Web Application Firewall: Core web protection rules and rule groups

Last Updated: Mar 31, 2026
Important

This topic covers the original version of the core protection module. If you have upgraded to the new WAF console or are using the core protection module for the first time, see Configure the core protection rule module. For details about the upgrade, see Announcement of upgrading the basic protection rule module in WAF 3.0.

Web Application Firewall (WAF) core protection rules defend your web services against common attacks — SQL injection, cross-site scripting (XSS), code execution, webshell uploads, and command injection. This topic explains the module's components and walks through how to create custom rule groups and protection templates.

How it works

The core protection module intercepts requests using three detection modules, each with a distinct role:

| Detection module | Default state | What it does |
| --- | --- | --- |
| Rules Engine | Enabled | Matches requests against predefined signatures to block known attack patterns. Uses rule groups (Loose, Medium, or Strict) to control detection sensitivity. |
| Semantic Engine | Enabled | Analyzes request content and context to identify unknown attacks and defend against SQL injection attacks. |
| Intelligent O&M | Disabled | Learns from historical traffic to identify rules causing false positives, then automatically adds affected URLs to a whitelist. |

Decoding

Before inspection, the module decodes request data in 23 formats. This includes structured formats such as JSON, XML, and Multipart, as well as obfuscated encodings such as Unicode and HTML entity encoding that attackers use to bypass detection.
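
Why decoding has to come before signature matching, as an added example (not code from this documentation or from the WAF). It is a toy normalizer covering only three encodings (percent-encoding, HTML entities, Unicode escapes); the signature, function names and re-encoded sample values are constructed for illustration.

```python
import html
import re
from urllib.parse import unquote

# Toy signature for the page's incomplete-SQL example ('and 1=1#); real rule sets are far larger.
SIGNATURE = re.compile(r"'\s*and\s+\d+\s*=\s*\d+", re.IGNORECASE)
# \uXXXX and %uXXXX escapes: two ways of writing a code point as text.
_UNICODE_ESCAPE = re.compile(r"(?:\\u|%u)([0-9a-fA-F]{4})")
MAX_PASSES = 5  # bound the loop so nested encodings cannot cause unbounded work


def decode_once(value: str) -> str:
    """Apply one pass of each decoder: Unicode escapes, percent-encoding, HTML entities."""
    value = _UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)
    value = unquote(value)
    return html.unescape(value)


def normalize(value: str) -> str:
    """Decode repeatedly until the value stops changing (or MAX_PASSES is reached)."""
    for _ in range(MAX_PASSES):
        decoded = decode_once(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect(value: str) -> dict:
    """Report whether the signature matches the raw value and the normalized value."""
    canonical = normalize(value)
    return {"raw_match": bool(SIGNATURE.search(value)),
            "normalized_match": bool(SIGNATURE.search(canonical)),
            "canonical": canonical}


# Constructed parameter values: the first is from the page, the rest are re-encodings of it.
SAMPLES = {
    "page_example": "'and 1=1%23",
    "html_entity": "&#39;and 1=1#",
    "unicode_escape": "%u0027and 1=1#",
    "nested": "%26%2339%3Band%201%3D1%23",
    "benign": "anderson 1=1 fan club",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, inspect(raw))
```

Only the first sample matches the signature in raw form; the three re-encoded variants match only after normalization, and the benign value matches in neither.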

Choose a rule group

WAF provides three built-in rule groups. Select the one that matches your tolerance for false positives versus your need for detection coverage:

| Rule group | When to use it |
| --- | --- |
| Loose Rule Group | Your application generates frequent false positives with the Medium group, or you run tools that produce SQL-like query strings (for example, phpMyAdmin or Adminer). Lower detection sensitivity, fewer false positives. |
| Medium Rule Group (default) | Standard web applications. Balanced detection coverage with reasonable false-positive rates. Start here if you are unsure. |
| Strict Rule Group | High-security environments where maximum detection coverage outweighs the risk of occasional false positives. |

When switching to a stricter group, run it in Monitor mode first to identify any rules that block legitimate traffic before setting the action to Block.

You can also create custom rule groups to handpick exactly which rules apply to your services.

Protection templates and how they apply

Each protection template bundles a rule group configuration with per-module action settings (Block or Monitor), and is then assigned to protected objects or protected object groups.

| | Default protection template | Custom protection template |
| --- | --- | --- |
| Created by | System (automatically provided) | You (manually) |
| Rules Engine action | Block, using Medium Rule Group | Configurable: any default or custom rule group, any action |
| Semantic Engine action | Monitor, with Complete SQL Statement Detection enabled | Configurable: action and Complete SQL Statement Detection on/off |
| Intelligent O&M | Disabled | Configurable: Intelligent Whitelist on or off |
| Applied to | All protected objects and groups not assigned to a custom template | Specific protected objects or groups you select |

Prerequisites

Before you begin, make sure you have:

Create a custom rule group

Build a rule group from scratch or base it on one of the built-in groups.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of your WAF instance. The available regions are Chinese Mainland and Outside Chinese Mainland.

  2. In the left-side navigation pane, choose Protection Configuration > Core Web Protection.

  3. In the Core Protection Rule section, click Rule Groups.

  4. On the Rule Groups page, click Create Rule Group.

  5. In the Configure Basic Information of Rule Group step, fill in the parameters and click Next.

    Important

    The basic information of a rule group cannot be changed after creation.

    | Parameter | Description |
    | --- | --- |
    | Rule Group Name | Letters, digits, periods (.), underscores (_), and hyphens (-) are allowed. |
    | Select Protection Template | Create From Scratch: No base template. Add rules manually. Automatic Update is disabled and cannot be enabled. Use Default Rule Group: Start from Loose, Medium, or Strict Rule Group. Automatic Update is available. |
    | Automatic Update | When enabled, rules added to or removed from the selected default rule group are automatically synced to this custom rule group. This setting cannot be changed after the rule group is created, and is only available when Select Protection Template is set to Use Default Rule Group. |
  6. In the Configure Protection Rules step, click Add Rule. In the Add Rule dialog box, select the rules to add. Filter rules by Rule ID, CVE ID, Risk Level, Protection Rule Type, or Application Type. Click Add to add selected rules, or Add All to add all filtered results. To remove a rule after adding it, search for it by Rule ID or CVE ID (or filter by the available parameters), select it, and click Remove. To start over, click Clear All.

    If you selected Use Default Rule Group in step 5, the rules from that group are already included — skip this step unless you want to add more rules. Rules are listed in descending order by update time.
  7. Click Next. In the Complete step, click Complete.

After creating the rule group, manage it from the rule group list:

  • Click the number in the Number Of Built-in Rules column to view the rules in the group.

  • Click Edit, Copy, or Delete in the Actions column to manage the rule group.

Basic information cannot be edited after creation. A copied rule group is named <original name>-copy by default and is not associated with any protected objects. A rule group associated with a protection template cannot be deleted — dissociate it from the core protection rule first.

Create a custom protection template

  1. In the left-side navigation pane, choose Protection Configuration > Core Web Protection.

  2. Scroll to the Core Protection Rule section and click Create Template.

    If this is your first time creating a core protection template, you can also click Configure Now in the Core Protection Rule card at the top of the page.
  3. In the Create Template - Core Protection Rule panel, configure the parameters and click OK.

    Template information

    | Parameter | Description |
    | --- | --- |
    | Template Name | Letters, digits, periods (.), underscores (_), and hyphens (-) are allowed. |
    | Save as Default Template | Sets this template as the default for the protection module. Only one default template is allowed per module. The default template automatically applies to all protected objects and groups not assigned to a custom template, including newly added objects. |

    Rule configuration

    | Parameter | Description |
    | --- | --- |
    | Action | Block: Blocks matching requests and returns a block page. By default, WAF returns a built-in block page. Use the custom response feature to configure a custom page. Monitor: Logs matching requests without blocking. Use this mode to validate rules before enforcing them. Query logs on the Security Reports page (requires Simple Log Service for WAF to be enabled). |
    | Rule Group Type | Default: Associate the template with a built-in rule group: Loose, Medium, or Strict. Custom: Select a custom rule group from the list. See Create a custom rule group. |

    Semantic Engine

    The Semantic Engine is enabled by default to detect SQL injection attacks. Configure the following settings:

    | Parameter | Description |
    | --- | --- |
    | Action | Block or Monitor, with the same behavior as the Rules Engine action above. |
    | Complete SQL Statement Detection (enabled by default) | When enabled, WAF also intercepts requests containing complete SQL statements (for example, /query.php?sql=select name from users where 1=1%23). Disable this if your application uses database tools such as phpMyAdmin or Adminer. Incomplete SQL (for example, /query.php?name='and 1=1%23) is always inspected regardless of this setting. |

    Protocol compliance

    Checks HTTP requests for protocol-layer format issues that can be exploited to bypass WAF, for example malformed file upload requests. This feature is available on pay-as-you-go WAF instances and subscription instances running the Enterprise or Ultimate edition.

    Intelligent O&M

    When Intelligent Whitelist is enabled, WAF learns from historical traffic to identify rules causing false positives, and adds the affected URLs to a whitelist automatically. Whitelist rules are created under the AutoTemplate template in the Whitelist section. See View whitelist rules. This feature is available on pay-as-you-go WAF instances and subscription instances running the Enterprise or Ultimate edition.

    Apply To

    On the Protected Objects and Protected Object Groups tabs, select the items to associate with this template. Each protected object or group can be associated with only one core protection rule template at a time. If you set this template as the default, all objects not assigned to a custom template are pre-selected. Otherwise, no objects are selected by default.

    A newly created protection template is enabled by default.

After creating the template, manage it from the template list:

  • Protected Object/Group column: view the count of associated objects.

  • Status column: toggle the template on or off.

  • Actions column: click Create Rule, Edit, Delete, or Copy.

  • Expand icon (to the left of the template name): view the protection rules in the template.

  • If Intelligent Whitelist is on (indicated by the Intelligent Whitelist enabled icon): click Delivery Record in Actions to view whitelist delivery records. If it is off (indicated by the Intelligent Whitelist disabled icon): toggle Intelligent Whitelist directly from the template list.

Click Rule Groups in the Core Protection Rule section to view the associations between rule groups and protection templates.

Validate rules before blocking

Set the action to Monitor when first applying a new rule group or template. In Monitor mode, WAF logs matched requests without blocking them, giving you visibility into which rules fire on your production traffic.

Check the Core Protection Rule tab on the Security Reports page to review matched requests. After confirming that the rules do not block legitimate traffic, switch the action to Block.

Important

The Core Web Protection page does not support searching for core protection rules by Rule ID. If a rule incorrectly blocks normal traffic, configure a whitelist rule for that rule using the Whitelist module. See Configure protection rules of the whitelist module to allow specific requests.
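
One way to triage Monitor-mode hits before switching to Block, as an added example (not code from this documentation). The log records, field names (`rule_id`, `action`, `path`), rule IDs and the known-good prefix list are all constructed; map them to the fields in your own log export.

```python
import json
from collections import defaultdict

# Constructed Monitor-mode records. The field names (rule_id, action, path) and rule
# IDs are hypothetical, not the WAF log schema; map them to the fields in your export.
SAMPLE_LOG = """\
{"rule_id": "R-1001", "action": "monitor", "path": "/phpmyadmin/sql.php"}
{"rule_id": "R-1001", "action": "monitor", "path": "/phpmyadmin/sql.php"}
{"rule_id": "R-1001", "action": "monitor", "path": "/phpmyadmin/import.php"}
{"rule_id": "R-2002", "action": "monitor", "path": "/query.php"}
{"rule_id": "R-2002", "action": "monitor", "path": "/search"}
{"rule_id": "R-3003", "action": "block", "path": "/api/report"}
not-json-line
"""

# Path prefixes the operator has confirmed as legitimate traffic (assumption).
KNOWN_GOOD_PREFIXES = ("/phpmyadmin/",)


def triage(log_text, known_good=KNOWN_GOOD_PREFIXES):
    """Group Monitor-mode hits by rule ID and flag rules that fire on known-good paths."""
    hits = defaultdict(lambda: {"good": defaultdict(int), "other": defaultdict(int)})
    skipped = 0
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
            rule, path, action = rec["rule_id"], rec["path"], rec["action"]
        except (json.JSONDecodeError, KeyError, TypeError):
            skipped += 1  # count unparsable lines instead of dropping them silently
            continue
        if action != "monitor":
            continue  # only Monitor hits show what Block would newly affect
        bucket = "good" if path.startswith(known_good) else "other"
        hits[rule][bucket][path] += 1
    report = {}
    for rule, seen in sorted(hits.items()):
        report[rule] = {
            "hits": sum(seen["good"].values()) + sum(seen["other"].values()),
            # A rule that fires on confirmed-legitimate paths needs a whitelist rule first.
            "verdict": "whitelist-before-block" if seen["good"] else "no-confirmed-false-positive",
            "whitelist_paths": sorted(seen["good"]),
            "review_paths": sorted(seen["other"]),
        }
    return report, skipped


if __name__ == "__main__":
    report, skipped = triage(SAMPLE_LOG)
    print(json.dumps(report, indent=2), "skipped:", skipped)
```

Paths listed under `review_paths` are not confirmed malicious; they are hits nobody has yet classified and still need a manual look in the Security Reports page.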

What's next

  • View hit records for specific protection rules on the Core Protection Rule tab of the Security Reports page. Click View Details for a specific Rule ID in the attack event record area to see the full attack details.

  • For an overview of WAF 3.0 protection objects, modules, and the protection pipeline, see Protection configuration overview.

  • To create a protection template via API, see CreateDefenseTemplate.

  • To create a core protection rule via API, see CreateDefenseRule.
