yexinru/doc-exports
1
0
Fork 0
forked from docs/doc-exports
Code Pull Requests Activity

WAF user guide 20251023 version

Browse Source 
Reviewed-by: Rogal, Marcel <mrogal@noreply.gitea.eco.tsi-dev.otc-service.com>
Co-authored-by: qinweiwei <qinweiwei@huawei.com>
Co-committed-by: qinweiwei <qinweiwei@huawei.com>
This commit is contained in:
Qin, Weiwei
2026-03-26 07:04:29 +00:00
committed by zuul
parent 5bfde208c6
commit e93b6e9947
12 changed files with 17 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
docs/wafd/umn/waf_01_0024.html
View File

@ -4,7 +4,7 @@
<div id="body1513909553045"><p id="waf_01_0024__p2413133973517">If you are sure that a protection event is a false alarm (no malicious link or character was detected), you can handle it as a false alarm, add the client IP address to an address group that is allowed by the policy, add the client IP address to a blacklist/whitelist rule, or disable or delete the hit protection rule. Events that have been handled as false alarms will not be displayed in the event list.</p>
<div class="section" id="waf_01_0024__section143147568713"><h4 class="sectiontitle">Scenarios</h4><p id="waf_01_0024__p2853171174710">If legitimate service requests are blocked by WAF, the website may be inaccessible to some visitors. For example, after you connect a web service deployed on ECSs to WAF over its public domain name and enable basic web protection for it, if its normal traffic hits a protection rule, the access requests will be blocked. The web service becomes inaccessible over the domain name or returns errors to visitors, but it is still accessible over server IP addresses. It is more likely that the requests were blocked mistakenly, and the event is a false alarm. In this case, you need to handle the event as a false alarm.</p>
<p id="waf_01_0024__p84857731520">You can handle false alarms in the following ways based on how they were generated:</p>
<ul id="waf_01_0024__ul191503312150"><li id="waf_01_0024__li854749151916">For a protection event triggered by a WAF built-in rule, you can ignore the corresponding WAF protection in the global protection whitelist rule. For details, see <a href="#waf_01_0024__section1078165815512">Handling False Alarms Triggered by Protection Rules</a>.<p id="waf_01_0024__p15522146209">WAF built-in rules include basic web protection rules, and feature-based anti-crawler rules.</p>
<ul id="waf_01_0024__ul191503312150"><li id="waf_01_0024__li854749151916">For a protection event triggered by a WAF built-in rule, you can ignore the corresponding WAF protection in the global protection whitelist rule. For details, see <a href="#waf_01_0024__section1078165815512">Handling False Alarms Triggered by Protection Rules</a>.<p id="waf_01_0024__p15522146209">WAF built-in rules include basic web protection rules and feature-based anti-crawler rules.</p>
</li><li id="waf_01_0024__li6150173141515">For a protection event triggered by a custom rule, you can disable or delete the corresponding protection rule. For details, see <a href="#waf_01_0024__section1078165815512">Handling False Alarms Triggered by Protection Rules</a>.<p id="waf_01_0024__p737285114236">WAF custom rules include <strong id="waf_01_0024__b152946158251044">CC attack protection rules</strong>, <strong id="waf_01_0024__b55477633951044">precise protection rules</strong>, <strong id="waf_01_0024__b37379922651044">blacklist and whitelist rules</strong>, and <strong id="waf_01_0024__b51340893151044">geolocation access control rules</strong> you create.</p>
</li><li id="waf_01_0024__li1960011052514">For a client IP address mistakenly blocked, you can add it to an address group or add it to a blacklist/whitelist rule to allow it. For details, see <a href="#waf_01_0024__section12680141116438">Handling False Positives Based on Client IP Addresses</a>.</li></ul>
</div>
@ -13,9 +13,9 @@
<div class="section" id="waf_01_0024__section16466131062"><h4 class="sectiontitle">Constraints</h4><ul id="waf_01_0024__ul4606132594520"><li id="waf_01_0024__li86062025204511">A protection event can only be handled as a false alarm once.</li><li id="waf_01_0024__li203391821153311">Dedicated WAF instances earlier than June 2022 do not support <strong id="waf_01_0024__b1994114522322">All protection</strong> for <strong id="waf_01_0024__b794165217322">Ignore WAF Protection</strong>. Only <strong id="waf_01_0024__b6941125213220">Basic web protection</strong> can be selected.</li></ul>
</div>
<div class="section" id="waf_01_0024__section1078165815512"><a name="waf_01_0024__section1078165815512"></a><a name="section1078165815512"></a><h4 class="sectiontitle">Handling False Alarms Triggered by Protection Rules</h4><p id="waf_01_0024__p1771195691011">If you are sure that an event is a false alarm generated based on a WAF built-in rule or custom protection rule, you can handle the event as a false alarm.</p>
<ul id="waf_01_0024__ul21071812141111"><li id="waf_01_0024__li191071412141115">WAF built-in rules include <strong id="waf_01_0024__b634494265594">basic web protection</strong> <strong id="waf_01_0024__b1629721787594">rules</strong>, and <strong id="waf_01_0024__b409274125594">feature-based anti-crawler</strong> <strong id="waf_01_0024__b1699937483594">rules</strong>.</li><li id="waf_01_0024__li810714127111">WAF custom rules include <strong id="waf_01_0024__b73841157351044">CC attack protection rules</strong>, <strong id="waf_01_0024__b184026544651044">precise protection rules</strong>, <strong id="waf_01_0024__b2895928851044">blacklist and whitelist rules</strong>, and <strong id="waf_01_0024__b27282211951044">geolocation access control rules</strong> you create.</li></ul>
<ul id="waf_01_0024__ul21071812141111"><li id="waf_01_0024__li191071412141115">WAF built-in rules include <strong id="waf_01_0024__b634494265594">basic web protection</strong> <strong id="waf_01_0024__b1629721787594">rules</strong> and <strong id="waf_01_0024__b409274125594">feature-based anti-crawler</strong> <strong id="waf_01_0024__b1699937483594">rules</strong>.</li><li id="waf_01_0024__li810714127111">WAF custom rules include <strong id="waf_01_0024__b73841157351044">CC attack protection rules</strong>, <strong id="waf_01_0024__b184026544651044">precise protection rules</strong>, <strong id="waf_01_0024__b2895928851044">blacklist and whitelist rules</strong>, and <strong id="waf_01_0024__b27282211951044">geolocation access control rules</strong> you create.</li></ul>
<ol id="waf_01_0024__ol866815019528"><li id="waf_01_0024__li612711519813"><span>Log in to the management console.</span></li><li id="waf_01_0024__li458314281487"><span>Click <span><img id="waf_01_0024__en-us_topic_0000002335595889_image158886314810" src="en-us_image_0000002395174933.png"></span> in the upper left corner and select a region or project.</span></li><li id="waf_01_0024__li159657213511"><span>Click <span><img id="waf_01_0024__en-us_topic_0000002335595889_image172869321316" src="en-us_image_0000002395334641.png"></span> in the upper left corner and choose <strong id="waf_01_0024__en-us_topic_0000002335595889_b1545322105418">Web Application Firewall (Dedicated)</strong> under <strong id="waf_01_0024__en-us_topic_0000002335595889_b12545122195419">Security</strong>.</span></li><li id="waf_01_0024__li86686045213"><span>In the navigation pane on the left, click <strong id="waf_01_0024__en-us_topic_0000002335595889_b133727181559">Events</strong>.</span></li><li id="waf_01_0024__li86691805525"><span>View protection details of a specified domain name, instance, and time range. </span></li><li id="waf_01_0024__li43285317717"><span>Locate the target protection event and choose <span class="menucascade" id="waf_01_0024__menucascade14338536719"><b><span class="uicontrol" id="waf_01_0024__uicontrol10337536712">More</span></b> &gt; <b><span class="uicontrol" id="waf_01_0024__uicontrol143325319710">Handle as False Alarm</span></b></span> in the <span class="parmname" id="waf_01_0024__parmname203318531675"><b>Operation</b></span> column.</span></li><li id="waf_01_0024__li106698095219"><span>In the <span class="parmname" id="waf_01_0024__parmname77139013576"><b>Handle False Alarm</b></span> dialog box, handle the event.</span><p><ul id="waf_01_0024__ul132701121194316"><li id="waf_01_0024__li10270821154317"><strong id="waf_01_0024__b232173115434">Ignore the corresponding WAF protection based on the request features hit the rule.</strong><p id="waf_01_0024__p1889325474">If a protection event is triggered by a rule in <strong id="waf_01_0024__b8925160134820">Basic Web Protection</strong> or <strong id="waf_01_0024__b3925110134819">Feature-based Anti-Crawler</strong>, the associated request features will be displayed in the <strong id="waf_01_0024__b634382110511">Handle False Alarm</strong> dialog box by default. You need to ignore the corresponding WAF protection type and click <span class="parmname" id="waf_01_0024__parmname176491717193318"><b>OK</b></span>. For details about the parameters of the global whitelist rule, see <a href="#waf_01_0024__table15669504522">Table 1</a>.</p>
<div class="fignone" id="waf_01_0024__fig11669160135218"><span class="figcap"><b>Figure 1 </b>Handle False Alarm</span><br><span><img id="waf_01_0024__image2669303521" src="en-us_image_0000002395335841.png" title="Click to enlarge" class="imgResize"></span></div>
<div class="fignone" id="waf_01_0024__fig11669160135218"><span class="figcap"><b>Figure 1 </b>Handle False Alarm</span><br><span><img id="waf_01_0024__image1950613269445" src="en-us_image_0000002483843449.png" title="Click to enlarge" class="imgResize"></span></div>
<div class="tablenoborder"><a name="waf_01_0024__table15669504522"></a><a name="table15669504522"></a><table cellpadding="4" cellspacing="0" summary="" id="waf_01_0024__table15669504522" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Parameters</caption><thead align="left"><tr id="waf_01_0024__en-us_topic_0110861348_row1423118585235"><th align="left" class="cellrowborder" valign="top" width="22.91229122912291%" id="mcps1.3.5.4.7.2.1.1.4.2.4.1.1"><p id="waf_01_0024__en-us_topic_0110861348_p1537916427241">Parameter</p>
</th>
@ -149,7 +149,7 @@
</tr>
<tr id="waf_01_0024__row187431318162617"><td class="cellrowborder" valign="top" width="23.3%" headers="mcps1.3.6.3.6.2.1.2.1.2.4.2.3.1.1 "><p id="waf_01_0024__p67431518132618">Known Attack Source</p>
</td>
<td class="cellrowborder" valign="top" width="76.7%" headers="mcps1.3.6.3.6.2.1.2.1.2.4.2.3.1.2 "><p id="waf_01_0024__p974318186264">If you select <strong id="waf_01_0024__b135491944161717">Block</strong> for <strong id="waf_01_0024__b135499447176">Protective Action</strong>, you can configure a known attack source rule. Then, WAF blocks the requests matching the configured <strong id="waf_01_0024__b12305942161820">IP</strong>, <strong id="waf_01_0024__b1430554216187">Cookie</strong>, or <strong id="waf_01_0024__b6306124215183">Params</strong> for a period configured by the known attack source rule. For details about know attack source rules, see <a href="waf_01_0271.html">Configuring a Known Attack Source Rule to Block Specific Visitors for a Specified Duration</a>.</p>
<td class="cellrowborder" valign="top" width="76.7%" headers="mcps1.3.6.3.6.2.1.2.1.2.4.2.3.1.2 "><p id="waf_01_0024__p974318186264">If you select <strong id="waf_01_0024__b135491944161717">Block</strong> for <strong id="waf_01_0024__b135499447176">Protective Action</strong>, you can configure a known attack source rule. Then, WAF blocks the requests matching the configured <strong id="waf_01_0024__b12305942161820">IP</strong>, <strong id="waf_01_0024__b1430554216187">Cookie</strong>, or <strong id="waf_01_0024__b6306124215183">Params</strong> for a period configured by the known attack source rule. For details about known attack source rules, see <a href="waf_01_0271.html">Configuring a Known Attack Source Rule to Block Specific Visitors for a Specified Duration</a>.</p>
</td>
</tr>
<tr id="waf_01_0024__row474391882620"><td class="cellrowborder" valign="top" width="23.3%" headers="mcps1.3.6.3.6.2.1.2.1.2.4.2.3.1.1 "><p id="waf_01_0024__p7743161812265">Rule Description</p>