Web Application Firewall: Configure advanced custom rules

Last Updated:Mar 31, 2026

When bot traffic bypasses your standard controls—using fingerprint evasion, SDK-collected signals, or unusual request patterns—advanced custom rules give you precise control. Unlike basic custom rules, advanced custom rules support additional match fields: Client-ID, JA3/JA4 fingerprints, HTTP/2 fingerprints, and data collected by the Web SDK and App SDK. They also support deduplication when counting request frequency.

This topic explains how to create a protection template and add access control or frequency control rules to it.

Prerequisites

Before you begin, ensure that you have:

Rule types

Advanced custom rules come in two types:

Rule type | How it works
Access control rule | Matches requests based on client IPs, request URLs, or header fields. WAF takes a configured action on every request that hits the condition. Use this to block a specific Client-ID, or verify requests that contain a specific web UMID or app UMID.
Frequency control rule | Adds rate-based detection on top of access control conditions. When requests from the same statistical object (such as an IP or session) exceed the threshold within a time window, WAF blocks all requests from that object for a configured period.

Step 1: Create a protection template

A protection template is the container for your rules. Rules only take effect after you associate the template with protected objects.

  1. Log on to the Web Application Firewall 3.0 console. In the top navigation bar, select a resource group and a region (Chinese Mainland or Outside Chinese Mainland).

  2. Click Create Template. In the New Template - Advanced Custom Rules panel, configure the following settings, then click OK.

    Parameter | Description
    Template name | A name for the template. Length: 1–255 characters. Allowed characters: Chinese characters, uppercase and lowercase letters, digits, periods (.), underscores (_), and hyphens (-).
    Rule configuration | Click Create Rule to add a rule now, or skip this and add rules after the template is created.
    Apply to | Select the protected objects or object groups to which this template applies.

The template is enabled by default. In the template list, you can:

  • View the number of Protected Object/Group entries associated with the template

  • Toggle the Status switch to enable or disable the template

  • Click Create Rule to add a rule

  • Edit, Delete, or Copy the template

  • Click the expand icon next to the template name to view the rules inside

Step 2: Create a custom rule

Templates have no effect until they contain at least one rule. If you already added a rule in step 1, skip this step.

In the Create Rule dialog box, configure the following parameters and click OK.

Rule name

Enter a name for the rule. Allowed characters: Chinese characters, uppercase and lowercase letters, digits, periods (.), underscores (_), and hyphens (-).

Match condition

Define which requests the rule applies to. Click Add Condition to add a condition—up to 10 conditions per rule. A request must meet all conditions to hit the rule.

Each condition has three parts: a Match Field, a Logic operator, and a Match Content.

Examples:

  • URI Contains /login.php — matches any request whose path contains /login.php

  • IP Belongs to 192.1X.XX.XX — matches requests from that specific IP address
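The following is an added example, not WAF code: a small evaluator for the AND-combined conditions the rule dialog describes, using the match fields and logic operators listed on this page. The request dicts, the JA3 value and the sample rule are constructed.

```python
import ipaddress
import re

# Added example, not WAF code: evaluates the AND-combined match conditions the
# rule dialog describes. Field and operator names follow the page; the request
# dicts, the JA3 value and the rule below are constructed.

def belongs_to(ip, entries):
    """'Belongs to' logic: the source IP is inside any listed address or CIDR block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)

# Logic operators that compare a field value (v) against the match content (c).
OPS = {
    "Contains": lambda v, c: c in v,
    "Does not contain": lambda v, c: c not in v,
    "Equals": lambda v, c: v == c,
    "Does not equal": lambda v, c: v != c,
    "Starts with": lambda v, c: v.startswith(c),
    "Ends with": lambda v, c: v.endswith(c),
    "Equals one of": lambda v, c: v in c,
    "Does not equal any of": lambda v, c: v not in c,
    "Matches regex": lambda v, c: re.search(c, v) is not None,
    "Length is greater than": lambda v, c: len(v) > c,
    "Belongs to": belongs_to,
    "Does not belong to": lambda v, c: not belongs_to(v, c),
}

def condition_hits(request, field, logic, content=None):
    """Evaluate one (Match Field, Logic, Match Content) condition."""
    value = request.get(field)
    if logic == "Exists":
        return value is not None
    if logic == "Does not exist":
        return value is None
    if logic == "Is empty":
        return value == ""
    if value is None:          # a missing field never satisfies a value comparison
        return False
    return OPS[logic](value, content)

def rule_hits(request, conditions):
    """A request hits the rule only when every condition (up to 10) holds."""
    return all(condition_hits(request, *cond) for cond in conditions)

# Constructed rule: login requests from a documentation IP range whose TLS
# fingerprint matches a known (made-up) JA3 hash.
LOGIN_RULE = [
    ("URI", "Contains", "/login.php"),
    ("IP", "Belongs to", ["192.0.2.0/24", "2001:db8::/32"]),
    ("JA3 fingerprint", "Equals one of", ["0123456789abcdef0123456789abcdef"]),
]
```

A request that lacks the JA3 field fails the rule even when the URI and IP conditions hold, which is the behaviour to expect from an all-conditions rule when a client does not present the field.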

Protection rule type

Select Access Control (default) or Rate Limiting.

Rate limiting adds frequency detection: if requests from the same statistical object hit the match condition more than a set number of times within a time window, WAF blocks all requests from that object for a configurable period.

After selecting Rate Limiting, configure the following sections:

Frequency detection condition

Parameter | Description
Statistical object | The entity WAF tracks for frequency. See Statistical object options.
Statistical interval (Seconds) | The time window for counting hits.
Threshold (Times) | The maximum number of hits allowed within the statistical interval. Exceeding this adds the object to the blacklist.

Statistical object options

Statistical object | What WAF counts
IP | Requests from the same source IP address
Custom header | Requests that share the same value for a specified header (for example, all requests with the same Referer value)
Custom parameter | Requests that share the same value for a specified URL parameter
Custom cookie | Requests that share the same value for a specified cookie (for example, all requests where User has the same value)
Session | Requests from the same client session, identified by the acw_tc cookie that WAF inserts into responses
Body | Requests that share the same value for a specified body parameter
App UMID | Requests from the same app client
Account | Requests from the same account
Web UMID | Requests from the same web client

Response code detection condition (optional)

When enabled, an object is added to the blacklist only if it meets both the frequency detection condition and a response code condition.

Parameter | Description
Status code | The HTTP response code to track (for example, 403 or 429).
Quantity | The maximum number of times the specified status code can appear within the statistical interval. Mutually exclusive with Percentage (%).
Percentage (%) | The maximum percentage of responses that can contain the specified status code within the statistical interval. Mutually exclusive with Quantity.

Deduplication for statistics (optional)

Use deduplication to count unique requests rather than total requests. Add up to 5 deduplication conditions. A request must meet all conditions to be counted.

How deduplication works: The deduplication condition defines a secondary filter on top of the match condition. An object is added to the blacklist only after the number of access requests to the URI specified in the match condition reaches the configured count after deduplication.

Example: Match Field URI, Logic Equals, Number 5 — WAF counts a URI hit only after 5 identical requests to that URI.

Blacklist action condition

Defines what happens to objects that exceed the threshold.

Parameter | Description
Apply to | Current match condition: WAF acts only on requests that match the current rule's conditions. Protected object: WAF acts on all requests from the restricted object, regardless of the match condition.
Timeout period | How long the blacklist action stays in effect. Range: 60–86400 seconds.
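The following is an added example, not WAF code: a model of how the frequency detection condition, the optional response code condition (Quantity form) and the blacklist timeout described above combine for one statistical object. Only requests that already hit the match condition are fed in; the sliding window and the choice that the request crossing the threshold still passes are assumptions of this model, and the traffic is constructed.

```python
from collections import defaultdict, deque

# Added example, not WAF code: a model of the Rate Limiting evaluation above.
# Only requests that already hit the match condition are fed in; the sliding
# window and "the crossing request still passes" are assumptions of this model.

class FrequencyRule:
    def __init__(self, interval, threshold, timeout, status_code=None, quantity=None):
        self.interval = interval        # Statistical interval (Seconds)
        self.threshold = threshold      # Threshold (Times)
        self.timeout = timeout          # blacklist Timeout period (Seconds)
        self.status_code = status_code  # optional response code condition ...
        self.quantity = quantity        # ... in its Quantity form
        self.hits = defaultdict(deque)  # object -> times of matching requests
        self.codes = defaultdict(deque) # object -> times the tracked code was returned
        self.blacklist = {}             # object -> time its blacklist entry expires

    def _trim(self, q, now):
        while q and q[0] <= now - self.interval:   # drop hits outside the interval
            q.popleft()

    def observe(self, now, obj, status):
        """One matching request from `obj` answered with HTTP `status`; 'block' while blacklisted, else 'pass'."""
        expiry = self.blacklist.get(obj)
        if expiry is not None:
            if now < expiry:
                return "block"
            del self.blacklist[obj]     # timeout elapsed, the object is released
        hits, codes = self.hits[obj], self.codes[obj]
        hits.append(now)
        if status == self.status_code:
            codes.append(now)
        self._trim(hits, now)
        self._trim(codes, now)
        # With a response code condition, both conditions must hold.
        code_ok = self.status_code is None or len(codes) > self.quantity
        if len(hits) > self.threshold and code_ok:
            self.blacklist[obj] = now + self.timeout
            hits.clear()
            codes.clear()
        return "pass"

def simulate(rule, events):
    """events: (time, object, status) tuples, in time order per object."""
    return [(obj, rule.observe(t, obj, status)) for t, obj, status in events]

def run_sample():
    """Constructed traffic: 198.51.100.7 gets 403 on 12 login attempts in 12 s,
    203.0.113.9 gets 200 on 12; the first also retries at t=100 and t=310."""
    rule = FrequencyRule(interval=60, threshold=10, timeout=300, status_code=403, quantity=5)
    events = [(t, ip, code) for t in range(12)
              for ip, code in (("198.51.100.7", 403), ("203.0.113.9", 200))]
    events += [(100, "198.51.100.7", 403), (310, "198.51.100.7", 200)]
    return simulate(rule, events)
```

In the sample both objects exceed the hit threshold, but only the one whose responses also exceed the 403 Quantity is blacklisted, and it is released once the 300-second timeout has elapsed.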

Actions

Action | Behavior
JavaScript validation | Returns a JavaScript challenge to the client. Standard browsers execute it automatically. If the client passes, WAF allows all requests from that client for a period of time, 30 minutes by default. Requests that fail are blocked.
Block | Blocks the request and returns a block page. To customize the block page, use the Custom Response feature.
Log | Logs the request without blocking it. Use this mode when testing a new rule to check for false positives before enforcing it.
Slider | Presents a slider challenge. If the client passes, WAF allows all requests from that client for a period of time, 30 minutes by default. Requests that fail are blocked.
Strict CAPTCHA | Presents a slider challenge for every matching request. Passing allows only the current request; the client must complete the challenge again on the next matching request.
Origin custom header | Adds a custom header to the request and forwards it to the origin server. The header can include the rule type, rule ID, and web UMID, allowing your backend risk control system to handle the request.

Rule type

Classify the rule so that matched traffic is categorized on the traffic analysis page:

  • Suspected bot: the request shows some characteristics of automated traffic but lacks clear evidence of malicious intent

  • Malicious bot: the request comes from an automated program used for illegal purposes such as attacks, data theft, or other malicious operations

Advanced settings

Setting | Description
Canary rule | Applies the rule to a percentage of objects in a specified dimension, rather than to all traffic at once. After enabling, set the Dimension (IP, Custom Header, Custom Parameter, Custom Cookie, Session, App UMID, or Web UMID) and the Canary release proportion. WAF selects that percentage of dimension values and applies the rule to all requests from those values—not to a random percentage of individual requests. For example, with Dimension set to IP and proportion set to 10%, WAF picks approximately 10% of IP addresses and applies the rule to every request from those IPs.
Effective mode | Permanently effective (default): the rule is active whenever the template is enabled. Fixed schedule: active only during a specified time window. Recurring schedule: active only during a recurring schedule.
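The following is an added example, not WAF code: it models the per-dimension canary selection described above, where a fixed share of dimension values (rather than of individual requests) receives the rule. How WAF actually picks the values is not documented here; a keyed hash bucket is an assumption chosen so that one value always gets the same decision, and the rule key and traffic are constructed.

```python
import hashlib
from collections import Counter

# Added example, not WAF code: models the per-dimension canary selection
# described above. How WAF actually picks the values is not documented here;
# a keyed hash bucket is an assumption chosen so that one value always gets
# the same decision. The rule key and the traffic below are constructed.

def in_canary(value, proportion, key="constructed-rule-key"):
    """True when this dimension value (IP, cookie, session, UMID ...) is in the
    canary group. Hashing the value, not the request, keeps all of its requests
    on the same side, which is what "10% of IP addresses" means on the page."""
    digest = hashlib.sha256(f"{key}:{value}".encode()).digest()
    bucket = int.from_bytes(digest[:4], "big") % 100      # 0..99
    return bucket < proportion

def rule_applies(request, dimension, proportion):
    """Decide whether the canary rule is applied to one request."""
    value = request.get(dimension)
    return value is not None and in_canary(value, proportion)

def canary_report(requests, dimension, proportion):
    """Per dimension value, how many of its requests received the rule."""
    report = Counter()
    for req in requests:
        if rule_applies(req, dimension, proportion):
            report[req[dimension]] += 1
    return report

# Constructed traffic: 1000 source IPs with five requests each.
REQUESTS = [{"IP": f"10.{i // 256}.{i % 256}.1", "URI": "/login.php"}
            for i in range(1000) for _ in range(5)]
```

Running canary_report over the constructed traffic with Dimension IP and a 10% proportion selects roughly 100 of the 1000 IPs, and every selected IP has all five of its requests covered, never a partial share.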

A new rule is enabled by default. In the rule list, you can:

  • View the Rule ID and Rule Condition

  • Toggle the Status switch to enable or disable the rule

  • Edit or Delete the rule

Match field reference

The following table lists all match fields available when building rule conditions.

Match field | Description | Supported logic
URI | The full path of the request, including the query string but excluding the domain. Must start with /. Example: /login.php. | Contains, Does not contain, Equals, Does not equal, Length is less than, Length is equal to, Length is greater than, Equals one of, Does not equal any of, Contains one of, Does not contain any of, Matches regex, Does not match regex, Starts with, Ends with
IP | The source IP address of the request. Supports IPv4 (e.g., 1.XX.XX.1), IPv6 (e.g., 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff), and CIDR blocks (e.g., 1.XX.XX.1/16). Press Enter after each address. Maximum: 100 addresses. | Belongs to, Does not belong to
Referer | The URL of the page that linked to the current request. | Contains, Does not contain, Equals, Does not equal, Length is less than, Length is equal to, Length is greater than, Equals one of, Does not equal any of, Contains one of, Does not contain any of, Matches regex, Does not match regex, Starts with, Ends with, Is empty, Exists, Does not exist
User-Agent | The client identifier string, which includes browser type, version, and rendering engine details. | Contains, Does not contain, Equals, Does not equal, Length is less than, Length is equal to, Length is greater than, Equals one of, Does not equal any of, Contains one of, Does not contain any of, Matches regex, Does not match regex, Starts with, Ends with, Is empty, Exists, Does not exist
Query string | The part of the URL after the question mark (?). | Contains, Does not contain, Equals, Does not equal, Length is less than, Length is equal to, Length is greater than, Equals one of, Does not equal any of, Contains one of, Does not contain any of, Matches regex, Does not match regex, Exists, Does not exist
Cookie | Cookie data in the request. | Contains, Does not contain, Equals, Does not equal, Length is less than, Length is equal to, Length is greater than, Equals one of, Does not equal any of, Contains one of, Does not contain any of, Matches regex, Does not match regex, Exists, Does not exist, Is empty
Content-Type | The Multipurpose Internet Mail Extensions (MIME) type of the request body, specified in the Content-Type header. | Contains, Does not contain, Equals, Does not equal, Length is less than, Length is equal to, Length is greater than, Equals one of, Does not equal any of, Contains one of, Does not contain any of, Matches regex, Does not match regex
Content-Length | The size of the request body in bytes. Range: 0–2,147,483,648. | Equals, Value is less than, Value is greater than
X-Forwarded-For | The original client IP address when the request passes through an HTTP proxy or load balancer. This field is only present in forwarded requests. | Contains, Does not contain, Equals, Does not equal, Length is less than, Length is equal to, Length is greater than, Equals one of, Does not equal any of, Contains one of, Does not contain any of, Matches regex, Does not match regex, Does not exist
Body | The request body content. | Contains, Does not exist, Equals, Matches regex, Starts with, Ends with
Http-Method | The HTTP method of the request (GET, POST, DELETE, PUT, OPTIONS, CONNECT, HEAD, TRACE, or PATCH). | Equals, Does not equal, Equals one of, Does not equal any of
Header | A request header field. Supports custom header names. | Contains, Does not contain, Equals, Does not equal, Length is less than, Length is equal to, Length is greater than, Equals one of, Does not equal any of, Contains one of, Does not contain any of, Matches regex, Does not match regex, Exists, Does not exist
URI Path | The path portion of the URI, excluding the query string. | Contains, Does not contain, Equals, Does not equal, Length is less than, Length is equal to, Length is greater than, Equals one of, Does not equal any of, Contains one of, Does not contain any of, Matches regex, Does not match regex, Starts with, Ends with
Query string parameter | A specific parameter name in the query string. For example, in www.aliyundoc.com/path?param1=a&param2=b, param1 and param2 are query string parameters. Parameter names are case-sensitive. | Contains, Does not contain, Equals, Does not equal, Length is less than, Length is equal to, Length is greater than, Equals one of, Does not equal any of, Contains one of, Does not contain any of, Matches regex, Does not match regex, Starts with, Ends with, Exists, Does not exist, Is empty
Client-ID | An identifier for the client (browser or application), derived from User-Agent information and traffic fingerprints. | Contains, Does not contain, Equals, Does not equal, Equals one of
Server-Port | The destination port of the request on the server. | Equals, Does not equal, Equals one of, Does not equal any of
File extension | The file extension at the end of the request path. Example: .png or .php. | Contains, Does not contain, Equals, Does not equal, Length is less than, Length is equal to, Length is greater than, Equals one of, Does not equal any of, Contains one of, Does not contain any of, Matches regex, Does not match regex, Starts with, Ends with, Exists, Does not exist, Is empty
Filename | The filename at the end of the request path. For example, in /abc/index.php, the filename is index.php. | Contains, Does not contain, Equals, Does not equal, Length is less than, Length is equal to, Length is greater than, Equals one of, Does not equal any of, Contains one of, Does not contain any of, Matches regex, Does not match regex, Starts with, Ends with, Exists, Does not exist, Is empty
Host | The domain name in the request. | Contains, Does not contain, Equals, Does not equal, Length is less than, Length is equal to, Length is greater than, Equals one of, Does not equal any of, Contains one of, Does not contain any of, Matches regex, Does not match regex, Starts with, Ends with, Exists, Does not exist, Is empty
Cookie name | A specific cookie name. For example, in acw_tc:111, the cookie name is acw_tc. Cookie names are case-sensitive. | Contains, Does not contain, Equals, Does not equal, Length is less than, Length is equal to, Length is greater than, Equals one of, Does not equal any of, Contains one of, Does not contain any of, Matches regex, Does not match regex, Starts with, Ends with, Exists, Does not exist, Is empty
Body parameter | A specific parameter name in the request body. For example, in a=1&b=2, a and b are parameter names. The value must be longer than 4 characters for WAF to detect it. Parameter names are case-sensitive. | Contains, Does not contain, Equals, Does not equal, Length is less than, Length is equal to, Length is greater than, Equals one of, Does not equal any of, Contains one of, Does not contain any of, Matches regex, Does not match regex, Starts with, Ends with, Exists, Does not exist, Is empty
JA3 fingerprint | An MD5 hash of key TLS handshake parameters—TLS version, cipher suites, compression algorithms, and TLS extensions. The resulting string identifies the TLS configuration of a client and can distinguish browsers, mobile apps, and malware. | Equals, Does not equal, Equals one of
JA4 fingerprint | An extension of JA3 that incorporates additional context such as browser version and operating system. This reduces fingerprint collisions and more accurately distinguishes real users from automated clients, lowering the false positive rate. | Equals, Does not equal, Equals one of
HTTP/2 fingerprint | An MD5 hash of the original HTTP/2 client fingerprint, used to identify and analyze different HTTP/2 clients. | Equals, Does not equal, Equals one of
IDC | Identifies whether traffic originates from a data center, based on source IP attribution. Attackers often use low-cost cloud servers to launch attacks, and this field helps flag such traffic. | Equals one of, Does not equal any of
Web SDK | Probe data collected by the Web SDK, such as the web UMID and the count of keyboard, mouse, or touch events. Use this to detect unusual browser behavior. | Equals, Value is greater than, Value is less than
App SDK | Probe data collected by the App SDK, enabling fine-grained control over mobile app traffic. | Contains, Does not contain, Equals, Does not equal, Length is less than, Length is equal to, Length is greater than, Equals one of, Does not equal any of, Contains one of, Does not contain any of, Matches regex, Does not match regex, Starts with, Ends with, Exists, Does not exist, Is empty