Advance Notification of Qualys Web Application Firewall Shut Down

John Delaroderie

This notice is to inform Qualys Web Application Firewall (WAF) customers that Qualys has recently made the significant decision to shut down its Web Application Firewall (WAF) product.

As Qualys continues to lead as a security service provider, our platform and infrastructure have migrated away from our ability to offer a world class web application firewall to our customers.  As a result, we are discontinuing offering web application firewall technologies to focus resources and investment in other areas of the Qualys TruRisk platform to better protect organizations from cyber threats.

We want to express our sincere appreciation for your loyalty and support of Qualys WAF over the years. We know that we could not have achieved the success we had without your support and feedback.

When will Qualys WAF shut down?

Qualys WAF will be permanently discontinued and decommissioned from all Qualys cloud platforms one year from this notification, effective on September 1st, 2024.

Before discontinuing and decommissioning, Qualys WAF will transition through two distinct phases beginning six months from the date of this notification – End of Life (EOL) and End of Service (EOS).

What is the timeline for shutting down Qualys WAF?

Qualys WAF will continue to operate as normal for the rest of 2023.  However, some restrictions will be put in place. 

New Deals: Any new sales of Qualys WAF must be made with communication to new customers that subscriptions cannot extend past September 1st, 2024.  Additionally, new customers will be informed in writing of the EOL and EOS dates. No new deals will be permitted after September 1st,  2023.

Renewals: Renewals for Qualys WAF among existing customers will be permitted until January 31st,2024, with the clear communication that subscriptions cannot be renewed past September 1st, 2024.

After January 31st, 2024, Qualys will start the process of shutting down the WAF product line in two distinct phases:

Phase 1:  Qualys WAF will enter End-of-Life (EOL) starting on March 1st, 2024.  At this time, no further sales or renewals for existing WAF customers will be possible.  In exceptional circumstances, if a customer would like to extend it up to Sept 1st, 2024, to facilitate a move to a new service, their situation will be considered on a case-by-case basis.   Qualys will no longer market, sell, or provide operational support or enhancements for our WAF product.  It will operate on a “as-is” basis with no further enhancements or features added. EOL is being announced in advance to allow our existing customers time to transition to new products or services.

Phase 2: Following a 6-month EOL period, Qualys WAF will enter into End of Service (EOS) on September 1st, 2024.  At this time, Qualys WAF will become inoperable and removed from all remaining platforms and subscriptions.

If you have any questions or concerns, please do not hesitate to reach out to our support team. We are committed to making this transition as smooth as possible for you. 

What is Qualys doing for WAF Customers?

Discount: We understand that EOL/EOS announcements are not always the best news for our customers.  In appreciation of our valued customers, Qualys is offering a one-time discount for new subscriptions to VMDR, Web App Scanning (WAS), Patch Management and CyberSecurity Asset Management (CSAM).

The one-time discount will be based on the number of products purchased as a bundle.  The more you buy, the more you can save.

Number of ProductsOne-Time Discount
3 or More20%

The one-time discount will only be applied for the first year of service.  After the first year, products can only be renewed at their normal pricing based on volume discounts.

Please get in touch with your Technical Account Manager to understand the value proposition of these products and take advantage of this special offer for our existing WAF customers.


Question: What is End of Life (EOL)?

Answer: A product entering into EOL remains operational but can no longer be purchased or renewed.  Additionally, no further support or enhancements will be considered, and the product is only available “as-is” for the remainder of the EOL period.

Question: What is End of Service (EOS)?

Answer: A product entering into EOS is no longer operational and will not provide any web application firewall capabilities or protection for web applications in a customer’s environment. It will be decommissioned from all Qualys cloud platforms PODs.

Question: What are the dates for EOL and EOS?

Answer: EOL begins March 1st, 2024.  EOS begins September 1st, 2024.

Question: What happens between EOL and EOS?

Answer: After entering the EOL phase, the product will continue to work “as-is” until the EOS date.  No renewals or new sales will be permitted.  In exceptional circumstances, if a customer would like to extend up to September 1st, 2024, to facilitate a move to a new service, their situation will be considered on a case-by-case basis.  After EOS, the product will no longer be operational. 

Question: What happens when Qualys WAF is shut down (EOS)? 

Answer: Organizations using the Qualys WAF product may purchase and use  Qualys WAS to identify vulnerabilities so that you can be sure your applications are safe even without Qualys WAF.

Question: What will the customer need to do when Qualys WAF is shut down?

Answer: If transitioning to a new 3rd party WAF, customers will need to remove Qualys WAF from their network configuration and reconfigure entry points (published domain addresses) to work with their new web application firewall.  Please refer to the 3rd party WAF documentation for additional configuration requirements.  If not transitioning to a new 3rd party WAF, customers will need to remove Qualys WAF from their network configuration and reconfigure entry points (published domain addresses) to go straight to their web application server or server pools.

Question: Will Qualys offer a new WAF in the future?

Answer: Given the direction our company is moving as a world-class cyber security provider; it is not likely we will offer any new WAF soon.

Question: Can Qualys recommend a good replacement WAF for customers?

Answer: We cannot make specific recommendations for your environment, but there are many competitive products to choose from – to include WAFs offered as part of cloud hosting environments – that may be of interest in reviewing.

Question: I use Qualys WAS with Scan Trust to scan through the Qualys WAF.  How will I be able to perform WAS scans through other web application firewalls now?

Answer: Every commercial WAF supports whitelisting traffic either through IPs or with specific Cookies.  For IP based whitelisting, you can use the same IP range your Qualys external scans are launched from.  For Cookie based whitelisting, you can configure header injection for each application to pass in a specific Cookie of your choosing.  This Cookie will be sent with every request from Qualys WAS.

Question: Are any other Qualys products going to be shut down too?

Answer: At this time, Qualys has no plans to EOL/EOS any other Qualys products and this decision to shut down our WAF product was made due to the changing focus of our strategic goals.

Share your Comments


Your email address will not be published. Required fields are marked *