Configuring a Policy

This article explains the legacy version of Rate Limiting that will undergo end-of-life on June 30, 2021. Our new version of WAF expands upon all of the capabilities offered by WAF and Rate Limiting with a simplified and centralized setup. Please upgrade to the latest version of WAF at your earliest convenience.

Take into consideration the following factors when setting up a rate limiting policy:

To define a rate limiting policy

  1. Navigate to the Rules Configuration page. ClosedHow?From the main menu, navigate to Defend | HTTP Rate Limiting | Rate Limiting Rules.

  2. Toggle the Edit Rate Limiting Rules option.

  3. Click Add Rule.
  4. In the Rule name option, define a brief name that describes the rule being created.
  5. Optional. Define a hostname and/or URL path scope for this rate limiting rule through the Hostname and URL path(s) options. Only requests that match the specified pattern will be rate limited.

    Select one of the following modes:

    • Default: Use this mode when the corresponding scope should not restrict rate limiting.
    • Exact match (multiple entries): Applies the rate limit to the specified hostname(s) or URL path(s).

      Learn more.

    • Regex match: Applies the rate limit to all hostnames or URL paths that satisfy the specified regular expression pattern.

      Learn more.

    • Wildcard match: Applies the rate limit to all hostnames or URL paths that satisfy the specified wildcard pattern.

      Learn more.

    By default, a scope condition will only be satisfied when an exact match is found. Enable the Negative match option to configure a scope condition to look for requests that do not match the specified value.

  6. In the Apply rate limit to option, indicate whether the rate limit should be applied across all requests or to each unique client.
  7. In the Rate limit option, define the maximum rate at which requests may flow to your origin server(s). Define this rate by indicating the maximum number of requests for the selected time interval (e.g., 1 second, 30 seconds, 1 minute, etc.).
  8. Optional. Create a condition group to identify the types of requests that qualify for rate limiting.

    1. Click the New condition group label.
    2. Optional. Click on its label (e.g., Condition group 1) and then type a brief name that describes the purpose of the condition group.
    3. Select the condition (e.g., Condition 1) to view its properties.
    4. In the Match by option, select the method by which requests will be identified.

      If this option is set to "Request header," then select the desired request header from the Request header name option.

    5. In the Value(s) option, type a value that must be met before a request will count towards the rate limiting policy.

      Repeat this step as needed. Place each desired value on a separate line.

    6. Choose whether this condition will be satisfied when a request matches or does not match a value defined in the Value(s) option.

      • Matches: Clear the Negative match option.
      • Does Not Match: Mark the Negative match option.
    7. Optional. Add another condition to the current condition group by clicking + New condition and then repeating steps iii - vii.

      If a condition group has been defined, then a request must satisfy all of the conditions within at least one condition group in order to be eligible for rate limiting.

    8. Optional. Create another condition group by following steps i - viii.

      Multiple condition groups provide the means for identifying different types of requests for the purpose of rate limiting.

  9. Navigate to the Enforcement tab.
  10. In the Duration option, select the time period for which the action selected in the next step will be applied to clients that exceed the rate limit defined in this rule.

    A "client" is defined by each rule according to the Apply rate limit to option. For example, configuring that option to "Any request" will apply the selected action to all requests regardless of the number of requests generated by each device. Alternatively, identifying clients by "IP Address" will only apply the selected action to requests that originate from each IP address that violates the specified rate limit.

  11. In the Action Type option, configure the action that will be taken when a request exceeds the rate limit.

  12. Click Add Rule.
  13. Click Apply All Changes and then Save Changes to save your changes and apply the rate limiting policy to your traffic.

Adding a rule does not save your changes. You must also apply and save your changes as described in the final step of the above procedure.

Track the date/time (GMT) for the most recent change to a Rate Limiting rule via the Last Modified label in the upper-right hand corner of the Rate Limiting Rules page.

More Information