Last update: 2024-10-25 14:27:46
This page introduces basic configuration concepts to help you configure security policies and protection rules.
You can specify the response to execute when a rule or security policy is triggered. You can choose from predefined actions or provide a custom response for denied operations. The supported actions include:
Rule Action | Description | DDoS Protection | Web Protection | Bot Mgmt | API Security | Threat Intelligence | Rate Limiting | Custom Rule |
---|---|---|---|---|---|---|---|---|
Deny | Deny requests with a default 403 response. | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Log | Only log requests and continue further detection. | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
Not Used | The rule does not take effect. | Yes | Yes | Yes | Yes | Yes | Yes | |
Skip | Do not execute this detection or any further detection. | Yes | ||||||
Delay | Delay responses to the client by 3 seconds. | Yes | Yes | Yes | ||||
Deny Connection | Reset established TCP connections with the client and do not receive new connections from the same client IP. | Yes | ||||||
Reset Connection | Send a RST to the client to close the established TCP connection, without responding to the HTTP request. | Yes | Yes | Yes | ||||
Cookie Challenge | Respond with a 302 redirect carrying the Set-Cookie header to verify that the client supports cookies. Only applicable to Web/H5 applications accessed from a browser. | Yes | ||||||
JavaScript Challenge | Respond with JavaScript code to verify that the client supports JavaScript. Only applicable to HTML requests of Web/H5 applications. | Yes | ||||||
DDoS Managed Challenge | Respond with an adaptive Cookie or JavaScript challenge based on the request content type. Only available for some DDoS managed rules. | Yes | ||||||
Bot Managed Challenge | Not an optional action. Responds with adaptive Cookie or JavaScript authentication on GET requests only when the Web Bot Detection is intercepted. | Yes |
Match conditions define the request features that a given security policy detects. Custom Rules, Rate Limiting, Whitelist, and other security policies use the same configuration structure. This page lists all currently available match condition fields.
Field | Description | Supported Operator | Case-Sensitive Match | Supports Multiple Match Values |
---|---|---|---|---|
IP/CIDR | Match or exclude specific client IP addresses, supporting both IPv4 and IPv6. | equals | - | yes |
IP/CIDR |  | does not equal | - | yes |
Path | Match the rules based on the specific path contained in the request. The path starts with "/" and does not contain the domain name or parameter information. For example, for www.test.com/common/ecs/channel?code=1&type=2, the path is /common/ecs/channel. | equals | yes | yes |
Path |  | does not equal | yes | yes |
Path |  | contains | no | yes |
Path |  | does not contain | no | yes |
Path |  | starts with | no | yes |
Path |  | ends with | no | yes |
Path |  | wildcard match | no | yes |
Path |  | wildcard mismatch | no | yes |
Path |  | regex match | no | no |
Path |  | regex mismatch | no | no |
URI | Match the rules based on the specific URI contained in the request. The URI starts with "/" and contains parameter information, for example: /common/ecs/channel?code=1&type=2. | equals | yes | yes |
URI |  | does not equal | yes | yes |
URI |  | contains | no | yes |
URI |  | does not contain | no | yes |
URI |  | starts with | no | yes |
URI |  | ends with | no | yes |
URI |  | wildcard match | no | yes |
URI |  | wildcard mismatch | no | yes |
URI |  | regex match | no | no |
URI |  | regex mismatch | no | no |
User-Agent | Match the rules based on the value of User-Agent. | equals | yes | yes |
User-Agent |  | does not equal | yes | yes |
User-Agent |  | contains | no | yes |
User-Agent |  | does not contain | no | yes |
User-Agent |  | does not exist or has no value | - | - |
User-Agent |  | starts with | no | yes |
User-Agent |  | ends with | no | yes |
User-Agent |  | wildcard match | no | yes |
User-Agent |  | wildcard mismatch | no | yes |
User-Agent |  | regex match | no | no |
User-Agent |  | regex mismatch | no | no |
Referer | Match the rules based on the value of Referer. | equals | yes | yes |
Referer |  | does not equal | yes | yes |
Referer |  | contains | no | yes |
Referer |  | does not contain | no | yes |
Referer |  | does not exist or has no value | - | - |
Referer |  | starts with | no | yes |
Referer |  | ends with | no | yes |
Referer |  | wildcard match | no | yes |
Referer |  | wildcard mismatch | no | yes |
Referer |  | regex match | no | no |
Referer |  | regex mismatch | no | no |
Request Header | Match the rules based on the value of a specific request header (the request header name is case-insensitive). | equals | yes | yes |
Request Header |  | does not equal | yes | yes |
Request Header |  | contains | no | yes |
Request Header |  | does not contain | no | yes |
Request Header |  | does not exist or has no value | - | - |
Request Header |  | starts with | no | yes |
Request Header |  | ends with | no | yes |
Request Header |  | wildcard match | no | yes |
Request Header |  | wildcard mismatch | no | yes |
Request Header |  | regex match | no | no |
Request Header |  | regex mismatch | no | no |
Request Method | Match or exclude specific request methods. | equals | - | - |
Request Method |  | does not equal | - | - |
Geo | Match or exclude requests from specific regions. | equals | - | - |
Geo |  | does not equal | - | - |
Response Code | Match or exclude requests with specific status codes. Only the status codes in the response stage are counted. | equals | - | - |
Response Code |  | does not equal | - | - |
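
The following is an added example, not taken from the product or its documentation: a local Python model of the operator table above for checking how a draft match value behaves against a sample request before a rule is published. The request dictionary, the function names, OR semantics across multiple match values, and the handling of a missing header are assumptions; wildcard and regex operators are left out.

```python
from urllib.parse import urlsplit

# Case sensitivity per operator, copied from the table above (True = case-sensitive).
CASE_SENSITIVE = {"equals": True, "does not equal": True, "contains": False,
                  "does not contain": False, "starts with": False, "ends with": False}
TESTS = {"equals": lambda v, m: v == m, "contains": lambda v, m: m in v,
         "starts with": lambda v, m: v.startswith(m),
         "ends with": lambda v, m: v.endswith(m)}
NEGATED = {"does not equal": "equals", "does not contain": "contains"}


def field_value(request, field):
    """Extract a match field from a request dict {'url': ..., 'headers': {...}}."""
    parts = urlsplit(request["url"])
    if field == "Path":                       # no domain name, no parameters
        return parts.path
    if field == "URI":                        # path plus parameter information
        return parts.path + ("?" + parts.query if parts.query else "")
    headers = {k.lower(): v for k, v in request["headers"].items()}
    return headers.get(field.lower())         # header names are case-insensitive


def matches(request, field, operator, values=()):
    """Return True if the condition (field, operator, values) matches the request."""
    value = field_value(request, field)
    if operator == "does not exist or has no value":
        return not value                      # absent header or empty string
    if value is None:                         # assumed: a missing header only
        return operator in NEGATED            # satisfies the negated operators
    positive = NEGATED.get(operator, operator)
    if not CASE_SENSITIVE[operator]:
        value, values = value.lower(), [m.lower() for m in values]
    hit = any(TESTS[positive](value, m) for m in values)   # assumed: OR over values
    return hit != (operator in NEGATED)


# Constructed sample request (scheme added so the URL parses; not real traffic).
SAMPLE = {"url": "https://www.test.com/Common/ecs/channel?code=1&type=2",
          "headers": {"User-Agent": "", "X-Client": "Mobile-App"}}

if __name__ == "__main__":
    for cond in [("Path", "equals", ["/common/ecs/channel"]),
                 ("Path", "starts with", ["/common/"]),
                 ("URI", "contains", ["CODE=1"])]:
        print(cond, "->", matches(SAMPLE, *cond))
```

Against the constructed request, the mixed-case path is missed by the case-sensitive `equals` condition but caught by `starts with`, and the query string is visible to `URI` conditions only.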
Items | Description |
---|---|
Match Conditions | Specify the scope of requests that the policy needs to detect, using conditions such as paths, APIs, IP addresses, and request headers. |
Client Identifier | Specify the identity of the client, including Client IP, Cookie, Request Header, etc. |
Trigger Condition | Specify the conditions that trigger the rule. |
Action Expiration Time | When a policy is triggered, the expiration time defines how long the response action is maintained. This can limit requests that occur at a high rate. |
Effective Time Period | Specify the time when the rule takes effect. |
Action | Description |
---|---|
Publish Changes | Use with caution: this action deploys the configuration of the current function item to the production environment. The deployment is expected to be completed in 2 minutes after the task is delivered. |
Policy Duplicator | Synchronize certain configuration items to other hostnames simultaneously. During deployment, this operation overwrites the corresponding configuration items of the selected hostname with the selected configuration items of the current domain name. |