Match conditions let you target specific HTTP request attributes when configuring website whitelists or custom protection rules. Each condition tests one field against a value using a logical operator. WAF applies the rule only when all conditions in a protection rule are satisfied.
How match conditions work
A match condition has three parts:
Match field — the HTTP request attribute to inspect (for example, URL, IP, or User-Agent)
Logical operator — how to compare the field value (for example, Equals, Contains, or Prefix Match)
Match content — the value to compare against
Each protection rule supports up to five match conditions. Conditions are combined with AND logic, so a request must satisfy every condition before WAF applies the rule's action.
When configuring a whitelist, set the Bypassed Modules parameter to specify which WAF modules the matched requests bypass. When configuring a custom protection rule, set the Action parameter to specify what WAF does with matched requests. For details, see:
Supported match fields
Fields are grouped by edition availability. Fields marked Pro+ are available in Pro, Business, Enterprise, and Exclusive editions. Fields marked Business+ require Business, Enterprise, or Exclusive edition.
Pro, Business, Enterprise, and Exclusive editions
| Field | Type | Description | Supported logical operators |
|---|---|---|---|
| URL | String | The full URL of the request. | Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value; Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value; Length Equal To, Length Greater Than, Length Less Than; Prefix Match, Suffix Match; Regular Expression Match, Regular Expression Mismatch. Important: Pro Edition does not support Regular Expression Match. |
| IP | IP | The source IP address of the request. Enter individual IP addresses or CIDR blocks (for example, 47.100.XX.XX/24). Separate multiple values with commas. | Belongs To, Does Not Belong To. Note: A protection rule supports a combined maximum of 50 IP addresses or CIDR blocks across all IP match conditions. |
| Referer | String | The URL of the page that linked to the requested resource (the HTTP Referer header). | Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value; Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value; Exists, Does Not Exist; Empty; Length Equal To, Length Greater Than, Length Less Than; Prefix Match, Suffix Match; Regular Expression Match, Regular Expression Mismatch. Important: Pro Edition does not support Regular Expression Match. |
| User-Agent | String | The client's browser, rendering engine, and version, as reported in the User-Agent header. | Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value; Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value; Exists, Does Not Exist; Empty; Length Equal To, Length Greater Than, Length Less Than; Prefix Match, Suffix Match; Regular Expression Match, Regular Expression Mismatch. |
| Params | String | The entire query string in the request URL — everything after the ?. For example, in www.example.com/index.html?action=login, the Params value is action=login. | Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value; Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value; Exists, Does Not Exist; Length Equal To, Length Greater Than, Length Less Than; Prefix Match, Suffix Match; Regular Expression Match, Regular Expression Mismatch. |
| Query-Arg | String | An individual query argument in the request URL. For example, in www.example.com/request_path?arg1=a&arg2=b, the query arguments are arg1=a and arg2=b. Note: When you set Match Field to Query-Arg and Logical Operator to Contains, WAF performs substring matching on argument names. Setting Match Content to | Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value; Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value; Exists, Does Not Exist; Empty; Length Equal To, Length Greater Than, Length Less Than; Prefix Match, Suffix Match; Regular Expression Match. |
| URLPath | String | The path component of the request URL, excluding the query string. | Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value; Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value; Length Equal To, Length Greater Than, Length Less Than; Prefix Match, Suffix Match; Regular Expression Match, Regular Expression Mismatch. |
Business, Enterprise, and Exclusive editions only
| Field | Type | Description | Supported logical operators |
|---|---|---|---|
| Cookie | String | The cookie data in the request. | Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value; Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value; Exists, Does Not Exist; Length Equal To, Length Greater Than, Length Less Than; Regular Expression Match, Regular Expression Mismatch. |
| Content-Type | String | The HTTP content type specified for the response. Also known as Multipurpose Internet Mail Extensions (MIME) type. | Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value; Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value; Length Equal To, Length Greater Than, Length Less Than; Regular Expression Match, Regular Expression Mismatch. |
| Content-Length | Number | The number of bytes allowed in the response. | Value Less Than, Value Equal To, Value Greater Than. |
| X-Forwarded-For | String | The originating IP address of a client whose request was forwarded by an HTTP proxy or Server Load Balancer (SLB) instance. The X-Forwarded-For (XFF) header is present only in forwarded requests. | Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value; Contains, Does Not Contain; Does Not Exist; Length Equal To, Length Greater Than, Length Less Than. |
| Post-Body | String | The body content of the request. | Equal To, Not Equal To; Contains, Does Not Contain; Does Not Exist; Prefix Match, Suffix Match; Regular Expression Match. |
| Server-Port | String | The port number of the origin server. For example, in www.example.com:9999, the server port is 9999. | Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value. |
| Http-Method | String | The HTTP method of the request. Valid values: GET, POST, DELETE, PUT, OPTIONS. | Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value. |
| Header | String | A custom HTTP request header. Use this field to match on non-standard or application-specific headers. | Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value; Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value; Exists, Does Not Exist; Length Equal To, Length Greater Than, Length Less Than; Regular Expression Match, Regular Expression Mismatch. |
Params vs. Query-Arg
Params and Query-Arg both inspect the query string, but at different granularities:
| | Params | Query-Arg |
|---|---|---|
| Scope | The entire query string as one value | An individual argument within the query string |
| Example value | action=login&user=alice | action=login or user=alice |
| Best for | Matching the full query string pattern | Matching a specific argument name or value |
For example, to block requests where arg1 is set to a specific value, use Query-Arg with Equals. To match any request whose query string contains a particular substring, use Params with Contains.
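The following added example (a local model, not WAF's own code) evaluates match conditions with AND logic and shows why a Params Contains condition matches more requests than a Query-Arg Equals condition, which matters most when the rule is a whitelist that bypasses modules. It assumes Query-Arg conditions are tested against each `name=value` pair separately; `rule_matches`, `field_values`, and the sample request are hypothetical names and constructed data.

```python
import ipaddress
from urllib.parse import urlsplit

MAX_CONDITIONS = 5  # per-rule limit stated on this page

# Operators modelled here (a subset of the tables above).
OPERATORS = {
    "Equals": lambda value, content: value == content,
    "Contains": lambda value, content: content in value,
    "Prefix Match": lambda value, content: value.startswith(content),
    "Belongs To": lambda value, content: any(
        ipaddress.ip_address(value) in ipaddress.ip_network(net.strip(), strict=False)
        for net in content.split(",")
    ),
}

def field_values(request, field, operator):
    """Return the candidate strings a condition on `field` is tested against."""
    parts = urlsplit(request["url"])
    if field == "URLPath":
        return [parts.path]
    if field == "Params":
        return [parts.query]  # the whole query string as one value
    if field == "Query-Arg":
        args = [a for a in parts.query.split("&") if a]
        if operator == "Contains":
            # Page note: Contains on Query-Arg matches substrings of argument names.
            return [a.split("=", 1)[0] for a in args]
        return args  # assumption: each "name=value" pair is tested on its own
    if field == "IP":
        return [request["ip"]]
    raise ValueError(f"field not modelled: {field}")

def rule_matches(request, conditions):
    """AND logic: every (field, operator, content) condition must hold."""
    if len(conditions) > MAX_CONDITIONS:
        raise ValueError("a protection rule supports up to five match conditions")
    return all(
        any(OPERATORS[op](v, content) for v in field_values(request, field, op))
        for field, op, content in conditions
    )

# Constructed sample request (documentation address range, not real traffic).
REQUEST = {"ip": "203.0.113.7",
           "url": "http://www.example.com/index.html?xaction=login&user=alice"}
```

Here `Params` Contains `action=login` matches the sample request because the substring occurs inside `xaction=login`, while `Query-Arg` Equals `action=login` does not.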