All Products
Document Center

Web Application Firewall:Get started with WAF 3.0

Last Updated:Jan 18, 2024

Web Application Firewall (WAF) identifies malicious web traffic and forwards normal traffic to your origin server. This protects your origin server from attacks and ensures data security. This topic describes how to get started with WAF 3.0 to protect your web services.

Background information

The following topics can help you become familiar with WAF 3.0:

Step 1: Purchase a WAF 3.0 instance

  1. Log on to the WAF 3.0 console. On the Welcome to Web Application Firewall (WAF) page, click Purchase WAF Subscription or Pay-As-You-Go to purchase a subscription or pay-as-you-go WAF 3.0 instance.

  2. On the buy page that appears, select the specifications based on your business requirements and complete the payment.

  3. After you purchase a WAF 3.0 instance, click Console to go back to the WAF 3.0 console.

Step 2: Add web services to WAF 3.0

You can select an access mode in which you want to add your web services to WAF 3.0 based on the instructions that are shown in the following figure.


Cloud Native Mode

Different access modes support different protection features. Select an access mode based on your business requirements. For more information, see Editions.

Cloud service


Application Load Balancer (ALB)

Enable WAF protection for an ALB instance

Microservices Engine (MSE)

Enable WAF protection for an MSE instance

Function Compute

Enable WAF protection for a custom domain name bound to a web application in Function Compute

Classic Load Balancer (CLB)

Elastic Compute Service (ECS)

Add an ECS instance to WAF

CNAME record mode

  1. Add a domain name to WAF. For more information, see Step 1: Add a domain name to WAF.

  2. Check whether the configurations take effect on your on-premises machine. For more information, see Verify domain name settings.

  3. If the origin server on which the domain name is hosted uses a third-party firewall, add the WAF IP address to the IP address whitelist of the third-party firewall. This prevents normal requests that are forwarded by WAF from being blocked. For more information, see Allow access from back-to-origin CIDR blocks of WAF.

  4. Change the DNS record of the domain name to resolve the domain name to the CNAME or IP address of WAF. For more information, see Modify the DNS record of a domain name.

Hybrid cloud mode

If your web services are deployed on third-party clouds and data centers, you can add the web services to WAF in hybrid cloud mode. This way, you can manage and protect the services in a centralized manner. For more information, see Hybrid cloud mode.

Step 3: Configure protection policies

After you add an instance or a domain name to WAF, WAF automatically adds the instance or domain name as a protected object and enables basic protection rules for the object. By default, a medium rule group is used and the protection action is set to Block.

  • If you do not have special security requirements, you can use the default settings and view the protection details on the Security Reports page. For more information, see Step 4: View security reports.

  • If your website is under web attacks, we recommend that you configure protection policies based on the attack details that are displayed on the Overview and Security Reports pages. For more information, see Protection configuration overview.

Step 4: View security reports

On the Security Reports page, view the protection details of the protection policies that you configured and perform operations on the source IP addresses of attacks.

  • When you view the security report of the basic protection rule module, you can enable the false positive ignoring feature to add specific IP addresses to the whitelist to allow requests that are initiated from the IP address.

  • When you view the security report of the bot management module, you can click Add to Whitelist or Add to Blacklist to add specific IP addresses to the whitelist or blacklist.