Web Application Firewall (WAF) identifies malicious web traffic and forwards normal traffic to your origin server. This protects your origin server from attacks and ensures data security. This topic describes how to get started with WAF 3.0 to protect your web services.
Background information
The following topics can help you become familiar with WAF 3.0:
Step 1: Purchase a WAF 3.0 instance
Log on to the WAF 3.0 console. On the Welcome to Web Application Firewall (WAF) page, click Purchase Subscription Instance or Purchase Pay as you go Instance.
On the Web Application Firewall 3.0 (Subscription) or Web Application Firewall (Pay as you go) buy page, select the specifications based on your business requirements and complete the payment.
For more information about how to purchase a subscription WAF 3.0 instance, see Purchase a WAF 3.0 Basic instance and Purchase a WAF 3.0 Pro, Enterprise, or Ultimate instance.
For more information about how to purchase a pay-as-you-go WAF 3.0 instance, see Purchase a pay-as-you-go WAF 3.0 instance.
After you purchase a WAF 3.0 instance, click Console to go back to the WAF 3.0 console.
Step 2: Add web services to WAF 3.0
Select the access mode that you want to use to add your web services to WAF 3.0 based on the instructions that are shown in the following figure.
Cloud native mode
Different access modes support different protection features. You can select an access mode based on your business requirements. For more information, see Access modes and protection features.
Cloud service | References |
Application Load Balancer (ALB) | |
Microservices Engine (MSE) | |
Function Compute | Enable WAF protection for a custom domain name bound to a web application in Function Compute |
Classic Load Balancer (CLB) | |
Elastic Compute Service (ECS) | |
CNAME record mode
Add a domain name to WAF. For more information, see Add a domain name to WAF.
On your on-premises machine, check whether the forwarding configurations take effect. For more information, see Verify domain name settings.
If the origin server on which the domain name is hosted uses a third-party firewall, add the IP address of WAF to the IP address whitelist of the third-party firewall. This prevents normal requests that are forwarded by WAF from being blocked. For more information, see Allow access from back-to-origin CIDR blocks of WAF.
Change the Domain Name System (DNS) record of the domain name to resolve the domain name to the CNAME or IP address of WAF. For more information, see Modify the DNS record of a domain name.
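The firewall whitelist step above can be checked offline before you change the DNS record. The following Python sketch is an added example, not code from the WAF documentation: it reports which parts of the WAF back-to-origin CIDR blocks a third-party firewall whitelist does not yet cover. The function name and every CIDR block in it are constructed placeholders (documentation address ranges); take the real back-to-origin CIDR blocks from the WAF console.

```python
import ipaddress


def uncovered_waf_ranges(waf_cidrs, firewall_whitelist):
    """Return the parts of the WAF back-to-origin ranges that the whitelist misses."""
    allowed = [ipaddress.ip_network(e, strict=False) for e in firewall_whitelist]
    missing = []
    for cidr in waf_cidrs:
        remaining = [ipaddress.ip_network(cidr, strict=False)]
        for entry in allowed:
            still_open = []
            for net in remaining:
                if net.version != entry.version:
                    still_open.append(net)          # IPv4 entry cannot cover IPv6
                elif net.subnet_of(entry):
                    continue                        # fully covered by this entry
                elif entry.subnet_of(net):
                    # Entry covers only a slice: keep the rest as uncovered.
                    still_open.extend(net.address_exclude(entry))
                else:
                    still_open.append(net)          # disjoint networks
            remaining = still_open
        missing.extend(remaining)
    return sorted(missing, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


# Constructed sample data, not real WAF addresses.
SAMPLE_WAF_CIDRS = ["192.0.2.0/24", "198.51.100.0/25", "2001:db8:100::/48"]
SAMPLE_WHITELIST = ["192.0.2.0/25", "198.51.100.0/24", "203.0.113.7"]

if __name__ == "__main__":
    gaps = uncovered_waf_ranges(SAMPLE_WAF_CIDRS, SAMPLE_WHITELIST)
    if gaps:
        print("Requests forwarded by WAF from these ranges would be blocked:")
        for net in gaps:
            print("  ", net)
    else:
        print("All back-to-origin ranges are whitelisted.")
```

In the sample data the first WAF range is only half whitelisted and the IPv6 range is missing, so both are reported, while the second range is covered by a broader whitelist entry.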
Hybrid cloud mode
If your web services are deployed on third-party clouds, private clouds, or data centers, you can add the web services to WAF in hybrid cloud mode. This way, you can manage and protect your web services in a centralized manner. For more information, see Hybrid cloud mode.
Step 3: Configure protection policies
After you add an instance or a domain name to WAF, WAF automatically adds the instance or domain name as a protected object and enables the protection rules of the basic protection rule module for the object. By default, a medium rule group is used and the protection action is set to Block.
If you do not have special security requirements, you can use the default settings. You can view protection details on the Security Reports page. For more information, see Step 4: View security reports.
If your website is under web attacks, we recommend that you configure protection policies based on the attack details that are displayed on the Overview and Security Reports pages. For more information, see Protection configuration overview.
Step 4: View security reports
On the Security Reports page, you can view the protection details of the protection policies that you configured and perform operations on the source IP addresses of attacks.
When you view the security report of the basic protection rule module, you can click Ignore False Positive to add an attack IP address to the whitelist. Then, requests that are initiated from the IP address are allowed.
When you view the security report of the bot management module, you can click Add to Whitelist or Add to Blacklist to add an IP address to the whitelist or blacklist.