This topic describes the access traffic flow of Web Application Firewall (WAF).

Access traffic flow description:

Note: IP addresses of WAF instances are all deployed on the cloud. You can use a virtual IP address that is configured for a WAF instance to view traffic over Banff. A WAF instance that is configured with a virtual IP address is an LVS cluster. The virtual IP address is similar to the virtual IP address of an SLB instance. You can view the virtual IP address of the WAF instance and the IP address of a WAF engine at the backend in SLB/VPC Operations and Maintenance System.

  1. A client sends a request to access the virtual IP address of a WAF instance.
  2. The WAF instance forwards the request to backend server A of an LVS cluster.
  3. Server A parses the request packets up to Layer 7 and checks whether the request is a malicious access request or an attack.
    • If the request is a normal access request, server A forwards it to an origin server.
    • If the request is a malicious access request, server A blocks the request and returns the parsed packet information to the client. The traffic flow ends.
  4. The origin server processes the forwarded request and returns the processing results to server A.
    Note: Server A has different roles in Step 3 and Step 4.
    • For the client, server A acts as a server.
    • For the origin server, server A acts as a client.
  5. Server A returns packet information to the client by using the IP address of the LVS cluster. The traffic flow ends.
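
The dual role of server A in Steps 3 to 5, as a runnable sketch on localhost (an added example, not code from the product). It leaves out the LVS layer. The names `ServerA`, `Origin`, `fetch`, `run_flow` and `BLOCK_MARKERS`, the two match strings, and the 403 block response are all assumptions made for illustration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote

# Constructed, deliberately minimal rules (an assumption, not the product's rule set).
BLOCK_MARKERS = ("<script", "../")
LOCAL = ("127.0.0.1", 0)  # port 0: let the OS pick a free port

def fetch(addr, path):
    """Client role: GET path from addr and return (status, body)."""
    conn = http.client.HTTPConnection(*addr, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    result = (resp.status, resp.read())
    conn.close()
    return result

class Base(BaseHTTPRequestHandler):
    def reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    log_message = lambda self, *args: None  # keep the demo quiet

class Origin(Base):
    def do_GET(self):
        self.reply(200, b"origin handled " + self.path.encode())

class ServerA(Base):
    origin = None  # (host, port) of the origin server, set in run_flow()
    def do_GET(self):
        # Step 3, server role: inspect the parsed Layer 7 request.
        if any(m in unquote(self.path).lower() for m in BLOCK_MARKERS):
            return self.reply(403, b"blocked by WAF")  # traffic flow ends
        # Steps 3-4, client role: a second, separate connection to the origin.
        self.reply(*fetch(self.origin, self.path))  # Step 5: relay the result

def run_flow(paths):
    """Send each path through server A; return [(status, body), ...]."""
    with HTTPServer(LOCAL, Origin) as origin, HTTPServer(LOCAL, ServerA) as waf:
        ServerA.origin = origin.server_address
        for srv in (origin, waf):
            threading.Thread(target=srv.serve_forever, daemon=True).start()
        results = [fetch(waf.server_address, p) for p in paths]
        for srv in (origin, waf):
            srv.shutdown()
    return results

if __name__ == "__main__":
    print(run_flow(["/index.html", "/search?q=%3Cscript%3Ealert(1)"]))
```

Because server A opens its own connection in Step 3, the origin's peer address for every forwarded request is server A, and a blocked request never reaches the origin at all.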