Overview of the Web Application Firewall Service
Oracle Cloud Infrastructure Web Application Firewall (WAF) is a cloud-based, Payment Card Industry (PCI) compliant, global security service that protects applications from malicious and unwanted internet traffic. WAF can protect any internet facing endpoint, providing consistent rule enforcement across a customer's applications.
WAF provides you with the ability to create and manage rules for internet threats including Cross-Site Scripting (XSS), SQL Injection and other OWASP-defined vulnerabilities. Unwanted bots can be mitigated while tactically allowed desirable bots to enter. Access rules can limit based on geography or the signature of the request.
The global Security Operations Center (SOC) will continually monitor the internet threat landscape acting as an extension of your IT infrastructure.
Web Application Firewall Service Components
- WEB APPLICATION FIREWALL POLICY
- WAF policies encompass the overall configuration of your WAF service, including origin management, protection rule settings, and bot detection features.
- Your web application's origin host server. An origin must be defined in your WAF policy in order to set up protection rules or other features.
- PROTECTION RULES
- Protection rules can be configured to either allow, block, or log network requests when they meet the specified criteria of a protection rule. The WAF will observe traffic to your web application over time and suggest new rules to apply. To view a list of available WAF rules, see Supported Protection Rules.
- BOT MANAGEMENT
Ways to Access the WAF Service
You can access Oracle Cloud Infrastructure using the Console (a browser-based interface), command line interface (CLI), or the REST API. Instructions for the Console and API are included in topics throughout this guide.
To access the Console, you must use a supported browser. You can use the Console link at the top of this page to go to the sign-in page. Enter your tenancy, user name, and your password.
Authentication and Authorization
Each service in Oracle Cloud Infrastructure integrates with IAM for authentication and authorization, for all interfaces (the Console, SDK or CLI, and REST API).
An administrator in your organization needs to set up groups , compartments , and policies that control which users can access which services, which resources, and the type of access. For example, the policies control who can create new users, create and manage the cloud network, launch instances, create buckets, download objects, etc. For more information, see Getting Started with Policies. For specific details about writing policies for each of the different services, see Policy Reference.
If you’re a regular user (not an administrator) who needs to use the Oracle Cloud Infrastructure resources that your company owns, contact your administrator to set up a user ID for you. The administrator can confirm which compartment or compartments you should be using.
Note About The API
The WAF service is powered by the Oracle Cloud Infrastructure Web Application Acceleration and Security (WAAS) API. All WAF related calls must be made using the WAAS API. To create a WAF configuration using the API, you must first create a WAAS policy with a defined origin and domain using the API. For the purposes of access control, you must provide the OCID of the compartment where you want the service to reside. For information about access control and compartments, see Overview of the IAM Service.
WAF Service Capabilities and Limits
The WAF service is limited to 50 policies per tenant and 100 access rules per policy. See Service Limits for a list of applicable limits and instructions for requesting a limit increase. To set compartment-specific limits on a resource or resource family, administrators can use compartment quotas.
The WAF service allows a total run time of 20 minutes for upload and download processes through the WAF.
Required IAM Service Policy
To use Oracle Cloud Infrastructure, you must be given access in a policy for waas-policy. If you try to perform an action and get a message that you don’t have permission or are unauthorized, confirm with your administrator the type of access you've been granted and which compartment you should work in.
- To allow a specific user group to manage policies in the WAF:
Allow group <GroupName> to manage waas-policy in compartment <CompartmentName>
Allow group <GroupName> to read waas-work-request in compartment <CompartmentName>
- To allow a specific user group to manage certificates in the WAF:
Allow group <GroupName> to manage waas-certificate in compartment <CompartmentName>
- To allow a specific user group view policies in the WAF
Allow group <GroupName> to read waas-policy in tenancy <TenancyName>
Moving WAF Policies to a Different Compartment
You can move WAF policies from one compartment to another. After you move a WAF policy to the new compartment, inherent policies apply immediately and affect access to the WAF policies through the Console, SDK or CLI. For more information, see Managing Compartments.
You can monitor the health, capacity, and performance of your Oracle Cloud Infrastructure resources by using metrics, alarms, and notifications. For more information, see Monitoring Overview and Notifications Overview.
For information about available WAF service metrics and how to view them, see WAF Metrics.
Creating Automation with Events
You can apply tags to your resources to help you organize them according to your business needs. You can apply tags at the time you create a resource, or you can update the resource later with the desired tags. For general information about applying tags, see Resource Tags.