
Web Application Firewall: FAQ about mitigation settings

Last Updated: Oct 29, 2025

This topic describes common issues and solutions for configuring mitigation settings in Web Application Firewall (WAF) 3.0.

How do I disable HTTP flood protection for a domain name?

If you want requests that are sent to a domain name to bypass HTTP flood protection, use one of the following methods.

Create a whitelist rule

  1. (Optional) Add the domain name for which you want to disable HTTP flood protection as a protected object. For more information, see Manually add a protected object. This step is required only for domain names that are added to an Application Load Balancer (ALB) instance.

  2. Create a whitelist rule and set its Bypassed Modules parameter to HTTP Flood Protection. In the rule template, set the Apply To parameter to the domain name for which you want to disable HTTP flood protection. For more information, see Create a whitelist rule to allow specific requests.

After you complete these steps, requests sent to the domain name added to the whitelist rule bypass HTTP flood protection.

Create an HTTP flood protection rule

The domain name is not added to an ALB instance

  1. Create an HTTP flood protection rule. In the rule template, set the Apply To parameter to the domain name for which you want to disable HTTP flood protection. For more information, see Create an HTTP flood protection rule to defend against HTTP flood attacks.

  2. Disable the Template Switch for the HTTP flood protection rule.

After you complete these steps, HTTP flood protection is bypassed for requests that are sent to the domain name specified in the rule.

The domain name is added to an ALB instance

  1. Add all domain names of the ALB instance as protected objects. For more information, see Manually add a protected object.

  2. Create two HTTP flood protection rules. For more information, see Create an HTTP flood protection rule to defend against HTTP flood attacks.

    The protection rules must meet the following requirements:

    • Rule A: As needed, set Action to Block or Block (Emergency). Set Apply To to the domain names of the ALB instance that require HTTP flood protection.

    • Rule B: Set Apply To to the domain names and the ALB instance where you want to disable HTTP flood protection.

  3. Enable the Template Switch for Rule A and disable the Template Switch for Rule B.

After you complete these steps, requests sent to the domain names in Rule A are detected by the HTTP flood protection module. Requests sent to the domain names in Rule B bypass HTTP flood protection.

Why do custom mitigation policy rules that contain double slashes (//) in the URL match field not take effect?

The WAF rules engine normalizes the URL match field. By default, it compresses consecutive forward slashes (/). As a result, custom mitigation policy rules cannot correctly match URLs that contain double slashes (//).

To configure access control list (ACL) rules for a URL that contains double slashes (//), set the match condition to the corresponding path with a single slash. For example, to match the URL //api/sms/request, enter /api/sms/request as the match content. WAF then applies access control to requests that contain this content.
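The following sketch is an added example, not WAF code or a WAF API. It models the slash compression described above and audits a rule list for match content that can never match after normalization. The rule names, the dictionary layout, the "contains" match operator, and the restriction to the path portion of the URL are assumptions made for illustration.

```python
import re

# Constructed sample rules; names and fields are hypothetical, not WAF API objects.
RULES = [
    {"name": "sms-acl-double", "match": "//api/sms/request"},
    {"name": "sms-acl-single", "match": "/api/sms/request"},
]


def normalize_path(path: str) -> str:
    """Compress each run of '/' into a single '/', the default behaviour
    the page describes for the URL match field."""
    return re.sub(r"/{2,}", "/", path)


def matching_rules(request_path, rules):
    """Return the names of rules whose match content appears in the
    normalized request path ('contains' matching is an assumption)."""
    normalized = normalize_path(request_path)
    return [r["name"] for r in rules if r["match"] in normalized]


def audit_rules(rules):
    """Flag rules whose match content contains consecutive slashes.
    Such content cannot appear in a normalized path, so the rule is dead.
    Returns (rule name, current content, suggested content) tuples."""
    findings = []
    for r in rules:
        fixed = normalize_path(r["match"])
        if fixed != r["match"]:
            findings.append((r["name"], r["match"], fixed))
    return findings


if __name__ == "__main__":
    # Constructed request paths, including repeated slashes mid-path.
    for path in ("//api/sms/request", "/api/sms/request", "/api///sms//request"):
        print(path, "->", normalize_path(path), matching_rules(path, RULES))
    for name, old, new in audit_rules(RULES):
        print(f"rule {name}: {old!r} never matches; use {new!r}")
```

Running a check like `audit_rules` over an exported rule list before deployment surfaces access-control rules that look active in the console but match nothing.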