You must add match conditions when you configure website whitelists and custom protection policies and specify the actions that Web Application Firewall (WAF) performs on the requests that meet the match conditions. This topic describes the fields that you can use in match conditions.

Match conditions and actions

Match conditions

  • Each match condition consists of a matching field, logical operator, and matching content. You can use regular expressions only in some of the matching fields. For more information, see Supported matching fields.
  • You can add up to five match conditions to a protection rule. The logical operator between the conditions is AND. The custom rule takes effect only when all the match conditions are met.

Actions

When you configure a protection rule for a whitelist, you must specify a module in the Bypassed Modules parameter. Then, requests are not checked by the specified module. When you configure a custom protection policy, you must specify an action that is performed on the requests that meet the match conditions by setting the Action parameter. For more information, see the following topics:

Supported matching fields

Matching field | Edition | Logical operator | Description
URL
Edition: Pro, Business, Enterprise, and Exclusive
Logical operator:
  • Equals, Does not equal, Equals to one of multiple values, and Does not equal to any value
  • Contains, Does not contain, Contains one of multiple values, and Does not contain any value
  • Length equals, Length more than, and Length less than
  • URL Path Match and Suffix match
  • Regular Expression and Regular expression mismatch
Description: The URL of the request.
IP
Edition: Pro, Business, Enterprise, and Exclusive
Logical operator: Has and Does not have
Description: The source IP address of the request. You can enter IP addresses or CIDR blocks such as 47.100.XX.XX/24.
Note: You can enter a maximum of 50 IP addresses or CIDR blocks for a single protection rule. Assume that a protection rule has two match conditions with IP as their matching field. The total number of IP addresses or CIDR blocks that you enter in the matching content of the two match conditions can be up to 50. Multiple IP addresses or CIDR blocks must be separated with commas (,).
Referer
Edition: Pro, Business, Enterprise, and Exclusive
Logical operator:
  • Equals, Does not equal, Equals to one of multiple values, and Does not equal to any value
  • Contains, Does not contain, Contains one of multiple values, and Does not contain any value
  • Exists and Does not exist
  • Null
  • Length equals, Length more than, and Length less than
  • URL Path Match and Suffix match
  • Regular Expression and Regular expression mismatch
Description: The URL of the source page from which the access request is redirected.
User-Agent
Edition: Pro, Business, Enterprise, and Exclusive
Logical operator:
  • Equals, Does not equal, Equals to one of multiple values, and Does not equal to any value
  • Contains, Does not contain, Contains one of multiple values, and Does not contain any value
  • Exists and Does not exist
  • Null
  • Length equals, Length more than, and Length less than
  • URL Path Match and Suffix match
  • Regular Expression and Regular expression mismatch
Description: The browser information about the client that initiates the request. The information includes the browser, rendering engine, and version.
Params
Edition: Pro, Business, Enterprise, and Exclusive
Logical operator:
  • Equals, Does not equal, Equals to one of multiple values, and Does not equal to any value
  • Contains, Does not contain, Contains one of multiple values, and Does not contain any value
  • Exists and Does not exist
  • Length equals, Length more than, and Length less than
  • URL Path Match and Suffix match
  • Regular Expression and Regular expression mismatch
Description: The parameter part in the request URL. The parameter part follows the question mark (?) in the URL. For example, in www.example.com/index.html?action=login, action=login is the parameter part.
Query-Arg
Edition: Pro, Business, Enterprise, and Exclusive
Logical operator:
  • Equals, Does not equal, Equals to one of multiple values, and Does not equal to any value
  • Contains, Does not contain, Contains one of multiple values, and Does not contain any value
  • Exists and Does not exist
  • Null
  • Length equals, Length more than, and Length less than
  • URL Path Match and Suffix match
  • Regular Expression
Description: The parameter part in the request URL. The parameter part follows the question mark (?) in the URL. For example, in www.example.com/request_path?arg1=a&arg2=b, arg1 or arg2 is the query string.
Note: When you configure a match condition, if the Matching field parameter is set to Query-Arg, the Logical operator parameter is set to Contains, and the Matching content parameter is set to arg, requests that contain arg1 or arg2 are matched. If you want to filter requests based on precise match conditions, we recommend that you set the Matching field parameter to Query-Arg, the Logical operator parameter to Contains, and the Matching content parameter to arg1 or arg2.
URLPath
Edition: Pro, Business, Enterprise, and Exclusive
Logical operator:
  • Equals, Does not equal, Equals to one of multiple values, and Does not equal to any value
  • Contains, Does not contain, Contains one of multiple values, and Does not contain any value
  • Length equals, Length more than, and Length less than
  • URL Path Match and Suffix match
  • Regular Expression and Regular expression mismatch
Description: The URL path of the request.
Cookie
Edition: Business, Enterprise, and Exclusive
Logical operator:
  • Equals, Does not equal, Equals to one of multiple values, and Does not equal to any value
  • Contains, Does not contain, Contains one of multiple values, and Does not contain any value
  • Exists and Does not exist
  • Length equals, Length more than, and Length less than
  • Regular Expression and Regular expression mismatch
Description: The cookie information in an access request.
Content-Type
Edition: Business, Enterprise, and Exclusive
Logical operator:
  • Equals, Does not equal, Equals to one of multiple values, and Does not equal to any value
  • Contains, Does not contain, Contains one of multiple values, and Does not contain any value
  • Length equals, Length more than, and Length less than
  • Regular Expression and Regular expression mismatch
Description: The HTTP content type that is specified for the response. The HTTP content type is known as the Multipurpose Internet Mail Extensions (MIME) type.
Content-Length
Edition: Business, Enterprise, and Exclusive
Logical operator: Equals, Value more than, and Value less than
Description: The number of bytes in the response.
X-Forwarded-For
Edition: Business, Enterprise, and Exclusive
Logical operator:
  • Equals, Does not equal, Equals to one of multiple values, and Does not equal to any value
  • Includes and Does not include
  • Does not exist
  • Length equals, Length more than, and Length less than
Description: The originating IP address of the client that initiates access requests. The HTTP X-Forwarded-For (XFF) header is used to identify the originating IP address of the request that is forwarded by an HTTP proxy or a load balancer. The XFF header is included only in requests that are forwarded by an HTTP proxy or a load balancer.
Post-Body
Edition: Business, Enterprise, and Exclusive
Logical operator:
  • Equals and Does not equal
  • Includes and Does not include
  • Does not exist
  • URL Path Match and Suffix match
  • Regular Expression
Description: The content of the request.
Server-Port
Edition: Business, Enterprise, and Exclusive
Logical operator: Equals, Does not equal, Equals to one of multiple values, and Does not equal to any value
Description: The port number of the origin server. For example, in www.example.com:9999, the port number is 9999.
Http-Method
Edition: Business, Enterprise, and Exclusive
Logical operator: Equals, Does not equal, Equals to one of multiple values, and Does not equal to any value
Description: The request method. Valid values: GET, POST, DELETE, PUT, and OPTIONS.
Header
Edition: Business, Enterprise, and Exclusive
Logical operator:
  • Equals, Does not equal, Equals to one of multiple values, and Does not equal to any value
  • Contains, Does not contain, Contains one of multiple values, and Does not contain any value
  • Exists and Does not exist
  • Length equals, Length more than, and Length less than
  • Regular Expression and Regular expression mismatch
Description: The header of the request, which is used to create a custom HTTP header.
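The following added example (not WAF's own code) models the rule semantics described in this topic: the five-condition limit, the AND between conditions, the 50-entry IP limit summed across IP conditions, and the Query-Arg Contains behavior from the Note. All function names and the request layout are hypothetical, the sample addresses are constructed, and the substring test on argument names is an assumption drawn from the Note.

```python
import ipaddress
from urllib.parse import parse_qsl

MAX_CONDITIONS = 5   # page: up to five match conditions per protection rule
MAX_IP_ENTRIES = 50  # page: 50 IPs/CIDR blocks per rule, summed over all IP conditions

def ip_entries(content):
    """Split comma-separated matching content into network objects."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in content.split(",")]

def validate_rule(conditions):
    """Return the limit violations for a rule given as (field, operator, content) tuples."""
    problems = []
    if len(conditions) > MAX_CONDITIONS:
        problems.append("more than 5 match conditions")
    total = sum(len(ip_entries(c)) for f, _, c in conditions if f == "IP")
    if total > MAX_IP_ENTRIES:
        problems.append("%d IP entries exceed the limit of 50" % total)
    return problems

def condition_matches(condition, request):
    field, operator, content = condition
    if field == "IP" and operator in ("Has", "Does not have"):
        src = ipaddress.ip_address(request["src_ip"])
        hit = any(src in net for net in ip_entries(content))
        return hit if operator == "Has" else not hit
    if field == "Query-Arg" and operator == "Contains":
        # Assumption: substring test against each argument name, as the Note implies.
        names = [k for k, _ in parse_qsl(request["query"], keep_blank_values=True)]
        return any(content in name for name in names)
    if field == "URLPath" and operator == "Equals":
        return request["path"] == content
    raise ValueError("not modelled: %s / %s" % (field, operator))

def rule_matches(conditions, request):
    """AND semantics: the rule applies only when every condition matches."""
    return all(condition_matches(c, request) for c in conditions)

# Constructed sample rule and requests (documentation-range addresses).
RULE = [
    ("URLPath", "Equals", "/request_path"),
    ("IP", "Has", "203.0.113.0/24, 198.51.100.7"),
    ("Query-Arg", "Contains", "arg1"),
]
REQ_OK = {"src_ip": "203.0.113.9", "path": "/request_path", "query": "arg1=a&arg2=b"}
REQ_OTHER_IP = dict(REQ_OK, src_ip="192.0.2.1")
REQ_ARG10 = dict(REQ_OK, query="arg10=x")  # "arg1" is a substring of "arg10"
```

Under the assumed substring semantics, a Contains condition on arg1 also matches a request that carries only arg10, so review whitelist rules built on Query-Arg Contains for argument names that share a prefix.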