The advanced custom rules module in Bot Management provides richer match fields (such as Client ID, JA3/JA4 fingerprints, and data collected by Web SDK and App SDK) and statistical dimensions (such as UMID and Session) compared to custom rules in Web Core Protection. It supports deduplication counting and origin custom header actions, meeting the needs for fine-grained bot traffic management and complex scenario defense.
Procedure
Before you begin, ensure the following prerequisites are met:
Protected objects exist: Your web business must be connected to WAF. If not, see Connect your business to WAF.
Bot Management enabled: Subscription users must enable Bot Management (the Subscription Basic Edition does not support this feature). For more information, see Enable Bot Management.
Step 1: Configure the template name and protected objects
Click Create Template. In the New Template - Advanced Custom Rules panel, configure the following parameters.
Template Name: Set a recognizable name for the protection template.
Rule Configuration: Click Create Rule to add a protection rule to the current template.
Apply To: Select the protected objects and protected object groups to apply this template to. You can manually adjust the enabled status of protected objects or object groups both during and after template creation.
Step 2: Add protection rules to the template
In the Rule Configuration section, click Create Rule and configure the following parameters.
Rule Name: Set a recognizable name for the protection rule.
Match Condition: Set the request characteristics to match. Click Add Condition to add a condition. Each condition consists of a Match Field, a Logical Operator, and Match Content. The following table shows configuration examples:
NoteIf a rule contains multiple conditions, the request must meet all conditions (logical AND) to hit the rule. For detailed descriptions of match fields and logic operators, see Match fields and logic operators.
Match Field
Logical Operator
Match Content
Description
URI Path
Contains
/login.phpThe request hits this rule when its path contains
/login.php.IP
Belongs to
192.1.XX.XXThe request hits this rule when the client IP is
192.1.XX.XX.Protection Rule Type: Supports Access Control and Rate Limiting.
Access Control: Suitable for scenarios that require precise control over specific types of requests.
Rate Limiting: Suitable for scenarios based on access frequency (such as anti-brute-force and anti-scraping).
Access Control
Configure access control rules to perform specified actions on individual requests that meet the conditions.
Frequency Control
Configure frequency control rules to limit excessive access from clients.
Frequency Detection Condition: When a single Statistical Object exceeds the configured Threshold (Times) within the specified Statistical Interval (Seconds), the blacklist action is triggered.
Configuration Item
Description
Statistical Object
Select the object whose request frequency is tracked. Available options:
IP: Track the frequency of requests from the same IP address.
Custom Header: Group requests by the value of a custom request header (such as
Referer), and track the frequency of requests with the same header value within the specified time period.Custom Parameter: Track the frequency of requests that contain a specified URL parameter. For example, if the parameter is
user_id, WAF tracks the frequency of requests with the sameuser_idvalue.Session: WAF establishes a session identifier by setting a cookie named
acw_tcin the response, and tracks client request frequency based on the value of this cookie.Account: Track the frequency of requests from the same account. You must configure User Identification on the Protected Objects page before configuring this option. For more information, see Account extraction configuration.
Body: Track the frequency of requests that contain a specified body parameter.
App UMID: Track the frequency of requests from the same app client.
Web UMID: Track the frequency of requests from the same web client.
Statistical Interval (Seconds)
The time window for frequency counting. Unit: seconds.
Threshold (Times)
Set the maximum number of times the Statistical Object can hit the Match Condition within the Statistical Interval (Seconds). Exceeding this adds the object to the blacklist.
Response Code Detection Condition: When enabled, only responses that match the following characteristics are counted toward the frequency. This condition must be satisfied together with the frequency detection condition.
Configuration Item
Description
Status Code
Set the response code to track.
Quantity
Set the maximum number of times the specified Status Code can appear within the statistical duration.
Percentage (%)
Set the maximum percentage of the specified Status Code within the statistical duration.
Deduplication Statistics: When enabled, the system deduplicates request content and only counts non-repeated request characteristics. If the deduplicated result hits the rule, the blacklist action is triggered. Click Add Condition to add a condition. Each condition consists of a Match Field, a Logical Operator, and Quantity. The following table shows a configuration example:
NoteIf a rule contains multiple conditions, the request must meet all conditions (logical AND) to hit the rule.
When the Match Field is set to
URI, the Logical Operator is set toEquals, and the Quantity is set to5, the system deduplicates request URIs. The rule is considered hit when the frequency of non-duplicate URI accesses equals 5.Blacklist Action Condition: Add statistical objects that hit the above detection conditions to the blacklist. Within the Timeout Period, perform the action defined in Actions on requests within the Apply To of that object.
Configuration Item
Description
Apply To
Set the scope where the blacklist action takes effect. Available values:
Current Match Condition: Only handles requests that meet the Match Condition of the current rule.
Protected Object: Performs the action on all requests from the statistical object (such as IP) that access the current protected object.
Timeout Period
Set the duration for the blacklist action. Unit: seconds. Valid values: 60 to 86400.
Actions: Select the action to perform when a request hits this rule.
Configuration item
Description
JavaScript Validation
WAF returns a block of JavaScript validation code to the client. A standard browser automatically executes this code. If the client completes execution successfully, WAF allows all requests from that client for a period of time, 30 minutes by default. Otherwise, the requests are blocked.
Block
Blocks requests that match the rule and returns a block page to the client.
NoteWAF uses a default block page. You can also create a custom block page using the Custom Response feature.
Log
This action does not block requests that match the rule but only logs the requests. When you test a rule, you can first use the Log mode to analyze WAF logs and confirm that no false positives occur. Then, you can change the rule to a different action.
CAPTCHA
WAF returns a slider verification page to the client. If the client successfully completes the slider challenge, WAF allows all requests from that client for a period of time, 30 minutes by default. Otherwise, the requests are blocked.
Strict CAPTCHA
WAF returns a slider verification page to the client. If the client successfully completes the slider challenge, the current request is allowed. Otherwise, the request is blocked. In this mode, the client must complete a slider challenge for every request that matches the rule.
Origin Custom Header
You can define a custom header name and content, including rule type, rule ID, and web UMID. WAF does not process the request directly but instead adds a header to forward the hit information to the origin server. You can integrate this with your backend risk control system for business-side processing.
NoteJavaScript Validation or CAPTCHA validation applies only to synchronous requests. For asynchronous requests such as XMLHttpRequest or Fetch, you must inject the Web SDK; otherwise, the validation will not work properly.
Rule Type: Define the bot traffic type. Available types are Suspected Bot and Malicious Bot. Traffic that hits the rule is classified into the corresponding category and displayed in the trend chart on the Traffic Analytics page.
Advanced Settings: Configure the canary release proportion and effective time strategy for the rule.
Configuration Item
Description
Canary Rule
Configure the effective proportion of the rule for objects in different dimensions.
After enabling canary release, you must set the Dimension and Canary Release Proportion. Available Dimension options include: IP, Custom Header, Custom Parameter, Custom Cookie, Session, App UMID, and Web UMID.
NoteThe canary release takes effect based on the configured Dimension, not by randomly applying the rule to requests at the specified proportion. For example, when Dimension is set to IP and Canary Release Proportion is set to 10%, WAF selects approximately 10% of IP addresses. All requests from the selected IP addresses are subject to the rule, rather than applying the rule to 10% of all requests randomly.
Effective Mode
Permanently Effective (Default): The rule is always active when the protection template is enabled.
Fixed Schedule: The protection rule is active only during a specified time period.
Recurring Schedule: The protection rule is active only during a specified recurring schedule.
Daily operations
Manage protection templates
Newly created protection templates are enabled by default. You can perform the following operations in the template list:
View the number of Protected Object/Group associated with the template.
Enable or disable the template using the Status switch.
Create Rule for the template.
Edit, Delete, or Copy the protection template.
Click the
icon to the left of the template name to view the rules contained in the template.
Manage protection rules
Newly created rules are enabled by default. You can perform the following operations in the rule list:
View the Rule ID, Rule Condition, and other information.
Enable or disable the rule using the Status switch.
Edit or Delete the rule.
Quotas and limits
A maximum of 10 Match Condition can be added to a single protection rule.
A maximum of 5 conditions can be added to a Deduplication Statistics rule.
FAQ
Bot Management advanced custom rules vs. Core Web Protection custom rules: What are the differences?
Comparison Item | ||
Version Requirements and Costs |
|
|
Supported Features | Provides rules that meet daily protection needs. | In addition to Custom Rule functionality, also supports the following features:
|