
Web Application Firewall:Getting started

Last Updated:Jan 10, 2024

To use Web Application Firewall (WAF) to protect a website, you must purchase a WAF instance, add the website to WAF, and configure website protection rules. WAF security reports provide information about attack records and access statistics. You can view security reports to obtain the security status of your website.

Procedure


Step 1: Purchase a WAF instance

  • If WAF is not activated, perform the following operations to purchase a WAF instance.

  • If WAF is already activated, skip this step and go to Step 2: Add a website to WAF.

  1. Log on to the WAF console. On the Welcome to Web Application Firewall (WAF) page, click Purchase WAF Subscription.

  2. On the buy page, select the edition and specifications. Then, complete the payment.

  3. After you purchase a WAF instance, click Console to go to the WAF console.

Step 2: Add a website to WAF

You can use one of the following methods to add your website to WAF:

  • CNAME record mode: You can add your website to WAF in CNAME record mode regardless of whether your origin server is deployed in the cloud or a data center. The origin server must be accessible over the Internet and you must change the DNS record. For more information, see CNAME record mode.

  • Transparent proxy mode: If your origin server is deployed on an Elastic Compute Service (ECS) instance or Internet-facing Server Load Balancer (SLB) instance, you can add your website to WAF in transparent proxy mode without the need to update the DNS record. For more information, see Transparent proxy mode.

Note

Before you add your website to WAF, make sure that WAF is authorized to access cloud resources. For more information, see Authorize WAF to access cloud resources.

  1. Add a website.

    1. In the left-side navigation pane, choose Asset Center > Website Access.

    2. On the Domain Names tab, click Website Access.

    3. On the Add Domain Name page, set Access Mode to CNAME Record or Transparent Proxy Mode.

    4. Complete the configuration steps.

      • For more information about how to add a website to WAF in CNAME record mode, see Add a domain name to WAF.

      • For more information about how to add a website to WAF in transparent proxy mode, see Transparent proxy mode.

    After the website is added to WAF, you can navigate to the Website Access page to view the CNAME that is assigned by WAF to the domain name of the website.

  2. If you set Access Mode to CNAME Record, perform the following operations to update the DNS record of the domain name and map the domain name to the CNAME assigned by WAF.

    • If your website is not added to a Layer 7 service such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, add a CNAME record in the system of your DNS service provider and set the CNAME value to the CNAME assigned by WAF.

      If you use Alibaba Cloud DNS, you can update the DNS record in the Alibaba Cloud DNS console. For more information, see Modify a DNS record.

    • If your website is added to a Layer 7 service such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, go to the console of that Layer 7 service and change its back-to-origin address to the CNAME assigned by WAF. This way, requests destined for your website pass through the Layer 7 service and then reach WAF. For more information, see Protect a website service by using both Anti-DDoS Pro or Anti-DDoS Premium and WAF and Use WAF together with CDN.

    You can ping the domain name of your website or use a DNS verification tool to check whether the DNS record has taken effect. The DNS record does not take effect immediately. If the verification fails, verify the DNS record again after 10 minutes.
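    As an added example that is not part of this documentation, the following POSIX shell script verifies that a domain name's CNAME record points at the CNAME assigned by WAF, re-checking at the 10-minute interval the procedure recommends. It assumes that dig is installed; the domain name and WAF CNAME values in the usage comment are placeholders.

```shell
# Added example, not Alibaba Cloud code. Usage (placeholder values):
#   check_waf_cname www.example.com abc123.waf.placeholder.com 8.8.8.8

# cname_matches RESOLVED EXPECTED
# RESOLVED is the output of `dig +short CNAME <domain>` (one name per line).
# Succeeds if any line equals EXPECTED, ignoring letter case and a trailing dot.
cname_matches() {
    expected=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//')
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//' \
        | grep -qFx -- "$expected"
}

# resolve_cname DOMAIN [RESOLVER]
# Queries the CNAME record. Naming an explicit public resolver sidesteps a
# stale local cache, a common reason a fresh record seems not to take effect.
resolve_cname() {
    if [ -n "$2" ]; then
        dig +short CNAME "$1" "@$2"
    else
        dig +short CNAME "$1"
    fi
}

# check_waf_cname DOMAIN EXPECTED_CNAME [RESOLVER] [ATTEMPTS] [INTERVAL_SECONDS]
# Retries until the record is visible. Defaults follow the documentation's
# advice: re-check after 10 minutes (600 s), up to 3 attempts.
check_waf_cname() {
    domain=$1; expected=$2; resolver=${3:-}
    attempts=${4:-3}; interval=${5:-600}
    i=1
    while [ "$i" -le "$attempts" ]; do
        resolved=$(resolve_cname "$domain" "$resolver")
        if cname_matches "$resolved" "$expected"; then
            echo "OK: $domain -> $expected"
            return 0
        fi
        echo "attempt $i/$attempts: $domain resolves to '${resolved:-<no CNAME>}', expected $expected"
        [ "$i" -lt "$attempts" ] && sleep "$interval"
        i=$((i + 1))
    done
    echo "FAIL: CNAME for $domain does not point at WAF" >&2
    return 1
}
```

    This check covers the direct-CNAME case only: if the website sits behind Anti-DDoS Pro, Anti-DDoS Premium, or CDN, the public CNAME points at that service and the WAF CNAME is configured as its back-to-origin address instead.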

Step 3: Configure website protection rules

After you add your website to WAF, Protection Rules Engine and HTTP Flood Protection are automatically enabled. The Protection Rules Engine feature protects websites against common web attacks, such as SQL injection, cross-site scripting (XSS), and webshell uploads. The HTTP Flood Protection feature protects websites against HTTP flood attacks. If you want to enable other features, perform the following operations:

  1. In the left-side navigation pane, choose Protection Settings > Website Protection. In the upper part of the Website Protection page, select the domain name for which you want to configure protection rules.

    You can also choose Asset Center > Website Access. On the Domain Names tab, find the domain name that you want to protect in the domain name list and click Config in the Actions column.

  2. Click the Web Security, Bot Management, or Access Control/Throttling tab to configure protection rules. For more information, see Overview.

Step 4: View security reports

  1. In the left-side navigation pane, choose Security Operations > Security Report.

  2. Click the Web Security, Bot Management, or Access Control/Throttling tab to view the attack records and access statistics of websites that are added to WAF. For more information, see View security reports.