Skip to content

Web server protection (WAF) rules

The WAF rules protect applications and websites hosted on physical or cloud-based web servers from exploits and attacks.

The firewall acts as a reverse proxy, protecting your internal and external web servers. You can create WAF rules for IPv4 traffic.

You can use the WAF rules to specify virtual web servers and translate these into physical servers without configuring DNAT and firewall rules. You can also protect web applications, such as Salesforce and Microsoft applications.

The firewall offers preconfigured WAF rule templates with specific paths and protection policies for Exchange Autodiscover, Exchange General, Exchange Outlook Anywhere, Microsoft Lync, Microsoft Remote Desktop web client, and Microsoft Remote Desktop Gateway.


Currently, WAF rules don't support Microsoft Exchange versions later than 2013.

WAF rules are part of firewall rules. To create a WAF rule, you must add a firewall rule and set the action to Protect with web server protection.


The firewall doesn't support WAF over route-based IPsec if you use traffic selectors for the subnets. You can use any-to-any route-based connections. See Route-based VPN.

You can only create up to 60 WAF rules. Exceeding the limit results in performance degradation and production impact. See WAF limitation.

WAF functionality

The firewall supports HTTPS protocol with Server Name Indication (SNI), allowing you to create more than one virtual web server over the same IP address and port. The WAF rules support wildcard domains.

You can forward URL requests to specific web servers, bind sessions to a web server, or send all requests to a primary web server, using the others as backup servers. Traffic shaping policies added to the WAF rules allow you to allocate bandwidth and prioritize traffic based on a schedule.

Protection and authentication

Protection policies: You can add intrusion prevention and protection policies to the WAF rules. Protection policies allow you to protect web servers from vulnerability exploits, such as cookie, URL, and form manipulation. They also protect web servers from application and cross-site scripting (XSS) attacks. You can specify the filter strength for common threats.

The exceptions you create in WAF rules allow you to skip some types of security checks for the paths and sources you specify.

To prevent slow HTTP denial-of-service (DoS) attacks and enforce TLS version controls, go to Web server > General settings.

Authentication policies: In WAF rules, you can specify the client networks to allow or block. You can also add authentication policies to WAF rules to protect web servers using basic or form-based reverse-proxy authentication. The client authentication settings in these policies allow you to control access to the paths specified in the WAF rule.

Authentication templates: You can upload pre-configured HTML form templates. For customizable HTML and CSS templates, go to the authentication template help page.

Reserved ports

You can't use some ports for WAF as the firewall reserves them for system services. These ports are reserved even when the services aren't in use. See Reserved ports.