- Release Notes and Announcements
- Release Notes
- Announcements
- Security Advisory
- Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-44832)
- Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-45046)
- Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-44228)
- Notice for WebLogic Console HTTP RCE Vulnerability
- Notice for Exchange Server Command Execution Vulnerability
- Notice for Yonyou GRP-U8 SQL Injection Vulnerability
- Notice for Apache Cocoon XXE Vulnerability (CVE-2020-11991)
- Notice for WordPress File Manager Arbitrary Code Execution Vulnerability
- Jenkins Security Advisory for September
- Notice for Apache Struts 2 RCE Vulnerabilities (CVE-2019-0230 and CVE-2019-0233)
- Notice for Apache SkyWalking SQL Injection Vulnerability (CVE-2020-13921)
- User Guide
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- Best Practice
- Combined Application of WAF and Anti-DDoS Pro
- WAF Security Protection for API Gateway
- Applying for and Using Free HTTPS Certificates
- Obtaining Real Client IPs
- Replacing Certificate
- Setting CC Protection
- WAF CCP Overview
- Connecting Frontend-Backend Separated Site to WAF CAPTCHA
- Best Practices of Bot Behavior Management Connection
- FAQS
- Service Level Agreement
- WAF Policy
- Contact Us
- Glossary
- Release Notes and Announcements
- Release Notes
- Announcements
- Security Advisory
- Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-44832)
- Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-45046)
- Notice for Apache Log4j 2 RCE Vulnerability (CVE-2021-44228)
- Notice for WebLogic Console HTTP RCE Vulnerability
- Notice for Exchange Server Command Execution Vulnerability
- Notice for Yonyou GRP-U8 SQL Injection Vulnerability
- Notice for Apache Cocoon XXE Vulnerability (CVE-2020-11991)
- Notice for WordPress File Manager Arbitrary Code Execution Vulnerability
- Jenkins Security Advisory for September
- Notice for Apache Struts 2 RCE Vulnerabilities (CVE-2019-0230 and CVE-2019-0233)
- Notice for Apache SkyWalking SQL Injection Vulnerability (CVE-2020-13921)
- User Guide
- Product Introduction
- Purchase Guide
- Getting Started
- Operation Guide
- Best Practice
- Combined Application of WAF and Anti-DDoS Pro
- WAF Security Protection for API Gateway
- Applying for and Using Free HTTPS Certificates
- Obtaining Real Client IPs
- Replacing Certificate
- Setting CC Protection
- WAF CCP Overview
- Connecting Frontend-Backend Separated Site to WAF CAPTCHA
- Best Practices of Bot Behavior Management Connection
- FAQS
- Service Level Agreement
- WAF Policy
- Contact Us
- Glossary
Can I use, migrate, and share WAF instances across accounts?
No, you cannot use, migrate, or share WAF instances across accounts.
Is WAF available to servers outside Tencent Cloud?
WAF can be connected with servers in data centers outside Tencent Cloud. WAF protects servers in any public networks, including but not limited to Tencent Cloud, and clouds and IDCs from other vendors.
Note:Domain names connected in the Chinese mainland must be ICP filed as required by the Ministry of Industry and Information Technology of China.
Does WAF support HTTPS protection?
WAF fully supports HTTPS services. You just need to upload the SSL certificate and private key as instructed or select the Tencent Cloud-hosted certificate to use WAF for HTTPS traffic protection.
Does the WAF QPS limit apply to the entire instance, or to a single domain name?
The QPS limit in WAF is for the entire instance. For example, if three domain names are protected, the total QPS of the three domain names cannot exceed the limit. If the QPS limit of the purchased instance is exceeded, speed will be limited and packets will be lost.
Can Anti-DDoS Pro instances be used for WAF?
Yes. You can empower WAF with high DDoS protection capabilities simply by selecting IPs specified in a WAF instance on the configuration page in the Anti-DDoS Pro console. For more information, see Combination of Anti-DDoS Pro and Web Application Firewall.
Are there any risks in uploading an SSL certificate's private key?
An SSL certificate's private key hosted on Tencent Cloud will enjoy extremely high security, in terms of:
Uploading stage
The process from uploading the private key to configuring the certificate on the Tencent Cloud certificate hosting platform is protected with HTTPS, an encrypted communication, and enterprise SSL certificates, ensuring the safety of communication data.
Saving stage
- After uploading, the certificate is stored in the database. The certificate's private key will be encrypted using the AES CBC mode, which effectively prevents the private key from brute force attacks.
- The certificate database will be backed up for disaster recovery. For high availability and high security of the certificate data, no external APIs will be used and the data will be protected by STGW.
- There are multiple backend servers for SSL certificates, which are accessed via a load balancer to ensure API stability.
Managing and reading certificates
- Integrating resource-level Cloud Access Management (CAM), SSL Certificate Service is backed by a well-established access management system that allows you to grant different permissions to your sub-accounts on different certificates to prevent malicious revocation and deletion.
- The certificate pulling in WAF is protected by STGW. The business pulls the certificate on demand while identifying and authenticating the source of the request to avoid illegal and unnecessary access.
Is the SSL mutual authentication supported by both the SaaS WAF and CLB WAF?
It is supported by CLB WAF but not by SaaS WAF.
What are the differences between WAF and CFW?
The differences are as follows:
| Product Item |
Tencent Cloud WAF | Tencent Cloud CFW | |
|---|---|---|---|
| SaaS WAF | CLB WAF | ||
| Protected Target | Websites and API services. | Websites and API services. | Businesses completely exposed on the internet |
| Application Scenarios | It is applicable to those who require multi-level protection or cybersecurity assurance service, particularly for webs, APIs, application layers and anti-cheating behavior. | It is applicable to those who require multi-level protection or cybersecurity assurance service, particularly for webs, APIs, application layers and anti-cheating behavior, and who have used or plan to use layer-7 CLB instances on Tencent Cloud. | It is applicable to those who require multi-level protection or cybersecurity assurance service, or who require protection for CVMs and network. |
| Core Protection Capability |
|
|
|
| Core Strength | It is applicable to Tencent Cloud and non-Tencent Cloud users. | Cloud-native access ensures the safety, stability and reliability of Tencent Cloud users' website business with separation between forwarding and security protection via one-click bypass, which is implemented without changing the existing network architecture. Besides, multi-region access is also supported. | The cloud-native firewall can be enabled with one click, without affecting your business. It integrates security capabilities, such as IPS, threat intelligence, and omission scanning, necessary for multi-level protection and cybersecurity assurance scenarios, which is only available to Tencent Cloud users. |
| How to Choose | SaaS WAF is recommended for those who require protection for websites and APIs on cloud and in local IDC. | CLB WAF is recommended for those who have used or plan to use layer-7 CLB instances. | CFW is recommended for those who have concerns over the security of CVM (whether it will be overwhelmed), and businesses exposed on the internet that expose public network businesses in addition to web businesses. |
How does WAF prioritize hit rules?
WAF rules follow the following hit priorities: precise allowlist > IP allowlist > IP blocklist, regional blocking, access control, CC rules > bot protection > web protection (rule engine), AI engine, tamper protection, leakage protection.
Yes
No
Was this page helpful?