This document describes how to quickly deploy and use a WAF instance: purchase a WAF instance, gather your website's domain name information, connect the domain names and configure protection, and then use the reports to get an overview of your business and stay on top of its security status. You can view traffic processing details in attack logs and then adjust the protection configuration accordingly to meet special business needs. You can also use CM to configure different types of custom alarms and notification channels for more efficient Ops.
You can purchase multiple WAF instances. Multi-instance management better suits the way your business is divided and managed, and lets you provide nearby access and unified protection for multi-region active-active instances.
WAF instances come in two types: SaaS WAF and CLB WAF.
To protect your website, SaaS WAF assigns a CNAME to your domain name under protection, modifies the DNS resolution record of your website, and forwards the web requests received by your website to WAF. Used together with security groups, SaaS WAF can prevent attacks aimed directly at the real server of your website. To achieve the above, you need to follow the steps below:
CLB WAF associates with a Tencent Cloud Layer-7 CLB (listener) cluster through your domain name, and detects and purges HTTP or HTTPS traffic that goes through the CLB instance for side-channel threats. In this way, it can provide protection without interrupting your traffic forwarding. To achieve the above, you need to follow the steps below:
WAF will protect the traffic to the connected website. It has multiple detection and protection modules to help your website tackle different types of security threats. The rule engine is enabled by default and used to defend against common web application attacks such as SQL injection, XSS, and web shell upload. Other modules can be enabled and configured with protection rules manually as needed.
By default, WAF logs attacks only. After purchasing and activating the log service, you can have all access requests logged by domain name.
An attack log records the time, source IP, type, and details of an attack to support real-time threat checks and analysis as well as protection policy adjustment, fully meeting the needs of routine security Ops and business.
Currently, attacks are displayed in an aggregated manner; that is, logs of the same type from the same request source IP within a specific period are displayed as one log to reduce your Ops workload and improve efficiency. Additionally, you can query attack logs with full-text search, fuzzy search, and search by filter. For more information, see Attack Logs.
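The aggregated display described above can be reproduced on exported attack records when you triage them offline. The following is an added example, not WAF's own code: the record field names, the sample records, and the 5-minute window are assumptions, since this page does not state the log schema or the aggregation period.

```python
from datetime import datetime, timedelta

# Constructed sample records. Field names and values are assumptions,
# not the WAF attack log schema.
SAMPLE_LOGS = [
    {"time": "2024-05-01T10:00:05", "src_ip": "203.0.113.7", "type": "sql_injection", "uri": "/login"},
    {"time": "2024-05-01T10:01:40", "src_ip": "203.0.113.7", "type": "sql_injection", "uri": "/search"},
    {"time": "2024-05-01T10:02:10", "src_ip": "203.0.113.7", "type": "xss", "uri": "/comment"},
    {"time": "2024-05-01T10:03:00", "src_ip": "198.51.100.23", "type": "sql_injection", "uri": "/login"},
    {"time": "2024-05-01T10:04:59", "src_ip": "203.0.113.7", "type": "sql_injection", "uri": "/login"},
    {"time": "2024-05-01T10:07:30", "src_ip": "203.0.113.7", "type": "sql_injection", "uri": "/login"},
]


def aggregate_attacks(logs, window=timedelta(minutes=5)):
    """Collapse records with the same source IP and attack type into one row
    per window. A window opens at the first record of a (src_ip, type) pair
    and closes `window` later; the next matching record opens a new row."""
    rows = []        # aggregated rows, in order of first appearance
    open_rows = {}   # (src_ip, type) -> row currently accepting records
    for rec in sorted(logs, key=lambda r: datetime.fromisoformat(r["time"])):
        ts = datetime.fromisoformat(rec["time"])
        key = (rec["src_ip"], rec["type"])
        row = open_rows.get(key)
        if row is None or ts - row["first_seen"] >= window:
            row = {"src_ip": rec["src_ip"], "type": rec["type"],
                   "first_seen": ts, "last_seen": ts, "count": 0, "uris": []}
            open_rows[key] = row
            rows.append(row)
        row["last_seen"] = ts
        row["count"] += 1
        # Keep the distinct targets so the aggregated row still shows
        # what the source was probing.
        if rec["uri"] not in row["uris"]:
            row["uris"].append(rec["uri"])
    return rows


if __name__ == "__main__":
    for r in aggregate_attacks(SAMPLE_LOGS):
        print(r["src_ip"], r["type"], r["count"],
              r["first_seen"].time(), r["last_seen"].time(), ",".join(r["uris"]))
```

An aggregated row hides per-request detail, so keep the count and the first and last timestamps alongside it when deciding whether a source needs a stricter protection rule.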
Access logging is used to record access logs of domain names protected by WAF. It allows you to query and download access logs generated in the last 30 days and retain them for at least 180 days. For more information, see Access Log.
After your website is connected to WAF for protection, you can go to the WAF overview page to query the current total number of domain names, connected website conditions, instance conditions, website business and attack traffic analysis data in the last 30 days, and rule updates. In this way, you can have a better picture of the overall security of your website business. For more information, see Access Log.
After your website is connected to WAF protection, you can configure alarms in CM. Then, WAF will send you alarm notifications when exceptions are detected in the website request traffic and business traffic, so you can stay informed of your business security changes. In this way, you can quickly respond to exceptions and adjust WAF policies to ensure business stability and security.
You can configure the same domain name into instances of the same type in different regions to separate the connection configurations of forwarding and protecting resources while using the same protection policy.