Configure advanced custom rules for bot management

更新时间:
复制 MD 格式

The advanced custom rules module in Bot Management provides richer match fields (such as Client ID, JA3/JA4 fingerprints, and data collected by Web SDK and App SDK) and statistical dimensions (such as UMID and Session) compared to custom rules in Web Core Protection. It supports deduplication counting and origin custom header actions, meeting the needs for fine-grained bot traffic management and complex scenario defense.

Procedure

Note

Before you begin, ensure the following prerequisites are met:

  1. Protected objects exist: Your web business must be connected to WAF. If not, see Connect your business to WAF.

  2. Bot Management enabled: Subscription users must enable Bot Management (the Subscription Basic Edition does not support this feature). For more information, see Enable Bot Management.

Log on to the Web Application Firewall 3.0 console. In the top navigation bar, select the resource group and region of your WAF instance (Chinese Mainland or Outside Chinese Mainland). In the left-side navigation pane, choose Protection Config > Bot Management > Advanced Custom Rules.

Step 1: Configure the template name and protected objects

Click Create Template. In the New Template - Advanced Custom Rules panel, configure the following parameters.

  • Template Name: Set a recognizable name for the protection template.

  • Rule Configuration: Click Create Rule to add a protection rule to the current template.

  • Apply To: Select the protected objects and protected object groups to apply this template to. You can manually adjust the enabled status of protected objects or object groups both during and after template creation.

Step 2: Add protection rules to the template

In the Rule Configuration section, click Create Rule and configure the following parameters.

  • Rule Name: Set a recognizable name for the protection rule.

  • Match Condition: Set the request characteristics to match. Click Add Condition to add a condition. Each condition consists of a Match Field, a Logical Operator, and Match Content. The following table shows configuration examples:

    Note

    If a rule contains multiple conditions, the request must meet all conditions (logical AND) to hit the rule. For detailed descriptions of match fields and logic operators, see Match fields and logic operators.

    Match Field

    Logical Operator

    Match Content

    Description

    URI Path

    Contains

    /login.php

    The request hits this rule when its path contains /login.php.

    IP

    Belongs to

    192.1.XX.XX

    The request hits this rule when the client IP is 192.1.XX.XX.

  • Protection Rule Type: Supports Access Control and Rate Limiting.

    • Access Control: Suitable for scenarios that require precise control over specific types of requests.

    • Rate Limiting: Suitable for scenarios based on access frequency (such as anti-brute-force and anti-scraping).

      Access Control

      Configure access control rules to perform specified actions on individual requests that meet the conditions.

      Frequency Control

      Configure frequency control rules to limit excessive access from clients.

      • Frequency Detection Condition: When a single Statistical Object exceeds the configured Threshold (Times) within the specified Statistical Interval (Seconds), the blacklist action is triggered.

        Configuration Item

        Description

        Statistical Object

        Select the object whose request frequency is tracked. Available options:

        • IP: Track the frequency of requests from the same IP address.

        • Custom Header: Group requests by the value of a custom request header (such as Referer), and track the frequency of requests with the same header value within the specified time period.

        • Custom Parameter: Track the frequency of requests that contain a specified URL parameter. For example, if the parameter is user_id, WAF tracks the frequency of requests with the same user_id value.

        • Session: WAF establishes a session identifier by setting a cookie named acw_tc in the response, and tracks client request frequency based on the value of this cookie.

        • Account: Track the frequency of requests from the same account. You must configure User Identification on the Protected Objects page before configuring this option. For more information, see Account extraction configuration.

        • Body: Track the frequency of requests that contain a specified body parameter.

        • App UMID: Track the frequency of requests from the same app client.

        • Web UMID: Track the frequency of requests from the same web client.

        Statistical Interval (Seconds)

        The time window for frequency counting. Unit: seconds.

        Threshold (Times)

        Set the maximum number of times the Statistical Object can hit the Match Condition within the Statistical Interval (Seconds). Exceeding this adds the object to the blacklist.

      • Response Code Detection Condition: When enabled, only responses that match the following characteristics are counted toward the frequency. This condition must be satisfied together with the frequency detection condition.

        Configuration Item

        Description

        Status Code

        Set the response code to track.

        Quantity

        Set the maximum number of times the specified Status Code can appear within the statistical duration.

        Percentage (%)

        Set the maximum percentage of the specified Status Code within the statistical duration.

      • Deduplication Statistics: When enabled, the system deduplicates request content and only counts non-repeated request characteristics. If the deduplicated result hits the rule, the blacklist action is triggered. Click Add Condition to add a condition. Each condition consists of a Match Field, a Logical Operator, and Quantity. The following table shows a configuration example:

        Note

        If a rule contains multiple conditions, the request must meet all conditions (logical AND) to hit the rule.

        When the Match Field is set to URI, the Logical Operator is set to Equals, and the Quantity is set to 5, the system deduplicates request URIs. The rule is considered hit when the frequency of non-duplicate URI accesses equals 5.

      • Blacklist Action Condition: Add statistical objects that hit the above detection conditions to the blacklist. Within the Timeout Period, perform the action defined in Actions on requests within the Apply To of that object.

        Configuration Item

        Description

        Apply To

        Set the scope where the blacklist action takes effect. Available values:

        • Current Match Condition: Only handles requests that meet the Match Condition of the current rule.

        • Protected Object: Performs the action on all requests from the statistical object (such as IP) that access the current protected object.

        Timeout Period

        Set the duration for the blacklist action. Unit: seconds. Valid values: 60 to 86400.

  • Actions: Select the action to perform when a request hits this rule.

    Configuration item

    Description

    JavaScript Validation

    WAF returns a block of JavaScript validation code to the client. A standard browser automatically executes this code. If the client completes execution successfully, WAF allows all requests from that client for a period of time, 30 minutes by default. Otherwise, the requests are blocked.

    Block

    Blocks requests that match the rule and returns a block page to the client.

    Note

    WAF uses a default block page. You can also create a custom block page using the Custom Response feature.

    Log

    This action does not block requests that match the rule but only logs the requests. When you test a rule, you can first use the Log mode to analyze WAF logs and confirm that no false positives occur. Then, you can change the rule to a different action.

    CAPTCHA

    WAF returns a slider verification page to the client. If the client successfully completes the slider challenge, WAF allows all requests from that client for a period of time, 30 minutes by default. Otherwise, the requests are blocked.

    Strict CAPTCHA

    WAF returns a slider verification page to the client. If the client successfully completes the slider challenge, the current request is allowed. Otherwise, the request is blocked. In this mode, the client must complete a slider challenge for every request that matches the rule.

    Origin Custom Header

    You can define a custom header name and content, including rule type, rule ID, and web UMID. WAF does not process the request directly but instead adds a header to forward the hit information to the origin server. You can integrate this with your backend risk control system for business-side processing.

    Note
    • JavaScript Validation or CAPTCHA validation applies only to synchronous requests. For asynchronous requests such as XMLHttpRequest or Fetch, you must inject the Web SDK; otherwise, the validation will not work properly.

  • Rule Type: Define the bot traffic type. Available types are Suspected Bot and Malicious Bot. Traffic that hits the rule is classified into the corresponding category and displayed in the trend chart on the Traffic Analytics page.

  • Advanced Settings: Configure the canary release proportion and effective time strategy for the rule.

    Configuration Item

    Description

    Canary Rule

    Configure the effective proportion of the rule for objects in different dimensions.

    After enabling canary release, you must set the Dimension and Canary Release Proportion. Available Dimension options include: IP, Custom Header, Custom Parameter, Custom Cookie, Session, App UMID, and Web UMID.

    Note

    The canary release takes effect based on the configured Dimension, not by randomly applying the rule to requests at the specified proportion. For example, when Dimension is set to IP and Canary Release Proportion is set to 10%, WAF selects approximately 10% of IP addresses. All requests from the selected IP addresses are subject to the rule, rather than applying the rule to 10% of all requests randomly.

    Effective Mode

    • Permanently Effective (Default): The rule is always active when the protection template is enabled.

    • Fixed Schedule: The protection rule is active only during a specified time period.

    • Recurring Schedule: The protection rule is active only during a specified recurring schedule.

Daily operations

Manage protection templates

Newly created protection templates are enabled by default. You can perform the following operations in the template list:

  • View the number of Protected Object/Group associated with the template.

  • Enable or disable the template using the Status switch.

  • Create Rule for the template.

  • Edit, Delete, or Copy the protection template.

  • Click the Expand icon icon to the left of the template name to view the rules contained in the template.

Manage protection rules

Newly created rules are enabled by default. You can perform the following operations in the rule list:

  • View the Rule ID, Rule Condition, and other information.

  • Enable or disable the rule using the Status switch.

  • Edit or Delete the rule.

Quotas and limits

  • A maximum of 10 Match Condition can be added to a single protection rule.

  • A maximum of 5 conditions can be added to a Deduplication Statistics rule.

FAQ

Bot Management advanced custom rules vs. Core Web Protection custom rules: What are the differences?

Comparison Item

Core Web Protection > Custom Rule

Bot Management > Advanced Custom Rules

Version Requirements and Costs

  • Not supported in the Subscription Basic Edition. Included in all other subscription editions.

  • Available in the pay-as-you-go edition at a lower cost than Bot Management > Advanced Custom Rules.

  • Not supported in the Subscription Basic Edition. Requires additional Bot Management enablement for other subscription editions.

  • Available in the pay-as-you-go edition for an additional fee.

Supported Features

Provides rules that meet daily protection needs.

In addition to Custom Rule functionality, also supports the following features:

  • Supports additional match fields such as Client ID, JA3/JA4 fingerprints, and Web/App SDK data.

  • Rate Limiting rules support UMID as a statistical object and can be used together with Deduplication Statistics.

  • Supports the Origin Custom Header action.