Security Automation, powered by the Cloud

Web Application Firewall

Qualys Web Application Firewall (WAF) is a next-generation cloud service that brings an unparalleled combination of scalability and simplicity to web app security. Its automated, adaptive approach lets you quickly and more efficiently:

  • Block

    on web server vulnerabilities

  • Prevent

    of sensitive information.

  • Control

    where and when your applications are accessed.

Built on the world’s leading Cloud security and compliance platform, Qualys WAF complements the global scalability of Qualys Web Application Scanning (WAS). Together, they make identifying and mitigating web app risks seamless, whether you have a dozen apps or thousands. Qualys WAF can be deployed in minutes, supports SSL, and doesn’t require special expertise to use. It delivers a new level of web app security and compliance while freeing you from the substantial cost, resource and deployment issues associated with traditional products.


Global Scalability & Manageability
powered by the Qualys Cloud Platform

As part of the award-winning Qualys Cloud Platform, Qualys WAF is designed specifically to be efficient and easy to use, whether you have a few apps or thousands to protect.

  • Immediate deployment — no hardware to set up, always up-to-date
  • Global scalability — add more apps anytime, throughout the world
  • Multiple, unified solutions — one console for WAF, WAS, VM and more
  • Centralized management — apply policies consistently across apps
  • XML APIs — publish data to other enterprise systems (e.g., SIEM)

Integrated Web App Security:
Detect with WAS, protect with WAF

Qualys WAF works together with Qualys Web Application Scanning (WAS) to provide true, integrated web application security. From a single console, you can detect application vulnerabilities with WAS and then rapidly protect them from attack with WAF, even at global scale. The Qualys Cloud Platform keeps everything in sync, avoiding the redundancies and gaps that come with trying to glue together separate, siloed solutions.

Cloud Deployment

Fast deployment for public or private cloud apps

With Qualys WAF, there is no special hardware to buy or maintain. Instead, virtual machine images containing Qualys WAF sensor software are deployed alongside your web applications (SSL or plain text) in either your public or private cloud environment. These sensor virtual machines scale seamlessly, so you can add new applications quickly and transparently. Application traffic stays within your environment, minimizing latency and allowing you to retain control.

Available in AMI format for Amazon EC2 and in OVA format for VMware vCenter, the WAF sensor virtual machines are fully managed by Qualys 24x7x365. They are easy to deploy, enabling you to start protecting your apps in 30 minutes or less.


Virtual patching and event response

With the latest version of Qualys WAF, users can now create “virtual patch” rules in direct response to their Qualys WAS findings, to enable rapid false positive resolution, as well as customization of security rules tailored for the organization’s environment. This helps customers better tune security policies, quickly remove false positives, and easily customize WAF security rules for web applications.

Qualys WAF also includes customizable event response, helping customers evaluate and create exceptions to web events to better prioritize and mitigate vulnerabilities, making it one of the first end-to-end web application security services to combine WAF security rules and policies with WAS data to address web application security threats.

Easy-to-use, adaptive security policies that are always up-to-date

Qualys WAF brings a new approach to web application security. You simply describe the level of security that you would like for each application with a few quick clicks, and Qualys WAF automatically figures out what to do and how to adapt to different situations. No specialized expertise is required, and there are no complicated rule sets to configure or maintain.

Customizable protection against current and future threats

Qualys WAF provides built-in protection against a wide range of attacks such as Cross-Site Scripting (XSS), SQL injection, corrupted requests, and more. You can easily tailor how Qualys WAF handles different types of threats, from simply logging to actively blocking them. As new threats emerge, additional defenses created by Qualys’ worldwide security experts are automatically added.

Protection against clickjacking, Cross-Site Scripting (XSS), and other browser-based attacks

In addition to defending your apps, Qualys WAF helps protect your users. With Qualys WAF, you can enable security features in modern web browsers – without having to modify your applications – to reduce the likelihood of:

  • Cookie stealing
  • Clickjacking
  • Cross-site scripting (XSS)

Blocking access from prohibited countries or networks

Qualys WAF helps you comply with policies and regulations that prohibit access to certain types of web applications or information from particular locations. You can restrict access from specific countries or network address blocks, and even set hours of operation.

Preventing transmission of sensitive content or files

With Qualys WAF, you can block users from uploading or downloading content or files that are in formats that aren’t supposed to be used by your application. This can help you limit contamination of your web server and prevent the theft of administrative files (such as backups, source code, or data) that aren’t supposed to be accessed.


  • Visual dashboard showing status at a glance

    Qualys WAF makes it easy to understand the security of all your applications at once. A concise, visual dashboard summarizes the various events that have occurred, when they took place, and where they came from to help you spot unusual patterns.

  • Interactive insights into potential threats

    Qualys WAF categorizes each potential threat it detects according to a variety of attributes, including: the apps affected, severity, geographic location, source network address, how the threat was handled, and more. Interactive filters help you search for unexpected activity and determine how it impacts your applications.

  • Detailed understanding of each threat

    Qualys WAF helps you investigate suspicious activity by providing detailed information about each potential threat it detects. With a click, you can see what happened as well as where and when it took place. Links to Qualys’ comprehensive KnowledgeBase provide additional information about each threat and how to address it.

Qualys is trusted by the majority of the Forbes Global 100
and thousands of organizations big and small!