Product advantages

Professional, stable, one-stop solution to the core security pain points of web applications
Professional: Combines multiple layers of protection (self-developed rules, AI deep learning, and active defense) and supports flexible user-defined rules
Stable: Multi-line node disaster tolerance, intelligent optimal-path routing, millisecond response, and protection for services handling up to one million QPS
Timely: Automatic, hour-level defense against 0-day web application vulnerabilities
Comprehensive: One-stop protection covering vulnerabilities, web attacks, bot traffic, data security and account security, meeting security operations and maintenance requirements
Compliance: Meets classified protection (MLPS), PCI-DSS and other compliance requirements, helping enterprises build security and compliance
Threat intelligence: Network-wide threat intelligence accumulated from Alibaba's real business scenarios and constantly updated
Achieved a grand slam in international evaluations of web application firewalls
Recognized by authoritative international institutions: Achieved the web application firewall grand slam (Gartner, Forrester, IDC, Frost & Sullivan)
Deep accumulation: Many years of protecting Tmall, Taobao Double 11, and Alibaba's core business have accumulated a large body of attack and defense data and practical experience
Supports hybrid cloud/multi-cloud deployment, with flexible access and billing methods
Hybrid cloud/multi-cloud application: Covers public cloud (both Alibaba Cloud and non-Alibaba Cloud), hybrid cloud, IDC, offline machine room and other scenarios
Flexible deployment mode: Provides a software-based deployment mode, so traffic gets the same protection capability as in the cloud without being routed to the cloud
Flexible access mode: Supports one-click access for Alibaba Cloud products such as SLB/CDN/ECS, and fast DNS-based access for non-cloud services
Flexible payment methods: Supports monthly subscription and pay as you go

Product Functions

Web Intrusion Prevention
Automatic vulnerability protection: Hour-level automatic defense against 0-day web application vulnerabilities, without manual patching
Multiple dynamic defenses: Self-developed rules, AI deep learning, and active defense, combined with constantly updated network-wide threat intelligence, to eliminate defense gaps
Anti-scanning and probing: Automatically intercepts scanning and probing based on their characteristics and behavior, together with network-wide threat intelligence and deep learning algorithms, to prevent attackers from discovering exploitable system weaknesses
Customizable protection rules: Protection rules can be flexibly customized according to actual business needs
Traffic management and crawler prevention and control
Flexible traffic management: Supports user-defined combinations of full HTTP header and body features to meet the access control and rate limiting requirements of individual business needs
CC attack protection: Based on default protection policies at different levels and flexible, precise access control and rate limiting policies, effectively mitigates CC attacks (HTTP flood) in combination with human-machine verification, blocking and other response actions
Accurate crawler identification: Accurately identifies crawlers based on multi-dimensional data such as fingerprints, behavior, features and intelligence, combined with AI, and automatically responds to crawler variants
Full-scenario prevention and control: Applies to crawler risk prevention and control across web businesses such as websites, H5, apps, and mini programs, and helps enterprises prevent and control business risks such as cheating and promotion abuse ("wool pulling")
Rich crawler response methods: Depending on the actual business scenario, traffic can be handled by interception, human-machine verification, rate limiting, deception, etc.
Scenario configuration: Scenario-based configuration guidance helps users with no prior experience get started quickly with Alibaba's best practices
Data security prevention and control
Protect API security: Actively discovers API interfaces with risks such as being outdated, lacking authentication, excessive data exposure, and sensitive information disclosure
Prevent sensitive information disclosure: Detects and prevents leakage of sensitive information such as ID card numbers, bank card numbers, mobile phone numbers and sensitive words
Anti page tampering: By locking the content of key pages, ensures that even if a page is tampered with, users still see the unchanged content, served from the cache
Account risk detection: Automatically identifies common account risks such as credential stuffing, brute-force cracking and weak passwords
Security operation and maintenance and compliance
Secure access: One-click HTTPS, full-link IPv6, intelligent load balancing, high availability on and off the cloud, and rapid disaster recovery
Full access logs: Records and stores full web access logs, with support for real-time SQL query analysis and user-defined alarms
Automated asset identification: Based on cloud big data, comprehensively discovers domain name assets that have not been onboarded to protection, reducing the attack surface
Hybrid cloud deployment: Supports local protection of non-cloud traffic
Classified protection (MLPS) compliance: Meets the compliance requirements of various industries

Product specification

Pay as you go version

Pay as you go
Region: Mainland China
WAF version: 3.0 by volume

Volume based preferential resource package

Used to offset volume-based WAF bills, which can save up to 20%
Resource package specification: 2000
Purchase quantity: 1
Term of validity: 1 year

Basic Edition

Suitable for protecting small and medium-sized web applications on the cloud
Edition: Basic Edition
Purchase duration: 1 month

Advanced and above

Suitable for protecting medium and large web applications on the cloud
Edition: Advanced Edition
Purchase duration: 1 month

Hybrid cloud/multi cloud version

Suitable for services that cannot be connected to Alibaba Cloud and need to be deployed locally
Multi-cloud/hybrid cloud protection extension nodes: 2
Purchase duration: 1 year

Vulnerability scanning service (30 assets or fewer)

Provides web vulnerability scanning and host vulnerability scanning services for your assets
Number of scans: Once
Service cycle: 1 month

Application scenarios

Web application basic security protection scenario
Essential security capabilities for web applications moving to the cloud
Provides automatic protection against 0-day vulnerabilities in web applications without manual patching and repair, helps you effectively reduce intrusion by attackers and malware into web applications such as websites, H5, apps, and mini programs, and reduces the risk of web page trojan planting, page tampering, crawling, data leakage, CC attacks, and so on.
Problems that can be solved
Comprehensive protection against common web attacks such as SQL injection, XSS, web shell upload, directory traversal, and backdoor isolation
Prevents attackers from using CC attack software to direct compromised hosts ("broilers") to launch CC attacks on applications
0-day vulnerabilities are quickly and automatically fixed through virtual patches, addressing problems such as code changes being difficult and taking a long time
Proactively inventories and finds obsolete/outdated data interfaces and assets that lack permission and rate controls, reducing the risk of data leakage
Automatic interception of scanning and probing

Business risk protection scenario
Prevent business cheating and promotion abuse ("wool pulling")
System availability problems caused by heavy traffic during business promotion campaigns, and the "wool pulling" triggered by discounts, are common; they seriously undermine campaign results and can even have a negative impact. Based on the group's years of business operation experience, Alibaba Cloud provides customers with a complete business operation risk protection scheme.
Problems that can be solved
Ensures the stable operation of systems supporting business promotion campaigns, and avoids problems such as website slowdowns and even downtime caused by bot traffic
Prevents "wool pulling" and business cheating, so that the operation strategy reaches real customers
Alleviates data crawling and the excessive bandwidth cost caused by crawlers

Hybrid cloud/multi cloud protection scenario
Web application firewall hybrid cloud/multi-cloud solution
By deploying the cloud WAF protection cluster to the customer's local environment, it supports web service protection in a variety of environments, such as public cloud, private cloud, offline IDC, and computer room, and supports unified control and operation and maintenance on and off the cloud through the Alibaba Cloud WAF console.
Applicable scenarios
Services with strict latency and high reliability requirements that need unified protection of multi-active, disaster-tolerant deployments across multiple network environments.
Web businesses that, due to the particular nature of the business itself, cannot be protected by Alibaba Cloud WAF.
Protection of private-network web services, on or off the cloud.

Product Dynamics

2018-04-27 New Features/Specifications
Upgraded precise access control function of Web application firewall released
2018-04-28 Function optimization
Console key tips after the Web application firewall expires
2018-05-29 New Features/Specifications
Web application firewall launches trial of business data big screen
2018-06-12 New Region/New Availability Zone
Alibaba Cloud Web application firewall goes online in Dubai
2018-06-15 New Products
Verification code service released and launched
2018-07-10 Bug fix
Black hole notification alarm when a Web application firewall instance outside mainland China enters a black hole
2018-07-27 New Features/Specifications
Web application firewall OpenAPI released
2018-08-09 New Features/Specifications
Web application firewall supports deep learning engine
2018-08-16 Function optimization
Web application firewall DingTalk service group QR code published
2018-09-05 New Features/Specifications
Web application firewall supports large visualization screen
2018-10-01 New Features/Specifications
Web application firewall supports security event alarms
2018-10-17 New Features/Specifications
Web application firewall full log supports query by blocking event unique ID
2018-10-19 Function optimization
Web application firewall full log search and homepage display optimization
2018-10-24 New Features/Specifications
Web application firewall supports traffic marking function
2018-11-16 New Features/Specifications
Web application firewall supports business log storage for up to one year
2018-11-27 Bug fix
The Web application firewall fixes the security log display problem in alert mode.
2018-11-28 Function optimization
The Web application firewall supports account change and quick configuration of the same domain name
2018-11-28 Function optimization
The Web application firewall supports account A authorization and account B configuration of the corresponding exact domain name under wildcard domain name permissions.
2018-12-06 Function optimization
Web application firewall data risk control JS insertion optimization released
2018-12-11 Function optimization
Web application firewall overview page interception curve optimization released
2018-12-12 Function optimization
Web application firewall QPS curve graph optimization released
2018-12-13 New Features/Specifications
Web application firewall custom web protection rule groups released
2018-12-20 New Features/Specifications
Web application firewall web page tamper-proofing API released
2019-01-03 New Features/Specifications
WAF's regional IP blocking supports user-defined countries/regions
2019-01-26 Function optimization
Alibaba Cloud WAF logs - Operation center: topology, filtering and interaction
2019-03-15 New Features/Specifications
Transparent access mode of Web application firewall released
2019-03-19 New Features/Specifications
Web application firewall anti web attack scanning function released
2019-04-12 Function optimization
Web application firewall full log function optimization
2019-04-30 New Features/Specifications
Application protection for IPv6 services of Web application firewall released
2019-05-30 New Features/Specifications
Upgrade of product overview page (WAF-V4.0.1-0-20190530)
2019-05-30 New Features/Specifications
ACL rule optimization of Web application firewall (WAF-V4.0.1-0-20190530)
2019-06-06 Function optimization
Experience optimization of product overview page (WAF-V4.1.0.1-20190606)
2019-06-13 New Features/Specifications
Protection configuration supports user-defined configuration of web decoding mode (WAF-V4.1.1.0-20190613)
2019-06-27 New Features/Specifications
Web application firewall supports HTTP/2 protocol based applications (WAF-V4.2.0.0-20190627)
2019-06-28 New Features/Specifications
Web application firewall is available for sale as a resource package (WAF-V4.2.0.0)
2019-07-18 New Features/Specifications
Web application firewall adds web attack details page (WAF-V4.2.1.0)
2019-07-30 New Features/Specifications
Web application firewall cloud website asset management function released online (WAF-V4.3.0.0)
2019-08-22 New Features/Specifications
Web application firewall active defense capability released online (WAF-V4.4.0.0)
2019-09-24 New Features/Specifications
Web application firewall asset management releases one-click addition of application protection (WAF-V4.4.0.1)
2019-10-16 New Features/Specifications
Web application firewall overview page shows anti-scanning protection capability (WAF-V4.4.1.0)
2019-10-22 New Features/Specifications
Web application firewall URL profiling of protected website assets released online (WAF-V4.4.1.1)
2019-10-25 New Features/Specifications
Web application firewall virtualization exclusive version released online (WAF-V4.5.0.0)
2019-11-28 New Features/Specifications
Web application firewall account security detection capability released online (WAF-V4.5.1.0)
2019-12-20 Function optimization
Web application firewall exclusive version function optimization and upgrade (WAF-V4.5.1.1)
2020-01-15 New Features/Specifications
Comprehensive upgrade of application protection capability of Web application firewall (WAF-V4.6.0.0)
2020-02-10 New Features/Specifications
Web application firewall event alarm capability upgrade (WAF-V4.6.1.0)
2020-02-14 Function optimization
Web application firewall log service upgrade and experience optimization (WAF-V4.6.2.0)
2020-03-04 New Features/Specifications
Web application firewall intelligent load balancing protection capability released online (WAF-V4.6.3.0)
2020-03-10 Function optimization
Web application firewall user upgrade guide for application protection capability released (WAF-V4.6.3.1)
2020-04-02 New Features/Specifications
Web application firewall Bot management protection capability released online (WAF-V5.0.0.0)
2020-04-10 Function optimization
Web application firewall user experience optimization and upgrade (WAF-V5.0.0.1)
2020-05-18 New Features/Specifications
Web application firewall Terraform support released online (WAF-V5.2.0.0)
2020-05-20 Function optimization
Web application firewall deep learning engine threshold adjustment support released online (WAF-V5.2.1.0)
2020-06-04 Function optimization
Web application firewall custom web rule group optimization and upgrade (WAF-V5.2.2.0)
2020-08-13 New Features/Specifications
Web application firewall asset identification capability optimization, upgrade and release (WAF-V5.3.0.1)
2020-09-02 Function optimization
Web application firewall traffic display supports client type, upgrade released (WAF-V5.3.1.0)
2020-10-19 New Features/Specifications
Web application firewall security report experience optimization and upgrade (WAF-VV5.3.1.0)
2020-11-19 New Features/Specifications
Web application firewall protection rules support IPv6 address configuration (WAF-V5.4.1.0)
2020-11-24 New Features/Specifications
Web application firewall protection rules support the configuration of multiple CNAME back-to-origin addresses (WAF-V5.4.2.0)
2021-01-11 New Features/Specifications
The Web Application Firewall is upgraded and released as 2.0 (WAF-V6.1.0.0)
2021-01-15 New Features/Specifications
Web application firewall releases custom TLS version and cipher suite function (WAF v6.2.0.0)
2021-01-27 New Features/Specifications
Web application firewall releases bot management scenario configuration guidance and report (WAF-v6.3.0.0)
2021-03-18 New Features/Specifications
Web application firewall supports false positive suppression and rule-level whitelisting (WAF-v6.3.1.0)
2021-03-23 New Features/Specifications
Web application firewall supports threat event analysis function (WAF-v6.3.2.0)
2021-04-01 New Features/Specifications
Web application firewall supports IPv6 back-to-origin in mainland China (WAF-v6.3.3.0)
2021-05-08 New Features/Specifications
The Web application firewall supports obtaining the client source IP through a custom header (WAF-v6.3.4.0)
2021-05-11 New Features/Specifications
Web application firewall hybrid cloud exclusive version supports console-based ("white screen") management of the protection cluster (WAF-V6.4.0.0)
2021-05-19 New Features/Specifications
ALB instance users can enable WAF protection with one click (WAF v6.4.1.0)
2021-06-02 New Features/Specifications
Custom protection policy matching conditions add support for server ports (WAF v6.4.2.0)
2021-07-30 New Features/Specifications
CNAME access supports back-to-origin SNI configuration (WAF v6.4.3.0)
2021-08-12 New Features/Specifications
Log service upgrade: support for custom storage capacity and fast query (WAF v6.4.4.0)
2021-09-18 New Features/Specifications
Record the client IP through a user-defined header (WAF v6.4.5.0)
2021-10-22 New Features/Specifications
If bandwidth/QPS exceeds the threshold, an alarm is automatically triggered (WAF v6.4.6.0)
2021-11-01 New Features/Specifications
API security supports ignoring vulnerabilities (WAF v6.4.6.0)
2021-11-05 New Features/Specifications
App protection supports detection of more device risk features (WAF v6.4.7.0)
2021-11-19 New Features/Specifications
API security supports the export of API asset information and vulnerability information (WAF v6.4.8.0)
2021-12-22 New Features/Specifications
Official commercial release of API security function (WAF-v6.5.0.0)
2022-01-19 New Features/Specifications
Web rule protection engine supports intelligent rule hosting (WAF v6.4.7.0)
2022-01-22 New Features/Specifications
WAF3.0 new version released
2022-04-18 New Features/Specifications
Anti-crawler dynamic token capability released (WAF-v6.5.2.0)
2022-05-30 New Features/Specifications
Release of protection package for major event protection scenarios
2022-07-205 Function optimization
API security console release
2022-08-24 New Features/Specifications
Back-to-origin timeout supports custom configuration
2022-09-23 New Features/Specifications
Support for configuring a custom header to obtain the real source port of the client
2022-10-27 New Features/Specifications
WAF3.0 elastic postpaid billing and sandbox function release
2022-11-14 New Features/Specifications
WAF3.0 API Security Function Release
2022-11-17 New Features/Specifications
Version 3.0 supports self-service configuration downgrade
2023-01-19 New Features/Specifications
WAF3.0 Bot management security report optimization and app protection capability upgrade
2023-01-20 New Features/Specifications
WAF3.0 Bot management supports one-click protection
2023-01-31 New Features/Specifications
Version 3.0 prepaid instances support self-service unsubscription
2023-02-03 New Features/Specifications
WAF3.0 Bot management supports rules taking effect on a schedule
2023-02-07 New Features/Specifications
WAF3.0 basic protection supports intelligent whitelist function
2023-02-08 New Features/Specifications
WAF3.0 supports one-click cloud-native access for Function Compute
2023-04-14 New Features/Specifications
WAF3.0 Pay As You Go traffic billing protection function release
2023-05-22 New Features/Specifications
WAF3.0 basic protection supports semantic engine
2023-06-08 New Features/Specifications
WAF3.0 CNAME access supports SM (national cryptographic algorithm) HTTPS encryption
2023-07-14 New Features/Specifications
WAF 3.0 supports DNS status detection of domain names
2023-07-31 New Features/Specifications
WAF3.0 user-defined rules support grayscale release and scheduled activation of rules
2023-07-31 New Features/Specifications
WAF3.0 Bot management supports bot traffic analysis, rule grayscale release and back-to-origin marking
2023-08-28 New Features/Specifications
WAF3.0 supports trace/slider cookie configuration

Documentation and Tools