc":"If a large number of 502 Bad Gateway and 504 Gateway Timeout errors are detected, you can enable WAF breakdown protection and connection protection to let WAF suspend you", + "product_code":"dwaf", + "title":"Configuring Connection Protection", + "uri":"waf_01_1172.html", + "doc_type":"usermanual", + "p_code":"16", + "code":"21" + }, + { + "desc":"If you set Client Protocol to HTTPS when you add a website to WAF, upload a certificate and use it for your website.If your website certificate is about to expire, purcha", + "product_code":"dwaf", + "title":"Updating a Certificate", + "uri":"waf_01_0262.html", + "doc_type":"usermanual", + "p_code":"16", + "code":"22" + }, + { + "desc":"WAF allows you to configure traffic identifiers by IP address, session, or user tag to block possibly malicious requests from known attack sources based on IP address, Co", + "product_code":"dwaf", + "title":"Configuring a Traffic Identifier for a Known Attack Source", + "uri":"waf_01_0270.html", + "doc_type":"usermanual", + "p_code":"16", + "code":"23" + }, + { + "desc":"This topic describes how to edit or add server information for a website to be protected.Applicable scenarios:Modify server information, including Client Protocol, Server", + "product_code":"dwaf", + "title":"Editing Server Information", + "uri":"waf_01_0001.html", + "doc_type":"usermanual", + "p_code":"16", + "code":"24" + }, + { + "desc":"If a visitor is blocked by WAF, the Default block page of WAF is returned by default. You can also configure Custom or Redirection for the block page to be returned as re", + "product_code":"dwaf", + "title":"Modifying the Alarm Page", + "uri":"waf_01_0154.html", + "doc_type":"usermanual", + "p_code":"16", + "code":"25" + }, + { + "desc":"This topic describes how to remove a website from WAF if you no longer need to protect it.A website domain name has been added to WAF.It takes about a minute to remove a ", + "product_code":"dwaf", + "title":"Removing a Protected Website from WAF", + "uri":"waf_01_0005.html", + "doc_type":"usermanual", + "p_code":"16", + "code":"26" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"dwaf", + "title":"Certificate Management", + "uri":"waf_01_0261.html", + "doc_type":"usermanual", + "p_code":"", + "code":"27" + }, + { + "desc":"If you select HTTPS for Client Protocol when you add a website to WAF, a certificate must be associated with the website.You can upload a certificate to WAF. Then you can", + "product_code":"dwaf", + "title":"Uploading a Certificate", + "uri":"waf_01_0078.html", + "doc_type":"usermanual", + "p_code":"27", + "code":"28" + }, + { + "desc":"If you configure Client Protocol to HTTPS for your website, the website needs an SSL certificate. This topic describes how to bind an SSL certificate that you have upload", + "product_code":"dwaf", + "title":"Binding a Certificate to a Protected Website", + "uri":"waf_01_0367.html", + "doc_type":"usermanual", + "p_code":"27", + "code":"29" + }, + { + "desc":"This topic describes how to delete an expired or invalid certificate.The certificate you want to delete is not bound to a protected website.If a certificate to be deleted", + "product_code":"dwaf", + "title":"Deleting a Certificate", + "uri":"waf_01_0263.html", + "doc_type":"usermanual", + "p_code":"27", + "code":"30" + }, + { + "desc":"This topic describes how to view certificate details, including the certificate name, domain name a certificate is used for, and expiration time.You have created or pushe", + "product_code":"dwaf", + "title":"Viewing Certificate Information", + "uri":"waf_01_0282.html", + "doc_type":"usermanual", + "p_code":"27", + "code":"31" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"dwaf", + "title":"Rule Configuration", + "uri":"waf_01_0007.html", + "doc_type":"usermanual", + "p_code":"", + "code":"32" + }, + { + "desc":"The built-in protection rules of WAF help you defend against common web application attacks, including XSS attacks, SQL injection, crawlers, and web shells. You can custo", + "product_code":"dwaf", + "title":"Configuration Guidance", + "uri":"waf_01_0129.html", + "doc_type":"usermanual", + "p_code":"32", + "code":"33" + }, + { + "desc":"After this function is enabled, WAF can defend against common web attacks, such as SQL injections, XSS, remote overflow vulnerabilities, file inclusions, Bash vulnerabili", + "product_code":"dwaf", + "title":"Configuring Basic Web Protection Rules", + "uri":"waf_01_0008.html", + "doc_type":"usermanual", + "p_code":"32", + "code":"34" + }, + { + "desc":"You can customize a CC attack protection rule to restrict access to a specific URL on your website based on an IP address, cookie, or Referer, mitigating CC attacks. To m", + "product_code":"dwaf", + "title":"Configuring a CC Attack Protection Rule", + "uri":"waf_01_0009.html", + "doc_type":"usermanual", + "p_code":"32", + "code":"35" + }, + { + "desc":"WAF allows you to customize protection rules by combining HTTP headers, cookies, URLs, request parameters, and client IP addresses.You can combine common HTTP fields, suc", + "product_code":"dwaf", + "title":"Configuring a Precise Protection Rule", + "uri":"waf_01_0010.html", + "doc_type":"usermanual", + "p_code":"32", + "code":"36" + }, + { + "desc":"This topic describes how to create a reference table to batch configure protection metrics of a single type, such as Path, User Agent, IP, Params, Cookie, Referer, and He", + "product_code":"dwaf", + "title":"Adding a Reference Table", + "uri":"waf_01_0081.html", + "doc_type":"usermanual", + "p_code":"32", + "code":"37" + }, + { + "desc":"You can configure blacklist and whitelist rules to block, log only, or allow access requests from specific IP addresses or IP address ranges.A website has been added to W", + "product_code":"dwaf", + "title":"Configuring an IP Address Blacklist or Whitelist Rule", + "uri":"waf_01_0012.html", + "doc_type":"usermanual", + "p_code":"32", + "code":"38" + }, + { + "desc":"If WAF blocks a malicious request by IP address, Cookie, or Params, you can configure a known attack source rule to let WAF automatically block all requests from the atta", + "product_code":"dwaf", + "title":"Configuring a Known Attack Source Rule", + "uri":"waf_01_0271.html", + "doc_type":"usermanual", + "p_code":"32", + "code":"39" + }, + { + "desc":"This topic describes how to configure a geolocation access control rule. A geolocation access control rule allows you to control IP addresses forwarded from or to specifi", + "product_code":"dwaf", + "title":"Configuring a Geolocation Access Control Rule", + "uri":"waf_01_0013.html", + "doc_type":"usermanual", + "p_code":"32", + "code":"40" + }, + { + "desc":"WAF can cache configuration for static web pages of websites. After you configure a web tamper protection rule, WAF can:Return directly the cached web page to the normal ", + "product_code":"dwaf", + "title":"Configuring a Web Tamper Protection Rule", + "uri":"waf_01_0014.html", + "doc_type":"usermanual", + "p_code":"32", + "code":"41" + }, + { + "desc":"You can configure website anti-crawler protection rules to protect against search engines, scanners, script tools, and other crawlers, and use JavaScript to create custom", + "product_code":"dwaf", + "title":"Configuring Anti-Crawler Rules", + "uri":"waf_01_0015.html", + "doc_type":"usermanual", + "p_code":"32", + "code":"42" + }, + { + "desc":"You can add two types of information leakage prevention rules.Sensitive information filtering: prevents disclosure of sensitive information (such as ID numbers, phone num", + "product_code":"dwaf", + "title":"Configuring an Information Leakage Prevention Rule", + "uri":"waf_01_0054.html", + "doc_type":"usermanual", + "p_code":"32", + "code":"43" + }, + { + "desc":"Once an attack hits a WAF basic web protection rule or a feature-library anti-crawler rule, WAF will respond to the attack immediately according to the protective action ", + "product_code":"dwaf", + "title":"Configuring a Global Protection Whitelist (Formerly False Alarm Masking) Rule", + "uri":"waf_01_0016.html", + "doc_type":"usermanual", + "p_code":"32", + "code":"44" + }, + { + "desc":"This topic describes how to configure data masking rules. You can configure data masking rules to prevent sensitive data such as passwords from being displayed in event l", + "product_code":"dwaf", + "title":"Configuring a Data Masking Rule", + "uri":"waf_01_0017.html", + "doc_type":"usermanual", + "p_code":"32", + "code":"45" + }, + { + "desc":"This topic describes how to view event logs, including attack and request statistics, event distribution, top 10 attacked domain names, top 10 attack source IP addresses,", + "product_code":"dwaf", + "title":"Dashboard", + "uri":"waf_01_0021.html", + "doc_type":"usermanual", + "p_code":"", + "code":"46" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"dwaf", + "title":"Event Management", + "uri":"waf_01_0018.html", + "doc_type":"usermanual", + "p_code":"", + "code":"47" + }, + { + "desc":"On the Events page, you can view events generated for blocked attacks and logged only attacks. You can view details of WAF events, including the time an event occurs, ori", + "product_code":"dwaf", + "title":"Viewing Protection Event Logs", + "uri":"waf_01_0156.html", + "doc_type":"usermanual", + "p_code":"47", + "code":"48" + }, + { + "desc":"If you confirm that an attack event on the Events page is a false alarm, you can handle the event as false alarm by ignoring the URL and rule ID in basic web protection, ", + "product_code":"dwaf", + "title":"Handling False Alarms", + "uri":"waf_01_0024.html", + "doc_type":"usermanual", + "p_code":"47", + "code":"49" + }, + { + "desc":"This topic describes how to download events (logged and blocked events) data for the last five days. One or more CSV files containing the event data of the current day wi", + "product_code":"dwaf", + "title":"Downloading Events Data", + "uri":"waf_01_0077.html", + "doc_type":"usermanual", + "p_code":"47", + "code":"50" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"dwaf", + "title":"Policy Management", + "uri":"waf_01_0055.html", + "doc_type":"usermanual", + "p_code":"", + "code":"51" + }, + { + "desc":"A policy is a combination of rules, such as basic web protection, blacklist, whitelist, and precise protection rules. A policy can be applied to multiple domain names, bu", + "product_code":"dwaf", + "title":"Adding a Policy", + "uri":"waf_01_0074.html", + "doc_type":"usermanual", + "p_code":"51", + "code":"52" + }, + { + "desc":"This topic describes how to add rules to one or more policies.A website has been added to WAF.To add a CC attack protection rule, see Table 1.To add a precise protection ", + "product_code":"dwaf", + "title":"Adding Rules to One or More Policies", + "uri":"waf_01_0061.html", + "doc_type":"usermanual", + "p_code":"51", + "code":"53" + }, + { + "desc":"This topic describes how to apply a policy to your protected website.A website has been added to WAF.A protected domain name can use only one policy, but one policy can b", + "product_code":"dwaf", + "title":"Applying a Policy to Your Website", + "uri":"waf_01_0075.html", + "doc_type":"usermanual", + "p_code":"51", + "code":"54" + }, + { + "desc":"This topic describes how to manage your dedicated WAF instances (or engines), including viewing instance information, upgrading the instance edition, or deleting an insta", + "product_code":"dwaf", + "title":"Dedicated WAF Engine Management", + "uri":"waf_01_0253.html", + "doc_type":"usermanual", + "p_code":"", + "code":"55" + }, + { + "desc":"On the Product Details page, you can view information about all your WAF instances, including the edition, domain quotas, and specifications.You have purchased a WAF inst", + "product_code":"dwaf", + "title":"Viewing Product Details", + "uri":"waf_01_0319.html", + "doc_type":"usermanual", + "p_code":"", + "code":"56" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"dwaf", + "title":"Permissions Management", + "uri":"waf_01_0096.html", + "doc_type":"usermanual", + "p_code":"", + "code":"57" + }, + { + "desc":"Custom policies can be created to supplement the system-defined policies of WAF.Example 1: Allowing users to query the protected domain list{\n \"Version\": \"1.1\",\n ", + "product_code":"dwaf", + "title":"WAF Custom Policies", + "uri":"waf_01_0243.html", + "doc_type":"usermanual", + "p_code":"57", + "code":"58" + }, + { + "desc":"This topic describes fine-grained permissions management for your WAF instances. If your account does not need individual IAM users, then you may skip over this topic.By ", + "product_code":"dwaf", + "title":"WAF Permissions and Supported Actions", + "uri":"waf_01_0244.html", + "doc_type":"usermanual", + "p_code":"57", + "code":"59" + }, + { + "desc":"This topic describes metrics reported by dedicated WAF to Cloud Eye as well as their namespaces and dimensions. You can use APIs provided by Cloud Eye to query the metric", + "product_code":"dwaf", + "title":"Monitored Metrics", + "uri":"waf_01_1372.html", + "doc_type":"usermanual", + "p_code":"", + "code":"60" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"dwaf", + "title":"FAQs", + "uri":"waf_01_0022.html", + "doc_type":"usermanual", + "p_code":"", + "code":"61" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"dwaf", + "title":"About WAF", + "uri":"waf_01_0025.html", + "doc_type":"usermanual", + "p_code":"61", + "code":"62" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"dwaf", + "title":"WAF Functions", + "uri":"waf_01_0292.html", + "doc_type":"usermanual", + "p_code":"62", + "code":"63" + }, + { + "desc":"A WAF instance can protect IP addresses.A dedicated or load balancing WAF instance can protect websites through either domain names or IP addresses.The origin server IP a", + "product_code":"dwaf", + "title":"Can WAF Protect an IP Address?", + "uri":"waf_01_0029.html", + "doc_type":"usermanual", + "p_code":"63", + "code":"64" + }, + { + "desc":"WAF can protect domain names or IP addresses.", + "product_code":"dwaf", + "title":"What Objects Does WAF Protect?", + "uri":"waf_01_0134.html", + "doc_type":"usermanual", + "p_code":"63", + "code":"65" + }, + { + "desc":"WAF is deployed on the cloud, which is irrelevant to an OS. Therefore, WAF supports any OS. A domain name server on any OS can be connected to WAF for protection.", + "product_code":"dwaf", + "title":"Which OSs Does WAF Support?", + "uri":"waf_01_0026.html", + "doc_type":"usermanual", + "p_code":"63", + "code":"66" + }, + { + "desc":"WAF provides protection at seven layers, namely, the physical layer, data link layer, network layer, transport layer, session layer, presentation layer, and application l", + "product_code":"dwaf", + "title":"Which Layers Does WAF Provide Protection At?", + "uri":"waf_01_0030.html", + "doc_type":"usermanual", + "p_code":"63", + "code":"67" + }, + { + "desc":"WAF caches only static web pages that are configured with web tamper protection and sends the cached web pages that are not tampered with to web visitors.", + "product_code":"dwaf", + "title":"Does WAF Support File Caching?", + "uri":"waf_01_0149.html", + "doc_type":"usermanual", + "p_code":"63", + "code":"68" + }, + { + "desc":"WAF supports access control over content at the application layer. HTTP and HTTPS are both application layer protocols.", + "product_code":"dwaf", + "title":"Does WAF Support Application Layer Protocol- and Content-Based Access Control?", + "uri":"waf_01_0229.html", + "doc_type":"usermanual", + "p_code":"63", + "code":"69" + }, + { + "desc":"The built-in detection of WAF checks POST data, and web shells are the files submitted in POST requests. WAF checks all data, such as forms and JSON files in POST request", + "product_code":"dwaf", + "title":"Can WAF Check the Body I Add to the POST Request?", + "uri":"waf_01_0187.html", + "doc_type":"usermanual", + "p_code":"63", + "code":"70" + }, + { + "desc":"No. However, you can customize a CC attack protection rule to restrict access to a specific URL on your website based on an IP address, cookie, or Referer, mitigating CC ", + "product_code":"dwaf", + "title":"Can WAF Limit the Access Speed of a Domain Name?", + "uri":"waf_01_0257.html", + "doc_type":"usermanual", + "p_code":"63", + "code":"71" + }, + { + "desc":"No. WAF can only detect and restrict source IP addresses.", + "product_code":"dwaf", + "title":"Can WAF Block URL Requests That Contain Special Characters?", + "uri":"waf_01_0211.html", + "doc_type":"usermanual", + "p_code":"63", + "code":"72" + }, + { + "desc":"WAF cannot block business-related attacks, such as spam and malicious user registrations. To prevent these attacks, configure the registration verification mechanism on y", + "product_code":"dwaf", + "title":"Can WAF Block Spam and Malicious User Registrations?", + "uri":"waf_01_0280.html", + "doc_type":"usermanual", + "p_code":"63", + "code":"73" + }, + { + "desc":"If the request data for calling other APIs on the web page is included in the domain names protected by WAF, the request data passes through WAF. WAF checks the request d", + "product_code":"dwaf", + "title":"Can WAF Block Requests for Calling Other APIs from Web Pages?", + "uri":"waf_01_0212.html", + "doc_type":"usermanual", + "p_code":"63", + "code":"74" + }, + { + "desc":"WAF is deployed on the cloud.Web Application Firewall (WAF) keeps web services stable and secure. It examines all HTTP and HTTPS requests to detect and block the followin", + "product_code":"dwaf", + "title":"Which Web Service Framework Protocols Does WAF Support?", + "uri":"waf_01_0027.html", + "doc_type":"usermanual", + "p_code":"63", + "code":"75" + }, + { + "desc":"Yes. WAF can protect HTTP and HTTPS applications.If a website uses the HTTP Strict Transport Security (HSTS) policy, the client (such as a browser) is forced to use HTTPS", + "product_code":"dwaf", + "title":"Can WAF Protect Websites Accessed Through HSTS or NTLM Authentication?", + "uri":"waf_01_0329.html", + "doc_type":"usermanual", + "p_code":"63", + "code":"76" + }, + { + "desc":"WAF protects user data on the application layer. It supports cache configuration on static web pages. When a user accesses a web page, the system returns a cached page to", + "product_code":"dwaf", + "title":"Does WAF Cache Website Data?", + "uri":"waf_01_0345.html", + "doc_type":"usermanual", + "p_code":"63", + "code":"77" + }, + { + "desc":"A Structured Query Language (SQL) injection is a common web attack. The attacker injects malicious SQL commands into database query strings to deceive the server into exe", + "product_code":"dwaf", + "title":"How Does WAF Detect SQL Injection and XSS Attacks?", + "uri":"waf_01_0457.html", + "doc_type":"usermanual", + "p_code":"63", + "code":"78" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"dwaf", + "title":"WAF Usage", + "uri":"waf_01_0293.html", + "doc_type":"usermanual", + "p_code":"62", + "code":"79" + }, + { + "desc":"WAF protects web application pages. After your website is connected to WAF, there is no impact on your email port or email sending or receiving.", + "product_code":"dwaf", + "title":"Does WAF Affect Email Ports or Email Receiving and Sending?", + "uri":"waf_01_0218.html", + "doc_type":"usermanual", + "p_code":"79", + "code":"80" + }, + { + "desc":"After you connect a website to your WAF instance, WAF works as a reverse proxy between the client and the server. The real IP address of the server is hidden and only the", + "product_code":"dwaf", + "title":"How Do I Obtain the Real IP Address of a Web Visitor?", + "uri":"waf_01_0062.html", + "doc_type":"usermanual", + "p_code":"79", + "code":"81" + }, + { + "desc":"You can view security events such as file inclusion in WAF protection events to quickly locate attack sources or analyze attack events.Program developers write repeatedly", + "product_code":"dwaf", + "title":"What Are Local File Inclusion and Remote File Inclusion?", + "uri":"waf_01_0196.html", + "doc_type":"usermanual", + "p_code":"79", + "code":"82" + }, + { + "desc":"Queries Per Second (QPS) indicates the number of requests per second. For example, an HTTP GET request is also called a query. The number of requests is the total number ", + "product_code":"dwaf", + "title":"What Is the Difference Between QPS and the Number of Requests?", + "uri":"waf_01_0179.html", + "doc_type":"usermanual", + "p_code":"79", + "code":"83" + }, + { + "desc":"The number of concurrent requests refers to the number of requests that the system can process simultaneously. When it comes to a website, concurrent requests refer to th", + "product_code":"dwaf", + "title":"What Are Concurrent Requests?", + "uri":"waf_01_0222.html", + "doc_type":"usermanual", + "p_code":"79", + "code":"84" + }, + { + "desc":"WAF preferentially forwards access requests to the single domain name. If the single domain name cannot be identified, access requests will be forwarded to the wildcard d", + "product_code":"dwaf", + "title":"How Does WAF Forward Access Requests When Both a Wildcard Domain Name and a Single Domain Name Are Connected to WAF?", + "uri":"waf_01_0361.html", + "doc_type":"usermanual", + "p_code":"79", + "code":"85" + }, + { + "desc":"No. After a website is connected to WAF, all website access requests are forwarded to WAF first. WAF detects and filters out malicious attack traffic, and returns normal ", + "product_code":"dwaf", + "title":"Does WAF Affect Data Transmission from the Internal Network to an External Network?", + "uri":"waf_01_0366.html", + "doc_type":"usermanual", + "p_code":"79", + "code":"86" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"dwaf", + "title":"Website Domain Name Access Configuration", + "uri":"waf_01_0124.html", + "doc_type":"usermanual", + "p_code":"61", + "code":"87" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"dwaf", + "title":"Domain Name and Port Configuration", + "uri":"waf_01_0299.html", + "doc_type":"usermanual", + "p_code":"87", + "code":"88" + }, + { + "desc":"After you connect a domain name or IP address of the website you want to protect to WAF, WAF works as a reverse proxy between the client and the server. The real IP addre", + "product_code":"dwaf", + "title":"How Do I Add a Domain Name/IP Address to WAF?", + "uri":"waf_01_0176.html", + "doc_type":"usermanual", + "p_code":"88", + "code":"89" + }, + { + "desc":"Before using WAF, you need to add domain names to be protected to WAF based on your web service protection requirements. WAF supports addition of single domain names and ", + "product_code":"dwaf", + "title":"How Do I Configure Domain Names to Be Protected When Adding Domain Names?", + "uri":"waf_01_0105.html", + "doc_type":"usermanual", + "p_code":"88", + "code":"90" + }, + { + "desc":"Prepare information required for connecting a domain name or IP address to WAF based on the mode of WAF instance you plan to buy.The following data is required:Domain nam", + "product_code":"dwaf", + "title":"What Data Is Required for Connecting a Domain Name/IP Address to WAF?", + "uri":"waf_01_0157.html", + "doc_type":"usermanual", + "p_code":"88", + "code":"91" + }, + { + "desc":"The deletion operation cannot be cancelled. Exercise caution when performing this operation.If you want to retain the policy applied to the domain name, select Retain the", + "product_code":"dwaf", + "title":"How Do I Safely Delete a Protected Domain Name?", + "uri":"waf_01_0041.html", + "doc_type":"usermanual", + "p_code":"88", + "code":"92" + }, + { + "desc":"When configuring multiple server addresses for the same domain name, pay attention to the following:For domain names mapping to non-standard portsThe client protocol, ser", + "product_code":"dwaf", + "title":"What Are the Precautions for Configuring Multiple Server Addresses for Backend Servers?", + "uri":"waf_01_0104.html", + "doc_type":"usermanual", + "p_code":"88", + "code":"93" + }, + { + "desc":"Yes. When adding a domain name to WAF, you can configure a single domain name or a wildcard domain name based on your service requirements. The details are as follows:Sin", + "product_code":"dwaf", + "title":"Does WAF Support Wildcard Domain Names?", + "uri":"waf_01_0190.html", + "doc_type":"usermanual", + "p_code":"88", + "code":"94" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"dwaf", + "title":"Certificate Management", + "uri":"waf_01_0301.html", + "doc_type":"usermanual", + "p_code":"87", + "code":"95" + }, + { + "desc":"Each domain name must correspond to a certificate. A wildcard domain name can only be used for a wildcard domain certificate. If you only have single-domain certificates,", + "product_code":"dwaf", + "title":"How Do I Select a Certificate When Configuring a Wildcard Domain Name?", + "uri":"waf_01_0135.html", + "doc_type":"usermanual", + "p_code":"95", + "code":"96" + }, + { + "desc":"Only .pem certificates can be used in WAF. If the certificate is not in .pem format, convert it into .pem locally by referring to Table 1 before uploading it.Certificate ", + "product_code":"dwaf", + "title":"How Do I Convert a Certificate into PEM Format?", + "uri":"waf_01_0313.html", + "doc_type":"usermanual", + "p_code":"95", + "code":"97" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"dwaf", + "title":"Service Interruption Check", + "uri":"waf_01_0127.html", + "doc_type":"usermanual", + "p_code":"61", + "code":"98" + }, + { + "desc":"If an error, such as 404 Not Found, 502 Bad Gateway, or 504 Gateway Timeout, occurs after a domain name is connected to WAF, use the following methods to locate the cause", + "product_code":"dwaf", + "title":"How Do I Troubleshoot 404/502/504 Errors?", + "uri":"waf_01_0066.html", + "doc_type":"usermanual", + "p_code":"98", + "code":"99" + }, + { + "desc":"Once an attack hits a WAF rule, WAF will respond to the attack immediately according to the protective action (Log only or Block) you configured for the rule and display ", + "product_code":"dwaf", + "title":"How Do I Handle False Alarms as WAF Blocks Normal Requests to My Website?", + "uri":"waf_01_0038.html", + "doc_type":"usermanual", + "p_code":"98", + "code":"100" + }, + { + "desc":"The default timeout duration for connections between a browser and WAF is 120 seconds, which cannot be manually set.The default timeout duration for connections between W", + "product_code":"dwaf", + "title":"What Is the Connection Timeout Duration of WAF? Can I Manually Set the Timeout Duration?", + "uri":"waf_01_0160.html", + "doc_type":"usermanual", + "p_code":"98", + "code":"101" + }, + { + "desc":"If your visitors receive a page similar to the one in Figure 1 when they try to access your website through a mobile phone, an incomplete certificate chain is uploaded wh", + "product_code":"dwaf", + "title":"Why Are HTTPS Requests Denied on Some Mobile Phones?", + "uri":"waf_01_0093.html", + "doc_type":"usermanual", + "p_code":"98", + "code":"102" + }, + { + "desc":"If the certificate provided by the certificate authority is not found in the built-in trust store on your platform and the certificate chain does not have a certificate a", + "product_code":"dwaf", + "title":"How Do I Fix an Incomplete Certificate Chain?", + "uri":"waf_01_0082.html", + "doc_type":"usermanual", + "p_code":"98", + "code":"103" + }, + { + "desc":"After an HTTPS certificate is uploaded to the AAD or WAF console, a message is displayed indicating that the certificate and key do not match.How Do I Fix an Incomplete C", + "product_code":"dwaf", + "title":"Why Does My Certificate Not Match the Key?", + "uri":"waf_01_1082.html", + "doc_type":"usermanual", + "p_code":"98", + "code":"104" + }, + { + "desc":"If the request contains malicious load and is intercepted by WAF, error 418 is reported when you access the domain name protected by WAF. You can view WAF protection logs", + "product_code":"dwaf", + "title":"Why Am I Seeing Error Code 418?", + "uri":"waf_01_0198.html", + "doc_type":"usermanual", + "p_code":"98", + "code":"105" + }, + { + "desc":"After your website is connected to WAF, the file visitors can upload each time cannot exceed 512 MB.To upload a file greater than 512 MB, upload the file through:IP addre", + "product_code":"dwaf", + "title":"How Can I Upload Files After the Website Is Connected to WAF?", + "uri":"waf_01_0100.html", + "doc_type":"usermanual", + "p_code":"98", + "code":"106" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"dwaf", + "title":"Protection Rule Configuration", + "uri":"waf_01_0063.html", + "doc_type":"usermanual", + "p_code":"61", + "code":"107" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"dwaf", + "title":"Basic Web Protection", + "uri":"waf_01_0304.html", + "doc_type":"usermanual", + "p_code":"107", + "code":"108" + }, + { + "desc":"This FAQ guides you to switch the mode of basic web protection to Block.Perform the following operations:Log only and Block are merely modes of basic web protection. CC a", + "product_code":"dwaf", + "title":"How Do I Switch the Mode of Basic Web Protection from Log Only to Block?", + "uri":"waf_01_0053.html", + "doc_type":"usermanual", + "p_code":"108", + "code":"109" + }, + { + "desc":"WAF provides three basic web protection levels: Low, Medium, and High. The default option is Medium. For details, see Table 1.", + "product_code":"dwaf", + "title":"Which Protection Levels Can Be Set for Basic Web Protection?", + "uri":"waf_01_0204.html", + "doc_type":"usermanual", + "p_code":"108", + "code":"110" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"dwaf", + "title":"CC Attack Protection Rules", + "uri":"waf_01_0305.html", + "doc_type":"usermanual", + "p_code":"107", + "code":"111" + }, + { + "desc":"When a service interface is under an HTTP flood attack, you can set a CC attack protection rule on the WAF console to relieve service pressure.WAF provides the following ", + "product_code":"dwaf", + "title":"How Do I Configure a CC Attack Protection Rule?", + "uri":"waf_01_0035.html", + "doc_type":"usermanual", + "p_code":"111", + "code":"112" + }, + { + "desc":"During the configuration of a CC attack protection rule, if IP addresses cannot identify users precisely, for example, when many users share an egress IP address, use Coo", + "product_code":"dwaf", + "title":"When Is Cookie Used to Identify Users?", + "uri":"waf_01_0036.html", + "doc_type":"usermanual", + "p_code":"111", + "code":"113" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"dwaf", + "title":"Anti-Crawler Protection", + "uri":"waf_01_0308.html", + "doc_type":"usermanual", + "p_code":"107", + "code":"114" + }, + { + "desc":"After JavaScript anti-crawler is enabled, WAF returns a piece of JavaScript code to the client when the client sends a request. If the client sends a normal request to th", + "product_code":"dwaf", + "title":"Why Is the Requested Page Unable to Load After JavaScript Anti-Crawler Is Enabled?", + "uri":"waf_01_0254.html", + "doc_type":"usermanual", + "p_code":"114", + "code":"115" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"dwaf", + "title":"Others", + "uri":"waf_01_0309.html", + "doc_type":"usermanual", + "p_code":"107", + "code":"116" + }, + { + "desc":"Normally, all requests destined for your site will pass through WAF. However, if your site is using CDN and WAF, the WAF policy targeted at the requests for caching stati", + "product_code":"dwaf", + "title":"In Which Situations Will the WAF Policies Fail?", + "uri":"waf_01_0102.html", + "doc_type":"usermanual", + "p_code":"116", + "code":"117" + }, + { + "desc":"All paths configured for protection rules of WAF are case-sensitive.", + "product_code":"dwaf", + "title":"Is the Path of a WAF Protection Rule Case-sensitive?", + "uri":"waf_01_0151.html", + "doc_type":"usermanual", + "p_code":"116", + "code":"118" + }, + { + "desc":"The protection rules supported by WAF are described below.Basic Web ProtectionWAF can defend against common web attacks, such as SQL injection, XSS, web shells, and Troja", + "product_code":"dwaf", + "title":"What Protection Rules Does WAF Support?", + "uri":"waf_01_0028.html", + "doc_type":"usermanual", + "p_code":"116", + "code":"119" + }, + { + "desc":"HUAWEI CLOUD Help Center presents technical documents to help you quickly get started with HUAWEI CLOUD services. The technical documents include Service Overview, Price Details, Purchase Guide, User Guide, API Reference, Best Practices, FAQs, and Videos.", + "product_code":"dwaf", + "title":"Change History", + "uri":"waf_01_0265.html", + "doc_type":"usermanual", + "p_code":"", + "code":"120" + } +] \ No newline at end of file diff --git a/docs/wafd/umn/PARAMETERS.txt b/docs/wafd/umn/PARAMETERS.txt new file mode 100644 index 000000000..6da8d5f07 --- /dev/null +++ b/docs/wafd/umn/PARAMETERS.txt @@ -0,0 +1,3 @@ +version="" +language="en-us" +type="" \ No newline at end of file diff --git a/docs/wafd/umn/en-us_image_0000001081671555.jpg b/docs/wafd/umn/en-us_image_0000001081671555.jpg new file mode 100644 index 000000000..22c76c8e5 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001081671555.jpg differ diff --git a/docs/wafd/umn/en-us_image_0000001081906323.jpg b/docs/wafd/umn/en-us_image_0000001081906323.jpg new file mode 100644 index 000000000..22c76c8e5 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001081906323.jpg differ diff --git a/docs/wafd/umn/en-us_image_0000001082065421.jpg b/docs/wafd/umn/en-us_image_0000001082065421.jpg new file mode 100644 index 000000000..22c76c8e5 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001082065421.jpg differ diff --git a/docs/wafd/umn/en-us_image_0000001126290859.png b/docs/wafd/umn/en-us_image_0000001126290859.png new file mode 100644 index 000000000..9cc3fc110 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001126290859.png differ diff --git a/docs/wafd/umn/en-us_image_0000001127096041.png b/docs/wafd/umn/en-us_image_0000001127096041.png new file mode 100644 index 000000000..7346d7f69 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001127096041.png differ diff --git a/docs/wafd/umn/en-us_image_0000001127126255.png b/docs/wafd/umn/en-us_image_0000001127126255.png new file mode 100644 index 000000000..df8a9d0f7 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001127126255.png differ diff --git a/docs/wafd/umn/en-us_image_0000001133216533.jpg b/docs/wafd/umn/en-us_image_0000001133216533.jpg new file mode 100644 index 000000000..22c76c8e5 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001133216533.jpg differ diff --git a/docs/wafd/umn/en-us_image_0000001191376107.jpg b/docs/wafd/umn/en-us_image_0000001191376107.jpg new file mode 100644 index 000000000..cc595ad9d Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001191376107.jpg differ diff --git a/docs/wafd/umn/en-us_image_0000001227094315.png b/docs/wafd/umn/en-us_image_0000001227094315.png new file mode 100644 index 000000000..19b0e9bb0 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001227094315.png differ diff --git a/docs/wafd/umn/en-us_image_0000001238212390.png b/docs/wafd/umn/en-us_image_0000001238212390.png new file mode 100644 index 000000000..930cfd6e9 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001238212390.png differ diff --git a/docs/wafd/umn/en-us_image_0000001238508978.jpg b/docs/wafd/umn/en-us_image_0000001238508978.jpg new file mode 100644 index 000000000..22c76c8e5 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001238508978.jpg differ diff --git a/docs/wafd/umn/en-us_image_0000001238531606.png b/docs/wafd/umn/en-us_image_0000001238531606.png new file mode 100644 index 000000000..6e43f2e85 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001238531606.png differ diff --git a/docs/wafd/umn/en-us_image_0000001240865319.jpg b/docs/wafd/umn/en-us_image_0000001240865319.jpg new file mode 100644 index 000000000..22c76c8e5 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001240865319.jpg differ diff --git a/docs/wafd/umn/en-us_image_0000001241293100.png b/docs/wafd/umn/en-us_image_0000001241293100.png new file mode 100644 index 000000000..930cfd6e9 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001241293100.png differ diff --git a/docs/wafd/umn/en-us_image_0000001241765756.png b/docs/wafd/umn/en-us_image_0000001241765756.png new file mode 100644 index 000000000..6e43f2e85 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001241765756.png differ diff --git a/docs/wafd/umn/en-us_image_0000001260399509.jpg b/docs/wafd/umn/en-us_image_0000001260399509.jpg new file mode 100644 index 000000000..22c76c8e5 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001260399509.jpg differ diff --git a/docs/wafd/umn/en-us_image_0000001275434812.png b/docs/wafd/umn/en-us_image_0000001275434812.png new file mode 100644 index 000000000..930cfd6e9 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001275434812.png differ diff --git a/docs/wafd/umn/en-us_image_0000001282207201.png b/docs/wafd/umn/en-us_image_0000001282207201.png new file mode 100644 index 000000000..6e43f2e85 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001282207201.png differ diff --git a/docs/wafd/umn/en-us_image_0000001282375645.png b/docs/wafd/umn/en-us_image_0000001282375645.png new file mode 100644 index 000000000..6e43f2e85 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001282375645.png differ diff --git a/docs/wafd/umn/en-us_image_0000001282406385.png b/docs/wafd/umn/en-us_image_0000001282406385.png new file mode 100644 index 000000000..930cfd6e9 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001282406385.png differ diff --git a/docs/wafd/umn/en-us_image_0000001284383208.png b/docs/wafd/umn/en-us_image_0000001284383208.png new file mode 100644 index 000000000..28807ed30 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001284383208.png differ diff --git a/docs/wafd/umn/en-us_image_0000001284790620.png b/docs/wafd/umn/en-us_image_0000001284790620.png new file mode 100644 index 000000000..9c0f87337 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001284790620.png differ diff --git a/docs/wafd/umn/en-us_image_0000001284850794.png b/docs/wafd/umn/en-us_image_0000001284850794.png new file mode 100644 index 000000000..1c0acd55d Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001284850794.png differ diff --git a/docs/wafd/umn/en-us_image_0000001284852786.png b/docs/wafd/umn/en-us_image_0000001284852786.png new file mode 100644 index 000000000..12c5a8da8 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001284852786.png differ diff --git a/docs/wafd/umn/en-us_image_0000001284861820.png b/docs/wafd/umn/en-us_image_0000001284861820.png new file mode 100644 index 000000000..3b233e5a9 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001284861820.png differ diff --git a/docs/wafd/umn/en-us_image_0000001284948512.png b/docs/wafd/umn/en-us_image_0000001284948512.png new file mode 100644 index 000000000..68a0f4264 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001284948512.png differ diff --git a/docs/wafd/umn/en-us_image_0000001285022128.png b/docs/wafd/umn/en-us_image_0000001285022128.png new file mode 100644 index 000000000..a197f1717 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001285022128.png differ diff --git a/docs/wafd/umn/en-us_image_0000001285028708.png b/docs/wafd/umn/en-us_image_0000001285028708.png new file mode 100644 index 000000000..df03ee537 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001285028708.png differ diff --git a/docs/wafd/umn/en-us_image_0000001285178604.png b/docs/wafd/umn/en-us_image_0000001285178604.png new file mode 100644 index 000000000..1c0acd55d Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001285178604.png differ diff --git a/docs/wafd/umn/en-us_image_0000001285430612.png b/docs/wafd/umn/en-us_image_0000001285430612.png new file mode 100644 index 000000000..d3181e064 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001285430612.png differ diff --git a/docs/wafd/umn/en-us_image_0000001285485922.png b/docs/wafd/umn/en-us_image_0000001285485922.png new file mode 100644 index 000000000..5484b02de Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001285485922.png differ diff --git a/docs/wafd/umn/en-us_image_0000001285486134.png b/docs/wafd/umn/en-us_image_0000001285486134.png new file mode 100644 index 000000000..103b38cd0 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001285486134.png differ diff --git a/docs/wafd/umn/en-us_image_0000001285577484.png b/docs/wafd/umn/en-us_image_0000001285577484.png new file mode 100644 index 000000000..02064941e Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001285577484.png differ diff --git a/docs/wafd/umn/en-us_image_0000001285577912.png b/docs/wafd/umn/en-us_image_0000001285577912.png new file mode 100644 index 000000000..06ba8c092 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001285577912.png differ diff --git a/docs/wafd/umn/en-us_image_0000001285588948.png b/docs/wafd/umn/en-us_image_0000001285588948.png new file mode 100644 index 000000000..d9fa5b4fb Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001285588948.png differ diff --git a/docs/wafd/umn/en-us_image_0000001285636510.png b/docs/wafd/umn/en-us_image_0000001285636510.png new file mode 100644 index 000000000..192aa59da Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001285636510.png differ diff --git a/docs/wafd/umn/en-us_image_0000001285643550.png b/docs/wafd/umn/en-us_image_0000001285643550.png new file mode 100644 index 000000000..1cc4085c2 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001285643550.png differ diff --git a/docs/wafd/umn/en-us_image_0000001285661276.png b/docs/wafd/umn/en-us_image_0000001285661276.png new file mode 100644 index 000000000..74d46bdc4 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001285661276.png differ diff --git a/docs/wafd/umn/en-us_image_0000001285684556.png b/docs/wafd/umn/en-us_image_0000001285684556.png new file mode 100644 index 000000000..1af9d515c Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001285684556.png differ diff --git a/docs/wafd/umn/en-us_image_0000001285728898.png b/docs/wafd/umn/en-us_image_0000001285728898.png new file mode 100644 index 000000000..0bbcc97ae Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001285728898.png differ diff --git a/docs/wafd/umn/en-us_image_0000001285737132.png b/docs/wafd/umn/en-us_image_0000001285737132.png new file mode 100644 index 000000000..7e4fa5cb5 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001285737132.png differ diff --git a/docs/wafd/umn/en-us_image_0000001285803110.png b/docs/wafd/umn/en-us_image_0000001285803110.png new file mode 100644 index 000000000..fcdd34424 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001285803110.png differ diff --git a/docs/wafd/umn/en-us_image_0000001285811290.png b/docs/wafd/umn/en-us_image_0000001285811290.png new file mode 100644 index 000000000..00856df82 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001285811290.png differ diff --git a/docs/wafd/umn/en-us_image_0000001285815180.png b/docs/wafd/umn/en-us_image_0000001285815180.png new file mode 100644 index 000000000..72407d9b9 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001285815180.png differ diff --git a/docs/wafd/umn/en-us_image_0000001285950994.png b/docs/wafd/umn/en-us_image_0000001285950994.png new file mode 100644 index 000000000..895f47bdf Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001285950994.png differ diff --git a/docs/wafd/umn/en-us_image_0000001285975220.png b/docs/wafd/umn/en-us_image_0000001285975220.png new file mode 100644 index 000000000..d03569f11 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001285975220.png differ diff --git a/docs/wafd/umn/en-us_image_0000001285981628.png b/docs/wafd/umn/en-us_image_0000001285981628.png new file mode 100644 index 000000000..d0cdaf7eb Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001285981628.png differ diff --git a/docs/wafd/umn/en-us_image_0000001285986476.png b/docs/wafd/umn/en-us_image_0000001285986476.png new file mode 100644 index 000000000..1cb9d3955 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001285986476.png differ diff --git a/docs/wafd/umn/en-us_image_0000001285992940.png b/docs/wafd/umn/en-us_image_0000001285992940.png new file mode 100644 index 000000000..fd6bca83d Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001285992940.png differ diff --git a/docs/wafd/umn/en-us_image_0000001286051354.png b/docs/wafd/umn/en-us_image_0000001286051354.png new file mode 100644 index 000000000..afa7592d9 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001286051354.png differ diff --git a/docs/wafd/umn/en-us_image_0000001286052290.png b/docs/wafd/umn/en-us_image_0000001286052290.png new file mode 100644 index 000000000..889d1c172 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001286052290.png differ diff --git a/docs/wafd/umn/en-us_image_0000001286058500.png b/docs/wafd/umn/en-us_image_0000001286058500.png new file mode 100644 index 000000000..2cb70c800 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001286058500.png differ diff --git a/docs/wafd/umn/en-us_image_0000001286061432.png b/docs/wafd/umn/en-us_image_0000001286061432.png new file mode 100644 index 000000000..004f239d9 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001286061432.png differ diff --git a/docs/wafd/umn/en-us_image_0000001286529486.png b/docs/wafd/umn/en-us_image_0000001286529486.png new file mode 100644 index 000000000..d0855593f Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001286529486.png differ diff --git a/docs/wafd/umn/en-us_image_0000001286548588.png b/docs/wafd/umn/en-us_image_0000001286548588.png new file mode 100644 index 000000000..b9f9566a5 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001286548588.png differ diff --git a/docs/wafd/umn/en-us_image_0000001287944330.png b/docs/wafd/umn/en-us_image_0000001287944330.png new file mode 100644 index 000000000..28807ed30 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001287944330.png differ diff --git a/docs/wafd/umn/en-us_image_0000001287946362.png b/docs/wafd/umn/en-us_image_0000001287946362.png new file mode 100644 index 000000000..28807ed30 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001287946362.png differ diff --git a/docs/wafd/umn/en-us_image_0000001287946366.png b/docs/wafd/umn/en-us_image_0000001287946366.png new file mode 100644 index 000000000..28807ed30 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001287946366.png differ diff --git a/docs/wafd/umn/en-us_image_0000001287947022.png b/docs/wafd/umn/en-us_image_0000001287947022.png new file mode 100644 index 000000000..28807ed30 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001287947022.png differ diff --git a/docs/wafd/umn/en-us_image_0000001288099090.png b/docs/wafd/umn/en-us_image_0000001288099090.png new file mode 100644 index 000000000..28807ed30 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001288099090.png differ diff --git a/docs/wafd/umn/en-us_image_0000001288106282.png b/docs/wafd/umn/en-us_image_0000001288106282.png new file mode 100644 index 000000000..28807ed30 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001288106282.png differ diff --git a/docs/wafd/umn/en-us_image_0000001288106346.png b/docs/wafd/umn/en-us_image_0000001288106346.png new file mode 100644 index 000000000..28807ed30 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001288106346.png differ diff --git a/docs/wafd/umn/en-us_image_0000001288106950.png b/docs/wafd/umn/en-us_image_0000001288106950.png new file mode 100644 index 000000000..28807ed30 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001288106950.png differ diff --git a/docs/wafd/umn/en-us_image_0000001288264194.png b/docs/wafd/umn/en-us_image_0000001288264194.png new file mode 100644 index 000000000..28807ed30 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001288264194.png differ diff --git a/docs/wafd/umn/en-us_image_0000001288266226.png b/docs/wafd/umn/en-us_image_0000001288266226.png new file mode 100644 index 000000000..28807ed30 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001288266226.png differ diff --git a/docs/wafd/umn/en-us_image_0000001288266230.png b/docs/wafd/umn/en-us_image_0000001288266230.png new file mode 100644 index 000000000..28807ed30 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001288266230.png differ diff --git a/docs/wafd/umn/en-us_image_0000001288266902.png b/docs/wafd/umn/en-us_image_0000001288266902.png new file mode 100644 index 000000000..28807ed30 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001288266902.png differ diff --git a/docs/wafd/umn/en-us_image_0000001288423818.png b/docs/wafd/umn/en-us_image_0000001288423818.png new file mode 100644 index 000000000..28807ed30 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001288423818.png differ diff --git a/docs/wafd/umn/en-us_image_0000001288425878.png b/docs/wafd/umn/en-us_image_0000001288425878.png new file mode 100644 index 000000000..28807ed30 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001288425878.png differ diff --git a/docs/wafd/umn/en-us_image_0000001288427746.png b/docs/wafd/umn/en-us_image_0000001288427746.png new file mode 100644 index 000000000..28807ed30 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001288427746.png differ diff --git a/docs/wafd/umn/en-us_image_0000001317947942.jpg b/docs/wafd/umn/en-us_image_0000001317947942.jpg new file mode 100644 index 000000000..22c76c8e5 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001317947942.jpg differ diff --git a/docs/wafd/umn/en-us_image_0000001324043026.png b/docs/wafd/umn/en-us_image_0000001324043026.png new file mode 100644 index 000000000..12c5a8da8 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001324043026.png differ diff --git a/docs/wafd/umn/en-us_image_0000001326514597.png b/docs/wafd/umn/en-us_image_0000001326514597.png new file mode 100644 index 000000000..6e43f2e85 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001326514597.png differ diff --git a/docs/wafd/umn/en-us_image_0000001326640436.png b/docs/wafd/umn/en-us_image_0000001326640436.png new file mode 100644 index 000000000..6e7d232d6 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001326640436.png differ diff --git a/docs/wafd/umn/en-us_image_0000001326802772.png b/docs/wafd/umn/en-us_image_0000001326802772.png new file mode 100644 index 000000000..371459598 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001326802772.png differ diff --git a/docs/wafd/umn/en-us_image_0000001327191500.png b/docs/wafd/umn/en-us_image_0000001327191500.png new file mode 100644 index 000000000..824f1e801 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001327191500.png differ diff --git a/docs/wafd/umn/en-us_image_0000001327470582.png b/docs/wafd/umn/en-us_image_0000001327470582.png new file mode 100644 index 000000000..86931c51b Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001327470582.png differ diff --git a/docs/wafd/umn/en-us_image_0000001336983185.jpg b/docs/wafd/umn/en-us_image_0000001336983185.jpg new file mode 100644 index 000000000..22c76c8e5 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001336983185.jpg differ diff --git a/docs/wafd/umn/en-us_image_0000001337244713.png b/docs/wafd/umn/en-us_image_0000001337244713.png new file mode 100644 index 000000000..b42196678 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001337244713.png differ diff --git a/docs/wafd/umn/en-us_image_0000001337404641.png b/docs/wafd/umn/en-us_image_0000001337404641.png new file mode 100644 index 000000000..9d45c05d5 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001337404641.png differ diff --git a/docs/wafd/umn/en-us_image_0000001337470357.png b/docs/wafd/umn/en-us_image_0000001337470357.png new file mode 100644 index 000000000..843e8e97d Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001337470357.png differ diff --git a/docs/wafd/umn/en-us_image_0000001337771401.png b/docs/wafd/umn/en-us_image_0000001337771401.png new file mode 100644 index 000000000..5d69d7cae Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001337771401.png differ diff --git a/docs/wafd/umn/en-us_image_0000001337772205.png b/docs/wafd/umn/en-us_image_0000001337772205.png new file mode 100644 index 000000000..dc81236c2 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001337772205.png differ diff --git a/docs/wafd/umn/en-us_image_0000001337772269.png b/docs/wafd/umn/en-us_image_0000001337772269.png new file mode 100644 index 000000000..8ed210bf6 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001337772269.png differ diff --git a/docs/wafd/umn/en-us_image_0000001337772549.png b/docs/wafd/umn/en-us_image_0000001337772549.png new file mode 100644 index 000000000..016ae8249 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001337772549.png differ diff --git a/docs/wafd/umn/en-us_image_0000001337775421.png b/docs/wafd/umn/en-us_image_0000001337775421.png new file mode 100644 index 000000000..52f33ad9d Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001337775421.png differ diff --git a/docs/wafd/umn/en-us_image_0000001337777849.png b/docs/wafd/umn/en-us_image_0000001337777849.png new file mode 100644 index 000000000..1cc4085c2 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001337777849.png differ diff --git a/docs/wafd/umn/en-us_image_0000001337778441.png b/docs/wafd/umn/en-us_image_0000001337778441.png new file mode 100644 index 000000000..4820ecab2 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001337778441.png differ diff --git a/docs/wafd/umn/en-us_image_0000001337808105.png b/docs/wafd/umn/en-us_image_0000001337808105.png new file mode 100644 index 000000000..298b07cd7 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001337808105.png differ diff --git a/docs/wafd/umn/en-us_image_0000001337887457.png b/docs/wafd/umn/en-us_image_0000001337887457.png new file mode 100644 index 000000000..6f8569b98 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001337887457.png differ diff --git a/docs/wafd/umn/en-us_image_0000001337894657.png b/docs/wafd/umn/en-us_image_0000001337894657.png new file mode 100644 index 000000000..4e78c1a73 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001337894657.png differ diff --git a/docs/wafd/umn/en-us_image_0000001337958950.png b/docs/wafd/umn/en-us_image_0000001337958950.png new file mode 100644 index 000000000..0ef639f97 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001337958950.png differ diff --git a/docs/wafd/umn/en-us_image_0000001338016357.png b/docs/wafd/umn/en-us_image_0000001338016357.png new file mode 100644 index 000000000..8ce4d5a20 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001338016357.png differ diff --git a/docs/wafd/umn/en-us_image_0000001338096873.png b/docs/wafd/umn/en-us_image_0000001338096873.png new file mode 100644 index 000000000..86dcf261b Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001338096873.png differ diff --git a/docs/wafd/umn/en-us_image_0000001338097417.png b/docs/wafd/umn/en-us_image_0000001338097417.png new file mode 100644 index 000000000..0bbcc97ae Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001338097417.png differ diff --git a/docs/wafd/umn/en-us_image_0000001338129425.png b/docs/wafd/umn/en-us_image_0000001338129425.png new file mode 100644 index 000000000..db787de59 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001338129425.png differ diff --git a/docs/wafd/umn/en-us_image_0000001338155669.png b/docs/wafd/umn/en-us_image_0000001338155669.png new file mode 100644 index 000000000..5ba03118e Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001338155669.png differ diff --git a/docs/wafd/umn/en-us_image_0000001338214477.png b/docs/wafd/umn/en-us_image_0000001338214477.png new file mode 100644 index 000000000..ef87a8fbe Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001338214477.png differ diff --git a/docs/wafd/umn/en-us_image_0000001338230701.png b/docs/wafd/umn/en-us_image_0000001338230701.png new file mode 100644 index 000000000..de668d13a Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001338230701.png differ diff --git a/docs/wafd/umn/en-us_image_0000001338298405.png b/docs/wafd/umn/en-us_image_0000001338298405.png new file mode 100644 index 000000000..fd6fd03cc Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001338298405.png differ diff --git a/docs/wafd/umn/en-us_image_0000001338300589.png b/docs/wafd/umn/en-us_image_0000001338300589.png new file mode 100644 index 000000000..a93a1db9c Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001338300589.png differ diff --git a/docs/wafd/umn/en-us_image_0000001338332661.png b/docs/wafd/umn/en-us_image_0000001338332661.png new file mode 100644 index 000000000..09cde81f3 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001338332661.png differ diff --git a/docs/wafd/umn/en-us_image_0000001338407897.png b/docs/wafd/umn/en-us_image_0000001338407897.png new file mode 100644 index 000000000..000ca05f2 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001338407897.png differ diff --git a/docs/wafd/umn/en-us_image_0000001338527429.png b/docs/wafd/umn/en-us_image_0000001338527429.png new file mode 100644 index 000000000..cddf6109c Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001338527429.png differ diff --git a/docs/wafd/umn/en-us_image_0000001338628737.png b/docs/wafd/umn/en-us_image_0000001338628737.png new file mode 100644 index 000000000..e9b61f7d7 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001338628737.png differ diff --git a/docs/wafd/umn/en-us_image_0000001340304197.png b/docs/wafd/umn/en-us_image_0000001340304197.png new file mode 100644 index 000000000..28807ed30 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001340304197.png differ diff --git a/docs/wafd/umn/en-us_image_0000001340304201.png b/docs/wafd/umn/en-us_image_0000001340304201.png new file mode 100644 index 000000000..28807ed30 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001340304201.png differ diff --git a/docs/wafd/umn/en-us_image_0000001340305457.png b/docs/wafd/umn/en-us_image_0000001340305457.png new file mode 100644 index 000000000..28807ed30 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001340305457.png differ diff --git a/docs/wafd/umn/en-us_image_0000001340305633.png b/docs/wafd/umn/en-us_image_0000001340305633.png new file mode 100644 index 000000000..28807ed30 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001340305633.png differ diff --git a/docs/wafd/umn/en-us_image_0000001340306233.png b/docs/wafd/umn/en-us_image_0000001340306233.png new file mode 100644 index 000000000..28807ed30 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001340306233.png differ diff --git a/docs/wafd/umn/en-us_image_0000001340306901.png b/docs/wafd/umn/en-us_image_0000001340306901.png new file mode 100644 index 000000000..28807ed30 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001340306901.png differ diff --git a/docs/wafd/umn/en-us_image_0000001340308129.png b/docs/wafd/umn/en-us_image_0000001340308129.png new file mode 100644 index 000000000..28807ed30 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001340308129.png differ diff --git a/docs/wafd/umn/en-us_image_0000001340308381.png b/docs/wafd/umn/en-us_image_0000001340308381.png new file mode 100644 index 000000000..28807ed30 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001340308381.png differ diff --git a/docs/wafd/umn/en-us_image_0000001340424065.png b/docs/wafd/umn/en-us_image_0000001340424065.png new file mode 100644 index 000000000..28807ed30 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001340424065.png differ diff --git a/docs/wafd/umn/en-us_image_0000001340424693.png b/docs/wafd/umn/en-us_image_0000001340424693.png new file mode 100644 index 000000000..28807ed30 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001340424693.png differ diff --git a/docs/wafd/umn/en-us_image_0000001340425481.png b/docs/wafd/umn/en-us_image_0000001340425481.png new file mode 100644 index 000000000..28807ed30 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001340425481.png differ diff --git a/docs/wafd/umn/en-us_image_0000001340426097.png b/docs/wafd/umn/en-us_image_0000001340426097.png new file mode 100644 index 000000000..28807ed30 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001340426097.png differ diff --git a/docs/wafd/umn/en-us_image_0000001340426101.png b/docs/wafd/umn/en-us_image_0000001340426101.png new file mode 100644 index 000000000..28807ed30 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001340426101.png differ diff --git a/docs/wafd/umn/en-us_image_0000001340427973.png b/docs/wafd/umn/en-us_image_0000001340427973.png new file mode 100644 index 000000000..28807ed30 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001340427973.png differ diff --git a/docs/wafd/umn/en-us_image_0000001340583529.png b/docs/wafd/umn/en-us_image_0000001340583529.png new file mode 100644 index 000000000..28807ed30 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001340583529.png differ diff --git a/docs/wafd/umn/en-us_image_0000001340585565.png b/docs/wafd/umn/en-us_image_0000001340585565.png new file mode 100644 index 000000000..28807ed30 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001340585565.png differ diff --git a/docs/wafd/umn/en-us_image_0000001340585569.png b/docs/wafd/umn/en-us_image_0000001340585569.png new file mode 100644 index 000000000..28807ed30 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001340585569.png differ diff --git a/docs/wafd/umn/en-us_image_0000001340586225.png b/docs/wafd/umn/en-us_image_0000001340586225.png new file mode 100644 index 000000000..28807ed30 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001340586225.png differ diff --git a/docs/wafd/umn/en-us_image_0000001340663937.png b/docs/wafd/umn/en-us_image_0000001340663937.png new file mode 100644 index 000000000..28807ed30 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001340663937.png differ diff --git a/docs/wafd/umn/en-us_image_0000001340665981.png b/docs/wafd/umn/en-us_image_0000001340665981.png new file mode 100644 index 000000000..28807ed30 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001340665981.png differ diff --git a/docs/wafd/umn/en-us_image_0000001340666645.png b/docs/wafd/umn/en-us_image_0000001340666645.png new file mode 100644 index 000000000..28807ed30 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001340666645.png differ diff --git a/docs/wafd/umn/en-us_image_0000001340667861.png b/docs/wafd/umn/en-us_image_0000001340667861.png new file mode 100644 index 000000000..28807ed30 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001340667861.png differ diff --git a/docs/wafd/umn/en-us_image_0000001344294497.png b/docs/wafd/umn/en-us_image_0000001344294497.png new file mode 100644 index 000000000..bb0ac5a7f Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001344294497.png differ diff --git a/docs/wafd/umn/en-us_image_0000001344977541.png b/docs/wafd/umn/en-us_image_0000001344977541.png new file mode 100644 index 000000000..4d9ceca7c Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001344977541.png differ diff --git a/docs/wafd/umn/en-us_image_0000001345013254.png b/docs/wafd/umn/en-us_image_0000001345013254.png new file mode 100644 index 000000000..7aabd8ec9 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001345013254.png differ diff --git a/docs/wafd/umn/en-us_image_0000001345013500.png b/docs/wafd/umn/en-us_image_0000001345013500.png new file mode 100644 index 000000000..3de8d42dd Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001345013500.png differ diff --git a/docs/wafd/umn/en-us_image_0000001345171226.png b/docs/wafd/umn/en-us_image_0000001345171226.png new file mode 100644 index 000000000..498f7b86e Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001345171226.png differ diff --git a/docs/wafd/umn/en-us_image_0000001345173294.png b/docs/wafd/umn/en-us_image_0000001345173294.png new file mode 100644 index 000000000..9e28eed01 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001345173294.png differ diff --git a/docs/wafd/umn/en-us_image_0000001345332674.png b/docs/wafd/umn/en-us_image_0000001345332674.png new file mode 100644 index 000000000..6148d7a20 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001345332674.png differ diff --git a/docs/wafd/umn/en-us_image_0000001345493078.png b/docs/wafd/umn/en-us_image_0000001345493078.png new file mode 100644 index 000000000..224322a89 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001345493078.png differ diff --git a/docs/wafd/umn/en-us_image_0000001377910101.png b/docs/wafd/umn/en-us_image_0000001377910101.png new file mode 100644 index 000000000..cabfab803 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001377910101.png differ diff --git a/docs/wafd/umn/en-us_image_0000001377911005.png b/docs/wafd/umn/en-us_image_0000001377911005.png new file mode 100644 index 000000000..38459a061 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001377911005.png differ diff --git a/docs/wafd/umn/en-us_image_0000001378030725.png b/docs/wafd/umn/en-us_image_0000001378030725.png new file mode 100644 index 000000000..f0d15611f Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001378030725.png differ diff --git a/docs/wafd/umn/en-us_image_0000001378108553.png b/docs/wafd/umn/en-us_image_0000001378108553.png new file mode 100644 index 000000000..71c2b2b8b Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001378108553.png differ diff --git a/docs/wafd/umn/en-us_image_0000001379820401.jpg b/docs/wafd/umn/en-us_image_0000001379820401.jpg new file mode 100644 index 000000000..22c76c8e5 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001379820401.jpg differ diff --git a/docs/wafd/umn/en-us_image_0000001388712885.png b/docs/wafd/umn/en-us_image_0000001388712885.png new file mode 100644 index 000000000..52b476890 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001388712885.png differ diff --git a/docs/wafd/umn/en-us_image_0000001388786649.png b/docs/wafd/umn/en-us_image_0000001388786649.png new file mode 100644 index 000000000..309cc70dd Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001388786649.png differ diff --git a/docs/wafd/umn/en-us_image_0000001395650509.png b/docs/wafd/umn/en-us_image_0000001395650509.png new file mode 100644 index 000000000..20937afed Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001395650509.png differ diff --git a/docs/wafd/umn/en-us_image_0000001395732753.png b/docs/wafd/umn/en-us_image_0000001395732753.png new file mode 100644 index 000000000..b72846c96 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001395732753.png differ diff --git a/docs/wafd/umn/en-us_image_0000001395732757.png b/docs/wafd/umn/en-us_image_0000001395732757.png new file mode 100644 index 000000000..89ada9eb1 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001395732757.png differ diff --git a/docs/wafd/umn/en-us_image_0000001395852973.png b/docs/wafd/umn/en-us_image_0000001395852973.png new file mode 100644 index 000000000..016757b22 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001395852973.png differ diff --git a/docs/wafd/umn/en-us_image_0000001395853109.png b/docs/wafd/umn/en-us_image_0000001395853109.png new file mode 100644 index 000000000..73d421be5 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001395853109.png differ diff --git a/docs/wafd/umn/en-us_image_0000001395970885.png b/docs/wafd/umn/en-us_image_0000001395970885.png new file mode 100644 index 000000000..425ca70eb Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001395970885.png differ diff --git a/docs/wafd/umn/en-us_image_0000001395970965.png b/docs/wafd/umn/en-us_image_0000001395970965.png new file mode 100644 index 000000000..b36aa0aea Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001395970965.png differ diff --git a/docs/wafd/umn/en-us_image_0000001395972785.png b/docs/wafd/umn/en-us_image_0000001395972785.png new file mode 100644 index 000000000..7ff247097 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001395972785.png differ diff --git a/docs/wafd/umn/en-us_image_0000001396154617.png b/docs/wafd/umn/en-us_image_0000001396154617.png new file mode 100644 index 000000000..60c75eb10 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001396154617.png differ diff --git a/docs/wafd/umn/en-us_image_0000001427503477.png b/docs/wafd/umn/en-us_image_0000001427503477.png new file mode 100644 index 000000000..a16b51288 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0000001427503477.png differ diff --git a/docs/wafd/umn/en-us_image_0167644254.jpg b/docs/wafd/umn/en-us_image_0167644254.jpg new file mode 100644 index 000000000..821271f43 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0167644254.jpg differ diff --git a/docs/wafd/umn/en-us_image_0168547060.png b/docs/wafd/umn/en-us_image_0168547060.png new file mode 100644 index 000000000..9ee58a13c Binary files /dev/null and b/docs/wafd/umn/en-us_image_0168547060.png differ diff --git a/docs/wafd/umn/en-us_image_0168632822.png b/docs/wafd/umn/en-us_image_0168632822.png new file mode 100644 index 000000000..0404e1d90 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0168632822.png differ diff --git a/docs/wafd/umn/en-us_image_0169130550.png b/docs/wafd/umn/en-us_image_0169130550.png new file mode 100644 index 000000000..c956debe4 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0169130550.png differ diff --git a/docs/wafd/umn/en-us_image_0210924450.jpg b/docs/wafd/umn/en-us_image_0210924450.jpg new file mode 100644 index 000000000..22c76c8e5 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0210924450.jpg differ diff --git a/docs/wafd/umn/en-us_image_0210924454.jpg b/docs/wafd/umn/en-us_image_0210924454.jpg new file mode 100644 index 000000000..821271f43 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0210924454.jpg differ diff --git a/docs/wafd/umn/en-us_image_0212852906.png b/docs/wafd/umn/en-us_image_0212852906.png new file mode 100644 index 000000000..6443d563d Binary files /dev/null and b/docs/wafd/umn/en-us_image_0212852906.png differ diff --git a/docs/wafd/umn/en-us_image_0234013368.png b/docs/wafd/umn/en-us_image_0234013368.png new file mode 100644 index 000000000..19b0e9bb0 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0234013368.png differ diff --git a/docs/wafd/umn/en-us_image_0246108677.png b/docs/wafd/umn/en-us_image_0246108677.png new file mode 100644 index 000000000..f9390c006 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0246108677.png differ diff --git a/docs/wafd/umn/en-us_image_0246108818.png b/docs/wafd/umn/en-us_image_0246108818.png new file mode 100644 index 000000000..27e55c1d3 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0246108818.png differ diff --git a/docs/wafd/umn/en-us_image_0246109037.png b/docs/wafd/umn/en-us_image_0246109037.png new file mode 100644 index 000000000..a7a3b246d Binary files /dev/null and b/docs/wafd/umn/en-us_image_0246109037.png differ diff --git a/docs/wafd/umn/en-us_image_0246112199.png b/docs/wafd/umn/en-us_image_0246112199.png new file mode 100644 index 000000000..2fdf96682 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0246112199.png differ diff --git a/docs/wafd/umn/en-us_image_0268155242.png b/docs/wafd/umn/en-us_image_0268155242.png new file mode 100644 index 000000000..ea6ebc5a8 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0268155242.png differ diff --git a/docs/wafd/umn/en-us_image_0269115287.png b/docs/wafd/umn/en-us_image_0269115287.png new file mode 100644 index 000000000..c44d82dce Binary files /dev/null and b/docs/wafd/umn/en-us_image_0269115287.png differ diff --git a/docs/wafd/umn/en-us_image_0269496734.png b/docs/wafd/umn/en-us_image_0269496734.png new file mode 100644 index 000000000..fec4196dc Binary files /dev/null and b/docs/wafd/umn/en-us_image_0269496734.png differ diff --git a/docs/wafd/umn/en-us_image_0269497434.jpg b/docs/wafd/umn/en-us_image_0269497434.jpg new file mode 100644 index 000000000..22c76c8e5 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0269497434.jpg differ diff --git a/docs/wafd/umn/en-us_image_0274310129.png b/docs/wafd/umn/en-us_image_0274310129.png new file mode 100644 index 000000000..5da9c223c Binary files /dev/null and b/docs/wafd/umn/en-us_image_0274310129.png differ diff --git a/docs/wafd/umn/en-us_image_0282893059.jpg b/docs/wafd/umn/en-us_image_0282893059.jpg new file mode 100644 index 000000000..821271f43 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0282893059.jpg differ diff --git a/docs/wafd/umn/en-us_image_0283637109.png b/docs/wafd/umn/en-us_image_0283637109.png new file mode 100644 index 000000000..b32fe9ff6 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0283637109.png differ diff --git a/docs/wafd/umn/en-us_image_0301168075.png b/docs/wafd/umn/en-us_image_0301168075.png new file mode 100644 index 000000000..9f433f712 Binary files /dev/null and b/docs/wafd/umn/en-us_image_0301168075.png differ diff --git a/docs/wafd/umn/public_sys-resources/caution_3.0-en-us.png b/docs/wafd/umn/public_sys-resources/caution_3.0-en-us.png new file mode 100644 index 000000000..60f607621 Binary files /dev/null and b/docs/wafd/umn/public_sys-resources/caution_3.0-en-us.png differ diff --git a/docs/wafd/umn/public_sys-resources/commonltr.css b/docs/wafd/umn/public_sys-resources/commonltr.css new file mode 100644 index 000000000..c5480b0ab --- /dev/null +++ b/docs/wafd/umn/public_sys-resources/commonltr.css @@ -0,0 +1 @@ +body{font-size:10pt;font-family:Arial;margin:1.5em;border-top:2pt;padding-top:1em;padding-bottom:2em}.msgph{font-family:Courier New}.rowlinecopyright{color:red;margin-top:10pt}.unresolved{background-color:skyblue}.noTemplate{background-color:yellow}.base{background-color:#fff}.nested0{margin-top:1em}.p{margin-top:.6em;margin-bottom:.6em}p{margin-top:.5em;margin-bottom:.5em}.note p{margin-top:.5em;margin-bottom:.5em}.tip p{margin-top:.5em;margin-bottom:.5em}.danger p{margin-top:.5em;margin-bottom:.5em}.notice p{margin-top:.5em;margin-bottom:.5em}.warning p{margin-top:.5em;margin-bottom:.5em}.caution p{margin-top:.5em;margin-bottom:.5em}.attention p{margin-top:.5em;margin-bottom:.5em}table p{margin-top:.2em;margin-bottom:.2em}table .p{margin-top:.4em;margin-bottom:.2em}.figcap{font-size:10pt}img{margin-top:.3em}.figdesc{font-style:normal}.figborder{border-style:solid;padding-left:3px;border-width:2px;padding-right:3px;margin-top:1em;border-color:Silver}.figsides{border-left:2px solid;padding-left:3px;border-right:2px solid;padding-right:3px;margin-top:1em;border-color:Silver}.figtop{border-top:2px solid;margin-top:1em;border-color:Silver}.figbottom{border-bottom:2px solid;border-color:Silver}.figtopbot{border-top:2px solid;border-bottom:2px solid;margin-top:1em;border-color:Silver}.fignone{font-size:10pt;margin-top:8pt;margin-bottom:8pt}.familylinks{margin-top:1.5em;margin-bottom:1em}.ullinks{list-style-type:none}.linklist{margin-bottom:1em}.linklistwithchild{margin-left:1.5em;margin-bottom:1em}.sublinklist{margin-left:1.5em;margin-bottom:1em}.relconcepts{margin-top:.6em;margin-bottom:.6em}.reltasks{margin-top:.6em;margin-bottom:.6em}.relref{margin-top:.6em;margin-bottom:.6em}.relinfo{margin-top:.6em;margin-bottom:.6em}.breadcrumb{font-size:smaller;margin-bottom:.6em}.prereq{margin-left:20px}.parentlink{margin-top:.6em;margin-bottom:.6em}.nextlink{margin-top:.6em;margin-bottom:.6em}.previouslink{margin-top:.6em;margin-bottom:.6em}.topictitle1{margin-top:0;margin-bottom:1em;font-size:14pt;color:#007af4}.topictitle2{margin-top:1pc;margin-bottom:.45em;font-size:1.17em;color:#007af4}.topictitle3{margin-top:1pc;margin-bottom:.17em;font-size:1.17em;font-weight:bold;color:#007af4}.topictitle4{margin-top:.83em;font-size:1.17em;font-weight:bold}.topictitle5{font-size:1.17em;font-weight:bold}.topictitle6{font-size:1.17em;font-style:italic}.sectiontitle{margin-top:1em;margin-bottom:1em;color:black;font-size:10.5pt;font-weight:bold;color:#007af4;overflow:auto}.section{margin-top:1em;margin-bottom:1em}.example{margin-top:1em;margin-bottom:1em}.sectiontitle2contents:link{color:#007af4}.sectiontitle2contents:visited{color:#800080}.note{margin-top:1em;margin-bottom:1em;background-color:#ffc}.notetitle{font-weight:bold}.notelisttitle{font-weight:bold}.tip{margin-top:1em;margin-bottom:1em;background-color:#ffc}.tiptitle{font-weight:bold}.fastpath{margin-top:1em;margin-bottom:1em;background-color:#ffc}.fastpathtitle{font-weight:bold}.important{margin-top:1em;margin-bottom:1em;background-color:#ffc}.importanttitle{font-weight:bold}.remember{margin-top:1em;margin-bottom:1em;background-color:#ffc}.remembertitle{font-weight:bold}.restriction{margin-top:1em;margin-bottom:1em;background-color:#ffc}.restrictiontitle{font-weight:bold}.attention{margin-top:1em;margin-bottom:1em;background-color:#ffc}.attentiontitle{font-weight:bold}.dangertitle{font-weight:bold}.danger{margin-top:1em;margin-bottom:1em;background-color:#ffc}.noticetitle{font-weight:bold}.notice{margin-top:1em;margin-bottom:1em;background-color:#ffc}.warningtitle{font-weight:bold}.warning{margin-top:1em;margin-bottom:1em;background-color:#ffc}.cautiontitle{font-weight:bold}.caution{margin-top:1em;margin-bottom:1em;background-color:#ffc}ul.simple{list-style-type:none}li ul{margin-top:.6em}li{margin-top:.6em;margin-bottom:.6em}.note li{margin-top:.2em;margin-bottom:.2em}.tip li{margin-top:.2em;margin-bottom:.2em}.danger li{margin-top:.2em;margin-bottom:.2em}.warning li{margin-top:.2em;margin-bottom:.2em}.notice li{margin-top:.2em;margin-bottom:.2em}.caution li{margin-top:.2em;margin-bottom:.2em}.attention li{margin-top:.2em;margin-bottom:.2em}table li{margin-top:.2em;margin-bottom:.2em}ol{margin-top:1em;margin-bottom:1em;margin-left:2.4em;padding-left:0}ul{margin-top:1em;margin-bottom:1em;margin-left:2.0em;padding-left:0}ol ul{list-style:disc}ul ul{list-style:square}ol ul ul{list-style:square}ol ul{list-style-type:disc}table ol{margin-top:.4em;margin-bottom:.4em;list-style:decimal}table ul{margin-top:.4em;margin-bottom:.4em;list-style:disc}table ul ul{margin-top:.4em;margin-bottom:.4em;list-style:square}table ol ol{margin-top:.4em;margin-bottom:.4em;list-style:lower-alpha}table ol ul{margin-top:.4em;margin-bottom:.4em;list-style:disc}table ul ol{margin-top:.4em;margin-bottom:.4em;list-style:decimal}.substepthirdol{list-style-type:lower-roman}.firstcol{font-weight:bold}th{background-color:#cfcfcf}table{margin-top:8pt;margin-bottom:12pt;width:100%}table caption{margin-top:8pt;text-align:left}.bold{font-weight:bold}.boldItalic{font-weight:bold;font-style:italic}.italic{font-style:italic}.underlined{text-decoration:underline}.var{font-style:italic}.shortcut{text-decoration:underline}.dlterm{font-weight:bold}dd{margin-top:.5em;margin-bottom:.5em}.dltermexpand{font-weight:bold;margin-top:1em}*[compact="yes"]>li{margin-top:0}*[compact="no"]>li{margin-top:.53em}.liexpand{margin-top:1em;margin-bottom:1em}.sliexpand{margin-top:1em;margin-bottom:1em}.dlexpand{margin-top:1em;margin-bottom:1em}.ddexpand{margin-top:1em;margin-bottom:1em}.stepexpand{margin-top:.3em;margin-bottom:.3em}.substepexpand{margin-top:.3em;margin-bottom:.3em}div.imageleft{text-align:left}div.imagecenter{text-align:center}div.imageright{text-align:right}div.imagejustify{text-align:justify}div.noblankline{text-align:center}div.noblankline img{margin-top:0}pre.screen{margin-top:2px;margin-bottom:2px;padding:1.5px 1.5px 0 1.5px;border:0;background-color:#ddd;white-space:pre}pre.codeblock{margin-top:2px;margin-bottom:2px;padding:1.5px 1.5px 0 1.5px;border:0;background-color:#ddd;white-space:pre}.hrcopyright{color:#3f4e5d;margin-top:18pt}.hwcopyright{text-align:center}.comment{margin:2px 2px 2px 2px;font-family:Arial;font-size:10pt;background-color:#bfb;color:#000}.dropdownAllButtonexpand{cursor:pointer;background-repeat:no-repeat;background-position:0 4px;padding-left:15px;background-image:url(icon-arrowrt.gif);text-decoration:underline;color:#007af4}.dropdownAllButtoncollapse{cursor:pointer;background-repeat:no-repeat;background-position:0 4px;padding-left:15px;background-image:url(icon-arrowdn.gif);text-decoration:underline;color:#007af4;text-decoration:underline;color:#007af4}.dropdowntitle{background-repeat:no-repeat;background-position:0 4px;padding-left:15px;cursor:pointer;text-decoration:underline;color:#007af4}.dropdownexpand .dropdowntitle{background-image:url(icon-arrowdn.gif);text-decoration:underline;color:#007af4;margin:0 0 8px 0}.dropdowncollapse .dropdowncontext{display:none}.dropdowncollapse .dropdowntitle{background-image:url(icon-arrowrt.gif);text-decoration:underline;color:#007af4}.dropdowncollapsetable{border:0}.dropdowncollapsetable .dropdowncontext{display:none}.dropdowncollapsetable .dropdowntitle{background-image:url(icon-arrowrt.gif);text-decoration:underline;color:#007af4}pre{font-size:10pt;font-weight:normal;margin-left:9;margin-top:2;margin-bottom:2}.termcolor{color:blue;cursor:pointer}#dhtmlgoodies_tooltip{background-color:#f0f0d2;border:1px solid #000;position:absolute;display:none;z-index:20000;padding:2px;font-size:.9em;-moz-border-radius:6px;font-family:"Trebuchet MS","Lucida Sans Unicode",Arial,sans-serif}#dhtmlgoodies_tooltipShadow{position:absolute;background-color:#555;display:none;z-index:10000;opacity:.7;filter:alpha(opacity=70);-khtml-opacity:.7;-moz-opacity:.7;-moz-border-radius:6px}.freeze{position:fixed;_position:absolute;_top:expression(eval(document.documentElement.scrollTop));left:10;top:0} \ No newline at end of file diff --git a/docs/wafd/umn/public_sys-resources/commonltr_print.css b/docs/wafd/umn/public_sys-resources/commonltr_print.css new file mode 100644 index 000000000..a59823141 --- /dev/null +++ b/docs/wafd/umn/public_sys-resources/commonltr_print.css @@ -0,0 +1 @@ +body{font-size:12.0pt;margin:1.5em;margin-left:1.6cm}.msgph{font-family:Courier New}.rowlinecopyright{color:red;margin-top:10pt}.unresolved{background-color:skyblue}.noTemplate{background-color:yellow}.base{background-color:#fff}.nested0{margin-top:1em}.p{margin-top:1em}p{margin-top:.5em;margin-bottom:.5em}.note p{margin-top:.5em;margin-bottom:.5em}.tip p{margin-top:.5em;margin-bottom:.5em}.danger p{margin-top:.5em;margin-bottom:.5em}.warning p{margin-top:.5em;margin-bottom:.5em}.notice p{margin-top:.5em;margin-bottom:.5em}.caution p{margin-top:.5em;margin-bottom:.5em}.attention p{margin-top:.5em;margin-bottom:.5em}table p{margin-top:.2em;margin-bottom:.2em}table .p{margin-top:.4em;margin-bottom:.2em}.covertable{border:0;width:100% cellpadding:8pt;cellspacing:8pt}.cover_productname{font-size:15.0pt;font-family:"Arial"}.cover_manualtitle{font-size:24.0pt;font-weight:bold;font-family:"Arial"}.cover_manualsubtitle{font-size:18.0pt;font-weight:bold;font-family:"Arial"}.cover_heading{font-size:12.0pt;font-weight:bold;font-family:"Arial"}.cover_text{font-size:9.0pt;font-family:"Arial"}.tocheading,.heading1,.topictitle1{margin-top:40.0pt;margin-right:0;margin-bottom:20.0pt;margin-left:-1cm;text-align:left;border:0;border-bottom:solid windowtext .5pt;font-size:22.0pt;font-family:"Arial";font-weight:bold}.topictitlenumber1{font-size:72.0pt;font-family:"Book Antiqua";font-weight:bold}.topictitle2{margin-top:10.0pt;margin-right:0;margin-bottom:8.0pt;margin-left:-1cm;text-indent:0;font-size:18.0pt;font-family:"Arial";font-weight:bold}.topictitle3{margin-top:10.0pt;margin-right:0;margin-bottom:8.0pt;margin-left:0;text-indent:0;font-size:16.0pt;font-family:"Book Antiqua";font-weight:bold}.topictitle4{margin-top:10.0pt;margin-right:0;margin-bottom:8.0pt;margin-left:0;text-indent:0;font-size:14.0pt;font-family:"Book Antiqua";font-weight:bold}.topictitle5{margin-top:10.0pt;margin-right:0;margin-bottom:8.0pt;margin-left:0;text-indent:0;font-size:13.0pt;font-family:"Book Antiqua";font-weight:bold}.blocklabel,.topictitle6{margin-top:15.0pt;margin-right:0;margin-bottom:4.0pt;margin-left:0;text-indent:0;font-size:13.0pt;font-family:"Book Antiqua";font-weight:bold}.sectiontitle{margin-top:15.0pt;margin-right:0;margin-bottom:4.0pt;margin-left:-1cm;text-indent:0;font-size:13.0pt;font-family:"Arial";font-weight:bold}.tocentry1{margin-top:8.0pt;margin-right:0;margin-bottom:4.0pt;margin-left:0;line-height:12.0pt;font-size:12.0pt;font-family:"Book Antiqua";font-weight:bold}.tocentry2{margin-top:4.0pt;margin-right:0;margin-bottom:4.0pt;margin-left:0;line-height:12.0pt;font-size:11.0pt;font-family:"Times New Roman"}.tocentry3{margin-top:4.0pt;margin-right:0;margin-bottom:4.0pt;margin-left:0;line-height:12.0pt;font-size:11.0pt;font-family:"Times New Roman"}.tocentry4{margin-top:4.0pt;margin-right:0;margin-bottom:4.0pt;margin-left:0;line-height:12.0pt;font-size:11.0pt;font-family:"Times New Roman"}.tocentry5{margin-top:4.0pt;margin-right:0;margin-bottom:4.0pt;margin-left:0;line-height:12.0pt;font-size:11.0pt;font-family:"Times New Roman"}.tofentry1{margin-top:8.0pt;margin-right:0;margin-bottom:4.0pt;margin-left:0;line-height:12.0pt;font-size:11.0pt;font-family:"Times New Roman";font-weight:normal}.totentry1{margin-top:8.0pt;margin-right:0;margin-bottom:4.0pt;margin-left:0;line-height:12.0pt;font-size:11.0pt;font-family:"Times New Roman";font-weight:normal}.indexheading{margin-top:15.0pt;margin-right:0;margin-bottom:4.0pt;margin-left:0;text-indent:0;font-size:13.0pt;font-family:"Book Antiqua";font-weight:bold}.indexentry1{margin-top:4pt;margin-right:0;margin-bottom:0;margin-left:0;line-height:12.0pt;font-size:12.0pt;font-family:"Times New Roman"}.indexentry2{margin-top:0;margin-right:0;margin-bottom:0;margin-left:24.0pt;line-height:12.0pt;font-size:12.0pt}.indexentry3{margin-top:0;margin-right:0;margin-bottom:0;margin-left:48pt;line-height:12.0pt;font-size:12.0pt}.figurenumber{font-weight:bold}.tablenumber{font-weight:bold}.familylinks{margin-top:1.5em;margin-bottom:1em}.figcap{font-size:11.0pt}.tablecap{font-size:11.0pt}.figdesc{font-style:normal}.fignone{margin-top:8.0pt}.figborder{border-style:solid;padding-left:3px;border-width:2px;padding-right:3px;margin-top:1em;border-color:Silver}.figsides{border-left:2px solid;padding-left:3px;border-right:2px solid;padding-right:3px;margin-top:1em;border-color:Silver}.figtop{border-top:2px solid;margin-top:1em;border-color:Silver}.figbottom{border-bottom:2px solid;border-color:Silver}.figtopbot{border-top:2px solid;border-bottom:2px solid;margin-top:1em;border-color:Silver}.ullinks{margin-left:0;list-style-type:none}.ulchildlink{margin-top:1em;margin-bottom:1em}.olchildlink{margin-top:1em;margin-bottom:1em;margin-left:1em}.linklist{margin-bottom:1em}.linklistwithchild{margin-left:1.5em;margin-bottom:1em}.sublinklist{margin-left:1.5em;margin-bottom:1em}.relconcepts{margin-left:1cm;margin-top:1em;margin-bottom:1em}.reltasks{margin-left:1cm;margin-top:1em;margin-bottom:1em}.relref{margin-left:1cm;margin-top:1em;margin-bottom:1em}.relinfo{margin-top:1em;margin-bottom:1em}.breadcrumb{font-size:smaller;margin-bottom:1em}.prereq{margin-left:0}.parentlink{margin-top:.6em;margin-bottom:.6em}.nextlink{margin-top:.6em;margin-bottom:.6em}.previouslink{margin-top:.6em;margin-bottom:.6em}.section{margin-top:1em;margin-bottom:1em}.example{margin-top:1em;margin-bottom:1em}table .note{margin-top:1em;margin-bottom:1em;border:0;font-size:10.0pt;font-family:"Times New Roman"}.note{margin-top:1em;margin-bottom:1em;border:0;font-size:10.0pt;border-top:solid .5pt;border-bottom:solid .5pt}.notetitle{font-weight:bold;font-size:11.0pt}.notelisttitle{font-weight:bold}table .tip{margin-top:1em;margin-bottom:1em;border:0;font-size:10.0pt;font-family:"Times New Roman"}.tip{margin-top:1em;margin-bottom:1em;border:0;font-size:10.0pt;border-top:solid .5pt;border-bottom:solid .5pt}.tiptitle{font-weight:bold;font-size:11.0pt}table .fastpath{margin-top:1em;margin-bottom:1em;border:0;font-size:10.0pt;font-family:"Times New Roman"}.fastpath{margin-top:1em;margin-bottom:1em;border:0;font-size:10.0pt;border-top:solid .5pt;border-bottom:solid .5pt}.fastpathtitle{font-weight:bold;font-size:11.0pt}table .important{margin-top:1em;margin-bottom:1em;border:0;font-size:10.0pt;font-family:"Times New Roman";font-style:italic}.important{margin-top:1em;margin-bottom:1em;border:0;font-size:10.0pt;border-top:solid .5pt;border-bottom:solid .5pt}.importanttitle{font-weight:bold;font-size:11.0pt}table .remember{margin-top:1em;margin-bottom:1em;border:0;font-size:10.0pt;font-family:"Times New Roman";font-style:italic}.remember{margin-top:1em;margin-bottom:1em;border:0;font-size:10.0pt;border-top:solid .5pt;border-bottom:solid .5pt}.remembertitle{font-weight:bold;font-size:11.0pt}table .restriction{margin-top:1em;margin-bottom:1em;border:0;font-size:10.0pt;font-family:"Times New Roman";font-style:italic}.restriction{margin-top:1em;margin-bottom:1em;border:0;font-size:10.0pt;border-top:solid .5pt;border-bottom:solid .5pt}.restrictiontitle{font-weight:bold;font-size:11.0pt}table .attention{margin-top:1em;margin-bottom:1em;border:0;font-size:10.0pt;font-family:"Times New Roman"}.attention{margin-top:1em;margin-bottom:1em;border:0;border-top:solid .5pt;border-bottom:solid .5pt}.attentiontitle{font-weight:bold}table .danger{margin-top:1em;margin-bottom:1em;border:0;font-size:10.0pt;font-family:"Times New Roman"}.dangertitle{font-weight:bold}.danger{margin-top:1em;margin-bottom:1em;border:0;border-top:solid .5pt;border-bottom:solid .5pt}table .notice{margin-top:1em;margin-bottom:1em;border:0;font-size:10.0pt;font-family:"Times New Roman"}.noticetitle{font-weight:bold}.notice{margin-top:1em;margin-bottom:1em;border:0;border-top:solid .5pt;border-bottom:solid .5pt}table .warning{margin-top:1em;margin-bottom:1em;border:0;font-size:10.0pt;font-family:"Times New Roman"}.warningtitle{font-weight:bold}.warning{margin-top:1em;margin-bottom:1em;border:0;border-top:solid .5pt;border-bottom:solid .5pt}table .caution{margin-top:1em;margin-bottom:1em;border:0;font-size:10.0pt;font-family:"Times New Roman"}table caption{margin-top:8pt;text-align:left;font-weight:bold}.tablenoborder{margin-top:8pt}.cautiontitle{font-weight:bold}.caution{margin-top:1em;margin-bottom:1em;border:0;border-top:solid .5pt;border-bottom:solid .5pt}ul.simple{list-style-type:none}li ul{margin-top:.6em}li{margin-top:.6em;margin-bottom:.6em}.note li{margin-top:.2em;margin-bottom:.2em}.tip li{margin-top:.2em;margin-bottom:.2em}.danger li{margin-top:.2em;margin-bottom:.2em}.warning li{margin-top:.2em;margin-bottom:.2em}.notice li{margin-top:.2em;margin-bottom:.2em}.caution li{margin-top:.2em;margin-bottom:.2em}.attention li{margin-top:.2em;margin-bottom:.2em}table li{margin-top:.2em;margin-bottom:.2em}.firstcol{font-weight:bold}th{background-color:#cfcfcf}.bold{font-weight:bold}.boldItalic{font-weight:bold;font-style:italic}.italic{font-style:italic}.underlined{text-decoration:underline}.var{font-style:italic}.shortcut{text-decoration:underline}.dlterm{font-weight:bold}dd{margin-top:.5em;margin-bottom:.5em}.dltermexpand{font-weight:bold;margin-top:1em}*[compact="yes"]>li{margin-top:0}*[compact="no"]>li{margin-top:.53em}.liexpand{margin-top:1em;margin-bottom:1em}.sliexpand{margin-top:1em;margin-bottom:1em}.dlexpand{margin-top:1em;margin-bottom:1em}.ddexpand{margin-top:1em;margin-bottom:1em}.stepexpand{margin-top:1em;margin-bottom:1em}.substepexpand{margin-top:1em;margin-bottom:1em}table{margin-top:8pt;margin-bottom:10.0pt;width:100%}thead{font-size:10.0pt;font-family:"Book Antiqua";font-weight:bold}tbody{font-size:11.0pt}ol{margin-top:1em;margin-bottom:1em;margin-left:1.7em;-webkit-padding-start:0}ul{margin-top:1em;margin-bottom:1em;margin-left:1.2em;-webkit-padding-start:0}ol ul{list-style:disc}ul ul{list-style:square}ol ol{list-style-type:lower-alpha}table ol{margin-top:.4em;margin-bottom:.4em;list-style:decimal}table ul{margin-top:.4em;margin-bottom:.4em;list-style:disc}table ul ul{margin-top:.4em;margin-bottom:.4em;list-style:square}table ol ol{margin-top:.4em;margin-bottom:.4em;list-style:lower-alpha}table ol ul{margin-top:.4em;margin-bottom:.4em;list-style:disc}table ul ol{margin-top:.4em;margin-bottom:.4em;list-style:decimal}.substepthirdol{list-style-type:lower-roman}div.imageleft{text-align:left}div.imagecenter{text-align:center}div.imageright{text-align:right}div.imagejustify{text-align:justify}div.noblankline{text-align:center}div.noblankline img{margin-top:0}pre{font-size:10.0pt;border-width:2px;padding:2px;margin-top:5px;margin-bottom:5px;white-space:pre-wrap;white-space:-moz-pre-wrap;white-space:-pre-wrap;white-space:-o-pre-wrap;word-wrap:break-word}pre.screen{margin-top:2px;margin-bottom:2px;padding:1.5px 1.5px 0 1.5px;border:0;white-space:pre}pre.codeblock{margin-top:2px;margin-bottom:2px;padding:1.5px 1.5px 0 1.5px;border:0;white-space:pre}.dropdownAllButtonexpand{cursor:pointer;background-repeat:no-repeat;background-position:0 4px;padding-left:15px;background-image:url(icon-arrowrt.gif);text-decoration:underline;color:#007af4}.dropdownAllButtoncollapse{cursor:pointer;background-repeat:no-repeat;background-position:0 4px;padding-left:15px;background-image:url(icon-arrowdn.gif);text-decoration:underline;color:#007af4;text-decoration:underline;color:#007af4}.dropdowntitle{background-repeat:no-repeat;background-position:0 4px;padding-left:15px;cursor:pointer;text-decoration:underline;color:#007af4}.dropdownexpand .dropdowntitle{background-image:url(icon-arrowdn.gif);text-decoration:underline;color:#007af4;margin:0 0 8px 0}.dropdowncollapse .dropdowntitle{background-image:url(icon-arrowrt.gif);text-decoration:underline;color:#007af4;margin:0 0 8px 0}.dropdowncollapsetable .dropdowntitle{background-image:url(icon-arrowrt.gif);text-decoration:underline;color:#007af4;margin:0 0 8px 0}.prefacesectiontitle1{margin-top:10.0pt;margin-right:0;margin-bottom:8.0pt;margin-left:-1cm;text-indent:0;font-size:18.0pt;font-family:"Book Antiqua";font-weight:bold;overflow:auto}.termcolor{color:blue;cursor:pointer}#dhtmlgoodies_tooltip{background-color:#f0f0d2;border:1px solid #000;position:absolute;display:none;z-index:20000;padding:2px;font-size:.9em;-moz-border-radius:6px;font-family:"Trebuchet MS","Lucida Sans Unicode",Arial,sans-serif}#dhtmlgoodies_tooltipShadow{position:absolute;background-color:#555;display:none;z-index:10000;opacity:.7;filter:alpha(opacity=70);-khtml-opacity:.7;-moz-opacity:.7;-moz-border-radius:6px}.freeze{position:fixed;_position:absolute;_top:expression(eval(document.documentElement.scrollTop));left:10;top:0}.hrcopyright{color:#3f4e5d;margin-top:18pt;margin-left:-1cm}.hwcopyright{text-align:center;font-family:Arial;margin-left:-1cm} \ No newline at end of file diff --git a/docs/wafd/umn/public_sys-resources/commonrtl.css b/docs/wafd/umn/public_sys-resources/commonrtl.css new file mode 100644 index 000000000..f261da752 --- /dev/null +++ b/docs/wafd/umn/public_sys-resources/commonrtl.css @@ -0,0 +1,2 @@ +/*! Copyright (c) Huawei Technologies Co., Ltd. 2020-2022. All rights reserved. */.msgph{font-family:Courier New}.unresolved{background-color:#87ceeb}.noTemplate{background-color:#ff0}.base{background-color:#fff}/*! Add space for top level topics */.nested0,.p{margin-top:1em}/*! div with class=p is used for paragraphs that contain blocks, to keep the XHTML valid *//*! Default of italics to set apart figure captions */.figcap,.italic,.var{font-style:italic}.figdesc{font-style:normal}/*! Use @frame to create frames on figures */.figborder{padding-left:3px;padding-right:3px;margin-top:1em;border:2px solid Silver}.figsides{margin-top:1em;padding-left:3px;padding-right:3px;border-left:2px solid Silver;border-right:2px solid Silver}.figtop{border-top:2px solid Silver;margin-top:1em}.figbottom{border-bottom:2px solid Silver}.figtopbot{border-top:2px solid Silver;border-bottom:2px solid Silver;margin-top:1em}/*! Most link groups are created with
. Ensure they have space before and after. */.ullinks,ul.simple{list-style-type:none}.attention,.danger,.ddexpand,.dlexpand,.example,.fastpath,.important,.liexpand,.linklist,.note,.notice,.olchildlink,.relconcepts,.relinfo,.relref,.reltasks,.remember,.restriction,.section,.sliexpand,.stepexpand,.substepexpand,.tip,.ulchildlink,.warning{margin-top:1em;margin-bottom:1em}.linklistwithchild,.sublinklist{margin-top:1em;margin-right:1.5em;margin-bottom:1em}.breadcrumb{font-size:smaller;margin-bottom:1em}.prereq{margin-right:20px}/*! Set heading sizes, getting smaller for deeper nesting */.topictitle1{font-size:1.34em;margin-top:0;margin-bottom:.1em}.topictitle2,.topictitle3,.topictitle4,.topictitle5,.topictitle6,.sectiontitle{font-size:1.17em}.topictitle2{margin-top:1pc;margin-bottom:.45em}.topictitle3{margin-top:1pc;margin-bottom:.17em;font-weight:700}.topictitle4{margin-top:.83em;font-weight:700}.topictitle5{font-weight:700}.topictitle6{font-style:italic}.sectiontitle{margin-top:1em;margin-bottom:0;color:#000;font-weight:700}/*! All note formats have the same default presentation */.attentiontitle,.bold,.cautiontitle,.dangertitle,.dlterm,.fastpathtitle,.firstcol,.importanttitle,.notelisttitle,.notetitle,.noticetitle,.parmname,.remembertitle,.restrictiontitle,.tiptitle,.uicontrol,.warningtitle{font-weight:700}.caution{font-weight:700;margin-bottom:1em}/*! Simple lists do not get a bullet *//*! Used on the first column of a table, when rowheader="firstcol" is used *//*! Various basic phrase styles */.boldItalic{font-weight:700;font-style:italic}.shortcut,.underlined{text-decoration:underline}/*! 2008-10-27 keyword采用跟随上下文的样式 +*//*! Default of bold for definition list terms *//*! Use CSS to expand lists with @compact="no" */.dltermexpand{font-weight:700;margin-top:1em}[compact="yes"]>li{margin-top:0}[compact="no"]>li{margin-top:.53em}/*! Align images based on @align on topic/image */div.imageleft,.text-align-left{text-align:left}div.imagecenter,.text-align-center{text-align:center}div.imageright,.text-align-right{text-align:right}div.imagejustify,.text-align-justify{text-align:justify}.cellrowborder{border-right:0;border-top:0;border-left:1px solid;border-bottom:1px solid}.row-nocellborder{border-left:hidden;border-right:0;border-top:0;border-bottom:1px solid}.cell-norowborder{border-top:0;border-bottom:hidden;border-right:0;border-left:1px solid}.nocellnorowborder{border:0;border-left:hidden;border-bottom:hidden}pre.codeblock,pre.screen{padding:5px;border:outset;background-color:#ccc;margin-top:2px;margin-bottom:2px;white-space:pre} \ No newline at end of file diff --git a/docs/wafd/umn/public_sys-resources/danger_3.0-en-us.png b/docs/wafd/umn/public_sys-resources/danger_3.0-en-us.png new file mode 100644 index 000000000..47a9c7235 Binary files /dev/null and b/docs/wafd/umn/public_sys-resources/danger_3.0-en-us.png differ diff --git a/docs/wafd/umn/public_sys-resources/delta.gif b/docs/wafd/umn/public_sys-resources/delta.gif new file mode 100644 index 000000000..0d1b1f674 Binary files /dev/null and b/docs/wafd/umn/public_sys-resources/delta.gif differ diff --git a/docs/wafd/umn/public_sys-resources/deltaend.gif b/docs/wafd/umn/public_sys-resources/deltaend.gif new file mode 100644 index 000000000..cc7da0fc8 Binary files /dev/null and b/docs/wafd/umn/public_sys-resources/deltaend.gif differ diff --git a/docs/wafd/umn/public_sys-resources/icon-arrowdn.gif b/docs/wafd/umn/public_sys-resources/icon-arrowdn.gif new file mode 100644 index 000000000..84eec9be2 Binary files /dev/null and b/docs/wafd/umn/public_sys-resources/icon-arrowdn.gif differ diff --git a/docs/wafd/umn/public_sys-resources/icon-arrowrt.gif b/docs/wafd/umn/public_sys-resources/icon-arrowrt.gif new file mode 100644 index 000000000..39583d168 Binary files /dev/null and b/docs/wafd/umn/public_sys-resources/icon-arrowrt.gif differ diff --git a/docs/wafd/umn/public_sys-resources/icon-caution.gif b/docs/wafd/umn/public_sys-resources/icon-caution.gif new file mode 100644 index 000000000..079c79b26 Binary files /dev/null and b/docs/wafd/umn/public_sys-resources/icon-caution.gif differ diff --git a/docs/wafd/umn/public_sys-resources/icon-danger.gif b/docs/wafd/umn/public_sys-resources/icon-danger.gif new file mode 100644 index 000000000..079c79b26 Binary files /dev/null and b/docs/wafd/umn/public_sys-resources/icon-danger.gif differ diff --git a/docs/wafd/umn/public_sys-resources/icon-huawei.gif b/docs/wafd/umn/public_sys-resources/icon-huawei.gif new file mode 100644 index 000000000..a31d60f89 Binary files /dev/null and b/docs/wafd/umn/public_sys-resources/icon-huawei.gif differ diff --git a/docs/wafd/umn/public_sys-resources/icon-note.gif b/docs/wafd/umn/public_sys-resources/icon-note.gif new file mode 100644 index 000000000..31be2b039 Binary files /dev/null and b/docs/wafd/umn/public_sys-resources/icon-note.gif differ diff --git a/docs/wafd/umn/public_sys-resources/icon-notice.gif b/docs/wafd/umn/public_sys-resources/icon-notice.gif new file mode 100644 index 000000000..409070650 Binary files /dev/null and b/docs/wafd/umn/public_sys-resources/icon-notice.gif differ diff --git a/docs/wafd/umn/public_sys-resources/icon-tip.gif b/docs/wafd/umn/public_sys-resources/icon-tip.gif new file mode 100644 index 000000000..c47bae05c Binary files /dev/null and b/docs/wafd/umn/public_sys-resources/icon-tip.gif differ diff --git a/docs/wafd/umn/public_sys-resources/icon-warning.gif b/docs/wafd/umn/public_sys-resources/icon-warning.gif new file mode 100644 index 000000000..079c79b26 Binary files /dev/null and b/docs/wafd/umn/public_sys-resources/icon-warning.gif differ diff --git a/docs/wafd/umn/public_sys-resources/imageclose.gif b/docs/wafd/umn/public_sys-resources/imageclose.gif new file mode 100644 index 000000000..3a3344af4 Binary files /dev/null and b/docs/wafd/umn/public_sys-resources/imageclose.gif differ diff --git a/docs/wafd/umn/public_sys-resources/imageclosehover.gif b/docs/wafd/umn/public_sys-resources/imageclosehover.gif new file mode 100644 index 000000000..8699d5e36 Binary files /dev/null and b/docs/wafd/umn/public_sys-resources/imageclosehover.gif differ diff --git a/docs/wafd/umn/public_sys-resources/imagemax.gif b/docs/wafd/umn/public_sys-resources/imagemax.gif new file mode 100644 index 000000000..99c07dc25 Binary files /dev/null and b/docs/wafd/umn/public_sys-resources/imagemax.gif differ diff --git a/docs/wafd/umn/public_sys-resources/imagemaxhover.gif b/docs/wafd/umn/public_sys-resources/imagemaxhover.gif new file mode 100644 index 000000000..d01d77d6e Binary files /dev/null and b/docs/wafd/umn/public_sys-resources/imagemaxhover.gif differ diff --git a/docs/wafd/umn/public_sys-resources/macFFBgHack.png b/docs/wafd/umn/public_sys-resources/macFFBgHack.png new file mode 100644 index 000000000..ec811470c Binary files /dev/null and b/docs/wafd/umn/public_sys-resources/macFFBgHack.png differ diff --git a/docs/wafd/umn/public_sys-resources/note_3.0-en-us.png b/docs/wafd/umn/public_sys-resources/note_3.0-en-us.png new file mode 100644 index 000000000..57a0e1f53 Binary files /dev/null and b/docs/wafd/umn/public_sys-resources/note_3.0-en-us.png differ diff --git a/docs/wafd/umn/public_sys-resources/notice_3.0-en-us.png b/docs/wafd/umn/public_sys-resources/notice_3.0-en-us.png new file mode 100644 index 000000000..fa4b64990 Binary files /dev/null and b/docs/wafd/umn/public_sys-resources/notice_3.0-en-us.png differ diff --git a/docs/wafd/umn/public_sys-resources/thickbox.css b/docs/wafd/umn/public_sys-resources/thickbox.css new file mode 100644 index 000000000..aa0cf3743 --- /dev/null +++ b/docs/wafd/umn/public_sys-resources/thickbox.css @@ -0,0 +1 @@ +#TB_window{font:12px Arial,Helvetica,sans-serif;color:#333333;}#TB_secondLine{font:10px Arial,Helvetica,sans-serif;color:#666666;}#TB_window a:link{color:#666666;}#TB_window a:visited{color:#666666;}#TB_window a:hover{color:#000;}#TB_window a:active{color:#666666;}#TB_window a:focus{color:#666666;}#TB_overlay{position:fixed;z-index:100;top:0;left:0;height:100%;width:100%;}.TB_overlayMacFFBGHack{background:url(macFFBgHack.png) repeat;}.TB_overlayBG{background-color:#000;filter:alpha(opacity=30);-moz-opacity:.75;opacity:.75;}* html #TB_overlay{position:absolute;height:expression(document.body.scrollHeight>document.body.offsetHeight ? document.body.scrollHeight:document.body.offsetHeight+'px');}#TB_window{position:fixed;background:#ffffff;z-index:102;color:#000000;display:none;border:2px solid #525252;text-align:left;top:50%;left:50%;}* html #TB_window{position:absolute;margin-top:expression(0 - parseInt(this.offsetHeight / 2)+(TBWindowMargin = document.documentElement && document.documentElement.scrollTop || document.body.scrollTop)+'px');}#TB_window img#TB_Image{display:block;margin:0 auto;border-right:1px solid #ccc;border-bottom:1px solid #ccc;border-top:1px solid #666;border-left:1px solid #666;cursor:pointer;}#TB_caption{padding:7px 30px 10px 25px;float:left;}#TB_closeWindow{color:#999999;padding:8px 0 25px;font-size:12px;}#TB_closeWindow a{float:left;height:17px;line-height:100px;margin-left:10px;overflow:hidden;width:17px;}#TB_closeWindow a:hover{float:left;height:17px;line-height:100px;margin-left:10px;overflow:hidden;width:17px;}#TB_closeWindow a.imgadjust{background:url(imagemax.gif) no-repeat 0 top;}#TB_closeWindow a.imgclose{background:url(imageclose.gif) no-repeat 0 top;}#TB_closeWindow a.imgadjust:hover{background:url(imagemaxhover.gif) no-repeat 0 top;}#TB_closeWindow a.imgclose:hover{background:url(imageclosehover.gif) no-repeat 0 top;}.TB_padding{padding:5px 10px 10px;}#TB_closeAjaxWindow{padding:7px 10px 5px 0;margin-bottom:1px;text-align:right;float:right;}#TB_ajaxWindowTitle{float:left;padding:7px 0 5px 10px;margin-bottom:1px;}#TB_title{background-color:#e8e8e8;height:27px;}#TB_ajaxContent{clear:both;padding:2px 15px 15px 15px;overflow:auto;text-align:left;line-height:1.4em;}#TB_ajaxContent.TB_modal{padding:15px;}#TB_ajaxContent p{padding:5px 0 5px 0;}#TB_load{position:fixed;display:none;height:13px;width:208px;z-index:103;top:50%;left:50%;margin:-6px 0 0 -104px;}* html #TB_load{position:absolute;margin-top:expression(0 - parseInt(this.offsetHeight / 2)+(TBWindowMargin = document.documentElement && document.documentElement.scrollTop || document.body.scrollTop)+'px');}#TB_HideSelect{z-index:99;position:fixed;top:0;left:0;background-color:#fff;border:none;filter:alpha(opacity=0);-moz-opacity:0;opacity:0;height:100%;width:100%;}* html #TB_HideSelect{position:absolute;height:expression(document.body.scrollHeight>document.body.offsetHeight ? document.body.scrollHeight:document.body.offsetHeight+'px');}#TB_iframeContent{clear:both;border:none;margin-bottom:-1px;margin-top:1px;_margin-bottom:1px;} \ No newline at end of file diff --git a/docs/wafd/umn/public_sys-resources/warning_3.0-en-us.png b/docs/wafd/umn/public_sys-resources/warning_3.0-en-us.png new file mode 100644 index 000000000..def5c3565 Binary files /dev/null and b/docs/wafd/umn/public_sys-resources/warning_3.0-en-us.png differ diff --git a/docs/wafd/umn/waf_01_0001.html b/docs/wafd/umn/waf_01_0001.html new file mode 100644 index 000000000..05a329134 --- /dev/null +++ b/docs/wafd/umn/waf_01_0001.html @@ -0,0 +1,31 @@ + + +

Editing Server Information

+

This topic describes how to edit or add server information for a website to be protected.

+
Applicable scenarios:
  • Modify server information, including Client Protocol, Server Protocol, VPC, Server Address, and Server Port.
  • Add server configurations.
  • Update a certificate by referring to Updating a Certificate.
+
+

Prerequisites

A website has been added to WAF.

+
+

Impact on the System

Modifying the server configuration does not affect services.

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
  4. In the navigation pane, choose Website Settings.
  5. In the Domain Name column, click the domain name of the website to go to the basic information page.
  6. In the Server Information area, click .

    Figure 1 Server Information
    +

  7. On the Edit Server Information page, edit the server configurations (such as client protocol and associated certificate).

    • For details about certificate, see Updating a Certificate.
    • WAF supports configuring of multiple backend servers. To add a backend server, click Add.
    +
    +
    Figure 2 Edit Server Information
    +
    +

  8. Click Confirm.
+
+
+
+
+
Parent topic: Website Domain Name Management
+
+
+ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_0003.html b/docs/wafd/umn/waf_01_0003.html new file mode 100644 index 000000000..2a5d3da5a --- /dev/null +++ b/docs/wafd/umn/waf_01_0003.html @@ -0,0 +1,27 @@ + + +

Switching WAF Working Mode

+

You can change the working mode of WAF. WAF can work in Enabled or Suspended mode.

+

Prerequisites

The domain name of the website to be protected has been connected to WAF.

+
+

Application Scenarios

  • Enabled: In this mode, WAF defends your website against attacks based on configured policies.
  • Suspended: If a large number of normal requests are blocked, for example, status code 418 is frequently returned, then you can switch the mode to Suspended. In this mode, your website is not protected because WAF only forwards requests. It does not scan for or log attacks. This mode is risky. You are advised to use the false alarm masking rules to reduce false alarms.
+
+

Impact on the System

In the Suspended mode, your website is not protected because WAF only forwards requests. It does not scan for attacks. To avoid normal requests from being blocked, configure false alarm masking rules, instead of using the Suspended mode.

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
  4. In the navigation pane, choose Website Settings.
  5. In the Mode column of the row containing the target domain name, click and select a working mode.

    Figure 1 Switching WAF working mode
    +

+
+
+
+
+
Parent topic: Website Domain Name Management
+
+
+ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_0005.html b/docs/wafd/umn/waf_01_0005.html new file mode 100644 index 000000000..b6f70a39b --- /dev/null +++ b/docs/wafd/umn/waf_01_0005.html @@ -0,0 +1,27 @@ + + +

Removing a Protected Website from WAF

+

This topic describes how to remove a website from WAF if you no longer need to protect it.

+

Prerequisites

A website domain name has been added to WAF.

+
+

Impact on the System

It takes about a minute to remove a website from WAF, but once this action is started, it cannot be cancelled. Exercise caution when removing a website from WAF.

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
  4. In the navigation pane, choose Website Settings.
  5. In the row containing the website domain name you want to delete, click Delete in the Operation column.
  6. In the displayed confirmation dialog box, confirm the deletion.

    If you want to retain the policy applied to the domain name, select Retain the policy of this domain name.

    +
    Figure 1 Deleting a protected domain name from WAF
    +

  7. Click OK.

    If Domain name deleted successfully is displayed in the upper right corner, the domain name of the website was deleted.

    +

+
+
+
+
+
Parent topic: Website Domain Name Management
+
+
+ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_0007.html b/docs/wafd/umn/waf_01_0007.html new file mode 100644 index 000000000..f795d411e --- /dev/null +++ b/docs/wafd/umn/waf_01_0007.html @@ -0,0 +1,35 @@ + + +

Rule Configuration

+
+
+ +
+ diff --git a/docs/wafd/umn/waf_01_0008.html b/docs/wafd/umn/waf_01_0008.html new file mode 100644 index 000000000..7e9eafae9 --- /dev/null +++ b/docs/wafd/umn/waf_01_0008.html @@ -0,0 +1,163 @@ + + +

Configuring Basic Web Protection Rules

+

After this function is enabled, WAF can defend against common web attacks, such as SQL injections, XSS, remote overflow vulnerabilities, file inclusions, Bash vulnerabilities, remote command execution, directory traversal, sensitive file access, and command/code injections. You can also enable other checks in basic web protection, such as web shell detection, deep inspection against evasion attacks, and header inspection.

+

Basic web protection has two modes: Block and Log only.

+
+

Prerequisites

A website has been added to WAF.

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
  4. In the navigation pane, choose Website Settings.
  5. In the Policy column of the row containing the target website, click the number to go to the policy configuration page.
  6. In the Basic Web Protection configuration area, change Status and Mode as needed by referring to Table 1.

    Figure 1 Basic Web Protection configuration area
    + +
    + + + + + + + + + + +
    Table 1 Parameter description

    Parameter

    +

    Description

    +

    Status

    +

    Status of Basic Web Protection

    +
    • : enabled.
    • : disabled
    +

    Mode

    +
    • Block: WAF blocks and logs detected attacks.
    • Log only: WAF only logs detected attacks.
    +
    +
    +

  7. In the Basic Web Protection configuration area, click Advanced Settings.
  8. Click the Protection Status tab, and enable protection types one by one by referring to Table 3. Figure 2 shows an example.

    Figure 2 Basic web protection
    +
    1. Set the protection level.

      In the upper part of the page, set Protection Level to Low, Medium, or High. The default value is Medium.

      + +
      + + + + + + + + + + + + + +
      Table 2 Protection levels

      Protection Level

      +

      Description

      +

      Low

      +

      WAF only blocks the requests with obvious attack signatures.

      +

      If a large number of false alarms are reported, Low is recommended.

      +

      Medium

      +

      The default level is Medium, which meets a majority of web protection requirements.

      +

      High

      +

      At this level, WAF provides the finest granular protection and can intercept attacks with complex bypass features, such as Jolokia cyber attacks, common gateway interface (CGI) vulnerability detection, and Druid SQL injection attacks.

      +

      To let WAF defend against more attacks but make minimum effect on normal requests, observe your workloads for a period of time first. Then, configure a global protection whitelist rule and select High.

      +
      +
      +
    2. Set the protection type.

      By default, General Check is enabled. You can enable other protection types by referring to Table 3.

      +
      +
    + +
    + + + + + + + + + + + + + + + + +
    Table 3 Protection types

    Type

    +

    Description

    +

    General Check

    +

    Defends against attacks such as SQL injections, XSS, remote overflow vulnerabilities, file inclusions, Bash vulnerabilities, remote command execution, directory traversal, sensitive file access, and command/code injections. SQL injection attacks are mainly detected based on semantics.

    +
    NOTE:

    If you enable General Check, WAF checks your websites based on the built-in rules.

    +
    +

    Webshell Detection

    +

    Protects against web shells from upload interface.

    +
    NOTE:

    If you enable Webshell Detection, WAF detects web page Trojan horses inserted through the upload interface.

    +
    +

    Deep Inspection

    +

    Identifies and blocks evasion attacks, such as the ones that use homomorphic character obfuscation, command injection with deformed wildcard characters, UTF7, data URI scheme, and other techniques.

    +
    NOTE:

    If you enable Deep Inspection, WAF detects and defends against evasion attacks in depth.

    +
    +

    Header Inspection

    +

    This function is disabled by default. When it is disabled, General Check will check some of the header fields, such as User-Agent, Content-type, Accept-Language, and Cookie.

    +
    NOTE:

    If you enable this function, WAF checks all header fields in the requests.

    +
    +
    +
    +

  9. Click the Protection Rules tab to view details. For more details about the parameters, see Table 4.

    Click to search for a rule by CVE ID, Risk Severity, Application Type, or Protection Type.

    +
    + +
    + + + + + + + + + + + + + + + + + + + + + + +
    Table 4 Protection rules

    Parameter

    +

    Description

    +

    Rule ID

    +

    The protection rule ID, which is generated automatically.

    +

    Rule Description

    +

    Details of attacks the protection rule is configured for.

    +

    CVE ID

    +

    Common Vulnerabilities & Exposures (CVE) ID, which corresponds to the protection rule. For non-CVE vulnerabilities, a double dash (--) is displayed.

    +

    Risk Severity

    +

    The severity of the vulnerability, including:

    +
    • High
    • Medium
    • Low
    +

    Application Type

    +

    The application type the protection rule is used for.

    +

    Protection Type

    +

    The type of the protection rule. WAF can discover SQL injection, command injection, XSS attacks, XML external entity (XXE) injection, Expression Language (EL) Injection, CSRF, SSRF, local file inclusion, remote file inclusion, website Trojans, malicious crawlers, session fixation attacks, deserialization vulnerabilities, remote command execution, information leakage, DoS attacks, source code/data leakage.

    +
    +
    +

+
+

Protection Effect

If General Check is enabled and Mode is set to Block for your domain name, to verify WAF is protecting your website (www.example.com) against general check items:

+
  1. Clear the browser cache and enter the domain name in the address box of a browser to check whether the website is accessible.

    • If the website is inaccessible, connect the website domain name to WAF by following the instructions in Step 1: Add a Website to WAF.
    • If the website is accessible, go to Step 2.
    +

  2. Clear the browser cache and enter http://www.example.com?id=1%27%20or%201=1 in the address box of the browser to simulate an SQL injection attack.
  3. Return to the WAF console. In the navigation pane, choose Events. On the displayed page, view or download events data.
+
+
+
+
+
Parent topic: Rule Configuration
+
+
+ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_0009.html b/docs/wafd/umn/waf_01_0009.html new file mode 100644 index 000000000..5657323bb --- /dev/null +++ b/docs/wafd/umn/waf_01_0009.html @@ -0,0 +1,164 @@ + + +

Configuring a CC Attack Protection Rule

+

You can customize a CC attack protection rule to restrict access to a specific URL on your website based on an IP address, cookie, or Referer, mitigating CC attacks. To make your custom CC attack protection rules take effect, ensure that you have enabled CC attack protection.

+

Prerequisites

A website has been added to WAF.

+
+

Constraints

  • It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the Events page.
  • A reference table can be added to a CC attack protection rule. The reference table takes effect for all protected domain names.
  • A CC attack protection rule offers protective actions such as Verification code and Block for your choice. For example, you can configure a CC attack protection rule to block requests from a visit for 600 seconds by identifying their cookie (name field) if the visitor accessed a URL (for example, /admin*) of your website over 10 times within 60 seconds.
  • The path in a CC attack protection rule must be set to a URL (excluding the domain name). This parameter allows prefix match and exact match.
    • Prefix match: A path ending with * indicates that the path is used as a prefix. The * can be used as a wildcard value. For example, to protect /admin/test.php or /adminabc, you can set Path to /admin*.
    • Exact match: The path to be entered must be the same as the path to be protected. For example, to protect /admin, then Path must be set to /admin.
    +
+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
  4. In the navigation pane, choose Website Settings.
  1. In the Policy column of the row containing the target website, click the number to go to the policy configuration page.
  2. In the CC Attack Protection configuration area, change Status if needed and click Customize Rule to go to the CC Attack Protection page.

    Figure 1 CC Attack Protection configuration area
    +

  3. In the upper left corner of the CC Attack Protection page, click Add Rule.
  4. In the displayed dialog box, configure a CC attack protection rule by referring to Table 1.

    If a visitor whose cookie is name accesses a page on your website where the address includes /admin at the end (for example, https://www.example.com/adminlogic) more than 10 times within 60 seconds, WAF blocks the requests from visitors of the same cookie name for 600s and returns the page configured for Page Content. Figure 2 shows the configurations.
    Figure 2 Adding a CC attack protection rule
    + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Table 1 Rule parameters

    Parameter

    +

    Description

    +

    Example Value

    +

    Mode

    +
    • Standard: Only the protection path of a domain name can be restricted.
    • Advanced: The path, IP address, cookie, header, and params fields can all be restricted.
    +

    Standard

    +

    Path

    +

    Set this parameter only when Standard is selected for Mode.

    +

    Part of the URL without the domain name.

    +
    • Prefix match: A path ending with * indicates that the path is used as a prefix. The * can be used as a wildcard value. For example, to protect /admin/test.php or /adminabc, you can set Path to /admin*.
    • Exact match: The path to be entered must be the same as the path to be protected. For example, to protect /admin, then Path must be set to /admin.
    +
    NOTE:
    • The path supports prefix and exact matches only but does not support regular expressions.
    • The path cannot contain two or more consecutive slashes. For example, ///admin. If you enter ///admin, WAF will convert /// to /.
    • The path is case-sensitive.
    • If Path is set to /, all paths of the website are protected.
    +
    +

    /admin*

    +

    Condition List

    +

    Set this parameter only when Advanced is selected for Mode.

    +

    Click Add to add conditions. At least one condition is required, but up to 30 conditions are allowed. If you add more than one condition, the rule will only take effect if all of the conditions are met.

    +
    • Field: The options are Path, IP, Cookie, Header, and Params.
    • Subfield: Configure this field only when Cookie, Header, or Params is selected for Field.
      NOTICE:

      The length of a subfield cannot exceed 2048 bytes. Only digits, letters, underscores (_), and hyphens (-) are allowed.

      +
      +
    • Logic: Select a logical relationship from the drop-down list.
      NOTE:

      If you set Logic to Include any value, Exclude any value, Equal to any value, Not equal to any value, Prefix is any value, Prefix is not any of them, Suffix is any value, or Suffix is not any of them, select an existing reference table. For details, see Adding a Reference Table.

      +
      +
    • Content: Enter or select the content that matches the condition.
    +

    Path Include /admin

    +

    Rate Limit Mode

    +
    • Per IP address: A website visitor is identified by the IP address.
    • Per user: A website visitor is identified by the key value of Cookie or Header.
    • Other: A website visitor is identified by the Referer field (user-defined request source).
      NOTE:

      If you set Rate Limit Mode to Other, set Content of Referer to a complete URL containing the domain name. The Content field supports prefix match and exact match only, but cannot contain two or more consecutive slashes, for example, ///admin. If you enter ///admin, WAF will convert it to /admin.

      +

      For example, if Path is /admin, and you do not want visitors to access the page from www.test.com, set Content of Referer to http://www.test.com.

      +
      +
    +

    Per user

    +

    User Identifier

    +

    This parameter is mandatory when you select Per user for Rate Limit Mode.

    +
    • Cookie: A cookie field name. You need to configure an attribute variable name in the cookie that can uniquely identify a web visitor based on your website requirements. This field does not support regular expressions. Only complete matches are supported.

      For example, if a website uses the name field in the cookie to uniquely identify a website visitor, select name.

      +
    • Header: Set the user-defined HTTP header you want to protect. You need to configure the HTTP header that can identify web visitors based on your website requirements.
    +

    name

    +

    Rate Limit

    +

    The number of requests allowed from a website visitor in the rate limit period. If the number of requests exceeds the rate limit, WAF takes the action you configure for Protective Action.

    +

    All WAF instances: Requests to on one or more WAF instances will be counted together according to the rate limit mode you select. By default, requests to each WAF instance are counted. If you enable this, WAF will count requests to all your WAF instances for triggering this rule. To enable user-based rate limiting, Per user or Other (Referer must be configured) instead of Per IP address must be selected for Rate Limit Mode. This is because IP address-based rate limiting cannot limit the access rate of a specific user. However, in user-based rate limiting, requests may be forwarded to one or more WAF instances. Therefore, All WAF instances must be enabled for triggering the rule precisely.

    +

    10 requests allowed in 60 seconds

    +

    Protective Action

    +

    The action that WAF will take if the number of requests exceeds Rate Limit you configured. The options are as follows:

    +
    • Verification code: WAF allows requests that trigger the rule as long as your website visitors complete the required verification.
    • Block: WAF blocks requests that trigger the rule.
    • Block dynamically: WAF blocks requests that trigger the rule based on Allowable Frequency, which you configure after the first rate limit period is over.

      The protective action is supported only when Advanced is selected for Mode.

      +
    • Log only: WAF only logs requests that trigger the rule. You can download event data and view the protection logs of a specific domain name.
    +

    Block

    +

    Allowable Frequency

    +

    This parameter can be set if you select Block dynamically for Protective Action.

    +

    WAF blocks requests that trigger the rule based on Rate Limit first. Then, in the following rate limit period, WAF blocks requests that trigger the rule based on Allowable Frequency you configure.

    +

    Allowable Frequency cannot be larger than Rate Limit.

    +
    NOTE:

    If you set Allowable Frequency to 0, WAF blocks all requests that trigger the rule in the next rate limit period.

    +
    +

    8 requests allowed in 60 seconds

    +

    Block Duration

    +

    Period of time for which to block the item when you set Protective Action to Block.

    +

    600 seconds

    +

    Block Page

    +

    The page displayed if the maximum number of requests has been reached. This parameter is configured only when Protective Action is set to Block.

    +
    • If you select Default settings, the default block page is displayed.
    • If you select Custom, a custom error message is displayed.
    +

    Custom

    +

    Block Page Type

    +

    If you select Custom for Block Page, select a type of block page. The options are:

    +
    • application/jsontext/html
    • text/htmltext/xml
    • text/xml
    +

    text/html

    +

    Page Content

    +

    If you select Custom for Block Page, configure the content to be returned.

    +

    Page content styles corresponding to different page types are as follows:

    +
    • text/html: <html><body>Forbidden</body></html>
    • application/json: {"msg": "Forbidden"}
    • text/xml: <?xml version="1.0" encoding="utf-8"?><error> <msg>Forbidden</msg></error>
    +

    Rule Description

    +

    A description of the rule. This parameter is optional.

    +

    None

    +
    +
    +
    +

  5. Click Confirm. You can then view the added CC attack protection rule in the CC rule list.

    Figure 3 CC rule list
    +
    • To disable a rule, click Disable in the Operation column of the rule. The default Rule Status is Enabled.
    • To modify a rule, click Modify in the row containing the rule.
    • To delete a rule, click Delete in the row containing the rule.
    +

+
+

Protection Effect

If you have configured a CC attack protection rule for your domain name, with Protective Action set to Block, as shown in Figure 2, to verify WAF is protecting your website (www.example.com) against the configured CC attack protection rule:

+
  1. Clear the browser cache and enter the domain name in the address box of a browser to check whether the website is accessible.

    • If the website is inaccessible, connect the website domain name to WAF by following the instructions in Step 1: Add a Website to WAF.
    • If the website is accessible, go to Step 2.
    +

  2. Clear the browser cache, enter http://www.example.com/admin in the address bar, and refresh the page 10 times within 60 seconds. In normal cases, the custom block page will be displayed the eleventh time you refresh the page, and the requested page will be accessible when you refresh the page 600 seconds later.

    If you select Verification code for protective action, a verification code is required for visitors to continue the access if they exceed the configured rate limit.

    +

    +

  3. Return to the WAF console. In the navigation pane, choose Events. On the displayed page, view or download events data.
+
+
+
+
+
Parent topic: Rule Configuration
+
+
+ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_0010.html b/docs/wafd/umn/waf_01_0010.html new file mode 100644 index 000000000..527bf478e --- /dev/null +++ b/docs/wafd/umn/waf_01_0010.html @@ -0,0 +1,207 @@ + + +

Configuring a Precise Protection Rule

+

WAF allows you to customize protection rules by combining HTTP headers, cookies, URLs, request parameters, and client IP addresses.

+

You can combine common HTTP fields, such as IP, Path, Referer, User Agent, and Params in a protection rule to let WAF allow, block, or only log the requests that match the combined conditions.

+

A reference table can be added to a precise protection rule. The reference table takes effect for all protected domain names.

+

Prerequisites

A website has been added to WAF.

+
+

Application Scenarios

Precise protection rules are used for anti-leeching and website management background protection.

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
  4. In the navigation pane, choose Website Settings.
  5. In the Policy column of the row containing the target website, click the number to go to the policy configuration page.
  6. In the Precise Protection configuration area, change Status as needed and click Customize Rule to go to the Precise Protection page.

    Figure 1 Precise Protection configuration area
    +

    +

  7. On the Precise Protection page, set Detection Mode. Figure 2 shows an example.

    Two detection modes are available:
    • Instant Detection: If a request matches a configured precise protection rule, WAF immediately ends threat detection and blocks the request.
    • Full Detection: If a request matches a configured precise protection rule, WAF finishes its scan first and then blocks all requests that match the configured precise protection rule.
      Figure 2 Setting Detection Mode
      +
    +
    +

  8. Click Add Rule.
  9. In the displayed dialog box, add a rule by referring to Table 1.

    The settings shown in Figure 3 are used as an example. If a visitor tries to access a URL containing /admin, WAF will block the request.

    +

    To ensure that WAF blocks only attack requests, configure Protective Action to Log only first and check whether normal requests are blocked on the Events page. If no normal requests are blocked, configure Protective Action to Block.

    +
    +
    Figure 3 Add Precise Protection Rule
    +
    +
    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Table 1 Rule parameters

    Parameter

    +

    Description

    +

    Example Value

    +

    Protective Action

    +

    You can select Block, Allow, or Log only. Default value: Block

    +

    Block

    +

    Known Attack Source

    +

    If you set Protective Action to Block, you can select a blocking type for a known attack source rule. Then, WAF blocks requests matching the configured IP, Cookie, or Params for a length of time that depends on the selected blocking type.

    +

    Long-term IP address blocking

    +

    Effective Date

    +

    Select Immediate to enable the rule immediately, or select Custom to configure when you wish the rule to be enabled.

    +

    Immediate

    +

    Condition List

    +

    Click Add to add conditions. At least one condition needs to be added. You can add up to 30 conditions to a protection rule. If more than one condition is added, all of the conditions must be met for the rule to be applied. A condition includes the following parameters:

    +
    Parameters for configuring a condition are described as follows:
    • Field
    • Subfield: Configure this field only when Params, Cookie, or Header is selected for Field.
      NOTICE:

      The length of a subfield cannot exceed 2,048 bytes. Only digits, letters, underscores (_), and hyphens (-) are allowed.

      +
      +
    • Logic: Select a logical relationship from the drop-down list.
      NOTE:
      • If Include any value, Exclude any value, Equal to any value, Not equal to any value, Prefix is any value, Prefix is not any of them, Suffix is any value, or Suffix is not any of them is selected, select an existing reference table in the Content drop-down list. For details, see Adding a Reference Table.
      • Exclude any value, Not equal to any value, Prefix is not any of them, and Suffix is not any of them indicates, respectively, that WAF performs the protection action (block, allow, or log only) when the field in the access request does not contain, is not equal to, or the prefix or suffix is not any value set in the reference table. For example, assume that Path field is set to Exclude any value and the test reference table is selected. If test1, test2, and test3 are set in the test reference table, WAF performs the protection action when the path of the access request does not contain test1, test2, or test3.
      +
      +
    • Content: Enter or select the content of condition matching.
    +
    +
    NOTE:

    For more details about the configurations in general, see Table 2.

    +
    +

    Path Include /admin

    +

    Priority

    +

    Rule priority. If you have added multiple rules, rules are matched by priority. The smaller the value you set, the higher the priority.

    +

    +

    5

    +

    Rule Description

    +

    A brief description of the rule. This parameter is optional.

    +

    None

    +
    +
    + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Table 2 Condition list configurations

    Field

    +

    Example Subfield

    +

    Logic

    +

    Example Content

    +

    Path: Part of a URL that does not include a domain name. This value supports exact matches only. For example, if the path to be protected is /admin, Path must be set to /admin.

    +

    None

    +

    Select a logical relationship from the drop-down list.

    +

    /buy/phone/

    +
    NOTICE:

    If Path is set to /, all paths of the website are protected.

    +
    +

    User Agent: A user agent of the scanner to be checked.

    +

    None

    +

    Mozilla/5.0 (Windows NT 6.1)

    +

    IP: An IP address of the visitor for the protection.

    +

    None

    +

    XXX.XXX.1.1

    +

    Params: A request parameter.

    +

    sttl

    +

    201901150929

    +

    Referer: A user-defined request resource.

    +

    For example, if the protected path is /admin/xxx and you do not want visitors to access the page from www.test.com, set Content to http://www.test.com.

    +

    None

    +

    http://www.test.com

    +

    Cookie: A small piece of data to identify web visitors.

    +

    name

    +

    jsessionid

    +

    Header: A user-defined HTTP header.

    +

    Accept

    +

    text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8

    +

    Method: the user-defined request method.

    +

    None

    +

    GET, POST, PUT, DELETE, and PATCH

    +

    Request Line: Length of a user-defined request line.

    +

    None

    +

    50

    +

    Request: Length of a user-defined request. It includes the request header, request line, and request body.

    +

    None

    +

    None

    +

    Protocol: the protocol of the request.

    +

    None

    +

    http

    +
    +
    +
    +

  10. Click Confirm. You can then view the added precise protection rule in the protection rule list.

    Figure 4 Protection rules
    +
    • To disable a rule, click Disable in the Operation column of the rule. The default Rule Status is Enabled.
    • To modify a rule, click Modify in the row containing the rule.
    • To delete a rule, click Delete in the row containing the rule.
    +

+
+

Protection Effect

If you have configured a precise protection rule as shown in Figure 3 for your domain name, to verify WAF is protecting your website (www.example.com) against the rule:

+
  1. Clear the browser cache and enter the domain name in the address bar to check whether the website is accessible.

    • If the website is inaccessible, connect the website domain name to WAF by following the instructions in Step 1: Add a Website to WAF.
    • If the website is accessible, go to Step 2.
    +

  2. Clear the browser cache and enter http://www.example.com/admin (or any page containing /admin) in the address bar. Normally, WAF blocks the requests that meet the conditions and returns the block page.
  3. Return to the WAF console. In the navigation pane, click Events. On the displayed page, view or download events data.
+
+

Configuration Example - Blocking a Certain Type of Attack Requests

Analysis of a specific type of WordPress pingback attack shows that the User Agent field contains WordPress. See Figure 5.

+
Figure 5 WordPress pingback attack
+

A precise rule as shown in the figure can block this type of attack.

+
Figure 6 User Agent configuration
+
+
+
+
+
Parent topic: Rule Configuration
+
+
+ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_0012.html b/docs/wafd/umn/waf_01_0012.html new file mode 100644 index 000000000..3a5a3acfa --- /dev/null +++ b/docs/wafd/umn/waf_01_0012.html @@ -0,0 +1,85 @@ + + +

Configuring an IP Address Blacklist or Whitelist Rule

+

You can configure blacklist and whitelist rules to block, log only, or allow access requests from specific IP addresses or IP address ranges.

+

Prerequisites

A website has been added to WAF.

+
+

Constraints

  • WAF does not support batch import of blacklists or whitelists. To configure multiple IP address or IP address range rules, add blacklist and whitelist rules one by one to allow or block specified IP addresses or IP address ranges.
  • It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the Events page.
+
+

Impact on the System

If an IP address is added to a blacklist or whitelist, WAF blocks or allows requests from that IP address without checking whether the requests are malicious.

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
  4. In the navigation pane, choose Website Settings.
  5. In the Policy column of the row containing the target website, click the number to go to the policy configuration page.
  6. In the Blacklist and Whitelist configuration area, change Status as needed and click Customize Rule.

    Figure 1 Blacklist and Whitelist configuration area
    +

  7. In the upper left corner of the Blacklist and Whitelist page, click Add Rule.
  8. In the displayed dialog box, specify the parameters by referring to Table 1.

    • If you select Log only for Protective Action for an IP address, WAF only identifies and logs requests from the IP address.
    • Other IP addresses are evaluated based on other configured WAF protection rules.
    +
    +
    Figure 2 Adding a blacklist or whitelist rule
    + +
    + + + + + + + + + + + + + + + + + + + + + + + + + +
    Table 1 Rule parameters

    Parameter

    +

    Description

    +

    Example Value

    +

    Rule Name

    +

    Rule name you entered.

    +

    WAF

    +

    IP Address/Range

    +

    IP addresses or IP address ranges are supported.

    +
    • IP address: IP address to be added to the blacklist or whitelist
    • IP address range: IP address and subnet mask defining a network segment
    +

    XXX.XXX.2.3

    +

    Protective Action

    +
    • Block: Select Block if you want to blacklist an IP address or IP address range.
    • Allow: Select Allow if you want to whitelist an IP address or IP address range.
    • Log only: Select Log only if you want to observe an IP address or IP address range. Then, WAF determines whether the IP address or IP address range are blacklisted or whitelisted based on the events data.
    +

    Block

    +

    Known Attack Source

    +

    If you select Block for Protective Action, you can select a blocking type of a known attack source rule. WAF will block requests matching the configured IP address, Cookie, or Params for a length of time configured as part of the rule.

    +

    Long-term IP address blocking

    +

    Rule Description

    +

    A brief description of the rule. This parameter is optional.

    +

    None

    +
    +
    +
    +

  9. Click OK. You can then view the added rule in the list of blacklist and whitelist rules.

    Figure 3 Blacklist or whitelist rules
    +
    • To disable a rule, click Disable in the Operation column of the rule. The default Rule Status is Enabled.
    • To modify a rule, click Modify in the row containing the rule.
    • To delete a rule, click Delete in the row containing the rule.
    +

+
+

Protection Effect

If you have added domain name www.example.com to this rule, to verify WAF is protecting the corresponding website:

+
  1. Clear the browser cache and enter the domain name in the address bar to check whether the website is accessible.

    • If the website is inaccessible, connect the website domain name to WAF by following the instructions in Step 1: Add a Website to WAF.
    • If the website is accessible, go to Step 2.
    +

  2. Blacklist the IP address of a client according to the instructions in Procedure.
  3. Clear the browser cache and access http://www.example.com. Normally, WAF blocks such requests and returns the block page.
  4. Return to the WAF console. In the navigation pane, choose Events. On the displayed page, view or download events data.
+
+
+
+
+
Parent topic: Rule Configuration
+
+
+ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_0013.html b/docs/wafd/umn/waf_01_0013.html new file mode 100644 index 000000000..512f4bcdf --- /dev/null +++ b/docs/wafd/umn/waf_01_0013.html @@ -0,0 +1,65 @@ + + +

Configuring a Geolocation Access Control Rule

+

This topic describes how to configure a geolocation access control rule. A geolocation access control rule allows you to control IP addresses forwarded from or to specified countries and regions.

+

Prerequisites

A website has been added to WAF.

+
+

Constraints

  • One region can be configured in only one geolocation access control rule.
  • It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the Events page.
+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
  4. In the navigation pane, choose Website Settings.
  5. In the Policy column of the row containing the target website, click the number to go to the Policies page.
  6. In the Geolocation Access Control configuration area, change Status if needed and click Customize Rule.

    Figure 1 Geolocation Access Control configuration area
    +

  7. In the upper left corner of the Geolocation Access Control page, click Add Rule.
  8. In the displayed dialog box, add a geolocation access control rule by referring to Table 1.

    Figure 2 Adding a geolocation access control rule
    + +
    + + + + + + + + + + + + + + + + + +
    Table 1 Rule parameters

    Parameter

    +

    Description

    +

    Example Value

    +

    Rule Description

    +

    A brief description of the rule. This parameter is optional.

    +

    waf

    +

    Geolocation

    +

    Geographical scope of the IP address.

    +

    -

    +

    Protective Action

    +

    Action WAF will take if the rule is hit. You can select Block, Allow, or Log only.

    +

    Block

    +
    +
    +

  9. Click Confirm. You can then view the added rule in the list of the geolocation access control rules.

    Figure 3 List of geolocation access control rules
    +
    • To disable a rule, click Disable in the Operation column of the rule. The default Rule Status is Enabled.
    • To modify a rule, click Modify in the row containing the rule.
    • To delete a rule, click Delete in the row containing the rule.
    +

+
+

Protection Effect

To verify WAF is protecting your website (www.example.com) against a rule:

+
  1. Clear the browser cache and enter the domain name in the address box of a browser to check whether the website is accessible.

    • If the website is inaccessible, connect the website domain name to WAF by following the instructions in Step 1: Add a Website to WAF.
    • If the website is accessible, go to 2.
    +

  2. Add a geolocation access control rule by referring to Procedure.
  3. Clear the browser cache and access http://www.example.com. Normally, WAF blocks such requests and returns the block page.
  4. Go to the WAF console. In the navigation pane on the left, choose Events. On the displayed page, view or download events data.
+
+
+
+
+
Parent topic: Rule Configuration
+
+
+ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_0014.html b/docs/wafd/umn/waf_01_0014.html new file mode 100644 index 000000000..88cae314f --- /dev/null +++ b/docs/wafd/umn/waf_01_0014.html @@ -0,0 +1,73 @@ + + +

Configuring a Web Tamper Protection Rule

+
WAF can cache configuration for static web pages of websites. After you configure a web tamper protection rule, WAF can:
  • Return directly the cached web page to the normal web visitor to accelerate request response.
  • Return the cached original web pages to visitors if an attacker has tampered with the static web pages. This ensures that your website visitors always get the right web pages.
  • Protect all resources in the web page path. For example, if a web tamper protection rule is configured for static page www.example.com/admin, WAF protects all resources in the /admin directory.

    So, if the URL in the value of the Referer request header is the same as the configured anti-tamper path, for example, /admin, all resources (resources ending with png, jpg, jpeg, gif, bmp, css or js) hit by the request are also cached.

    +
+
+

Prerequisites

A website has been added to WAF.

+
+

Constraints

It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the Events page.

+
+

Application Scenarios

  • Quicker response to requests

    After a web tamper protection rule is configured, WAF caches static web pages on the server. When receiving a request from a web visitor, WAF directly returns the cached web page to the web visitor.

    +
  • Web tamper protection

    If an attacker modifies a static web page on the server, WAF still returns the cached original web page to visitors. Visitors never see the pages that were tampered with.

    +
+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
  4. In the navigation pane, choose Website Settings.
  5. In the Policy column of the row containing the target website, click the number to go to the Policies page.
  6. In the Web Tamper Protection configuration area, change Status if needed and click Customize Rule to go to the Web Tamper Protection page.

    Figure 1 Web Tamper Protection configuration area
    +

  7. In the upper left corner of the Web Tamper Protection page, click Add Rule.
  8. In the displayed dialog box, specify the parameters by referring to Table 1.

    Figure 2 Adding a web tamper protection rule
    + +
    + + + + + + + + + + + + + + + + + +
    Table 1 Rule parameters

    Parameter

    +

    Description

    +

    Example Value

    +

    Domain Name

    +

    Domain name of the website to be protected

    +

    www.example.com

    +

    Path

    +

    A part of the URL, not including the domain name

    +

    A URL is used to define the address of a web page. The basic URL format is as follows:

    +

    Protocol name://Domain name or IP address[:Port]/[Path/.../File name].

    +

    For example, if the URL is http://www.example.com/admin, set Path to /admin.

    +
    NOTE:
    • The path does not support regular expressions.
    • The path cannot contain two or more consecutive slashes. For example, ///admin. If you enter ///admin, WAF converts /// to /.
    +
    +

    /admin

    +

    Rule Description

    +

    A brief description of the rule. This parameter is optional.

    +

    None

    +
    +
    +

  9. Click Confirm. You can view the rule in the list of web tamper protection rules.

    Figure 3 List of web tamper protection rules
    +

+
+

Other Operations

  • To disable a rule, click Disable in the Operation column of the rule. The default Rule Status is Enabled.
  • To update cache of a protected web page, click Update Cache in the row containing the corresponding web tamper protection rule. If the rule fails to be updated, WAF will return the recently cached page but not the latest page.
  • To delete a rule, click Delete in the row containing the rule.
+
+
+
+
+
Parent topic: Rule Configuration
+
+
+ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_0015.html b/docs/wafd/umn/waf_01_0015.html new file mode 100644 index 000000000..e6738caab --- /dev/null +++ b/docs/wafd/umn/waf_01_0015.html @@ -0,0 +1,156 @@ + + +

Configuring Anti-Crawler Rules

+

You can configure website anti-crawler protection rules to protect against search engines, scanners, script tools, and other crawlers, and use JavaScript to create custom anti-crawler protection rules.

+

Prerequisites

A website has been added to WAF.

+
+

Constraints

  • Cookies must be enabled and JavaScript supported by any browser used to access a website protected by anti-crawler protection rules.
  • If your service is connected to CDN, exercise caution when using the JS anti-crawler function.

    CDN caching may impact JS anti-crawler performance and page accessibility.

    +
  • WAF only logs JavaScript challenge and JavaScript authentication events. No other protective actions can be configured for JavaScript challenge and authentication.
  • WAF JavaScript-based anti-crawler rules only check GET requests and do not check POST requests.
+
+

How JavaScript Anti-Crawler Protection Works

Figure 1 shows how JavaScript anti-crawler detection works, which includes JavaScript challenges (step 1 and step 2) and JavaScript authentication (step 3).

+
Figure 1 JavaScript Anti-Crawler protection process
+

If JavaScript anti-crawler is enabled when a client sends a request, WAF returns a piece of JavaScript code to the client.

+
  • If the client sends a normal request to the website, triggered by the received JavaScript code, the client will automatically send the request to WAF again. WAF then forwards the request to the origin server. This process is called JavaScript verification.
  • If the client is a crawler, it cannot be triggered by the received JavaScript code and will not send a request to WAF again. The client fails JavaScript authentication.
  • If a client crawler fabricates a WAF authentication request and sends the request to WAF, the WAF will block the request. The client fails JavaScript authentication.
+

By collecting statistics on the number of JavaScript challenges and authentication responses, the system calculates how many requests the JavaScript anti-crawler defends. In Figure 2, the JavaScript anti-crawler has logged 18 events, 16 of which are JavaScript challenge responses, and 2 of which are JavaScript authentication responses. Others is the number of WAF authentication requests fabricated by the crawler.

+
Figure 2 Parameters of a JavaScript anti-crawler protection rule
+

WAF only logs JavaScript challenge and JavaScript authentication events. No other protective actions can be configured for JavaScript challenge and authentication.

+
+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
  4. In the navigation pane, choose Website Settings.
  5. In the Policy column of the row containing the target website, click the number to go to the Policies page.
  6. In the Anti-Crawler configuration area, enable anti-crawler using the toggle on the right, as shown in Figure 3. If you enable this function, click Configure Anti-Crawler.

    Figure 3 Anti-Crawler configuration area
    +

  7. Select the Feature Library tab and enable the protection by referring to Table 1. Figure 4 shows an example.

    A feature-based anti-crawler rule has two protective actions:
    • Block

      WAF blocks and logs detected attacks.

      +
    • Log only

      Detected attacks are logged only. This is the default protective action.

      +
    +
    +
    Scanner is enabled by default, but you can enable other protection types if needed.
    Figure 4 Feature Library
    +
    +

    + +
    + + + + + + + + + + + + + + + + + + + + + +
    Table 1 Anti-crawler detection features

    Type

    +

    Description

    +

    Remarks

    +

    Search Engine

    +

    This rule is used to block web crawlers, such as Googlebot and Baiduspider, from collecting content from your site.

    +

    If you enable this rule, WAF detects and blocks search engine crawlers.

    +
    NOTE:

    If Search Engine is not enabled, WAF does not block POST requests from Googlebot or Baiduspider. If you want to block POST requests from Baiduspider, use the configuration described in Configuration Example - Search Engine.

    +
    +

    Scanner

    +

    This rule is used to block scanners, such as OpenVAS and Nmap. A scanner scans for vulnerabilities, viruses, and other jobs.

    +

    After you enable this rule, WAF detects and blocks scanner crawlers.

    +

    Script Tool

    +

    This rule is used to block script tools. A script tool is often used to execute automatic tasks and program scripts, such as HttpClient, OkHttp, and Python programs.

    +

    If you enable this rule, WAF detects and blocks the execution of automatic tasks and program scripts.

    +
    NOTE:

    If your application uses scripts such as HttpClient, OkHttp, and Python, disable Script Tool. Otherwise, WAF will identify such script tools as crawlers and block the application.

    +
    +

    Other

    +

    This rule is used to block crawlers used for other purposes, such as site monitoring, using access proxies, and web page analysis.

    +
    NOTE:

    To avoid being blocked by WAF, crawlers may use a large number of IP address proxies.

    +
    +

    If you enable this rule, WAF detects and blocks crawlers that are used for various purposes.

    +
    +
    +

  8. Select the JavaScript tab and configure Status and Protective Action.

    JavaScript anti-crawler is disabled by default. To enable it, click and click Confirm in the displayed dialog box. indicates that JavaScript anti-crawler is enabled.

    +
    Figure 5 JavaScript
    +
    • Cookies must be enabled and JavaScript supported by any browser used to access a website protected by anti-crawler protection rules.
    • If your service is connected to CDN, exercise caution when using the JS anti-crawler function.

      CDN caching may impact JS anti-crawler performance and page accessibility.

      +
    +
    +

  9. Configure a JavaScript-based anti-crawler rule by referring to Table 2.

    Two protective actions are provided: Protect all paths and Protect a specified path.

    +
    • To protect all paths except a specified path
      Select Protect all paths, but then in the upper left corner of the page, click Exclude Path. Configure the required parameters in the displayed dialog box and click OK.
      Figure 6 Exclude Path
      +
      +
    +
    • To protect a specified path only

      Select Protect a specified path. In the upper left corner of the page, click Add Path. In the displayed dialog box, configure required parameters and click OK.

      +
      Figure 7 Add Path
      +
    + +
    + + + + + + + + + + + + + + + + + + + + + +
    Table 2 Parameters of a JavaScript-based anti-crawler protection rule

    Parameter

    +

    Description

    +

    Example Value

    +

    Rule Name

    +

    Name of the rule

    +

    wafjs

    +

    Path

    +

    A part of the URL, not including the domain name

    +

    A URL is used to define the address of a web page. The basic URL format is as follows:

    +

    Protocol name://Domain name or IP address[:Port]/[Path/.../File name].

    +

    For example, if the URL is http://www.example.com/admin, set Path to /admin.

    +
    NOTE:
    • The path does not support regular expressions.
    • The path cannot contain two or more consecutive slashes. For example, ///admin. If you enter ///admin, WAF converts /// to /.
    +
    +

    /admin

    +

    Logic

    +

    Select a logical relationship from the drop-down list.

    +

    Include

    +

    Rule Description

    +

    A brief description of the rule.

    +

    None

    +
    +
    +

+
+

Other Operations

  • To disable a rule, click Disable in the Operation column of the rule. The default Rule Status is Enabled.
  • To modify a rule, click Modify in the row containing the rule.
  • To delete a rule, click Delete in the row containing the rule.
+
+

Configuration Example - Logging Script Crawlers Only

To verify that WAF is protecting domain name www.example.com against an anti-crawler rule:

+
  1. Execute a JavaScript tool to crawl web page content.
  2. On the Feature Library tab, enable Script Tool and select Log only for Protective Action. (If WAF detects an attack, it logs the attack only.)

    Figure 8 Enabling Script Tool
    +

  3. Enable anti-crawler protection.

    Figure 9 Anti-Crawler configuration area
    +

  4. In the navigation pane on the left, choose Events to go to the Events page.
+
+

Configuration Example - Search Engine

The following shows how to allow the search engine of Baidu or Google and block the POST request of Baidu.

+
  1. Set Status of Search Engine to by referring to the instructions in Step 6.
  2. Configure a precise protection rule by referring to Configuring a Precise Protection Rule, as shown in Figure 10.

    Figure 10 Blocking POST requests
    +

+
+
+
+
+
Parent topic: Rule Configuration
+
+
+ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_0016.html b/docs/wafd/umn/waf_01_0016.html new file mode 100644 index 000000000..42dfff7f7 --- /dev/null +++ b/docs/wafd/umn/waf_01_0016.html @@ -0,0 +1,124 @@ + + +

Configuring a Global Protection Whitelist (Formerly False Alarm Masking) Rule

+

Once an attack hits a WAF basic web protection rule or a feature-library anti-crawler rule, WAF will respond to the attack immediately according to the protective action (Log only or Block) you configured for the rule and display an event on the Events page.

+

You can add false alarm masking rules to let WAF ignore certain rule IDs or event types (for example, skip XSS checks for a specific URL).

+ +

Prerequisites

A website has been added to WAF.

+
+

Constraints

  • If you select Basic web protection for Ignore WAF Protection, global protection whitelist (formerly false alarm masking) rules take effect only for events triggered against WAF built-in rules in Basic Web Protection and anti-crawler rules under Feature Library.
    • Basic web protection rules

      Basic web protection defends against common web attacks, such as SQL injection, XSS attacks, remote buffer overflow attacks, file inclusion, Bash vulnerability exploits, remote command execution, directory traversal, sensitive file access, and command and code injections. Basic web protection also detects web shells and evasion attacks.

      +
    • Feature-based anti-crawler protection

      Feature-based anti-crawler identifies and blocks crawler behavior from search engines, scanners, script tools, and other crawlers.

      +
    +
  • It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the Events page.
  • You can configure a global protection whitelist (formerly false alarm masking) rule by referring to Handling False Alarms. After handling a false alarm, you can view the rule in the rule list.
+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
  4. In the navigation pane, choose Website Settings.
  5. In the Policy column of the row containing the target website, click the number to go to the Policies page.
  6. In the Global Protection Whitelist (Formerly False Alarm Masking) configuration area, click Status if needed. Then, click Customize Rule.

    Figure 1 Global Protection Whitelist configuration area
    +

  7. In the upper left corner of the Global Protection Whitelist page, click Add Rule.
  8. Add a global whitelist rule by referring to Table 1. Figure 2 shows an example.

    Figure 2 Add Global Protection Whitelist Rule
    +

    + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Table 1 Parameters

    Parameter

    +

    Description

    +

    Example Value

    +

    Scope

    +
    • All domain names: By default, this rule will be used to all domain names that are protected by the current policy.
    • Specified domain names: This rule will be used to the specified domain names that match the wildcard domain name being protected by the current policy.
    +

    Specified domain names

    +

    Domain Name

    +

    This parameter is mandatory when you select Specified domain names for Scope.

    +

    Enter a single domain name that matches the wildcard domain name being protected by the current policy.

    +

    www.example.com

    +

    Condition List

    +

    Click Add to add conditions. At least one condition needs to be added. You can add up to 30 conditions to a protection rule. If more than one condition is added, all of the conditions must be met for the rule to be applied. A condition includes the following parameters:

    +
    Parameters for configuring a condition are described as follows:
    • Field
    • Subfield: Configure this field only when Params, Cookie, or Header is selected for Field.
      NOTICE:

      The length of a subfield cannot exceed 2,048 bytes. Only digits, letters, underscores (_), and hyphens (-) are allowed.

      +
      +
    • Logic: Select a logical relationship from the drop-down list.
    • Content: Enter or select the content that matches the condition.
    +
    +

    Path, Include, /product

    +

    Ignore WAF Protection

    +
    • All protection: All WAF rules do not take effect, and WAF allows all request traffic to the domain names in the rule.
    • Basic Web Protection: You can ignore basic web protection by rule ID, attack type, or all built-in rules. For example, if XSS check is not required for a URL, you can whitelist XSS rule.
    +

    Basic Web Protection

    +

    Ignored Protection Type

    +

    If you select Basic web protection for Ignored Protection Type, specify the following parameters:

    +
    • ID: Configure the rule by event ID.
    • Attack type: Configure the rule by attack type, such as XSS and SQL injection. One type contains one or more rule IDs.
    • All built-in rules: all checks enabled in Basic Web Protection.
    +

    Attack type

    +

    ID

    +

    This parameter is mandatory when you select ID for Ignored Protection Type.

    +

    ID of an attack event on the Events page. If the event type is Custom, it has no event ID. Click Handle False Alarm in the row containing the attack event to obtain the ID. You are advised to configure global protection whitelist (formerly false alarm masking) rules on the Events page by referring to Handling False Alarms.

    +

    041046

    +

    Attack type

    +

    This parameter is mandatory when you select Attack type for Ignored Protection Type.

    +

    Select an attack type from the drop-down list box.

    +

    WAF can defend against XSS attacks, web shells, SQL injection attacks, malicious crawlers, remote file inclusions, local file inclusions, command injection attacks, and other attacks.

    +

    SQL injection

    +

    Rule Description

    +

    A brief description of the rule. This parameter is optional.

    +

    SQL injection attacks are not intercepted.

    +

    Advanced Settings

    +

    To ignore attacks of a specific field, specify the field in the Advanced Settings area. After you add the rule, WAF will stop blocking attack events of the specified field.

    +
    Select a target field from the first drop-down list box on the left. The following fields are supported: Params, Cookie, Header, Body, and Multipart.
    • If you select Params, Cookie, or Header, you can select All or Specified field to configure a subfield.
    • If you select Body or Multipart, you can select All.
    • If you select Cookie, the Domain Name and Path can be empty.
    +
    NOTE:

    If All is selected, WAF will not block all attack events of the selected field.

    +
    +
    +

    Params

    +

    All

    +
    +
    +

  9. Click OK.

    Figure 3 Global protection whitelist (formerly false alarm masking) rules
    +

+
+

Other Operations

  • To disable a rule, click Disable in the Operation column of the rule. The default Rule Status is Enabled.
  • To modify a global protection whitelist (formerly false alarm masking) rule, click Modify in the row containing the rule.
  • To delete a global protection whitelist (formerly false alarm masking) rule, click Delete in the row containing the rule.
+
+
+
+
+
Parent topic: Rule Configuration
+
+
+ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_0017.html b/docs/wafd/umn/waf_01_0017.html new file mode 100644 index 000000000..b4a5dc619 --- /dev/null +++ b/docs/wafd/umn/waf_01_0017.html @@ -0,0 +1,80 @@ + + +

Configuring a Data Masking Rule

+

This topic describes how to configure data masking rules. You can configure data masking rules to prevent sensitive data such as passwords from being displayed in event logs.

+

Prerequisites

A website has been added to WAF.

+
+

Constraints

  • It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the Events page.
+
+

Impact on the System

Sensitive data in the events will be masked to protect your website visitor's privacy.

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
  4. In the navigation pane, choose Website Settings.
  5. In the Policy column of the row containing the target website, click the number to go to the Policies page.
  6. In the Data Masking configuration area, change Status if needed and click Customize Rule.

    Figure 1 Data Masking configuration area
    +

  7. In the upper left corner of the Data Masking page, click Add Rule.
  8. In the displayed dialog box, specify the parameters described in Table 1.

    Figure 2 Adding a data masking rule
    + +
    + + + + + + + + + + + + + + + + + + + + +
    Table 1 Rule parameters

    Parameter

    +

    Description

    +

    Example Value

    +

    Path

    +

    Part of the URL that does not include the domain name.

    +
    • Prefix match: The path ending with * indicates that the path is used as a prefix. For example, if the path to be protected is /admin/test.php or /adminabc, set Path to /admin*.
    • Exact match: The path to be entered must match the path to be protected. If the path to be protected is /admin, set Path to /admin.
    +
    NOTE:
    • The path supports prefix and exact matches only and does not support regular expressions.
    • The path cannot contain two or more consecutive slashes. For example, ///admin. If you enter ///admin, WAF converts /// to /.
    +
    +

    /admin/login.php

    +

    For example, if the URL to be protected is http://www.example.com/admin/login.php, set Path to /admin/login.php.

    +

    Masked Field

    +
    A field set to be masked
    • Params: A request parameter
    • Cookie: A small piece of data to identify web visitors
    • Header: A user-defined HTTP header
    • Form: A form parameter
    +
    +
    • If Masked Field is Params and Field Name is id, content that matches id is masked.
    • If Masked Field is Cookie and Field Name is name, content that matches name is masked.
    +

    Field Name

    +

    Set the parameter based on Masked Field. The masked field will not be displayed in logs.

    +
    NOTICE:

    The length of a subfield cannot exceed 2,048 bytes. Only digits, letters, underscores (_), and hyphens (-) are allowed.

    +
    +

    Rule Description

    +

    A brief description of the rule. This parameter is optional.

    +

    None

    +
    +
    +

  9. Click Confirm. The added data masking rule is displayed in the list of data masking rules.
+
+

Other Operations

  • To disable a rule, click Disable in the Operation column of the rule. The default Rule Status is Enabled.
  • To modify a rule, click Modify in the row containing the rule.
  • To delete a rule, click Delete in the row containing the rule.
+
+

Configuration Example - Masking the Cookie Field

To verify that WAF is protecting your domain name www.example.com against a data masking rule (with Cookie selected for Masked Field and jsessionid entered in Field Name):

+
  1. Add a data masking rule.

    Figure 3 Select Cookie for Masked Field and enter jsessionid in Field Name.
    +

  2. Enable data masking.
  3. In the navigation pane on the left, choose Events.
  4. In the row containing the event hit the rule, click Details in the Operation column and view the event details.

    Data in the jsessionid cookie field is masked.

    +

+
+
+
+
+
Parent topic: Rule Configuration
+
+
+ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_0018.html b/docs/wafd/umn/waf_01_0018.html new file mode 100644 index 000000000..8c56784a0 --- /dev/null +++ b/docs/wafd/umn/waf_01_0018.html @@ -0,0 +1,15 @@ + + +

Event Management

+
+
+ +
+ diff --git a/docs/wafd/umn/waf_01_0020.html b/docs/wafd/umn/waf_01_0020.html new file mode 100644 index 000000000..5c7e270a1 --- /dev/null +++ b/docs/wafd/umn/waf_01_0020.html @@ -0,0 +1,74 @@ + + +

Viewing Basic Information

+

This topic describes how to view the basic information about a protected website, switch WAF working mode, and delete a domain name of a protected website from WAF.

+

Prerequisites

A website has been connected to WAF.

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
  4. In the navigation pane, choose Website Settings.
  5. View the protected website lists. For details about parameters, see Table 1.

    Figure 1 Website list
    +
    +
    + + + + + + + + + + + + + + + + + + + + + + + + + +
    Table 1 Parameter description

    Parameter

    +

    Description

    +

    Domain Name

    +

    Domain name or IP address of a website to be protected.

    +

    Deployment Mode

    +

    How your WAF instance is deployed for your website. Only Dedicated mode is available.

    +

    Last 3 Days

    +

    Protection status of the domain name over the past three days.

    +

    Mode

    +

    WAF mode of the protected domain name. Click Switch and select one of the following working modes: Click and select one of the following working mode:

    +
    • Enabled: WAF is enabled.
    • Suspended: WAF is disabled. If a large number of normal requests are blocked, for example, status code 418 is frequently returned, then you can switch the mode to Suspended. In this mode, your website is not protected because WAF only forwards requests. It does not scan for attacks. This mode is risky. You are advised to use the false alarm masking rules to reduce false alarms.
    +

    Policy

    +

    The total number of protection policies configured in WAF. You can click a number to go to the rule configuration page.

    +

    Access Progress/Status

    +

    The progress of connecting your website to WAF or the website access status.

    +

    Operation

    +

    To remove a protected website from WAF, click Delete.

    +
    WARNING:

    The deletion operation cannot be cancelled. Exercise caution when performing this operation.

    +
    +
    +
    +
    +

  6. In the Domain Name column, click the domain name of the website to go to the basic information page.
  7. View the basic information about the domain name of the protected website. Figure 2 shows an example.View the basic information about the protected website.

    Figure 2 Basic Information
    +
    • Update the certificate: If you select HTTPS for Client Protocol, an SSL certificate is required. To update the certificate, click next to the certificate name in the Certificate Name row. Then, in the displayed dialog box, upload a new certificate or select an existing certificate. For more details, see Updating a Certificate.
    • Update the TLS version and TLS cipher suite for accessing the origin server: If you select HTTPS for Client Protocol, you can change TLS version to a more secure one. To do so, click next to the TLS Configuration field. Then, in the displayed dialog box, select the desired TLS version and TLS cipher suite. For more details, see Configuring PCI DSS/3DS Certification Check and TLS Version.
    • Modify the field of Proxy Configured: Click . In the displayed dialog box, select Yes if your web server is using a proxy.
    • Customize the alarm page: Click . In the displayed dialog box, select Custom or Redirection and complete required configurations. By default, Alarm Page is Default.
    • If you want to set a timeout duration for each request, enable Timeout Settings and click to specify WAF-to-Server Connection Timeout (s), Read Timeout (s), and Write Timeout (s). This function cannot be disabled after being enabled. For details, see Configuring Connection Timeout.
    +

+
+
+
+
+
Parent topic: Website Domain Name Management
+
+
+ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_0021.html b/docs/wafd/umn/waf_01_0021.html new file mode 100644 index 000000000..b198b5aa7 --- /dev/null +++ b/docs/wafd/umn/waf_01_0021.html @@ -0,0 +1,126 @@ + + +

Dashboard

+

This topic describes how to view event logs, including attack and request statistics, event distribution, top 10 attacked domain names, top 10 attack source IP addresses, and top 10 attacked URLs in a specified time range, such as yesterday, today, past 3 days, past 7 days, or past 30 days.

+

Prerequisites

  • A domain name has been added and connected to WAF.
  • WAF protection is enabled.
  • At least one protection rule has been configured for the domain name.
+
+

Specification Limitations

On the Dashboard page, protection data of a maximum of 30 days can be viewed.

+
+

How to Calculate QPS

The QPS calculation method varies depending on the time range. For details, see Table 1.

+ +
+ + + + + + + + + + + + + + + + + + + + + +
Table 1 QPS calculation

Time Range

+

Average QPS Description

+

Peak QPS Description

+

Yesterday or Today

+

The QPS curve is made with the average QPSs in every minute.

+

The QPS curve is made with each peak QPS in every minute.

+

Past 3 days

+

The QPS curve is made with the average QPSs in every five minutes.

+

The QPS curve is made with each peak QPS in every five minutes.

+

Past 7 days

+

The QPS curve is made with the maximum value among the average QPSs in every five minutes at a 10-minute interval.

+

The QPS curve is made with each peak QPS in every 10 minutes.

+

Past 30 days

+

The QPS curve is made with the maximum value among the average QPSs in every five minutes at a one-hour interval.

+

The QPS curve is made with the peak QPSs in every hour.

+
+
+

Queries Per Second (QPS) indicates the number of requests per second. For example, an HTTP GET request is also called a query. The number of requests is the total number of requests in a specific time range.

+
+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
  4. In the upper part of the page, specify the website, instance, and time period you want to query.

    • By default, the information about all websites you add to WAF in all enterprise projects are displayed.
    • Domain Names: shows information about website domain names added to the WAF instance. Click View to go to the Website Settings page and view details about domain names of protected websites.
    • Query time: You can select Yesterday, Today, Past 3 days, Past 7 days, or Past 30 days.
    +
    Figure 1 Setting search criteria
    +

  5. View how many requests, attacks, and pages under each type of attacks.

    • Requests: shows the page views of the website, making it easy for you to view the total number of pages accessed by visitors in a certain period of time.
    • Attacks: shows how many times the website are attacked.
    • You can view how many pages are attacked by a certain type of attacks within a certain period of time.
    +
    Figure 2 Protection action statistics
    +

  6. Query security data in the Security Event Statistics area.

    By day: You can select this option to view the data gathered by the day. If you leave this option unselected, you have the following options:
    • Yesterday and Today: Security event data is gathered every 2 minutes.
    • Past 3 days: Security event data is gathered every 5 minutes.
    • Past 7 days: Security event data is gathered every 10 minutes.
    • Past 30 days: Security event data is gathered every hour.
    +
    +
    Figure 3 Security Event Statistics
    + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Table 2 Parameters in Security Event Statistics

    Parameter

    +

    Description

    +

    Requests

    +

    You can view how many requests for your website as well as total attacks and attacks of each attack type.

    +

    QPS

    +

    Average number of requests per second for the domain name. For details about the values of QPS, see How to Calculate QPS.

    +

    Queries Per Second (QPS) indicates the number of requests per second. For example, an HTTP GET request is also called a query.

    +

    Bandwidth

    +

    Bandwidth usage

    +

    Response Code

    +

    Response codes returned by WAF to the client or returned by the origin server to WAF along with the corresponding number of responses. You can click WAF to Client or Origin Server to WAF to view the corresponding information.

    +

    The number of response codes is accumulated based on the sequence of response codes (from left to right) in the lower part of the chart. The number of response codes is the difference between two lines. If the value of a response code is 0, the line of the response code overlaps that of the previous response code.

    +

    Event Distribution

    +

    Types of attack events

    +

    Click an area in the Event Distribution area to view the type, number, and proportion of an attack.

    +

    Top 10 Attacked Domain Names

    +

    The ten most attacked domain names and the number of attacks on each domain name.

    +

    Click View More to go to the Events page and view more protection data.

    +

    Top 10 Attack Source IP Addresses

    +

    The ten source IP addresses with the most attacks and the number of attacks from each source IP address.

    +

    Click View More to go to the Events page and view more protection data.

    +

    Top 10 Attacked URLs

    +

    The ten most attacked URLs and the number of attacks on each URL.

    +

    Click View More to go to the Events page and view more protection data.

    +
    +
    +

+
+
+ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_0022.html b/docs/wafd/umn/waf_01_0022.html new file mode 100644 index 000000000..392c5a82f --- /dev/null +++ b/docs/wafd/umn/waf_01_0022.html @@ -0,0 +1,17 @@ + + +

FAQs

+
+
+ +
+ diff --git a/docs/wafd/umn/waf_01_0024.html b/docs/wafd/umn/waf_01_0024.html new file mode 100644 index 000000000..b73715791 --- /dev/null +++ b/docs/wafd/umn/waf_01_0024.html @@ -0,0 +1,241 @@ + + +

Handling False Alarms

+

If you confirm that an attack event on the Events page is a false alarm, you can handle the event as false alarm by ignoring the URL and rule ID in basic web protection, or by deleting or disabling the corresponding protection rule you configured. After an attack event is handled as a false alarm, the event will not be displayed on the Events page anymore. You will no longer receive any alarm notifications about the event.

+

WAF detects attacks by using built-in basic web protection rules, built-in features in anti-crawler protection, and custom rules you configured (such as CC attack protection, precise access protection, blacklist, whitelist, and geolocation access control rules). WAF will respond to detected attacks based on the protective actions (such as Block and Log only) defined in the rules and display attack events on the Events page.

+

Prerequisites

There is at least one false alarm event in the event list.

+
+

Constraints

  • Only attack events blocked or recorded by preconfigured basic web protection rules and features in anti-crawler protection can be handled as false alarms.
  • For events generated based on custom rules (such as a CC attack protection rule, precise protection rule, blacklist rule, whitelist rule, or geolocation access control rule), they cannot be handled as false alarms. To ignore such an event, delete or disable the custom rule hit by the event.
  • An attack event can only be handled as a false alarm once.
+
+

Impact on the System

The attack event will not be displayed on the Events page. You will no longer receive any alarm notifications about the event.

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
  4. In the navigation pane on the left, choose Events.
  5. Select the Search tab. Select a website from the All protected websites drop-down list. Then, select Yesterday, Today, Past 3 days, Past 7 days, Past 30 days, or a custom time range. Figure 1 shows an example. Table 1 and Table 2 describe parameters.

    Figure 1 Viewing protection events
    + +
    + + + + + + + + + + + + + + + + + + + +
    Table 1 Event parameters

    Parameter

    +

    Description

    +

    Event Type

    +

    Type of attack.

    +

    By default, All is selected. You can view logs of all attack types or select an attack type to view corresponding attack logs.

    +

    Protective Action

    +

    The options are Block, Log only, and Verification code.

    +

    Source IP Address

    +

    Public IP address of the web visitor/attacker

    +

    By default, All is selected. You can view logs of all attack source IP addresses, select an attack source IP address, or enter an attack source IP address to view corresponding attack logs.

    +

    URL

    +

    Attacked URL

    +

    Event ID

    +

    ID of the event

    +
    +
    + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Table 2 Parameters in the event list

    Parameter

    +

    Description

    +

    Example Value

    +

    Time

    +

    When the attack occurred

    +

    2021/02/04 13:20:04

    +

    Source IP Address

    +

    Public IP address of the web visitor/attacker

    +

    None

    +

    Geolocation

    +

    Location where the IP address of the attack originates from

    +

    -

    +

    Domain Name

    +

    Attacked domain name

    +

    www.example.com

    +

    URL

    +

    Attacked URL

    +

    /admin

    +

    Malicious Load

    +

    The location or part of the attack that causes damage or the number of times that the URL was accessed.

    +
    NOTE:
    • In a CC attack, the malicious load indicates the number of times that the URL was accessed.
    • For blacklist protection events, the malicious load is left blank.
    +
    +

    id=1 and 1='1

    +

    Event Type

    +

    Type of attack

    +

    SQL injection

    +

    Protective Action

    +

    Protective actions configured in the rule. The options are Block, Log only, and Verification code.

    +
    NOTE:

    If an access request matches a web tamper protection rule, information leakage prevention rule, or data masking rule, the protective action is marked as Mismatch.

    +
    +

    Block

    +

    Status Code

    +

    HTTP status code returned on the block page.

    +

    418

    +
    +
    +

    To view event details, click Details in the Operation column of the event list.

    +
    +

  6. After you confirm that an event is a false alarm, click Handle False Alarm in the Operation column of the row and add a false alarm masking rule. Figure 2 shows an example. Table 3 describes parameters.

    Figure 2 Handling a false alarm
    +

    + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Table 3 Parameters

    Parameter

    +

    Description

    +

    Example Value

    +

    Scope

    +
    • All domain names: By default, this rule will be used to all domain names that are protected by the current policy.
    • Specified domain names: This rule will be used to the specified domain names that match the wildcard domain name being protected by the current policy.
    +

    Specified domain names

    +

    Domain Name

    +

    This parameter is mandatory when you select Specified domain names for Scope.

    +

    Enter a single domain name that matches the wildcard domain name being protected by the current policy.

    +

    www.example.com

    +

    Condition List

    +

    Click Add to add conditions. At least one condition needs to be added. You can add up to 30 conditions to a protection rule. If more than one condition is added, all of the conditions must be met for the rule to be applied. A condition includes the following parameters:

    +
    Parameters for configuring a condition are described as follows:
    • Field
    • Subfield: Configure this field only when Params, Cookie, or Header is selected for Field.
      NOTICE:

      The length of a subfield cannot exceed 2,048 bytes. Only digits, letters, underscores (_), and hyphens (-) are allowed.

      +
      +
    • Logic: Select a logical relationship from the drop-down list.
    • Content: Enter or select the content that matches the condition.
    +
    +

    Path, Include, /product

    +

    Ignore WAF Protection

    +
    • All protection: All WAF rules do not take effect, and WAF allows all request traffic to the domain names in the rule.
    • Basic Web Protection: You can ignore basic web protection by rule ID, attack type, or all built-in rules. For example, if XSS check is not required for a URL, you can whitelist XSS rule.
    +

    Basic Web Protection

    +

    Ignored Protection Type

    +

    If you select Basic web protection for Ignored Protection Type, specify the following parameters:

    +
    • ID: Configure the rule by event ID.
    • Attack type: Configure the rule by attack type, such as XSS and SQL injection. One type contains one or more rule IDs.
    • All built-in rules: all checks enabled in Basic Web Protection.
    +

    Attack type

    +

    ID

    +

    This parameter is mandatory when you select ID for Ignored Protection Type.

    +

    ID of an attack event on the Events page. If the event type is Custom, it has no event ID. Click Handle False Alarm in the row containing the attack event to obtain the ID. You are advised to configure global protection whitelist (formerly false alarm masking) rules on the Events page by referring to Handling False Alarms.

    +

    041046

    +

    Attack type

    +

    This parameter is mandatory when you select Attack type for Ignored Protection Type.

    +

    Select an attack type from the drop-down list box.

    +

    WAF can defend against XSS attacks, web shells, SQL injection attacks, malicious crawlers, remote file inclusions, local file inclusions, command injection attacks, and other attacks.

    +

    SQL injection

    +

    Rule Description

    +

    A brief description of the rule. This parameter is optional.

    +

    SQL injection attacks are not intercepted.

    +

    Advanced Settings

    +

    To ignore attacks of a specific field, specify the field in the Advanced Settings area. After you add the rule, WAF will stop blocking attack events of the specified field.

    +
    Select a target field from the first drop-down list box on the left. The following fields are supported: Params, Cookie, Header, Body, and Multipart.
    • If you select Params, Cookie, or Header, you can select All or Specified field to configure a subfield.
    • If you select Body or Multipart, you can select All.
    • If you select Cookie, the Domain Name and Path can be empty.
    +
    NOTE:

    If All is selected, WAF will not block all attack events of the selected field.

    +
    +
    +

    Params

    +

    All

    +
    +
    +

  7. Click OK.
+
+

Verification

A false alarm will be deleted within about a minute after the handling configuration is done. It will no longer be displayed in the attack event details list. You can refresh the browser cache and request the page for which the false alarm masking rule is configured to check whether the configuration takes effect.

+
+

Other Operations

If an event is handled as a false alarm, the rule hit will be added to the global protection whitelist (formerly false alarm masking) rule list. You can go to the Policies page and then switch to the Global Protection Whitelist (Formerly False Alarm Masking) page to manage the rule, including querying, disabling, deleting, and modifying the rule. For details, see Configuring a Global Protection Whitelist (Formerly False Alarm Masking) Rule.

+
+
+
+
+
Parent topic: Event Management
+
+
+ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_0025.html b/docs/wafd/umn/waf_01_0025.html new file mode 100644 index 000000000..bd72c334b --- /dev/null +++ b/docs/wafd/umn/waf_01_0025.html @@ -0,0 +1,17 @@ + + +

About WAF

+
+
+ + +
+
Parent topic: FAQs
+
+
+ diff --git a/docs/wafd/umn/waf_01_0026.html b/docs/wafd/umn/waf_01_0026.html new file mode 100644 index 000000000..acf7c83d9 --- /dev/null +++ b/docs/wafd/umn/waf_01_0026.html @@ -0,0 +1,11 @@ + + +

Which OSs Does WAF Support?

+

WAF is deployed on the cloud, which is irrelevant to an OS. Therefore, WAF supports any OS. A domain name server on any OS can be connected to WAF for protection.

+
+
+
+
Parent topic: WAF Functions
+
+
+ diff --git a/docs/wafd/umn/waf_01_0027.html b/docs/wafd/umn/waf_01_0027.html new file mode 100644 index 000000000..82c3da848 --- /dev/null +++ b/docs/wafd/umn/waf_01_0027.html @@ -0,0 +1,15 @@ + + +

Which Web Service Framework Protocols Does WAF Support?

+

WAF is deployed on the cloud.

+

Web Application Firewall (WAF) keeps web services stable and secure. It examines all HTTP and HTTPS requests to detect and block the following attacks: Structured Query Language (SQL) injection, cross-site scripting (XSS), web shells, command and code injections, file inclusion, sensitive file access, third-party vulnerability exploits, Challenge Collapsar (CC) attacks, malicious crawlers, and cross-site request forgery (CSRF).

+

WAF can examine the following requests:

+ +
+
+
+
Parent topic: WAF Functions
+
+
+ diff --git a/docs/wafd/umn/waf_01_0028.html b/docs/wafd/umn/waf_01_0028.html new file mode 100644 index 000000000..f4a5969eb --- /dev/null +++ b/docs/wafd/umn/waf_01_0028.html @@ -0,0 +1,22 @@ + + +

What Protection Rules Does WAF Support?

+

The protection rules supported by WAF are described below.

+ +
+
+
+
Parent topic: Others
+
+
+ diff --git a/docs/wafd/umn/waf_01_0029.html b/docs/wafd/umn/waf_01_0029.html new file mode 100644 index 000000000..9d16136eb --- /dev/null +++ b/docs/wafd/umn/waf_01_0029.html @@ -0,0 +1,15 @@ + + +

Can WAF Protect an IP Address?

+

A WAF instance can protect IP addresses.

+

Dedicated Mode

A dedicated or load balancing WAF instance can protect websites through either domain names or IP addresses.

+

The origin server IP address configured in WAF can be a public IP address or internal IP address.

+
+

For details about how to add a domain name to WAF, see How Do I Add a Domain Name/IP Address to WAF?.

+
+
+
+
Parent topic: WAF Functions
+
+
+ diff --git a/docs/wafd/umn/waf_01_0030.html b/docs/wafd/umn/waf_01_0030.html new file mode 100644 index 000000000..583979c15 --- /dev/null +++ b/docs/wafd/umn/waf_01_0030.html @@ -0,0 +1,11 @@ + + +

Which Layers Does WAF Provide Protection At?

+

WAF provides protection at seven layers, namely, the physical layer, data link layer, network layer, transport layer, session layer, presentation layer, and application layer.

+
+
+
+
Parent topic: WAF Functions
+
+
+ diff --git a/docs/wafd/umn/waf_01_0035.html b/docs/wafd/umn/waf_01_0035.html new file mode 100644 index 000000000..40dd73240 --- /dev/null +++ b/docs/wafd/umn/waf_01_0035.html @@ -0,0 +1,14 @@ + + +

How Do I Configure a CC Attack Protection Rule?

+

When a service interface is under an HTTP flood attack, you can set a CC attack protection rule on the WAF console to relieve service pressure.

+

WAF provides the following settings for a CC attack protection rule:

+ +

For details, see Configuring a CC Attack Protection Rule.

+
+
+
+
Parent topic: CC Attack Protection Rules
+
+
+ diff --git a/docs/wafd/umn/waf_01_0036.html b/docs/wafd/umn/waf_01_0036.html new file mode 100644 index 000000000..fa7dfe543 --- /dev/null +++ b/docs/wafd/umn/waf_01_0036.html @@ -0,0 +1,12 @@ + + +

When Is Cookie Used to Identify Users?

+

During the configuration of a CC attack protection rule, if IP addresses cannot identify users precisely, for example, when many users share an egress IP address, use Cookie to identify users.

+

If the cookie contains key values, such as the session value, of users, the key value can be used as the basis for identifying users.

+
+
+
+
Parent topic: CC Attack Protection Rules
+
+
+ diff --git a/docs/wafd/umn/waf_01_0038.html b/docs/wafd/umn/waf_01_0038.html new file mode 100644 index 000000000..b420ac2f5 --- /dev/null +++ b/docs/wafd/umn/waf_01_0038.html @@ -0,0 +1,52 @@ + + +

How Do I Handle False Alarms as WAF Blocks Normal Requests to My Website?

+

Once an attack hits a WAF rule, WAF will respond to the attack immediately according to the protective action (Log only or Block) you configured for the rule and display an event on the Events page.

+

If a large number of false alarms are reported for a specific service, handle them on the Events page. To do so, you can ignore the specific URL and rule ID. Then, WAF will no longer block the same type of request to the URL.

+

In the row containing the false alarm event, click Details in the Operation column and view the event details. If you are sure that the event is a false positive, handle it as a false alarm by referring to Table 1. After an event is handled as a false alarm, WAF stops blocking corresponding type of event. No such type of event will be displayed on the Events page and you will no longer receive alarm notifications accordingly.

+ +
+ + + + + + + + + + + + + + + + + +
Table 1 Handling false alarms

Type of Hit Rule

+

Hit Rule

+

Handling Method

+

WAF built-in protection rules

+
  • Basic web protection rules

    Basic web protection defends against common web attacks, such as SQL injection, XSS attacks, remote buffer overflow attacks, file inclusion, Bash vulnerability exploits, remote command execution, directory traversal, sensitive file access, and command and code injections. Basic web protection also detects web shells and evasion attacks.

    +
  • Feature-based anti-crawler protection

    Feature-based anti-crawler identifies and blocks crawler behavior from search engines, scanners, script tools, and other crawlers.

    +
+

In the row containing the attack event, click Handle False Alarm in the Operation column. For details, see Handling False Alarms.

+

Custom protection rules

+
  • CC attack protection rules
  • Precise protection rules
  • Blacklist and whitelist rules
  • Geolocation access control rules
  • Web tamper protection rules
  • JavaScript anti-crawler protection
  • Information leakage prevention rules
  • Data masking rules
+

Go to the page displaying the hit rule and delete it.

+

Other

+

Invalid access requests

+
NOTE:
If either of the following numbers in an access request exceeds 512, WAF blocks the access request as an invalid request:
  • Number of parameters in a form when form-data is used for POST or PUT requests
  • Number of URI parameters
+
+
+

Allow the blocked requests by referring to Configuring a Precise Protection Rule. The Handle False Alarm button for invalid access events are grayed out as such events are generated against a precise protection rule.

+
+
+

For details, see Handling False Alarms.

+
+
+
+
Parent topic: Service Interruption Check
+
+
+ diff --git a/docs/wafd/umn/waf_01_0041.html b/docs/wafd/umn/waf_01_0041.html new file mode 100644 index 000000000..b0f6f821d --- /dev/null +++ b/docs/wafd/umn/waf_01_0041.html @@ -0,0 +1,23 @@ + + +

How Do I Safely Delete a Protected Domain Name?

+

The deletion operation cannot be cancelled. Exercise caution when performing this operation.

+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
  4. In the navigation pane, choose Website Settings.
  5. In the row containing the website domain name you want to delete, click Delete in the Operation column.
  6. In the displayed confirmation dialog box, confirm the deletion.

    If you want to retain the policy applied to the domain name, select Retain the policy of this domain name.

    +
    Figure 1 Deleting a protected domain name from WAF
    +

  7. Click OK.

    If Domain name deleted successfully is displayed in the upper right corner, the domain name of the website was deleted.

    +

+
+
+
+
+
Parent topic: Domain Name and Port Configuration
+
+
+ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_0045.html b/docs/wafd/umn/waf_01_0045.html new file mode 100644 index 000000000..eebf4964e --- /dev/null +++ b/docs/wafd/umn/waf_01_0045.html @@ -0,0 +1,12 @@ + + +

What Is Web Application Firewall?

+

Web Application Firewall (WAF) keeps web services stable and secure. It examines all HTTP and HTTPS requests to detect and block the following attacks: Structured Query Language (SQL) injection, cross-site scripting (XSS), web shells, command and code injections, file inclusion, sensitive file access, third-party vulnerability exploits, Challenge Collapsar (CC) attacks, malicious crawlers, and cross-site request forgery (CSRF).

+

After you enable a WAF instance, add your website domain to the WAF instance on the WAF console. All public network traffic for your website then goes to WAF first. WAF identifies and filters out the illegitimate traffic, and routes only the legitimate traffic to your origin server to ensure site security.

+
+
+
+
Parent topic: Service Overview
+
+
+ diff --git a/docs/wafd/umn/waf_01_0046.html b/docs/wafd/umn/waf_01_0046.html new file mode 100644 index 000000000..93942d741 --- /dev/null +++ b/docs/wafd/umn/waf_01_0046.html @@ -0,0 +1,26 @@ + + +

Application Scenarios

+

Common protection

WAF helps you defend against common web attacks, such as command injection and sensitive file access.

+
+

Protection for online shopping mall promotion activities

Countless malicious requests may be sent to service interfaces during online promotions. WAF allows configurable rate limiting policies to defend against CC attacks. This prevents services from breaking down due to many concurrent requests, ensuring response to legitimate requests.

+
+

Protection against zero-day vulnerabilities

Services cannot recover quickly from impact of zero-day vulnerabilities in third-party web frameworks and plug-ins. WAF updates the preset protection rules immediately to add an additional protection layer to such web frameworks and plug-ins, and this layer can react faster than fixing the vulnerabilities.

+
+

Data leakage prevention

WAF prevents malicious actors from using methods such as SQL injection and web shells to bypass application security and gain remote access to web databases. You can configure anti-data leakage rules on WAF to provide the following functions:

+
  • Precise identification

    WAF uses semantic analysis & regex to examine traffic from different dimensions, precisely detecting malicious traffic.

    +
  • Distortion attack detection

    WAF detects a wide range of distortion attack patterns with 7 decoding methods to prevent bypass attempts.

    +
+
+

Web page tampering prevention

WAF ensures that attackers cannot leave backdoors on your web servers or tamper with your web page content, preventing damage to your credibility. You can configure web tamper protection rules on WAF to provide the following functions:

+
  • Website malicious code detection

    You can configure WAF to detect malicious code injected into web servers and ensure secure visits to web pages.

    +
  • Web page tampering prevention

    WAF prevents attackers from tampering with web page content or publishing inappropriate information that can damage your reputation.

    +
+
+
+
+
+
Parent topic: Service Overview
+
+
+ diff --git a/docs/wafd/umn/waf_01_0051.html b/docs/wafd/umn/waf_01_0051.html new file mode 100644 index 000000000..6d8c6ba39 --- /dev/null +++ b/docs/wafd/umn/waf_01_0051.html @@ -0,0 +1,248 @@ + + +

WAF and Other Services

+

This topic describes WAF and other cloud services.

+

CTS

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 1 WAF operations that can be recorded by CTS

Operation

+

Resource Type

+

Trace Name

+

Creating a WAF instance

+

instance

+

createInstance

+

Deleting a WAF instance

+

instance

+

deleteInstance

+

Modifying a WAF instance

+

instance

+

alterInstanceName

+

Modifying the protection status of a WAF instance

+

instance

+

modifyProtectStatus

+

Modifying the connection status of a WAF instance

+

instance

+

modifyAccessStatus

+

Creating a WAF policy

+

policy

+

createPolicy

+

Applying a WAF policy

+

policy

+

applyToHost

+

Modifying a policy

+

policy

+

modifyPolicy

+

Deleting a WAF policy

+

policy

+

deletePolicy

+

Uploading a certificate

+

certificate

+

createCertificate

+

Changing the name of a certificate

+

certificate

+

modifyCertificate

+

Adding a CC attack protection rule

+

policy

+

createCc

+

Modifying a CC attack protection rule

+

policy

+

modifyCc

+

Deleting a CC attack protection rule

+

policy

+

deleteCc

+

Adding a precise protection rule

+

policy

+

createCustom

+

Modifying a precise protection rule

+

policy

+

modifyCustom

+

Deleting a precise protection rule

+

policy

+

deleteCustom

+

Adding an IP address blacklist or whitelist rule

+

policy

+

createWhiteblackip

+

Modifying an IP address blacklist or whitelist rule

+

policy

+

modifyWhiteblackip

+

Deleting an IP address blacklist or whitelist rule

+

policy

+

deleteWhiteblackip

+

Creating/updating a web tamper protection rule

+

policy

+

createAntitamper

+

Deleting a web tamper protection rule

+

policy

+

deleteAntitamper

+

Creating a false alarm maskingglobal protection whitelist (formerly false alarm masking) rule

+

policy

+

createIgnore

+

Deleting a false alarm maskingglobal protection whitelist (formerly false alarm masking) rule

+

policy

+

deleteIgnore

+

Adding a data masking rule

+

policy

+

createPrivacy

+

Modifying a data masking rule

+

policy

+

modifyPrivacy

+

Deleting a data masking rule

+

policy

+

deletePrivacy

+
+
+
+

Cloud Eye

Cloud Eye monitors the indicators of the dedicated WAF, so that you can understand the protection status of the dedicated WAF in a timely manner, and set protection policies accordingly. For details, see the Cloud Eye User Guide.

+

For details about WAF monitored metrics, see WAF Monitored Metrics.

+
+

ELB

You can add your WAF instances to a load balancer so that your website traffic is distributed by the load balancer across WAF instances for detection and then forwarded by WAF to the origin server. In this way, website traffic will be protected even if one of your WAF instances becomes faulty.

+
+

IAM

Identity and Access Management (IAM) provides the permission management function for WAF. Only users granted WAF Administrator permissions can use WAF. To obtain this permission, contact the users who have the Security Administrator permissions.

+
+

TMS

Tag Management Service (TMS) is a visualized service for fast and unified tag management that enables you to label and manage WAF instances by tags.

+ +
+ + + + + + + + + + + + + +
Table 2 WAF operations supported by TMS

Operation

+

Resource Type

+

Trace Name

+

Creating a WAF instance tag

+

Tag

+

createResourceTag

+

Deleting a WAF instance tag

+

Tag

+

deleteResourceTag

+
+
+
+
+
+
+
Parent topic: Service Overview
+
+
+ diff --git a/docs/wafd/umn/waf_01_0052.html b/docs/wafd/umn/waf_01_0052.html new file mode 100644 index 000000000..e81fb46b6 --- /dev/null +++ b/docs/wafd/umn/waf_01_0052.html @@ -0,0 +1,59 @@ + + +

WAF Permissions Management

+

If you need to assign different permissions to employees in your enterprise to access your WAF resources, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your resources.

+

With IAM, you can use your account to create IAM users, and assign permissions to the users to control their access to specific resources. For example, some software developers in your enterprise need to use WAF resources but must not delete them or perform any high-risk operations. To achieve this result, you can create IAM users for the software developers and grant them only the permissions required for using WAF resources.

+

If your account does not need individual IAM users for permissions management, then you may skip over this chapter.

+

WAF Permissions

By default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services based on the permissions.

+

WAF is a project-level service deployed and accessed in specific physical regions. To assign WAF permissions to a user group, specify the scope as region-specific projects and select projects for the permissions to take effect. If All projects is selected, the permissions will take effect for the user group in all region-specific projects. When accessing WAF, the users need to switch to a region where they have been authorized to use the WAF service.

+
You can grant users permissions by using roles and policies.
  • Roles: A type of coarse-grained authorization mechanism that defines permissions related to users responsibilities. Only a limited number of service-level roles for authorization are available. You need to also assign other dependent roles for the permission control to take effect. Roles are not ideal for fine-grained authorization and secure access control.
  • Policies: A fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization and meets secure access control requirements. For example, you can grant WAF users only the permissions for managing a certain type of resources. Most policies define permissions based on APIs. For the API actions supported by WAF, see WAF Permissions and Supported Actions.
+
+

Table 1 lists all the system roles supported by WAF.

+ +
+ + + + + + + + + + + + + + + + + + + + +
Table 1 System policies supported by WAF

Role/Policy Name

+

Description

+

Category

+

Dependencies

+

WAF Administrator

+

Administrator permissions for WAF

+

System-defined role

+

Dependent on the Tenant Guest and Server Administrator roles.

+
  • Tenant Guest: A global role, which must be assigned in the global project.
  • Server Administrator: A project-level role, which must be assigned in the same project.
+

WAF FullAccess

+

All permissions for WAF

+

System-defined policy

+

None.

+

WAF ReadOnlyAccess

+

Read-only permissions for WAF.

+

System-defined policy

+
+
+
+
+
+
+
Parent topic: Service Overview
+
+
+ diff --git a/docs/wafd/umn/waf_01_0053.html b/docs/wafd/umn/waf_01_0053.html new file mode 100644 index 000000000..289ae7db7 --- /dev/null +++ b/docs/wafd/umn/waf_01_0053.html @@ -0,0 +1,22 @@ + + +

How Do I Switch the Mode of Basic Web Protection from Log Only to Block?

+

This FAQ guides you to switch the mode of basic web protection to Block.

+

Perform the following operations:

+
  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
  4. In the navigation pane, choose Website Settings.
  5. In the Policy column of the row containing the target website, click the number to go to the policy configuration page.
  6. In the Basic Web Protection configuration area, set Mode to Block.

    Log only and Block are merely modes of basic web protection. CC attack protection and precise protection have their own protective actions.

    +
    +

+
+
+
+
Parent topic: Basic Web Protection
+
+
+ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_0054.html b/docs/wafd/umn/waf_01_0054.html new file mode 100644 index 000000000..b523b8930 --- /dev/null +++ b/docs/wafd/umn/waf_01_0054.html @@ -0,0 +1,84 @@ + + +

Configuring an Information Leakage Prevention Rule

+

You can add two types of information leakage prevention rules.

+ +

Prerequisites

A website has been added to WAF.

+
+

Constraints

It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the Events page.

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
  4. In the navigation pane, choose Website Settings.
  5. In the Policy column of the row containing the target website, click the number to go to the Policies page.
  6. In the Information Leakage Prevention configuration area, change Status if needed and click Customize Rule.

    Figure 1 Information Leakage Prevention configuration area
    +

  7. In the upper left corner of the Information Leakage Prevention page, click Add Rule.
  8. In the dialog box displayed, add an information leakage prevention rule by referring to Table 1. Figure 2 and Figure 3 show two examples.

    Information leakage prevention rules prevent sensitive information (such as ID numbers, phone numbers, and email addresses) from being disclosed. This type of rule can also block specified HTTP status codes.

    +
    Sensitive information filtering: Configure rules to mask sensitive information, such as phone numbers and ID numbers, from web pages. For example, you can set the following protection rules to mask sensitive information, such as ID numbers, phone numbers, and email addresses:
    Figure 2 Sensitive information leakage
    +
    +
    Response code interception: An error page of a specific HTTP response code may contain sensitive information. You can configure rules to block such error pages to prevent such information from being leaked out. For example, you can set the following rule to block error pages of specified HTTP response codes 404, 502, and 503.
    Figure 3 Blocking response codes
    +
    +
    +
    + + + + + + + + + + + + + + + + + + + + + +
    Table 1 Rule parameters

    Parameter

    +

    Description

    +

    Example Value

    +

    Path

    +

    A part of the URL that does not include the domain name. The URL can contain sensitive information (such as ID numbers, phone numbers, and email addresses) or a blocked error code.

    +
    • Prefix match: Only the prefix of the path to be entered must match that of the path to be protected.

      If the path to be protected is /admin, set Path to /admin*.

      +
    • Exact match: The path to be entered must match the path to be protected.

      If the path to be protected is /admin, set Path to /admin.

      +
      NOTE:
      • The path supports prefix and exact matches only. Regular expressions are not supported.
      • The path cannot contain two or more consecutive slashes. For example, ///admin. If you enter ///admin, the WAF engine converts /// to /.
      +
      +
    +

    /admin*

    +

    Type

    +
    • Sensitive information filtering
    • Response code interception: Enable WAF to block the specified HTTP response code page.
    +

    Sensitive information filtering

    +

    Content

    +

    Information to be protected. Options are Identification card, Phone number, and Email.

    +

    Identification card

    +

    Rule Description

    +

    A brief description of the rule. This parameter is optional.

    +

    None

    +
    +
    +
    +

  9. Click Confirm. The added information leakage prevention rule is displayed in the list of information leakage prevention rules.

    Figure 4 List of information leakage prevention rules
    +

+
+

Other Operations

  • To disable a rule, click Disable in the Operation column of the rule. The default Rule Status is Enabled.
  • To modify a rule, click Modify in the row containing the rule.
  • To delete a rule, click Delete in the row containing the rule.
+
+

Configuration Example — Masking Sensitive Information

To verify that WAF is protecting your domain name www.example.com against an information leakage prevention rule:

+
  1. Add an information leakage prevention rule.
  2. Enabling information leakage prevention.
  3. Clear the browser cache and access http://www.example.com/admin/.

    The email address, phone number, and identity number on the returned page are masked.

    +

+
+
+
+
+
Parent topic: Rule Configuration
+
+
+ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_0055.html b/docs/wafd/umn/waf_01_0055.html new file mode 100644 index 000000000..940c6765f --- /dev/null +++ b/docs/wafd/umn/waf_01_0055.html @@ -0,0 +1,15 @@ + + +

Policy Management

+
+
+ +
+ diff --git a/docs/wafd/umn/waf_01_0061.html b/docs/wafd/umn/waf_01_0061.html new file mode 100644 index 000000000..4c54a763e --- /dev/null +++ b/docs/wafd/umn/waf_01_0061.html @@ -0,0 +1,27 @@ + + +

Adding Rules to One or More Policies

+

This topic describes how to add rules to one or more policies.

+

Prerequisites

A website has been added to WAF.

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
  4. In the navigation pane on the left, choose Policies.
  5. In the upper left corner of the page, click All Rules.

    Figure 1 View Rules
    +

  6. In the upper left corner above a rule to be added, click Add Rule.

    Figure 2 Adding a rule to one or more policies
    +

  7. Select one or more policies from the Policy Name drop-down list.
  8. Set other parameters.

    • To add a CC attack protection rule, see Table 1.
    • To add a precise protection rule, see Table 1.
    • To add a blacklist or whitelist rule, see Table 1.
    • To add a geolocation access control rule, see Table 1.
    • To add a WTP rule, see Table 1.
    • To add an information leakage prevention rule, see Table 1.
    • To add a global protection whitelist rule, see Table 1.
    • To add a data masking rule, see Table 1.
    +

  9. Click OK.
+
+

Other Operations

  • After a rule is added, the rule is Enabled by default. To disable it, click Disable in the Operation column of the target rule. You can also select multiple rules and click Disable above the rule list to disable them all together.
  • To modify a rule, locate the row that contains the rule and click Modify in the Operation column. You can also select multiple rules and click Modify above the list to modify them all together.
  • To delete a rule, locate the row that contains the rule and click Delete in the Operation column. You can also select multiple rules and click Delete above the list to delete them all together.
+
+
+
+
+
Parent topic: Policy Management
+
+
+ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_0062.html b/docs/wafd/umn/waf_01_0062.html new file mode 100644 index 000000000..bfcb6f458 --- /dev/null +++ b/docs/wafd/umn/waf_01_0062.html @@ -0,0 +1,14 @@ + + +

How Do I Obtain the Real IP Address of a Web Visitor?

+

After you connect a website to your WAF instance, WAF works as a reverse proxy between the client and the server. The real IP address of the server is hidden and only the IP address of WAF is visible to web visitors.

+

Generally, a proxy such as CDN, WAF, and anti-DDoS service is deployed between the client and server. Web visitors cannot directly access the server. For example, web visitor > CDN/WAF/anti-DDoS > origin server.

+

When forwarding requests to the downstream server, the transparent proxy server adds an X-Forwarded-For field to the HTTP header to identify the web visitor's real IP address in the format of X-Forwarded-For: real IP address of the web visitor, proxy 1-IP address, proxy 2-IP address, proxy 3-IP address, ........->....

+

Therefore, you can obtain the web visitor's real IP address from the X-Forwarded-For field. The first IP address in this field is the web visitor's real IP address.

+
+
+
+
Parent topic: WAF Usage
+
+
+ diff --git a/docs/wafd/umn/waf_01_0063.html b/docs/wafd/umn/waf_01_0063.html new file mode 100644 index 000000000..38a55563d --- /dev/null +++ b/docs/wafd/umn/waf_01_0063.html @@ -0,0 +1,21 @@ + + +

Protection Rule Configuration

+
+
+ + +
+
Parent topic: FAQs
+
+
+ diff --git a/docs/wafd/umn/waf_01_0064.html b/docs/wafd/umn/waf_01_0064.html new file mode 100644 index 000000000..9d04cccb8 --- /dev/null +++ b/docs/wafd/umn/waf_01_0064.html @@ -0,0 +1,23 @@ + + +

Service Overview

+
+
+ +
+ diff --git a/docs/wafd/umn/waf_01_0065.html b/docs/wafd/umn/waf_01_0065.html new file mode 100644 index 000000000..bf0a8e4c1 --- /dev/null +++ b/docs/wafd/umn/waf_01_0065.html @@ -0,0 +1,17 @@ + + +

Product Advantages

+

WAF examines web traffic from multiple dimensions to accurately identify malicious requests and filter attacks, reducing the risks of data being tampered with or stolen.

+

Precisely and Efficiently Identify Threats

  • WAF uses rule and AI dual engines and integrates our latest security rules and best practices.
  • You can configure enterprise-grade policies to protect your website more precisely, including custom alarm pages, combining multiple conditions in a CC attack protection rule, and blacklisting or whitelisting a large number of IP addresses.
+
+

Zero-Day Vulnerabilities Patched Fast

A specialized security team provides 24/7 service support to fix zero-day vulnerabilities within 2 hours.

+
+

Strong Protection for User Data Privacy

  • Sensitive information, such as accounts and passwords, in attack logs can be anonymized.
  • PCI-DSS checks for SSL encryption are available.
  • The minimum TLS protocol version and cipher suite can be configured.
+
+
+
+
+
Parent topic: Service Overview
+
+
+ diff --git a/docs/wafd/umn/waf_01_0066.html b/docs/wafd/umn/waf_01_0066.html new file mode 100644 index 000000000..1a71fabd7 --- /dev/null +++ b/docs/wafd/umn/waf_01_0066.html @@ -0,0 +1,68 @@ + + +

How Do I Troubleshoot 404/502/504 Errors?

+

If an error, such as 404 Not Found, 502 Bad Gateway, or 504 Gateway Timeout, occurs after a domain name is connected to WAF, use the following methods to locate the cause and remove the error:

+

404 Not Found

Scenario 1: When a visitor accesses your website, the page shown in Figure 1 is displayed.
Figure 1 404 page
+
+
Cause: The port added to a URL is incorrect.
  • A non-standard port is configured when a domain name is connected to WAF. No port is added or the origin server port instead of the non-standard port is used to access the website. For example, use https://www.example.com or https://www.example.com:80 to access the website.

    Solution: Add the non-standard port to the URL and access the origin server again, for example, https://www.example.com:8080.

    +
  • No non-standard port is configured when a domain name is added to WAF. A non-standard port or the origin server port is used to access the website. For example, use https://www.example.com:8080 to access the website.

    If no non-standard port is configured, WAF protects services on port 80/443 by default. To protect services on other ports, re-configure domain settings.

    +
    +

    Solution: The domain name needs to be accessed directly. For example, https://www.example.com.

    +
+
+

Scenario 2: When a visitor accesses your website, another 404 error page is displayed instead of the page shown in Figure 1.

+

Cause: The website does not exist or has been deleted.

+

Solution: Check your website.

+
+

502 Bad Gateway

Scenario: Website access is normal after the WAF configuration is complete. However, after a certain period of time, a 502 Bad Gateway error is reported frequently.

If your web server is not deployed on the cloud, consult your server provider about whether the server has default block settings. If there are default block settings, ask the service provider to remove them.

+
+
+

Possible causes are as follows:

+
  • Cause 1: Your website is using another security protection software. The software considers back-to-source IP addresses of WAF as malicious and blocks the requests forwarded by WAF. As a result, the site becomes inaccessible.

    +

    Solution: Add the WAF IP address ranges to the whitelist of the firewall (hardware or software), security protection software, and rate limiting module.

    +
  • Cause 2: Multiple backend servers are configured. However, one backend server is unreachable.
    Perform the following steps to check whether the origin server configuration is correct:
    1. Log in to the management console, click Service List in the upper part of the page, and choose Security > Web Application Firewall (Dedicated).
    2. In the navigation pane, choose Website Settings.
    3. In the Protected Website column, click the domain name to go to the Basic Information page.
    4. In the Server Information area, click . On the displayed page, check whether the client protocol, server protocol, origin server address, and port used by the origin server are correct.
    5. Run the curl command on the host to check whether each origin server can be properly accessed.
      curl http://xx.xx.xx.xx:yy -kvv
      +

      xx.xx.xx.xx indicates the IP address of the origin server. yy indicates the port of the origin server. xx.xx.xx.xx and yy must belong to the same origin server.

      +
      • The host where the curl command can be run must meet the following requirements:
        • The network communication is normal.
        • The curl command has been installed. curl must be manually installed on the host running the Windows operating system. curl is installed along with other operating systems.
        +
      • You can also enter http://origin server address:origin server port in the address bar of the browser to check whether the origin server can be properly accessed.
      +
      +

      If connection refused is displayed, the origin server is unreachable and website cannot be accessed. Perform the following operations:

      +
      • Check whether the server is running properly. If it is not, restart the server.
      • Add the WAF IP address ranges to the whitelist of the firewall (hardware or software), security protection software, and rate limiting module.
      +
    +
    +
  • Cause 3: Origin server performance

    Solution: Contact your website owner to rectify the fault.

    +
+
+

504 Gateway Timeout

Scenario: After the configuration of connecting a domain name to WAF is complete, your website works properly. However, with the increasing traffic volume, the number of 504 errors also increases. If you directly access the IP address of the origin server, the 504 error code is returned sometimes.

+

The possible causes are as follows:

+
  • Cause 1: Backend server performance issues (such as too many connections or high CPU usage)
    Solution:
    1. Optimize the server configuration, including TCP network parameters and ulimit parameters.
    2. To handle large-scale service increase, use method 1 or method 2 to perform the processing.

      Method 1: Add a backend server group to the ELB.

      +
      Method 2: Create an ELB. Use the EIP of ELB as the IP address of the server to connect to WAF.
      1. Log in to the management console, click Service List in the upper part of the page, and choose Security > Web Application Firewall (Dedicated).
      2. In the navigation pane, choose Website Settings.
      3. In the Protected Website column, click the domain name to go to the Basic Information page.
      4. In the Server Information area, click . On the displayed page, click Add.
      +
      +
    3. If the Client Protocol is HTTPS, you can use HTTPS on the WAF side. However, it is recommended that HTTP (Server Protocol) to forward the requests to your web server, lowering the computational demands on backend servers.
    +
    +
  • Cause 2: The WAF back-to-source IP addresses are not whitelisted or your origin server port is not enabled.

    +

    Solution: Whitelist the WAF back-to-source IP addresses in the corresponding ECS security groups.

    +
  • Cause 3: The origin server has a firewall and the firewall blocks the WAF IP addresses.

    +

    Solution: Whitelist the WAF back-to-source IP addresses in the corresponding ECS security groups or uninstall the firewall software except WAF.

    +
  • Cause 4: Connection timeout and read timeout

    Solution

    +
    • Database queries are slow.
      • Tune services to shorten the query duration and improve user experience.
      • Modify the request interaction mode so that the persistent connection can have some data transmitted within 60 seconds, such as ACK packets, heartbeat packets, keep-alive packets, and other packets that can keep the session alive.
      +
    • It takes a long time to upload large files.
      • Tune services to shorten the file upload time.
      • An FTP server is recommended for file upload.
      • Upload the file through an IP address or a domain name that is not protected by WAF.
      • The default timeout period for a dedicated WAF instance to respond origin servers is 180s.
      +
    • The origin server is faulty.

      Check whether the origin server works properly.

      +
    +
  • Cause 5: The bandwidth of the origin server exceeds the upper limit.

    Solution: Increase the bandwidth of the origin server.

    +
+
+

+
+
+
+
Parent topic: Service Interruption Check
+
+
+ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_0067.html b/docs/wafd/umn/waf_01_0067.html new file mode 100644 index 000000000..9d9fce199 --- /dev/null +++ b/docs/wafd/umn/waf_01_0067.html @@ -0,0 +1,29 @@ + + +

Website Domain Name Management

+
+
+ +
+ diff --git a/docs/wafd/umn/waf_01_0070.html b/docs/wafd/umn/waf_01_0070.html new file mode 100644 index 000000000..cf02a1f46 --- /dev/null +++ b/docs/wafd/umn/waf_01_0070.html @@ -0,0 +1,11 @@ + + +

Enabling WAF Protection

+
+
+ +
+ diff --git a/docs/wafd/umn/waf_01_0071.html b/docs/wafd/umn/waf_01_0071.html new file mode 100644 index 000000000..3eec22983 --- /dev/null +++ b/docs/wafd/umn/waf_01_0071.html @@ -0,0 +1,169 @@ + + +

Overview

+

Website Service Review

Sort out all website services you want to protect with WAF. This helps you learn about your workloads and specific data of your workloads so that you can choose and configure appropriate protection policies.

+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 1 Website services

Item

+

Description

+

Website and Service Information

+

Daily peak traffic of website/web application services, including the bandwidth (in Mbit/s) and QPS

+

Use it as the basis for selecting the service bandwidth and QPS specifications.

+
NOTE:

If your website traffic peak exceeds the maximum QPS specifications you are using, WAF will stop checking the traffic and directly forward it to the origin server. There is no protection for your website or applications.

+
+

Major user group (for example, major locations where the requests originate from)

+

Determine the attack source and then set geolocation access control rules to block users from these locations.

+

Whether the service uses a C/S architecture

+

If yes, check whether there is an app client, Windows client, Linux client, code callback, or any other client.

+

Location where the origin server is deployed

+

Decide which region you want to buy the instance.

+

Operating system (Linux or Windows) and web service middleware (Apache, Nginx, or IIS) of the origin server

+

Check whether access control is enabled for the origin server. If yes, whitelist WAF IP addresses.

+

Domain protocol

+

Check whether WAF supports the communication protocol used by your site.

+
NOTE:
WAF can protect your website only when Client Protocol and Server Protocol are configured based on the real situation of your website.
  • Client Protocol: the protocol used by a client (for example, a browser) to access your website. You can select HTTP or HTTPS.
  • Server Protocol: the protocol used by WAF to forward requests from the client (such as a browser) to the origin server. You can select HTTP or HTTPS.
+
+
+

Service port

+

Check whether your service ports are within the port range supported by WAF.

+
  • Standard ports
    • 80: default port when the client protocol is HTTP
    • 443: default port when the client protocol is HTTPS
    +
  • Non-standard ports

    Ports other than ports 80 and 443 For Non-standard ports supported by WAF, see Non-Standard Ports.

    +
+

Whether TLSv1.0 or weak encryption suite is supported

+

Check whether WAF supports the encryption suite used by your site.

+

Whether advanced anti-DDoS, CDN, or other proxy services are deployed in front of WAF.

+

Check whether a proxy is used and whether domain name is resolved to a correct address.

+

Whether the client supports Server Name Indication (for HTTPS services)

+

If your domain name supports HTTPS, the client and server must support Server Name Indication (SNI).

+

Service interaction

+

Understand the service interaction process and service processing logic to facilitate subsequent configuration of protection policies.

+

Active users

+

Determine the severity of an attack event to take a low-risk measure to respond it.

+

Services and Attacks

+

Service types and features (such as games, cards, websites, or apps)

+

Help analyze the attack signatures.

+

Inbound traffic range and connection status of a single user or a single IP address

+

Help determine whether a rate limiting policy can be configured per IP address.

+

User group attribute

+

For example, individual users, Internet cafe users, or proxy users

+

Whether your website experienced large-volumetric attacks, the attack type, and maximum peak traffic

+

Determine whether a DDoS protection service is required and determine the DDoS protection specifications based on the peak attack traffic.

+

Whether your website experienced CC attacks and the maximum peak QPS in a CC attack

+

Configure the protection policies based on attack signatures.

+

Whether the pressure test has been performed

+

Evaluate the request processing performance of the origin server to determine whether service anomaly occurs due to attacks.

+
+
+
+

How to Use WAF

Table 2 describes the procedure to use WAF. +
+ + + + + + + + + + + + + + + + + + + + + + +
Table 2 Procedure to use WAF

Step

+

Description

+

Applying for dedicated WAF instances

+

Apply for a dedicated WAF instance.

+

For details, see Applying for a Dedicated WAF Instance.

+

Adding a website to WAF

+

Add the website you want to protect to WAF.

+

For details, see Step 1: Add a Website to WAF.

+

Enabling WAF protection

+

Enable WAF protection to protect added website.

+
NOTE:
  • Using WAF does not affect your web server performance because the WAF engine is not running on your web server.
  • After your domain name is connected to WAF, there will be a latency of tens of milliseconds, which might be raised based on the size of the requested page or number of incoming requests.
+
+

Configuring protection rules

+

Use WAF built-in protection rules and configure custom rules to protect your website. For more details, see Rule Configuration.

+

Handling false alarms

+

Mask blocked or logged events which are handled as false alarms. For more details, see Handling False Alarms.

+

Viewing Dashboard

+

View protection data of yesterday, today, last 3 days, last 7 days, or last 30 days. For more details, see Dashboard.

+
+
+
+
+
For details about how to connect your website to WAF, see Figure 1.
Figure 1 Flowchart of connecting a website to WAF
+
+
+ diff --git a/docs/wafd/umn/waf_01_0074.html b/docs/wafd/umn/waf_01_0074.html new file mode 100644 index 000000000..9d8576c7f --- /dev/null +++ b/docs/wafd/umn/waf_01_0074.html @@ -0,0 +1,28 @@ + + +

Adding a Policy

+

A policy is a combination of rules, such as basic web protection, blacklist, whitelist, and precise protection rules. A policy can be applied to multiple domain names, but only one policy can be used for a domain name. This topic describes how to add a policy to your WAF instance.

+

Prerequisites

A website has been added to WAF.

+
+

Constraints

A protected website domain name can use only one policy.

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
  4. In the navigation pane on the left, choose Policies.
  5. In the upper left corner, click Add Policy.

    Figure 1 Policies
    +

  6. In the displayed dialog box, enter the policy name and click Confirm. The added policy will be displayed in the policy list.

    Figure 2 Add Policy
    +

  7. In the Policy Name column, click the policy name. On the displayed page, add rules to the policy by referring to Rule Configurations.
+
+

Other Operations

  • To modify a policy name, click next to the policy name. In the dialog box displayed, enter a new policy name.
  • To delete a rule, click Delete in the row containing the rule.
+
+
+
+
+
Parent topic: Policy Management
+
+
+ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_0075.html b/docs/wafd/umn/waf_01_0075.html new file mode 100644 index 000000000..462980509 --- /dev/null +++ b/docs/wafd/umn/waf_01_0075.html @@ -0,0 +1,26 @@ + + +

Applying a Policy to Your Website

+

This topic describes how to apply a policy to your protected website.

+

Prerequisites

A website has been added to WAF.

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
  4. In the navigation pane on the left, choose Policies.
  5. In the row containing the policy you want to apply to a website, click Add Domain Name in the Operation column.

    Figure 1 Adding a domain name to a policy
    +

  6. Select one or more domain names from the Domain Name drop-down list. Figure 2 shows an example.

    • A protected domain name can use only one policy, but one policy can be applied to multiple domain names.
    • To delete a policy that has been applied to domain names, add these domain names to other policies first. Then, click Delete in the Operation column of the policy you want to delete.
    +
    +
    Figure 2 Selecting one or more domain names
    +

  7. Click Confirm.
+
+
+
+
+
Parent topic: Policy Management
+
+
+ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_0077.html b/docs/wafd/umn/waf_01_0077.html new file mode 100644 index 000000000..167553172 --- /dev/null +++ b/docs/wafd/umn/waf_01_0077.html @@ -0,0 +1,164 @@ + + +

Downloading Events Data

+

This topic describes how to download events (logged and blocked events) data for the last five days. One or more CSV files containing the event data of the current day will be generated at the beginning of the next day.

+

Prerequisites

  • The website to be protected has been added to WAF.
  • An event file has been generated.
+
+

Specification Limitations

  • Each file can include a maximum of 5,000 events. If there are more than 5,000 events, another file is generated.
  • Only event data for the last five days can be downloaded through the WAF console.
+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
  4. In the navigation pane on the left, choose Events.
  5. Click the Download Events tab and download the desired protection data. Table 1 describes the parameters.

    +

    + + + + + + + + + + +
    Table 1 Parameter description

    Parameter

    +

    Description

    +

    File Name

    +

    The format is file-name.csv.

    +

    Number of Events

    +

    Total number of blocked and logged events

    +
    NOTE:

    The maximum number of events in a file is 10,000. If there are more than 10,000 events, another file is generated.

    +
    +
    +
    +

  6. In the Operation column, click Download to download data to the local PC.
+
+

Fields in a Protection Event Data File

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Field

+

Description

+

Example Value

+

action

+

Protective action taken in response to the event

+

block

+

attack

+

Attack type

+

SQL Injection

+

body

+

Request content of the attack

+

N/A

+

cookie

+

Cookie of the attacker

+

N/A

+

headers

+

Header of the attacker

+

N/A

+

host

+

Domain name or IP address of the protected website

+

www.example.com

+

id

+

ID of the event.

+

02-11-16-20201121060347-feb42002

+

payload

+

The part of the attack that causes damage to the protected website

+

python-requests/2.20.1

+

payload_location

+

The location of the attack that causes damage or the number of times that the URL is accessed by the attacker

+

user-agent

+

policyid

+

Policy ID.

+

d5580c8f6cd4403ebbf85892d4bbb8e4

+

request_line

+

Request line of the attack

+

GET /

+

rule

+

ID of the rule against which the event is generated.

+

81066

+

sip

+

Public IP address of the web visitor/attacker

+

N/A

+

time

+

When the event occurred.

+

2020/11/21 0:20:44

+

url

+

URL of the protected domain name

+

N/A

+
+
+
+
+
+
+
Parent topic: Event Management
+
+
+ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_0078.html b/docs/wafd/umn/waf_01_0078.html new file mode 100644 index 000000000..6e6063880 --- /dev/null +++ b/docs/wafd/umn/waf_01_0078.html @@ -0,0 +1,76 @@ + + +

Uploading a Certificate

+

If you select HTTPS for Client Protocol when you add a website to WAF, a certificate must be associated with the website.

+

You can upload a certificate to WAF. Then you can directly select the uploaded certificate for the protected website.

+

Prerequisites

You have obtained the certificate file and certificate private key.

+
+

Specification Limitations

You can create as many certificates in WAF as the number of domain names that can be protected by your WAF instances in the same account. For example, if WAF can protect 10 domain names, you can create 10 certificates in WAF.

+
+

Constraints

If you import a new certificate when adding a protected website or updating a certificate, the certificate is added to the certificate list on the Certificates page, and the imported certificates is counted in the number of created certificates.

+
+

Application Scenario

If you select HTTPS for Client Protocol, a certificate is required.

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
  4. In the navigation pane, choose Objects > Certificates.

    Figure 1 Certificate list
    +

  5. Click Upload Certificate.
  6. In the Upload Certificate dialog box, enter a certificate name, and copy the certificate file and private key into the corresponding text boxes.

    Figure 2 Upload Certificate
    +

    +
    Only .pem certificates can be used in WAF. If the certificate is not in .pem format, convert it into .pem locally by referring to Table 1 before uploading it. +
    + + + + + + + + + + + + + + + + +
    Table 1 Certificate conversion commands

    Format

    +

    Conversion Method

    +

    CER/CRT

    +

    Rename the cert.crt certificate file to cert.pem.

    +

    PFX

    +
    • Obtain a private key. For example, run the following command to convert cert.pfx into key.pem:

      openssl pkcs12 -in cert.pfx -nocerts -out key.pem -nodes

      +
    • Obtain a certificate. For example, run the following command to convert cert.pfx into cert.pem:

      openssl pkcs12 -in cert.pfx -nokeys -out cert.pem

      +
    +

    P7B

    +
    1. Convert a certificate. For example, run the following command to convert cert.p7b into cert.cer:

      openssl pkcs7 -print_certs -in cert.p7b -out cert.cer

      +
    2. Rename certificate file cert.cer to cert.pem.
    +

    DER

    +
    • Obtain a private key. For example, run the following command to convert privatekey.der into privatekey.pem:

      openssl rsa -inform DER -outform PEM -in privatekey.der -out privatekey.pem

      +
    • Obtain a certificate. For example, run the following command to convert cert.cer into cert.pem:

      openssl x509 -inform der -in cert.cer -out cert.pem

      +
    +
    +
    +
    • Before running an OpenSSL command, ensure that the OpenSSL tool has been installed on the local host.
    • If your local PC runs a Windows operating system, go to the command line interface (CLI) and then run the certificate conversion command.
    +
    +
    +

  7. Click Confirm.
+
+

Verification

The certificate you created is displayed in the certificate list.

+
+

Other Operations

  • To change the certificate name, move the cursor over the name of the certificate, click , and enter a certificate name.

    If the certificate is in use, unbind the certificate from the domain name first. Otherwise, the certificate name cannot be changed.

    +
    +
  • To view details about a certificate, click View in the Operation column of the certificate.
  • In the row containing the certificate you want, click Use in the Operation column to use the certificate to the corresponding domain name.
  • To delete a certificate, locate the row of the certificate and click Delete in the Operation column.
+
+
+
+
+
Parent topic: Certificate Management
+
+
+ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_0081.html b/docs/wafd/umn/waf_01_0081.html new file mode 100644 index 000000000..e01eeb78c --- /dev/null +++ b/docs/wafd/umn/waf_01_0081.html @@ -0,0 +1,65 @@ + + +

Adding a Reference Table

+

This topic describes how to create a reference table to batch configure protection metrics of a single type, such as Path, User Agent, IP, Params, Cookie, Referer, and Header. A reference table can be referenced by CC attack protection rules and precise protection rules.

+

Prerequisites

A website has been added to WAF.

+
+

Application Scenarios

You can use a reference table when you configure protection fields in batches for CC attack protection rules and precise access protection rules.

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
  4. In the navigation pane, choose Website Settings.
  5. In the Policy column of the row containing the target website, click the number to go to the policy configuration page.
  6. In the CC Attack Protection or Precise Protection area, click Customize Rule.
  7. Click Reference Table Management in the upper left corner of the list.

    Figure 1 Reference Table Management
    +

  8. On the Reference Table Management page, click Add Reference Table.

    Figure 2 Add Reference Table
    +

  9. In the Add Reference Table dialog box, specify the parameters by referring to Table 1.

    Figure 3 Adding a reference table
    + +
    + + + + + + + + + + + + + + + + + +
    Table 1 Parameter description

    Parameter

    +

    Description

    +

    Example Value

    +

    Name

    +

    Table name you entered

    +

    test

    +

    Type

    +
    • Path: A URL to be protected, excluding a domain name
    • User Agent: A user agent of the scanner to be protected
    • IP: An IP address of the visitor to be protected.
    • Params: A request parameter to be protected
    • Cookie: A small piece of data to identify web visitors
    • Referer: A user-defined request resource

      For example, if the protected path is /admin/xxx and you do not want visitors to be able to access it from www.test.com, set Value to http://www.test.com.

      +
    • Header: A user-defined HTTP header
    +

    Path

    +

    Value

    +

    Value of the corresponding Type. Wildcards are not allowed.

    +
    NOTE:

    Click Add to add more than one value.

    +
    +

    /buy/phone/

    +
    +
    +

  10. Click Confirm. You can then view the added reference table in the reference table list.
+
+

Other Operations

  • To modify a reference table, click Modify in the row containing the reference table.
  • To delete a reference table, click Delete in the row containing the reference table.
+
+
+
+
+
Parent topic: Rule Configuration
+
+
+ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_0082.html b/docs/wafd/umn/waf_01_0082.html new file mode 100644 index 000000000..7f4a9eb7d --- /dev/null +++ b/docs/wafd/umn/waf_01_0082.html @@ -0,0 +1,28 @@ + + +

How Do I Fix an Incomplete Certificate Chain?

+

If the certificate provided by the certificate authority is not found in the built-in trust store on your platform and the certificate chain does not have a certificate authority, the certificate is incomplete. If you use the incomplete certificate to access the website corresponding to the protected domain name, the access will fail.

+

Use either of the following methods to fix it:

+ +

The latest Google Chrome version supports automatic verification of the trust chain. The following describes how to manually create a complete certificate chain:

+
  1. Check the certificate. Click the padlock in the address bar to view the certificate status. Figure 1 shows an example.

    Figure 1 Viewing the certificate
    +

  2. Check the certificate chain. Click Certificate. Select the Certificate Path tab and then click the certificate name to view the certificate status. Figure 2 shows an example.

    Figure 2 Viewing the certificate chain
    +

  3. Save the certificates to the local PC one by one.

    1. Select the certificate name and click the Details tab. Figure 3 shows an example.
      Figure 3 Details
      +
    2. Click Copy to File, and then click Next as prompted.
    3. Select Base-64 encoded X.509 (.CER) and click Next. Figure 4 shows an example.
      Figure 4 Certificate Export Wizard
      +
    +

  4. Rebuild the certificate. After all certificates are exported to the local PC, open the certificate file in Notepad and rebuild the certificate according to the sequence shown in Figure 5.

    Figure 5 Certificate rebuilding
    +

  5. Upload the certificate again.
+
+
+
+
Parent topic: Service Interruption Check
+
+
+ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_0093.html b/docs/wafd/umn/waf_01_0093.html new file mode 100644 index 000000000..6dfee2ec2 --- /dev/null +++ b/docs/wafd/umn/waf_01_0093.html @@ -0,0 +1,19 @@ + + +

Why Are HTTPS Requests Denied on Some Mobile Phones?

+

If your visitors receive a page similar to the one in Figure 1 when they try to access your website through a mobile phone, an incomplete certificate chain is uploaded when you connect the website to WAF. Rectify the fault by referring to How Do I Fix an Incomplete Certificate Chain?

+
Figure 1 Access failed
+
+
+
+
Parent topic: Service Interruption Check
+
+
+ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_0094.html b/docs/wafd/umn/waf_01_0094.html new file mode 100644 index 000000000..8e236ad49 --- /dev/null +++ b/docs/wafd/umn/waf_01_0094.html @@ -0,0 +1,100 @@ + + +

Functions

+

WAF makes it easier for you to handle web security risks.

+

HTTP/HTTPS Service Protection

WAF keeps applications stable and secure. It examines HTTP and HTTPS requests to detect and block attacks, such as Structure Query Language (SQL) injections, cross-site scripting (XSS), web shell upload, command or code injections, file inclusion, sensitive file access, third-party vulnerability exploits, CC attacks, malicious crawlers, and cross-site request forgery (CSRF).

+
+

WebSocket/WebSockets

WAF supports the WebSocket/WebSockets protocol, which is enabled by default.

+
+

Basic Web Protection

With an extensive preset reputation database, WAF defends against Open Web Application Security Project (OWASP) top 10 threats, malicious scanners, IP addresses, web shells, and other threats.

+
  • All-around protection

    WAF detects and blocks varied attacks, such as SQL injection, XSS, remote overflow vulnerabilities, file inclusions, Bash vulnerabilities, directory (path) traversal attacks, sensitive file access, command and code injections, web shells, backdoors, malicious HTTP requests, and third-party vulnerability exploits.

    +
  • Precise identification
    • WAF uses built-in semantic analysis engine and regex engine and supports configuring of blacklist/whitelist rules, which reduces false positives.
    • WAF supports anti-escape and automatic restoration of common codes, which improves the capability of recognizing deformation web attacks.

      WAF can decode the following types of code: url_encode, Unicode, XML, OCT, hexadecimal, HTML escape, and base64 code, case confusion, JavaScript, shell, and PHP concatenation confusion

      +
    +
+
+

CC Attack Prevention

You can customize a CC attack protection rule to restrict access to a specific URL on your website based on an IP address, cookie, or Referer, mitigating CC attacks. Protective actions of CC attack protection rules include Verification code, Block, Dynamically block, and Log only.

+
  • Flexible policy configuration

    WAF allows you to flexibly set rate limiting policies by IP address, cookie, or Referer field.

    +
  • Returned page customization

    You can customize returned content and page types to meet diverse service needs.

    +
+
+

GUI-based Security Data

WAF provides a GUI-based interface for you to monitor attack information and event logs in real time.

+
  • Centralized policy configuration

    On the WAF console, you can configure policies applicable to multiple protected domain names in a centralized manner so that the policies can be quickly delivered and take effect.

    +
  • Traffic and event statistics

    WAF displays the number of requests, the number and types of security events, and log information in real time.

    +
+
+

Non-Standard Ports

WAF can protect standard ports, such as 80 and 443 and a wide range of non-standard ports.

+ +
+ + + + + + + + + + + + + + + + +
Table 1 Supported ports

Port Category

+

HTTP Protocol

+

HTTPS Protocol

+

Port Limit

+

Standard ports

+

80

+

443

+

Unlimited

+

Non-standard ports (182 in total)

+

9945, 9770, 81, 82, 83, 84, 88, 89, 800, 808, 1000, 1090, 3128, 3333, 3501, 3601, 4444, 5000, 5222, 5555, 5601, 6001, 6666, 6788, 6789, 6842, 6868, 7000, 7001, 7002, 7003, 7004, 7005, 7006, 7009, 7010, 7011, 7012, 7013, 7014, 7015, 7016, 7018, 7019, 7020, 7021, 7022, 7023, 7024, 7025, 7026, 7070, 7081, 7082, 7083, 7088, 7097, 7777, 7800, 7979, 8000, 8001, 8002, 8003, 8008, 8009, 8010, 8020, 8021, 8022, 8025, 8026, 8077, 8078, 8080, 8085, 8086, 8087, 8088, 8089, 8090, 8091, 8092, 8093, 8094, 8095, 8096, 8097, 8098, 8106, 8118, 8181, 8334, 8336, 8800, 8686, 8888, 8889, 8989, 8999, 9000, 9001, 9002, 9003, 9080, 9200, 9802, 10000, 10001, 10080, 12601, 86, 9021, 9023, 9027, 9037, 9081, 9082, 9201, 9205, 9207, 9208, 9209, 9210, 9211, 9212, 9213, 48800, 87, 97, 7510, 9180, 9898, 9908, 9916, 9918, 9919, 9928, 9929, 9939, 28080, 33702, 8011, 8012, 8013, 8014, 8015, 8016, 8017, and 8070

+

8750, 8445, 18010, 4443, 5443, 6443, 7443, 8081, 8082, 8083, 8084, 8443, 8843, 9443, 8553, 8663, 9553, 9663, 18110, 18381, 18980, 28443, 18443, 8033, 18000, 19000, 7072, 7073, 8803, 8804, 8805, and 9999

+

Unlimited

+
+
+
+

Precise Protection

Support precise logic- and parameter-based access control policies.

+
  • A variety of parameter conditions

    Set conditions with combinations of common HTTP parameters, such as IP, URL, Referer, User Agent, Params, and Header.

    +
  • Abundant logical conditions

    WAF blocks or allows traffic based on logical conditions, such as "Include", "Exclude", "Equal to", "Not equal to", "Prefix is", and "Prefix is not."

    +
+
+

Malicious Scanner and Crawler Prevention

Blocks web page crawling with user-defined scanner and crawler rules. This feature improves protection accuracy.

+
+

IP Address Blacklist and Whitelist

This function allows you to blacklist or whitelist IP addresses or an IP address range to improve defense accuracy.

+
+

Known Attack Source

  • If WAF blocks a malicious request by IP address, Cookie, or Params, you can configure a known attack source rule to let WAF automatically block all requests from the attack source for a blocking duration set in the known attack source rule.
  • Known attack source rules can be set based on attacks blocked against the basic web protection, precise access protection, and blacklist and whitelist rules.
+
+

Connection Protection

If a large number of 502 Bad Gateway and 504 Gateway Timeout errors are detected, you can enable WAF breakdown protection and connection protection to let WAF suspend your website and protect your origin servers from being crashed. When the 502/504 error requests and pending URL requests reach the thresholds you configure, WAF enables corresponding protection for your website.

+
+

Configuring Connection Timeout

  • The default timeout duration for connections between a browser and WAF is 120 seconds, which cannot be manually set.
  • The default timeout duration for connections between WAF and your origin server is 60 seconds. You can customize a timeout duration.

    In the Basic Information area on the website information page, enable Timeout Settings. Then, click next to WAF-to-Server Connection Timeout, Read Timeout, and Write Timeout, modify settings one by one, and click to save.

    +
+
+

Geolocation Access Control

You can allow some web requests and block others based on the geographical locations of IP addresses that the requests originate from.

+
+

Web Page Tampering Prevention

You can configure cache for static web pages. When a user accesses a web page, the system returns a cached page to the user and randomly checks whether the page is tampered with.

+
+

Anti-Crawler Protection

WAF dynamically analyzes your website service models and accurately identifies crawler behavior based on data risk control and bot identification systems.

+
  • Feature library

    Blocks web page crawling with user-defined scanner and crawler rules. This feature improves protection accuracy.

    +
  • JavaScript

    Identifies and blocks JavaScript crawling with user-defined rules.

    +
+
+

Global Protection Whitelist (Formerly False Alarm Masking)

This function enables you to ignore certain attack detection rules for specific requests.

+
+

Data Masking

WAF masks sensitive information, such as usernames and passwords, in the event log.

+
+

Information Leakage Prevention

WAF prevents your sensitive information from being disclosed on web pages, such as ID numbers, phone numbers, and email addresses.

+
+

Reliable

WAF can be deployed on multiple clusters in multiple regions based on the load balancing principle. This can prevent single point of failures (SPOFs) and ensure online smooth capacity expansion, maximizing service stability.

+
+

Event Management

  • WAF allows you to view and handle false alarms for blocked or logged events.
  • You can download events data over the past five days.
+
+
+
+
+
Parent topic: Service Overview
+
+
+ diff --git a/docs/wafd/umn/waf_01_0096.html b/docs/wafd/umn/waf_01_0096.html new file mode 100644 index 000000000..685d4b3d0 --- /dev/null +++ b/docs/wafd/umn/waf_01_0096.html @@ -0,0 +1,13 @@ + + +

Permissions Management

+
+
+ +
+ diff --git a/docs/wafd/umn/waf_01_0100.html b/docs/wafd/umn/waf_01_0100.html new file mode 100644 index 000000000..00917a875 --- /dev/null +++ b/docs/wafd/umn/waf_01_0100.html @@ -0,0 +1,13 @@ + + +

How Can I Upload Files After the Website Is Connected to WAF?

+

After your website is connected to WAF, the file visitors can upload each time cannot exceed 512 MB.

+

To upload a file greater than 512 MB, upload the file through:

+ +
+
+
+
Parent topic: Service Interruption Check
+
+
+ diff --git a/docs/wafd/umn/waf_01_0102.html b/docs/wafd/umn/waf_01_0102.html new file mode 100644 index 000000000..343ead4d4 --- /dev/null +++ b/docs/wafd/umn/waf_01_0102.html @@ -0,0 +1,11 @@ + + +

In Which Situations Will the WAF Policies Fail?

+

Normally, all requests destined for your site will pass through WAF. However, if your site is using CDN and WAF, the WAF policy targeted at the requests for caching static content will not take effect because CDN directly returns these requests to the client.

+
+
+
+
Parent topic: Others
+
+
+ diff --git a/docs/wafd/umn/waf_01_0104.html b/docs/wafd/umn/waf_01_0104.html new file mode 100644 index 000000000..7ecc64428 --- /dev/null +++ b/docs/wafd/umn/waf_01_0104.html @@ -0,0 +1,14 @@ + + +

What Are the Precautions for Configuring Multiple Server Addresses for Backend Servers?

+
+
+
+
+
Parent topic: Domain Name and Port Configuration
+
+
+ diff --git a/docs/wafd/umn/waf_01_0105.html b/docs/wafd/umn/waf_01_0105.html new file mode 100644 index 000000000..59031b171 --- /dev/null +++ b/docs/wafd/umn/waf_01_0105.html @@ -0,0 +1,27 @@ + + +

How Do I Configure Domain Names to Be Protected When Adding Domain Names?

+

Before using WAF, you need to add domain names to be protected to WAF based on your web service protection requirements. WAF supports addition of single domain names and wildcard domain names. This section describes how to configure domain names to be protected.

+

Basic Concepts

  • Wildcard domain name

    A wildcard domain name is a domain name that contains the wildcard * and starts with *..

    +

    For example, *.example.com is a correct wildcard domain name, but *.*.example.com is not.

    +

    A wildcard domain name counts as one domain name.

    +
    +
  • Single domain name

    A single domain name is also called a common domain name and is a specific domain name (a non-wildcard domain name).

    +

    For example, www.example.com or example.com is a single domain name.

    +

    For example, www.example.com counts as a domain name and so does a.www.example.com.

    +
    +
+
+

Selecting a Domain Name Type

WAF supports single domain names and wildcard domain names.

+
The domain name purchased from the DNS service provider is a single domain name (example.com). The domain name added to WAF can be example.com, a subdomain name (for example, a.xample.com), or wildcard domain name (*.example.com). You can select a domain name type based on the following scenarios:
  • If services of a domain name to be protected are the same, enter a single domain name. For example, if all the services of www.example.com to be protected are services on port 8080, set Domain Name to a single domain name www.example.com.
  • If the server IP address of each subdomain name is the same, enter a wildcard domain name to be protected. For example, if the server IP addresses corresponding to a.example.com, b.example.com, and c.example.com are the same, Domain Name can be set to a wildcard domain name *.example.com.
  • If the server IP addresses of subdomain names are different, add subdomain names as single domain names one by one.
+
+
+

You are advised to set the added domain name to be protected to be the same as the domain name that is set at the DNS provider.

+
+
+
+
+
Parent topic: Domain Name and Port Configuration
+
+
+ diff --git a/docs/wafd/umn/waf_01_0124.html b/docs/wafd/umn/waf_01_0124.html new file mode 100644 index 000000000..4a0f0881f --- /dev/null +++ b/docs/wafd/umn/waf_01_0124.html @@ -0,0 +1,17 @@ + + +

Website Domain Name Access Configuration

+
+
+ + +
+
Parent topic: FAQs
+
+
+ diff --git a/docs/wafd/umn/waf_01_0127.html b/docs/wafd/umn/waf_01_0127.html new file mode 100644 index 000000000..b1a166962 --- /dev/null +++ b/docs/wafd/umn/waf_01_0127.html @@ -0,0 +1,29 @@ + + +

Service Interruption Check

+
+
+ + +
+
Parent topic: FAQs
+
+
+ diff --git a/docs/wafd/umn/waf_01_0129.html b/docs/wafd/umn/waf_01_0129.html new file mode 100644 index 000000000..b4541fd69 --- /dev/null +++ b/docs/wafd/umn/waf_01_0129.html @@ -0,0 +1,119 @@ + + +

Configuration Guidance

+

How WAF Engine Works

The built-in protection rules of WAF help you defend against common web application attacks, including XSS attacks, SQL injection, crawlers, and web shells. You can customize protection rules to let WAF better protect your website services using these custom rules. Figure 1 shows how WAF engine built-in protection rules work. Figure 2 shows the detection sequence of user-defined rules.

+
Figure 1 WAF engine detection process
+
Figure 2 Priorities of custom protection rules
+
Response actions
  • Pass: The current request is unconditionally permitted after a protection rule is matched.
  • Block: The current request is blocked after a rule is matched.
  • CAPTCHA: The system will perform human-machine verification after a rule is matched.
  • Redirect: The system will notify you to redirect the request after a rule is matched.
  • Log: Only attack information is recorded after a rule is matched.
  • Mask: The system will anonymize sensitive information after a rule is matched.
+
+
+

Protection Rule Configuration Methods

WAF provides the following customized configuration methods to simplify the configuration process. Select a proper configuration method to meet your service requirements.

+

Method 1: Configuring protection rules for a single domain name

+
This method is recommended when you have few domain name services or have different configuration rules for domain name services.

After a domain name is added to WAF, WAF automatically associates a protection policy with the domain name, and protection rules configured for the domain name are also added to the protection policy by default. If there are domain names applicable to the protection policy, you can directly add them to the policy. For details, see Applying a Policy to Your Website.

+
+
  • Where to configure
    1. In the navigation pane, choose Website Settings.
    2. In the Policy column of the row containing the target website, click the number to go to the Policies page.
    +
  • Protection rules you can configure on the rule configuration page +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Table 1 Configurable protection rules

    Protection Rule

    +

    Description

    +

    Reference

    +

    Basic web protection rules

    +

    With an extensive reputation database, WAF defends against Open Web Application Security Project (OWASP) top 10 threats, and detects and blocks threats, such as malicious scanners, IP addresses, and web shells.

    +

    Configuring Basic Web Protection Rules

    +

    CC attack protection rules

    +

    CC attack protection rules can be customized to restrict access to a specific URL on your website based on a unique IP address, cookie, or referer field, mitigating CC attacks.

    +

    Configuring a CC Attack Protection Rule

    +

    Precise protection rules

    +

    You can customize protection rules by combining HTTP headers, cookies, URLs, request parameters, and client IP addresses.

    +

    Configuring a Precise Protection Rule

    +

    Blacklist and whitelist rules

    +

    You can configure blacklist and whitelist rules to block, log only, or allow access requests from specified IP addresses.

    +

    Configuring an IP Address Blacklist or Whitelist Rule

    +

    Geolocation access control rules

    +

    You can customize these rules to allow or block requests from a specific country or region.

    +

    Configuring a Geolocation Access Control Rule

    +

    Web tamper protection rules

    +

    You can configure these rules to prevent a static web page from being tampered with.

    +

    Configuring a Web Tamper Protection Rule

    +

    Website anti-crawler protection

    +

    This function dynamically analyzes website service models and accurately identifies crawler behavior based on data risk control and bot identification systems, such as JS Challenge.

    +

    Configuring Anti-Crawler Rules

    +

    Information leakage prevention rules

    +

    You can add two types of information leakage prevention rules.

    +
    • Sensitive information filtering: prevents disclosure of sensitive information (such as ID numbers, phone numbers, and email addresses).
    • Response code interception: blocks the specified HTTP status codes.
    +

    Configuring an Information Leakage Prevention Rule

    +

    Global protection whitelist (formerly false alarm masking) rules

    +

    You can configure these rules to let WAF ignore certain rules for specific requests.

    +

    Configuring a Global Protection Whitelist (Formerly False Alarm Masking) Rule

    +

    Data masking rules

    +

    You can configure data masking rules to prevent sensitive data such as passwords from being displayed in event logs.

    +

    Configuring a Data Masking Rule

    +
    +
    +
+
+

Method 2: Configuring protection rules for multiple domain names

+
This method is recommended if you have many domain name services and require the same protection policy for multiple domain names. This method greatly reduces repeated configuration workloads and improves the protection efficiency. +
+
+
+
+
+
Parent topic: Rule Configuration
+
+
+ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_0134.html b/docs/wafd/umn/waf_01_0134.html new file mode 100644 index 000000000..1d0e097dd --- /dev/null +++ b/docs/wafd/umn/waf_01_0134.html @@ -0,0 +1,11 @@ + + +

What Objects Does WAF Protect?

+

WAF can protect domain names or IP addresses.

+
+
+
+
Parent topic: WAF Functions
+
+
+ diff --git a/docs/wafd/umn/waf_01_0135.html b/docs/wafd/umn/waf_01_0135.html new file mode 100644 index 000000000..bbd347702 --- /dev/null +++ b/docs/wafd/umn/waf_01_0135.html @@ -0,0 +1,11 @@ + + +

How Do I Select a Certificate When Configuring a Wildcard Domain Name?

+

Each domain name must correspond to a certificate. A wildcard domain name can only be used for a wildcard domain certificate. If you only have single-domain certificates, you need to add domain names one by one in WAF.

+
+
+
+
Parent topic: Certificate Management
+
+
+ diff --git a/docs/wafd/umn/waf_01_0149.html b/docs/wafd/umn/waf_01_0149.html new file mode 100644 index 000000000..6fc9c5a70 --- /dev/null +++ b/docs/wafd/umn/waf_01_0149.html @@ -0,0 +1,11 @@ + + +

Does WAF Support File Caching?

+

WAF caches only static web pages that are configured with web tamper protection and sends the cached web pages that are not tampered with to web visitors.

+
+
+
+
Parent topic: WAF Functions
+
+
+ diff --git a/docs/wafd/umn/waf_01_0151.html b/docs/wafd/umn/waf_01_0151.html new file mode 100644 index 000000000..d0eb00dd6 --- /dev/null +++ b/docs/wafd/umn/waf_01_0151.html @@ -0,0 +1,11 @@ + + +

Is the Path of a WAF Protection Rule Case-sensitive?

+

All paths configured for protection rules of WAF are case-sensitive.

+
+
+
+
Parent topic: Others
+
+
+ diff --git a/docs/wafd/umn/waf_01_0154.html b/docs/wafd/umn/waf_01_0154.html new file mode 100644 index 000000000..3fab5b075 --- /dev/null +++ b/docs/wafd/umn/waf_01_0154.html @@ -0,0 +1,30 @@ + + +

Modifying the Alarm Page

+

If a visitor is blocked by WAF, the Default block page of WAF is returned by default. You can also configure Custom or Redirection for the block page to be returned as required.

+

Prerequisites

A website has been added to WAF.

+
+

Constraints

  • The content of the text/html, text/xml, and application/json pages can be configured on the Custom block page to be returned.
  • The root domain name of the redirection address must be the same as the currently protected domain name (including a wildcard domain name). For example, if the protected domain name is www.example.com and the port is 8080, the redirection URL can be set to http://www.example.com:8080/error.html.
+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
  4. In the navigation pane, choose Website Settings.
  5. In the Domain Name column, click the domain name of the website to go to the basic information page.
  6. Click next to the page template name in the row where Alarm Page is located. In the displayed Alarm Page dialog box, specify Page Template.

    • To use the built-in page, select Default. An HTTP code 418 is returned.
      Figure 1 Default alarm page
      +
    • To customize the alarm page, select Custom and configure following parameters.
      • HTTP Return Code: return code configured on a custom page.
      • Block Page Type: The options are text/html, text/xml, and application/json.
      • Page Content: Configure the page content based on the selected value for Block Page Type.
      +
      Figure 2 Custom alarm page
      +
    • To configure a redirection URL, select Redirection.
      Figure 3 Redirection alarm page
      +

      The root domain name of the redirection URL must be the same as the currently protected domain name (including a wildcard domain name). For example, if the protected domain name is www.example.com and the port is 8080, the redirection URL can be set to http://www.example.com:8080/error.html.

      +
    +

  7. Click Confirm.
+
+
+
+
+
Parent topic: Website Domain Name Management
+
+
+ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_0156.html b/docs/wafd/umn/waf_01_0156.html new file mode 100644 index 000000000..d09b79e0d --- /dev/null +++ b/docs/wafd/umn/waf_01_0156.html @@ -0,0 +1,141 @@ + + +

Viewing Protection Event Logs

+

On the Events page, you can view events generated for blocked attacks and logged only attacks. You can view details of WAF events, including the time an event occurs, origin server IP address, geographic location of the origin server IP address, malicious load, and hit rule.

+

Prerequisites

The website to be protected has been connected to WAF.

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
  4. In the navigation pane on the left, choose Events.
  5. Click the Search tab. In the website or instance drop-down list, select a website to view corresponding event logs. The query time can be Yesterday, Today, Past 3 days, Past 7 days, Past 30 days, or a time range you configure. Table 2 lists related parameters.

    Figure 1 Viewing protection events
    + +
    + + + + + + + + + + + + + + + + + + + +
    Table 1 Event parameters

    Parameter

    +

    Parameters

    +

    Event Type

    +

    Type of the attack.

    +

    By default, All is selected. You can view logs of all attack types or select an attack type to view corresponding attack logs.

    +

    Protective Action

    +

    The options are Block, Log only, and Verification code.

    +

    Source IP Address

    +

    Public IP address of the web visitor/attacker

    +

    By default, All is selected. You can view logs of all attack source IP addresses, select an attack source IP address, or enter an attack source IP address to view corresponding attack logs.

    +

    URL

    +

    Attacked URL.

    +

    Event ID

    +

    ID of the event.

    +
    +
    + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Table 2 Parameters in the event list

    Parameter

    +

    Description

    +

    Example Value

    +

    Time

    +

    When the attack occurred

    +

    2021/02/04 13:20:04

    +

    Source IP Address

    +

    Public IP address of the web visitor/attacker

    +

    None

    +

    Geolocation

    +

    Location where the IP address of the attack originates from

    +

    -

    +

    Domain Name

    +

    Attacked domain name

    +

    www.example.com

    +

    URL

    +

    Attacked URL

    +

    /admin

    +

    Malicious Load

    +

    The location or part of the attack that causes damage or the number of times that the URL was accessed.

    +
    NOTE:
    • In a CC attack, the malicious load indicates the number of times that the URL was accessed.
    • For blacklist protection events, the malicious load is left blank.
    +
    +

    id=1 and 1='1

    +

    Event Type

    +

    Type of attack

    +

    SQL injection

    +

    Protective Action

    +

    Protective actions configured in the rule. The options are Block, Log only, and Verification code.

    +
    NOTE:

    If an access request matches a web tamper protection rule, information leakage prevention rule, or data masking rule, the protective action is marked as Mismatch.

    +
    +

    Block

    +

    Status Code

    +

    HTTP status code returned on the block page.

    +

    418

    +
    +
    +

    To view event details, click Details in the Operation column of the event list.

    +
    +

+
+
+
+
+
Parent topic: Event Management
+
+
+ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_0157.html b/docs/wafd/umn/waf_01_0157.html new file mode 100644 index 000000000..0930393d1 --- /dev/null +++ b/docs/wafd/umn/waf_01_0157.html @@ -0,0 +1,14 @@ + + +

What Data Is Required for Connecting a Domain Name/IP Address to WAF?

+

Prepare information required for connecting a domain name or IP address to WAF based on the mode of WAF instance you plan to buy.

+

The following data is required:

+ +
+
+
+
Parent topic: Domain Name and Port Configuration
+
+
+ diff --git a/docs/wafd/umn/waf_01_0160.html b/docs/wafd/umn/waf_01_0160.html new file mode 100644 index 000000000..0cc147449 --- /dev/null +++ b/docs/wafd/umn/waf_01_0160.html @@ -0,0 +1,12 @@ + + +

What Is the Connection Timeout Duration of WAF? Can I Manually Set the Timeout Duration?

+
+
+
+
+
Parent topic: Service Interruption Check
+
+
+ diff --git a/docs/wafd/umn/waf_01_0169.html b/docs/wafd/umn/waf_01_0169.html new file mode 100644 index 000000000..920ce297a --- /dev/null +++ b/docs/wafd/umn/waf_01_0169.html @@ -0,0 +1,365 @@ + + +

Configuring PCI DSS/3DS Certification Check and TLS Version

+

Transport Layer Security (TLS) provides confidentiality and ensures data integrity for data sent between applications over the Internet. HTTPS is a network protocol constructed based on TLS and HTTP and can be used for encrypted transmission and identity authentication. If you set Client Protocol to HTTPS, set the minimum TLS version and cipher suite (a set of multiple cryptographic algorithms) for your domain name to block requests that use a TLS version earlier than the configured one.

+

TLS v1.0 and the cipher suite 1 are configured by default in WAF for general security. To protect your websites better, set the minimum TLS version to a later version and select a more secure cipher suite.

+

Prerequisites

  • The website to be protected has been added to WAF.
  • Your website uses HTTPS as the client protocol.
+
+

Application Scenarios

By default, the minimum TLS version configured for WAF is TLS v1.0. To ensure website security, configure the right TLS version for your service requirements. Table 1 lists the recommended minimum TLS versions for different scenarios.

+ +
+ + + + + + + + + + + + + + + + + +
Table 1 Recommended minimum TLS versions

Scenario

+

Minimum TLS Version (Recommended)

+

Protection Effect

+

Websites that handle critical business data, such as sites used in banking, finance, securities, and e-commerce.

+

TLS v1.2

+

WAF automatically blocks website access requests that use TLS v1.0 or TLS v1.1.

+

Websites with basic security requirements, for example, small- and medium-sized enterprise websites.

+

TLS v1.1

+

WAF automatically blocks website access requests that use TLS v1.0.

+

Client applications with no special security requirements

+

TLS v1.0

+

Requests using any TLS protocols can access the website.

+
+
+

The recommended cipher suite in WAF is Cipher suite 1. Cipher suite 1 offers a good mix of browser compatibility and security. For details about each cipher suite, see Table 2.

+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + +
Table 2 Description of cipher suites

Cipher Suite Name

+

Supported cryptographic algorithms

+

Description

+

Default cipher suite

+
  • ECDHE-RSA-AES256-SHA384
  • AES256-SHA256
  • HIGH
  • !MD5
  • !aNULL
  • !eNULL
  • !NULL
  • !DH
  • !EDH
  • !AESGCM
+
  • Compatibility: Good.

    A wide range of browsers are supported.

    +
  • Security: Average
+

Cipher suite 1

+
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • HIGH
  • !MEDIUM
  • !LOW
  • !aNULL
  • !eNULL
  • !DES
  • !MD5
  • !PSK
  • !kRSA
  • !SRP
  • !3DES
  • !DSS
  • !EXP
  • !CAMELLIA
  • @STRENGTH
+

Recommended configuration.

+
  • Compatibility: Good.

    A wide range of browsers are supported.

    +
  • Security: Good
+

Cipher suite 2

+
  • EECDH+AESGCM
  • EDH+AESGCM
+
  • Compatibility: Average.

    Strict compliance with forward secrecy requirements of PCI DSS and excellent protection, but browsers of earlier versions may be unable to access the website.

    +
  • Security: Excellent
+

Cipher suite 3

+
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-SHA384
  • HIGH
  • !MD5
  • !aNULL
  • !eNULL
  • !NULL
  • !DH
  • !EDH
+
  • Compatibility: Average.

    Earlier versions of browsers may be unable to access the website.

    +
  • Security: Excellent.

    Multiple algorithms, such as ECDHE, DHE-GCM, and RSA-AES-GCM, are supported.

    +
+

Cipher suite 4

+
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-SHA384
  • AES256-SHA256
  • HIGH
  • !MD5
  • !aNULL
  • !eNULL
  • !NULL
  • !EDH
+
  • Compatibility: Good.

    A wide range of browsers are supported.

    +
  • Security: Average.

    The GCM algorithm is supported.

    +
+
+
+

The TLS cipher suites in WAF are compatible with all browsers and clients of later versions but are incompatible with some browsers of earlier versions. Table 3 lists the incompatible browsers and clients if the TLS v1.0 protocol is used.

+

It is recommended that compatibility tests should be carried out on the service environment to ensure service stability.

+
+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 3 Incompatible browsers and clients for cipher suites under TLS v1.0

Browser/Client

+

Default Cipher Suite

+

Cipher Suite 1

+

Cipher Suite 2

+

Cipher Suite 3

+

Cipher Suite 4

+

Google Chrome 63 /macOS High Sierra 10.13.2

+

Not compatible

+

Compatible

+

Compatible

+

Compatible

+

Not compatible

+

Google Chrome 49/ Windows XP SP3

+

Not compatible

+

Not compatible

+

Not compatible

+

Not compatible

+

Not compatible

+

Internet Explorer 6

+

/Windows XP

+

Not compatible

+

Not compatible

+

Not compatible

+

Not compatible

+

Not compatible

+

Internet Explorer 8

+

/Windows XP

+

Not compatible

+

Not compatible

+

Not compatible

+

Not compatible

+

Not compatible

+

Safari 6/iOS 6.0.1

+

Compatible

+

Compatible

+

Not compatible

+

Compatible

+

Compatible

+

Safari 7/iOS 7.1

+

Compatible

+

Compatible

+

Not compatible

+

Compatible

+

Compatible

+

Safari 7/OS X 10.9

+

Compatible

+

Compatible

+

Not compatible

+

Compatible

+

Compatible

+

Safari 8/iOS 8.4

+

Compatible

+

Compatible

+

Not compatible

+

Compatible

+

Compatible

+

Safari 8/OS X 10.10

+

Compatible

+

Compatible

+

Not compatible

+

Compatible

+

Compatible

+

Internet Explorer

+

7/Windows Vista

+

Compatible

+

Compatible

+

Not compatible

+

Compatible

+

Compatible

+

Internet Explorer 8, 9, or 10

+

/Windows 7

+

Compatible

+

Compatible

+

Not compatible

+

Compatible

+

Compatible

+

Internet Explorer 10

+

/Windows Phone 8.0

+

Compatible

+

Compatible

+

Not compatible

+

Compatible

+

Compatible

+

Java 7u25

+

Compatible

+

Compatible

+

Not compatible

+

Compatible

+

Compatible

+

OpenSSL 0.9.8y

+

Not compatible

+

Not compatible

+

Not compatible

+

Not compatible

+

Not compatible

+

Safari 5.1.9/OS X 10.6.8

+

Compatible

+

Compatible

+

Not compatible

+

Compatible

+

Compatible

+

Safari 6.0.4/OS X 10.8.4

+

Compatible

+

Compatible

+

Not compatible

+

Compatible

+

Compatible

+
+
+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Security > Web Application Firewall (Dedicated).
  4. In the navigation pane, choose Website Settings.
  5. In the Domain Name column, click the domain name of the website to go to the basic information page.
  6. In the Compliance Certification row, you can select PCI DSS and/or PCI 3DS to allow WAF to check your website for the corresponding PCI certification compliance. In the TLS Configuration row, click to complete TLS configuration. Figure 1 shows an example.

    Figure 1 TLS configuration modification
    +
    • Select PCI DSS. In the displayed Warning dialog box, click OK to enable the PCI DSS certification check.

      +

      +

      +

      If PCI DSS certification check is enabled, the minimum TLS version and cypher suite cannot be changed.

      +
      +
    • Select PCI 3DS. In the displayed Warning dialog box, click OK to enable the PCI 3DS certification check.

      +

      +

      +
      • If PCI 3DS certification check is enabled, the minimum TLS version cannot be changed.
      • Once enabled, the PCI 3DS certification check cannot be disabled.
      +
      +
    +

  7. In the displayed TLS Configuration dialog box, select the minimum TLS version and cipher suite. Figure 2 shows an example.

    Figure 2 TLS Configuration
    +
    Select the minimum TLS version you need. The options are as follows:
    • TLS v1.0: the default version. Requests using TLS v1.0 or later can access the domain name.
    • TLS v1.1: Only requests using TLS v1.1 or later can access the domain name.
    • TLS v1.2: Only requests using TLS v1.2 or later can access the domain name.
    +
    +

  8. Click OK.
+
+

Verification

If the Minimum TLS Version is set to TLS v1.2, the website can be accessed over connections secured by TLS v1.2 or later, but cannot be accessed over connections secured by TLS v1.1 or earlier.

+
+
+
+
+
Parent topic: Website Domain Name Management
+
+
+ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_0176.html b/docs/wafd/umn/waf_01_0176.html new file mode 100644 index 000000000..9befaf81d --- /dev/null +++ b/docs/wafd/umn/waf_01_0176.html @@ -0,0 +1,12 @@ + + +

How Do I Add a Domain Name/IP Address to WAF?

+

After you connect a domain name or IP address of the website you want to protect to WAF, WAF works as a reverse proxy between the client and the server. The real IP address of the server is hidden and only the IP address of WAF is visible to web visitors. For details, see Step 1: Add a Website to WAF.

+ +
+
+
+
Parent topic: Domain Name and Port Configuration
+
+
+ diff --git a/docs/wafd/umn/waf_01_0179.html b/docs/wafd/umn/waf_01_0179.html new file mode 100644 index 000000000..9e64a4536 --- /dev/null +++ b/docs/wafd/umn/waf_01_0179.html @@ -0,0 +1,55 @@ + + +

What Is the Difference Between QPS and the Number of Requests?

+

Queries Per Second (QPS) indicates the number of requests per second. For example, an HTTP GET request is also called a query. The number of requests is the total number of requests in a specific time range.

+

Queries Per Second (QPS) is the number of requests a server can handle per second.

+

QPS is used to measure the number of queries, or requests, per second.

+
+

For details about QPS on the Dashboard page, see Table 1.

+ +
+ + + + + + + + + + + + + + + + + + + + + +
Table 1 QPS calculation

Time Range

+

Average QPS Description

+

Peak QPS Description

+

Yesterday or Today

+

The QPS curve is made with the average QPSs in every minute.

+

The QPS curve is made with each peak QPS in every minute.

+

Past 3 days

+

The QPS curve is made with the average QPSs in every five minutes.

+

The QPS curve is made with each peak QPS in every five minutes.

+

Past 7 days

+

The QPS curve is made with the maximum value among the average QPSs in every five minutes at a 10-minute interval.

+

The QPS curve is made with each peak QPS in every 10 minutes.

+

Past 30 days

+

The QPS curve is made with the maximum value among the average QPSs in every five minutes at a one-hour interval.

+

The QPS curve is made with the peak QPSs in every hour.

+
+
+
+
+
+
Parent topic: WAF Usage
+
+
+ diff --git a/docs/wafd/umn/waf_01_0187.html b/docs/wafd/umn/waf_01_0187.html new file mode 100644 index 000000000..6406d5d44 --- /dev/null +++ b/docs/wafd/umn/waf_01_0187.html @@ -0,0 +1,12 @@ + + +

Can WAF Check the Body I Add to the POST Request?

+

The built-in detection of WAF checks POST data, and web shells are the files submitted in POST requests. WAF checks all data, such as forms and JSON files in POST requests based on the default protection policies.

+

You can configure a precise protection rule to check the body added to POST requests.

+
+
+
+
Parent topic: WAF Functions
+
+
+ diff --git a/docs/wafd/umn/waf_01_0190.html b/docs/wafd/umn/waf_01_0190.html new file mode 100644 index 000000000..ad6d59e7f --- /dev/null +++ b/docs/wafd/umn/waf_01_0190.html @@ -0,0 +1,15 @@ + + +

Does WAF Support Wildcard Domain Names?

+

Yes. When adding a domain name to WAF, you can configure a single domain name or a wildcard domain name based on your service requirements. The details are as follows:

+ +
+
+
+
Parent topic: Domain Name and Port Configuration
+
+
+ diff --git a/docs/wafd/umn/waf_01_0196.html b/docs/wafd/umn/waf_01_0196.html new file mode 100644 index 000000000..3675b10ab --- /dev/null +++ b/docs/wafd/umn/waf_01_0196.html @@ -0,0 +1,14 @@ + + +

What Are Local File Inclusion and Remote File Inclusion?

+

You can view security events such as file inclusion in WAF protection events to quickly locate attack sources or analyze attack events.

+

Program developers write repeatedly used functions into a single file. When such functions need to be used, the file is directly invoked. The file invoking process is called file inclusion. File inclusion vulnerabilities are classified into two categories, based on whether the file is a remotely hosted file or a local file available on the web server:

+ +

A file inclusion vulnerability allows an attacker to access unauthorized or sensitive files available on the web server or to execute malicious files on the web server by using such a file. This vulnerability is mainly due to a bad input validation mechanism, wherein the user's input that is passed to the file include commands without proper validation. The impact of this vulnerability can lead to malicious code execution on the server or reveal data present in sensitive files.

+
+
+
+
Parent topic: WAF Usage
+
+
+ diff --git a/docs/wafd/umn/waf_01_0198.html b/docs/wafd/umn/waf_01_0198.html new file mode 100644 index 000000000..37a859411 --- /dev/null +++ b/docs/wafd/umn/waf_01_0198.html @@ -0,0 +1,12 @@ + + +

Why Am I Seeing Error Code 418?

+

If the request contains malicious load and is intercepted by WAF, error 418 is reported when you access the domain name protected by WAF. You can view WAF protection logs to view the cause.

+ +
+
+
+
Parent topic: Service Interruption Check
+
+
+ diff --git a/docs/wafd/umn/waf_01_0204.html b/docs/wafd/umn/waf_01_0204.html new file mode 100644 index 000000000..6a03bb950 --- /dev/null +++ b/docs/wafd/umn/waf_01_0204.html @@ -0,0 +1,38 @@ + + +

Which Protection Levels Can Be Set for Basic Web Protection?

+

WAF provides three basic web protection levels: Low, Medium, and High. The default option is Medium. For details, see Table 1.

+ +
+ + + + + + + + + + + + + +
Table 1 Protection levels

Protection Level

+

Description

+

Low

+

WAF only blocks the requests with obvious attack signatures.

+

If a large number of false alarms are reported, Low is recommended.

+

Medium

+

The default level is Medium, which meets a majority of web protection requirements.

+

High

+

At this level, WAF provides the finest granular protection and can intercept attacks with complex bypass features, such as Jolokia cyber attacks, common gateway interface (CGI) vulnerability detection, and Druid SQL injection attacks.

+

To let WAF defend against more attacks but make minimum effect on normal requests, observe your workloads for a period of time first. Then, configure a global protection whitelist rule and select High.

+
+
+
+
+
+
Parent topic: Basic Web Protection
+
+
+ diff --git a/docs/wafd/umn/waf_01_0211.html b/docs/wafd/umn/waf_01_0211.html new file mode 100644 index 000000000..d35e22466 --- /dev/null +++ b/docs/wafd/umn/waf_01_0211.html @@ -0,0 +1,11 @@ + + +

Can WAF Block URL Requests That Contain Special Characters?

+

No. WAF can only detect and restrict source IP addresses.

+
+
+
+
Parent topic: WAF Functions
+
+
+ diff --git a/docs/wafd/umn/waf_01_0212.html b/docs/wafd/umn/waf_01_0212.html new file mode 100644 index 000000000..75a940c83 --- /dev/null +++ b/docs/wafd/umn/waf_01_0212.html @@ -0,0 +1,12 @@ + + +

Can WAF Block Requests for Calling Other APIs from Web Pages?

+

If the request data for calling other APIs on the web page is included in the domain names protected by WAF, the request data passes through WAF. WAF checks the request data and blocks it if it is an attack.

+

If the request data for calling other APIs on the web page is not included in the domain names protected by WAF, the request data does not pass through WAF. WAF cannot block the request data.

+
+
+
+
Parent topic: WAF Functions
+
+
+ diff --git a/docs/wafd/umn/waf_01_0218.html b/docs/wafd/umn/waf_01_0218.html new file mode 100644 index 000000000..8ea545380 --- /dev/null +++ b/docs/wafd/umn/waf_01_0218.html @@ -0,0 +1,11 @@ + + +

Does WAF Affect Email Ports or Email Receiving and Sending?

+

WAF protects web application pages. After your website is connected to WAF, there is no impact on your email port or email sending or receiving.

+
+
+
+
Parent topic: WAF Usage
+
+
+ diff --git a/docs/wafd/umn/waf_01_0222.html b/docs/wafd/umn/waf_01_0222.html new file mode 100644 index 000000000..8d83c960e --- /dev/null +++ b/docs/wafd/umn/waf_01_0222.html @@ -0,0 +1,11 @@ + + +

What Are Concurrent Requests?

+

The number of concurrent requests refers to the number of requests that the system can process simultaneously. When it comes to a website, concurrent requests refer to the requests from the visitors at the same time.

+
+
+
+
Parent topic: WAF Usage
+
+
+ diff --git a/docs/wafd/umn/waf_01_0229.html b/docs/wafd/umn/waf_01_0229.html new file mode 100644 index 000000000..425baf627 --- /dev/null +++ b/docs/wafd/umn/waf_01_0229.html @@ -0,0 +1,11 @@ + + +

Does WAF Support Application Layer Protocol- and Content-Based Access Control?

+

WAF supports access control over content at the application layer. HTTP and HTTPS are both application layer protocols.

+
+
+
+
Parent topic: WAF Functions
+
+
+ diff --git a/docs/wafd/umn/waf_01_0243.html b/docs/wafd/umn/waf_01_0243.html new file mode 100644 index 000000000..1d9f7664d --- /dev/null +++ b/docs/wafd/umn/waf_01_0243.html @@ -0,0 +1,59 @@ + + +

WAF Custom Policies

+

Custom policies can be created to supplement the system-defined policies of WAF.

+

Example Custom Policies

  • Example 1: Allowing users to query the protected domain list
    {
+        "Version": "1.1",
+        "Statement": [
+                {
+                        "Effect": "Allow",
+                        "Action": [
+                                "waf:instance:list"
+                                                       ]
+                }
+        ]
+}
    +
+
  • Example 2: Denying the user request of deleting web tamper protection rules

    A deny policy must be used together with other policies. If the permissions assigned to a user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.

    +

    The following method can be used if you need to assign permissions of the WAF FullAccess policy to a user but also forbid the user from deleting web tamper protection rules (waf:antiTamperRule:delete). Create a custom policy with the action to delete web tamper protection rules, set its Effect to Deny, and assign both this policy and the WAF FullAccess policy to the group the user belongs to. Then the user can perform all operations on WAF except deleting web tamper protection rules. The following is a policy for denying web tamper protection rule deletion.

    +
    {
+        "Version": "1.1",
+        "Statement": [
+                {
+                        "Effect": "Deny",
+                        "Action": [
+                                "waf:antiTamperRule:delete"                                
+                        ]
+                },
+        ]
+}
    +
  • Multi-action policy

    A custom policy can contain the actions of multiple services that are of the project-level type. The following is an example policy containing actions of multiple services:

    +
    {
+        "Version": "1.1",
+        "Statement": [
+                {
+                        "Effect": "Allow",
+                        "Action": [
+                                "waf:instance:get",
+                                "waf:certificate:get"
+                        ]
+                },
+               {
+                        "Effect": "Allow",
+                        "Action": [
+                                "hss:hosts:switchVersion",
+                                "hss:hosts:manualDetect",
+                                "hss:manualDetectStatus:get"
+                        ]
+                }
+        ]
+}
    +
+
+
+
+
+
Parent topic: Permissions Management
+
+
+ diff --git a/docs/wafd/umn/waf_01_0244.html b/docs/wafd/umn/waf_01_0244.html new file mode 100644 index 000000000..a6ffde48c --- /dev/null +++ b/docs/wafd/umn/waf_01_0244.html @@ -0,0 +1,316 @@ + + +

WAF Permissions and Supported Actions

+

This topic describes fine-grained permissions management for your WAF instances. If your account does not need individual IAM users, then you may skip over this topic.

+

By default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups, and assign permissions policies to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services based on the permissions.

+

You can grant users permissions by using roles and policies. Roles are provided by IAM to define service-based permissions depending on user's job responsibilities. Policies: A type of fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions.

+

Supported Actions

WAF provides system-defined policies that can be directly used in IAM. You can also create custom policies and use them to supplement system-defined policies, implementing more refined access control.

+
  • Permission: A statement in a policy that allows or denies certain operations.
  • Action: Specific operations that are allowed or denied.
+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

Permission

+

Action

+

Querying an information leakage prevention rule

+

waf:antiLeakageRule:get

+

Querying a web tamper protection rule

+

waf:antiTamperRule:get

+

Querying a CC attack protection rule

+

waf:ccRule:get

+

Querying a precise protection rule

+

waf:preciseProtectionRule:get

+

Querying a false alarm masking rule

+

waf:falseAlarmMaskRule:get

+

Querying a data masking rule

+

waf:privacyRule:get

+

Querying a blacklist or whitelist rule

+

waf:whiteBlackIpRule:get

+

Querying a geolocation access control rule

+

waf:geoIpRule:get

+

Querying a certificate

+

waf:certificate:get

+

Modifying WAF certificates

+

waf:certificate:put

+

Querying a protection event

+

waf:event:get

+

Querying a protected domain

+

waf:instance:get

+

Querying a protection policy

+

waf:policy:get

+

Querying quota package information

+

waf:bundle:get

+

Querying the protection event download link

+

waf:dumpEventLink:get

+

Querying configurations

+

waf:consoleConfig:get

+

Querying the back-to-source IP address segment

+

waf:sourceIp:get

+

Updating an information leakage prevention rule

+

waf:antiLeakageRule:put

+

Updating a web tamper protection rule

+

waf:antiTamperRule:put

+

Updating a CC attack protection rule

+

waf:ccRuleRule:put

+

Updating a precise protection rule

+

waf:preciseProtectionRule:put

+

Updating a false alarm masking rule

+

waf:falseAlarmMaskRule:put

+

Updating a data masking rule

+

waf:privacyRule:put

+

Updating an IP address blacklist or whitelist rule

+

waf:whiteBlackIpRule:put

+

Updating a geolocation access control rule

+

waf:geoIpRule:put

+

Updating a protected domain

+

waf:instance:put

+

Updating a protection policy

+

waf:policy:put

+

Deleting an information leakage prevention rule

+

waf:antiLeakageRule:delete

+

Deleting a web tamper protection rule

+

waf:antiTamperRule:delete

+

Deleting a CC attack protection rule

+

waf:ccRule:delete

+

Configuring a precise protection rule

+

waf:preciseProtectionRule:delete

+

Deleting a false alarm masking rule

+

waf:falseAlarmMaskRule:delete

+

Deleting a data masking rule

+

waf:privacyRule:delete

+

Deleting a blacklist or whitelist rule

+

waf:whiteBlackIpRule:delete

+

Deleting a geolocation access control rule

+

waf:geoIpRule:delete

+

Deleting a protected domain

+

waf:instance:delete

+

Deleting a protection policy

+

waf:policy:delete

+

Adding an information leakage prevention rule

+

waf:antiLeakageRule:create

+

Adding a web tamper protection rule

+

waf:antiTamperRule:create

+

Adding a CC attack protection rules

+

waf:ccRule:create

+

Adding a precise protection rule

+

waf:preciseProtectionRule:create

+

Creating a false alarm masking rule

+

waf:falseAlarmMaskRule:create

+

Adding a data masking rule

+

waf:privacyRule:create

+

Adding a blacklist or whitelist rule

+

waf:whiteBlackIpRule:create

+

Adding a geolocation access control rule

+

waf:geoIpRule:create

+

Adding a certificate

+

waf:certificate:create

+

Adding a domain

+

waf:instance:create

+

Adding a policy

+

waf:policy:create

+

Querying information leakage prevention rules

+

waf:antiLeakageRule:list

+

Querying web tamper protection rules

+

waf:antiTamperRule:list

+

Querying CC attack protection rules

+

waf:ccRuleRule:list

+

Querying precise protection rules

+

waf:preciseProtectionRule:list

+

Querying the false alarm masking rule list

+

waf:falseAlarmMaskRule:list

+

Querying data masking rules

+

waf:privacyRule:list

+

Querying blacklist and whitelist rules

+

waf:whiteBlackIpRule:list

+

Querying geolocation access control rules

+

waf:geoIpRule:list

+

Querying the protection domains

+

waf:instance:list

+

Querying protection policies

+

waf:policy:list

+
+
+
+
+
+
+
Parent topic: Permissions Management
+
+
+ diff --git a/docs/wafd/umn/waf_01_0249.html b/docs/wafd/umn/waf_01_0249.html new file mode 100644 index 000000000..17a065931 --- /dev/null +++ b/docs/wafd/umn/waf_01_0249.html @@ -0,0 +1,20 @@ + + +

Connecting a Website to WAF

+

+
+
+ + +
+
Parent topic: Enabling WAF Protection
+
+
+ diff --git a/docs/wafd/umn/waf_01_0250.html b/docs/wafd/umn/waf_01_0250.html new file mode 100644 index 000000000..765a332fc --- /dev/null +++ b/docs/wafd/umn/waf_01_0250.html @@ -0,0 +1,154 @@ + + +

Step 1: Add a Website to WAF

+

If your service servers are deployed on the cloud, you can add the domain name or IP address of the website to WAF so that the website traffic is forwarded to WAF for inspection.

+

Prerequisites

+

You have purchased a dedicated WAF instance.

+
+

Constraints

  • An Internet-facing load balancer has been deployed on the website you want to protect with dedicated WAF instances.
  • If your website has no layer-7 proxy server such as CDN and cloud acceleration service deployed in front of WAF and uses only layer-4 load balancers (or NAT), set Proxy Configured to No. Otherwise, Proxy Configured must be set to Yes. This ensures that WAF obtains real IP addresses of website visitors and takes protective actions configured in protection policies.
+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
  1. In the navigation pane, choose Website Settings.
  2. In the upper left corner of the website list, click Add Website.
  3. Configure basic information of the domain name. Figure 1 shows an example. Table 1 lists parameters.

    Figure 1 Configuring basic settings of a website
    +
    +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Table 1 Parameter description

    Parameter

    +

    Description

    +

    Example Value

    +

    Website Name

    +

    Website name you specify.

    +

    WAF-DT

    +

    Protected Object

    +

    A domain name or IP address of the website to be protected. The domain name can be a single domain name or a wildcard domain name.

    +
    • Single domain name: Enter a single domain name. For example, www.example.com.
    • Wildcard domain name
      NOTE:

      Wildcard domain names cannot contain underscores (_).

      +
      +
      • If the server IP address of each subdomain name is the same, enter a wildcard domain name to be protected. For example, if the subdomain names a.example.com, b.example.com, and c.example.com have the same server IP address, you can add the wildcard domain name *.example.com to WAF to protect all three.
      • If the server IP addresses of subdomain names are different, add subdomain names as single domain names one by one.
      +
    +

    Single domain name: www.example.com

    +

    Wildcard domain name: *.example.com

    +

    IP address format: XXX.XXX.1.1

    +

    Website Remarks

    +

    Brief description of the website

    +

    test

    +

    Protected Port

    +

    Select the port that needs to be protected from the drop-down list box.

    +

    To protect port 80 or 443, select Standard port from the drop-down list.

    +

    Standard ports

    +

    Server Configuration

    +

    Address of the web server. The configuration contains the Client Protocol, Server protocol, VPC, Server Address, and Server Port.

    +
    • Client Protocol: Protocol used for forwarding a client requests to the dedicated WAF instance. The options are HTTP and HTTPS.
    • Server Protocol: Protocol used for forwarding a client request to the origin server through the dedicated WAF instance. The options are HTTP and HTTPS.
      NOTE:

      WAF can check WebSocket and WebSockets requests, which is enabled by default.

      +
      +
    • VPC: Select the VPC to which the dedicated WAF instance belongs.
    • Server Address: Private IP address or domain name of the website server that a client (for example, a browser) accesses.
    • Server Port: service port of the server to which the dedicated WAF instance forwards client requests.
    +

    Client Protocol: HTTP

    +

    Server Protocol: HTTP

    +

    VPC: vpc-default

    +

    Server Address: 192.168.1.1

    +

    Server Port: 80

    +

    Certificate Name

    +

    If you set Client Protocol to HTTPS, an SSL certificate is required. You can select an existing certificate or import an external certificate. For details about how to import a certificate, see Importing a New Certificate.

    +

    For details about how to create a certificate, see Uploading a Certificate.

    +
    NOTICE:
    • Only .pem certificates can be used in WAF. If the certificate is not in .pem, convert it into a .pem certificate by referring to Importing a New Certificate before uploading the certificate.
    • Each domain name must have a certificate associated. A wildcard domain name can only use a wildcard domain certificate. If you only have single-domain certificates, you need to add domain names one by one in WAF.
    +
    +

    -

    +
    +
    +
    +

  4. Configure Proxy.

    If your website has no layer-7 proxy server such as CDN and cloud acceleration service deployed in front of WAF and uses only layer-4 load balancers (or NAT), set Proxy Configured to No. Otherwise, Proxy Configured must be set to Yes. This ensures that WAF obtains real IP addresses of website visitors and takes protective actions configured in protection policies.

    +

  5. Select a policy. By default, system-generated policy is selected.

    You can select a policy you configured. You can also customize rules after the domain name is connected to WAF.

    +

    System-generated policies:

    +
    • Basic web protection (Log only mode and common checks)

      The basic web protection defends against attacks such as SQL injections, XSS, remote overflow vulnerabilities, file inclusions, Bash vulnerabilities, remote command execution, directory traversal, sensitive file access, and command/code injections.

      +
    • Anti-crawler (Log only mode and Scanner feature)

      WAF only logs web scanning tasks, such as vulnerability scanning and virus scanning, such as crawling behavior of OpenVAS and Nmap.

      +
    +

    Log only: WAF only logs detected attack events instead of blocking them.

    +
    +

  6. Click Confirm.

    To enable WAF protection, there are still several steps, including configuring a load balancer, binding an EIP to the load balancer, and whitelisting WAF IP addresses. You can click Later in this step. Then, follow the instructions and finish those steps by referring to Step 2: Configure a Load Balancer and Step 3: Bind an EIP to a Load Balancer.

    +

+
+

Verification

The initial Access Status of a website is Inaccessible. After you configure a load balancer and bind an EIP to the load balancer for your website, when a request reaches the WAF dedicated instance, the access status automatically changes to Accessible.

+
+

Importing a New Certificate

If you set Client Protocol to HTTPS, an SSL certificate is required. You can perform the following steps to import a new certificate.

+
  1. Click Import New Certificate. In the displayed dialog box, enter a certificate name and copy the certificate file and private key to the corresponding text boxes.
    Figure 2 Import New Certificate
    +

    WAF encrypts and saves the private key to keep it safe.

    +
    +
    +
    Only .pem certificates can be used in WAF. If the certificate is not in .pem format, convert it into .pem locally by referring to Table 2 before uploading it. +
    + + + + + + + + + + + + + + + + +
    Table 2 Certificate conversion commands

    Format

    +

    Conversion Method

    +

    CER/CRT

    +

    Rename the cert.crt certificate file to cert.pem.

    +

    PFX

    +
    • Obtain a private key. For example, run the following command to convert cert.pfx into key.pem:

      openssl pkcs12 -in cert.pfx -nocerts -out key.pem -nodes

      +
    • Obtain a certificate. For example, run the following command to convert cert.pfx into cert.pem:

      openssl pkcs12 -in cert.pfx -nokeys -out cert.pem

      +
    +

    P7B

    +
    1. Convert a certificate. For example, run the following command to convert cert.p7b into cert.cer:

      openssl pkcs7 -print_certs -in cert.p7b -out cert.cer

      +
    2. Rename certificate file cert.cer to cert.pem.
    +

    DER

    +
    • Obtain a private key. For example, run the following command to convert privatekey.der into privatekey.pem:

      openssl rsa -inform DER -outform PEM -in privatekey.der -out privatekey.pem

      +
    • Obtain a certificate. For example, run the following command to convert cert.cer into cert.pem:

      openssl x509 -inform der -in cert.cer -out cert.pem

      +
    +
    +
    +
    • Before running an OpenSSL command, ensure that the OpenSSL tool has been installed on the local host.
    • If your local PC runs a Windows operating system, go to the command line interface (CLI) and then run the certificate conversion command.
    +
    +
    +
  2. Click OK.
+
+
+
+
+
Parent topic: Connecting a Website to WAF
+
+
+ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_0251.html b/docs/wafd/umn/waf_01_0251.html new file mode 100644 index 000000000..34a2befa0 --- /dev/null +++ b/docs/wafd/umn/waf_01_0251.html @@ -0,0 +1,40 @@ + + +

Step 2: Configure a Load Balancer

+

To ensure your dedicated WAF instance reliability, after you add a website to it, use Elastic Load Balance (ELB) to configure a load balancer and a health check for the dedicated WAF instance.

+

Prerequisites

  • You have added a website to a dedicated WAF instance.
  • You have created a load balancer.
  • Related ports have been enabled in the security group to which the dedicated WAF instance belongs.
    You can configure your security group as follows:
    • Inbound rules

      Add an inbound rule to allow incoming network traffic to pass through over a specified port based on your service requirements. For example, if you want to allow access from port 80, add a rule that allows TCP and port 80.

      +
    • Outbound rules

      Retain the default settings. All outgoing network traffic is allowed by default.

      +
    +
    +
+
+

Constraints

The listening port of the dedicated WAF instance must be the same as that configured in Step 1: Add a Website to WAF.

+
+

Impact on the System

If you select Weighted round robin for Load Balancing Algorithm, disable Sticky Session. If you enable Sticky Session, the same requests will be forwarded to the same dedicated WAF instance. If this instance becomes faulty, an error will occur when the requests come to it next time.

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner of the page and choose Elastic Load Balance under Network to go to the ELB console.
  4. Click the name of your load balancer in the Name column to go to the Basic Information page.
  5. Click the Listeners tab, click Add Listener, and configure the listener information. Figure 1 shows an example.

    Figure 1 Configuring a listener
    +

  6. Click Next and configure the backend server group and health check. Figure 2 and Figure 3 show examples.

    Figure 2 Configuring a Backend Host Group
    +

    If you select Round robin for Load Balancing Algorithm, disable Sticky Session. If you enable Sticky Session, the same requests will be forwarded to the same dedicated WAF instance. If this instance becomes faulty, an error will occur when the requests come to it next time.

    +
    +
    Figure 3 Health Check Settings
    +

  7. Click Next: Confirm.
  8. Click Finish and then OK.
  9. Go to the page of the added listener, select the Backend Server Groups tab, and click Add.
  10. In the Add Backend Server dialog box, select the dedicated WAF instance you have created.

    Figure 4 Selecting the created dedicated WAF instance
    +

  11. Click Next and configure a port for the dedicated engine. Figure 5 shows an example.

    The listening port of the dedicated WAF instance must be the same as that configured in Step 1: Add a Website to WAF. If you configure a standard port for the website, set the HTTP listening port to 80 and HTTPS listening port to 443.

    +
    +
    Figure 5 Configuring a port for the dedicated WAF instance
    +

  12. Click Finish.
+
+

+
+
+
+
Parent topic: Connecting a Website to WAF
+
+
+ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_0252.html b/docs/wafd/umn/waf_01_0252.html new file mode 100644 index 000000000..ba6280ff5 --- /dev/null +++ b/docs/wafd/umn/waf_01_0252.html @@ -0,0 +1,23 @@ + + +

Step 3: Bind an EIP to a Load Balancer

+

After you configure a load balancer for your dedicated WAF instance, you need to unbind the EIP from the origin server and then bind this EIP to the load balancer you configured. For details, see Configuring a Load Balancer. The request traffic then goes to the dedicated WAF instance for attack detection first and then go to the origin server, ensuring the security, stability, and availability of the origin server.

+

Prerequisites

You have configured a load balancer for a dedicated WAF instance.

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner of the page and choose Elastic Load Balance under Network to go to the ELB console.
  4. On the Elastic Load Balancers page, locate the row that contains the load balancer configured for the origin server, click More in the Operation column, and select Unbind IPv4 EIP. Figure 1 shows an example.

    Figure 1 Unbinding an EIP
    +

  5. In the displayed dialog box, click Yes.
  6. On the Load Balancers page, locate the row that contains the load balancer configured for the dedicated WAF instance, click More in the Operation column, and select Bind EIP.
  7. In the Bind EIP dialog box, select the EIP unbound in Step 4 and click OK.
+
+
+
+
+
Parent topic: Connecting a Website to WAF
+
+
+ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_0253.html b/docs/wafd/umn/waf_01_0253.html new file mode 100644 index 000000000..46c4c8ed6 --- /dev/null +++ b/docs/wafd/umn/waf_01_0253.html @@ -0,0 +1,122 @@ + + +

Dedicated WAF Engine Management

+

This topic describes how to manage your dedicated WAF instances (or engines), including viewing instance information, upgrading the instance edition, or deleting an instance.

+

Prerequisites

You have purchased a dedicated WAF instance.

+
+

Viewing Information About a Dedicated WAF Instance

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
  4. In the navigation pane on the left, choose Instance Management > Dedicated Engine to go to the dedicated WAF instance page.

    Figure 1 Dedicated engine list
    +

  5. View information about a dedicated WAF instance. Table 1 describes parameters.

    +

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Table 1 Parameters of a dedicated instance

    Parameter

    +

    Description

    +

    Example Value

    +

    Instance Name

    +

    Name automatically generated when an instance is created.

    +

    None

    +

    Protected Website

    +

    Domain name of the website protected by the instance.

    +

    www.example.com

    +

    VPC

    +

    VPC where the instance resides

    +

    vpc-waf

    +

    Subnet

    +

    Subnet where an instance resides

    +

    subnet-62bb

    +

    IP Addresses

    +

    IP address of the subnet in the VPC where the WAF instance is deployed.

    +

    192.168.0.186

    +

    Access Status

    +

    Connection status of the instance.

    +

    Accessible

    +

    Running Status

    +

    Status of the instance.

    +

    Running

    +

    Deployment

    +

    How the instance is deployed.

    +

    Standard mode (reverse proxy)

    +

    Specifications

    +

    Specifications of resources hosting the instance.

    +

    8 vCPUs | 16 GB

    +

    Operation

    +    		 +

    -

    +
    +
    +

+
+

Viewing Metrics of a Dedicated WAF Instance

When a WAF instance is in the Running status, you can view the monitored metrics about the instance.

+
  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
  4. In the navigation pane on the left, choose Instance Management > Dedicated Engine to go to the dedicated WAF instance page.

    Figure 2 Dedicated engine list
    +

  5. In the row of the instance, click Cloud Eye in the Operation column to go to the Cloud Eye console and view the monitoring information, such as CPU, memory, and bandwidth.
+
+

Upgrading a Dedicated WAF Instance

Only dedicated WAF instances in the Running status can be upgraded to the latest version.

+
  • It takes about 20 minutes for upgrading an instance. During the upgrade, the instance is not available and cannot protect your domain names connected to it. To prevent service interruptions, use either of the following solutions:
    • Solution 1: Deploy multiple dedicated WAF instances for your domain name, add them to a backend server group of your load balancer, and enable the health check policy for the load balancer. In this way, if one dedicated WAF instance is not available, WAF automatically distributes the traffic to other healthy instances. There is almost no impact on your services except that website requests might be intermittently interrupted for few seconds.
    • Solution 2: If you deploy only one dedicated WAF instance, configure a load balancer before you start to let website traffic bypass WAF during the upgrade. After the upgrade is complete, configure the load balancer to distribute traffic to WAF.
    +
  • If you are using the latest version of WAF, the Upgrade button is grayed out.
+
+
  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
  4. In the navigation pane on the left, choose Instance Management > Dedicated Engine to go to the dedicated WAF instance page.

    Figure 3 Dedicated engine list
    +

  5. In the row containing the instance you want to upgrade, click More > Upgrade in the Operation column.
  6. Confirm the upgrade conditions and click Confirm.
+
+

Change Security Group for a Dedicated WAF Instance

If you select Network Interface for Instance Type, you can change the security group to which your dedicated instance belongs. After you select a security group, the WAF instance will be protected by the access rules of the security group.

+
  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
  4. In the navigation pane on the left, choose Instance Management > Dedicated Engine to go to the dedicated WAF instance page.

    Figure 4 Dedicated engine list
    +

  5. In the row containing the instance, choose More > Change Security Group in the Operation column.
  6. In the dialog box displayed, select the new security group and click Confirm.
+
+

Deleting a Dedicated WAF Instance

You can delete a dedicated WAF instance at any time. A deleted dedicated WAF instance will no longer protect the website added to it.

+

Resources on deleted instance are released and cannot be restored. Exercise caution when performing this operation.

+
+
  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
  4. In the navigation pane on the left, choose Instance Management > Dedicated Engine to go to the dedicated WAF instance page.

    Figure 5 Dedicated engine list
    +

  5. In the row of the instance, click Delete in the Operation column.
  6. Click Confirm.

    Figure 6 Deleting an instance
    +

+
+
+ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_0254.html b/docs/wafd/umn/waf_01_0254.html new file mode 100644 index 000000000..f4d92f304 --- /dev/null +++ b/docs/wafd/umn/waf_01_0254.html @@ -0,0 +1,22 @@ + + +

Why Is the Requested Page Unable to Load After JavaScript Anti-Crawler Is Enabled?

+

After JavaScript anti-crawler is enabled, WAF returns a piece of JavaScript code to the client when the client sends a request. If the client sends a normal request to the website, triggered by the received JavaScript code, the client will automatically send the request to WAF again. WAF then forwards the request to the origin server. This process is called JavaScript verification. Figure 1 shows how JavaScript verification works.

+
Figure 1 JavaScript anti-crawler detection process
+
  • To enable the JavaScript anti-crawler protection, the browser on the client must have JavaScript and cookies enabled.
  • If the client does not meet the preceding requirements, only steps 1 and 2 can be performed. In this case, the client request fails to obtain the page.
+

Check your services. If your website can be accessed by other means except for a browser, disable JavaScript anti-crawler protection.

+
+
+
+
+
Parent topic: Anti-Crawler Protection
+
+
+ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_0257.html b/docs/wafd/umn/waf_01_0257.html new file mode 100644 index 000000000..e24ff819b --- /dev/null +++ b/docs/wafd/umn/waf_01_0257.html @@ -0,0 +1,11 @@ + + +

Can WAF Limit the Access Speed of a Domain Name?

+

No. However, you can customize a CC attack protection rule to restrict access to a specific URL on your website based on an IP address, cookie, or Referer, mitigating CC attacks.

+
+
+
+
Parent topic: WAF Functions
+
+
+ diff --git a/docs/wafd/umn/waf_01_0261.html b/docs/wafd/umn/waf_01_0261.html new file mode 100644 index 000000000..38e47f66d --- /dev/null +++ b/docs/wafd/umn/waf_01_0261.html @@ -0,0 +1,17 @@ + + +

Certificate Management

+
+
+ +
+ diff --git a/docs/wafd/umn/waf_01_0262.html b/docs/wafd/umn/waf_01_0262.html new file mode 100644 index 000000000..b1dfaa9ac --- /dev/null +++ b/docs/wafd/umn/waf_01_0262.html @@ -0,0 +1,70 @@ + + +

Updating a Certificate

+

If you set Client Protocol to HTTPS when you add a website to WAF, upload a certificate and use it for your website.

+ +

Prerequisites

  • The website to be protected has been added to WAF.
  • Your website uses HTTPS as the client protocol.
+
+

Constraints

  • Each domain name must have a certificate associated. A wildcard domain name can only use a wildcard domain certificate. If you only have single-domain certificates, add domain names one by one in WAF.
  • Only .pem certificates can be used in WAF. If the certificate is not in .pem, before uploading it, convert it to .pem by referring to Step 6.
+
+

Impact on the System

  • It is recommended that you update the certificate before it expires. Otherwise, all WAF protection rules will fail to take effect, and there can be massive impacts on the origin server, even more severe than a crashed host or website access failures.
  • Updating certificates does not affect services. The old certificate still works during the certificate replacement. The new certificate will take over the job once it has been uploaded and successfully associated with the domain name.
+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
  4. In the navigation pane, choose Website Settings.
  5. In the Domain Name column, click the domain name of the website to go to the basic information page.
  6. Click next to the certificate name. In the Update Certificate dialog box, import a new certificate or select an existing certificate.

    • If you select Import new certificate for Update Method, enter a certificate name, and copy and paste the certificate file and private key into the corresponding text boxes. Figure 1 shows an example.

      WAF encrypts and saves the private key to keep it safe.

      +
      +
      Figure 1 Update Certificate
      +
      Only .pem certificates can be used in WAF. If the certificate is not in .pem format, convert it into .pem locally by referring to Table 1 before uploading it. +
      + + + + + + + + + + + + + + + + +
      Table 1 Certificate conversion commands

      Format

      +

      Conversion Method

      +

      CER/CRT

      +

      Rename the cert.crt certificate file to cert.pem.

      +

      PFX

      +
      • Obtain a private key. For example, run the following command to convert cert.pfx into key.pem:

        openssl pkcs12 -in cert.pfx -nocerts -out key.pem -nodes

        +
      • Obtain a certificate. For example, run the following command to convert cert.pfx into cert.pem:

        openssl pkcs12 -in cert.pfx -nokeys -out cert.pem

        +
      +

      P7B

      +
      1. Convert a certificate. For example, run the following command to convert cert.p7b into cert.cer:

        openssl pkcs7 -print_certs -in cert.p7b -out cert.cer

        +
      2. Rename certificate file cert.cer to cert.pem.
      +

      DER

      +
      • Obtain a private key. For example, run the following command to convert privatekey.der into privatekey.pem:

        openssl rsa -inform DER -outform PEM -in privatekey.der -out privatekey.pem

        +
      • Obtain a certificate. For example, run the following command to convert cert.cer into cert.pem:

        openssl x509 -inform der -in cert.cer -out cert.pem

        +
      +
      +
      +
      • Before running an OpenSSL command, ensure that the OpenSSL tool has been installed on the local host.
      • If your local PC runs a Windows operating system, go to the command line interface (CLI) and then run the certificate conversion command.
      +
      +
      +
    • If you select Select existing certificate for Update Method, select an existing certificate from the Certificate Name drop-down list.
      Figure 2 Selecting an existing certificate
      +
    +

  7. Click Confirm.
+
+
+
+
+
Parent topic: Website Domain Name Management
+
+
+ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_0263.html b/docs/wafd/umn/waf_01_0263.html new file mode 100644 index 000000000..6069adf20 --- /dev/null +++ b/docs/wafd/umn/waf_01_0263.html @@ -0,0 +1,27 @@ + + +

Deleting a Certificate

+

This topic describes how to delete an expired or invalid certificate.

+

Prerequisites

The certificate you want to delete is not bound to a protected website.

+
+

Constraints

If a certificate to be deleted is bound to a website, unbind it from the website before deletion.

+
+

Impact on the System

  • Deleting certificates does not affect services.
  • Deleted certificates cannot be recovered. Exercise caution when performing this operation.
+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
  4. In the navigation pane, choose Objects > Certificates.

    Figure 1 Certificate list
    +

  5. In the row containing the certificate you want to delete, click Delete in the Operation column.
  6. In the displayed dialog box, click Confirm.
+
+
+
+
+
Parent topic: Certificate Management
+
+
+ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_0265.html b/docs/wafd/umn/waf_01_0265.html new file mode 100644 index 000000000..bf747c770 --- /dev/null +++ b/docs/wafd/umn/waf_01_0265.html @@ -0,0 +1,20 @@ + + +

Change History

+
+
+ + + + + + + +

Released On

+

Description

+

2022-10-30

+

This issue is the first official release.

+
+
+
+ diff --git a/docs/wafd/umn/waf_01_0270.html b/docs/wafd/umn/waf_01_0270.html new file mode 100644 index 000000000..d4be028a6 --- /dev/null +++ b/docs/wafd/umn/waf_01_0270.html @@ -0,0 +1,61 @@ + + +

Configuring a Traffic Identifier for a Known Attack Source

+

WAF allows you to configure traffic identifiers by IP address, session, or user tag to block possibly malicious requests from known attack sources based on IP address, Cookie, or Params.

+

Prerequisites

The website to be protected has been added to WAF.

+
+

Constraints

  • If the IP address tag is configured, ensure that the protected website has a layer-7 proxy configured in front of WAF and that Proxy Configured is set to Yes for the protected website.

    If the IP address tag is not configured, WAF identifies the client IP address by default.

    +
  • Before enabling Cookie- or Params-based known attack source rules, configure a session or user tag for the corresponding website domain name.
+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
  4. In the navigation pane, choose Website Settings.
  5. In the Domain Name column, click the domain name of the target website to go to the basic information page.
  6. In the Traffic Identifier area, click next to IP Tag, Session Tag, or User Tag to configure a traffic identifier by referring to Table 1. Figure 1 shows an example.

    Figure 1 Traffic Identifier
    +

    + +
    + + + + + + + + + + + + + + + + + +
    Table 1 Traffic identifier parameters

    Tag

    +

    Description

    +

    Example Value

    +

    IP Tag

    +

    HTTP request header field of the original client IP address.

    +

    Ensure that the protected website has a layer-7 proxy configured in front of WAF and that Proxy Configured under the website basic information settings is set to Yes for this parameter to take effect.

    +

    X-Forwarded-For

    +

    Session Tag

    +

    This tag is used to block possibly malicious requests based on the cookie attributes of an attack source. Configure this parameter to block requests based on cookie attributes.

    +

    jssessionid

    +

    User Tag

    +

    This tag is used to block possibly malicious requests based on the Params attribute of an attack source. Configure this parameter to block requests based on the Params attributes.

    +

    name

    +
    +
    +

  7. Click Confirm.
+
+
+
+
+
Parent topic: Website Domain Name Management
+
+
+ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_0271.html b/docs/wafd/umn/waf_01_0271.html new file mode 100644 index 000000000..6f095756f --- /dev/null +++ b/docs/wafd/umn/waf_01_0271.html @@ -0,0 +1,66 @@ + + +

Configuring a Known Attack Source Rule

+

If WAF blocks a malicious request by IP address, Cookie, or Params, you can configure a known attack source rule to let WAF automatically block all requests from the attack source for a blocking duration set in the known attack source rule. For example, if a blocked malicious request originates from an IP address and you set the blocking duration to 500 seconds, WAF will block the IP address for 500 seconds after the known attack source rule takes effect.

+

Prerequisites

A website has been added to WAF.

+
+

Constraints

  • For a known attack source rule to take effect, it must be enabled when you configure basic web protection, precise protection, blacklist, or whitelist protection rules.
  • It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the Events page.
  • Before adding a known attack source rule for malicious requests blocked by Cookie or Params, a traffic identifier must be configured for the corresponding domain name. For more details, see Configuring a Traffic Identifier for a Known Attack Source.
+
+

Specification Limitations

  • You can configure up to six blocking types. Each type can have one known attack source rule configured.
  • The maximum time an IP address can be blocked for is 30 minutes.
+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
  4. In the navigation pane, choose Website Settings.
  5. In the Policy column of the row containing the target website, click the number to go to the policy configuration page.
  6. In the Known Attack Source configuration area, change Status if needed and click Customize Rule to go to the Known Attack Source page. Figure 1 shows an example.

    Figure 1 Known Attack Source configuration
    +

  7. In the upper left corner of the known attack source rules, click Add Known Attack Source Rule.
  8. In the displayed dialog box, specify the parameters by referring to Table 1. Figure 2 shows an example.

    Figure 2 Add Known Attack Source Rule
    + +
    + + + + + + + + + + + + + + + + + +
    Table 1 Known attack source parameters

    Parameter

    +

    Description

    +

    Example Value

    +

    Blocking Type

    +

    Specifies the blocking type. The options are:

    +
    • Long-term IP address blocking
    • Short-term IP address blocking
    • Long-term Cookie blocking
    • Short-term Cookie blocking
    • Long-term Params blocking
    • Short-term Params blocking
    +

    Long-term IP address blocking

    +

    Blocking Duration (s)

    +

    The blocking duration must be an integer and range from:

    +
    • (300, 1800] for long-term blocking
    • (0, 300] for short-term blocking
    +

    500

    +

    Rule Description

    +

    A brief description of the rule. This parameter is optional.

    +

    None

    +
    +
    +

  9. Click Confirm. You can then view the added known attack source rule in the list.

    Figure 3 Known attack source rules
    +

+
+

Other Operations

  • To modify a rule, click Modify in row containing the rule.
  • To delete a rule, click Delete in the row containing the rule.
+
+
+
+
+
Parent topic: Rule Configuration
+
+
+ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_0272.html b/docs/wafd/umn/waf_01_0272.html new file mode 100644 index 000000000..0335affc7 --- /dev/null +++ b/docs/wafd/umn/waf_01_0272.html @@ -0,0 +1,118 @@ + + +

Specifications

+

WAF is deployed in dedicated mode. The following tables describe specifications and functions of the dedicated WAF instances.

+

Dedicated Mode

Table 1 describes dedicated WAF instances.

+ +
+ + + + + + + + + + + + + + + + +
Table 1 Dedicated mode description

Item

+

Description

+

Deployment mode

+

Dedicated WAF instances

+

Application scenarios

+

Service servers are deployed on the cloud.

+

Suitable for large enterprise websites that have a large service scale and have customized security requirements.

+

Protection objects

+

Domain names or IP addresses

+

Advantages

+
  • Enable cloud and on-premises deployment.
  • Enable exclusive use of WAF instance.
  • Meet requirements for protection against large-scale traffic attacks.
  • Deploy dedicated WAF instances in a VPC to reduce network latency.
+
+
+
+

Service Scale

For more details, see Table 2.

+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 2 Service specifications

Service metrics

+

Specifications

+

Peak rate of normal service requests

+
  • 2,000 QPS (WAF instance specifications: 100 Mbit/s)
  • 10,000 QPS (WAF instance specifications: 500 Mbit/s)
+

Service bandwidth threshold (Origin servers are deployed on the cloud.)

+
  • 100 Mbit/s (WAF instance specifications: 100 Mbit/s)
  • 500 Mbit/s (WAF instance specifications: 500 Mbit/s)
+

Number of domains

+

2,000 (Supports 2,000 top-level domain names)

+

Peak rate of CC attack protection

+

500,000 QPS

+

CC attack protection rules

+

100

+

Precise protection rules

+

100

+

IP address blacklist and whitelist rules

+

100

+

Geolocation access control rules

+

100

+

Web tamper protection rules

+

100

+

Information leakage prevention rules

+

100

+

Global Protection Whitelist (Formerly False Alarm Masking)

+

1,000

+

Data masking rules

+

100

+
+
+
  • The number of domains is the total number of top-level domain names (for example, example.com), single domain names/subdomain names (for example, www.example.com), and wildcard domain names (for example, *.example.com).
  • If a domain name maps to different ports, each port is considered to represent a different domain name. For example, www.example.com:8080 and www.example.com:8081 are counted towards your quota as two distinct domain names.
+
+
+
+
+
+
Parent topic: Service Overview
+
+
+ diff --git a/docs/wafd/umn/waf_01_0280.html b/docs/wafd/umn/waf_01_0280.html new file mode 100644 index 000000000..e29d2dba3 --- /dev/null +++ b/docs/wafd/umn/waf_01_0280.html @@ -0,0 +1,12 @@ + + +

Can WAF Block Spam and Malicious User Registrations?

+

WAF cannot block business-related attacks, such as spam and malicious user registrations. To prevent these attacks, configure the registration verification mechanism on your website.

+

WAF is designed to keep web applications stable and secure. It examines all HTTP and HTTPS requests to detect for and block suspicious network attacks, such as Structure Query Language (SQL) injections, cross-site scripting (XSS) attacks, web shell upload, command or code injections, file inclusion, unauthorized sensitive file access, third-party vulnerability exploits, Challenge Collapsar (CC) attacks, malicious crawlers, and cross-site request forgery (CSRF).

+
+
+
+
Parent topic: WAF Functions
+
+
+ diff --git a/docs/wafd/umn/waf_01_0282.html b/docs/wafd/umn/waf_01_0282.html new file mode 100644 index 000000000..1c5934fa2 --- /dev/null +++ b/docs/wafd/umn/waf_01_0282.html @@ -0,0 +1,53 @@ + + +

Viewing Certificate Information

+

This topic describes how to view certificate details, including the certificate name, domain name a certificate is used for, and expiration time.

+

Prerequisites

You have created or pushed a certificate to WAF.

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
  4. In the navigation pane, choose Objects > Certificates.

    Figure 1 Certificate list
    +

  5. View the certificate information. Table 1 describes the parameters.

    +

    + + + + + + + + + + + + + +
    Table 1 Parameter description

    Parameter

    +

    Parameter description

    +

    Name

    +

    Certificate name.

    +

    Expired

    +

    Certificate expiration time.

    +

    It is recommended that you update the certificate before it expires. Otherwise, all WAF protection rules will be unable to take effect, and there can be massive impacts on the origin server, even more severe than a crashed host or website access failures. For more details, see Updating a Certificate.

    +

    Domain Name

    +

    The domain names protected by the certificate. Each domain name must be bound to a certificate. One certificate can be used for multiple domain names.

    +
    +
    +

+
+

Other Operations

  • To change the certificate name, move the cursor over the name of the certificate, click , and enter a certificate name.

    If the certificate is in use, unbind the certificate from the domain name first. Otherwise, the certificate name cannot be changed.

    +
    +
  • To view details about a certificate, click View in the Operation column of the certificate.
  • In the row containing the certificate you want, click Use in the Operation column to use the certificate to the corresponding domain name.
  • To delete a certificate, locate the row of the certificate and click Delete in the Operation column.
+
+
+
+
+
Parent topic: Certificate Management
+
+
+ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_0292.html b/docs/wafd/umn/waf_01_0292.html new file mode 100644 index 000000000..534c8c342 --- /dev/null +++ b/docs/wafd/umn/waf_01_0292.html @@ -0,0 +1,47 @@ + + + +

WAF Functions

+ +

+
+ +
+ + +
+
Parent topic: About WAF
+
+
+ diff --git a/docs/wafd/umn/waf_01_0293.html b/docs/wafd/umn/waf_01_0293.html new file mode 100644 index 000000000..9707e2fcc --- /dev/null +++ b/docs/wafd/umn/waf_01_0293.html @@ -0,0 +1,31 @@ + + + +

WAF Usage

+ +

+
+ +
+ + +
+
Parent topic: About WAF
+
+
+ diff --git a/docs/wafd/umn/waf_01_0299.html b/docs/wafd/umn/waf_01_0299.html new file mode 100644 index 000000000..36f0ff5e1 --- /dev/null +++ b/docs/wafd/umn/waf_01_0299.html @@ -0,0 +1,29 @@ + + + +

Domain Name and Port Configuration

+ +

+
+ +
+ + +
+
Parent topic: Website Domain Name Access Configuration
+
+
+ diff --git a/docs/wafd/umn/waf_01_0301.html b/docs/wafd/umn/waf_01_0301.html new file mode 100644 index 000000000..06022cf31 --- /dev/null +++ b/docs/wafd/umn/waf_01_0301.html @@ -0,0 +1,21 @@ + + + +

Certificate Management

+ +

+
+ +
+ + +
+
Parent topic: Website Domain Name Access Configuration
+
+
+ diff --git a/docs/wafd/umn/waf_01_0304.html b/docs/wafd/umn/waf_01_0304.html new file mode 100644 index 000000000..d09e2919a --- /dev/null +++ b/docs/wafd/umn/waf_01_0304.html @@ -0,0 +1,17 @@ + + +

Basic Web Protection

+
+
+ + +
+
Parent topic: Protection Rule Configuration
+
+
+ diff --git a/docs/wafd/umn/waf_01_0305.html b/docs/wafd/umn/waf_01_0305.html new file mode 100644 index 000000000..ba95a26a6 --- /dev/null +++ b/docs/wafd/umn/waf_01_0305.html @@ -0,0 +1,17 @@ + + +

CC Attack Protection Rules

+
+
+ + +
+
Parent topic: Protection Rule Configuration
+
+
+ diff --git a/docs/wafd/umn/waf_01_0308.html b/docs/wafd/umn/waf_01_0308.html new file mode 100644 index 000000000..0a16d83ba --- /dev/null +++ b/docs/wafd/umn/waf_01_0308.html @@ -0,0 +1,19 @@ + + + +

Anti-Crawler Protection

+ +

+
+ +
+ + +
+
Parent topic: Protection Rule Configuration
+
+
+ diff --git a/docs/wafd/umn/waf_01_0309.html b/docs/wafd/umn/waf_01_0309.html new file mode 100644 index 000000000..b33836b96 --- /dev/null +++ b/docs/wafd/umn/waf_01_0309.html @@ -0,0 +1,23 @@ + + + +

Others

+ +

+
+ +
+ + +
+
Parent topic: Protection Rule Configuration
+
+
+ diff --git a/docs/wafd/umn/waf_01_0313.html b/docs/wafd/umn/waf_01_0313.html new file mode 100644 index 000000000..baf8f56e4 --- /dev/null +++ b/docs/wafd/umn/waf_01_0313.html @@ -0,0 +1,48 @@ + + +

How Do I Convert a Certificate into PEM Format?

+
Only .pem certificates can be used in WAF. If the certificate is not in .pem format, convert it into .pem locally by referring to Table 1 before uploading it. +
+ + + + + + + + + + + + + + + + +
Table 1 Certificate conversion commands

Format

+

Conversion Method

+

CER/CRT

+

Rename the cert.crt certificate file to cert.pem.

+

PFX

+
  • Obtain a private key. For example, run the following command to convert cert.pfx into key.pem:

    openssl pkcs12 -in cert.pfx -nocerts -out key.pem -nodes

    +
  • Obtain a certificate. For example, run the following command to convert cert.pfx into cert.pem:

    openssl pkcs12 -in cert.pfx -nokeys -out cert.pem

    +
+

P7B

+
  1. Convert a certificate. For example, run the following command to convert cert.p7b into cert.cer:

    openssl pkcs7 -print_certs -in cert.p7b -out cert.cer

    +
  2. Rename certificate file cert.cer to cert.pem.
+

DER

+
  • Obtain a private key. For example, run the following command to convert privatekey.der into privatekey.pem:

    openssl rsa -inform DER -outform PEM -in privatekey.der -out privatekey.pem

    +
  • Obtain a certificate. For example, run the following command to convert cert.cer into cert.pem:

    openssl x509 -inform der -in cert.cer -out cert.pem

    +
+
+
+
  • Before running an OpenSSL command, ensure that the OpenSSL tool has been installed on the local host.
  • If your local PC runs a Windows operating system, go to the command line interface (CLI) and then run the certificate conversion command.
+
+
+
+
+
+
Parent topic: Certificate Management
+
+
+ diff --git a/docs/wafd/umn/waf_01_0319.html b/docs/wafd/umn/waf_01_0319.html new file mode 100644 index 000000000..b91b68c6b --- /dev/null +++ b/docs/wafd/umn/waf_01_0319.html @@ -0,0 +1,20 @@ + + +

Viewing Product Details

+

On the Product Details page, you can view information about all your WAF instances, including the edition, domain quotas, and specifications.

+

Prerequisites

You have purchased a WAF instance.

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
  4. In the navigation pane on the left, choose Instance Management > Product Details.
  5. On the Product Details page, view the WAF edition, specifications, and expiration time.

    • Click Details to view the detailed specifications of the current WAF edition.
    • When you move the cursor to the WAF edition shown in the upper right corner of the page, the specifications are displayed.
    +
    Figure 1 Product information
    +

+
+
+
+ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_0329.html b/docs/wafd/umn/waf_01_0329.html new file mode 100644 index 000000000..28239b502 --- /dev/null +++ b/docs/wafd/umn/waf_01_0329.html @@ -0,0 +1,13 @@ + + +

Can WAF Protect Websites Accessed Through HSTS or NTLM Authentication?

+

Yes. WAF can protect HTTP and HTTPS applications.

+ +
+
+
+
Parent topic: WAF Functions
+
+
+ diff --git a/docs/wafd/umn/waf_01_0345.html b/docs/wafd/umn/waf_01_0345.html new file mode 100644 index 000000000..311bc0125 --- /dev/null +++ b/docs/wafd/umn/waf_01_0345.html @@ -0,0 +1,11 @@ + + +

Does WAF Cache Website Data?

+

WAF protects user data on the application layer. It supports cache configuration on static web pages. When a user accesses a web page, the system returns a cached page to the user and randomly checks whether the page has been tampered with.

+
+
+
+
Parent topic: WAF Functions
+
+
+ diff --git a/docs/wafd/umn/waf_01_0361.html b/docs/wafd/umn/waf_01_0361.html new file mode 100644 index 000000000..4db9c8da5 --- /dev/null +++ b/docs/wafd/umn/waf_01_0361.html @@ -0,0 +1,14 @@ + + +

How Does WAF Forward Access Requests When Both a Wildcard Domain Name and a Single Domain Name Are Connected to WAF?

+

WAF preferentially forwards access requests to the single domain name. If the single domain name cannot be identified, access requests will be forwarded to the wildcard domain name.

+

For example, if you connect single domain name a.example.com and wildcard domain name *.example.com to WAF, WAF preferentially forwards access requests to single domain name a.example.com.

+

If you are configuring a wildcard domain name, pay attention to the following:

+ +
+
+
+
Parent topic: WAF Usage
+
+
+ diff --git a/docs/wafd/umn/waf_01_0366.html b/docs/wafd/umn/waf_01_0366.html new file mode 100644 index 000000000..25fd14dd3 --- /dev/null +++ b/docs/wafd/umn/waf_01_0366.html @@ -0,0 +1,11 @@ + + +

Does WAF Affect Data Transmission from the Internal Network to an External Network?

+

No. After a website is connected to WAF, all website access requests are forwarded to WAF first. WAF detects and filters out malicious attack traffic, and returns normal traffic to the origin server to keep your origin server is secure, stable, and available.

+
+
+
+
Parent topic: WAF Usage
+
+
+ diff --git a/docs/wafd/umn/waf_01_0367.html b/docs/wafd/umn/waf_01_0367.html new file mode 100644 index 000000000..e49066cd3 --- /dev/null +++ b/docs/wafd/umn/waf_01_0367.html @@ -0,0 +1,33 @@ + + +

Binding a Certificate to a Protected Website

+

If you configure Client Protocol to HTTPS for your website, the website needs an SSL certificate. This topic describes how to bind an SSL certificate that you have uploaded to WAF to a website.

+

Prerequisites

  • Your certificate is still valid.
  • Your website uses HTTPS as the client protocol.
+
+

Constraints

  • An SSL certificate can be used for multiple protected websites.
  • A protected website can use only one SSL certificate.
+
+

Application Scenario

If you configure Client Protocol to HTTPS, a certificate is required.

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
  4. In the navigation pane, choose Objects > Certificates.

    Figure 1 Certificate list
    +

  5. In the row containing the certificate you want to use, click Use in the Operation column.
  6. In the displayed Domain Name dialog box, select the website you want to use the certificate to.
  7. Click Confirm.
+
+

Verification

The protected website is listed in the Domain Name column of the certificate.

+
+

Other Operations

  • To change the certificate name, move the cursor over the name of the certificate, click , and enter a certificate name.

    If the certificate is in use, unbind the certificate from the domain name first. Otherwise, the certificate name cannot be changed.

    +
    +
  • To view details about a certificate, click View in the Operation column of the certificate.
  • To delete a certificate, locate the row of the certificate and click Delete in the Operation column.
+
+
+
+
+
Parent topic: Certificate Management
+
+
+ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_0457.html b/docs/wafd/umn/waf_01_0457.html new file mode 100644 index 000000000..5ee561be2 --- /dev/null +++ b/docs/wafd/umn/waf_01_0457.html @@ -0,0 +1,20 @@ + + +

How Does WAF Detect SQL Injection and XSS Attacks?

+

A Structured Query Language (SQL) injection is a common web attack. The attacker injects malicious SQL commands into database query strings to deceive the server into executing commands. By exploiting these commands, the attacker can obtain sensitive information, add users, export files, or even gain the highest permissions to the database or system.

+

XSS attacks exploit vulnerabilities left during web page development to inject malicious instruction code into web pages so that attackers can trick visitors into loading and executing malicious web page programs attackers fabricated. These malicious web page programs are usually JavaScript, but they can also include Java, VBScript, ActiveX, Flash, or even common HTML. After an attack succeeds, the attacker may obtain various content, including but not limited to higher permissions (for example, permissions for certain operations), private content, sessions, and cookies.

+

How Does WAF Detect SQL Injection Attacks?

WAF detects and matches SQL keywords, special characters, operators, and comment symbols.

+
  • SQL keywords: union, Select, from, as, asc, desc, order by, sort, and, or, load, delete, update, execute, count, top, between, declare, distinct, distinctrow, sleep, waitfor, delay, having, sysdate, when, dba_user, case, delay, and the like
  • Special characters: ',; ()
  • Mathematical operators: ±, *, /, %, and |
  • Operators: =, >, <, >=, <=, !=, +=, and -=
  • Comment symbols: or /**/
+
+

How Does WAF Detect XSS Attacks?

WAF checks HTML script tags, event processors, script protocols, and styles to prevent malicious users from injecting malicious XSS statements through client requests.

+
  • XSS keywords (such as javascript, script, object, style, iframe, body, input, form, onerror, and alert)
  • Special characters (<, >, ', and ")
  • External links (href="http://xxx/",src="http://xxx/attack.js")
+

Rich text can be uploaded using multipart upload instead of body. In multipart upload, rich text is stored in forms and can be decoded even if it is encoded using Base64. Analyze your services and do not use quotation marks and angle brackets as far as possible.

+
+
+
+
+
+
Parent topic: WAF Functions
+
+
+ diff --git a/docs/wafd/umn/waf_01_1072.html b/docs/wafd/umn/waf_01_1072.html new file mode 100644 index 000000000..5d73858d2 --- /dev/null +++ b/docs/wafd/umn/waf_01_1072.html @@ -0,0 +1,107 @@ + + +

Applying for a Dedicated WAF Instance

+

If your service servers are deployed on the cloud, you can buy dedicated WAF instances (or dedicated WAF engines) to protect important websites through domain names or to protect web applications with only IP addresses.

+

Prerequisites

  • You have obtained management console login credentials for an account with the WAF Administrator and WAF FullAccess permissions.
  • A VPC is available.
  • Resource sets have been created.
+
+

Before You Start

After your application for a dedicated WAF instance succeeds, its specifications cannot be modified.

It takes about 10 minutes to create a dedicated WAF instance. If the instance is in the Running status, the instance has been created successfully.

+
+
+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
  4. In the upper right corner of the page, click Apply for Dedicated Engine.
  5. (Optional): Select an enterprise project from the Enterprise Project drop-down list.

    This option is only available if you are logged in using an enterprise account, or if you have enabled enterprise projects. You can use enterprise projects to more efficiently manage cloud resources and project members.

    +

    default: indicates the default enterprise project. Resources that are not allocated to any enterprise projects under your account are listed in the default enterprise project.

    +
    +

  6. Configure instance parameters by referring to Table 1. Figure 1 shows an example.

    Figure 1 Configuring a dedicated WAF instance
    + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Table 1 Parameters of a dedicated WAF instance

    Parameter

    +

    Description

    +

    WAF Mode

    +

    Dedicated Mode

    +

    Region

    +

    Generally, a WAF instance you apply for in any region can protect web services in all regions. To make a WAF instance forward your website traffic faster, select the region nearest to your services.

    +

    AZ

    +

    Select an AZ in the selected region.

    +

    Instance Name Prefix

    +

    Set a prefix of the dedicated WAF instance name. If you apply for multiple instances at a time, the prefix to each instance name is the same.

    +

    Quantity

    +

    Set the number of WAF instances you want to apply for.

    +

    Specifications

    +

    Select specifications for your instance. WAF offers two types of specifications, 500 Mbit/s and 100 Mbit/s.

    +

    WAF Instance Type

    +

    Your WAF instance will be connected to your network through a VPC network interface. (If ELB is used, only dedicated load balancers can be used.)

    +

    CPU Architecture

    +

    Select CPU architecture for your instance.

    +

    ECS Specifications

    +

    Select ECS specifications for your instance.

    +

    VPC

    +

    Select the VPC to which the origin server belongs.

    +

    Subnet

    +

    Select a subnet configured in the VPC.

    +

    Security Group

    +

    Select a security group in the region or click Manage Security Group to go to the VPC console and create a security group. After you select a security group, the WAF instance will be protected by the access rules of the security group.

    +
    NOTICE:
    • You can configure your security group as follows:
      • Inbound rules

        Add an inbound rule to allow incoming network traffic to pass through over a specified port based on your service requirements. For example, if you want to allow access from port 80, you can add a rule that allows TCP and port 80.

        +
      • Outbound rules

        The value is Default. All outgoing network traffic is allowed by default.

        +
      +
    • If your dedicated WAF instance and origin server are not in the same VPC, enable communications between the instance and the subnet of the origin server in the security group.
    +
    +

    Tag

    +

    It is recommended that you use TMS's predefined tag function to add the same tag to different cloud resources.

    +
    +
    +

  7. In the lower right corner of the page, click Create Now.
  8. Confirm the configuration and click Create Now.
  1. Click Back to Dedicated Engine List. On the Dedicated Engine page, view the instance status.

    It takes about 10 minutes to create a dedicated WAF instance. If the instance is in the Running status, the instance has been created.

    +

+
+
+
+ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_1082.html b/docs/wafd/umn/waf_01_1082.html new file mode 100644 index 000000000..5c85325fc --- /dev/null +++ b/docs/wafd/umn/waf_01_1082.html @@ -0,0 +1,38 @@ + + +

Why Does My Certificate Not Match the Key?

+

After an HTTPS certificate is uploaded to the AAD or WAF console, a message is displayed indicating that the certificate and key do not match.

+

+

Solution

+
+ + + + + + + + + + +

Possible Cause

+

How to Fix

+

The uploaded certificate does not match the uploaded private key.

+
  1. Run the following commands to check the MD5 hash values of the certificate and private key file:
    openssl x509 -noout -modulus -in <certificate file>|openssl md5
+openssl rsa -noout -modulus -in <private key file>|openssl md5
    +
  2. Check whether the MD5 values of the certificate and private key file are the same. If they are different, the certificate file and private key file are associated with different domain names, and the content of the certificate does not match that of the private key file.
  3. If the certificate does not match the private key file, upload the correct certificate and private key file.
+

Incorrect RSA private key format

+
  1. Run the following command to generate a new private key:
    openssl rsa -in <private key file> -out <New private key file>
    +
  2. Upload the private key again.
+
+
+
+

Other Operations

+
+
+
+
+
Parent topic: Service Interruption Check
+
+
+ diff --git a/docs/wafd/umn/waf_01_1171.html b/docs/wafd/umn/waf_01_1171.html new file mode 100644 index 000000000..5512b1b0e --- /dev/null +++ b/docs/wafd/umn/waf_01_1171.html @@ -0,0 +1,25 @@ + + +

Configuring Connection Timeout

+

If you want to set a timeout duration for each request between your WAF instance and origin server, enable Timeout Settings and specify WAF-to-Server connection timeout (s), Read timeout (s), and Write timeout (s). This function cannot be disabled once it is enabled.

+
  • The default timeout duration for connections between a browser and WAF is 120 seconds, which cannot be manually set.
  • The default timeout duration for the connection between WAF and an origin server is 60 seconds. This topic walks you through how to customize the timeout duration.
+
+

Prerequisites

The website you want to protect has been added to WAF.

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
  4. In the navigation pane, choose Website Settings.
  5. In the Domain Name column, click the domain name of the website to go to the basic information page.

    Figure 1 Basic Information area
    +

  6. In the Timeout Settings row, click the Status toggle and enable it if needed.
  7. Click , specify WAF-to-Server connection timeout (s), Read timeout (s), and Write timeout (s), and click to save settings.
+
+
+
+
+
Parent topic: Website Domain Name Management
+
+
+ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_1172.html b/docs/wafd/umn/waf_01_1172.html new file mode 100644 index 000000000..cfb910f1e --- /dev/null +++ b/docs/wafd/umn/waf_01_1172.html @@ -0,0 +1,88 @@ + + +

Configuring Connection Protection

+

If a large number of 502 Bad Gateway and 504 Gateway Timeout errors are detected, you can enable WAF breakdown protection and connection protection to let WAF suspend your website and protect your origin servers from being crashed. When the 502/504 error requests and pending URL requests reach the thresholds you configure, WAF enables corresponding protection for your website.

+

Prerequisites

  • The website you want to protect has been added to WAF.
  • You have upgraded the dedicated WAF instance to the latest version. For details, see Upgrading a Dedicated WAF Instance.
+
+

Constraints

+
+

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
  4. In the navigation pane, choose Website Settings.
  5. In the Domain Name column, click the domain name of the website to go to the basic information page.

    Figure 1 Basic Information area
    +

  6. In the Connection Protection area, click the status toggle to enable it.
  7. Click next to each parameter, edit Breakdown Protection and Connection Protection parameters to meet your requirements, and click to save settings. Table 1 describes these parameters.

    +

    + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Table 1 Connection Protection parameters

    Parameter

    +

    Description

    +

    Example Value

    +

    Breakdown Protection

    +

    502/504 Error Threshold

    +

    30s 502/504 Error Threshold

    +

    1000

    +

    502/504 Error Percentage (%)

    +

    A breakdown is triggered when the 502/504 error threshold and percentage threshold have been reached.

    +

    90

    +

    Initial Downtime (s)

    +

    Protection period upon the first breakdown. During this period, WAF stops forwarding client requests.

    +

    180

    +

    Multiplier for Consecutive Breakdowns

    +

    The maximum multiplier you can use for consecutive breakdowns. The number of breakdowns are counted from 0 every time the accumulated breakdown protection duration reaches 3,600s.

    +
    For example, assume that Initial Downtime (s) is set to 180s and Multiplier for Consecutive Breakdowns is set to 3.
    • If the breakdown is triggered for the second time, that is, less than 3, the protection duration is 360s (180s x 2).
    • If the breakdown is triggered for the third or fourth time, that is, equal to or greater than 3, the protection duration is 540s (180s x 3).
    • When the accumulated downtime duration exceeds 1 hour (3,600s), the number of breakdowns are counted from 0.
    +
    +

    3

    +

    Connection Protection

    +

    Pending URL Request Threshold

    +

    Connection Protection is triggered when the number of read URL requests reaches the threshold you configure.

    +

    6,000

    +

    Duration (s)

    +

    Protection duration. During this period, WAF stops forwarding client requests.

    +

    60

    +
    +
    +

    The following uses Connection Protection settings in Figure 1 as an example to describe how the protection works.

    +
    • Breakdown Protection: When the number of 502/504 errors returned by the protected website exceeds 1,000 and accounts for 90% or more of the total access requests of the website for the first time, the first breakdown protection is triggered. During the first breakdown protection, WAF stops forwarding client requests for 180s (that is, blocks visitors access to the website for 180s). If a second consecutive breakdown protection is triggered, WAF stops forwarding client requests for 360s (180 x 2). If a third or more consecutive breakdowns are triggered, WAF stops forwarding client requests for 540s (180s x 3). The breakdowns are counted from 0 when the total downtime duration exceeds one hour (3,600s).
    • Connection Protection: When the number of read URL requests in the waiting queue exceeds 6,000, WAF stops forwarding client requests for 60 seconds and returns the maintenance page of the website to visitors.
    +
    +

+
+
+
+
+
Parent topic: Website Domain Name Management
+
+
+ + + \ No newline at end of file diff --git a/docs/wafd/umn/waf_01_1372.html b/docs/wafd/umn/waf_01_1372.html new file mode 100644 index 000000000..333cadc97 --- /dev/null +++ b/docs/wafd/umn/waf_01_1372.html @@ -0,0 +1,324 @@ + + +

Monitored Metrics

+

Introduction

This topic describes metrics reported by dedicated WAF to Cloud Eye as well as their namespaces and dimensions. You can use APIs provided by Cloud Eye to query the metrics of the monitored object and alarms generated for dedicated WAF. You can also query them on the Cloud Eye console.

+
+

namespaces

SYS.WAF

+

A namespace is an abstract collection of resources and objects. Multiple namespaces can be created in a single cluster with the data isolated from each other. This enables namespaces to share the same cluster services without affecting each other.

+
+
+

Metrics for Dedicated WAF Instances

+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Table 1 Metrics for dedicated waf instances

Metric ID

+

Metric Name

+

Description

+

Value Range

+

Monitored Object

+

Monitoring Interval (Raw Data)

+

cpu_util

+

CPU Usage

+

CPU usage of the monitored object

+

Unit: percentage (%)

+

Collection method: 100% minus idle CPU usage percentage

+

0% to 100%

+

Value type: Float

+

Dedicated WAF instances

+

1 minute

+

mem_util

+

Memory Usage

+

Memory usage of the monitored object

+

Unit: percentage (%)

+

Collection method: 100% minus idle memory percentage

+

0% to 100%

+

Value type: Float

+

Dedicated WAF instances

+

1 minute

+

disk_util

+

Disk Usage

+

Disk usage of the monitored object

+

Unit: percentage (%)

+

Collection method: 100% minus idle disk space percentage

+

0% to 100%

+

Value type: Float

+

Dedicated WAF instances

+

1 minute

+

disk_avail_size

+

Available Disk Space

+

Available disk space of the monitored object

+

Unit: byte, KB, MB, GB, TB or PB

+

Collection mode: size of free disk space

+

≥ 0 bytes

+

Value type: Float

+

Dedicated WAF instances

+

1 minute

+

disk_read_bytes_rate

+

Disk Read Rate

+

Number of bytes the monitored object reads from the disk per second

+

Unit: byte/s, KB/s, MB/s, or GB/s

+

Collection mode: number of bytes read from the disk per second

+

≥0 byte/s

+

Value type: Float

+

Dedicated WAF instances

+

1 minute

+

disk_write_bytes_rate

+

Disk Write Rate

+

Number of bytes the monitored object writes into the disk per second

+

Unit: byte/s, KB/s, MB/s, or GB/s

+

Collection mode: number of bytes written into the disk per second

+

≥0 byte/s

+

Value type: Float

+

Dedicated WAF instances

+

1 minute

+

disk_read_requests_rate

+

Disk Read Requests

+

Number of requests the monitored object reads from the disk per second

+

Unit: Requests/s

+

Collection mode: number of read requests processed by the disk per second

+

≥0 request/s

+

Value type: Float

+

Dedicated WAF instances

+

1 minute

+

disk_write_requests_rate

+

Disk Write Requests

+

Number of requests the monitored object writes into the disk per second

+

Unit: Requests/s

+

Collection method: Number of write requests processed by the disk per second

+

≥0 request/s

+

Value type: Float

+

Dedicated WAF instances

+

1 minute

+

network_incoming_bytes_rate

+

Incoming Traffic

+

Incoming traffic per second on the monitored object

+

Unit:

+

byte/s, KB/s, MB/s, or GB/s

+

Collection method: Incoming traffic over the NIC per second

+

≥0 byte/s

+

Value type: Float

+

Dedicated WAF instances

+

1 minute

+

network_outgoing_bytes_rate

+

Outgoing Traffic

+

Outgoing traffic per second on the monitored object

+

Unit:

+

byte/s, KB/s, MB/s, or GB/s

+

Collection method: Outgoing traffic over the NIC per second

+

≥0 byte/s

+

Value type: Float

+

Dedicated WAF instances

+

1 minute

+

network_incoming_packets_rate

+

Incoming Packet Rate

+

Incoming packets per second on the monitored object

+

Unit:

+

packet/s

+

Collection method: Incoming packets over the NIC per second

+

≥0 packet/s

+

Value type: Int

+

Dedicated WAF instances

+

1 minute

+

network_outgoing_packets_rate

+

Outgoing Packet Rate

+

Outgoing packets per second on the monitored object

+

Unit:

+

packet/s

+

Collection method: Outgoing packets over the NIC per second

+

≥0 packet/s

+

Value type: Int

+

Dedicated WAF instances

+

1 minute

+

concurrent_connections

+

Concurrent Connections

+

Number of concurrent connections being processed

+

Unit: count

+

Collection method: Number of concurrent connections in the system

+

≥0 count

+

Value type: Int

+

Dedicated WAF instances

+

1 minute

+

active_connections

+

Active Connections

+

Number of active connections

+

Unit: count

+

Collection method: Number of active connections in the system

+

≥0 count

+

Value type: Int

+

Dedicated WAF instances

+

1 minute

+

latest_policy_sync_time

+

Latest Rule Synchronization

+

Time elapsed for the WAF to synchronize the latest custom rules

+

Unit: ms

+

Collection method: Time elapsed for synchronizing to the last policies

+

≥0 ms

+

Value type: Int

+

Dedicated WAF instances

+

1 minute

+
+
+
+

Dimensions

+
+ + + + + + + + + + +

Key

+

Value

+

instance_id

+

ID of the dedicated WAF instance

+

waf_instance_id

+

ID of the website protected with WAF

+
+
+
+

Example of Raw Data Format of Monitored Metrics

[
+    {
+        "metric": {
+             // Namespace
+            "namespace": "SYS.WAF",
+            "dimensions": [
+                {
+                    // Dimension name, for example, protected website
+                    "name": "waf_instance_id",
+                    // ID of the monitored object in this dimension, for example, ID of the protected website
+                    "value": "082db2f542e0438aa520035b3e99cd99"
+                }
+            ],
+           //Metric ID
+            "metric_name": "waf_http_2xx"
+        },
+        // Time to live, which is predefined for the metric
+        "ttl": 172800,
+         // Metric value
+        "value": 0.0,
+       // Metric unit
+        "unit": "Count",
+         // Metric value type
+        "type": "float",
+        // Collection time for the metric
+        "collect_time": 1637677359778
+    }
+]
+
+
+