All Products
Document Center

Web Application Firewall:Configure a whitelist for Bot Management

Last Updated:Sep 22, 2023

After you add a website to Web Application Firewall (WAF), you can configure a whitelist for Bot Management to allow trusted access requests of the website to bypass the detection of Bot Threat Intelligence, Data Risk Control, Intelligent Algorithm, and App Protection. This whitelist is used to allow access requests that are blocked by mistake.


  • A WAF instance that meets the following requirements is purchased:

    • The instance uses the subscription billing method.

    • Bot Management is enabled.

  • Your website is added to WAF. For more information, see Tutorial.

Background information

Bot Management protects web applications, native applications, and APIs from malicious crawlers. It provides the following detection modules:

After the preceding detection modules but Allowed Crawlers are enabled, normal access requests may be blocked by mistake. In this case, you can configure a whitelist to allow trusted access requests to bypass the detection of a specific module in Bot Management.

We recommend that you specify rules for the whitelist as precisely as possible to ensure that only trusted access requests are allowed.


  1. Log on to the WAF console.

  2. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland.

  3. In the left-side navigation pane, choose Protection Settings > Website Protection.

  4. In the upper part of the Website Protection page, select the domain name for which you want to configure a website protection whitelist from the Switch Domain Name drop-down list.切换域名

  5. Click the Bot Management tab, find the Fine-grained Configuration section, and then click Settings.

  6. Create a whitelist for Bot Management.

    1. On the Bot Management - Whitelist page, click Create Rule.

    2. In the Create Rule dialog box, configure the following parameters.Bot Management - Whitelist



      Rule name

      Specify a name for the rule.

      Matching Condition

      Specify match conditions for the rule. Click Add rule to add more match conditions. A maximum of five match conditions are allowed. If you specify multiple match conditions, the rule is triggered only after all the match conditions are met.

      For more information about match conditions, see Fields in match conditions.

      Bypassed Modules

      Select the detection modules to bypass after the match conditions are met. Valid Values:

      • Bot Threat Intelligence

      • Data Risk Control

      • Algorithm Model

      • App Protection

    3. Click Save.

    After you create rules for the whitelist, the rules are automatically enabled. You can view created rules in the rule list. You can also disable, edit, or delete rules as required.


Fields in match conditions