Web Application Firewall FAQ

General questions

What is Oracle Cloud Infrastructure Web Application Firewall (WAF) Service?

Oracle Cloud Infrastructure Web Application Firewall (WAF) is a cloud-based, PCI-compliant, global security service that protects applications from malicious and unwanted internet traffic. Oracle Cloud Infrastructure WAF can protect any internet-facing endpoint, providing consistent rule enforcement across a customer's applications.

Oracle Cloud Infrastructure WAF enables customers to create and manage rules for avoiding internet threats, including cross-site scripting (XSS), SQL injection, and other OWASP-defined vulnerabilities. Unwanted bots can be mitigated while allowing desirable bots to enter. The rules can also be used to limit access based on geography or the signature of incoming requests.

Oracle's 24x7 global Security Operations Center (SOC) will continually monitor the internet threat landscape and act as an extension of your IT security team.

What is the use case for Oracle Cloud Infrastructure WAF?

The Oracle Cloud Infrastructure WAF should be considered for any internet-facing web application or HTTP-based API.

What is the shared responsibility model for Oracle Cloud Infrastructure WAF?

| Responsibility | Oracle | Customer |
|---|---|---|
| Onboard/configure the WAF policy for the web application | No | Yes |
| Configure WAF onboarding dependencies (DNS, ingress rules, network) | No | Yes |
| Provide high availability (HA) for the WAF | Yes | No |
| Monitor for distributed denial of service (DDoS) attacks | Yes | No |
| Keep WAF infrastructure patched and up-to-date | Yes | No |
| Monitor data-plane logs for abnormal, undesired behavior | Yes | Yes |
| Construct new rules based on new vulnerabilities and mitigations | Yes | No |
| Review and accept new recommended rules | No | Yes |
| Tune the WAF's access rules and bot management strategies for your traffic | No | Yes |

What are the benefits of Oracle Cloud Infrastructure WAF?

Oracle Cloud Infrastructure WAF filters out malicious requests to your web application or API. It also gives you more visibility into where the traffic is coming from, and Layer 7 DDoS attacks are mitigated, ensuring greater availability.

The bot management solution uses detection techniques such as IP rate limiting, CAPTCHA, device fingerprinting, and human interaction challenges to identify and block bad and/or suspicious bot activity from scraping your website for competitive data. At the same time, the WAF can allow legitimate bot traffic from Google, Facebook, and others to continue to access your web applications as intended.

Oracle Cloud Infrastructure WAF employs an intelligent DNS data-driven algorithm that determines the best global point of presence (POP) to serve a given user in real time. As a result, users are routed around global network issues and potential latency, and receive the best possible uptime and service levels.

What capabilities and key features do I get with Oracle Cloud Infrastructure WAF?

  • Architecture deployment and origin lock down: Restrict traffic to ports 80 & 443, which results in all other connections being dropped.
  • Dynamic traffic routing via DNS: Leverage DNS-based traffic-routing algorithms that consider user latency from thousands of global locations to determine the lowest latency routes.
  • High availability: When configuring web-application delivery, Oracle Cloud Infrastructure WAF offers several high availability configuration options with the ability to add multiple origin servers. These settings and/or servers will only be used in cases where primary origin servers are offline or not responding correctly to health checks.
  • Managing policies: Configure and manage features and functionality within the Oracle Cloud Infrastructure WAF configuration.
  • Monitoring and reporting: This functionality gives users the ability to access reporting related to their content library.
  • Support: Alert support teams of an issue and escalate a ticket depending on urgency (i.e. sev1, 2, or 3).

How do I get started with Oracle Cloud Infrastructure WAF?

Oracle Cloud Infrastructure WAF uses the universal credits model, and credits burn down based on the following metrics:

  • Number of requests (higher price with Bot Management enabled)
  • Amount of data/traffic egressed from the WAF
  • Number of non-Oracle Cloud Infrastructure endpoints (monthly)

Can I subscribe to Oracle Cloud Infrastructure WAF without using any other services?

Yes. Oracle Cloud Infrastructure WAF is available to Universal Credit Model Subscribers. Customers may choose to leverage only Oracle Cloud Infrastructure WAF to protect non-OCI workloads. There is a small dependency on object storage to leverage the Oracle Cloud Infrastructure console that will show up on your billing.

Are all Oracle Cloud Infrastructure WAF capabilities available in the API?

Yes. Oracle Cloud Infrastructure WAF was designed API-first, so anything you can do in the console is available in the API.

Are all Oracle Cloud Infrastructure WAF controls available via the console?

Not as of March 2021. There are some management functions that can only be performed via API. Some of these API-only functions include:

  • Threat intelligence
  • IP rate limiting
  • Sorting access rules
  • Certificate management (beyond uploading a single certificate/key)
  • Reporting and telemetry (assuming Oracle Cloud Infrastructure public telemetry is not available to you)

We will continue to add these items to the console and publish API, SDK, and Terraform examples for managing these features.

How do I import Oracle Cloud Infrastructure WAF logs to my SIEM?

The recommended approach is to use the API to have your SIEM consume WAF logs. We do not provide any pre-built plug-ins for SIEM providers today.

From which Oracle Cloud Infrastructure regions can I configure the WAF?

Oracle Cloud Infrastructure WAF is a global service that can be configured from any commercial region. It is not limited to that region for data, though. Any Oracle Cloud Infrastructure WAF configuration is added to the global 'edge'.

Where are the global points of presence for Oracle Cloud Infrastructure WAF?

Oracle currently has a total of 11 edge nodes with the following global footprint*:

  • Brazil
  • India
  • Sydney
  • Frankfurt
  • Switzerland
  • London
  • Phoenix
  • Ashburn
  • Toronto
  • Tokyo
  • Seoul

*Note that some locations have more than one PoP.

Technical questions

Does Oracle Cloud Infrastructure provide layer 7 (L7) distributed denial of service (DDoS) protection?

Yes. Oracle Cloud Infrastructure provides unlimited DDoS protection for web applications and services.

Where does the L7 DDoS protection occur?

DDoS protection is provided by the Oracle Cloud Infrastructure edge network, which is comprised of globally-distributed, high-capacity points of presence (PoPs) that support a wide range of edge applications. Oracle Edge PoPs are located in Oracle Cloud Infrastructure regions and at standalone locations worldwide. Specifically, L7 DDoS attacks are managed by the Oracle Web Application Firewall (WAF), which includes a complete set of access control and bot management features designed to defeat L7 DDoS threats. Oracle WAF is designed to protect against the vast majority of DDoS attacks at each PoP. In the event of an extremely-high-volume L7 DDoS attack, Oracle uses DDoS scrubbing centers, which are globally-distributed to ensure quick response times.

How is the Oracle Cloud Infrastructure L7 DDoS mitigation provisioned?

The service is available from the Oracle Cloud Infrastructure console. The customer selects L7 DDoS protection from the console as part of the WAF’s bot management menu. Customers can select one of two options:

1. On-demand: L7 DDoS protection is turned on at the customer's discretion.

2. Always-on: L7 DDoS protection is always on and provides automatic protection.

What is included with the L7 DDoS mitigation?

L7 DDoS mitigation is part of the Oracle Cloud Infrastructure WAF and is activated when users select a range of policy options designed to defeat sophisticated L7 DDoS attacks. Policy options include but are not limited to JavaScript challenges, IP rate limiting, device fingerprinting, and human interaction challenges. These countermeasures are fully automated when the 'always-on' option is selected. Users can also select the 'on-demand' option to manually turn on L7 DDoS protection at their discretion.

What does Oracle charge for the L7 DDoS mitigation?

L7 DDoS mitigation is part of the Oracle Cloud Infrastructure WAF. This is a metered subscription based on traffic and request volumes. See Oracle's pricing page for more information.

How does Oracle Cloud Infrastructure L7 DDoS mitigation work?

Traffic is automatically routed to the Oracle Cloud Infrastructure edge network via a reverse proxy architecture. The edge network includes globally-distributed PoPs that inspect all HTTP and HTTPS traffic before it arrives at the web application. The PoPs use the activated DDoS countermeasures to automatically eliminate traffic that is identified as coming from malicious botnets.

What reporting is provided?

The Oracle Cloud Infrastructure portal contains consoles with near real-time reporting about alerts, blocked requests, bot mitigations, and logs.

How do I lock down my origin to only accept connections from the Oracle Cloud Infrastructure WAF edge nodes?

Configure your origin ingress rules to only accept connections from certain CIDR ranges. Please refer to Securing Your WAF in the Getting Started Guide to get the updated list.
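One way to audit that lock-down, as an added example that is not Oracle's code: it flags ingress rules that let web ports be reached from outside the WAF edge ranges, or that open ports other than 80 and 443. The rule shape, rule names, and finding labels are assumptions, and the CIDR ranges are RFC 5737 placeholders rather than Oracle's published list.

```python
import ipaddress

# Placeholder ranges (RFC 5737 documentation blocks), NOT Oracle's edge list.
# Take the real, current list from "Securing Your WAF" in the Getting Started Guide.
WAF_EDGE_CIDRS = ["192.0.2.0/24", "198.51.100.0/25"]
WEB_PORTS = (80, 443)

# Constructed sample ingress rules in an assumed, simplified shape.
SAMPLE_RULES = [
    {"name": "waf-https", "source": "192.0.2.0/24", "port_min": 443, "port_max": 443},
    {"name": "waf-http", "source": "198.51.100.64/26", "port_min": 80, "port_max": 80},
    {"name": "legacy-any-https", "source": "0.0.0.0/0", "port_min": 443, "port_max": 443},
    {"name": "wide-range", "source": "192.0.2.0/24", "port_min": 80, "port_max": 8080},
    {"name": "near-miss", "source": "198.51.100.0/24", "port_min": 443, "port_max": 443},
]

def audit_ingress(rules, edge_cidrs=WAF_EDGE_CIDRS):
    """Return (rule name, finding) pairs for rules that weaken the origin lock-down."""
    edge = [ipaddress.ip_network(c) for c in edge_cidrs]
    findings = []
    for rule in rules:
        src = ipaddress.ip_network(rule["source"], strict=False)
        lo, hi = rule["port_min"], rule["port_max"]
        # The source must sit entirely inside one edge range; a wider supernet
        # also admits addresses that are not WAF edge nodes.
        from_edge = any(src.version == n.version and src.subnet_of(n) for n in edge)
        reaches_web = any(lo <= p <= hi for p in WEB_PORTS)
        only_web = lo == hi and lo in WEB_PORTS
        if reaches_web and not from_edge:
            findings.append((rule["name"], "waf-bypass"))
        if not only_web:
            findings.append((rule["name"], "non-web-port-open"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_ingress(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

The "near-miss" rule shows the case that is easy to overlook: a /24 that contains an edge /25 still exposes the origin to the other half of the block.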

Can a customer brand their CAPTCHA pages?

No, we do not support this feature at this time.

What Core Rule Set (CRS) of OWASP does Oracle Cloud Infrastructure WAF support?

Oracle Cloud Infrastructure WAF supports CRS 3.0.

Is there a way to enable all rules, in all sets, at the same time?

We suggest using the API, CLI, SDK, or Terraform to script this; however, enabling all rules at the same time is not recommended.

Where can I find more information regarding the WAF services?

Please refer to the Web Application Firewall main page for further details.

Oracle Cloud Infrastructure WAF for Fusion Applications

How does Oracle Cloud Infrastructure WAF for Fusion Applications work?

WAF for Oracle Fusion Cloud Applications Suite improves our customers’ security posture by giving the Oracle SaaS Cloud Security team additional visibility into application-level attacks with respect to their application data. WAF for Fusion Applications is completely transparent to customers and managed end-to-end by Oracle's subject matter experts. With this out-of-the-box offering, customers are supported with a 24/7 security operations center that’s responsible for updating, monitoring, managing, responding to, and protecting our Fusion Applications—without impacting application resilience or availability.

How much does Oracle Cloud Infrastructure WAF for Fusion Applications cost?

WAF for Fusion Applications is available free of charge for all Fusion customers hosted on Oracle Cloud Infrastructure.

Will this impact the performance of my Fusion Applications?

WAF for Fusion Applications is deployed along with our load balancer and supports hundreds of rules that can inspect any part of the web request to Fusion Applications and APIs with minimal latency impact to incoming traffic.

What is the difference between Oracle Cloud Infrastructure WAF and WAF for Fusion Applications?

WAF for Fusion Applications is a version of Oracle Cloud Infrastructure WAF that has been fine-tuned for SaaS products. It protects SaaS applications from targeted attacks by filtering traffic based on out-of-the-box rules that SaaS security teams have designed to provide always-on layer-7 protection.