Overview of Web Application Firewall

Oracle Cloud Infrastructure Web Application Firewall (WAF) is a regional and edge enforcement service that is attached to an enforcement point, such as a load balancer or a web application domain name. WAF protects applications from malicious and unwanted internet traffic. WAF can protect any internet-facing endpoint, providing consistent rule enforcement across a customer's applications.

If you want to use WAF for edge enforcement, see Edge Policies for more information.

WAF provides you with the ability to create and manage rules for internet threats including Cross-Site Scripting (XSS), SQL Injection, and other OWASP-defined vulnerabilities. Access rules can restrict traffic based on geography or the signature of the request.

WAF Concepts

Describes concepts associated with a web application firewall (WAF).

Access Control
Access control encompasses request and response controls.
Action

Actions are objects that represent one of the following:

  • Allow: An action that, when its rule matches, skips all remaining rules in the current module.
  • Check: An action that does not stop the execution of rules in the current module. Instead, it generates a log message documenting the result of the rule execution.
  • Return HTTP response: An action that returns a defined HTTP response.
Condition
Each rule accepts a JMESPath expression as its condition. HTTP requests or HTTP responses (depending on the type of rule) are what trigger WAF rules.
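The action semantics listed above (Allow skips the rest of the module, Check logs and continues, Return HTTP response answers the client), modelled as an added Python example rather than OCI's own code. The conditions are plain Python predicates standing in for the JMESPath expressions the service evaluates, and the rule names, request fields and IP addresses are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Hypothetical model of one WAF module: an ordered list of rules, each with a
# condition (a predicate standing in for JMESPath) and one of the three actions.
Request = Dict[str, object]

@dataclass
class Rule:
    name: str
    condition: Callable[[Request], bool]
    action: str            # "allow", "check" or "return_response"
    status: int = 403      # only used by return_response
    body: str = "Forbidden"

@dataclass
class Outcome:
    response: Optional[Tuple[int, str]] = None   # set when a rule returned a response
    log: List[str] = field(default_factory=list)
    skipped: List[str] = field(default_factory=list)

def evaluate_module(rules: List[Rule], request: Request) -> Outcome:
    out = Outcome()
    for i, rule in enumerate(rules):
        if not rule.condition(request):
            continue
        if rule.action == "allow":
            # Allow: stop here and skip every remaining rule in this module.
            out.skipped = [r.name for r in rules[i + 1:]]
            out.log.append(f"{rule.name}: allow, skipped {len(out.skipped)} rule(s)")
            break
        if rule.action == "check":
            # Check: only record the match; later rules still run.
            out.log.append(f"{rule.name}: check matched, continuing")
            continue
        if rule.action == "return_response":
            # Return HTTP response: answer the client with the configured response.
            out.log.append(f"{rule.name}: returning HTTP {rule.status}")
            out.response = (rule.status, rule.body)
            break
        raise ValueError(f"unknown action {rule.action!r}")
    return out

# Constructed sample rules for a request-control module (not OCI defaults).
RULES = [
    Rule("allow-internal-healthcheck",
         lambda r: r["path"] == "/healthz" and str(r["source_ip"]).startswith("10."), "allow"),
    Rule("log-sqli-probe",
         lambda r: "union select" in str(r.get("query", "")).lower(), "check"),
    Rule("block-admin-from-internet",
         lambda r: str(r["path"]).startswith("/admin") and not str(r["source_ip"]).startswith("10."),
         "return_response", 403, "Forbidden"),
]
```

Calling `evaluate_module(RULES, request)` with a request dict shows why ordering matters: an Allow rule placed first hides later Check and Return rules from the same module.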
Firewall
The Firewall resource is a logical link between a WAF policy and an enforcement point, such as a load balancer.
Network Address List
Network address lists are collections of individual public IP addresses and CIDR IP ranges or private IP addresses used by WAF policies.
Origin
Your web application's origin host server.
Protection Rule
Protection rules are sets of protection capabilities that are used to determine whether traffic should be logged, allowed, or blocked. WAF observes traffic to your web application and applies these rules to it. To view a list of available WAF rules, see Protection Rules for Web Application Firewall.
Rate Limiting
Rate limiting allows inspection of HTTP connection properties and limits the frequency of requests for a given key.
Request Control
Request control allows inspection of HTTP request properties and the return of a defined HTTP response.
Request Protection Rules
Request protection rules enable the checking of HTTP requests for malicious content and the return of a defined HTTP response.
Response Control
Response control allows inspection of HTTP response properties and the return of a defined HTTP response.
Web Application Firewall (WAF)

WAF is a Payment Card Industry (PCI) compliant, global security service that protects applications from malicious and unwanted internet traffic.

Authentication and Authorization

Each service in Oracle Cloud Infrastructure integrates with IAM for authentication and authorization, for all interfaces (the Console, SDK or CLI, and REST API).

An administrator in your organization needs to set up groups, compartments, and policies that control which users can access which services, which resources, and the type of access. These policies control who can create users, create and manage the cloud network, launch instances, create buckets, download objects, and similar tasks. For more information, see Getting Started with Policies. For specific details about writing policies for each of the different services, see Policy Reference.

If you’re a regular user (not an administrator) who needs to use the Oracle Cloud Infrastructure resources that your company owns, contact your administrator to set up a user ID for you. The administrator can confirm which compartment or compartments you should be using.

Creating Automation with Events

You can create automation based on state changes for your Oracle Cloud Infrastructure resources by using event types, rules, and actions. For more information, see Overview of Events.

Tagging Resources

You can apply tags to your resources to help you organize them according to your business needs. You can apply tags at the time you create a resource, or you can update the resource later with the desired tags. For general information about applying tags, see Resource Tags.