Access Rules for Edge Policies
Use Web Application Firewall to manage access rules within an Edge policy.
As a WAF administrator, you can define explicit actions for requests that meet various conditions. Conditions use various operations and regular expressions. A rule action can be set to log and allow, detect, block, redirect, bypass, or show a CAPTCHA for all matched requests.
The following table lists the available conditions for an access rule.

| Criteria Type | Criteria |
|---|---|
| URL | Define one or more criteria based on: The URL regex matching uses Perl-compatible regular expressions. The URL-based matching in access rules is for a location on the same domain, for example, "/login.php". To target a full absolute URL, combine header matching (Host: www.example.com) with the URL "/login.php". |
| IP Address | Define one or more criteria based on: These values can be a valid IPv4 address, subnet, or CIDR notation for a range. IP Address criteria can be used to restrict incoming traffic by both individual IP addresses and CIDR ranges. IPv6 is not yet supported. See IP Address Lists for Edge Policies for information on how to create a list of IP addresses that can be used in the access rule. |
| Country/Region | Define one or more criteria based on: For the API, use a two-letter country code. |
| User Agent | Identify the browser client. |
| HTTP Header | Evaluate as criteria: Enter the HTTP Header contains value as a colon-delimited <name>:<value>. Wildcards can't be used. |
| HTTP Method | Evaluate as criteria: Available methods include GET, POST, PUT, DELETE, HEAD, CONNECT, OPTIONS, TRACE, and PATCH. |
- In the processing sequence of the "Access Rules" and "IP Whitelist" tabs, the IP whitelist is evaluated first. If the IP address isn't in the IP address allowlist, evaluation moves on to the access rules.
- WAF supports the following HTTP redirect response codes:
  - 301 - Moved permanently: Use this response code if your website was permanently moved to the redirection URL and you want search engines to index the new location.
  - 302 - Temporary redirect: Use this response code if a URL has been changed to a different address for a short amount of time.
- CAPTCHA can only be presented as a full page, not as an inline component of the website.
- You can reorder access rules only by using the API to manually reorder the listed rules.
- You can't reorder access rules when you create an access rule with the BLOCK action.
- The simplest way to block everything except specific IP addresses is to create a single access rule to BLOCK if "IP Address not in Address list." This rule blocks all traffic other than the IP addresses in your IP address lists. If you have other security features enabled, they remain active, even for the IP addresses in the address list. To bypass all security measures, add the IP addresses to the IP address whitelist instead.
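The following added example (not the WAF's own code or API schema) models the criteria types in the table above and the processing order described in these notes: the IP whitelist is consulted first, then access rules are walked in order, with the "BLOCK if IP Address not in Address list" pattern as the first rule and a Host-header-plus-URL rule as the second. The request dictionary, rule tuples, action names and sample addresses are constructed assumptions for illustration.

```python
import ipaddress
import re

def ip_in_list(ip, entries):
    """True if ip matches any IPv4 address or CIDR range in entries.
    Only IPv4 is handled, matching the page's note that IPv6 is unsupported."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        return False
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)

def rule_matches(rule, req):
    """All criteria of a rule must hold; criteria types follow the page's table."""
    for ctype, op, value in rule["criteria"]:
        if ctype == "url":                      # PCRE-style regex on the path only
            hit = re.search(value, req["url"]) is not None
        elif ctype == "ip":                     # value is an address list
            hit = ip_in_list(req["ip"], value)
        elif ctype == "country":                # two-letter country code
            hit = req["country"].upper() == value.upper()
        elif ctype == "user_agent":
            hit = req["user_agent"] == value
        elif ctype == "header":                 # "<name>:<value>", exact, no wildcards
            name, _, val = value.partition(":")
            hit = req["headers"].get(name.strip().lower()) == val.strip()
        elif ctype == "method":
            hit = req["method"].upper() == value.upper()
        else:
            raise ValueError(f"unknown criteria type {ctype}")
        if op == "not":                         # e.g. "IP Address not in Address list"
            hit = not hit
        if not hit:
            return False
    return True

def evaluate(req, ip_whitelist, rules):
    """IP whitelist is checked first; only then are access rules evaluated in order."""
    if ip_in_list(req["ip"], ip_whitelist):
        return "BYPASS"                         # whitelisted: skips all access rules
    for rule in rules:
        if rule_matches(rule, req):
            return rule["action"]
    return "ALLOW"

ADMIN_IPS = ["203.0.113.0/24"]                  # constructed sample address list
RULES = [
    {"action": "BLOCK", "criteria": [("ip", "not", ADMIN_IPS)]},     # block all but the list
    {"action": "CAPTCHA", "criteria": [("header", "is", "Host:www.example.com"),
                                       ("url", "is", r"^/login\.php$")]},
]
```

Header names in the request dictionary are expected in lowercase, since the lookup lowercases the name from the `<name>:<value>` criterion.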