Manage WAF appliances

It just takes a couple minutes to deploy your virtual WAF appliance in Amazon EC2, Microsoft Azure, Google Cloud, Hyper-V, or VMware (vCenter), on a server or docker (container). Check out our getting started guide for all the details. A WAF appliance acts as a reverse-proxy.


Clusters and Appliances. You'll configure your WAF appliance(s) for one or more WAF clusters. A cluster can be assigned as many WAF appliances as your subscription allows to guarantee high availability and redundancy in your firewalling operations.

Need a WAF cluster? Just go to WAF Appliances > WAF Clusters and click the New WAF Cluster button. You'll get a Registration Code that you'll need to configure your WAF appliance(s).

Number of web applications deployed on a WAF appliance. When a configuration change is detected in any of the web applications, the WAF appliance receives the configurations for all the deployed web applications. When the WAF server receives the configuration changes, it reloads the configuration at runtime to apply the changes. The time that the WAF server takes to reload the configuration depends on the size of the configuration, which in turn depends on the number of web applications and the customized behavior settings configured on each web application.

To avoid the frequent updates that may cause latency, we recommend limiting the number of web applications deployed for each WAF appliance to 10. If you keep the number of web applications deployed on each WAF appliance smaller, you will have a better WAF experience.


1) First add a new WAF appliance - it just takes a minute. Go to WAF Appliances > WAF Appliances, click New WAF Appliance and we'll walk you through the steps quickly.

2) Configure the WAF appliance for your environment (Amazon EC2, Microsoft Azure, Google Cloud, Hyper-V, or VMware - vCenter) on a server or docker (container). You'll need to enter the Registration Code for the appliance.

3) Important - Be sure to configure your DNS. You'll need to funnel traffic through the WAF cluster by changing DNS entries.

4) We recommend you verify registration of the WAF appliance. Use the WAF user interface (go to WAF Appliances > WAF Clusters), or the CLI (for VMware or Hyper-V only).


- Allow HTTP(S) traffic (TCP-80,443; or any other) to the WAF appliance from Internet.

- Allow SSH (TCP-22) to the WAF appliance from a trusted management network only.

- Allow minimum access to the origin web server(s): only the WAF appliance ip address should be granted access to web servers’ production [ip:port]. Any direct access should be strictly limited to the administration network only.

Load balancer considerationsLoad balancer considerations

- Load balancers should be configured to hand off to WAF cluster nodes so we can appropriately configure redundancy within the infrastructure.

- The WAF appliance functions as a reverse proxy. It is important that any DNS configurations, firewall NAT or load balancer configurations are set to forward traffic towards the WAF appliance. It will then inspect incoming request, and based on your configuration, hand it off to the appropriate origin server.


This shows the last date the appliance polled the WAF service on our cloud platform.

Tip - Check out the side preview panel to see this date with the related time and time zone.

You can view the healthcheck status for all servers covered by an appliance. Server healthcheck information is grouped by each Web application that the appliance monitors.

The following healthcheck information is displayed for each server:

- Server host name, server port, and server status (UP / DOWN / No check),

- Healthcheck message, healthcheck return code (200 for success), and healthcheck status (L7OK for success, L4CON for failure).