Configure the whitelist module - Web Application Firewall

The whitelist module allows requests that have specified characteristics. You can specify the characteristics based on your business requirements. This way, the requests can bypass the checks of some or all protection modules. The protection modules include the basic protection rule, IP address blacklist, custom rule, and scan protection modules. This topic describes how to enable and configure the whitelist module.

Background information

You can create a custom whitelist rule template or use the default whitelist rule template.


Template	Description	Applied to
Default whitelist rule template	The built-in whitelist rule template of WAF that does not contain specific whitelist rules. If you want to use the default whitelist rule template, you must configure whitelist rules for the template.	If you use the default whitelist rule template, you do not need to configure the Apply To parameter. The default whitelist rule template is applied to all protected objects and protected object groups of your WAF instance with which no custom protection rule templates are associated.
Custom whitelist rule template	The custom whitelist rule template that you create based on your business requirements. When you create a custom whitelist rule template, you must add whitelist rules to the template.	If you create a custom whitelist rule template, you must configure the Apply To parameter to associate the whitelist rule template with specific protected objects and protected object groups.

Note If no whitelist rules are configured for a custom whitelist rule template, the template does not take effect for protected objects or protected object groups.

Prerequisites

A WAF 3.0 instance is purchased. For more information, see Purchase a subscription WAF 3.0 instance and Purchase a pay-as-you-go WAF 3.0 instance.
Web services are added as protected objects in WAF 3.0. For more information, see Manage protected objects.

Step 1: Create a whitelist rule template

If you want to use the default whitelist rule template, skip this step.

Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region to which the WAF instance belongs. You can select Chinese Mainland or Outside Chinese Mainland for the region.
In the left-side navigation pane, choose Protection Configuration > Protection Rules.
In Whitelist section in the lower part of the Protection Rules page, click Create Template.

Note If no custom whitelist rule templates exist, you can click Configure Now in the Whitelist card in the upper part of the Protection Rules page.

In the Create Template-Whitelist panel, configure the following parameters and click OK.


Parameter	Description
Template Name	Enter a name for the whitelist rule template. The template name must be 1 to 255 characters in length and can contain letters, digits, periods (.), underscores (_) and hyphens (-).
Save as Default Template	Specify whether to set this template as the default template for the protection module. You can specify only one default template for a protection module. If you turn on Save as Default Template, you do not need to configure the Apply To parameter. The default template is applied to all of the protected objects and protected object groups that do not have protection templates specified, or have had their protection templates removed. This includes newly-created protected objects and protected object groups.
Rule Configuration	Click Create Rule to create a whitelist rule for the whitelist rule template. You can also create a whitelist rule after the whitelist rule template is created. For more information, see Step 2: Add a whitelist rule to the whitelist rule template.
Apply To	Select the protected objects and protected object groups to which you want to apply the template. You can apply only one template of a protection module to a protected object or a protected object group. For more information about how to manage protected objects and protected object groups, see Manage protected objects and Manage protected object groups.

By default, the new whitelist rule template is enabled. You can perform the following operations on the whitelist rule template in the Whitelist section:

View the number of protected objects or protected object groups that are associated with the whitelist rule template.
Turn on or turn off Status to enable or disable the whitelist rule template.
Click Edit or Delete in the Actions column to modify or delete the whitelist rule template.
Click the icon on the left side of the whitelist rule template to view the rules in the template.

Step 2: Add a whitelist rule to the whitelist rule template

The whitelist rule template takes effect only after whitelist rules are added to the template. If you already added whitelist rules to the whitelist rule template, skip this step.

Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region to which the WAF instance belongs. You can select Chinese Mainland or Outside Chinese Mainland for the region.
In the left-side navigation pane, choose Protection Configuration > Protection Rules.
In the Whitelist section, find the whitelist template for which you want to create a whitelist rule and click Create Rule in the Actions column.

In the Create Rule dialog box, configure the following parameters and click OK.


Parameter	Description
Rule Name	Enter a name for the rule. The template name can contain letters, digits, periods (.), underscores (_) and hyphens (-).
Match Condition	Specify the characteristics of requests that match the rule. Click Add Condition to add a match condition. You can add up to five match conditions to a rule. If you add multiple match conditions, all match conditions must be met for the rule to be a match. Each match condition consists of Match Field, Logical Operator, and Match Content. Examples: Example 1: Assume that you set Match Field to URI, Logical Operator to Contains, and Match Content to `/login.php`. If the requested path contains `/login.php`, the request matches the rule. Example 2: Assume that you set Match Field to IP, Logical Operator to Belongs To, and Match Content to `192.XX.XX.1`. If a request is sent from a client whose IP address is `192.XX.XX.1`, the request matches the rule. For more information, see Match conditions.
Bypassed Modules	Select the protection modules that you want requests to bypass. The requests that meet the specified match conditions are not checked by the selected protection modules. Valid values: All: WAF does not check the requests that meet the specified match conditions and forwards the requests to the origin server. You can select All if you want to allow all trusted requests, such as requests from trusted vulnerability scanners and the endpoints of authenticated third-party systems. Important Fine-grained whitelist rules ensure high security. We recommend that you select a protection module based on your business requirements. Basic Protection Rule: The basic protection module does not check the requests that meet the specified match conditions. Valid values: All Rules: All protection rules in the basic protection rule module are not used to check the requests that meet the specified match conditions. This is the default value. IDs of Specific Rules: The rules of specified IDs in the basic protection rule module are not used to check the requests that meet the specified match conditions. You must enter the IDs of the rules. Each rule ID contains six digits. Press the Enter key each time you enter a rule ID. You can enter up to 50 rule IDs. Types of Specific Rules: The rules of specified types in the basic protection rule module are not used to check the requests that meet the specified match conditions. You must click the icon and select the type of rules that you want requests to bypass. Custom Rule: The custom rule module does not check the requests that meet the specified match conditions. IP Address Blacklist: The IP address blacklist module does not check the requests that meet the specified match conditions. Scan Protection: The scan protection module does not check the requests that meet the specified match conditions. Bot Management: The bot management module does not check the requests that meet the specified match conditions. Website Tamper-proofing: The website tamper-proofing module does not check the requests that meet the specified match conditions. Data Leakage Prevention: The data leakage prevention module does not check the requests that meet the specified match conditions. HTTP Flood Protection: The HTTP flood protection module does not check the requests that meet the specified match conditions. Region Blacklist: The region blacklist module does not check the requests that meet the specified match conditions.

By default, the new whitelist rule is enabled. You can perform the following operations on the whitelist rule in the Whitelist section:

Turn on or turn off Status to enable or disable the whitelist rule.
Click Edit or Delete in the Actions column to modify or delete the whitelist rule.

What to do next

To obtain the IDs of rules, go to the Security Reports page. On the Security Reports page, you can view the blocking records of the protection rules and obtain the IDs of the protection rules. For more information, see Security reports.

References

Protection configuration overview: describes the protected objects, protection modules, and protection procedures of WAF 3.0.
Match conditions: describes the match conditions and match fields that you need to specify when you create a whitelist rule.