Oracle Cloud Infrastructure Documentation

Adding a Rate Limiting Rule to a Web Application Firewall Policy

Add a rate limiting rule to allow the inspection of HTTP request properties and to limit the request frequency for each unique client IP address associated with web application firewall (WAF) policy.

Using the Console

  1. Open the navigation menu and click Identity & Security. Under Web Application Firewall, click Policies.
  2. On the Policies page, select the compartment that contains the policy.
  3. (Optional) Filter the listed policies by name, status, policy type (WAF policy), or creation date.
  4. Click the name of the WAF policy to which you want to add a rate limiting rule.
  5. On the policy details page, under Policy, click Rate limiting.
  6. Click Manage rate limiting.
  7. In the Manage rate limiting dialog box, click Add rate limiting rule.
  8. In the Add rate limiting rule dialog box, complete the options as follows:
    • Name: Enter a name for the rate limit rule.

    • Conditions: Specify the prerequisite conditions that must be met for the actions/rule actions to occur. The parameters displayed can vary depending on the values that you select for Condition type and Operator. Click + Another condition to add another condition linked to the first one using AND. Click X to delete the associated condition row.

      (Optional) Click Show advance controls to specify a condition in the box using the condition syntax. See Understanding Conditions.

    • Rate limiting configuration: Enter the following conditions that are required to be met before the conditions apply.
      • Request limit: Enter the maximum number of requests made.
      • Period in seconds: Enter the number of seconds passed.
      • Action duration in seconds: Enter the duration of the action in seconds.
      • Click + Another rate limit to display another rate limit configuration row to complete. Click X to delete the associated rate limit configuration row.
    • Rule action: Select an existing rule to be followed when the preceding conditions are met, or select Create New Action to add one.
      • Check: An action which doesn't stop the execution of rules in current module. Instead it generates a log message documenting result of rule execution.

      • Preconfigured Check Action: Allows the running of rules and generates a log message that documents the result.

      • Return HTTP response: An action which cancels all further processing of an HTTP request or HTTP response and returns a predefined HTTP response that can be configured in the action definition.

      • Preconfigured 401 Response Code Action: Returns a defined HTTP response. The response code configuration (headers and response page body) determines the HTTP response that's returned when this action is run.

        Click Show header details to display the HTTP response headers specified in the selected return HTTP response action.

        Click Show response page body details to display the HTTP response body specified in the selected "return HTTP response" action.

        For more information, see Actions for Web Application Firewalls.

  9. Click Add rate limiting rule.
  10. In the Manage rate limiting dialog box, click Save changes.