The whitelist module allows requests that have specified characteristics. You can
specify the characteristics based on your business requirements. This way, the requests
can bypass the checks of some or all protection modules. The protection modules include
the basic protection rule, IP address blacklist, custom rule, and scan protection
modules. This topic describes how to enable and configure the whitelist module.
Background information
You can create a custom whitelist rule template or use the default whitelist rule
template.
| Template | Description | Applied to |
| --- | --- | --- |
| Default whitelist rule template | The built-in whitelist rule template of WAF that does not contain specific whitelist rules. If you want to use the default whitelist rule template, you must configure whitelist rules for the template. | If you use the default whitelist rule template, you do not need to configure the Apply To parameter. The default whitelist rule template is applied to all protected objects and protected object groups of your WAF instance with which no custom protection rule templates are associated. |
| Custom whitelist rule template | The custom whitelist rule template that you create based on your business requirements. When you create a custom whitelist rule template, you must add whitelist rules to the template. | If you create a custom whitelist rule template, you must configure the Apply To parameter to associate the whitelist rule template with specific protected objects and protected object groups. |
Note If no whitelist rules are configured for a custom whitelist rule template, the template
does not take effect for protected objects or protected object groups.
Step 1: Create a whitelist rule template
If you want to use the default whitelist rule template, skip this step.
- Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region to which the
WAF instance belongs. You can select Chinese Mainland or Outside Chinese Mainland for the region.
- In the left-side navigation pane, choose .
- In the Whitelist section in the lower part of the Protection Rules page, click Create Template.
Note If no custom whitelist rule templates exist, you can click Configure Now in the Whitelist card in the upper part of the Protection Rules page.
- In the Create Template-Whitelist panel, configure the following parameters and click OK.
| Parameter | Description |
| --- | --- |
| Template Name | Enter a name for the whitelist rule template. The template name must be 1 to 255 characters in length and can contain letters, digits, periods (.), underscores (_) and hyphens (-). |
| Save as Default Template | Specify whether to set this template as the default template for the protection module. You can specify only one default template for a protection module. If you turn on Save as Default Template, you do not need to configure the Apply To parameter. The default template is applied to all of the protected objects and protected object groups that do not have protection templates specified, or have had their protection templates removed. This includes newly-created protected objects and protected object groups. |
| Rule Configuration | Click Create Rule to create a whitelist rule for the whitelist rule template. You can also create a whitelist rule after the whitelist rule template is created. For more information, see Step 2: Add a whitelist rule to the whitelist rule template. |
| Apply To | Select the protected objects and protected object groups to which you want to apply the template. You can apply only one template of a protection module to a protected object or a protected object group. For more information about how to manage protected objects and protected object groups, see Manage protected objects and Manage protected object groups. |
By default, the new whitelist rule template is enabled. You can perform the following
operations on the whitelist rule template in the Whitelist section:
- View the number of protected objects or protected object groups that are associated
with the whitelist rule template.
- Turn on or turn off Status to enable or disable the whitelist rule template.
- Click Edit or Delete in the Actions column to modify or delete the whitelist rule template.
- Click the icon on the left side of the whitelist rule template to view the rules in the template.
Step 2: Add a whitelist rule to the whitelist rule template
The whitelist rule template takes effect only after whitelist rules are added to the
template. If you already added whitelist rules to the whitelist rule template, skip
this step.
- Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region to which the
WAF instance belongs. You can select Chinese Mainland or Outside Chinese Mainland for the region.
- In the left-side navigation pane, choose .
- In the Whitelist section, find the whitelist template for which you want to create a whitelist rule
and click Create Rule in the Actions column.
- In the Create Rule dialog box, configure the following parameters and click OK.
| Parameter | Description |
| --- | --- |
| Rule Name | Enter a name for the rule. The name can contain letters, digits, periods (.), underscores (_) and hyphens (-). |
| Match Condition | Specify the characteristics of requests that match the rule. Click Add Condition to add a match condition. You can add up to five match conditions to a rule. If you add multiple match conditions, all match conditions must be met for the rule to be a match. Each match condition consists of Match Field, Logical Operator, and Match Content. Example 1: Assume that you set Match Field to URI, Logical Operator to Contains, and Match Content to /login.php. If the requested path contains /login.php, the request matches the rule. Example 2: Assume that you set Match Field to IP, Logical Operator to Belongs To, and Match Content to 192.XX.XX.1. If a request is sent from a client whose IP address is 192.XX.XX.1, the request matches the rule. For more information, see Match conditions. |
| Bypassed Modules | Select the protection modules that you want requests to bypass. The requests that meet the specified match conditions are not checked by the selected protection modules. Valid values: |
By default, the new whitelist rule is enabled. You can perform the following operations
on the whitelist rule in the Whitelist section:
- Turn on or turn off Status to enable or disable the whitelist rule.
- Click Edit or Delete in the Actions column to modify or delete the whitelist rule.
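The match-condition semantics from the Match Condition parameter (all conditions must be met, URI Contains as a substring test), modelled locally as an added example; it is not Alibaba Cloud code and does not call any WAF API. The class names, the request dictionaries, the paths and the 192.0.2.x / 198.51.100.x addresses are constructed for illustration, and treating Belongs To content as an address or CIDR block is an assumption.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Condition:
    field: str     # "URI" or "IP", the two fields in the page's examples
    operator: str  # "Contains" or "Belongs To"
    content: str

    def matches(self, request: dict) -> bool:
        if (self.field, self.operator) == ("URI", "Contains"):
            return self.content in request["uri"]  # plain substring test
        if (self.field, self.operator) == ("IP", "Belongs To"):
            # Assumption: content is a single address or a CIDR block.
            network = ipaddress.ip_network(self.content, strict=False)
            return ipaddress.ip_address(request["ip"]) in network
        raise ValueError(f"not modelled: {self.field} {self.operator}")

@dataclass(frozen=True)
class WhitelistRule:
    name: str
    conditions: tuple
    bypassed_modules: frozenset

    def __post_init__(self):
        # Model's choice: reject empty rules, since all([]) would match everything.
        if not 1 <= len(self.conditions) <= 5:  # page: up to five conditions
            raise ValueError("a rule needs 1 to 5 match conditions")

    def bypassed_for(self, request: dict) -> frozenset:
        # Every condition must be met for the rule to match (logical AND).
        if all(c.matches(request) for c in self.conditions):
            return self.bypassed_modules
        return frozenset()

MODULES = frozenset({"basic protection rule", "scan protection"})
URI_COND = Condition("URI", "Contains", "/login.php")
IP_COND = Condition("IP", "Belongs To", "192.0.2.10")  # constructed address
uri_only = WhitelistRule("login-uri", (URI_COND,), MODULES)
uri_and_ip = WhitelistRule("login-uri-ip", (URI_COND, IP_COND), MODULES)
# Constructed requests: documentation-range addresses, made-up paths.
REQUESTS = [
    {"ip": "192.0.2.10", "uri": "/login.php"},
    {"ip": "198.51.100.7", "uri": "/login.php"},
    {"ip": "198.51.100.7", "uri": "/reports/login.php.bak"},
]

def coverage(rule: WhitelistRule) -> list:
    return [bool(rule.bypassed_for(r)) for r in REQUESTS]
```

In this model, `coverage(uri_only)` flags all three constructed requests, including the one whose path merely contains /login.php, while `coverage(uri_and_ip)` flags only the first. Running a planned rule against representative requests this way shows how much traffic will skip the selected modules before the rule is enabled.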
What to do next
To obtain the IDs of rules, go to the Security Reports page. On the Security Reports page, you can view the blocking records of the protection rules and obtain the IDs
of the protection rules. For more information, see Security reports.
References
- Protection configuration overview: describes the protected objects, protection modules, and protection procedures of
WAF 3.0.
- Match conditions: describes the match conditions and match fields that you need to specify when you
create a whitelist rule.