Web Application Firewall: Getting started with WAF

Last Updated: Feb 27, 2026

To get started with Web Application Firewall (WAF), you must purchase a WAF instance, add your website, and configure mitigation policies. After the configuration is complete, you can view security reports to check attack prevention records and access statistics to understand the security status of your website.

Procedure

Step 1: Purchase a WAF instance

  • If you have not yet activated WAF, follow these steps to purchase a WAF instance.

  • If you have already activated WAF, skip this step and proceed to add your website. For more information, see Step 2: Add a website.

  1. Log on to the Web Application Firewall console. On the Welcome to Web Application Firewall page, click Purchase Subscription.

  2. On the Subscription pane, select the product edition and specifications, and then complete the purchase.

  3. After you complete the purchase, click Management Console to return to the WAF console.

Step 2: Add a website

WAF supports the following two connection types:

  • CNAME record mode: This mode supports websites that are deployed on Alibaba Cloud or in a data center. You must change the DNS records for your website. For more information, see Add a website in CNAME record mode.

  • Transparent proxy mode: This mode supports websites that are deployed on Alibaba Cloud ECS or Internet-facing SLB instances. You do not need to change DNS records. For more information, see Add a website in transparent proxy mode.

Note

Before you add your website to WAF, ensure that WAF is authorized to access other cloud resources. For more information, see Authorize WAF to access cloud resources.

  1. Add a website.

    1. In the navigation pane on the left, choose Asset Center > Website Access.

    2. On the Domain Names tab, click Add Website.

    3. On the Add Domain Name page, set Connection Type to CNAME Record Mode or Transparent Proxy Mode.

    4. Follow the instructions in the configuration wizard to add the domain name information for your website.

      • For instructions on how to use the CNAME record mode, see Step 4.

      • For instructions on how to use the transparent proxy mode, see Step 5.

    After you add the website, you can view the domain name and its CNAME address in the Website Access list.

  2. If you set Connection Type to CNAME Record Mode, you must change the DNS record of your domain name to point to the CNAME address.

    • If your website does not use other proxy services, such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, go to the management system of your DNS service provider. Then, add a CNAME record and set its value to the CNAME address that is provided by WAF.

      If you use Alibaba Cloud DNS, you can change the DNS record in the Alibaba Cloud DNS console. For more information, see Change a DNS record.

    • If your website uses other proxy services, such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, go to the console of the proxy service and change the origin URL to the CNAME address that is provided by WAF. This ensures that WAF can receive access requests for your website. For more information, see Improve website security by deploying Anti-DDoS and WAF and Use WAF and CDN to protect an accelerated domain name.

    After you change the DNS record, you can ping the domain name or use a DNS checker to verify that the new record has taken effect. The DNS record may take some time to propagate. If the verification fails, wait 10 minutes and try again.
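
The DNS verification described above, as an added example that is not part of the original documentation: a shell function that reads `dig +noall +answer` output and reports whether the domain's CNAME chain reaches the CNAME address shown in the Website Access list. The names `cname_reaches_waf`, `check`, `waf-assigned.example.net` and the sample answers are constructed placeholders.

```shell
#!/bin/sh
# Added example: judge from `dig +noall +answer` output (on stdin) whether a
# domain's CNAME chain reaches the CNAME address that WAF assigned.
# Exit status of: cname_reaches_waf DOMAIN WAF_CNAME
#   0  chain from DOMAIN reaches WAF_CNAME (record has taken effect)
#   1  DOMAIN resolves, but not through WAF_CNAME (old record still served,
#      or a proxy such as CDN sits in front and holds the WAF CNAME as origin)
#   2  the answer contains no record for DOMAIN
cname_reaches_waf() {
    awk -v start="$1" -v want="$2" '
        # DNS names are case-insensitive; dig prints them with a trailing dot.
        function norm(s) { s = tolower(s); sub(/\.$/, "", s); return s }
        BEGIN { start = norm(start); want = norm(want) }
        $4 == "CNAME"             { target[norm($1)] = norm($5) }
        $4 == "A" || $4 == "AAAA" { addr[norm($1)] = 1 }
        END {
            cur = start
            for (hop = 0; hop < 10; hop++) {   # hop limit guards against loops
                if (cur == want) exit 0
                if (!(cur in target)) break
                cur = target[cur]
            }
            exit (((start in target) || (start in addr)) ? 1 : 2)
        }'
}

# Constructed answer sections (placeholders, not real captures).
SWITCHED='www.example.com.          600 IN CNAME waf-assigned.example.net.
waf-assigned.example.net. 60  IN A     203.0.113.10'
STALE='www.example.com. 600 IN A 198.51.100.7'

# Live use:
#   dig +noall +answer www.example.com | cname_reaches_waf www.example.com <WAF CNAME>
check() {   # prints a verdict for one constructed answer, returns the status
    rc=0
    printf '%s\n' "$2" |
        cname_reaches_waf www.example.com waf-assigned.example.net || rc=$?
    case $rc in
        0) echo "$1: CNAME points to WAF" ;;
        1) echo "$1: not via WAF yet; wait 10 minutes and retry" ;;
        *) echo "$1: no answer for the domain" ;;
    esac
    return $rc
}
check switched "$SWITCHED" || true
check stale "$STALE" || true
check empty "" || true
```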

Step 3: Configure mitigation policies

After you add a website to WAF, the Protection Rules Engine and CC Attack Protection features are enabled by default. These features protect your website from common web application attacks, such as SQL injection, cross-site scripting (XSS), and webshell uploads, and also from CC attacks. To enable other protection modules, follow these steps.

  1. In the navigation pane on the left, choose Mitigation Settings > Website Protection. At the top of the Website Protection page, select the domain name that you want to configure.

    Alternatively, you can choose Asset Center > Website Access. In the website list, find the domain name that you want to protect and click Mitigation Settings in the Actions column to go to the Website Protection page for that domain.

  2. Click the Web Security, Bot Management, or Access Control/Rate Limiting tab to configure mitigation policies. For more information, see Website protection settings.

Step 4: View security reports

  1. In the navigation pane on the left, choose Security Operations > Security Reports.

  2. Click the Web Security, Bot Management, or Access Control/Rate Limiting tab to view attack prevention records and access statistics for your protected websites. For more information, see View WAF security reports.