After you add your website to Web Application Firewall (WAF), you can enable the IPv6 traffic protection feature for the website with a few clicks. This feature protects your website against attacks that originate from IPv6 sources.

Prerequisites

  • A subscription WAF instance is purchased. The WAF instance runs the Business, Enterprise, or Exclusive edition. For more information, see Purchase a WAF instance.
  • The WAF instance resides in mainland China.
    Note: IPv6 traffic protection is not supported for WAF instances that reside outside mainland China.
  • Your website is added to WAF. For more information, see Add a website.

Background information

After IPv6 traffic protection is enabled, the Canonical Name (CNAME) that is automatically generated by WAF is resolved in two channels. Take note of the following resolution rules:
  • Resolution requests from IPv4 clients are resolved to a protection cluster for IPv4 addresses.
  • Resolution requests from IPv6 clients are resolved to a protection cluster for IPv6 addresses.

Two-channel resolution allows WAF to detect and block threats that originate from IPv4 and IPv6 sources. Only normal traffic is forwarded to origin servers.

In addition, you can enable the feature of forwarding requests to origin servers over IPv6. To enable this feature, you must configure back-to-origin IPv4 and IPv6 addresses and select Use the Same Protocol. This way, WAF forwards requests to origin servers based on the protocol that is specified in the requests. For more information, see Add a website.

Figure: Configuration to forward requests to origin servers over IPv6

Procedure

  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group and region to which the WAF instance belongs. The region can be Mainland China or International.
  3. In the left-side navigation pane, choose Asset Center > Website Access.
  4. In the domain name list, find the domain name that you want to manage, and turn on the IPv6 switch in the Quick Access column.
  5. In the Tips message, click OK.

What to do next

After IPv6 is enabled, WAF uses new back-to-origin Classless Inter-Domain Routing (CIDR) blocks to forward the requests from the IPv6 clients to origin servers.

To ensure that origin servers can receive the requests forwarded by WAF, you must configure the origin servers to allow the requests from the new back-to-origin CIDR blocks of WAF. This applies especially when you have configured the origin servers to allow requests from only the back-to-origin CIDR blocks of WAF. If you do not configure the origin servers to allow the requests from the new back-to-origin CIDR blocks of WAF, access from IPv6 clients may encounter errors or fail. For more information, see Allow access from WAF back-to-origin CIDR blocks and Configure protection for an origin server.
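The following added example (not part of the original page or of the WAF product) checks an origin server allowlist against a list of WAF back-to-origin CIDR blocks and reports every range that is still blocked, including blocks that are only partly allowed. The CIDR values are constructed from documentation address ranges and the function name is hypothetical; replace both lists with the blocks published for your WAF instance and your real origin allowlist.

```python
import ipaddress

# Constructed sample data (documentation ranges), not real WAF CIDR blocks.
WAF_BLOCKS = ["192.0.2.0/24", "198.51.100.0/25", "2001:db8:100::/48"]
# Constructed origin allowlist written before IPv6 was enabled: IPv4 only,
# and one entry is narrower than the WAF block it is meant to cover.
ORIGIN_ALLOWLIST = ["192.0.2.0/24", "198.51.100.0/26"]


def uncovered(waf_blocks, allowlist):
    """Map each WAF block to the parts of it that the allowlist does not cover."""
    allowed = [ipaddress.ip_network(a, strict=False) for a in allowlist]
    gaps = {}
    for raw in waf_blocks:
        block = ipaddress.ip_network(raw, strict=False)
        remaining = [block]
        for net in allowed:
            if net.version != block.version:
                continue  # an IPv4 rule never covers an IPv6 block
            still_open = []
            for part in remaining:
                if part.subnet_of(net):
                    continue  # fully covered by this rule
                if net.subnet_of(part):
                    # Rule covers only a slice: keep the rest as a gap.
                    still_open.extend(part.address_exclude(net))
                else:
                    still_open.append(part)  # disjoint, rule does not help
            remaining = still_open
        if remaining:
            merged = ipaddress.collapse_addresses(remaining)
            gaps[str(block)] = [str(n) for n in merged]
    return gaps


if __name__ == "__main__":
    for block, missing in uncovered(WAF_BLOCKS, ORIGIN_ALLOWLIST).items():
        print(f"{block}: origin still blocks {', '.join(missing)}")
```

An empty result means every back-to-origin block, IPv4 and IPv6, is allowed by the origin.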