Overview of Web Application Firewall

Oracle Cloud Infrastructure Web Application Firewall (WAF) is a cloud-based, Payment Card Industry (PCI) compliant, global security service that protects applications from malicious and unwanted internet traffic. WAF can protect any internet facing endpoint, providing consistent rule enforcement across a customer's applications.

WAF provides you with the ability to create and manage rules for internet threats including Cross-Site Scripting (XSS), SQL Injection and other OWASP-defined vulnerabilities. Unwanted bots can be mitigated while tactically allowed desirable bots to enter. Access rules can limit based on geography or the signature of the request.

The global Security Operations Center (SOC) will continually monitor the internet threat landscape acting as an extension of your IT infrastructure.

Web Application Firewall Service Components

WAF policies encompass the overall configuration of your WAF service, including origin management, protection rule settings, and bot detection features.
Your web application's origin host server. An origin must be defined in your WAF policy in order to set up protection rules or other features.
Protection rules can be configured to either allow, block, or log network requests when they meet the specified criteria of a protection rule. The WAF will observe traffic to your web application over time and suggest new rules to apply. To view a list of available WAF rules, see Supported Protection Rules.
The WAF service includes several features that allow you to detect and either block or allow identified bot traffic to your web applications. Bot management features include: JavaScript Challenge, CAPTCHA Challenge, and GoodBot whitelists. For more information, see Bot Management.

Ways to Access the WAF Service

You can access Oracle Cloud Infrastructure using the Console (a browser-based interface), command line interface (CLI), or the REST API. Instructions for the Console and API are included in topics throughout this guide.

To access the Console, you must use a supported browser. You can use the Console link at the top of this page to go to the sign-in page. Enter your tenancy, user name, and your password.

Authentication and Authorization

Each service in Oracle Cloud Infrastructure integrates with IAM for authentication and authorization, for all interfaces (the Console, SDK or CLI, and REST API).

An administrator in your organization needs to set up groups , compartments , and policies  that control which users can access which services, which resources, and the type of access. For example, the policies control who can create new users, create and manage the cloud network, launch instances, create buckets, download objects, etc. For more information, see Getting Started with Policies. For specific details about writing policies for each of the different services, see Policy Reference.

If you’re a regular user (not an administrator) who needs to use the Oracle Cloud Infrastructure resources that your company owns, contact your administrator to set up a user ID for you. The administrator can confirm which compartment or compartments you should be using.

Note About The API

The WAF service is powered by the Oracle Cloud Infrastructure Web Application Acceleration and Security (WAAS) API. All WAF related calls must be made using the WAAS API. To create a WAF configuration using the API, you must first create a WAAS policy with a defined origin and domain using the API. For the purposes of access control, you must provide the OCID of the compartment where you want the service to reside. For information about access control and compartments, see Overview of the IAM Service.

WAF Service Capabilities and Limits

The WAF service is limited to 50 policies per tenant. See Service Limits for a list of applicable limits and instructions for requesting a limit increase. To set compartment-specific limits on a resource or resource family, administrators can use compartment quotas.

The WAF service allows a total run time of 20 minutes for upload and download processes through the WAF.

Required IAM Service Policy

To use Oracle Cloud Infrastructure, you must be given access in a policy  for waas-policy. If you try to perform an action and get a message that you don’t have permission or are unauthorized, confirm with your administrator the type of access you've been granted and which compartment  you should work in.

Policy examples:

  • To allow a specific user group to manage policies in the WAF:
    Allow group <GroupName> to manage waas-policy in compartment <CompartmentName>
    Allow group <GroupName> to read waas-work-request in compartment <CompartmentName>
  • To allow a specific user group to manage certificates in the WAF:
    Allow group <GroupName> to manage waas-certificate in compartment <CompartmentName>
  • To allow a specific user group view policies in the WAF
    Allow group <GroupName> to read waas-policy in tenancy <TenancyName>

If you're new to policies, see Getting Started with Policies and Common Policies. For more details about policies for WAF, see Details for the WAF Service.

Moving WAF Policies to a Different Compartment

You can move WAF policies from one compartment to another. After you move a WAF policy to the new compartment, inherent policies apply immediately and affect access to the WAF policies through the Console, SDK or CLI.  For more information, see Managing Compartments.

Monitoring Resources

You can monitor the health, capacity, and performance of your Oracle Cloud Infrastructure resources by using metrics, alarms, and notifications. For more information, see Monitoring Overview and Notifications Overview.

For information about available WAF service metrics and how to view them, see WAF Metrics.

Creating Automation with Events

You can create automation based on state changes for your Oracle Cloud Infrastructure resources by using event types, rules, and actions. For more information, see Overview of Events.

Tagging Resources

You can apply tags to your resources to help you organize them according to your business needs. You can apply tags at the time you create a resource, or you can update the resource later with the wanted tags. For general information about applying tags, see Resource Tags.