An access rule identifies legitimate traffic and threats by:
Control access to your content by creating whitelists, accesslists, and blacklists for the following categories:
Type | Description |
---|---|
ASN |
Identifies requests according to the autonomous system (AS) from which the request originated. Specify each desired AS by its autonomous system number (ASN). |
Cookie |
Identifies requests by searching for a cookie name that matches the specified regular expression. Certain common characters (e.g., ?.+) have special meaning in a regular expression. Use a backslash to escape a special character. |
Identifies requests by the country from which the request originated. Specify each desired country using its country code. |
|
IP Address |
Identifies requests by the requester’s IPv4 and/or IPv6 address. Specify each desired IP address using standard IPv4/IPv6 and CIDR notation. Specify a subnet by appending a slash (/) and the desired bit-length of the prefix (e.g., 11.22.33.0/22). Do not specify more than 1,000 IP addresses or IP blocks. Whitelist, accesslist, and blacklist entries count towards this limit. |
Referrer |
Identifies requests by referrer. A successful match is found when the specified regular expression matches any portion of the Referer request header value. The Referer request header identifies the URL of the resource (e.g., web page) from which the request was initiated. The specified regular expression may match any portion of the entire URL including the protocol and hostname. |
URL |
Identifies requests by searching for a value that matches the specified regular expression within the request URI. Do not include a protocol or a hostname (e.g., http://cdn.mydomain.com) when defining a regular expression for this access control. Certain common characters (e.g., ?.+) have special meaning in a regular expression. Use a backslash to escape a special character (e.g., main\.html\?user=Joe). Example All of the entries in the following sample access control list will match the sample request: /marketing/.* .*images.* .*/ad[0-9]*\.png Sample request:
http://www.mydomain.com/marketing/images/ad001.png
|
User Agent |
Identifies requests by the user agent that acted on behalf of a user to submit the request. A successful match is found when the specified regular expression matches any portion of the User-Agent request header value. |
The purpose of a whitelist is to identify legitimate traffic.
The purpose of an accesslist is to identify traffic that may access your content upon passing a threat assessment. If one or more accesslists have been defined, WAF will only inspect requests that satisfy at least one criterion in each defined accesslist. All other traffic, unless it has been whitelisted, will be blocked.
The purpose of a blacklist is to describe unwanted traffic.
Traffic is blacklisted when it satisfies all of the following conditions:
Key information:
The order of precedence is:
For example, WAF will inspect a request that satisfies both an accesslist and a blacklist. However, it will automatically allow the delivery of a request that satisfies a whitelist, an accesslist, and a blacklist.
All entries within a URL, referrer, cookie, or user agent whitelist, accesslist, and blacklist are regular expressions.
By default, a regular expression defines a case-sensitive match. Use syntax (e.g., [a-zA-Z]) to make it case-insensitive.
The maximum number of entries varies by category.
Category | Combined Limit (Whitelist, Accesslist, and Blacklist) |
---|---|
ASN |
200 |
Cookie |
200 |
Country |
600 |
IP Address |
1,000 |
Referrer |
200 |
URL |
200 |
User Agent |
200 |
WAF Insights supports up to 25 entries for each of the above categories. If you currently have WAF Insights and would like to add additional entries, please contact your CDN account manager to upgrade to the full version.
Whitelist, accesslist, and blacklist entries count towards this limit.
Unlike the access controls described above, the following access controls are limited to identifying malicious traffic:
Define the set of valid and invalid HTTP request methodIndicates the type of action that a server should perform on the asset identified in the request URL. Common HTTP request methods are GET, POST, PUT, DELETE, HEAD, OPTIONS, TRACE, and CONNECT.s via the Allowed HTTP Methods option.
GET
POST
OPTIONS
HEAD
PUT
DELETE
Define the set of valid media typesIdentifies/classifies the data contained in a file. (aka content types or MIME types) via the Allowed Request Content Types option.
Key information:
WAF performs a threat assessment when either of the following conditions are true:
A request does not include the Content-Type header.
A Content-Type header should only be included when the request includes a payload (e.g., HTTP PUT and POST requests). As a result, HTTP GET requests should not include this header.
WAF automatically sends an alert or blocks a request when its Content-Type header does not match a media type defined by this option.
application/x-www-form-urlencoded
multipart/form-data
text/xml
application/xml
application/x-amf
application/json
Define the set of invalid file extensions via the Extension Blacklist option.
Key information:
WAF flags a request as a threat when its file extension matches one defined by this option.
Syntax:
.asa
.asax
.ascx
.axd
.backup
.bak
.bat
.cdx
.cer
.cfg
.cmd
.com
.config
.conf
.cs
.csproj
.csr
.dat
.db
.dbf
.dll
.dos
.htr
.htw
.ida
.idc
.idq
.inc
.ini
.key
.licx
.lnk
.log
.mdb
.old
.pass
.pdb
.pol
.printer
.pwd
.resources
.resx
.sql
.sys
.vb
.vbs
.vbproj
.vsdisco
.webinfo
.xsd
.xsx
Define the maximum file size, in bytes, for a POST request via the Single File Upload Limit option
The recommended maximum value is 6,291,456 bytes.
Define the maximum file size for a request that is part of a multipart message through a managed rule.
Learn more.
Define the set of invalid request headers via the Header Blacklist option.
Key information:
WAF flags a request as a threat when it contains a header whose name matches one defined by this option.
You may create, modify, and delete access rules.
Key information:
To create an access rule
Navigate to the Access Rules page.
Define the desired whitelists, accesslists, and blacklists.
Specify each unique value on a separate line.
All entries within a URL, referrer, cookie, or user agent whitelist, accesslist, and blacklist are regular expressions.
Define which HTTP methods and media types are allowed and which file extensions and request headers are disallowed.
To modify an access rule
Navigate to the Access Rules page.
To delete an access rule
You cannot delete an access rule that is associated with a Security Application Manager configuration. Please either modify the Security Application Manager configuration to point to a different access rule or delete that Security Application Manager configuration.
Navigate to the Access Rules page.