
Web Application Firewall: Fields in match conditions

Last Updated: Feb 29, 2024

When you configure a website whitelist or custom protection rules, you must add match conditions and specify the actions that you want Web Application Firewall (WAF) to perform on requests that meet the match conditions. This topic describes the fields that you can use in match conditions.

Match conditions and actions

Match conditions

  • Each match condition consists of a match field, logical operator, and match content. You can use regular expressions only in specific match fields. For more information, see Supported match fields.

  • You can add up to five match conditions to a protection rule. The logical operator between the conditions is AND. The custom rule takes effect only if all match conditions are met.

Actions

When you configure a whitelist, you must configure the Bypassed Modules parameter to specify the modules that you want requests to bypass. When you configure a custom protection rule, you must configure the Action parameter to specify the action that you want WAF to perform on the requests that meet the match conditions. For more information, see the following topics:

Supported match fields

Columns, in order for each field below: Field, Edition, Logical operator, Description.

URL

Pro, Business, Enterprise, and Exclusive

  • Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value

  • Contains, Does Not Contain, Contains One of Multiple Values, and Does Not Contain Any Value

  • Length Equal To, Length Greater Than, and Length Less Than

  • Prefix Match and Suffix Match

  • Regular Expression Match and Regular Expression Mismatch

    Important

    Pro Edition does not support regular expression match.

The URL of the request.

IP

Pro, Business, Enterprise, and Exclusive

Belongs To and Does Not Belong To

The source IP address of the request. You can enter IP addresses or CIDR blocks such as 47.100.XX.XX/24.

Note

You can enter up to 50 IP addresses or CIDR blocks for a single protection rule. For example, if a protection rule has two match conditions that use IP as the match field, the match content of the two conditions combined can contain up to 50 IP addresses or CIDR blocks. Separate multiple IP addresses or CIDR blocks with commas (,).

Referer

Pro, Business, Enterprise, and Exclusive

  • Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value

  • Contains, Does Not Contain, Contains One of Multiple Values, and Does Not Contain Any Value

  • Exists and Does Not Exist

  • Empty

  • Length Equal To, Length Greater Than, and Length Less Than

  • Prefix Match and Suffix Match

  • Regular Expression Match and Regular Expression Mismatch

    Important

    Pro Edition does not support regular expression match.

The URL of the source page from which the request is redirected.

User-Agent

Pro, Business, Enterprise, and Exclusive

  • Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value

  • Contains, Does Not Contain, Contains One of Multiple Values, and Does Not Contain Any Value

  • Exists and Does Not Exist

  • Empty

  • Length Equal To, Length Greater Than, and Length Less Than

  • Prefix Match and Suffix Match

  • Regular Expression Match and Regular Expression Mismatch

The browser information about the client that initiates the request. The information includes the browser, rendering engine, and version.

Params

Pro, Business, Enterprise, and Exclusive

  • Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value

  • Contains, Does Not Contain, Contains One of Multiple Values, and Does Not Contain Any Value

  • Exists and Does Not Exist

  • Length Equal To, Length Greater Than, and Length Less Than

  • Prefix Match and Suffix Match

  • Regular Expression Match and Regular Expression Mismatch

The query string in the request URL. The query string is the part that follows the question mark (?) in the URL. For example, in www.example.com/index.html?action=login, action=login is the query string.

Query-Arg

Pro, Business, Enterprise, and Exclusive

  • Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value

  • Contains, Does Not Contain, Contains One of Multiple Values, and Does Not Contain Any Value

  • Exists and Does Not Exist

  • Empty

  • Length Equal To, Length Greater Than, and Length Less Than

  • Prefix Match and Suffix Match

  • Regular Expression Match

The query string in the request URL. The query string is the part that follows the question mark (?) in the URL. For example, in www.example.com/request_path?arg1=a&arg2=b, arg1=a&arg2=b is the query string.

Note

If you set Match Field to Query-Arg, Logical Operator to Contains, and Match Content to arg, requests that contain arg1 or arg2 are matched. If you want to filter requests based on exact match conditions, we recommend that you set Match Field to Query-Arg, Logical Operator to Contains, and Match Content to arg1 or arg2.

URLPath

Pro, Business, Enterprise, and Exclusive

  • Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value

  • Contains, Does Not Contain, Contains One of Multiple Values, and Does Not Contain Any Value

  • Length Equal To, Length Greater Than, and Length Less Than

  • Prefix Match and Suffix Match

  • Regular Expression Match and Regular Expression Mismatch

The URL path of the request.

Cookie

Business, Enterprise, and Exclusive

  • Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value

  • Contains, Does Not Contain, Contains One of Multiple Values, and Does Not Contain Any Value

  • Exists and Does Not Exist

  • Length Equal To, Length Greater Than, and Length Less Than

  • Regular Expression Match and Regular Expression Mismatch

The cookie information in an access request.

Content-Type

Business, Enterprise, and Exclusive

  • Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value

  • Contains, Does Not Contain, Contains One of Multiple Values, and Does Not Contain Any Value

  • Length Equal To, Length Greater Than, and Length Less Than

  • Regular Expression Match and Regular Expression Mismatch

The HTTP content type that is specified for the response. The HTTP content type is known as the Multipurpose Internet Mail Extensions (MIME) type.

Content-Length

Business, Enterprise, and Exclusive

Value Less Than, Value Equal To, and Value Greater Than

The number of bytes that is allowed in the response.

X-Forwarded-For

Business, Enterprise, and Exclusive

  • Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value

  • Contains and Does Not Contain

  • Does Not Exist

  • Length Equal To, Length Greater Than, and Length Less Than

The originating IP address of the client that initiates access requests. The HTTP X-Forwarded-For (XFF) header is used to identify the originating IP address of the request that is forwarded by an HTTP proxy or a Server Load Balancer (SLB) instance. The XFF header is included only in the request that is forwarded by an HTTP proxy or an SLB instance.

Post-Body

Business, Enterprise, and Exclusive

  • Equal To and Not Equal To

  • Contains and Does Not Contain

  • Does Not Exist

  • Prefix Match and Suffix Match

  • Regular Expression Match

The content of the request.

Server-Port

Business, Enterprise, and Exclusive

Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value

The port number of the origin server. For example, in www.example.com:9999, the port number is 9999.

Http-Method

Business, Enterprise, and Exclusive

Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value

The request method. Valid values: GET, POST, DELETE, PUT, and OPTIONS.

Header

Business, Enterprise, and Exclusive

  • Equals, Does Not Equal, Equals One of Multiple Values, and Does Not Equal Any Value

  • Contains, Does Not Contain, Contains One of Multiple Values, and Does Not Contain Any Value

  • Exists and Does Not Exist

  • Length Equal To, Length Greater Than, and Length Less Than

  • Regular Expression Match and Regular Expression Mismatch

The header of the request. The value is used to create a custom HTTP header.
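
The sketch below is an added example, not Alibaba Cloud code or a WAF API. It models the rule semantics described under "Match conditions", the IP note, and the Query-Arg note: conditions joined by AND, the per-rule limits, and how Contains behaves as a substring test. The request dictionary shape, the function names, and the sample addresses are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

MAX_CONDITIONS = 5   # page: up to five match conditions per rule
MAX_IP_ENTRIES = 50  # page: up to 50 IPs/CIDR blocks per rule, all IP conditions combined

def field_value(req, field):
    """Pull one match field out of a request dict (hypothetical shape, not a WAF format)."""
    parts = urlsplit(req["url"])
    return {"URLPath": parts.path, "Query-Arg": parts.query, "IP": req["ip"]}[field]

def cond_matches(req, cond):
    field, op, content = cond
    value = field_value(req, field)
    if op == "Belongs To":  # content is a comma-separated list of IPs or CIDR blocks
        addr = ipaddress.ip_address(value)
        return any(addr in ipaddress.ip_network(c.strip(), strict=False)
                   for c in content.split(","))
    if op == "Contains":    # plain substring test: "arg" also hits arg1 and arg2
        return content in value
    if op == "Prefix Match":
        return value.startswith(content)
    raise ValueError(f"operator not modelled here: {op}")

def validate_rule(conds):
    if len(conds) > MAX_CONDITIONS:
        raise ValueError("more than five match conditions in one rule")
    ip_entries = sum(len(c[2].split(",")) for c in conds if c[0] == "IP")
    if ip_entries > MAX_IP_ENTRIES:
        raise ValueError("more than 50 IP addresses or CIDR blocks in one rule")

def rule_matches(req, conds):
    validate_rule(conds)
    return all(cond_matches(req, c) for c in conds)  # conditions are joined by AND

# Constructed sample requests (documentation-range addresses, not real traffic).
REQ_BOTH = {"ip": "203.0.113.9", "url": "https://www.example.com/request_path?arg1=a&arg2=b"}
REQ_ARG2 = {"ip": "203.0.113.9", "url": "https://www.example.com/request_path?arg2=b"}
REQ_OTHER_IP = {"ip": "192.0.2.1", "url": "https://www.example.com/request_path?arg1=a"}

def make_rule(arg_content):
    return [("URLPath", "Prefix Match", "/request_path"),
            ("Query-Arg", "Contains", arg_content),
            ("IP", "Belongs To", "203.0.113.0/24, 198.51.100.7")]

if __name__ == "__main__":
    for name, req in [("both", REQ_BOTH), ("arg2 only", REQ_ARG2), ("other ip", REQ_OTHER_IP)]:
        print(name, rule_matches(req, make_rule("arg")), rule_matches(req, make_rule("arg1")))
```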