After you set up Web Application Firewall (WAF) for a website, you can create custom protection policies to protect the website. Custom protection policies allow you to customize ACL rules based on precise match conditions and specify the maximum request rate. Custom protection policies can be tailored for different scenarios, such as hotlinking protection and website backend protection. You can customize protection rules as needed.

Notice This topic uses the new version of the WAF console released in January 2020. If your WAF instance was created before January 2020, see HTTP ACL policy.


  • A Web Application Firewall instance is available. For more information, see Activate a WAF instance.
  • The website is associated with the Web Application Firewall instance. For more information, see Add domain names.

Background information

Custom protection policies are defined by custom rules. Custom rules include ACL rules and anti-HTTP flood rules.
  • An ACL rule filters requests based on the client IP address, request URL, and precise match conditions that use common request headers.
  • An anti-HTTP flood rule filters requests based on the precise match conditions and request rate that you have set.


Subscription-based WAF instances have the following limits on custom protection policies.

Specification Description Enterprise Business Pro
Number of custom rules The maximum number of custom rules that you can create. 200 100 100
Advanced match fields The advanced match fields other than IP addresses and URLs that you can specify in custom rules. Supported Supported Not supported
Rate limiting Custom anti-HTTP flood rules. Supported Supported Not supported
Custom statistical objects The custom statistical objects other than IP addresses and sessions that can be used to control the request rate. Supported Not supported Not supported


  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group to which the instance belongs and the region, Mainland China or International, in which the instance is deployed.
  3. In the left-side navigation pane, choose Protection Settings > Website Protection.
  4. In the upper part of the Website Protection page, select the domain name for which you want to configure the whitelist.Switch Domain Name
  5. Click the Access Control/Throttling tab and find the Custom Protection Policy section. Turn on the Status switch and click Settings.Custom protection policies
  6. Create a custom rule.
    1. On the Custom Protection Policy page, click Create Custom Protection Policy.
    2. In the dialog box that appears, set the following parameters.ACL
      Parameter Description
      Rule name Specify a name for the rule.
      Matching Condition Specify the detection logic of the rule. The rule is triggered only after the specified conditions are met. Click Add rule to add more conditions. You can specify a maximum of five conditions. If you have specified multiple conditions, the rule is hit only after all the conditions are met.

      For more information about match conditions, see Fields of match conditions.

      Rate Limiting Enable or disable rate limiting. WAF starts calculating the request rate only after the specified match conditions are met. Before you enable rate limiting, set the parameters to specify the object to be calculated. HTTP flood protection

      For more information about rate limiting parameters, see Rate limiting parameters.

      Action Specify the action to be performed after the rule is triggered. Supported actions include:
      • Monitor: triggers alerts but does not block requests.
      • Block: blocks requests.
      • Captcha: redirects requests to another page to implement CAPTCHA verification.
      • Strict Captcha: redirects requests to another page to implement strict CAPTCHA verification.
      • JavaScript Validation: triggers JavaScript verification.

      If you enable Rate Limiting, you must specify the TTL (Seconds), which is the effective time period of the action.

      Protection Type Specify the type of the rule. This parameter is automatically set based on the status of .
      • If rate limiting is enabled, the value is set to HTTP Flood Protection.
      • If rate limiting is disabled, the value is set to ACL.

      The parameters required to configure rate limiting are described in the following table.

      Parameter Description
      Statistical Object Specify the object whose request rate is calculated. Valid value:
      • IP: calculates the number of requests from a specific IP address.
      • Session: calculates the number of requests transmitted over a specific session.
      • Custom-Header: calculates the number of requests with the same specified header content.
      • Custom-Param: calculates the number of requests with the same specified parameter content.
      • Custom-Cookie: calculates the number of requests with the same specified cookie content.
      Interval (Seconds) The time period during which the number of requests is calculated.
      Threshold (Occurrences) The maximum number of requests that are allowed from the object during the specified time period. If this limit is exceeded, rate limiting is triggered.
      Status Code After the specified match conditions are met, the number or percentage of the specified Status Code within the specified time period is calculated. Select either the amount or the percentage.
      • Amount: The maximum number of the specified status code.
      • Percentage (%): The maximum percentage of the specified status code.
      Take Effect For Specify the objects to which rate limiting is applied.
      • Feature Matching Objects
      • Applied Domains
    3. Click Save.
    After a custom protection policy rule is created, it is automatically enabled. You can view newly created rules, and disable, modify, or delete rules in the rule list as needed.Custom protection policies