This topic describes the Pro, Business, Enterprise, and Exclusive editions of Web Application Firewall (WAF), the business scale that each edition supports, and the protection features that each edition provides. Each edition applies to a different business scale and provides specific protection features. You can purchase WAF instances based on the subscription billing method. If you want to purchase the Exclusive edition, you must submit a ticket.

Editions and supported business scales

The following table lists the business scales supported by each edition. We recommend that you choose the Business or Enterprise edition for medium-sized enterprise websites.
Note: If you want to purchase the Exclusive edition, you must submit a ticket.
| Business specification | Pro edition | Business edition | Enterprise edition | Public cloud exclusive edition (submit tickets to purchase) | Hybrid cloud exclusive edition (submit tickets to purchase) |
| --- | --- | --- | --- | --- | --- |
| Website scale | Small- and medium-sized websites that do not have special security requirements | Medium-sized enterprise-grade websites that provide services to all Internet users and have high data security requirements | Medium- and large-sized enterprise-grade websites that have custom security requirements | Large-sized enterprise-grade websites that require business-specific configurations | Large-sized enterprise-grade websites that require protection for applications deployed on Alibaba Cloud, on public clouds of other cloud service providers, or in data centers |
| Peak queries per second (QPS) | 2,000 QPS | 5,000 QPS | Higher than 10,000 | 5,000 QPS | 10,000 QPS |
| Maximum bandwidth, in Mbit/s (The origin server is deployed on Alibaba Cloud.) | 50 Mbps | 100 Mbps | 200 Mbps | 100 Mbps | 10 Mbps |
| Maximum bandwidth, in Mbit/s (The origin server is not deployed on Alibaba Cloud.) | 10 Mbps | 30 Mbps | 50 Mbps | 30 Mbps | 10 Mbps |
| Default number of second-level domains that can be protected | 1 | 1 | 1 | 200 | 100 |
| Default number of domains that can be protected in total (Wildcard domains are supported.) | 10 | 10 | 10 | 200 | 100 |

For more information about how to activate WAF, see Purchase a WAF instance.

Editions and supported features (in mainland China)

The following table describes the features that each edition of WAF supports in mainland China. A WAF instance is billed on a subscription basis.

Symbol descriptions:
  • √: indicates that the feature is supported.
  • ×: indicates that the feature is not supported.
  • ○: indicates that the feature is a value-added service. If you want to enable it, you must pay additional fees. You can enable the feature when you purchase or upgrade a WAF instance.
  • △: indicates that the feature must be separately enabled on the Feature Settings page for a pay-as-you-go WAF instance.
Feature Description Pro edition Business edition Enterprise edition Exclusive edition (submit tickets to purchase)
Website access
HTTPS protection Allows you to implement HTTPS protection for websites with a few clicks.
HTTP/2 protection Allows you to protect websites that use HTTP/2. ×
Non-standard port protection Protects traffic over ports other than the standard ports 80, 8080, 443, and 8443. ×
Intelligent load balancing Connects to multiple SLB service nodes to implement automatic disaster recovery and optimal routing with low latency.
Exclusive IP address Provides exclusive IP addresses to protect specific domain names.
Exclusive cluster Allows you to customize service access and protection capabilities based on business requirements. × × ×
Website protection
Protection Rules Engine Protects against common web attacks, such as SQL injection and XSS attacks.
Enables automatic update of protection rules against web zero-day vulnerabilities.
Custom protection rule group Allows you to customize protection rule groups. ×
Big Data Deep Learning Engine Detects web zero-day vulnerabilities. ×
Positive security model Provides positive defense capabilities based on deep learning of website traffic. × ×
Website tamper-proofing Locks web pages to prevent tampering with content.
Data leak prevention Prevents the leak of sensitive data, such as ID card numbers, mobile numbers, and bank card numbers.
HTTP flood protection Protects against common HTTP flood attacks in Prevention or Prevention-emergency mode.
Blacklist Blocks access requests from specific IP addresses or CIDR blocks.
Blocks access requests from specific IP addresses, specific CIDR blocks, or IP addresses in specific regions. ×
Scan protection Blocks IP addresses that frequently initiate web attacks and path traversal and the IP addresses of scanning tools, and provides collaborative defense. Default rules are used to block the first type of IP addresses.
Supports the above protection capabilities and allows you to customize blocking rules for high-frequency web attacks and path traversal. ×
Custom protection policy Supports ACL-based access control by using basic fields, such as IP, URL, Referer, User-Agent, and Params.
Supports ACL-based access control by using basic fields and advanced fields. The advanced fields include Cookie, Content-Type, Header, and Http-Method. ×
Allows you to configure rate limiting policies based on IP addresses and sessions. You can customize HTTP flood protection rules in which you can add match conditions and configure rate limiting policies. ×
Allows you to configure rate limiting policies based on IP addresses, sessions, and custom fields. × ×
Data risk control Protects crucial website services, such as registrations, logons, activities, and forums, against fraud.
Allowed crawlers Maintains a whitelist that consists of authorized search engines, such as Google, Bing, Baidu, Sogou and Yandex. The crawlers of these search engines are allowed to access specified domain names.
Bot threat intelligence Provides information about suspicious IP addresses that are used by dialers, data centers, and malicious scanners. This feature also maintains an IP address library of malicious crawlers and prevents crawlers from accessing all pages under your domain name or specific directories.
App protection Provides secure connectivity and anti-bot protection for native apps. This feature can identify requests from proxy servers and emulators and requests with invalid signatures.
Account security Detects dictionary attacks, brute-force attacks, spam user registration, weak passwords, and SMS flood attacks on service endpoints, such as registration and logon endpoints.
Security analysis and support
Log Service for WAF Collects and stores all logs, enables near-real-time query and analysis, and provides online reports. ×

Editions and supported features (outside mainland China)

The following table describes the features that each edition of WAF supports outside mainland China. A WAF instance is billed on a subscription basis.

Feature Description Pro edition Business edition Enterprise edition Exclusive edition (submit tickets to purchase)
Website access
HTTPS protection Allows you to implement HTTPS protection for websites with a few clicks.
HTTP/2 protection Allows you to protect websites that use HTTP/2. ×
Non-standard port protection Protects traffic over ports other than the standard ports 80, 8080, 443, and 8443. ×
Intelligent load balancing Connects to multiple SLB service nodes to implement automatic disaster recovery and optimal routing with low latency. ×
Exclusive IP address Provides exclusive IP addresses to protect specific domain names.
Exclusive cluster Allows you to customize service access and protection capabilities based on business requirements. × × ×
Website protection
Protection Rules Engine Protects against common web attacks, such as SQL injection and XSS attacks.
Enables automatic update of protection rules against web zero-day vulnerabilities.
Custom protection rule group Allows you to customize protection rule groups. × ×
Big Data Deep Learning Engine Detects web zero-day vulnerabilities. × × × ×
Positive security model Provides positive defense capabilities based on deep learning of website traffic. × ×
Website tamper-proofing Locks web pages to prevent tampering with content. × ×
Data leak prevention Prevents the leak of sensitive data, such as ID card numbers, mobile numbers, and bank card numbers. ×
HTTP flood protection Protects against common HTTP flood attacks in Prevention or Prevention-emergency mode.
Blacklist Blocks access requests from specific IP addresses or CIDR blocks.
Blocks access requests from specific IP addresses, specific CIDR blocks, or IP addresses in specific regions. × ×
Scan protection Blocks IP addresses that frequently initiate web attacks and path traversal and the IP addresses of scanning tools, and provides collaborative defense. Default rules are used to block the first type of IP addresses.
Supports the above protection capabilities and allows you to customize blocking rules for high-frequency web attacks and path traversal. ×
Custom protection policy Supports ACL-based access control by using basic fields, such as IP, URL, Referer, User-Agent, and Params.
Supports ACL-based access control by using basic fields and advanced fields. The advanced fields include Cookie, Content-Type, Header, and Http-Method. ×
Allows you to configure rate limiting policies based on IP addresses and sessions. You can customize HTTP flood protection rules in which you can add match conditions and configure rate limiting policies. ×
Allows you to configure rate limiting policies based on IP addresses, sessions, and custom fields. × ×
Data risk control Protects crucial website services, such as registrations, logons, activities, and forums, against fraud. × × × ×
Allowed crawlers Maintains a whitelist that consists of authorized search engines, such as Google, Bing, Baidu, Sogou and Yandex. The crawlers of these search engines are allowed to access specified domain names.
Bot threat intelligence Provides information about suspicious IP addresses that are used by dialers, data centers, and malicious scanners. This feature also maintains an IP address library of malicious crawlers and prevents crawlers from accessing all pages under your domain name or specific directories.
App protection Provides secure connectivity and anti-bot protection for native apps. This feature can identify requests from proxy servers and emulators and requests with invalid signatures.
Account security Detects dictionary attacks, brute-force attacks, spam user registration, weak passwords, and SMS flood attacks on service endpoints, such as registration and logon endpoints.
Security analysis and support
Log Service for WAF Collects and stores all logs, enables near-real-time query and analysis, and provides online reports. ×