Oracle Cloud Infrastructure Documentation

Overview of the Web Application Firewall Service

Oracle Cloud Infrastructure Web Application Firewall (WAF) is a cloud-based, Payment Card Industry (PCI) compliant, global security service that protects applications from malicious and unwanted internet traffic. WAF can protect any internet-facing endpoint, providing consistent rule enforcement across a customer's applications.

WAF provides you with the ability to create and manage rules for internet threats including Cross-Site Scripting (XSS), SQL Injection and other OWASP-defined vulnerabilities. Unwanted bots can be mitigated while tactically allowing desirable bots to enter. Access rules can restrict requests based on geography or on the signature of the request.

The global Security Operations Center (SOC) continually monitors the internet threat landscape, acting as an extension of your IT infrastructure.

Web Application Firewall Service Components

  • web application firewall policy: WAF policies encompass the overall configuration of your WAF service, including origin management, protection rule settings, and bot detection features.
  • origin: Your web application's origin host server. An origin must be defined in your WAF policy in order to set up protection rules or other features.
  • protection rules: Protection rules can be configured to either allow, block, or log network requests when they meet the rule's specified criteria. The WAF observes traffic to your web application over time and suggests new rules to apply. To view a list of available WAF rules, see Supported Protection Rules.
  • bot management: The WAF service includes several features that allow you to detect and either block or allow identified bot traffic to your web applications. Bot management features include: JavaScript Challenge, CAPTCHA Challenge, and GoodBot whitelists. For more information, see Bot Management.

Ways to Access the WAF Service

You can access Oracle Cloud Infrastructure using the Console (a browser-based interface), command line interface (CLI), or the REST API. Instructions for the Console and API are included in topics throughout this guide.

To access the Console, you must use a supported browser. You can use the Console link at the top of this page to go to the sign-in page. Enter your tenancy, user name, and your password.

Authentication and Authorization

Each service in Oracle Cloud Infrastructure integrates with IAM for authentication and authorization, for all interfaces (the Console, SDK or CLI, and REST API).

An administrator in your organization needs to set up groups, compartments, and policies that control which users can access which services, which resources, and the type of access. A group is a collection of users who all need a particular type of access to a set of resources or a compartment. A compartment is a collection of related resources that can be accessed only by certain groups that have been given permission by an administrator. A policy is an IAM document that specifies who has what type of access to your resources; the term is used to mean an individual statement written in the policy language, a collection of statements in a single, named "policy" document (which has an Oracle Cloud ID (OCID) assigned to it), or the overall body of policies your organization uses to control access to resources. For example, the policies control who can create new users, create and manage the cloud network, launch instances, create buckets, download objects, etc. For more information, see Getting Started with Policies. For specific details about writing policies for each of the different services, see Policy Reference.

If you’re a regular user (not an administrator) who needs to use the Oracle Cloud Infrastructure resources that your company owns, contact your administrator to set up a user ID for you. The administrator can confirm which compartment or compartments you should be using.

Note About The API

The WAF service is powered by the Oracle Cloud Infrastructure Web Application Acceleration and Security (WAAS) API. All WAF-related calls must be made using the WAAS API. To create a WAF configuration using the API, you must first create a WAAS policy with a defined origin and domain using the API. For the purposes of access control, you must provide the OCID of the compartment where you want the service to reside. For information about access control and compartments, see Overview of the IAM Service.

WAF Service Capabilities and Limits

The WAF service is limited to 50 policies per tenant and 100 access rules per policy. See Service Limits for a list of applicable limits and instructions for requesting a limit increase. To set compartment-specific limits on a resource or resource family, administrators can use compartment quotas.

The WAF service allows a total run time of 20 minutes for upload and download processes through the WAF.

Required IAM Service Policy

To use Oracle Cloud Infrastructure, you must be given access in an IAM policy for waas-policy. If you try to perform an action and get a message that you don't have permission or are unauthorized, confirm with your administrator the type of access you've been granted and which compartment you should work in.

Policy examples:

  • To allow a specific user group to manage policies in the WAF:
    Allow group <GroupName> to manage waas-policy in compartment <CompartmentName>
    Allow group <GroupName> to read waas-work-request in compartment <CompartmentName>
  • To allow a specific user group to manage certificates in the WAF:
    Allow group <GroupName> to manage waas-certificate in compartment <CompartmentName>
  • To allow a specific user group to view policies in the WAF:
    Allow group <GroupName> to read waas-policy in tenancy <TenancyName>
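As an added example (not part of the Oracle documentation), the following Python evaluates statements of the shape shown above to check whether a group holds a given verb on a WAF resource type in a compartment. It relies on the IAM verb ordering inspect < read < use < manage, where each verb includes the ones before it; the parser covers only this one-group, one-verb, one-resource statement form, and the group and compartment names in the sample are made up.

```python
import re

# OCI IAM verbs in increasing order; each verb includes all verbs before it.
VERBS = ["inspect", "read", "use", "manage"]

# Subset of the policy language matching the examples above (assumed form).
STATEMENT_RE = re.compile(
    r"^Allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>\S+) in (?P<scope>compartment \S+|tenancy(?: \S+)?)$",
    re.IGNORECASE,
)


def parse_statement(text):
    """Split one policy statement into group, verb, resource and scope."""
    m = STATEMENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported policy statement: {text!r}")
    scope = m.group("scope").split()
    return {"group": m.group("group"), "verb": m.group("verb").lower(),
            "resource": m.group("resource").lower(),
            "scope_type": scope[0].lower(),
            "scope_name": scope[1] if len(scope) > 1 else None}


def grants(statements, group, verb, resource, compartment):
    """True if some statement lets `group` do `verb` on `resource` inside
    `compartment`; a tenancy-scoped statement covers every compartment."""
    needed = VERBS.index(verb)
    for s in map(parse_statement, statements):
        if s["group"] != group or s["resource"] != resource:
            continue
        in_scope = s["scope_type"] == "tenancy" or s["scope_name"] == compartment
        if in_scope and VERBS.index(s["verb"]) >= needed:
            return True
    return False


def missing_for_waf_admin(statements, group, compartment):
    """List the grants from the WAF administrator example that are absent."""
    required = [("manage", "waas-policy"), ("read", "waas-work-request")]
    return [f"{v} {r}" for v, r in required
            if not grants(statements, group, v, r, compartment)]


# Constructed sample statements; group and compartment names are made up.
SAMPLE = [
    "Allow group WafAdmins to manage waas-policy in compartment Prod",
    "Allow group WafAuditors to read waas-policy in tenancy",
]
```

Running `missing_for_waf_admin(SAMPLE, "WafAdmins", "Prod")` reports that the work-request read grant from the first example is still missing, which is the usual cause of a "not authorized" result when checking asynchronous WAF operations.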

If you're new to policies, see Getting Started with Policies and Common Policies. For more details about policies for WAF, see Details for the WAF Service.

Tagging Resources

You can apply tags to your resources to help you organize them according to your business needs. You can apply tags at the time you create a resource, or you can update the resource later with the desired tags. For general information about applying tags, see Resource Tags.