Complete Application Security, powered by the Cloud and the Qualys Security Intelligence
Harden web apps against current & emerging threats
Find vulnerabilities with WAS, then mitigate with one-click virtual patches in WAF
Protect against OWASP Top 10 risks, including SQL Injection, XSS and more
Add custom security rules to protect your apps, with minimal false positives
Address mandates such as PCI DSS 6.6 that require app firewalls
Block access from prohibited countries and networks
Integrate WAF into your DevOps process using APIs and easy configuration
Restrict transmission of sensitive content and files
Maintain Website Uptime
Complement network DDoS defenses with protection against HTTP-based attacks
Maintain high performance by using built-in web server load balancing and application health checks
Add security without modifying apps
Use actionable security event data to respond to threats
Cut Costs of
Reduce time, effort & cost of securing your web apps
Deploy using virtual machines, no special hardware required
Manage from the Cloud, be up and running fast
Deploy built-in security policies for popular platforms such as WordPress, Drupal, Joomla and OWA.
Web Application Firewall
Qualys Web Application Firewall (WAF) is a next-generation cloud service that brings an unparalleled combination of scalability and simplicity to web app security. Its automated, adaptive approach lets you quickly and more efficiently:
on web server vulnerabilities
of sensitive information.
where and when your applications are accessed.
Built on the world’s leading Cloud security and compliance platform, Qualys WAF complements the global scalability of Qualys Web Application Scanning (WAS). Together, they make identifying and mitigating web app risks seamless, whether you have a dozen apps or thousands. Qualys WAF can be deployed in minutes, supports SSL, and doesn’t require special expertise to use. It delivers a new level of web app security and compliance while freeing you from the substantial cost, resource and deployment issues associated with traditional products.
Global Scalability & Manageability
powered by the Qualys Cloud Platform
As part of the award-winning Qualys Cloud Platform, Qualys WAF is designed specifically to be efficient and easy to use, whether you have a few apps or thousands to protect.
- Immediate deployment — no hardware to set up,
- Global scalability — add more apps anytime, throughout
- Multiple, unified solutions — one console for WAF, WAS, VM and more
- Centralized management — apply policies consistently across apps
- XML APIs — automate configuration and publish data to other enterprise systems (e.g., SIEM)
Integrated Web App Security:
Detect with WAS, protect with WAF
Qualys WAF works together with Qualys Web Application Scanning (WAS) to provide true, integrated web application security. From a single console, you can detect application vulnerabilities with WAS and then rapidly protect them from attack with WAF, even at global scale. The Qualys Cloud Platform keeps everything in sync, avoiding the redundancies and gaps that come with trying to glue together separate, siloed solutions.
Fast deployment for public or private cloud apps
With Qualys WAF, there is no special hardware to buy or maintain. Instead, virtual machine images containing Qualys WAF sensor software are deployed alongside your web applications (SSL or plain text) in either your public or private cloud environment. These sensor virtual machines scale seamlessly, so you can add new applications quickly and transparently. Application traffic stays within your environment, minimizing latency and allowing you to retain control.
Available in AMI format for Amazon EC2, in OVA format for VMware vCenter and in VHD format for Hyper-V, the WAF sensor virtual machines are fully supported by Qualys 24x7x365. Qualys WAF also comes with built-in load balancing of web servers and application health checks to ensure high performance and availability of your business-critical web applications.
One-click virtual patching and event response
With the latest version of Qualys WAF, users can now create “virtual patch” rules in direct response to their Qualys WAS findings, to enable rapid false positive resolution, as well as customization of security rules tailored for the organization’s environment. This helps customers better tune security policies, quickly remove false positives, and easily customize WAF security rules for web applications.
Qualys WAF also includes customizable event response, helping customers evaluate and create exceptions to web events to better prioritize and mitigate vulnerabilities, making it one of the first end-to-end web application security services to combine WAF security rules and policies with WAS data to address web application security threats.
Easy-to-use, adaptive security policies that are always up-to-date
Qualys WAF brings a new approach to web application security. You simply describe the level of security that you would like for each application with a few quick clicks, and Qualys WAF automatically figures out what to do and how to adapt to different situations. Qualys WAF provides built-in security policies for popular platforms such as WordPress, Joomla, Drupal and Outlook Web Application, simplifying and accelerating WAF enablement. No specialized expertise is required, and there are no complicated rule sets to configure or maintain.
Customizable protection against current and future threats
Qualys WAF provides built-in protection against a wide range of attacks such as Cross-Site Scripting (XSS), SQL injection, corrupted requests, and more. You can easily tailor how Qualys WAF handles different types of threats, from simply logging to actively blocking them. You can create custom security rules based on HTTP request, client and server attributes to address specific security needs of your application and to minimize false positives. As new threats emerge, additional defenses created by Qualys’ worldwide security experts are automatically added.
Protection against clickjacking, Cross-Site Scripting (XSS), and other browser-based attacks
In addition to defending your apps, Qualys WAF helps protect your users. With Qualys WAF, you can enable security features in modern web browsers – without having to modify your applications – to reduce the likelihood of:
- Cookie stealing
- Cross-site scripting (XSS)
Blocking access from prohibited countries or networks
Qualys WAF helps you comply with policies and regulations that prohibit access to certain types of web applications or information from particular locations. You can restrict access from specific countries or network address blocks, and even set hours of operation.
Preventing transmission of sensitive content or files
With Qualys WAF, you can block users from uploading or downloading content or files that are in formats that aren’t supposed to be used by your application. This can help you limit contamination of your web server and prevent the theft of administrative files (such as backups, source code, or data) that aren’t supposed to be accessed.
Visual dashboard showing status at a glance
Qualys WAF makes it easy to understand the security of all your applications at once. A concise, visual dashboard summarizes the various events that have occurred, when they took place, and where they came from to help you spot unusual patterns.
Interactive insights into potential threats
Qualys WAF categorizes each potential threat it detects according to a variety of attributes, including: the apps affected, severity, geographic location, source network address, how the threat was handled, and more. Interactive filters help you search for unexpected activity and determine how it impacts your applications.
Detailed understanding of each threat
Qualys WAF helps you investigate suspicious activity by providing detailed information about each potential threat it detects. With a click, you can see what happened as well as where and when it took place. Links to Qualys’ comprehensive KnowledgeBase provide additional information about each threat and how to address it.