You must add match conditions when you configure custom rules for whitelists and custom protection policies for Web Application Firewall (WAF). This topic describes the fields that you can use in the match conditions and their descriptions.

Match conditions and actions

You can configure custom rules for whitelists and custom protection policies in the WAF console. A custom rule consists of match conditions and actions. When you configure a custom rule, you must specify the match fields, logical operators, and match content to add match conditions. You also need to select an action to perform on requests that match the conditions you specify.

Supported match fields

The following table describes the match fields that are supported in match conditions.

Match field Edition Logical operator Description
IP Pro edition or higher Belongs To and Does Not Belong To The source IP address of the request. You can enter IP addresses or CIDR blocks. Example: 47.100.XX.XX/24.
Note You can enter up to 50 IP addresses or CIDR blocks. Separate them with commas (,).
URL Pro edition or higher
  • Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value
  • Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value
  • Length Equal To, Length Greater Than, Length Less Than
  • Prefix Match and Suffix Match
  • Regular Expression Match and Regular Expression Mismatch
The URL of the request.
Referer Pro edition or higher
  • Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value
  • Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value
  • Exists, Does Not Exist, and Empty
  • Length Equal To, Length Greater Than, Length Less Than
  • Prefix Match and Suffix Match
The URL of the source page from which the request is redirected.
User-Agent Pro edition or higher
  • Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value
  • Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value
  • Exists, Does Not Exist, and Empty
  • Length Equal To, Length Greater Than, Length Less Than
  • Prefix Match and Suffix Match
The browser information about the client that initiates the request. The information includes the browser, rendering engine, and version.
Params Pro edition or higher
  • Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value
  • Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value
  • Exists, Does Not Exist, and Empty
  • Length Equal To, Length Greater Than, Length Less Than
  • Prefix Match and Suffix Match
The parameter part in the request URL. The parameter part follows the question mark (?) in the URL. Example: In www.example.com/index.html?action=login, action=login is the parameter part.
Query-Arg Pro edition or higher
  • Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value
  • Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value
  • Exists, Does Not Exist, and Empty
  • Length Equal To, Length Greater Than, Length Less Than
  • Prefix Match and Suffix Match
The query string in the request URL. The query string is the part that follows the question mark (?) in the URL. Example: In www.example.com/request_path?arg1=a&arg2=b, arg1 or arg2 is the query string.
Note If multiple query strings are included in the request and the Matching field parameter is set to Query-Arg, the Logical operator parameter is set to Includes, and the Matching content parameter is set to arg, requests that contain arg1 or arg2 are matched. If you want to filter requests based on precise match conditions, we recommend that you set the Matching field parameter to Query-Arg, the Logical operator parameter to Includes, and the Matching content parameter to arg1 or arg2.
URLPath Pro edition or higher
  • Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value
  • Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value
  • Length Equal To, Length Greater Than, Length Less Than
  • Prefix Match and Suffix Match
  • Regular Expression Match and Regular Expression Mismatch
The URL path of the request.
Cookie Business edition or higher
  • Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value
  • Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value
  • Exists, Does Not Exist, and Empty
  • Length Equal To, Length Greater Than, Length Less Than
The cookie information in the request.
Content-Type Business edition or higher
  • Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value
  • Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value
  • Length Equal To, Length Greater Than, Length Less Than
The HTTP content type that is specified for the response. The HTTP content type is known as the Multipurpose Internet Mail Extensions (MIME) type.
Content-Length Business edition or higher Value Less Than, Value Equals, and Value More Than The number of bytes that is allowed in the response.
X-Forwarded-For Business edition or higher
  • Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value
  • Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value
  • Length Equal To, Length Greater Than, Length Less Than
The originating IP address. The HTTP X-Forwarded-For (XFF) header is used to identify the originating IP address of the request that is forwarded by an HTTP proxy or a Server Load Balancer (SLB) instance. The XFF header is included only in the request that is forwarded by an HTTP proxy or an SLB instance.
Post-Body Business edition or higher
  • Equals and Does Not Equal
  • Contains and Does Not Contain
  • Exists, Does Not Exist, and Empty
  • Does Not Exist
  • Prefix Match and Suffix Match
The content of the request.
Server-Port Business edition or higher Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value The port number of the origin server. Example: In www.example.com:9999, the port number is 9999.
Http-Method Business edition or higher Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value The request method. Valid values: GET, POST, DELETE, PUT, and OPTIONS.
Header Business edition or higher
  • Equals, Does Not Equal, Equals One of Multiple Values, Does Not Equal Any Value
  • Contains, Does Not Contain, Contains One of Multiple Values, Does Not Contain Any Value
  • Exists, Does Not Exist, and Empty
  • Length Equal To, Length Greater Than, Length Less Than
The header of the request, which is used to create a custom HTTP header.