This topic provides answers to some frequently asked questions about the protection configuration of Web Application Firewall (WAF) 3.0.
How do I disable HTTP flood protection for a domain name?
If you want requests that are sent to a domain name not to be detected by the HTTP flood protection module, use one of the following methods to disable HTTP flood protection for the domain name.
The domain name must be a domain name that is added to WAF in CNAME record mode, a domain name hosted on an Application Load Balancer (ALB) instance that is added to WAF in cloud native mode, or a custom domain name in Function Compute that is added to WAF in cloud native mode.
Method 1: Create a whitelist rule
(Optional) Add the domain name for which you want to disable HTTP flood protection to WAF as a protected object. For more information, see the "Manually add protected objects" section in the Protected objects and protected object groups topic. This operation is required only when the domain name is hosted on an ALB instance.
Create a whitelist rule. Before you create a whitelist rule, create or modify a whitelist template. When you create or modify a whitelist template, set the Apply To parameter to the domain name for which you want to disable HTTP flood protection. Then, create a whitelist rule for the whitelist template. When you create a whitelist rule, set the Bypassed Modules parameter to HTTP Flood Protection. For more information, see Configure whitelist rules to allow specific requests.
After you complete the preceding configurations, requests that are sent to the domain name are not detected by the HTTP flood protection module.
Method 2: Create an HTTP flood protection rule
If the domain name is not hosted on an ALB instance
Create an HTTP flood protection rule. Before you create an HTTP flood protection rule, create an HTTP flood protection template. When you create an HTTP flood protection template, set the Apply To parameter to the domain name for which you want to disable HTTP flood protection. For more information, see Configure HTTP flood protection rules to defend against HTTP flood attacks.
Then, an HTTP flood protection rule is automatically created for the template. In the HTTP flood protection section, find the HTTP flood protection rule and turn off the switch in the Status column.
After you complete the preceding configurations, requests that are sent to the domain name are not detected by the HTTP flood protection module.
If the domain name is hosted on an ALB instance
Add all domain names that are hosted on the ALB instance to WAF as protected objects. For more information, see the "Manually add protected objects" section in the Protected objects and protected object groups topic.
Create two HTTP flood protection rules. For more information, see Configure HTTP flood protection rules to defend against HTTP flood attacks.
The configuration of the two HTTP flood protection rules must meet the following requirements:
Rule A: Set the Action parameter to Protection or Protection-emergency. Then, set the Apply To parameter to the domain name for which you want to enable HTTP flood protection.
Rule B: Set the Apply To parameter to the domain names that are hosted on the ALB instance for which you want to disable HTTP flood protection.
In the HTTP flood protection section, find Rule A and turn on the switch in the Status column. Then, find Rule B and turn off the switch in the Status column.
After you complete the preceding configurations, requests that are sent to the domain names with which Rule A is associated are detected by the HTTP flood protection module. Requests that are sent to the domain names with which Rule B is associated are not detected by the HTTP flood protection module.