Quick start

Step 1: Purchase a WAF instance

1. Log on to the WAF console.
2. On the Welcome to Web Application Firewall (WAF) page, click Purchase WAF Subscription to go to the buy page of WAF.
   If you have purchased a WAF instance, the Welcome to Web Application Firewall page does not appear. For more information, see Step 2: Add a website to WAF.
3. On the Web Application Firewall buy page, select the product edition and specifications. Then, complete the payment.
   For more information, see Purchase a WAF instance.
4. After you purchase the WAF instance, go back to the WAF console.

Step 2: Add a website to WAF

To add a website to WAF, you must add the domain name of the website to your WAF instance and change the DNS record of the domain name to redirect the traffic destined for the website to WAF for protection.

1. Add the website.
   1. On the Website Access page, click Website Access.
   2. Set Access Mode to CNAME Record and click the Manually Add tab.
   3. Complete the wizard.
      For more information, see Manually add domain name configurations.

      Notice If you have configured a proxy in front of WAF, select Yes for Does a layer 7 proxy (DDoS Protection/CDN, etc.) exist in front of WAF. Otherwise, WAF cannot obtain the actual IP addresses of clients. Proxies include Anti-DDoS Pro, Anti-DDoS Premium, and Alibaba Cloud CDN.

      
   After the website is added to WAF, you can view the CNAME that WAF assigns to the domain name of the website on the Website Access page.

   Notice If the website supports HTTPS, you must upload the SSL certificate for the domain name of the website after the website is added. This way, WAF can process HTTPS traffic. For more information, see Upload an HTTPS certificate.
2. Change the DNS record of the domain name to map the domain name to the CNAME assigned by WAF.
   • If you have not configured a proxy, such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, in front of WAF, visit the website of your DNS service provider to change the CNAME record. If your DNS service provider is Alibaba Cloud DNS, log on to the Alibaba Cloud DNS console and add a CNAME record by using the CNAME assigned by WAF.

     For more information, see Change a DNS record.

   • If you have configured a proxy, such as Anti-DDoS Pro, Anti-DDoS Premium, or Alibaba Cloud CDN, in front of WAF, log on to the console of the proxy and change the back-to-origin address of the proxy to the CNAME assigned by WAF. This way, WAF can receive the requests destined for the website.

     For more information, see Add a website to both Anti-DDoS Pro or Anti-DDoS Premium and WAF and Use WAF with CDN.

Step 3: Configure website protection policies

After you add the domain name, WAF filters access requests and forwards normal requests to the origin servers. WAF provides multiple features to protect your website against different types of attacks. Among the features, only Protection Rules Engine and HTTP Flood Protection are enabled by default. The Protection Rules Engine feature protects your website against common web attacks, such as SQL injections, XSS attacks, and webshell uploads. The HTTP Flood Protection feature protects your website against HTTP flood attacks. You must manually enable other features and configure protection rules. For more information, see Overview.

Step 4: View security reports

On the Security Report page, you can view the attack records and access statistics of the website protected by WAF. For more information, see View Security Reports.