Match conditions and fields in match conditions - Web Application Firewall

When you configure a website whitelist or custom protection rules, you must add match conditions and specify the actions that you want Web Application Firewall (WAF) to perform on requests that meet the match conditions. This topic describes the fields that you can use in match conditions.

Match conditions and actions

Match conditions

Each match condition consists of a match field, logical operator, and match content. You can use regular expressions only in specific match fields. For more information, see Supported match fields.
You can add up to five match conditions to a protection rule. The logical operator between the conditions is AND. The custom rule takes effect only if all match conditions are met.

Actions

When you configure a whitelist, you must configure the Bypassed Modules parameter to specify the modules that you want requests to bypass. When you configure a custom protection rule, you must configure the Action parameter to specify the action that you want WAF to perform on the requests that meet the match conditions. For more information, see the following topics:

Supported match fields

Field	Edition	Logical operator	Description
URL	Pro, Business, Enterprise, and Exclusive	Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value Contains, Does Not Contain, Contains One of Multiple Values, and Does Not Contain Any Value Length Equal To, Length Greater Than, and Length Less Than Prefix Match and Suffix Match Regular Expression Match and Regular Expression Mismatch Important Pro Edition does not support regular expression match.	The URL of the request.
IP	Pro, Business, Enterprise, and Exclusive	Belongs To and Does Not Belong To	The source IP address of the request. You can enter IP addresses or CIDR blocks such as 47.100.XX.XX/24. Note You can enter up to 50 IP addresses or CIDR blocks for a single protection rule. For example, a protection rule has two match conditions with IP as their match field. You can enter up to 50 IP addresses or CIDR blocks in the match content of the two match conditions. Separate multiple IP addresses or CIDR blocks with commas (,).
Referer	Pro, Business, Enterprise, and Exclusive	Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value Contains, Does Not Contain, Contains One of Multiple Values, and Does Not Contain Any Value Exists and Does Not Exist Empty Length Equal To, Length Greater Than, and Length Less Than Prefix Match and Suffix Match Regular Expression Match and Regular Expression Mismatch Important Pro Edition does not support regular expression match.	The URL of the source page from which the request is redirected.
User-Agent	Pro, Business, Enterprise, and Exclusive	Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value Contains, Does Not Contain, Contains One of Multiple Values, and Does Not Contain Any Value Exists and Does Not Exist Empty Length Equal To, Length Greater Than, and Length Less Than Prefix Match and Suffix Match Regular Expression Match and Regular Expression Mismatch	The browser information about the client that initiates the request. The information includes the browser, rendering engine, and version.
Params	Pro, Business, Enterprise, and Exclusive	Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value Contains, Does Not Contain, Contains One of Multiple Values, and Does Not Contain Any Value Exists and Does Not Exist Length Equal To, Length Greater Than, and Length Less Than Prefix Match and Suffix Match Regular Expression Match and Regular Expression Mismatch	The query string in the request URL. The query string is the part that follows the question mark (?) in the URL. For example, in `www.example.com/index.html?action=login`, `action=login` is the query string.
Query-Arg	Pro, Business, Enterprise, and Exclusive	Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value Contains, Does Not Contain, Contains One of Multiple Values, and Does Not Contain Any Value Exists and Does Not Exist Empty Length Equal To, Length Greater Than, and Length Less Than Prefix Match and Suffix Match Regular Expression Match	The query string in the request URL. The query string is the part that follows the question mark (?) in the URL. For example, in `www.example.com/request_path?arg1=a&arg2=b`, `arg1=a&arg2=b` is the query string. Note If you set Match Field to Query-Arg, Logical Operator to Contains, and Match Content to arg, requests that contain arg1 or arg2 are matched. If you want to filter requests based on exact match conditions, we recommend that you set Match Field to Query-Arg, Logical Operator to Contains, and Match Content to arg1 or arg2.
URLPath	Pro, Business, Enterprise, and Exclusive	Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value Contains, Does Not Contain, Contains One of Multiple Values, and Does Not Contain Any Value Length Equal To, Length Greater Than, and Length Less Than Prefix Match and Suffix Match Regular Expression Match and Regular Expression Mismatch	The URL path of the request.
Cookie	Business, Enterprise, and Exclusive	Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value Contains, Does Not Contain, Contains One of Multiple Values, and Does Not Contain Any Value Exists and Does Not Exist Length Equal To, Length Greater Than, and Length Less Than Regular Expression Match and Regular Expression Mismatch	The cookie information in an access request.
Content-Type	Business, Enterprise, and Exclusive	Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value Contains, Does Not Contain, Contains One of Multiple Values, and Does Not Contain Any Value Length Equal To, Length Greater Than, and Length Less Than Regular Expression Match and Regular Expression Mismatch	The HTTP content type that is specified for the response. The HTTP content type is known as the Multipurpose Internet Mail Extensions (MIME) type.
Content-Length	Business, Enterprise, and Exclusive	Value Less Than, Value Equal To, and Value Greater Than	The number of bytes that is allowed in the response.
X-Forwarded-For	Business, Enterprise, and Exclusive	Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value Contains and Does Not Contain Does Not Exist Length Equal To, Length Greater Than, and Length Less Than	The originating IP address of the client that initiates access requests. The HTTP X-Forwarded-For (XFF) header is used to identify the originating IP address of the request that is forwarded by an HTTP proxy or a Server Load Balancer (SLB) instance. The XFF header is included only in the request that is forwarded by an HTTP proxy or an SLB instance.
Post-Body	Business, Enterprise, and Exclusive	Equal To and Not Equal To Contains and Does Not Contain Does Not Exist Prefix Match and Suffix Match Regular Expression Match	The content of the request.
Server-Port	Business, Enterprise, and Exclusive	Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value	The port number of the origin server. For example, in `www.example.com:9999`, the port number is 9999.
Http-Method	Business, Enterprise, and Exclusive	Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value	The request method. Valid values: GET, POST, DELETE, PUT, and OPTIONS.
Header	Business, Enterprise, and Exclusive	Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value Contains, Does Not Contain, Contains One of Multiple Values, and Does Not Contain Any Value Exists and Does Not Exist Length Equal To, Length Greater Than, and Length Less Than Regular Expression Match and Regular Expression Mismatch	The header of the request. The value is used to create a custom HTTP header.