This topic walks you through how to deploy and use Web Application Firewall (WAF). WAF protects your website only after you purchase a WAF instance, add your website to WAF, and configure website protection policies. WAF provides security reports that show attack records and access statistics, which you can use to assess the security posture of your website.

Step 1: Purchase a WAF instance

  1. Log on to the Web Application Firewall console.
  2. On the Welcome to Web Application Firewall (WAF) page, click Purchase WAF Subscription to go to the buy page of WAF.
    If you have purchased a WAF instance, the Welcome to Web Application Firewall page does not appear. For more information, see Step 2: Add a website to WAF.
  3. On the Web Application Firewall buy page, select the product edition and specifications. Then, complete the payment.
    For more information, see Purchase a WAF instance.
  4. After you purchase the WAF instance, go back to the WAF console.

Step 2: Add a website to WAF

To add a website to WAF, you must add the domain name of the website to your WAF instance and change the DNS record of the domain name to redirect the traffic destined for the website to WAF for protection.

Note: Before you can add your website to WAF, make sure that your WAF instance is authorized to access other cloud resources. For more information, see Authorize WAF to access cloud resources.
  1. Add the website.
    1. On the Website Access page, click Website Access.
    2. Set Access Mode to CNAME Record and click the Manually Add tab.
    3. Complete the wizard.
      For more information, see Manually add website configurations.
      Notice: If you have configured a proxy in front of WAF, select Yes for Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF. Otherwise, WAF cannot obtain the actual IP addresses of clients. Proxies include Anti-DDoS Pro, Anti-DDoS Premium, and Alibaba Cloud CDN.
    After the website is added to WAF, you can view the CNAME that WAF assigns to the domain name of the website on the Website Access page.
    Notice: If the website supports HTTPS, you must upload the SSL certificate for the domain name of the website after the website is added. This way, WAF can process HTTPS traffic. For more information, see Upload an HTTPS certificate.
  2. Change the DNS record of the domain name to map the domain name to the CNAME assigned by WAF.
    • If you have not configured a proxy, such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, in front of WAF, visit the website of your DNS service provider to change the CNAME record. If your DNS service provider is Alibaba Cloud DNS, log on to the Alibaba Cloud DNS console and add a CNAME record by using the CNAME assigned by WAF.

      For more information, see Change a DNS record.

    • If you have configured a proxy, such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, in front of WAF, log on to the console of the proxy and change the back-to-origin address of the proxy to the CNAME assigned by WAF. This way, WAF can receive the requests destined for the website.

      For more information, see Use WAF with Anti-DDoS Pro or Anti-DDoS Premium and Use WAF with CDN.
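
Example (added here, not part of the original WAF documentation): after you change the DNS record, you can confirm from resolver output that the domain name maps to the CNAME assigned by WAF. The script parses the text printed by `dig +noall +answer`; the domain names, the WAF CNAME, the IP addresses, and the function names are constructed placeholders.

```python
# Added example. Hostnames and addresses are constructed placeholders.
AFTER_CUTOVER = """\
www.example.com.           600 IN CNAME waf-assigned.example.net.
waf-assigned.example.net.   60 IN A     203.0.113.10
"""
BEFORE_CUTOVER = "www.example.com. 600 IN A 198.51.100.7\n"
BEHIND_PROXY = """\
www.example.com.    600 IN CNAME proxy.example.org.
proxy.example.org.   60 IN A     192.0.2.20
"""

def norm(name):
    """DNS names compare case-insensitively; dig prints a trailing dot."""
    return name.rstrip(".").lower()

def parse_answers(dig_text):
    """Turn `dig +noall +answer` lines into (owner, type, rdata) tuples."""
    records = []
    for line in dig_text.splitlines():
        fields = line.split()  # owner, TTL, class, type, rdata
        if len(fields) < 5 or fields[0].startswith(";"):
            continue
        rtype = fields[3].upper()
        rdata = norm(fields[4]) if rtype == "CNAME" else fields[4]
        records.append((norm(fields[0]), rtype, rdata))
    return records

def cname_chain(records, domain):
    """Follow CNAME records starting at the domain; stop on a loop."""
    cnames = {owner: rdata for owner, rtype, rdata in records if rtype == "CNAME"}
    chain, current, seen = [], norm(domain), set()
    while current in cnames and current not in seen:
        seen.add(current)
        current = cnames[current]
        chain.append(current)
    return chain

def check_cutover(dig_text, domain, waf_cname):
    records = parse_answers(dig_text)
    chain = cname_chain(records, domain)
    if norm(waf_cname) in chain:
        return "via-waf"              # DNS maps the domain to the WAF CNAME
    if chain:
        return "cname-elsewhere"      # expected only when a proxy fronts WAF
    if any(o == norm(domain) and t in ("A", "AAAA") for o, t, _ in records):
        return "address-record-only"  # no CNAME: traffic does not reach WAF
    return "no-answer"

if __name__ == "__main__":
    for text in (AFTER_CUTOVER, BEFORE_CUTOVER, BEHIND_PROXY):
        print(check_cutover(text, "www.example.com", "waf-assigned.example.net"))
```

If a proxy is deployed in front of WAF, the DNS check reports `cname-elsewhere` because the CNAME assigned by WAF is set as the back-to-origin address of the proxy; verify that setting in the console of the proxy instead.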

Step 3: Configure website protection policies

After you add the domain name, WAF filters access requests and forwards normal requests to the origin servers. WAF provides multiple features to protect your website against different types of attacks. Among the features, only Protection Rules Engine and HTTP Flood Protection are enabled by default. The Protection Rules Engine feature protects your website against common web attacks, such as SQL injections, XSS attacks, and webshell uploads. The HTTP Flood Protection feature protects your website against HTTP flood attacks. You must manually enable other features and configure protection rules. For more information, see Overview.

Step 4: View security reports

On the Security Report page, you can view the attack records and access statistics of the website protected by WAF. For more information, see View security reports.