- Release Notes and Announcements
- Release Notes
- Product Announcement
- Security Advisory
- Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-44832)
- Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-45046)
- Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-44228)
- Notice for WebLogic Console HTTP RCE Vulnerability
- Notice for Exchange Server Command Execution Vulnerability
- Notice for Yonyou GRP-U8 SQL Injection Vulnerability
- Notice for Apache Cocoon XXE Vulnerability (CVE-2020-11991)
- Notice for WordPress File Manager Arbitrary Code Execution Vulnerability
- Jenkins Security Advisory for September
- Notice for Apache Struts 2 RCE Vulnerabilities (CVE-2019-0230 and CVE-2019-0233)
- Notice for Apache SkyWalking SQL Injection Vulnerability (CVE-2020-13921)
- User Guide
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- Best Practice
- FAQS
- Service Level Agreement
- WAF Policy
- Contact Us
- Glossary
- Release Notes and Announcements
- Release Notes
- Product Announcement
- Security Advisory
- Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-44832)
- Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-45046)
- Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-44228)
- Notice for WebLogic Console HTTP RCE Vulnerability
- Notice for Exchange Server Command Execution Vulnerability
- Notice for Yonyou GRP-U8 SQL Injection Vulnerability
- Notice for Apache Cocoon XXE Vulnerability (CVE-2020-11991)
- Notice for WordPress File Manager Arbitrary Code Execution Vulnerability
- Jenkins Security Advisory for September
- Notice for Apache Struts 2 RCE Vulnerabilities (CVE-2019-0230 and CVE-2019-0233)
- Notice for Apache SkyWalking SQL Injection Vulnerability (CVE-2020-13921)
- User Guide
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- Best Practice
- FAQS
- Service Level Agreement
- WAF Policy
- Contact Us
- Glossary
Type Overview
Tencent Cloud provides two types of cloud WAF, namely, SaaS WAF and CLB WAF. They have basically the same security protection capabilities but different connection methods and use cases. You can select an appropriate WAF type based on your actual deployment.
| Type | SaaS WAF | CLB WAF |
|---|---|---|
| Use case | It is suitable for all users (Tencent Cloud users and local IDC users) and can be connected through domain names by means of DNS resolution and scheduling. | It is suitable for Tencent Cloud users who are using or plan to use layer-7 CLB. |
| Strength | It is widely applicable to users in and outside Tencent Cloud. | |
| How to choose | If you need to protect both Tencent Cloud-hosted and local websites or layer-7 CLB is not used for your Tencent Cloud resources, you are recommended to use SaaS WAF. | If you are using or plan to use layer-7 CLB and have requirements for web security protection, bot traffic management, CCPC protection, or website security operation, you are recommended to use CLB WAF. |
| Region | You need to select a region when purchasing SaaS WAF | You need to select a region in the console after purchasing CLB WAF. |
SaaS WAF
After you add a protected domain name and set the origin-pull information on WAF, it will assign a unique CNAME address to the protected domain name. You can modify the DNS resolution to change the original A record to the CNAME record and schedule traffic to the protected domain name to the WAF cluster, which will detect and block malicious traffic and forward normal traffic to the real server in order to protect your website security.
CLB WAF
By configuring a domain name, WAF can be connected to a layer-7 CLB (listener) cluster to detect threats in HTTP/HTTPS traffic passing through CLB and cleanse malicious traffic so as to separate business request forwarding from security protection, which minimizes the affect of security protection on your website business and thus ensures stable website operation.
CLB WAF provides two traffic processing modes:
- Mirror mode: Associated with WAF through a domain name, CLB mirrors traffic to the WAF cluster, which performs bypass detection and alarming but does not return the request credibility status.
- Cleansing mode: Associated with WAF through a domain name, CLB mirrors traffic to the WAF cluster, which performs bypass detection and alarming and synchronizes the request credibility status. Then, the CLB cluster will block or allow the requests based on their status.
Yes
No
Was this page helpful?