tencent cloud

PrevNext

Feedback

search by keyword

Recent Pages

Documentation
Web Application Firewall
    Documentation
    Download PDF

    Release Notes

    Last updated: 2024-08-28 20:10:35
    Download PDF

      July 2024

      Update
      Description
      Release Date
      Documentation
      Access capability optimization
      CLB-WAF supported configuring multiple domain name policies within CLB listeners, enabling full access to WAF protection for all domain names, thereby enhancing the overall access experience.
      The SaaS-WAF access experience had been optimized by ensuring that private IP addresses cannot be configured as origin-pull addresses and that there were detection and reminders for spaces entered in domain names.
      2024-07-22
      -
      Basic security protection capability optimization
      The security rule engine's rule database had been enhanced with a new risk level field, allowing for the filtering of rules based on different threat risk levels, thereby improving the efficiency of security operations.
      The security rule engine's rule database supported the fuzzy retrieval for the rule content description field, enhancing the customer experience in querying about protection rules for improved security operations.
      Field and matching methods in CC protection had been optimized, improving the user experience.
      The IP query capability had been optimized by enhancing ban query capabilities and adding IP ban log queries.
      The number of domain names supported for an effective single rule configuration in batch protection has been increased to 300, improving the batch protection experience.
      2024-07-22
      -
      Mini programs' security acceleration feature optimization
      Automatic access had been extended to support the developer edition and includes the ability to switch between the developer edition and trial edition, enhancing the user experience during the access testing process.
      Both automatic and manual access supported advanced configuration, allowing users to customize the capitalization of the first letter in response packet header field names.
      Automatic access supported custom configuration of the grayscale release ratio for all editions, enhancing access stability and user experience.
      Manual access had been extended to support both WebSDK and AppSDK, effectively enabling full traffic access to the mini programs security acceleration gateway for comprehensive business protection.
      2024-07-22
      -
      
      API security feature optimization
      API security supported accessing more traffic logs for detection, allowing the shipping of response body traffic from domain names/objects accessed by CLB-WAF or traffic not accessed by WAF to WAF-provided CKafka for API asset discovery and security detection.
      API security rule configuration had been continuously optimized, allowing both API traffic throttling and API authentication features to support regular expression match or direct selection of discovered API assets, thereby enhancing the configuration flexibility.
      API security supported customizing the number of saved asset parameter samples with the ability to switch between them for viewing, as well as quickly copying the sample content.
      The API asset list supported custom policies for determining inactive APIs, enabling effective management of the API asset lifecycle.
      2024-07-22
      -

      May 2024

      Update
      Description
      Release Date
      Documentation
      Billing capability optimization
      The mini programs security acceleration included an additional billing option for mini program nodes, supporting the expansion of the number of mini programs that can be accessed. This was designed to accommodate the needs of large-scale mini program businesses accessing the same WAF instance simultaneously.
      A new postpaid billing management page had been added, allowing users to view detailed historical elastic postpaid bills for easier bill detail queries.
      Newly purchased value-added and expansion capability resources supported automatic association with instance tags. Security log packages were user-specific, allowing resource tags to be set for the log service package individually on the instance management page after purchase.
      2024-05-31
      -
      Protection capability optimization
      CC protection enhancements supported a threshold of 100,000 requests within a 5-minute interval, improving the protection capabilities of custom CC rules.
      CAPTCHA actions supported customizing exemption duration, penalty duration, and retry limits for each domain name.
      2024-05-31
      -
      API security feature optimization
      The API asset list included API authentication detection and display, as well as the ability to add API remarks. Additionally, a new asset hardening operation had been introduced, allowing one-click addition of input parameter detection and traffic throttling rules to the current API.
      API security included the ability to create custom feature scene tags, allowing batch assignment of these tags to APIs that match specific request characteristics through rule configuration.
      After API security was enabled on CLB-WAF, it supported detecting response traffic by shipping the traffic to WAF CKafka.
      The display of API event details in event management had been optimized by adding an attack source IP view, allowing for quick assessment of the impact and prompt action on the attack source.
      2024-05-31
      -
      
      Log and monitoring optimization
      The security overview included a Top 5 bandwidth statistics feature for proxy access traffic, helping customers identify high-bandwidth businesses and thereby enhancing the business operation experience.
      A new event alarm capability had been added, allowing for scheduled alarms for newly detected API and BOT events in event management. Notifications could be sent daily or hourly via internal messages and emails.
      Access log storage and shipping settings supported customizing options to include BOT information. When it was enabled, request records and shipped logs that hit the BOT module contained related BOT fields.
      The stability monitoring of SAAS-WAF service IP addresses supported integration with Tencent Cloud Observability Platform, allowing users to customize real-time monitoring and alarm services for WAF monitoring, thereby improving business operation efficiency.
      2024-05-31
      -

      March 2024

      Update
      Description
      Release Date
      Documentation
      Billing capability and specification optimization
      WAF elastic billing supported bandwidth-based elastic billing, suitable for elastic protection of low QPS and high bandwidth businesses.
      The number of custom domain name policies and precise allowlist policy rules had been expanded to better support complex business security Ops.
      Mini programs security acceleration supported elastic billing, meeting the need for protection during sudden traffic spikes.
      Mini programs security acceleration supported an increased access number of mini program IDs. The Advanced Edition had been upgraded to support up to 3 mini program IDs, while the Enterprise and Ultimate Editions supported up to 4 mini program IDs.
      2024-03-20
      -
      Mini programs security acceleration access capability optimization
      Mini programs security acceleration supported access through cloud native gateways, APISIX, and custom hybrid cloud gateway domain names, enhancing coverage and optimizing the access experience.
      Automatic access supported API interface-based access, catering to the personalized needs of core business access.
      Manual access supported adding multiple origin server domain names and ports, meeting the needs for multi-domain name origin-pull requests.
      2024-03-20
      -
      API security feature optimization
      API security supported detecting horizontal privilege escalation and cross-border data transfer events.
      The API asset list supported grouping assets according to an asset tree, making the API asset hierarchy clearer.
      2024-03-20
      BOT protection capability optimization
      The BOT expert rule set supported batch switching to redirection or CAPTCHA actions, providing more diverse protection options.
      The BOT expert rule set included protection level settings, allowing for switching between strict mode and normal mode.
      2024-03-20
      -
      BOT event management capability release
      Event management capabilities supported BOT risk event alarms, one-click handling, and attack source analysis, enhancing the efficiency of BOT traffic protection and response.
      2024-03-20
      -
      Protection configuration experience optimization
      Custom rules and precise allowlists supported more matching methods, allowing for more flexible traffic matching.
      2024-03-20
      -
      Log and monitoring capability optimization
      Custom access log storage alarm thresholds could be set, with notifications triggered when the specified percentage was reached.
      Access logs had been enhanced with a richer set of fields and operators, improving the retrieval experience.
      Tencent Cloud Observability Platform supported QPS and bandwidth utilization metrics for Web Application Firewall, optimizing the monitoring experience.
      2024-03-20
      Access capability optimization
      SAAS-WAF access domain names had been optimized to disable proxy caching, supporting the access of SSE protocol businesses.
      CLB-WAF provided visibility into the access status of domain names and objects, enhancing the access experience.
      The access list supported customizing column settings, meeting personalized domain name management needs and improving the user experience in access management.
      2024-03-20

      January 2024

      Update
      Description
      Release Date
      Documentation
      API security feature optimization
      API security asset list optimization
      The display of sensitive assets had been optimized, allowing for filtering and viewing of assets with sensitive data in the request body or response body.
      API parameter sample display had been optimized, now supporting the customization of parameter displays with generalized data.
      API security detection events had been enriched with the addition of monitoring for three types of events: vertical privilege escalation, unauthorized access to sensitive information, and excessive sensitive information retrieval. This enhanced the ability to discover API asset risks.
      API security included authentication credential configuration: it supported setting up credential recognition rules for individual APIs or all APIs under a domain name. Custom rules were applied first, and if no custom rules were added, the system's built-in rules would be used for recognition.
      2024-01-22
      BOT management capability optimization
      Session management capabilities in BOT management had been optimized: you could set different session identification extraction rules and prioritize them based on different protection scenes. The session identification parameters also supported extraction through parsing two layers of JSON.
      BOT custom rules supported more parameter configurations: added support for the number of sessions per IP, the most frequent COOKIE, and the most frequent UA fields, allowing for the configuration of related protection rules.
      2024-01-22
      Access log shipping was supported for regions outside the Chinese mainland.
      Log data could be shipped to CLS and TDMQ for CKafka, with billing based on the actual volume shipped.
      2024-01-22
      Protection configuration experience optimization
      Protection configuration rules supported IPV6 and IPV6 address range settings, enhancing the configuration experience.
      Access control rule parameters supported matching empty content values, enhancing traffic management capabilities.
      The Tiga engine supported adding multiple rule IDs to the allowlist for the same URL, improving the user experience.
      The batch protection feature supported adding IP blocking rules, allowing for the management of IP blocking rules across multiple domain names.
      2024-01-22
      Object access supported enabling BOT protection and API security protection.
      Once this feature was enabled, it supported the quick activation of BOT management and API security analysis and protection for CLB objects.
      2024-01-22
      -
      Access list optimization
      Optimized domain name access status display: SaaS-based WAF offered detailed prompts for certificate and DNS resolution status of accessed domain names, along with guidance for resolving abnormal statuses.
      The SaaS-based WAF supported custom WebSocket timeout settings, custom origin-pull HOST settings, and the addition of custom remarks for accessed domain names.
      Object access supported custom Layer-7 proxy services: once enabled, the client IP determination method could be set.
      2024-01-22

      December 2023

      Update
      Description
      Release Date
      Documentation
      Mini programs security acceleration access optimization
      The manual access of Mini Programs Security Acceleration supported hybrid access for both native mini programs and embedded H5 development, enabling protection for hybrid-developed mini programs.
      Mobile Mini Programs Security access supported one-click automatic access and publishing, as well as one-click unpublishing, improving access efficiency and user experience.
      2023-12-25
      -

      November 2023

      Update
      Description
      Release Date
      Documentation
      Enhanced BOT protection scenes
      Spam SMS and Email bombing scene: This scene defended against large-scale spam SMS and email bombing. When a business account was targeted by such attacks, it was recommended to select this scene and customize the protection scope to include the relevant URLs being bombarded.
      Social media flooding scene: This scene defended against automated actions such as registration, comments, and likes. When your social media ecosystem was disrupted by these automated behaviors of your businesses, it was recommended to select this scene and customize the protection scope to include the relevant URLs.
      Automated download scene: This scene defended against automated software/app downloads and attacks on download sites. When your business experienced a high volume of automated downloads or attacks on download sites, it was recommended to select the Automated Download Scene and customize the protection scope to include download-related URLs.
      Custom scene: This scene allowed you to customize protection policies based on the specific characteristics of your business. When you needed policies that suited your unique business needs, it was recommended to select the Custom Scene. If you had any questions during the configuration process, see the Practical Tutorial Documentation.
      2023-11-20
      -
      Security overview report optimization
      A new domain name QPS peak Top 5 analysis chart had been added, enabling quick identification of abnormal domain names and URLs during sudden business traffic surges.
      2023-11-20
      Basic security rule configuration optimization
      Access control and precise allowlist rule copy optimization: When rules were copied to other domain names, a new copy only new rules feature had been added, supporting incremental copying needs and reducing the risk of accidental operations.
      Access control rule configuration optimization: The batch protection module supported access control configuration, allowing rapid deployment of ACL rules to multiple domain names.
      2023-11-20
      API security support for custom API asset aggregation policies
      For specific API paths, matching was performed based on the entered regular expressions:
      No configuration was required by default; if not customized, API aggregation would follow the system's built-in model.
      Since API aggregation was closely related to the user's actual business design, it was difficult to avoid a few cases where API asset aggregation may not meet user expectations. In such instances, custom aggregation rules could be used to adjust the aggregation results.
      Once a custom aggregation rule was matched, the next asset update would discard historical data and display results based on the latest aggregation.
      2023-11-20
      Mini programs security acceleration feature release
      The WeChat gateway access linkage had been established, providing native high-availability acceleration services. In weak network environments, transmission speed was improved by 300%, and network success rates were increased to over 99.9%.
      By combining WeChat security gateway with WAF security protection capabilities, native security protection was provided for mini programs against dozens of typical attacks, including DDoS protection, DNS hijacking prevention, anti-scraping, and anti-fraud measures.
      Ready to use, providing unified security management for both web and mini program platforms.
      2023-11-15
      -

      September 2023

      Update
      Description
      Release Date
      Documentation
      Support for hybrid cloud access and protection capabilities
      By deploying containerized WAF protection nodes in various hybrid cloud web business scenes, such as other public clouds, on-premise IDCs, and server rooms, users could benefit from localized protection for multiple business operations. This setup offered security Ops capabilities consistent with Tencent Cloud WAF protection for web businesses. Additionally, it provided local protection and the same level of efficient, convenient, and secure protection and management capabilities as cloud WAF for web businesses that had not yet migrated to the cloud.
      2023-09-27
      -
      Protection experience optimization
      CC protection supported multiple SESSION configurations: You could configure multiple SESSION settings and customize which SESSION setting to apply when creating new rules, meeting the need to recognize various session IDs when multiple clients accessed the website.
      IP allowlist and blocklist supported one-click clearing of expired rules.
      2023-09-27
      Addition of easy mode support in BOT management
      A built-in expert-managed BOT detection rule set with a false positive rate of less than 0.05% was available, enabling precise identification of suspicious BOT features and quick activation of the interception mode.
      2023-09-27
      -
      BOT protection capability and experience upgrades
      New BOT protection scenes for scanning and critical protection had been added, helping users defend against automated malicious scanning attacks and quickly strengthen protection during critical periods.
      Optimization of BOT management experience:
      Custom rules supported the addition of an IP location field, allowing for more granular protection configurations.
      BOT traffic analysis report included abnormal request trend statistics, making abnormal traffic analysis more intuitive.
      BOT details could be exported, making statistical analysis more convenient.
      Attack log rule management supported BOT custom rule types. When a custom rule was triggered, you could quickly access rule details and make adjustments of the content directly within the interface.
      2023-09-27
      API security support for custom sensitive data detection rules
      API security supported custom sensitive data detection rules, providing three matching methods: keyword matching, character matching, and regular expression matching. This enabled precise identification of sensitive APIs, facilitating their remediation.
      2023-09-27
      Overview and CLS experience optimization
      The overview page displayed options for auto-renewal and upgrades for instances, as well as renewal and upgrade links for the Cloud Log Service, enhancing the user experience for upgrades and renewals.
      The overview page provided basic security analysis, including attack interception statistics related to web security protection, access control, and CC attack protection, along with week-over-week data analysis and corresponding interception trend analysis. Users could also click to view detailed attack logs, enhancing the basic security report experience.
      Attack and access log fields had been optimized to support TOP 50 results statistics in both ascending and descending order, assisting ops analysis.
      2023-09-27

      August 2023

      Update
      Description
      Release Date
      Documentation
      Access capability upgrade
      Grayscale support for cloud-native API Gateway traffic access: Users could configure traffic from cloud-native API gateways for protection through load-balancing WAF, as well as migrate CLB instance traffic for access.
      Grayscale support for object access had been introduced for private network CLB instance access protection and private network CLB domain name access protection in regions outside the Chinese mainland.
      Custom resettings of XFF capability supported for users: If it was confirmed that there were no proxy service before WAF, users could clear the XFF field to prevent access from maliciously spoofed traffic, further enhancing business security.
      For domain name access, the round-robin scheduling policy supported setting the weight to 0, enabling smooth origin-pull switching to different nodes in multi-site active-active scenes.
      2023-08-25
      Protection capability upgrade
      Grayscale support for regular expression rule configuration: Certain fields in basic security custom rules and BOT custom rules supported regular expression configuration. (This feature was available for Enterprise Edition and later editions of WAF instances upon requests for grayscale rollout.)
      The execution methods for precise allowlists and IP allowlists had been optimized.
      Regional blocking supported batch protection settings: You could apply the same region blocking policy to multiple domain names simultaneously.
      Supported BOT protection information transmission: After BOT traffic management was enabled in SaaS-based WAF, the BOT protection information transmission feature could be flexibly activated. This allowed BOT scores and client unique IDs to be inserted into HTTP headers and returned to the origin server. The origin server could then use this information to customize secondary handling policies, supporting business protection needs.
      Addition of UA policy module in BOT Traffic Management - Intelligent Analysis: This feature allowed users to customize which UA types to enable or disable for analysis, facilitating more refined management of UA policies.
      Optimized BOT Traffic Management - Custom Rule Configuration Experience: A new Header parameter value field had been added, allowing actions to be configured based on specific request content. Additionally, string-type matching fields supported multiple matching content entries separated by carriage returns.
      2023-08-25
      -
      User experience optimization
      Domain name list experience optimization:
      Supported batch enabling and disabling of access logs and API security switches.
      Supported fuzzy retrieval of origin server domain names to retrieve accessed domain name information, enhancing the retrieval experience.
      Supported exporting configuration information corresponding to domain names, improving the analysis experience when you checked configurations across multiple domain names in large-scale access scenes.
      The API security user experience had been optimized to support quick analysis of API assets across all domain names and to analyze recent access trends for these assets.
      API Traffic Analysis, API Asset Management, and API Event Management supported viewing from an All Domains perspective.
      The API asset list supported viewing and downloading the call volume for the past 30 days.
      Click View API Asset Details to view the QPS peak for the previous day.
      Log shipping supported selecting CKafka as a target environment with SASL PLAINTEXT for encrypted authentication before shipping.
      2023-08-25
      Result visualization optimization
      The security overview page allowed report filtering and viewing with minute-level granularity. When the selected time period was less than 6 hours, the business analysis curve chart was refined to a 30-second time granularity.
      Attack log field optimization:
      Two new fields, Scene ID and Scene Module, had been added. These allowed users to quickly locate the specific rule triggered by an attack using the Scene ID, Scene Module, and Rule ID fields.
      The status field had been modified to support filtering by action types, including Intercept, Monitor, CAPTCHA, and Redirect.
      A new sec_chain field had been added, allowing users to view the modules a request passed through and the actions executed by each module.
      A new prote_domain field had been added to display the accessed domain name or CLB object. This allowed for the addition of corresponding false positive correction allowlists or source IP blocklists, supporting quick handling of traffic for wildcard domain names, object access, and default domain name scenes.
      The BOT Traffic Analysis Report experience had been optimized to allow for clearer filtering and more detailed BOT statistics.
      HTTP response code filtering had been added.
      Customization of BOT detail list fields was supported.
      The View BOT Details - Request Feature Information module included the scoring information for each BOT module.
      2023-08-25
      Elastic postpaid billing support for BOT management
      Elastic QPS billing supported extended BOT protection: After the elastic billing and BOT protection were enabled, any business request peaks that exceeded the total QPS quota purchased for the instance would incur an additional charge of USD 0.02 per QPS per day.
      2023-08-25

      May 2023

      Update
      Description
      Release Date
      Documentation
      Access capability upgrade
      Object access capabilities had been upgraded to support all IPv6 CLB instances, and WAF instances outside the Chinese mainland could enable object access.
      2023-05-31
      -
      Protection capability upgrade
      CLB-WAF instances supported customizing response status code configurations.
      2023-05-31
      -
      Comprehensive user experience upgrade
      Multi-instance domain name access optimization: The domain name access quantity reminders and instance purchase notifications had been optimized, enhancing the overall service experience.
      Domain name access was case-insensitive, preventing missed interceptions due to case differences and enhancing protection effectiveness.
      The Rule ID field in attack logs supported viewing and editing related custom rules, enhancing the user experience.
      2023-05-31

      April 2023

      Update
      Description
      Release Date
      Documentation
      Access capability upgrade
      CLB-WAF supported the protection of private network-based CLB web business.
      2023-04-27
      -
      Comprehensive user experience upgrade
      The management of instance overage and renewal consistency reminders had been upgraded and improved, ensuring greater service stability.
      API performance and OpenAPI documentation had been upgraded and improved, ensuring stability and ease of use for third-party calls.
      Emergency CC protection capabilities had been optimized and upgraded, improving both protection effectiveness and user experience.
      CLB-WAF supported automated emergency CC protection, effectively ensuring business availability.
      Monitoring capabilities had been upgraded to support the monitoring and alarming of various metrics at the WAF instance level.
      2023-04-27
      -
      Major release of API Security 2.0
      After API security was enabled, you could activate API security analysis for accessed domain names with a single click. This helped businesses identify API risks and sensitive data, effectively reducing API exposure and building an intelligent and precise API security defense system.
      2023-04-24
      -

      June 2022

      Update
      Description
      Release Date
      Documentation
      Launch of SaaS-based WAF in a new region
      SaaS-WAF supported 9 new nodes in Singapore, Bangkok, Jakarta, Seoul, Tokyo, Silicon Valley, Frankfurt, Virginia, and São Paulo.
      2022-06-03
      -
      Launch of CLB-based WAF in a new region
      CLB-based WAF supported multiple new nodes.
      2022-06-03
      -
      Cross-regional simultaneous upgrade support
      Web Application Firewall supported simultaneous upgrades across regions, including both Chinese mainland and non-mainland regions, enhancing user experience and optimizing product capabilities.
      2022-06-03
      -
      Experience upgrade
      The data storage for Web Application Firewall instances outside the Chinese mainland had been optimized to support isolated viewing of resource data by region, enhancing the user operation and management experience.
      2022-06-03
      -
      Access experience optimization
      Access capabilities had been optimized, enhancing user access stability and experience.
      2022-06-03
      -

      April 2022

      Update
      Description
      Release Date
      Documentation
      Operation logs
      The console supported viewing Web Application Firewall operation audit logs, as well as user operation queries and traceability.
      2022-04-29
      -
      Instance list
      Users could purchase multiple editions or upgrade across different editions of Web Application Firewall instances, allowing them to select the appropriate edition based on their specific business protection needs.
      2022-04-29
      Access mode
      In the origin-pull mode, users could customize the configuration of multiple IP weighted round-robin scheduling settings, meeting the load balancing needs for complex SaaS-based accesses.
      2022-04-29
      Precise allowlist rule optimization
      Precise allowlist rules supported allowlisting custom rules (access control), enhancing granular traffic management capabilities.
      2022-04-29
      Protection capability optimization
      Enhanced protection capabilities for ultra-long messages had been added, improving protection, reducing missed interceptions, and optimizing the protection experience.
      The protection capabilities for attack patterns in the header Connection had been enhanced, reducing missed interceptions and improving overall protection.
      2022-04-29
      -
      Log shipping service
      The log shipping feature allowed log data to be shipped to CLS or TDMQ for CKafka, helping to uncover the value of log data and assisting users in addressing log Ops needs.
      2022-04-10
      New BOT session management
      A new BOT session management feature had been added, which optimized BOT protection capabilities by parsing session traffic types.
      2022-04-01
      -
      BOT traffic analysis optimization
      BOT traffic analysis had been enhanced by collecting data from BOT behavior management. This allowed for a quick understanding of the impact of BOTs on selected and enabled domain names. Users could rapidly access information on the current BOT classification trends, handling trends, BOT score distribution, top request volume statistics, and a list of vulnerable asset URLs.
      2022-04-01
      BOT traffic details optimization
      BOT traffic analysis collected data from BOT behavior management, allowing for a quick understanding of the impact of BOTs on selected and enabled domain names. Users could click to view details, see BOT information related to specific access sources, identify access patterns, and detect any exceptions associated with BOT from those sources.
      2022-04-01

      March 2022

      Update
      Description
      Release Date
      Documentation
      Enhanced IP blocking capability
      IP blocking supported domain name-level differentiated blocking, allowing different detection duration and separately calculated blocking time for each domain name.
      2022-03-02

      January 2022

      Update
      Description
      Release Date
      Documentation
      BOT and business security
      A new custom BOT session policy had been introduced.
      2022-01-02
      -
      BOT and business security
      BOT protection supported integration with App CAPTCHA.
      2022-01-02
      
      
      Contact Us

      Contact our sales team or business advisors to help your business.

      Contact Us
      Technical Support

      Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

      Submit a Ticket
      7x24 Phone Support
      Copyright © 2013-2024 Tencent Cloud. All Rights Reserved.
      Privacy PolicyLegalCookie Policy