This topic covers common protection configuration issues in Web Application Firewall (WAF) 3.0.
How do I disable HTTP flood protection for a specific domain?
Two methods are available:
Method 1 (whitelist rule): Create a whitelist rule that bypasses HTTP flood protection for the target domain.
Method 2 (disable a protection rule): Create an HTTP flood protection rule and disable it for the target domain.
Method 1: Create a whitelist rule
(Optional) Add the domain as a protected object. This step is required only for domains added to an Application Load Balancer (ALB) instance. For details, see Manually add a protected object.
Create a whitelist rule. Set Bypassed Modules to HTTP Flood Protection and set Apply To to the target domain in the rule template. For details, see Create a whitelist rule to allow specific requests.
Requests to the domain now bypass HTTP flood protection.
Method 2: Create an HTTP flood protection rule
The steps differ depending on whether the domain is added to an ALB instance.
Domain not added to an ALB instance
Create an HTTP flood protection rule and set Apply To to the target domain in the rule template. For details, see Create an HTTP flood protection rule to defend against HTTP flood attacks.
Disable the Template Switch for the rule.
Requests to the domain now bypass HTTP flood protection.
Domain added to an ALB instance
Add all domain names of the ALB instance as protected objects. For details, see Manually add a protected object.
Create two HTTP flood protection rules with the following settings. For details, see Create an HTTP flood protection rule to defend against HTTP flood attacks.
| Rule | Action | Apply To | Template Switch |
| --- | --- | --- | --- |
| Rule A | Block or Block (Emergency) (as needed) | Domains that require HTTP flood protection | Enabled |
| Rule B | — | Domain and ALB instance where HTTP flood protection should be disabled | Disabled |
Requests to the domains in Rule A are inspected by the HTTP flood protection module. Requests to the domains in Rule B bypass HTTP flood protection.
Why don't my custom mitigation policy rules with double slashes (//) in the URL match field take effect?
Root cause: WAF's rules engine normalizes all incoming URLs before evaluating rules.
By default, the engine compresses consecutive forward slashes into a single slash. For example, a URL such as //api/sms/request is rewritten to /api/sms/request before any rule is evaluated. As a result, custom mitigation policy rules cannot correctly match URLs that contain double slashes (//).
Solution: When configuring access control list (ACL) rules for a URL that contains double slashes, use the single-slash equivalent as the match content.
For example, to match requests originally sent to //api/sms/request, enter /api/sms/request as the match content.
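The following added example (not WAF code or part of the original documentation) models the slash compression described above and lints a rule set for match content that can never match once the URL is normalized. The rule dictionaries, operator names, and rule names are hypothetical, and only literal match operators are modeled.

```python
import re

# Assumption: models only the slash compression described above; any other
# normalization the WAF engine performs is out of scope for this sketch.
def normalize_path(path):
    """Collapse each run of consecutive '/' into a single '/'."""
    return re.sub(r"/{2,}", "/", path)

# Hypothetical literal operators; the names are not WAF's own.
OPERATORS = {
    "equals": lambda content, path: path == content,
    "prefix": lambda content, path: path.startswith(content),
    "contains": lambda content, path: content in path,
}

def rule_matches(rule, request_path):
    """Evaluate a rule against the normalized path, never the raw one."""
    seen = normalize_path(request_path)
    return OPERATORS[rule["operator"]](rule["match_content"], seen)

def lint_rules(rules):
    """Return (name, match_content, suggested) for rules that can never match.

    A normalized path contains no '//', so literal match content that still
    contains '//' is dead: the rule silently protects nothing.
    """
    findings = []
    for rule in rules:
        content = rule["match_content"]
        suggested = normalize_path(content)
        if suggested != content:
            findings.append((rule["name"], content, suggested))
    return findings

# Constructed sample rules for illustration.
SAMPLE_RULES = [
    {"name": "sms-rate-limit", "operator": "equals", "match_content": "//api/sms/request"},
    {"name": "login-block", "operator": "prefix", "match_content": "/login"},
    {"name": "export-audit", "operator": "contains", "match_content": "/v1//export"},
]

if __name__ == "__main__":
    for name, content, suggested in lint_rules(SAMPLE_RULES):
        print(f"{name}: '{content}' never matches; use '{suggested}'")
    # The raw request still carries '//', but the rule sees the normalized form.
    fixed = {"name": "sms-rate-limit", "operator": "equals", "match_content": "/api/sms/request"}
    print(rule_matches(SAMPLE_RULES[0], "//api/sms/request"), rule_matches(fixed, "//api/sms/request"))
```

Running the lint over an exported rule list before deployment surfaces rules that would otherwise appear configured while matching no traffic.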