WAF Custom Rules

You can configure specific rules to log, deny, challenge, bypass, or rate limit traffic to your site. When you apply the configuration, it takes effect immediately and does not require re-deployment.

Get started by reviewing the Best practices for applying rules section.

• You need to be a Developer or Viewer in the team to view the Firewall overview page and list the rules
• You need to be a Project administrator or Team member to configure, save and apply any rule and configuration

You can create multiple Custom Rules for the same project. Each rule can perform a log, deny, challenge, or bypass action according to one or more logical condition(s) that you set based on the value of specific parameters in the incoming request.

You can save, delete, or disable a rule at any time and these actions have immediate effect. You also have the ability to re-order the precedence of each custom rule.

When a rule denies or challenges the traffic to your site and the client has not previously solved the challenge (in the case of challenge mode), the rule execution stops and blocks or challenges the request.

After a Log rule runs, the rule execution continues. If no other rule matches and acts on the request, the Log rule that is last matched is reported.

When you apply a rate limiting rule, you need to include a follow up action that will log, deny, challenge, or return a 429 response.

When a custom rule blocks a client's request, future requests from the same client are not necessarily blocked if they do not match the rule's condition. If you want to block this specific client, you will need to identify the client through traffic monitoring and create a rule for that purpose.

With persistent actions, you can automatically block potential bad actors by adding a time-based block to the Challenge or Deny action of your custom rule. When you do so, any client whose request is challenged or denied, will be blocked for a period of time that you specify. Since this time-based block happens before the firewall processes the request, none of the requests blocked by persistent actions count towards your Edge Network and traffic usage.

From your project's page in the dashboard, select the Firewall tab. Select Configure on the top right of the Firewall overview page.

1. Select a Custom Rule you would like to edit from the list or select + New Rule
2. In the action Then row, select Challenge or Deny
3. Select Add Timeframe on the right of the action drop-down and select a time value from the available options
4. Select Save Rule to apply it
5. Apply the changes with the Review Changes button

You will also see the Add Timeframe option for the Default (429) action of a rate limiting custom rule.

To ensure your Custom Rule behaves as intended:

1. Test a Custom Rule by setting it up with a log action
2. Observe the 10-minute live traffic to check the behavior
3. Update the Custom Rule condition if needed. Once you're happy with the behavior, update the rule with a challenge, deny, or bypass, or rate limit action

Learn how to create, test, and apply a Custom Rule.

1. From your dashboard, select the project that you'd like to configure a rule for and then select the Firewall tab
2. Select Configure on the top right of the Firewall overview page
3. Select + New Rule
4. Type a name to help you identify the purpose of this rule for future reference
5. In the Configure section, add as many If conditions as needed:

   

6. Select Log for the Then action
   • For Rate Limit, review WAF Rate Limiting
7. Select Save Rule to apply it
8. Apply the changes:
   • When you make any change, you will see a Review Changes button appear or update on the top right with the number of changes requested
   • Select Review Changes and review the changes to be applied
   • Select Publish to apply the changes to your production deployment
9. Go to the Firewall overview page, select your Custom Rule from the traffic grouping drop-down and select the paramater(s) related to the condition(s) of your Custom Rule to observe the traffic:

   

10. If you are satisfied with the traffic behavior, select Configure
11. Select the Custom Rule that you created
12. Update the Then action to Challenge, Deny or Bypass as needed
13. Select Save Rule to apply it
14. Apply the changes with the Review Changes button

Review Common Examples for the application of specific rules in common situations.