AIONCLOUD DocsV3
Go to DocsV2

WEB Application and API Protection

WAAP Service

AIONCLOUD's WEB Application & API Protection(WAAP) provides security functions for various web vulnerabilities, user-defined access control.

image.png




Domain Information Menu

Domain Information menu where you can search the list of domains registered in WAAP and add/change/delete domains.

① Add Domain : This button takes you to the 'Register Domain' page where you can register a new domain.

② Domain List : A list of domains registered for protection with the WAAP.


For the root domain, the Domain Records button is displayed on the right. You can click the Domain Records button to go to the DNS management menu for that root domain. Subdomains that are children of the root domain are displayed as sets of children of the root domain.


In the case of sub domains where the root domain is not registered, it is displayed as a separate list as shown in the figure below.

Click on each domain listing to see a month-long summary of that domain. The data of summary information is initialized on the 1st of every month.

  • WAAP
    • Port
      Port information set as a WAAP protection target. Requests received to ports that are not set as protection targets will be rejected.

    • Traffic
      Capacity information for traffic handled by WAAP. Traffic is expressed in MBytes or GBytes.

    • Visit
      Number of transactions processed by WAAP.

    • Threats
      Number of transactions blocked by WAAP's security policy.

  • CDN

    This feature is only available for paid customers.
    You can change your subscription plan in the UserPortal's Billing menu.

    • Traffic
      Capacity information for traffic handled by CDN. Traffic is expressed in MBytes or GBytes.

    • Request
      Number of requests processed by CDN.
    • Save
      Number of requests cached by CDN.
    • HIT
      Hit rate information for requests processed by CDN.


  • DNS Status
    Information on whether the DNS record for that domain has been changed to the WAAP's proxy address.

    The DNS lookup result for that domain is not in the WAAP's proxy address.
    In this case, the domain is not covered by WAAP's security services.

    The DNS record for that domain is set to the proxy address of the WAAP, and traffic is passing through the WAAP.


  • CDN Status
    CDN service activation status information for a domain.

    image.png

    The CDN service for this domain is inactive.
    In this case, you must set the DNS record of the domain to the proxy address of WAAP for CDN service use.



    The CDN service for this domain is in the active standby state.
    It will take up to an hour to become active.


    The CDN service for this domain is active.


  • Edit / Delete / Detail

    A button that lets you navigate to the Modify Domain Information menu.

    This button allows you to delete a domain.

    A button that allows you to view details other than domain summary information.


image.png

    • Domain
      The name of the registered domain.

    • CNAME
      The name of the CNAME record issued for that domain.

    • Origin
      The destination address of the destination (web server) to which the WAAP proxy forwards traffic.
      Depending on the type of destination address, it is output in the form of an A record or CNAME record.

    • Certificate Expiration Date
      Information about the expiration date of the registered domain certificate. Output only if HTTPS is being serviced.

    • Certificate Type
      Printed if you used a free certificate from AIONCLOUD.

      image.png



Domain Registration

To use WAAP's security features, you must first register the domain associated with the web server.
Before registering the domain in WAAP, please check the following information in advance.
  • The type of domain you want to register(Root domain or subdomain)
    In AIONCLOUD WAAP, as shown in the figure below, a domain with a prefix such as 'www' is called a 'subdomain', and a domain without a prefix is ​​called a 'root domain'.
    Depending on the type of domain, the method of connecting the domain with the WAAP proxy will be different.

ROOT_SUBDOMAIN_EN.png


  • Whether the domain is hosted or not
    Only web services in which the domain is actually hosted and in service can be registered in WAAP.
    If you would like to register a domain with WAAP before hosting your web service, please contact our support center.
  • Web service Protocol and Port

  • SSL certificate and key file
    If your web server is serving HTTPS, please obtain an SSL certificate and key file in advance.
    The types of certificate files that can be registered with WAAP are crt, pem, and pfx.

    If you cannot obtain an SSL certificate and key file, or if you are not serving HTTPS, you can obtain and use a free certificate from AIONCLOUD.


① Go to domain registration menu

 To register a new domain in WAAP, click the Add Domain button at the top right of the 'Domain Info' menu to move to the domain registration menu.

image.png

② Enter domain information

  • Select Domain Type
    Select the type of domain you want to register.
    image.png


  • Enter domain & check domain
    Enter the domain you want to register and click the Domain Check button on the right. When checking a domain, the following verification is performed. 
    • Whether the domain is hosted
    • Whether the domain is reachable
    • Whether the domain is duplicate
    • Check Google Safe browsing 

image.png


  • Select Name Server Operating Method
    If the domain you want to register is the root domain, select the operating method of the name server.

    • Using AIONCLOUD name server
      Select to transfer an existing name server to the name server (ns1.monitorapp.com,ns2.monitorapp.com) provided by AIONCLOUD.
    • Using original name server
      Select if the name server you are currently using provides an alias setting for the root domain, such as ANAME Records or Apex Aliasing.


  • Select CDN usage

    This feature is only available for paid customers.
    You can change your subscription plan in the UserPortal's Billing menu.

    Select whether to use CDN for current domain.


  • Origin Server Protocol / Port Settings
    Enter the protocol (HTTP or HTTPS) of the origin server and the service port for that protocol and click the Add button.
    You can add one or more protocols and ports.


  • Set Origin Server address
    Select the address type (IP or CNAME) of the origin server, enter the address, and click the Add button.


  • Set Fallback Page
    Set the type of Fallback page that responds to the client if the connection to the origin server fails.
    • HTML
      Respond with the HTML entered on the Fallback page.

      Click the preview button to view the screen rendered with the entered HTML.

    • URL redirect
      Redirect to URL entered in Fallback page URL.
      Like 'http://fallback.page.com', you must include a protocol when entering a URL


  • Load Balance Health check paths (when there are more than two addresses)
    In order to set more than one web service address, it must be used together with WAAP's Server Load Balancing (SLB) function.

    • Health Check URL & Test
      Set up health check rules for web server load balancing. You can validate the health check rule by clicking the Test button.  

      • Method
        You can choose between 'HEAD' and 'GET'.

      • Path
        You must include '/' before the path,like '/ping'.


  • Certificate Settings
    Sets the SSL certificate to use for connections between the client and the WAAP during HTTPS service.
    Certificate options can be set as follows.
    • No Certificate
      Select if HTTPS is not serviced HTTPS.

      image.png

    • AIONCLOUD Certificate
      Select if you want to use the free certificate provided by AIONCLOUD.
      You can also choose if you do not own an SSL certificate, or if your web server is not serving HTTPS.
      The AIONCLOUD certificate is valid for 3 months from the issuance date and automatically renews before the expiration date.

      When using the AIONCLOUD certificate, the certificate issuance process starts when you change the domain's DNS record to the WAAP's address.
      It takes about 10 minutes to issue. Until the certificate is issued, a certificate error may occur when accessing the web service.



      image.png
    • Personal Certificate
      Select if you do not want to use the AIONCLOUD certificate, but want to register and use the certificate you own.
      The format of the certificate file that can be registered is crt, pem, and pfx.
      If you register and use  My Certificate, you must renew it before the certificate expiration date.

      If you select Automatic Registration of Certificates, it automatically checks the Internet for the certificate of the domain you want to enroll in. However, since the certificate key cannot be checked through the Internet, you have to register it yourself. If Automatic Registration of Certificates fails, please upload the certificate file manually.

      After registering the certificate and key file, please click  Check Certificate button to verify successful registration.

      If you are registering my certificate, you should pay attention to the order in the certificate file.
      The order of the certificate files must be 'Domain Certificate' - 'Chain Certificate' - 'Root Certificate'.
      For more information, please check the paragraph 'Reference 1. How to sort SSL certificates' below.



      If you use a CDN, only RSA certificate keys are available.
      Other types of keys, such as ECC certificates, cannot be used.


③ Register domain

After entering all domain information, click the Apply button at the bottom to register the domain.

If the domain registration is successful, you can check the DNS record information of WAAP as shown below.

  • If you registered your root domain - DNS record

image.png


  • If you registered your subdomain - CNAME record

image.png


How to sort SSL Certificate method

Typically, a trusted SSL certificate has a structure in which the root CA certificate authenticates the chain certificate, and the chain certificate authenticates the domain certificate.
In some cases, more than one chain certificate may or may not exist at all.

CERTCHAIN_EN.png

Generally, when you purchase an SSL certificate, you receive a file that combines the root CA certificate, chain certificate, and domain certificate.
The SSL certificate that you register with the WAAP must also be registered in one file that contains the contents of all certificates.

If you have the root CA certificate, chain certificate, and domain certificate files individually, please follow the procedure below to merge them into one certificate file and register.


① Converting a certificate file to pem or crt format

To extract the contents of the certificate file, first convert the format of the certificate file.

Existing certificate extension Command (based on UNIX/LINUX)
pfx openssl pkcs12 -in filename.pfx -out filename.pem –nodes
p7b
openssl pkcs7 –inform der –in filename.p7b –print_certs –text –out filename.pem
p7b(Verisign Certification) openssl pkcs7 -print_certs -in filename.p7b -out filename.pem


② Extracting certificate contents from crt/pem file

Open the crt/pem certificate with an editor program and extract the certificate data (CERTIFICATE) excluding the key data (PRIVATE KEY).

image.png


③ Sort certificates in one file

Fill in each certificate data through the editor program in the order below.

  1. Domain Certificate
  2. Chain Certificate
  3. RootCA Certificate

image.png


④ Saving sorted certificates in crt or pem format

image.png


⑤ Obtaining a Private Key File for a Domain Certificate

In process ②, save the private key file of the domain certificate separately and save it in pem or key format.


Changing Domain DNS Records

If you have registered a domain with WAAP, you will need to change the DNS records for that domain so that traffic reaches the WAAP proxy.

Depending on the type of domain registered in the WAAP, the DNS record change method will be different as shown below.

  • Root Domain- Transfer Name server(change DNS record)
  • Sub Domain- Change destination (change CNAME record)


Transfer Name Server(Root Domain)

To apply the root domain to WAAP, you must transfer the name server of the root domain to the name server of AIONCLOUD.

When you transfer a name server, all DNS records in the root domain are replaced to query the name server in AIONCLOUD.
Therefore, it is necessary to register all DNS records in AIONCLOUD's name server in advance to prevent service failure after name server transfer.

The following is a reference book showing the process of migrating the root domain 'gslbtest.click', which uses AWS's Route53 name servers, to AIONCLOUD's name servers.


gslbtest.click currently uses AWS's name servers.

image.png

The record of gslbtest.click checked in the AWS nameserver console is shown below.

image.png


To reduce the DNS propagation time due to record changes, adjust the TTL value of each record low during this process.


Records that need to be migrated to AIONCLOUD's name server in advance from the list of searched records are the ones in bold below.

Record Name Record Type Value
gslbtest.click A 13.125.252.46
gslbtest.click MX 10 mail.aioncloud.com
gslbtest.click NS
ns-1251.awsdns-28.org.
ns-980.awsdns-58.net.
ns-1653.awsdns-14.co.uk.
ns-485.awsdns-60.com.
gslbtest.click SOA
ns-1251.awsdns-28.org. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
gslbtest.click TXT
"v=spf1 a:www2561.aioncloud.com mx ~all"
api.gslbtest.click CNAME api.aioncloud.com
mail.gslbtest.click A 13.125.252.99 
www.gslbtest.click A 13.125.252.46


In the AIONCLOUD console, in the 'Domain Information' menu, click the Domain Records button for the 'gslbtest.click' domain.

Register the sub records of 'gslbtest.click' checked above in the DNS menu.

image.png


Check if the sub records are normally registered in the record list of the AIONCLOUD name server.

image.png


If sub records are registered, it is time to change the name server for the domain 'glsbtest.click'.
The name server change can be done by the hosting company that purchased the domain, and the example below is the process of changing the name server in Route53 in AWS.


From the Route53 console on AWS, go to the 'Domain' > 'Registered Domains' menu.

In the Registered Domains list, click the domain for which you want to transfer the name server.

image.png


Click the Add or Edit Name Servers button to change the name servers.

image.png


Change the name server to the address of the AIONCLOUD name server and click the Update button to request a name server change.

image.png


After requesting the hosting company to change the name servers, use the nslookup command to confirm that the domain name servers have been changed.

The propagation time of the changed name server can take up to 48 hours, depending on the TTL settings and the DNS server refresh cycle.

image.png

In the domain info menu of the AIONCLOUD console, check that the DNS status of the root domain has changed to WAAP.



Change DNS Record(Sub Domain) 

To apply a subdomain to WAAP, you must change the value of the subdomain's DNS record to a CNAME record issued by AIONCLOUD.

The following is a reference book showing the process of changing the DNS record of the subdomain 'www.gslbtest.click' using AWS' Route53 name server to a CNAME record issued by AIONCLOUD.


Currently, 'www.gslbtest.click' is returning the IP of the web server to the DNS query request.

image.png


The value of the 'www.gslbtest.click' record checked in the AWS nameserver console is as follows.

image.png


The content that needs to be changed in the retrieved record is the bold item below.

Record Name Record Type Value
www.gslbtest.click A 13.125.252.46


In the AWS NameServers console, click the Edit Subdomain Records button.

image.png


Change the record type to CNAME, change the value of the record to AIONCLOUD-issued CNAME, and click the Save button.

You can check the CNAME issued by AIONCLOUD by clicking the Detail button in the Domain Info menu of the AIONCLOUD console.

image.png


After waiting for the record change request to propagate, we see that the lookup result of the subdomain has been changed to the IP of AIONCLOUD WAAP.

image.png


In the domain info menu of the AIONCLOUD console, check that the DNS status of the subdomain has changed to WAAP.

DNS Menu

DNS menu is a menu that provides functions such as search/add/delete sub-records of the root domain when using AIONCLOUD's name server by registering the root domain in WAAP.

The DNS menu can be accessed by clicking the Domain Records button of the root domain in the Domain Information menu.

DNSMENU_EN.png

① Add Record : Tab to which you can add new records.

② Record List : A list of records added. You can apply or delete records to WAAP.


To add a new record, click the Add Record tab to expand it.
On the Add Record expanded tab, specify the record's type, name, and value, and click the Add Record button.

image.png


The types of records that can be added to the AIONCLOUD name server are as follows.

  • A
  • AAAA
  • CNAME
  • CAA
  • LOC
  • MX
  • PTR
  • SPF
  • SRV
  • TXT


Among record types, A record and CNAME record can be applied to WAAP by clicking the Unprotected button.
The process of applying the A record and CNAME record to the WAAP is the same as the domain registration process.

image.png

Analytics > CDN

This feature is only available for paid customers.
You can change your subscription plan in the UserPortal's Billing menu.

Analytics > CDN is a menu that allows you to check the overall CDN usage for the domain which is using the CDN service. You can check the CDN's cache hit rate, the total number of requests, the number of cached requests, the total amount of traffic, and so on.

Analytics data is initialized on the 1st of every month.

① Select Domain : Information about the domain you are currently viewing. You can click to change the domain.

② Requests : You can check the CDN's request hit rate, total request amount, and cached request amount and total traffic amount for a domain in numerical and graphical formats.

③ Top Request Country: You can check the country's request ranking and request rate for a domain.

④ Request by Country : You can check the number of requests for each country related to a domain using a map format. The color on the map becomes clearer as the number of requests increases. By hovering the mouse over each country, you can check specific traffic details and the corresponding request amounts.

⑤ Top Request Response Code : You can check the ranking of requests and the percentage of requests by response code for the domain.

⑥ Request by Response Code : You can check the amount of requests per response code for a domain in graph format.

The Requests graph allows you to check information from one month ago by clicking the Last Month button. The Requests graph can be displayed by clicking the Groped/Stacked button to separate or accumulate cached and non-cached data. You can also click the Cached/Uncached button to select the type of data that will be displayed on the graph.

Analytics > WAAP Menu

The Analytics > WAAP menu is a menu that allows you to inquire the overall web service status, such as traffic usage, number of transactions, number of attack detections for a domain registered in WAAP for a month.

Analytics data is initialized on the 1st of every month.

① Select Domain: Information about the domain you are currently viewing. You can click to change the domain.

② Traffic / Visit / Threats : You can view traffic usage, number of transactions, number of attack detections for a domain in numerical and graph format.

③ Top Attack Info : You can see the URLs, policies, and attacker IPs that were detected the most among the attacks detected by the WAAP.

④ Attack Country : You can check the country information corresponding to the attacker IP of the attack detected by the WAAP on a world map.


Traffic / Visit / Threat count graph can be viewed from a month ago by clicking the Last Month button.

If you click Top Attack URL and Top Attack Category in Top Attack Info, you can go to the log menu and check detailed information.

image.png

image.png


If you click the Top Attack IP in the Top Attack Info, you can add the IP to the block list.
At this time, the IP is added to Access Control > Blocked IP List.

image.png

image.png

If you click the X-Forwarded-For button of the Top Attack IP in Top Attack Info, you can check it based on the IP of the X-Forwarded-For header.

image.png


In attack countries, you can check the attack status by country by color.

Red means countries where the attack has been confirmed at least once. The higher the number of attacks, the darker the color.

Black means countries registered in the Blocked Countries list in Access Control > Blocked Country Settings.

capture_202209151354_003.jpg

If you click a country in the map, you can register the country as a list of blocked countries in Access Control > Block Country Settings.

image.png


Security Event Menu

The Security Event menu is a menu that allows you to inquire attacks detected / blocked by the WAAP's security policy.

The Security Event menu allows you to view logs for up to three months.

① Select Domain : Information about the domain you are currently viewing. You can click to change the domain.

② Lookup Date : You can specify the date of the security events to look up.

③ Search Condition : You can specify detailed conditions for the security events to be searched.

④ Security Event List : List of security events searched by the conditions you specified.


You can set the inquiry date by selecting the unit of the inquiry date from daily, weekly, and monthly units and then adjusting the slider at the bottom.

image.png


image.png Click the button to change the way the lookup date is specified from a slider to a calendar.

If the inquiry date designation method has been changed to the calendar, you can inquire by specifying the time.

image.png


In search condition, you can filter logs by specifying conditions such as country, country (X-Forwarded-For IP), client IP, X-Forwarded-For IP, route, event, and action.

Each search condition is AND method, and only logs that match all conditions are searched.


Security Event List summarizes information such as time, client IP, X-Forwarded-For IP, route, pattern, and action.

You can view more detailed information about each event by clicking the magnifying glass button on the right of each event.



  • Detect Time
    Time at which WAAP detected the attack.
  • Country
    This is the result of looking up the client IP of the attack from the country IP DB.
  • Client IP
    The client IP of the attack. Source IP based on WAAP.
  • Country (XFF)
    If the X-Forwarded-For header exists in the attack, it is the result of looking up the X-Forwarded-For IP in the national IP DB.
  • Type
    The type of security policy.
  • X-Forwarded-For IP
    If the X-Forwarded-For header exists in the attack, it is X-Forwarded-For IP information.
  • Detect Event
    Indicates the type of security policy for which the attack was detected.
  • Detect Reason
    Indicates the basis for which the attack was detected.
  • Request URL
    The request URL where the attack was detected.
  • Request
    The body of the request data for the attack.

You can query the machine learning engine of WAAP for the request data and check the analysis results by clicking
Machine Learning Analysis Results button.

If you click the Search IP Reputation button, you can query AILabs to check the reputation information and Whois information of the IP.


The searched list of events can be downloaded in csv format by clicking the Excel Download button.


CDN Settings

This feature is only available for paid customers.
You can change your subscription plan in the UserPortal's Billing menu.

The CDN Settings menu provides overall management of CDN for a domain.

Select Domain : Information about the domain you are currently viewing. You can click to change the domain.

② Cache Target : Specifies the extension or path of the file to be cached.

  • You can register a path pattern for the cache destination, where you can use a wildcard character * that represents more than 0 characters.

    Note: '/*' cannot be requested (meaning the entire default action)


    ex)

    /img/*.jpg : All files with .jpg extensions of the img directory and the img subdirectory

    /img/* : All files in the img directory and the img subdirectory

    /*.jpg : All files with jpg extensions

    /jpg : Single file with jpg file name

③ Purge Cache : If you enter a URL and click the Delete button, it clears the cached file corresponding to the URL you entered from the CDN and imports a new version of the file from the origin server.

  • Delete All : A button that allows you to delete all files cached on the CDN at once.

④ Cache TTL : Specifies how long the content on a Web server is stored on a CDN. If the content expiration time is specified by the web server, it takes precedence over the cache TTL.

Caching Level: ets the caching criteria for CDNs when the URL contains a query string.

  • Use : The CDN generates a separate cache version or cache key for each URL based on the contents of the query string.
    For the two URLs below, two different cache keys are generated.

    www.example.com/members/?id=1&country=us&height=180

    www.example.com/members/?id=1&country=us&height=170

  • Not Use: The CDN ignores the query string when it generates a cache key.
    For the two URLs below, only one cache key is generated for www.example.com/members/ .

    www.example.com/members/?id=1&country=us&height=180

    www.example.com/members/?id=1&country=us&height=170

 CORS Header Support : Set the Access-Control-Allow-Origin header so that the browser can access this domain from another origin.

  • All Origins : Allows access from all other origins.
  • Specify Origin : Allows access only from the added origin.



When the setting is finished, click the Apply button at the top of the page to register the settings.




Access Control

The Access Control is a security function that allows access only to authorized users by predefining access and usage rules for web service resources.

① Select Domain : Information about the domain you are currently viewing. You can click to change the domain.

② Search Condition : You can specify detailed conditions for the security rule list to be searched.

③ List of access control rules : A list of rules filtered based on search condition.


In search condition, you can filter rules by specifying conditions such as Rule Name and Path.

Each search condition is AND method, and only rules that match all conditions are searched.


List of access control rules summarizes information such as rule status, rule name, path, condition, and description.

The list of access control rules is prioritized in a top-down. You can change the priority of access control rules by clicking Change Priority button.

If you click the Change Priority button, the rules are changed to allow drag and drop. Make sure to change the priority of rules and then click the Apply button. 


Creating Access Control rule

You can create a new access control rule by clicking the Create a new rule button.

image.png

Bolded entries are required values.

  • Rule Name
    Set the name of the rule.

  • Rule Description
    Set the description of the rule.

  • Path
    Set the path to apply access control rule. If no value is set, the top-level path will be the target.

  • Bypass URL
    Set URLs to exclude from this rule. You can set multiple URLs by clicking the Add button.

  • Block Method
    Set the HTTP method to block in this rule. 

  • Client IP
    Set client IPs to exclude or block from this rule. You can toggle which list to add.

  • Block Country
    Set client IP by country to block in this rule.


When the rule setting is finished, click the Apply button at the bottom to register the rule.

API Security > API Schema

You can upload API schemas that comply with the OpenAPI Specification (OAS) to monitor API resources and enable API security features. Through schema validation, it is possible to identify requests that deviate from the registered API schema.

① Select Domain : Information about the domain you are currently viewing. You can click to change the domain.

② Search Condition : You can specify detailed conditions for the API security list to be searched.

③ API Schema List : A list of API schemas filtered based on search condition.


In search condition, you can filter API security rules by specifying conditions such as Rule Name and Path.

Each search condition is applied using an AND logic, meaning only rules that match all conditions are retrieved.


API Schema List summarizes information including the status of schema validation usage, schema name, basePath, the number of endpoints a rule applies to, and the rule's description

power-off-solid.png  You can change whether the rule is enabled or not by clicking the button.

search-solid.png  You can view more detailed information about each schema by clicking the magnifying glass button.

 edit-solid.png You can edit the rule by clicking the button.

trash-alt-solid.png  You can delete the rule by clicking the button.

Add an API Schema

You can add a new API schema by clicking the Add an API Schema button.

Bolded entries are required values.

  • Rule Name
    Sets the name of the schema.

  • Rule Description
    Sets the description of the schema.

  • basePath
    Indicates the URL prefix for all paths of the corresponding API schema. It must start with a leading slash, and if no basePath is specified, enter /.
    Example: Assuming that all services of the API are provided at https://example.com/api, then /api corresponds to the basePath.

  • Upload API Schema
    • Upload
      Upload an API schema file compliant with the OpenAPI Spec. You can either select the file from the file system or drag and drop it.

    • Import from an external server
      Specifies the external server from which to import API schema information.

    • URL : Enter the URL of the external server from which to import API schema information.
    • Header : Enter the name of the header to include the required authentication token when sending a request to an external server.
    • Authentication Token : Enter the value of the token used to authenticate the request to the server.
  • Authentication header name
    Enter the header name of the authentication token that is included when the client sends a request using the API.
  • Schema Validation
    Identifies that the client's request matches the registered API schema.You can choose how WAAP acts when identifying a request that does not match the API schema.
    • Action
      You can set an action to be taken if detected by the rule
      If set to Off, disable schema validation for this API schema.
      If set to Detect, log the activity but do not block the request.
      If set to Block, block the request and log the activity. You can select a block message to send to the client when blocking the request.

    • Exception path
      Add endpoints to be excluded from schema validation.


When the rule setting is finished, click the Apply button at the bottom to register the rule.


API Discovery

In the API Discovery menu, you can discover the detailed information of API Schema registered. You can enter the API Discovery menu by clicking the magnifying glass button of View column.


API Security > Token Validation

Validates the validity, integrity of the token included in the request.

① Select Domain : Information about the domain you are currently viewing. You can click to change the domain.

② Search Condition : You can specify detailed conditions for the security rule list to be searched.

③ Change Priority : You can adjust the priority of rule application.

③ Token Validation Rule List : A list of rules filtered based on search condition.


In search condition, you can filter rules by specifying conditions such as Rule Name and API Name.

Each search condition is AND method, and only rules that match all conditions are searched.

Token Validation Rule List summarizes information such as Use status, rule name, API name, the number of target endpoints, division and action.

power-off-solid.png  You can change whether the rule is enabled or not by clicking the button.

 edit-solid.png You can edit the rule by clicking the button.

trash-alt-solid.png  You can delete the rule by clicking the button.

The list of rules is prioritized in a top-down. You can change the priority of rules by clicking Change Priority button.


If you click the Change Priority button, the rules are changed to allow drag and drop. Make sure to change the priority of rules and then click the Apply button. 



Register a token validation rule

You can create a new token validation rule by clicking the Create a new rule button.

Bolded entries are required values.

  • Rule Name
    Set the name of the rule.

  • Rule Description
    Set the description of the rule.

  • Token Validation Control
    해당 룰의 토큰 검증 방식을 설정합니다.
    • Authentication header value(Token)
      • Compares that the value entered matches the authentication header value of the request, which is used when the token value is fixed.
    • Verify JWT integrity
      • Verifies the integrity of the JWT using the Secret Key or Public Key that was used to create the token.
    • Authentication server verification
      • Validate the token's validity using an external server. Forward the tokens included in the request to the server and verify their validity based on the server's response.


  • Target API
    Sets the endpoints of the API schema to which the rule applies.

  • Action
    You can set an action to be taken if detected by the rule
    If set to Detect, log the activity but do not block the request.
    If set to Block, block the request and log the activity. You can select a block message to send to the client when blocking the request.


When the rule setting is finished, click the Apply button at the bottom to register the rule.


API Security > Payload Validation

Validates the token by comparing the value contained in the client's HTTP request with a specific claim in the token payload.

① Select Domain : Information about the domain you are currently viewing. You can click to change the domain.

② Search Condition : You can specify detailed conditions for the security rule list to be searched.

③ Change Priority : You can adjust the priority of rule application.

③ Payload Validation Rule List : A list of rules filtered based on search condition.


In search condition, you can filter rules by specifying conditions such as Rule Name and API Name.

Each search condition is AND method, and only rules that match all conditions are searched.

Payload Validation Rule List summarizes information such as usage status, rule name, API name, number of target endpoints, number of detection conditions, and actions.

power-off-solid.png  You can change whether the rule is enabled or not by clicking the button.

 edit-solid.png You can edit the rule by clicking the button.

trash-alt-solid.png  You can delete the rule by clicking the button.

The list of rules is prioritized in a top-down. You can change the priority of rules by clicking Change Priority button.

If you click the Change Priority button, the rules are changed to allow drag and drop. Make sure to change the priority of rules and then click the Apply button. 

You can create a new payload validation rule by clicking the Create a new rule button.

Bolded entries are required values.

  • Rule Name
    Set the name of the rule.

  • Rule Description
    Set the description of the rule.

  • Condition
    For payload validation, specify the claim of the Token Payload and the corresponding value of the HTTP request.
    • Claim Name
      • Enter the name of the claim to be used for validation.

    • Operator
      Operator sets the conditions under which to detect values ​​for the selected type. The settable detection conditions are as follows.
      • equals
        Detects when the set values ​​match.

      • does not equals
        Detects when the set values ​​do not match.

    • Target
      You can specify the location in the HTTP request to compare with the claim value.
        • Path: Compare the value in the URL path with the Claim value.
        • Cookies: Compare the value contained in cookies of the specified name with the Claim value.
        • Header: Compare the value contained in the header of the specified name with the Claim value.
        • Parameters: Compare the values corresponding to the parameter of the specified name with the Claim value.

    • Name
      Enter a name of the selected target.

  • Target API
    Sets the endpoints of the API schema to which the rule applies.

  • Action
    You can set an action to be taken if detected by the rule
    If set to Detect, log the activity but do not block the request.
  • If set to Block, block the request and log the activity. You can select a block message to send to the client when blocking the request.

When the rule setting is finished, click the Apply button at the bottom to register the rule.

API Security > Rate Limit

Restricts repeated requests from clients with the same IP to specific endpoints based on the set threshold. Blocked clients can be manually unblocked from the block list.


① Select Domain : Information about the domain you are currently viewing. You can click to change the domain.

② Search Blocked : You can search clients in the block list and manually remove them.

Search Condition : You can specify detailed conditions for the log to be searched.

④ Change Priority : You can adjust the priority of rule application.

⑤ Rate limit rule list : A list of rules filtered based on search condition.


In search condition, you can filter rules by specifying conditions such as Rule Name and API Name.

Each search condition is AND method, and only rules that match all conditions are searched.

Rate limit rule list summarizes information such as usage status, rule name, API name, number of target endpoints, detection conditions, and actions.

power-off-solid.png  You can change whether the rule is enabled or not by clicking the button.

 edit-solid.png You can edit the rule by clicking the button.

trash-alt-solid.png  You can delete the rule by clicking the button.

The list of rules is prioritized in a top-down. You can change the priority of rules by clicking Change Priority button.

If you click the Change Priority button, the rules are changed to allow drag and drop. Make sure to change the priority of rules and then click the Apply button. 


You can create a new rate limit rule by clicking the Create a new rule button.

Bolded entries are required values.

  • Rule Name
    Sets the name of the rule.

  • Rule Description
    Sets the description of the rule.

  • Block conditions
    Set the conditions under which the client will be blocked. Blocked clients are added to the block list for that policy.
    • Period - Sets the number of seconds to count the number of detections.
    • Counts - Sets the access threshold within the period.
    • Block - Sets the duration, in minutes, for which a client blocked by the condition will be kept on the block list.

  • Target API
    Sets the endpoints of the API schema to which the rule applies.

  • Action
    You can set an action to be taken if detected by the rule
    If set to Detect, log the activity but do not block the request.
    If set to Block, block the request and log the activity. You can select a block message to send to the client when blocking the request.


When the rule setting is finished, click the Apply button at the bottom to register the rule.

API Security > Access Control

Manages access to API endpoints within protected domains.

① Select Domain : Information about the domain you are currently viewing. You can click to change the domain.

② Search Condition : You can specify detailed conditions for the security rule list to be searched.

③ Change Priority : You can adjust the priority of rule application.

③ Access Control Rule List : A list of rules filtered based on search condition.



In search condition, you can filter rules by specifying conditions such as Rule Name and API Name.

Each search condition is AND method, and only rules that match all conditions are searched.

Access Control rule list summarizes information such as usage status, rule name, API name, number of target endpoints, detection conditions, and actions.

power-off-solid.png  You can change whether the rule is enabled or not by clicking the button.

 edit-solid.png You can edit the rule by clicking the button.

trash-alt-solid.png  You can delete the rule by clicking the button.

The list of rules is prioritized in a top-down. You can change the priority of rules by clicking Change Priority button.

If you click the Change Priority button, the rules are changed to allow drag and drop. Make sure to change the priority of rules and then click the Apply button. 


You can create a new access control rule by clicking the Create a new rule button.

Bolded entries are required values. At least one of the following must be entered: client IP, blocking country, or allowed claims.

  • Rule Name
    Sets the name of the rule.

  • Rule Description
    Sets the description of the rule.

  • Client IP
    Sets the client IP to exclude or block from the rule.
    An IP address can be specified as a single address or a range (0.0.0.0-255.255.255.255), and supports both IPv4 and IPv6.

  • Block Country
    Sets the country IPs to block from the rule.

  • Allow Claim
    Sets the name and value of the claim to be excluded from the rule.

  • Target API
    Sets the endpoints of the API schema to which the rule applies.

  • Action
    You can set an action to be taken if detected by the rule
    If set to Detect, log the activity but do not block the request.
    If set to Block, block the request and log the activity. You can select a block message to send to the client when blocking the request.


When the rule setting is finished, click the Apply button at the bottom to register the rule.


API Security > Block Message

Sets the message to be displayed when a client's request is blocked by API security rules.

① Select Domain : Information about the domain you are currently viewing. You can click to change the domain.

② Search Condition : You can specify detailed conditions for the security rule list to be searched.

③ Block Message List : A list of block messages filtered based on search condition.


You can add a new block message by clicking the Add a block message button.

Bolded entries are required values.

  • Block Message Name
    Sets the name of the block message.

  • Block Message Description
    Sets the description of the block message.

  • Response Code
    Sets the HTTP response code to forward when blocking the request.

  • Block Message
    Sets the blocking message to forward when blocking the request.


When the setting is finished, click the Apply button at the bottom to register the block message.


Web Security > Security

Web Security > Security menu is a menu to check and edit the status of WAAP's web application security policy.

① Select Domain : Information about the domain you are currently viewing. You can click to change the domain.

② Security Settings: You can view and edit the current security policy settings. Consists of the name, description, and action of the security policy.


You can set actions in a security policy with the following conditions.

  • Off : Disable the policy. Disabled policies do not perform scans, so logs are also not logged.
  • Detect : It checks the policy and logs if it is detected, but does not block the request. 
  • Block : It checks the policy and, if detected, block the request and write a log.


If you change a security rule, you must click the Apply button to deploy it.



If you click the Advanced Setting button, you can configure more detailed settings for security rules.

image.png

image.png

Advanced Setting

You can operate the security policy more flexibly by adding various conditions to the basic security policy through the Advanced Setting function.


All security policies basically have only one rule, but multiple rules can be added and operated through detailed policy settings.

image.png

Click the Add button to add a new rule.


image.png

  • ON/OFF
    Set whether to activate the rule. Disabled policies do not perform scans, so logs are also not logged.

  • Action
    Set the action for the rule.
    If it is a detect, log it, but do not block the request.
    If block, block the request and log it.

  • Rule Name
    Set the name of the rule.

  • Client IP
    Specifies the client IP to apply or exempt from this rule. Unless otherwise specified, all client IPs are applied.
    You can click the Apply button to trigger on the exception target.
    IP can be registered individually or as a range.

    image.png



  • Server URL
    Specifies the server URL to apply or exclude from this rule. Unless otherwise specified, all server URLs are applied.
    You can click the Apply button to trigger on the exception target.

    image.png

Web Security > User-Defined Rules

User-Defined Rules menu is a menu that allows you to define and manage web requests to be detected or blocked by client IP and server URL.

① Select Domain : Information about the domain you are currently viewing. You can click to change the domain.

② Search Condition : You can specify detailed conditions for the log to be searched.

③ List of User-Defined rules : A list of rules filtered based on search condition.


Search conditions can filter rules by specifying conditions such as rule name, status, and action.

Each search condition is AND method, and only logs that match all conditions are searched.

List of custom rule summarizes information such as usage, rule name, rule description, condition, and action.

power-off-solid.png  You can change whether the rule is enabled or not by clicking the button.

 edit-solid.png You can edit the rule by clicking the button.

trash-alt-solid.png  You can delete the rule by clicking the button.

Creating User-Defined Rules

You can create a new user defined rule by clicking the create a new rule button.


Bolded entries are required values.

  • Rule Name
    Set the name of the rule.

  • Rule Description
    Set the description of the rule.

  • Condition
    Set the conditions to detect in the rule. Conditions consist of field, operator, values, and and/or operator.
    • Field
      Select the type of condition to detect. Available types include header, cookie, country, method, URI query, user agent, X-Forwarded-For, and payload size.

    • Operator
      Operator sets the conditions under which to detect values ​​for the selected type. The settable detection conditions are as follows.
      • equals
        Detects when the set values ​​match.

      • does not equals
        Detects when the set values ​​do not match.

      • contains
        Detects when the set value is included. If the value is a type consisting of characters, it is output.

      • does not Contains
        Detects when the set value is not included. If the value is a type consisting of characters, it is output.

      • is in
        Detect when the selected value is applicable. Outputs if the value is of a type made up of selections.

      • is not in
        Detect when the selected value is not applicable. Outputs if the value is of a type made up of selections.

      • excess
        Detects when the set value is exceeded. If the value is a numeric type, it is output.

      • less than
        Detects when the set value is less than. If the value is a numeric type, it is output.

      • equal to or greater than
        Detects when the set value is equal to or greater than. If the value is a numeric type, it is output.

      • equal to or less than
        Detects when the set value is equal to or less than. If the value is a numeric type, it is output.

    • AND/OR
      Set the operator to be applied when adding a new condition. The operator can be selected from AND or OR.
      • AND
        Detect when both the new condition to be added and the current condition are met.

      • OR
        Detect when the current condition is met or a condition to be added is met.

  • Client IP
    Set the exception / apply client(Source) IP in the rule. You can set multiple client IP by clicking the Add button.
  • Server URL
    Set the exception / server URL to apply in the rule. You can set multiple server URLs by clicking the Add button.

  • Action
    Set the action for the rule.
    If it is a detect, log it, but do not block the request.
    If block, block the request and log it.


When the rule setting is finished, click the Apply button at the bottom to register the rule.

Web Security > Blocking page

Web Security > Blocking page menu is a menu where you can check and modify the blocking page that responds to clients when web requests are blocked by WAAP's security policy..

① Select Domain : Information about the domain you are currently viewing. You can click to change the domain.

② Blocking page : This is the HTML document of the blocking page currently registered in the WAAP.


Block page can edit HTML directly through the editor.

If you click the Preview button, you can see the block page written in block HTML.

image.png


When you click the Default Block Page button, the default block page provided by WAAP takes effect.

Click the Apply button to apply the edited blocking page.

Bot Management > IP Reputation

This feature is only available to paid users. For free users, click the Upgrade Product button on the top of the page to go to the payment site and use it after payment.

Bot Management > IP Reputation menu uses learned IP reputation information to identify the bot or to respond to attacks through bypass routes.

①  Select Domain : Information about the domain you are currently viewing. You can click to change the domain.

② Security Settings: You can view and edit the current security policy settings based on the IP reputation. A security policy consists of the name, description, and action of the security policy.


You can set actions in a security policy with the following conditions.

  • Off : Disable the policy. Disabled policies do not perform scans, so logs are also not logged.
  • Detect : It checks the policy and logs if it is detected, but does not block the request. 
  • Verify : It checks the policy and, if detected, verify the request using the verification method selected on the Challenge page and write a log.
  • Block : It checks the policy and, if detected, block the request and write a log.


When you change a security rule, you must click the Apply button that is generated at the top of the page to deploy it.

Bot Management > Rate Limit

Bot Management > Rate Limit menu allows you to create and query threshold-based rules for repetitive access from the same client. Clients blocked by the rules are registered in the block list. You can also manually remove the clients in the block list.

① Select Domain : Information about the domain you are currently viewing. You can click to change the domain.

② Search Blocked : You can search clients in the block list and manually remove them.

Search Condition : You can specify detailed conditions for the log to be searched.

④ Rate limit rule list : A list of rules filtered based on search condition.

Search conditions can filter rules by specifying conditions such as rule name, status, and action.

Each search condition is AND method, and only logs that match all conditions are searched.

List of custom rule summarizes information such as usage, rule name, rule description, condition, and action.

power-off-solid.png  You can change whether the rule is enabled or not by clicking the button.

 edit-solid.png You can edit the rule by clicking the button.

trash-alt-solid.png  You can delete the rule by clicking the button.


Register Rate Limit Rule

You can create a new rate limit rule by clicking the Create a new rule button.

Bolded entries are required values.

  • Rule Name
    Sets the name of the rule.
  • Type
    • IP : Sets the criteria for determining the same client to IP.
    • Finger Print : Sets the criteria for determining the same client to FingerPrint.
    • Cookie : Sets the criteria for identifying the same client to the value stored in the cookie's key name.
    • Header: Sets the criteria for identifying the same client to the value stored in the key name of the header.
  • Target URL - Set the URL path to which the policy applies.
    • Multiple paths of the same pattern can be detected by using an asterisk (*).
      ex1) apple/* : Detects all paths starting with '/apple'.
      ex2) apple/*/banana : Detects all paths starting with '/apple' and ending with '/banana'.
      ex3) */apple : Detects all paths ending with '/apple'.
  • Block conditions : Set the conditions under which the client will be blocked. Blocked clients are added to the block list for that policy.
    • Period - Sets the number of seconds to count the number of detections.
    • Counts - Sets the access threshold within the period.
    • Block - Sets the duration, in minutes, for which a client blocked by the condition will be kept on the block list.
  • Rule Description
    Sets the description of the rule.
  • Action
    Select the action if detected by the rule.
    If Detect, log it, but it does not block the request.
    If Verify, verify the request and log it.
    If Block, block the request and log it.

Take the picture above, for example,
Client IPs that make more than 20 HTTP requests within 10 seconds to the /login, /login.prc paths and all paths starting with /members and ending with /next are added to the blocking list for 60 minutes, and access from those IPs is processed to be verified for Bot.


When you are done setting the rule, click the Apply button at the bottom to register the rule.

Bot Management > Forced Browsing

This feature is only available to paid users. For free users, click the Upgrade Product button on the top of the page to go to the payment site and use it after payment.

Bot Management > Forced Browsing menu allows you to detects when the number of HTTP abnormal responses (4XX, 5XX error pages) exceeds the threshold set over a period of time.

① Select Domain : Information about the domain you are currently viewing. You can click to change the domain.

② Search Blocked : You can search clients in the block list and manually remove them.

③ Use: You can change usage status of the policy by clicking the On/Off button. Policies that are not in use do not perform inspections, and therefore, no logs are recorded.

④ Type

  • IP : Sets the criteria for determining the same client to IP.
  • Finger Print : Sets the criteria for determining the same client to FingerPrint.
  • Cookie : Sets the criteria for identifying the same client to the value stored in the cookie's key name.
  • Header: Sets the criteria for identifying the same client to the value stored in the key name of the header.

⑤ Block conditions : Set the conditions under which the client will be blocked. Blocked clients are added to the block list for that policy.

    • Period - Sets the number of seconds to count the number of detections.
    • Counts - Sets the access threshold within the period.
    • Block - Sets the duration, in minutes, for which a client blocked by the condition will be kept on the block list.


⑥ Response Code : Sets the response code that will be considered an abnormal HTTP response. You can set consecutive response codes at once using -.

  • example) 200-300 : All response codes from 200 to 300.

⑦ Rule Description
Sets the description of the rule.

⑧ Action
Select the action if detected by the rule.
If Detect, log it, but it does not block the request.
If Verify, verify the request and log it.
If Block, block the request and log it.


Bot Management > Advance

Bot Management > Advance menu allows you to choose how to automatically identify and mitigate malicious Bot's website visits to websites.

① Select Domain : Information about the domain you are currently viewing. You can click to change the domain.

② Fake Bot

  • Identifies traffic disguised as not malicious bots, such as search engine crawlers, social networks, and website monitoring bots.
  • Click the Off, Detect, Verify, Block buttons to select how to handle suspected rogue Bot approaches.

③ robots.txt violation

  • Identifies traffic that violates the robots.txt definition.
    robots.txt : A protocol to prevent robots from accessing websites
  • Click the Off, Detect, Verify, Block buttons to select how to handle suspected rogue Bot approaches.

Honeypot Trap

  • Includes non-existent URLs in the response data to lure bots and identify abnormal access.
  • Click the Off, Detect, Verify, Block buttons to select how to handle suspected rogue Bot approaches.

 

⑤ Enhanced Mode

  • Automatically identifies and mitigates malicious Bot's website visits with enhanced methods such as proactive Bot defense, headless browser detection, and behavioral analysis.
  • This feature is only available to paid users.
    • For free users, click the Upgrade Product button to go to the payment site and use it after payment.
    • After payment, you can choose how to use the feature, such as Basic Mode.

⑥ Request Throttling

  • Delays requests beyond the specified number to reliably use the server's resources.
  • This feature is only available to paid users.
    • For free users, click the Upgrade Product button to go to the payment site and use it after payment.

Bot Management > Challenge Page

Bot Management > Challenge page menu allows you to check and modify the challenge page that appears to the client when verifying a suspected malicious Bot web request.

① Select Domain : Information about the domain you are currently viewing. You can click to change the domain.

② Bot Verification : Information about the Bot verification method applied to the current domain. You can change the Bot verification method by clicking the radio button and then clicking the Apply button. The default method is Captcha Challenge Page.

③ Captcha Challenge Page : HTML document of the captcha challenge page currently registered with the WAAP.

④ Email 2 Factor Challenge Page : HTML document of email 2 factor challenge page currently registered with WAAP.


Captcha & Email 2 Factor Challenge Page

  • The Captcha Challenge Page and the Email 2 Factor Challenge Page allow you to modify HTML directly through the editor.
    • When modifying HTML on a challenge page, the pattern code inserted within the page code, be careful not to delete the [[%%STATIC-SCRIPT%%]] and [[%%INPUT-FORM%%]].
  • Click the Preview button to see what the challenge page looks like in HTML.


  • When you click the Default Challenge Page button, the WAAP's default challenge page will be applied.
  • Click the Apply button to apply the edited challenge page to the WAAP.

Bot Management > Credential Stuffing

This feature is only available to paid users. For free users, click the Upgrade Product button on the top of the page to go to the payment site and use it after payment.

Bot Management > Credential Stuffing menu blocks attempts to log in using leaked account information against web applications or APIs.


① Select Domain : Information about the domain you are currently viewing. You can click to change the domain.

② Use: You can change usage status of the policy by clicking the On/Off button. Policies that are not in use do not perform inspections, and therefore, no logs are recorded.

③ Target URL : Sets the path of the URL used for login requests.

④ Request field name : Sets the field names representing the username and password when making a login request.

⑤ Types of credentials used : When comparing account information through Credential Stuffing, you can decide which types of credentials to include in the comparison.

Action : Set the action for the rule.
If detect, log it, but do not block the request.
If blockblock the request and log it.


When you are done setting the rule, click the Apply button at the bottom to register the rule.


Security Settings

The Security Settings menu provides management functions for the entire security rules, such as copying policies from one domain to another or initializing security rules.

  • Header-based client IP identification
    Applies security features to the client IP inserted in the specified HTTP header name. If the incoming traffic does not have the specified header name, it identifies the network IP as the client IP.
    Up to five header names can be registered.
  • Custom Client IP Injection
    Inserts the received client IP into the specified HTTP header and sends it to the origin server. If the header name is not specified, the client IP will be inserted in the X-Forwarded-For header.
  • Copying Security Rules
    This function allows you to copy the security rules of the domain you are currently looking up to to another domain.

    image.png

    • Security Rules
      Select the security rules you want to copy. 
    • Domain List
      Select the domain to which the security rules will be copied.


  • Initialize security rules
    This is a function that can initialize the security rules of the currently inquired domain.

    image.png

  • Auto generate monthly report
    This option automatically generates a monthly report. If you check Automatically Generate Monthly Report, a report for the previous month is generated on the 1st of each month.

  • Send Report Mail
    This option allows for monthly reports that are automatically generated to be sent via email. Up to five email accounts can be registered. On the first day of every month, a PDF file of the generated report is attached and sent to the designated email address. If you do not wish to use the email feature, simply set it to Off.

Report

The report menu is a function to view and manage WAAP's Web Security report.

① Select Domain : Information about the domain you are currently viewing. You can click to change the domain.

② Manually Generate Report : You can manually generate a report by setting the data period.

③ Report List : List of generated reports.


In the Report list, information such as report creation time, data period, and report file name is summarized and printed.

image.png Click the button to download the generated report in pdf format.

image.png Click the button to download the generated report in docs format.

Click the Delete button to delete the generated report.

Alarm Setting

The functionality provided only for customers. Contact us at support@aioncloud.com application features, please.

This is a function to send WAAP detection log to security control system such as ESM / SIEM.


SIEM_EN.png

① Select Domain : Information about the domain you are currently viewing. You can click to change the domain.

② Send destination list :  List of destinations to send detection log to. You can add it in IP:PORT format.

③ Custom Log Format : You can add any value to the prefix of the detection log to be sent. A maximum of one can be added.

④ Detect Log Format : Select the information in the detection log to send.

⑤ Preview : You can preview the format of the detection logs that will actually be sent.


The value set in the Custom Log Format is located in the first field of the transmitted detection log.
Below is an example of a log sent when the Custom Log Format is set to 'AIONCLOUD_WAAP'.

image.png


Detect Log Format can set the delimiter, number of delimiters, and language.