What do you need to consider before buying WAF? | Cloud SECaaS platform AIONCLOUD


What do you need to consider before buying WAF?

These days, enterprises are using web-based and cloud-based applications to extend their business. Purchasing a robust web application firewall (WAF) has become a requirement, not an option. Web threats are becoming increasingly advanced and sophisticated and threaten enterprise data, while web-based and cloud-based applications become more popular. This makes it difficult for administrators to keep up to date on the latest threats and protection measures. They also need to meet IT compliance requirements for data sharing across traditional and cloud environments.

A web application firewall (WAF) is a complex product and plays an essential role in maximizing throughput and ensuring the high availability of applications, so you need to consider several points before purchasing one. As a web-based application, a WAF requires a number of layers of security and also considers the confidentiality, availability and integrity of web-accessible data.

How does WAF integrate into your network environment?

One of the most critical aspects is WAF deployment. Traditionally, a WAF was deployed as a hardware appliance on premises in the enterprise data center. Enterprises now have more options, as security teams are challenged to protect applications beyond the data center. A WAF as a software-based virtual edition (VE) is one of the cost-effective options for SMBs or those wanting to deploy protection closer to the application. Many enterprises also choose to deploy a cloud-based WAF (security as a service). This method requires redirecting DNS records to resolve to the WAF vendor's IP address, and the WAF forwards legitimate web traffic to the actual application host. A cloud-based WAF is much easier to implement because it requires only a DNS setting, and the cloud requires less work on internal IT technology.

How does WAF detect and block web threats?

A WAF primarily inspects the content of requests and responses between the application server and the client. A WAF should inspect all components, including headers, sessions and file uploads, and buyers should determine its ability to respond.
With a blacklist approach, the WAF blocks a request when it finds a known attack from the list, such as SQL injection or cross-site scripting. With a whitelist approach, the WAF allows only requests that meet the criteria in the list. This would be more secure, because only what is on the defined list is accepted.

In summary, enterprises make their decision on a WAF or vendor after answering and addressing these questions.
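The blacklist and whitelist approaches described above, run side by side on the same requests. This is an added example, not code from AIONCLOUD or any WAF product; the signatures, the parameter names `id` and `lang`, their formats, and the sample query strings are all constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Blacklist: signatures for the two attack classes the article names.
# Constructed and deliberately tiny; real rule sets are far larger.
BLACKLIST = [
    re.compile(r"union\s+select", re.IGNORECASE),  # SQL injection
    re.compile(r"<script\b", re.IGNORECASE),       # cross-site scripting
]

# Whitelist: the only parameters a hypothetical application accepts,
# each with the exact format it expects (assumed for this example).
WHITELIST = {
    "id": re.compile(r"[0-9]{1,10}"),
    "lang": re.compile(r"en|ko|ja"),
}

def blacklist_verdict(query: str) -> str:
    """Block only when a known attack signature appears in the decoded query."""
    decoded = unquote_plus(query)
    return "block" if any(sig.search(decoded) for sig in BLACKLIST) else "allow"

def whitelist_verdict(query: str) -> str:
    """Allow only when every parameter is defined and matches its format."""
    for name, value in parse_qsl(query, keep_blank_values=True):
        rule = WHITELIST.get(name)
        if rule is None or rule.fullmatch(value) is None:
            return "block"
    return "allow"

# Constructed sample query strings, not captured traffic.
SAMPLES = [
    "id=42&lang=en",
    "id=1+UNION+SELECT+password+FROM+users",
    "lang=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    "id=42&debug=true",
    "id=42abc",
]

def compare(samples):
    """Return (query, blacklist verdict, whitelist verdict) for each sample."""
    return [(q, blacklist_verdict(q), whitelist_verdict(q)) for q in samples]

if __name__ == "__main__":
    for query, black, white in compare(SAMPLES):
        print(f"{query:45} blacklist={black:5} whitelist={white}")
```

The last two samples match no known signature, so the blacklist passes them, while the whitelist rejects them because an undefined parameter and a malformed value fall outside the defined list.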
