Web Application Firewall: Get started with WAF 3.0

Last Updated: Nov 14, 2024

Web Application Firewall (WAF) identifies malicious web traffic and forwards normal traffic to your origin server. This protects your origin server from attacks and ensures data security. This topic describes how to get started with WAF 3.0 to protect your web services.

Background information

The following topics can help you become familiar with WAF 3.0:

Step 1: Purchase a WAF 3.0 instance

  1. Log on to the WAF 3.0 console. On the Welcome to Web Application Firewall (WAF) page, click Purchase WAF Subscription or Activate Pay-as-you-go Edition.

  2. On the Web Application Firewall 3.0 (Subscription) or Web Application Firewall (Pay as you go) buy page, select the specifications based on your business requirements and complete the payment.

  3. After you purchase a WAF 3.0 instance, click Console to go back to the WAF 3.0 console.

Step 2: Add web services to WAF 3.0

Select the access mode in which to add your web services to WAF 3.0 based on the instructions shown in the following figure.

[Figure: selecting an access mode]

Cloud native mode

Different access modes support different protection features. You can select an access mode based on your business requirements. For more information, see Access modes and protection features.

| Cloud service | References |
| --- | --- |
| Application Load Balancer (ALB) | Enable WAF protection for an ALB instance |
| Microservices Engine (MSE) | Enable WAF protection for an MSE instance |
| Function Compute | Enable WAF protection for a custom domain name bound to a web application in Function Compute |
| Classic Load Balancer (CLB) | |
| Elastic Compute Service (ECS) | Enable WAF protection for an ECS instance |

CNAME record mode

  1. Add a domain name to WAF. For more information, see Add a domain name to WAF.

  2. On your on-premises machine, check whether the forwarding configurations take effect. For more information, see Verify domain name settings.

  3. If the origin server on which the domain name is hosted uses a third-party firewall, add the IP address of WAF to the IP address whitelist of the third-party firewall. This prevents normal requests that are forwarded by WAF from being blocked. For more information, see Allow access from back-to-origin CIDR blocks of WAF.

  4. Change the Domain Name System (DNS) record of the domain name to resolve the domain name to the CNAME or IP address of WAF. For more information, see Modify the DNS record of a domain name.
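A pre-cutover check for steps 3 and 4 above, as an added example that is not part of the original page or of any WAF tooling: it reports which parts of the WAF back-to-origin CIDR blocks the origin firewall's IP address whitelist still misses, and whether a set of resolver answers routes the domain through the WAF CNAME. All addresses, host names and function names are constructed placeholders, and only the CNAME case of step 4 is handled.

```python
import ipaddress

# Constructed sample data (RFC 5737 documentation ranges, placeholder names),
# not real WAF values: take the real ones from the WAF console.
WAF_BACK_TO_ORIGIN = ["198.51.100.0/25", "198.51.100.128/25", "203.0.113.0/24"]
ORIGIN_ALLOWLIST = ["198.51.100.0/24", "203.0.113.0/25", "192.0.2.10/32"]
WAF_CNAME = "waf-cname-placeholder.invalid"
DNS_ANSWERS = [  # (name, record type, value), as a resolver would return them
    ("www.example.com.", "CNAME", "WAF-CNAME-placeholder.invalid."),
    ("waf-cname-placeholder.invalid.", "A", "198.51.100.7"),
]


def uncovered_blocks(waf_blocks, allowlist):
    """Return the parts of the WAF blocks that no allowlist entry covers."""
    allowed = [ipaddress.ip_network(a, strict=False) for a in allowlist]
    missing = []
    for block in waf_blocks:
        remaining = [ipaddress.ip_network(block, strict=False)]
        for allow in allowed:
            still_open = []
            for net in remaining:
                if net.version == allow.version and net.subnet_of(allow):
                    continue  # fully covered by this allowlist entry
                if net.version == allow.version and allow.subnet_of(net):
                    # partly covered: keep only the pieces outside the entry
                    still_open.extend(net.address_exclude(allow))
                else:
                    still_open.append(net)  # disjoint from this entry
            remaining = still_open
        missing.extend(remaining)
    out = []
    for version in (4, 6):  # collapse_addresses rejects mixed IP versions
        out += ipaddress.collapse_addresses(
            [n for n in missing if n.version == version])
    return [str(n) for n in out]


def resolves_via_waf(domain, answers, waf_cname):
    """Follow the CNAME chain from domain; True if it passes through waf_cname."""
    norm = lambda s: s.lower().rstrip(".")
    cnames = {norm(n): norm(v) for n, t, v in answers if t == "CNAME"}
    name, seen = norm(domain), set()
    while name in cnames and name not in seen:  # seen guards against CNAME loops
        seen.add(name)
        name = cnames[name]
        if name == norm(waf_cname):
            return True
    return False
```

A non-empty result from `uncovered_blocks` means requests forwarded by WAF from those ranges would still be blocked at the origin, so close that gap before changing the DNS record.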

Hybrid cloud mode

If your web services are deployed on third-party clouds, private clouds, or data centers, you can add the web services to WAF in hybrid cloud mode. This way, you can manage and protect your web services in a centralized manner. For more information, see Hybrid cloud mode.

Step 3: Configure protection policies

After you add an instance or a domain name to WAF, WAF automatically adds the instance or domain name as a protected object and enables the protection rules of the basic protection rule module for the object. By default, medium and loose rules are used and the protection action is set to Block.

  • If you do not have special security requirements, you can use default settings. You can view protection details on the Security Reports page. For more information, see Step 4: View security reports.

  • If your website is under web attacks, we recommend that you configure protection policies based on the attack details that are displayed on the Overview and Security Reports pages. For more information, see Protection configuration overview.

Step 4: View security reports

On the Security Reports page, you can view the protection details of the protection policies that you configured and perform operations on the source IP addresses of attacks.

  • When you view the security report of the basic protection rule module, you can click Ignore False Positive to add an attack IP address to the whitelist. Then, requests that are initiated from the IP address are allowed.

  • When you view the security report of the bot management module, you can click Add to Whitelist or Add to Blacklist to add an IP address to the whitelist or blacklist.