

# Getting started with AWS Firewall Manager to enable AWS WAF Classic rules
<a name="classic-getting-started-fms"></a>

**Warning**  
AWS WAF Classic is going through a planned end-of-life process. Refer to your AWS Health dashboard for the milestones and dates specific to your Region.

**Note**  
This is **AWS WAF Classic** documentation. You should only use this version if you created AWS WAF resources, like rules and web ACLs, in AWS WAF prior to November 2019, and you have not migrated them over to the latest version yet. To migrate your web ACLs, see [Migrating your AWS WAF Classic resources to AWS WAF](waf-migrating-from-classic.md).  
**For the latest version of AWS WAF**, see [AWS WAF](waf-chapter.md). 

You can use AWS Firewall Manager to enable AWS WAF rules, AWS WAF Classic rules, AWS Shield Advanced protections, and Amazon VPC security groups. The steps for getting set up are slightly different for each:
+ To use Firewall Manager to enable rules using the latest version of AWS WAF, don't use this topic. Instead, follow the steps in [Setting up AWS Firewall Manager AWS WAF policies](getting-started-fms.md).
+ To use Firewall Manager to enable AWS Shield Advanced protections, follow the steps in [Setting up AWS Firewall Manager AWS Shield Advanced policies](getting-started-fms-shield.md).
+ To use Firewall Manager to enable Amazon VPC security groups, follow the steps in [Setting up AWS Firewall Manager Amazon VPC security group policies](getting-started-fms-security-group.md).

To use Firewall Manager to enable AWS WAF Classic rules, perform the following steps in sequence. 

**Topics**
+ [Step 1: Complete the prerequisites](classic-complete-prereq.md)
+ [Step 2: Create rules](classic-get-started-fms-create-rules.md)
+ [Step 3: Create a rule group](classic-get-started-fms-create-rule-group.md)
+ [Step 4: Create and apply an AWS Firewall Manager AWS WAF Classic policy](classic-get-started-fms-create-security-policy.md)

# Step 1: Complete the prerequisites
<a name="classic-complete-prereq"></a>

There are several mandatory steps to prepare your account for AWS Firewall Manager. Those steps are described in [AWS Firewall Manager prerequisites](fms-prereq.md). Complete all the prerequisites before proceeding to [Step 2: Create rules](classic-get-started-fms-create-rules.md).

# Step 2: Create rules
<a name="classic-get-started-fms-create-rules"></a>

In this step, you create rules using AWS WAF Classic. If you already have AWS WAF Classic rules that you want to use with AWS Firewall Manager, skip this step and go to [Step 3: Create a rule group](classic-get-started-fms-create-rule-group.md). 

**Note**  
Use the AWS WAF Classic console to create your rules. <a name="classic-get-started-fms-create-rules-procedure"></a>

**To create AWS WAF Classic rules (console)**
+ Create your rules, and then add your conditions to your rules. For more information, see [Creating a rule and adding conditions](classic-web-acl-rules-creating.md). 

You are now ready to go to [Step 3: Create a rule group](classic-get-started-fms-create-rule-group.md).

# Step 3: Create a rule group
<a name="classic-get-started-fms-create-rule-group"></a>

A rule group is a set of rules that defines what actions to take when a particular set of conditions is met. You can use managed rule groups from AWS Marketplace, and you can create your own rule groups. For information about managed rule groups, see [AWS Marketplace rule groups](classic-waf-managed-rule-groups.md).

To create your own rule group, perform the following procedure.<a name="classic-get-started-fms-create-rule-group-procedure"></a>

**To create a rule group (console)**

1. Sign in to the AWS Management Console using the AWS Firewall Manager administrator account that you set up in the prerequisites, and then open the Firewall Manager console at [https://console.aws.amazon.com/wafv2/fms](https://console.aws.amazon.com/wafv2/fms). 

1. In the navigation pane, choose **Security policies**. 

1. If you have not met the prerequisites, the console displays instructions about how to fix any issues. Follow the instructions, and then begin this step (create a rule group) again. If you have met the prerequisites, choose **Close**. 

1. Choose **Create policy**.

   For **Policy type**, choose **AWS WAF Classic**. 

1. Choose **Create an AWS Firewall Manager policy and add a new rule group**.

1. Choose an AWS Region, and then choose **Next**.

1. Because you already created rules, you don't need to create conditions. Choose **Next**.

1. Because you already created rules, you don't need to create rules. Choose **Next**.

1. Choose **Create rule group**.

1. For **Name**, enter a friendly name. 

1. Enter a name for the CloudWatch metric that AWS WAF Classic will create and will associate with the rule group. The name can contain only alphanumeric characters (A-Z, a-z, 0-9) or the following special characters: \_-\!"\#\`\+\*\},./. It can't contain white space.

1. Select a rule, and then choose **Add rule**. A rule has an action setting that allows you to choose whether to allow, block, or count requests that match the rule's conditions. For this tutorial, choose **Count**. Repeat adding rules until you have added all the rules that you want to the rule group.

1. Choose **Create**.

You are now ready to go to [Step 4: Create and apply an AWS Firewall Manager AWS WAF Classic policy](classic-get-started-fms-create-security-policy.md).

# Step 4: Create and apply an AWS Firewall Manager AWS WAF Classic policy
<a name="classic-get-started-fms-create-security-policy"></a>

After you create the rule group, you create an AWS Firewall Manager AWS WAF policy. A Firewall Manager AWS WAF policy contains the rule group that you want to apply to your resources.<a name="classic-get-started-fms-create-security-policy-procedure"></a>

**To create a Firewall Manager AWS WAF policy (console)**

1. After you create the rule group (the last step in the preceding procedure, [Step 3: Create a rule group](classic-get-started-fms-create-rule-group.md)), the console displays the **Rule group summary** page. Choose **Next**.

1. For **Name**, enter a friendly name. 

1. For **Policy type**, choose **WAF**. 

1. For **Region**, choose an AWS Region. To protect Amazon CloudFront resources, choose **Global**.

   To protect resources in multiple Regions (other than CloudFront resources), you must create a separate Firewall Manager policy for each Region.

1. Select a rule group to add, and then choose **Add rule group**. 

1. A policy has two possible actions: **Action set by rule group** and **Count**. If you want to test the policy and rule group, set the action to **Count**. This action overrides any *block* action specified by the rule group contained in the policy. That is, if the policy's action is set to **Count**, those requests are only counted and not blocked. Conversely, if you set the policy's action to **Action set by rule group**, actions of the rule group in the policy are used. For this tutorial, choose **Count**.

1. Choose **Next**.

1. If you want to include only specific accounts in the policy, or alternatively exclude specific accounts from the policy, select **Select accounts to include/exclude from this policy (optional)**. Choose either **Include only these accounts in this policy** or **Exclude these accounts from this policy**. You can choose only one option. Choose **Add**. Select the account numbers to include or exclude, and then choose **OK**.

   **Note**  
   If you don't select this option, Firewall Manager applies a policy to all accounts in your organization in AWS Organizations. If you add a new account to the organization, Firewall Manager automatically applies the policy to that account.

1. Choose the types of resources that you want to protect.

1. If you want to protect only resources with specific tags, or alternatively exclude resources with specific tags, select **Use tags to include/exclude resources**, enter the tags, and then choose either **Include** or **Exclude**. You can choose only one option. 

   If you enter more than one tag (separated by commas), and if a resource has any of those tags, it is considered a match.

   For more information about tags, see [Working with Tag Editor](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/tag-editor.html).

1. Choose **Create and apply this policy to existing and new resources**.

   This option creates a web ACL in each applicable account within an organization in AWS Organizations, and associates the web ACL with the specified resources in the accounts. This option also applies the policy to all new resources that match the preceding criteria (resource type and tags). Alternatively, if you choose **Create but do not apply this policy to existing or new resources**, Firewall Manager creates a web ACL in each applicable account within the organization, but doesn't apply the web ACL to any resources. You must apply the policy to resources later.

1. Leave the choice for **Replace existing associated web ACLs** at the default setting.

   When this option is selected, Firewall Manager removes all existing web ACL associations from in-scope resources before it associates the new policy's web ACLs with them.

1. Choose **Next**.

1. Review the new policy. To make any changes, choose **Edit**. When you are satisfied with the policy, choose **Create policy**.
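
The console choices in this procedure map onto the fields of a Firewall Manager `PutPolicy` request. The following is an added example, not code from this guide: it builds that request for a policy of type WAF and checks it for settings that widen a first rollout. The helper names, the `ALLOW` default action, the placeholder rule group ID, and the sample account number and tag are assumptions made for illustration.

```python
import json

def build_waf_classic_policy(name, rule_group_id, resource_type, *, count_only=True,
                             apply_now=True, include_accounts=(), exclude_accounts=(),
                             tags=None, exclude_tagged=False):
    """Build the Policy argument for Firewall Manager PutPolicy (policy type WAF)."""
    if include_accounts and exclude_accounts:
        raise ValueError("include OR exclude accounts, not both")
    managed = {
        "type": "WAF",
        "ruleGroups": [{
            "id": rule_group_id,
            # COUNT = policy action "Count"; NONE = "Action set by rule group".
            "overrideAction": {"type": "COUNT" if count_only else "NONE"},
        }],
        "defaultAction": {"type": "ALLOW"},  # assumption: web ACL default action
    }
    policy = {
        "PolicyName": name,
        "SecurityServicePolicyData": {"Type": "WAF",
                                      "ManagedServiceData": json.dumps(managed)},
        "ResourceType": resource_type,
        "ExcludeResourceTags": exclude_tagged,
        "RemediationEnabled": apply_now,  # True = "Create and apply this policy ..."
    }
    if tags:
        policy["ResourceTags"] = [{"Key": k, "Value": v} for k, v in sorted(tags.items())]
    if include_accounts:
        policy["IncludeMap"] = {"ACCOUNT": sorted(include_accounts)}
    if exclude_accounts:
        policy["ExcludeMap"] = {"ACCOUNT": sorted(exclude_accounts)}
    return policy

def rollout_warnings(policy):
    """Flag settings that widen the blast radius of a first rollout."""
    managed = json.loads(policy["SecurityServicePolicyData"]["ManagedServiceData"])
    warnings = []
    if any(g["overrideAction"]["type"] != "COUNT" for g in managed["ruleGroups"]):
        warnings.append("rule group actions are enforced; block rules will block traffic")
    if "IncludeMap" not in policy:
        warnings.append("no account allow-list; policy reaches every account not excluded")
    return warnings

# Constructed sample values: placeholder rule group ID, example account number and tag.
SAMPLE = build_waf_classic_policy(
    "tutorial-count-policy", "RULE-GROUP-ID-PLACEHOLDER",
    "AWS::ElasticLoadBalancingV2::LoadBalancer",
    include_accounts=["111122223333"], tags={"env": "staging"})
```

With boto3, the resulting dictionary is passed as `put_policy(Policy=...)` on an `fms` client created in the Firewall Manager administrator account, once for each Region you want to protect.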