All Products
Document Center

Web Application Firewall:Enable IPv6 traffic protection

Last Updated:Jun 01, 2023

This feature protects your website against attacks that originate from IPv6 sources. This topic describes how to enable IPv6 traffic protection.

Background information

After you enable IPv6 traffic protection, the CNAME that is automatically generated by Web Application Firewall (WAF) resolves in two channels based on the following rules:

  • Requests that are sent from IPv4 clients are resolved to a protection cluster that uses IPv4.

  • Requests that are sent from IPv6 clients are resolved to a protection cluster that uses IPv6.

The two-channel resolution allows WAF to detect and block threats that originate from IPv4 and IPv6 sources. Only secure traffic is forwarded to origin servers.

In addition, you can enable request forwarding to origin servers over IPv6. To enable this feature, you must configure back-to-origin IPv4 and IPv6 addresses and select Use the Same Protocol. Then, WAF forwards requests to origin servers based on the protocol that is specified in the requests. For more information, see Add a domain name to WAF.


  • A subscription WAF instance of one of the following editions is purchased: Business, Enterprise, and Exclusive.

  • The WAF instance resides in the Chinese mainland.


    IPv6 traffic protection is not supported by WAF instances that reside outside the Chinese mainland.

  • The website that you want to protect is added to WAF in CNAME record mode. For more information, see Add a domain name to WAF.


    IPv6 traffic protection is not supported for websites that are added to WAF in transparent proxy mode.


  1. Log on to the WAF console. In the top navigation bar, select the resource group and the region to which your WAF instance belongs. Select Chinese Mainland.

    If Chinese Mainland is displayed in the WAF console, you do not need to switch the region.

  2. In the left-side navigation pane, choose Asset Center > Website Access.

  3. On the Domain Names tab, find the domain name for which you want to enable IPv6 traffic protection and turn on IPV6 in the Quick Access column. Enable IPv6

  4. In the Tips message, click Confirm.

    After IPv6 protection is enabled, the status of the IPv6 switch in the Quick Access column changes to Enabled.

What to do next

After IPv6 protection is enabled, WAF uses new back-to-origin CIDR blocks to forward the requests from the IPv6 clients to origin servers.

To ensure that origin servers can receive the requests forwarded by WAF, you must configure the origin servers to allow the requests from the new back-to-origin CIDR blocks of WAF, especially when you have configured access control for the origin servers. Otherwise, access from IPv6 clients may encounter errors or failures. For more information, see Allow access from back-to-origin CIDR blocks of WAF and Configure protection for an origin server.