Parsing and Monitoring Settings

Parsing Settings determines where the domain name resolves: to DDoS Protection, to WAF, or to the origin server, depending on the functionality required. This lets the setup match the user’s application scenario and makes WAF configuration more flexible and secure.
Monitoring Settings lets users configure the monitoring method for each domain name according to its application scenario, so that related alert notifications are received promptly.

!> Important:
For monitoring settings, every type of monitoring except the automatic failback for business anomalies is also controlled by the on/off switches in Global Alerting Settings; the switches here are only sub-switches at the domain name level. If the corresponding switch in Global Alerting Settings has not been turned on, SMS or email alert notifications may not be received. When the parsing status is set to “DDoS Protection”, the automatic failover mode does not take effect.

Parsing Settings

Once the domain name has been successfully created, parsing settings can be configured at List Page→More→Parsing Settings, with the default set to WAF Parsing.

Parsing Status: A pop-up window displays the parsing status for all regions of the current domain name.

(1) DDoS Protection: The domain name is parsed to the corresponding DDoS Protection IP.

(2) Normal: The domain name is parsed to WAF.

(3) Failed Back: The domain name is directly parsed to the origin server IP.

WAF Parsing

Once the domain name has been successfully created, settings can be configured at List Page→More→Parsing Settings→Domain name Parsing (Default configuration).

In this mode, UWAF will identify and block malicious requests, and protect domain names in accordance with the corresponding protection rule policies.

Origin Server Parsing

Configuration Path: List Page→More→Parsing Settings→Origin Server Parsing.

In this mode, the client will directly visit the origin server, and the origin server will lose WAF protection. Please configure this setting cautiously.

DDoS Protection Parsing

Configuration Path: List Page→More→Parsing Settings→DDoS Protection Parsing. In this mode, UWAF and UDDOS work together to provide DDoS attack protection for the origin server.

!> Note:
This mode requires users to purchase the UDDOS service and complete related configurations.
Only domain names with the DDoS Protection Parsing feature enabled are eligible for DDoS attack protection.

DDoS Protection Settings

Configuration Path: Domain Name List→More→DDoS Protection Settings.

DDoS Protection Configuration

DDoS Protection Configuration: Click the [DDoS Protection Configuration] button to bring up the configuration pop-up. This cannot be configured when the domain name is already in DDoS Protection Parsing mode.

Mode:

① Manual: The user manually switches to DDoS Protection, which points the DNS parsing to the DDoS Protection IP. The user is notified after the configuration succeeds.

② Automatic: When the corresponding domain name is under a DDoS attack, it is automatically parsed to DDoS Protection. The user is notified after the automatic configuration succeeds. The current parsing status is not affected if the automatic switching condition is not triggered.

Region: Allows configuring different DDoS Protection Parsing IPs for different regions. The corresponding DDoS Protection IP can be purchased at UDDOS.

DDoS Protection IP: The user configures the corresponding DDoS Protection IP, either reading a previously created DDoS Protection IP or entering one manually.

DDoS Protection Configuration Synchronization

DDoS Protection Configuration Synchronization: Allows for batch copying origin domain configurations to selected domain names. A maximum of 50 copies can be made.

!> Note:
(1) For domain names with existing configurations, new configurations will overwrite old ones.
(2) Cannot be configured while in DDoS Protection Parsing mode.
(3) Domain names already in DDoS Protection Configuration status cannot be configured.

DDoS Protection Switch Confirmation: A second pop-up confirms the batch synchronization operation.

Synchronization Information Feedback: Reports the synchronization results, including the total synchronization information, the number of successful operations, and the number of unsuccessful operations with the reasons for failure.

Monitoring Settings

The monitoring settings here work at the domain name level and turn alert information on or off. Except for the automatic fallback setting for business anomalies, all of them are subject to the switches in the global alert settings. If the corresponding switches in the global alert settings have not been turned on, it will be impossible to receive SMS or email alert notifications.

All the following switches are for turning on or off alerts or monitoring at the domain name level.

Attack Alert Monitoring

UWAF monitors attacks against the domain name. By default, if a single IP triggers the same type of attack more than 500 times within 1 minute, an alert email or SMS will be sent to the users in the corresponding message subscription group.

Abnormal Status Code Monitoring

UWAF monitors the status codes of the domain's business. The average business QPS needs to be more than 10; less than 10 will not trigger an alert. If the proportion of response codes above 499 in the overall requests is more than 30%, an alert email or SMS will be sent to the users in the corresponding message subscription group. The frequency is once every 5 minutes.
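The default thresholds from Attack Alert Monitoring and Abnormal Status Code Monitoring, replayed over request records, as an added example that is not UWAF's own code. The fixed one-minute buckets, the 5-minute evaluation window and the record layouts are assumptions; the sample data is constructed.

```python
from collections import Counter, defaultdict

# Thresholds as stated on the page. STATUS_WINDOW is an assumption: the page
# gives only the alert frequency (once every 5 minutes), not the window size.
ATTACK_LIMIT = 500    # same attack type from one IP within 1 minute
MIN_QPS = 10          # average business QPS must be more than this
ERROR_RATIO = 0.30    # share of response codes above 499
STATUS_WINDOW = 300   # seconds

def attack_alerts(events):
    """events: (epoch_seconds, src_ip, attack_type). Returns alerting keys."""
    counts = Counter((ts // 60, ip, kind) for ts, ip, kind in events)
    return sorted(key for key, n in counts.items() if n > ATTACK_LIMIT)

def status_alerts(requests):
    """requests: (epoch_seconds, status). Returns a verdict per window."""
    windows = defaultdict(lambda: [0, 0])  # window index -> [total, errors]
    for ts, status in requests:
        bucket = windows[ts // STATUS_WINDOW]
        bucket[0] += 1
        bucket[1] += status > 499
    verdicts = {}
    for win, (total, errors) in sorted(windows.items()):
        qps, ratio = total / STATUS_WINDOW, errors / total
        # Both conditions must hold, so a quiet domain never alerts.
        verdicts[win] = {"qps": qps, "ratio": ratio,
                         "alert": qps > MIN_QPS and ratio > ERROR_RATIO}
    return verdicts

# Constructed sample traffic (not real data).
SAMPLE_REQUESTS = (
    # window 0: 3600 requests (12 QPS), one third answered with 503
    [(t % 300, 503 if t % 3 == 0 else 200) for t in range(3600)]
    # window 1: 600 requests (2 QPS), every one answered with 503
    + [(300 + t % 300, 503) for t in range(600)]
)
SAMPLE_ATTACKS = (
    [(10, "203.0.113.5", "sqli")] * 501    # more than 500: alerts
    + [(20, "203.0.113.9", "xss")] * 500   # exactly 500: does not alert
)

if __name__ == "__main__":
    print(attack_alerts(SAMPLE_ATTACKS))
    print(status_alerts(SAMPLE_REQUESTS))
```

Window 1 shows the gap worth covering with separate monitoring: a domain that averages 10 QPS or less produces no status code alert even when every response is above 499.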

Origin Server Status Monitoring

By default, UWAF uses the HEAD request method to probe the added domain name. The probing path is either Probing client -> UWAF -> origin server or Probing client -> origin server; HTTP and HTTPS business availability represent the status of the former link. Check whether the origin server or domain name has security policies; if so, the UWAF monitoring IP (return source IP) needs to be whitelisted. If there are abnormal responses in 3 consecutive requests within 5 minutes, an alert email or SMS will be sent to the users in the corresponding message subscription group. The frequency is once every 5 minutes.

?> Explanation:
Turning this function off only stops the alert emails or SMS. UWAF probing clients will still continue to probe the origin server. UWAF probing clients randomly select an address in the return source IP segment as the source IP for probing (in rare cases, they use the domain name Protection IP as the source IP). If the origin server or domain name has security policies, HEAD requests from UWAF’s return source IP need to be allowed on the origin server, and at the same time the return source IP should be added to the domain name’s whitelist in the UWAF console.

Users can also customize the request path for probing. If a complete URL is filled in the monitoring address, the probe request will treat the response to accessing this URL as the basis for determining the status of the origin server.

Configuration Example

After we set a custom origin server status monitoring address and wait a few minutes, the probe request received by the origin server should carry the custom file path. The log is as follows:

Automatic Return to Source Setting for Business Anomalies

After automatic fallback for business anomalies is enabled, UWAF monitors the availability of the business for that domain name. Check whether the origin server or domain name has security policies; if so, the UWAF monitoring IP (return source IP) needs to be whitelisted. If the origin server probing requests return response codes above 499 10 consecutive times, and the business QPS is more than 50, the DNS parsing address for this domain name will point to the origin server of the domain name (by default the first origin server when there are multiple origin servers). The probing and monitoring principles of this function are the same as for Origin Server Status Monitoring, and if a custom monitoring address is set, that URL will be probed. You can also manually switch the domain name to return to source, or remove the return to source.
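One way to check from the origin's side that the HEAD probes described under Origin Server Status Monitoring and automatic fallback arrive from the return source IP segment and are not rejected by a security policy, as an added example that is not UWAF's own code. The log format, the network `198.51.100.0/24`, the path `/status/uwaf-probe` and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumptions, not from the page: the origin writes "combined"-style access
# logs; 198.51.100.0/24 is a placeholder for the UWAF return source IP segment
# shown in your console; /status/uwaf-probe is a hypothetical monitoring path.
RETURN_SOURCE_NETS = [ipaddress.ip_network("198.51.100.0/24")]
PROBE_PATH = "/status/uwaf-probe"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def audit_probes(lines, nets=RETURN_SOURCE_NETS, probe_path=PROBE_PATH):
    """Summarise HEAD probes for probe_path as seen in the origin's log."""
    report = {"ok": 0, "blocked": [], "other_source": [], "max_5xx_streak": 0}
    streak = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "HEAD" or m["path"].split("?")[0] != probe_path:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # first field is not an IP address
        status = int(m["status"])
        if not any(ip in net for net in nets):
            # HEAD on the probe path from outside the segment: review it.
            report["other_source"].append((str(ip), status))
            continue
        if status in (401, 403):
            # A security policy on the origin is rejecting the probe.
            report["blocked"].append((str(ip), status))
        elif status < 400:
            report["ok"] += 1
        # The page counts consecutive codes above 499 toward automatic fallback.
        streak = streak + 1 if status > 499 else 0
        report["max_5xx_streak"] = max(report["max_5xx_streak"], streak)
    return report

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "HEAD /status/uwaf-probe HTTP/1.1" 200 0 "-" "-"',
    '198.51.100.9 - - [01/Jan/2024:10:01:00 +0000] "HEAD /status/uwaf-probe HTTP/1.1" 403 0 "-" "-"',
    '203.0.113.5 - - [01/Jan/2024:10:01:30 +0000] "HEAD /status/uwaf-probe HTTP/1.1" 200 0 "-" "-"',
    '198.51.100.7 - - [01/Jan/2024:10:02:00 +0000] "HEAD /status/uwaf-probe HTTP/1.1" 502 0 "-" "-"',
    '198.51.100.8 - - [01/Jan/2024:10:03:00 +0000] "HEAD /status/uwaf-probe HTTP/1.1" 503 0 "-" "-"',
    '198.51.100.7 - - [01/Jan/2024:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "-"',
]
```

A non-empty `blocked` list means the whitelist on the origin is incomplete, and a `max_5xx_streak` approaching 10 on a domain above 50 QPS means automatic fallback, and with it the loss of WAF protection for the origin, is close.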