Web Application Firewall FAQs Issue 50 Date 2020-03-31 HUAWEI TECHNOLOGIES CO., LTD.


Web Application Firewall

FAQs

Issue 50

Date 2020-03-31

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2020. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Issue 50 (2020-03-31) Copyright © Huawei Technologies Co., Ltd. i


Contents

1 Protection Bandwidth/Specifications
  1.1 How Do I Calculate the Protection Bandwidth?
  1.2 What Should I Do If the Traffic Exceeds the Protection Bandwidth of WAF?
  1.3 How Do I Handle Insufficient Protection Rules?
  1.4 What Are the Differences Between the Enterprise Edition and Premium Edition?

2 Product Function Consultation
  2.1 How Do I Obtain the Real IP Address of a Web Visitor?
  2.2 Can WAF Protect Offline Servers?
  2.3 Can WAF Protect an IP Address?
  2.4 What Are the Differences Between the Permissions of a Master Account and Those of a Subaccount?
  2.5 Can I Use WAF Without a Domain Name?
  2.6 Which OSs Does WAF Support?
  2.7 Which Web Service Frameworks Does WAF Support?
  2.8 What Protection Rules Does WAF Support?
  2.9 Which Layer Does WAF Provide Protection At?
  2.10 Can WAF Continue Protecting a Domain Name When It Expires?
  2.11 Can WAF Protect HTTPS Services?
  2.12 Is There Any Limit for File Upload?
  2.13 In Which Regions Is WAF Available?
  2.14 What Are the Restrictions on Using WAF in Enterprise Projects?
  2.15 What Are Regions and AZs?
  2.16 Does WAF Support HTTP/2?
  2.17 How Many Rules Can Be Added to WAF?
  2.18 Does WAF Support Health Check?
  2.19 Does WAF Have the IPS Module?
  2.20 Does WAF Support File Caching?
  2.21 Does WAF Support the WebSocket Protocol?
  2.22 Can My WAF Be Shared by Multiple Accounts?

3 Domain Name Access Configuration
  3.1 Which Non-Standard Ports Does WAF Support?
  3.2 How Do I Add a Domain Name to WAF?
  3.3 What Data Needs to Be Prepared Before Connecting a Domain Name to WAF?
  3.4 How Do I Deploy Both CDN and WAF?
  3.5 How Do I Configure Domain Names to Be Protected When Adding Domain Names?
  3.6 What Are the Precautions for Configuring Multiple IP Addresses for Backend Servers?
  3.7 How Do I Configure the Client Protocol and Server Protocol?
  3.8 What Are the Differences Between the Old and New CNAMEs?
  3.9 Can I Set the IP Address of the Origin Server to a CNAME?
  3.10 Can I Access a Website Using an IP Address After a Domain Name Is Connected to WAF?
  3.11 How Do I Configure Non-standard Ports When Adding a Protected Domain Name?

4 Service Interruption Check
  4.1 How Do I Troubleshoot 404/502/504 Errors?
  4.2 How Do I Handle a False Alarm?
  4.3 What Is the Connection Timeout Duration of WAF? Can I Manually Set the Timeout Duration?
  4.4 How Do I Whitelist the WAF Back-to-Source IP Address Ranges?
  4.5 How Do I Solve the Problem of Excessive Redirection Times?
  4.6 How Do I Solve the Problem that HTTPS Requests Fail on Some Mobile Phones?
  4.7 How Do I Fix an Incomplete Certificate Chain?

5 Domain Name Resolution
  5.1 How Do I Test WAF?
  5.2 How Do I Route Website Traffic Through WAF?
  5.3 What Are the Impacts If a Subdomain Name and TXT Record Are Not Configured?
  5.4 How Do I Perform Verification Using HUAWEI CLOUD DNS?
  5.5 How Do I Query a Domain Name Provider?
  5.6 Why Cannot the Protection Mode Be Enabled After a Domain Name Is Connected to WAF?

6 Rule Configuration
  6.1 In Which Situations Will the WAF Policies Fail?
  6.2 How Do I Switch the Mode of Basic Web Protection from Log only to Block?
  6.3 When Is Cookie Used to Identify Users?
  6.4 How Do I Configure a CC Attack Protection Rule?
  6.5 What Are the Differences Between Rate Limit and Allowable Frequency in a CC Rule?
  6.6 What Do I Do If a Scanner, such as AppScan, Detects that the Cookie Is Missing Secure or HttpOnly?
  6.7 Is the Path of a WAF Protection Rule Case-sensitive?
  6.8 Can I Export or Back Up the WAF Configuration?

7 Protection Events
  7.1 Does WAF Provide the Log Service?
  7.2 Can WAF Logs Be Obtained Using APIs?
  7.3 How Do I Obtain Blocked Data?
  7.4 How Long Can Protection Logs Be Stored?

8 Purchase
  8.1 Is the Service Bandwidth Calculated Based on the Incoming Traffic or Outgoing Traffic?
  8.2 What Is the Charging Standard of WAF?
  8.3 How Do I Renew WAF?
  8.4 How Do I Unsubscribe from WAF?

9 Domain Name Editing
  9.1 How Do I Safely Delete a Protected Domain Name?

10 Certificate
  10.1 How Do I Select a Certificate When Configuring a Wildcard Domain Name in WAF?
  10.2 How Do I Delete a Certificate Configured for a Protected Domain Name?
  10.3 How Do I Modify a Certificate?

A Change History


1 Protection Bandwidth/Specifications

1.1 How Do I Calculate the Protection Bandwidth?

The bandwidth in WAF refers to the amount of protected sites' normal traffic (unit: Mbit/s). A bandwidth expansion package contains 20 Mbit/s/50 Mbit/s (on/off HUAWEI CLOUD) or 1,000 QPS. QPS stands for Queries per Second. For example, one HTTP GET request is a query.

The bandwidth in WAF is calculated by WAF itself and is not associated with the bandwidth or traffic limit of other HUAWEI CLOUD products (such as CDN, ELB, and ECS).

For details about the bandwidth expansion package, see Bandwidth Expansion Package.

1.2 What Should I Do If the Traffic Exceeds the Protection Bandwidth of WAF?

If your legitimate traffic exceeds the bandwidth limit offered by your selected edition, your traffic forwarding may be adversely affected.

For example, traffic limiting and random packet loss may occur. As a result, services are unavailable, frozen, or delayed for a certain period of time.

In this case, upgrade your edition or buy additional bandwidth expansion packages.

For details about how to upgrade, see Upgrading the Edition.

1.3 How Do I Handle Insufficient Protection Rules?

WAF provides enterprise and premium editions. For details about the number of rules configured for each edition, see Edition. If the number of rules supported by the purchased edition cannot meet your service requirements, you can upgrade the edition. For details, see Upgrading the Edition.


1.4 What Are the Differences Between the Enterprise Edition and Premium Edition?

WAF provides enterprise and premium editions. To protect more domain names and traffic, WAF provides domain name extension packages and bandwidth extension packages. You can select the number of extension packages based on your service requirements. For details about the features of each edition, see Edition.


2 Product Function Consultation

2.1 How Do I Obtain the Real IP Address of a Web Visitor?

Generally, a proxy such as CDN, WAF, and AAD is deployed between the client and server. Web visitors cannot directly access the server. For example, web visitor > CDN/WAF/AAD > origin server. Then, how does the server obtain the real IP address of the client when multiple proxies are configured?

When forwarding requests to the downstream server, the transparent proxy server adds an X-Forwarded-For field to the HTTP header to identify the web visitor's real IP address in the format of X-Forwarded-For: real IP address of the web visitor, proxy 1-IP address, proxy 2-IP address, proxy 3-IP address, ...

Therefore, you can obtain the web visitor's real IP address from the first IP address in the X-Forwarded-For field.

For details, see Obtaining the Real IP Address of a Web Visitor.
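
The header format above, handled on the origin server, as an added example (not code from the Huawei document). It assumes each proxy appends the address it received the connection from, so a request that already carries an X-Forwarded-For value arrives with that value on the left; the example therefore compares the first-address rule with a right-to-left walk that only skips known proxies. The ranges in TRUSTED_PROXIES are constructed placeholders and the function names are hypothetical.

```python
import ipaddress

# Constructed placeholder ranges (RFC 5737 documentation blocks). In a real
# deployment these are the addresses your own proxies (CDN, WAF, AAD) connect from.
TRUSTED_PROXIES = [
    ipaddress.ip_network("192.0.2.0/24"),     # assumed WAF back-to-source range
    ipaddress.ip_network("198.51.100.0/24"),  # assumed CDN node range
]


def is_trusted(ip):
    """True if the address belongs to one of the proxies we operate or contract."""
    return any(ip in net for net in TRUSTED_PROXIES)


def split_xff(header_values):
    """Flatten one or more X-Forwarded-For header lines into a list of tokens."""
    return [tok.strip() for value in header_values for tok in value.split(",")]


def leftmost(header_values):
    """The rule stated in the FAQ: the first address in X-Forwarded-For."""
    tokens = split_xff(header_values)
    return tokens[0] if tokens and tokens[0] else None


def visitor_ip(peer_addr, header_values):
    """Return the visitor address the origin server can rely on.

    peer_addr is the TCP peer of the connection; header_values is the list of
    X-Forwarded-For header lines on the request.
    """
    peer = ipaddress.ip_address(peer_addr)
    # A connection that did not come from a known proxy bypassed the WAF:
    # the header is whatever the sender chose, so only the peer is usable.
    if not is_trusted(peer):
        return str(peer)

    candidate = peer
    # Walk from the hop closest to us towards the client. Every entry written
    # by a trusted proxy is reliable; stop at the first address that is not a
    # trusted proxy (that is the visitor) or at the first malformed token.
    for token in reversed(split_xff(header_values)):
        try:
            hop = ipaddress.ip_address(token)
        except ValueError:
            break
        candidate = hop
        if not is_trusted(hop):
            break
    return str(candidate)


# Constructed sample requests: (TCP peer, X-Forwarded-For header lines).
SAMPLES = {
    "normal chain":        ("192.0.2.10", ["203.0.113.7, 198.51.100.4"]),
    "client-supplied XFF": ("192.0.2.10", ["10.9.8.7, 203.0.113.7, 198.51.100.4"]),
    "direct to origin":    ("203.0.113.99", ["10.9.8.7"]),
}

if __name__ == "__main__":
    for name, (peer, xff) in SAMPLES.items():
        print(f"{name:22} leftmost={leftmost(xff)!s:14} visitor_ip={visitor_ip(peer, xff)}")
```

The two rules agree on the normal chain and differ only when the request reached the first proxy already carrying an X-Forwarded-For value, or reached the origin server without passing through a proxy at all.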

2.2 Can WAF Protect Offline Servers?

WAF can protect offline servers, but the servers must have been connected to the Internet.

HUAWEI CLOUD WAF protects your servers based on only domain names regardless of whether your server is online or offline, which region your server resides in, or which project or account your server belongs to.

2.3 Can WAF Protect an IP Address?

WAF can only provide protection based on domain names instead of IP addresses.

The origin server IP address configured in WAF can only be a public IP address.

To reduce the number of public IP addresses, you can purchase Elastic Load Balance (ELB) or set up load balancers to work as proxies of the backend private IP addresses, and set the EIP (public IP address) as the back-to-source IP address for WAF protection.

2.4 What Are the Differences Between the Permissions of a Master Account and Those of a Subaccount?

WAF has only the WAF administrator permission. Resources of a master account are isolated from those of a subaccount.

The master account can be used to view a domain name added using a subaccount, but a subaccount cannot be used to view a domain name added using the master account.

2.5 Can I Use WAF Without a Domain Name?

No. WAF can only provide protection based on domain names.

2.6 Which OSs Does WAF Support?

WAF is deployed on the cloud and is independent of the OS. Therefore, WAF supports any OS. A domain name server on any OS can be connected to WAF for protection.

2.7 Which Web Service Frameworks Does WAF Support?

WAF is deployed on the cloud and is not coupled with services on a web server. Therefore, WAF supports web services on any framework.

2.8 What Protection Rules Does WAF Support?

The protection rules supported by WAF are described below.

● Basic Web Protection
  WAF can defend against common web attacks, such as SQL injection, XSS, webshells, and Trojans in HTTP upload channels. Once these functions are enabled, protection takes effect immediately.

● CC Attack Protection
  Flexible rate limiting policies can be set based on the IP addresses, cookies, or Referer field, mitigating CC attacks.

● Precise Protection
  Common HTTP fields can be combined to customize protection policies, such as CSRF protection. With user-defined rules, WAF can accurately detect malicious requests and protect sensitive information in websites.

● Blacklist and Whitelist
  Blacklist or whitelist rules allow you to block or allow specific IP addresses or address ranges, improving defense accuracy.

● Geolocation Access Control
  Geolocation access control rules allow you to customize access control based on the source IP addresses.

● Web Tamper Protection
  Cache configuration is performed on static webpages. When a user accesses a webpage, the system returns a cached page to the user and randomly checks whether the page has been tampered with.

● Anti-crawler Protection
  This function dynamically analyzes website service models and accurately identifies crawler behavior based on data risk control and bot identification systems, such as JS Challenge.

● False Alarm Masking
  This function ignores certain attack detection rules for specific requests.

● Data Masking
  Data masking prevents such data as passwords from being displayed in event logs.

● Information Leakage Prevention
  WAF prevents users' sensitive information on webpages from being disclosed, such as ID numbers, phone numbers, and email addresses.

2.9 Which Layer Does WAF Provide Protection At?

WAF provides protection for seven layers, namely, the physical layer, data link layer, network layer, transport layer, session layer, presentation layer, and application layer.

2.10 Can WAF Continue Protecting a Domain Name When It Expires?

If you do not renew the WAF service after it expires, the public cloud platform provides a grace period and retention period.

● During this period, WAF forwards traffic but your protection policies will not work.

● When this period is over, resources will be cleared, that is, all configurations of your domain names will be deleted. During the clearing period, domain names are pointed back to origin servers by default. However, services on your domain names may not run properly because there may be inconsistencies between your configured protocols and ports.

To avoid unnecessary loss, you are advised to renew your WAF account.


2.11 Can WAF Protect HTTPS Services?

Yes. You simply need to configure HTTPS as the frontend protocol and allow WAF to host your certificate. Then, WAF protects your HTTPS service.

2.12 Is There Any Limit for File Upload?

After moving your site to WAF, you can upload a file no greater than 512 MB.

If you want to upload a file greater than 512 MB, upload the file using any of the following methods:

● via the IP address.
● on the separate web server.
● via FTP.

2.13 In Which Regions Is WAF Available?

WAF is available in all regions on HUAWEI CLOUD.

WAF can be purchased in the following regions: CN East-Shanghai2, CN North-Beijing1, CN North-Beijing4, CN South-Guangzhou, AP-Hong Kong, and AP-Bangkok.

In principle, WAF purchased in any region can protect web services in all regions. However, to improve the forwarding efficiency of WAF, you are advised to select the nearest region based on the region where the protected services reside when purchasing WAF. If you purchase WAF in the Beijing region, services on other regions (for example, Shanghai) can also be protected by WAF. However, it takes a longer time for WAF to forward traffic of services in Shanghai. Therefore, you are advised to purchase WAF in Beijing and Shanghai regions to protect services in Beijing and Shanghai, respectively, improving the forwarding efficiency.

2.14 What Are the Restrictions on Using WAF in Enterprise Projects?

Each enterprise project is independent from the others.

● The created policies can be used only by their own projects. For example, if you create policy A for a main project, the rules created for the sub-projects do not belong to policy A. You must create a policy for sub-projects separately.

● The created certificates can be used only by their own projects. A main project and sub-project can only use its own certificates.


2.15 What Are Regions and AZs?

Concept

A region and availability zone (AZ) identify the location of a data center. You can create resources in a specific region and AZ.

● Regions are divided from the dimensions of geographical location and network latency. Public services, such as Elastic Cloud Server (ECS), Elastic Volume Service (EVS), Object Storage Service (OBS), Virtual Private Cloud (VPC), Elastic IP (EIP), and Image Management Service (IMS), are shared within the same region. Regions are classified as universal regions and dedicated regions. A universal region provides universal cloud services for common tenants. A dedicated region provides services of the same type only or for specific tenants.

● An AZ contains one or more physical data centers. Each AZ has independent cooling, fire extinguishing, moisture-proof, and electricity facilities. Within an AZ, computing, network, storage, and other resources are logically divided into multiple clusters. AZs within a region are interconnected using high-speed optical fibers to allow you to build cross-AZ high-availability systems.

Figure 2-1 shows the relationship between the regions and AZs.

Figure 2-1 Region and AZ

HUAWEI CLOUD provides services in many regions around the world. You can select a region and AZ as needed.

How to Select a Region?

When selecting a region, consider the following factors:

● Location
  You are advised to select a region close to you or your target users. This reduces network latency and improves access rate. However, Chinese mainland regions provide basically the same infrastructure, BGP network quality, as well as operations and configurations on resources. Therefore, if you or your target users are in the Chinese mainland, you do not need to consider the network latency differences when selecting a region.

  – If you or your target users are in the Asia Pacific region, except the Chinese mainland, select the AP-Hong Kong, AP-Bangkok, or AP-Singapore region.

  – If you or your target users are in Africa, select the AF-Johannesburg region.

  – If you or your target users are in Europe, select the EU-Paris region.

● Resource price
  Resource prices may vary in different regions. For details, see Product Pricing Details.

How to Select an AZ?

When determining whether to deploy resources in the same AZ, consider your applications' requirements on disaster recovery (DR) and network latency.

● For high DR capability, deploy resources in different AZs in the same region.
● For low network latency, deploy resources in the same AZ.

Regions and Endpoints

Before using an API to call resources, specify its region and endpoint. For more details, see Regions and Endpoints.

2.16 Does WAF Support HTTP/2?

Currently, HUAWEI CLOUD WAF does not support HTTP/2 (HTTP 2.0).

2.17 How Many Rules Can Be Added to WAF?

The number of rules that can be added varies with different configuration rules. For details about edition specifications, see Edition.

2.18 Does WAF Support Health Check?

Currently, WAF does not support the health check function. If you want to use the health check function of the server, you are advised to use both ELB and WAF. After ELB is configured, the EIP of ELB is used as the IP address of the server to connect to WAF for health check.

2.19 Does WAF Have the IPS Module?

WAF does not have the IPS module of the traditional firewall, but WAF supports intrusion detection for the HTTP/HTTPS protocol.


2.20 Does WAF Support File Caching?

WAF caches only static web pages that are configured with web tamper protection and sends the cached web pages that are not tampered with to web visitors for tamper-proof purposes.

If you want to cache all website contents, you can deploy CDN and deploy WAF between CDN and the origin server. For details, see Domain Setup with Both CDN and WAF Deployed.

2.21 Does WAF Support the WebSocket Protocol?

WAF supports the WebSocket protocol, which is enabled by default.

2.22 Can My WAF Be Shared by Multiple Accounts?

WAF cannot be shared by multiple accounts. Each account needs to purchase WAF independently. However, WAF can be shared by multiple IAM users.

Sharing WAF Across Multiple IAM Users

Assume that you have created an account, domain1, by registering with HUAWEI CLOUD, and used domain1 to create two IAM users, sub-user1a and sub-user1b, in IAM. If you have granted the WAF permissions to sub-user1b, sub-user1b can then use the WAF service of sub-user1a.

For details about granting permissions, see Creating a User Group and Granting Permissions.


3 Domain Name Access Configuration

3.1 Which Non-Standard Ports Does WAF Support?

In addition to standard ports 80 and 443, WAF supports non-standard ports.

If you want to add a non-standard port when adding a protected domain name, select Non-standard Port and select the corresponding non-standard port from the Port drop-down list. Then the non-standard port can be connected to WAF.

Figure 3-1 Configuration of a non-standard port

Ports Supported by Each Edition

WAF provides enterprise and premium editions. Table 3-1 lists the ports that can be protected by each edition.

Table 3-1 Ports supported by each edition

Edition: Enterprise

● Standard ports
  HTTP protocol: 80
  HTTPS protocol: 443
  Port limits: Unlimited

● Non-standard ports (182 in total)
  HTTP protocol: 9945, 9770, 81, 82, 83, 84, 88, 89, 800, 808, 1000, 1090, 3128, 3333, 3501, 3601, 4444, 5000, 5222, 5555, 5601, 6001, 6666, 6788, 6789, 6842, 6868, 7000, 7001, 7002, 7003, 7004, 7005, 7006, 7009, 7010, 7011, 7012, 7013, 7014, 7015, 7016, 7018, 7019, 7020, 7021, 7022, 7023, 7024, 7025, 7026, 7070, 7081, 7082, 7083, 7088, 7097, 7777, 7800, 7979, 8000, 8001, 8002, 8003, 8008, 8009, 8010, 8020, 8021, 8022, 8025, 8026, 8077, 8078, 8080, 8085, 8086, 8087, 8088, 8089, 8090, 8091, 8092, 8093, 8094, 8095, 8096, 8097, 8098, 8106, 8118, 8181, 8334, 8336, 8800, 8686, 8888, 8889, 8989, 8999, 9000, 9001, 9002, 9003, 9080, 9200, 9802, 10000, 10001, 10080, 12601, 86, 9021, 9023, 9027, 9037, 9081, 9082, 9201, 9205, 9207, 9208, 9209, 9210, 9211, 9212, 9213, 48800, 87, 97, 7510, 9180, 9898, 9908, 9916, 9918, 9919, 9928, 9929, 9939, 28080, 33702, 8011, 8012, 8013, 8014, 8015, 8016, 8017, 8070
  HTTPS protocol: 8750, 8445, 18010, 4443, 5443, 6443, 7443, 8081, 8082, 8083, 8084, 8443, 8843, 9443, 8553, 8663, 9553, 9663, 18110, 18381, 18980, 28443, 18443, 8033, 18000, 19000, 7072, 7073, 8803, 8804, 8805, 9999
  Port limits: 18 non-standard ports supported by the enterprise edition

Web Application FirewallFAQs 3 Domain Name Access Configuration

Issue 50 (2020-03-31) Copyright © Huawei Technologies Co., Ltd. 11

Page 17: Web Application Firewall · Web Application Firewall FAQs Issue 50 Date 2020-03-31 HUAWEI TECHNOLOGIES CO., LTD

Edition PortCategory

HTTP Protocol HTTPSProtocol

Port Limits

Premium Standardports

80 443 Unlimited

Web Application FirewallFAQs 3 Domain Name Access Configuration

Issue 50 (2020-03-31) Copyright © Huawei Technologies Co., Ltd. 12

Page 18: Web Application Firewall · Web Application Firewall FAQs Issue 50 Date 2020-03-31 HUAWEI TECHNOLOGIES CO., LTD

Edition PortCategory

HTTP Protocol HTTPSProtocol

Port Limits

Non-standardports (199in total)

8899, 8006, 9945,9770, 81, 82, 83, 84,88, 89, 800, 808,1000, 1090, 3128,3333, 3501, 3601,4444, 5000, 5222,5555, 5601, 6001,6666, 6788, 6789,6842, 6868, 7000,7001, 7002, 7003,7004, 7005, 7006,7009, 7010, 7011,7012, 7013, 7014,7015, 7016, 7018,7019, 7020, 7021,7022, 7023, 7024,7025, 7026, 7070,7081, 7082, 7083,7088, 7097, 7777,7800, 7979, 8000,8001, 8002, 8003,8008, 8009, 8010,8020, 8021, 8022,8025, 8026, 8077,8078, 8080, 8085,8086, 8087, 8088,8089, 8090, 8091,8092, 8093, 8094,8095, 8096, 8097,8098, 8106, 8118,8181, 8334, 8336,8800, 8686, 8888,8889, 8989, 8999,9000, 9001, 9002,9003, 9080, 9200,9802, 10000, 10001,10080, 12601, 86,9021, 9023, 9027,9037, 9081, 9082,9201, 9205, 9207,9208, 9209, 9210,9211, 9212, 9213,48800, 87, 97, 7510,9180, 9898, 9908,9916, 9918, 9919,9928, 9929, 9939,28080, 33702, 8011,8012, 8013, 8014,

8750, 9190,9184, 9182,8950, 8920,8910, 8848,8445, 18010,4443, 5443,6443, 7443,8081, 8082,8083, 8084,8443, 8843,9443, 8553,8663, 9553,9663, 18110,18381, 18980,28443, 18443,8033, 18000,19000, 7072,7073, 8803,8804, 8805,9999, 8244,8224, 8281,8211, 8243,8221, 8231

58 non-standardportssupported bythe premiumedition

Web Application FirewallFAQs 3 Domain Name Access Configuration

Issue 50 (2020-03-31) Copyright © Huawei Technologies Co., Ltd. 13

Page 19: Web Application Firewall · Web Application Firewall FAQs Issue 50 Date 2020-03-31 HUAWEI TECHNOLOGIES CO., LTD

Edition PortCategory

HTTP Protocol HTTPSProtocol

Port Limits

8015, 8016, 8017,8070, 8232

Why Can a Third-Party Detection Tool Detect My Non-Standard Ports That Have Not Been Enabled?

The non-standard port detection engine of WAF is shared by all users, so a third-party detection tool can detect all non-standard ports that have been used in WAF. The port detection of the domain name is based on the port enabled for the origin server IP address. Therefore, the port detection engine does not affect the security of the origin server. In addition, WAF ensures the security of the engine IP addresses returned by the customer after CNAME resolution.

3.2 How Do I Add a Domain Name to WAF?

After a domain name is connected, WAF works as a reverse proxy between the client and server. The real IP address of the server is hidden and only the IP address of WAF is visible to web visitors.

For details about how to add a domain name to WAF, see Adding a Domain Name.

3.3 What Data Needs to Be Prepared Before Connecting a Domain Name to WAF?

The following data needs to be prepared:

● Domain name

● Port number: the service port corresponding to the domain name to be protected. WAF supports non-standard ports. For details, see Which Non-Standard Ports Does WAF Support?

● Server information

– Client Protocol: protocol used by a client to access a server.

– Server Protocol: protocol over which WAF forwards client requests to the server.

– Server Address: public IP address (generally corresponding to the A record of the domain name configured on the DNS) or domain name (generally corresponding to the CNAME of the domain name configured on the DNS) of the web server that a client accesses.

– Server Port: service port of the server to which WAF forwards client requests.

● Certificate: If HTTPS is set for Client Protocol, you need to purchase a certificate for the domain name and push the certificate to WAF.


3.4 How Do I Deploy Both CDN and WAF?

After the domain name is resolved to the CNAME record provided by CDN, the back-to-source address of CDN needs to be changed to the CNAME of WAF. In this way, CDN forwards the traffic to WAF. WAF then filters out illegitimate traffic and only routes legitimate traffic back to the origin server. After the configuration is complete, traffic is first processed by CDN and then forwarded to WAF, thereby achieving collaborative protection.

To prevent other users from configuring your domain names on WAF in advance (this will cause interference on your domain name protection), you are advised to add a subdomain name and TXT record of WAF at your DNS provider.

For details about how to deploy both CDN and WAF, see Domain Setup with Both CDN and WAF Deployed.

3.5 How Do I Configure Domain Names to Be Protected When Adding Domain Names?

Before using WAF, you need to add domain names to be protected to WAF based on your web service protection requirements. WAF supports addition of single domain names and wildcard domain names. This section describes how to configure domain names to be protected.

Basic Concepts

● Wildcard domain name

A wildcard domain name is a domain name that contains the wildcard * and starts with "*.". For example, *.example.com is a correct wildcard domain name, but *.*.example.com is not.

A wildcard domain name counts as one domain name.

● Single domain name

A single domain name is also called a common domain name and is a specific domain name (a non-wildcard domain name). For example, www.example.com or example.com is a single domain name.

For example, www.example.com counts as a domain name and so does a.www.example.com.


Selecting a Domain Name Type

WAF supports single domain names and wildcard domain names.

The domain name purchased from the DNS service provider is a single domain name (example.com). The domain name added to WAF can be example.com, a subdomain name (for example, a.example.com), or a wildcard domain name (*.example.com). You can select a domain name type based on the following scenarios:

● If services of a domain name to be protected are the same, enter a single domain name. For example, if all the services of www.example.com to be protected are services on port 8080, set Domain Name to a single domain name www.example.com.

● If the server IP address of each subdomain name is the same, enter a wildcard domain name to be protected. For example, if the server IP addresses corresponding to a.example.com, b.example.com, and c.example.com are the same, Domain Name can be set to a wildcard domain name *.example.com.

● If the server IP addresses of subdomain names are different, add subdomain names as single domain names one by one.

You are advised to set the added domain name to be protected to be the same as the domain name that is set at the DNS provider.
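The selection rules above can be checked mechanically before anything is entered in the console. The following is an added example, not code from the WAF documentation or product: the function names are hypothetical, the addresses are constructed documentation addresses, and it assumes that a wildcard entry is used only for names exactly one label below the base domain, while the base domain and deeper names are listed as single domain names.

```python
def is_valid_wildcard(name):
    """True for *.example.com; False for *.*.example.com or a non-wildcard name."""
    if not name.startswith("*."):
        return False
    rest = name[2:]
    labels = rest.split(".")
    # Only one wildcard is allowed, and it must be the leading label.
    return "*" not in rest and len(labels) >= 2 and all(labels)


def plan_domains(base, origins):
    """Decide which Domain Name entries to add for the base domain.

    origins maps each hostname to the set of origin server IP addresses
    behind it. Returns a sorted list of (domain_name, sorted_ips) entries.
    """
    base = base.lower().rstrip(".")
    direct, others = {}, {}
    for host, ips in origins.items():
        host = host.lower().rstrip(".")
        if "*" in host:
            raise ValueError("list concrete hostnames, not wildcards: " + host)
        if host != base and not host.endswith("." + base):
            raise ValueError(host + " is not under " + base)
        prefix = host[: -len(base) - 1] if host != base else ""
        if prefix and "." not in prefix:
            direct[host] = frozenset(ips)   # exactly one label below base
        else:
            others[host] = frozenset(ips)   # base itself or a deeper name

    entries = dict(others)
    # Same origin IPs for every direct subdomain: one wildcard entry.
    # Different origin IPs: add the subdomains one by one.
    if len(direct) >= 2 and len(set(direct.values())) == 1:
        entries["*." + base] = next(iter(direct.values()))
    else:
        entries.update(direct)
    return sorted((name, sorted(ips)) for name, ips in entries.items())


if __name__ == "__main__":
    # Constructed inventory: three subdomains behind the same origin server.
    inventory = {
        "a.example.com": {"192.0.2.10"},
        "b.example.com": {"192.0.2.10"},
        "c.example.com": {"192.0.2.10"},
    }
    for name, ips in plan_domains("example.com", inventory):
        print(name, "->", ", ".join(ips))
```
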

3.6 What Are the Precautions for Configuring Multiple IP Addresses for Backend Servers?

● The service ports to be protected must be the same if you want to configure multiple backend server IP addresses for the same domain name.

● When a domain name is added, WAF supports addition of multiple server IP addresses. WAF routes legitimate requests back to origin servers in polling mode, reducing the pressure on the servers and protecting the origin servers. For example, two backend server IP addresses (IP-A and IP-B) are added. When there are 10 requests for accessing the domain name, five requests are forwarded by WAF to the server identified by IP-A, and the other five requests are forwarded by WAF to the server identified by IP-B.

● WAF does not support the health check function. When a server identified by an IP address is faulty, WAF still forwards traffic to the server identified by this IP address. As a result, some services are affected. If you want to use the health check function of the server, you are advised to use both ELB and WAF. After ELB is configured, the EIP of ELB is used as the IP address of the server to connect to WAF for health check.

3.7 How Do I Configure the Client Protocol and Server Protocol?

This FAQ describes how to configure the client and server protocol.


WAF provides various protocol types. If your website is www.example.com, WAF provides the following four access modes:

● HTTP mode. See Figure 3-2.

Figure 3-2 HTTP mode

NOTICE

You can use this configuration to access your website at http://www.example.com only. If you access the website at https://www.example.com, the system returns code 302 Found and redirects your request to http://www.example.com.

● HTTPS mode. This configuration allows web visitors to access your website over HTTPS only. If they access over HTTP, they are redirected to https://www.example.com. See Figure 3-3.


Figure 3-3 HTTPS mode

NOTICE

● If web visitors access your website over HTTPS, the website returns a successful response.

● If web visitors access your website over HTTP, the system returns code 302 Found and redirects the request to https://www.example.com.

● HTTP and HTTPS mode. See Figure 3-4.

Figure 3-4 HTTP and HTTPS mode


NOTICE

● If web visitors access your website over HTTP, the website returns a successful response but no communication between the browser and website is encrypted.

● If web visitors access your website over HTTPS, the website returns a successful response and all communications between the browser and website are encrypted.

● HTTPS/HTTP mode. See Figure 3-5.

Figure 3-5 HTTPS offloading mode

NOTICE

If web visitors access your website over HTTPS, WAF forwards the requests to your origin server over HTTP.

3.8 What Are the Differences Between the Old and New CNAMEs?

Background

WAF upgrades CNAMEs to improve the reliability of domain name resolution.

To ensure that an added domain name can be used properly, WAF retains the old CNAME on the basic information page of the added domain name and displays the new CNAME, as shown in Figure 3-6.


Figure 3-6 New CNAME

Differences Between the Old and New CNAMEs

The new CNAME provides the resolution function for two heterogeneous active/active DNSs, improving the reliability of domain name resolution.

It is recommended that you select a new CNAME during domain name resolution.

3.9 Can I Set the IP Address of the Origin Server to a CNAME?

Yes. If the IP address of the origin server is set to a CNAME, additional DNS resolution is performed after a domain name is added. That is, the CNAME is resolved to an IP address first. DNS resolution increases the delay. Therefore, you are advised to set the origin server address to a public network IP address.

For details about how to add a domain name, see Adding a Domain Name.

3.10 Can I Access a Website Using an IP Address After a Domain Name Is Connected to WAF?

After a domain name is connected to WAF, you can enter the origin server IP address in the address bar of the browser to access the website. However, your origin server IP address is easily exposed. As a result, attackers can bypass WAF and attack your origin server.

You are advised to configure origin server protection according to the instructions in Origin Server Protection.

3.11 How Do I Configure Non-standard Ports When Adding a Protected Domain Name?

Configuration Example 1: Protecting Standard Port Services of Different Origin Server IP Addresses on the Same Port

1. Deselect Non-standard Port.

2. Select HTTP or HTTPS for Client Protocol. Figure 3-7 and Figure 3-8 show the HTTP and HTTPS protection configurations of port 80 and port 443, respectively.


Figure 3-7 Port 80

Figure 3-8 Port 443

If Client Protocol is set to HTTPS, you need to configure a certificate.

3. When accessing a website, you can access the website without adding a port number to the end of the domain name. For example, enter http://www.example.com in the address box of the browser to access the website.

Configuration Example 2: Protecting Non-Standard Port Services of Different Origin Server IP Addresses on the Same Port

1. Select Non-standard Port and select a non-standard port to be protected from the Port drop-down list. For details about the non-standard ports supported by WAF, see Which Non-Standard Ports Does WAF Support?

2. Select HTTP or HTTPS for Client Protocol for all server ports. Figure 3-9 and Figure 3-10 show the configuration of a non-standard HTTP or HTTPS port, respectively.

Figure 3-9 Other HTTP port besides port 80


Figure 3-10 Other HTTPS port besides port 443

If Client Protocol is set to HTTPS, you need to configure a certificate.

3. When accessing a website, you must add a non-standard port number to the end of the domain name. Otherwise, error 404 will be reported. For example, if the non-standard port is 8080, enter http://www.example.com:8080 in the address box of the browser.

Configuration Example 3: Protecting Different Service Ports

If the service ports to be protected are different, configure the ports separately. For example, to protect ports 8080 and 6443 for your site www.example.com, do the configurations shown in Figure 3-11 and Figure 3-12.

Figure 3-11 Protecting port 8080


Figure 3-12 Protecting port 6443


4 Service Interruption Check

4.1 How Do I Troubleshoot 404/502/504 Errors?

If an error, such as 404 Not Found, 502 Bad Gateway, or 504 Gateway Timeout, occurs after a domain name is connected to WAF, use the following methods to locate the cause and remove the error:

404 Not Found

Symptom 1: When a visitor accesses your website, the page shown in Figure 4-1 is displayed.

Figure 4-1 404 page

Cause: The port added to a URL is incorrect.

● A non-standard port is configured when a protected domain name is added to WAF. No port is added or the origin server port rather than the non-standard port is used to access the website. For example, access https://www.example.com or https://www.example.com:80.


Figure 4-2 Configuration of a non-standard port

Solution: Add the non-standard port to the URL and access the origin server again, for example, https://www.example.com:8080.

● No non-standard port is configured when a protected domain name is added to WAF. A non-standard port or one configured based on the origin server port is used to access the website. For example, access https://www.example.com:8080 when the protection service shown in Figure 4-3 is configured.

Figure 4-3 Unconfiguration of a non-standard port

If no non-standard port is configured, WAF protects services on port 80/443 by default. If you need to protect services on other ports, re-configure domain settings.

Solution: Access the domain name directly. For example, https://www.example.com.

Symptom 2: When a visitor accesses your website, another 404 error page is displayed instead of the page shown in Figure 4-1.

Cause: The website does not exist or has been deleted.

Solution: Check your website.

502 Bad Gateway

Symptom: Website access is normal after the WAF configuration is complete. However, after a certain period of time, a 502 Bad Gateway error is reported frequently when accessing a page.

If your web server is not deployed on HUAWEI CLOUD, you are advised to consult your server provider about whether the server has default block settings. If yes, ask the service provider to remove the default block settings.

Possible causes are as follows:

● Cause 1: Your website is using other security protection software. The software considers back-to-source IP addresses of WAF as malicious and blocks the requests forwarded by WAF. As a result, the site cannot be accessed.
Solution: Refer to How Do I Whitelist the WAF Back-to-Source IP Address Ranges? to add the WAF IP address ranges to the whitelist of the firewall (hardware or software), security protection software, and rate limiting module.

● Cause 2: Multiple backend servers are configured. However, one backend server is unreachable.
Perform the following steps to check whether the origin server configuration is correct:

a. Log in to the HUAWEI CLOUD console, click Service List in the upper part of the page, and choose Security > Web Application Firewall.

b. In the navigation pane, choose Domains. The Domains page is displayed.

c. In the Domain Name column, click the target domain name. Its information is displayed.

d. In the Server Information area, click . On the displayed page, check whether the client protocol, server protocol, origin server address, and port number used by the origin server are correct.

Figure 4-4 Server configuration

e. Run the curl command on the host to check whether each origin server can be properly accessed, as shown in Figure 4-5.

curl http://xx.xx.xx.xx:yy -kvv

xx.xx.xx.xx indicates the IP address of the origin server. yy indicates the port number of the origin server. xx.xx.xx.xx and yy must belong to the same origin server.

● The host where the curl command can be run must meet the following requirements:

– The network communication is normal.

– The curl command has been installed. curl must be manually installed on the host running the Windows operating system. curl is installed along with other operating systems.

● You can also enter http://origin server address:origin server port in the address bar of the browser to check whether the origin server can be properly accessed.


Figure 4-5 Command output

If connection refused is displayed, the origin server is unreachable and the website cannot be accessed. Perform the following operations:

▪ Check whether the server is running properly. If it is not, restart the server.

▪ Refer to How Do I Whitelist the WAF Back-to-Source IP Address Ranges? to add the WAF IP address ranges to the whitelist of the firewall (hardware or software), security protection software, and rate limiting module.

● Cause 3: Origin server performance
Solution: Contact your website administrator to rectify the fault.
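Because WAF forwards requests in polling mode and has no health check, the per-origin check in step e of Cause 2 is worth running against every configured origin server in one pass. The following is an added example, not part of the WAF documentation or tooling: it tests only whether a TCP connection can be opened (the condition behind a connection refused result), the function names are hypothetical, and the addresses are constructed placeholders.

```python
import socket


def tcp_probe(host, port, timeout=5.0):
    """Open one TCP connection and report 'ok', 'refused', 'timeout' or an error."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "ok"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        return "error: %s" % exc


def check_origins(origins, requests=10, probe=tcp_probe):
    """Probe every (ip, port) origin and estimate the effect under polling.

    Requests are dealt to the origins in turn, as in the IP-A/IP-B example
    of section 3.6, and every request dealt to an origin that did not
    answer 'ok' is counted as failed because WAF keeps forwarding to it.
    """
    origins = list(origins)
    if not origins:
        raise ValueError("no origin servers given")
    results = {origin: probe(*origin) for origin in origins}
    unreachable = [origin for origin in origins if results[origin] != "ok"]
    failed = sum(
        1 for i in range(requests)
        if results[origins[i % len(origins)]] != "ok"
    )
    return {
        "results": results,
        "unreachable": unreachable,
        "requests": requests,
        "failed_requests": failed,
    }


if __name__ == "__main__":
    # Constructed placeholders: replace with the addresses and ports shown
    # in the Server Information area of the domain name.
    ORIGINS = [("192.0.2.10", 8080), ("192.0.2.20", 8080)]
    report = check_origins(ORIGINS)
    for (ip, port), status in report["results"].items():
        print("%s:%d %s" % (ip, port, status))
    print("%d of %d polled requests would fail"
          % (report["failed_requests"], report["requests"]))
```
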

504 Gateway Timeout

Symptom: After the configuration of connecting a domain name to WAF is complete, your website works properly. However, with the increasing traffic volume, the number of 504 errors increases as well. If you directly access the IP address of the origin server, the 504 error code is returned sometimes.

The possible causes are as follows:

● Cause 1: Backend server performance issues (such as too many connections or high CPU usage)
Solution:

a. Optimize the server configuration, including TCP network parameters and ulimit parameters.

b. To support increasing service volumes, use method 1 or method 2 to perform the processing.
Method 1: Add a backend server group to the ELB.
Method 2: Create an ELB. Use the EIP of ELB as the IP address of the server to connect to WAF.

i. Log in to the HUAWEI CLOUD console, click Service List in the upper part of the page, and choose Security > Web Application Firewall.

ii. In the navigation pane, choose Domains. The Domains page is displayed.

iii. In the Domain Name column, click the target domain name. Its information is displayed.

iv. In the Server Information area, click . On the displayed page, click Add to add backend servers. See Figure 4-6.


Figure 4-6 Server configuration

c. If the Client Protocol is HTTPS, you can use HTTPS on the WAF side. However, it is recommended that HTTP (Server Protocol) be used to forward the requests to your web server, lowering the computational pressure on backend servers. See Figure 4-7. For details about how to modify the server information, see Editing Server Information.

Figure 4-7 Server configuration

● Cause 2: The WAF IP addresses are not whitelisted or your origin server port is not enabled.

Solution: Whitelist the WAF IP addresses by following instructions in Origin Server Protection.

● Cause 3: The origin server has a firewall and the firewall blocks the WAF IP addresses.

Solution: Whitelist the WAF IP addresses by following the instructions in Origin Server Protection or uninstall the firewall software except WAF.

● Cause 4: Connection timeout and read timeout

Solution: Contact technical support.

● Cause 5: The bandwidth of the origin server exceeds the upper limit.

Solution: Increase the bandwidth of the origin server.

4.2 How Do I Handle a False Alarm?

You can handle false alarms in the event log if they appear frequently. You can choose to ignore some URLs or rule IDs so that no alarms are reported or no blocking occurs when the URLs are attacked again.

Handle false alarms according to the instructions in Handling False Alarms.

4.3 What Is the Connection Timeout Duration of WAF? Can I Manually Set the Timeout Duration?

The timeout duration for the connection from the browser to the WAF engine is 120 seconds, and that from WAF to the customer's origin server is 60 seconds. The timeout duration cannot be manually set.


4.4 How Do I Whitelist the WAF Back-to-Source IP Address Ranges?

After your domain is connected to WAF, all requests are forwarded to WAF for inspection, and WAF returns the inspected traffic to the origin server. The process of returning traffic to the origin server through WAF is called back-to-source.

What Are Back-to-Source IP Addresses?

From the perspective of a server, all web requests originate from WAF. The IP addresses used by WAF forwarding are back-to-source IP addresses of WAF. The real client IP address is written into the X-Forwarded-For (XFF) HTTP header field.

Figure 4-8 Back-to-source IP address

Why Do I Need to Whitelist the WAF IP Address Ranges?

All web requests originate from a limited quantity of WAF IP addresses. The security software on the origin server may easily regard these IP addresses as malicious and block them. Once WAF IP addresses are blocked, the website may fail to be accessed or it opens extremely slowly. Therefore, you need to add the WAF IP addresses to the whitelist of the security software.

After your website is connected to WAF, you are advised to uninstall other security software from the origin server or allow only the requests from WAF to access your origin server. This ensures normal access and protects the origin server from hacking.

Procedure

Step 1 Log in to the management console.


Step 2 Click in the upper left corner of the management console and select a region or project.

Step 3 Click in the upper left corner of the page and choose Security > Web Application Firewall. In the navigation pane, choose Domains. The Domains page is displayed.

Step 4 Click WAF Back-to-Source IP Addresses.

The back-to-source IP addresses are periodically updated. Whitelist the new IP addresses in time to prevent these IP addresses from being blocked.

Figure 4-9 Clicking WAF Back-to-Source IP Addresses

Step 5 In the displayed dialog box, click Copy to copy them all.


Figure 4-10 WAF Back-to-Source IP Addresses dialog box

Step 6 Open the security software on the origin server and add the copied IP address ranges to the whitelist.

----End
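On the origin server, the copied ranges serve two purposes: deciding whether a request really came through WAF, and deciding whether the X-Forwarded-For header can be believed. The following is an added example, not code from the WAF documentation: the ranges are constructed placeholders from documentation networks, the function names are hypothetical, and it assumes WAF appends the address it received the request from to any XFF value the client sent.

```python
import ipaddress

# Constructed placeholder ranges (documentation networks). The real list is
# the one copied from the WAF Back-to-Source IP Addresses dialog box.
WAF_BACK_TO_SOURCE_RANGES = ["192.0.2.0/24", "198.51.100.0/25"]


def parse_ranges(ranges):
    """Turn the copied text entries into network objects, skipping blanks."""
    return [ipaddress.ip_network(r.strip(), strict=False)
            for r in ranges if r.strip()]


def in_ranges(ip_text, networks):
    """True if ip_text is a valid address inside one of the networks."""
    try:
        addr = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return False
    return any(addr in net for net in networks)


def resolve_client(peer_ip, xff_header, networks):
    """Return (via_waf, client_ip) for one request reaching the origin.

    peer_ip is the address of the TCP connection. If it is not a WAF
    back-to-source address, the request did not pass through WAF and the
    XFF header is ignored, since any client can set it. If it is, XFF is
    read from right to left, WAF addresses are skipped, and the first
    remaining entry is taken as the client.
    """
    if not in_ranges(peer_ip, networks):
        return (False, peer_ip)
    entries = [e.strip() for e in (xff_header or "").split(",") if e.strip()]
    for entry in reversed(entries):
        if in_ranges(entry, networks):
            continue
        try:
            return (True, str(ipaddress.ip_address(entry)))
        except ValueError:
            break  # malformed entry: do not trust anything to its left
    return (True, peer_ip)


if __name__ == "__main__":
    nets = parse_ranges(WAF_BACK_TO_SOURCE_RANGES)
    # Constructed requests: (peer address, X-Forwarded-For value).
    samples = [
        ("192.0.2.10", "203.0.113.7"),             # normal request via WAF
        ("192.0.2.10", "10.9.9.9, 203.0.113.7"),   # client sent its own XFF
        ("203.0.113.99", "10.0.0.1"),              # direct hit, bypassing WAF
    ]
    for peer, xff in samples:
        print(peer, repr(xff), "->", resolve_client(peer, xff, nets))
```

A request with via_waf set to False reached the origin directly, which is the bypass described in section 3.10; allowing only the WAF ranges at the firewall removes that path.
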

4.5 How Do I Solve the Problem of Excessive Redirection Times?

After a domain name is connected to WAF, if the system displays a message indicating that there are excessive redirection times when a user requests to access the target domain name, the possible cause is that you have configured forcible redirection from HTTP to HTTPS on the backend server while forwarding from HTTPS (client protocol) to HTTP (server protocol) is configured on WAF. WAF is then forced to redirect user requests, causing an infinite loop. You can edit server information in WAF. For details, see Editing Server Information. Configure two pieces of server information: HTTP (client protocol) to HTTP (server protocol) and HTTPS (client protocol) to HTTPS (server protocol). Figure 4-11 shows the server information after the configuration is complete.

Figure 4-11 Example configuration
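The loop and its fix can be reproduced with a small model of the three parties. The following is an added example, not code from the WAF documentation: the function names and the redirect limit of 20 are assumptions, and the WAF model covers only the client protocol to server protocol mapping plus the 302 redirect described in section 3.7 for a client protocol that is not configured.

```python
MAX_REDIRECTS = 20  # assumed browser limit before it reports too many redirects


def backend(scheme, force_https):
    """Origin server: with forcible redirection on, any HTTP request gets a 302 to HTTPS."""
    if force_https and scheme == "http":
        return (302, "https")
    return (200, None)


def waf(client_scheme, rules, force_https):
    """WAF: map the client protocol to the configured server protocol.

    rules maps a client protocol to a server protocol, for example
    {"https": "http"} for HTTPS offloading. A client protocol without a
    rule is answered with a 302 to a configured one (section 3.7).
    """
    if client_scheme not in rules:
        return (302, next(iter(rules)))
    return backend(rules[client_scheme], force_https)


def browse(start_scheme, rules, force_https=True):
    """Follow redirects like a browser. Returns (outcome, list of schemes requested)."""
    scheme = start_scheme
    hops = [scheme]
    for _ in range(MAX_REDIRECTS):
        status, location = waf(scheme, rules, force_https)
        if status == 200:
            return ("ok", hops)
        scheme = location
        hops.append(scheme)
    return ("too_many_redirects", hops)


if __name__ == "__main__":
    offloading = {"https": "http"}                 # configuration that loops
    matched = {"http": "http", "https": "https"}   # configuration from Figure 4-11
    print("offloading:", browse("https", offloading)[0])
    print("matched:   ", browse("http", matched))
```

In the offloading configuration the backend never sees an HTTPS request, so its redirect can never be satisfied; with matched protocols the second request reaches the backend over HTTPS and is answered.
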

4.6 How Do I Solve the Problem that HTTPS Requests Fail on Some Mobile Phones?

Open the browser on a mobile phone and access https://www.defix.cn. If the page shown in Figure 4-12 is displayed, HTTPS requests fail on the mobile phone because the uploaded certificate chain is incomplete. Rectify the fault by referring to How Do I Fix an Incomplete Certificate Chain?

Figure 4-12 Access failed


4.7 How Do I Fix an Incomplete Certificate Chain?

If the certificate provided by the certificate authority is not found in the built-in truststore on your platform and the certificate chain does not have a certificate authority, the certificate is incomplete. If you use the incomplete certificate to access the website corresponding to the protected domain name, the access will fail.

Use either of the following methods to fix it:

● Manually build up a complete certificate chain and upload the certificate. (This function is available soon.)

● Buy a certificate on HUAWEI CLOUD and upload it.

The latest Chrome version supports automatic verification of the trust chain. A Huawei certificate is used as an example to describe how to manually create a complete certificate chain:

Step 1 Check the certificate. Click the padlock in the address bar to view the certificate status (see Figure 4-13).

Figure 4-13 Viewing the certificate

Step 2 Check the certificate chain. Click Certificate. Select the Certificate Path tab and then click the certificate name to view the certificate status (see Figure 4-14).


Figure 4-14 Viewing the certificate chain

Step 3 Save the certificates to the local PC one by one. Select the certificate name and click the Details tab (see Figure 4-15).


Figure 4-15 Details

Step 4 Click Copy to File, and then click Next as prompted.

Step 5 Select Base-64 encoded X.509 (.CER) and click Next (see Figure 4-16).


Figure 4-16 Certificate Export Wizard

Step 6 After all certificates are exported to the local PC, open the certificate file in Notepad and rebuild the certificate according to the sequence shown in Figure 4-17.


Figure 4-17 Certificate rebuilding

Step 7 Upload the certificate again.

----End


5 Domain Name Resolution

5.1 How Do I Test WAF?

Before directing the traffic to WAF, you are advised to perform local verification to ensure that all configurations are correct.

Before testing WAF, ensure that the protocol, address, and port number used by the origin server of the domain name (for example, www.example5.com) are correct. If Client Protocol is HTTPS, also ensure that the uploaded certificate file and private key are correct.

For details, see Testing WAF.

5.2 How Do I Route Website Traffic Through WAF?

After adding your website to WAF, you need to connect the domain to WAF so that the traffic passes through WAF. After the traffic is routed through WAF, WAF helps you filter malicious requests and forward legitimate requests to the origin server.

How Does WAF Work

● No proxy used
DNS resolves your domain name to the origin server IP address before the site is moved to WAF. DNS resolves your domain name to the CNAME of WAF after the site is moved to WAF. Then WAF inspects the incoming traffic and filters out malicious traffic.

● A proxy (such as AAD) used
If a proxy such as HUAWEI CLOUD Advanced Anti-DDoS (AAD) has been used on your site before it is added to WAF, DNS resolves the domain name to the AAD IP address. In this case, the traffic passes through AAD and then AAD routes the traffic back to the origin server. After your site is connected to WAF, the back-to-source address of the proxy (such as Advanced Anti-DDoS) needs to be changed to the CNAME of WAF. In this way, the proxy forwards the traffic to WAF. WAF then filters out illegitimate traffic and only routes legitimate traffic back to the origin server.

● To ensure that WAF can properly forward requests, you are advised to perform local verification by referring to Testing WAF before modifying the DNS configuration.

● To prevent other users from configuring your domain names on WAF in advance (which would interfere with the protection of your domain name), you are advised to add the subdomain name and TXT record at your DNS provider. WAF can determine which user owns the domain name based on the subdomain name and TXT record. For details about the configuration method, see What Are the Impacts If a Subdomain Name and TXT Record Are Not Configured?

Operation Guide

After a domain name is added, WAF generates either a CNAME value, or a CNAME, subdomain name, and TXT record, depending on whether a proxy was used for the domain name before it was connected to WAF. These values are used for domain name resolution so that website traffic can pass through WAF. For details, see Table 5-1.

Table 5-1 Operation guide

| Scenario | Generated Parameter Value | Operation Related to Domain Name Resolution |
| --- | --- | --- |
| No proxy used | CNAME | The DNS obtains the CNAME of WAF. |
| Proxy used | CNAME, subdomain name, and TXT record | ● Change the back-to-source IP address of the proxy, such as Advanced Anti-DDoS (AAD), to the CNAME of WAF. ● (Optional) Add a WAF subdomain name and TXT record at your DNS provider. |

Procedure

For details, see Connecting a Domain Name to WAF.

5.3 What Are the Impacts If a Subdomain Name and TXT Record Are Not Configured?

After you add the domain name of the proxy, such as Advanced Anti-DDoS, in WAF, if the subdomain name and TXT record are not configured at your DNS provider and other users configure the same domain name in WAF, the protection of your domain name will be interfered with.

How to Determine

The target domain name is in gray in the domain name list, and the working mode is Suspended and cannot be switched to Enabled. If this symptom occurs, your domain name has been occupied by another user.

Solution

Go to your DNS provider, add a subdomain name, and configure a TXT record for the subdomain name. The following uses the target domain name www.example.com as an example to describe how to configure the DNS service on HUAWEI CLOUD.

Step 1 Obtain the values of Subdomain Name and TXT Record.

1. Log in to the management console.

2. Access the Domains page.

Figure 5-1 Domains

3. In the Domain Name column, click the target domain name www.example.com to go to the Basic Information page.

4. Locate the Access Status row and click How to Access?.

Figure 5-2 Domain name access information

If a domain name that uses a proxy, such as Advanced Anti-DDoS (AAD), has been added to WAF, the value of Proxy Configured is Yes.

5. In the displayed dialog box, click to copy the value of TXT Record.

Figure 5-3 Copying TXT Record

Step 2 Add a WAF subdomain name and TXT record at your DNS provider.

1. In the Operation column of the target domain name www.example.com, click Add Record Set.

Figure 5-4 DNS page

2. In the upper right corner of the displayed page, click Add Record Set to go to the Add Record Set page.
– Name: Paste the TXT record copied in Step 1.5 to the text box.
– Type: Select TXT – Specify text records.
– Alias: Select No.
– Line: Select Default.
– TTL (s): The recommended value is 5 min. A larger TTL value slows the synchronization and update of DNS records.
– Value: Add quotation marks to the TXT record copied from Step 1.5 and paste it in the text box, for example, "37c795804124dd4a0dd88defff8941f".
– Keep other settings unchanged.

Figure 5-5 Adding a record set

3. Click OK.

----End

5.4 How Do I Perform Verification Using HUAWEI CLOUD DNS?

Verification by DNS typically requires operations from your domain name administrator. If you are managing your domain name on HUAWEI CLOUD and the domain name is in your account, perform the verification using HUAWEI CLOUD DNS.

NOTICE

If you are managing your domain name on another domain management platform (such as www.net.cn, www.xinnet.com, and www.dnspod.cn), perform the verification on the corresponding platform. For example, if your domain name is hosted on Alibaba Cloud, perform the verification on Alibaba Cloud.

In the following procedure, a TXT record 2019030700000022ams1xbyevdn4jvahact9xzpicb565k9443mryw2qe99mbzpb is added to domain name domain.com to show how to perform the verification using HUAWEI CLOUD DNS.

Prerequisites

● You have obtained a username and its password for logging in to the management console.
● You have obtained the configuration information (host record and record value) required for domain name verification.

Procedure

Step 1 Log in to the management console.

Step 2 In the upper left corner of the console, click and choose Domain Name Service under Network. In the navigation pane on the left, choose DNS Resolution > Public Zones to display the public zones.

Figure 5-6 Public Zones page

Step 3 In the upper right corner of the page, click Create Public Zone. The Create Public Zone page is displayed.

Figure 5-7 Creating a public zone

Step 4 In the Name box, enter the domain name to be resolved domain.com and click OK.

Step 5 In the public zone list, click the domain name. The record set of the domain is displayed.

Figure 5-8 List of record sets

Step 6 In the upper right corner of the page, click Add Record Set. The Add Record Set page is displayed. Table 5-2 describes the parameters.

Figure 5-9 Adding a record set

Table 5-2 Parameters for adding a record set

| Parameter | Description | Example Value |
| --- | --- | --- |
| Name | Host record corresponding to the domain name (You do not need to manually add the suffix.) | _dnsauth |
| Type | Record set type. Set this parameter to TXT – Specify text records. | TXT – Specify text records |
| Alias | Whether to associate the record set with a cloud resource name | No |
| Line | Used when the DNS server is resolving a domain name. It returns the IP address of the server according to the visitor source. You must add a Default line to ensure that the website is accessible to all users. Default is selected by default. | Default |
| TTL (s) | Caching period of the record set, in seconds. The default value is 5 min. | 5 min |
| Value | Indicates the host record value corresponding to the domain. Use quotation marks when entering the record value | "2019030700000022ams1xbyevdn4jvahact9xzpicb565k9443mryw2qe99mbzpb" |
| Weight | The parameter is optional. Weight of the record set. The default value is 1. The value ranges from 0 to 100. When multiple record sets of the same name and line are created in a zone, the one with a larger weight takes effect in priority. | 1 |
| Tag | The parameter is optional. This item is displayed when you switch on Other Settings. This parameter indicates the identifier of a resource. Each tag contains a key and a value. You can add 10 tags at most to a record set. | - |
| Description | The parameter is optional. Description of the domain name. This item is displayed when you switch on Other Settings. | - |

Step 7 Click OK.

If the status of the record set is Normal, it indicates that the record set is added successfully.

DNS configuration records can be deleted only after the certificate is issued or revoked.

----End

5.5 How Do I Query a Domain Name Provider?

By querying domain registration information, you can confirm the information about the DNS servers of a domain name and then perform authentication by DNS based on the DNS server information.

Procedure

Step 1 Open a browser and visit https://whois.domaintools.com/.

Step 2 Enter the domain name to be queried and click Search. The domain name registration details page is displayed.

Step 3 In the displayed information, check Name Servers to determine the DNS servers of the domain name.

If Name Servers shows a value similar to that in Figure 5-10, the DNS servers of the domain name are provided by HUAWEI CLOUD.

Figure 5-10 Name Servers

Perform the verification based on the DNS servers of the domain name as follows:

● If the DNS servers of the domain name are provided by HUAWEI CLOUD, perform the verification on HUAWEI CLOUD by referring to How Do I Perform Verification Using HUAWEI CLOUD DNS?

● If the DNS servers of the domain name are not provided by HUAWEI CLOUD, decide whether you want to migrate the domain from another DNS service provider to HUAWEI CLOUD DNS.
– If yes, perform the following operations:
i. Migrate the domain name from another DNS service provider to HUAWEI CLOUD DNS.
ii. Refer to How Do I Perform Verification Using HUAWEI CLOUD DNS? to perform the verification on HUAWEI CLOUD.
– If not, perform the verification on the corresponding platform. For example, if your domain name is hosted on Alibaba Cloud, perform the verification on Alibaba Cloud.

----End

5.6 Why Cannot the Protection Mode Be Enabled After a Domain Name Is Connected to WAF?

Another tenant has configured the same domain name in WAF. As a result, the domain name ownership is occupied by another tenant. In this case, add a subdomain name and configure a TXT record for the subdomain name at your DNS provider. For details, see What Are the Impacts If a Subdomain Name and TXT Record Are Not Configured?.

6 Rule Configuration

6.1 In Which Situations Will the WAF Policies Fail?

Normally, all requests destined for your site will pass through WAF. However, if your site is using CDN and WAF, the WAF policy targeted at the requests for caching static content will not take effect because CDN responds to these requests directly, without passing them to WAF.

6.2 How Do I Switch the Mode of Basic Web Protection from Log only to Block?

This FAQ guides you to switch the mode of basic web protection to Block.

Perform the following operations:

Step 1 Access the protection configuration page.

Figure 6-1 Protection configuration page

Step 2 In the Basic Web Protection configuration area shown in Figure 6-2, select Block for Mode. Table 6-1 describes the parameters.

Figure 6-2 Basic Web Protection configuration area

Table 6-1 Parameter description

| Parameter | Description |
| --- | --- |
| Status | Status of Basic Web Protection ● : enabled. ● : disabled. |
| Mode | ● Block: WAF blocks and logs detected attacks. ● Log only: WAF logs detected attacks only. |

NOTICE

Log only and Block are merely modes of basic web protection. CC attack protection and precise protection have their own protective actions.

----End

6.3 When Is Cookie Used to Identify Users?

During the configuration of a CC attack protection rule, if IP addresses cannot identify users precisely, for example, when many users share an egress IP address, use Cookie to identify users.

If the cookie contains key values, such as the session value, of users, the key value can be used as the basis for identifying users.

NOTICE

Cookie-based identification may not be supported if the URL request configured in a CC attack protection policy is an API called by another service.

6.4 How Do I Configure a CC Attack Protection Rule?

When a service interface is under an HTTP flood attack, you can set a CC attack protection rule on the WAF console to relieve service pressure.

WAF provides the following settings for a CC attack protection rule:

● Number of requests allowed from a web visitor in a specified period
● Identification of web visitors based on the IP address, cookie, or Referer field
● Action when the maximum limit is reached, such as Block or Verification code

For details about configuration rules, see Configuring CC Attack Protection Rules.

6.5 What Are the Differences Between Rate Limit and Allowable Frequency in a CC Rule?

When configuring a CC protection rule, if Advanced is selected for Mode and Block dynamically is selected for Protection Action, you need to set both Rate Limit and Allowable Frequency.

Differences

● The rate limit period of Allowable Frequency is the same as that of Rate Limit.
● Allowable Frequency is lower than or equal to Rate Limit, and Allowable Frequency can be 0.

Block Principle

If the access request frequency exceeds Rate Limit in a rate limit period, triggering blocking, the system dynamically adjusts the blocking threshold to Allowable Frequency in the next rate limit period. If Allowable Frequency is 0, all requests that meet the rule conditions in the next period are blocked after blocking is triggered in the previous period.
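
The following added example (a simulation written for this page, not WAF's implementation) replays constructed traffic through the behaviour described in 6.3 and 6.5: visitors counted by IP address or by cookie, and the threshold dropping from Rate Limit to Allowable Frequency after a period in which blocking was triggered. Assumptions: periods are fixed windows, the lowered threshold stays in force while each consecutive period triggers blocking and returns to Rate Limit after a period without blocking, requests without the cookie are counted by IP address, and the cookie name session is hypothetical.

```python
from dataclasses import dataclass


@dataclass
class CCRule:
    rate_limit: int                # Rate Limit: requests allowed per visitor per period
    allowable_frequency: int       # Allowable Frequency: 0 <= value <= rate_limit
    period: int                    # rate limit period in seconds, shared by both values
    identify_by: str = "ip"        # "ip" or "cookie"
    cookie_name: str = "session"   # hypothetical cookie holding the session value


def visitor_key(rule, request):
    """Pick the value that identifies the visitor for this rule."""
    if rule.identify_by == "cookie":
        value = request.get("cookies", {}).get(rule.cookie_name)
        if value:
            return ("cookie", value)
        # Assumption: callers that send no cookie (for example an API called
        # by another service) are counted by IP address instead.
    return ("ip", request["ip"])


def evaluate(rule, requests):
    """Return "pass" or "block" for each request; requests are in time order."""
    state = {}
    decisions = []
    for request in requests:
        key = visitor_key(rule, request)
        window = request["t"] // rule.period
        current = state.get(key)
        if current is None or current["window"] != window:
            # Blocking in the immediately preceding period lowers this
            # period's threshold to Allowable Frequency (assumed to persist
            # only while consecutive periods keep triggering blocking).
            lowered = (current is not None and current["blocked"]
                       and current["window"] == window - 1)
            current = {"window": window, "count": 0, "blocked": False,
                       "threshold": rule.allowable_frequency if lowered
                       else rule.rate_limit}
            state[key] = current
        current["count"] += 1
        if current["count"] > current["threshold"]:
            current["blocked"] = True
            decisions.append("block")
        else:
            decisions.append("pass")
    return decisions


def burst(start, count, ip, session=None):
    """Constructed traffic: `count` requests, one per second from `start`."""
    cookies = {"session": session} if session else {}
    return [{"t": start + i, "ip": ip, "cookies": cookies} for i in range(count)]


# Constructed sample: three users behind one egress IP, two requests each.
OFFICE = sorted(burst(0, 2, "203.0.113.10", "a") + burst(1, 2, "203.0.113.10", "b")
                + burst(2, 2, "203.0.113.10", "c"), key=lambda r: r["t"])
# Constructed sample: one session that floods in period 0 and keeps going.
FLOOD = (burst(0, 5, "198.51.100.7", "x") + burst(60, 3, "198.51.100.7", "x")
         + burst(120, 1, "198.51.100.7", "x") + burst(180, 3, "198.51.100.7", "x"))

if __name__ == "__main__":
    by_ip = CCRule(rate_limit=3, allowable_frequency=1, period=60)
    by_cookie = CCRule(rate_limit=3, allowable_frequency=1, period=60,
                       identify_by="cookie")
    print("shared IP, identify by IP:    ", evaluate(by_ip, OFFICE))
    print("shared IP, identify by cookie:", evaluate(by_cookie, OFFICE))
    print("flooding session:             ", evaluate(by_cookie, FLOOD))
```

Counting by IP address blocks half of the shared-office requests although no single user exceeded the limit, while counting by cookie passes them all and still throttles the flooding session.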

6.6 What Do I Do If a Scanner, such as AppScan, Detects that the Cookie Is Missing Secure or HttpOnly?

Cookies are inserted by back-end web servers and can be implemented through framework configuration or set-cookie. Secure and HttpOnly in cookies help defend against attacks, such as XSS attacks to obtain cookies, and help defend against cookie hijacking.

If the AppScan scanner detects that the customer site does not insert security configuration fields, such as HttpOnly and Secure, into the cookie of the scan request after scanning the website, it records them as security threats.

WAF does not provide such compliance functions. The website administrator needs to perform related security configuration at the backend.
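
The following added example (not from the original document) shows one way to do this at the back end: a check that reports which of the two attributes a Set-Cookie value lacks, and a WSGI wrapper that appends them to every cookie the application sets. The application, cookie names, and the script_readable exemption are constructed for illustration; Secure assumes the site is served over HTTPS, and HttpOnly must be left off any cookie that page scripts need to read.

```python
FLAGS = ("Secure", "HttpOnly")


def missing_flags(set_cookie_value):
    """Return which of Secure/HttpOnly are absent from one Set-Cookie value."""
    # Attributes follow the first ';' and are case-insensitive (RFC 6265).
    present = {part.strip().split("=", 1)[0].lower()
               for part in set_cookie_value.split(";")[1:]}
    return [flag for flag in FLAGS if flag.lower() not in present]


def harden(set_cookie_value, script_readable=()):
    """Append the missing flags; keep HttpOnly off cookies scripts must read."""
    name = set_cookie_value.split("=", 1)[0].strip()
    for flag in missing_flags(set_cookie_value):
        if flag == "HttpOnly" and name in script_readable:
            continue
        set_cookie_value += "; " + flag
    return set_cookie_value


class CookieFlagMiddleware:
    """WSGI wrapper that hardens every Set-Cookie header the app emits."""

    def __init__(self, app, script_readable=()):
        self.app = app
        self.script_readable = frozenset(script_readable)

    def __call__(self, environ, start_response):
        def patched(status, headers, exc_info=None):
            fixed = [(k, harden(v, self.script_readable))
                     if k.lower() == "set-cookie" else (k, v)
                     for k, v in headers]
            return start_response(status, fixed, exc_info)
        return self.app(environ, patched)


def constructed_app(environ, start_response):
    """Constructed back end that sets cookies the way a scanner would flag."""
    start_response("200 OK", [
        ("Content-Type", "text/plain"),
        ("Set-Cookie", "sessionid=abc123; Path=/"),
        ("Set-Cookie", "csrftoken=t0k3n; Path=/; secure"),
    ])
    return [b"ok"]


def response_cookies(app):
    """Call a WSGI app once and return the Set-Cookie values it sent."""
    sent = []

    def start_response(status, headers, exc_info=None):
        sent.extend(v for k, v in headers if k.lower() == "set-cookie")

    list(app({"REQUEST_METHOD": "GET", "PATH_INFO": "/",
              "wsgi.url_scheme": "https"}, start_response))
    return sent


if __name__ == "__main__":
    for cookie in response_cookies(constructed_app):
        print("before:", cookie, "-> missing", missing_flags(cookie))
    wrapped = CookieFlagMiddleware(constructed_app, script_readable={"csrftoken"})
    for cookie in response_cookies(wrapped):
        print("after: ", cookie)
```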

6.7 Is the Path of a WAF Protection Rule Case-sensitive?

All paths configured for protection rules of WAF are case-sensitive.

6.8 Can I Export or Back Up the WAF Configuration?

The current WAF configuration cannot be exported or backed up.

7 Protection Events

7.1 Does WAF Provide the Log Service?

WAF does not provide the log service. However, you can use CTS logs to view WAF monitoring-related metrics.

7.2 Can WAF Logs Be Obtained Using APIs?

Currently, protection logs of WAF cannot be obtained using APIs. You can download protection events on the WAF console. For details, see Downloading Events Data.

7.3 How Do I Obtain Blocked Data?

WAF allows you to download the attack events (logged-only and blocked events) data of all protected domain names over the past five days, the protection event data of the current day, and the PDF file of the protection event data generated in the early morning of the next day. For details about how to obtain blocked data, see Downloading Events Data.

7.4 How Long Can Protection Logs Be Stored?

On the WAF console, you can view only the protection event data of the last 30 days. To view the event data of a longer period, contact HUAWEI CLOUD technical support.

8 Purchase

8.1 Is the Service Bandwidth Calculated Based on the Incoming Traffic or Outgoing Traffic?

The service bandwidth in WAF is calculated by WAF itself and is not associated with the bandwidth or traffic limit of other HUAWEI CLOUD products (such as CDN, ELB, and ECS).

8.2 What Is the Charging Standard of WAF?

Billing mode: Yearly/Monthly

Payment plan: pre-payment

Billing cycle: Yearly or monthly. A bill is generated each time you make a purchase.

Subscription cycle: You are charged monthly or yearly from the date of purchase. Buy one year to get a 17% discount.

Expiration description: If you do not renew your WAF service in time after it expires, HUAWEI CLOUD provides a grace period and retention period.

● During this period, WAF forwards traffic but your protection policies will not work.

● When this period is over, resources will be cleared, that is, all configurations of your domain names will be deleted. During the clearing period, domain names are pointed back to origin servers by default. However, services on your domain names may not run properly because there may be inconsistencies between your configured protocols and ports.

For price details, see Product Pricing Details.

8.3 How Do I Renew WAF?

This section describes how to renew WAF when it is about to expire. After the renewal, users can continue to use WAF.

Before the service expires, the system will send an SMS message or email to remind you to renew it.

If you do not renew the service after it expires, the public cloud platform provides a grace period and retention period.

● During this period, WAF forwards traffic but your protection policies will not work.

● When this period is over, resources will be cleared, that is, all configurations of your domain names will be deleted. During the clearing period, domain names are pointed back to origin servers by default. However, services on your domain names may not run properly because there may be inconsistencies between your configured protocols and ports.

To avoid unnecessary loss, you are advised to renew your WAF account.

● If you have selected Auto-renew when buying WAF, the system automatically generates a renewal order and renews your subscription before WAF expires.

● If you use a member account, grant the BSS Administrator permission to it so that you can renew the expired subscription using this member account.

Prerequisites

● Login credentials have been obtained.
● You have bought WAF.

Procedure

Step 1 Log in to the management console.

Step 2 Choose Fees > Renewal in the upper right corner of the page.

Figure 8-1 Renewal

Step 3 On the renewal management page, complete the renewal as prompted.

For details, see Manually Renewing a Resource.

----End

8.4 How Do I Unsubscribe from WAF?

This section describes how to unsubscribe from WAF.

If you use a member account, grant the BSS Administrator permission to it so that you can unsubscribe from WAF using this member account.

Prerequisites

● Login credentials have been obtained.
● WAF was bought within the last five days.

Procedure

Step 1 Log in to the management console.

Step 2 In the upper right part of the page, click Billing. The Billing Center page is displayed.

Step 3 In the navigation pane, choose Unsubscriptions and Changes > Unsubscriptions.

Step 4 Complete the unsubscription operations as prompted.

For details, see Unsubscription Rules.

----End

9 Domain Name Editing

9.1 How Do I Safely Delete a Protected Domain Name?

To delete a domain name that has not been connected to WAF, perform the following operations. To delete a domain name that has been connected to WAF, re-resolve it with the DNS provider to the origin server before performing the following operations.

Step 1 Log in to the management console.

Step 2 Access the page for deleting a domain name.

Figure 9-1 Deleting a domain name

Step 3 In the Delete Domain Name dialog box, delete the domain name.

● For the scenario where no proxy is used (see Figure 9-2):

– Ensure that related configurations are completed and select The CNAME of the domain name has been deleted from the DNS provider, and an A record has been configured to the origin server IP address, or services carried on the domain name have been brought offline.

– If you want to retain the policy bound to the domain name, select Retain the policy of this domain name.

Figure 9-2 Deleting a domain name (without a proxy)

● For the scenario where a proxy is used (see Figure 9-3):

– Ensure that related configurations are completed and select The domain name has been pointed to the origin server on the Advanced Anti-DDoS, CDN, or cloud acceleration product side, or services carried on the domain name have been brought offline.

– If you want to retain the policy bound to the domain name, select Retain the policy of this domain name.

Figure 9-3 Deleting a domain name (with a proxy)

Step 4 Click OK. If Domain name deleted successfully is displayed in the upper right corner, the domain name is deleted.

----End

10 Certificate

10.1 How Do I Select a Certificate When Configuring a Wildcard Domain Name in WAF?

Each domain name must correspond to a certificate. A wildcard domain name can only be used for a wildcard domain certificate. If you have not purchased a wildcard domain certificate and have only a single-domain certificate, you can only add domain names one by one in WAF.

10.2 How Do I Delete a Certificate Configured for a Protected Domain Name?

WAF does not support certificate deletion because website service security accidents may occur if a certificate is deleted accidentally.

10.3 How Do I Modify a Certificate?

If the purchased certificate is about to expire, you are advised to purchase a new certificate before the expiration date and update the certificate associated with the domain name in WAF.

Perform the following operations:

Step 1 Log in to the management console.

Step 2 Access the domain name configuration page.

Figure 10-1 Domains

Step 3 In the Domain Name column, click the target domain name. Its information is displayed.

Step 4 Click next to Server Information. If Client Protocol is HTTPS, select a new certificate from the certificate drop-down list or import a new certificate.

----End

A Change History

Released On Description

2020-03-31 This issue is the fiftieth official release.
Updated some screenshots.

2020-03-19 This issue is the forty-ninth official release.
● Modified supported non-standard ports in Which Non-Standard Ports Does WAF Support?
● Optimized descriptions in What Are Regions and AZs?

2020-03-06 This issue is the forty-eighth official release.
Added the following FAQs:
● How Do I Calculate the Protection Bandwidth?
● What Should I Do If the Traffic Exceeds the Protection Bandwidth of WAF?
● What Are the Differences Between the Enterprise Edition and Premium Edition?
● How Do I Add a Domain Name to WAF?
● How Do I Deploy Both CDN and WAF?

2020-03-03 This issue is the forty-seventh official release.
● Adjusted the document structure.
● Updated screenshots and descriptions in What Are the Impacts If a Subdomain Name and TXT Record Are Not Configured?

2020-01-10 This issue is the forty-sixth official release.
● Added Does WAF Support the WebSocket Protocol?.
● Added Can My WAF Be Shared by Multiple Accounts?.
● Optimized descriptions in Can WAF Protect an IP Address?.

2019-12-26 This issue is the forty-fifth official release.
Optimized descriptions in Which Non-Standard Ports Does WAF Support?.

2019-12-20 This issue is the forty-fourth official release.
Optimized descriptions in Which Non-Standard Ports Does WAF Support?.

2019-12-16 This issue is the forty-third official release.
Updated the navigation path illustration.

2019-12-09 This issue is the forty-second official release.
● Added What Is the Connection Timeout Duration of WAF? Can I Manually Set the Timeout Duration?.
● Added What Data Needs to Be Prepared Before Connecting a Domain Name to WAF?.
● Optimized descriptions in Can WAF Protect Offline Servers?.
● Optimized descriptions in Can WAF Protect an IP Address?.

2019-11-14 This issue is the forty-first official release.
Optimized descriptions in Which Non-Standard Ports Does WAF Support?.

2019-11-07 This issue is the fortieth official release.
Added What Are the Differences Between Rate Limit and Allowable Frequency in a CC Rule?.

2019-11-05 This issue is the thirty-ninth official release.
Optimized descriptions in How Do I Troubleshoot 404/502/504 Errors?.

2019-11-04 This issue is the thirty-eighth official release.
● Added Does WAF Have the IPS Module?.
● Added Can WAF Protect Offline Servers?.
● Added Does WAF Support File Caching?.
● Added Is the Path of a WAF Protection Rule Case-sensitive?.
● Added Can I Export or Back Up the WAF Configuration?.

2019-10-30 This issue is the thirty-seventh official release.
● Added Why Cannot the Protection Mode Be Enabled After a Domain Name Is Connected to WAF?.
● Added How Do I Perform Verification Using HUAWEI CLOUD DNS?.
● Added How Do I Query a Domain Name Provider?.
● Added Can I Use WAF Without a Domain Name?.
● Added How Do I Select a Certificate When Configuring a Wildcard Domain Name in WAF?.
● Added Does WAF Support HTTP/2?.
● Added How Many Rules Can Be Added to WAF?.
● Added Does WAF Support Health Check?.
● Added How Long Can Protection Logs Be Stored?.
● Added How Do I Obtain Blocked Data?.
● Added Does WAF Provide the Log Service?.
● Added Can WAF Logs Be Obtained Using APIs?.

2019-10-21 This issue is the thirty-sixth official release.
Added What Are the Impacts If a Subdomain Name and TXT Record Are Not Configured?.

2019-10-17 This issue is the thirty-fifth official release.
● Optimized descriptions in How Do I Route Website Traffic Through WAF?.
● Deleted "What Should I Do If the DNS Status Is Abnormal?"

2019-10-14 This issue is the thirty-fourth official release.
● Optimized descriptions in Which Non-Standard Ports Does WAF Support?.
● Optimized descriptions in How Do I Troubleshoot 404/502/504 Errors?.
● Optimized descriptions in Which OSs Does WAF Support?.
● Optimized descriptions in Which Web Service Frameworks Does WAF Support?.

2019-09-12 This issue is the thirty-third official release.
● Added What Do I Do If a Scanner, such as AppScan, Detects that the Cookie Is Missing Secure or HttpOnly?.
● Added Is the Service Bandwidth Calculated Based on the Incoming Traffic or Outgoing Traffic?.
● Added What Are the Differences Between the Permissions of a Master Account and Those of a Subaccount?.

2019-09-06 This issue is the thirty-second official release.
● Added What Are the Differences Between the Old and New CNAMEs?.
● Added Can I Set the IP Address of the Origin Server to a CNAME?.
● Optimized descriptions in How Do I Troubleshoot 404/502/504 Errors?.
● Optimized descriptions in How Do I Modify a Certificate?.

2019-08-28 This issue is the thirty-first official release.
● Optimized descriptions in How Do I Troubleshoot 404/502/504 Errors?.
● Added the link to the best practice in How Do I Obtain the Real IP Address of a Web Visitor?.
● Added links to related sections in How Do I Configure a CC Attack Protection Rule?.
● Added links to related sections in How Do I Route Website Traffic Through WAF?.

2019-08-20 This issue is the thirtieth official release.
Optimized some illustrations in the document.

2019-08-15 This issue is the twenty-ninth official release.
● Added How Do I Solve the Problem of Excessive Redirection Times?.
● Optimized descriptions in How Do I Route Website Traffic Through WAF?.

2019-07-15 This issue is the twenty-eighth official release.
● Added How Do I Renew WAF?.
● Added How Do I Unsubscribe from WAF?.
● Optimized descriptions in How Do I Configure Domain Names to Be Protected When Adding Domain Names?.


2019-07-11 This issue is the twenty-seventh official release.
Optimized descriptions in How Do I Configure Domain Names to Be Protected When Adding Domain Names?.

2019-07-02 This issue is the twenty-sixth official release.
Added How Do I Configure Domain Names to Be Protected When Adding Domain Names?.

2019-07-01 This issue is the twenty-fifth official release.
● Added What Are the Precautions for Configuring Multiple IP Addresses for Backend Servers?.
● Optimized descriptions in How Do I Troubleshoot 404/502/504 Errors?.

2019-06-18 This issue is the twenty-fourth official release.
● Added What Are the Restrictions on Using WAF in Enterprise Projects?.
● Added In Which Situations Will the WAF Policies Fail?.

2019-06-06 This issue is the twenty-third official release.
● Added In Which Regions Is WAF Available?.
● Added Is There Any Limit for File Upload?.
● Optimized descriptions in Which Non-Standard Ports Does WAF Support?.

2019-05-30 This issue is the twenty-second official release.
Optimized descriptions in How Do I Route Website Traffic Through WAF?.

2019-05-16 This issue is the twenty-first official release.
Optimized descriptions in How Do I Route Website Traffic Through WAF?.

2019-05-14 This issue is the twentieth official release.
Optimized descriptions in How Do I Troubleshoot 404/502/504 Errors?.


2019-05-05 This issue is the nineteenth official release.
● Added How Do I Whitelist the WAF Back-to-Source IP Address Ranges?.
● Added How Do I Solve the Problem that HTTPS Requests Fail on Some Mobile Phones?.
● Optimized descriptions in How Do I Troubleshoot 404/502/504 Errors?.
● Optimized descriptions in Which Non-Standard Ports Does WAF Support?.
● Optimized descriptions in How Do I Route Website Traffic Through WAF?.

2019-02-20 This issue is the eighteenth official release.
● Optimized descriptions in Which Non-Standard Ports Does WAF Support?.
● Optimized descriptions in What Is the Charging Standard of WAF?.

2019-01-03 This issue is the seventeenth official release.
Adjusted the document layout.

2018-11-08 This issue is the sixteenth official release.
Optimized some descriptions.

2018-10-29 This issue is the fifteenth official release.
Optimized descriptions in Which Non-Standard Ports Does WAF Support?.

2018-09-12 This issue is the fourteenth official release.
Added How Do I Fix an Incomplete Certificate Chain?.

2018-07-19 This issue is the thirteenth official release.
● Added How Do I Obtain the Real IP Address of a Web Visitor?.
● Optimized descriptions in How Do I Modify a Certificate?.
● Updated the screenshots based on the GUI changes.

2018-07-05 This issue is the twelfth official release.
● Optimized descriptions in How Do I Route Website Traffic Through WAF?.
● Optimized descriptions in How Do I Test WAF?.

2018-06-14 This issue is the eleventh official release.
Updated the screenshots based on the GUI changes.


2018-06-07 This issue is the tenth official release.
Added How Do I Modify a Certificate?.

2018-05-31 This issue is the ninth official release.
Added How Do I Troubleshoot 404/502/504 Errors?.

2018-05-17 This issue is the eighth official release.
Added How Do I Configure the Client Protocol and Server Protocol?.

2018-04-12 This issue is the seventh official release.
Added content about sensitive data leakage protection in What Protection Rules Does WAF Support?.

2018-04-02 This issue is the sixth official release.
● Optimized descriptions in Which Non-Standard Ports Does WAF Support?.
● Updated the GUI description and screenshots based on the GUI changes.

2018-03-31 This issue is the fifth official release.
● Added How Do I Switch the Mode of Basic Web Protection from Log only to Block?.
● Updated the GUI description and screenshots based on the GUI changes.

2018-03-27 This issue is the fourth official release.
● Added Which Non-Standard Ports Does WAF Support?.
● Added How Do I Route Website Traffic Through WAF?.
● Added How Do I Test WAF?.
● Added How Do I Safely Delete a Protected Domain Name?.
● Added Can WAF Continue Protecting a Domain Name When It Expires?.
● Added FAQ "How Do I Enable WAF?"
● Updated the GUI description and screenshots based on the GUI changes.

2018-01-16 This issue is the third official release.
Added Can WAF Protect an IP Address?.

2018-01-11 This issue is the second official release.
● Added What Protection Rules Does WAF Support?.
● Added Which Layer Does WAF Provides Protection At?.

2017-10-30 This issue is the first official release.
