Basic Concept

Last update:2024-10-28 17:27:37

This page introduces basic configuration concepts to help you configure security policies and protection rules.

Rule Actions

In response to triggering rules, you can specify the response to be executed when a rule or security policy is triggered. You can choose from predefined actions or provide a custom response for denied operations. The supported actions include:

Rule Action Description DDoS Protection Web Protection Bot Mgmt API Security Threat Intelligence Rate Limiting Custom Rule
Deny Deny requests by a default 403 response. Yes Yes Yes Yes Yes Yes Yes
Log Only log requests and continue further detection. Yes Yes Yes Yes Yes Yes Yes
Not Used  Do not this rule take effects. Yes Yes Yes Yes Yes Yes
Skip Do not execute this detection as well as the further detection. Yes
Delay Delay responses to client by 3 seconds. Yes Yes Yes
Deny Connection Reset established TCP connections with client and do not recieve new connections from the same client IP. Yes
Reset Connection Send a RST to client to close established TCP connection, without responding HTTP request. Yes Yes Yes
Cookie Challenge Respond a 302 redirect response with the Set-Cookie header to verify if client supports cookie. Only applicable to Web/H5 applications accessed from browser.  Yes
JavaScript Challenge Respond a JavaScript code to verify if client supports JavaScript. Only applicable to HTML requests of Web/H5 applications. Yes
DDoS Managed Challenge Respond adaptive Cookie or JavaScript challenge action based on request content type, only available for some of DDoS managed rules. Yes
Bot Managed Challenge Not an optional action, respond adaptive Cookie or JavaScript authentication on GET requests only when the Web Bot Detection is intercepted. Yes

Match Conditions

By defining match conditions, implement the request features to be detected by the specified security policy. Custom Rules, Rate Limiting, Whitelist, and other security policies use the same configuration structure. This page lists all currently available matching condition fields.

Field Description Supported Operator Case-Sensitive Match
Supports Multiple Match Values
IP/CIDR Match or exclude specific client IP addresses, supporting both IPv4 and IPv6. equals - yes
does not equal - yes
Path Match the rules based on the specific path contained in the request. The path starts with "/", does not contain domain name and parameter information, for example: www.test.com/common/ecs/channel?code=1&type=2, the path is /common/ecs/channel. equals yes yes
does not equal yes yes
contains no yes
does not contain no yes
starts with no yes
ends with no yes
wildcard match no yes
wildcard mismatch no yes
regex match no no
regex mismatch no no
URI Match the rules based on the specific URI contained in the request. The URI starts with "/", contains parameter information, for example: /common/ecs/channel?code=1&type=2. equals yes yes
does not equal yes yes
contains no yes
does not contain no yes
starts with no yes
ends with no yes
wildcard match no yes
wildcard mismatch no yes
regex match no no
regex mismatch no no
User-Agent Match the rules based on the value of User-Agent. equals yes yes
does not equal yes yes
contains no yes
does not contain no yes
does not exist or has no value - -
starts with no yes
ends with no yes
wildcard match no yes
wildcard mismatch no yes
regex match no no
regex mismatch no no
Referer Match the rules based on the value of Referer. equals yes yes
does not equal yes yes
contains no yes
does not contain no yes
does not exist or has no value - -
starts with no yes
ends with no yes
wildcard match no yes
wildcard mismatch no yes
regex match no no
regex mismatch no no
Request Header Match the rules based on the value of a specific request header (the case of the request header name is insensitive). equals yes yes
does not equal yes yes
contains no yes
does not contain no yes
does not exist or has no value - -
starts with no yes
ends with no yes
wildcard match no yes
wildcard mismatch no yes
regex match no no
regex mismatch no no
Request Method Match or exclude specific request methods. equals - -
does not equal - -
Geo Match or exclude requests from specific regions. equals - -
does not equal - -
Response Code Match or exclude requests with specific status codes. Only the status codes in the response stage are counted. equals - -
does not equal - -

Add Rules

Items Description
Match Conditions Specify the scope of requests that need to be detected by the policy by specifying conditions such as paths, APIs, IP Addresses, and Request Header, etc.  
Client Identifier Specify the identity of the client, including Client IP, Cookie, Request Header, etc. 
Trigger Condition Specify the conditions that trigger the rule. 
Action Expiration Time When a policy is triggered, the expiration time defines the duration of the response action is maintained. This can limit requests that occur at a high rate.
Effective Time Period Specify The time when the rule takes effect. 

Deployment

Action Description
Publish Changes Please be caution, this action deploying the configuration of the current function item to the production environment. The deployment is expected to be completed in 2 minutes after the task is delivered.
Policy Duplicator Synchronize certain configuration to other hostnames simultaneously. This operation overwrites the corresponding configuration items of the selected hostname with the selected configuration items of the current domain name during deployment. 
Is the content of this document helpful to you?
Yes
I have suggestion
Submitted successfully! Thank you very much for your feedback, we will continue to strive to do better!