Access Controls for Web Application Firewall Policies

Learn about how to add and manage the access controls for web application firewall policies.

Web application firewall access control consists of creating and managing access rules for the following controls:

Access Rules

As a WAF administrator, you can define explicit actions for requests that meet various conditions. Conditions use various operations. A rule action can be set to allow, check, and return HTTP response for all matched requests. See Actions for Web Application Firewalls for more information on actions.

If a WAF policy resource has multiple access rules configured, the rules are run in order. You can reorder these rules as needed.

The available conditions for an access rule are listed and described in Understanding Conditions.

Access rules are distinct for request control and response control of a WAF policy. The same access rule cannot be shared between the two types of controls. Management of access rules, such as adding, editing, and deleting an access rule, is described in the Request Controls for a Web Application Firewall Policy and Response Control for a Web Application Firewall Policy sections.

You can explicitly set up a block of all traffic that doesn't meet access control rules conditions by configuring a default action for access control rules.