Configuring a Global Protection Whitelist Rule to Ignore False Alarms

Prerequisites

• You have added the website you want to protect to WAF or added a protection policy.
  • For cloud CNAME access mode, see Connecting Your Website to WAF with Cloud Mode - CNAME Access.
  • For cloud load balancer access mode, see Connecting Your Website to WAF with Cloud Mode - Load Balancer Access.
  • For dedicated mode, see Connecting Your Website to WAF with Dedicated Mode.
• If you use a dedicated WAF instance, ensure that it has been upgraded to the latest version. For details, see Managing Dedicated WAF Engines.

Constraints

• If you select All protection for Ignore WAF Protection, all WAF rules do not take effect, and WAF allows all request traffic to the domain names in the rule.
• If you select Basic web protection for Ignore WAF Protection, global protection whitelist rules take effect only for events triggered against WAF built-in rules in Basic Web Protection and anti-crawler rules under Feature Library.
  • Basic web protection rules

    Basic web protection defends against common web attacks, such as SQL injection, XSS attacks, remote buffer overflow attacks, file inclusion, Bash vulnerability exploits, remote command execution, directory traversal, sensitive file access, and command and code injections. Basic web protection also detects web shells and evasion attacks.

  • Feature-based anti-crawler protection

    Feature-based anti-crawler identifies and blocks crawler behavior from search engines, scanners, script tools, and other crawlers.

• You can configure a global protection whitelist rule by referring to Handling False Alarms. After handling a false alarm, you can view the rule in the global protection whitelist rule list.
• It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the Events page.

Configuring a Global Protection Whitelist

1. Log in to the WAF console.
2. Click in the upper left corner and select a region or project.
3. (Optional) If you have enabled the enterprise project function, in the upper part of the navigation pane on the left, select your enterprise project from the Filter by enterprise project drop-down list. Then, WAF will display the related security data in the enterprise project on the page.
4. In the navigation pane on the left, click Policies.
5. Click the name of the target policy to go to the protection configuration page.
6. Click the Blacklist and Whitelist configuration area and toggle it on or off if needed.
   • : enabled.
   • : disabled.

7. In the upper left corner above the Global Protection Whitelist rule list, click Add Rule.
8. Add a global whitelist rule by referring to Table 1.
   Figure 1 Add Global Protection Whitelist Rule
   

   Table 1 Parameters

   Parameter	Description	Example Value
   Scope	All domain names: By default, this rule will be applied to all domain names that are protected by the current policy. Specified domain names: The rule will be applied to specified domain names that are protected by the current policy. If you select Specified domain names, you need to specify the domain names.	Specified domain names
   Domain Name	Select or enter the domain name to be protected. The domain name format varies depending on the access mode. Cloud mode - CNAME access: Enter a complete domain name. Cloud mode - load balancer access: Enter Domain_name:ELB_load_balancer_ID. If the protected domain name is a single domain name, select or enter Domain_name:ELB_load_balancer_ID. If the domain name is a wildcard domain name, select or enter *:ELB_load_balancer_ID. For example, if you need to add wildcard domain name * and the ELB ID is c8c5fbd9-XXXX-XXXX-XXXX-d6f341a46ee5, enter *:c8c5fbd9-XXXX-XXXX-XXXX-d6f341a46ee5. Dedicated mode: Enter a complete domain name or IP address. To add more domain names, click Add to add them one by one. This parameter is mandatory when you select Specified domain names for Scope.	Cloud mode - CNAME access: www.example.com Cloud mode - Load balancer access: *:c8c5fbd9-XXXX-XXXX-XXXX-d6f341a46ee5 Dedicated mode: Enter www.example.com or 192.168.2.3.
   Condition List	Click Add in the condition box to add conditions. At least one condition needs to be added. You can add up to 30 conditions to a protection rule. If more than one condition is added, all of the conditions must be met for the rule to be applied. You can click Add outside the condition box to add a group of conditions. A maximum of three condition groups can be added. The OR logic is used between all condition groups. So, the rule works as long as one condition group is met. Condition parameter description: Field Subfield: Configure this field only when IPv4, IPv6, Params, Cookie, Header or Response Header is selected for Field. If Field is set to Response Header or Header, and Subfield is not All or Any, Case Sensitive is supported. NOTICE: A subfield cannot exceed 2,048 characters. Logic: Select a logical relationship from the drop-down list. Content: Enter or select the content that matches the condition.	Field is set to Path. Logic is set to Include. Content is set to /product.
   Ignore WAF Protection	All protection: All WAF rules do not take effect, and WAF allows all request traffic to the domain names in the rule. Basic web protection: You can ignore basic web protection by rule ID, attack type, or all built-in rules. For example, if XSS check is not required for a URL, you can whitelist XSS rule. Invalid requests: WAF can allow invalid requests. NOTE: A request is invalid if: The request header contains more than 512 parameters. The URL contains more than 2,048 parameters. The request header contains "Content-Type:application/x-www-form-urlencoded", and the request body contains more than 8,192 parameters.	Basic web protection
   Ignored Protection Type	If you select Basic web protection for Ignored WAF Protection, select one of the following for Ignored Protection Type: ID: Configure the rule by event ID. Attack type: Configure the rule by attack type, such as XSS and SQL injection. One type contains one or more rule IDs. All built-in rules: all checks enabled in Basic Web Protection.	Attack type
   Rule ID	This parameter is mandatory when you select ID for Ignored Protection Type. Rule ID of a misreported event in Events whose type is not Custom. You are advised to handle false alarms on the Events page.	041046
   Rule Type	This parameter is mandatory when you select Attack type for Ignored Protection Type. Select an attack type from the drop-down list box. WAF can defend against XSS attacks, web shells, SQL injection attacks, malicious crawlers, remote file inclusions, local file inclusions, command injection attacks, and other attacks.	SQL injection
   Rule Description	A brief description of the rule. This parameter is optional.	SQL injection attacks are not intercepted.
   Ignore Field	To ignore attacks of a specific field, specify the field in the Advanced Settings area. After you add the rule, WAF will stop blocking attacks matching the specified field. Select a target field from the first drop-down list box on the left. The following fields are supported: Params, Cookie, Header, Body, and Multipart. If you select Params, Cookie, or Header, you can select All or Field to configure a subfield. If you select Body or Multipart, you can select All. If you select Cookie, the Domain Name box for the rule can be empty. NOTE: If All is selected, WAF will not block all attack events of the selected field.	Params All

9. Click OK.

   After completing the preceding configurations, you can:

   • Check the rule status: In the protection rule list, check the rule you added. Rule Status is Enabled by default.
   • Disable the rule: If you do not want the rule to take effect, click Disable in the Operation column of the rule.
   • Delete or modify the rule: Click Delete or Modify in the Operation column of the rule.
   • Verify the protection effect:
     1. Simulate an XSS attack.
     2. On the Events page, check the protection logs.