Help Center> Web Application Firewall> FAQs> About WAF> WAF Functions> What Are the Differences Between WAF and CFW?
Updated on 2024-02-29 GMT+08:00
View PDF

What Are the Differences Between WAF and CFW?

Web Application Firewall (WAF) and Cloud Firewall (CFW) are different products we provided. WAF is used to protect your web services, while CFW is used to protect Internet border and VPC border traffic.

Table 1 lists differences between WAF and CFW.

Table 1 Differences between WAF and CFW

Category

WAF

CFW

Definition

Web Application Firewall (WAF) keeps web services stable and secure. It examines all HTTP and HTTPS requests to detect and block the following attacks: Structured Query Language (SQL) injection, cross-site scripting (XSS), web shells, command and code injections, file inclusion, sensitive file access, third-party vulnerability exploits, Challenge Collapsar (CC) attacks, malicious crawlers, and cross-site request forgery (CSRF).

Cloud Firewall (CFW) is a next-generation cloud-native firewall. It protects Internet and VPC borders on the cloud by real-time intrusion detection and prevention, global unified access control, full traffic analysis, log audit, and tracing. It employs AI for intelligent defense, and can be elastically scaled to meet changing business needs, helping you easily handle security threats. CFW is a basic service that provides network security protection for user services on the cloud.

Protection mechanism

WAF works as a reverse proxy between the client and the origin server. All website access requests are forwarded to WAF first. WAF detects and filters out malicious attack traffic, and returns normal traffic to the origin server to ensure that the origin server is secure, stable, and available.

CFW can implement refined control over all traffic, including Internet border protection, cross-VPC and cross-VM traffic, to prevent external intrusion, internal penetration attacks, and unauthorized access from the inside to the outside.

Deployment mode
WAF can be deployed in cloud mode ,ELB mode, and dedicated mode.
  • Cloud - CNAME: a good choice no matter where your web services are deployed, on Huawei Cloud, any other cloud, even in on-premises data centers, as long as they have domain names.

    The application scenarios for different editions are as follows:

    • Standard edition

      This edition is suitable for small- and medium-sized websites that do not have special security requirements.

    • Professional edition

      This edition is suitable for medium-sized enterprise websites or services that are open to the Internet, focus on data security, and have high security requirements.

    • Platinum edition

      This edition is suitable for large- and medium-sized enterprise websites that have large-scale services or have special security requirements.

  • Dedicated: a good choice if your service servers are deployed on Huawei Cloud as long as they have domain names or IP addresses. Dedicated WAF instances are suitable large enterprise websites that have a large service scale and have customized security requirements.

Protection for Internet border and VPC border

Protection objects

Domain names or IP addresses

Elastic IP Address (EIP)

Functions

WAF identifies and blocks a wide range of suspicious attacks, such as Structure Query Language (SQL) injections, cross-site scripting (XSS) attacks, web shell upload, command or code injections, file inclusion, unauthorized sensitive file access, third-party vulnerability exploits, Challenge Collapsar (CC) attacks, malicious crawlers, and cross-site request forgery (CSRF).
  • Asset management and intrusion defense: CFW detects and defends against intrusions into cloud assets that are accessible over the Internet in real time.
  • Access control: You can control access at Internet borders.
  • Traffic Analysis and log audit: CFW controls, analyzes, and visualizes VPC traffic, audits logs, and traces traffic sources.
Parent topic: WAF Functions

WAF Functions FAQs

more