Web Application Firewall:Allow specific requests using whitelist rules

Last Updated:Nov 28, 2025

After you add your website to Web Application Firewall (WAF), you can configure whitelist rules to allow requests with specific features. These requests can bypass all or specific protection modules, such as web core protection rules, IP blacklists, custom rules, and scan protection. This topic describes how to create a whitelist protection template and add whitelist rules.

Template types

The whitelist protection module supports the following two template types.

Protection template

Description

Applicable objects

Default protection template

The initial default protection template provided by WAF. It does not contain any whitelist rules. You must add whitelist rules to the template.

By default, this template is applied to all new and existing protected objects and groups. You can manually change the applicable objects.

Custom protection template

A protection template that you create based on your business needs. You must manually create this template. Use this template type if the default protection template cannot meet your business needs.

You must specify the Apply To setting. This template takes effect only for the associated protected objects and object groups.

Note

A whitelist protection template without rules does not allow any requests to bypass WAF. By default, WAF inspects all requests.

Prerequisites

Step 1: Create a whitelist protection template

You only need to perform this step if you want to create a custom protection template. If you use the default protection template, you can skip this step.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.

  2. In the left-side navigation pane, choose Protection Configuration > Core Web Protection.

  3. On the Core Web Protection page, find the Whitelist section and click Create Template.

  4. In the Create Template - Whitelist panel, complete the following configurations and click OK.

    Configuration item

    Description

    Template Name

    Enter a name for the template.

    The name of the template must be 1 to 255 characters in length and can contain letters, digits, periods (.), underscores (_), and hyphens (-).

    Set as Default Template

    A default protection template applies to all protected objects and groups by default. You do not need to specify applicable objects. You can also manually remove objects or groups from the default template. You can set only one default template for each protection module. You can set a template as the default only when you create it.

    For whitelist protection templates, you can also configure multiple protection templates for a single protected object or object group. For details about the effective rules, see Application examples for multiple protection templates.

    Rule Configuration

    You can click Create Rule to create a whitelist rule for the current template. You can also skip this setting and create rules for the template after the template is created. For more information, see Step 2: Add a whitelist rule to a whitelist protection template.

    Apply To

    Select items to which you want to apply the template on the Protected Objects and Protected Object Groups tabs. For more information, see Configure protected objects and protected object groups.

    A protected object or object group can be associated with multiple whitelist protection templates. If you set a default protection template, it is applied to all protected objects and groups by default. If you do not set a default template, no objects or groups are selected by default. You can manually change the applicable objects.

    By default, a newly created protection template is enabled. You can perform the following operations on the template in the template list:

    • View the numbers of protected objects and protected object groups that are associated with the template in the Protected Object/Group column.

    • Turn on or turn off the switch in the Status column to enable or disable the template.

    • Click Create Rule in the Actions column to create a protection rule for the template.

    • Click Edit, Delete, or Copy in the Actions column to manage the template.

• Click the expand icon to the left of the template name to view the protection rules in the template.

    Note

    WAF automatically creates a protection template named AutoTemplate and adds a whitelist rule in the following scenarios:

    • After you enable the intelligent whitelisting engine for web core protection rules, the engine analyzes logs. If it identifies a risk of false positives, it automatically adds a whitelist rule for the specified path and rule ID. For more information, see Intelligent whitelisting engine.

    • When you view a security report, if you select Ignore False Positive to handle an attack detected by a web core protection rule, WAF automatically adds a whitelist rule whose source is Custom. For more information, see Security reports.

    • When you view a security report, if you select Add To Whitelist to handle an attack detected by the bot management module, WAF automatically adds a whitelist rule whose source is Custom. For more information, see Security reports.

Step 2: Add a whitelist rule to a whitelist protection template

A whitelist protection template takes effect only after you add whitelist rules to it. If you have already added whitelist rules to the template, you can skip this step.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.

  2. In the left-side navigation pane, choose Protection Configuration > Core Web Protection.

  3. In the Whitelist section, find the protection template to which you want to add a rule and click Create Rule in the Actions column.

  4. In the Create Rule dialog box, complete the following configurations and click OK.

    Configuration item

    Description

    Rule Name

    Enter a name for the rule.

    The name of the rule can contain letters, digits, periods (.), underscores (_), and hyphens (-).

    Match Conditions

    Specify the characteristics of requests that you want the rule to match.

    Click Add Condition to add a match condition. You can add up to five match conditions to a rule. If you add multiple match conditions, the rule is matched only if all match conditions are met.

    Each match condition consists of the Match Field, Logical Operator, and Match Content parameters. Examples:

    • Example 1: Set the Match Field parameter to URI, the Logical Operator parameter to Contains, and the Match Content parameter to /login.php. If the URI of a request contains /login.php, the request matches the rule.

    • Example 2: Set the Match Field parameter to IP, the Logical Operator parameter to Belongs To, and the Match Content parameter to 192.1X.XX.XX. If a request is sent from a client whose IP address is 192.1.XX.XX, the request matches the rule.

    For more information about the match fields and logical operators, see Match conditions.

    Bypassed Modules

Select the protection modules that requests which hit the match conditions can bypass. Options:

    • All: Requests that hit the match conditions bypass all protection modules and are forwarded to the origin server.

      This option is typically used to allow traffic that you fully trust, such as access from trusted vulnerability scan tools or authenticated third-party system interfaces.

      Important

The more specific a whitelist rule is, the less traffic it exempts from inspection. We recommend that you select only the protection modules that actually cause false positives for your business, so that requests are allowed in a targeted manner rather than exempted from all protection.

    • Core Protection Rule: Requests that hit the match conditions bypass the specified web core protection rules.

After you select Core Protection Rule, you must also specify which rules to ignore. Options:

      • All Rules: Selected by default. This option indicates that all rules are ignored.

      • IDs of Specific Rules: Ignores rules with the specified IDs.

        You must enter the IDs of the rules to ignore (in six-digit format).

        Note
        • Press the Enter key after you enter each rule ID. You can enter up to 50 rule IDs.

• You can also add the IDs of major event support rules to the whitelist.

      • Types of Specific Rules: Ignores rules of the specified types.

You must click the expand icon and select the rule types to ignore.

    • Custom Rule: Requests that hit the match conditions bypass the custom rules module.

    • IP Address Blacklist: Requests that hit the match conditions bypass the IP blacklist module.

    • Scan Protection: Requests that hit the match conditions bypass the scan protection module.

    • Bot Management: Requests that hit the match conditions bypass the bot management module.

    • Website Tamper-proofing: Requests that hit the match conditions bypass the web tamper proofing module.

    • Data Leakage Prevention: Requests that hit the match conditions bypass the data leakage prevention module.

    • HTTP Flood Protection: Requests that hit the match conditions bypass the HTTP flood protection module.

• Region Blacklist: Requests that hit the match conditions bypass the region blacklist module.

    • AI Application Protection: Requests that hit the match conditions bypass the AI application protection module.

    By default, a newly created protection rule is enabled. You can perform the following operations on the rule in the rule list:

    • View the rule ID and action in the Rule ID and Action columns.

    • Turn on or turn off the switch in the Status column to enable or disable the rule.

    • Click Edit or Delete in the Actions column to modify or delete the rule.
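To make the matching and bypass logic of a whitelist rule concrete, the following Python is an added example; it is not Alibaba Cloud WAF code and does not call the WAF API. It models a rule the way this page describes it: up to five match conditions that must all hold, a set of bypassed modules in which All overrides everything, core protection rule exceptions by six-digit rule ID (at most 50), and an enabled switch. Rule names, rule IDs, URIs and IP ranges (RFC 5737 documentation addresses) are constructed for the example. Two points are assumptions rather than statements from the page: that when several enabled rules exist, any one matching rule is enough for the bypass, and the exact comparison used for each field (plain substring for Contains on URI, CIDR membership for Belongs To on IP).

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

MAX_CONDITIONS = 5                    # page: up to five match conditions per rule
MAX_RULE_IDS = 50                     # page: up to 50 core rule IDs per rule
RULE_ID_RE = re.compile(r"^\d{6}$")   # page: six-digit rule ID format
MODULES = {"All", "Core Protection Rule", "Custom Rule", "IP Address Blacklist", "Scan Protection",
           "Bot Management", "Website Tamper-proofing", "Data Leakage Prevention",
           "HTTP Flood Protection", "Region Blacklist", "AI Application Protection"}


@dataclass(frozen=True)
class Condition:
    field: str      # "URI" or "IP", the two match fields shown on the page
    operator: str   # "Contains" or "Belongs To"
    content: str

    def matches(self, request: dict[str, str]) -> bool:
        value = request[self.field]
        if self.operator == "Contains":     # assumption: plain substring match
            return self.content in value
        if self.operator == "Belongs To":   # assumption: client IP inside a CIDR block
            return ipaddress.ip_address(value) in ipaddress.ip_network(self.content, strict=False)
        raise ValueError(f"unsupported operator {self.operator!r}")


@dataclass
class WhitelistRule:
    name: str
    conditions: list[Condition]
    bypassed: set[str]                              # subset of MODULES
    ignored_core_rule_ids: set[str] | None = None   # None means "All Rules"
    enabled: bool = True                            # the Status switch

    def __post_init__(self) -> None:
        if not 1 <= len(self.conditions) <= MAX_CONDITIONS:
            raise ValueError("a rule needs 1 to 5 match conditions")
        if self.bypassed - MODULES:
            raise ValueError(f"unknown module(s): {sorted(self.bypassed - MODULES)}")
        ids = self.ignored_core_rule_ids or set()
        if len(ids) > MAX_RULE_IDS or any(not RULE_ID_RE.match(i) for i in ids):
            raise ValueError("core rule IDs: at most 50, each exactly six digits")

    def matches(self, request: dict[str, str]) -> bool:
        # AND semantics: the rule hits only if every condition holds
        return self.enabled and all(c.matches(request) for c in self.conditions)

    def bypasses(self, request: dict[str, str], module: str, core_rule_id: str | None = None) -> bool:
        if not self.matches(request):
            return False
        if "All" in self.bypassed:
            return True                 # everything is skipped, core rules included
        if module not in self.bypassed:
            return False
        if module == "Core Protection Rule" and self.ignored_core_rule_ids is not None:
            return core_rule_id in self.ignored_core_rule_ids
        return True


def request_bypasses(rules, request, module, core_rule_id=None) -> bool:
    # Assumption (not stated on the page): one matching enabled rule is enough
    return any(r.bypasses(request, module, core_rule_id) for r in rules)


def is_valid_rule(*args, **kwargs) -> bool:
    try:
        WhitelistRule(*args, **kwargs)
        return True
    except ValueError:
        return False


# Constructed sample rules; names, IDs and addresses are illustrative, not real WAF data
RULES = [
    # Page example 1, but scoped to two core rule IDs instead of bypassing everything
    WhitelistRule("login-core-exceptions", [Condition("URI", "Contains", "/login.php")],
                  {"Core Protection Rule"}, ignored_core_rule_ids={"113001", "113002"}),
    # Page example 2: a trusted scanner range bypasses all modules ("All")
    WhitelistRule("trusted-scanner", [Condition("IP", "Belongs To", "192.0.2.0/24")], {"All"}),
    # Third-party interface: both conditions must hold, two modules bypassed
    WhitelistRule("partner-api", [Condition("URI", "Contains", "/partner/"),
                                  Condition("IP", "Belongs To", "198.51.100.0/24")],
                  {"Custom Rule", "HTTP Flood Protection"}),
    # Status switch off: this rule never matches
    WhitelistRule("legacy", [Condition("URI", "Contains", "/legacy/")], {"All"}, enabled=False),
]

# Constructed requests
LOGIN = {"URI": "/login.php", "IP": "203.0.113.7"}
BACKUP = {"URI": "/backup/login.php.old", "IP": "203.0.113.7"}   # "Contains" hits this too
SCAN = {"URI": "/admin", "IP": "192.0.2.55"}
PARTNER = {"URI": "/partner/orders", "IP": "198.51.100.9"}
SPOOFED = {"URI": "/partner/orders", "IP": "203.0.113.7"}        # right path, wrong network
LEGACY = {"URI": "/legacy/x", "IP": "203.0.113.7"}

if __name__ == "__main__":
    for req in (LOGIN, BACKUP, SCAN, PARTNER, SPOOFED, LEGACY):
        print(req, request_bypasses(RULES, req, "Core Protection Rule", "113001"))
```

The BACKUP request shows why the Important note above matters: a Contains condition on /login.php also hits /backup/login.php.old, so a rule that bypasses All for that condition would exempt any path that merely embeds the string. Scoping the rule to the specific core rule IDs that produce false positives, and pairing a URI condition with a second condition such as a trusted source network (the partner-api rule), keeps the exemption narrow; the SPOOFED request fails the rule because only one of its two conditions holds.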

What to do next

On the Security Reports page, you can query the block records of protection rules to obtain the IDs of the rules that were triggered. For more information, see Security reports.

References