Getting started - Web Application Firewall - Alibaba Cloud Documentation Center

To get started with , you must purchase a WAF instance, add the website that you want to protect to WAF, and configure website protection rules. WAF provides security reports that show attack records and access statistics. These security reports help you gain an understanding about the security status of your website.

Step 1: Purchase a WAF instance

If you have not activated WAF, perform the following operations to purchase a WAF instance.
If you have activated WAF, skip this step and move on to Step 2. For more information, see Step 2: Add a website to WAF.

Log on to the WAF console.On the Welcome to Web Application Firewall (WAF) page, click Purchase WAF Subscription.
On the buy page that appears, select the edition and specifications. Then, complete the payment. For more information about the editions and specifications of WAF, see Purchase a subscription WAF instance.
After you purchase a WAF instance, click Console to go back to the WAF console.

Step 2: Add a website to WAF

You can use either of the following methods to add your website to WAF:

CNAME record mode: You can add your website to WAF in CNAME record mode regardless of whether your origin server is deployed in the cloud or on-premises. However, the origin server must be accessible over the Internet and you must change the DNS record. For more information, see CNAME record mode.
Transparent proxy mode: If your origin server is an Elastic Compute Service (ECS) instance or is added to an Internet-facing Server Load Balancer (SLB) instance, you can add your website to WAF in transparent proxy mode without needing to change the DNS record. For more information, see Add a website in transparent proxy mode.

Note Before you add your website to WAF, make sure that WAF is authorized to access cloud resources. For more information, see Authorize WAF to access cloud resources.

Add a domain name.
1. In the left-side navigation pane, choose Asset Center > Website Access.
2. On the Domain Names tab, click Website Access.
3. On the Add Domain Name page, set Access Mode to CNAME Record or Transparent Proxy Mode.
4. Complete the configuration steps.
  - For more information about how to add a website to WAF in CNAME record mode, see Add a domain name.
  - For more information about how to add a website to WAF in transparent proxy mode, see Add a website in transparent proxy mode.
After the website is added to WAF, you can navigate to the Website Access page to view the CNAME that is assigned by WAF to the domain name of the website.
If you set Access Mode to CNAME Record, perform the following operations to change the DNS record of the domain name and map the domain name to the CNAME assigned by WAF.
- If your website is not added to a Layer 7 service such as Anti-DDoS Pro, Anti-DDoS Premium, and Alibaba Cloud CDN, add a CNAME record in the system of your DNS service provider and set the CNAME value to the CNAME assigned by WAF.
  If you use Alibaba Cloud DNS, you can change the CNAME record in the Alibaba Cloud DNS console. For more information, see Use Alibaba Cloud DNS to change the DNS record.
- If your website has been added to a Layer 7 service such as Anti-DDoS Pro, Anti-DDoS Premium, and Alibaba Cloud CDN, go to the console of the Layer 7 service and change the back-to-origin address of the Layer 7 service to the CNAME assigned by WAF. This way, WAF can receive the requests that are destined for your website. For more information, see Protect a website service by using both Anti-DDoS Pro or Anti-DDoS Premium and WAF and Use WAF with CDN.
You can ping the domain name of your website or use a DNS detection tool to verify whether the DNS record takes effect. The DNS record does not take effect immediately. If the verification fails, verify the DNS record again in 10 minutes.

Step 3: Configure website protection rules

After you add your website to WAF, Protection Rules Engine and HTTP Flood Protection are enabled by default. The Protection Rules Engine feature protects websites against common web attacks, such as SQL injections, cross-site scripting (XSS) attacks, and webshell uploads. The HTTP Flood Protection feature protects websites against HTTP flood attacks. If you want to enable other features, perform the following operations:

In the left-side navigation pane, choose Protection Settings > Website Protection. In the upper part of the Website Protection page, select the domain name for which you want to configure protection rules.
You can also choose Asset Center > Website Access. On the Domain Names tab, find the domain name that you want to protect in the domain name list. Click Config in the Actions column.
Click the Web Security, Bot Management, or Access Control/Throttling tab to configure protection rules. For more information, see Website protection settings.

Step 4: View security reports

In the left-side navigation pane, choose Security Operations > Security Report.
Click the Web Security, Bot Management, or Access Control/Throttling tab to view the attack records and access statistics of websites that are added to WAF and have configured protection rules. For more information, see View security reports.