This topic walks you through how to deploy and use Web Application Firewall (WAF).
WAF protects your website only after you purchase a WAF instance, add your website
to WAF, and configure website protection policies. WAF provides security reports that
show attack records and access statistics, which you can use to assess the security
posture of your website.
Step 1: Purchase a WAF instance
- Log on to the WAF console.
- On the Welcome to Web Application Firewall (WAF) page, click Purchase WAF Subscription to go to the buy page of WAF.
  If you have purchased a WAF instance, the Welcome to Web Application Firewall page does not appear. For more information, see Step 2: Add a website to WAF.
- On the Web Application Firewall buy page, select the product edition and specifications. Then, complete the payment.
- After you purchase the WAF instance, go back to the WAF console.
Step 2: Add a website to WAF
To add a website to WAF, you must add the domain name of the website to your WAF instance
and change the DNS record of the domain name to redirect the traffic destined for
the website to WAF for protection.
- Add the website.
  - On the Website Access page, click Website Access.
  - Set Access Mode to CNAME Record and click the Manually Add tab.
  - Complete the wizard. For more information, see Manually add domain name configurations.

    Notice: If you have configured a proxy in front of WAF, select Yes for Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF. Otherwise, WAF cannot obtain the actual IP addresses of clients. Proxies include Anti-DDoS Pro, Anti-DDoS Premium, and Alibaba Cloud CDN.

  After the website is added to WAF, you can view the CNAME that WAF assigns to the domain name of the website on the Website Access page.

  Notice: If the website supports HTTPS, you must upload the SSL certificate for the domain name of the website after the website is added. This way, WAF can process HTTPS traffic. For more information, see Upload an HTTPS certificate.
- Change the DNS record of the domain name to map the domain name to the CNAME assigned by WAF.
  - If you have not configured a proxy, such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, in front of WAF, visit the website of your DNS service provider to change the CNAME record. If your DNS service provider is Alibaba Cloud DNS, log on to the Alibaba Cloud DNS console and add a CNAME record by using the CNAME assigned by WAF. For more information, see Change a DNS record.
  - If you have configured a proxy, such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, in front of WAF, log on to the console of the proxy and change the back-to-origin address of the proxy to the CNAME assigned by WAF. This way, WAF can receive the requests destined for the website. For more information, see Add a website to both Anti-DDoS Pro or Anti-DDoS Premium and WAF and Use WAF with CDN.
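
The notice in Step 2 about the layer 7 proxy setting is easier to reason about with a concrete model. The following is an added example, not Alibaba Cloud code and not a description of how WAF is implemented: a generic client-IP resolver in which the `proxy_in_front` flag plays the role of that setting. The `X-Forwarded-For` header name, the function names, and the documentation-reserved address ranges are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample: address range of the layer 7 proxy placed in front of
# the WAF (assumption; real ranges come from the proxy provider).
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]


def _is_trusted(addr, trusted):
    return any(addr in net for net in trusted)


def client_ip(peer, xff_header, proxy_in_front, trusted=TRUSTED_PROXIES):
    """Return the address that rate limits and blacklists should act on.

    peer           -- source address of the TCP connection
    xff_header     -- raw X-Forwarded-For value, or None
    proxy_in_front -- equivalent of the "layer 7 proxy exists" setting
    """
    peer_addr = ipaddress.ip_address(peer)
    # No proxy configured: the TCP peer is the client. X-Forwarded-For is
    # client-controlled in this case and is ignored.
    if not proxy_in_front:
        return str(peer_addr)
    # Proxy configured, but this connection did not come from it:
    # the header cannot be trusted, so fall back to the peer.
    if not _is_trusted(peer_addr, trusted):
        return str(peer_addr)
    # Each hop appends the address it saw, so walk right to left and take
    # the first entry that is not one of our own proxies.
    for entry in reversed((xff_header or "").split(",")):
        try:
            addr = ipaddress.ip_address(entry.strip())
        except ValueError:
            break  # malformed or empty entry: stop and use the peer
        if not _is_trusted(addr, trusted):
            return str(addr)
    return str(peer_addr)
```

With a proxy in front and the flag off, every request resolves to the proxy's own address, so per-client controls would act on the proxy instead of the visitor.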
Step 3: Configure website protection policies
After you add the domain name, WAF filters access requests and forwards normal requests
to the origin servers. WAF provides multiple features to protect your website against
different types of attacks. Among the features, only Protection Rules Engine and HTTP Flood Protection are enabled by default. The Protection Rules Engine feature protects your website
against common web attacks, such as SQL injections, XSS attacks, and webshell uploads.
The HTTP Flood Protection feature protects your website against HTTP flood attacks.
You must manually enable other features and configure protection rules. For more information,
see Overview.
Step 4: View security reports
On the Security Report page, you can view the attack records and access statistics of the website protected
by WAF. For more information, see View Security Reports.