All Products
Search

This Product

    Edge Security Acceleration:Scan protection rules

    Document Center

    Edge Security Acceleration:Scan protection rules

    Last Updated:Mar 26, 2025

    The scan protection module detects the behavior and characteristics of automated scanners to prevent attackers or scanners from scanning websites. Attack sources are blocked or added to the blacklist. This reduces the risk of intrusions into web services and prevents undesired traffic generated by malicious scanners.

    Create a scan protection rule

    1. In the ESA console, choose Websites and click the website name you want to manage.

    2. In the left-side navigation pane of your website details page, choose Security > WAF. On the WAF page, click the Scan Protection Rules tab.

    3. On the Scan Protection Rules tab, click Create Ruleset.

      • Specify Ruleset Name.

      • If requests match: Specify the conditions for matching incoming requests. The scan protection rules only apply to the matched requests. For more information, see Match fields.

      • Trigger the protection type…: the type of protection to be executed after match rules are specified.

        Note

        Configure at least one of the High-frequency Scanning Blocking and Directory Traversal Blocking rules.

        • Configure a high-frequency scanning blocking rule

          If a source triggers basic protection rules of a protected object multiple times within a short period of time, the source is added to the blacklist. The system blocks or monitors the requests from the source within a specified period of time.

          • Block Object

            • Select the attack source type based on which statistics are collected. Valid values:

            • Cookie Value Of: collects the frequency of attack requests that contain a specific cookie.

            • Header: collects the frequency of attack requests that contain a specific header.

            • IP Source Address: collects the frequency at which attacks are initiated from the same client IP address.

            • Session: collects the frequency at which attacks are initiated over the same client session.

            • URI Query String Parameter: collects the frequency of attack requests that contain a specific parameter.

          • Time Range (Seconds)

            Specify the period of time during which HTTP requests are detected.

            • Valid values: 5 to 1800.

            • Unit: seconds.

          • Trigger Threshold (Times)

            Specify the maximum number of times that a statistical object can trigger the basic protection rules for the protected website within the period of time specified by Time Range (Seconds).

            Valid values: 3 to 50000.

          • Triggered Rules

            Specify the maximum number of basic protection rules that can be triggered by a statistical object within the period of time specified by Time Range (Seconds).

            Valid values: 1 to 50.

          • Blocking Duration (Seconds)

            Specify the period of time during which the requests from the source are blocked.

            • Valid values: 60 to 86400.

            • Unit: seconds.

        • Configure a directory traversal blocking rule

          If a source accesses a large number of non-existent directories of a protected object within a short period of time, the source is added to the blacklist. The system blocks or monitors the requests from the source within a specified period of time.

          • Block Object

            • Select the attack source type based on which statistics are collected. Valid values:

            • Cookie Value Of: collects the frequency of attack requests that contain a specific cookie.

            • Header: collects the frequency of attack requests that contain a specific header.

            • IP Source Address: collects the frequency at which attacks are initiated from the same client IP address.

            • Session: collects the frequency at which attacks are initiated over the same client session.

            • URI Query String Parameter: collects the frequency of attack requests that contain a specific parameter.

          • Time Range (Seconds)

            Specify the period of time during which HTTP requests are detected.

            • Valid values: 5 to 1800.

            • Unit: seconds.

          • Requests

            Specify the maximum number of requests that a single object can initiate for a single domain name within the period of time specified by Time Range (Seconds).

            Valid values: 3 to 50000.

          • 404 Error Rate

            Specify the maximum percentage of HTTP 404 status codes.

            • Valid values: 1 to 100.

            • Unit: %.

          • Non-existent Directories

            Specify the maximum number of non-existent directories that an object is allowed to access within the period of time specified by Time Range (Seconds). The non-existent directories exclude static files such as images.

            Valid values: 2 to 50000.

          • Blocking Duration (Seconds)

            Specify the period of time during which the requests from the source are blocked.

            • Valid values: 60 to 86400.

            • Unit: seconds.

        • Scanner Blocking

          WAF blocks or monitors the requests from common scanners such as sqlmap, Acunetix web vulnerability scanner (AWVS), Nessus, AppScan, WebInspect, Netsparker, Nikto, and RSAS.

      • Then execute...: Select an action that you want to execute when a request hits the rules. For more information, see Actions.

    4. Click OK.

    Availability

    Item

    Entrance

    Pro

    Premium

    Enterprise

    Number of scan protection rules

    Not supported

    5

    10

    20