Enable bot management in Web Application Firewall (WAF) to block automated tools used for data scraping, business fraud, dictionary attacks, spam registration, inventory hoarding, promotion abuse, or SMS API abuse. It detects bot traffic, enforces targeted protection, and reduces server bandwidth and load.
The new bot management feature is being gradually released and is enabled by default for new users. This document applies only to the legacy version of bot management.
Identify your version: Log on to the WAF console. In the navigation pane on the left, choose . You can identify your version based on the page style.
Access the new version: Only a few users still use the legacy version. If a New tag appears next to Bot Management, see the Bot Management (New Version) document.
Legacy bot management:

Bot management (New):

Features
Bot Management provides the following features:
Bot traffic analysis (Available without enabling Bot Management)
View API risk data without enabling Bot Management: bot traffic trends, top 20 riskiest clients and IP addresses, and per-object analysis. View bot traffic analysis data.
To protect at-risk APIs, apply for a free trial or purchase Bot Management. Enable Bot Management.
Scenario-specific Protection (Available after enabling Bot Management)
Integrate an SDK and configure scenario-based protection for web and app traffic. Create scenario-specific protection rules for a website and Create scenario-specific protection rules for an application.
Best for users with high sensitivity to bot traffic.
Basic Protection (Available after enabling Bot Management)
Identifies bot traffic through Layer 4 or Layer 7 fingerprinting. No SDK integration required — enable protection with a single click. Create basic protection rules.
Best for blocking low- to medium-sophistication crawlers with minimal configuration.
Prerequisites
- You have completed Web service provisioning on the Onboarding page.
- To create a scenario-based app protection template, integrate your app with the SDK: Integrate the SDK for Android and Integrate the SDK for iOS.
Machine traffic analysis
- Log on to the Web Application Firewall 3.0 console. From the top menu bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) for the WAF instance.
- In the navigation pane on the left, choose .
- On the Bot Traffic Analysis tab, view the following data for a specific protected object and time range: Bot Traffic Trend, Top 20 Clients, Top 20 IPs, and Bot Traffic Analysis for Protected Objects.

Enable bot management
- Log on to the Web Application Firewall 3.0 console. From the top menu bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) for the WAF instance.
- In the navigation pane on the left, choose .
- Enable bot management.
Apply for a free trial
Note: You can try bot management for free once if you use the Advanced, Enterprise, or Ultimate edition.
The trial lasts 7 days from approval. All trial data is immediately deleted if you do not purchase a paid plan before expiry.
On the Bot Traffic Analysis tab, click Apply for Trial. On the WAF Bot Management PoC Questionnaire page, enter the required information and click Submit.
An Alibaba Cloud engineer contacts you within one week. After approval, bot management is automatically enabled.
Purchase a paid plan for bot management
On the Bot Traffic Analysis, Scenario-specific Protection, or Basic Protection tab, click Purchase Now.
In the Purchase Now panel, enable Bot Management - Web Protection or Bot Management - App Protection, and complete the payment.
Note: After you enable Bot Management - Web Protection, you can configure basic protection rules and scenario-based rules for web scraping protection.
After you enable Bot Management - App Protection, you can configure basic protection rules and scenario-based rules for app scraping protection.
To configure basic protection rules and scenario-based rules for both web and app scraping protection, enable both Bot Management - Web Protection and Bot Management - App Protection.
After you enable bot management, you can go to the Bot Traffic Analysis tab. In the Bot Traffic Analysis for Protected Objects area, locate at-risk APIs with high bot traffic and click Configure Protection in the Actions column to create a scenario-based protection policy. Create a scenario-based protection rule for website protection and Create a scenario-based protection rule for app protection.
To block low- to medium-sophistication crawlers, configure basic protection rules on the Basic Protection tab. Create a basic protection rule.
Create a scenario-based protection template
Create a scenario-specific protection template for web or H5 pages accessed through browsers (including H5 pages in apps).
If you enable the JavaScript Validation or CAPTCHA action, when traffic matches a rule, WAF initiates a JavaScript challenge or slider verification for the client. After the client passes the verification, WAF inserts the acw_sc__v2 and acw_sc__v3 cookies, respectively, into the HTTP header. These cookies indicate that the client has been verified.
When you configure a scenario-based bot template and enable automatic Web SDK integration, WAF inserts the ssxmod_itna, ssxmod_itna2, and ssxmod_itna3 cookies into the HTTP header to obtain the client's browser fingerprint. The collected fingerprint includes the host field of the HTTP message and the browser's height and width.
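The cookie names above are the only observable trace of a passed challenge that reaches the origin, so a quick way to check the Verify Protection Effect step (or to read origin access logs afterwards) is to look for them. The following is an added example, not WAF code or part of the original page; the log line format, the client addresses and all cookie values are constructed for this illustration, and the cookie values themselves are opaque to the origin.

```python
"""Added example, not Alibaba Cloud WAF code: read the verification and fingerprint
cookies described above out of request Cookie headers.

The page names acw_sc__v2 and acw_sc__v3 as the cookies WAF inserts after a client
passes the JavaScript challenge or slider verification, and ssxmod_itna,
ssxmod_itna2 and ssxmod_itna3 as the browser-fingerprint cookies set with automatic
Web SDK integration. The log line format and every sample value here are constructed.
"""
from collections import Counter
from http.cookies import SimpleCookie

JS_COOKIE = "acw_sc__v2"         # set after JavaScript Validation is passed
CAPTCHA_COOKIE = "acw_sc__v3"    # set after slider (CAPTCHA) verification is passed
FINGERPRINT_COOKIES = ("ssxmod_itna", "ssxmod_itna2", "ssxmod_itna3")


def parse_cookie_header(cookie_header):
    """Return {name: value} for a request Cookie header; an empty header yields {}."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    return {name: morsel.value for name, morsel in jar.items()}


def verification_status(cookie_header):
    """Which WAF markers a request carries."""
    cookies = parse_cookie_header(cookie_header)
    present = [c for c in FINGERPRINT_COOKIES if c in cookies]
    if len(present) == len(FINGERPRINT_COOKIES):
        fingerprint = "full"
    elif present:
        fingerprint = "partial"
    else:
        fingerprint = "none"
    return {
        "js_verified": JS_COOKIE in cookies,
        "captcha_verified": CAPTCHA_COOKIE in cookies,
        "fingerprint": fingerprint,
    }


def classify(status):
    """Collapse a status dict to one label for reporting."""
    if status["js_verified"] or status["captcha_verified"]:
        return "verified"
    if status["fingerprint"] != "none":
        return "fingerprinted_only"
    return "unverified"


def summarize_log(lines):
    """Count requests per (path, label).

    Constructed line format: <client_ip> <method> <path> "<Cookie header>"; the
    quoted Cookie header may be empty. Real access logs differ in layout; only the
    classification logic is the point here."""
    counts = Counter()
    for line in lines:
        _ip, _method, path, quoted = line.split(" ", 3)
        status = verification_status(quoted.strip('"'))
        counts[(path, classify(status))] += 1
    return dict(counts)


# Constructed sample lines: what the origin sees in the Cookie header after WAF has acted.
SAMPLE_LOG = [
    '203.0.113.7 GET /api/sku "acw_sc__v2=c0ffee; ssxmod_itna=a1; ssxmod_itna2=b2; ssxmod_itna3=c3"',
    '203.0.113.7 GET /api/sku "acw_sc__v3=d00d"',
    '198.51.100.9 GET /api/sku "ssxmod_itna=a1"',
    '198.51.100.9 GET /api/sku ""',
    '198.51.100.9 GET /login ""',
]

if __name__ == "__main__":
    for key, n in sorted(summarize_log(SAMPLE_LOG).items()):
        print(f"{key[0]:<10} {key[1]:<18} {n}")
```

A request labelled `fingerprinted_only` has been seen by the Web SDK but has not passed a challenge; a rising count of `unverified` requests on an API that a scenario-based template covers is the first thing to check when the FAQ at the end of this page says the request did not trigger verification.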
- Log on to the Web Application Firewall 3.0 console. From the top menu bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) for the WAF instance.
- In the navigation pane on the left, choose .
- On the Scenario-specific Protection tab, click Create Template.
- In the Configure Scenarios wizard, complete the following settings and click Next.
Parameter
Description
Template Name
Enter a name for the template.
The name must be 1 to 255 characters in length and can contain Chinese characters, uppercase and lowercase letters, digits, periods (.), underscores (_), and hyphens (-).
Template Description
Enter a description for the template.
Service Type
Select Websites. This protects web pages or H5 pages (including H5 pages within apps) that are accessed through a browser.
Web SDK Integration
Traffic Characteristics
Define target traffic by adding rules based on HTTP request fields. Up to five conditions can be added, joined by AND. Supported fields are listed in Match conditions.
On the Configure Protection Rules page, configure the following settings and click Next.
Parameter
Description
Risk Identification
Select Business Security and enter the required information.
Fraud Detection: After you enable this rule, WAF integrates with the Fraud Detection service to block access from abnormal phone numbers, such as those used by scalpers. This is a pay-as-you-go service billed based on rule hits.
Legitimate Bot Management
Select Spider Whitelist and choose a whitelist of legitimate search engines.
After this rule is enabled, traffic from legitimate crawler IP addresses of the selected search engines is allowed and bypasses all Bot Management checks.
Bot Characteristic Detection
Bot Behavior Detection
Bot Threat Intelligence
On the Configure Effective Scope page, complete the following settings and click Next.
Parameter
Description
Apply To
Select the protected objects or protected object groups to which you want to apply the rule. Click the icon to move them to the Selected area.
Effective Time and Canary Rule
Configure grayscale release and effective period for the selected protection rules. If skipped, Canary Rule is disabled and the rule is Permanently Effective by default.
Locate the target rule and click Edit in the Actions column.
Configure the grayscale release and effective period.
Canary Rule: Configure the percentage of traffic that the rule applies to based on a specific dimension.
After you enable Grayscale Release, you must also configure the grayscale Dimension and Canary Release Proportion. The grayscale Dimension can be IP, Custom Header, Custom Parameter, Custom Cookie, or Session.
Note: Grayscale rules are applied based on the Dimension you set, not randomly to a percentage of all requests. For example, if you select the IP dimension, all requests from an IP address that triggers the grayscale rule will be matched.
Effective Mode
Permanently Effective (Default): The rule is always in effect when the protection template is enabled.
Fixed Schedule: You can set the rule to be effective for a specific period in a specific time zone.
Recurring Schedule: You can set the rule to be effective during a specific time period that recurs daily in a specific time zone.
You can also select multiple rules to modify their grayscale release and effective mode settings in bulk.
In the Verify Protection Effect wizard, test the bot protection rule.
Test protection actions before publishing to prevent false positives. If the rule is configured correctly, click Skip in the lower-left corner.
The verification steps are as follows:
The new rule template is enabled by default. On the Scenario-specific Protection tab, you can perform the following operations in the rule template card area:
Click a rule template card to view the rules it contains.
Copy, Edit, or Delete a rule template.
Use the switch on the template to enable or disable it.
View the rule actions and the number of associated Protected Object/Group.
Create a scenario-specific protection rule for apps
Create a scenario-specific protection template for native iOS or Android apps (excluding H5 pages within apps).
If you enable the JavaScript Validation or CAPTCHA mitigation action, when traffic hits a matching rule, WAF initiates a JavaScript challenge or slider verification for the client. After the client passes the verification, WAF inserts the acw_sc__v2 and acw_sc__v3 cookies into the HTTP header to mark the client as verified.
- Log on to the Web Application Firewall 3.0 console. From the top menu bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) for the WAF instance.
- In the navigation pane on the left, choose .
- On the Scenario-specific Protection tab, click Create Template.
- On the Configure Scenarios page, complete the following settings and click Next.
Parameter
Description
Template Name
Enter a name for the template.
The name must be 1 to 255 characters in length and can contain Chinese characters, uppercase and lowercase letters, digits, periods (.), underscores (_), and hyphens (-).
Template Description
Enter a description for the template.
Service Type
Select App. This protects native iOS or Android apps (excluding H5 pages within apps).
APP SDK Integration
WAF provides an SDK for native apps (Android/iOS). After integration, the SDK collects client risk signals and attaches a security signature to requests. WAF uses this signature to detect and block risky requests.
To integrate the app SDK:
Submit a ticket to obtain the SDK for your iOS app.
Click Obtain and Copy AppKey to get the key that you use to initialize the SDK.
Integrate the app SDK. Integrate an SDK into an iOS app.
Traffic Characteristics
Define target traffic by adding rules based on HTTP request fields. Up to five conditions can be added, joined by AND. Supported fields are listed in Match conditions.
On the Configure Protection Rules page, complete the following settings and click Next.
Parameter
Description
Risk Identification
Select Business Security and enter the required information.
Fraud Detection: After you enable this rule, WAF integrates with the Fraud Detection service to block access from abnormal phone numbers, such as those used by scalpers. This is a pay-as-you-go service billed based on rule hits.
Bot Characteristic Detection
Detection rules
Mitigation Action
For the configured Bot Characteristic Detection rules, set the mitigation action to Monitor, Block, or Strict CAPTCHA.
Advanced Protection
Click Advanced Protection to configure the following settings:
Bot Behavior Detection
After selecting Intelligent Protection, configure the mitigation action for detected bot behaviors. You can set the action to Monitor, CAPTCHA, Strict CAPTCHA, or Mark For Origin Fetch. If you select Origin Custom Header, you must also specify the Header Name and Header Content to be added to the request.
When this feature is enabled, the Intelligent Protection engine analyzes and learns from your traffic to automatically generate targeted protection rules or blacklists.
Throttling
When enabled, you can customize access frequency limits to filter high-frequency bot requests and mitigate HTTP flood attacks.
Bot Threat Intelligence
On the Configure Effective Scope page, complete the following settings and click Next.
Parameter
Description
Apply To
Select the protected objects or protected object groups to which you want to apply the rule. Click the icon to move them to the Selected area.
Effective Time and Canary Rule
Configure grayscale release and effective period for the selected protection rules. If skipped, Canary Rule is disabled and the rule is Permanently Effective by default.
Locate the target rule and click Edit in the Actions column.
Configure the grayscale release and effective period.
Canary Rule: Configure the percentage of traffic that the rule applies to based on a specific dimension.
After you enable Grayscale Release, you must also configure the grayscale Dimension and Canary Release Proportion. The grayscale Dimension can be IP, Custom Header, Custom Parameter, Custom Cookie, or Session.
Note: Grayscale rules are applied based on the Dimension you set, not randomly to a percentage of all requests. For example, if you select the IP dimension, all requests from an IP address that triggers the grayscale rule will be matched.
Effective Mode
Permanently Effective (Default): The rule is always in effect when the protection template is enabled.
Fixed Schedule: You can set the rule to be effective for a specific period in a specific time zone.
Recurring Schedule: You can set the rule to be effective during a specific time period that recurs daily in a specific time zone.
You can also select multiple rules to modify their grayscale release and effective mode settings in bulk.
On the Verify Protection Effect page, test the bot protection rule.
Test protection actions before publishing to prevent false positives. If the rule is configured correctly, click Skip in the lower-left corner.
The verification steps are as follows:
The new rule template is enabled by default. On the Scenario-specific Protection tab, you can perform the following operations in the rule template card area:
Click a rule template card to view the rules it contains.
Copy, Edit, or Delete a rule template.
Use the switch on the template to enable or disable it.
View the rule actions and the number of associated Protected Object/Group.
Create a basic protection rule
Configure basic protection rules to block low- to medium-sophistication crawlers. No default template is provided — you must create one.
- Log on to the Web Application Firewall 3.0 console. From the top menu bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) for the WAF instance.
- In the navigation pane on the left, choose .
- On the Basic Protection tab, click Create Template.
- In the Create Template panel, configure the following settings and click OK.
Parameter
Description
Template Name
Enter a name for the template.
The name must be 1 to 255 characters in length and can contain Chinese characters, uppercase and lowercase letters, digits, periods (.), underscores (_), and hyphens (-).
Template Description
Enter a description for the template.
Action
Set the action for the protection rule to Block or Log.
Advanced Settings
Canary Rule: Configure the percentage of traffic that the rule applies to based on a specific dimension.
After you enable Grayscale Release, you must also configure the grayscale Dimension and Canary Release Proportion. The grayscale Dimension can be IP, Custom Header, Custom Parameter, Custom Cookie, or Session.
Note: Grayscale rules are applied based on the Dimension you set, not randomly to a percentage of all requests. For example, if you select the IP dimension, all requests from an IP address that triggers the grayscale rule will be matched.
Effective Mode
Permanently Effective (Default): The rule is always in effect when the protection template is enabled.
Fixed Schedule: You can set the rule to be effective for a specific period in a specific time zone.
Recurring Schedule: You can set the rule to be effective during a specific time period that recurs daily in a specific time zone.
Apply To
Select the protected objects or groups to which the template applies.
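The Canary Rule note under Advanced Settings here, and under Effective Time and Canary Rule in the two scenario-specific templates above, makes a point that matters when you judge a canary's results: the proportion is applied per Dimension value, not per request, so one client IP (or header, parameter, cookie or session value) is either wholly in or wholly out of the canary. The following is an added example, not WAF code or part of the original page, that models that behaviour; the hashing scheme, the request layout and all sample values are assumptions made for this illustration, and WAF's actual bucketing is not documented on this page.

```python
"""Added example, not Alibaba Cloud WAF code: model of dimension-based canary
(grayscale) matching.

A Canary Rule with proportion P and a Dimension D (IP, Custom Header, Custom
Parameter, Custom Cookie or Session) matches every request whose D-value falls into
the canary, rather than a random P% of all requests. The hashing scheme, request
layout and sample values here are assumptions for this illustration only.
"""
import hashlib
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

DIMENSIONS = ("IP", "Custom Header", "Custom Parameter", "Custom Cookie", "Session")


def dimension_value(request, dimension, name=None):
    """Pull the value of the chosen Dimension out of a request (constructed dict layout).

    `name` is the header, query parameter or cookie name for the three Custom
    dimensions; it is ignored for IP and Session.
    """
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    if dimension == "IP":
        return request.get("ip")
    if dimension == "Custom Header":
        return headers.get(name.lower())
    if dimension == "Custom Parameter":
        query = parse_qs(urlsplit(request.get("url", "")).query)
        return query.get(name, [None])[0]
    if dimension == "Custom Cookie":
        jar = SimpleCookie(headers.get("cookie", ""))
        return jar[name].value if name in jar else None
    if dimension == "Session":
        return request.get("session")
    raise ValueError(f"unsupported dimension: {dimension!r}")


def in_canary(value, proportion):
    """Deterministic bucketing: hash the dimension value into 100 buckets and admit
    the first `proportion` of them. Same value -> same bucket -> same decision, which
    is what turns 'P% of traffic' into 'all requests from these IPs'.
    A request with no value for the dimension never matches (assumption)."""
    if value is None:
        return False
    bucket = int(hashlib.sha256(value.encode("utf-8")).hexdigest(), 16) % 100
    return bucket < proportion


def apply_canary(requests, dimension, proportion, name=None):
    """One match decision per request."""
    return [in_canary(dimension_value(r, dimension, name), proportion) for r in requests]


def decisions_by_value(requests, dimension, proportion, name=None):
    """Group decisions by dimension value; each group collapses to a single decision,
    which demonstrates the per-dimension (not per-request) behaviour."""
    grouped = {}
    for r in requests:
        value = dimension_value(r, dimension, name)
        grouped.setdefault(value, set()).add(in_canary(value, proportion))
    assert all(len(d) == 1 for d in grouped.values())  # never mixed within one value
    return {value: next(iter(d)) for value, d in grouped.items()}


# Constructed sample traffic: two requests per client IP, two client IPs.
SAMPLE_REQUESTS = [
    {"ip": "203.0.113.7", "url": "https://shop.example/api/sku?uid=u1",
     "headers": {"X-Client-Id": "app-a", "Cookie": "uid=u1; theme=dark"}, "session": "s-1"},
    {"ip": "203.0.113.7", "url": "https://shop.example/api/sku?uid=u1&page=2",
     "headers": {"X-Client-Id": "app-a", "Cookie": "uid=u1"}, "session": "s-1"},
    {"ip": "198.51.100.9", "url": "https://shop.example/api/sku?uid=u2",
     "headers": {"X-Client-Id": "app-b", "Cookie": "uid=u2"}, "session": "s-2"},
    {"ip": "198.51.100.9", "url": "https://shop.example/login",
     "headers": {"X-Client-Id": "app-b"}, "session": "s-2"},
]

if __name__ == "__main__":
    for dim, key in (("IP", None), ("Custom Cookie", "uid"), ("Session", None)):
        print(dim, decisions_by_value(SAMPLE_REQUESTS, dim, 50, key))
```

The practical consequence for a rollout: a 10% IP canary on a site whose traffic comes through a handful of corporate or carrier NAT addresses can match far more or far less than 10% of requests, so read the canary's hit counts in the security reports per dimension value before widening the proportion.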
The new rule template is enabled by default. On the Basic Protection tab, you can perform the following operations on the rule template card:
View the rule IDs included in the template.
Note: A basic protection template contains three rule IDs: two for whitelist rules and one combining an ACL rule with HTTP flood protection. Use these rule IDs to track protection effectiveness in security reports.
Copy, Edit, or Delete a rule template.
Use the switch on the template to enable or disable it.
View the template's action and the number of Protected Object/Group items it applies to.
FAQ for bot protection testing
If you encounter an issue during the Verify Protection Effect step, use this table to troubleshoot.
| Issue | Cause | Solution |
|---|---|---|
| No valid test requests found. | The test request was not sent successfully or was not sent to WAF. | Ensure that the test request is sent to the WAF address. |
| No valid test requests found. | The request fields do not match the Traffic Characteristics defined in the bot protection rule. | Modify the content of the Protected Object Feature in the bot protection policy. |
| No valid test requests found. | The source IP address of the test request does not match the public test IP address specified in the policy. | Ensure that you are using the correct public IP address. We recommend that you use the diagnostic tool to find your public IP address. |
| The request failed verification. | The request was not from a real user (for example, from debug mode or an automated tool). | Use a client to simulate requests from a real user. |
| The request failed verification. | The protection scenario is incorrect. For example, you need to configure a scenario-based bot protection rule, but you selected Websites instead. | Modify the protection scenario type in the scenario-based bot protection rule. |
| The request failed verification. | Cross-origin access is not correctly configured in the scenario-based bot protection rule. | Modify the scenario-based bot protection rule. Select Use Intermediate Domain Name and choose the source domain for cross-origin access from the drop-down list. |
| The request failed verification. | Frontend compatibility issue. | Submit a ticket. |
| The request did not trigger verification. | The test rule has not been fully deployed. | Wait for the bot protection test rule to be deployed, and then run the test again. |
| The request was not blocked, and no valid test requests were found. | The test request was not sent successfully or was not sent to WAF. | Ensure that the test request is sent to the WAF address. |
| The request was not blocked, and no valid test requests were found. | The request fields do not match the Protected Object Feature defined in the bot protection rule. | Modify the Protected Object Feature in the bot protection policy. |
| The request was not blocked, and no valid test requests were found. | The source IP address of the test request does not match the public test IP address specified in the policy. | Ensure that you are using the correct public IP address. We recommend that you use the diagnostic tool to find your public IP address. |
Next steps
View protection rule execution records on the Security Reports page.