About function

What is WafCharm?

WafCharm is a service that automatically optimizes AWS WAF rules. It uses an internationally patented AI to set the optimal rules for the user's website.

How often are the rules updated automatically?

Rule optimization depends on the amount of data feeding the trend analysis, so the rules are updated roughly once a day.

AWS WAF does not have reporting or notification capabilities, but is there any such functionality in WafCharm?

Yes, both a reporting function and an email notification function are available in WafCharm, regardless of the plan chosen by the user.
The monthly reporting function provides a detailed summary of the previous month's detection status. The number of detections, attack type, attack source country and IP address for each rule of each WebACL can be confirmed in this report.
The email notification function notifies you of detected content in real time via email.

Is there any way to safely check the effectiveness of the rules on the service in operation?

Yes. In AWS WAF you can specify ALLOW, COUNT or BLOCK for each rule. On the WafCharm dashboard, WafCharm can be run in detection mode by specifying COUNT as the Default Action.

What does the “Default action” specify in “If a request does not match any rules, take the default action” of the Web ACL of AWS WAF?

It determines how requests that did not match any rule are handled.
WafCharm users should set the default action to “Allow”, since requests that match no rule are normal requests.

Is it possible to set a custom rule on the Web ACL?

Yes, it is possible.
Since WafCharm only manages rules whose names start with the prefix “wafcharm-”, users can create a custom rule with a different prefix, and it will not be modified or deleted by WafCharm.

Is it possible to check the response data?

Due to the specification of AWS WAF, response data cannot be checked.

How can I check BLOCK (COUNT) for web requests on AWS WAF?

How to check the detection status
– Use CloudWatch
1. Go to CloudWatch on the AWS Management Console
2. Choose Metrics
3. Search for WAF
4. Click “WAF > Region, Rule, WebACL”
5. Choose the metric you want to see

How to check the detection status in more detail
– Please refer to the following blog.
Reference blog: https://www.wafcharm.com/en/blog/aws-waf-full-log-s3-output/

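As an added example (not WafCharm's own code), the script below summarizes BLOCK and COUNT detections per rule from AWS WAF full-log records, such as those delivered to S3, and marks which rules carry the “wafcharm-” prefix. The log lines are constructed samples; field names follow the AWS WAF log format, and the Default_Action rule ID is assumed for requests that matched no rule.

```python
import json
from collections import Counter, defaultdict

WAFCHARM_PREFIX = "wafcharm-"          # rules managed by WafCharm (see FAQ above)
DEFAULT_ACTION_RULE = "Default_Action"  # assumed terminatingRuleId when no rule matched

# Constructed sample of AWS WAF full-log records (one JSON object per line),
# reduced to the fields used here; real records contain many more fields.
SAMPLE_LOG = """
{"timestamp":1600000000000,"webaclId":"example-webacl","terminatingRuleId":"wafcharm-sqli","terminatingRuleType":"REGULAR","action":"BLOCK","nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"203.0.113.10","country":"US","uri":"/login","httpMethod":"POST"}}
{"timestamp":1600000001000,"webaclId":"example-webacl","terminatingRuleId":"Default_Action","terminatingRuleType":"DEFAULT","action":"ALLOW","nonTerminatingMatchingRules":[{"ruleId":"wafcharm-xss","action":"COUNT"}],"httpRequest":{"clientIp":"198.51.100.7","country":"JP","uri":"/search","httpMethod":"GET"}}
{"timestamp":1600000002000,"webaclId":"example-webacl","terminatingRuleId":"custom-method-allowlist","terminatingRuleType":"REGULAR","action":"BLOCK","nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"203.0.113.10","country":"US","uri":"/api/item","httpMethod":"DELETE"}}
{"timestamp":1600000003000,"webaclId":"example-webacl","terminatingRuleId":"Default_Action","terminatingRuleType":"DEFAULT","action":"ALLOW","nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"192.0.2.5","country":"DE","uri":"/","httpMethod":"GET"}}
not json: a corrupt line that must be skipped
"""

def parse_records(text):
    """Parse JSON Lines, skipping blank and malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records

def detections(records):
    """Yield (rule_id, action, client_ip, country) for every BLOCK and COUNT hit."""
    for rec in records:
        req = rec.get("httpRequest", {})
        ip, country = req.get("clientIp"), req.get("country")
        rule = rec.get("terminatingRuleId")
        if rec.get("action") == "BLOCK" and rule != DEFAULT_ACTION_RULE:
            yield rule, "BLOCK", ip, country
        for nt in rec.get("nonTerminatingMatchingRules", []):  # COUNT-mode matches
            if nt.get("action") == "COUNT":
                yield nt.get("ruleId"), "COUNT", ip, country

def summarize(records):
    """Per-rule BLOCK/COUNT totals, source countries and IPs, and rule ownership."""
    summary = defaultdict(lambda: {"BLOCK": 0, "COUNT": 0,
                                   "countries": Counter(), "ips": Counter()})
    for rule, action, ip, country in detections(records):
        entry = summary[rule]
        entry[action] += 1
        entry["countries"][country] += 1
        entry["ips"][ip] += 1
        entry["wafcharm_managed"] = rule.startswith(WAFCHARM_PREFIX)
    return dict(summary)
```

Running `summarize(parse_records(SAMPLE_LOG))` gives one entry per rule that fired, with Default_Action excluded and the custom rule flagged as not managed by WafCharm.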

How long does it take to reflect Blacklist / Whitelist registered from the WafCharm management screen?

It varies somewhat with the load on the server, but it takes around 5 to 10 minutes to be reflected.

Is it possible to change the mode of the rule applied to WebACL to Count or Block?

Yes, the mode of a rule applied to the WebACL can be changed from the AWS Management Console.
You can also delete the “Action” of each rule from the same page.

What is the Blacklist function provided by WafCharm?

There are 3 main Blacklist functions.
・Re-matching the access log against hundreds of signatures and registering the matches in the Blacklist (every hour)
・Blacklist based on CSC's own IP reputation (every day)
・IP addresses registered to the Blacklist directly by users from the WafCharm management screen (reflected about 5 to 10 minutes after setting)

In CloudFront, allowing POST requests also permits DELETE, PATCH, OPTIONS, etc.
With the same setting, is it possible to create a rule in WafCharm that allows only POST requests?

Yes, it is possible.
WafCharm support will create a rule that rejects any HTTP method other than the required one.

Is country-level IP restriction possible with WafCharm?

Yes, it is possible.
Please contact WafCharm support.

I want to put a usage restriction on the access key and secret key.
As we want to restrict them to the GIP on the WafCharm side, is it possible to disclose the GIP?

Yes, it is possible.
Please contact WafCharm support.

About implementation

Please tell me about implementation requirements.

① AWS WAF must be available.
② Output the access log of the resource to which WAF is applied to an S3 bucket, and grant WafCharm read permission on that S3 bucket.
③ Full access to AWS WAF so that rules can be updated using the API.

Please refer to the following blog for necessary settings.
Reference blog: https://www.wafcharm.com/en/blog/aws-iam-setting-for-wafcharm/

※ The access keys for ② and ③ must be registered on the WafCharm management console.
※ AWS WAF can be used with CloudFront, ALB (Application Load Balancer) or Amazon API Gateway.

Please tell me about the WafCharm setting procedure necessary for implementation.

Please refer to the following blog for necessary settings after applying for the subscription plan.
Reference blog: https://www.wafcharm.com/en/blog/check-wafcharm-setting/

Is it necessary to set rules on the created Web ACL?

No such setting is needed, so you can start using WafCharm immediately.
After the initial setup on the WafCharm dashboard is complete, WafCharm automatically puts the rules into the WebACL in about 5 to 10 minutes.

About Subscription/Payment

Please tell us about the application procedure for WafCharm.

Please contact us from the following

Before selecting a plan, we would like to confirm the current number of web requests. Is there any way to confirm it?

【User who can log in to WafCharm management screen during the free trial】
The number of web requests for the past 3 months can be confirmed on the “Account” page, accessible from the “Menu” in the top right corner of the WafCharm management screen.

【Other users】
・Confirm on the AWS Management Console
On the AWS Management Console, under Billing > Invoices > WAF Items, it is displayed as “Price per HTTP request”, “1,713,241 Requests”, “$1.03”.

・Confirm from the number of rows in the web server's access log
As a rough guide, the number of web requests can be estimated from the number of rows in the access log.
Example) # cat /var/log/httpd/access_log | wc -l

About support

Is there an SLA?

There is no SLA regarding response time.
The Business plan and above are supported 24/7, but depending on the degree of urgency, the response may come on the next business day.

In case of false-positives, is it possible to customize special rules?

Yes, it is possible. Please contact WafCharm support.

What kind of false-positive handling is possible with WafCharm when a false positive occurs only for a specific URI?

Please provide the detection log to WafCharm support.
To start with, a screenshot like the image posted at the end of the following reference blog is sufficient.
Reference Blog: https://www.wafcharm.com/blog/about-aws-waf-attack-state-jp/

Although the handling differs depending on the content, one of the following responses will be proposed and implemented.
・Custom handling that avoids the false positive by changing the condition itself, rather than excluding the URI.
・Custom handling that excludes the specific URI from detection for the specific rule.
・Creation of a rule that excludes the specific URI from detection for all rules.
※ The above customization cannot be implemented for Entry plan customers. If necessary, it will be quoted separately.