Complete Application Security, powered by the Cloud and the Qualys Security Intelligence

Web Application Firewall

Qualys Web Application Firewall (WAF) is a next-generation cloud service that brings an unparalleled combination of scalability and simplicity to web app security. Its automated, adaptive approach lets you quickly and more efficiently:

  • Block

    on web server vulnerabilities

  • Prevent

    of sensitive information.

  • Control

    where and when your applications are accessed.


Built on the world’s leading Cloud security and compliance platform, Qualys WAF complements the global scalability of Qualys Web Application Scanning (WAS). Together, they make identifying and mitigating web app risks seamless, whether you have a dozen apps or thousands. Qualys WAF can be deployed in minutes, supports SSL, and doesn’t require special expertise to use. It delivers a new level of web app security and compliance while freeing you from the substantial cost, resource and deployment issues associated with traditional products.


Global Scalability & Manageability
powered by the Qualys Cloud Platform

As part of the award-winning Qualys Cloud Platform, Qualys WAF is designed specifically to be efficient and easy to use, whether you have a few apps or thousands to protect.

  • Immediate deployment — no hardware to set up, always up-to-date
  • Global scalability — add more apps anytime, throughout the world
  • Multiple, unified solutions — one console for WAF, WAS, VM and more
  • Centralized management — apply policies consistently across apps
  • XML APIs — automate configuration and publish data to other enterprise systems (e.g., SIEM)

Integrated Web App Security:
Detect with WAS, protect with WAF

Qualys WAF works together with Qualys Web Application Scanning (WAS) to provide true, integrated web application security. From a single console, you can detect application vulnerabilities with WAS and then rapidly protect them from attack with WAF, even at global scale. The Qualys Cloud Platform keeps everything in sync, avoiding the redundancies and gaps that come with trying to glue together separate, siloed solutions.

Cloud Deployment

Fast deployment for public or private cloud apps

With Qualys WAF, there is no special hardware to buy or maintain. Instead, virtual machine images containing Qualys WAF sensor software are deployed alongside your web applications (SSL or plain text) in either your public or private cloud environment. These sensor virtual machines scale seamlessly, so you can add new applications quickly and transparently. Application traffic stays within your environment, minimizing latency and allowing you to retain control.

Available in AMI format for Amazon EC2, in OVA format for VMware vCenter and in VHD format for Hyper-V, the WAF sensor virtual machines are fully supported by Qualys 24x7x365. Qualys WAF also comes with built-in load balancing of web servers and application health checks to ensure high performance and availability of your business-critical web applications.


One-click virtual patching and event response

With the latest version of Qualys WAF, users can now create “virtual patch” rules in direct response to their Qualys WAS findings, to enable rapid false positive resolution, as well as customization of security rules tailored for the organization’s environment. This helps customers better tune security policies, quickly remove false positives, and easily customize WAF security rules for web applications.

Qualys WAF also includes customizable event response, helping customers evaluate and create exceptions to web events to better prioritize and mitigate vulnerabilities, making it one of the first end-to-end web application security services to combine WAF security rules and policies with WAS data to address web application security threats.

Easy-to-use, adaptive security policies that are always up-to-date

Qualys WAF brings a new approach to web application security. You simply describe the level of security that you would like for each application with a few quick clicks, and Qualys WAF automatically figures out what to do and how to adapt to different situations. Qualys WAF provides built-in security policies for popular platforms such as WordPress, Joomla, Drupal and Outlook Web Application, simplifying and accelerating WAF enablement. No specialized expertise is required, and there are no complicated rule sets to configure or maintain.

Customizable protection against current and future threats

Qualys WAF provides built-in protection against a wide range of attacks such as Cross-Site Scripting (XSS), SQL injection, corrupted requests, and more. You can easily tailor how Qualys WAF handles different types of threats, from simply logging to actively blocking them. You can create custom security rules based on HTTP request, client and server attributes to address specific security needs of your application and to minimize false positives. As new threats emerge, additional defenses created by Qualys’ worldwide security experts are automatically added.

Protection against clickjacking, Cross-Site Scripting (XSS), and other browser-based attacks

In addition to defending your apps, Qualys WAF helps protect your users. With Qualys WAF, you can enable security features in modern web browsers – without having to modify your applications – to reduce the likelihood of:

  • Cookie stealing
  • Clickjacking
  • Cross-site scripting (XSS)

Blocking access from prohibited countries or networks

Qualys WAF helps you comply with policies and regulations that prohibit access to certain types of web applications or information from particular locations. You can restrict access from specific countries or network address blocks, and even set hours of operation.

Preventing transmission of sensitive content or files

With Qualys WAF, you can block users from uploading or downloading content or files that are in formats that aren’t supposed to be used by your application. This can help you limit contamination of your web server and prevent the theft of administrative files (such as backups, source code, or data) that aren’t supposed to be accessed.


Visual dashboard showing status at a glance

Qualys WAF makes it easy to understand the security of all your applications at once. A concise, visual dashboard summarizes the various events that have occurred, when they took place, and where they came from to help you spot unusual patterns.

Interactive insights into potential threats

Qualys WAF categorizes each potential threat it detects according to a variety of attributes, including: the apps affected, severity, geographic location, source network address, how the threat was handled, and more. Interactive filters help you search for unexpected activity and determine how it impacts your applications.

Detailed understanding of each threat

Qualys WAF helps you investigate suspicious activity by providing detailed information about each potential threat it detects. With a click, you can see what happened as well as where and when it took place. Links to Qualys’ comprehensive KnowledgeBase provide additional information about each threat and how to address it.

Qualys is trusted by the majority of the Forbes Global 100
and thousands of organizations big and small!

BASF, DuPont, HP, Oracle, Pfizer, ebay, Thomson, Cisco, Adobe, Daimler, Microsoft, Sony, Cigna, Nissan

Qualys Cloud Platform & Integrated Suite of Security & Compliance Applications

There’s nothing to install or maintain. Grow with your business!

  • AssetView: Search millions of IT assets in seconds, wherever they reside.
  • Vulnerability Management: Recognized as the market leader in vulnerability management.
  • Continuous Monitoring: Always-on, automated monitoring of your global network.
  • ThreatPROTECT: Quickly visualize and prioritize security threats at-a-glance. Take action on the threats that matter most.
  • Web Application Scanning: Discover, catalog and scan all of your web apps for vulnerabilities and website misconfigurations.
  • Web Application Firewall: Continuously stop web attacks and prevent data breaches on your applications.
  • Malware Detection: Protect your online customers from malware infections and safeguard your brand.
  • Secure Seal: The most comprehensive website security seal on the Internet.
  • Policy Compliance: Pass security audits and document compliance to both internal and external auditors.
  • Security Assessment Questionnaire: Assess business risk with automated campaigns.
  • PCI Compliance: A quick, cost effective way to achieve PCI Compliance by yourself. Qualys is an Approved Scanning Vendor.