WAF CheckResponse Intercept Query

Prerequisites

Pre-check: Aliyun CLI >= 3.3.3 required

> Run aliyun version to verify >= 3.3.3. If not installed or version too low,

> run curl -fsSL https://aliyuncli.alicdn.com/setup.sh | bash to update,

> or see references/cli-installation-guide.md for installation instructions.

Pre-check: Aliyun CLI plugin update required

> [MUST] run aliyun configure set --auto-plugin-install true to enable automatic plugin installation.

> [MUST] run aliyun plugin update to ensure that any existing plugins are always up-to-date.

At the start of the Core Workflow (before any CLI invocation):

[MUST] Enable AI-Mode — AI-mode is required for Agent Skill execution.

Run the following commands before any CLI invocation:

aliyun configure ai-mode enable
aliyun configure ai-mode set-user-agent --user-agent "AlibabaCloud-Agent-Skills/alibabacloud-waf-checkresponse-intercept-query"

[MUST] Disable AI-Mode at EVERY exit point — Before delivering the final response for ANY reason, always disable AI-mode first. This applies to ALL exit paths: workflow success, workflow failure, error/exception, user cancellation, session end, or any other scenario where no further CLI commands will be executed.

AI-mode is only used for Agent Skill invocation scenarios and MUST NOT remain enabled after the skill stops running.

aliyun configure ai-mode disable

[MUST] CLI User-Agent — Every aliyun CLI command invocation must include:

--user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-checkresponse-intercept-query

Before execution, you must collect the following information from the user:

Optional: WAF Instance ID, SLS Project name, SLS Logstore name (will be auto-discovered if not provided)

Notes:

• Request ID (traceid) is obtained from the HTML body of WAF's block response, or from the 405 block page displayed in the browser
• Uses Alibaba Cloud default credential chain for authentication (ECS RAM Role, ~/.alibabacloud/config, etc.)

Region Information

Query Workflow

Step 1: Information Collection

Confirm the Request ID (traceid) with the user. If the user has not provided one, guide them to obtain it from:

1. The 405 block page displayed in the browser, which shows the Request ID directly
2. The HTML body of WAF's block (intercept) response, which contains the traceid

Step 2: Auto-Discover WAF Instances and Verify Log Service

If the user has not provided WAF Instance ID and SLS configuration, perform auto-discovery:

Step 2a: Discover WAF Instances

# Query WAF instances in both regions in parallel
aliyun waf-openapi DescribeInstance --region cn-hangzhou --RegionId cn-hangzhou --user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-checkresponse-intercept-query
aliyun waf-openapi DescribeInstance --region ap-southeast-1 --RegionId ap-southeast-1 --user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-checkresponse-intercept-query

Step 2b: Check Log Service Status (Mandatory Before Querying Logs)

Before retrieving SLS configuration, you MUST first verify that the WAF instance has log service enabled by calling DescribeSlsLogStoreStatus:

aliyun waf-openapi DescribeSlsLogStoreStatus --region <region-id> --InstanceId '<instance-id>' --RegionId '<region-id>' --user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-checkresponse-intercept-query

• If the response indicates log service is already enabled (SlsLogStoreStatus is true/enabled), skip the enable operation and proceed directly to Step 2c (idempotent: no redundant writes).
• If log service is not enabled, inform the user that WAF log service must be activated before log queries can proceed. With user consent, call ModifyUserWafLogStatus to enable it:

aliyun waf-openapi ModifyUserWafLogStatus \
  --region <region-id> \
  --InstanceId '<instance-id>' \
  --Status 1 \
  --RegionId '<region-id>' \
  --user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-checkresponse-intercept-query

> Constraint: This skill only supports enabling log service (Status=1). Disabling log service is not permitted. Never call this API with Status=0.

After enabling, wait a moment and re-verify with DescribeSlsLogStoreStatus to confirm activation.

Step 2c: Retrieve SLS Configuration (Mandatory After Confirming Log Service is Enabled)

Once DescribeSlsLogStoreStatus confirms that log service is enabled, you must immediately call DescribeSlsLogStore to obtain the WAF log Project and Logstore information:

aliyun waf-openapi DescribeSlsLogStore --region <region-id> --InstanceId '<instance-id>' --RegionId '<region-id>' --user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-checkresponse-intercept-query

Key fields in the DescribeSlsLogStore response:

Cross-region note: The SLS log storage region may differ from the WAF instance region (e.g., WAF in ap-southeast-1 but SLS logs stored in ap-southeast-5). When querying SLS in Step 3, always use the region where the SLS Project is located, not the WAF instance region.

Step 3: Query SLS Logs

Use the ProjectName, LogStoreName and SLS region obtained from Step 2 to query block logs (prefer using the Python script):

# Query using script (recommended, supports automatic time range expansion)
python3 scripts/get_waf_logs.py \
  --project <project-name> \
  --logstore <logstore-name> \
  --request-id <request-id> \
  --region <sls-region>

Or use CLI directly:

TO_TIME=$(python3 -c "import time; print(int(time.time()))")
FROM_TIME=$((TO_TIME - 86400))

aliyun sls get-logs \
  --project <project-name> \
  --logstore <logstore-name> \
  --from $FROM_TIME \
  --to $TO_TIME \
  --query "<request-id>" \
  --region <sls-region> \
  --user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-checkresponse-intercept-query

Important: The --region here must be the SLS log storage region, which may differ from the WAF instance region. Check the DescribeSlsLogStore response from Step 2 to determine the correct SLS region.

Step 4: Query Rule Details

Extract rule_id and final_plugin from the logs to query the rule configuration:

Important: The DescribeDefenseRule API requires the DefenseScene parameter. Common defense scenes include:

• custom_acl - Custom access control rules
• custom_cc - Custom rate limiting rules (CC rules)
• waf_group - WAF protection rules
• antiscan - Anti-scan rules
• dlp - Data leakage prevention
• tamperproof - Anti-tampering

You can determine the defense scene from final_plugin field in the logs:

# Query rule details with DefenseScene
aliyun waf-openapi DescribeDefenseRule \
  --region <region-id> \
  --InstanceId '<instance-id>' \
  --TemplateId <template-id> \
  --RuleId <rule-id> \
  --DefenseScene '<defense-scene>' \
  --RegionId '<region-id>' \
  --user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-checkresponse-intercept-query

Note: If you don't know the TemplateId, first use DescribeDefenseTemplates to list templates:

aliyun waf-openapi DescribeDefenseTemplates \
  --region <region-id> \
  --InstanceId '<instance-id>' \
  --DefenseScene '<defense-scene>' \
  --RegionId '<region-id>' \
  --user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-checkresponse-intercept-query

Step 5: Output Analysis Report

Output using the following template:

## WAF Block Analysis Report

### Request Information
- Request ID: {request_id}
- Block Time: {time}
- Client IP: {real_client_ip (masked, e.g. 192.***.***.***)} 
- Request URL: {host}{request_path}?{masked_query_params}

### Block Details
- Rule ID: {rule_id}
- Rule Name: {rule_name}
- Action: {action}

### Recommendations
{Provide recommendations based on rule type, refer to references/common-block-reasons.md}

Troubleshooting

No Logs Found

1. Re-check global log service status (should have been verified in Step 2b, but re-confirm):

```bash

aliyun waf-openapi DescribeSlsLogStoreStatus --region --InstanceId '' --RegionId '' --user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-checkresponse-intercept-query

```

If not enabled, prompt the user and enable with ModifyUserWafLogStatus (see Step 2b). Only enabling (Status=1) is allowed.

1. Check protection object log switch:

```bash

aliyun waf-openapi DescribeResourceLogStatus --region --InstanceId '' --RegionId '' --user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-checkresponse-intercept-query

```

1. Enable protection object log collection (check-then-act: only if DescribeResourceLogStatus shows log collection is disabled for the target resource; skip if already enabled):

```bash

aliyun waf-openapi ModifyResourceLogStatus \

--region \

--InstanceId '' \

--Resource '' \

--Status true \

--user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-checkresponse-intercept-query

```

See references/common-block-reasons.md for protection object naming conventions.

Permission Denied Errors

If you encounter permission errors, check the following:

1. Verify CLI profile configuration:

```bash

aliyun configure list

```

1. Check RAM policy permissions:

Required permissions:

• waf-openapi:DescribeInstance
• waf-openapi:DescribeSlsLogStoreStatus
• waf-openapi:DescribeSlsLogStore
• waf-openapi:ModifyUserWafLogStatus (optional, for enabling log service)
• waf-openapi:DescribeDefenseRule (for rule details)
• sls:GetLogs (for log queries)

1. Try specifying a different profile:

```bash

aliyun waf-openapi DescribeInstance --profile --region --user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-checkresponse-intercept-query

```

Request ID Not Found

If the Request ID is not found in the logs:

1. Verify Request ID format: Should be 32 characters without hyphens
2. Check time range: The script automatically expands search up to 90 days
3. Verify the correct region: Try both cn-hangzhou and ap-southeast-1
4. Check log retention (TTL): Default is 180 days, use --ttl parameter if different

Multi-Instance Scenarios

If both Chinese Mainland and non-Chinese Mainland instances exist, determine based on query results:

• Logs found in only one region -> use that region directly
• Logs found in both regions -> ask the user for clarification
• No logs found in either region -> ask the user for the expected region, check protection object log switch

Note: Follow the same discovery commands as in Step 2, then query logs across all discovered SLS projects until the Request ID is found.

Rule Operation Constraints

Warning: Rule Disabling Policy

When the user requests to disable a rule:

1. Check current rule status first — call DescribeDefenseRule to query the rule's current status. If the rule is already in the target state (e.g., already disabled), skip the write operation and inform the user (idempotent check-then-act pattern)
2. Only perform disable operations (ModifyDefenseRuleStatus with RuleStatus=0)
3. Never delete rules
4. Never modify rule content
5. Must confirm with user before executing

# Disable a rule (only after confirming it is currently enabled)
aliyun waf-openapi ModifyDefenseRuleStatus \
  --region <region-id> \
  --InstanceId '<instance-id>' \
  --RuleId <rule-id> \
  --RuleStatus 0 \
  --RegionId '<region-id>' \
  --user-agent AlibabaCloud-Agent-Skills/alibabacloud-waf-checkresponse-intercept-query

See references/rule-operations.md for detailed instructions.

References

• RAM Policy Requirements
• Rule Configuration Details
• Rule Operation Policy
• Common Block Reasons
• WAF OpenAPI