Configuring a Global Protection Whitelist Rule to Ignore False Alarms

Once an attack hits a WAF basic web protection rule or a feature-library anti-crawler rule, WAF will respond to the attack immediately according to the protective action (Log only or Block) you configured for the rule and display an event on the Events page.

You can add false alarm masking rules to let WAF ignore certain rule IDs or event types (for example, skip XSS checks for a specific URL).

If you select All protection for Ignore WAF Protection, all WAF rules do not take effect, and WAF allows all request traffic to the domain names in the rule.
If you select Basic Web Protection for Ignore WAF Protection, you can ignore basic web protection by rule ID, attack type, or all built-in rules. For example, if XSS check is not required for a URL, you can whitelist XSS rule.
If you select Invalid requests for Ignore WAF Protection, WAF will whitelist invalid requests.

Prerequisites

You have connected a website to WAF.
You have created a policy and added the domain name to it. For details, see Creating a Protection Policy and Adding a Domain Name to a Policy.
If you use a dedicated WAF instance, make sure it has been upgraded to the latest version. For details, see Managing Dedicated WAF Engines.

Constraints

If you select All protection for Ignore WAF Protection, all WAF rules do not take effect, and WAF allows all request traffic to the domain names in the rule.
If you select Basic web protection for Ignore WAF Protection, global protection whitelist rules take effect only for events triggered against WAF built-in rules in Basic Web Protection and anti-crawler rules under Feature Library.
- Basic web protection rules
  Basic web protection defends against common web attacks, such as SQL injection, XSS attacks, remote buffer overflow attacks, file inclusion, Bash vulnerability exploits, remote command execution, directory traversal, sensitive file access, and command and code injections. Basic web protection also detects web shells and evasion attacks.
- Feature-based anti-crawler protection
  Feature-based anti-crawler identifies and blocks crawler behavior from search engines, scanners, script tools, and other crawlers.
You can configure a global protection whitelist rule by referring to Handling False Alarms. After handling a false alarm, you can view the rule in the global protection whitelist rule list.
It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the Events page.

Configuring a Global Protection Whitelist

Log in to the WAF console.
Click in the upper left corner and select a region or project.
(Optional) If you have enabled the enterprise project function, in the upper part of the navigation pane on the left, select your enterprise project from the Filter by enterprise project drop-down list. Then, WAF will display the related security data in the enterprise project on the page.
In the navigation pane on the left, click Policies.
Click the name of the target policy to go to the protection rule configuration page.

Before configuring protection rules, ensure that the target protection policy has been applied to a domain name. A protection policy can be applied to multiple protected domain names, but a protected domain name can have only one protection policy.
Locate the Global Protection Whitelist configuration area and toggle on this protection.

: enabled.
In the upper left corner above the Global Protection Whitelist rule list, click Add Rule.

Add a global whitelist rule by referring to Table 1.

Figure 1 Add Global Protection Whitelist Rule
Click to enlarge

**Table 1** Parameters
Parameter	Description	Example Value
Scope	Domain name that the policy is applied to. All domain names: By default, this rule will be applied to all domain names that are protected by the current policy. Specified domain names: The rule will be applied to specified domain names that are protected by the current policy.	Specified domain names
Domain Name	If Scope is set to Specified domain names, select or enter the domain names for the rule. You can click Add to add more domain names. The domain name format varies depending on the access mode. Cloud mode - CNAME access: Enter a complete domain name. Cloud mode - load balancer access: Enter Domain_name:ELB_load_balancer_ID. If the protected domain name is a single domain name, select or enter Domain_name:ELB_load_balancer_ID. If the domain name is a wildcard domain name, select or enter :ELB_load_balancer_ID. For example, if you need to add wildcard domain name and the ELB ID is c8c5fbd9-XXXX-XXXX-XXXX-d6f341a46ee5, enter :c8c5fbd9-XXXX-XXXX-XXXX-d6f341a46ee5. Dedicated mode*: Enter a complete domain name or IP address.	Cloud mode - CNAME access: www.example.com Cloud mode - Load balancer access: :c8c5fbd9-XXXX-XXXX-XXXX-d6f341a46ee5 Dedicated mode: Enter www.example.com* or 192.168.2.3.
Condition List	Request features to be matched by the rule. If a request matches the features, WAF handles the request according to the configured rule. At least one condition is required for the rule to take effect. Click Add Condition in the condition box to add a condition in the group. You can add up to 30 conditions. If multiple conditions are configured, the rule takes effect only when all conditions are met. Click Add Condition outside the condition box to add a condition group. You can add up to three condition groups. The relationship between multiple condition groups is OR. This rule takes effect when one of the condition groups is met. Condition parameter description: Field: For details, see Condition Field Description. Subfield: Configure this field only when IPv4, IPv6, Params, Cookie, Header or Response Header is selected for Field. A subfield cannot exceed 2,048 characters. If Field is set to Response Header or Header, and Subfield is not All or Any, Case Sensitive is supported. Logic: Select the desired logical relationship from the drop-down list. Content: Enter or select the content that matches the condition. If you set Logic to Include any value, Exclude any value, Equal to any value, Not equal to any value, Prefix is any value, Prefix is not any of them, Suffix is any value, or Suffix is not any of them, you need to select a reference table.	Field is set to Path. Logic is set to Include. Content is set to /product.
Ignore WAF Protection	Select how you want WAF to whitelist protection. All protection: All WAF rules do not take effect, and WAF allows all request traffic to the domain names in the rule. Basic web protection: You can ignore the entire basic web protection or specific protection type by rule ID or attack type. For example, if you do not want to check a specific URL for XSS attacks, you can configure a false alarm masking rule to mask XSS checks for the URL. ID: Protection modules will be whitelisted based on protection rule IDs. If this option is selected, you need to specify Rule ID (which can be queried in the Rule ID column in Events). Use commas (,) to separate multiple IDs. You can enter a maximum of 100 IDs. After entering a rule ID, press Enter to view the added rule ID, rule description, and risk level. You can also click Handle as False Alarm in the Operation column of the rule ID, and click Handle Now in the displayed dialog box. Then, if you select ID for Ignored Protection Type and click OK, this rule ID will be add to the global protection whitelist. For details, see Handling False Alarms. Attack type: Protection modules will be whitelisted based on the attack type. One type contains one or more rule IDs. After selecting this option, you need to specify Rule Type. You can specify multiple rule types. The options are Cross Site Scripting , Webshell, Others, SQL Injection, Scanner & Crawler, Remote File Inclusion, Local File Inclusion, and Command Injection. All built-in rules: all checks enabled in Basic Web Protection. Invalid requests: You can allow certain invalid requests. A request is invalid if: The request header contains more than 512 parameters. The URL contains more than 2,048 parameters. The request header contains "Content-Type:application/x-www-form-urlencoded", and the request body contains more than 8,192 parameters.	Ignore WAF Protection: Basic web protection Ignored Protection Type: ID Rule ID: 041046
Rule Description	A brief description of the rule. This parameter is optional.	SQL injection attacks are not intercepted.
Ignore Field	If you only want to ignore attacks against a specified field, enable Ignore Field and configure the field. You can ignore the fields you do not want WAF to check. If you configure ignored fields, you can leave the condition list blank. WAF can ignore the following fields: Params, Cookie, Header, Body, and Multipart. You can ignore all fields or a specified field. All fields: Params, Cookie, Header, Body, and Multipart. If All is selected, WAF will not block all attack events of the selected field. Field: Only the Params, Cookie, and Header fields are supported. If Field is selected, you need to enter a subfield. If you select Cookie, the Domain Name box for the rule can be empty.	Params All

Click OK.

After completing the preceding configurations, you can:
- Check the rule status: In the protection rule list, check the rule you added. Rule Status is Enabled by default.
- Disable the rule: If you do not want the rule to take effect, click Disable in the Operation column of the rule.
- Delete or modify the rule: Click Delete or Modify in the Operation column of the rule.
- Verify the protection effect:
  1. Simulate an XSS attack.
  2. On the Events page, check the protection logs.