Access Control

Access Rules

As a WAF administrator you can define explicit actions for requests that meet various conditions. Conditions use various operations and regular expressions. A rule action can be set to log and allow, detect, block, redirect, bypass, or show a CAPTCHA for all matched requests.

The available conditions for an access rule are shown in the following table:

URL

Users shall be able to define one or more criteria based on:

  • URL is
  • URL is not
  • URL starts with
  • URL does not start with
  • URL part ends with
  • URL part does not end with
  • URL part contains
  • URL part does not contain
  • URL regex
  • URL does not match regex

The URL regex matching uses Perl-compatible regular expressions.

IP Address

Users shall be able to define one or more criteria based on:

  • IP Address is
  • IP Address is not
  • IP Address in Address List
  • IP Address not in Address List

Each value is a single IPv4 address or an IPv4 range in CIDR notation (for example, 203.0.113.0/24). IPv6 addresses and ranges are not yet supported. See IP Address Lists for information on how to create a named list of IP addresses that can be referenced from an access rule.

Country/Region

Users shall be able to define one or more criteria based on:

  • Country/Region is
  • Country/Region is not

In the API, specify the country as a two-letter ISO 3166-1 alpha-2 code (for example, US).

User Agent

User Agent is the value of the request's User-Agent header, which identifies the browser or other client. The client sets this header, so it is trivially spoofed: use User Agent criteria to route or filter known clients, not as a substitute for authentication.

  • User Agent is
  • User Agent is not

HTTP Header

HTTP Request headers can be evaluated as criteria:

  • HTTP Header contains

Enter the HTTP Header contains value as <name>:<value>, that is, the header name, a colon, and the text that the header's value must contain. This is a substring match on the header value, so a short value such as http also matches https.

HTTP Method

HTTP Methods can be evaluated as criteria:

  • HTTP method is
  • HTTP method is not

Available methods include GET, POST, PUT, DELETE, HEAD, CONNECT, OPTIONS, TRACE, and PATCH.

Using the Console

Note

The WAF evaluates access rules in order and uses a first-match algorithm: the first rule whose criteria all match decides the action, and no later rule is evaluated. The order of rules therefore matters. Place narrow exceptions (for example, a bypass for a monitoring probe) before broad block rules, or the exception never fires. The console does not reorder rules; use the API to reorder them.

To add an access rule
  1. Open the navigation menu and click Identity & Security. Under Web Application Firewall, click Policies.
  2. Click the name of the WAF policy you want to view access rules for. The WAF policy overview appears.
  3. Click Access Control.
  4. Click Add Access Rule.
  5. In the Add Access Rule dialog box, enter the following:
    • Name: A unique name for the access rule. Avoid entering confidential information.
    • Action: Determines the response to a request when the rule is matched. Select one of the following options:
      • Log and Allow: A log will be created for all matched requests and no further action will be taken.
      • Detect Only: A detection alert will be created for all matched requests and no further action will be taken.
      • Block: All matched requests will be blocked and a browser page for the selected response code will be returned.
        • Block Action: Select the action that will be taken when a matching request is blocked.
        • Block Response Code: Select a response code that will be returned when the request has been blocked. The response code provides information indicating why the request was blocked. The default response code is 403 "Forbidden".
      • Redirect:
        • Redirect Status Code: The status code returned in response to redirect requests.
        • Redirect URL: The URL address to redirect the request to.
      • Bypass: Select the challenge(s) to bypass. If this section is not specified, all challenges are bypassed.
      • Show CAPTCHA: Select this option to show a CAPTCHA for all matched requests and take no further action. Enter the following:
        • CAPTCHA Title: Enter the text for the CAPTCHA page title.
        • CAPTCHA Header: Enter the text that will appear before the CAPTCHA image (for example, "I am not a robot").
        • CAPTCHA Footer Text: Enter the text that will be shown after the CAPTCHA input box and before the submit button.
        • CAPTCHA submit button: Enter the text for the Submit button (for example, "Yes, I am human.").
    • Conditions: Select the condition that must be met before the rule is matched and specify the details of the condition. Additional conditions can be added in this section.
    • Header Manipulation(s):
      • Action: Select the action to apply to the request.
      • Header Name: Enter the HTTP header name of the request.
      • Header Value: Enter the HTTP header value of the request.
  6. Click Add Access Rule. The access rule is added to the access rule list.

To edit an access rule
  1. Open the navigation menu and click Identity & Security. Under Web Application Firewall, click Policies.
  2. Click the name of the WAF policy you want to view access rules for. The WAF policy overview appears.
  3. Click Access Control.
  4. Select the check box for the access rule you want to update, and then click Edit.
  5. In the Edit Access Rule dialog box, make the necessary updates and then click Save.

To delete an access rule
  1. Open the navigation menu and click Identity & Security. Under Web Application Firewall, click Policies.
  2. Click the name of the WAF policy you want to view access rules for. The WAF policy overview appears.
  3. Click Access Control.
  4. Select the check box for the access rule you want to delete and then click Delete.

To publish changes

Updates to your WAF policy appear in the Unpublished Changes list until they are published. Pending changes do not persist across browser sessions. Once you publish changes, the policy cannot be edited until the changes have propagated to the edge nodes.

  1. Under WAF Policy, click Unpublished Changes.
  2. In the Unpublished Changes list, click the drop-down arrow beside an unpublished change to review the change.
  3. Click Publish All.
  4. In the Publish Changes dialog box, click Publish All.

To discard changes

Updates to your WAF policy appear in the list to be published in Unpublished Changes.

  1. Under WAF Policy, click Unpublished Changes.
  2. In the Unpublished Changes list, click the drop-down arrow beside an unpublished change to review the change.
  3. Select the check box for the change you want to discard.
  4. Click Discard.
  5. In the Discard Change dialog box, click Discard.

Using the API

For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.

Access Rules

Use the ListAccessRules operation (GET on the path below) to get the array of all access rules in the policy, and the UpdateAccessRules operation (PUT on the same path) to replace it. The PUT body is the complete, ordered list of rules: the array order is the evaluation order, which is how rules are reordered, and any existing rule left out of the body is deleted. Fetch the current array, edit it, and resend the whole list rather than sending only the rule you are adding.

Example

To create an access rule:

PUT /waasPolicies/{waasPolicyId}/wafConfig/accessRules
[
   {
      "name": "DetectRequestsToHealthCheck",
      "criteria": [
         {
            "condition": "URL_IS",
            "value": "/health/check"
         }
      ],
      "action": "DETECT"
   }
]
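The following is an added example, not code from Oracle's documentation or from the WAF itself: an offline model of how the ordered rule list in the PUT body above is evaluated under the first-match algorithm described in the console note. Rules use the JSON shape of the PUT body; the condition spellings other than URL_IS (URL_STARTS_WITH, IP_IN_LIST, HTTP_HEADER_CONTAINS, and so on), the ADDRESS_LISTS table standing in for named IP Address Lists, and the sample rules and requests are all constructed assumptions of this example. It shows the two mistakes a practitioner most often makes with these rules: a narrow BYPASS listed after a broad BLOCK never fires, and "HTTP Header contains" is a substring test.

```python
"""Offline simulator of WAF access-rule evaluation. Added example, not Oracle's code.
Models what the page describes: all criteria of a rule must match, rules are tried
in list order, and evaluation stops at the first match. Rules use the JSON shape of
the PUT body above; condition names other than URL_IS, and the ADDRESS_LISTS table
standing in for named IP Address Lists, are assumptions of this example."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed stand-ins for IP Address Lists defined in the policy.
ADDRESS_LISTS = {"corp-egress": ["203.0.113.0/24", "198.51.100.7"],
                 "monitoring-probes": ["192.0.2.0/28"]}

@dataclass
class Request:
    method: str
    url: str
    ip: str
    country: str
    headers: dict  # header names stored lowercase

def _ip_in(ip, value):
    # "IP Address is" takes a single IPv4 address or an IPv4 CIDR range.
    return ipaddress.ip_address(ip) in ipaddress.ip_network(value, strict=False)

# Each negated condition is the complement of its positive form.
NEGATED = {"URL_IS_NOT": "URL_IS", "URL_DOES_NOT_START_WITH": "URL_STARTS_WITH",
           "URL_DOES_NOT_MATCH_REGEX": "URL_REGEX", "IP_IS_NOT": "IP_IS",
           "IP_NOT_IN_LIST": "IP_IN_LIST", "HTTP_METHOD_IS_NOT": "HTTP_METHOD_IS",
           "COUNTRY_IS_NOT": "COUNTRY_IS"}

def criterion_matches(req, condition, value):
    if condition in NEGATED:
        return not criterion_matches(req, NEGATED[condition], value)
    if condition == "URL_IS":
        return req.url == value
    if condition == "URL_STARTS_WITH":
        return req.url.startswith(value)
    if condition == "URL_REGEX":  # Python re stands in for PCRE; unanchored patterns match anywhere
        return re.search(value, req.url) is not None
    if condition == "IP_IS":
        return _ip_in(req.ip, value)
    if condition == "IP_IN_LIST":
        return any(_ip_in(req.ip, entry) for entry in ADDRESS_LISTS[value])
    if condition == "HTTP_HEADER_CONTAINS":
        # Entered as "<name>:<value>"; split on the first colon only. Substring match.
        name, _, needle = value.partition(":")
        return needle.strip() in req.headers.get(name.strip().lower(), "")
    if condition == "HTTP_METHOD_IS":
        return req.method.upper() == value.upper()
    if condition == "COUNTRY_IS":
        return req.country.upper() == value.upper()
    raise ValueError(f"unsupported condition: {condition}")

def validate_rules(rules):
    """Return the definitions the page says the WAF does not take: IPv6 values, header
    criteria without the name:value delimiter, and references to unknown address lists."""
    problems = []
    for rule in rules:
        for crit in rule["criteria"]:
            cond, value = crit["condition"], crit["value"]
            if cond in ("IP_IS", "IP_IS_NOT") and ipaddress.ip_network(value, strict=False).version != 4:
                problems.append(f"{rule['name']}: IPv6 is not supported ({value})")
            if cond == "HTTP_HEADER_CONTAINS" and ":" not in value:
                problems.append(f"{rule['name']}: header criterion must be <name>:<value>")
            if cond in ("IP_IN_LIST", "IP_NOT_IN_LIST") and value not in ADDRESS_LISTS:
                problems.append(f"{rule['name']}: unknown address list {value}")
    return problems

def first_match(rules, req):
    """(name, action) of the first rule whose criteria all match, else (None, None)."""
    for rule in rules:
        if all(criterion_matches(req, c["condition"], c["value"]) for c in rule["criteria"]):
            return rule["name"], rule["action"]
    return None, None

DETECT_HEALTH = {"name": "DetectRequestsToHealthCheck", "action": "DETECT",  # rule from the PUT above
                 "criteria": [{"condition": "URL_IS", "value": "/health/check"}]}
BLOCK_ADMIN = {"name": "BlockAdminOutsideCorp", "action": "BLOCK",  # broad rule (constructed)
               "criteria": [{"condition": "URL_STARTS_WITH", "value": "/admin"},
                            {"condition": "IP_NOT_IN_LIST", "value": "corp-egress"}]}
BYPASS_PROBE = {"name": "BypassMonitoringProbe", "action": "BYPASS",  # narrow exception (constructed)
                "criteria": [{"condition": "URL_IS", "value": "/admin/health"},
                             {"condition": "IP_IN_LIST", "value": "monitoring-probes"}]}
RULES = [DETECT_HEALTH, BLOCK_ADMIN, BYPASS_PROBE]  # the order a careless PUT might send

PROBE = Request("GET", "/admin/health", "192.0.2.10", "US", {})  # constructed probe request

def ordering_demo():
    """Same two rules in both orders: with the broad BLOCK first, the BYPASS never fires."""
    return {"block_first": first_match([BLOCK_ADMIN, BYPASS_PROBE], PROBE),
            "bypass_first": first_match([BYPASS_PROBE, BLOCK_ADMIN], PROBE)}

if __name__ == "__main__":
    print(validate_rules(RULES))
    print(ordering_demo())
```

Running the module prints an empty problem list and then the two outcomes for the same probe: BLOCK when the broad rule comes first, BYPASS when the exception comes first. Since the console cannot reorder rules, the fix for the first case is to GET the current array, move the bypass rule ahead of the block rule, and PUT the whole list back. The header check in the model also shows why "contains" values should be as specific as possible: a criterion of X-Forwarded-Proto:http matches a header value of https as well.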