Oracle Cloud Infrastructure WAF FAQ

General Questions

What is Oracle Cloud Infrastructure Web Application Firewall (WAF) Service?

Oracle Cloud Infrastructure Web Application Firewall (WAF) is a cloud-based, PCI-compliant, global security service that protects applications from malicious and unwanted internet traffic. Oracle Cloud Infrastructure WAF can protect any internet-facing endpoint, providing consistent rule enforcement across a customer's applications.

Oracle Cloud Infrastructure WAF enables customers to create and manage rules for avoiding internet threats, including cross-site scripting (XSS), SQL injection, and other OWASP-defined vulnerabilities. Unwanted bots can be mitigated while desirable bots are allowed to enter. The rules can also be used to limit access based on geography or the signature of incoming requests.

Oracle's 24x7 global Security Operations Center (SOC) will continually monitor the internet threat landscape and act as an extension of your IT security team.

What is the use case for Oracle Cloud Infrastructure WAF?

The Oracle Cloud Infrastructure WAF should be considered for any internet-facing web application or HTTP-based API.

What is the shared responsibility model for Oracle Cloud Infrastructure WAF?

| Responsibility | Oracle | Customer |
| --- | --- | --- |
| Onboard/configure the WAF policy for the web application | No | Yes |
| Configure WAF onboarding dependencies (DNS, ingress rules, network) | No | Yes |
| Provide high availability (HA) for the WAF | Yes | No |
| Monitor for distributed denial of service (DDoS) attacks | Yes | No |
| Keep WAF infrastructure patched and up-to-date | Yes | No |
| Monitor data-plane logs for abnormal, undesired behavior | Yes | Yes |
| Construct new rules based on new vulnerabilities and mitigations | Yes | No |
| Review and accept new recommended rules | No | Yes |
| Tune the WAF's access rules and bot management strategies for your traffic | No | Yes |

What are the benefits of Oracle Cloud Infrastructure WAF?

Oracle Cloud Infrastructure WAF filters out malicious requests to your web application or API. It also gives you more visibility into where the traffic is coming from, and Layer 7 DDoS attacks are mitigated, ensuring greater availability.

The bot management solution uses detection techniques such as IP rate limiting, CAPTCHA, device fingerprinting, and human interaction challenges to identify and block bad and/or suspicious bot activity from scraping your website for competitive data. At the same time, the WAF can allow legitimate bot traffic from Google, Facebook, and others to continue to access your web applications as intended.

Oracle Cloud Infrastructure WAF employs an intelligent DNS data-driven algorithm that determines the best global point of presence (POP) to serve a given user in real time. As a result, users are routed around global network issues and potential latency, with the best possible uptime and service levels.

What capabilities and key features do I get with Oracle Cloud Infrastructure WAF?

  • Architecture deployment and origin lock down: Restrict traffic to ports 80 & 443, which results in all other connections being dropped.
  • Dynamic traffic routing via DNS: Leverage DNS-based traffic-routing algorithms that consider user latency from thousands of global locations to determine the lowest latency routes.
  • High availability: When configuring web-application delivery, Oracle Cloud Infrastructure WAF offers several high availability configuration options with the ability to add multiple origin servers. These settings and/or servers will only be used in cases where primary origin servers are offline or not responding correctly to health checks.
  • Managing policies: Configure and manage features and functionality within the Oracle Cloud Infrastructure WAF configuration.
  • Monitoring and reporting: This functionality gives users the ability to access reporting related to their content library.
  • Support: Alert support teams of an issue and escalate a ticket depending on urgency (i.e. sev1, 2, or 3).

How do I get started with Oracle Cloud Infrastructure WAF?

Oracle Cloud Infrastructure WAF is available to Universal Credit Model subscribers. Universal Credit Model subscribers can access Oracle Cloud Infrastructure WAF via the Oracle Cloud Infrastructure Console under the Edge Services tab. There is a Getting Started Guide in the documentation that is the ideal place to start.

Oracle Cloud Infrastructure WAF uses the Universal Credit Model, and credits burn down based on the following metrics:

  • Number of requests (higher price with Bot Management enabled)
  • Amount of data/traffic egressed from the WAF
  • Number of non-Oracle Cloud Infrastructure endpoints (monthly)

Can I subscribe to Oracle Cloud Infrastructure WAF without using any other services?

Yes. Oracle Cloud Infrastructure WAF is available to Universal Credit Model Subscribers. Customers may choose to leverage only Oracle Cloud Infrastructure WAF to protect non-OCI workloads. There is a small dependency on object storage to leverage the Oracle Cloud Infrastructure console that will show up on your billing.

Are all Oracle Cloud Infrastructure WAF capabilities available in the API?

Yes. Oracle Cloud Infrastructure WAF was designed API-first, so anything you can do in the console is available in the API.

Are all Oracle Cloud Infrastructure WAF controls available via the console?

Not as of February 2019. There are some management functions that can only be performed via API. Some of these API-only functions include:

  • Threat intelligence
  • Exclusions to protection rules
  • IP rate limiting
  • Sorting access rules
  • Certificate management (beyond uploading a single certificate/key)
  • Device fingerprinting and human interaction bot challenges
  • Reporting and telemetry (assuming Oracle Cloud Infrastructure public telemetry is not available to you)

We will continue to add these items to the console and publish API, SDK, and Terraform examples for managing these features.

How do I import Oracle Cloud Infrastructure WAF logs to my SIEM?

The recommended approach is to use the API to have your SIEM consume WAF logs. We do not provide any pre-built plug-ins for SIEM providers today.

From which Oracle Cloud Infrastructure regions can I configure the WAF?

Oracle Cloud Infrastructure WAF is a global service that can be configured from any commercial region. It is not limited to that region for data, though. Any Oracle Cloud Infrastructure WAF configuration is added to the global 'edge'.

Where are the global points of presence for Oracle Cloud Infrastructure WAF?

Today, the edge nodes are available in the following points of presence:

  • Vancouver
  • Toronto
  • Dallas
  • Chicago
  • Ashburn
  • Seattle
  • Frankfurt
  • London
  • Miami
  • Hong Kong
  • Tokyo

Technical Questions

How do I lock down my origin to only accept connections from the Oracle Cloud Infrastructure WAF edge nodes?

Configure your origin ingress rules to only accept connections from the following CIDR ranges:

  • 192.157.18.0/23
  • 205.147.88.0/21
  • 192.69.118.0/23
  • 198.181.48.0/21
  • 199.195.6.0/23
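
The following is an added example, not Oracle's code: it expands the CIDR ranges above (with ports 80 and 443 from the feature list) into allow pairs for an ingress rule set, and audits connection records to find traffic that reached the origin without passing through the WAF. The `src_ip dst_port` record format, the function names, and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Edge CIDR ranges exactly as listed in this FAQ.
WAF_EDGE_CIDRS = [
    "192.157.18.0/23", "205.147.88.0/21", "192.69.118.0/23",
    "198.181.48.0/21", "199.195.6.0/23",
]
WAF_PORTS = (80, 443)  # origin lock down restricts traffic to these ports
EDGE_NETS = [ipaddress.ip_network(c) for c in WAF_EDGE_CIDRS]


def ingress_allowlist():
    """Return (cidr, port) allow pairs; everything else should be dropped."""
    return [(str(net), port) for net in EDGE_NETS for port in WAF_PORTS]


def from_waf_edge(addr):
    """True if addr parses as an IP address inside one of the edge ranges."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False  # malformed source: treat as not from the WAF
    return any(ip in net for net in EDGE_NETS)


def audit_connections(lines):
    """Flag accepted connections that bypassed the WAF or used another port.

    Each line is 'src_ip dst_port' (assumed format). Returns a list of
    (src, port, reason) findings."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) != 2 or not parts[1].isdigit():
            findings.append((line.strip(), None, "unparseable"))
            continue
        src, port = parts[0], int(parts[1])
        if not from_waf_edge(src):
            findings.append((src, port, "source outside WAF edge ranges"))
        elif port not in WAF_PORTS:
            findings.append((src, port, "port not 80/443"))
    return findings


# Constructed sample records, chosen only to exercise each branch.
SAMPLE = ["192.157.19.7 443", "205.147.95.255 80", "203.0.113.9 443",
          "198.181.50.1 22", "199.195.8.1 443"]
```

Any finding from `audit_connections` on records of accepted connections means the origin ingress rules are looser than the allow pairs returned by `ingress_allowlist()`.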

Can a customer brand their CAPTCHA pages?

Yes, but this is not a self-service option. They can file a support ticket with My Oracle Support to request an update to their CAPTCHA page. A requirement is that it must be HTML with all JavaScript inline; no external files.

What Core Rule Set (CRS) of OWASP does Oracle Cloud Infrastructure WAF support?

Presently (March 2018), ZenEdge supports CRS 2.

Is there a way to enable all rules, in all sets, at the same time?

We suggest using the API, CLI, SDK, or Terraform to script this.
