Adding a Rate Limiting Rule to a Web Application Firewall Policy

Add a rate limiting rule to inspect HTTP request properties and limit the request frequency for each unique client IP address associated with a web application firewall policy.

Using the Console

  1. Open the navigation menu and click Identity & Security. Under Web Application Firewall, click Policies.

    Alternatively, open the Web Application Firewall page and click Policies under Resources.

    The WAF Policies page appears.

  2. Select the Compartment from the list.

    All the WAF policies in that compartment are listed in tabular form.

  3. (Optional) Apply one or more of the following Filters to limit the WAF policies displayed:

    • State

    • Name

    • Policy Type: Select WAF Policy.

  4. Select the WAF policy to which you want to add a rate limiting rule.

    The WAF Policy Details dialog box appears.

  5. Click Rate Limiting under Resources.

    The Rate Limiting list appears.

  6. Click Manage Rate Limiting.

    The Manage Rate Limiting dialog box appears.

  7. Click Add Rate Limiting Rule.

    The Add Rate Limiting Rule dialog box appears.

    Complete the following:

    • Name: Enter the name of the rate limit rule.

    • Conditions: Specify the prerequisite conditions that need to be met for the rule action to occur. The parameters displayed can vary depending on the Condition Type and Operator values you select. Click + Another Condition to add another condition linked to the first one using AND. Click X to delete the associated condition row.

      (Optional) Click Show Advance Controls if you want to specify a condition in the box using the condition syntax. See Understanding Conditions for more information on how to author the conditions for your rate limiting rule.

    • Rate Limiting Configuration: Enter the following values, which must be met before the rule action applies.

      • Request Limit: Enter the maximum number of requests allowed within the period.

      • Period in Seconds: Enter the length, in seconds, of the period over which requests are counted.

      • Action Duration in Seconds: Enter how long, in seconds, the rule action stays in effect.

      Click + Another Rate Limit to display another rate limit configuration row to complete. Click X to delete the associated rate limit configuration row.

    • Rule Action: Select an existing action to run when the preceding conditions are met, or select Create New Action to add one.

      • Pre-configured Check Action: Allows the running of rules and generates a log message documenting the result.

      • Pre-configured Allow Action: Skips all remaining rules in the current module.

      • Pre-configured 401 Response Code Action: Returns a defined HTTP response. The response code configuration (headers and response page body) determines the HTTP response that is returned when this action is run.

        Click Show Header Details to display the HTTP response headers specified in the selected Return HTTP response action.

        Click Show Response Page Body Details to display the HTTP response body specified in the selected Return HTTP response action.

      See Actions for Web Application Firewalls for a complete description and explanation of how to use actions in a WAF policy.

  8. Click Add Rate Limiting Rule.

    The Add Rate Limiting Rule dialog box closes.

  9. Click Save Changes in the Manage Rate Limiting dialog box.

The rate limiting rule you created is included in the Rate Limiting Rule list.
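
To see how Request Limit, Period in Seconds, and Action Duration in Seconds interact for each client IP address before you choose values, the following added example (not Oracle's code and not the service's implementation) models one rate limit configuration row in Python. The fixed counting window, the trigger on the first request over the limit, and all names and sample requests are assumptions made for illustration.

```python
from collections import defaultdict

class RateLimitModel:
    """Simplified model of one rate limit configuration row (assumed semantics)."""

    def __init__(self, request_limit, period_seconds, action_duration_seconds):
        self.limit = request_limit
        self.period = period_seconds
        self.duration = action_duration_seconds
        self.window_start = {}          # client IP -> start of its counting window
        self.count = defaultdict(int)   # client IP -> requests seen in that window
        self.action_until = {}          # client IP -> time the action stops applying

    def evaluate(self, ip, t):
        """Return "ACTION" if the rule action applies to a request at time t, else "PASS"."""
        if t < self.action_until.get(ip, 0):
            return "ACTION"             # still inside Action Duration in Seconds
        start = self.window_start.get(ip)
        if start is None or t - start >= self.period:
            self.window_start[ip] = t   # Period in Seconds elapsed: new window
            self.count[ip] = 0
        self.count[ip] += 1
        if self.count[ip] > self.limit: # assumption: first request over the limit triggers
            self.action_until[ip] = t + self.duration
            return "ACTION"
        return "PASS"

def replay(requests, model):
    """Evaluate (time_seconds, client_ip) pairs in order; return one decision per request."""
    return [model.evaluate(ip, t) for t, ip in requests]

def actioned_per_ip(requests, decisions):
    """Count how many requests from each client IP received the rule action."""
    hits = defaultdict(int)
    for (_, ip), decision in zip(requests, decisions):
        if decision == "ACTION":
            hits[ip] += 1
    return dict(hits)

# Constructed sample traffic (documentation-range addresses), not real logs.
SAMPLE = [(0, "203.0.113.10"), (1, "203.0.113.10"), (2, "203.0.113.10"),
          (2, "198.51.100.7"), (3, "203.0.113.10"), (4, "203.0.113.10"),
          (20, "203.0.113.10"), (40, "203.0.113.10")]

if __name__ == "__main__":
    model = RateLimitModel(request_limit=3, period_seconds=10, action_duration_seconds=30)
    decisions = replay(SAMPLE, model)
    for (t, ip), d in zip(SAMPLE, decisions):
        print(f"t={t:>2}s {ip:<13} {d}")
    print(actioned_per_ip(SAMPLE, decisions))
```

Replaying a sample of your own access-log timestamps through the model with candidate values shows which clients would have received the rule action and for how long.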