Web Application Firewall · The bandwidth in WAF is calculated by WAF itself and is not associated...

Web Application Firewall FAQs Issue 61 Date 2020-09-23 HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2020. All rights reserved.


Contents

1 Protection Bandwidth/Specifications
1.1 How Do I Calculate the Protection Bandwidth?
1.2 What Should I Do If the Traffic Exceeds the Protection Bandwidth of WAF?
1.3 What Should I Do If Protection Rules Are Insufficient?
1.4 What Are the Impacts When QPS Exceeds the Allowed Peak Rate?
1.5 Does WAF Have a Limit on the Number of Concurrent Requests?
1.6 Is the Service Bandwidth Calculated Based on the Incoming Traffic or Outgoing Traffic?

2 Product Function Consultation
2.1 How Do I Obtain the Real IP Address of a Web Visitor?
2.2 Can WAF Protect Both Cloud or On-premises Servers?
2.3 Can WAF Protect an IP Address?
2.4 What Are the Differences Between the Permissions of an Account and Those of IAM Users?
2.5 What Does WAF Protect?
2.6 Which OSs Does WAF Support?
2.7 Which Web Service Frameworks Does WAF Support?
2.8 What Protection Rules Does WAF Support?
2.9 Which Layers Does WAF Provide Protection At?
2.10 Can WAF Continue Protecting a Domain Name When It Expires?
2.11 Can WAF Protect HTTPS Services?
2.12 What Is the Size Limit for Uploading Files After My Website Is Connected to WAF?
2.13 In Which Regions Is WAF Available?
2.14 What Are the Restrictions on Using WAF in Enterprise Projects?
2.15 What Are Regions and AZs?
2.16 Does WAF Support HTTP/2?
2.17 How Many Rules Can Be Added to a WAF Instance?
2.18 Does WAF Support Health Check?
2.19 Does WAF Have the IPS Module?
2.20 Does WAF Support File Caching?
2.21 Does WAF Support the WebSocket Protocol?
2.22 Can My WAF Be Shared by Multiple Accounts?
2.23 What Are the Differences Between Professional, Enterprise, and Premium Editions?
2.24 Can I Export the Blacklist and Whitelist from WAF?
2.25 Does WAF Support Wildcard Domain Names?
2.26 What Are Local File Inclusion and Remote File Inclusion?
2.27 Which of the WAF Protection Rules Support the Log-Only Protective Action?
2.28 Can I Use a Question Mark as the Blocking Matching Condition to Block URL Requests?
2.29 Can WAF Block Requests for Calling Other APIs from Web Pages?
2.30 Can I Configure Session Cookies in WAF?
2.31 Can I Configure the Blacklist and Whitelist Rules in Batches?
2.32 Can I Query Protection Events of a Batch of Specified IP Addresses at Once?
2.33 Does WAF Affect Email Ports or Email Receiving and Sending?
2.34 Will Traffic Be Permitted After WAF Is Switched to the Bypassed Mode?
2.35 What Working Modes and Protection Mechanisms Does WAF Have?
2.36 Is There Any Impact on Website Loading Speed If Other Crawler Check in Basic Web Protection Is Enabled?
2.37 Can WAF Block Data Packets in multipart/form-data Format?

3 Domain Name Access Configuration
3.1 Which Non-Standard Ports Does WAF Support?
3.2 How Do I Add a Domain Name to WAF?
3.3 What Data Is Required for Connecting a Domain Name to WAF?
3.4 How Do I Deploy Both CDN and WAF?
3.5 How Do I Configure Domain Names to Be Protected When Adding Domain Names?
3.6 What Are the Precautions for Configuring Multiple IP Addresses for Backend Servers?
3.7 How Do I Route Website Traffic Through WAF?
3.8 How Do I Configure the Client Protocol and Server Protocol?
3.9 What Are the Differences Between the Old and New CNAMEs?
3.10 Can I Set the IP Address of the Origin Server to a CNAME?
3.11 Can I Access a Website Using an IP Address After a Domain Name Is Connected to WAF?
3.12 How Do I Configure Non-standard Ports When Adding a Protected Domain Name?
3.13 How Can I Forward Requests Directly to the Origin Server Without Passing Through WAF?
3.14 Why Cannot the Protection Mode Be Enabled After a Domain Name Is Connected to WAF?
3.15 How Do I Test WAF?
3.16 How Do I Configure the TXT Record on HUAWEI CLOUD DNS Service?
3.17 How Do I Query a Domain Name Provider?
3.18 What Are the Impacts If a Subdomain Name and TXT Record Are Not Configured?
3.19 How Do I Perform Verification Using HUAWEI CLOUD DNS?
3.20 What Can I Do If the Message "Illegal server address" Is Displayed When I Add a Domain Name?

4 Service Interruption Check
4.1 How Do I Troubleshoot 404/502/504 Errors?
4.2 How Do I Handle a False Alarm?
4.3 What Is the Connection Timeout Duration of WAF? Can I Manually Set the Timeout Duration?
4.4 How Do I Whitelist the WAF Back-to-Source IP Address Ranges?
4.5 How Do I Solve the Problem of Excessive Redirection Times?
4.6 How Do I Solve the Problem that HTTPS Requests Fail on Some Mobile Phones?
4.7 How Do I Fix an Incomplete Certificate Chain?
4.8 What Should I Do If the Program Access Page Fails to Respond After the HTTP Forwarding Policy Is Configured?
4.9 What Can I Do If the Verification Code Cannot Be Refreshed After Verification Code Is Configured in a CC Attack Protection Rule?

5 Rule Configuration
5.1 In Which Situations Will the WAF Policies Fail?
5.2 How Do I Switch the Mode of Basic Web Protection from Log Only to Block?
5.3 When Is Cookie Used to Identify Users?
5.4 How Do I Configure a CC Attack Protection Rule?
5.5 What Are the Differences Between Rate Limit and Allowable Frequency in a CC Rule?
5.6 What Do I Do If a Scanner, such as AppScan, Detects that the Cookie Is Missing Secure or HttpOnly?
5.7 Is the Path of a WAF Protection Rule Case-sensitive?
5.8 Can I Export or Back Up the WAF Configuration?
5.9 Can a Precise Protection Rule Take Effect in a Specified Period?
5.10 Which Protection Levels Can Be Set for Basic Web Protection?
5.11 Why No Logs Are Found for Some Requests Blocked by WAF After Anti-Crawler Is Enabled?

6 Protection Logging
6.1 Does WAF Provide the Log Service?
6.2 Can WAF Logs Be Obtained Using APIs?
6.3 How Do I Obtain Data about Block Actions?
6.4 Can WAF Logs Be Transferred to OBS?
6.5 How Long Can WAF Protection Logs Be Stored?

7 Others
7.1 What Is the Charging Standard of WAF?
7.2 Can I Switch Between the Yearly/Monthly and Pay-Per-Use Billing Modes?
7.3 How Do I Renew WAF?
7.4 How Do I Unsubscribe from WAF?
7.5 How Do I Change the WAF Instance Edition to a Lower One and Reduce Number of Packages?
7.6 Can the Original Configurations Be Saved When I Unsubscribe from a WAF Instance and Then Re-Purchase Another One?
7.7 How Do I Safely Delete a Protected Domain Name?
7.8 How Do I Select a Certificate When Configuring a Wildcard Domain Name?
7.9 How Do I Delete a Certificate Configured for a Protected Domain Name?
7.10 How Do I Modify a Certificate?
7.11 Why Cannot the SSL Certificate of HUAWEI CLOUD SCM Be Viewed on WAF?

A Change History

1 Protection Bandwidth/Specifications

1.1 How Do I Calculate the Protection Bandwidth?

The bandwidth in WAF refers to the amount of protected sites' normal traffic (unit: Mbit/s). A bandwidth expansion package contains 20 Mbit/s for services on HUAWEI CLOUD or 50 Mbit/s for services not on HUAWEI CLOUD or 1,000 Queries per Second (QPS). One HTTP GET request is a query.

NOTE

The bandwidth in WAF is calculated by WAF itself and is not associated with the bandwidth or traffic limit of other HUAWEI CLOUD products (such as CDN, ELB, and ECS).

For details about the bandwidth expansion package, see Bandwidth Expansion Package.

1.2 What Should I Do If the Traffic Exceeds the Protection Bandwidth of WAF?

If your legitimate traffic exceeds the bandwidth limit offered by your selected edition, your traffic forwarding may be adversely affected.

For example, traffic limiting and random packet loss may occur. As a result, services are unavailable, frozen, or delayed for a certain period of time.

In this case, upgrade your edition or buy additional bandwidth expansion packages.

For details about how to upgrade, see Upgrading the Edition.

1.3 What Should I Do If Protection Rules Are Insufficient?

WAF provides professional, enterprise, and premium editions for you. For details about the number of each type of protection rules for each edition, see Edition Differences. If the number of protection rules cannot meet your service requirements, you can upgrade your WAF edition. For details, see Upgrading the Edition.

1.4 What Are the Impacts When QPS Exceeds the Allowed Peak Rate?

If the QPS exceeds the peak rate supported by the current WAF edition, the overflowed requests will bypass WAF and directly go to your servers. There is no impact on your services except potential security risks.

Table 1-1 lists the QPS specifications supported by each WAF edition.

Table 1-1 QPS specifications supported by WAF

| Edition | Peak Rate of Normal Service Requests | Peak Rate of CC Attack Defense |
|---|---|---|
| Professional | 2,000 QPS | 100,000 QPS |
| Enterprise | 5,000 QPS | 300,000 QPS |
| Premium | 10,000 QPS | 1,000,000 QPS |

For details about the specifications of each WAF edition, see Edition Differences.

1.5 Does WAF Have a Limit on the Number of Concurrent Requests?

The number of concurrent requests refers to the number of requests that the system can process simultaneously. When it comes to a website, concurrent requests refer to the requests from the visitors at the same time.

WAF does not limit the number of concurrent requests. After your domain name is connected to WAF, all public network traffic to the website goes to WAF first. WAF checks HTTP/HTTPS requests for malicious traffic against protection rules you configured and returns authenticated traffic to the origin server IP address, ensuring the security of the origin server.

For details about features of WAF, see Functions.

1.6 Is the Service Bandwidth Calculated Based on the Incoming Traffic or Outgoing Traffic?

The service bandwidth in WAF is calculated by WAF itself and is not associated with the bandwidth or traffic limit of other HUAWEI CLOUD products (such as CDN, ELB, and ECS).

For details about bandwidth, see Bandwidth Expansion Package.


2 Product Function Consultation

2.1 How Do I Obtain the Real IP Address of a Web Visitor?

Generally, a proxy such as CDN, WAF, and AAD is deployed between the client and server. Web visitors cannot directly access the server. For example, web visitor > CDN/WAF/AAD > origin server. Then, how does the server obtain the real IP address of the client when multiple proxies are configured?

When forwarding requests to the downstream server, the transparent proxy server adds an X-Forwarded-For field to the HTTP header to identify the web visitor's real IP address in the format of X-Forwarded-For: real IP address of the web visitor, proxy 1-IP address, proxy 2-IP address, proxy 3-IP address, ...

Therefore, you can obtain the web visitor's real IP address from the first IP address in the X-Forwarded-For field.

For details, see Obtaining the Real IP Address of a Web Visitor.
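
The following is an added example, not code from the Huawei documentation, of applying the first-entry rule above on the origin server: the header is honoured only when the connection comes from a trusted proxy range, and a stricter right-to-left variant is included, which goes beyond the FAQ. The proxy ranges, sample headers, and function names are constructed placeholders, and the example assumes that proxies append to an X-Forwarded-For header that already exists.

```python
import ipaddress

# Constructed placeholder ranges (RFC 5737 documentation space) standing in for
# the WAF back-to-source ranges and any other proxy in front of the server.
# Assumption: replace them with the ranges that apply to your own deployment.
TRUSTED_PROXY_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),     # hypothetical WAF back-to-source range
    ipaddress.ip_network("198.51.100.0/24"),  # hypothetical CDN range
]


def is_trusted_proxy(ip):
    """True if ip (str or ip_address object) lies inside a trusted proxy range."""
    addr = ipaddress.ip_address(ip) if isinstance(ip, str) else ip
    return any(addr in net for net in TRUSTED_PROXY_NETS
               if net.version == addr.version)


def parse_xff(header_value):
    """Return the X-Forwarded-For entries as ip_address objects, left to right.

    Raises ValueError if any entry is not an IP address, so a malformed header
    is rejected as a whole instead of being partially trusted.
    """
    hops = []
    for raw in header_value.split(","):
        token = raw.strip()
        if token.startswith("["):                 # "[2001:db8::1]:443"
            token = token[1:].split("]", 1)[0]
        elif token.count(":") == 1:               # "203.0.113.7:51234"
            token = token.split(":", 1)[0]
        hops.append(ipaddress.ip_address(token))  # ValueError on anything else
    return hops


def visitor_ip_first_entry(peer_ip, xff):
    """The rule from the FAQ: the first X-Forwarded-For entry is the visitor.

    The header is used only when the TCP peer is a trusted proxy; a request
    that reached the server directly is attributed to the peer itself.
    """
    if not xff or not is_trusted_proxy(peer_ip):
        return str(ipaddress.ip_address(peer_ip))
    return str(parse_xff(xff)[0])


def visitor_ip_rightmost_untrusted(peer_ip, xff):
    """Stricter variant: walk the chain from the server outwards and return the
    first hop that is not one of our proxies. Entries to the left of that hop
    were not written by our proxies and are ignored."""
    if not xff or not is_trusted_proxy(peer_ip):
        return str(ipaddress.ip_address(peer_ip))
    chain = parse_xff(xff) + [ipaddress.ip_address(peer_ip)]
    for hop in reversed(chain):
        if not is_trusted_proxy(hop):
            return str(hop)
    return str(chain[0])  # every hop is one of our proxies (internal request)


# Constructed sample requests: (TCP peer address, X-Forwarded-For value).
SAMPLES = {
    "via CDN and WAF": ("192.0.2.10", "203.0.113.7, 198.51.100.4"),
    "direct to origin": ("203.0.113.99", "10.0.0.1"),
    "header already set on arrival": ("192.0.2.10",
                                      "10.1.1.1, 203.0.113.7, 198.51.100.4"),
}

if __name__ == "__main__":
    for name, (peer, xff) in SAMPLES.items():
        print(f"{name:32} first-entry={visitor_ip_first_entry(peer, xff):14} "
              f"rightmost-untrusted={visitor_ip_rightmost_untrusted(peer, xff)}")
```

The two functions agree on traffic that passed only through the listed proxies; they differ when the header already carried an entry before the first proxy saw it, which is why the origin server should also accept connections only from the WAF back-to-source ranges.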

2.2 Can WAF Protect Both Cloud or On-premises Servers?

Yes. A WAF instance can protect both cloud and on-premises servers, provided the servers are connected to the Internet.

A WAF instance protects your servers based on domain names regardless of whether your server is on the cloud or not, where your server resides, or to which project or account your server belongs.

2.3 Can WAF Protect an IP Address?

A WAF instance can only protect websites based on domain names but cannot protect IP addresses.

The origin server IP address configured in WAF can only be a public IP address.

To reduce the number of public IP addresses, you can purchase Elastic Load Balance (ELB) or set up load balancers to work as proxies of the backend private IP addresses, and set the EIP (public IP address) as the WAF back-to-source IP address.

2.4 What Are the Differences Between the Permissions of an Account and Those of IAM Users?

Resources of an account are isolated from those of IAM users.

The master account can be used to view a domain name added using a subaccount, but a subaccount cannot be used to view a domain name added using the master account.

For details about WAF account permissions, see Permissions Management.

2.5 What Does WAF Protect?

WAF can protect websites based on domain names.

2.6 Which OSs Does WAF Support?

WAF is deployed on the cloud, which is irrelevant to an OS. Therefore, WAF supports any OS. A domain name server on any OS can be connected to WAF for protection.

2.7 Which Web Service Frameworks Does WAF Support?

WAF is deployed on the cloud and is not coupled with services on a web server. Therefore, WAF supports web services on any framework.

2.8 What Protection Rules Does WAF Support?

The protection rules supported by WAF are described below.

● Basic Web Protection

WAF can defend against common web attacks, such as SQL injection, XSS, web shells, and Trojans in HTTP upload channels. Once these functions are enabled, protection takes effect immediately.

● CC Attack Protection

Flexible rate limiting policies can be set based on the IP addresses, cookies, or Referer field, mitigating CC attacks.

● Precise Protection

Common HTTP fields can be combined to customize protection policies, such as CSRF protection. With user-defined rules, WAF can accurately detect malicious requests and protect sensitive information in websites.


● Blacklist and Whitelist

Blacklist or whitelist rules allow you to block or allow specific IP addresses or address ranges, improving defense accuracy.

● Geolocation Access Control

Geolocation access control rules allow you to customize access control based on the source IP addresses.

● Web Tamper Protection

Cache configuration is performed on static web pages. When a user accesses a web page, the system returns a cached page to the user and randomly checks whether the page is tampered with.

● Anti-crawler Protection

This function dynamically analyzes website service models and accurately identifies crawler behavior based on data risk control and bot identification systems, such as JS Challenge.

● False Alarm Masking

This function ignores certain attack detection rules for specific requests.

● Data Masking

Data masking prevents such data as passwords from being displayed in event logs.

● Information Leakage Prevention

WAF prevents user's sensitive information on web pages from being disclosed, such as ID numbers, phone numbers, and email addresses.

2.9 Which Layers Does WAF Provide Protection At?

WAF provides protection at seven layers, namely, the physical layer, data link layer, network layer, transport layer, session layer, presentation layer, and application layer.

2.10 Can WAF Continue Protecting a Domain Name When It Expires?

After your cloud WAF instance expires, there is a retention period.

● During this period, WAF only forwards traffic but does not check it against your protection policies.

● When this period ends, resources will be cleared, that is, all configurations of your domain names will be deleted. During the clearing period, domain names are pointed back to origin servers by default. However, services on your domain names may not run properly because there may be inconsistencies between your configured protocols and ports.

To prevent security issues from occurring, it is recommended that you renew the cloud WAF instance before its retention period expires. If the cloud WAF instance expires, it does not impact other services.


2.11 Can WAF Protect HTTPS Services?

Yes. You just need to configure HTTPS as the frontend protocol and allow WAF to host your certificate. Then, WAF protects your HTTPS service.

2.12 What Is the Size Limit for Uploading Files After My Website Is Connected to WAF?

After you connect your website to WAF, you can upload a file of up to 512 MB in size.

If you want to upload a file with a file size greater than 512 MB, upload the file through:

● IP address.

● Separate web server.

● FTP server.

2.13 In Which Regions Is WAF Available?

WAF is available in all regions on HUAWEI CLOUD.

WAF is available in the following regions: AP-Hong Kong, AP-Bangkok, AP-Singapore, and LA-Sao Paulo1.

Generally, a WAF instance purchased in any region can protect web services in all regions. However, to improve the forwarding efficiency of WAF instances, you are advised to select the region nearest to your services.

2.14 What Are the Restrictions on Using WAF in Enterprise Projects?

Each enterprise project is independent from the others.

● The created policies can be used only by their own projects. For example, if you create policy A for a main project, the rules created for the sub-projects do not belong to policy A. You must create a policy for sub-projects separately.

● The created certificates can be used only by their own projects. A main project and sub-project can only use its own certificates.

2.15 What Are Regions and AZs?

Concept

A region and availability zone (AZ) identify the location of a data center. You can create resources in a specific region and AZ.

● Regions are divided from the dimensions of geographical location and network latency. Public services, such as Elastic Cloud Server (ECS), Elastic Volume Service (EVS), Object Storage Service (OBS), Virtual Private Cloud (VPC), Elastic IP (EIP), and Image Management Service (IMS), are shared within the same region. Regions are classified as universal regions and dedicated regions. A universal region provides universal cloud services for common tenants. A dedicated region provides services of the same type only or for specific tenants.

● An AZ contains one or more physical data centers. Each AZ has independent cooling, fire extinguishing, moisture-proof, and electricity facilities. Within an AZ, computing, network, storage, and other resources are logically divided into multiple clusters. AZs within a region are interconnected using high-speed optical fibers to allow you to build cross-AZ high-availability systems.

Figure 2-1 shows the relationship between the regions and AZs.

Figure 2-1 Region and AZ

HUAWEI CLOUD provides services in many regions around the world. You can select a region and AZ as needed.

How to Select a Region?

When selecting a region, consider the following factors:

● Location

You are advised to select a region close to you or your target users. This reduces network latency and improves access rate. However, Chinese mainland regions provide basically the same infrastructure, BGP network quality, as well as operations and configurations on resources. Therefore, if you or your target users are in the Chinese mainland, you do not need to consider the network latency differences when selecting a region.

– If you or your target users are in the Asia Pacific region, except the Chinese mainland, select the AP-Hong Kong, AP-Bangkok, or AP-Singapore region.

– If you or your target users are in Africa, select the AF-Johannesburg region.

– If you or your target users are in Europe, select the EU-Paris region.

● Resource price


Resource prices may vary in different regions. For details, see Product Pricing Details.

How to Select an AZ?

When determining whether to deploy resources in the same AZ, consider your applications' requirements on disaster recovery (DR) and network latency.

● For high DR capability, deploy resources in different AZs in the same region.
● For low network latency, deploy resources in the same AZ.

Regions and Endpoints

Before using an API to call resources, specify its region and endpoint. For more details, see Regions and Endpoints.

2.16 Does WAF Support HTTP/2?

Currently, WAF does not support HTTP/2 (HTTP 2.0).

2.17 How Many Rules Can Be Added to a WAF Instance?

The number of rules that can be added varies depending on the protection types in the WAF edition you are using. For details about edition specifications, see Edition Differences.

2.18 Does WAF Support Health Check?

Currently, WAF does not support the health check function. If you want to check the health status of servers, it is recommended that you use both ELB and WAF. After you configure ELB, the EIP of ELB is used as the IP address of the server to connect to WAF for health check.

2.19 Does WAF Have the IPS Module?

WAF does not have the IPS module of the traditional firewall, but WAF supports intrusion detection for the HTTP/HTTPS protocol.

2.20 Does WAF Support File Caching?

WAF caches only static web pages that are configured with web tamper protection and sends the cached web pages that are not tampered with to web visitors for tamper-proof purposes.

If you want to cache all website contents, you can deploy CDN and deploy WAF between CDN and the origin server. For details, see Domain Setup with Both CDN and WAF Deployed.


2.21 Does WAF Support the WebSocket Protocol?

WAF supports the WebSocket protocol, which is enabled by default.

2.22 Can My WAF Be Shared by Multiple Accounts?

WAF cannot be shared by multiple accounts. Each account needs to individually purchase a WAF instance. However, a WAF instance can be shared by multiple IAM users.

Sharing WAF Among Multiple IAM Users

Assume that you have created an account, domain1, by registering with HUAWEI CLOUD, and used domain1 to create two IAM users, sub-user1a and sub-user1b, in IAM. If you have granted WAF permissions to sub-user1b, sub-user1b can then use the WAF service of sub-user1a.

For details about granting permissions, see Creating a User Group and Granting Permissions.

2.23 What Are the Differences Between Professional, Enterprise, and Premium Editions?

WAF provides professional, enterprise, and premium editions for you.

For details about the features of each edition, see Edition Difference.

2.24 Can I Export the Blacklist and Whitelist from WAF?

No. WAF does not support exporting of the blacklist. You can view the configured blacklist rules in the blacklist and whitelist rule list.

For details about how to configure the blacklist and whitelist rules, see Configuring Blacklist and Whitelist Rules.

2.25 Does WAF Support Wildcard Domain Names?

Yes. When adding a domain name to WAF, you can configure a single domain name or a wildcard domain name based on your service requirements. The details are as follows:

● Single domain name

Configure a single domain name to be protected. For example, www.example.com

● Wildcard domain name


You can configure a wildcard domain name to let WAF protect multi-level domain names under the wildcard domain name.

– If the server IP address of each subdomain name is the same, enter a wildcard domain name to be protected. For example, if the subdomain names a.example.com, b.example.com, and c.example.com have the same server IP address, you can directly add the wildcard domain name *.example.com to WAF for protection.

– If each subdomain name points to different server IP addresses, add subdomain names as single domain names one by one.

For more details, see Adding a Domain Name.

2.26 What Are Local File Inclusion and Remote File Inclusion?

You can view security events such as file inclusion in WAF protection events to quickly locate attack sources or analyze attack events.

File inclusion means that program developers write frequently used functions in a single file. When such a function needs to be used, the file is invoked directly instead of the function being rewritten. This file invoking process is called file inclusion. File inclusion vulnerabilities fall into two categories, based on whether the file is a remotely hosted file or a local file available on the web server:

● Local file inclusion
● Remote file inclusion

A file inclusion vulnerability allows an attacker to access unauthorized or sensitive files available on the web server or to execute malicious files on the web server by using such a file. This vulnerability is mainly due to a bad input validation mechanism, wherein the user's input is passed to the file include commands without proper validation. The impact of this vulnerability can lead to malicious code execution on the server or reveal data present in sensitive files.

For details about protection event logs, see Viewing Protection Event Logs.
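The input validation gap described above, shown as an added example that is not part of the original FAQ or of WAF itself: an unchecked join of request input into an include path next to a check that rejects remote references and paths resolving outside the include root. The function names, the directory layout and the sample requests are constructed for illustration.

```python
import tempfile
from pathlib import Path
from urllib.parse import urlsplit


def naive_include_path(root: Path, requested: str) -> Path:
    """Unsafe pattern: request input is joined into the include path unchecked."""
    return root / requested


def check_include(root: Path, requested: str):
    """Return (resolved_path_or_None, verdict) for a requested include name."""
    if not requested or "\x00" in requested:
        return None, "rejected: empty or contains NUL"
    parts = urlsplit(requested)
    if parts.scheme or parts.netloc:
        # A scheme or host means the file would be fetched from another server.
        return None, "rejected: remote file inclusion"
    root = root.resolve()
    candidate = (root / requested).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        # Absolute paths and parent-directory hops resolve outside the root.
        return None, "rejected: local file outside include root"
    if not candidate.is_file():
        return None, "rejected: no such include file"
    return candidate, "allowed"


def demo():
    """Build a constructed directory layout and evaluate sample requests."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp).resolve()
        root = base / "includes"
        root.mkdir()
        (root / "header.html").write_text("<h1>header</h1>")
        # Constructed stand-in for a sensitive file that lives outside the root.
        (base / "settings.ini").write_text("constructed sensitive file")

        requests = [
            "header.html",                            # legitimate include
            "../settings.ini",                        # relative hop out of the root
            str(base / "settings.ini"),               # absolute path
            "http://files.example.invalid/page.txt",  # remotely hosted file
            "//files.example.invalid/page.txt",       # scheme-less remote reference
            "missing.html",                           # inside the root, not present
        ]
        verdicts = [check_include(root, name)[1] for name in requests]
        # The unchecked join happily reaches the file outside the root.
        naive_reaches_outside = naive_include_path(root, "../settings.ini").resolve().is_file()
        return verdicts, naive_reaches_outside


if __name__ == "__main__":
    verdicts, naive_reaches_outside = demo()
    for verdict in verdicts:
        print(verdict)
    print("naive join reaches file outside root:", naive_reaches_outside)
```
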

2.27 Which of the WAF Protection Rules Support the Log-Only Protective Action?

In WAF, Log only is available for Protective Action in basic web protection rules.

Log only is available for Protective Action in CC attack protection rules, precise protection rules, blacklist and whitelist rules, and geolocation access control rules.

2.28 Can I Use a Question Mark as the Blocking Matching Condition to Block URL Requests?

No. Question marks (?) cannot be used as the matching condition to block URL requests. WAF detects source IP addresses against a matching condition and blocks suspicious IP addresses.


2.29 Can WAF Block Requests for Calling Other APIs from Web Pages?

WAF does not block requests for calling other APIs because these requests do not pass through WAF.

2.30 Can I Configure Session Cookies in WAF?

WAF does not support session cookies.

You can configure CC attack protection rules in WAF to limit the access frequency of a specific path (URL) based on a single cookie field, so that CC attacks are accurately identified and effectively mitigated. For example, if a user whose cookie ID is name accesses the /admin* page under the protected domain name for more than 10 times within 60 seconds, you can configure a CC attack protection rule to forbid the user to access the domain name for 600 seconds.

For details about how to configure a CC attack protection rule, see Configuring CC Attack Protection Rules.
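The rule in the example above (cookie field name, path /admin*, more than 10 requests within 60 seconds, 600-second block) modelled as an added example; this is not WAF's implementation. The class name, the sliding-window counting, the prefix interpretation of /admin* and the sample requests are assumptions made for illustration.

```python
from collections import defaultdict, deque
from http.cookies import CookieError, SimpleCookie


class CookieRateRule:
    """Model of a per-cookie rate rule: count hits on a path prefix, then block."""

    def __init__(self, cookie_field="name", path_prefix="/admin",
                 limit=10, window_s=60, block_s=600):
        self.cookie_field = cookie_field
        self.path_prefix = path_prefix    # "/admin*" treated as a prefix match (assumption)
        self.limit = limit
        self.window_s = window_s
        self.block_s = block_s
        self._hits = defaultdict(deque)   # cookie value -> timestamps of matching hits
        self._blocked_until = {}          # cookie value -> time at which the block ends

    def _cookie_value(self, cookie_header):
        jar = SimpleCookie()
        try:
            jar.load(cookie_header or "")
        except CookieError:
            return None
        morsel = jar.get(self.cookie_field)
        return morsel.value if morsel is not None else None

    def evaluate(self, ts, path, cookie_header):
        """Return "allow" or "block" for one request seen at time ts (seconds)."""
        user = self._cookie_value(cookie_header)
        if not user:
            return "allow"                # no cookie field: this rule does not apply
        if self._blocked_until.get(user, 0) > ts:
            return "block"                # block covers every path on the domain
        if path.startswith(self.path_prefix):
            hits = self._hits[user]
            hits.append(ts)
            while hits and ts - hits[0] >= self.window_s:
                hits.popleft()            # forget hits older than the window
            if len(hits) > self.limit:    # "more than 10 times within 60 seconds"
                self._blocked_until[user] = ts + self.block_s
                hits.clear()
                return "block"
        return "allow"


def demo():
    """Replay constructed requests: (timestamp, path, Cookie header)."""
    rule = CookieRateRule()
    cases = {
        # 11 requests in 11 seconds: the 11th exceeds the limit.
        "fast": [(t, "/admin/login", "name=alice; theme=dark") for t in range(11)],
        # Same cookie value, other path, inside the 600-second block.
        "during_block": [(300, "/index.html", "name=alice")],
        # Block set at t=10 expires at t=610.
        "after_block": [(610, "/index.html", "name=alice")],
        # 11 requests spaced 7 seconds apart never reach 11 in one window.
        "slow": [(t * 7, "/admin/users", "name=bob") for t in range(11)],
        # Request without the cookie field is not counted by this rule.
        "no_cookie": [(5, "/admin/login", "theme=dark")],
    }
    return {label: [rule.evaluate(*req) for req in reqs] for label, reqs in cases.items()}


if __name__ == "__main__":
    for label, verdicts in demo().items():
        print(label, verdicts)
```
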

What Are Cookies?

Cookies are data (usually encrypted) stored on the local terminal of a user by a website to identify the user and trace sessions. Cookies are sent by a web server to a browser to record personal information of the user.

A cookie consists of a name, a value, and several optional attributes that control the cookie validity period, security, and usage scope. Cookies are classified into session cookies and persistent cookies. The details are as follows:

● Session cookie

A session cookie exists only in temporary memory while the user navigates the website. It does not have an expiration date assigned. When the browser is closed, session cookies are deleted.

● Persistent cookie

A persistent cookie has an expiration date assigned and is stored on disk. Persistent cookies will be deleted after a specific length of time.

2.31 Can I Configure the Blacklist and Whitelist Rules in Batches?

WAF does not support batch configuration of blacklist and whitelist protection rules. You can configure a blacklist and whitelist rule to block, record, or permit access requests from a specified IP address or IP address segment. Each rule corresponds to an IP address or IP address segment. If you have multiple IP addresses or IP address segments, configure blacklist and whitelist rules for each IP address or IP address segment.


For details about how to configure the rules, see Configuring Blacklist and Whitelist Rules.

2.32 Can I Query Protection Events of a Batch of Specified IP Addresses at Once?

WAF does not support querying protection events for a batch of specified IP addresses at once. On the Events page, you can view events by a certain combination of Event Type, Protective Action, Source IP Address, URL, and Event ID. Figure 2-2 shows an example.

Figure 2-2 Viewing protection events

For details about protection events, see Viewing Protection Event Logs.

2.33 Does WAF Affect Email Ports or Email Receiving and Sending?

WAF protects web application pages. After your website is connected to WAF, there is no impact on your email port or email sending or receiving.

2.34 Will Traffic Be Permitted After WAF Is Switched to the Bypassed Mode?

If you switch the WAF working Mode to Bypassed, requests are directly sent to the original backend server without passing through WAF.

Switch the WAF mode to Bypassed only if one of the following conditions is met:

● Services need to be restored to the status where the domain is not connected to WAF.
● You need to check for website malfunctions, such as 502, 504, or other incompatibility issues.
● No proxy is configured between the client and WAF.


Effective Time of WAF Bypassed Working Mode

After you switch the WAF work Mode to Bypassed, it takes effect within 3 to 5 minutes.

Procedure for WAF Working Mechanism Switchover

Step 1 Log in to the management console.

Step 2 Click in the upper left corner of the management console and select a region or project.

Step 3 Click in the upper left corner and choose Web Application Firewall under Security.

Step 4 In the navigation pane, choose Website Settings.

Step 5 In the row containing the desired website, click Switch Mode in the Mode column.

Step 6 In the Switch Mode dialog box, select the working mode and then click OK.

----End

2.35 What Working Modes and Protection Mechanisms Does WAF Have?

After you connect a domain name to your WAF instance, WAF works as a reverse proxy between the client and server. The real IP address of the server is hidden and only the IP address of WAF is visible to web visitors.

WAF supports the following working modes:

● Enabled
● Suspended
● Bypassed

For more details about WAF working mode, see Switching a Working Mode.

Table 2-1 describes the protection mechanism.

Table 2-1 Supported protection mechanism

| Protection Rule | Protective Action |
|---|---|
| Configuring Basic Web Protection Rules | Block; Log only |
| Configuring CC Attack Protection Rules | Verification code; Block; Block dynamically; Log only |
| Configuring Precise Protection Rules | Block; Allow; Log only |
| Configuring Blacklist and Whitelist Rules | Block; Allow; Log only |
| Configuring Geolocation Access Control Rules | Block; Allow; Log only. NOTICE: Geolocation access control rules are available only in WAF enterprise and premium editions. |

NOTE

● Block: WAF blocks and logs detected attacks.

● Log only: WAF logs detected attacks only.

2.36 Is There Any Impact on Website Loading Speed If Other Crawler Check in Basic Web Protection Is Enabled?

If you have enabled Other during basic web protection configuration, WAF detects crawlers for various purposes, such as website monitoring, access proxy, and web page analysis. Figure 2-3 shows an example. Enabling this option does not affect web page visits or the web page browsing speed.

Figure 2-3 Enabling Other

For details about how to configure basic web protection, see Configuring Basic Web Protection Rules.


2.37 Can WAF Block Data Packets in multipart/form-data Format?

Yes. You can submit a service ticket to apply for configuration to block data packets in multipart/form-data format.

The multipart/form-data indicates that the browser uses a form to upload files. For example, if an attachment is added to an email, the attachment is usually uploaded to the server in multipart/form-data format.


3 Domain Name Access Configuration

3.1 Which Non-Standard Ports Does WAF Support?

In addition to standard ports 80 and 443, WAF supports many non-standard ports. The supported non-standard ports vary depending on the WAF edition and billing mode you select.

If you want to add a non-standard port when adding a protected domain name, select Non-standard Port and select the corresponding non-standard port from the Port drop-down list. Then the non-standard port can be connected to WAF.

Figure 3-1 Configuration of a non-standard port

Ports Supported by WAF

You can buy WAF instances billed on a yearly/monthly or pay-per-use basis. The yearly/monthly billing mode is available in the WAF professional, enterprise, and premium editions. Table 3-1 lists the ports that can be protected by WAF.

Table 3-1 Supported ports

| WAF Edition/Billing Mode | Port Category | HTTP Protocol | HTTPS Protocol | Port Limit |
|---|---|---|---|---|
| Professional | Standard ports | 80 | 443 | Unlimited |
| Professional | Non-standard ports (86 in total) | 81, 82, 83, 84, 86, 87, 88, 89, 800, 808, 5000, 8000, 8001, 8002, 8003, 8008, 8009, 8010, 8020, 8021, 8022, 8025, 8026, 8077, 8078, 8080, 8085, 8086, 8087, 8088, 8089, 8090, 8091, 8092, 8093, 8094, 8095, 8096, 8097, 8098, 8106, 8118, 8181, 8334, 8336, 8800, 8686, 8888, 8889, 8999, 8011, 8012, 8013, 8014, 8015, 8016, 8017, and 8070 | 4443, 5443, 6443, 7443, 8081, 8082, 8083, 8084, 8443, 8843, 9443, 8553, 8663, 9553, 9663, 18110, 18381, 18980, 28443, 18443, 8033, 18000, 19000, 7072, 7073, 8803, 8804, and 8805 | 10 non-standard ports supported by the professional edition |
| Enterprise | Standard ports | 80 | 443 | Unlimited |
| Enterprise | Non-standard ports (182 in total) | 9945, 9770, 81, 82, 83, 84, 88, 89, 800, 808, 1000, 1090, 3128, 3333, 3501, 3601, 4444, 5000, 5222, 5555, 5601, 6001, 6666, 6788, 6789, 6842, 6868, 7000, 7001, 7002, 7003, 7004, 7005, 7006, 7009, 7010, 7011, 7012, 7013, 7014, 7015, 7016, 7018, 7019, 7020, 7021, 7022, 7023, 7024, 7025, 7026, 7070, 7081, 7082, 7083, 7088, 7097, 7777, 7800, 7979, 8000, 8001, 8002, 8003, 8008, 8009, 8010, 8020, 8021, 8022, 8025, 8026, 8077, 8078, 8080, 8085, 8086, 8087, 8088, 8089, 8090, 8091, 8092, 8093, 8094, 8095, 8096, 8097, 8098, 8106, 8118, 8181, 8334, 8336, 8800, 8686, 8888, 8889, 8989, 8999, 9000, 9001, 9002, 9003, 9080, 9200, 9802, 10000, 10001, 10080, 12601, 86, 9021, 9023, 9027, 9037, 9081, 9082, 9201, 9205, 9207, 9208, 9209, 9210, 9211, 9212, 9213, 48800, 87, 97, 7510, 9180, 9898, 9908, 9916, 9918, 9919, 9928, 9929, 9939, 28080, 33702, 8011, 8012, 8013, 8014, 8015, 8016, 8017, and 8070 | 8750, 8445, 18010, 4443, 5443, 6443, 7443, 8081, 8082, 8083, 8084, 8443, 8843, 9443, 8553, 8663, 9553, 9663, 18110, 18381, 18980, 28443, 18443, 8033, 18000, 19000, 7072, 7073, 8803, 8804, 8805, 9999 | 18 non-standard ports supported by the enterprise edition |
| Premium | Standard ports | 80 | 443 | Unlimited |
| Premium | Non-standard ports (199 in total) | 8899, 8006, 9945, 9770, 81, 82, 83, 84, 88, 89, 800, 808, 1000, 1090, 3128, 3333, 3501, 3601, 4444, 5000, 5222, 5555, 5601, 6001, 6666, 6788, 6789, 6842, 6868, 7000, 7001, 7002, 7003, 7004, 7005, 7006, 7009, 7010, 7011, 7012, 7013, 7014, 7015, 7016, 7018, 7019, 7020, 7021, 7022, 7023, 7024, 7025, 7026, 7070, 7081, 7082, 7083, 7088, 7097, 7777, 7800, 7979, 8000, 8001, 8002, 8003, 8008, 8009, 8010, 8020, 8021, 8022, 8025, 8026, 8077, 8078, 8080, 8085, 8086, 8087, 8088, 8089, 8090, 8091, 8092, 8093, 8094, 8095, 8096, 8097, 8098, 8106, 8118, 8181, 8334, 8336, 8800, 8686, 8888, 8889, 8989, 8999, 9000, 9001, 9002, 9003, 9080, 9200, 9802, 10000, 10001, 10080, 12601, 86, 9021, 9023, 9027, 9037, 9081, 9082, 9201, 9205, 9207, 9208, 9209, 9210, 9211, 9212, 9213, 48800, 87, 97, 7510, 9180, 9898, 9908, 9916, 9918, 9919, 9928, 9929, 9939, 28080, 33702, 8011, 8012, 8013, 8014, 8015, 8016, 8017, 8070, and 8232 | 8750, 9190, 9184, 9182, 8950, 8920, 8910, 8848, 8445, 18010, 4443, 5443, 6443, 7443, 8081, 8082, 8083, 8084, 8443, 8843, 9443, 8553, 8663, 9553, 9663, 18110, 18381, 18980, 28443, 18443, 8033, 18000, 19000, 7072, 7073, 8803, 8804, 8805, 9999, 8244, 8224, 8281, 8211, 8243, 8221, and 8231 | 58 non-standard ports supported by the premium edition |
| Pay-per-use billing (cloud mode) | Standard ports | 80 | 443 | Unlimited |
| Pay-per-use billing (cloud mode) | Non-standard ports (86 in total) | 81, 82, 83, 84, 86, 87, 88, 89, 800, 808, 5000, 8000, 8001, 8002, 8003, 8008, 8009, 8010, 8020, 8021, 8022, 8025, 8026, 8077, 8078, 8080, 8085, 8086, 8087, 8088, 8089, 8090, 8091, 8092, 8093, 8094, 8095, 8096, 8097, 8098, 8106, 8118, 8181, 8334, 8336, 8800, 8686, 8888, 8889, 8999, 8011, 8012, 8013, 8014, 8015, 8016, 8017, 8070 | 4443, 5443, 6443, 7443, 8081, 8082, 8083, 8084, 8443, 8843, 9443, 8553, 8663, 9553, 9663, 18110, 18381, 18980, 28443, 18443, 8033, 18000, 19000, 7072, 7073, 8803, 8804, 8805 | 20 non-standard ports supported in the pay-per-use billing mode |

Why a Third-Party Detection Tool Can Detect My Non-Standard Ports That Have Not Been Enabled?

The non-standard port detection engine of WAF is shared by all users. So, a third-party detection tool can detect all non-standard ports that have been used in WAF. The port detection of the domain name is based on the port enabled for the origin server IP address. Therefore, the port detection engine does not affect the security of the origin server. In addition, WAF ensures the security of the engine IP addresses returned by the customer after CNAME resolution.

3.2 How Do I Add a Domain Name to WAF?

After connecting a domain name, WAF works as a reverse proxy between the client and server. The real IP address of the server is hidden and only the IP address of WAF is visible to web visitors.

For more details, see Adding a Domain Name to WAF.


3.3 What Data Is Required for Connecting a Domain Name to WAF?

The following data is required:

● Domain name

● Port number: the service port corresponding to the domain name to be protected. WAF supports non-standard ports. For details, see Which Non-Standard Ports Does WAF Support?

● Server information

– Client Protocol: protocol used by a client to access a server.

– Server Protocol: protocol over which WAF forwards client requests to the server.

– Server Address: public IP address (generally corresponding to the A record of the domain name configured on the DNS) or domain name (generally corresponding to the CNAME of the domain name configured on the DNS) of the web server that a client accesses.

– Server Port: service port of the server to which WAF forwards client requests.

● Certificate: If HTTPS is set for Client Protocol, you need to purchase a certificate for the domain name and push the certificate to WAF.

3.4 How Do I Deploy Both CDN and WAF?

After the domain name resolution record is resolved into the CNAME record provided by CDN, the back-to-source address of CDN needs to be changed to the CNAME of WAF. In this way, CDN forwards the traffic to WAF. WAF then filters out illegitimate traffic and only routes legitimate traffic back to the origin server. After the configuration is complete, traffic is first processed by CDN and then forwarded to WAF, thereby achieving collaborative protection.

To prevent other users from configuring your domain names on WAF in advance (this will cause interference on your domain name protection), you are advised to add a subdomain name and TXT record of WAF at your DNS provider.

For details about how to deploy both CDN and WAF, see Domain Setup with Both CDN and WAF Deployed.


3.5 How Do I Configure Domain Names to Be Protected When Adding Domain Names?

Before using WAF, you need to add domain names to be protected to WAF based on your web service protection requirements. WAF supports addition of single domain names and wildcard domain names. This section describes how to configure domain names to be protected.

Basic Concepts

● Wildcard domain name

A wildcard domain name is a domain name that contains the wildcard * and starts with "*.".

For example, *.example.com is a correct wildcard domain name, but *.*.example.com is not.

NOTE

A wildcard domain name counts as one domain name.

● Single domain name

A single domain name is also called a common domain name and is a specific domain name (a non-wildcard domain name).

For example, www.example.com or example.com is a single domain name.

NOTE

For example, www.example.com counts as a domain name and so does a.www.example.com.

Selecting a Domain Name Type

WAF supports single domain names and wildcard domain names.

The domain name purchased from the DNS service provider is a single domain name (example.com). The domain name added to WAF can be example.com, a subdomain name (for example, a.example.com), or wildcard domain name (*.example.com). You can select a domain name type based on the following scenarios:

● If services of a domain name to be protected are the same, enter a single domain name. For example, if all the services of www.example.com to be protected are services on port 8080, set Domain Name to a single domain name www.example.com.

● If the server IP address of each subdomain name is the same, enter a wildcard domain name to be protected. For example, if the server IP addresses corresponding to a.example.com, b.example.com, and c.example.com are the same, Domain Name can be set to a wildcard domain name *.example.com.

● If the server IP addresses of subdomain names are different, add subdomain names as single domain names one by one.


NOTE

You are advised to set the added domain name to be protected to be the same as the domain name that is set at the DNS provider.

3.6 What Are the Precautions for Configuring Multiple IP Addresses for Backend Servers?

● The service ports to be protected must be the same if you want to configure multiple backend server IP addresses to the same domain name.

● When a domain name is added, WAF supports addition of multiple server IP addresses. WAF routes legitimate requests back to origin servers in polling mode, reducing the pressure on the servers and protecting the origin servers. For example, two backend server IP addresses (IP-A and IP-B) are added. When there are 10 requests for accessing the domain name, five requests are forwarded by WAF to the server identified by IP-A, and the other five requests are forwarded by WAF to the server identified by IP-B.

3.7 How Do I Route Website Traffic Through WAF?

After adding your website to WAF, you need to connect the domain to WAF so that the traffic passes through WAF. After the traffic is routed through WAF, WAF helps you filter malicious requests and forward legitimate requests to the origin server.

How WAF Works

● No proxy used

DNS resolves your domain name to the origin server IP address before the site is connected to WAF. DNS resolves your domain name to the CNAME of WAF after the site is connected to WAF. Then WAF inspects the incoming traffic and filters out malicious traffic.

● A proxy (such as anti-DDoS service) used

If a proxy such as anti-DDoS service is used on your site before it is connected to WAF, DNS resolves the domain name of your site to the anti-DDoS IP address. The traffic goes to the anti-DDoS service and the anti-DDoS service then routes the traffic back to the origin server. After your website is connected to WAF, you need to change the back-to-source address of the proxy (such as anti-DDoS service) to the CNAME of WAF. In this way, the proxy forwards the traffic to WAF. WAF then filters out illegitimate traffic and only routes legitimate traffic back to the origin server.


NOTE

● To ensure that WAF can properly forward requests, you are advised to perform local verification by referring to Testing WAF before modifying the DNS configuration.

● To prevent other users from configuring your domain names on WAF in advance (this will cause interference on your domain name protection), you are advised to add the subdomain name and TXT record on your DNS management platform. WAF can determine which user owns the domain name based on the subdomain name and TXT record. For details about the configuration method, see What Are the Impacts If a Subdomain Name and TXT Record Are Not Configured?

Operation Guide

After a domain name is added, WAF generates a CNAME value, or a CNAME, subdomain name, and TXT record, for DNS to resolve the domain name to WAF so that website traffic can pass through WAF for detection. For details, see Table 3-2.

Table 3-2 Operation guide

| Scenario | Generated Parameter Value | Operation Related to Domain Name Resolution |
|---|---|---|
| No proxy used | CNAME | The DNS obtains the CNAME of WAF. |
| Proxy used | CNAME, subdomain name, and TXT record | Change the back-to-source IP address of the proxy, such as anti-DDoS service, to the CNAME of WAF. (Optional) Add a WAF subdomain name and TXT record at your DNS provider. |

Procedure

For details, see Connecting a Domain Name to WAF.

3.8 How Do I Configure the Client Protocol and Server Protocol?

This FAQ describes how to configure the client and server protocol.

WAF provides various protocol types. Use www.example.com as an example. You can configure your WAF instance using any of the following methods:

HTTP Access - 302 Redirection Response

Set Client Protocol and Server Protocol to HTTP. Figure 3-2 shows an example.


NOTICE

This configuration allows web visitors to access your website over HTTP only. If they access over HTTPS, they receive the 302 Found code and are redirected to http://www.example.com.

Figure 3-2 HTTP mode

HTTPS Forcible Conversion

Set Client Protocol and Server Protocol to HTTPS. Figure 3-3 shows an example. When the HTTP protocol is used to access the server, all initial client requests are forcibly converted from HTTP to HTTPS.

NOTICE

● If web visitors access your website over HTTPS, the website returns a successful response.

● If web visitors access your website over HTTP, the system will output code 302 Found and your request will be redirected to https://www.example.com.

Figure 3-3 HTTPS mode

HTTP and HTTPS

Set Client Protocol and Server Protocol. Figure 3-4 shows an example.


NOTICE

● If web visitors access your website over HTTP, the website returns a successful response but no communication between the browser and website is encrypted.

● If web visitors access your website over HTTPS, the website returns a successful response and all communications between the browser and website are encrypted.

Figure 3-4 HTTP and HTTPS mode

HTTPS Offloading

Set Client Protocol to HTTPS and Server Protocol to HTTP. Figure 3-5 shows an example.

NOTICE

If web visitors access your website over HTTPS, WAF forwards the requests to your origin server over HTTP.

Figure 3-5 HTTPS offloading


3.9 What Are the Differences Between the Old and New CNAMEs?

Background

WAF upgrades CNAMEs to improve the reliability of domain name resolution.

To ensure that an added domain name can be used properly, WAF retains the old CNAME on the basic information page of the added domain name and displays the new CNAME, as shown in Figure 3-6.

Figure 3-6 New CNAME

Differences Between the Old and New CNAMEs

The new CNAME provides the resolution function for two heterogeneous active/active DNSs, improving the reliability of domain name resolution.

It is recommended that you select a new CNAME during domain name resolution.

3.10 Can I Set the IP Address of the Origin Server to a CNAME?

Yes. If the IP address of the origin server is set to a CNAME, additional DNS resolution is performed after a domain name is added. That is, the CNAME is resolved to an IP address first. DNS resolution increases the delay. Therefore, you are advised to set the origin server address to a public network IP address.

For details about how to add a domain name, see Adding a Domain Name.

3.11 Can I Access a Website Using an IP Address After a Domain Name Is Connected to WAF?

After a domain name is connected to WAF, you can enter the origin server IP address in the address bar of the browser to access the website. However, your origin server IP address is easily exposed. As a result, attackers can bypass WAF and attack your origin server.

You are advised to configure origin server protection according to the instructions in Origin Server Protection.


3.12 How Do I Configure Non-standard Ports When Adding a Protected Domain Name?

Configuration Example 1: Protecting Standard Port Services of Different Origin Server IP Addresses on the Same Port

1. Deselect Non-standard Port.

2. Select HTTP or HTTPS for Client Protocol. Figure 3-7 and Figure 3-8 show the HTTP and HTTPS protection configurations of port 80 and port 443, respectively.

Figure 3-7 Port 80

Figure 3-8 Port 443

NOTE

If Client Protocol is set to HTTPS, you need to configure a certificate.

3. When accessing a website, your website visitors can access the website without adding a port number to the end of the domain name. For example, enter http://www.example.com in the address box of the browser to access the website.

Configuration Example 2: Protecting Non-Standard Port Services of Different Origin Server IP Addresses on the Same Port

1. Select Non-standard Port and select a non-standard port to be protected from the Port drop-down list. For details about the non-standard ports supported by WAF, see Which Non-Standard Ports Does WAF Support?


2. Select HTTP or HTTPS for Client Protocol for all server ports. Figure 3-9 and Figure 3-10 show the configuration of non-standard HTTP or HTTPS port, respectively.

Figure 3-9 Other HTTP port besides port 80

Figure 3-10 Other HTTPS port besides port 443

NOTE

If Client Protocol is set to HTTPS, you need to configure a certificate.

3. When accessing a website, your website visitor must add the configured non-standard port to the domain name. Otherwise, error 404 is returned. If the non-standard port is 8080, enter http://www.example.com:8080 in the address box of the browser.

Configuration Example 3: Protecting Different Service Ports

If the service ports to be protected are different, configure the ports separately. For example, to protect ports 8080 and 6443 for your site www.example.com, do the configurations shown in Figure 3-11 and Figure 3-12.


Figure 3-11 Protecting port 8080

Figure 3-12 Protecting port 6443

3.13 How Can I Forward Requests Directly to the Origin Server Without Passing Through WAF?

When you switch the Mode of a WAF instance to Bypassed, requests are directly sent to the original backend server without passing through WAF. The bypass mode takes effect 3 to 5 minutes after the switchover.

Switch the mode to Bypassed only if one of the following conditions is met:

● Services need to be restored to the status where the domain is not connected to WAF.

● You need to check for website malfunctions, such as 502, 504, or other incompatibility issues.

● No proxy is configured between the client and WAF.

Procedure

Step 1 Log in to the management console.

Step 2 Click in the upper left corner of the management console and select a region or project.


Step 3 Click in the upper left corner and choose Web Application Firewall under Security.

Step 4 In the navigation pane, choose Website Settings.

Step 5 In the row containing the desired website, click Switch Mode in the Mode column.

Step 6 In the Switch Mode dialog box, select the working mode and then click OK.

----End

3.14 Why Cannot the Protection Mode Be Enabled After a Domain Name Is Connected to WAF?

Another tenant has configured the same domain name in WAF. As a result, the domain name ownership is occupied by another tenant. In this case, add a subdomain name and configure a TXT record for the subdomain name at your DNS provider. For details, see What Are the Impacts If a Subdomain Name and TXT Record Are Not Configured?

3.15 How Do I Test WAF?

Before directing the traffic to WAF, you are advised to perform local verification to ensure that all configurations are correct.

Before testing WAF, ensure that the protocol, address, and port number used by the origin server of the domain name (for example, www.example5.com) are correct, as are the uploaded certificate file and private key if Client Protocol is HTTPS.

For details, see Testing WAF.

3.16 How Do I Configure the TXT Record on HUAWEI CLOUD DNS Service?

After you add the domain name of the proxy, such as Advanced Anti-DDoS (AAD), in WAF, configure the subdomain name and TXT record at your DNS provider to protect your domain names. If other users configure the same domain name in WAF, your protection for the domain name will be adversely affected.

If you use the DNS service on HUAWEI CLOUD, enclose the TXT record in double quotation marks ("") and paste it in the text box, for example, "37c795804124dd4a0dd88defff8941f".


Figure 3-13 Adding a record set

For details about how to configure a subdomain name and TXT record on the DNS service on HUAWEI CLOUD, see What Are the Impacts If a Subdomain Name and TXT Record Are Not Configured?

3.17 How Do I Query a Domain Name Provider?

By querying domain registration information, you can confirm the information about the DNS servers of a domain name and then perform authentication by DNS based on the DNS server information.

Procedure

Step 1 Open a browser and visit https://whois.domaintools.com/.

Step 2 Enter the domain name to be queried and click Search. The domain name registration details page is displayed.

Step 3 In the displayed information, check Name Servers to determine the DNS servers of the domain name.

If a Name Servers value similar to the one in Figure 3-14 is displayed, the DNS servers of the domain name are provided by HUAWEI CLOUD.


Figure 3-14 Name Servers

Perform the verification based on the DNS servers of the domain name as follows:

● If the DNS servers of the domain name are provided by HUAWEI CLOUD, perform the verification on HUAWEI CLOUD by referring to How Do I Perform Verification Using HUAWEI CLOUD DNS?

● If the DNS servers of the domain name are not provided by HUAWEI CLOUD, verify whether you want to migrate the domain from another DNS service provider to HUAWEI CLOUD DNS.

– If yes, perform the following operations:

i. Migrate the domain name from another DNS service provider to HUAWEI CLOUD DNS.

ii. Perform the verification on HUAWEI CLOUD by referring to How Do I Perform Verification Using HUAWEI CLOUD DNS?

– If not, perform the verification on the corresponding platform. For example, if your domain name is hosted on Alibaba Cloud, perform the verification on Alibaba Cloud.

----End

3.18 What Are the Impacts If a Subdomain Name and TXT Record Are Not Configured?

After you add the domain name of the proxy, such as Advanced Anti-DDoS, in WAF, if the subdomain name and TXT record are not configured at your DNS provider and other users configure the same domain name in WAF, your domain name protection will be interfered with.

How to Determine

The target domain name is in gray in the domain name list, and the working mode is Suspended and cannot be switched to Enabled. If this symptom occurs, your domain name has been occupied by another user.

Solution

Go to your DNS provider, add a subdomain name, and configure a TXT record for the subdomain name. The following uses the target domain name www.example.com as an example to describe how to configure the DNS service on HUAWEI CLOUD.

Step 1 Obtain the values of Subdomain Name and TXT Record.

1. Log in to the management console.


2. Click in the upper left corner of the management console and choose Security > Web Application Firewall. In the navigation pane, choose Website Settings.

3. In the Domain Name column, click the target domain name www.example.com to go to the Basic Information page.

4. Locate the Access Status row and click How to Access.

Figure 3-15 Domain name access information

NOTE

If a domain name that uses a proxy, such as Advanced Anti-DDoS (AAD), has been added to WAF, the value of Proxy Configured is Yes.

5. In the displayed dialog box, click to copy the value of TXT Record.

Figure 3-16 Copying TXT Record

Step 2 Add a WAF subdomain name and TXT record at your DNS provider.

1. In the Operation column of the target domain name www.example.com, click Add Record Set.

Figure 3-17 DNS page


2. In the upper right corner of the displayed page, click Add Record Set to go to the Add Record Set page.
– Name: Paste the TXT record copied in Step 1.5 to the text box.
– Type: Select TXT – Specify text records.
– Alias: Select No.
– Line: Select Default.
– TTL (s): The recommended value is 5 min. A larger TTL value will make it slower for synchronization and update of DNS records.
– Value: Add quotation marks to the TXT record copied from Step 1.5 and paste them in the text box, for example, "37c795804124dd4a0dd88defff8941f".
– Keep other settings unchanged.

Figure 3-18 Adding a record set

3. Click OK.

----End

3.19 How Do I Perform Verification Using HUAWEI CLOUD DNS?

Verification by DNS typically requires operations from your domain name administrator. If you are managing your domain name on HUAWEI CLOUD and the domain name is in your account, perform the verification using HUAWEI CLOUD DNS.

NOTICE

If you are managing your domain name on another domain management platform (such as www.net.cn, www.xinnet.com, and www.dnspod.cn), perform the verification on the corresponding platform. For example, if your domain name is hosted on Alibaba Cloud, perform the verification on Alibaba Cloud.

In the following procedure, a TXT record 2019030700000022ams1xbyevdn4jvahact9xzpicb565k9443mryw2qe99mbzpb is added to domain name domain.com to show how to perform the verification using HUAWEI CLOUD DNS.

Prerequisites

● You have obtained a username and its password for logging in to the management console.

● You have obtained the configuration information (host record and record value) required for domain name verification.

Procedure

Step 1 Log in to the management console.

Step 2 In the upper left corner of the console, click and choose Domain Name Service under Network. In the navigation pane on the left, choose DNS Resolution > Public Zones to display the public zones.

Figure 3-19 Public Zones page

Step 3 In the upper right corner of the page, click Create Public Zone. The Create Public Zone page is displayed.


Figure 3-20 Creating a public zone

Step 4 In the Name box, enter the domain name to be resolved domain.com and click OK.

Step 5 In the public zone list, click the domain name. The record set of the domain is displayed.

Figure 3-21 List of record sets

Step 6 In the upper right corner of the page, click Add Record Set. The Add Record Set page is displayed. Table 3-3 describes the parameters.


Figure 3-22 Adding a record set

Table 3-3 Parameters for adding a record set

| Parameter | Description | Example Value |
| --- | --- | --- |
| Name | Host record corresponding to the domain name (You do not need to manually add the suffix.) | _dnsauth |
| Type | Record set type. Set this parameter to TXT – Specify text records. | TXT – Specify text records |
| Alias | Whether to associate the record set with a cloud resource name | No |
| Line | Used when the DNS server is resolving a domain name. It returns the IP address of the server according to the visitor source. You must add a Default line to ensure that the website is accessible to all users. Default is selected by default. | Default |
| TTL (s) | Caching period of the record set, in seconds. The default value is 5 min. | 5 min |
| Value | Indicates the host record value corresponding to the domain. Use quotation marks when entering the record value. | "2019030700000022ams1xbyevdn4jvahact9xzpicb565k9443mryw2qe99mbzpb" |
| Weight | The parameter is optional. Weight of the record set. The default value is 1. The value ranges from 0 to 100. When multiple record sets of the same name and line are created in a zone, the one with a larger weight takes effect in priority. | 1 |
| Tag | The parameter is optional. This item is displayed when you switch on Other Settings. This parameter indicates the identifier of a resource. Each tag contains a key and a value. You can add 10 tags at most to a record set. | - |
| Description | The parameter is optional. Description of the domain name. This item is displayed when you switch on Other Settings. | - |

Step 7 Click OK.

If the status of the record set is Normal, it indicates that the record set is added successfully.

NOTE

DNS configuration records can be deleted only after the certificate is issued or revoked.

----End


3.20 What Can I Do If the Message "Illegal server address" Is Displayed When I Add a Domain Name?

Symptom

When a user adds a domain name to be protected, the system displays a message indicating that the origin server address is invalid. Figure 3-23 shows an example.

Figure 3-23 Illegal server address

Possible Causes

● Server Address is set to a private IP address reserved for internal use.

● Server Address and Domain Name are set to the same IP address.

Solution

Set the Server Address to the actual origin server IP address (public IP address) or an independent back-to-source domain name, which cannot be the same as the protected domain name.


4 Service Interruption Check

4.1 How Do I Troubleshoot 404/502/504 Errors?

If an error, such as 404 Not Found, 502 Bad Gateway, or 504 Gateway Timeout, occurs after a domain name is connected to WAF, use the following methods to locate the cause and resolve the error:

404 Not Found

Scenario 1: When a visitor accesses your website, the page shown in Figure 4-1 is displayed.

Figure 4-1 404 page

Cause: The port added to a URL is incorrect.

● A non-standard port is configured when a protected domain name is added to WAF. No port is added or the origin server port instead of the non-standard port is used to access the website. For example, access https://www.example.com or https://www.example.com:80.


Figure 4-2 Configuration of a non-standard port

Solution: Add the non-standard port to the URL and access the origin server again, for example, https://www.example.com:8080.

● No non-standard port is configured when a protected domain name is added to WAF. A non-standard port or a port configured based on the origin server port is used to access the website. For example, access https://www.example.com:8080 when the protection service shown in Figure 4-3 is configured.

Figure 4-3 Non-standard port unconfigured

NOTE

If no non-standard port is configured, WAF protects services on port 80/443 by default. If you need to protect services on other ports, re-configure domain settings.

Solution: The domain name needs to be accessed directly. For example, https://www.example.com.

Scenario 2: When a visitor accesses your website, another 404 error page is displayed instead of the page shown in Figure 4-1.

Cause: The website does not exist or has been deleted.

Solution: Check your website.

502 Bad Gateway

Scenario: Website access is normal after the WAF configuration is complete. However, after a certain period of time, a 502 Bad Gateway error is reported frequently when accessing a page.

NOTE

If your web server is not deployed on HUAWEI CLOUD, consult your service provider about whether the server has default block settings. If yes, request the service provider to remove the default block settings.

Possible causes are as follows:


● Cause 1: Your website is using other security protection software. The software considers back-to-source IP addresses of WAF as malicious and blocks the requests forwarded by WAF. As a result, the site cannot be accessed.

Solution: Add the WAF IP address ranges to the whitelist of the firewall (hardware or software), security protection software, and rate limiting module by referring to How Do I Whitelist the WAF Back-to-Source IP Address Ranges?

● Cause 2: Multiple backend servers are configured. However, one backend server is unreachable.

Perform the following steps to check whether the origin server configuration is correct:

a. Log in to the management console, click Service List in the upper part of the page, and choose Security > Web Application Firewall.

b. In the navigation pane, choose Website Settings.

c. In the Protected Website column, click the target domain name to go to the Basic Information page.

d. In the Server Information area, click . On the displayed page, check whether the client protocol, server protocol, origin server address, and port number used by the origin server are correct.

Figure 4-4 Server configuration

e. Run the curl command on the host to check whether each origin server can be properly accessed, as shown in Figure 4-5.

    curl http://xx.xx.xx.xx:yy -kvv

xx.xx.xx.xx indicates the IP address of the origin server. yy indicates the port number of the origin server. xx.xx.xx.xx and yy must belong to the same origin server.

NOTE

● The host where the curl command can be run must meet the following requirements:

    ● The network communication is normal.

    ● The curl command has been installed. curl must be manually installed on the host running the Windows operating system. curl is installed along with other operating systems.

● You can also enter http://origin server address:origin server port in the address bar of the browser to check whether the origin server can be properly accessed.


Figure 4-5 Command output

If connection refused is displayed, the origin server is unreachable and the website cannot be accessed. Perform the following operations:

▪ Check whether the server is running properly. If it is not, restart the server.

▪ Add the WAF back-to-source IP address ranges to the whitelist of the firewall (hardware or software), security protection software, and rate limiting module by referring to How Do I Whitelist the WAF Back-to-Source IP Address Ranges?

● Cause 3: Origin server performance
Solution: Contact your website administrator to rectify the fault.

504 Gateway Timeout

Scenario: After the configuration of connecting a domain name to WAF is complete, your website works properly. However, with the increasing traffic volume, the number of 504 errors also increases. If you directly access the IP address of the origin server, the 504 error code is returned sometimes.

The possible causes are as follows:

● Cause 1: Backend server performance issues (such as too many connections or high CPU usage)
Solution:

a. Optimize the server configuration, including TCP network parameters and ulimit parameters.

b. To support increasing service volumes, use method 1 or method 2 to perform the processing.
Method 1: Add a backend server group to the ELB.
Method 2: Create an ELB. Use the EIP of ELB as the IP address of the server to connect to WAF.

i. Log in to the management console, click Service List in the upper part of the page, and choose Security > Web Application Firewall.

ii. In the navigation pane, choose Website Settings.

iii. In the Protected Website column, click the domain name to go to the Basic Information page.

iv. In the Server Information area, click . On the displayed page, click Add.

c. If the Client Protocol is HTTPS, you can use HTTPS on the WAF side. However, it is recommended that you use HTTP (Server Protocol) to forward the requests to your web server, lowering the computational demands on backend servers. For details about how to modify the server information, see Editing Server Information.

● Cause 2: The WAF back-to-source IP addresses are not whitelisted or your origin server port is not enabled.

Solution: Whitelist the WAF back-to-source IP addresses by following instructions in Origin Server Protection.

● Cause 3: The origin server has a firewall and the firewall blocks the WAF IP addresses.

Solution: Whitelist the WAF back-to-source IP addresses by following the instructions in Origin Server Protection or uninstall the firewall software except WAF.

● Cause 4: Connection timeout and read timeout

Solution: Contact technical support.

● Cause 5: The bandwidth of the origin server exceeds the upper limit.

Solution: Increase the bandwidth of the origin server.

4.2 How Do I Handle a False Alarm?

You can handle false alarms in the event log if they appear frequently. You can choose to ignore some URLs or rule IDs so that no alarms are reported or no blocking occurs when the URLs are attacked again.

Handle false alarms according to the instructions in Handling False Alarms.

4.3 What Is the Connection Timeout Duration of WAF? Can I Manually Set the Timeout Duration?

The timeout duration for the connection from the browser to the WAF engine is 120 seconds, and that from WAF to the customer's origin server is 60 seconds. The timeout duration cannot be manually set.

4.4 How Do I Whitelist the WAF Back-to-Source IP Address Ranges?

After your domain is connected to WAF, all requests are forwarded to WAF for inspection, and WAF returns the inspected traffic to the origin server. The process of returning traffic to the origin server through WAF is called back-to-source.

What are Back-to-Source IP Addresses?

From the perspective of a server, all web requests originate from WAF. The IP addresses used by WAF forwarding are back-to-source IP addresses of WAF. The real client IP address is written into the X-Forwarded-For (XFF) HTTP header field.


Figure 4-6 Back-to-source IP address

Why Do I Need to Whitelist the WAF IP Address Ranges?

All web requests originate from a limited quantity of WAF IP addresses. The security software on the origin server may easily regard these IP addresses as malicious and block them. Once WAF IP addresses are blocked, the website may fail to be accessed or it opens extremely slowly. Therefore, you need to add the WAF IP addresses to the whitelist of the security software.

NOTE

After your website is connected to WAF, you are advised to uninstall other security software from the origin server or allow only the requests from WAF to access your origin server. This ensures normal access and protects the origin server from hacking.

Procedure

Step 1 Log in to the management console.

Step 2 Click in the upper left corner of the management console and select a region or project.

Step 3 Click in the upper left corner and choose Web Application Firewall under Security.

Step 4 In the navigation pane, choose Website Settings.

Step 5 On the left of the website list, click WAF Back-to-Source IP Addresses.

NOTE

The back-to-source IP addresses are periodically updated. Whitelist the new IP addresses in time to prevent these IP addresses from being blocked.

Figure 4-7 WAF Back-to-Source IP Addresses

Step 6 In the displayed dialog box, click Copy to copy all the addresses.

Figure 4-8 WAF Back-to-Source IP Addresses dialog box

Step 7 Open the security software on the origin server and add the copied IP addresses to the whitelist.

----End
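The origin-side logic this section implies, as an added example that is not part of the Huawei documentation: accept connections only from the WAF back-to-source ranges, read the client address from X-Forwarded-For only on those connections, and compare the installed whitelist with a freshly copied list. The ranges are constructed documentation networks, the separator format of the copied list is an assumption, and so is the premise that WAF appends the client address it saw to any X-Forwarded-For value already present.

```python
import ipaddress
import re

# Constructed sample of the text copied from the console dialog box
# (RFC 5737 documentation networks, not real WAF addresses).
COPIED_FROM_CONSOLE = "192.0.2.0/24, 198.51.100.0/25"


def parse_ranges(copied_text):
    """Turn the copied list into network objects.

    Assumption: entries are IP addresses or CIDR blocks separated by
    commas, semicolons or whitespace.
    """
    entries = [e for e in re.split(r"[,;\s]+", copied_text.strip()) if e]
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def in_ranges(ip_text, ranges):
    """True if ip_text is a valid address inside one of the ranges."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return False
    return any(ip in net for net in ranges)


def real_client_ip(peer_ip, xff_header, ranges):
    """Return the client address for a request, or None to reject it.

    A peer outside the WAF ranges did not come through WAF: reject it and
    never read its X-Forwarded-For, which the sender fully controls.
    For a WAF peer, walk the header from the right and return the first
    hop that is not itself a WAF address (assumes WAF appends the address
    it saw, so values further left may be client-supplied).
    """
    if not in_ranges(peer_ip, ranges):
        return None
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed hop: stop trusting the header
        if not in_ranges(hop, ranges):
            return hop
    return peer_ip  # no usable header: fall back to the connecting address


def allowlist_changes(installed_text, copied_text):
    """Ranges to add and ranges to remove after the console list changes."""
    installed = set(parse_ranges(installed_text))
    copied = set(parse_ranges(copied_text))
    return (sorted(copied - installed, key=str),
            sorted(installed - copied, key=str))


WAF_RANGES = parse_ranges(COPIED_FROM_CONSOLE)

if __name__ == "__main__":
    # Request forwarded by WAF, with a spoofed left-most entry.
    print(real_client_ip("192.0.2.10", "10.9.9.9, 203.0.113.7", WAF_RANGES))
    # Direct connection that bypassed WAF.
    print(real_client_ip("203.0.113.50", "10.9.9.9", WAF_RANGES))
    # Whitelist installed earlier versus the list copied today.
    print(allowlist_changes("192.0.2.0/24 203.0.113.0/24", COPIED_FROM_CONSOLE))
```
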

4.5 How Do I Solve the Problem of Excessive Redirection Times?

After a domain name is connected to WAF, a user who requests the domain name may see a message indicating excessive redirection times. The possible cause is that forcible redirection from HTTP to HTTPS is configured on the backend server while forwarding from HTTPS (client protocol) to HTTP (server protocol) is configured on WAF. WAF is then forced to redirect user requests, causing an infinite loop. To fix this, edit the server information in WAF. For details, see Editing Server Information. Configure two pieces of server information: HTTP (client protocol) to HTTP (server protocol), and HTTPS (client protocol) to HTTPS (server protocol). Figure 4-9 shows the server information after the configuration is complete.

Figure 4-9 Example configuration
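A small model of the loop and of the fix, added here as an illustration and not taken from the WAF product: the origin redirects every plain-HTTP request to HTTPS, and WAF maps the client protocol to a server protocol according to its forwarding table. The 20-redirect client limit and all function names are assumptions of the example.

```python
MAX_REDIRECTS = 20  # assumed client limit before it reports "too many redirects"

# Forwarding tables: client protocol -> server protocol used towards the origin.
LOOPING = {"https": "http"}                 # HTTPS terminated at WAF, HTTP to origin
FIXED = {"http": "http", "https": "https"}  # the two entries recommended above


def origin_response(server_protocol):
    """Origin that forces HTTPS: a plain-HTTP request is answered with a redirect."""
    if server_protocol == "http":
        return 301, "https"   # Location points at the https:// URL
    return 200, None


def fetch(client_protocol, forwarding, max_redirects=MAX_REDIRECTS):
    """Follow redirects through WAF and return (outcome, hops).

    Each hop is (client protocol, server protocol, status seen by the client).
    """
    hops = []
    protocol = client_protocol
    for _ in range(max_redirects + 1):
        server_protocol = forwarding.get(protocol)
        if server_protocol is None:
            return "no forwarding rule for " + protocol, hops
        status, location = origin_response(server_protocol)
        hops.append((protocol, server_protocol, status))
        if status == 200:
            return "ok", hops
        protocol = location   # the client retries with the redirect target
    return "too many redirects", hops


if __name__ == "__main__":
    outcome, hops = fetch("https", LOOPING)
    print(outcome, "after", len(hops), "requests; first hop:", hops[0])
    print(fetch("http", FIXED))
    print(fetch("https", FIXED))
```

With the looping table the origin never sees HTTPS, so every answer is another redirect to the same URL; with both entries the second request reaches the origin over HTTPS and is served.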

4.6 How Do I Solve the Problem that HTTPS Requests Fail on Some Mobile Phones?

Open the browser on a mobile phone and access https://www.defix.cn. If the page shown in Figure 4-10 is displayed, HTTPS requests fail on the mobile phone because the uploaded certificate chain is incomplete. Rectify the fault by referring to How Do I Fix an Incomplete Certificate Chain?

Figure 4-10 Access failed

4.7 How Do I Fix an Incomplete Certificate Chain?

If the certificate provided by the certificate authority is not found in the built-in trust store on your platform and the certificate chain does not have a certificate authority, the certificate is incomplete. If you use the incomplete certificate to access the website corresponding to the protected domain name, the access will fail.

Use either of the following methods to fix it:

● Manually build up a complete certificate chain and upload the certificate. (This function is available soon.)

● Purchase a new certificate and upload it.

The latest Chrome version supports automatic verification of the trust chain. The following uses a Huawei certificate as an example to describe how to manually create a complete certificate chain:

Step 1 Check the certificate. Click the padlock in the address bar to view the certificate status.

Figure 4-11 Viewing the certificate

Step 2 Check the certificate chain. Click Certificate. Select the Certificate Path tab and then click the certificate name to view the certificate status.

Figure 4-12 Viewing the certificate chain

Step 3 Save the certificates to the local PC one by one. Select the certificate name and click the Details tab.

Figure 4-13 Details

Step 4 Click Copy to File, and then click Next as prompted.

Step 5 Select Base-64 encoded X.509 (.CER) and click Next.

Figure 4-14 Certificate Export Wizard

Step 6 After all certificates are exported to the local PC, open the certificate file in Notepad and rebuild the certificate according to the sequence shown in Figure 4-15.

Figure 4-15 Certificate rebuilding

Step 7 Upload the certificate again.

----End

4.8 What Should I Do If the Program Access Page Fails to Respond After the HTTP Forwarding Policy Is Configured?

If the page fails to respond after the HTTP forwarding policy is configured, add HTTP to HTTP and HTTPS to HTTPS forwarding protocol rules.

For details about how to configure a forwarding rule, see How Do I Solve the Problem of Excessive Redirection Times?

4.9 What Can I Do If the Verification Code Cannot Be Refreshed After Verification Code Is Configured in a CC Attack Protection Rule?

Symptom

After you add a CC attack rule with Protective Action set to Verification code on WAF, the verification code cannot be refreshed and the verification fails when the website is requested.

Figure 4-16 Verification failed

After Verification code is configured, a verification code is required when the number of requests exceeds the maximum limit within a specified period. Upon completing the verification, the access limit is lifted.

For details about how to configure a CC attack protection rule, see Configuring CC Attack Protection Rules.

Possible Causes

When a domain name is connected to both WAF and Content Delivery Network (CDN), and the value for Path of the CC attack protection rule contains a static page, the static page is cached by CDN. As a result, the verification code cannot be refreshed and the verification fails.

Solution

In CDN, configure cache policies to bypass the cache for static URLs.

NOTICE

After the configuration is complete, it takes 3 to 5 minutes for the configured cache policies to take effect.

Step 1 Log in to the management console.

Step 2 Click in the upper left corner of the management console and select a region or project.

Step 3 Click in the upper left corner of the page, under Storage, select CDN.

Step 4 In the navigation pane, choose Domains.

Step 5 In the Domain Name column, click the name of the target domain name.

Step 6 Click the Cache Settings tab and click Edit.

Step 7 In the displayed Configure Cache Policy dialog box, click Add below the policy list to add two cache policy rules. For parameter description, see Table 4-1.

Figure 4-17 Configure Cache Policy

Table 4-1 Parameters for configuring static URL cache policy

Parameter | Configuration Description

Type | Select Full path.

Content | The content of the two policies to be added are as follows:
● /verifydwhzqcp-captcha
● /getdwhzqcp-captcha.jpg

Priority | Set the two policies to the highest priority.

Maximum Age | Set this parameter to 0 seconds, indicating that static URLs are not cached.

Step 8 Click OK.

Figure 4-18 Configured cache policies

After the configuration is complete, it takes 3 to 5 minutes for the configured cache policies to take effect.

----End

5 Rule Configuration

5.1 In Which Situations Will the WAF Policies Fail?

Normally, all requests destined for your site will pass through WAF. However, if your site is using CDN and WAF, the WAF policy targeted at the requests for caching static content will not take effect because CDN answers these requests directly and returns the content to the client.

5.2 How Do I Switch the Mode of Basic Web Protection from Log Only to Block?

This FAQ guides you to switch the mode of basic web protection to Block.

Perform the following operations:

Step 1 Log in to the management console.

Step 2 Click in the upper left corner of the management console and select a region or project.

Step 3 Click in the upper left corner and choose Web Application Firewall under Security.

Step 4 In the navigation pane, choose Website Settings.

Step 5 In the Policy column of the row containing the target domain name, click Configure Policy.

Step 6 In the Basic Web Protection configuration area shown in Figure 5-1, select Block for Mode. Table 5-1 describes the parameters.

Figure 5-1 Basic Web Protection configuration area

Table 5-1 Parameter description

Parameter | Description

Status | Status of Basic Web Protection: enabled or disabled.

Mode |
● Block: WAF blocks and logs detected attacks.
● Log only: WAF logs detected attacks only.

NOTICE

Log only and Block are merely modes of basic web protection. CC attack protection and precise protection have their own protective actions.

----End

5.3 When Is Cookie Used to Identify Users?

During the configuration of a CC attack protection rule, if IP addresses cannot identify users precisely, for example, when many users share an egress IP address, use Cookie to identify users.

If the cookie contains key values, such as the session value, of users, the key value can be used as the basis for identifying users.

NOTICE

Cookie-based identification may not be supported if the URL request configured in a CC attack protection policy is an API called by another service.

5.4 How Do I Configure a CC Attack Protection Rule?

When a service interface is under an HTTP flood attack, you can set a CC attack protection rule on the WAF console to relieve service pressure.

WAF provides the following settings for a CC attack protection rule:

● Number of requests allowed from a web visitor in a specified period
● Identification of web visitors based on the IP address, cookie, or Referer field.
● Action when the maximum limit is reached, such as Block or Verification code

For details about configuration rules, see Configuring CC Attack Protection Rules.

5.5 What Are the Differences Between Rate Limit and Allowable Frequency in a CC Rule?

When configuring a CC protection rule, if Advanced is selected for Mode and Block dynamically is selected for Protection Action, you need to set both Rate Limit and Allowable Frequency.

Differences

● The rate limit period of Allowable Frequency is the same as that of Rate Limit.

● Allowable Frequency is lower than or equal to Rate Limit, and Allowable Frequency can be 0.

Block Principle

If the access request frequency exceeds Rate Limit in a rate limit period, triggering blocking, the system dynamically adjusts the blocking threshold to Allowable Frequency in the next rate limit period. If Allowable Frequency is 0, all requests that meet the rule conditions in the next period are blocked after blocking is triggered in the previous period.
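The block principle above, together with the choice of visitor identifier discussed in 5.3, as an added simulation that is not WAF's own code. It assumes fixed rate limit periods, that requests up to the threshold in force pass and the rest are blocked, and that each period is compared with Rate Limit again to decide the next period's threshold (the page does not say what follows the adjusted period); the traffic sample is constructed.

```python
from collections import Counter, defaultdict


def build_sample():
    """Constructed traffic: (period number, source IP, session cookie value).

    Three office users share one egress IP and send 4 requests each per
    period; one flooding client sends 30 requests in periods 0 and 1.
    """
    requests = []
    for period in (0, 1):
        for session in ("s1", "s2", "s3"):
            requests += [(period, "203.0.113.5", session)] * 4
        requests += [(period, "198.51.100.9", "bot")] * 30
    requests += [(2, "198.51.100.9", "bot")] * 2
    return requests


def apply_rule(requests, identify_by, rate_limit, allowable_frequency):
    """Return {visitor: [(period, threshold, passed, blocked), ...]}.

    identify_by is "ip" or "cookie". The threshold starts at Rate Limit;
    after a period in which the visitor exceeded Rate Limit, the next
    period is limited to Allowable Frequency instead.
    """
    if not 0 <= allowable_frequency <= rate_limit:
        raise ValueError("Allowable Frequency must be between 0 and Rate Limit")
    field = {"ip": 1, "cookie": 2}[identify_by]

    counts = defaultdict(Counter)   # visitor -> {period: number of requests}
    for request in requests:
        counts[request[field]][request[0]] += 1
    last_period = max(request[0] for request in requests)

    report = {}
    for visitor, per_period in counts.items():
        threshold, rows = rate_limit, []
        for period in range(last_period + 1):
            count = per_period[period]
            passed = min(count, threshold)
            rows.append((period, threshold, passed, count - passed))
            # Exceeding Rate Limit triggers blocking for the next period.
            threshold = allowable_frequency if count > rate_limit else rate_limit
        report[visitor] = rows
    return report


if __name__ == "__main__":
    sample = build_sample()
    for mode in ("ip", "cookie"):
        print("identify by", mode)
        for visitor, rows in apply_rule(sample, mode, 10, 2).items():
            print("  ", visitor, rows)
```

Identified by IP, the three office users together exceed the limit and are throttled as one visitor; identified by cookie, only the flooding session is.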

5.6 What Do I Do If a Scanner, such as AppScan, Detects that the Cookie Is Missing Secure or HttpOnly?

Cookies are inserted by back-end web servers and can be implemented through framework configuration or set-cookie. The Secure and HttpOnly attributes in cookies help defend against attacks, such as XSS attacks that obtain cookies, and against cookie hijacking.

If the AppScan scanner, after scanning the website, detects that the customer site does not insert security configuration fields, such as HttpOnly and Secure, into the cookie of the scan request, it records them as security threats.

WAF does not provide such compliance functions. The website administrator needs to perform related security configuration at the backend.
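A check an administrator can run on a captured response before and after changing the backend, added here as an example and not part of WAF or AppScan: it lists which Set-Cookie headers lack Secure or HttpOnly and shows the corrected header value. The response text and function names are constructed for the example.

```python
# Constructed HTTP response as the backend might send it.
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/\r\n"
    "Set-Cookie: theme=dark; Path=/; secure\r\n"
    "set-cookie: csrftoken=xyz; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html>...</html>"
)

REQUIRED_FLAGS = ("Secure", "HttpOnly")


def set_cookie_values(raw_response):
    """Return the value of every Set-Cookie header (header names are case-insensitive)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def missing_flags(value):
    """Flags from REQUIRED_FLAGS that one Set-Cookie value does not carry."""
    parts = [p.strip() for p in value.split(";")]
    # parts[0] is name=value; the rest are attributes, matched case-insensitively.
    attributes = {p.partition("=")[0].strip().lower() for p in parts[1:]}
    return [flag for flag in REQUIRED_FLAGS if flag.lower() not in attributes]


def audit(raw_response):
    """Map each cookie name to the list of flags it is missing."""
    return {
        value.partition("=")[0].strip(): missing_flags(value)
        for value in set_cookie_values(raw_response)
    }


def harden(value):
    """Return the Set-Cookie value with the missing flags appended."""
    return "; ".join([value.rstrip("; ")] + missing_flags(value))


if __name__ == "__main__":
    for name, missing in audit(RAW_RESPONSE).items():
        print(name, "missing:", ", ".join(missing) or "nothing")
    for value in set_cookie_values(RAW_RESPONSE):
        print("Set-Cookie:", harden(value))
```

A cookie that client-side script has to read cannot carry HttpOnly, so apply the corrected value cookie by cookie in the framework configuration.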

5.7 Is the Path of a WAF Protection Rule Case-sensitive?

All paths configured for protection rules of WAF are case-sensitive.

5.8 Can I Export or Back Up the WAF Configuration?

The current WAF configuration cannot be exported or backed up.

5.9 Can a Precise Protection Rule Take Effect in a Specified Period?

WAF does not allow precise protection access rules to take effect in a specified period.

You can set precise protection rules to filter access requests based on a combination of common HTTP fields (such as IP address, path, Referer, User Agent, and Params) to allow or block the requests that match the conditions.

For details about how to configure them, see Configuring Precise Protection Rules.

5.10 Which Protection Levels Can Be Set for Basic Web Protection?

WAF provides three basic web protection levels: Low, Medium, and High. The default option is Medium. Table 5-2 describes the protection levels.

Table 5-2 Protection levels

Protection Level | Description

Low | WAF only blocks the requests with obvious attack signatures. If a large number of false alarms are reported, Low is recommended.

Medium | The default level is Medium, which meets a majority of web protection requirements.

High | WAF blocks the requests that have no attack signature but show specific attack patterns. High is recommended if you want to block SQL injection, XSS, and command injection attacks.

For details about how to configure a basic web protection rule, see Configuring Basic Web Protection Rules.

5.11 Why No Logs Are Found for Some Requests Blocked by WAF After Anti-Crawler Is Enabled?

After you enable the anti-crawler protection, WAF responds to the first access request to the domain name by returning JavaScript code to the client browser, and then checks whether the request is from a valid browser or a crawler based on the data resolved and returned by the client browser.

The normal detection process of the anti-crawler protection is as follows:

1. An initial client request to the website is sent to WAF first.
2. WAF returns JavaScript code to the client.
3. The client resolves the JavaScript code and returns the execution result to WAF.
4. WAF checks whether the client of the request is a valid browser based on the result returned by the client.
– If it is valid, WAF sends the request to the origin server.
– If it is invalid, WAF generates an alarm log.

NOTICE

● To enable the anti-crawler protection, the browser on the client must have JavaScript and cookies enabled.

● If JavaScript and cookies are not supported by the client browser, only steps 1 and 2 can be performed. As a result, the following problems occur:
– The client fails to get the requested pages.
– No logs are recorded in WAF because the client does not send the execution result of parsing the JavaScript code.
Check your services. If your website can be accessed by means other than a browser, the anti-crawler protection is not recommended.

6 Protection Logging

6.1 Does WAF Provide the Log Service?

The storage duration depends on your choices. You can store WAF logs in Log Tank Service (LTS) for seven days by default and up to 30 days by additional custom configuration. Logs earlier than 30 days will be deleted automatically by LTS. If you need long-term storage, enable the log transfer function in LTS to dump those logs to Object Storage Service (OBS) buckets or enable Data Ingestion Service (DIS).

For details about how to enable LTS in WAF, see Enabling LTS for WAF Protection Event Logging.

6.2 Can WAF Logs Be Obtained Using APIs?

Currently, protection logs of WAF cannot be obtained using APIs. You can download protection events on the WAF console. For details, see Downloading Events Data.

6.3 How Do I Obtain Data about Block Actions?

WAF allows you to download the attack events (log-only and block events) data of all protected domain names over the past five days. A CSV file of the protection event data for the current day will be generated at the beginning of the next day.

For details about how to obtain blocked data, see Downloading Events Data.

6.4 Can WAF Logs Be Transferred to OBS?

You can authorize WAF to access LTS and enable the LTS log transfer function to dump WAF logs to OBS buckets.

For details about how to enable LTS in WAF, see Enabling LTS for WAF Protection Event Logging.

6.5 How Long Can WAF Protection Logs Be Stored?

On the WAF console, you can view protection logs of the last 30 days and download protection logs of the last 5 days for all protected domain names.

The storage duration depends on your choices. You can store WAF logs in Log Tank Service (LTS) for seven days by default and up to 30 days by additional custom configuration. Logs earlier than 30 days will be deleted automatically by LTS. If you need long-term storage, enable the log transfer function in LTS to dump those logs to Object Storage Service (OBS) buckets or enable Data Ingestion Service (DIS).

For details about how to enable LTS in WAF, see Enabling LTS for WAF Protection Event Logging.

7 Others

7.1 What Is the Charging Standard of WAF?

Cloud mode WAF supports the yearly/monthly (prepaid) and pay-per-use (postpaid) billing modes. The professional, enterprise, and premium edition instances are billed on a yearly/monthly basis. In addition, if you buy a cloud WAF instance billed on a yearly/monthly billing basis, you can buy additional domain name and/or bandwidth expansion packages to meet your business needs. You will be billed for the WAF instance and expansion packages you selected based on the billing mode you specified.

For details about WAF pricing, see Pricing Details.

For price details, see Product Pricing Details.

7.2 Can I Switch Between the Yearly/Monthly and Pay-Per-Use Billing Modes?

Switching between the yearly/monthly and pay-per-use billing modes is supported.

Changing Pay-Per-Use to Yearly/Monthly

NOTICE

For a cloud WAF instance billed on a pay-per-use basis, you can disable the yearly/monthly billing mode and then enable a WAF instance in yearly/monthly billing mode.

● After the pay-per-use billing mode is disabled, the WAF billing stops. The WAF Mode changes to Suspended. In this situation, WAF forwards your website traffic without inspecting it.

● To avoid repeated configuration workloads, it is recommended that the new and original WAF instances be under the same project in the same region.

The pay-per-use billing mode is a postpaid payment method. For a pay-per-use cloud instance, you are billed for the number of added domain names, number of customized rules, and number of requests you use in the entire billing period.

If you want to use WAF for a long time, change its billing mode from pay-per-use to yearly/monthly to reduce costs. Perform the following steps:

Step 1 Log in to the management console.

Step 2 Click in the upper left corner of the management console and select a region or project.

Step 3 Click in the upper left corner and choose Web Application Firewall under Security.

Step 4 Disable the WAF instance billed on a pay-per-use basis.

1. In the upper right corner of the page, click Disable Pay-Per-Use Cloud Instance.

2. In the displayed dialog box, select "The involved domain names have been resolved to corresponding origin servers, or they have been brought offline" and click OK.
The working Mode of the WAF instance for all domain names on the website settings page changes to Suspended.

Step 5 Buy a WAF instance billed on a yearly/monthly basis.

For details, see Buying a WAF Instance Billed on a Yearly/Monthly Basis.

Step 6 Enable the WAF instance.

1. In the navigation pane on the left, choose Website Settings.
2. In the row containing the added domain name, click Switch Mode in the Mode column.
3. Select Enabled and click OK.

If the information under Mode changes to Enabled, WAF starts to detect your website.

----End

Changing Yearly/Monthly to Pay-Per-Use

NOTICE

● For a cloud WAF instance billed on a yearly/monthly basis, after it expires or you unsubscribe from it, you can enable another WAF instance billed on pay-per-use basis.

● To avoid repeated configuration workloads, it is recommended that the new and original WAF instances be under the same project in the same region or project.

Yearly/Monthly is a prepaid billing mode in which a WAF instance is billed based on the service duration. This cost-effective mode is ideal when the duration of WAF instance usage is predictable.

If you require a more flexible billing mode, in which your WAF will be billed based on usage, you can change the billing mode from yearly/monthly to pay-per-use. Before doing so, ensure that the yearly/monthly subscription has expired or you have unsubscribed from the yearly/monthly cloud instance. Perform the following steps:

Step 1 Log in to the management console.

Step 2 Click in the upper left corner of the management console and select a region or project.

Step 3 Click in the upper left corner and choose Web Application Firewall under Security.

Step 4 Unsubscribe from the yearly/monthly WAF instance or confirm that the yearly/monthly subscription has expired.

To view the details about the WAF instance you are using, see information displayed in the upper right corner of the Dashboard page.

For details about unsubscription, see How Do I Unsubscribe from WAF?

Step 5 Enable a WAF instance billed on a pay-per-use basis.

For details, see Buying a WAF Instance Billed on a Pay-Per-Use Basis.

Step 6 Enable the WAF instance.

1. In the navigation pane on the left, choose Website Settings.
2. In the row containing the added domain name, click Switch Mode in the Mode column.
3. Select Enabled and click OK.

If the information under Mode changes to Enabled, WAF starts to detect your website.

----End

7.3 How Do I Renew WAF?

This section describes how to renew your subscription to a WAF instance billed on a yearly/monthly basis when it is about to expire. After the renewal, you can continue to use your WAF instance.

Before the service expires, the system will send an SMS message or email to remind you to renew it.

If you do not renew the service after it expires, a retention period is available for you.

● During this period, WAF only forwards traffic but does not check it against your protection policies.

● When this period ends, resources will be cleared, that is, all configurations of your domain names will be deleted. During the clearing period, domain names are pointed back to origin servers by default. However, services on your domain names may not run properly because there may be inconsistencies between your configured protocols and ports.

To avoid unnecessary loss caused by security issues, you are advised to renew it before the retention period expires.

NOTE

● If you have selected Auto-renew when buying WAF, the system automatically generates a renewal order and renews your subscription before WAF expires.

● If you use a member account, grant the BSS Administrator permission to it so that you can renew the expired subscription using this member account.

Prerequisites

● Login credentials have been obtained.
● You have bought WAF.

Procedure

Step 1 Log in to the management console.

Step 2 Click in the upper left corner of the management console and select a region or project.

Step 3 Click in the upper left corner and choose Security > Web Application Firewall to go to the Dashboard page.

Step 4 Click Renew in the upper right corner of the page.

Figure 7-1 Renewal

Step 5 On the renewal management page, complete the renewal as prompted.

For details, see Renewal Rules.

----End

7.4 How Do I Unsubscribe from WAF?

This section describes how to unsubscribe from a WAF instance billed on a yearly/monthly basis.

NOTE

If you use a member account, grant the BSS Administrator permission to it so that you can unsubscribe from WAF using this member account.

Prerequisites

● Login credentials have been obtained.
● WAF was bought within the last five days.

Precautions

When you repurchase a WAF instance after unsubscription, be sure that the new WAF instance is in the same region as the original WAF instance. Otherwise, you need to add the protected domain name to the new WAF instance and configure protection rules again. For details, see Can the Original Configurations Be Saved When I Unsubscribe from a WAF Instance and Then Re-Purchase Another One?

Procedure

Step 1 Log in to the management console.

Step 2 In the upper right part of the page, click Billing Center.

Step 3 In the navigation pane, choose Unsubscriptions and Changes > Unsubscriptions.

Step 4 Complete the unsubscription operations as prompted.

For details, see Unsubscription Rules.

----End

7.5 How Do I Change the WAF Instance Edition to a Lower One and Reduce Number of Packages?

WAF provides professional, enterprise, and premium editions. If you need to change your WAF instance to a lower edition, unsubscribe from the one you are using and then buy a desired one.

NOTE

The domain and bandwidth expansion packages cannot be renewed or unsubscribed separately because they are bound to a specific WAF edition.

● For details about the specifications of each WAF edition, see Edition Differences.

● For details about unsubscription, see How Do I Unsubscribe from WAF?

7.6 Can the Original Configurations Be Saved When I Unsubscribe from a WAF Instance and Then Re-Purchase Another One?

For a WAF instance billed on a yearly/monthly basis, after you unsubscribe from it, you can enable another WAF instance billed on either yearly/monthly or pay-per-use basis.

● If you choose the pay-per-use billing mode, the configurations for the original WAF instance can be saved and used for the newly enabled WAF instance.

● If you choose the yearly/monthly billing mode, the configurations for the original WAF instance can be saved and used for the newly enabled WAF instance only when they are in the same region. If they are not in the same region, such configurations are not saved.

Unsubscribed WAF Instance and Re-Purchased WAF Instance Billed on a Yearly/Monthly Basis Are in the Same Region

After you unsubscribe from a WAF instance, its configurations can be stored for 24 hours.

After you unsubscribe from WAF, WAF suspends the protection for your domain names. After purchasing WAF again, you only need to switch the WAF working mode of the domain name to Enabled. WAF then starts protecting the domain name based on the protection rules configured on WAF.

● For details about unsubscription, see How Do I Unsubscribe from WAF?

● For details about how to purchase a HUAWEI CLOUD WAF instance, see Buying WAF.

● For details about how to switch WAF working mode, see Switching a Working Mode.

NOTICE

To keep your configuration on the old WAF instance valid after unsubscription, you need to purchase a new WAF instance within 24 hours.

Unsubscribed WAF Instance and Re-Purchased WAF Instance Billed on a Yearly/Monthly Basis Are Not in the Same Region

After you unsubscribe from a WAF instance, its configurations are not saved.

After repurchasing a WAF instance, you need to add the domain name to the new WAF instance and configure protection rules again.

● For details about unsubscription, see How Do I Unsubscribe from WAF?

● For details about how to get started, see Getting Started.

7.7 How Do I Safely Delete a Protected Domain Name?

To delete a domain name that has not been connected to WAF, perform the following operations. To delete a domain name that has been connected to WAF, re-resolve it with the DNS provider to the origin server before performing the following operations.

Step 1 Log in to the management console.

Step 2 Click in the upper left corner of the management console and select a region or project.

Step 3 Click in the upper left corner and choose Web Application Firewall under Security.

Step 4 In the navigation pane, choose Website Settings.

Step 5 In the row containing the target domain name, click Delete in the Operation column. The Delete Domain Name dialog box is displayed.

Step 6 In the Delete Domain Name dialog box, confirm the deletion.

● No proxy used

NOTE

– Ensure that related configurations are completed and select The CNAME of the domain name has been deleted from the DNS provider, and an A record has been configured to the origin server IP address, or services carried on the domain name have been brought offline.

– If you want to retain the policy bound to the domain name, select Retain the policy of this domain name.

● Proxy used

NOTE

– Ensure that related configurations are completed and select The domain name has been pointed to the origin server on the Advanced Anti-DDoS, CDN, or cloud acceleration product side, or services carried on the domain name have been brought offline.

– If you want to retain the policy bound to the domain name, select Retain the policy of this domain name.

Step 7 Click OK. If Domain name deleted successfully is displayed in the upper right corner, the domain name of the website is deleted.

----End

7.8 How Do I Select a Certificate When Configuring a Wildcard Domain Name?

Each domain name must correspond to a certificate. A wildcard domain name can only be used for a wildcard domain certificate. If you only have single-domain certificates, you need to add domain names one by one in WAF.

7.9 How Do I Delete a Certificate Configured for a Protected Domain Name?

If the certificate is not bound to a website, perform the following steps to delete the certificate:

Step 1 Log in to the management console.

Step 2 Click in the upper left corner of the management console and select a region or project.

Step 3 Click in the upper left corner and choose Web Application Firewall under Security.

Step 4 In the navigation pane, choose Certificates.

Step 5 In the row containing the desired certificate, click Delete in the Operation column.

Step 6 In the displayed dialog box, click OK.

----End

7.10 How Do I Modify a Certificate?

If the purchased certificate is about to expire, you are advised to purchase a new certificate before the expiration date and update the certificate associated with the domain name in WAF.

Perform the following operations:

Step 1 Log in to the management console.

Step 2 Click in the upper left corner of the management console and select a region or project.

Step 3 Click in the upper left corner and choose Web Application Firewall under Security.

Step 4 In the navigation pane, choose Website Settings.

Step 5 In the Protected Website column, click the domain name of the website to go to the basic information page.

Step 6 Click next to Server Information. If Client Protocol is HTTPS, select a new certificate from the certificate drop-down list or import a new certificate.

----End
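The certificate rule in 7.8 and the renew-before-expiry advice in 7.10 can be checked against a certificate inventory before you open the console. The following Python sketch is an added example, not HUAWEI CLOUD code: the inventory entries, IDs and dates are constructed, the 30-day renewal window is an assumption, and single domain names are matched with standard TLS hostname rules (a wildcard covers exactly one leftmost label), which this FAQ does not spell out.

```python
from datetime import datetime, timedelta, timezone


def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def san_covers(cert_name, domain):
    """True if a name on the certificate can serve the WAF domain entry."""
    c, d = _labels(cert_name), _labels(domain)
    if d[0] == "*":
        # 7.8: a wildcard domain name needs the matching wildcard certificate.
        return c == d
    if c[0] == "*":
        # Assumption (standard TLS matching): "*" stands for one label only,
        # so *.example.com covers www.example.com but not a.b.example.com.
        return len(c) == len(d) and c[1:] == d[1:]
    return c == d


def pick_certificate(domain, inventory, now, renew_within_days=30):
    """Return (cert_id, status) for the longest-lived certificate that fits.

    status is "ok", "renew-soon", "expired" or "no-match".
    """
    fits = [c for c in inventory
            if any(san_covers(n, domain) for n in c["names"])]
    if not fits:
        return (None, "no-match")
    best = max(fits, key=lambda c: c["not_after"])
    remaining = best["not_after"] - now
    if remaining <= timedelta(0):
        status = "expired"
    elif remaining <= timedelta(days=renew_within_days):
        status = "renew-soon"  # 7.10: replace before the expiration date
    else:
        status = "ok"
    return (best["id"], status)


# Constructed sample data (not taken from any real account).
NOW = datetime(2020, 9, 23, tzinfo=timezone.utc)
INVENTORY = [
    {"id": "cert-single-www", "names": ["www.example.com"],
     "not_after": datetime(2021, 6, 1, tzinfo=timezone.utc)},
    {"id": "cert-wildcard", "names": ["*.example.com", "example.com"],
     "not_after": datetime(2020, 10, 5, tzinfo=timezone.utc)},
    {"id": "cert-old-api", "names": ["api.example.org"],
     "not_after": datetime(2020, 8, 1, tzinfo=timezone.utc)},
]

if __name__ == "__main__":
    for name in ["*.example.com", "www.example.com", "a.b.example.com",
                 "api.example.org", "*.example.org"]:
        print(name, pick_certificate(name, INVENTORY, NOW))
```

A "no-match" result for a wildcard entry such as `*.example.org` is the case 7.8 describes: with only single-domain certificates available, each domain name has to be added to WAF individually.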

7.11 Why Cannot the SSL Certificate of HUAWEI CLOUD SCM Be Viewed on WAF?

After an SSL certificate is managed by HUAWEI CLOUD SCM, you need to push the certificate to WAF so that it can be used in HUAWEI CLOUD WAF.

For details about how to push an SSL certificate from SCM to WAF, see Pushing Certificates to Other Services on HUAWEI CLOUD.

A Change History

Released On Description

2020-09-23 This issue is the sixty-first official release.
● Added Can I Switch Between the Yearly/Monthly and Pay-Per-Use Billing Modes?
● Updated the screenshots in How Do I Troubleshoot 404/502/504 Errors?

2020-09-11 This issue is the sixtieth official release.
Added the following FAQs:
● What Is the Charging Standard of WAF?
● How Do I Unsubscribe from WAF?
● Can the Original Configurations Be Saved When I Unsubscribe from a WAF Instance and Then Re-Purchase Another One?

2020-08-12 This issue is the fifty-ninth official release.
Added the following FAQs:
● How Do I Delete a Certificate Configured for a Protected Domain Name?
● Why Cannot the SSL Certificate of HUAWEI CLOUD SCM Be Viewed on WAF?

2020-07-20 This issue is the fifty-eighth official release.
Added What Can I Do If the Verification Code Cannot Be Refreshed After Verification Code Is Configured in a CC Attack Protection Rule?

2020-07-16 This issue is the fifty-seventh official release.
Added Can WAF Block Data Packets in multipart/form-data Format?

2020-07-08 This issue is the fifty-sixth official release.
● Added Why No Logs Are Found for Some Requests Blocked by WAF After Anti-Crawler Is Enabled?
● Optimized descriptions in Can WAF Protect Both Cloud or On-premises Servers?
● Optimized descriptions in Can WAF Protect an IP Address?
● Optimized descriptions in What Does WAF Protect?
● Optimized descriptions in Does WAF Support Health Check?

2020-06-24 This issue is the fifty-fifth official release.
Added What Can I Do If the Message "Illegal server address" Is Displayed When I Add a Domain Name?

2020-06-16 This issue is the fifty-fourth official release.
Adjusted the structure in How Do I Configure the Client Protocol and Server Protocol?

2020-06-08 This issue is the fifty-third official release.
Added the following FAQs:
● Will Traffic Be Permitted After WAF Is Switched to the Bypassed Mode?
● What Working Modes and Protection Mechanisms Does WAF Have?

2020-06-02 This issue is the fifty-second official release.
Added the following FAQs:
● Can I Export the Blacklist and Whitelist from WAF?
● Does WAF Support Wildcard Domain Names?
● Can I Configure Session Cookies in WAF?
● Can I Query Protection Events of a Batch of Specified IP Addresses at Once?
● How Do I Configure the TXT Record on HUAWEI CLOUD DNS Service?
● Which Protection Levels Can Be Set for Basic Web Protection?
● Can WAF Logs Be Transferred to OBS?

2020-05-26 This issue is the fifty-first official release.
Added the following FAQs:
● What Are the Impacts When QPS Exceeds the Allowed Peak Rate?
● Does WAF Have a Limit on the Number of Concurrent Requests?
● What Are Local File Inclusion and Remote File Inclusion?
● Can I Configure the Blacklist and Whitelist Rules in Batches?
● Does WAF Affect Email Ports or Email Receiving and Sending?
● Can a Precise Protection Rule Take Effect in a Specified Period?

2020-03-31 This issue is the fiftieth official release.
Updated some screenshots.

2020-03-19 This issue is the forty-ninth official release.
● Modified supported non-standard ports in Which Non-Standard Ports Does WAF Support?
● Optimized descriptions in What Are Regions and AZs?

2020-03-06 This issue is the forty-eighth official release.
Added the following FAQs:
● How Do I Calculate the Protection Bandwidth?
● What Should I Do If the Traffic Exceeds the Protection Bandwidth of WAF?
● What Are the Differences Between Professional, Enterprise, and Premium Editions?
● How Do I Add a Domain Name to WAF?
● How Do I Deploy Both CDN and WAF?

2020-03-03 This issue is the forty-seventh official release.
● Adjusted the document structure.
● Updated screenshots and descriptions in What Are the Impacts If a Subdomain Name and TXT Record Are Not Configured?

2020-01-10 This issue is the forty-sixth official release.
● Added Does WAF Support the WebSocket Protocol?
● Added Can My WAF Be Shared by Multiple Accounts?
● Optimized descriptions in Can WAF Protect an IP Address?

2019-12-26 This issue is the forty-fifth official release.
Optimized descriptions in Which Non-Standard Ports Does WAF Support?

2019-12-20 This issue is the forty-fourth official release.
Optimized descriptions in Which Non-Standard Ports Does WAF Support?

2019-12-16 This issue is the forty-third official release.
Updated the navigation path illustration.

2019-12-09 This issue is the forty-second official release.
● Added What Is the Connection Timeout Duration of WAF? Can I Manually Set the Timeout Duration?
● Added What Data Is Required for Connecting a Domain Name to WAF?
● Optimized descriptions in Can WAF Protect Both Cloud or On-premises Servers?
● Optimized descriptions in Can WAF Protect an IP Address?

2019-11-14 This issue is the forty-first official release.
Optimized descriptions in Which Non-Standard Ports Does WAF Support?

2019-11-07 This issue is the fortieth official release.
Added What Are the Differences Between Rate Limit and Allowable Frequency in a CC Rule?

2019-11-05 This issue is the thirty-ninth official release.
Optimized descriptions in How Do I Troubleshoot 404/502/504 Errors?

2019-11-04 This issue is the thirty-eighth official release.
● Added Does WAF Have the IPS Module?
● Added Can WAF Protect Both Cloud or On-premises Servers?
● Added Does WAF Support File Caching?
● Added Is the Path of a WAF Protection Rule Case-sensitive?
● Added Can I Export or Back Up the WAF Configuration?

2019-10-30 This issue is the thirty-seventh official release.
● Added Why Cannot the Protection Mode Be Enabled After a Domain Name Is Connected to WAF?
● Added How Do I Perform Verification Using HUAWEI CLOUD DNS?
● Added How Do I Query a Domain Name Provider?
● Added What Does WAF Protect?
● Added How Do I Select a Certificate When Configuring a Wildcard Domain Name?
● Added Does WAF Support HTTP/2?
● Added How Many Rules Can Be Added to a WAF Instance?
● Added Does WAF Support Health Check?
● Added How Long Can WAF Protection Logs Be Stored?
● Added How Do I Obtain Data about Block Actions?
● Added Does WAF Provide the Log Service?
● Added Can WAF Logs Be Obtained Using APIs?

2019-10-21 This issue is the thirty-sixth official release.
Added What Are the Impacts If a Subdomain Name and TXT Record Are Not Configured?

2019-10-17 This issue is the thirty-fifth official release.
● Optimized descriptions in How Do I Route Website Traffic Through WAF?
● Deleted "What Should I Do If the DNS Status Is Abnormal?"

2019-10-14 This issue is the thirty-fourth official release.
● Optimized descriptions in Which Non-Standard Ports Does WAF Support?
● Optimized descriptions in How Do I Troubleshoot 404/502/504 Errors?
● Optimized descriptions in Which OSs Does WAF Support?
● Optimized descriptions in Which Web Service Frameworks Does WAF Support?

2019-09-12 This issue is the thirty-third official release.
● Added What Do I Do If a Scanner, such as AppScan, Detects that the Cookie Is Missing Secure or HttpOnly?
● Added Is the Service Bandwidth Calculated Based on the Incoming Traffic or Outgoing Traffic?
● Added What Are the Differences Between the Permissions of an Account and Those of IAM Users?

2019-09-06 This issue is the thirty-second official release.
● Added What Are the Differences Between the Old and New CNAMEs?
● Added Can I Set the IP Address of the Origin Server to a CNAME?
● Optimized descriptions in How Do I Troubleshoot 404/502/504 Errors?
● Optimized descriptions in How Do I Modify a Certificate?

2019-08-28 This issue is the thirty-first official release.
● Optimized descriptions in How Do I Troubleshoot 404/502/504 Errors?
● Added the link to the best practice in How Do I Obtain the Real IP Address of a Web Visitor?
● Added links to related sections in How Do I Configure a CC Attack Protection Rule?
● Added links to related sections in How Do I Route Website Traffic Through WAF?

2019-08-20 This issue is the thirtieth official release.
Optimized some illustrations in the document.

2019-08-15 This issue is the twenty-ninth official release.
● Added How Do I Solve the Problem of Excessive Redirection Times?
● Optimized descriptions in How Do I Route Website Traffic Through WAF?

2019-07-15 This issue is the twenty-eighth official release.
● Added How Do I Renew WAF?
● Added How Do I Unsubscribe from WAF?
● Optimized descriptions in How Do I Configure Domain Names to Be Protected When Adding Domain Names?

2019-07-11 This issue is the twenty-seventh official release.
Optimized descriptions in How Do I Configure Domain Names to Be Protected When Adding Domain Names?

2019-07-02 This issue is the twenty-sixth official release.
Added How Do I Configure Domain Names to Be Protected When Adding Domain Names?

2019-07-01 This issue is the twenty-fifth official release.
● Added What Are the Precautions for Configuring Multiple IP Addresses for Backend Servers?
● Optimized descriptions in How Do I Troubleshoot 404/502/504 Errors?

2019-06-18 This issue is the twenty-fourth official release.
● Added What Are the Restrictions on Using WAF in Enterprise Projects?
● Added In Which Situations Will the WAF Policies Fail?

2019-06-06 This issue is the twenty-third official release.
● Added In Which Regions Is WAF Available?
● Added What Is the Size Limit for Uploading Files After My Website Is Connected to WAF?
● Optimized descriptions in Which Non-Standard Ports Does WAF Support?

2019-05-30 This issue is the twenty-second official release.
Optimized descriptions in How Do I Route Website Traffic Through WAF?

2019-05-16 This issue is the twenty-first official release.
Optimized descriptions in How Do I Route Website Traffic Through WAF?

2019-05-14 This issue is the twentieth official release.
Optimized descriptions in How Do I Troubleshoot 404/502/504 Errors?

2019-05-05 This issue is the nineteenth official release.
● Added How Do I Whitelist the WAF Back-to-Source IP Address Ranges?
● Added How Do I Solve the Problem that HTTPS Requests Fail on Some Mobile Phones?
● Optimized descriptions in How Do I Troubleshoot 404/502/504 Errors?
● Optimized descriptions in Which Non-Standard Ports Does WAF Support?
● Optimized descriptions in How Do I Route Website Traffic Through WAF?

2019-02-20 This issue is the eighteenth official release.
● Optimized descriptions in Which Non-Standard Ports Does WAF Support?
● Optimized descriptions in What Is the Charging Standard of WAF?

2019-01-03 This issue is the seventeenth official release.
Adjusted the document layout.

2018-11-08 This issue is the sixteenth official release.
Optimized some descriptions.

2018-10-29 This issue is the fifteenth official release.
Optimized descriptions in Which Non-Standard Ports Does WAF Support?

2018-09-12 This issue is the fourteenth official release.
Added How Do I Fix an Incomplete Certificate Chain?

2018-07-19 This issue is the thirteenth official release.
● Added How Do I Obtain the Real IP Address of a Web Visitor?
● Optimized descriptions in How Do I Modify a Certificate?
● Updated the screenshots based on the GUI changes.

2018-07-05 This issue is the twelfth official release.
● Optimized descriptions in How Do I Route Website Traffic Through WAF?
● Optimized descriptions in How Do I Test WAF?

2018-06-14 This issue is the eleventh official release.
Updated the screenshots based on the GUI changes.

2018-06-07 This issue is the tenth official release.
Added How Do I Modify a Certificate?

2018-05-31 This issue is the ninth official release.
Added How Do I Troubleshoot 404/502/504 Errors?

2018-05-17 This issue is the eighth official release.
Added How Do I Configure the Client Protocol and Server Protocol?

2018-04-12 This issue is the seventh official release.
Added content about sensitive data leakage protection in What Protection Rules Does WAF Support?

2018-04-02 This issue is the sixth official release.
● Optimized descriptions in Which Non-Standard Ports Does WAF Support?
● Updated the GUI description and screenshots based on the GUI changes.

2018-03-31 This issue is the fifth official release.
● Added How Do I Switch the Mode of Basic Web Protection from Log Only to Block?
● Updated the GUI description and screenshots based on the GUI changes.

2018-03-27 This issue is the fourth official release.
● Added Which Non-Standard Ports Does WAF Support?
● Added How Do I Route Website Traffic Through WAF?
● Added How Do I Test WAF?
● Added How Do I Safely Delete a Protected Domain Name?
● Added Can WAF Continue Protecting a Domain Name When It Expires?
● Added FAQ "How Do I Enable WAF?"
● Updated the GUI description and screenshots based on the GUI changes.

2018-01-16 This issue is the third official release.
Added Can WAF Protect an IP Address?

2018-01-11 This issue is the second official release.
● Added What Protection Rules Does WAF Support?
● Added Which Layers Does WAF Provide Protection At?

2017-10-30 This issue is the first official release.
