
Edge Security Acceleration: Custom rules

Last Updated: Nov 28, 2025

If your site requires custom access control policies, you can create custom rules. Set conditions to match specific user requests, and then apply actions such as Block or Monitor to control those requests. This gives you flexible control over the content that users can access.

Configure custom rules

  1. In the ESA console, go to Websites. In the Website column, click the target site.

  2. In the navigation pane on the left, choose Security > WAF.

  3. Click the Custom Rules tab. On the Custom Rules tab, click Create Rule.

    • Enter a Rule Name.

    • In the If requests match... section, set the conditions to match user requests. For more information about rule expressions, see Rule expression components.

    • In the Then execute... section, set the protection action to apply when a request hits the rule. For more information, see Action descriptions.

  4. Click OK.

Action descriptions

  • Block: Blocks requests that hit a rule and returns a block response page to the client.

    Note

    For more information, see Configure custom pages.

  • Monitor: Does not block requests that hit a rule. Instead, it only logs the event. You can query WAF logs to find requests that hit the rule and analyze its effectiveness, for example, to check for false positives. Monitor mode is useful for testing newly configured rules. After you confirm that the rule does not cause false positives, set the action to Block.

    Note

    You must activate Simple Log Service to use the log query feature.

  • JavaScript Challenge: WAF returns a piece of JavaScript code that a standard browser can automatically execute. If the client executes the JavaScript code correctly, WAF allows all subsequent requests from that client for a period of time (30 minutes by default) without another challenge. Otherwise, WAF blocks the request.

  • Slider CAPTCHA: WAF returns a slider verification page to the client. If the client successfully completes the slider verification, WAF allows all subsequent requests from that client for a period of 30 minutes by default. Otherwise, WAF blocks the request.

    Note
    • If the verification is successful (a user successfully completes the slider challenge), the traffic is counted. If the verification fails, the traffic is not counted.

    • The JavaScript Challenge and Slider actions for WAF custom rules and rate limiting rules apply only to static pages. To support asynchronous API responses such as XMLHttpRequest and Fetch, enable JavaScript Challenge and Slider in Bot Management. After you enable them, when a request hits a rule, ESA initiates a JavaScript Challenge or Slider verification for the client. After the client passes the verification, ESA adds the cookie acw_sc__v2 (for JavaScript Challenge) or acw_sc__v3 (for Slider) to the HTTP message. These cookies indicate that the client has been authenticated.

Configuration example

  • Use case: In Security Analytics or Event Analysis, you find that a client with the IP address 193.xx.xx.xx is sending abnormal requests to the host dns.example.com.

  • Rule configuration:

    • Rule expression: The Hostname is www.example.com and the Client IP is 192.xx.xx.xx.

    • Action: Set the action to Block and use the Default Error Page.


  • Result: Requests that match the conditions of the custom rule are blocked.
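
The Monitor-then-Block workflow described under Action descriptions, applied to a hostname-plus-client-IP rule like the one above. This is an added example, not ESA code: it replays the rule over logged requests and reports hits from sources that must not be blocked. The log field names, the sample records, the CIDR form of the client IP condition, and the known-good allowlist are all assumptions made for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample records. The field names (host, client_ip, uri) are
# assumptions for this example, not the ESA WAF log schema.
SAMPLE_LOGS = [
    {"host": "www.example.com", "client_ip": "192.0.2.10", "uri": "/login"},
    {"host": "www.example.com", "client_ip": "192.0.2.10", "uri": "/login"},
    {"host": "WWW.example.com", "client_ip": "192.0.2.10", "uri": "/search"},
    {"host": "www.example.com", "client_ip": "192.0.2.200", "uri": "/healthz"},
    {"host": "api.example.com", "client_ip": "192.0.2.10", "uri": "/v1/items"},
    {"host": "www.example.com", "client_ip": "203.0.113.5", "uri": "/"},
]

# Assumed allowlist: sources that must keep working, e.g. an uptime probe.
KNOWN_GOOD = ["192.0.2.200/32"]


def review_rule(logs, hostname, client_cidr, known_good=KNOWN_GOOD):
    """Replay a 'Hostname is X and Client IP is in Y' rule over logged requests.

    Returns hit counts plus the hits that came from known-good sources,
    which would become false positives once the action is Block.
    """
    rule_net = ipaddress.ip_network(client_cidr)
    good_nets = [ipaddress.ip_network(n) for n in known_good]
    hits, false_positives = [], []
    for rec in logs:
        ip = ipaddress.ip_address(rec["client_ip"])
        # Both conditions must hold; hostnames compare case-insensitively.
        if rec["host"].lower() != hostname.lower() or ip not in rule_net:
            continue
        hits.append(rec)
        if any(ip in net for net in good_nets):
            false_positives.append(rec)
    return {
        "hits": len(hits),
        "false_positives": [r["client_ip"] for r in false_positives],
        "top_uris": Counter(r["uri"] for r in hits).most_common(2),
        "ready_to_block": bool(hits) and not false_positives,
    }


if __name__ == "__main__":
    print(review_rule(SAMPLE_LOGS, "www.example.com", "192.0.2.0/24"))  # too broad
    print(review_rule(SAMPLE_LOGS, "www.example.com", "192.0.2.10/32"))  # single client
```

A rule that reports no hits at all is also not ready to block, because Monitor mode has not yet shown that it matches the traffic it was written for.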

Availability

Feature                   Entrance   Pro   Premium   Enterprise
Number of custom rules    5          20    100       100

References

Rule-related features vary in execution priority, rule behavior, and configuration scope. For more information, see How ESA rules take effect.