WAFPlanet

Qualys Web Application Firewall

by Qualys, Inc.

WAFPlanet Rating: 3.0

Cloud-managed WAF from Qualys that integrates with the company's vulnerability scanning platform, enabling one-click virtual patching of discovered vulnerabilities. Note: the product was decommissioned in September 2024.

Overview

Qualys WAF was a cloud-managed web application firewall offered as part of the Qualys Cloud Platform. What made it unique was its deep integration with Qualys Web Application Scanning (WAS), allowing security teams to automatically generate WAF rules from discovered vulnerabilities — creating a seamless detect-and-protect workflow.

Important: Qualys announced the decommissioning of its WAF product, effective September 1, 2024. This page is maintained for historical reference and for organizations that may still be transitioning away from the product.

The Qualys WAF deployed as a virtual appliance (VMware, Hyper-V, Docker, or cloud platforms) with centralized management through the Qualys Cloud Platform. Unlike cloud-proxy WAFs, application traffic stayed within the customer's environment, minimizing latency while the Qualys cloud handled configuration, updates, and reporting. The platform included pre-built policies for WordPress, Joomla, Drupal, SharePoint, and generic web applications.

Ratings Breakdown

Ease of Use 3.2/5
Value for Money 2.5/5
Customer Support 3.5/5
Features 3.5/5

Key Features

WAS Integration

Automatically generate WAF rules from Qualys Web Application Scanning results for one-click virtual patching.

Cloud-Managed Appliance

Virtual appliance deployed locally but managed centrally through the Qualys Cloud Platform.

Custom Security Policies

Flexible policy engine with reusable rules and templates for common platforms and custom applications.

Pre-Built CMS Policies

Out-of-the-box protection policies for WordPress, Joomla, Drupal, SharePoint, and Outlook Web Application.

Security Event Analytics

Detailed dashboards with traffic summaries, threat trends, and drill-down capabilities for incident investigation.

Local Traffic Processing

Application traffic stays within your environment for minimal latency and full data control.

Pros & Cons

Pros

  • Vulnerability-to-protection workflow

    Unique integration with Qualys WAS enabled automatic virtual patching of discovered vulnerabilities.

  • Enterprise platform integration

    Part of the broader Qualys Cloud Platform alongside vulnerability management, compliance, and asset inventory.

  • Local traffic processing

    Traffic stayed in customer environment, addressing data sovereignty and latency concerns.

  • Flexible deployment

    Supported VMware, Hyper-V, Docker, and major cloud platforms for versatile deployment options.

Cons

  • Product decommissioned

    Qualys WAF was shut down on September 1, 2024. It is no longer available for new deployments.

  • Required Qualys ecosystem

    Full value depended on using other Qualys products, particularly WAS, creating vendor lock-in.

  • Complex setup

    Virtual appliance deployment was more complex than cloud-proxy WAF solutions.

  • Limited standalone value

    Without the WAS integration, the WAF itself was less compelling compared to dedicated WAF products.

Pricing

Pricing model: Subscription, per-asset licensing (product decommissioned)

Qualys WAF (Decommissioned)

Previously subscription-based

Cloud-managed WAF with vulnerability integration (decommissioned Sep 2024)

  • One-click virtual patching from WAS scans
  • Customizable security policies
  • Pre-built CMS policies
  • Centralized cloud management
  • Elasticsearch and Splunk integration

Our Verdict

Qualys WAF was an innovative product that demonstrated the value of integrating vulnerability scanning with web application firewall protection. The ability to automatically generate WAF rules from scan results was ahead of its time and addressed a real pain point in application security workflows.

However, the product was decommissioned in September 2024, likely due to limited market traction in the highly competitive WAF space. Organizations still using Qualys WAF should plan their migration to an alternative solution.

Our verdict: An innovative but now-discontinued WAF that proved the concept of scan-to-protect workflows. Existing users should migrate to an active WAF product.

CVE Coverage

Qualys Web Application Firewall can detect and block attacks matching 81K+ known CVEs based on its supported rule sets.

Critical 13K+
High 17K+
Medium 33K+
Low 411

Coverage by Attack Type

[Chart: number of blockable CVEs per attack type, with per-category counts from 14K+ down to 1.2K+. Of the category labels, only "Open Redirect" (severity Medium) survives.]

Latest Blockable CVEs

CVE Severity
CVE-2026-4510 MEDIUM
CVE-2026-4161 MEDIUM
CVE-2026-4087 MEDIUM
CVE-2026-4086 MEDIUM
CVE-2026-4084 MEDIUM
CVE-2026-4077 MEDIUM
CVE-2026-4072 MEDIUM
CVE-2026-4069 MEDIUM
CVE-2026-4067 MEDIUM
CVE-2026-4022 MEDIUM

Frequently Asked Questions

Is Qualys WAF still available?

No. Qualys announced the decommissioning of its WAF product, effective September 1, 2024. Existing customers should contact their Technical Account Manager (TAM) about transitioning their licenses. Qualys continues to offer Web Application Scanning (WAS) for vulnerability detection.

What are good alternatives to Qualys WAF?

For organizations already in the Qualys ecosystem, consider cloud WAFs like Cloudflare, AWS WAF, or Imperva that can integrate with vulnerability scanning tools. For the virtual patching workflow, look at solutions like F5 Advanced WAF or Fortinet FortiWeb that offer similar vulnerability-to-rule automation.
