7.8. Web Security (WAF)

Web Security (WAF) is the service that detects and protects security threats including unauthorized access and attack traffic on the Web application server in the virtual server on Enterprise Cloud. Web Security (WAF) behave as reverse proxy server. So communication is send to Web Server after WAF detection.

7.8.1. Available Features

You can use the following features in Web Security (WAF).
Feature Overview
WAF Detection/protection for attack communication of HTTP/HTTPS communication
IP reputation Protection function based on information about source of threat


  • If NTT Communications judges it necessary, we will notify you via email, etc. regarding the detection and blocking status. It is possible to set email addresses to receive the notifications on the Security Web portal. (Please set an email address if you wish to receive this service, as it is not registered in the initial settings.)
Routing Settings
  • To inspect Web communication, communications with the Web server to be inspected need to be set to communicate with the virtual server of the Web Security (WAF) by using vFirewall/integrated network appliance.
  • For setting of communications from Web Security (WAF) to Web server, the real server of Web Security (WAF) needs to be configured on the security portal.
  • For monitoring on Web Security (WAF), you will require an additional Server Segment for direct connection between vFirewall/Integrated Network Appliance.
Plans and the Amount of Analysis Processing
Plan Traffic processing capacity Structure
Entry Max 50 Mbps This is the total value of uplink and downlink on a Best Effort basis.
Compact Max 200 Mbps
Large Max 400 Mbps


  • Please indicate the Web Security (WAF) plan when sending in your application. No changes can be made among Entry, Compact and Large after the service begins.

7.8.2. WAF

WAF function is the function that inspects Web communication specified by customer and detects/protects unauthorized access and attack traffic.
Communications to be inspected are as follows.
Item Details

Detailed functions are as follows.
Items Details
WAF function
This function inspects Web communications based on the signature.
This function protects the Web server from various attacks from the application layer including cross-site scripting, SQL injection and buffer overflow.
Trust/Black IP control function
It is possible to control communications of the IP address specified by customer.
It is possible to specify Trust IP (IP address that is allowed unconditionally) and Black IP (IP address that is blocked unconditionally). A maximum of 100 addresses can be registered for Trust IP and Black IP in total.
Decoding function It is possible to inspect communications by decoding SSL communications.
X-Forwarded-For function
It is possible to forward information on the source IP address.
It is possible to forward information on the X-Forwarded-For address to the Web server (real server).


  • When using the decoding function, customer needs to prepare a certificate. Customer has the responsibility to acquire, update and manage a certificate. It is possible to set and update a certificate from the security portal.
  • It is possible to set the server certificate in the PEM format or PKCS#12 format.
Initial Tuning Report
Customer can change the policy setting (setting can be changed to detection only/disabled for each signature ID) from the security portal. We can report advices on policy tuning.
Initial tuning report is available only for once. Initial tuning report application sheet is available on the security portal. Input necessary items and request the sheet by using the security ticket.

7.8.3. IP reputation

IP reputation function blocks attacks from the source identified as threat.
Details are as follows.
Items Details
IP reputation function
This is the function for controlling connection from the host based on information on the source of threat.
Classification of threats is as follows.
  • DDoS: Source identified as part of DDoS attack
  • Phishing: Source identified as part of phishing attack or as a host of the Web site for phishing attack
  • Anonymous proxy: Traffic that is sent via anonymous proxy for disguising the original identity of the client and the source is hidden
  • Malicious source: Host that infection by harmful software is identified
  • Spammer: Host identified as the source of spam


  • IP reputation function works as the standard function so that this function cannot be enabled or disabled.

7.8.4. Important Points

Restrictions in non-Japanese Data Centers
  • One global IP address per one Web Security (WAF) service is necessarily assigned to monitoring use for Web Security (WAF) server. When you order 2 Web Security (WAF) services, two global IP addresses are assigned by NTT operator. Therefore, please make sure that you prepare the required quantity of global IP addresses when ordering.
  • Do not change NAT rules for Web Security (WAF) service configured to vFW/INA by NTT Com Group.
Used IP Addresses
  • IP address set as Default gateway in Server Segment setting cannot be assigned on Web Security (WAF) interface.
  • You must first register the Virtual Server IP address as Reserved IP. Reserved IP addresses are set by the Customer Portal.
  • You are responsible for IP address design in Server Segment. NTT Communications assumes no responsibility for any failures that may occur due to IP design problems.
  • Communication that can be handled with this service is Web communication only. Communications other than HTTP, including FTP and SSH, cannot be handled.
  • If the protocol that complies with RFC or encapsulation is used, communications cannot be processed with this service.
  • The appliance that runs this service operates on a single structure. The platform is a dual configuration where it will switch in five to ten minutes after rebooting on the backup platform during failures.
  • This service needs a dedicated compute resource pool. (The pool will be created when applying for Web Security (WAF).) This service cannot be configured on an existing compute resource pool.
  • Customers cannot configure a virtual machine on the compute resource pool operating this service.
  • The dedicated compute resource pool for this service cannot be extended or reduced.
  • Changes in resource allocations for the virtual machine that operates this service cannot be done from the customer portal. (Only we can operate it as it is virtual server controlled by us.)
  • The virtual machine operating the Web Security (WAF) cannot use private catalogues, backup and VM security services.
  • We do not guarantee that features provided by Web Security (WAF) have integrity or accuracy, or they are suitable for your use. Furthermore, the suitability of the algorithms that detect unauthorized/cyber-attack communications provided by the developers or distributors of the devices making up the Web Security (WAF) feature is not guaranteed.
  • The following information might be provided to the developers or the distributors of the devices making up Web Security (WAF) features.
    • Configuration information obtained through providing Web Security (WAF)
    • Information on control of Web Security (WAF)
  • We cannot guarantee recovery from failures that might occur due to incompatibility between the Web Security (WAF) feature and your environment, or failures that occur due to your operations other than those specified by NTT Communications.
  • There may be times when the customer’s environment is affected by maintenance services. An advance notice will be sent when there are possible effects to the customer’s communication. This is not applied when we judge the maintenance work urgent to provide the service.