All Products
Search
Document Center

Web Application Firewall:Configure protection rules for the whitelist module to allow specific requests

Last Updated:Nov 20, 2024

After you add your web services to Web Application Firewall (WAF), you can configure protection rules for the whitelist module to allow requests that match specified characteristics to bypass all or some protection modules such as the basic protection rule, IP address blacklist, custom rule, and scan protection modules. This topic describes how to create a protection template of the whitelist module and add protection rules to the template.

Background information

The whitelist module provides a default protection template and allows you to create custom protection templates.

Protection template

Description

Effective scope

Default protection template

By default, WAF provides a built-in protection template, which does not contain protection rules. If you want to use the protection template, you must manually add protection rules to the template.

If you use the default protection template, you do not need to configure the Apply To parameter. The default protection template is applied to all protected objects and protected object groups that are not associated with custom protection templates.

Custom protection template

You can create custom protection templates based on your business requirements. If you create a custom protection template, you must add protection rules to the template.

When you create a custom protection template, you must configure the Apply To parameter to associate the protection template with specific protected objects and protected object groups.

Note

If you use a protection template that has no protection rules, the protection template does not take effect. In this case, all requests are redirected to WAF and are blocked.

Prerequisites

Step 1: Create a protection template of the whitelist module

If you want to use a custom protection template, perform this step. If you want to use the default protection template, skip this step.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.

  2. In the left-side navigation pane, choose Protection Configuration > Basic Web Protection.

  3. In the Whitelist section of the Basic Web Protection page, click Create Template.

    Note

    If this is your first time to create a protection template of the whitelist module, you can also click Configure Now in the Whitelist card in the upper part of the Basic Web Protection page.

  4. In the Create Template - Whitelist panel, configure the parameters and click OK. The following table describes the parameters.

    Parameter

    Description

    Template Name

    Specify a name for the template.

    The name of the template must be 1 to 255 characters in length and can contain letters, digits, periods (.), underscores (_), and hyphens (-).

    Save as Default Template

    Specify whether to set the template as the default template for the protection module.

    You can specify only one default template for a protection module. If you turn on Save as Default Template, you do not need to configure the Apply To parameter. The default template is applied to all protected objects and protected object groups to which no custom templates are applied.

    Rule Configuration

    Click Create Rule to create a protection rule for the template. You can also create protection rules after the template is created. For more information, see Step 2: Add protection rules to a protection template of the whitelist module.

    Apply To

    Select items to which you want to apply the template on the Protected Objects and Protected Object Group tabs.

    You can apply only one template of a protection module to a protected object or protected object group. For more information about how to add protected objects and create protected object groups, see Configure protected objects and protected object groups.

    By default, a newly created protection template is enabled. You can perform the following operations on the protection template in the template list:

    • View the numbers of protected objects and protected object groups that are associated with the template in the Protected Object/Group column.

    • Turn on or turn off the switch in the Status column to enable or disable the template.

    • Click Edit or Delete in the Actions column to modify or delete the template.

    • Click the 展开图标 icon to the left of the template name to view the protection rules in the template.

      Note

      If you perform one of the following operations, WAF automatically creates a protection template named AutoTemplate in the whitelist module and adds a protection rule to the template.

      • Enable Intelligent Whitelist Engine when you create a protection rule of the basic protection rule module. The engine analyzes logs to determine whether normal requests are blocked. If yes, the engine automatically adds a protection rule of the whitelist module based on the specified URI and rule ID.

      • Click Ignore False Positive for an attacker IP address when you view the security report of the basic protection rule module. In this case, WAF automatically adds a protection rule with a rule source of Custom. For more information, see Basic protection rule module.

      • Click Add to Whitelist for an attacker IP address when you view the security report of the bot management module. In this case, WAF automatically adds a protection rule with a rule source of Custom. For more information, see Bot management module.

Step 2: Add protection rules to a protection template of the whitelist module

A protection template takes effect only after you add protection rules to the template. If you created protection rules when you created the protection template, you can skip this step.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.

  2. In the left-side navigation pane, choose Protection Configuration > Basic Web Protection.

  3. In the Whitelist section, find the protection template to which you want to add protection rules and click Create Rule in the Actions column.

  4. In the Create Rule dialog box, configure the parameters and click OK. The following table describes the parameters.

    Parameter

    Description

    Rule Name

    Specify a name for the rule.

    The name of the rule can contain letters, digits, periods (.), underscores (_), and hyphens (-).

    Match Condition

    Specify the characteristics of requests that you want the rule to match.

    Click Add Condition to add a match condition. You can add up to five match conditions to a rule. If you add multiple match conditions, the rule is matched only if all match conditions are met.

    Each match condition consists of Match Field, Logical Operator, and Match Content. Examples:

    • Example 1: Set the Match Field parameter to URI, the Logical Operator parameter to Contains, and the Match Content parameter to /login.php. If the URI of a request contains /login.php, the request matches the rule.

    • Example 2: Set the Match Field parameter to IP, the Logical Operator parameter to Belongs To, and the Match Content parameter to 192.1X.XX.XX. If a request is sent from a client whose IP address is 192.1.XX.XX, the request matches the rule.

    For more information about the match fields and logical operators, see Match conditions.

    Bypassed Modules

    Select the protection modules that you want requests to bypass. Then, requests that meet the specified match conditions are not checked by the selected protection modules. Valid values:

    • All: WAF does not check the requests that meet the specified match conditions and directly forwards the requests to the origin server.

      If you want to allow trusted requests, such as requests from trusted vulnerability scanners and the endpoints of authenticated third-party systems, you can select All.

      Important

      Fine-grained protection rules ensure high security. We recommend that you select specific protection modules based on your business requirements.

    • Basic Protection Rule: The basic protection rule module does not check the requests that meet the specified match conditions.

      If you select Basic Protection Rule, you must also specify the rules that you do not want to use to check requests. Valid values:

      • All Rules: All protection rules in the basic protection rule module are not used to check requests. This is the default value.

      • IDs of Specific Rules: The protection rules of the specified IDs in the basic protection rule module are not used to check requests.

        Specify the IDs of protection rules. Each rule ID contains six digits. Press the Enter key each time you enter a rule ID. You can specify up to 50 rule IDs.

      • Types of Specific Rules: The protection rules of the specified types in the basic protection rule module are not used to check requests.

        Click the 展开 icon and select the types of protection rules that you do not want to use to check requests.

    • Custom Rule: The custom rule module does not check the requests that meet the specified match conditions.

    • IP Address Blacklist: The IP address blacklist module does not check the requests that meet the specified match conditions.

    • Scan Protection: The scan protection module does not check the requests that meet the specified match conditions.

    • Bot Management: The bot management module does not check the requests that meet the specified match conditions.

    • Website Tamper-proofing: The website tamper-proofing module does not check the requests that meet the specified match conditions.

    • Data Leakage Prevention: The data leakage prevention module does not check the requests that meet the specified match conditions.

    • HTTP Flood Protection: The HTTP flood protection module does not check the requests that meet the specified match conditions.

    • Region Blacklist: The region blacklist module does not check the requests that meet the specified match conditions.

    By default, a newly created protection rule is enabled. You can perform the following operations on the protection rule in the rule list:

    • Turn on or turn off Status to enable or disable the rule.

    • Click Edit or Delete in the Actions column to modify or delete the rule.

What to do next

On the Security Reports page, you can view the blocking records of the configured protection rules and obtain the IDs of the protection rules. For more information, see Security reports.

References

  • For more information about the match conditions and match fields that are involved when you configure a protection rule for the whitelist module, see Match conditions.

  • For more information about the protection objects, protection modules, and protection process of WAF 3.0, see Protection configuration overview.

  • For more information about how to create a protection template by calling an API operation, see CreateDefenseTemplate.

  • For more information about how to create a protection rule by calling an API operation, see CreateDefenseRule.