Getting Started

Last updated: 2026-04-16 17:53:07
Tencent Cloud Web Application Firewall (WAF) is an AI-based one-stop solution for Web business operation risk protection. It identifies malicious traffic with a dual AI + rules engine, protecting websites and improving their security and reliability. Through BOT Behavior Analytics, it defends against malicious access behaviors and safeguards the core business security and data security of websites.

Step 1: Instance Purchase

Tencent Cloud WAF supports purchasing multiple instances. Through multi-instance management, it adapts to your business segmentation and management needs. You can also achieve unified protection with nearby access for multi-region active-active services through multiple instances.
For instance purchase details, see purchase method.
For details on instance management and renewal, see Instance Management.

Step 2: Website Access

Tencent Cloud WAF provides two product forms: SaaS WAF and Cloud Native WAF.

SaaS WAF Domain Access Guide

SaaS WAF assigns a CNAME to the domain name protected by SaaS WAF. By modifying the DNS resolution record of the website, Web requests to the website are forwarded to WAF, thereby providing security protection for the website. Used in conjunction with security groups, it prevents attackers from bypassing WAF and directly attacking the origin server of the website. To implement the above feature, you need to complete the following steps:

Cloud Native WAF Domain Configuration Guide

Cloud Native WAF integrates with Tencent Cloud layer-7 CLB (listener) clusters by configuring domain names. It performs bypass threat detection and cleansing on HTTP or HTTPS traffic passing through the load balancer, achieving decoupling of service forwarding and security protection. To implement the above feature, you need to complete the following steps:

Step 3: Protection Configuration

Traffic to a website that has been connected to WAF is protected by multiple protection and detection modules that help the website defend against various security threats. Among them, the rule engine is enabled by default to defend against common Web application attacks (such as SQL injection, XSS, and webshell uploads). For the other protection modules, you need to manually enable them and configure protection rules.

Step 4: Log Analysis

By default, WAF records only attack logs. After you purchase and enable CLS, WAF also supports full access log recording at the domain level.

Attack Logs

Detailed records of attack time, attacker IP address, attack type, and attack details help you monitor and analyze threat attacks in real time, adjust protection policies appropriately, and effectively address daily security Ops and business needs.
Attack logs are clustered by default. Logs of the same type from the same source IP address are automatically aggregated into a single log entry within a specified time period, reducing your Ops workload and improving efficiency. Additionally, attack logs support full-text search, fuzzy search, and combined condition search. For details, see Attack Logs.
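
The clustering behavior described above, as an added illustration that is not Tencent Cloud's implementation or log format: records from the same source IP with the same attack type are merged into one entry per time window. The field names, the 300-second window, and the sample records are assumptions constructed for this example.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real WAF output). Fields follow the page:
# attack time, attacker IP address, attack type, attack details.
SAMPLE_LOGS = [
    ("2026-04-16 10:00:05", "203.0.113.7", "sql_injection", "rule hit on parameter id"),
    ("2026-04-16 10:00:40", "203.0.113.7", "sql_injection", "rule hit on parameter q"),
    ("2026-04-16 10:01:10", "203.0.113.7", "xss", "rule hit on parameter name"),
    ("2026-04-16 10:02:00", "198.51.100.22", "sql_injection", "rule hit on parameter id"),
    ("2026-04-16 10:03:00", "203.0.113.7", "sql_injection", "rule hit on cookie sid"),
    ("2026-04-16 10:09:30", "203.0.113.7", "sql_injection", "rule hit on parameter id"),
]


def cluster_attack_logs(records, window_seconds=300):
    """Merge records with the same (source IP, attack type) whose timestamps
    fall within window_seconds of the first event in the cluster."""
    window = timedelta(seconds=window_seconds)
    parsed = sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ip, kind, detail)
        for ts, ip, kind, detail in records
    )
    open_clusters = {}  # (ip, kind) -> cluster currently accepting events
    clusters = []       # every cluster, in order of first appearance
    for when, ip, kind, detail in parsed:
        key = (ip, kind)
        current = open_clusters.get(key)
        # Start a new entry when none is open or the window has elapsed.
        if current is None or when - current["first_seen"] > window:
            current = {"source_ip": ip, "attack_type": kind,
                       "first_seen": when, "last_seen": when,
                       "count": 0, "samples": []}
            open_clusters[key] = current
            clusters.append(current)
        current["last_seen"] = when
        current["count"] += 1
        if len(current["samples"]) < 3:  # keep a few details for triage
            current["samples"].append(detail)
    return clusters


if __name__ == "__main__":
    for c in cluster_attack_logs(SAMPLE_LOGS):
        print(c["source_ip"], c["attack_type"], c["count"],
              c["first_seen"].time(), "-", c["last_seen"].time())
```

Because an aggregated entry hides the individual requests, keep the count and the first and last timestamps when exporting entries for incident review.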

Access Logs

Access logs record requests to the domain names protected by WAF. You can record, search for, and download access logs for the last 30 days, and access log storage is provided for no less than 180 days to help customers meet Cybersecurity Classified Protection Compliance Service requirements. For details, see Access Logs.

Step 5: Security Report

After website services are connected to WAF protection, you can use the WAF overview page to query the current total number of domains, the status of connected websites, and instance status. The WAF overview page helps you understand the overall security status of website services with analysis data of website services and attack traffic in the last 30 days, and recently released rule updates. For details, see Access Logs.

Step 6: Cloud Monitor Configuration

After connecting your website to WAF protection, you can configure alarm settings in Cloud Monitor. This enables WAF to detect abnormal attack traffic or unusual business traffic patterns in website requests and send alarm notifications, helping you keep track of security dynamics in real time. This allows quick response to exceptions and timely adjustments of Web Application Firewall policies to ensure business stability and security.
Multi-instance support allows the same domain name to be configured in the same type of instances across different regions, achieving independent access configuration (forwarding and protection resources) while maintaining identical protection policy configurations.
