After you add your website to Web Application Firewall (WAF), you can enable the IPv6 traffic protection feature for the website with a few clicks. This feature protects your website against attacks that originate from IPv6 sources.
Prerequisites
- A subscription WAF instance is purchased. The WAF instance runs the Business, Enterprise, or Exclusive edition. For more information, see Purchase a WAF instance.
- The WAF instance resides in mainland China.
Note IPv6 traffic protection is not supported for WAF instances that reside outside mainland China.
- Your website is added to WAF. For more information, see Add a website.
Background information
- Resolution requests from IPv4 clients are resolved to a protection cluster for IPv4 addresses.
- Resolution requests from IPv6 clients are resolved to a protection cluster for IPv6 addresses.
Two-channel resolution allows WAF to detect and block threats that originate from IPv4 and IPv6 sources. Only normal traffic is forwarded to origin servers.
In addition, you can enable the feature of forwarding requests to origin servers over IPv6. To enable this feature, you must configure back-to-origin IPv4 and IPv6 addresses and select Use the Same Protocol. This way, WAF forwards requests to origin servers based on the protocol that is specified in the requests. For more information, see Add a website.

Procedure
What to do next
To ensure that origin servers can receive the requests forwarded by WAF, you must configure the origin servers to allow the requests from the new back-to-origin CIDR blocks of WAF. This applies especially when you have configured the origin servers to allow requests from only the back-to-origin CIDR blocks of WAF. If you do not configure the origin servers to allow the requests from the new back-to-origin CIDR blocks of WAF, access from IPv6 clients may encounter errors or fail. For more information, see Allow access from WAF back-to-origin CIDR blocks and Configure protection for an origin server.