
Web Application Firewall: Configure a whitelist for Bot Management

Last Updated: Mar 31, 2026

The Bot Management whitelist lets trusted requests bypass specific Bot Management detection modules—Bot Threat Intelligence, Data Risk Control, Intelligent Algorithm, and App Protection. Use it to resolve false positives when legitimate traffic is blocked.

Prerequisites

Before you begin, ensure that you have:

  • A WAF instance on the subscription billing method with Bot Management enabled

  • A website already added to WAF. For setup instructions, see Tutorial.

How Bot Management detection works

Bot Management protects web applications, native applications, and APIs from malicious crawlers. It includes five detection modules:

| Module | What it detects |
| --- | --- |
| Allowed Crawlers | Identifies known legitimate crawlers (such as search engine bots) and always allows them |
| Bot Threat Intelligence | Blocks requests from IPs and user agents associated with known malicious crawlers |
| Data Risk Control | Detects automated abuse of business flows such as account registration, login, and promotions |
| Intelligent Algorithm | Uses behavioral analysis to identify bot-like traffic patterns |
| App Protection | Validates request integrity for native mobile and desktop applications |

All modules except Allowed Crawlers may produce false positives. Whitelist rules let specific trusted requests bypass one or more of these modules without disabling the module entirely.

Specify whitelist conditions as precisely as possible. Overly broad rules may allow unintended traffic to bypass protection. Bypass only the modules that are blocking the trusted traffic—bypassing fewer modules reduces security risk.

Create a whitelist rule

  1. Log on to the WAF console.

  2. In the top navigation bar, select the resource group and the region where the WAF instance is deployed (Chinese Mainland or Outside Chinese Mainland).

  3. In the left-side navigation pane, choose Protection Configurations > Website Protection.

  4. At the top of the Website Protection page, select the domain name from the Switch Domain Name drop-down list.

  5. Click the Bot Management tab, find the Fine-grained Configuration section, and click Settings.

  6. On the Bot Management - Whitelist page, click Create Rule.

  7. In the Create Rule dialog box, configure the following parameters.

    | Parameter | Description |
    | --- | --- |
    | Rule name | A name for the rule. |
    | Matching Condition | One or more conditions that identify the trusted requests. Click Add rule to add conditions (maximum: 5). The rule triggers only when all conditions are met. For available fields and operators, see Fields in match conditions. |
    | Bypassed Modules | The detection modules to skip when the conditions are met. Select one or more: Bot Threat Intelligence, Data Risk Control, Algorithm Model, App Protection. Select only the modules that are blocking the trusted traffic. |

  8. Click Save.

The rule is automatically enabled and appears in the rule list.
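
The rule semantics above (up to five conditions that must all match, and a bypass that applies only to the selected modules) can be modeled locally to review a planned rule before saving it. This is an added example, not WAF product code or an API client; the field names, operators, rule names, and sample requests are hypothetical, and the real fields and operators are listed in Fields in match conditions.

```python
# Added illustration: a local model of the whitelist semantics on this page.
# Field names and operators below are hypothetical placeholders.
from dataclasses import dataclass

# Module names as they appear in the Create Rule dialog box.
BYPASSABLE = {"Bot Threat Intelligence", "Data Risk Control",
              "Algorithm Model", "App Protection"}
ALL_MODULES = ["Allowed Crawlers", *sorted(BYPASSABLE)]
MAX_CONDITIONS = 5

OPERATORS = {  # hypothetical operator set
    "equals": lambda actual, expected: actual == expected,
    "prefix": lambda actual, expected: actual.startswith(expected),
}

@dataclass
class WhitelistRule:
    name: str
    conditions: list      # (field, operator, value) tuples
    bypassed: set         # modules skipped when the rule matches
    enabled: bool = True  # a saved rule is enabled automatically

    def __post_init__(self):
        if not 1 <= len(self.conditions) <= MAX_CONDITIONS:
            raise ValueError("a rule takes 1 to 5 match conditions")
        if not self.bypassed or not self.bypassed <= BYPASSABLE:
            raise ValueError("select one or more of the four bypassable modules")

    def matches(self, request: dict) -> bool:
        # The rule triggers only when ALL conditions are met.
        return self.enabled and all(
            OPERATORS[op](request.get(field, ""), value)
            for field, op, value in self.conditions)

def modules_still_applied(request: dict, rule: WhitelistRule) -> list:
    """Detection modules that still inspect this request under the rule."""
    skipped = rule.bypassed if rule.matches(request) else set()
    return [m for m in ALL_MODULES if m not in skipped]

# Constructed sample rules: one scoped to the trusted traffic, one too broad.
PRECISE = WhitelistRule("partner-healthcheck", [
    ("client_ip", "equals", "203.0.113.10"),
    ("uri_path", "prefix", "/api/health"),
], {"Bot Threat Intelligence"})
BROAD = WhitelistRule("too-broad", [("uri_path", "prefix", "/")], set(BYPASSABLE))
```

Running unrelated sample requests through `modules_still_applied` shows the difference: `PRECISE` leaves every module active for them, while `BROAD` leaves only Allowed Crawlers.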

Manage whitelist rules

After creating a rule, you can perform the following operations in the rule list:

| Operation | Description |
| --- | --- |
| Disable | Temporarily suspends the rule without deleting it. |
| Edit | Adjusts the rule's match conditions or bypassed modules. |
| Delete | Permanently removes the rule. |
