Condition Field Description

When setting a precise access, CC attack protection, or global protection whitelist rule, configure some fields in the condition list area. These fields together are used to define the request attributes to trigger the rule. This topic describes the fields that you can specify in conditions to trigger a rule.

What Is a Condition Field?

A condition field specifies the request attribute WAF checks based on protection rules. When configuring a CC attack protection rule, precise access protection rule, or global protection whitelist, you can define condition fields to specify request attributes to trigger the rule.

If a request meets the conditions set in a rule, the request hits the rule. WAF will then handle the request based on the action (Allow, Block, or Log only) configured for the rule.

Figure 1 Condition field
Click to enlarge

A condition field consists of Field, Subfield, Logic, and Content. Example:

Example 1: If Field is set to Path, logic to Include, and Content to /admin, a request matches the rule when the requested path contains /admin.
Example 2: If Field is set to IPv4, Subfield to Client IP Address, Logic to Equal to, and Content to 192.XX.XX.3. When the client IP address is 192.XX.XX.3, the request hits the rule.

Supported Condition Fields

**Table 1** Condition list configurations
Field	Description	Subfield	Logic	Content (Example)
Path	The path of a resource requested by the client. A path is part of a URL. Configuration description: The path does not contain a domain name and supports only exact match. So, the path to be protected must be the same as the path you configure. If the path to be protected is /admin, set Path to /admin. If Path is set to /, all paths of the website are protected. The path content cannot contain the following special characters: (<>*)	--	The following logical relationships are supported: Include, Exclude, Equal to, Not equal to, Prefix is, Prefix is not, Suffix is, or Suffix is not Include any value, Exclude any value, Equal to any value, Not equal to any value, Prefix is any value, Prefix is not any value, Suffix is any value, or Suffix is not any value Subfield length equal toSubfield length not equal toSubfield length greater thanSubfield length less than	/buy/phone/
User Agent	The client type, for example, browser, crawler, and mobile app.	--		Mozilla/5.0 (Windows NT 6.1)
Referer	The source from which the request is sent. If you do not want visitors to access the page from www.test.com, set Content corresponding to Referer to http://www.test.com.	--		/admin/xxx
IPv4	The IPv4 address of the client.	Client IP Address X-Forwarded-For TCP connection IP address Layer 3 source IP address	The following logical relationships are supported: Equal to or Not equal to Equal to any value or Not equal to any value	192.168.1.1
IPv6	The IPv6 address of the client. Only the professional and enterprise editions for cloud mode support IPv6 protection.			fe80:0000:0000:0000:0000:0000:0000:0000
Params	The query parameter in the URL. The query parameter is the content following the question mark (?).	All fields Any subfield Custom	The following logical relationships are supported: Include, Exclude, Equal to, Not equal to, Prefix is, Prefix is not, Suffix is, or Suffix is not Include any value, Exclude any value, Equal to any value, Not equal to any value, Prefix is any value, Prefix is not any value, Suffix is any value, or Suffix is not any value Subfield length equal toSubfield length not equal toSubfield length greater thanSubfield length less thanNumber of params not equal toNumber of params greater thanNumber of params less thanHasDoes not have	201901150929
Cookie	The cookie in the request.	All fields Any subfield Custom		jsessionid
Header	The request header content.	All fields Any subfield Custom		text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8
Method	The request method.	--	The following logical relationships are supported: Equal to Not equal to	GET, POST, PUT, DELETE, and PATCH
Protocol	The request protocol.	--		HTTP and HTTPS
Request Line	The request line length. The value must be an integer ranging from 0 to 65,535.	--	The following logical relationships are supported: Subfield length equal to Subfield length not equal to Subfield length greater than Subfield length less than	50
Request	The request length. The value must be an integer ranging from 0 to 2,147,483,647. The maximum value for cloud load balancer access mode is 4,000 bytes. If the value exceeds the maximum, the configuration does not take effect.	--		50
Response Length	The response length. The value must be an integer ranging from 0 to 2,147,483,647. Response detection occurs after the response header is returned. The response header cannot be modified when it is blocked. A response body returned from the origin server may be included in protection events. As the response body is streamed, WAF cannot change it once it has been sent.	--	The following logical relationships are supported: Subfield length equal to Subfield length not equal to Subfield length greater than Subfield length less than	50
Response Time	The response time. The value must be an integer ranging from 0 to 60,000, in ms. Response detection occurs after the response header is returned. The response header cannot be modified when it is blocked. A response body returned from the origin server may be included in protection events. As the response body is streamed, WAF cannot change it once it has been sent.	--		100
Geolocation	The geolocation of the visitor (client). NOTE: To enable this, submit a service ticket.	IPv4 IPv6 Any (IPv4 or IPv6 address)	The following logical relationships are supported: Included Excluded	Shanghai
Known feature crawler	Common web crawlers: Search Engine Scanner Script Tool Other NOTE: To enable this, submit a service ticket.	--	The following logical relationships are supported: Match Mismatch	Search Engine
Response Code	The status code returned to the request. For requests sent after this rule is triggered, WAF stops checking their HTTP response code until the current traffic limit duration you configure in the rule ends. NOTE: To enable this, submit a service ticket.	--	The following logical relationships are supported: Equal to or Not equal to Equal to any value or Not equal to any value	404
Response Header	The response header. WAF checks responses after response headers are returned. If WAF needs to block responses, response headers cannot be changed.	All fields Any subfield Custom	The following logical relationships are supported: Include, Exclude, Equal to, Not equal to, Prefix is, Prefix is not, Suffix is, or Suffix is not Include any value, Exclude any value, Equal to any value, Not equal to any value, Prefix is any value, Prefix is not any value, or Suffix is any value	--
Response Body	The response message body. WAF checks responses after response headers are returned. If WAF needs to block responses, response headers cannot be changed.	--	The following logical relationships are supported: Include or Exclude Include any value or Exclude any value	--
Request Body	The request message body.	--	The following logical relationships are supported: Include or Not Include Include any value or Exclude any value	--
TLS fingerprint (JA3)	The JA3 fingerprint generated during TLS handshake. It is used to identify device types and malicious tools.	--	The following logical relationships are supported: Equal to or Not equal to Equal to any value or Not equal to any value	X-Forwarded-Tls-Ja3
TLS fingerprint (JA4)	The JA4 fingerprint generated during TLS handshake. It is used to identify device types and malicious tools.	--		X-Forwarded-Tls-Ja4
Header Content Length	The request header content length. The value must be an integer ranging from 0 to 2,147,483,647. The maximum value for cloud load balancer access mode is 4,000 bytes. If the value exceeds the maximum, the configuration does not take effect.	--	The following logical relationships are supported: Greater than Equal to Less than	123
Logical relationships and reference tables: If you set Logic to Include any value, Exclude any value, Equal to any value, Not equal to any value, Prefix is any value, Prefix is not any of them, Suffix is any value, or Suffix is not any of them, you can select a reference table for Content. For details about how to add a reference table and manage reference tables, see Creating a Reference Table to Configure Protection Metrics in Batches.