

**Introducing a new console experience for Amazon WAF**

You can now use the updated experience to access Amazon WAF functionality anywhere in the console. For more details, see [Working with the console](https://docs.amazonaws.cn/waf/latest/developerguide/working-with-console.html). 

# Getting started with Amazon WAF using the standard console experience
<a name="setup-existing-console"></a>

The Amazon WAF console guides you through the process of configuring Amazon WAF to block or allow web requests based on criteria that you specify, such as the IP addresses that the requests originate from or values in the requests. In this tutorial, you create a protection pack (web ACL). For more information about Amazon WAF protection packs (web ACLs), see [Configuring protection in Amazon WAF](web-acl.md).

This tutorial shows how to use Amazon WAF to perform the following tasks:
+ Set up Amazon WAF.
+ Create a web access control list (web ACL) using the wizard in the Amazon WAF console.

**Note**  
Amazon typically bills you less than US \$10.25 per day for the resources that you create during this tutorial. When you're finished with the tutorial, we recommend that you delete the resources to prevent incurring unnecessary charges. 

## Step 1: Set up Amazon WAF
<a name="getting-started-aws-account"></a>

If you haven't already followed the general setup steps in [Setting up your account to use the services](setting-up-waf.md), do that now.

## Step 2: Create a web ACL
<a name="getting-started-wizard-create-web-acl"></a>

The Amazon WAF console guides you through the process of configuring Amazon WAF to block or allow web requests based on criteria that you specify, such as the IP addresses that the requests originate from or values in the requests. In this step, you create a web ACL. For more information about Amazon WAF web ACLs, see [Configuring protection in Amazon WAF](web-acl.md).

**To create a web ACL**

1. Sign in to the Amazon Web Services Management Console and open the Amazon WAF console at [https://console.amazonaws.cn/wafv2/homev2](https://console.amazonaws.cn/wafv2/homev2). 

1. From the Amazon WAF home page, choose **Create web ACL**.

1. For **Name**, enter the name that you want to use to identify this web ACL.

   **Note**  
   You can't change the name after you create the web ACL.

1. (Optional) For **Description - optional**, enter a longer description for the web ACL if you want to.

1. For **CloudWatch metric name**, change the default name if applicable. Follow the guidance on the console for valid characters. The name can't contain special characters, white space, or metric names reserved for Amazon WAF, including "All" and "Default_Action."

   **Note**  
   You can't change the CloudWatch metric name after you create the web ACL.

1. For **Resource type**, choose **CloudFront distributions**. The **Region** automatically populates to **Global (CloudFront)** for CloudFront distributions.

1. (Optional) For **Associated Amazon resources - optional**, choose **Add Amazon resources**. In the dialog box, choose the resources that you want to associate, and then choose **Add**. Amazon WAF returns you to the **Describe web ACL and associated Amazon resources** page.

1. Choose **Next**.

## Step 3: Add a string match rule
<a name="getting-started-wizard-create-string-condition"></a>

In this step, you create a rule with a string match statement and indicate what to do with matching requests. A string match rule statement identifies strings that you want Amazon WAF to search for in a request. Usually, a string consists of printable ASCII characters, but you can specify any character from hexadecimal 0x00 to 0xFF (decimal 0 to 255). In addition to specifying the string to search for, you specify the web request component that you want to search, such as a header, a query string, or the request body. 

This statement type operates on a web request component, and requires the following request component settings: 
+ **Request component** – The part of the web request to inspect, for example, a query string or the body.

  **Warning**  
  If you inspect the request components **Body**, **JSON body**, **Headers**, or **Cookies**, read about the limitations on how much content Amazon WAF can inspect at [Oversize web request components in Amazon WAF](waf-oversize-request-components.md). 

  For information about web request components, see [Adjusting rule statement settings in Amazon WAF](waf-rule-statement-fields.md).
+ **Optional text transformations** – Transformations that you want Amazon WAF to perform on the request component before inspecting it. For example, you could transform to lowercase or normalize white space. If you specify more than one transformation, Amazon WAF processes them in the order listed. For information, see [Using text transformations in Amazon WAF](waf-rule-statement-transformation.md).

For additional information about Amazon WAF rules, see [Amazon WAF rules](waf-rules.md). 

**To create a string match rule statement**

1. On the **Add rules and rule groups** page, choose **Add rules**, **Add my own rules and rule groups**, **Rule builder**, then **Rule visual editor**. 

   **Note**  
   The console provides the **Rule visual editor** and also a **Rule JSON editor**. The JSON editor makes it easy for you to copy configurations between web ACLs and is required for more complex rule sets, like those with multiple levels of nesting.   
   This procedure uses the **Rule visual editor**. 

1. For **Name**, enter the name that you want to use to identify this rule. 

1. For **Type**, choose **Regular rule**.

1. For **If a request**, choose **matches the statement**. 

   The other options are for the logical rule statement types. You can use them to combine or negate the results of other rule statements. 

1. On **Statement**, for **Inspect**, open the dropdown and choose the web request component that you want Amazon WAF to inspect. For this example, choose **Single header**.

   When you choose **Single header**, you also specify which header you want Amazon WAF to inspect. Enter **User-Agent**. This value isn't case sensitive.

1. For **Match type**, choose where the specified string must appear in the `User-Agent` header. 

   For this example, choose **Exactly matches string**. This indicates that Amazon WAF inspects the user-agent header in each web request for a string that is identical to the string that you specify.

1. For **String to match**, specify a string that you want Amazon WAF to search for. The maximum length of **String to match** is 200 characters. If you want to specify a base64-encoded value, you can specify up to 200 characters before encoding.

   For this example, enter **MyAgent**. Amazon WAF will inspect the `User-Agent` header in web requests for the value `MyAgent`.

1. Leave **Text transformation** set to **None**. 

1. For **Action**, select the action that you want the rule to take when it matches a web request. For this example, choose **Count** and leave the other choices as they are. The count action creates metrics for web requests that match the rule, but doesn't affect whether the request is allowed or blocked. For more information about action choices, see [Using rule actions in Amazon WAF](waf-rule-action.md) and [Setting rule priority](web-acl-processing-order.md).

1. Choose **Add rule**.
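
The rule that this procedure builds, written in the rule JSON shape that the **Rule JSON editor** works with, together with a simplified local model of the match. This is an added example, not Amazon code; the rule names `MyAgentCount` and `MyAgentLower`, the sample headers, and the character set used for the metric-name check are assumptions.

```python
import json
import re

RESERVED_METRIC_NAMES = {"All", "Default_Action"}  # reserved names the tutorial lists

def valid_metric_name(name):
    # Assumption: "special characters" means anything other than letters, digits, '-' and '_'.
    return bool(re.fullmatch(r"[A-Za-z0-9_-]+", name)) and name not in RESERVED_METRIC_NAMES

def build_rule(name, header, search, transform="NONE", priority=0):
    """Return a count-mode string match rule; `name` doubles as the metric name (assumption)."""
    if len(search) > 200:
        raise ValueError("String to match is limited to 200 characters")
    if not valid_metric_name(name):
        raise ValueError(f"invalid CloudWatch metric name: {name!r}")
    return {
        "Name": name, "Priority": priority,
        "Statement": {"ByteMatchStatement": {
            "SearchString": search,
            "FieldToMatch": {"SingleHeader": {"Name": header.lower()}},
            "TextTransformations": [{"Priority": 0, "Type": transform}],
            "PositionalConstraint": "EXACTLY",
        }},
        "Action": {"Count": {}},  # count only: does not allow or block the request
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True, "MetricName": name},
    }

def rule_matches(rule, headers):
    """Simplified local model of the match, for reasoning about rule coverage only."""
    stmt = rule["Statement"]["ByteMatchStatement"]
    wanted = stmt["FieldToMatch"]["SingleHeader"]["Name"]
    # Header names compare case-insensitively; a request without the header never matches.
    value = next((v for k, v in headers.items() if k.lower() == wanted), None)
    if value is None:
        return False
    if any(t["Type"] == "LOWERCASE" for t in stmt["TextTransformations"]):
        value = value.lower()  # only NONE and LOWERCASE are modelled here
    return value == stmt["SearchString"]  # EXACTLY: whole value, case-sensitive

# Constructed sample requests (headers only), not captured traffic.
SAMPLES = [{"User-Agent": "MyAgent"}, {"user-agent": "myagent"},
           {"User-Agent": "MyAgent/1.0"}, {"Accept": "*/*"}]

def coverage(rule):
    return [rule_matches(rule, h) for h in SAMPLES]

if __name__ == "__main__":
    print(json.dumps(build_rule("MyAgentCount", "User-Agent", "MyAgent"), indent=2))
```

With **Text transformation** set to **None**, the exact match is case-sensitive, so only the first sample is counted. A `LOWERCASE` transformation paired with a lowercase search string counts the first two.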

## Step 4: Add an Amazon Managed Rules rule group
<a name="getting-started-wizard-add-rule-group"></a>

Amazon Managed Rules offers a set of managed rule groups for your use, most of which are free of charge to Amazon WAF customers. For more information about rule groups, see [Amazon WAF rule groups](waf-rule-groups.md). We'll add an Amazon Managed Rules rule group to this web ACL. 

**To add an Amazon Managed Rules rule group**

1. On the **Add rules and rule groups** page, choose **Add rules**, and then choose **Add managed rule groups**. 

1. On the **Add managed rule groups** page, expand the listing for the **Amazon managed rule groups**. (You'll also see listings offered for Amazon Web Services Marketplace sellers. You can subscribe to their offerings and then use them in the same way as for Amazon Managed Rules rule groups.)

1. For the rule group that you want to add, do the following: 

   1. In the **Action** column, turn on the **Add to web ACL** toggle. 

   1. Select **Edit** and, in the rule group's **Rules** listing, open the **Override all rule actions** dropdown and select **Count**. This sets the action for all rules in the rule group to count only. This allows you to see how all of the rules in the rule group behave with your web requests before you put any of them to use.

   1. Choose **Save rule**.

1. In the **Add managed rule groups** page, choose **Add rules**. This returns you to the **Add rules and rule groups** page.

## Step 5: Finish your web ACL configuration
<a name="getting-started-wizard-finish-webacl-options"></a>

When you're done adding rules and rule groups to your web ACL configuration, finish up by managing the priority of the rules in the web ACL and configuring settings like metrics, tagging, and logging. 

**To finish your web ACL configuration**

1. On the **Add rules and rule groups** page, choose **Next**. 

1. On the **Set rule priority** page, you can see the processing order for the rules and rule groups in the web ACL. Amazon WAF processes them starting from the top of the list. You can change the processing order by moving the rules up or down. To do this, select one in the list and choose **Move up** or **Move down**. For more information about rule priority, see [Setting rule priority](web-acl-processing-order.md). 

1. Choose **Next**.

1. On the **Configure metrics** page, for **Amazon CloudWatch metrics**, you can see the planned metrics for your rules and rule groups and you can see the web request sampling options. For information about viewing sampled requests, see [Viewing a sample of web requests](web-acl-testing-view-sample.md). For information about Amazon CloudWatch metrics, see [Monitoring with Amazon CloudWatch](monitoring-cloudwatch.md). 

   You can access summaries of the web traffic metrics on the web ACL's page in the Amazon WAF console, under the **Traffic overview** tab. The console dashboards provide near real-time summaries of the web ACL's Amazon CloudWatch metrics. For more information, see [Traffic overview dashboards for protection packs (web ACLs)](web-acl-dashboards.md). 

1. Choose **Next**.

1. On the **Review and create web ACL** page, review your settings, then choose **Create web ACL**. 

The wizard returns you to the **web ACL** page, where your new web ACL is listed.

## Step 6: Clean up your resources
<a name="getting-started-wizard-clean-up"></a>

You've now successfully completed the tutorial. To prevent your account from accruing additional Amazon WAF charges, clean up the Amazon WAF objects that you created. Alternatively, you can change the configuration to match the web requests that you really want to manage using Amazon WAF.

**Note**  
Amazon typically bills you less than US \$10.25 per day for the resources that you create during this tutorial. When you're finished, we recommend that you delete the resources to prevent incurring unnecessary charges. 

**To delete the objects that Amazon WAF charges for**

1. In the **web ACL** page, select your web ACL from the list and choose **Edit**. 

1. On the **Associated Amazon resources** tab, for each associated resource, select the radio button next to the resource name and then choose **Disassociate**. This disassociates the web ACL from your Amazon resources. 

1. In each of the following screens, choose **Next** until you return to the **web ACL** page.

   In the **web ACL** page, select your web ACL from the list and choose **Delete**. 

Rules and rule statements don't exist outside of rule group and web ACL definitions. If you delete a web ACL, this deletes all individual rules that you've defined in the web ACL. When you remove a rule group from a web ACL, you just remove the reference to it. 