Updated on 2024-04-17 GMT+08:00

Step 3: Test WAF

After you add a domain name to WAF, test the connection locally to confirm that WAF can receive requests for your website and forward them to the origin server. Doing this before you switch the domain's public DNS record to WAF avoids exposing a broken configuration to real users.

Before testing WAF, ensure that the protocol, address, and port configured for the origin server of the protected domain name (for example, www.example5.com) are correct. If Client Protocol is set to HTTPS, also ensure that the certificate and private key uploaded to WAF are correct and match the domain name.

Background

You can override DNS resolution on a single computer by editing its local hosts file. To test the connection between WAF and your website locally, resolve the website domain name to the WAF IP address on that computer only; requests from it then pass through WAF while the public DNS record is unchanged. In this way, you can verify whether the domain name is accessible after it has been added to WAF, and catch website access failures caused by a wrong domain name configuration before anyone else is affected.

Prerequisites

You have added your domain name to WAF.

Constraints

WAF generates the CNAME record from the domain name, so the same domain name always maps to the same CNAME record.

Connecting a Domain Name to WAF Locally

  1. Obtain the CNAME record.

    1. Click in the upper left corner of the management console and select a region or project.
    2. Click in the upper left corner and choose Web Application Firewall under Security & Compliance.
    3. In the navigation pane, choose Website Settings.
    4. In the Domain Name column, click the target domain name to go to the Basic Information page.
      Figure 1 Basic Information
    5. In the CNAME row, click to copy the CNAME record.

  2. Ping the CNAME record and record the WAF access IP address it resolves to.

    Take www.example5.com as an example; its CNAME record is xxxxxxxdc1b71f718f233caf77.waf.huaweicloud.com.

    Open cmd in Windows or bash in Linux and run ping xxxxxxxdc1b71f718f233caf77.waf.huaweicloud.com (on Linux, add -c 4 to stop after four packets). The first line of the output shows the IP address the CNAME record resolves to; this is the WAF access IP address, as shown in Figure 2. (It is not a WAF back-to-source IP address; those are the addresses WAF uses when it connects to your origin server.)
    Figure 2 Ping CNAME

    Ping is used here only to resolve the name. If the CNAME record resolves but no replies come back, ICMP is probably filtered somewhere on the path; this does not affect HTTP forwarding, so use the address shown in the first line. If the CNAME record does not resolve at all, check the DNS settings and network connection of the local computer and retry when the network is stable.

  3. Add the domain name and WAF access IP address to the hosts file.

    1. Use a text editor to open the hosts file. Editing it requires administrator (Windows) or root (Linux) privileges. The file is located as follows:
      • Windows: C:\Windows\System32\drivers\etc\hosts
      • Linux: /etc/hosts
    2. Add a line that maps the protected domain name to the WAF access IP address obtained in Step 2: the IP address, a space, then the domain name (for example, 203.0.113.10 www.example5.com, where 203.0.113.10 stands for the address you recorded).
      Figure 3 Adding a record
    3. Save the hosts file and ping the protected domain name on the local PC.
      Figure 4 Pinging the domain name

      The domain name should now resolve to the WAF access IP address obtained in Step 2. If it still resolves to the origin server address, the old record is cached: run ipconfig /flushdns on Windows, or flush the local resolver cache on Linux if one is in use (for example, resolvectl flush-caches with systemd-resolved), and then ping again.

Checking Whether WAF Forwarding Is Normal

  1. Clear the browser cache and enter the domain name in the address bar to check whether the website is accessible.

    If the domain name resolves to the WAF access IP address and the WAF configuration (origin server protocol, address, and port, plus the certificate for HTTPS) is correct, the website loads normally through WAF. A certificate warning or a gateway error at this point usually indicates a wrong origin server setting or certificate rather than a DNS problem.

  2. Simulate a simple web attack.

    1. Set the mode of Basic Web Protection to Block. For details, see Enabling Basic Web Protection.
    2. Clear the browser cache, then request the test domain name with a simulated SQL injection payload in the URL (for example, in a query-string parameter) and check whether WAF blocks the request. Figure 5 shows an example of a blocked request.
      Figure 5 Request blocked
    3. In the navigation pane, choose Events and confirm that the blocked request appears in the event list. If the request was not blocked, check that Block mode has taken effect and that the request actually reached WAF (the domain name resolves to the WAF access IP address) rather than the origin server directly.
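The whole procedure above (resolve the CNAME record, form the hosts entry, check forwarding, check that a simulated attack is blocked) can also be run from the command line. The script below is an added example and is not part of the Huawei Cloud WAF documentation or console. It avoids editing the hosts file by pinning the domain name to the WAF access IP address with curl --resolve, which leaves both the hosts file and the public DNS record untouched. It assumes curl plus getent or dig are installed; the domain name, the CNAME record and the 203.0.113.x addresses are placeholders, and it assumes that a request WAF blocks is answered with a 4xx status rather than forwarded to the origin.

```shell
#!/bin/sh
# Added example, not from the Huawei Cloud WAF documentation: run the local
# WAF connectivity and blocking test from the command line. Instead of editing
# the hosts file it pins the domain name to the WAF access IP address with
# curl --resolve, so the public DNS record and the hosts file stay untouched.
# DOMAIN, CNAME and the 203.0.113.x addresses are placeholders (assumptions);
# substitute the CNAME record copied from the WAF console.

DOMAIN="${DOMAIN:-www.example5.com}"
CNAME="${CNAME:-xxxxxxxdc1b71f718f233caf77.waf.huaweicloud.com}"
SCHEME="${SCHEME:-https}"
PORT="${PORT:-443}"

# Extract the resolved address from ping's first line. Handles the Linux form
# "PING name (203.0.113.10) 56(84) bytes" and the Windows form
# "Pinging name [203.0.113.10] with 32 bytes". No ICMP reply is needed:
# ping prints the address it resolved before it sends a single packet.
ip_from_ping_output() {
  sed -n 's/^[^([]*[([]\([0-9.][0-9.]*\)[])].*/\1/p' | head -n 1
}

# Resolve the CNAME record with the system resolver (no ICMP involved).
resolve_cname() {
  if command -v getent >/dev/null 2>&1; then
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
  else
    dig +short A "$1" | grep -E '^[0-9.]+$' | head -n 1
  fi
}

# The line you would append to the hosts file if you prefer that method.
hosts_line() {
  printf '%s %s\n' "$1" "$2"
}

# One request to DOMAIN, sent to the WAF address regardless of DNS.
# Prints only the HTTP status code (000 if the connection or TLS fails).
# Deliberately no -k: a TLS failure here means the certificate uploaded to
# WAF does not match the domain name, which is one of the things to check.
probe() {
  ip="$1"; path="$2"
  curl -sS -o /dev/null -w '%{http_code}' --max-time 10 \
    --resolve "${DOMAIN}:${PORT}:${ip}" \
    "${SCHEME}://${DOMAIN}:${PORT}${path}"
}

# Classify the status codes of the baseline request and the simulated attack.
# Assumption: a request WAF blocks is answered with a 4xx status (the block
# page in Figure 5) and is not forwarded to the origin server.
verdict() {
  base="$1"; attack="$2"
  case "$base" in
    2??|3??) ;;
    *) echo "FORWARDING_FAILED"; return 0 ;;
  esac
  case "$attack" in
    4??) echo "BLOCKED" ;;
    *)   echo "NOT_BLOCKED" ;;
  esac
}

main() {
  ip="$(resolve_cname "$CNAME")"
  if [ -z "$ip" ]; then
    echo "could not resolve $CNAME" >&2
    return 1
  fi
  echo "WAF access IP: $ip"
  echo "hosts file line: $(hosts_line "$ip" "$DOMAIN")"
  base="$(probe "$ip" /)"
  # Simulated SQL injection test string (?id=1' OR 1=1--), sent only to
  # your own protected domain to confirm that Block mode is active.
  attack="$(probe "$ip" "/?id=1%27%20OR%201%3D1--")"
  result="$(verdict "$base" "$attack")"
  echo "baseline=$base attack=$attack result=$result"
  [ "$result" = BLOCKED ]
}

# Network access is only attempted when explicitly requested:
#   WAF_TEST_LIVE=1 DOMAIN=www.example5.com CNAME=<your CNAME> sh waf-test.sh
if [ "${WAF_TEST_LIVE:-0}" = 1 ]; then
  main
fi
```

The script exits non-zero unless the baseline request succeeds and the simulated attack is blocked, so it can be wired into a change checklist. Because curl --resolve pins only this process, other applications on the computer keep using normal DNS, which is safer than leaving a forgotten hosts entry behind after the test.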