Quick Starts

Get started with WAF 3.0

Web Application Firewall (WAF) identifies malicious web traffic and then forwards normal traffic to your origin server. This protects your origin server from attacks and ensures data security. This topic describes how to get started with WAF 3.0 to protect your web services.

Background information

The following topics can help you be familiar with WAF 3.0:

Step 1: Purchase a WAF 3.0 instance

  1. Log on to the WAF 3.0 console. On the Welcome to Web Application Firewall (WAF) page, click Purchase WAF Subscription or Pay-As-You-Go to purchase a subscription or pay-as-you-go WAF 3.0 instance.

  2. On the buy page that appears, specify the specifications based on your business requirements and complete the payment.

  3. After you purchase a WAF instance, click Console to go back to the WAF 3.0 console.

Step 2: Access WAF 3.0

You can select an access mode in which you want to add your web services to WAF 3.0 according to the following figure. 接入方式选择-en

Cloud native mode


You cannot enable the following features for resources that are added to WAF in cloud native mode, such as Application Load Balancer (ALB) instances, Microservices Engine (MSE) instances, and custom domain names in Function Compute:

  • Website tamper-proofing

  • Data leakage prevention

  • Automatic integration of the Web SDK in bot management for website protection

  • API security

CNAME record mode

  1. Add a domain name to WAF. For more information, see the "Step 1: Add a domain name" section in the CNAME record mode topic.

  2. Check whether the configurations take effect on your on-premises machine. For more information, see Verify domain name settings.

  3. If the origin server on which the domain name is deployed uses a third-party firewall, add the WAF back-to-origin IP address to the IP address whitelist of the third-party firewall. This prevents normal requests that are forwarded by WAF from being blocked. For more information, see Allow access from back-to-origin CIDR blocks of WAF.

  4. Change the DNS record of the domain name to resolve the domain name to the CNAME or IP address of WAF. For more information, see Change the DNS record of a domain name.

Hybrid cloud mode

If your web services are deployed on third-party clouds and data centers, you can add your web services to WAF in hybrid cloud mode. This way, you can manage and protect the services in a centralized manner. For more information, see Hybrid cloud mode.

Step 3: Configure protection policies

After you add an instance or a domain name to WAF, WAF automatically adds the instance or domain name as a protected object and enables basic protection rules for the protected object. By default, a medium rule group is used and the protection action is set to Block.

  • If you do not have special security requirements, you can use the default settings and view the protection details on the Security Reports page. For more information, see Step 4: View security reports.

  • If your website is under web attacks, we recommend that you configure protection policies based on the attack details that are displayed on the Overview and Security Reports pages. For more information, see Protection configuration overview.

Step 4: View security reports

On the Security Reports page, view the protection details of the protection policies that you configured and perform operations on the IP addresses from which attacks are initiated.

  • When you view the security report of the basic protection rule module, you can enable the false positive ignoring feature to add specific IP addresses to a whitelist to allow requests that are initiated from the IP address.

  • When you view the security report of the bot management module, you can click Add to Whitelist or Add to Blacklist to add specific IP addresses to a whitelist or a blacklist.

Was this helpful?