Web Application Firewall

This topic gives you an overview of Oracle Cloud Infrastructure Web Application Firewall (WAF) components and typical scenarios for using WAF.

Overview of Web Application Firewall: Get a high-level overview of the WAF service.

Getting Started: Follow a guided journey to set up WAF.

Frequently Asked Questions: Find answers to frequently asked questions about WAF.


Origin Management
An origin is an endpoint (typically an IP address) of the application protected by the WAF. An origin can be the public IP address of an Oracle Cloud Infrastructure load balancer, which gives the origin high availability behind a single address. When you create a WAF policy, you define a default origin and optional HTTP headers. An origin must be defined in your WAF policy before you can set up protection rules or other features. The origin details can be modified later in the Settings of the WAF policy. In the Origin Settings you can add or modify the HTTP headers that the WAF sets on outbound traffic to the origin server; these name-value pairs are then available to the application. Because the WAF sits in front of the origin rather than on it, the origin should accept traffic only from the WAF: an attacker who discovers the origin address and can reach it directly is not subject to any of the rules described below.
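One use of the outbound headers: the WAF can add a secret header on every request it forwards, and the origin rejects any request without it, so a client that reaches the origin address directly cannot skip the WAF. The following is an added example, not code from the Oracle documentation or the WAF service. The origin definition is an illustrative name-value structure in the spirit of the settings above rather than a verbatim OCI API payload, and the header name X-WAF-Origin-Token, the token value and the function names are assumptions made here.

```python
import hmac
import secrets
from typing import Dict, Mapping

# Header name the WAF is configured to add on traffic to the origin.
# Assumed for this example; it is not a name defined by the WAF service.
WAF_TOKEN_HEADER = "X-WAF-Origin-Token"


def generate_origin_token() -> str:
    """Create a fresh random token to configure in the origin's custom headers."""
    return secrets.token_urlsafe(32)


def build_origin_definition(address: str, token: str,
                            http_port: int = 80, https_port: int = 443) -> Dict:
    """Illustrative origin definition: the address, ports and the name-value
    headers the WAF should set on outbound traffic (structure assumed here,
    not a verbatim OCI API payload)."""
    return {
        "uri": address,
        "httpPort": http_port,
        "httpsPort": https_port,
        "customHeaders": [{"name": WAF_TOKEN_HEADER, "value": token}],
    }


def is_from_waf(headers: Mapping[str, str], expected_token: str) -> bool:
    """Origin-side check: True only when the request carries the shared token.

    Header names are matched case-insensitively (proxies may change casing),
    and the value is compared in constant time so that response timing does
    not reveal how many leading bytes of a guessed token were correct."""
    presented = next((v for k, v in headers.items()
                      if k.lower() == WAF_TOKEN_HEADER.lower()), None)
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode("utf-8"),
                               expected_token.encode("utf-8"))


def origin_response_status(headers: Mapping[str, str], expected_token: str) -> int:
    """Status the origin should return: 403 for direct hits, 200 via the WAF."""
    return 200 if is_from_waf(headers, expected_token) else 403


if __name__ == "__main__":
    token = generate_origin_token()
    print(build_origin_definition("203.0.113.10", token))
    # A request that arrived via the WAF carries the header; a direct one does not.
    print(origin_response_status({"X-WAF-Origin-Token": token}, token))  # 200
    print(origin_response_status({"Host": "app.example.com"}, token))    # 403
```

Two details matter here: the lookup is case-insensitive, because the WAF or an intermediate proxy may change header-name casing, and the comparison is constant-time. The header check is a second line of defence; the primary control is still a network rule that lets only the WAF's addresses reach the origin, and the token should be rotated by updating both the origin settings and the application.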

See Origin Management for more information.

Bot Management

Bot Management enables you to mitigate undesired bot traffic to your site using CAPTCHA and JavaScript challenges, while allowing known, published bot providers to bypass these controls.

Non-human traffic makes up a large share of the traffic to most sites. Bot Management is designed to detect and block, or otherwise direct, non-human traffic that may interfere with site operations. Its features mitigate bots that conduct content and price scraping, vulnerability scanning, comment spam, brute-force attacks, and application-layer DDoS attacks. You can also allowlist good bots; because the User-Agent string is chosen by the client, an allowlist should identify a bot by more than its advertised user agent.

See Bot Management for more information.

WAF Protection Rules
Protection rules match web traffic against rule conditions and determine the action to take when the conditions are met. Protection Rule Settings let you define the parameters for enforcement whenever a protection rule is matched. Recommendations help you optimize your WAF security profile: the Security Operations team proactively monitors all events and recommends the action (for example, detect or block) that a specific ruleset should take.

See WAF Protection Rules for more information.

Access Control

As a WAF administrator, you can define explicit actions for requests that meet specified conditions. Conditions are built from match operations on request attributes (such as the URL, source IP address, HTTP method, and headers) and from regular expressions. A rule action can be set to log and allow, detect, block, redirect, bypass, or show a CAPTCHA for all matched requests. You can also use the IP Whitelist tab to manage lists of trusted IP addresses that bypass all rules and challenges; because a whitelisted address is exempt from every check, keep these lists short and review them regularly.
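The following is an added example, not code from the Oracle documentation or the WAF service. It models how access rules of this kind are evaluated: an IP whitelist is consulted first, then an ordered rule list in which the first rule whose conditions all hold decides (the ordering semantics are assumed here; confirm them against the product). The criterion identifiers (URL_IS, IP_IS_NOT, HTTP_HEADER_CONTAINS, and so on), the sample policy and the addresses are constructed for illustration. It goes beyond the paragraph on two points a practitioner should care about: request paths are canonicalized before matching, so percent-encoding or ../ segments do not slip past a prefix condition, and the bypass rule for a monitoring bot checks the source address as well as the User-Agent, because the user agent is chosen by the client.

```python
import ipaddress
import posixpath
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import unquote

# Rule actions named on this page (identifier spellings are assumed here).
ACTIONS = {"ALLOW", "DETECT", "BLOCK", "REDIRECT", "BYPASS", "SHOW_CAPTCHA"}


@dataclass
class Request:
    ip: str
    path: str
    method: str = "GET"
    headers: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> str:
        # HTTP header names are case-insensitive.
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return ""


@dataclass
class Condition:
    criterion: str  # one of the MATCHERS keys (names assumed for this example)
    value: str


@dataclass
class AccessRule:
    name: str
    action: str
    conditions: List[Condition]  # every condition must hold (AND)


def canonical_path(raw: str) -> str:
    """Decode and normalize a request path so that prefix and regex conditions
    see the path the origin will actually serve. Without this, "/%61dmin" or
    "/static/../admin" pass a condition written as "/admin"."""
    path = unquote(raw.split("?", 1)[0]) or "/"
    path = re.sub(r"/+", "/", path)       # "//admin" -> "/admin"
    path = posixpath.normpath(path)       # "/a/../admin" -> "/admin"
    return path if path.startswith("/") else "/" + path


def _in_cidr(ip: str, cidr: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


MATCHERS: Dict[str, Callable[[Request, str], bool]] = {
    "URL_IS": lambda r, v: canonical_path(r.path) == v,
    "URL_STARTS_WITH": lambda r, v: canonical_path(r.path).startswith(v),
    "URL_PART_CONTAINS": lambda r, v: v in canonical_path(r.path),
    # re.search is unanchored: "admin" also matches "/static/admin.css".
    "URL_REGEX": lambda r, v: re.search(v, canonical_path(r.path)) is not None,
    "IP_IS": lambda r, v: _in_cidr(r.ip, v),
    "IP_IS_NOT": lambda r, v: not _in_cidr(r.ip, v),
    "HTTP_METHOD_IS": lambda r, v: r.method.upper() == v.upper(),
    # Condition value has the form "Header-Name: substring".
    "HTTP_HEADER_CONTAINS": lambda r, v: v.split(":", 1)[1].strip() in r.header(v.split(":", 1)[0]),
    "USER_AGENT_IS": lambda r, v: r.header("User-Agent") == v,
}


def evaluate(req: Request, rules: List[AccessRule], ip_whitelist: List[str]) -> Tuple[str, str]:
    """Return (action, reason). Whitelisted addresses skip every rule and
    challenge; otherwise rules are tried top to bottom and the first rule whose
    conditions all hold decides (assumed ordering)."""
    for cidr in ip_whitelist:
        if _in_cidr(req.ip, cidr):
            return "ALLOW", "ip-whitelist"
    for rule in rules:
        if rule.action not in ACTIONS:
            raise ValueError(f"{rule.name}: unknown action {rule.action}")
        if all(MATCHERS[c.criterion](req, c.value) for c in rule.conditions):
            return rule.action, rule.name
    return "ALLOW", "default"


# Constructed sample policy: a corporate range, an uptime monitor, an admin area.
CORP_NET = "198.51.100.0/24"
MONITOR_IP = "192.0.2.7"
IP_WHITELIST = ["203.0.113.5/32"]   # one trusted address that bypasses everything

RULES = [
    # Bypass only when the monitor's user agent AND its source address match;
    # the user agent alone is attacker-controlled and must not be the sole gate.
    AccessRule("uptime-monitor", "BYPASS", [
        Condition("USER_AGENT_IS", "UptimeMonitor/1.0"),
        Condition("IP_IS", f"{MONITOR_IP}/32"),
    ]),
    AccessRule("admin-from-outside", "BLOCK", [
        Condition("URL_STARTS_WITH", "/admin"),
        Condition("IP_IS_NOT", CORP_NET),
    ]),
    AccessRule("login-post-captcha", "SHOW_CAPTCHA", [
        Condition("URL_IS", "/login"),
        Condition("HTTP_METHOD_IS", "POST"),
    ]),
    AccessRule("scanner-user-agent", "DETECT", [
        Condition("HTTP_HEADER_CONTAINS", "User-Agent: sqlmap"),
    ]),
]


def decide(ip: str, path: str, method: str = "GET",
           headers: Optional[Dict[str, str]] = None) -> str:
    """Convenience wrapper: the action the sample policy takes for one request."""
    return evaluate(Request(ip, path, method, headers or {}), RULES, IP_WHITELIST)[0]
```

The same canonicalization point applies to regular expressions: a URL_REGEX condition of admin matches /static/admin.css, so write ^/admin(/|$) when a whole path prefix is meant, and match against the decoded, normalized path rather than the raw request line.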

See Access Control for more information.

Caching Rules
Caching rules allow you to selectively cache requested content on Oracle Cloud Infrastructure's edge servers, such as web pages or certain file types.

See Caching Rules for more information.