How to configure a WAF appliance

Document created by Qualys Documentation Employee on Nov 11, 2014Last modified by Qualys Documentation Employee on Dec 1, 2015
Version 2Show Document
  • View in full screen mode

Did you sign up for Qualys WAF? This is our web application firewall solution in the cloud. As part of the setup, you'll deploy a WAF virtual appliance to a firewall cluster within in your environment. It just takes a couple minutes.



A few things to consider...

1) The steps below show you how to configure a WAF appliance using VMware vCenter or Microsoft Hyper-V. Alternatively you can use Amazon EC2.


2) A WAF cluster can be assigned as many WAF appliances as your subscription allows.




I'm ready to get started. What are the steps?


1) Download the OVA image (VMware) or the VHD image (Hyper-V). You'll get the image when you add a new WAF appliance (go to WAF > Assets > WAF Clusters, click the New WAF Appliance button to get started).


2) Import the image in your virtualization platform. The OVA image supports VMware for production (and can be used in VirtualBox for test purposes only), while the VHD image supports Microsoft Hyper-V.


3) Set up the virtual appliance using the CLI (Command Line Interface).


4) Verify the registration of the appliance.


5) Test availability of your web application through Qualys WAF. Once confirmed, you'll need to alias DNS entries to direct traffic at your origin infrastructure.




Import and Register your WAF Appliance


1) Start your virtualization manager and select the OVA


VMware vClient

Choose "Deploy OVA File". This starts the OVA Template wizard. Browse to the downloaded OVA and select it (or enter the URL where the OVA can be downloaded).

Hyper-V Manager

Select "New  > Virtual Machine…" and using the "New Virtual Machine Wizard" create a new virtual machine.


2) Step through the wizard

We provide a default name for your WAF instance, and you can change it. Select disk format and mapping settings appropriate for your environment.  Do not set any WAF-specific properties in the wizard as they are deprecated and will be removed in a future release. You will set these properties in the following configuration steps.



3) Log in as "waf-user" via SSH or system console

The first login forces you to change your password.


$ ssh waf-user@
You are required to change your password immediately (root enforced)
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user waf-user.
New password: C-om34EhbTz.6aiMU4C
Retype new password: C-om34EhbTz.6aiMU4C
passwd: all authentication tokens updated successfully.
Connection to closed.



4) Set properties

You must set the firewall cluster registration token (waf_cluster_id). Other properties are optional.


$ ssh waf-user@

qualys waf # help
Commands (type help <command>):
deregister help network reboot save show ssh sysinfo viewlog
exit ifconfig passwd routes set shutdown status unset waf

qualys waf # help set
Syntax: set KEY=VALUE
    Valid keys:

qualys waf # set waf_cluster_id=A30BC162-785A-4BAF-A5D5-1A2DE9C6DA3A
qualys waf # save
Saved Successfully


waf_service_url The URL of the Qualys Cloud Platform hosting your Qualys account. By default, the WAF appliance can connect to all Qualys production platforms.  If you have a customized Qualys Private Cloud Platform, you will need to set this URL accordingly (Qualys Support can provide the proper URL).

waf_cluster_id (Required) The firewall cluster registration token. You can find this token by going to the firewall clusters list (Assets > WAF Clusters).

proxy_url If a proxy is required for the firewall cluster to access the Qualys Cloud Platform this must have the URL for the proxy server.

waf_ssl_passphrase  If SSL is enabled (primary and/or secondary URL) this is the passphrase for the key uploaded to the WAF application.

sem_syslog_addr  The Security Event Manager to send translation logs via syslog to. The syslog message will be formatted in the form PROTOCOL:HOSTNAME:PORT as described in RFC424. If port is omitted the standard syslog port 514 will be used.

For example:



5) Reboot may be required

... if you are changing the token (e.g. re-registration).


qualys waf # reboot
Are you sure you want to reboot?  <y/N> y

Broadcast message from waf-user@dhcp-10-1-1-5
(/dev/pts/0) at 18:05 ...

The system is going down for reboot NOW!
Connection to closed.



6) Verify registration

You can do this using the CLI (as shown below) or the WAF user interface (go to Assets > WAF Clusters).


qualys waf # show
Current settings:
qualys waf # status
Connectivity to Qualys: OK
Registration status: OK
Sensor_ID: B02b1088-77ed-4862-a067-dc41bbd97233

qualys waf # quit

Connection to closed.




That's it!

You've configured your WAF virtual appliance. Once you're done we'll start a distributed network of sensors for your firewall cluster. Also your firewall cluster will start making outbound connections to the Qualys Cloud Platform.


Getting started with WAF is easy. Need some help? Just follow the steps in our quick start guide - select WAF from the application picker, go to the username menu (top right) and select Quick Start Guide.



You might also be interested in...

WAF Getting Started Guide (PDF)