Web Application Firewall
Service Overview
Issue 41
Date 2021-05-27
HUAWEI TECHNOLOGIES CO., LTD.
Copyright © Huawei Technologies Co., Ltd. 2021. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.
Contents
1 What Is Web Application Firewall?
2 Edition Differences
3 Functions
4 Product Advantages
5 Application Scenarios
6 Billing Description
7 Project and Enterprise Project
8 Personal Data Protection Mechanism
9 Permissions Management
10 WAF and Other Services
A Change History
1 What Is Web Application Firewall?
Web Application Firewall (WAF) keeps web services stable and secure. It examines all HTTP and HTTPS requests to detect and block the following attacks: Structured Query Language (SQL) injection, cross-site scripting (XSS), web shells, command and code injections, file inclusion, sensitive file access, third-party vulnerability exploits, Challenge Collapsar (CC) attacks, malicious crawlers, and cross-site request forgery (CSRF).
How WAF Works
After purchasing WAF, add the website to WAF on the WAF console. After a website is connected to WAF, all website access requests are forwarded to WAF first. WAF detects and filters out malicious attack traffic, and returns normal traffic to the origin server to ensure that the origin server is secure, stable, and available.
The process of forwarding traffic from WAF to the origin server is called back-to-source. WAF uses its back-to-source IP addresses to send received client requests to the origin server. As a result, the origin server sees the WAF back-to-source IP addresses instead of the client IP addresses.
Figure 1-1 How WAF protects a website
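Because the origin server sees only WAF back-to-source addresses, origin-side access control and logging have to treat those addresses as the trust boundary. The following is an added example, not Huawei code: it assumes the client address is forwarded in an X-Forwarded-For header (not stated in this document), and the ranges and function names are placeholders constructed for illustration.

```python
import ipaddress

# Placeholder back-to-source ranges (RFC 5737 documentation blocks), constructed
# for this example. Substitute the ranges published for your own WAF instance.
WAF_BACK_TO_SOURCE = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/25"),
]


def is_waf_address(ip_text):
    """True if the address belongs to a configured back-to-source range."""
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in WAF_BACK_TO_SOURCE)


def resolve_client_ip(peer_ip, headers):
    """Return (client_ip, came_through_waf) for one request at the origin.

    peer_ip is the TCP peer address seen by the origin server. headers is a
    dict of request headers. X-Forwarded-For is an assumed header name.
    """
    if not is_waf_address(peer_ip):
        # The request did not arrive from WAF, so it was never inspected and
        # any forwarding header is attacker-controlled. Report the peer itself.
        return peer_ip, False

    xff = ""
    for name, value in headers.items():
        if name.lower() == "x-forwarded-for":
            xff = value

    # Each proxy appends the address it received the request from, so the
    # right-most entries are the ones WAF wrote. Walk right to left, skip WAF
    # hops, and stop at the first address that is not a WAF address. Entries
    # further left were supplied by the client and are not trusted.
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not is_waf_address(hop):
                return str(ipaddress.ip_address(hop)), True
        except ValueError:
            break  # malformed entry: fall back to the peer address
    return peer_ip, True


def origin_decision(peer_ip, headers):
    """Access-control and logging decision for the origin server."""
    client_ip, via_waf = resolve_client_ip(peer_ip, headers)
    return {
        "action": "accept" if via_waf else "reject",  # only WAF may reach origin
        "client_ip": client_ip,
        "peer_ip": peer_ip,
    }
```

Rejecting peers outside the back-to-source ranges keeps direct-to-origin requests from skipping inspection, and reading the forwarded header only from trusted peers keeps spoofed values out of logs and IP-based rules.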
2 Edition Differences
WAF supports yearly/monthly and pay-per-use billing modes. You can switch between the yearly/monthly and pay-per-use billing modes. The yearly/monthly billing mode is supported in the professional, enterprise, and premium editions. Familiarize yourself with the differences between WAF editions before you make a purchase.
Application Scenarios
Table 2-1 describes the application scenarios for different editions. Get familiar with the application scenarios for each edition and select the one that best fits your needs.
Table 2-1 Application Scenarios
| Item | Description |
| --- | --- |
| Billing mode | ● Yearly/Monthly ● Pay-per-use. NOTE: Switching between yearly/monthly and pay-per-use payments is supported by cloud WAF instances. |
| Edition | The yearly/monthly billing mode is supported for the following service editions: ● Professional ● Enterprise ● Premium |
| Application scenarios | Service servers are deployed on a cloud or in on-premises data centers. Application scenarios of each edition: ● Professional: Suitable for small- and medium-sized websites that do not have special security requirements ● Enterprise: Suitable for medium-sized enterprise websites or services that are open to the Internet, focus on data security, and have high security requirements ● Premium: Suitable for large- and medium-sized enterprise websites that have a large service scale or have special security requirements |
| Protected object | Domain names |
| Advantages | ● Expand protection capability with just a few clicks. ● Protect cloud and on-premises web services. |
Features and Applicable Service Scale
Table 2-2 and Table 2-3 describe the applicable service scale and security features of each edition. To protect more domain names and traffic, you can either purchase domain name, bandwidth, and rule expansion packages under your current WAF edition or upgrade the WAF edition you are using.
The restrictions and specifications of the expansion packages are as follows:
● A domain package can protect 10 domains, including one top-level domain and nine subdomains or wildcard domains related to the top-level domain.
● A bandwidth expansion package can protect up to 20 Mbit/s of traffic for services on HUAWEI CLOUD or 50 Mbit/s for applications not on HUAWEI CLOUD; or 1,000 Queries per Second (QPS). Each HTTP Get request is a query.
● A rule expansion package allows you to configure up to 10 IP address blacklist and whitelist rules.
NOTICE
● The number of domains is the total number of top-level domain names (for example, example.com), single domain names/subdomain names (for example, www.example.com), and wildcard domain names (for example, *.example.com). For example, a professional WAF instance can protect 10 domain names. So, you can add 10 single domain names or wildcard domain names to it, or add one top-level domain name and nine subdomain names or wildcard domain names related to the top-level domain name to it.
● If a domain name maps to different ports, each port is considered to represent a different domain name. For example, www.example.com:8080 and www.example.com:8081 are counted towards your quota as two distinct domain names.
Table 2-2 Applicable service scale
| Service Scale | Professional Edition | Enterprise Edition | Premium Edition | Pay-Per-Use |
| --- | --- | --- | --- | --- |
| Peak rate of normal service requests | 2,000 QPS | 5,000 QPS | 10,000 QPS | - |
| Service bandwidth threshold (The origin server is deployed on the cloud.) | 100 Mbit/s | 200 Mbit/s | 300 Mbit/s | - |
| Service bandwidth threshold (The origin server is not deployed on HUAWEI CLOUD.) | 30 Mbit/s | 50 Mbit/s | 100 Mbit/s | N/A |
| Number of domains | 10 (Supports one top-level domain name.) | 50 (Supports five top-level domain names.) | 80 (Supports eight top-level domain names.) | 30 (Supports three top-level domain names.) |
| Back-to-source IP address (number of origin server IP addresses under one protected domain name) | 20 | 50 | 80 | 20 |
| Peak rate of CC attack defense | 100,000 QPS | 300,000 QPS | 1,000,000 QPS | - |
| Number of CC attack defense rules | 20 | 50 | 100 | 200 |
| Number of precise protection rules | 20 | 50 | 100 | 200 |
| Number of reference table rules | N/A | 50 | 100 | 200 |
| Number of IP address blacklist or whitelist rules | 20 | 50 | 1,000 | 200 |
| Number of geolocation access control rules | N/A | 50 | 100 | 200 |
| Number of web tamper protection rules | 20 | 50 | 100 | 200 |
| Number of information leakage prevention rules | N/A | 50 | 100 | 200 |
| Number of false alarm masking rules | 1,000 | 1,000 | 1,000 | 2,000 |
| Number of data masking rules | 20 | 50 | 100 | 200 |
Table 2-3 Security features
| Function Template | Professional Edition | Enterprise Edition | Premium Edition | Pay-Per-Use | Related Document |
| --- | --- | --- | --- | --- | --- |
| Adding wildcard domain names | Supported | Supported | Supported | Supported | How Do I Configure Domain Names to Be Protected When Adding Domain Names? |
| Protection for ports except 80 and 443 | Supported | Supported | Supported | Supported | Which Non-Standard Ports Does WAF Support? |
| Flexibly configuring defense policies in a batch | Not supported | Supported | Supported | Supported | Adding a Policy |
| Defending against common web attacks, such as XSS attacks, SQL injection, and bad crawlers | Supported | Supported | Supported | Supported | Enabling Basic Web Protection |
| Updating protection rules against zero-day vulnerabilities to the latest on the cloud and delivering virtual patches in a timely manner | Supported | Supported | Supported | Supported | |
| Web shell detection | Supported | Supported | Supported | Supported | |
| CC attack prevention | Supported | Supported | Supported | Supported | Configuring CC Attack Protection Rules |
| Precise protection | Not all supported | Supported | Supported | Not all supported | Adding Precise Protection Rules |
| Reference table management | Not supported | Supported | Supported | × | Adding a Reference Table |
| Configuring an IP address blacklist or whitelist | Supported | Supported | Supported | Supported | Configuring Blacklist and Whitelist Rules |
| Allowing or blocking web requests based on the countries that the requests originate from. | Not supported | Supported | Supported | Supported | Configuring Geolocation Access Control Rules |
| Web tamper protection | Supported | Supported | Supported | Supported | Configuring Web Tamper Protection Rules |
| Anti-Crawler: Dynamic anti-crawler function based on data risk control and bot identification systems, such as JavaScript Challenge. | Not supported | Supported | Supported | √ (JavaScript anti-crawler not supported) | Enabling Anti-Crawler |
| Information leakage prevention | Not supported | Supported | Supported | Supported | Configuring Information Leakage Prevention Rules |
| False alarm masking | Supported | Supported | Supported | Supported | Configuring False Alarm Masking Rules |
| Data masking | Supported | Supported | Supported | Supported | Configuring Data Masking Rules |
3 Functions
WAF makes it easier for you to handle web security risks.
Basic Web Protection
With an extensive preset reputation database, WAF defends against Open Web Application Security Project (OWASP) top 10 threats, vulnerability exploits, web shells, and other threats.
● All-around protection
  WAF detects and blocks varied attacks, such as SQL injection, XSS, remote overflow vulnerabilities, file inclusions, Bash vulnerabilities, remote command execution, directory traversal attacks, sensitive file access, and command/code injections.
● Web shell detection
  WAF protects against web shells uploaded through the upload interface.
● Precise identification
  – WAF uses a built-in semantic analysis engine and regex engine and supports the configuration of blacklist/whitelist rules, which reduces false positives.
  – WAF supports anti-escape and automatic restoration of common codes, which improves its ability to recognize deformed web attacks. WAF can decode the following types of code: url_encode, Unicode, XML, C-OCT, hexadecimal, HTML escape, and base64 code, case confusion, JavaScript, shell, and PHP concatenation confusion.
● Deep inspection
  WAF identifies and blocks evasion attacks, such as the ones that use homomorphic character obfuscation, command injection with deformed wildcard characters, UTF7, data URI scheme, and other techniques.
● Header detection
  WAF detects all header fields in the requests.
CC Attack Prevention
With CC attack prevention enabled, you can configure protective actions, including Verification code, Block, Block dynamically, and Log only, and returned page content based on your service needs to effectively mitigate CC attacks.
● Flexible policy configuration
  WAF allows you to flexibly set rate limiting policies by IP address, cookie, or Referer field.
● Returned page customization
  You can customize returned content and page types to meet diverse service needs.
GUI-based Security Data
WAF provides a GUI-based interface for you to monitor attack information and event logs in real time.
● Centralized policy configuration
  On the WAF console, you can configure policies applicable to multiple protected domain names in a centralized manner so that the policies can be quickly delivered and take effect.
● Traffic and event statistics
  WAF displays the number of requests, the number and types of security events, and log information in real time.
Non-Standard Ports
In addition to standard ports 80 and 443, WAF also supports non-standard ports.
Table 3-1 Supported ports
| Edition | Port Category | HTTP Protocol | HTTPS Protocol | Port Limit |
| --- | --- | --- | --- | --- |
| Professional | Standard ports | 80 | 443 | Unlimited |
| Professional | Non-standard ports (86 in total) | 81, 82, 83, 84, 86, 87, 88, 89, 800, 808, 5000, 8000, 8001, 8002, 8003, 8008, 8009, 8010, 8020, 8021, 8022, 8025, 8026, 8077, 8078, 8080, 8085, 8086, 8087, 8088, 8089, 8090, 8091, 8092, 8093, 8094, 8095, 8096, 8097, 8098, 8106, 8118, 8181, 8334, 8336, 8800, 8686, 8888, 8889, 8999, 8011, 8012, 8013, 8014, 8015, 8016, 8017, and 8070 | 4443, 5443, 6443, 7443, 8081, 8082, 8083, 8084, 8443, 8843, 9443, 8553, 8663, 9553, 9663, 18110, 18381, 18980, 28443, 18443, 8033, 18000, 19000, 7072, 7073, 8803, 8804, and 8805 | 10 ● Professional: 10 non-standard ports supported ● Cloud mode in pay-per-use billing mode: 20 non-standard ports supported |
| Enterprise | Standard ports | 80 | 443 | Unlimited |
| Enterprise | Non-standard ports (182 in total) | 9945, 9770, 81, 82, 83, 84, 88, 89, 800, 808, 1000, 1090, 3128, 3333, 3501, 3601, 4444, 5000, 5222, 5555, 5601, 6001, 6666, 6788, 6789, 6842, 6868, 7000, 7001, 7002, 7003, 7004, 7005, 7006, 7009, 7010, 7011, 7012, 7013, 7014, 7015, 7016, 7018, 7019, 7020, 7021, 7022, 7023, 7024, 7025, 7026, 7070, 7081, 7082, 7083, 7088, 7097, 7777, 7800, 7979, 8000, 8001, 8002, 8003, 8008, 8009, 8010, 8020, 8021, 8022, 8025, 8026, 8077, 8078, 8080, 8085, 8086, 8087, 8088, 8089, 8090, 8091, 8092, 8093, 8094, 8095, 8096, 8097, 8098, 8106, 8118, 8181, 8334, 8336, 8800, 8686, 8888, 8889, 8989, 8999, 9000, 9001, 9002, 9003, 9080, 9200, 9802, 10000, 10001, 10080, 12601, 86, 9021, 9023, 9027, 9037, 9081, 9082, 9201, 9205, 9207, 9208, 9209, 9210, 9211, 9212, 9213, 48800, 87, 97, 7510, 9180, 9898, 9908, 9916, 9918, 9919, 9928, 9929, 9939, 28080, 33702, 8011, 8012, 8013, 8014, 8015, 8016, 8017, and 8070 | 8750, 8445, 18010, 4443, 5443, 6443, 7443, 8081, 8082, 8083, 8084, 8443, 8843, 9443, 8553, 8663, 9553, 9663, 18110, 18381, 18980, 28443, 18443, 8033, 18000, 19000, 7072, 7073, 8803, 8804, 8805, 9999 | 18 |
| Premium | Standard ports | 80 | 443 | Unlimited |
| Premium | Non-standard ports (199 in total) | 8899, 8006, 9945, 9770, 81, 82, 83, 84, 88, 89, 800, 808, 1000, 1090, 3128, 3333, 3501, 3601, 4444, 5000, 5222, 5555, 5601, 6001, 6666, 6788, 6789, 6842, 6868, 7000, 7001, 7002, 7003, 7004, 7005, 7006, 7009, 7010, 7011, 7012, 7013, 7014, 7015, 7016, 7018, 7019, 7020, 7021, 7022, 7023, 7024, 7025, 7026, 7070, 7081, 7082, 7083, 7088, 7097, 7777, 7800, 7979, 8000, 8001, 8002, 8003, 8008, 8009, 8010, 8020, 8021, 8022, 8025, 8026, 8077, 8078, 8080, 8085, 8086, 8087, 8088, 8089, 8090, 8091, 8092, 8093, 8094, 8095, 8096, 8097, 8098, 8106, 8118, 8181, 8334, 8336, 8800, 8686, 8888, 8889, 8989, 8999, 9000, 9001, 9002, 9003, 9080, 9200, 9802, 10000, 10001, 10080, 12601, 86, 9021, 9023, 9027, 9037, 9081, 9082, 9201, 9205, 9207, 9208, 9209, 9210, 9211, 9212, 9213, 48800, 87, 97, 7510, 9180, 9898, 9908, 9916, 9918, 9919, 9928, 9929, 9939, 28080, 33702, 8011, 8012, 8013, 8014, 8015, 8016, 8017, 8070, and 8232 | 8750, 9190, 9184, 9182, 8950, 8920, 8910, 8848, 8445, 18010, 4443, 5443, 6443, 7443, 8081, 8082, 8083, 8084, 8443, 8843, 9443, 8553, 8663, 9553, 9663, 18110, 18381, 18980, 28443, 18443, 8033, 18000, 19000, 7072, 7073, 8803, 8804, 8805, 9999, 8244, 8224, 8281, 8211, 8243, 8221, and 8231 | 58 |
| ELB Mode | Port | 1 to 65535 | 1 to 65535 | Unlimited |
Precise Protection
WAF supports precise logic- and parameter-based access control policies.
● A variety of parameter conditions
  Set conditions with combinations of common HTTP parameters, such as IP, URL, Referer, User Agent, Params, and Header.
● Abundant logical conditions
  WAF blocks or allows traffic based on logical conditions, such as "Include", "Exclude", "Equal to", "Not equal to", "Prefix is", and "Prefix is not."
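The field and logic names above are enough to model how such rules behave. The following is an added example, not Huawei code or the WAF rule format: it assumes conditions within a rule are combined with AND, that the first matching rule in list order decides, that an absent field is tested as an empty string, and that IP conditions are compared as addresses or CIDR ranges. All rule names and sample requests are constructed.

```python
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlsplit, parse_qs

# The six logical conditions named in the text, applied to (value, content).
STRING_OPS = {
    "Include":       lambda v, c: c in v,
    "Exclude":       lambda v, c: c not in v,
    "Equal to":      lambda v, c: v == c,
    "Not equal to":  lambda v, c: v != c,
    "Prefix is":     lambda v, c: v.startswith(c),
    "Prefix is not": lambda v, c: not v.startswith(c),
}
NEGATIVE = {"Exclude", "Not equal to", "Prefix is not"}


@dataclass(frozen=True)
class Condition:
    field: str          # "IP", "URL", "Referer", "User Agent", "Params", "Header"
    logic: str          # a key of STRING_OPS
    content: str
    subfield: str = ""  # parameter or header name for "Params" / "Header"


@dataclass(frozen=True)
class Rule:
    name: str
    conditions: tuple   # all must hold (AND is an assumption of this example)
    action: str         # "block" or "allow"


def field_values(request, cond):
    """Strings a condition is tested against; an absent field yields ['']."""
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    parts = urlsplit(request["url"])
    if cond.field == "IP":
        return [request["ip"]]
    if cond.field == "URL":
        return [parts.path]
    if cond.field == "Referer":
        return [headers.get("referer", "")]
    if cond.field == "User Agent":
        return [headers.get("user-agent", "")]
    if cond.field == "Header":
        return [headers.get(cond.subfield.lower(), "")]
    if cond.field == "Params":
        # A repeated parameter yields several values; all of them are checked.
        query = parse_qs(parts.query, keep_blank_values=True)
        return query.get(cond.subfield, [""])
    raise ValueError(f"unknown field {cond.field!r}")


def condition_matches(request, cond):
    values = field_values(request, cond)
    if cond.field == "IP":
        # String prefixes on addresses are error-prone ("192.0.2" also
        # prefixes 192.0.20.5), so IP content is parsed as a network.
        if cond.logic not in ("Equal to", "Not equal to"):
            raise ValueError("IP supports only 'Equal to' / 'Not equal to' here")
        net = ipaddress.ip_network(cond.content, strict=False)
        inside = ipaddress.ip_address(values[0]) in net
        return inside if cond.logic == "Equal to" else not inside
    results = [STRING_OPS[cond.logic](v, cond.content) for v in values]
    # Positive logic: any value may match. Negative logic: every value must
    # satisfy it, so a duplicated parameter cannot slip past the rule.
    return all(results) if cond.logic in NEGATIVE else any(results)


def evaluate(request, rules):
    """Return (action, rule_name); ('pass', None) when no rule matches."""
    for rule in rules:
        if all(condition_matches(request, c) for c in rule.conditions):
            return rule.action, rule.name
    return "pass", None


# Constructed sample policy: order matters because the first match wins.
SAMPLE_RULES = [
    Rule("admin-from-office", (Condition("URL", "Prefix is", "/admin"),
                               Condition("IP", "Equal to", "192.0.2.0/24")), "allow"),
    Rule("admin-elsewhere", (Condition("URL", "Prefix is", "/admin"),), "block"),
    Rule("checkout-offsite", (Condition("URL", "Equal to", "/checkout"),
                              Condition("Referer", "Prefix is not",
                                        "https://shop.example/")), "block"),
    Rule("debug-param", (Condition("Params", "Equal to", "1", "debug"),), "block"),
]
```

Note that the negative conditions match requests in which the field is missing altogether: under the empty-string assumption, a /checkout request with no Referer header is blocked by the "Prefix is not" rule.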
IP Address Blacklist and Whitelist
This function allows you to blacklist or whitelist IP addresses or an IP address range to improve defense accuracy.
Known Attack Source
● If WAF blocks a malicious request by IP address, Cookie, or Params, you can configure a known attack source rule to let WAF automatically block all requests from the attack source for a blocking duration set in the known attack source rule.
● Known attack source rules can be set based on attacks blocked against the basic web protection, precise access protection, and blacklist and whitelist rules.
Geolocation Access Control
You can allow some web requests and block others based on the geographical locations of IP addresses that the requests originate from.
Web Page Tampering Prevention
You can configure cache for static web pages. When a user accesses a web page, the system returns a cached page to the user and randomly checks whether the page is tampered with.
Anti-Crawler Protection
Dynamically analyze website service models and accurately identify crawler behavior based on data risk control and bot identification systems, such as JavaScript Challenge.
● Feature library
  Blocks web page crawling with user-defined scanner and crawler rules. This feature improves protection accuracy.
● JavaScript
  Identifies and blocks JavaScript crawling with user-defined rules.
False Alarm Masking
This function enables you to ignore certain attack detection rules for specific requests.
Data Masking
WAF masks sensitive information, such as usernames and passwords, in the event log.
Information Leakage Prevention
WAF prevents your sensitive information, such as ID numbers, phone numbers, and email addresses, from being disclosed on web pages.
Reliable
WAF can be deployed on multiple clusters in multiple regions based on the load balancing principle. This can prevent single points of failure (SPOFs) and ensure smooth online capacity expansion, maximizing service stability.
Alarm Notification
You can enable notification for attack logs. Once this function is enabled, WAF sends attack logs to you by the method you configure.
Event Management
● WAF allows you to view and handle false alarms for blocked or logged events.
● You can download events data over the past five days.
● You can use Log Tank Service (LTS) on HUAWEI CLOUD to record all WAF logs, including attack and access logs.
4 Product Advantages
WAF examines web traffic from multiple dimensions to accurately identify malicious requests and filter attacks, reducing the risks of data being tampered with or stolen.
Comprehensive Protection
WAF uses a built-in extensive database of attack signatures to detect and block dozens of common web attacks.
Industry-leading Technologies
WAF leverages industry-leading semantics, regex, and AI engines to accurately identify threats and significantly improve the threat detection rate.
Flexible Configuration
WAF enables custom precise protection rules to meet diverse requirements of security operations.
Professional and Reliable Service
WAF ensures zero service interruption with distributed deployment, 24/7 monitoring, and remote disaster recovery.
5 Application Scenarios
Common protection
WAF helps you defend against common web attacks, such as command injection and sensitive file access.
Protection for online shopping mall promotion activities
Countless malicious requests may be sent to service interfaces during online promotions. WAF allows configurable rate limiting policies to defend against CC attacks. This prevents services from breaking down due to many concurrent requests, ensuring response to legitimate requests.
Protection against zero-day vulnerabilities
Services cannot recover quickly from the impact of zero-day vulnerabilities in third-party web frameworks and plug-ins. WAF updates the preset protection rules immediately to add an additional protection layer to such web frameworks and plug-ins, and this layer can react faster than fixing the vulnerabilities.
Data leakage prevention
WAF prevents malicious actors from using methods such as SQL injection and web shells to bypass application security and gain remote access to web databases. You can configure anti-data leakage rules on WAF to provide the following functions:
● Precise identification
  WAF uses semantic analysis & regex to examine traffic from different dimensions, precisely detecting malicious traffic.
● Distortion attack detection
  WAF detects a wide range of distortion attack patterns with 7 decoding methods to prevent bypass attempts.
Web page tampering prevention
WAF ensures that attackers cannot leave backdoors on your web servers or tamper with your web page content, preventing damage to your credibility. You can configure web tamper protection rules on WAF to provide the following functions:
● Website malicious code detection
  You can configure WAF to detect malicious code injected into web servers and ensure secure visits to web pages.
● Web page tampering prevention
  WAF prevents attackers from tampering with web page content or publishing inappropriate information that can damage your reputation.
6 Billing Description
WAF supports two billing modes: yearly/monthly (prepaid) and pay-per-use (postpaid).
For more details, see Product Pricing Details.
Billing Items
You are billed for WAF instances you select based on the billing mode you specified.
Table 6-1 Billing items
| Billing Mode | Billing Item | Billing Description |
| --- | --- | --- |
| Yearly/Monthly | Edition (mandatory) | Billed based on purchased edition (professional, enterprise, or premium). For details about specifications and functions of each edition, see Edition Differences. |
| Yearly/Monthly | Domain Expansion Package (Optional) | Billed based on the number of purchased domain expansion packages |
| Yearly/Monthly | Bandwidth Expansion Package (Optional) | Billed based on the number of purchased bandwidth expansion packages |
| Yearly/Monthly | Rule Expansion Package (Optional) | Billed based on how many packages you purchased. |
| Yearly/Monthly | Required Duration | Billed on a yearly or monthly basis |
| Pay-per-use | ● Number of domains ● Number of customized rules ● Number of requests | ● Number of domain names: Billed on an hourly basis. Once a domain name is added during the billing period, it will be billed no matter when it is deleted. ● Number of customized rules: Billed on a daily basis. The billing is calculated at 00:00 every day. ● Number of requests: Billed on a monthly basis. |
NOTE
Switching between yearly/monthly and pay-per-use payments is supported by WAF instances.
Billing Options
● Yearly/Monthly: The longer you subscribe, the more you save. A yearly/monthly WAF instance is billed based on the required duration you select.
● Pay-per-use: This billing mode allows you to subscribe or unsubscribe at any time.
  For a pay-per-use WAF instance, you are billed for the number of added domain names, number of customized rules, and number of used requests.
Changing Billing Options
● In the yearly/monthly billing mode, you can upgrade the edition of your WAF instance or increase the number of domain name, bandwidth, and expansion packages to meet your business needs.
● Unsubscription: If you no longer need your WAF instance that is billed yearly/monthly, unsubscribe from it in the Billing Center.
Renewal
If you do not renew a WAF instance billed on a yearly/monthly basis upon its expiration, a retention period is available for you.
For details, see Retention Period.
● During this period, WAF only forwards traffic but does not check it against your protection policies.
● When this period ends, resources will be cleared, that is, all configurations of your domain names will be deleted. During the clearing period, domain names are pointed back to origin servers by default. However, services on your domain names may not run properly because there may be inconsistencies between your configured protocols and ports.
To avoid unnecessary loss caused by security issues, renew your subscription before the retention period expires. WAF expiration does not affect your other services.
You can renew your resources on the management console. For details, see Renewal Rules.
Expiration and Overdue Payment
● Expiration
  If you do not renew a WAF instance billed on a yearly/monthly basis upon its expiration, a retention period is available for you. For details, see Retention Period.
● Overdue Payment
  If your account of WAF instances billed on a yearly/monthly basis is in arrears, top up your account in a timely manner to let WAF protect your website continuously. For details, see How Does a Common HUAWEI CLOUD Customer Repay?
FAQs
For more billing FAQs, see WAF FAQs.
7 Project and Enterprise Project
Project
Projects in IAM are used to group and isolate OpenStack resources (computing resources, storage resources, and network resources). Resources in your account must be mounted under projects. A project can be a department or a project team. Multiple projects can be created under one account.
Enterprise Project
Enterprise projects are used to categorize and manage multiple resources. Resources in different regions can belong to one enterprise project. You can classify resources by department or project group and put related resources into one enterprise project for management. Resources can be moved between enterprise projects.
Differences Between Projects and Enterprise Projects
● IAM Project
  Projects are used to categorize and physically isolate resources in a region. Resources in an IAM project cannot be transferred. They can only be deleted and then rebuilt.
● Enterprise Project
  Enterprise projects are upgraded based on IAM projects and used to categorize and manage resources of different projects of an enterprise. An enterprise project can contain resources of multiple regions, and resources can be added to or removed from enterprise projects. If you have enabled enterprise management, you cannot create an IAM project and can only manage existing projects. In the future, IAM projects will be replaced by enterprise projects, which are more flexible.
Both projects and enterprise projects can be managed by one or more user groups. Users who manage enterprise projects belong to user groups. After a policy is granted to a user group, users in the group can obtain the permissions defined in the policy in the project or enterprise project.
For details about how to create a project, create an enterprise project, and grant policies, see Managing Projects and Enterprise Projects.
8 Personal Data Protection Mechanism
To ensure that website visitors' personal data, such as the username, password, and mobile phone number, will not be obtained by unauthorized or unauthenticated entities or people and to prevent data leakage, WAF encrypts your personal data before storing it to control access to the data and records logs for operations performed on the data.
Personal Data to Be Collected
WAF records requests that trigger attack alarms in event logs. Table 8-1 provides the personal data collected and generated by WAF.
Table 8-1 Personal data
| Type | Collection Method | Can Be Modified | Mandatory |
| --- | --- | --- | --- |
| Request source IP address | Attacker IP address that is blocked or recorded by WAF when the domain name is attacked. | No | Yes |
| URL | Attacked URL of the protected domain name, or URL of the protected domain name that is blocked or recorded by WAF. | No | Yes |
| HTTP/HTTPS header information (including the cookie) | Cookie value and header value entered on the configuration page when you configure a CC attack or precise protection rule. | No | No. The configured cookie and header information may not contain the user's personal information. |
| Request parameters (Get and Post) | Request details recorded by WAF in protection logs. | No | No. The request parameters may not contain a user's personal information. |
Storage Mode
The values of sensitive fields are saved after being anonymized, and the values of other fields are saved in plaintext in logs.
Access Control
Users can view only logs related to their own services.
9 Permissions Management
To assign different permissions to employees in your enterprise to access your WAF resources, IAM is a good choice for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you secure access to your HUAWEI CLOUD resources.
With IAM, you can use your HUAWEI CLOUD account to create IAM users for your employees, and assign permissions to the users to control their access to specific resource types. For example, some software developers in your enterprise need to use WAF resources but must not delete them or perform any high-risk operations. To achieve this result, you can create IAM users for the software developers and grant them only the permissions required for using WAF resources.
If your HUAWEI CLOUD account does not need individual IAM users for permissions management, then you may skip over this chapter.
IAM can be used free of charge. You pay only for the resources in your account. For more details, see IAM Service Overview.
WAF Permissions
By default, new IAM users do not have any permissions assigned. You need to add a user to one or more groups, and attach permissions policies or roles to these groups. Users inherit permissions from the groups to which they are added and can perform specified operations on cloud services based on the permissions.
WAF is a project-level service deployed and accessed in specific physical regions. To assign WAF permissions to a user group, specify the scope as region-specific projects and select projects for the permissions to take effect. If All projects is selected, the permissions will take effect for the user group in all region-specific projects. When accessing WAF, the users need to switch to a region where they have been authorized to use the WAF service.
You can grant users permissions by using roles and policies.
● Roles: A type of coarse-grained authorization mechanism that defines permissions related to users' responsibilities. Only a limited number of service-level roles for authorization are available. You also need to assign other dependent roles for the permission control to take effect. Roles are not ideal for fine-grained authorization and secure access control.
● Policies: A fine-grained authorization mechanism that defines permissions required to perform operations on specific cloud resources under certain conditions. This mechanism allows for more flexible policy-based authorization and meets secure access control requirements. For example, you can grant WAF users only the permissions for managing a certain type of resources. Most policies define permissions based on APIs. For the API actions supported by WAF, see Permissions Policies and Supported Actions.
Table 9-1 lists all the system-defined roles and policies supported by WAF.

Table 9-1 System policies supported by WAF

| Role/Policy Name | Description | Category | Dependencies |
|---|---|---|---|
| WAF Administrator | Administrator permissions for WAF | System-defined role | Dependent on the Tenant Guest and Server Administrator roles. Tenant Guest: A global role, which must be assigned in the global project. Server Administrator: A project-level role, which must be assigned in the same project. |
| WAF FullAccess | All permissions for WAF | System-defined policy | None. |
| WAF ReadOnlyAccess | Read-only permissions for WAF. | System-defined policy | |

Helpful Links
● IAM Service Overview
● Creating a User Group and User and Granting WAF Permissions
● WAF Custom Policies
● WAF Permissions and Supported Actions

WAF FullAccess Policy Content
{
    "Version": "1.1",
    "Statement": [
        {
            "Action": [
                "waf:*:*",
                "lts:groups:get",
                "lts:groups:list",
                "lts:topics:get",
                "lts:topics:list"
            ],
            "Effect": "Allow"
        }
    ]
}

WAF ReadOnlyAccess Policy Content
{
    "Version": "1.1",
    "Statement": [
        {
            "Action": [
                "waf:*:get*",
                "waf:*:list*",
                "lts:groups:get",
                "lts:groups:list",
                "lts:topics:get",
                "lts:topics:list"
            ],
            "Effect": "Allow"
        }
    ]
}
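
To see what the wildcard actions in the two policies above actually grant, the following added example (not Huawei code) evaluates candidate actions against them and against a constructed custom policy for the "use but never delete" developer case. It assumes `*` matches any run of characters, matching is case-sensitive, and an explicit Deny overrides Allow; `DEV_NO_DELETE` and the sample action names are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Action lists copied from the two system-defined policies on this page.
_SHARED_LTS = ["lts:groups:get", "lts:groups:list", "lts:topics:get", "lts:topics:list"]
WAF_FULL_ACCESS = {"Version": "1.1", "Statement": [
    {"Action": ["waf:*:*"] + _SHARED_LTS, "Effect": "Allow"}]}
WAF_READ_ONLY_ACCESS = {"Version": "1.1", "Statement": [
    {"Action": ["waf:*:get*", "waf:*:list*"] + _SHARED_LTS, "Effect": "Allow"}]}
# Constructed custom policy (assumption): use WAF, but never delete anything.
DEV_NO_DELETE = {"Version": "1.1", "Statement": [
    {"Action": ["waf:*:*"], "Effect": "Allow"},
    {"Action": ["waf:*:delete*"], "Effect": "Deny"}]}


def is_allowed(policy, action):
    """True if `action` matches an Allow statement and no Deny statement.

    Assumed semantics: glob-style '*', case-sensitive, Deny wins over Allow.
    """
    allowed = False
    for stmt in policy.get("Statement", []):
        if any(fnmatchcase(action, pat) for pat in stmt.get("Action", [])):
            if stmt.get("Effect") == "Deny":
                return False
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed


def non_read_grants(policy, candidate_actions):
    """Candidate actions the policy grants whose operation is not get*/list*."""
    def is_read(action):
        return action.rsplit(":", 1)[-1].startswith(("get", "list"))
    return [a for a in candidate_actions if is_allowed(policy, a) and not is_read(a)]


# Constructed action names in the service:resource:operation shape used above.
SAMPLE_ACTIONS = ["waf:instance:get", "waf:policy:list", "waf:policy:delete",
                  "waf:certificate:create", "lts:topics:list", "lts:topics:delete"]

if __name__ == "__main__":
    for name, pol in (("FullAccess", WAF_FULL_ACCESS),
                      ("ReadOnlyAccess", WAF_READ_ONLY_ACCESS),
                      ("DevNoDelete", DEV_NO_DELETE)):
        print(name, "grants non-read:", non_read_grants(pol, SAMPLE_ACTIONS))
```

Running the same check over the action list of any custom policy before attaching it to a group shows at a glance whether it grants more than the read or write scope intended.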
10 WAF and Other Services
This topic describes WAF and other cloud services.
CTS
Cloud Trace Service (CTS) records all WAF operations for you to query, audit, and backtrack.

NOTICE
CTS is available for WAF instances purchased in the following regions:
● AP-Hong-Kong
● AP-Bangkok
● AP-Singapore
● AF-Johannesburg
● LA-Santiago

Table 10-1 WAF operations that can be recorded by CTS

| Operation | Resource Type | Trace Name |
|---|---|---|
| Creating a WAF instance | instance | createInstance |
| Deleting a WAF instance | instance | deleteInstance |
| Modifying a WAF instance | instance | modifyInstance |
| Modifying the protection status of a WAF instance | instance | modifyProtectStatus |
| Modifying the connection status of a WAF instance | instance | modifyAccessStatus |
| Creating a policy | policy | createPolicy |
| Applying a policy | policy | applyToPolicy |
| Modifying a policy | policy | modifyPolicy |
| Deleting a policy | policy | deletePolicy |
| Modifying alarm notification settings | alertNoticeConfig | modifyAlertNoticeConfig |
| Uploading a certificate | certificate | createCertificate |
| Changing the name of a certificate | certificate | modifyCertificate |
| Deleting a certificate | certificate | deleteCertificate |
| Adding a CC attack protection rule | policy | createCc |
| Modifying a CC attack protection rule | policy | modifyCc |
| Deleting a CC attack protection rule | policy | deleteCc |
| Adding a precise protection rule | policy | createCustom |
| Modifying a precise protection rule | policy | modifyCustom |
| Deleting a precise protection rule | policy | deleteCustom |
| Adding an IP address blacklist or whitelist rule | policy | createWhiteblackip |
| Modifying an IP address blacklist or whitelist rule | policy | modifyWhiteblackip |
| Deleting an IP address blacklist or whitelist rule | policy | deleteWhiteblackip |
| Adding a web tamper protection rule | policy | createAntitamper |
| Updating a web tamper protection rule | policy | refreshAntitamper |
| Deleting a web tamper protection rule | policy | deleteAntitamper |
| Adding a false alarm masking rule | policy | createIgnore |
| Deleting a false alarm masking rule | policy | deleteIgnore |
| Adding a data masking rule | policy | createPrivacy |
| Modifying a data masking rule | policy | modifyPrivacy |
| Deleting a data masking rule | policy | deletePrivacy |
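
For audit review, the trace names in Table 10-1 can drive a simple triage of exported CTS records. This added example (not Huawei code) flags traces that remove or loosen protection and reports users who perform several of them in a short window; the record fields, the sample records, and the choice of which trace names count as protection-reducing are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Trace names from Table 10-1 that remove or loosen protection. Which traces
# belong in this set is this example's choice, not a Huawei classification.
REDUCING = {
    "deleteInstance", "modifyProtectStatus", "modifyAccessStatus",
    "deletePolicy", "deleteCc", "deleteCustom", "deleteWhiteblackip",
    "deleteAntitamper", "createIgnore", "modifyAlertNoticeConfig",
}


def triage(traces, window=timedelta(minutes=10), burst=3):
    """Return (flagged, burst_users).

    flagged: traces whose trace_name is in REDUCING, in time order.
    burst_users: users with at least `burst` flagged traces inside `window`.
    A flag means "review this change", since the trace name alone does not
    say whether, for example, protection was switched off or back on.
    """
    flagged = sorted((t for t in traces if t["trace_name"] in REDUCING),
                     key=lambda t: t["time"])
    by_user = defaultdict(list)
    for t in flagged:
        by_user[t["user"]].append(datetime.fromisoformat(t["time"]))
    burst_users = set()
    for user, times in by_user.items():
        # times is already sorted; slide a window of `burst` consecutive events
        for i in range(len(times) - burst + 1):
            if times[i + burst - 1] - times[i] <= window:
                burst_users.add(user)
                break
    return flagged, burst_users


# Constructed sample records; field names are simplified assumptions and do
# not reproduce the CTS export schema.
SAMPLE = [
    {"time": "2021-05-27T09:00:00", "user": "dev-a", "resource_type": "policy", "trace_name": "createCc"},
    {"time": "2021-05-27T09:05:00", "user": "ops-b", "resource_type": "policy", "trace_name": "createIgnore"},
    {"time": "2021-05-27T09:07:00", "user": "ops-b", "resource_type": "policy", "trace_name": "deleteWhiteblackip"},
    {"time": "2021-05-27T09:09:00", "user": "ops-b", "resource_type": "instance", "trace_name": "modifyProtectStatus"},
    {"time": "2021-05-27T11:30:00", "user": "dev-a", "resource_type": "certificate", "trace_name": "createCertificate"},
    {"time": "2021-05-27T14:00:00", "user": "dev-a", "resource_type": "policy", "trace_name": "deleteCustom"},
]

if __name__ == "__main__":
    flagged, bursts = triage(SAMPLE)
    for t in flagged:
        print(t["time"], t["user"], t["trace_name"])
    print("burst users:", sorted(bursts))
```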

IAM
Identity and Access Management (IAM) provides the permission management function for WAF. Only users granted WAF Administrator permissions can use WAF. To obtain this permission, contact the users who have the Security Administrator permissions.

LTS
Log Tank Service (LTS) collects log data from hosts and cloud services. WAF allows you to transfer WAF attack logs and access logs to LTS so that you can handle logs in real time.

SMN
Simple Message Notification (SMN) service provides the notification function. After you enable the notification function in WAF, alarm information will be sent to you as configured once your domain name is attacked.

Enterprise Management
You can manage multiple projects in an enterprise, separately settle their costs, and assign different personnel for them. A project can be started or stopped independently without affecting others. With Enterprise Management, you can easily manage your projects after creating an enterprise project for each of them.
WAF can be interconnected with Enterprise Management. You can manage WAF resources by enterprise project and grant different permissions to users.
A Change History

| Released On | Description |
|---|---|
| 2021-05-27 | This issue is the forty-first official release. Optimized descriptions in Edition Differences. |
| 2021-05-24 | This issue is the fortieth official release. Added the description of new features in Functions. |
| 2021-05-18 | This issue is the thirty-ninth official release. Added the description of protection objects in What Is Web Application Firewall? |
| 2021-04-30 | This issue is the thirty-eighth official release. Added the billing description of the bandwidth expansion package in Billing Description. |
| 2021-04-07 | This issue is the thirty-seventh official release. Added the description of security features in Edition Differences. |
| 2021-03-02 | This issue is the thirty-sixth official release. Modified the deployment architecture diagram. For details, see Edition Differences. |
| 2021-02-25 | This issue is the thirty-fifth official release. Added Project and Enterprise Project. Added the description of the Enterprise Management service in WAF and Other Services. |
| 2021-02-23 | This issue is the thirty-fourth official release. Modified the description in Edition Differences. |
| 2021-02-05 | This issue is the thirty-third official release. Added description about the pay-per-use billing mode in Billing Description. |
| 2021-01-25 | This issue is the thirty-second official release. Optimized descriptions in Edition Differences. |
| 2020-12-31 | This issue is the thirty-first official release. Optimized descriptions in Functions. |
| 2020-12-25 | This issue is the thirtieth official release. Optimized descriptions. |
| 2020-12-11 | This issue is the twenty-ninth official release. Deleted the description of the pay-per-use billing mode for the cloud mode. |
| 2020-10-22 | This issue is the twenty-eighth official release. Modified specifications of pay-per-use WAF instances in Edition Differences. |
| 2020-09-23 | This issue is the twenty-seventh official release. Optimized descriptions in WAF and Other Services. |
| 2020-09-11 | This issue is the twenty-sixth official release. Added the description of ports supported by cloud instances billed on a pay-per-use basis in Functions. Added the description of the pay-per-use billing mode for cloud instances in Billing Description. |
| 2020-07-31 | This issue is the twenty-fifth official release. Optimized descriptions in Billing Description. |
| 2020-07-08 | This issue is the twenty-fourth official release. Optimized descriptions in Edition Differences. Optimized descriptions in Billing Description. |
| 2020-06-24 | This issue is the twenty-third official release. Optimized descriptions in Edition Differences. |
| 2020-06-22 | This issue is the twenty-second official release. Added descriptions of fine-grained policy in Permissions Management. |
| 2020-06-16 | This issue is the twenty-first official release. Optimized the domain name description in Edition Differences. |
| 2020-06-11 | This issue is the twentieth official release. Optimized descriptions in Edition Differences. |
| 2020-05-26 | This issue is the nineteenth official release. Added the description of the professional edition in Functions and Edition Differences. |
| 2020-05-19 | This issue is the eighteenth official release. Added Billing Description. |
| 2020-03-19 | This issue is the seventeenth official release. Modified supported non-standard ports in Functions. |
| 2020-01-20 | This issue is the sixteenth official release. Optimized descriptions in Permissions Management. |
| 2019-12-26 | This issue is the fifteenth official release. Optimized descriptions in Functions. |
| 2019-12-09 | This issue is the fourteenth official release. Optimized descriptions in Edition Differences. Optimized descriptions in Functions. |
| 2019-11-28 | This issue is the thirteenth official release. Optimized descriptions in Functions. Optimized descriptions in Edition Differences. |
| 2019-10-25 | This issue is the twelfth official release. Added Personal Data Protection Mechanism. |
| 2019-10-14 | This issue is the eleventh official release. Optimized descriptions in What Is Web Application Firewall? Optimized descriptions in Functions. Optimized descriptions in Edition Differences. Optimized descriptions in Application Scenarios. |
| 2019-05-16 | This issue is the tenth official release. Optimized descriptions in Functions. |
| 2019-05-14 | This issue is the ninth official release. Added Functions. Optimized descriptions in What Is Web Application Firewall? Optimized descriptions in WAF and Other Services. |
| 2018-11-08 | This issue is the eighth official release. Optimized some descriptions. |
| 2018-10-29 | This issue is the seventh official release. Optimized descriptions in What Is Web Application Firewall? |
| 2018-04-26 | This issue is the sixth official release. Added Permissions Management. |
| 2018-04-12 | This issue is the fifth official release. Added content about sensitive data leakage protection in What Is Web Application Firewall? |
| 2018-04-02 | This issue is the fourth official release. Optimized descriptions in What Is Web Application Firewall? |
| 2018-03-27 | This issue is the third official release. Added function description in What Is Web Application Firewall? Deleted section "Concepts." |
| 2018-01-11 | This issue is the second official release. Added the description about WAF and CTS in WAF and Other Services. |
| 2017-10-30 | This issue is the first official release. |