Configuring a Global Protection Whitelist Rule to Ignore False Alarms

Prerequisites

You have added the website you want to protect to WAF.

Constraints

• If you select All protection for Ignore WAF Protection, all WAF rules do not take effect, and WAF allows all request traffic to the domain names in the rule.
• If you select Basic web protection for Ignore WAF Protection, global protection whitelist rules take effect only for events triggered against WAF built-in rules in Basic Web Protection and anti-crawler rules under Feature Library.
  • Basic web protection rules

    Basic web protection defends against common web attacks, such as SQL injection, XSS attacks, remote buffer overflow attacks, file inclusion, Bash vulnerability exploits, remote command execution, directory traversal, sensitive file access, and command and code injections. Basic web protection also detects web shells and evasion attacks.

  • Feature-based anti-crawler protection

    Feature-based anti-crawler identifies and blocks crawler behavior from search engines, scanners, script tools, and other crawlers.

• You can configure a global protection whitelist rule by referring to Handling False Alarms. After handling a false alarm, you can view the rule in the global protection whitelist rule list.
• It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the Events page.

Configuring a Global Protection Whitelist

1. Log in to the WAF console.
2. Click in the upper left corner and select a region or project.
3. (Optional) If you have enabled the enterprise project function, in the upper part of the navigation pane on the left, select your enterprise project from the Filter by enterprise project drop-down list. Then, WAF will display the related security data in the enterprise project on the page.
4. In the navigation pane on the left, click Policies.
5. Click the name of the target policy to go to the protection rule configuration page.

   Before configuring protection rules, ensure that the target protection policy has been applied to a domain name. A protection policy can be applied to multiple protected domain names, but a protected domain name can have only one protection policy.

6. Locate the Global Protection Whitelist configuration area and toggle on this protection.

   : enabled.

7. In the upper left corner above the Global Protection Whitelist rule list, click Add Rule.
8. Add a global whitelist rule by referring to Table 1.
   Figure 1 Add Global Protection Whitelist Rule
   

   Table 1 Parameters

   Parameter	Description	Example Value
   Scope	Domain name that the policy is applied to. All domain names: By default, this rule will be applied to all domain names that are protected by the current policy. Specified domain names: The rule will be applied to specified domain names that are protected by the current policy.	Specified domain names
   Domain Name	If Scope is set to Specified domain names, select or enter the domain names for the rule. The domain name format varies depending on the access mode. Cloud mode - CNAME access: Enter a complete domain name. Dedicated mode: Enter a complete domain name or IP address.	Cloud mode - CNAME access: www.example.com Dedicated mode: Enter www.example.com or 192.168.2.3.
   Condition List	Click Add to add conditions. At least one condition needs to be added. You can add up to 30 conditions to a protection rule. If more than one condition is added, all of the conditions must be met for the rule to be applied. A condition includes the following parameters: Condition parameter description: Field Subfield: Configure this field only when Params, Cookie, or Header is selected for Field. NOTICE: The length of a subfield cannot exceed 2,048 characters. Only digits, letters, underscores (_), and hyphens (-) are allowed. Logic: Select a logical relationship from the drop-down list. Content: Enter or select the content that matches the condition.	Field is set to Path. Logic is set to Include. Content is set to /product.
   Ignore WAF Protection	Select how you want WAF to whitelist protection. All protection: All WAF rules do not take effect, and WAF allows all request traffic to the domain names in the rule. Basic web protection: You can ignore the entire basic web protection or specific protection type by rule ID or attack type. For example, if you do not want to check a specific URL for XSS attacks, you can configure a false alarm masking rule to mask XSS checks for the URL. ID: Protection modules will be whitelisted based on protection rule IDs. If you select this option, you need to configure Rule ID. Use commas (,) to separate multiple IDs. You can enter a maximum of 100 IDs. After entering a rule ID, press Enter to view the added rule ID, rule description, and risk level. You can also click Handle as False Alarm in the Operation column of the rule ID, and click Handle Now in the displayed dialog box. Then, if you select ID for Ignored Protection Type and click OK, this rule ID will be added to the global protection whitelist. For details, see Handling False Alarms. Attack type: Protection modules will be whitelisted based on the attack type. One type contains one or more rule IDs. After selecting this option, you need to specify Rule Type. You can specify multiple rule types. The options are Cross Site Scripting, Webshell, Others, SQL Injection, Scanner & Crawler, Remote File Inclusion, Local File Inclusion, and Command Injection. All built-in rules: all checks enabled in Basic Web Protection. Invalid requests: You can allow certain invalid requests. A request is invalid if: The request header contains more than 512 parameters. The URL contains more than 2,048 parameters. The request header contains "Content-Type:application/x-www-form-urlencoded", and the request body contains more than 8,192 parameters.	Ignore WAF Protection: Basic web protection Ignored Protection Type: ID Rule ID: 041046
   Rule Description	A brief description of the rule. This parameter is optional.	SQL injection attacks are not intercepted.
   Ignore Field	If you only want to ignore attacks against a specified field, enable Ignore Field and configure the field. You can ignore the fields you do not want WAF to check. If you configure ignored fields, you can leave the condition list blank. WAF can ignore the following fields: Params, Cookie, Header, Body, and Multipart. You can ignore all fields or a specified field. All fields: Params, Cookie, Header, Body, and Multipart. If All is selected, WAF will not block all attack events of the selected field. Field: Only the Params, Cookie, and Header fields are supported. If Field is selected, you need to enter a subfield. If you select Cookie, the Domain Name box for the rule can be empty.	Params All

9. Click Confirm.

   After completing the preceding configurations, you can:

   • Check the rule status: In the protection rule list, check the rule you added. Rule Status is Enabled by default.
   • Disable the rule: If you do not want the rule to take effect, click Disable in the Operation column of the rule.
   • Delete or modify the rule: Click Delete or Modify in the Operation column of the rule.
   • Verify the protection effect:
     1. Simulate an XSS attack.
     2. On the Events page, check the protection logs.