Web Application Firewall - HUAWEI CLOUD2.43 Can WAF Protect Websites Hosted on Non-HUAWEI CLOUD Servers?.....15 3 Domain Name Access Configuration.....16 3.1 Which 3.2 How Do I Add

Web Application Firewall

FAQs

Issue 50

Date 2020-03-31

HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2020. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without priorwritten consent of Huawei Technologies Co., Ltd. Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.All other trademarks and trade names mentioned in this document are the property of their respectiveholders. NoticeThe purchased products, services and features are stipulated by the contract made between Huawei andthe customer. All or part of the products, services and features described in this document may not bewithin the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,information, and recommendations in this document are provided "AS IS" without warranties, guaranteesor representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in thepreparation of this document to ensure accuracy of the contents, but all statements, information, andrecommendations in this document do not constitute a warranty of any kind, express or implied.

Issue 50 (2020-03-31) Copyright © Huawei Technologies Co., Ltd. i

Contents

1 Protection Bandwidth/Specifications................................................................................. 11.1 How Do I Calculate the Protection Bandwidth?........................................................................................................... 11.2 What Should I Do If the Traffic Exceeds the Protection Bandwidth of WAF?................................................... 11.3 How Do I Handle Insufficient Protection Rules?.......................................................................................................... 11.4 What Are the Feature Differences Among Professional, Enterprise, and Premium Editions?...................... 2

2 Product Function Consultation............................................................................................ 32.1 How Do I Obtain the Real IP Address of a Web Visitor?...........................................................................................32.2 Can WAF Protect Offline Servers?..................................................................................................................................... 32.3 Can WAF Protect an IP Address?....................................................................................................................................... 32.4 How Long Can Protection Logs Be Stored?................................................................................................................... 42.5 What Are the Differences Between the Permissions of a Master Account and Those of a Subaccount?.............................................................................................................................................................................................................. 42.6 Can I Use WAF Without a Domain Name?.................................................................................................................... 42.7 Which OSs Does WAF Support?......................................................................................................................................... 42.8 Which Web Service Frameworks Does WAF Support?............................................................................................... 42.9 What Protection Rules Does WAF Support?.................................................................................................................. 42.10 Which Layer Does WAF Provides Protection At?....................................................................................................... 52.11 Can WAF Continue Protecting a Domain Name When It Expires?......................................................................52.12 Can WAF Protect HTTPS Services?..................................................................................................................................62.13 Is There Any Limit for File Upload?................................................................................................................................ 62.14 In Which Regions Is WAF Available?.............................................................................................................................. 62.15 What Are the Restrictions on Using WAF in Enterprise Projects?........................................................................62.16 What Are Regions and AZs?..............................................................................................................................................72.17 Does WAF Support HTTP/2?............................................................................................................................................. 82.18 How Many Rules Can Be Added to WAF?.................................................................................................................... 82.19 Does WAF Support Health Check?................................................................................................................................. 82.20 Does WAF Have the IPS Module?................................................................................................................................... 82.21 Does WAF Support File Caching?.................................................................................................................................... 92.22 Does WAF Support the WebSocket Protocol?.............................................................................................................92.23 Can My WAF Be Shared by Multiple Accounts?.........................................................................................................92.24 Does WAF Protect Both IPv4 and IPv6 Addresses?................................................................................................... 92.25 What Does QPS Stand For?...............................................................................................................................................92.26 What Is a Protected IP Address?................................................................................................................................... 10

Web Application FirewallFAQs Contents

Issue 50 (2020-03-31) Copyright © Huawei Technologies Co., Ltd. ii

2.27 Does WAF Support Vulnerability Detection?............................................................................................................ 102.28 Can I Use WAF for Free?.................................................................................................................................................. 102.29 What Functions Does the Product Expert Service Provide?................................................................................. 102.30 Does WAF Support Two-Way SSL Authentication?................................................................................................ 112.31 What Are the Differences Between WAF and VSS?................................................................................................112.32 Can I Export the Blacklist and Whitelist from WAF?..............................................................................................112.33 Can WAF Check the Body I Add to the POST Request?........................................................................................ 112.34 Will WAF Record Unblocked Events?...........................................................................................................................112.35 How Does WAF Block Requests?.................................................................................................................................. 122.36 Does WAF Support Wildcard Domain Names?........................................................................................................ 122.37 Can the Combination of WAF, CDN, and AAD Work?........................................................................................... 122.38 Does WAF Support Customized Authorization Policies?...................................................................................... 122.39 Does WAF Block Customized POST Requests?.........................................................................................................132.40 Does WAF Support the CORS-Denied Policy?.......................................................................................................... 142.41 Can WAF Block Requests When a Certificate Is Mounted on ELB?.................................................................. 152.42 What Are Local File Inclusion and Remote File Inclusion?.................................................................................. 152.43 Can WAF Protect Websites Hosted on Non-HUAWEI CLOUD Servers?.......................................................... 15

3 Domain Name Access Configuration................................................................................ 163.1 Which Non-Standard Ports Does WAF Support?....................................................................................................... 163.2 How Do I Add a Domain Name to WAF?.................................................................................................................... 213.3 What Data Needs to Be Prepared Before Connecting a Domain Name to WAF?......................................... 213.4 How Do I Deploy Both CDN and WAF?........................................................................................................................ 223.5 How Do I Deploy Both AAD and WAF?........................................................................................................................ 223.6 How Do I Configure Domain Names to Be Protected When Adding Domain Names?...............................223.7 What Are the Precautions for Configuring Multiple IP Addresses for Backend Servers?.............................243.8 How Do I Configure the Client Protocol and Server Protocol?............................................................................. 243.9 What Are the Differences Between the Old and New CNAMEs?........................................................................ 273.10 Can I Set the IP Address of the Origin Server to a CNAME?...............................................................................273.11 Can I Access a Website Using an IP Address After a Domain Name Is Connected to WAF?...................273.12 How Do I Configure Non-standard Ports When Adding a Protected Domain Name?.............................. 28

4 Service Interruption Check..................................................................................................314.1 How Do I Troubleshoot 404/502/504 Errors?............................................................................................................. 314.2 How Do I Handle a False Alarm?.................................................................................................................................... 354.3 What Is the Connection Timeout Duration of WAF? Can I Manually Set the Timeout Duration?...........354.4 How Do I Whitelist the WAF Back-to-Source IP Address Ranges?...................................................................... 364.5 How Do I Solve the Problem of Excessive Redirection Times?............................................................................. 384.6 How Do I Solve the Problem that HTTPS Requests Fail on Some Mobile Phones?...................................... 384.7 How Do I Fix an Incomplete Certificate Chain?......................................................................................................... 394.8 What Should I Do If Error Code 418 Is Reported?.................................................................................................... 444.9 What Should I Do If Error Code 523 Is Reported?.................................................................................................... 444.10 What Can I Do If the Login Page Is Continuously Refreshed After a Domain Name Is Connected toWAF?................................................................................................................................................................................................ 44


Issue 50 (2020-03-31) Copyright © Huawei Technologies Co., Ltd. iii

4.11 What Should I Do If the Program Access Page Fails to Respond After the HTTP Forwarding Policy IsConfigured?.................................................................................................................................................................................... 44

5 Configuring IPv6 Addresses................................................................................................ 455.1 Which Editions of WAF Support IPv6?...........................................................................................................................455.2 What Are the Regions Support IPv6 Protection?....................................................................................................... 455.3 How Do I Check Whether the Origin Server IP Address Configured in WAF Is an IPv6 Address?............45

6 Domain Name Resolution................................................................................................... 476.1 How Do I Test WAF?............................................................................................................................................................ 476.2 How Do I Route Website Traffic Through WAF?....................................................................................................... 476.3 What Are the Impacts If a Subdomain Name and TXT Record Are Not Configured?.................................. 486.4 How Do I Perform Verification Using HUAWEI CLOUD DNS?..............................................................................516.5 How Do I Query a Domain Name Provider?............................................................................................................... 556.6 Why Cannot the Protection Mode Be Enabled After a Domain Name Is Connected to WAF?.................566.7 How Do I Configure the TXT Record on HUAWEI CLOUD DNS Service?.......................................................... 566.8 How Do I Use A Records for Domain Name Resolution?....................................................................................... 576.9 Which Protection Levels Can Be Set for Basic Web Protection?...........................................................................57

7 Rule Configuration................................................................................................................587.1 In Which Situations Will the WAF Policies Fail?.........................................................................................................587.2 How Do I Switch the Mode of Basic Web Protection from Log only to Block?.............................................. 587.3 When Is Cookie Used to Identify Users?.......................................................................................................................597.4 How Do I Configure a CC Attack Protection Rule?................................................................................................... 597.5 What Are the Differences Between Rate Limit and Allowable Frequency in a CC Rule?........................607.6 What Do I Do If a Scanner, such as AppScan, Detects that the Cookie Is Missing Secure or HttpOnly?............................................................................................................................................................................................................ 607.7 Is the Path of a WAF Protection Rule Case-sensitive?............................................................................................. 607.8 Can I Export or Back Up the WAF Configuration?.................................................................................................... 617.9 How Do I Block Abnormal IP Addresses?..................................................................................................................... 61

8 Protection Events...................................................................................................................638.1 Does WAF Provide the Log Service?............................................................................................................................... 638.2 Can WAF Logs Be Obtained Using APIs?......................................................................................................................638.3 How Do I Obtain Blocked Data?..................................................................................................................................... 638.4 Can WAF Logs Be Transferred to OBS?......................................................................................................................... 638.5 Can WAF Forward Logs to the Syslog Server?............................................................................................................63

9 Purchase.................................................................................................................................. 649.1 Is the Service Bandwidth Calculated Based on the Incoming Traffic or Outgoing Traffic?........................649.2 What Is the Charging Standard of WAF?..................................................................................................................... 649.3 How Do I Renew WAF?.......................................................................................................................................................659.4 How Do I Unsubscribe from WAF?................................................................................................................................. 669.5 How Do I Reduce the WAF Quota?................................................................................................................................ 679.6 Can I Purchase the Basic Edition of WAF?................................................................................................................... 67

10 Domain Name Editing........................................................................................................68


Issue 50 (2020-03-31) Copyright © Huawei Technologies Co., Ltd. iv

10.1 How Do I Safely Delete a Protected Domain Name?............................................................................................ 68

11 Certificate............................................................................................................................. 7011.1 How Do I Select a Certificate When Configuring a Wildcard Domain Name in WAF?............................. 7011.2 How Do I Delete a Certificate Configured for a Protected Domain Name?..................................................7011.3 How Do I Modify a Certificate?..................................................................................................................................... 70

A Change History...................................................................................................................... 72


Issue 50 (2020-03-31) Copyright © Huawei Technologies Co., Ltd. v

1 Protection Bandwidth/Specifications

1.1 How Do I Calculate the Protection Bandwidth?The bandwidth in WAF refers to the amount of protected sites' normal traffic(unit: Mbit/s). A bandwidth expansion package contains 20 Mbit/s/50 Mbit/s(on/off HUAWEI CLOUD) or 1,000 QPS. QPS stands for Queries per Second. Forexample, one HTTP Get request is a query.

The bandwidth in WAF is calculated by WAF itself and is not associated with the bandwidthor traffic limit of other HUAWEI CLOUD products (such as CDN, ELB, and ECS).

For details about the bandwidth expansion package, see Bandwidth ExpansionPackage.

1.2 What Should I Do If the Traffic Exceeds theProtection Bandwidth of WAF?

If your legitimate traffic exceeds the bandwidth limit offered by your selectededition, your traffic forwarding may be adversely affected.

For example, traffic limiting and random packet loss may occur. As a result,services are unavailable, frozen, or delayed for a certain period of time.

In this case, upgrade your edition or buy additional bandwidth expansionpackages.

For details about how to upgrade, see Upgrading the Edition.

1.3 How Do I Handle Insufficient Protection Rules?WAF provides three editions: professional, enterprise, and premium. For detailsabout the number of rules configured for each edition, see Edition. If the numberof rules supported by the purchased edition cannot meet your servicerequirements, you can upgrade the edition. For details, see Upgrading theEdition.

Web Application FirewallFAQs 1 Protection Bandwidth/Specifications

Issue 50 (2020-03-31) Copyright © Huawei Technologies Co., Ltd. 1

https://support.huaweicloud.com/en-us/usermanual-waf/waf_01_0111.html



https://support.huaweicloud.com/en-us/productdesc-waf/waf_01_0106.html



1.4 What Are the Feature Differences AmongProfessional, Enterprise, and Premium Editions?

WAF provides three editions: professional, enterprise, and premium. To protectmore domain names and traffic, WAF provides domain name extension packagesand bandwidth extension packages. You can select the number of extensionpackages based on your service requirements. For details about the features ofeach edition, see Edition.

Web Application FirewallFAQs 1 Protection Bandwidth/Specifications



2 Product Function Consultation

2.1 How Do I Obtain the Real IP Address of a WebVisitor?

Generally, a proxy such as CDN, WAF, and AAD is deployed between the client andserver. Web visitors cannot directly access the server. For example, web visitor >CDN/WAF/AAD > origin server. Then, how does the server obtain the real IPaddress of the client when multiple proxies are configured?

When forwarding requests to the downstream server, the transparent proxy serveradds an X-Forwarded-For field to the HTTP header to identify the web visitor'sreal IP address in the format of X-Forwarded-For: real IP address of the webvisitor, proxy 1-IP address, proxy 2-IP address, proxy 3-IP address, ........->....

Therefore, you can obtain the web visitor's real IP address from the first IP addressin the X-Forwarded-For field.

For details, see Obtaining the Real IP Address of a Web Visitor.

2.2 Can WAF Protect Offline Servers?WAF can protect offline servers, but the servers must have been connected to theInternet.

HUAWEI CLOUD WAF protects your servers based on only domain namesregardless of whether your server is online or offline, which region your serverresides, or which project or account your server belongs to.

2.3 Can WAF Protect an IP Address?WAF can only provide protection based on domain names instead of IP addresses.

The origin server IP address configured in WAF can only be a public IP address.

To reduce the number of public IP addresses, you can purchase Elastic LoadBalance (ELB) or set up load balancers to work as proxies of the backend private

Web Application FirewallFAQs 2 Product Function Consultation


https://support.huaweicloud.com/en-us/bestpractice-waf/waf_06_0020.html

IP addresses, and set the EIP (public IP address) as the back-to-source IP addressfor WAF protection.

2.4 How Long Can Protection Logs Be Stored?On the WAF console, you can view only the protection event data of the last 30days. To view the event data of a longer period, contact HUAWEI CLOUD technicalsupport.

2.5 What Are the Differences Between the Permissionsof a Master Account and Those of a Subaccount?

WAF has only the WAF administrator permission. Resources of a master accountare isolated from those of a subaccount.

The master account can be used to view a domain name added using asubaccount, but a subaccount cannot be used to view a domain name addedusing the master account.

2.6 Can I Use WAF Without a Domain Name?No. WAF can only provide protection based on domain names.

2.7 Which OSs Does WAF Support?WAF is deployed on the cloud, which is irrelevant to an OS. Therefore, WAFsupports any OS. A domain name server on any OS can be connected to WAF forprotection.

2.8 Which Web Service Frameworks Does WAFSupport?

WAF is deployed on the cloud and is not coupled with services on a web server.Therefore, WAF supports web services on any framework.

2.9 What Protection Rules Does WAF Support?The protection rules supported by WAF are described below.

● Basic Web ProtectionWAF can defend against common web attacks, such as SQL injection, XSS,webshells, and Trojans in HTTP upload channels. Once these functions areenabled, protection takes effect immediately.

● CC Attack ProtectionFlexible rate limiting policies can be set based on the IP addresses, cookies, orReferer field, mitigating CC attacks.



● Precise ProtectionCommon HTTP fields can be combined to customize protection policies, suchas CSRF protection. With user-defined rules, WAF can accurately detectmalicious requests and protect sensitive information in websites.

● Blacklist and WhitelistBlacklist or whitelist rules allow you to block or allow specific IP addresses oraddress ranges, improving defense accuracy.

● Geolocation Access ControlGeolocation access control rules allow you to customize access control basedon the source IP addresses.

● Web Tamper ProtectionCache configuration is performed on static webpages. When a user accesses awebpage, the system returns a cached page to the user and randomly checkswhether the page has been tampered with.

● Anti-crawler ProtectionThis function dynamically analyzes website service models and accuratelyidentifies crawler behavior based on data risk control and bot identificationsystems, such as JS Challenge.

● False Alarm MaskingThis function ignores certain attack detection rules for specific requests.

● Data MaskingData masking prevents such data as passwords from being displayed in eventlogs.

● Information Leakage PreventionWAF prevents user's sensitive information on webpages from being disclosed,such as ID numbers, phone numbers, and email addresses.

2.10 Which Layer Does WAF Provides Protection At?WAF provides protection for seven layers, namely, the physical layer, data linklayer, network layer, transport layer, session layer, presentation layer, andapplication layer.

2.11 Can WAF Continue Protecting a Domain NameWhen It Expires?

If you do not renew the WAF service after it expires, the public cloud platformprovides a grace period and retention period.

The duration of the grace period and retention period depends your level. Fordetails, see Grace Period and Retention Period.● During this period, WAF forwards traffic but your protection policies will not

work.● When this period is over, resources will be cleared, that is, all configurations of

your domain names will be deleted. During the clearing period, domainnames are pointed back to origin severs by default. However, services on your



https://support.huaweicloud.com/en-us/usermanual-period/en-us_topic_0086671074.html

domain names may not run properly because there may be inconsistenciesbetween your configured protocols and ports.

To avoid unnecessary loss, you are advised to renew your WAF account.

2.12 Can WAF Protect HTTPS Services?Yes. You simply need to configure HTTPS as the frontend protocol and allow WAFto host your certificate. Then, WAF protects your HTTPS service.

2.13 Is There Any Limit for File Upload?After moving your site to WAF, you can upload a file no greater than 512 MB.

If you want to upload a file greater than 512 MB, upload the file using any of thefollowing methods:

● via the IP address.● on the separate web server.● via FTP.

2.14 In Which Regions Is WAF Available?WAF is available in all regions on HUAWEI CLOUD.

WAF can be purchased in the following regions: CN East-Shanghai2, CN North-Beijing1, CN North-Beijing4, CN South-Guangzhou, AP-Hong Kong, and AP-Bangkok.

In principle, WAF purchased in any region can protect web services in all regions.However, to improve the forwarding efficiency of WAF, you are advised to selectthe nearest region based on the region where the protected services reside whenpurchasing WAF. If you purchase WAF in the Beijing region, services on otherregions (for example, Shanghai) can also be protected by WAF. However, it takes alonger time for WAF to forward traffic of services in Shanghai. Therefore, you areadvised to purchase WAF in Beijing and Shanghai regions to protect services inBeijing and Shanghai, respectively, improving the forwarding efficiency.

2.15 What Are the Restrictions on Using WAF inEnterprise Projects?

Each enterprise project is independent from the others.

● The created policies can be used only by their own projects. For example, ifyou create policy A for a main project, the rules created for the sub-projectsdo not belong to policy A. You must create a policy for sub-projectsseparately.

● The created certificates can be used only by their own projects. A main projectand sub-project can only use its own certificates.



2.16 What Are Regions and AZs?

ConceptA region and availability zone (AZ) identify the location of a data center. You cancreate resources in a specific region and AZ.

● Regions are divided from the dimensions of geographical location andnetwork latency. Public services, such as Elastic Cloud Server (ECS), ElasticVolume Service (EVS), Object Storage Service (OBS), Virtual Private Cloud(VPC), Elastic IP (EIP), and Image Management Service (IMS), are sharedwithin the same region. Regions are classified as universal regions anddedicated regions. A universal region provides universal cloud services forcommon tenants. A dedicated region provides services of the same type onlyor for specific tenants.

● An AZ contains one or more physical data centers. Each AZ has independentcooling, fire extinguishing, moisture-proof, and electricity facilities. Within anAZ, computing, network, storage, and other resources are logically dividedinto multiple clusters. AZs within a region are interconnected using high-speed optical fibers to allow you to build cross-AZ high-availability systems.

Figure 2-1 shows the relationship between the regions and AZs.

Figure 2-1 Region and AZ

HUAWEI CLOUD provides services in many regions around the world. You canselect a region and AZ as needed.

How to Select a Region?When selecting a region, consider the following factors:

● LocationYou are advised to select a region close to you or your target users. Thisreduces network latency and improves access rate. However, Chinesemainland regions provide basically the same infrastructure, BGP networkquality, as well as operations and configurations on resources. Therefore, ifyou or your target users are in the Chinese mainland, you do not need toconsider the network latency differences when selecting a region.



– If you or your target users are in the Asia Pacific region, except theChinese mainland, select the AP-Hong Kong, AP-Bangkok, or AP-Singapore region.

– If you or your target users are in Africa, select the AF-Johannesburgregion.

– If you or your target users are in Europe, select the EU-Paris region.● Resource price

Resource prices may vary in different regions. For details, see Product PricingDetails.

How to Select an AZ?When determining whether to deploy resources in the same AZ, consider yourapplications' requirements on disaster recovery (DR) and network latency.

● For high DR capability, deploy resources in different AZs in the same region.● For low network latency, deploy resources in the same AZ.

Regions and EndpointsBefore using an API to call resources, specify its region and endpoint. For moredetails, see Regions and Endpoints.

2.17 Does WAF Support HTTP/2?Currently, HUAWEI CLOUD WAF does not support HTTP/2 (HTTP 2.0).

2.18 How Many Rules Can Be Added to WAF?The number of rules that can be added varies with different configuration rulesand editions. For details about edition specifications, see Edition.

2.19 Does WAF Support Health Check?Currently, WAF does not support the health check function. If you want to use thehealth check function of the server, you are advised to use both ELB and WAF. Fordetails about how to configure ELB, see Adding or Removing Backend Serversfrom an Enhanced Load Balancer. After ELB is configured, the EIP of ELB is usedas the IP address of the server to connect to WAF for health check.

2.20 Does WAF Have the IPS Module?WAF does not have the IPS module of the traditional firewall, but WAF supportsintrusion detection for the HTTP/HTTPS protocol.



https://www.huaweicloud.com/en-us/pricing.html

https://www.huaweicloud.com/en-us/pricing.html

https://developer.huaweicloud.com/en-us/endpoint


https://support.huaweicloud.com/en-us/usermanual-elb/en-us_topic_0052569729.html


2.21 Does WAF Support File Caching?WAF caches only static web pages that are configured with web tamper protectionand sends the cached web pages that are not tampered with to web visitors fortamper-proof purposes.

If you want to cache all website contents, you can deploy CDN and deploy WAFbetween CDN and the origin server. For details, see Domain Setup with BothCDN and WAF Deployed.

2.22 Does WAF Support the WebSocket Protocol?WAF supports the WebSocket protocol, which is enabled by default.

2.23 Can My WAF Be Shared by Multiple Accounts?WAF cannot be shared by multiple accounts. Each account needs to purchase WAFindependently. While, WAF can be shared by multiple IAM users.

Sharing WAF Across Multiple IAM Users

Assume that you have created an account, domain1, by registering with HUAWEICLOUD, and used domain1 to create two IAM users, sub-user1a and sub-user1b,in IAM. If you have granted the WAF permissions to sub-user1b, sub-user1b canthen use the WAF service of sub-user1a.

For details about granting permissions, see Creating a User Group and GrantingPermissions.

2.24 Does WAF Protect Both IPv4 and IPv6 Addresses?WAF can inspect requests from both IPv4 and IPv6 addresses of the same domainname to offer protection for your website.● WAF supports IPv6/IPv4 dual stack and provides IPv6 and IPv4 traffic

protection for the same domain name.● For web services that still use the IPv4 protocol stack, WAF supports the

NAT64 mechanism. (NAT64 is an IPv6 conversion mechanism that enablescommunication between the IPv6 and IPv4 hosts using network addresstranslation (NAT).) That is, WAF can convert an IPv4 source site to an IPv6website and converts external IPv6 access traffic to internal IPv4 traffic.

2.25 What Does QPS Stand For?Queries Per Second (QPS) indicates the number of requests per second. Forexample, an HTTP GET request is also called a query.

For details about the QPS supported by each WAF edition, see Edition.








2.26 What Is a Protected IP Address?A protected IP address is the IP address of a website to be protected.

2.27 Does WAF Support Vulnerability Detection?The basic web protection function of WAF can detect and block threats such asthird-party security tool vulnerability attacks. If you enable the scanner item whenconfiguring basic web protection rules, WAF detects scanners and crawlers, suchas OpenVAS and Nmap.

For details about how to configure a basic web protection rule, see Enabling BasicWeb Protection Rules.

2.28 Can I Use WAF for Free?WAF is a paid service. You need to buy it before use. WAF provides professional,enterprise, and premium editions for you. For details about the specifications andpricing details of each edition, see Product Pricing Details.

2.29 What Functions Does the Product Expert ServiceProvide?

When purchasing WAF, you can select the product expert service, including remotesupport and domain management services. You can purchase the remote supportand/or domain management based on your service requirements.

● WAF Remote Support

The HUAWEI CLOUD security service team provides technical support for WAFremote support and provides security expert services for HUAWEI CLOUDWAF users. WAF remote support helps you effectively use WAF to protect webassets, reduce service security risks, and reduce O&M personnel costs.

If you have purchased HUAWEI CLOUD WAF, have certain service monitoringcapabilities, and can cope with security vulnerabilities, you are advised toselect WAF remote support.

● WAF Domain Management

The HUAWEI CLOUD security service team provides technical support for WAFdomain management and provides security expert services for HUAWEICLOUD WAF users. WAF domain management helps you effectively use WAFto protect web assets, reduce service security risks, and reduce O&Mpersonnel costs.

If you have purchased HUAWEI CLOUD WAF but do not have the capability tocontinuously monitor services and handle security vulnerabilities, you areadvised to use WAF domain management.

For details, see WAF Remote Support and WAF Domain Management.





https://www.huaweicloud.com/en-us/pricing.html#/waf



2.30 Does WAF Support Two-Way SSL Authentication?No. For details about features of WAF, see Functions.

2.31 What Are the Differences Between WAF and VSS?Web Application Firewall (WAF) keeps web services stable and secure. It examinesall HTTP and HTTPS requests to detect and block the following attacks: StructuredQuery Language (SQL) injection, cross-site scripting (XSS), webshells, commandand code injections, file inclusion, sensitive file access, third-party vulnerabilityexploits, Challenge Collapsar (CC) attacks, malicious crawlers, and cross-siterequest forgery (CSRF).

Vulnerability Scan Service (VSS) detects the vulnerabilities in the servers andwebsites. It provides services such as vulnerability assessments, vulnerabilitylifecycle management, and scan customization. After you create a scan job, youcan manually start it to detect the vulnerabilities in the website and obtainrecommended fixes.

The biggest difference between the two services is that WAF can record and blockattacks to ensure the security and stability of web services. VSS scansvulnerabilities and offers suggestions to fix detected vulnerabilities. For detailsabout VSS, see What Is Vulnerability Scan Service.

2.32 Can I Export the Blacklist and Whitelist fromWAF?

No. WAF does not support exporting of the blacklist. You can view the configuredblacklist rules in the blacklist and whitelist rule list.

For details about how to configure the blacklist and whitelist, see ConfiguringBlacklist and Whitelist Rules.

2.33 Can WAF Check the Body I Add to the POSTRequest?

The built-in detection of WAF checks POST data, and web shells are the filessubmitted in POST requests. WAF checks all data, such as forms and JSON files inPOST requests based on the default protection policies.

You can configure a precise protection rule to check the body added to POSTrequests. For details about how to configure a precise protection rule, see AddingPrecise Protection Rules.

2.34 Will WAF Record Unblocked Events?No. WAF blocks attack events based on the configured protection rules andrecords only blocked attack events in protection event logs.




https://support.huaweicloud.com/en-us/productdesc-vss/vss_01_0009.html





For details about protection event logs, see Viewing Protection Event Logs.

2.35 How Does WAF Block Requests?WAF checks both the request header and body. For example, WAF detects therequest body, such as form, XML, and JSON data, and blocks requests that do notcomply with protection rules.

For details about the WAF protection process, see Configuration Guidance.

2.36 Does WAF Support Wildcard Domain Names?Yes. When adding a domain name to WAF, you can configure a single domainname or a wildcard domain name based on your service requirements. The detailsare as follows:

● Single domain nameConfigure a single domain name to be protected. For example,www.example.com

● Wildcard domain name– If the server IP address of each subdomain name is the same, configure a

wildcard domain name to be protected. For example, if the subdomainnames a.example.com, b.example.com, and c.example.com have thesame server IP address, you can directly add the wildcard domain name*.example.com to WAF for protection.

– If each subdomain name points to different server IP addresses, addsubdomain names as single domain names one by one.

For more details, see Adding a Domain Name.

2.37 Can the Combination of WAF, CDN, and AADWork?

No. The combination of WAF, CDN, and AAD cannot work; but each of thefollowing combinations works well: WAF and Advanced Anti-DDoS (AAD), WAFand Content Distribution Network (CDN), or AAD and CDN.

● For details about how to deploy both AAD and WAF, see Domain Setup withBoth Advanced Anti-DDoS and WAF Deployed.

● For details about how to deploy both CDN and WAF, see Domain Setup withBoth CDN and WAF Deployed.

● For details about how to deploy AAD and CDN, see Enabling Both AAD andCDN.

2.38 Does WAF Support Customized AuthorizationPolicies?

No. WAF does not support user-defined authorization policies. With IAM, you can:










https://support.huaweicloud.com/en-us/bestpractice-aad/aad_06_0004.html

https://support.huaweicloud.com/en-us/bestpractice-aad/aad_06_0004.html

● Create IAM users for employees based on the organizational structure of yourenterprise. Each IAM user has their own security credentials, providing accessto WAF resources.

● Grant only the permissions required for users to perform a task.● Entrust a HUAWEI CLOUD account or cloud service to perform professional

and efficient O&M on your WAF resources.

For details about WAF permissions, see Creating a User Group and GrantingPermissions.

2.39 Does WAF Block Customized POST Requests?No. WAF does not block user-defined POST requests. Figure 2-2 shows thedetection process of the built-in protection rules of the WAF engine for originalHTTP/HTTPS requests.





Figure 2-2 WAF engine detection process

For details about the WAF protection process, see Configuration Guidance.

2.40 Does WAF Support the CORS-Denied Policy?No. WAF does not support the configuration of a protection rule that deniesCross-Origin Resource Sharing (CORS) requests. For details about features of WAF,see Functions.





2.41 Can WAF Block Requests When a Certificate IsMounted on ELB?

If the certificate is mounted on ELB, all requests sent through WAF are encrypted.For HTTPS services, you must upload the certificate to WAF so that WAF candetect the decrypted request and determine whether to block the request.

2.42 What Are Local File Inclusion and Remote FileInclusion?

You can view security events such as file inclusion in WAF protection events toquickly locate attack sources or analyze attack events.

File inclusion indicates that program developers write repeatedly used functions toa single file. When a such function needs to be used, the file is directly invokedwithout re-writing. The file invoking process is called file inclusion. File inclusionvulnerabilities fall in two different categories, based on whether the file is aremotely hosted file or a local file available on the web server:

● Local file inclusion● Remote file inclusion

A file inclusion vulnerability allows an attacker to access unauthorized or sensitivefiles available on the web server or to execute malicious files on the web server byusing a such file. This vulnerability is mainly due to a bad input validationmechanism, wherein the user's input is passed to the file include commandswithout proper validation. The impact of this vulnerability can lead to maliciouscode execution on the server or reveal data present in sensitive files.

For details about protection event logs, see Viewing Protection Event Logs.

2.43 Can WAF Protect Websites Hosted on Non-HUAWEI CLOUD Servers?

Yes. WAF protects domain names of websites hosted on HUAWEI CLOUD and non-HUAWEI CLOUD servers. After you enable WAF and connect your website domainname to WAF, all access traffic of the website is forwarded to WAF for monitoringand protection.

For details about how to connect a domain name to WAF, see Adding a DomainName to WAF.






3 Domain Name Access Configuration

3.1 Which Non-Standard Ports Does WAF Support?In addition to standard ports 80 and 443, WAF supports non-standard ports. Thesupported non-standard ports vary depending on editions.

If you want to add a non-standard port when adding a protected domain name,select Non-standard Port and select the corresponding non-standard port fromthe Port drop-down list. Then the non-standard port can be connected to WAF.

Figure 3-1 Configuration of a non-standard port

Ports Supported by Each EditionWAF provides professional, enterprise, and premium editions. Table 3-1 lists theports that can be protected by each edition.

Table 3-1 Ports supported by each edition

Edition PortCategory

HTTP Protocol HTTPSProtocol

Port Limits

Professional

Standardports

80 443 Unlimited

Web Application FirewallFAQs 3 Domain Name Access Configuration




Port Limits

Non-standardports (88in total)

81, 82, 83, 84, 86, 87,88, 89, 800, 808,5000, 8000, 8001,8002, 8003, 8008,8009, 8010, 8020,8021, 8022, 8025,8026, 8077, 8078,8080, 8085, 8086,8087, 8088, 8089,8090, 8091, 8092,8093, 8094, 8095,8096, 8097, 8098,8106, 8118, 8181,8334, 8336, 8800,8686, 8888, 8889,8999, 8011, 8012,8013, 8014, 8015,8016, 8017, 8070,7009, 9001

4443, 5443,6443, 7443,8081, 8082,8083, 8084,8443, 8843,9443, 8553,8663, 9553,9663, 18110,18381, 18980,28443, 18443,8033, 18000,19000, 7072,7073, 8803,8804, 8805

10 non-standardportssupported bytheprofessionaledition

Enterprise

Standardports

80 443 Unlimited





Port Limits


9945, 9770, 81, 82,83, 84, 88, 89, 800,808, 1000, 1090,3128, 3333, 3501,3601, 4444, 5000,5222, 5555, 5601,6001, 6666, 6788,6789, 6842, 6868,7000, 7001, 7002,7003, 7004, 7005,7006, 7009, 7010,7011, 7012, 7013,7014, 7015, 7016,7018, 7019, 7020,7021, 7022, 7023,7024, 7025, 7026,7070, 7081, 7082,7083, 7088, 7097,7777, 7800, 7979,8000, 8001, 8002,8003, 8008, 8009,8010, 8020, 8021,8022, 8025, 8026,8077, 8078, 8080,8085, 8086, 8087,8088, 8089, 8090,8091, 8092, 8093,8094, 8095, 8096,8097, 8098, 8106,8118, 8181, 8334,8336, 8800, 8686,8888, 8889, 8989,8999, 9000, 9001,9002, 9003, 9080,9200, 9802, 10000,10001, 10080, 12601,86, 9021, 9023, 9027,9037, 9081, 9082,9201, 9205, 9207,9208, 9209, 9210,9211, 9212, 9213,48800, 87, 97, 7510,9180, 9898, 9908,9916, 9918, 9919,9928, 9929, 9939,28080, 33702, 8011,8012, 8013, 8014,8015, 8016, 8017,8070

8750, 8445,18010, 4443,5443, 6443,7443, 8081,8082, 8083,8084, 8443,8843, 9443,8553, 8663,9553, 9663,18110, 18381,18980, 28443,18443, 8033,18000, 19000,7072, 7073,8803, 8804,8805, 9999

18 non-standardportssupported bythe enterpriseedition





Port Limits

Premium Standardports

80 443 Unlimited





Port Limits


8899, 8006, 9945,9770, 81, 82, 83, 84,88, 89, 800, 808,1000, 1090, 3128,3333, 3501, 3601,4444, 5000, 5222,5555, 5601, 6001,6666, 6788, 6789,6842, 6868, 7000,7001, 7002, 7003,7004, 7005, 7006,7009, 7010, 7011,7012, 7013, 7014,7015, 7016, 7018,7019, 7020, 7021,7022, 7023, 7024,7025, 7026, 7070,7081, 7082, 7083,7088, 7097, 7777,7800, 7979, 8000,8001, 8002, 8003,8008, 8009, 8010,8020, 8021, 8022,8025, 8026, 8077,8078, 8080, 8085,8086, 8087, 8088,8089, 8090, 8091,8092, 8093, 8094,8095, 8096, 8097,8098, 8106, 8118,8181, 8334, 8336,8800, 8686, 8888,8889, 8989, 8999,9000, 9001, 9002,9003, 9080, 9200,9802, 10000, 10001,10080, 12601, 86,9021, 9023, 9027,9037, 9081, 9082,9201, 9205, 9207,9208, 9209, 9210,9211, 9212, 9213,48800, 87, 97, 7510,9180, 9898, 9908,9916, 9918, 9919,9928, 9929, 9939,28080, 33702, 8011,8012, 8013, 8014,

8750, 9190,9184, 9182,8950, 8920,8910, 8848,8445, 18010,4443, 5443,6443, 7443,8081, 8082,8083, 8084,8443, 8843,9443, 8553,8663, 9553,9663, 18110,18381, 18980,28443, 18443,8033, 18000,19000, 7072,7073, 8803,8804, 8805,9999, 8244,8224, 8281,8211, 8243,8221, 8231

58 non-standardportssupported bythe premiumedition





Port Limits

8015, 8016, 8017,8070, 8232

Why a Third-Party Detection Tool Can Detect My Non-Standard Ports ThatHave Not Been Enabled?

The non-standard port detection engine of WAF is shared by all users. So, a third-party detection tool can detect all non-standard ports that have been used inWAF. The port detection of the domain name is based on the port enabled for theorigin server IP address. Therefore, the port detection engine does not affect thesecurity of the origin server. In addition, WAF ensures the security of the engine IPaddresses returned by the customer after CNAME resolution.

3.2 How Do I Add a Domain Name to WAF?After connecting a domain name, WAF works as a reverse proxy between theclient and server. The real IP address of the server is hidden and only the IPaddress of WAF is visible to web visitors.

For details about add a domain name to WAF, see Adding a Domain Name.

3.3 What Data Needs to Be Prepared BeforeConnecting a Domain Name to WAF?

The following data needs to be prepared:

● Domain name

● Port number: the service port corresponding to the domain name to beprotected. WAF supports non-standard ports. For details, see Which Non-Standard Ports Does WAF Support?.

● Server information

– Client Protocol: protocol used by a client to access a server.

– Server Protocol: protocol over which WAF forwards client requests to theserver

– Server Address: public IP address (generally corresponding to the Arecord of the domain name configured on the DNS) or domain name(generally corresponding to the CNAME of the domain name configuredon the DNS) of the web server that a client accesses.

– Server Port: service port of the server to which WAF client requests areforwarded.

● Certificate: If HTTPS is set for Client Protocol, you need to purchase acertificate for the domain name and push the certificate to WAF.




3.4 How Do I Deploy Both CDN and WAF?After the domain name resolution record is resolved into the CNAME recordprovided by CDN, the back-to-source address of CDN needs to be changed to theCNAME of WAF. In this way, CDN forwards the traffic to WAF. WAF then filters outillegitimate traffic and only routes legitimate traffic back to the origin server. Afterthe configuration is complete, traffic is first processed by CDN and then forwardedto WAF, thereby achieving collaborative protection.

To prevent other users from configuring your domain names on WAF in advance(this will cause interference on your domain name protection), you are advised toadd a subdomain name and TXT record of WAF at your DNS provider.

For details about how to deploy both CDN and WAF, see Domain Setup withBoth CDN and WAF Deployed.

3.5 How Do I Deploy Both AAD and WAF?After the domain name resolution record is resolved into the CNAME recordprovided by Advanced Anti-DDoS, the back-to-source address of Advanced Anti-DDoS needs to be changed to the CNAME of WAF. In this way, Advanced Anti-DDoS forwards the traffic to WAF. WAF then filters out illegitimate traffic and onlyroutes legitimate traffic back to the origin server. After the configuration iscomplete, traffic is first processed by AAD and then forwarded to WAF, therebyachieving collaborative protection.

To prevent other users from configuring your domain names on WAF in advance(this will cause interference on your domain name protection), you are advised toadd a subdomain name and TXT record of WAF at your DNS provider.

For details about how to deploy both Advanced Anti-DDoS (AAD) and WAF, seeDomain Setup with Both Advanced Anti-DDoS and WAF Deployed.

3.6 How Do I Configure Domain Names to Be ProtectedWhen Adding Domain Names?

Before using WAF, you need to add domain names to be protected to WAF basedon your web service protection requirements. WAF supports addition of single






domain names and wildcard domain names. This section describes how toconfigure domain names to be protected.

Basic Concepts● Wildcard domain name

A wildcard domain name is a domain name that contains the wildcard * andstarts with *..For example, *.example.com is a correct wildcard domain name, but*.*.example.com is not.

A wildcard domain name counts as one domain name.

● Single domain nameA single domain name is also called a common domain name and is a specificdomain name (a non-wildcard domain name).For example, www.example.com or example.com is a single domain name.

For example, www.example.com counts as a domain name and so doesa.www.example.com.

Selecting a Domain Name TypeWAF supports single domain names and wildcard domain names.

The domain name purchased from the DNS service provider is a single domainname (example.com). The domain name added to WAF can be example.com, asubdomain name (for example, a.xample.com), or wildcard domain name(*.example.com). You can select a domain name type based on the followingscenarios:● If services of a domain name to be protected are the same, enter a single

domain name. For example, if all the services of www.example.com to beprotected are services on port 8080, set Domain Name to a single domainname www.example.com.

● If the server IP address of each subdomain name is the same, enter a wildcarddomain name to be protected. For example, if the server IP addressescorresponding to a.example.com, b.example.com, and c.example.com are thesame, Domain Name can be set to a wildcard domain name *.example.com.

● If the server IP addresses of subdomain names are different, add subdomainnames as single domain names one by one.

You are advised to set the added domain name to be protected to be the same as thedomain name that is set at the DNS provider.



3.7 What Are the Precautions for Configuring MultipleIP Addresses for Backend Servers?

● The service ports to be protected must be the same if you want to configuremultiple backend server IP addresses to the same domain name.

● When a domain name is added, WAF supports addition of multiple server IPaddresses. WAF routes legitimate requests back to origin servers in pollingmode, reducing the pressure on the servers and protecting the origin servers.For example, two backend server IP addresses (IP-A and IP-B) are added.When there are 10 requests for accessing the domain name, five requests areforwarded by WAF to the server identified by IP-A, and the other five requestsare forwarded by WAF to the server identified by IP-B.

● WAF does not support the health check function. When a server identified byan IP address is faulty, WAF still forwards traffic to the server identified by thisIP address. As a result, some services are affected. If you want to use thehealth check function of the server, you are advised to use both ELB and WAF.For details about how to configure ELB, see Backend Server (Enhanced LoadBalancer). After ELB is configured, the EIP of ELB is used as the IP address ofthe server to connect to WAF for health check.

3.8 How Do I Configure the Client Protocol and ServerProtocol?

This FAQ describes how to configure the client and server protocol.

WAF provides various protocol types. If your website is www.example.com, WAFprovides the following four access modes:

● HTTP mode. See Figure 3-2.

Figure 3-2 HTTP mode





NO TICE

You can use this configuration to access your website at http://www.example.com only. If you want to access websites at https://www.example.com, the system will output code 302 Found and your requestwill be redirected to http://www.example.com.

● HTTPS mode. This configuration allows web visitors to access your websiteover HTTPS only. If they access over HTTP, they are redirected to https://www.example.com. See Figure 3-3.

Figure 3-3 HTTPS mode

NO TICE

● If web visitors access your website over HTTPS, the website returns asuccessful response.

● If web visitors access your website over HTTP, they receive the 302 Foundcode and are directed to https://www.example.com.

● HTTP and HTTPS mode. See Figure 3-4.



Figure 3-4 HTTP and HTTPS mode

NO TICE

● If web visitors access your website over HTTP, the website returns asuccessful response but no communication between the browser andwebsite is encrypted.

● If web visitors access your website over HTTPS, the website returns asuccessful response and all communications between the browser andwebsite are encrypted.

● HTTPS/HTTP mode. See Figure 3-5.

Figure 3-5 HTTPS/HTTP mode



NO TICE

If web visitors access your website over HTTPS, WAF forwards the requests toyour origin server over HTTP.

3.9 What Are the Differences Between the Old andNew CNAMEs?

BackgroundWAF upgrades CNAMEs to improve the reliability of domain name resolution.

To ensure that an added domain name can be used properly, WAF retains the oldCNAME on the basic information page of the added domain name and displaysthe new CNAME, as shown in Figure 3-6.

Figure 3-6 New CNAME

Differences Between the Old and New CNAMEsThe new CNAME provides the resolution function for two heterogeneous active/active DNSs, improving the reliability of domain name resolution.

It is recommended that you select a new CNAME during domain name resolution.

3.10 Can I Set the IP Address of the Origin Server to aCNAME?

Yes. If the IP address of the origin server is set to a CNAME, additional DNSresolution is performed after a domain name is added. That is, the CNAME isresolved to an IP address first. DNS resolution increases the delay. Therefore, youare advised to set the origin server address to a public network IP address.

For details about how to add a domain name, see Adding a Domain Name.

3.11 Can I Access a Website Using an IP Address After aDomain Name Is Connected to WAF?

After a domain name is connected to WAF, you can enter the origin server IPaddress in the address bar of the browser to access the website. However, your




origin server IP address is easily exposed. As a result, attackers can bypass WAFand attack your origin server.

You are advised to configure origin server protection according to the instructionsin Origin Server Protection.

3.12 How Do I Configure Non-standard Ports WhenAdding a Protected Domain Name?

Configuration Example 1: Protecting Standard Port Services of DifferentOrigin Server IP Addresses on the Same Port

1. Deselect Non-standard Port.2. Select HTTP or HTTPS for Client Protocol. Figure 3-7 and Figure 3-8 show

the HTTP and HTTPS protection configurations of port 80 and port 403,respectively.

Figure 3-7 Port 80

Figure 3-8 Port 443

If Client Protocol is set to HTTPS, you need to configure a certificate.

3. When accessing a website, you can access the website without adding a portnumber to the end of the domain name. For example, enter http://www.example.com in the address box of the browser to access the website.




Configuration Example 2: Protecting Non-Standard Port Services of DifferentOrigin Server IP Addresses on the Same Port

1. Select Non-standard Port and select a non-standard port to be protectedfrom the Port drop-down list. For details about the non-standard portssupported by WAF, see Which Non-Standard Ports Does WAF Support?

2. Select HTTP or HTTPS for Client Protocol for all server ports. Figure 3-9 andFigure 3-10 show the configuration of non-standard HTTP or HTTPS port,respectively.

Figure 3-9 Other HTTP port besides port 80

Figure 3-10 Other HTTPS port besides port 443

If Client Protocol is set to HTTPS, you need to configure a certificate.

3. When accessing a website, you must add a non-standard port number to theend of the domain name. Otherwise, error 404 will be reported. For example,if the non-standard port is 8080, enter http://www.example.com:8080 in theaddress box of the browser.

Configuration Example 3: Protecting Different Service Ports

If the service ports to be protected are different, configure the ports separately.For example, to protect ports 8080 and 6443 for your site www.example.com, dothe configurations shown in Figure 3-11 and Figure 3-12.



https://support.huaweicloud.com/en-us/waf_faq/waf_01_0032.html

Figure 3-11 Protecting port 8080

Figure 3-12 Protecting port 6443



4 Service Interruption Check

4.1 How Do I Troubleshoot 404/502/504 Errors?If an error, such as 404 Not Found, 502 Bad Gateway, or 504 Gateway Timeout,occurs after a domain name is connected to WAF, use the following methods tolocate the cause and remove the error:

404 Not Found

Symptom 1: When a visitor accesses your website, the page shown in Figure 4-1is displayed.

Figure 4-1 404 page

Cause: The port added to a URL is incorrect.

● A non-standard port is configured when a protected domain name is added toWAF. No port is added or the origin server port rather than the non-standardport is used to access the website. For example, access https://www.example.com or https://www.example.com:80.

Web Application FirewallFAQs 4 Service Interruption Check


Figure 4-2 Configuration of a non-standard port

Solution: Add the non-standard port to the URL and access the origin serveragain, for example, https://www.example.com:8080.

● No non-standard port is configured when a protected domain name is addedto WAF. A non-standard port or one configured based on the origin serverport is used to access the website. For example, access https://www.example.com:8080 when the protection service shown in Figure 4-3 isconfigured.

Figure 4-3 Unconfiguration of a non-standard port

If no non-standard port is configured, WAF protects services on port 80/443 by default.If you need to protect services on other ports, re-configure domain settings.

Solution: Access the domain name directly. For example, https://www.example.com.

Symptom 2: When a visitor accesses your website, another 404 error page isdisplayed instead of the page shown in Figure 4-1.

Cause: The website does not exist or has been deleted.

Solution: Check your website.

502 Bad GatewaySymptom: Website access is normal after the WAF configuration is complete.However, after a certain period of time, a 502 Bad Gateway error is reportedfrequently when accessing a page.

If your web server is not deployed on HUAWEI CLOUD, you are advised to consult yourserver provider about whether the server has default block settings. If yes, ask the serviceprovider to remove the default block settings.

Possible causes are as follows:

● Cause 1: Your website is using another security protection software. Thesoftware considers back-to-source IP addresses of WAF as malicious and



blocks the requests forwarded by WAF. As a result, the site cannot beaccessed.Solution: Refer to How Do I Whitelist the WAF Back-to-Source IP AddressRanges? to add the WAF IP address ranges to the whitelist of the firewall(hardware or software), security protection software, and rate limitingmodule.

● Cause 2: Multiple backend servers are configured. However, one backendserver is unreachable.Perform the following steps to check whether the origin server configurationis correct:

a. Log in to the HUAWEI CLOUD console, click Service List in the upper partof the page, and choose Security > Web Application Firewall.

b. In the navigation pane, choose Domains. The Domains page is displayed.c. In the Domain Name column, click the target domain name. Its

information is displayed.

d. In the Server Information area, click . On the displayed page, checkwhether the client protocol, server protocol, origin server address, andport number used by the origin server are correct.

Figure 4-4 Server configuration

e. Run the curl command on the host to check whether each origin servercan be properly accessed, as shown in Figure 4-5.curl http://xx.xx.xx.xx:yy -kvv

xx.xx.xx.xx indicates the IP address of the origin server. yy indicates theport number of the origin server. xx.xx.xx.xx and yy must belong to thesame origin server.

● The host where the curl command can be run must meet the followingrequirements:● The network communication is normal.● The curl command has been installed. curl must be manually installed

on the host running the Windows operating system. curl is installedalong with other operating systems.

● You can also enter http://origin server address:origin server port in theaddress bar of the browser to check whether the origin server can be properlyaccessed.



https://curl.haxx.se/

Figure 4-5 Command output

If connection refused is displayed, the origin server is unreachable andwebsite cannot be accessed. Perform the following operations:

▪ Check whether the server is running properly. If it is not, restart theserver.

▪ Refer to How Do I Whitelist the WAF Back-to-Source IP AddressRanges? to add the WAF IP address ranges to the whitelist of thefirewall (hardware or software), security protection software, andrate limiting module.

● Cause 3: Origin server performanceSolution: Contact your website administrator to rectify the fault.

504 Gateway TimeoutSymptom: After the configuration of connecting a domain name to WAF iscomplete, your website works properly. However, with the increasing trafficvolume, the number of 504 errors increases as well. If you directly access the IPaddress of the origin server, the 504 error code is returned sometimes.

The possible causes are as follows:

● Cause 1: Backend server performance issues (such as too many connectionsor high CPU usage)Solution:

a. Optimize the server configuration, including TCP network parameters andulimit parameters.

b. To support increasing service volumes, use method 1 or method 2 toperform the processing.Method 1: Add a backend server group to the ELB. For details, seeAdding or Removing Backend Servers from an Enhanced LoadBalancer.Method 2: Create an ELB. For details, see Creating a Load Balancer. Usethe EIP of ELB as the IP address of the server to connect to WAF.

i. Log in to the HUAWEI CLOUD console, click Service List in the upperpart of the page, and choose Security > Web Application Firewall.

ii. In the navigation pane, choose Domains. The Domains page isdisplayed.

iii. In the Domain Name column, click the target domain name. Itsinformation is displayed.

iv. In the Server Information area, click . On the displayed page,click Add to add backend servers. See Figure 4-6.







c. If the Client Protocol is HTTPS, you can use HTTPS on the WAF side.However, it is recommended that HTTP (Server Protocol) be used toforward the requests to your web server, lowering the computationalpressure on backend servers. See Figure 4-7. For details about how tomodify the server information, see Editing Server Information.


● Cause 2: The WAF IP addresses are not whitelisted or your origin server portis not enabled.

Solution: Whitelist the WAF IP addresses by following instructions in OriginServer Protection.

● Cause 3: The origin server has a firewall and the firewall blocks the WAF IPaddresses.

Solution: Whitelist the WAF IP addresses by following the instructions inOrigin Server Protection or uninstall the firewall software except WAF.

● Cause 4: Connection timeout and read timeout

Solution: Contact technical support.

● Cause 5: The bandwidth of the origin server exceeds the upper limit.

Solution: Increase the bandwidth of the origin server.

4.2 How Do I Handle a False Alarm?You can handle false alarms in the event log if they appear frequently. You canchoose to ignore some URLs or rule IDs so that no alarms are reported or noblocking occurs when the URLs are attacked again.

Handle false alarms according to the instructions in Handling False Alarms.

4.3 What Is the Connection Timeout Duration of WAF?Can I Manually Set the Timeout Duration?

The timeout duration for the connection from the browser to the WAF engine is120 seconds, and that from WAF to the customer's origin server is 60 seconds. Thetimeout duration cannot be manually set.








4.4 How Do I Whitelist the WAF Back-to-Source IPAddress Ranges?

After your domain is connected to WAF, all requests are forwarded to WAF forinspection, and WAF returns the inspected traffic to the origin server. The processof returning traffic to the origin server through WAF is called back-to-source.

What are Back-to-Source IP Addresses?

From the perspective of a server, all web requests originate from WAF. The IPaddresses used by WAF forwarding are back-to-source IP addresses of WAF. Thereal client IP address is written into the X-Forwarded-For (XFF) HTTP header field.

Figure 4-8 Back-to-source IP address

Why Do I Need to Whitelist the WAF IP Address Ranges?

All web requests originate from a limited quantity of WAF IP addresses. Thesecurity software on the origin server may easily regard these IP addresses asmalicious and block them. Once WAF IP addresses are blocked, the website mayfail to be accessed or it opens extremely slowly. Therefore, you need to add theWAF IP addresses to the whitelist of the security software.

After your website is connected to WAF, you are advised to uninstall other security softwarefrom the origin server or allow only the requests from WAF to access your origin server. Thisensures normal access and protects the origin server from hacking.

Procedure

Step 1 Log in to the management console.



https://console.huaweicloud.com/?locale=en-us

Step 2 Click in the upper left corner of the management console and select a regionor project.

Step 3 Click in the upper left corner of the page and choose Security > WebApplication Firewall. In the navigation pane, choose Domains. The Domainspage is displayed.

Step 4 Click WAF Back-to-Source IP Addresses.

The back-to-source IP addresses are periodically updated. Whitelist the new IP addresses intime to prevent these IP addresses from being blocked.

Figure 4-9 Clicking WAF Back-to-Source IP Addresses

Step 5 In the displayed dialog box, click Copy to copy them all.

Figure 4-10 WAF Back-to-Source IP Addresses dialog box



Step 6 Open the security software on the origin server and add the copied IP addressranges to the whitelist.

----End

4.5 How Do I Solve the Problem of ExcessiveRedirection Times?

After a domain name is connected to WAF, if the system displays a messageindicating that there are excessive redirection times when a user requests to accessthe target domain name, the possible cause is that you have configured forcibleredirection from HTTP to HTTPS on the backend server and forwarding fromHTTPS (client protocol) to HTTP (server protocol) is configured on WAF, WAF isforced to redirect user requests, causing an infinite loop. You can edit serverinformation in WAF. For details, see Editing Server Information. Configure twopieces of server information about HTTP (client protocol) to HTTP (serverprotocol) and HTTPS (client protocol) to HTTPS (server protocol). Figure 4-11shows the server information after the configuration is complete.

Figure 4-11 Example configuration

4.6 How Do I Solve the Problem that HTTPS RequestsFail on Some Mobile Phones?

Open the browser on a mobile phone and access https://www.defix.cn. If thepage shown in Figure 4-12 is displayed, HTTPS requests fail on the mobile phonebecause the uploaded certificate chain is incomplete. Rectify the fault by referringto How Do I Fix an Incomplete Certificate Chain?.




Figure 4-12 Access failed

4.7 How Do I Fix an Incomplete Certificate Chain?If the certificate provided by the certificate authority is not found in the built-intruststore on your platform and the certificate chain does not have a certificateauthority, the certificate is incomplete. If you use the incomplete certificate toaccess the website corresponding to the protected domain name, the access willfail.

Use either of the following methods to fix it:

● Manually build up a complete certificate chain and upload the certificate.(This function is available soon.)

● Buy a certificate on HUAWEI CLOUD and upload it.

The latest Chrome version supports automatic verification of the trust chain.Huawei certificate is used as an example to describe how to manually create acomplete certificate chain:

Step 1 Check the certificate. Click the padlock in the address bar to view the certificatestatus (see Figure 4-13).



Figure 4-13 Viewing the certificate

Step 2 Check the certificate chain. Click Certificate. Select the Certificate Path tab andthen click the certificate name to view the certificate status (see Figure 4-14).



Figure 4-14 Viewing the certificate chain

Step 3 Save the certificates to the local PC one by one. Select the certificate name andclick the Details tab (see Figure 4-15).



Figure 4-15 Details

Step 4 Click Copy to File, and then click Next as prompted.

Step 5 Select Base-64 encoded X.509 (.CER) and click Next (see Figure 4-16).



Figure 4-16 Certificate Export Wizard

Step 6 After all certificates are exported to the local PC, open the certificate file inNotepad and rebuild the certificate according to the sequence shown in Figure4-17.

Figure 4-17 Certificate rebuilding

Step 7 Upload the certificate again.

----End



4.8 What Should I Do If Error Code 418 Is Reported?If the request contains malicious load and is intercepted by WAF, error 418 isreported when you access the domain name protected by WAF. You can view WAFprotection logs to view the cause. For details about protection event logs, seeViewing Protection Event Logs.

● If you confirm that the request is a normal service request, you can handlethe false alarm to prevent the recurrence of the protection event.

For details, see Handling False Alarms.

● If you confirm that the protection event is not a false alarm, your website isattacked and the malicious request is blocked by WAF.

4.9 What Should I Do If Error Code 523 Is Reported?If a request passes through WAF twice, WAF blocks the request to prevent aninfinite loop. In this case, error 523 occurs when you access the domain nameprotected by WAF.

You can use the following methods to deal with error 523:

● Direct the request to the internal DNS server so that the request can bypassthe public network.

● Configure the hosts file for invoking the server.

4.10 What Can I Do If the Login Page Is ContinuouslyRefreshed After a Domain Name Is Connected to WAF?

If the sticky session function is enabled for the client IP address, the same remote-IP address will be allocated to the same server. After the domain name isconnected to WAF, the remote-IP address will become the egress IP address ofWAF. In this case, if you log in to the home page, the page will be redirected formultiple times. To avoid this problem, modify the session persistence for remote_ipto variable x-forwarded-for of Nginx on your original server.

4.11 What Should I Do If the Program Access Page Failsto Respond After the HTTP Forwarding Policy IsConfigured?

If the page fails to respond after the HTTP forwarding policy is configured, addHTTP to HTTP and HTTPS to HTTPS forwarding protocol rules.

For details about how to configure a forwarding rule, see How Do I Solve theProblem of Excessive Redirection Times?.





5 Configuring IPv6 Addresses

5.1 Which Editions of WAF Support IPv6?Only premium edition of WAF supports IPv6 protection.

IPv6 protection

WAF can defend against attacks launched in the IPv6 environment, helping yoursource sites protect IPv6 traffic.

With the rapid popularization of the IPv6 protocol, new network environmentsand emerging fields are facing new security challenges. The IPv6 protectionfunction of HUAWEI CLOUD WAF helps you easily build a global securityprotection system.

● WAF supports IPv6/IPv4 dual stack and provides IPv6 and IPv4 trafficprotection for the same domain name.

● For web services that still use the IPv4 protocol stack, WAF supports theNAT64 mechanism. (NAT64 is an IPv6 conversion mechanism that enablescommunication between the IPv6 and IPv4 hosts using network addresstranslation (NAT).) That is, WAF can convert an IPv4 source site to an IPv6website and converts external IPv6 access traffic to internal IPv4 traffic.

5.2 What Are the Regions Support IPv6 Protection?All regions support IPv6 protection.

5.3 How Do I Check Whether the Origin Server IPAddress Configured in WAF Is an IPv6 Address?

Before performing this operation, ensure that a domain name has been added toWAF and the domain name has been connected to WAF.

Web Application FirewallFAQs 5 Configuring IPv6 Addresses


If a domain name www.example.com has been added, you can use the followingmethod to check whether the configured origin server IP address is an IPv6address:

Step 1 Open the cmd command line tool in the Windows operating system.

Step 2 Run the dig AAAA www.example.com command.

If the command output contains an IPv6 address, the configured origin server IPaddress is an IPv6 address.

Figure 5-1 Test result

----End

Web Application FirewallFAQs 5 Configuring IPv6 Addresses


6 Domain Name Resolution

6.1 How Do I Test WAF?Before directing the traffic to WAF, you are advised to perform local verification toensure that all configurations are correct.

Before testing WAF, ensure that the protocol, address, and port number used bythe origin server of the domain name (for example, www.example5.com), anduploaded certificate file and private key if Client Protocol is HTTPS are correct.

For details, see Testing WAF.

6.2 How Do I Route Website Traffic Through WAF?After adding your website to WAF, you need to connect the domain to WAF sothat the traffic passes through WAF. After the traffic is routed through WAF, WAFhelps you filter malicious requests and forward legitimate requests to the originserver.

How Does WAF Works● No proxy used

DNS resolves your domain name to the origin server IP address before the siteis moved to WAF. DNS resolves your domain name to the CNAME of WAFafter the site is moved to WAF. Then WAF inspects the incoming traffic andfilters out malicious traffic.

● A proxy (such as AAD) usedIf a proxy such as HUAWEI CLOUD Advanced Anti-DDoS (AAD) has been usedon your site before it is added to WAF, DNS resolves the domain name to theAAD IP address. In this case, the traffic passes through AAD and then AADroutes the traffic back to the origin server. After your site accesses WAF, theback-to-source address of the proxy (such as Advanced Anti-DDoS) needs tobe changed to the CNAME of WAF. In this way, the proxy forwards the trafficto WAF. WAF then filters out illegitimate traffic and only routes legitimatetraffic back to the origin server.

Web Application FirewallFAQs 6 Domain Name Resolution



● To ensure that WAF can properly forward requests, you are advised to performlocal verification by referring to Testing WAF before modifying the DNSconfiguration.

● To prevent other users from configuring your domain names on WAF in advance(this will cause interference on your domain name protection), you are advised toadd the subdomain name and TXT record at your DNS provider. WAF candetermine which user owns the domain name based on the subdomain name andTXT record. For details about the configuration method, see What Are theImpacts If a Subdomain Name and TXT Record Are Not Configured?

Operation GuideAfter a domain name is added, WAF generates a CNAME value, or CNAME,subdomain name, and TXT record for domain name resolution so that websitetraffic can pass through WAF based on whether a proxy is used for the addeddomain name before access to WAF. For details, see Table 6-1.

Table 6-1 Operation guide

Scenario Generated Parameter Value Operation Related toDomain Name Resolution

No proxy used CNAME The DNS obtains theCNAME of WAF.

Proxy used CNAME, subdomain name,and TXT record

● Change the back-to-source IP address of theproxy, such as AdvancedAnti-DDoS (AAD), tothe CNAME of WAF.

● (Optional) Add a WAFsubdomain name andTXT record at your DNSprovider.

ProcedureFor details, see Connecting a Domain Name to WAF.

6.3 What Are the Impacts If a Subdomain Name andTXT Record Are Not Configured?

After you add the domain name of the proxy, such as Advanced Anti-DDoS, inWAF, if the subdomain name and TXT record are not configured at your DNSprovider and other users configure the same domain name in WAF, your domainname protection will be interfered.







How to Determine

The target domain name is in gray in the domain name list, and the workingmode is Suspended and cannot be switched to Enabled. If this symptom occurs,your domain name has been occupied by another user.

Solution

Go to your DNS provider, add a subdomain name, and configure a TXT record forthe subdomain name. The following uses the target domain namewww.example.com as an example to describe how to configure the DNS serviceon HUAWEI CLOUD.

Step 1 Obtain the values of Subdomain Name and TXT Record.

1. Log in to the management console.

2. Access the Domains page.

Figure 6-1 Domains

3. In the Domain Name column, click the target domain namewww.example.com to go to the Basic Information page.

4. Locate the Access Status row and click How to Access?.

Figure 6-2 Domain name access information

If a domain name that uses a proxy, such as Advanced Anti-DDoS (AAD), has beenadded to WAF, the value of Proxy Configured is Yes.

5. In the displayed dialog box, click to copy the value of TXT Record.




Figure 6-3 Copying TXT Record

Step 2 Add a WAF subdomain name and TXT record at your DNS provider.

1. In the Operation column of the target domain name www.example.com,click Add Record Set.

Figure 6-4 DNS page

2. In the upper right corner of the displayed page, click Add Record Set to go tothe Add Record Set page.– Name: Paste the TXT record copied in Step 1.5 to the text box.– Type: Select TXT – Specify text records.– Alias: Select No.– Line: Select Default.– TTL (s): The recommended value is 5 min. A larger TTL value will make it

slower for synchronization and update of DNS records.– Value: Add quotation marks to the TXT record copied from Step 1.5 and

paste them in the text box, for example,"37c795804124dd4a0dd88defff8941f".

– Keep other settings unchanged.



Figure 6-5 Adding a record set

3. Click OK.

----End

6.4 How Do I Perform Verification Using HUAWEICLOUD DNS?

Verification by DNS typically requires operations from your domain nameadministrator. If you are managing your domain name on HUAWEI CLOUD andthe domain name is in your account, perform the verification using HUAWEICLOUD DNS.

NO TICE

If you are managing your domain name on another domain managementplatform (such as www.net.cn, www.xinnet.com, and www.dnspod.cn), perform theverification on the corresponding platform. For example, if your domain name ishosted on Alibaba Cloud, perform the verification on Alibaba Cloud.

In the following procedure, a TXT record2019030700000022ams1xbyevdn4jvahact9xzpicb565k9443mryw2qe99mbzpb



is added to domain name domain.com to show how to perform the verificationusing HUAWEI CLOUD DNS.

Prerequisites● You have obtained a username and its password for logging in to the

management console.

● You have obtained the configuration information (host record and recordvalue) required for domain name verification.

Procedure


Step 2 In the upper left corner of the console, click and choose Domain NameService under Network. In the navigation pane on the left, choose DNSResolution > Public Zones to display the public zones.

Figure 6-6 Public Zones page

Step 3 In the upper right corner of the page, click Create Public Zone. The Create PublicZone page is displayed.

Figure 6-7 Creating a public zone

Step 4 In the Name box, enter the domain name to be resolved domain.com and clickOK.

Step 5 In the public zone list, click the domain name. The record set of the domain isdisplayed.




Figure 6-8 List of record sets

Step 6 In the upper right corner of the page, click Add Record Set. The Add Record Setpage is displayed. Table 6-2 describes the parameters.


Table 6-2 Parameters for adding a record set

Parameter Description Example Value

Name Host record corresponding tothe domain name (You do notneed to manually add thesuffix.)

_dnsauth

Type Record set type. Set thisparameter to TXT – Specifytext records.

TXT – Specify text records



Parameter Description Example Value

Alias Whether to associate therecord set with a cloudresource name

No

Line Used when the DNS server isresolving a domain name. Itreturns the IP address of theserver according to the visitorsource.You must add a Default line toensure that the website isaccessible to all users.Default is selected by default.

Default

TTL (s) Caching period of the recordset, in seconds.The default value is 5 min.

5 min

Value Indicates the host record valuecorresponding to the domain.Use quotation marks whenentering the record value

"2019030700000022ams1xbyevdn4jvahact9xzpicb565k9443mryw2qe99mbzpb"

Weight The parameter is optional.Weight of the record set. Thedefault value is 1. The valueranges from 0 to 100.When multiple record sets ofthe same name and line arecreated in a zone, the one witha larger weight takes effect inpriority.

1

Tag The parameter is optional.This item is displayed whenyou switch on Other Settings.This parameter indicates theidentifier of a resource. Eachtag contains a key and a value.You can add 10 tags at most toa record set.

-

Description The parameter is optional.Description of the domainname. This item is displayedwhen you switch on OtherSettings.

-

Step 7 Click OK.



If the status of the record set is Normal, it indicates that the record set is addedsuccessfully.

DNS configuration records can be deleted only after the certificate is issued or revoked.

----End

6.5 How Do I Query a Domain Name Provider?By querying domain registration information, you can confirm the informationabout the DNS servers of a domain name and then perform authentication byDNS based on the DNS server information.

Procedure

Step 1 Open a browser and visit https://whois.domaintools.com/.

Step 2 Enter the domain name to be queried and click Search. The domain nameregistration details page is displayed.

Step 3 In the displayed information, check Name Servers to determine the DNS serversof the domain name.

If the value of Name Servers similar to Figure 6-10 is displayed, the DNS serversof the domain name are provided by HUAWEI CLOUD.

Figure 6-10 Name Servers

Perform the verification based on the DNS servers of the domain name as follows:

● If the DNS servers of the domain name are provided by HUAWEI CLOUD,perform the verification on HUAWEI CLOUD by referring to How Do IPerform Verification Using HUAWEI CLOUD DNS?

● If the DNS servers of the domain name are not provided by HUAWEI CLOUD,verify whether you want to migrate the domain from another DNS serviceprovider to HUAWEI CLOUD DNS.– If yes, perform the following operations:

i. Migrate the domain name from another DNS service provider toHUAWEI CLOUD DNS.

ii. Refer to How Do I Perform Verification Using HUAWEI CLOUDDNS? to perform the verification on HUAWEI CLOUD.

– If not, perform the verification on the corresponding platform. Forexample, if your domain name is hosted on Alibaba Cloud, perform theverification on Alibaba Cloud.

----End



6.6 Why Cannot the Protection Mode Be Enabled Aftera Domain Name Is Connected to WAF?

Another tenant has configured the same domain name in WAF. As a result, thedomain name ownership is occupied by another tenant. In this case, add asubdomain name and configure a TXT record for the subdomain name at yourDNS provider. For details, see What Are the Impacts If a Subdomain Name andTXT Record Are Not Configured?.

6.7 How Do I Configure the TXT Record on HUAWEICLOUD DNS Service?

After you add the domain name of the proxy, such as Advanced Anti-DDoS (AAD),in WAF, configured the subdomain name and TXT record at your DNS provider toprotect your domain names. If other users configure the same domain name inWAF, your protection for the domain name will be adversely affected.

If you use the DNS service on HUAWEI CLOUD, add double quotation marks ("")to the TXT record and paste them in the text box, for example,"37c795804124dd4a0dd88defff8941f".




For details about how to configure a subdomain name and TXT record on the DNSservice on HUAWEI CLOUD, see What Are the Impacts If a Subdomain Nameand TXT Record Are Not Configured?.

6.8 How Do I Use A Records for Domain NameResolution?

In the scenario that no proxies are used between the client and WAF, after yoursite is connected to WAF, DNS resolves your domain name to the CNAME of WAF.In this way, the traffic passes through WAF. WAF then filters out illegitimate trafficand only routes legitimate traffic back to the origin server.

When configuring domain name access, you need to configure alias resolution forthe domain name at the DNS provider of the domain name. If the Type of thedomain name host record added on DNS is A - Map domains to IPv4 addresses,complete the configuration based on the instructions in Changing the A Record.

6.9 Which Protection Levels Can Be Set for Basic WebProtection?

WAF provides three basic web protection levels: Low, Medium, and High. Thedefault option is Medium. Table 6-3 describes the protection levels.

Table 6-3 Protection levels

Protection Level Description

Low WAF only blocks the requests with obvious attacksignatures.If a large number of false alarms are reported, Low isrecommended.

Medium The default level is Medium, which meets a majority ofweb protection requirements.

High WAF blocks the requests with no attack signature buthave specific attack patterns.High is recommended if you want to block SQLinjection, XSS, and command injection attacks.

For details about how to configure a basic web protection rule, see Enabling BasicWeb Protection Rules.



https://support.huaweicloud.com/en-us/bestpractice-waf/waf_06_0018.html#section4



7 Rule Configuration

7.1 In Which Situations Will the WAF Policies Fail?Normally, all requests destined for your site will pass through WAF. However, ifyour site is using CDN and WAF, the WAF policy targeted at the requests forcaching static content will not take effect because CDN directly returns theserequests to the client.

7.2 How Do I Switch the Mode of Basic Web Protectionfrom Log only to Block?

This FAQ guides you to switch the mode of basic web protection to Block.

Perform the following operations:


Step 2 Access the protection configuration page.

Figure 7-1 Protection configuration page

Step 3 In the Basic Web Protection configuration area shown in Figure 7-2, select Blockfor Mode. Table 7-1 describes the parameters.

Web Application FirewallFAQs 7 Rule Configuration



Figure 7-2 Basic Web Protection configuration area

Table 7-1 Parameter description

Parameter Description

Status Status of Basic Web Protection

● : enabled.

● : disabled.

Mode ● Block: WAF blocks and logs detected attacks.● Log only: WAF logs detected attacks only.

NO TICE

Log only and Block are merely modes of basic web protection. CC attackprotection and precise protection have their own protective actions.

----End

7.3 When Is Cookie Used to Identify Users?During the configuration of a CC attack protection rule, if IP addresses cannotidentify users precisely, for example, when many users share an egress IP address,use Cookie to identify users.

If the cookie contains key values, such as the session value, of users, the key valuecan be used as the basis for identifying users.

NO TICE

Cookie-based identification may not be supported if the URL request configured ina CC attack protection policy is an API called by another service.

7.4 How Do I Configure a CC Attack Protection Rule?When a service interface is under an HTTP flood attack, you can set a CC attackprotection rule on the WAF console to relieve service pressure.

WAF provides the following settings for a CC attack protection rule:



● Number of requests allowed from a web visitor in a specified period● Identification of web visitors based on the IP address, cookie, or Referer field.● Action when the maximum limit is reached, such as Block or Verification

code

For details about configuration rules, see Configuring CC Attack ProtectionRules.

7.5 What Are the Differences Between Rate Limit andAllowable Frequency in a CC Rule?

When configuring a CC protection rule, if Advanced is selected for Mode andBlock dynamically is selected for Protection Action, you need to set both RateLimit and Allowable Frequency.

Differences● The rate limit period of Allowable Frequency is the same as that of Rate

Limit.● Allowable Frequency is lower than or equal to Rate Limit, and Allowable

Frequency can be 0.

Block PrincipleIf the access request frequency exceeds Rate Limit in a rate limit period,triggering blocking, the system dynamically adjusts the blocking threshold toAllowable Frequency in the next rate limit period. If Allowable Frequency is 0,all requests that meet the rule conditions in the next period are blocked afterblocking is triggered in the previous period.

7.6 What Do I Do If a Scanner, such as AppScan,Detects that the Cookie Is Missing Secure or HttpOnly?

Cookies are inserted by back-end web servers and can be implemented throughframework configuration or set-cookie. Secure and HttpOnly in cookies helpdefend against attacks, such as XSS attacks to obtain cookies, and help defendagainst cookie hijacking.

If the AppScan scanner detects that the customer site does not insert securityconfiguration fields, such as HttpOnly and Secure, into the cookie of the scanrequest after scanning the website, it records them as security threats.

WAF does not provide such compliance functions. The website administrator needsto perform related security configuration at the backend.

7.7 Is the Path of a WAF Protection Rule Case-sensitive?

All paths configured for protection rules of WAF are case-sensitive.





7.8 Can I Export or Back Up the WAF Configuration?The current WAF configuration cannot be exported or backed up.

7.9 How Do I Block Abnormal IP Addresses?You can blacklist an abnormal IP address. WAF directly blocks all the requestsfrom the blacklisted IP address.

To blacklist an IP address, perform the following steps:


Step 2 Access the protection configuration page.

Figure 7-3 Protection configuration page

Step 3 In the Blacklist and Whitelist configuration area, change Status as needed andclick Customize Rule. The Blacklist and Whitelist page is displayed. See Figure7-4.

Figure 7-4 Blacklist and Whitelist configuration area

Step 4 In the upper left corner of the Blacklist and Whitelist page, click Add Rule.

Step 5 In the displayed dialog box, add a blacklist or whitelist rule.

● After an IP address is added to a blacklist or whitelist, WAF does not detect but blocksor allows the requests from this IP address.

● After Log only is configured for an IP address, WAF detects and records the events dataof the IP address based on the protection rule for the access from the IP address.

● Other IP addresses are detected based on the configured WAF protection rules.




Figure 7-5 Adding a blacklist or whitelist rule

Step 6 Click OK. The added blacklist or whitelist is displayed in the list of blacklist orwhitelist rules.

Figure 7-6 List of blacklist or whitelist rules

● After a rule is added, the default Rule Status is Enabled. If you do not wantto make the rule take effect, click Disable in the Operation column of therule.

● To modify the added rule, click Modify in the row containing the target rule.● To delete the added rule, click Delete in the row containing the target rule.

----End



8 Protection Events

8.1 Does WAF Provide the Log Service?WAF does not provide the log service. However, you can use CTS logs to view WAFmonitoring-related metrics.

8.2 Can WAF Logs Be Obtained Using APIs?Currently, protection logs of WAF cannot be obtained using APIs. You candownload protection events on the WAF console. For details, see DownloadingEvents Data.

8.3 How Do I Obtain Blocked Data?WAF allows you to download the attack events (logged-only and blocked events)data of all protected domain names over the past five days, the protection eventdata of the current day, and the PDF file of the protection event data generated inthe early morning of the next day. For details about how to obtain blocked data,see Downloading Events Data.

8.4 Can WAF Logs Be Transferred to OBS?WAF does not support transferring logs to an OBS bucket.

You can download WAF protection logs. For details, see Downloading EventsData.

8.5 Can WAF Forward Logs to the Syslog Server?WAF does not support forwarding logs to the Syslog server.

You can download WAF protection logs. For details, see Downloading EventsData.

Web Application FirewallFAQs 8 Protection Events









9 Purchase

9.1 Is the Service Bandwidth Calculated Based on theIncoming Traffic or Outgoing Traffic?

The service bandwidth in WAF is calculated by WAF itself and is not associatedwith the bandwidth or traffic limit of other HUAWEI CLOUD products (such asCDN, ELB, and ECS). For more information about bandwidth, see BandwidthExpansion Package.

9.2 What Is the Charging Standard of WAF?WAF provides three editions and two expansion packages. The three editions areprofessional, enterprise, and ultimate. The two expansion packages are domainand bandwidth expansion packages. You are charged on a monthly or yearly basisby the WAF edition and expansion package selected.

Billing mode: Yearly/Monthly

Billing items: service edition, expansion package, and product expert service

Payment plan: pre-payment

Billing cycle: Yearly or monthly. A bill is generated each time you make a purchase.

Subscription cycle: You are charged monthly or yearly from the date of purchase.Buy one year to get a 17% discount.

Expiration description: If you do not renew your WAF service timely after it expires,HUAWEI CLOUD provides a grace period and retention period.

The duration of the grace period and retention period depends your level. Fordetails, see Grace Period and Retention Period.● During this period, WAF forwards traffic but your protection policies will not

work.● When this period is over, resources will be cleared, that is, all configurations of

your domain names will be deleted. During the clearing period, domainnames are pointed back to origin severs by default. However, services on your

Web Application FirewallFAQs 9 Purchase





domain names may not run properly because there may be inconsistenciesbetween your configured protocols and ports.

For price details, see Product Pricing Details.

9.3 How Do I Renew WAF?This section describes how to renew WAF when it is about to expire. After therenewal, users can continue to use WAF.

Before the service expires, the system will send an SMS message or email toremind you to renew it.

If you do not renew the service after it expires, the public cloud platform providesa grace period and retention period.

The duration of the grace period and retention period depends your level. Fordetails, see Grace Period and Retention Period.

● During this period, WAF forwards traffic but your protection policies will notwork.

● When this period is over, resources will be cleared, that is, all configurations ofyour domain names will be deleted. During the clearing period, domainnames are pointed back to origin severs by default. However, services on yourdomain names may not run properly because there may be inconsistenciesbetween your configured protocols and ports.

To avoid unnecessary loss, you are advised to renew your WAF account.

● If you have selected Auto-renew when buying WAF, the system automatically generatesa renewal order and renews your subscription before WAF expires.

● If you use a member account, grant the BSS Administrator permission to it so that youcan renew the expired subscription using this member account.

Prerequisites● Login credentials have been obtained.

● You have bought WAF.

Procedure


Step 2 Click in the upper left corner of the management console and select a regionor project.

Step 3 Click at the upper left corner of the page and choose Security > WebApplication Firewall. The Dashboard page is displayed.

Step 4 Click Renew in the upper right corner of the page.



https://www.huaweicloud.com/en-us/pricing.html?#/waf


Figure 9-1 Renewal

Step 5 On the renewal management page, complete the renewal as prompted.

For details, see Manually Renewing a Resource.

----End

9.4 How Do I Unsubscribe from WAF?This section describes how to unsubscribe from WAF.

If you use a member account, grant the BSS Administrator permission to it so that you canunsubscribe from WAF using this member account.

Prerequisites● Login credentials have been obtained.

● WAF was bought within the last five days.

Procedure


Step 2 In the upper right part of the page, click Billing. The Billing Center page isdisplayed.

Step 3 In the navigation pane, choose Unsubscriptions and Changes > Unsubscriptions.

Step 4 Complete the unsubscription operations as prompted.

For details, see Unsubscription Rules.

----End



https://support.huaweicloud.com/en-us/usermanual-billing/en-us_topic_0072297179.html

https://support.huaweicloud.com/en-us/usermanual-billing/en-us_topic_0083138805.html

9.5 How Do I Reduce the WAF Quota?Currently, WAF offers professional, enterprise, and premium editions. If you wantto reduce the WAF quota, you can unsubscribe from the current WAF edition andpurchase a WAF of a lower edition.

● For details about the quota of each WAF edition, see Edition.● For details about unsubscription, see How Do I Unsubscribe from WAF?.

9.6 Can I Purchase the Basic Edition of WAF?Currently, WAF offers professional, enterprise, and premium editions. If you havepurchased the basic edition, upgrade it to any editions of WAF.

For details about how to upgrade, see Upgrading the Edition.





10 Domain Name Editing

10.1 How Do I Safely Delete a Protected DomainName?

To delete a domain name that has not been connected to WAF, perform thefollowing operations. To delete a domain name that has been connected to WAF,re-resolve it with the DNS provider to the origin server before performing thefollowing operations.


Step 2 Access the page for deleting a domain name.

Figure 10-1 Deleting a domain name

Step 3 In the Delete Domain Name dialog box, delete the domain name.● For the scenario where no proxy is used: (see Figure 10-2.)

Web Application FirewallFAQs 10 Domain Name Editing



– Ensure that related configurations are completed and select The CNAME of thedomain name has been deleted from the DNS provider, and an A record hasbeen configured to the origin server IP address, or services carried on thedomain name have been brought offline.

– If you want to retain the policy bound to the domain name, select Retain thepolicy of this domain name.

Figure 10-2 Deleting a domain name (without a proxy)

● For the scenario where a proxy is used: (see Figure 10-3.)

– Ensure that related configurations are completed and select The domain namehas been pointed to the origin server on the Advanced Anti-DDoS, CDN, orcloud acceleration product side, or services carried on the domain name havebeen brought offline.

– If you want to retain the policy bound to the domain name, select Retain thepolicy of this domain name.

Figure 10-3 Deleting a domain name (with a proxy)

Step 4 Click OK. If Domain name deleted successfully is displayed in the upper rightcorner, the domain name is deleted.

----End

Web Application FirewallFAQs 10 Domain Name Editing


11 Certificate

11.1 How Do I Select a Certificate When Configuring aWildcard Domain Name in WAF?

Each domain name must correspond to a certificate. A wildcard domain name canonly be used for a wildcard domain certificate. If you have not purchased awildcard domain certificate and have only a single-domain certificate, you canonly add domain names one by one in WAF.

11.2 How Do I Delete a Certificate Configured for aProtected Domain Name?

WAF does not support certificate deletion because website service securityaccidents may occur if a certificate is deleted accidentally.

11.3 How Do I Modify a Certificate?If the purchased certificate is about to expire, you are advised to purchase a newcertificate before the expiration date and update the certificate associated withthe domain name in WAF.

Perform the following operations:


Step 2 Access the domain name configuration page.

Web Application FirewallFAQs 11 Certificate



Figure 11-1 Domains

Step 3 In the Domain Name column, click the target domain name. Its information isdisplayed.

Step 4 Click next to Server Information. If Client Protocol is HTTPS, select a newcertificate from the certificate drop-down list or import a new certificate.

----End

Web Application FirewallFAQs 11 Certificate


A Change History

Released On Description

2020-03-31 This issue is the fiftieth official release.Updated some screenshots.

Web Application FirewallFAQs A Change History



2020-03-19 This issue is the forty-ninth official release.● Modified supported non-standard ports in for Which

Non-Standard Ports Does WAF Support?● Optimized descriptions in What Are Regions and AZs?● Added the following FAQs:

– What Does QPS Stand For?– What Is a Protected IP Address?– Does WAF Support Vulnerability Detection?– Can I Use WAF for Free?– What Should I Do If Error Code 418 Is Reported?– What Should I Do If Error Code 523 Is Reported?– How Do I Block Abnormal IP Addresses?– What Functions Does the Product Expert Service

Provide?– Does WAF Support Two-Way SSL Authentication?– What Are the Differences Between WAF and VSS?– How Do I Configure the TXT Record on HUAWEI

CLOUD DNS Service?– Can I Export the Blacklist and Whitelist from WAF?– Can WAF Check the Body I Add to the POST

Request?– Will WAF Record Unblocked Events?– Can WAF Logs Be Transferred to OBS?– How Do I Reduce the WAF Quota?– How Does WAF Block Requests?– How Do I Use A Records for Domain Name

Resolution?– Does WAF Support Wildcard Domain Names?– What Are Local File Inclusion and Remote File

Inclusion?– Can the Combination of WAF, CDN, and AAD

Work?– Does WAF Block Customized POST Requests?– Can I Purchase the Basic Edition of WAF?– Does WAF Support Customized Authorization

Policies?– Can WAF Forward Logs to the Syslog Server?– What Should I Do If the Program Access Page Fails

to Respond After the HTTP Forwarding Policy IsConfigured?




– Can WAF Protect Websites Hosted on Non-HUAWEI CLOUD Servers?

– Which Protection Levels Can Be Set for Basic WebProtection?

– Can WAF Block Requests When a Certificate IsMounted on ELB?

– Does WAF Support the CORS-Denied Policy?– What Can I Do If the Login Page Is Continuously

Refreshed After a Domain Name Is Connected toWAF?

2020-03-06 This issue is the forty-eighth official release.Added the following FAQs:● How Do I Calculate the Protection Bandwidth?● What Should I Do If the Traffic Exceeds the Protection

Bandwidth of WAF?● What Are the Feature Differences Among

Professional, Enterprise, and Premium Editions?● How Do I Add a Domain Name to WAF?● How Do I Deploy Both CDN and WAF?● How Do I Deploy Both AAD and WAF?

2020-03-03 This issue is the forty-seventh official release.● Adjusted the document structure.● Updated screenshots and descriptions in What Are the

Impacts If a Subdomain Name and TXT Record AreNot Configured?

2020-01-10 This issue is the forty-sixth official release.● Added Does WAF Protect Both IPv4 and IPv6

Addresses?.● Added How Do I Check Whether the Origin Server IP

Address Configured in WAF Is an IPv6 Address?.● Added Does WAF Support the WebSocket Protocol?.● Added Can My WAF Be Shared by Multiple Accounts?.● Optimized descriptions in Can WAF Protect an IP

Address?.

2019-12-26 This issue is the forty-fifth official release.Optimized descriptions in Which Non-Standard Ports DoesWAF Support?.

2019-12-20 This issue is the forty-fourth official release.Optimized descriptions in Which Non-Standard Ports DoesWAF Support?.




2019-12-16 This issue is the forty-third official release.Updated the navigation path illustration.

2019-12-09 This issue is the forty-second official release.● Added What Is the Connection Timeout Duration of

WAF? Can I Manually Set the Timeout Duration?.● Added What Data Needs to Be Prepared Before

Connecting a Domain Name to WAF?.● Added What Are the Regions Support IPv6

Protection?.● Optimized descriptions in Can WAF Protect Offline

Servers?.● Optimized descriptions in Can WAF Protect an IP

Address?.

2019-11-14 This issue is the forty-first official release.Optimized descriptions in Which Non-Standard Ports DoesWAF Support?.

2019-11-07 This issue is the fortieth official release.Added What Are the Differences Between Rate Limit andAllowable Frequency in a CC Rule?.

2019-11-05 This issue is the thirty-ninth official release.Optimized descriptions in How Do I Troubleshoot404/502/504 Errors?.

2019-11-04 This issue is the thirty-eighth official release.● Added Does WAF Have the IPS Module?.● Added Can WAF Protect Offline Servers?.● Added Does WAF Support File Caching?.● Added Is the Path of a WAF Protection Rule Case-

sensitive?.● Added Can I Export or Back Up the WAF

Configuration?.● Added How Do I Handle Insufficient Protection Rules?.




2019-10-30 This issue is the thirty-seventh official release.● Added Why Cannot the Protection Mode Be Enabled

After a Domain Name Is Connected to WAF?.● Added How Do I Perform Verification Using HUAWEI

CLOUD DNS?.● Added How Do I Query a Domain Name Provider?.● Added Can I Use WAF Without a Domain Name?.● Added How Do I Select a Certificate When

Configuring a Wildcard Domain Name in WAF?.● Added Does WAF Support HTTP/2?.● Added How Many Rules Can Be Added to WAF?.● Added Does WAF Support Health Check?.● Added How Long Can Protection Logs Be Stored?.● Added How Do I Obtain Blocked Data?.● Added Does WAF Provide the Log Service?.● Added Can WAF Logs Be Obtained Using APIs?.

2019-10-21 This issue is the thirty-sixth official release.Added What Are the Impacts If a Subdomain Name andTXT Record Are Not Configured?.

2019-10-17 This issue is the thirty-fifth official release.● Optimized descriptions in How Do I Route Website

Traffic Through WAF?.● Deleted "What Should I Do If the DNS Status Is

Abnormal?"

2019-10-14 This issue is the thirty-fourth official release.● Optimized descriptions in Which Non-Standard Ports

Does WAF Support?.● Optimized descriptions in How Do I Troubleshoot

404/502/504 Errors?.● Optimized descriptions in Which OSs Does WAF

Support?.● Optimized descriptions in Which Web Service

Frameworks Does WAF Support?.




2019-09-12 This issue is the thirty-third official release.● Added What Do I Do If a Scanner, such as AppScan,

Detects that the Cookie Is Missing Secure orHttpOnly?.

● Added Is the Service Bandwidth Calculated Based onthe Incoming Traffic or Outgoing Traffic?.

● Added What Are the Differences Between thePermissions of a Master Account and Those of aSubaccount?.

2019-09-06 This issue is the thirty-second official release.● Added What Are the Differences Between the Old and

New CNAMEs?.● Added Can I Set the IP Address of the Origin Server to

a CNAME?.● Optimized descriptions in How Do I Troubleshoot

404/502/504 Errors?.● Optimized descriptions in How Do I Modify a

Certificate?.

2019-08-28 This issue is the thirty-first official release.● Optimized descriptions in How Do I Troubleshoot

404/502/504 Errors?.● Added the link to the best practice in How Do I Obtain

the Real IP Address of a Web Visitor?.● Added links to related sections in How Do I Configure a

CC Attack Protection Rule?.● Added links to related sections in How Do I Route

Website Traffic Through WAF?.

2019-08-20 This issue is the thirtieth official release.Optimized some illustrations in the document.

2019-08-15 This issue is the twenty-ninth official release.● Added How Do I Solve the Problem of Excessive

Redirection Times?.● Optimized descriptions in How Do I Route Website

Traffic Through WAF?.

2019-07-15 This issue is the twenty-eighth official release.● Added How Do I Renew WAF?.● Added How Do I Unsubscribe from WAF?.● Optimized descriptions in How Do I Configure Domain

Names to Be Protected When Adding DomainNames?.




2019-07-11 This issue is the twenty-seventh official release.Optimized descriptions in How Do I Configure DomainNames to Be Protected When Adding Domain Names?.

2019-07-02 This issue is the twenty-sixth official release.Added How Do I Configure Domain Names to BeProtected When Adding Domain Names?.

2019-07-01 This issue is the twenty-fifth official release.● Added What Are the Precautions for Configuring

Multiple IP Addresses for Backend Servers?.● Optimized descriptions in How Do I Troubleshoot

404/502/504 Errors?.

2019-06-18 This issue is the twenty-fourth official release.● Added What Are the Restrictions on Using WAF in

Enterprise Projects?.● Added In Which Situations Will the WAF Policies Fail?.

2019-06-06 This issue is the twenty-third official release.● Added In Which Regions Is WAF Available?.● Added Is There Any Limit for File Upload?.● Optimized descriptions in Which Non-Standard Ports

Does WAF Support?.

2019-05-30 This issue is the twenty-second official release.Optimized descriptions in How Do I Route Website TrafficThrough WAF?.

2019-05-16 This issue is the twenty-first official release.Optimized descriptions in How Do I Route Website TrafficThrough WAF?.

2019-05-14 This issue is the twentieth official release.Optimized descriptions in How Do I Troubleshoot404/502/504 Errors?.




2019-05-05 This issue is the nineteenth official release.● Added How Do I Whitelist the WAF Back-to-Source IP

Address Ranges?.● Added How Do I Solve the Problem that HTTPS

Requests Fail on Some Mobile Phones?.● Optimized descriptions in How Do I Troubleshoot

404/502/504 Errors?.● Optimized descriptions in Which Non-Standard Ports

Does WAF Support?.● Optimized descriptions in How Do I Route Website

Traffic Through WAF?.

2019-02-20 This issue is the eighteenth official release.● Optimized descriptions in Which Non-Standard Ports

Does WAF Support?.● Optimized descriptions in What Is the Charging

Standard of WAF?.

2019-01-03 This issue is the seventeenth official release.Adjusted the document layout.

2018-11-08 This issue is the sixteenth official release.Optimized some descriptions.

2018-10-29 This issue is the fifteenth official release.Optimized descriptions in Which Non-Standard Ports DoesWAF Support?.

2018-09-12 This issue is the fourteenth official release.Added How Do I Fix an Incomplete Certificate Chain?.

2018-07-19 This issue is the thirteenth official release.● Added How Do I Obtain the Real IP Address of a Web

Visitor?.● Optimized descriptions in How Do I Modify a

Certificate?.● Updated the screenshots based on the GUI changes.

2018-07-05 This issue is the twelfth official release.● Optimized descriptions in How Do I Route Website

Traffic Through WAF?.● Optimized descriptions in How Do I Test WAF?.

2018-06-14 This issue is the eleventh official release.Updated the screenshots based on the GUI changes.




2018-06-07 This issue is the tenth official release.Added How Do I Modify a Certificate?.

2018-05-31 This issue is the ninth official release.Added How Do I Troubleshoot 404/502/504 Errors?.

2018-05-17 This issue is the eighth official release.Added How Do I Configure the Client Protocol andServer Protocol?.

2018-04-12 This issue is the seventh official release.Added content about sensitive data leakage protection inWhat Protection Rules Does WAF Support?.

2018-04-02 This issue is the sixth official release.● Optimized descriptions in Which Non-Standard Ports

Does WAF Support?.● Updated the GUI description and screenshots based on

the GUI changes.

2018-03-31 This issue is the fifth official release.● Added How Do I Switch the Mode of Basic Web

Protection from Log only to Block?.● Updated the GUI description and screenshots based on

the GUI changes.

2018-03-27 This issue is the fourth official release.● Added Which Non-Standard Ports Does WAF Support?.● Added How Do I Route Website Traffic Through WAF?.● Added How Do I Test WAF?.● Added How Do I Safely Delete a Protected Domain

Name?.● Added Can WAF Continue Protecting a Domain Name

When It Expires?.● Added FAQ "How Do I Enable WAF?"● Updated the GUI description and screenshots based on

the GUI changes.

2018-01-16 This issue is the third official release.Added Can WAF Protect an IP Address?.

2018-01-11 This issue is the second official release.● Added What Protection Rules Does WAF Support?.● Added Which Layer Does WAF Provides Protection At?.

2017-10-30 This issue is the first official release.



Documents

Web Application Firewall - HUAWEI CLOUD2.43 Can WAF Protect Websites Hosted on Non-HUAWEI CLOUD Servers?.....15 3 Domain Name Access Configuration.....16 3.1 Which 3.2 How Do I Add