After you add your web services to Web Application Firewall (WAF), you can configure whitelist rules to allow requests that have specific characteristics. You can specify the characteristics based on your business requirements. This way, the requests can bypass the checks of specific or all protection modules. The protection modules include but are not limited to the basic protection rule, IP address blacklist, custom rule, and scan protection modules. This topic describes how to create a whitelist rule template and create rules for the template.

Background information

You can create a custom whitelist rule template or use the default whitelist rule template.
Default whitelist rule template
  Description: The built-in whitelist rule template of WAF. It does not contain whitelist rules, so if you want to use it, you must add whitelist rules to it. If you use the default whitelist rule template, you do not need to configure the Apply To parameter.
  Applied to: All protected objects and protected object groups of your WAF instance that are not associated with a custom whitelist rule template.
Custom whitelist rule template
  Description: A whitelist rule template that you create based on your business requirements. When you create a custom whitelist rule template, you must add whitelist rules to it.
  Applied to: The protected objects and protected object groups that you select in the Apply To parameter when you create the template.
Note If no whitelist rules are configured for a custom whitelist rule template, the template does not take effect for protected objects or protected object groups.

Step 1: Create a whitelist rule template

If you want to use the default whitelist rule template, skip this step.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region to which the WAF instance belongs. You can select Chinese Mainland or Outside Chinese Mainland for the region.
  2. In the left-side navigation pane, choose Protection Configuration > Protection Rules.
  3. In the Whitelist section in the lower part of the Protection Rules page, click Create Template.
    Note If no custom whitelist rule templates exist, you can click Configure Now in the Whitelist card in the upper part of the Protection Rules page.
  4. In the Create Template - Whitelist panel, configure the parameters and click OK. The following table describes the parameters.
    Template Name: Specify a name for the template. The name must be 1 to 255 characters in length, and can contain letters, digits, periods (.), underscores (_), and hyphens (-).
    Save as Default Template: Specify whether to set this template as the default template for the whitelist module. You can specify only one default template for a protection module. If you turn on Save as Default Template, you do not need to configure the Apply To parameter: the default template is applied to all protected objects and protected object groups to which no custom template of this module is applied.
    Rule Configuration: Click Create Rule to create a whitelist rule in the template. You can also create whitelist rules after you create the template. For more information, see Step 2: Add a whitelist rule to the whitelist rule template.
    Apply To: Select the protected objects and protected object groups to which you want to apply the template. Only one template of a protection module can be applied to a protected object or a protected object group. For information about how to add protected objects and protected object groups, see Protected objects and protected object groups.

    By default, the new whitelist rule template is enabled. You can perform the following operations in the rule template list:
    • View the number of protected objects or protected object groups that are associated with the rule template.
    • Turn on or turn off Status to enable or disable the rule template.
    • Click Edit or Delete in the Actions column to modify or delete the rule template.
    • Click the show icon to the left of a rule template to view the rules in the template.
      Note If you perform one of the following operations, a whitelist rule template named AutoTemplate is automatically created and a whitelist rule is automatically created for the template.
      • Enable Intelligent Whitelist when you create a basic protection rule. In this case, the origin of the automatically created whitelist rule is Intelligent Whitelist. For more information, see Configure an intelligent whitelist.
      • Click Ignore False Positive for an attacker IP address when you view the security report of the basic protection rule module. In this case, the origin of the automatically created whitelist rule is Custom. For more information, see Basic protection rule module.
      • Click Add to Whitelist for an attacker IP address when you view the security report of the Bot Management module. In this case, the origin of the automatically created whitelist rule is Custom. For more information, see Bot management module.

Step 2: Add a whitelist rule to the whitelist rule template

The whitelist rule template takes effect only after whitelist rules are added to the template. If you already added whitelist rules to the whitelist rule template, skip this step.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region to which the WAF instance belongs. You can select Chinese Mainland or Outside Chinese Mainland for the region.
  2. In the left-side navigation pane, choose Protection Configuration > Protection Rules.
  3. In the Whitelist section, find the whitelist rule template to which you want to add a whitelist rule and click Create Rule in the Actions column.
  4. In the Create Rule dialog box, configure the parameters and click OK. The following table describes the parameters.
    Rule Name: Specify a name for the whitelist rule. The name can contain letters, digits, periods (.), underscores (_), and hyphens (-).
    Match Condition: Specify the characteristics of requests that you want the rule to match. Click Add Condition to add a match condition. You can add up to five match conditions to a rule. If you add multiple match conditions, the rule is matched only if all match conditions are met.
    Each match condition consists of Match Field, Logical Operator, and Match Content. Sample configurations:
    • Example 1: You set the Match Field parameter to URI, the Logical Operator parameter to Contains, and the Match Content parameter to /login.php. If the requested path contains /login.php, the request matches the rule.
    • Example 2: You set the Match Field parameter to IP, the Logical Operator parameter to Belongs To, and the Match Content parameter to 192.XX.XX.1. If a request is sent from a client whose IP address is 192.XX.XX.1, the request matches the rule.
    For more information, see Match conditions.
    Bypassed Modules: Select the protection modules that you want matching requests to bypass. Requests that meet the specified match conditions are not checked by the selected protection modules. Valid values:
    • All: WAF does not check the requests that meet the specified match conditions and forwards the requests to the origin server.

      You can select All if you want to allow all trusted requests, such as requests from trusted vulnerability scanners and the endpoints of authenticated third-party systems.

      Important Every whitelist rule is a bypass, so the narrower its match conditions and the fewer modules it skips, the less protection you give up. We recommend that you bypass only the protection modules, or only the specific basic protection rules, that your business actually requires, and that you reserve All for requests whose source you can pin down, for example by client IP address.
    • Basic Protection Rule: The basic protection module does not check the requests that meet the specified match conditions.
      If you select Basic Protection Rule, you must specify the rules that you do not want to use to check the requests that meet the specified match conditions. Valid values:
      • All Rules: All protection rules in the basic protection rule module are not used to check the requests that meet the specified match conditions. This is the default value.
      • IDs of Specific Rules: The rules of the specified IDs in the basic protection rule module are not used to check the requests that meet the specified match conditions.

        Specify the IDs of the rules. Each rule ID contains six digits. Press the Enter key each time you enter a rule ID. You can specify up to 50 rule IDs.

      • Types of Specific Rules: The rules of the specified types in the basic protection rule module are not used to check the requests that meet the specified match conditions.

        Click the show icon and select the type of rules that you do not want to use to check the requests that meet the specified match conditions.

    • Custom Rule: The custom rule module does not check the requests that meet the specified match conditions.
    • IP Address Blacklist: The IP address blacklist module does not check the requests that meet the specified match conditions.
    • Scan Protection: The scan protection module does not check the requests that meet the specified match conditions.
    • Bot Management: The bot management module does not check the requests that meet the specified match conditions.
    • Website Tamper-proofing: The website tamper-proofing module does not check the requests that meet the specified match conditions.
    • Data Leakage Prevention: The data leakage prevention module does not check the requests that meet the specified match conditions.
    • HTTP Flood Protection: The HTTP flood protection module does not check the requests that meet the specified match conditions.
    • Region Blacklist: The region blacklist module does not check the requests that meet the specified match conditions.
    By default, the new whitelist rule is enabled. You can perform the following operations in the rule list:
    • Turn on or turn off Status to enable or disable the whitelist rule.
    • Click Edit or Delete in the Actions column to modify or delete the whitelist rule.
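    The following Python script is an added example for this topic, not Alibaba Cloud code, and it does not call the WAF API. It models the matching semantics described in Step 2 so that you can reason about a set of whitelist rules before you create them in the console: a rule has 1 to 5 match conditions that must all hold (AND), a matched request skips the selected bypassed modules or every module when All is chosen, rule names use the documented character set, and basic protection rule IDs are six digits with at most 50 per rule. The URI and IP match fields, the Contains and Belongs To operators, and the module names are taken from this page; the Equals operator, the CIDR form of Belongs To, the rule names, the IP addresses (documentation ranges), the rule ID 113001 and the requests are constructed sample data, and the audit() heuristic is this example's own, not a WAF feature.

```python
import ipaddress
import re
from dataclasses import dataclass

# Protection modules listed under "Bypassed Modules" on this page.
MODULES = frozenset({
    "Basic Protection Rule", "Custom Rule", "IP Address Blacklist",
    "Scan Protection", "Bot Management", "Website Tamper-proofing",
    "Data Leakage Prevention", "HTTP Flood Protection", "Region Blacklist",
})


@dataclass(frozen=True)
class Condition:
    """One Match Field / Logical Operator / Match Content triple."""
    match_field: str       # "URI" or "IP", the fields in the page's examples
    logical_operator: str  # "Contains", "Equals" or "Belongs To"
    match_content: str

    def holds(self, request):
        value = request[self.match_field]
        if self.logical_operator == "Contains":
            return self.match_content in value
        if self.logical_operator == "Equals":
            return value == self.match_content
        if self.logical_operator == "Belongs To":
            # Single address or CIDR block (CIDR support is an assumption here).
            return ipaddress.ip_address(value) in ipaddress.ip_network(
                self.match_content, strict=False)
        raise ValueError(f"unsupported operator {self.logical_operator!r}")


@dataclass
class WhitelistRule:
    name: str
    conditions: list             # 1 to 5 Condition objects; all must hold
    bypassed_modules: frozenset  # {"All"} or a subset of MODULES
    basic_rule_ids: frozenset = frozenset()  # six-digit IDs; empty = "All Rules"
    enabled: bool = True

    def __post_init__(self):
        # Enforce the limits the console documents for a whitelist rule.
        if not 1 <= len(self.conditions) <= 5:
            raise ValueError("a rule takes 1 to 5 match conditions")
        if not re.fullmatch(r"[A-Za-z0-9._-]+", self.name):
            raise ValueError("name may contain letters, digits, '.', '_' and '-'")
        if self.bypassed_modules != {"All"} and not self.bypassed_modules <= MODULES:
            raise ValueError(f"unknown module in {sorted(self.bypassed_modules)}")
        if len(self.basic_rule_ids) > 50 or not all(
                re.fullmatch(r"\d{6}", i) for i in self.basic_rule_ids):
            raise ValueError("up to 50 six-digit basic protection rule IDs")

    def matches(self, request):
        # Multiple conditions are ANDed: every one of them must hold.
        return self.enabled and all(c.holds(request) for c in self.conditions)


def modules_skipped(rules, request):
    """Return the set of modules that will not inspect this request."""
    skipped = set()
    for rule in rules:
        if rule.matches(request):
            skipped |= MODULES if rule.bypassed_modules == {"All"} else rule.bypassed_modules
    return skipped


def audit(rules):
    """Example heuristic (not a WAF feature): flag rules that bypass All without
    pinning the client IP, because any client can then reach the bypass simply
    by requesting a matching path."""
    return [r.name for r in rules
            if r.bypassed_modules == {"All"}
            and not any(c.match_field == "IP" for c in r.conditions)]


# Constructed sample rules: documentation IP ranges, made-up rule ID.
RULES = [
    WhitelistRule("internal-scanner", [Condition("IP", "Belongs To", "192.0.2.0/24")],
                  frozenset({"All"})),
    WhitelistRule("login-false-positive", [Condition("URI", "Contains", "/login.php")],
                  frozenset({"Basic Protection Rule"}), frozenset({"113001"})),
    WhitelistRule("partner-login", [Condition("URI", "Contains", "/login.php"),
                                    Condition("IP", "Belongs To", "203.0.113.0/24")],
                  frozenset({"Custom Rule", "HTTP Flood Protection"})),
    WhitelistRule("legacy-upload", [Condition("URI", "Contains", "/upload")],
                  frozenset({"All"})),
]

# Constructed sample requests.
SCANNER_REQ = {"URI": "/api/health", "IP": "192.0.2.10"}
LOGIN_REQ = {"URI": "/login.php?next=/", "IP": "198.51.100.7"}
PARTNER_LOGIN_REQ = {"URI": "/login.php", "IP": "203.0.113.5"}
UPLOAD_REQ = {"URI": "/upload/x.php", "IP": "198.51.100.7"}
OTHER_REQ = {"URI": "/admin", "IP": "198.51.100.7"}

if __name__ == "__main__":
    for label, req in [("scanner", SCANNER_REQ), ("login", LOGIN_REQ),
                       ("partner", PARTNER_LOGIN_REQ), ("upload", UPLOAD_REQ),
                       ("other", OTHER_REQ)]:
        print(f"{label:8} skips {sorted(modules_skipped(RULES, req))}")
    print("overly broad rules:", audit(RULES))
```

    Running the script shows the difference between a fine-grained rule and a broad one: the login request from an arbitrary client skips only the basic protection rule module (and, per the rule, only rule 113001 inside it), the same path from the partner range additionally skips the two modules of partner-login, while legacy-upload lets anyone who requests a path containing /upload skip every module, which is exactly the pattern audit() flags.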

What to do next

To obtain the IDs of rules, go to the Security Reports page. On the Security Reports page, you can view the blocking records of the protection rules and obtain the IDs of the protection rules. For more information, see Security reports.

References

  • Protection configuration overview: describes the protected objects, protection modules, and protection procedures of WAF 3.0.
  • Match conditions: describes the match conditions and match fields that you need to specify when you create a whitelist rule.
  • CreateDefenseTemplate: creates a protection template.
  • CreateDefenseRule: creates a protection rule. When you call this operation to create a whitelist rule, set the DefenseScene parameter to whitelist.