Whitelist rules let specific requests bypass all or selected WAF protection modules, preventing false positives from internal services or known partners.
A whitelist rule has two parts: a match condition that identifies requests, and a skip target that specifies which protections to bypass.
Skip targets
Each whitelist rule requires a skip target:
| Skip target | Description | Example use case |
| --- | --- | --- |
| All Rules | Bypass all WAF and bot management rules | Requests from an internal monitoring system |
| Specific Rule Category/ID | Bypass selected protections only | A trusted API that triggers a specific managed rule |
Available categories for Specific Rule Category/ID:
- Abuse Prevention
- Bot Management
- Custom Rules
- Deep Learning and Protection
- HTTP DDoS Attack Protection
- Managed Rules
- Rate Limiting
- Scan Protection
- Security Level
- Smart Rate Limiting
You can also enter up to 50 comma-separated rule IDs in the Rule ID field. At least one of Rule Category and Rule ID is required.
Create a whitelist rule
Prerequisites
Make sure you have:
- An ESA site with WAF enabled
- Available whitelist rule quota for your plan
Procedure
- In the ESA console, go to Websites. In the Actions column for the target site, click .
- Navigate to .
- Click Create Rule.
- Enter a Rule Name.
- In the If requests match... section, define match conditions. Available fields and operators are described in Composition of a rule expression.
- In the Then skip... section, select the protections to bypass:
  - Select All Rules to bypass all WAF and bot management rules.
  - Select Specific Rule Category/ID, then choose categories from the Rule Category dropdown, enter rule IDs in the Rule ID field, or both.
- Click OK.
Plan quotas
Maximum whitelist rules per ESA plan:
| Feature | Free Edition | Basic Edition | Standard Edition | Premium Edition | Enterprise Edition |
| --- | --- | --- | --- | --- | --- |
| Number of whitelist rules | 1 | 2 | 3 | 5 | 10 |
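
The limits on this page (the category list, at most 50 rule IDs, at least one of Rule Category and Rule ID, and the per-plan quota) can be checked against a planned rule set before it is entered in the console, with every All Rules skip flagged for review. The following Python lint is an added example, not ESA code or an ESA API; the dict layout, rule names, match descriptions and rule IDs are constructed for illustration.

```python
# Added example. Limits and names come from this page; the dict layout for a
# planned rule is an assumption of this sketch, not an ESA export or API format.
CATEGORIES = {
    "Abuse Prevention", "Bot Management", "Custom Rules",
    "Deep Learning and Protection", "HTTP DDoS Attack Protection",
    "Managed Rules", "Rate Limiting", "Scan Protection",
    "Security Level", "Smart Rate Limiting",
}
PLAN_QUOTA = {"Free": 1, "Basic": 2, "Standard": 3, "Premium": 5, "Enterprise": 10}
MAX_RULE_IDS = 50

def lint_rule(rule):
    """Return findings for one planned whitelist rule."""
    findings = []
    if not rule.get("match"):
        findings.append("error: no match condition")
    skip = rule.get("skip")
    if skip == "All Rules":
        findings.append("warn: skips all WAF and bot management rules")
    elif skip == "Specific Rule Category/ID":
        cats = rule.get("categories", [])
        ids = [p.strip() for p in rule.get("rule_ids", "").split(",") if p.strip()]
        unknown = sorted(set(cats) - CATEGORIES)
        if unknown:
            findings.append("error: unknown category: " + ", ".join(unknown))
        if not cats and not ids:
            findings.append("error: Rule Category or Rule ID is required")
        if len(ids) > MAX_RULE_IDS:
            findings.append(f"error: {len(ids)} rule IDs, limit is {MAX_RULE_IDS}")
    else:
        findings.append(f"error: unknown skip target {skip!r}")
    return findings

def lint_site(plan, rules):
    """Lint each rule, then check the rule count against the plan quota."""
    report = {r["name"]: lint_rule(r) for r in rules}
    if len(rules) > PLAN_QUOTA[plan]:
        report["(quota)"] = [f"error: {len(rules)} rules, {plan} allows {PLAN_QUOTA[plan]}"]
    return report

# Constructed sample: names, free-text match descriptions and rule IDs are invented.
PLANNED = [
    {"name": "monitoring", "match": "source IP 203.0.113.10", "skip": "All Rules"},
    {"name": "partner-api", "match": "path under /api/v1/", "categories": ["Managed Rules"],
     "rule_ids": "1001, 1002", "skip": "Specific Rule Category/ID"},
    {"name": "empty-skip", "match": "path /health", "skip": "Specific Rule Category/ID"},
]
if __name__ == "__main__":
    print(lint_site("Basic", PLANNED))
```

Warnings on All Rules entries are prompts to check whether a Specific Rule Category/ID skip would cover the false positive instead.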