Creating a rule and adding conditions - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Creating a rule and adding conditions

Note

This is Amazon WAF Classic documentation. You should only use this version if you created Amazon WAF resources, like rules and web ACLs, in Amazon WAF prior to November 2019, and you have not migrated them over to the latest version yet. To migrate your resources, see Migrating your Amazon WAF Classic resources to Amazon WAF.

For the latest version of Amazon WAF, see Amazon WAF.

If you add more than one condition to a rule, a web request must match all the conditions for Amazon WAF Classic to allow or block requests based on that rule.

To create a rule and add conditions
  1. Sign in to the Amazon Web Services Management Console and open the Amazon WAF console at https://console.amazonaws.cn/wafv2/.

    If you see Switch to Amazon WAF Classic in the navigation pane, select it.

  2. In the navigation pane, choose Rules.

  3. Choose Create rule.

  4. Enter the following values:

    Name

    Enter a name.

    CloudWatch metric name

    Enter a name for the CloudWatch metric that Amazon WAF Classic will create and will associate with the rule. The name can contain only alphanumeric characters (A-Z, a-z, 0-9), with maximum length 128 and minimum length one. It can't contain white space or metric names reserved for Amazon WAF Classic, including "All" and "Default_Action".

    Rule type

    Choose either Regular rule or Rate-based rule. Rate-based rules are identical to regular rules, but also take into account how many requests arrive from an IP address in a five-minute period. For more information about these rule types, see How Amazon WAF Classic works.

    Rate limit

    For a rate-based rule, enter the maximum number of requests to allow in any five-minute period from an IP address that matches the rule's conditions. The rate limit must be at least 100.

    You can specify a rate limit alone, or a rate limit and conditions. If you specify only a rate limit, Amazon WAF places the limit on all IP addresses. If you specify a rate limit and conditions, Amazon WAF places the limit on IP addresses that match the conditions.

    When an IP address reaches the rate limit threshold, Amazon WAF applies the assigned action (block or count) as quickly as possible, usually within 30 seconds. Once the action is in place, if five minutes pass with no requests from the IP address, Amazon WAF resets the counter to zero.

  5. To add a condition to the rule, specify the following values:

    When a request does/does not

    If you want Amazon WAF Classic to allow or block requests based on the filters in a condition, choose does. For example, if an IP match condition includes the IP address range 192.0.2.0/24 and you want Amazon WAF Classic to allow or block requests that come from those IP addresses, choose does.

    If you want Amazon WAF Classic to allow or block requests based on the inverse of the filters in a condition, choose does not. For example, if an IP match condition includes the IP address range 192.0.2.0/24 and you want Amazon WAF Classic to allow or block requests that do not come from those IP addresses, choose does not.

    match/originate from

    Choose the type of condition that you want to add to the rule:

    • Cross-site scripting match conditions – choose match at least one of the filters in the cross-site scripting match condition

    • IP match conditions – choose originate from an IP address in

    • Geo match conditions – choose originate from a geographic location in

    • Size constraint conditions – choose match at least one of the filters in the size constraint condition

    • SQL injection match conditions – choose match at least one of the filters in the SQL injection match condition

    • String match conditions – choose match at least one of the filters in the string match condition

    • Regular expression match conditions – choose match at least one of the filters in the regex match condition

    condition name

    Choose the condition that you want to add to the rule. The list displays only conditions of the type that you chose in the preceding step.

  6. To add another condition to the rule, choose Add another condition, and repeat step 5. Note the following:

    • If you add more than one condition, a web request must match at least one filter in every condition for Amazon WAF Classic to allow or block requests based on that rule

    • If you add two IP match conditions to the same rule, Amazon WAF Classic will only allow or block requests that originate from IP addresses that appear in both IP match conditions

  7. When you're finished adding conditions, choose Create.
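The matching logic that the steps above describe, as an added example written for this page (it is not code from the Amazon WAF documentation or from any AWS SDK). It models only what this page states: a request must match every condition in the rule, it matches a condition when it matches at least one of that condition's filters, "does not" inverts a condition, a rate-based rule counts requests per IP address over a five-minute period and its limit must be at least 100, and the CloudWatch metric name must be alphanumeric, 1 to 128 characters and not a reserved name. The `Condition` and `Rule` classes, the request dictionaries, the simplified per-filter matching (only IP, geo, string and regex conditions are modelled) and the choice to apply the rate-based action once the count exceeds the limit are all assumptions made for illustration.

```python
"""Model of how Amazon WAF Classic evaluates a rule's conditions.

Added example; not code from the Amazon WAF documentation or an AWS SDK.
It implements only the semantics stated on this page: a request matches a
rule when it matches EVERY condition (AND); it matches a condition when it
matches AT LEAST ONE of that condition's filters (OR); "does not" inverts a
condition; a rate-based rule additionally counts matching requests per IP
over a five-minute window. Filter matching is deliberately simplified.
"""
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

FIVE_MINUTES = 300  # seconds
RESERVED_METRIC_NAMES = {"All", "Default_Action"}


def validate_metric_name(name: str) -> bool:
    """CloudWatch metric-name rules from this page: alphanumeric only,
    1..128 characters, no white space, not a reserved name."""
    return bool(re.fullmatch(r"[A-Za-z0-9]{1,128}", name)) and name not in RESERVED_METRIC_NAMES


@dataclass
class Condition:
    kind: str              # "ip", "geo", "string" or "regex" (subset of the console's types)
    filters: List[str]     # CIDRs, country codes, substrings or regex patterns
    negated: bool = False  # True models choosing "does not" in the console

    def matches(self, request: dict) -> bool:
        uri = request.get("uri", "")
        if self.kind == "ip":
            addr = ip_address(request["ip"])
            hit = any(addr in ip_network(cidr) for cidr in self.filters)
        elif self.kind == "geo":
            hit = request.get("country") in self.filters
        elif self.kind == "string":
            hit = any(s in uri for s in self.filters)
        elif self.kind == "regex":
            hit = any(re.search(p, uri) for p in self.filters)
        else:
            raise ValueError(f"unsupported condition type {self.kind!r}")
        return hit != self.negated  # "does not" flips the outcome


@dataclass
class Rule:
    name: str
    conditions: List[Condition]
    rate_limit: Optional[int] = None  # None => regular rule
    _seen: Dict[str, List[float]] = field(default_factory=dict)  # ip -> request times

    def __post_init__(self):
        # The page states the rate limit must be at least 100.
        if self.rate_limit is not None and self.rate_limit < 100:
            raise ValueError("rate limit must be at least 100")

    def matches(self, request: dict, now: float = 0.0) -> bool:
        """True when the rule's action (allow/block/count) would apply."""
        # Every condition must match. With no conditions at all, a rate-based
        # rule limits every IP address, as the page describes.
        if not all(c.matches(request) for c in self.conditions):
            return False
        if self.rate_limit is None:
            return True
        # Rate-based: count this IP's matching requests in the last five minutes.
        ip = request["ip"]
        window = [t for t in self._seen.get(ip, []) if now - t < FIVE_MINUTES]
        window.append(now)
        self._seen[ip] = window
        # Assumption: the action applies once the count exceeds the limit.
        return len(window) > self.rate_limit


if __name__ == "__main__":
    # Constructed sample requests using documentation address ranges.
    inside_us = {"ip": "192.0.2.10", "country": "US", "uri": "/login"}
    inside_de = {"ip": "192.0.2.10", "country": "DE", "uri": "/login"}
    outside = {"ip": "203.0.113.5", "country": "US", "uri": "/login"}

    both = Rule("ip-and-geo", [Condition("ip", ["192.0.2.0/24"]),
                               Condition("geo", ["US"])])
    print(both.matches(inside_us), both.matches(inside_de))  # True False

    not_inside = Rule("not-ip", [Condition("ip", ["192.0.2.0/24"], negated=True)])
    print(not_inside.matches(outside), not_inside.matches(inside_us))  # True False
```

Two details worth noticing when running it: two IP match conditions in one rule only match addresses present in both (the intersection the note above warns about), and a rate-based rule with conditions counts only the requests that already match those conditions, so requests that fail a condition never contribute to an IP's count.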