WAF provides two operation modes: Protection Mode and Warning Mode.

• Protection Mode automatically blocks malicious requests and records the attack.
• Warning Mode does not block the request, but it still logs the suspicious activity.

When using Protection Mode, you can select from three protection policies:

• Loose: Blocks requests that match broad attack patterns.
• Normal: Blocks requests that follow common attack patterns.
• Strict: Blocks requests designed with highly specific or advanced attack signatures.

Tips for Using WAF Protection Mode

If you are unsure about your website’s traffic patterns, it is better to start with Warning Mode. This allows you to observe traffic for a week or two and analyze the attack logs.

Once you confirm that no normal requests are blocked, you can safely switch to Protection Mode.
However, if normal requests appear in the attack log, you should contact customer support to resolve the issue.

To maintain smooth operations, keep these points in mind:

• Avoid sending raw SQL or JavaScript code inside HTTP requests.
• Do not use keywords such as UPDATE or SET as part of your URL path.
• If file upload is required, limit the file size to 50 MB. For larger files, consider using OSS or another upload method.
• After WAF is enabled, do not disable the “All Requests” option under the default HTTP ACL Policy.

Once the WAF is active, you can open Reports to view detailed information about blocked attacks. Whenever new vulnerabilities are discovered, WAF updates its protection rules and publishes security bulletins promptly.

Why Traditional Firewalls Are No Longer Enough

Most companies still rely on perimeter firewalls to control traffic entering and leaving their network. While these firewalls protect against basic internet threats, they cannot defend against application-level attacks.

Attackers know how to slip through open ports used by legitimate applications. Because traditional firewalls cannot inspect application-layer data deeply, attackers can hide malware inside the application itself.

Therefore, an application-level firewall (WAF) is essential. As attackers become more advanced, your defense strategy must evolve as well.

However, since WAF technology is relatively new, IT teams often need guidance during deployment. Below are three best practices to help you build a more secure system.

1. Choose a True Application-Level Firewall

A real application-level firewall provides full protection against threats such as:

• SQL injection
• Cross-site scripting (XSS)
• Session hijacking
• Scanning and crawling attacks
• Cookie poisoning
• Path traversal attempts
• Denial of Service (DoS)

Many people confuse WAF with deep-packet inspection tools, web security gateways, or content-filtering products. Although these tools are helpful, they cannot inspect application-layer code deeply enough to stop sophisticated threats.

Likewise, web security gateways may block malware from websites or emails, but application-level attacks often bypass them. A WAF closes this gap.

2. Do Not Ignore Access Control

Another important step is ensuring your WAF includes access control. Access control determines who can access your systems and data, as well as when, where, and how.

An ideal application-level firewall integrates with your access management system. It monitors employee access and ensures that only authorized users can manage the WAF itself.

Because of this, access control becomes a crucial layer that prevents misuse or unauthorized changes.

3. Select a WAF That Fits Your IT Infrastructure

Your WAF must be compatible with your existing web and network infrastructure. If you have to redesign your system just to install a firewall, you waste valuable time and resources.

If you still rely on centralized hardware or off-site servers, an application-firewall specialist can recommend the most suitable solution. Some application firewalls, for example, can be installed as plug-ins on your current web servers.

Performance is another key consideration. A poorly configured WAF may slow down your network and affect website traffic. To avoid this, the WAF must match your infrastructure and be set up correctly.

Final Thoughts

The steps above highlight only three essential best practices for using a WAF effectively. Although an application-level firewall is just one part of a complete security strategy, it plays a critical role in defending against modern web threats.

At Indonesian Cloud, we proudly partner with Imperva, Cloudflare, and F5. Our team can help you strengthen your website security and protect your business in today’s fast-growing cyber threat landscape.

If you would like to explore more technology topics or learn about Indonesian Cloud products, visit Indonesiancloud.com or our VPS site cloudhostingaja.com.
See you in the next article!

The post WAF Security: Best Practices to Protect Your Web Applications first appeared on Indonesian Cloud.