What is WafCharm?
How often are the rules updated automatically?
AWS WAF does not have reporting or notification capabilities, but is there any such functionality in WafCharm?
The monthly reporting function provides a detailed summary of detection status of the previous month. Number of detections, attack type, attack source country & IP address of each rule for each WebACL can be confirmed in this report.
Email notification function is a function to notify the detected content in real time via email.
Is there any way to safely check the effectiveness of the rules on the service in operation?
What does the “Default action” specify in “If a request does not match any rules, take the default action” of the Web ACL of AWS WAF?
WafCharm users should set the default action to “Allow” for these requests that do not match any rules, as these are normal requests.
Is it possible to set a custom rule on the Web ACL?
Since WafCharm can only manage rules registered with a prefix “wafcharm-“, users can create a custom rule with a different prefix, and it won’t be modified or deleted by WafCharm.
Is it possible to check the response data?
How can I check BLOCK (COUNT) for web requests on AWS WAF?
– use CloudWatch
1. Go to Cloudwatch on AWS Management Console
2. Choose Metrics
3. Search for WAF
4. Click “WAF > Region, Rule, WebACL”
5. Choose what you want to see
How to check the detection status in more detail
– Please refer to the following blog.
Reference blog: https://www.wafcharm.com/en/blog/aws-waf-full-log-s3-output/
You can check AWS WAF detection status
How long does it take to reflect Blacklist / Whitelist registered from the WafCharm management screen?
Is it possible to change the mode of the rule applied to WebACL to Count or Block?
You can also delete the “Action” for each rule from the same page.
What is the Blacklist function provided by WafCharm?
・Rematching access log to hundreds of signatures, and each time registering into Blacklist (Every hour)
・Blacklist by CSC’s original IP reputation (Every day)
・IP address registered to Blacklist by users directly using WafCharm management screen (Reflects in about 5 to 10 minutes after setting)
In CloudFront, in order to allow POST requests, DELETE, PATCH, OPTIONS, etc. are also set to be permitted.
Is it possible to create a rule that allows only POST requests with the same setting in WafCharm?
WafCharm support will create a rule to reject anything other than the required HTTP method.
Is country-level IP restriction possible with WafCharm?
Please contact WafCharm support.
I want to put a usage restriction on the access key, secret key.
As we want to control with GIP on WafCharm side, is it possible to disclose the GIP?
Please contact WafCharm support.
Please tell me about implementation requirements.
② Output the access log of the resource to which WAF is applied to S3 bucket and give WafCharm Read permission to that S3 bucket.
③ Have full access to the AWS WAF to update rules using the API.
Please refer to the following blog for necessary settings.
Reference blog: https://www.wafcharm.com/en/blog/aws-iam-setting-for-wafcharm/
※ It is necessary to register AccessKey of ② and ③ on WafCharm management console.
※ AWS WAF can be used with CloudFront, ALB (Application Load Balancer) or Amazon API Gateway.
Please tell me about the WafCharm setting procedure necessary for implementation.
Reference blog: https://www.wafcharm.com/en/blog/check-wafcharm-setting/
Is it necessary to set rules on the created Web ACL?
After completing the initial setup on WafCharm dashboard, WafCharm will automatically put the rules in WebACL in about 5 to 10 minutes.
Please tell us about the application procedure for WafCharm.
Before selecting a plan, we would like to confirm the current number of web requests. Is there any way to confirm it?
Number of web requests for the past 3 months can be confirmed from the “Account” page accessible from the “Menu” on top right corner of the WafCharm management screen.
・Confirm on AWS Management Console
On AWS Management Console, under Billing > Invoices > WAF Items, it is displayed as “Price per HTTP request” , “1,713,241 Requests” , “$1.03”
・Confirm from the number of rows in the Web server’s access log
There is a method to estimate the number of web requests by the number of rows in the access log as a guide.
Example）# cat /var/log/httpd/access_log | wc -l
Is there an SLA?
Also, business plan and above will be supported 24/7, but depending on the degree of urgency, it may be the next business day.
In case of false-positives, is it possible to customize special rules?
What kind of false-positive correspondence is possible with WafCharm when false-positive occurs only with a specific URI?
First of all, you can send us only the screen shot of the image posted at the end of the following reference blog.
Reference Blog: https://www.wafcharm.com/blog/about-aws-waf-attack-state-jp/
Although the response policy differs depending on the content, the following response will be proposed and implemented.
・Custom correspondence that avoids false-positive by changing the condition itself, not the exclusion of URI.
・Custom correspondence that excludes specific URI as detection exception for specific rule.
・Creation of rule which makes specific URI as detection exception for all rules
※ The above customization can not be implemented for the entry plan customers. If necessary, it will be quoted separately.