

**Introducing a new console experience for Amazon WAF**

You can now use the updated experience to access Amazon WAF functionality anywhere in the console. For more details, see [Working with the console](https://docs.amazonaws.cn/waf/latest/developerguide/working-with-console.html). 

# Working with rules
<a name="classic-web-acl-rules"></a>

**Warning**  
Amazon WAF Classic is going through a planned end-of-life process. Refer to your Amazon Health dashboard for the milestones and dates specific to your Region.

**Note**  
This is **Amazon WAF Classic** documentation. You should only use this version if you created Amazon WAF resources, like rules and web ACLs, in Amazon WAF prior to November 2019, and you have not migrated them over to the latest version yet. To migrate your web ACLs, see [Migrating your Amazon WAF Classic resources to Amazon WAF](waf-migrating-from-classic.md).  
**For the latest version of Amazon WAF**, see [Amazon WAF](waf-chapter.md). 

Rules let you precisely target the web requests that you want Amazon WAF Classic to allow or block by specifying the exact conditions that you want Amazon WAF Classic to watch for. For example, Amazon WAF Classic can watch for the IP addresses that requests originate from, the strings that the requests contain and where the strings appear, and whether the requests appear to contain malicious SQL code.

**Topics**
+ [Creating a rule and adding conditions](classic-web-acl-rules-creating.md)
+ [Adding and removing conditions in a rule](classic-web-acl-rules-editing.md)
+ [Deleting a rule](classic-web-acl-rules-deleting.md)
+ [Amazon Web Services Marketplace rule groups](classic-waf-managed-rule-groups.md)

# Creating a rule and adding conditions
<a name="classic-web-acl-rules-creating"></a>

If you add more than one condition to a rule, a web request must match all the conditions for Amazon WAF Classic to allow or block requests based on that rule.<a name="classic-web-acl-rules-creating-procedure"></a>

**To create a rule and add conditions**

1. Sign in to the Amazon Web Services Management Console and open the Amazon WAF console at [https://console.amazonaws.cn/wafv2/](https://console.amazonaws.cn/wafv2/). 

   If you see **Switch to Amazon WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **Rules**.

1. Choose **Create rule**.

1. Enter the following values:  
**Name**  
Enter a name.   
**CloudWatch metric name**  
Enter a name for the CloudWatch metric that Amazon WAF Classic will create and will associate with the rule. The name can contain only alphanumeric characters (A-Z, a-z, 0-9), with maximum length 128 and minimum length one. It can't contain white space or metric names reserved for Amazon WAF Classic, including "All" and "Default\_Action".  
**Rule type**  
Choose either `Regular rule` or `Rate-based rule`. Rate-based rules are identical to regular rules, but also take into account how many requests arrive from an IP address in a five-minute period. For more information about these rule types, see [How Amazon WAF Classic works](classic-how-aws-waf-works.md).  
**Rate limit**  
For a rate-based rule, enter the maximum number of requests to allow in any five-minute period from an IP address that matches the rule's conditions. The rate limit must be at least 100.   
You can specify a rate limit alone, or a rate limit and conditions. If you specify only a rate limit, Amazon WAF places the limit on all IP addresses. If you specify a rate limit and conditions, Amazon WAF places the limit on IP addresses that match the conditions.   
When an IP address reaches the rate limit threshold, Amazon WAF applies the assigned action (block or count) as quickly as possible, usually within 30 seconds. Once the action is in place, if five minutes pass with no requests from the IP address, Amazon WAF resets the counter to zero.

1. To add a condition to the rule, specify the following values:   
**When a request does/does not**  
If you want Amazon WAF Classic to allow or block requests based on the filters in a condition, choose **does**. For example, if an IP match condition includes the IP address range 192.0.2.0/24 and you want Amazon WAF Classic to allow or block requests that come from those IP addresses, choose **does**.  
If you want Amazon WAF Classic to allow or block requests based on the inverse of the filters in a condition, choose **does not**. For example, if an IP match condition includes the IP address range 192.0.2.0/24 and you want Amazon WAF Classic to allow or block requests that *do not* come from those IP addresses, choose **does not**.  
**match/originate from**  
Choose the type of condition that you want to add to the rule:  
   + Cross-site scripting match conditions – choose **match at least one of the filters in the cross-site scripting match condition**
   + IP match conditions – choose **originate from an IP address in**
   + Geo match conditions – choose **originate from a geographic location in**
   + Size constraint conditions – choose **match at least one of the filters in the size constraint condition**
   + SQL injection match conditions – choose **match at least one of the filters in the SQL injection match condition**
   + String match conditions – choose **match at least one of the filters in the string match condition**
   + Regular expression match conditions – choose **match at least one of the filters in the regex match condition**  
**condition name**  
Choose the condition that you want to add to the rule. The list displays only conditions of the type that you chose in the preceding step.

1. To add another condition to the rule, choose **Add another condition**, and repeat steps 4 and 5. Note the following:
   + If you add more than one condition, a web request must match at least one filter in every condition for Amazon WAF Classic to allow or block requests based on that rule.
   + If you add two IP match conditions to the same rule, Amazon WAF Classic only allows or blocks requests that originate from IP addresses that appear in both IP match conditions.

1. When you're finished adding conditions, choose **Create**.
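The matching semantics that steps 4 to 6 describe (at least one filter within a condition, every condition on the rule, **does not** inverting a single condition, and a rate-based rule counting matching requests per source IP over five minutes) can be checked against a small model. The following is an added example, not Amazon's implementation or code from this guide; the request fields, the CIDR ranges, and the treatment of the threshold and the five-minute window are assumptions, as noted in the comments.

```python
"""Toy model of Amazon WAF Classic rule matching (added example, not Amazon code).

Mirrors the semantics stated in the procedure:
  * a request matches a condition if it matches at least ONE of its filters;
  * a request matches a rule only if it matches EVERY condition (AND);
  * choosing "does not" inverts one condition;
  * a rate-based rule additionally counts, per source IP, only the requests
    that match all of its conditions, over a five-minute window.
Assumptions: the rule trips on the first request beyond the limit, and the
window is a simple sliding 300-second window (the guide only says the action
is applied "usually within 30 seconds" and resets after five idle minutes).
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Request:
    source_ip: str
    uri: str = "/"
    timestamp: float = 0.0          # seconds on a constructed clock


@dataclass
class IPMatchCondition:
    cidrs: List[str]                # each CIDR is one filter of the condition

    def matches(self, req: Request) -> bool:
        ip = ip_address(req.source_ip)
        return any(ip in ip_network(c) for c in self.cidrs)


@dataclass
class StringMatchCondition:
    uri_substrings: List[str]       # each substring is one filter

    def matches(self, req: Request) -> bool:
        return any(s in req.uri for s in self.uri_substrings)


@dataclass
class Predicate:
    """One condition as attached to a rule, with its does / does not switch."""
    condition: object
    negated: bool = False           # True == "does not"

    def matches(self, req: Request) -> bool:
        return self.condition.matches(req) != self.negated


@dataclass
class Rule:
    predicates: List[Predicate]
    rate_limit: Optional[int] = None    # None == regular rule
    window_seconds: float = 300.0
    _seen: Dict[str, deque] = field(default_factory=lambda: defaultdict(deque))

    def matches(self, req: Request) -> bool:
        """True when the rule's action (allow/block/count) would apply."""
        if not all(p.matches(req) for p in self.predicates):
            return False
        if self.rate_limit is None:
            return True
        # Rate-based: only requests that matched every condition are counted.
        seen = self._seen[req.source_ip]
        seen.append(req.timestamp)
        while seen and seen[0] < req.timestamp - self.window_seconds:
            seen.popleft()          # five idle minutes empties the counter
        return len(seen) > self.rate_limit
```

Two IP match conditions on one rule therefore match only addresses that fall in both ranges, which is the intersection behaviour the note above warns about.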

# Adding and removing conditions in a rule
<a name="classic-web-acl-rules-editing"></a>

You can change a rule by adding or removing conditions. <a name="classic-web-acl-rules-editing-procedure"></a>

**To add or remove conditions in a rule**

1. Sign in to the Amazon Web Services Management Console and open the Amazon WAF console at [https://console.amazonaws.cn/wafv2/](https://console.amazonaws.cn/wafv2/). 

   If you see **Switch to Amazon WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **Rules**.

1. Choose the name of the rule in which you want to add or remove conditions.

1. Choose **Add rule**.

1. To add a condition, choose **Add condition** and specify the following values:  
**When a request does/does not**  
If you want Amazon WAF Classic to allow or block requests based on the filters in a condition, for example, web requests that originate from the range of IP addresses 192.0.2.0/24, choose **does**.  
If you want Amazon WAF Classic to allow or block requests based on the inverse of the filters in a condition, choose **does not**. For example, if an IP match condition includes the IP address range 192.0.2.0/24 and you want Amazon WAF Classic to allow or block requests that *do not* come from those IP addresses, choose **does not**.  
**match/originate from**  
Choose the type of condition that you want to add to the rule:  
   + Cross-site scripting match conditions – choose **match at least one of the filters in the cross-site scripting match condition**
   + IP match conditions – choose **originate from an IP address in**
   + Geo match conditions – choose **originate from a geographic location in**
   + Size constraint conditions – choose **match at least one of the filters in the size constraint condition**
   + SQL injection match conditions – choose **match at least one of the filters in the SQL injection match condition**
   + String match conditions – choose **match at least one of the filters in the string match condition**
   + Regular expression match conditions – choose **match at least one of the filters in the regex match condition**  
**condition name**  
Choose the condition that you want to add to the rule. The list displays only conditions of the type that you chose in the preceding step.

1. To remove a condition, select the **X** to the right of the condition name.

1. Choose **Update**.

# Deleting a rule
<a name="classic-web-acl-rules-deleting"></a>

If you want to delete a rule, you need to first remove the rule from the web ACLs that are using it and remove the conditions that are included in the rule.<a name="classic-web-acl-rules-deleting-procedure"></a>

**To delete a rule**

1. Sign in to the Amazon Web Services Management Console and open the Amazon WAF console at [https://console.amazonaws.cn/wafv2/](https://console.amazonaws.cn/wafv2/). 

   If you see **Switch to Amazon WAF Classic** in the navigation pane, select it.

1. To remove the rule from the web ACLs that are using it, perform the following steps for each of the web ACLs:

   1. In the navigation pane, choose **Web ACLs**.

   1. Choose the name of a web ACL that is using the rule that you want to delete.
**Note**  
If you don't see the web ACL, make sure the Region selection is correct. Web ACLs that protect Amazon CloudFront distributions are in **Global (CloudFront)**.

   1. Choose the **Rules** tab.

   1. Choose **Edit web ACL**.

   1. Choose the **X** to the right of the rule that you want to delete, and then choose **Update**.

1. In the navigation pane, choose **Rules**.

1. Select the name of the rule you want to delete.
**Note**  
If you don't see the rule, make sure the Region selection is correct. Rules that protect Amazon CloudFront distributions are in **Global (CloudFront)**.

1. Choose **Delete**.

# Amazon Web Services Marketplace rule groups
<a name="classic-waf-managed-rule-groups"></a>

Amazon WAF Classic provides *Amazon Web Services Marketplace rule groups* to help you protect your resources. Amazon Web Services Marketplace rule groups are collections of predefined, ready-to-use rules that are written and updated by Amazon and Amazon partner companies.

Some Amazon Web Services Marketplace rule groups are designed to help protect specific types of web applications like WordPress, Joomla, or PHP. Other Amazon Web Services Marketplace rule groups offer broad protection against known threats or common web application vulnerabilities, such as those listed in the [OWASP Top 10](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project).

You can install a single Amazon Web Services Marketplace rule group from your preferred Amazon partner, and you can also add your own customized Amazon WAF Classic rules for increased protection. If you are subject to regulatory compliance like PCI or HIPAA, you might be able to use Amazon Web Services Marketplace rule groups to satisfy web application firewall requirements.

Amazon Web Services Marketplace rule groups are available with no long-term contracts, and no minimum commitments. When you subscribe to a rule group, you are charged a monthly fee (prorated hourly) and ongoing request fees based on volume. For more information, see [Amazon WAF Classic Pricing](https://aws.amazon.com/waf/pricing/) and the description for each Amazon Web Services Marketplace rule group on Amazon Web Services Marketplace.

## Automatic updates
<a name="classic-waf-managed-rule-group-updates"></a>

Keeping up to date on the constantly changing threat landscape can be time consuming and expensive. Amazon Web Services Marketplace rule groups can save you time when you implement and use Amazon WAF Classic. Another benefit is that Amazon and our Amazon partners automatically update Amazon Web Services Marketplace rule groups when new vulnerabilities and threats emerge.

Many of our partners are notified of new vulnerabilities before public disclosure. They can update their rule groups and deploy them to you even before a new threat is widely known. Many also have threat research teams to investigate and analyze the most recent threats in order to write the most relevant rules.

## Access to the rules in an Amazon Web Services Marketplace rule group
<a name="classic-waf-managed-rule-group-edits"></a>

Each Amazon Web Services Marketplace rule group provides a comprehensive description of the types of attacks and vulnerabilities that it's designed to protect against. To protect the intellectual property of the rule group providers, you can't view the individual rules within a rule group. This restriction also helps to keep malicious users from designing threats that specifically circumvent published rules.

Because you can’t view individual rules in an Amazon Web Services Marketplace rule group, you also can't edit any rules in an Amazon Web Services Marketplace rule group. However, you can exclude specific rules from a rule group. This is called a "rule group exception." Excluding rules does not remove those rules. Rather, it changes the action for the rules to `COUNT`. Therefore, requests that match an excluded rule are counted but not blocked. You will receive COUNT metrics for each excluded rule.

Excluding rules can be helpful when troubleshooting rule groups that are blocking traffic unexpectedly (false positives). One troubleshooting technique is to identify the specific rule within the rule group that is blocking the desired traffic and then disable (exclude) that particular rule.

In addition to excluding specific rules, you can refine your protection by enabling or disabling entire rule groups, as well as choosing the rule group action to perform. For more information, see [Using Amazon Web Services Marketplace rule groups](#classic-waf-managed-rule-group-using). 

## Quotas
<a name="classic-waf-managed-rule-group-limits"></a>

You can enable only one Amazon Web Services Marketplace rule group. You can also enable one custom rule group that you create using Amazon Firewall Manager. These rule groups count towards the 10 rule maximum quota per web ACL. Therefore, you can have one Amazon Web Services Marketplace rule group, one custom rule group, and up to eight custom rules in a single web ACL.

## Pricing
<a name="classic-waf-managed-rule-group-pricing"></a>

For Amazon Web Services Marketplace rule group pricing, see [Amazon WAF Classic Pricing](https://aws.amazon.com/waf/pricing/) and the description for each Amazon Web Services Marketplace rule group on Amazon Web Services Marketplace.

## Using Amazon Web Services Marketplace rule groups
<a name="classic-waf-managed-rule-group-using"></a>

You can subscribe to and unsubscribe from Amazon Web Services Marketplace rule groups on the Amazon WAF Classic console. You can also exclude specific rules from a rule group.<a name="classic-waf-managed-rule-group-using-procedure"></a>

**To subscribe to and use an Amazon Web Services Marketplace rule group**

1. Sign in to the Amazon Web Services Management Console and open the Amazon WAF console at [https://console.amazonaws.cn/wafv2/](https://console.amazonaws.cn/wafv2/). 

   If you see **Switch to Amazon WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **Marketplace**.

1. In the **Available marketplace products** section, choose the name of a rule group to view the details and pricing information.

1. If you want to subscribe to the rule group, choose **Continue**.
**Note**  
If you don't want to subscribe to this rule group, simply close this page in your browser.

1. Choose **Set up your account**.

1. Add the rule group to a web ACL, just as you would add an individual rule. For more information, see [Creating a Web ACL](classic-web-acl-creating.md) or [Editing a Web ACL](classic-web-acl-editing.md).
**Note**  
When adding a rule group to a web ACL, the action that you set for the rule group (either **No override** or **Override to count**) is called the rule group override action. For more information, see [Rule group override](#classic-waf-managed-rule-group-override).<a name="classic-waf-managed-rule-group-unsubscribe-procedure"></a>

**To unsubscribe from an Amazon Web Services Marketplace rule group**

1. Sign in to the Amazon Web Services Management Console and open the Amazon WAF console at [https://console.amazonaws.cn/wafv2/](https://console.amazonaws.cn/wafv2/). 

   If you see **Switch to Amazon WAF Classic** in the navigation pane, select it.

1. Remove the rule group from all web ACLs. For more information, see [Editing a Web ACL](classic-web-acl-editing.md).

1. In the navigation pane, choose **Marketplace**.

1. Choose **Manage your subscriptions**.

1. Choose **Cancel subscription** next to the name of the rule group that you want to unsubscribe from.

1. Choose **Yes, cancel subscription**.<a name="classic-waf-managed-rule-group-exclude-rule-procedure"></a>

**To exclude a rule from a rule group (rule group exception)**

1. Sign in to the Amazon Web Services Management Console and open the Amazon WAF console at [https://console.amazonaws.cn/wafv2/](https://console.amazonaws.cn/wafv2/). 

   If you see **Switch to Amazon WAF Classic** in the navigation pane, select it.

1. If not already enabled, enable Amazon WAF Classic logging. For more information, see [Logging Web ACL traffic information](classic-logging.md). Use the Amazon WAF Classic logs to identify the IDs of the rules that you want to exclude. These are typically rules that are blocking legitimate requests.

1. In the navigation pane, choose **Web ACLs**.

1. Choose the name of the web ACL that you want to edit. This opens a page with the web ACL's details in the right pane.
**Note**  
The rule group that you want to edit must be associated with a web ACL before you can exclude a rule from that rule group.

1. On the **Rules** tab in the right pane, choose **Edit web ACL**.

1. In the **Rule group exceptions** section, expand the rule group that you want to edit.

1. Choose the **X** next to the rule that you want to exclude. You can identify the correct rule ID by using the Amazon WAF Classic logs.

1. Choose **Update**.

   Excluding rules does not remove those rules from the rule group. Rather, it changes the action for the rules to `COUNT`. Therefore, requests that match an excluded rule are counted but not blocked. You will receive `COUNT` metrics for each excluded rule.
**Note**  
You can use this same procedure to exclude rules from custom rule groups that you have created in Amazon Firewall Manager. However, rather than excluding a rule from a custom rule group using these steps, you can also simply edit a custom rule group using the steps described in [Adding and deleting rules from an Amazon WAF Classic rule group](classic-rule-group-editing.md).

## Rule group override
<a name="classic-waf-managed-rule-group-override"></a>

Amazon Web Services Marketplace rule groups have two possible actions: **No override** and **Override to count**. If you want to test the rule group, set the action to **Override to count**. This rule group action overrides any *block* action that is specified by individual rules contained within the group. That is, if the rule group's action is set to **Override to count**, instead of potentially blocking matching requests based on the action of individual rules within the group, those requests will be counted. Conversely, if you set the rule group's action to **No override**, actions of the individual rules within the group will be used.
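The way a rule group exception (described under "Access to the rules in an Amazon Web Services Marketplace rule group" and in the exclusion procedure) combines with the rule group override action described here can be made concrete with a small model. This is an added example, not Amazon's code: the rule IDs, the match functions and the sample requests are constructed, and the model checks every rule in the group rather than following any provider-specific evaluation order.

```python
"""Toy model of Amazon WAF Classic rule group actions (added example, not Amazon code).

Two controls sit on top of the provider's own rule actions:
  * rule group exceptions: an excluded rule is not removed; its action
    becomes COUNT and a COUNT metric is emitted when it matches;
  * the rule group override action: "Override to count" turns every BLOCK
    inside the group into COUNT, "No override" keeps the rules' own actions.
Rule IDs, match functions and requests below are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class GroupRule:
    rule_id: str
    action: str                        # "BLOCK" or "COUNT", set by the provider
    matches: Callable[[Dict[str, str]], bool]


@dataclass
class RuleGroup:
    rules: List[GroupRule]
    excluded: Set[str] = field(default_factory=set)   # rule group exceptions
    override_to_count: bool = False                   # False == "No override"

    def effective_action(self, rule: GroupRule) -> str:
        if self.override_to_count or rule.rule_id in self.excluded:
            return "COUNT"
        return rule.action

    def evaluate(self, request: Dict[str, str]) -> Tuple[str, List[str]]:
        """Return ("BLOCK" or "PASS", IDs of matched rules that were counted)."""
        blocked = False
        counted: List[str] = []
        for rule in self.rules:
            if not rule.matches(request):
                continue
            if self.effective_action(rule) == "BLOCK":
                blocked = True
            else:
                counted.append(rule.rule_id)   # COUNT metric for this rule
        return ("BLOCK" if blocked else "PASS"), counted

    def blocking_rule_ids(self, legitimate: List[Dict[str, str]]) -> Set[str]:
        """Step 1 of the troubleshooting procedure: which rules would block
        requests known to be legitimate? These are the exception candidates."""
        return {r.rule_id for req in legitimate for r in self.rules
                if r.matches(req) and self.effective_action(r) == "BLOCK"}


# Constructed stand-in for a marketplace rule group (IDs are not real ones).
SAMPLE_GROUP = RuleGroup(rules=[
    GroupRule("rule-admin-path", "BLOCK", lambda r: r["uri"].startswith("/admin")),
    GroupRule("rule-long-query", "BLOCK", lambda r: len(r.get("query", "")) > 64),
    GroupRule("rule-legacy-agent", "COUNT", lambda r: "Legacy/" in r.get("ua", "")),
])
```

Excluding only the rule that causes the false positive keeps the other blocking rules active, whereas **Override to count** lets every request through the group and only reports metrics.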

## Troubleshooting Amazon Web Services Marketplace rule groups
<a name="classic-waf-managed-rule-group-troubleshooting"></a>

If you find that an Amazon Web Services Marketplace rule group is blocking legitimate traffic, perform the following steps.<a name="classic-waf-managed-rule-group-troubleshooting-procedure"></a>

**To troubleshoot an Amazon Web Services Marketplace rule group**

1. Exclude the specific rules that are blocking legitimate traffic. You can identify which rules are blocking which requests using the Amazon WAF Classic logs. For more information about excluding rules, see [To exclude a rule from a rule group (rule group exception)](#classic-waf-managed-rule-group-exclude-rule-procedure).

1. If excluding specific rules does not solve the problem, you can change the action for the Amazon Web Services Marketplace rule group from **No override** to **Override to count**. This allows the web request to pass through, regardless of the individual rule actions within the rule group. This also provides you with Amazon CloudWatch metrics for the rule group.

1. After setting the Amazon Web Services Marketplace rule group action to **Override to count**, contact the rule group provider's customer support team to further troubleshoot the issue. For contact information, see the rule group listing on the product listing pages on Amazon Web Services Marketplace.

### Contacting customer support
<a name="classic-waf-managed-rule-group-troubleshooting-support"></a>

For problems with Amazon WAF Classic or a rule group that is managed by Amazon, contact Amazon Web Services Support. For problems with a rule group that is managed by an Amazon partner, contact that partner's customer support team. To find partner contact information, see the partner’s listing on Amazon Web Services Marketplace.

## Creating and selling Amazon Web Services Marketplace rule groups
<a name="classic-waf-managed-rule-group-creating"></a>

If you want to sell Amazon Web Services Marketplace rule groups on Amazon Web Services Marketplace, see [How to Sell Your Software on Amazon Web Services Marketplace](https://aws.amazon.com/marketplace/management/tour/).