Help Center/ Web Application Firewall/ User Guide/ Configuring Protection Policies/ Configuring Protection Rules/ Configuring a Global Protection Whitelist Rule to Ignore False Alarms
Updated on 2025-08-19 GMT+08:00

Configuring a Global Protection Whitelist Rule to Ignore False Alarms

Once an attack hits a WAF basic web protection rule or a feature-library anti-crawler rule, WAF will respond to the attack immediately according to the protective action (Log only or Block) you configured for the rule and display an event on the Events page.

You can add false alarm masking rules to let WAF ignore certain rule IDs or event types (for example, skip XSS checks for a specific URL).

  • If you select All protection for Ignore WAF Protection, all WAF rules do not take effect, and WAF allows all request traffic to the domain names in the rule.
  • If you select Basic Web Protection for Ignore WAF Protection, you can ignore basic web protection by rule ID, attack type, or all built-in rules. For example, if XSS check is not required for a URL, you can whitelist XSS rule.
  • If you select Invalid requests for Ignore WAF Protection, WAF will whitelist invalid requests.

Prerequisites

Constraints

  • If you select All protection for Ignore WAF Protection, all WAF rules do not take effect, and WAF allows all request traffic to the domain names in the rule.
  • If you select Basic web protection for Ignore WAF Protection, global protection whitelist rules take effect only for events triggered against WAF built-in rules in Basic Web Protection and anti-crawler rules under Feature Library.
    • Basic web protection rules

      Basic web protection defends against common web attacks, such as SQL injection, XSS attacks, remote buffer overflow attacks, file inclusion, Bash vulnerability exploits, remote command execution, directory traversal, sensitive file access, and command and code injections. Basic web protection also detects web shells and evasion attacks.

    • Feature-based anti-crawler protection

      Feature-based anti-crawler identifies and blocks crawler behavior from search engines, scanners, script tools, and other crawlers.

  • You can configure a global protection whitelist rule by referring to Handling False Alarms. After handling a false alarm, you can view the rule in the global protection whitelist rule list.
  • It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the Events page.

Configuring a Global Protection Whitelist

  1. Log in to the WAF console.
  2. Click in the upper left corner and select a region or project.
  3. (Optional) If you have enabled the enterprise project function, in the upper part of the navigation pane on the left, select your enterprise project from the Filter by enterprise project drop-down list. Then, WAF will display the related security data in the enterprise project on the page.
  4. In the navigation pane on the left, click Policies.
  5. Click the name of the target policy to go to the protection rule configuration page.

    Before configuring protection rules, ensure that the target protection policy has been applied to a domain name. A protection policy can be applied to multiple protected domain names, but a protected domain name can have only one protection policy.

  6. Locate the Global Protection Whitelist configuration area and toggle on this protection.

    : enabled.

  7. In the upper left corner above the Global Protection Whitelist rule list, click Add Rule.
  8. Add a global whitelist rule by referring to Table 1.

    Figure 1 Add Global Protection Whitelist Rule
    Table 1 Parameters

    Parameter

    Description

    Example Value

    Scope

    Domain name that the policy is applied to.

    • All domain names: By default, this rule will be applied to all domain names that are protected by the current policy.
    • Specified domain names: The rule will be applied to specified domain names that are protected by the current policy.

    Specified domain names

    Domain Name

    If Scope is set to Specified domain names, select or enter the domain names for the rule. You can click Add to add more domain names.

    The domain name format varies depending on the access mode.
    • Cloud mode - CNAME access: Enter a complete domain name.
    • Cloud mode - load balancer access: Enter Domain_name:ELB_load_balancer_ID.
      • If the protected domain name is a single domain name, select or enter Domain_name:ELB_load_balancer_ID.
      • If the domain name is a wildcard domain name, select or enter *:ELB_load_balancer_ID.

        For example, if you need to add wildcard domain name * and the ELB ID is c8c5fbd9-XXXX-XXXX-XXXX-d6f341a46ee5, enter *:c8c5fbd9-XXXX-XXXX-XXXX-d6f341a46ee5.

    • Dedicated mode: Enter a complete domain name or IP address.
    • Cloud mode - CNAME access: www.example.com
    • Cloud mode - Load balancer access: *:c8c5fbd9-XXXX-XXXX-XXXX-d6f341a46ee5
    • Dedicated mode: Enter www.example.com or 192.168.2.3.

    Condition List

    Request features to be matched by the rule. If a request matches the features, WAF handles the request according to the configured rule.

    • At least one condition is required for the rule to take effect.
    • Click Add Condition in the condition box to add a condition in the group. You can add up to 30 conditions. If multiple conditions are configured, the rule takes effect only when all conditions are met.
    • Click Add Condition outside the condition box to add a condition group. You can add up to three condition groups. The relationship between multiple condition groups is OR. This rule takes effect when one of the condition groups is met.

    Field is set to Path.

    Logic is set to Include.

    Content is set to /product.

    Ignore WAF Protection

    Select how you want WAF to whitelist protection.

    • All protection: All WAF rules do not take effect, and WAF allows all request traffic to the domain names in the rule.
    • Basic web protection: You can ignore the entire basic web protection or specific protection type by rule ID or attack type. For example, if you do not want to check a specific URL for XSS attacks, you can configure a false alarm masking rule to mask XSS checks for the URL.
      • ID: Protection modules will be whitelisted based on protection rule IDs.

        If this option is selected, you need to specify Rule ID (which can be queried in the Rule ID column in Events). Use commas (,) to separate multiple IDs. You can enter a maximum of 100 IDs.

        After entering a rule ID, press Enter to view the added rule ID, rule description, and risk level.

        You can also click Handle as False Alarm in the Operation column of the rule ID, and click Handle Now in the displayed dialog box. Then, if you select ID for Ignored Protection Type and click OK, this rule ID will be add to the global protection whitelist. For details, see Handling False Alarms.

      • Attack type: Protection modules will be whitelisted based on the attack type. One type contains one or more rule IDs.

        After selecting this option, you need to specify Rule Type. You can specify multiple rule types. The options are Cross Site Scripting , Webshell, Others, SQL Injection, Scanner & Crawler, Remote File Inclusion, Local File Inclusion, and Command Injection.

      • All built-in rules: all checks enabled in Basic Web Protection.
    • Invalid requests: You can allow certain invalid requests.

      A request is invalid if:

      • The request header contains more than 512 parameters.
      • The URL contains more than 2,048 parameters.
      • The request header contains "Content-Type:application/x-www-form-urlencoded", and the request body contains more than 8,192 parameters.

    Ignore WAF Protection: Basic web protection

    Ignored Protection Type: ID

    Rule ID: 041046

    Rule Description

    A brief description of the rule. This parameter is optional.

    SQL injection attacks are not intercepted.

    Ignore Field

    If you only want to ignore attacks against a specified field, enable Ignore Field and configure the field. You can ignore the fields you do not want WAF to check. If you configure ignored fields, you can leave the condition list blank.

    • WAF can ignore the following fields: Params, Cookie, Header, Body, and Multipart.
    • You can ignore all fields or a specified field.
      • All fields: Params, Cookie, Header, Body, and Multipart.

        If All is selected, WAF will not block all attack events of the selected field.

      • Field: Only the Params, Cookie, and Header fields are supported. If Field is selected, you need to enter a subfield.
    • If you select Cookie, the Domain Name box for the rule can be empty.

    Params

    All

  9. Click OK.

    After completing the preceding configurations, you can:

    • Check the rule status: In the protection rule list, check the rule you added. Rule Status is Enabled by default.
    • Disable the rule: If you do not want the rule to take effect, click Disable in the Operation column of the rule.
    • Delete or modify the rule: Click Delete or Modify in the Operation column of the rule.
    • Verify the protection effect:
      1. Simulate an XSS attack.
      2. On the Events page, check the protection logs.