After you add a website to Web Application Firewall (WAF), you can enable the custom protection policy feature to protect the website. This feature allows you to customize access control list (ACL) rules based on precise match conditions and configure rate limiting. Custom protection policies can be tailored for different scenarios, such as hotlink protection and website backend protection.


Background information

The custom protection policy feature is implemented by using custom protection rules. Custom protection rules include ACL rules and HTTP flood protection rules.
  • An ACL rule filters requests based on precise match conditions such as client IP addresses, request URLs, and common request headers.
  • An HTTP flood protection rule filters requests based on the precise match conditions and rate limiting you have configured.


The number and specifications of custom rules that can be configured vary based on the editions of subscription WAF instances.

Specification Description Pro edition Business edition Enterprise edition and higher
Number of custom protection rules The maximum number of custom protection rules that you can create. 200 per domain name 200 per domain name 200 per domain name
Advanced match fields The advanced match fields other than IP addresses and URLs that you can specify in custom protection rules. Not supported Supported Supported
Rate limiting The rate limiting settings in a custom protection policy. The settings define an HTTP flood protection rule. Not supported Supported Supported
Custom statistical objects The custom statistical objects other than IP addresses and sessions that can be used to configure rate limiting. Not supported Supported Supported


  1. Log on to the WAF console.
  2. In the top navigation bar, select the resource group and the region to which the WAF instance belongs. The region can be Chinese Mainland or Outside Chinese Mainland.
  3. In the left-side navigation pane, choose Protection Settings > Website Protection.
  4. In the upper part of the Website Protection page, select the domain name for which you want to configure a whitelist. Switch Domain Name
  5. Click the Access Control/Throttling tab and find the Custom Protection Policy section. Then, turn on Status and click Settings. Custom Protection Policy
    Note When the custom protection policy feature is enabled, all requests destined for your website are checked by the feature. You can configure a whitelist rule for Access Control/Throttling to allow requests that match the whitelist rule to bypass the check. For more information, see Configure a whitelist for Access Control/Throttling.
  6. Create a custom protection rule.
    1. On the Custom Protection Policy page, click Create Custom Protection Policy.
    2. In the Create Rule dialog box, configure the following parameters. ACL
      Parameter Description
      Rule name The name of the rule that you want to create.
      Matching Condition The match conditions of the rule. The rule is triggered only when match conditions are met. Click Add rule to add more conditions. You can add a maximum of five conditions. If you specify multiple match conditions, the rule is triggered only after all the match conditions are met.

      For more information about conditions, see Fields in match conditions.

      Rate Limiting Enables or disables rate limiting. WAF starts calculating the request rate only when match conditions are met. When you enable rate limiting, you must configure the parameters to collect statistics. HTTP Flood Protection

      For more information about rate limiting parameters, see Rate limiting parameters.

      Action The action to be performed after the rule is triggered. Valid values:
      • Monitor: triggers alerts but does not block requests.
      • Block: blocks requests.
      • CAPTCHA: redirects requests to another page to implement CAPTCHA verification.
      • Strict Captcha: redirects requests to another page to implement strict CAPTCHA verification.
      • JavaScript Validation: triggers JavaScript verification.
      If you enable Rate Limiting, you must specify TTL (Seconds) during which the action takes effect.
      Note A certain latency may exist in the statistical process because WAF collects data from multiple servers in a cluster to calculate the request rate.
      Protection Type The type of the rule. This parameter is automatically set based on the status of Rate Limiting.
      • If rate limiting is enabled, the value is set to HTTP Flood Protection.
      • If rate limiting is disabled, the value is set to ACL.

      The following table describes the rate limiting parameters.

      Parameter Description
      Statistical Object The object based on which the request rate is calculated. Valid values:
      • IP: calculates the number of requests from a specific IP address.
      • Session: calculates the number of requests transmitted over a specific session.
      • Custom-Header: calculates the number of requests with the same specified header content.
      • Custom-Param: calculates the number of requests with the same specified parameter content.
      • Custom-Cookie: calculates the number of requests with the same specified cookie content.
      Interval (Seconds) The time period during which the number of requests is calculated.
      Threshold (Occurrences) The maximum number of requests that are allowed from the object during the specified time period. If this limit is exceeded, rate limiting is triggered.
      Status Code The HTTP status code. After the detection logic takes effect, the number or percentage of the specified Status Code within the specified time period is calculated. Select either the amount or the percentage.
      • Amount: the maximum number of the specified HTTP status codes.
      • Percentage (%): the maximum percentage of the requests for which the specified HTTP status code is returned in the total requests.
      Take Effect For The objects to which rate limiting is applied. Valid values:
      • Feature Matching Objects: Only requests that meet the match conditions of the protection rule are calculated.
      • Applied Domains: All requests that are destined for the domain name are calculated.
    3. Click Save.
    After a custom protection rule is created, it is automatically enabled. You can view, disable, edit, or delete the rule in the rule list based on your business requirements.