WAF CheckResponse Intercept Query
Prerequisites
Pre-check: Aliyun CLI >= 3.3.3 required
Run
to verify >= 3.3.3. If not installed or version too low,
run
curl -fsSL https://aliyuncli.alicdn.com/setup.sh | bash
to update,
or see
references/cli-installation-guide.md
for installation instructions.
Pre-check: Aliyun CLI plugin update required
[MUST] run
aliyun configure set --auto-plugin-install true
to enable automatic plugin installation.
[MUST] run
to ensure that any existing plugins are always up-to-date.
At the start of the Core Workflow (before any CLI invocation):
[MUST] Enable AI-Mode — AI-mode is required for Agent Skill execution.
Run the following commands before any CLI invocation:
bash
aliyun configure ai-mode enable
aliyun configure ai-mode set-user-agent --user-agent "AlibabaCloud-Agent-Skills/alibabacloud-waf-checkresponse-intercept-query"
[MUST] Disable AI-Mode at EVERY exit point — Before delivering the final response for ANY reason, always disable AI-mode first. This applies to ALL exit paths: workflow success, workflow failure, error/exception, user cancellation, session end, or any other scenario where no further CLI commands will be executed.
AI-mode is only used for Agent Skill invocation scenarios and MUST NOT remain enabled after the skill stops running.
bash
aliyun configure ai-mode disable
[MUST] CLI User-Agent — Every
CLI command invocation must include:
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-checkresponse-intercept-query
Before execution, you must collect the following information from the user:
| Parameter | Description | Required |
|---|
| Request ID | The traceid obtained from the HTML body of WAF's block (intercept) response, or the Request ID shown on the 405 block page displayed in the browser | Yes |
Optional: WAF Instance ID, SLS Project name, SLS Logstore name (will be auto-discovered if not provided)
Notes:
- Request ID (traceid) is obtained from the HTML body of WAF's block response, or from the 405 block page displayed in the browser
- Uses Alibaba Cloud default credential chain for authentication (ECS RAM Role, ~/.alibabacloud/config, etc.)
Region Information
| RegionId Value | Region | Description |
|---|
| Chinese Mainland | WAF instances within mainland China |
| Outside Chinese Mainland | WAF instances in overseas and Hong Kong/Macao/Taiwan regions |
Query Workflow
Step 1: Information Collection
Confirm the Request ID (traceid) with the user. If the user has not provided one, guide them to obtain it from:
- The 405 block page displayed in the browser, which shows the Request ID directly
- The HTML body of WAF's block (intercept) response, which contains the traceid
Step 2: Auto-Discover WAF Instances and Verify Log Service
If the user has not provided WAF Instance ID and SLS configuration, perform auto-discovery:
Step 2a: Discover WAF Instances
bash
# Query WAF instances in both regions in parallel
aliyun waf-openapi DescribeInstance --region cn-hangzhou --RegionId cn-hangzhou --user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-checkresponse-intercept-query
aliyun waf-openapi DescribeInstance --region ap-southeast-1 --RegionId ap-southeast-1 --user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-checkresponse-intercept-query
Step 2b: Check Log Service Status (Mandatory Before Querying Logs)
Before retrieving SLS configuration, you MUST first verify that the WAF instance has log service enabled by calling
DescribeSlsLogStoreStatus
:
bash
aliyun waf-openapi DescribeSlsLogStoreStatus --region <region-id> --InstanceId '<instance-id>' --RegionId '<region-id>' --user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-checkresponse-intercept-query
- If the response indicates log service is already enabled ( is true/enabled), skip the enable operation and proceed directly to Step 2c (idempotent: no redundant writes).
- If log service is not enabled, inform the user that WAF log service must be activated before log queries can proceed. With user consent, call to enable it:
bash
aliyun waf-openapi ModifyUserWafLogStatus \
--region <region-id> \
--InstanceId '<instance-id>' \
--Status 1 \
--RegionId '<region-id>' \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-checkresponse-intercept-query
Constraint: This skill only supports
enabling log service (
). Disabling log service is
not permitted. Never call this API with
.
After enabling, wait a moment and re-verify with
DescribeSlsLogStoreStatus
to confirm activation.
Step 2c: Retrieve SLS Configuration (Mandatory After Confirming Log Service is Enabled)
Once
DescribeSlsLogStoreStatus
confirms that log service is enabled, you
must immediately call
to obtain the WAF log Project and Logstore information:
bash
aliyun waf-openapi DescribeSlsLogStore --region <region-id> --InstanceId '<instance-id>' --RegionId '<region-id>' --user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-checkresponse-intercept-query
Key fields in the
response:
| Field | Description |
|---|
| SLS Project name associated with the WAF instance |
| SLS Logstore name for WAF logs |
| Log retention period (in days) |
Cross-region note: The SLS log storage region may differ from the WAF instance region (e.g., WAF in
but SLS logs stored in
). When querying SLS in Step 3, always use the region where the SLS Project is located, not the WAF instance region.
Step 3: Query SLS Logs
Use the
,
and SLS region obtained from Step 2 to query block logs (prefer using the Python script):
bash
# Query using script (recommended, supports automatic time range expansion)
python3 scripts/get_waf_logs.py \
--project <project-name> \
--logstore <logstore-name> \
--request-id <request-id> \
--region <sls-region>
Or use CLI directly:
bash
TO_TIME=$(python3 -c "import time; print(int(time.time()))")
FROM_TIME=$((TO_TIME - 86400))
aliyun sls get-logs \
--project <project-name> \
--logstore <logstore-name> \
--from $FROM_TIME \
--to $TO_TIME \
--query "<request-id>" \
--region <sls-region> \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-checkresponse-intercept-query
Important: The
here must be the SLS log storage region, which may differ from the WAF instance region. Check the
response from Step 2 to determine the correct SLS region.
Step 4: Query Rule Details
Extract
and
from the logs to query the rule configuration:
Important: The
API requires the
parameter. Common defense scenes include:
- - Custom access control rules
- - Custom rate limiting rules (CC rules)
- - WAF protection rules
- - Anti-scan rules
- - Data leakage prevention
- - Anti-tampering
You can determine the defense scene from
field in the logs:
| final_plugin | DefenseScene |
|---|
| customrule | custom_acl or custom_cc |
| waf | waf_group |
| scanner_behavior | antiscan |
| dlp | dlp |
bash
# Query rule details with DefenseScene
aliyun waf-openapi DescribeDefenseRule \
--region <region-id> \
--InstanceId '<instance-id>' \
--TemplateId <template-id> \
--RuleId <rule-id> \
--DefenseScene '<defense-scene>' \
--RegionId '<region-id>' \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-checkresponse-intercept-query
Note: If you don't know the
, first use
to list templates:
bash
aliyun waf-openapi DescribeDefenseTemplates \
--region <region-id> \
--InstanceId '<instance-id>' \
--DefenseScene '<defense-scene>' \
--RegionId '<region-id>' \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-checkresponse-intercept-query
Step 5: Output Analysis Report
Output using the following template:
markdown
## WAF Block Analysis Report
### Request Information
- Request ID: {request_id}
- Block Time: {time}
- Client IP: {real_client_ip (masked, e.g. 192.***.***.***)}
- Request URL: {host}{request_path}?{masked_query_params}
### Block Details
- Rule ID: {rule_id}
- Rule Name: {rule_name}
- Action: {action}
### Recommendations
{Provide recommendations based on rule type, refer to references/common-block-reasons.md}
Troubleshooting
No Logs Found
-
Re-check global log service status (should have been verified in Step 2b, but re-confirm):
bash
aliyun waf-openapi DescribeSlsLogStoreStatus --region <region-id> --InstanceId '<instance-id>' --RegionId '<region-id>' --user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-checkresponse-intercept-query
If not enabled, prompt the user and enable with
(see Step 2b). Only enabling (
) is allowed.
-
Check protection object log switch:
bash
aliyun waf-openapi DescribeResourceLogStatus --region <region-id> --InstanceId '<instance-id>' --RegionId '<region-id>' --user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-checkresponse-intercept-query
-
Enable protection object log collection (check-then-act: only if
DescribeResourceLogStatus
shows log collection is disabled for the target resource; skip if already enabled):
bash
aliyun waf-openapi ModifyResourceLogStatus \
--region <region-id> \
--InstanceId '<instance-id>' \
--Resource '<resource-name>' \
--Status true \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-checkresponse-intercept-query
See references/common-block-reasons.md for protection object naming conventions.
Permission Denied Errors
If you encounter permission errors, check the following:
-
Verify CLI profile configuration:
-
Check RAM policy permissions:
Required permissions:
waf-openapi:DescribeInstance
waf-openapi:DescribeSlsLogStoreStatus
waf-openapi:DescribeSlsLogStore
waf-openapi:ModifyUserWafLogStatus
waf-openapi:DescribeDefenseRule
- (for log queries)
-
Try specifying a different profile:
bash
aliyun waf-openapi DescribeInstance --profile <profile-name> --region <region-id> --user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-checkresponse-intercept-query
Request ID Not Found
If the Request ID is not found in the logs:
- Verify Request ID format: Should be 32 characters without hyphens
- Check time range: The script automatically expands search up to 90 days
- Verify the correct region: Try both and
- Check log retention (TTL): Default is 180 days, use parameter if different
Multi-Instance Scenarios
If both Chinese Mainland and non-Chinese Mainland instances exist, determine based on query results:
- Logs found in only one region -> use that region directly
- Logs found in both regions -> ask the user for clarification
- No logs found in either region -> ask the user for the expected region, check protection object log switch
Note: Follow the same discovery commands as in Step 2, then query logs across all discovered SLS projects until the Request ID is found.
Rule Operation Constraints
Warning: Rule Disabling Policy
When the user requests to disable a rule:
- Check current rule status first — call to query the rule's current status. If the rule is already in the target state (e.g., already disabled), skip the write operation and inform the user (idempotent check-then-act pattern)
- Only perform disable operations ( with )
- Never delete rules
- Never modify rule content
- Must confirm with user before executing
bash
# Disable a rule (only after confirming it is currently enabled)
aliyun waf-openapi ModifyDefenseRuleStatus \
--region <region-id> \
--InstanceId '<instance-id>' \
--RuleId <rule-id> \
--RuleStatus 0 \
--RegionId '<region-id>' \
--user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-checkresponse-intercept-query
See references/rule-operations.md for detailed instructions.
References
- RAM Policy Requirements
- Rule Configuration Details
- Rule Operation Policy
- Common Block Reasons
- WAF OpenAPI