If you add a website to Web Application Firewall (WAF) and the website uses HTTPS to transmit data, you can customize the TLS version settings and cipher suites for the domain name of the website. This lets you strengthen the security of the website in scenarios that require compliance with classified protection, or improve the TLS compatibility of the website in scenarios that require support for clients that use earlier TLS versions.
After an HTTPS website is added to WAF, WAF automatically specifies TLS settings for the website to ensure secure communication. If requests use TLS versions and cipher suites that are not within the specified ranges, WAF blocks the requests.
WAF allows you to customize TLS cipher suites. This helps prevent access failures caused by the mismatch between the cipher suites used by the website and the cipher suites automatically specified by WAF. You can modify TLS version settings and cipher suites for the website based on your business requirements.
Prerequisites
- The website is added to WAF.
- The website uses HTTPS to transmit data, and the required HTTPS certificate is uploaded.
Configure TLS settings
- Log on to the WAF console.
- In the left-side navigation pane, choose .
- On the Website Access page, find the domain name for which you want to configure TLS settings and click Configure TLS in the Actions column.
  Note: You can configure TLS settings only for the domain names that use HTTPS to transmit data. If a domain name uses HTTP, or a domain name uses HTTPS but has no HTTPS certificate uploaded, the Configure TLS button does not appear.
- On the Configure TLS Security Policy page, configure the TLS version settings and cipher suites.
Parameter: Description
Domain Name: The domain name for which you want to configure TLS settings. This value is automatically filled. You do not need to enter the domain name.
TLS Version: Select the TLS version used by the website. Valid values:
- Support TLS 1.0 and Later (High Compatibility and Low Security): WAF supports TLS 1.0 and later for your website.
- Support TLS 1.1 and Later (Moderate Compatibility and Moderate Security): WAF supports TLS 1.1 and later for your website. If an access request of the website uses TLS 1.0, the request fails.
- Support TLS 1.2 and Later (Moderate Compatibility and High Security): WAF supports TLS 1.2 and later for your website. If an access request of the website uses TLS 1.0 or 1.1, the request fails.
Enable support for TLS 1.3: Select Enable support for TLS 1.3.
Cipher Suite: Select the cipher suite template that you want to use. Valid values:
- All Cipher Suites (High Compatibility and Low Security): The following cipher suites are supported:
- Strong cipher suites:
- Weak cipher suites:
- Strong cipher suites:
- Custom Cipher Suite (Select It Based on Protocol Version. Proceed with Caution.)
- Click Save. If requests use TLS versions and cipher suites that are not within the specified ranges, WAF blocks the requests.
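To check that a saved policy behaves as described above, the following added example (not Alibaba Cloud code) pins a client handshake to one TLS version at a time and compares the result with what the selected TLS Version option should allow. The policy keys are shorthand invented for this example, the host you pass to `audit` is your own domain, and the example assumes that TLS 1.3 is offered only when Enable support for TLS 1.3 is selected.

```python
import socket
import ssl

V = ssl.TLSVersion
# Keys are shorthand invented for this example; they stand for the three
# "TLS Version" options on this page and are not WAF API values.
POLICY_FLOOR = {"1.0+": V.TLSv1, "1.1+": V.TLSv1_1, "1.2+": V.TLSv1_2}

def expected_outcomes(policy, tls13_enabled):
    """Return {version name: True if the handshake should succeed}."""
    floor = POLICY_FLOOR[policy]
    result = {v.name: v >= floor for v in (V.TLSv1, V.TLSv1_1, V.TLSv1_2)}
    # Assumption: TLS 1.3 is offered only when the checkbox is selected.
    result[V.TLSv1_3.name] = bool(tls13_enabled)
    return result

def probe(host, version, port=443, timeout=5.0):
    """Attempt a handshake pinned to exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Certificate checks are off because only protocol negotiation is tested;
    # never reuse this context for real traffic.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # Lower the local OpenSSL security level so that a refused TLS 1.0/1.1
    # handshake reflects the server policy, not this client's defaults.
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False

def mismatches(expected, observed):
    """Return {version name: (expected, observed)} where the two differ."""
    return {name: (want, observed[name])
            for name, want in expected.items() if observed[name] != want}

def audit(host, policy, tls13_enabled):
    """Probe every version against host and report deviations from policy."""
    expected = expected_outcomes(policy, tls13_enabled)
    observed = {name: probe(host, V[name]) for name in expected}
    return mismatches(expected, observed)
```

An empty result from `audit` means every probed version was accepted or refused as the policy predicts. The local OpenSSL build must itself still support TLS 1.0 and 1.1 for those probes to be meaningful.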