How to configure a WAF appliance using Amazon EC2

Document created by Qualys Documentation Employee on Nov 11, 2014. Last modified by Qualys Documentation Employee on Feb 8, 2018.
Version 3

Did you sign up for Qualys WAF? This is our web application firewall solution in the cloud. As part of the setup, you'll deploy a WAF virtual appliance to a firewall cluster within your environment. It takes just a couple of minutes. We'll help you with this now.



A few things to consider...


1) The steps below show you how to configure a WAF appliance using Amazon EC2. Alternatively you can use VMware.


2) A WAF firewall cluster can be assigned as many WAF appliances as your subscription allows.



I'm ready to get started. What are the steps?


1) Go to your Amazon EC2 Dashboard and launch an instance



2) Choose the WAF AMI

Click My AMIs (1) and then select QualysGuard WAF AMI (2). Tip: use the search box to find this quickly. Just enter "WAF" and press Enter. (Don't see the WAF AMI? Please contact your Qualys Technical Account Manager or our Support Team and we'll help you with this.)



3) Choose Instance Type

Select an instance type - there's a wide variety to choose from.



Then click Next: Configure Instance Details.


4) Configure Instance

Open Advanced Details. In the User Data field, enter your WAF registration token and other properties.


REGISTRATION_CODE / WAF_CLUSTER_ID (Required) Use REGISTRATION_CODE for sensor version 1.3 and above. For earlier versions use WAF_CLUSTER_ID. Enter in this format: REGISTRATION_CODE=your_code. You can find this code by going to the WAF clusters list (WAF Appliances > WAF Clusters).

WAF_SERVICE_URL This is the URL of the Qualys Cloud Platform hosting your Qualys account. Enter the URL in this format: WAF_SERVICE_URL=

PROXY_URL If the WAF needs to connect to the Qualys Cloud Platform through an HTTP proxy, please input the URL of the proxy. Enter the proxy URL in this format: PROXY_URL=proxy_url

WAF_SSL_PASSPHRASE If your web application’s primary or secondary base URL uses the HTTPS protocol and your private key requires a passphrase, please input your passphrase. Enter the passphrase in this format: WAF_SSL_PASSPHRASE=passphrase
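A pre-launch check of the User Data block described in step 4, added here as an example (it is not Qualys code). It assumes one KEY=value property per line; the function name check_user_data and the sample values are constructed for illustration.

```python
from urllib.parse import urlsplit

# Property names come from the page; one KEY=value per line is an assumption.
REQUIRED_ONE_OF = ("REGISTRATION_CODE", "WAF_CLUSTER_ID")
URL_KEYS = ("WAF_SERVICE_URL", "PROXY_URL")
KNOWN_KEYS = REQUIRED_ONE_OF + URL_KEYS + ("WAF_SSL_PASSPHRASE",)

def _bad_url(value):
    """True unless value is an http(s) URL with a host and no embedded credentials."""
    try:
        u = urlsplit(value)
        return u.scheme not in ("http", "https") or not u.hostname or bool(u.username or u.password)
    except ValueError:
        return True

def check_user_data(text):
    """Return (properties, problems). Problems never echo values, which may be secret."""
    props, problems = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep or key not in KNOWN_KEYS:
            problems.append(f"line {n}: not a known KEY=value property")
        elif not value or value != value.strip():
            problems.append(f"line {n}: {key} value is empty or space-padded")
        elif key in props:
            problems.append(f"line {n}: {key} given more than once")
        elif key in URL_KEYS and _bad_url(value):
            problems.append(f"line {n}: {key} is not a plain http(s) URL")
        else:
            props[key] = value
    if not any(k in props for k in REQUIRED_ONE_OF):
        problems.append("missing required REGISTRATION_CODE (or WAF_CLUSTER_ID)")
    if "WAF_SSL_PASSPHRASE" in props:
        # EC2 user data is stored unencrypted and is readable from the
        # instance metadata service and via DescribeInstanceAttribute.
        problems.append("warning: WAF_SSL_PASSPHRASE will be readable from EC2 user data")
    return props, problems

# Constructed sample values, not real codes or endpoints.
GOOD = "REGISTRATION_CODE=EXAMPLE-CODE-0000\nPROXY_URL=http://proxy.example.internal:3128\n"
BAD = "WAF_CLUSTER_ID = 42\nWAF_SERVICE_URL=\nPROXY_URL=proxy.example.internal\nWAF_SSL_PASSPHRASE=constructed\n"

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_user_data(sample)[1])
```

Run it against the text you intend to paste into the User Data field; an empty problem list means the block is well-formed under the assumptions above.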


5) Additional steps (optional)

You might want to add storage, tag the instance, or configure security groups.


6) Click Review and Launch

Be sure to wait until the WAF AMI status is green (this means it's running). Then you're ready to add the AMI instance to the EC2 load balancer (see below).




Add your WAF AMI to the Load Balancer


1) Create an HTTP Load Balancer Instance



2) Set up your Health Checks

Choose the TCP Ping Protocol option. Later, when your web application is online, you can choose a URL for a comprehensive health check.



3) Add Your WAF Instance in the Cluster

Click the Select check box next to your WAF instance to add it to the load balancer. Your load balancer is now created and will soon be able to handle requests.



4) Redirect Your Traffic to the Load Balancer Hostname

Test the availability of your web application through the load balancer. Once confirmed, you'll need to alias your DNS entries to the Amazon EC2 load balancer you just created.




That's it!

You've configured your WAF appliance. Once you're done, we'll start a distributed network of sensors for your firewall cluster. Your firewall cluster will also start making outbound connections to the Qualys Cloud Platform.


Getting started with WAF is easy. Need some help? Just follow the steps in our online guide - select WAF from the application picker, go to the username menu (top right) and select Quick Start Guide.

