Help Center/ Web Application Firewall/ User Guide/ Connecting Your Website to WAF/ Connected Website Management/ Changing the Protection Mode
Updated on 2025-08-19 GMT+08:00
View PDF
Share

Changing the Protection Mode

After you connect a website to WAF, WAF protection is enabled by default. You can change the protection mode based on your service requirements.

WAF supports the following protection modes:
  • Enable WAF: If you enable WAF protection, WAF protects your website against attacks based on the protection policy you configure for it.
  • Suspend WAF: If you suspend WAF protection, WAF only forwards requests to origin servers. It does not scan for or log attacks. If a large number of normal requests are blocked, for example, status code 418 is frequently returned, then you can suspend the protection mode.

    This is risky. Global protection whitelist rules are recommended to reduce false alarms.

  • Bypass WAF: If you bypass WAF protection, WAF directly forwards requests to origin servers. It does not scan for or log attacks. You need to allow the service port of the origin server in the security policy first to ensure that services can run properly after the protection mode is changed.
    The Bypassed mode can be enabled only when one of the following conditions is met:
    • Website services need to be restored to the status when the website is not connected to WAF.
    • You need to investigate website errors, such as 502, 504, or other incompatibility issues.
    • No proxy is configured between the client and WAF.

Prerequisites

You have connected the website you want to protect to WAF.

Constraints

  • Bypassing WAF is allowed only if you select Cloud Mode - CNAME while adding your website to WAF.
  • Before bypassing WAF protection, ensure that the service port of the origin server has been enabled.
  • If you connect a domain name to WAF with different protection ports configured, bypassing WAF protection is not supported for the domain name.
  • If you bypass WAF protection, requests to the domain name are sent to the backend server directly and do not pass through WAF. Your domain name may become inaccessible if any of the following happens:
    • In the website server configuration, settings for Client Protocol and Server Protocol are inconsistent.
    • Different ports are set for Protected Port and Server Port.

Changing the Protection Mode (Enabling, Suspending, or Bypassing WAF Protection)

  1. Log in to the WAF console.
  2. Click in the upper left corner and select a region or project.
  3. (Optional) If you have enabled the enterprise project function, in the upper part of the navigation pane on the left, select your enterprise project from the Filter by enterprise project drop-down list. Then, WAF will display the related security data in the enterprise project on the page.
  4. In the navigation pane on the left, click Website Settings.
  5. On the Website Settings page, click the target website domain name.
  6. In the Operation column of the target domain name, click Enable WAF, Suspend WAF, or Bypass as needed.
  7. Change the protection mode.

    • If you Enable WAF, the Status of the domain name changes to Protected.
    • If you Suspend WAF, the Status of the domain name changes to Unprotected.
    • If you Bypass WAF, the Status of the domain name changes to Bypassed.

Related Operations

Parent Topic: Connected Website Management