Overview of Web Application Firewall

Learn about Oracle Cloud Infrastructure Web Application Firewall, a regional-based and edge enforcement service that is attached to an enforcement point, such as a load balancer or a web application domain name.

WAF protects applications from malicious and unwanted internet traffic. WAF can protect any internet-facing endpoint, providing consistent rule enforcement across a customer's applications.

Note

If you want to use WAF for edge enforcement, see Edge Policies for more information.

WAF provides you with the ability to create and manage rules for internet threats including Cross-Site Scripting (XSS), SQL Injection, and other OWASP-defined vulnerabilities. Access rules can limit based on geography or the signature of the request.

WAF policy is a regional solution that works as a plug-in for your load balancer.

Edge policy is a global solution. To use this solution, allowlist Oracle nodes throughout the world and use DNS to point your application to the CNAME that we provide.

You can convert an Edge policy to a WAF policy, and vice versa, by manually recreating the settings and policy. No automated method or tool exists for this conversion.


WAF Concepts

Describes concepts associated with a web application firewall (WAF).

Access Control

Access control encompasses request and response controls.

Action

Actions are objects that represent one of the following:

WAF is a Payment Card Industry (PCI) compliant, global security service that protects applications from malicious and unwanted internet traffic.

Authentication and Authorization

Each service in Oracle Cloud Infrastructure integrates with IAM for authentication and authorization, for all interfaces (the Console, SDK or CLI, and REST API).

An administrator in your organization needs to set up groups, compartments, and policies that control which users can access which services, which resources, and the type of access. These policies control who can create users, create and manage the cloud network, launch instances, create buckets, download objects, and similar tasks. For more information, see Getting Started with Policies. For specific details about writing policies for each of the different services, see Policy Reference.

If you're a regular user (not an administrator) who needs to use the Oracle Cloud Infrastructure resources that your company owns, contact your administrator to set up a user ID for you. The administrator can confirm which compartment or compartments you should be using.

Creating Automation with Events

You can create automation based on state changes for your Oracle Cloud Infrastructure resources by using event types, rules, and actions. For more information, see Overview of Events.

Tagging Resources

Apply tags to your resources to help organize them according to your business needs. Apply tags at the time you create a resource, or update the resource later with the wanted tags. For general information about applying tags, see Resource Tags.

Security

This topic describes security for WAF.

For information about how to secure WAF, including security information and recommendations, see Securing Web Application Firewall.