diff --git a/internal/rpc/rpc_client.go b/internal/rpc/rpc_client.go
index a6bb3b5f..1aaedeb6 100644
--- a/internal/rpc/rpc_client.go
+++ b/internal/rpc/rpc_client.go
@@ -34,6 +34,7 @@ type RPCClient struct {
 	httpPageClients            []pb.HTTPPageServiceClient
 	httpAccessLogPolicyClients []pb.HTTPAccessLogPolicyServiceClient
 	httpCachePolicyClients     []pb.HTTPCachePolicyServiceClient
+	httpFirewallPolicyClients  []pb.HTTPFirewallPolicyServiceClient
 }
 
 func NewRPCClient(apiConfig *configs.APIConfig) (*RPCClient, error) {
@@ -57,6 +58,7 @@ func NewRPCClient(apiConfig *configs.APIConfig) (*RPCClient, error) {
 	httpPageClients := []pb.HTTPPageServiceClient{}
 	httpAccessLogPolicyClients := []pb.HTTPAccessLogPolicyServiceClient{}
 	httpCachePolicyClients := []pb.HTTPCachePolicyServiceClient{}
+	httpFirewallPolicyClients := []pb.HTTPFirewallPolicyServiceClient{}
 
 	conns := []*grpc.ClientConn{}
 	for _, endpoint := range apiConfig.RPC.Endpoints {
@@ -88,6 +90,7 @@ func NewRPCClient(apiConfig *configs.APIConfig) (*RPCClient, error) {
 		httpPageClients = append(httpPageClients, pb.NewHTTPPageServiceClient(conn))
 		httpAccessLogPolicyClients = append(httpAccessLogPolicyClients, pb.NewHTTPAccessLogPolicyServiceClient(conn))
 		httpCachePolicyClients = append(httpCachePolicyClients, pb.NewHTTPCachePolicyServiceClient(conn))
+		httpFirewallPolicyClients = append(httpFirewallPolicyClients, pb.NewHTTPFirewallPolicyServiceClient(conn))
 	}
 
 	return &RPCClient{
@@ -108,6 +111,7 @@ func NewRPCClient(apiConfig *configs.APIConfig) (*RPCClient, error) {
 		httpPageClients:            httpPageClients,
 		httpAccessLogPolicyClients: httpAccessLogPolicyClients,
 		httpCachePolicyClients:     httpCachePolicyClients,
+		httpFirewallPolicyClients:  httpFirewallPolicyClients,
 	}, nil
 }
 
@@ -223,6 +227,13 @@ func (this *RPCClient) HTTPCachePolicyRPC() pb.HTTPCachePolicyServiceClient {
 	return nil
 }
 
+func (this *RPCClient) HTTPFirewallPolicyRPC() pb.HTTPFirewallPolicyServiceClient {
+	if len(this.httpFirewallPolicyClients) > 0 {
+		return this.httpFirewallPolicyClients[rands.Int(0, len(this.httpFirewallPolicyClients)-1)]
+	}
+	return nil
+}
+
 func (this *RPCClient) Context(adminId int64) context.Context {
 	ctx := context.Background()
 	m := maps.Map{
diff --git a/internal/web/actions/default/servers/server/settings/waf/index.go b/internal/web/actions/default/servers/server/settings/waf/index.go
index 4f57a2c7..f4e925a9 100644
--- a/internal/web/actions/default/servers/server/settings/waf/index.go
+++ b/internal/web/actions/default/servers/server/settings/waf/index.go
@@ -1,7 +1,12 @@
 package waf
 
 import (
+	"encoding/json"
 	"github.com/TeaOSLab/EdgeAdmin/internal/web/actions/actionutils"
+	"github.com/TeaOSLab/EdgeCommon/pkg/rpc/pb"
+	"github.com/TeaOSLab/EdgeCommon/pkg/serverconfigs"
+	"github.com/iwind/TeaGo/actions"
+	"github.com/iwind/TeaGo/maps"
 )
 
 type IndexAction struct {
@@ -16,7 +21,55 @@ func (this *IndexAction) Init() {
 func (this *IndexAction) RunGet(params struct {
 	ServerId int64
 }) {
-	// TODO
+	webConfigResp, err := this.RPC().ServerRPC().FindAndInitServerWebConfig(this.AdminContext(), &pb.FindAndInitServerWebRequest{ServerId: params.ServerId})
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	webConfig := &serverconfigs.HTTPWebConfig{}
+	err = json.Unmarshal(webConfigResp.Config, webConfig)
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	this.Data["webId"] = webConfig.Id
+	this.Data["firewallConfig"] = webConfig.FirewallRef
+
+	// 当前已有策略
+	policiesResp, err := this.RPC().HTTPFirewallPolicyRPC().FindAllEnabledHTTPFirewallPolicies(this.AdminContext(), &pb.FindAllEnabledHTTPFirewallPoliciesRequest{})
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+	policyMaps := []maps.Map{}
+	for _, p := range policiesResp.FirewallPolicies {
+		policyMaps = append(policyMaps, maps.Map{
+			"id":   p.Id,
+			"name": p.Name,
+			"isOn": p.IsOn,
+		})
+	}
+	this.Data["firewallPolicies"] = policyMaps
 
 	this.Show()
 }
+
+func (this *IndexAction) RunPost(params struct {
+	WebId        int64
+	FirewallJSON []byte
+
+	Must *actions.Must
+}) {
+	// TODO 检查配置
+
+	_, err := this.RPC().HTTPWebRPC().UpdateHTTPFirewall(this.AdminContext(), &pb.UpdateHTTPFirewallRequest{
+		WebId:        params.WebId,
+		FirewallJSON: params.FirewallJSON,
+	})
+	if err != nil {
+		this.ErrorPage(err)
+		return
+	}
+
+	this.Success()
+}
diff --git a/internal/web/actions/default/servers/server/settings/waf/init.go b/internal/web/actions/default/servers/server/settings/waf/init.go
index 8c295155..c6792bae 100644
--- a/internal/web/actions/default/servers/server/settings/waf/init.go
+++ b/internal/web/actions/default/servers/server/settings/waf/init.go
@@ -12,7 +12,7 @@ func init() {
 			Helper(helpers.NewUserMustAuth()).
 			Helper(serverutils.NewServerHelper()).
 			Prefix("/servers/server/settings/waf").
-			Get("", new(IndexAction)).
+			GetPost("", new(IndexAction)).
 			EndAll()
 	})
 }
diff --git a/web/public/js/components/server/http-cache-config-box.js b/web/public/js/components/server/http-cache-config-box.js
index 6ab5b9c4..4046fd9a 100644
--- a/web/public/js/components/server/http-cache-config-box.js
+++ b/web/public/js/components/server/http-cache-config-box.js
@@ -12,6 +12,11 @@ Vue.component("http-cache-config-box", {
 			cacheConfig: cacheConfig
 		}
 	},
+	methods: {
+		changePolicyId: function () {
+			this.cacheConfig.cachePolicyId = parseInt(this.cacheConfig.cachePolicyId)
+		}
+	},
 	template: `<div>
 	<input type="hidden" name="cacheJSON" :value="JSON.stringify(cacheConfig)"/>
 	<table class="ui table definition selectable">
@@ -32,7 +37,7 @@ Vue.component("http-cache-config-box", {
 			<td>
 				<span class="disabled" v-if="vCachePolicies.length == 0">暂时没有可选的缓存策略</span>
 				<div v-if="vCachePolicies.length > 0">
-					<select class="ui dropdown auto-width" v-model="cacheConfig.cachePolicyId">
+					<select class="ui dropdown auto-width" v-model="cacheConfig.cachePolicyId" @change="changePolicyId">
 						<option value="0">[不使用缓存策略]</option>
 						<option v-for="policy in vCachePolicies" :value="policy.id">{{policy.name}}</option>
 					</select>
diff --git a/web/public/js/components/server/http-firewall-config-box.js b/web/public/js/components/server/http-firewall-config-box.js
new file mode 100644
index 00000000..f7f8e50f
--- /dev/null
+++ b/web/public/js/components/server/http-firewall-config-box.js
@@ -0,0 +1,52 @@
+Vue.component("http-firewall-config-box", {
+	props: ["v-firewall-config", "v-firewall-policies"],
+	data: function () {
+		let firewall = this.vFirewallConfig
+		if (firewall == null) {
+			firewall = {
+				isOn: false,
+				firewallPolicyId: 0
+			}
+		}
+
+		return {
+			firewall: firewall
+		}
+	},
+	methods: {
+		changePolicyId: function () {
+			this.firewall.firewallPolicyId = parseInt(this.firewall.firewallPolicyId)
+		}
+	},
+	template: `<div>
+	<input type="hidden" name="firewallJSON" :value="JSON.stringify(firewall)"/>
+	<table class="ui table selectable definition">
+		<tbody>
+			<tr>
+				<td class="title">是否启用Web防火墙</td>
+				<td>
+					<div class="ui checkbox">
+						<input type="checkbox" v-model="firewall.isOn"/>
+						<label></label>
+					</div>
+				</td>
+			</tr>
+		</tbody>
+		<tbody v-show="firewall.isOn">
+			<tr>
+				<td>选择Web防火墙策略</td>
+				<td>
+					<span class="disabled" v-if="vFirewallPolicies.length == 0">暂时还没有防火墙策略</span>
+					<div v-if="vFirewallPolicies.length > 0">
+						<select class="ui dropdown auto-width" v-model="firewall.firewallPolicyId" @change="changePolicyId">
+							<option value="0">[请选择]</option>
+							<option v-for="policy in vFirewallPolicies" :value="policy.id">{{policy.name}}</option>
+						</select>
+					</div>
+				</td>
+			</tr>
+		</tbody>
+	</table>
+	<div class="margin"></div>
+</div>`
+})
\ No newline at end of file
diff --git a/web/views/@default/servers/server/settings/waf/index.html b/web/views/@default/servers/server/settings/waf/index.html
index eae519e9..c00eb72a 100644
--- a/web/views/@default/servers/server/settings/waf/index.html
+++ b/web/views/@default/servers/server/settings/waf/index.html
@@ -3,5 +3,9 @@
 {$template "/left_menu"}
 
 <div class="right-box">
-	<p class="ui message">此功能暂未开放，敬请期待。</p>
+	<form class="ui form" data-tea-action="$"  data-tea-success="success">
+		<input type="hidden" name="webId" :value="webId"/>
+		<http-firewall-config-box :v-firewall-config="firewallConfig" :v-firewall-policies="firewallPolicies"></http-firewall-config-box>
+		<submit-btn></submit-btn>
+	</form>
 </div>
\ No newline at end of file
diff --git a/web/views/@default/servers/server/settings/waf/index.js b/web/views/@default/servers/server/settings/waf/index.js
new file mode 100644
index 00000000..295a9aaf
--- /dev/null
+++ b/web/views/@default/servers/server/settings/waf/index.js
@@ -0,0 +1,3 @@
+Tea.context(function () {
+	this.success = NotifyReloadSuccess("保存成功")
+})
\ No newline at end of file