Access Control

Access Rules

As a WAF administrator you can define explicit actions for requests that meet various conditions. Conditions use various operations and regular expressions. A rule action can be set to log and allow, detect, block, redirect, bypass, or show a CAPTCHA for all matched requests.

The available conditions for an access rule are listed below, grouped by criteria type:

URL

You can define one or more criteria based on:

  • URL is
  • URL is not
  • URL starts with
  • URL does not start with
  • URL part ends with
  • URL part does not end with
  • URL part contains
  • URL part does not contain
  • URL regex
  • URL does not match regex

The URL regex matching uses Perl-compatible regular expressions.

IP Address

You can define one or more criteria based on:

  • IP Address is
  • IP Address is not
  • IP Address in Address List
  • IP Address not in Address List

These values can be a valid IPv4 address, subnet, or CIDR notation for a range. IPv6 is not yet supported. See "To add an IP address list" to create a list of IP addresses that can be used in the access rule.

Country/Region

You can define one or more criteria based on:

  • Country/Region is
  • Country/Region is not

For the API, use a 2-letter country code.

User Agent

The User Agent value identifies the browser or client that sent the request. You can define one or more criteria based on:

  • User Agent is
  • User Agent is not

HTTP Header

HTTP Request headers can be evaluated as criteria:

  • HTTP Header contains

The value for HTTP Header contains must be entered as a colon-delimited <name>:<value> pair.

HTTP Method

HTTP Methods can be evaluated as criteria:

  • HTTP method is
  • HTTP method is not

Available methods include GET, POST, PUT, DELETE, HEAD, CONNECT, OPTIONS, TRACE, and PATCH.

IP Address Whitelists

You can use the IP Whitelist tab to manage whitelists containing trusted IP addresses that bypass all rules and challenges.

Using the Console

Note

The WAF uses a first-match algorithm: once the criteria of an access rule match a request, no subsequent rules are evaluated for that request. The order of rules therefore matters. Use the API to reorder rules.
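The following added example (not code from the page or from the WAF product) models the criteria types in the table above and the first-match evaluation described in the note. The condition name URL_IS comes from the page's API example; the other condition names, the request layout and the address list contents are assumptions made here.

```python
import ipaddress
import re

# Constructed stand-in for a WAF IP Address List (IPv4 addresses / CIDR only).
ADDRESS_LISTS = {"trusted-scanners": ["198.51.100.0/24", "203.0.113.7"]}

def ip_in_list(ip, list_name):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False)
               for entry in ADDRESS_LISTS[list_name])

def criterion_matches(cond, value, req):
    """Evaluate one criterion against a request dict (url, ip, method, headers
    keyed by lowercase name). URL_IS is the condition name from the page's API
    example; the other names are assumed and may differ from the real enum values."""
    if cond == "URL_IS":
        return req["url"] == value
    if cond == "URL_STARTS_WITH":
        return req["url"].startswith(value)
    if cond == "URL_REGEX":  # the page says Perl-compatible regex; re is close enough here
        return re.search(value, req["url"]) is not None
    if cond == "IP_IN_LIST":
        return ip_in_list(req["ip"], value)
    if cond == "HTTP_HEADER_CONTAINS":  # entered as "<name>:<value>", per the page
        name, _, needle = value.partition(":")
        return needle.strip() in req["headers"].get(name.strip().lower(), "")
    if cond == "HTTP_METHOD_IS":
        return req["method"] == value
    raise ValueError(f"unsupported condition {cond}")

def evaluate(rules, req):
    """First-match: a rule matches when all its criteria match; the first
    matching rule decides and later rules are never evaluated."""
    for rule in rules:
        if all(criterion_matches(c["condition"], c["value"], req)
               for c in rule["criteria"]):
            return rule["name"], rule["action"]
    return None, "NO_MATCH"  # no access rule matched; other WAF protections still apply

BLOCK_ADMIN = {"name": "BlockAdmin", "action": "BLOCK",
               "criteria": [{"condition": "URL_STARTS_WITH", "value": "/admin"}]}
BYPASS_TRUSTED = {"name": "BypassTrusted", "action": "BYPASS",
                  "criteria": [{"condition": "IP_IN_LIST", "value": "trusted-scanners"},
                               {"condition": "HTTP_HEADER_CONTAINS", "value": "X-Scanner:acme"}]}
# Constructed request: the trusted scanner probing an admin path.
SCAN_REQ = {"url": "/admin/login", "ip": "198.51.100.12", "method": "GET",
            "headers": {"x-scanner": "acme-scanner/2.1"}}
```

With the block rule first, the trusted scanner's request is blocked and the bypass rule is never reached; swapping the order makes the bypass win, which is why rule order must be reviewed whenever a rule is added.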

To add an access rule
  1. Open the navigation menu. Under Governance and Administration, go to Security and click Web Application Firewall.
  2. Click the name of the WAF policy you want to view access rules for. The WAF policy overview appears.
  3. Click Access Control.
  4. Click Add Access Rule.
  5. In the Add Access Rule dialog box, enter the following:
    • Name: A unique name for the access rule. Avoid entering confidential information.
    • Action: Determines the response to a request when the rule is matched. Select one of the following options:
      • Log and Allow: A log will be created for all matched requests and no further action will be taken.
      • Detect Only: A detection alert will be created for all matched requests and no further action will be taken.
      • Block: All matched requests will be blocked and a browser page for the selected response code will be returned.
        • Block Action: Select the action that will be taken when a matching request is blocked.
        • Block Response Code: Select a response code that will be returned when the request has been blocked. The response code provides information indicating why the request was blocked. The default response code is 403 "Forbidden".
      • Redirect:
        • Redirect Status Code: The status code returned in response to redirect requests.
        • Redirect URL: The URL address to redirect the request to.
      • Bypass: Select the challenge(s) to bypass. If this section is not specified, all challenges are bypassed.
      • Show CAPTCHA: Select this option to show a CAPTCHA for all matched requests and take no further action. Enter the following:
        • CAPTCHA Title: Enter the text for the CAPTCHA page title.
        • CAPTCHA Header: Enter the text that will appear before the CAPTCHA image (for example, "I am not a robot").
        • CAPTCHA Footer Text: Enter the text that will be shown after the CAPTCHA input box and before the submit button.
        • CAPTCHA submit button: Enter the text for the Submit button (for example, "Yes, I am human.").
    • Conditions: Select the condition that must be met before the rule is matched and specify the details of the condition. Additional conditions can be added in this section.
    • Header Manipulation(s):
      • Action: Select the action to apply to the request.
      • Header Name: Enter the HTTP header name of the request.
      • Header Value: Enter the HTTP header value of the request.
  6. Click Add Access Rule. The access rule is added to the access rule list.

To edit an access rule
  1. Open the navigation menu. Under Governance and Administration, go to Security and click Web Application Firewall.
  2. Click the name of the WAF policy you want to view access rules for. The WAF policy overview appears.
  3. Click Access Control.
  4. Select the check box for the access rule you want to update, and then click Edit.
  5. In the Edit Access Rule dialog box, make the necessary updates and then click Save.

To delete an access rule
  1. Open the navigation menu. Under Governance and Administration, go to Security and click Web Application Firewall.
  2. Click the name of the WAF policy you want to view access rules for. The WAF policy overview appears.
  3. Click Access Control.
  4. Select the check box for the access rule you want to delete and then click Delete.

To add an IP address list

You can use an IP address list to group IP addresses and use the list to define the conditions for an access rule. An IP Address List can be used in multiple WAF policies.

  1. Open the navigation menu. Under Governance and Administration, go to Security and click Web Application Firewall.
  2. Click IP Address Lists.
  3. Click Create WAF IP Address List.
  4. In the Create WAF IP Address List dialog box, enter the following:
    • Name: A user-friendly name for the IP address list. Avoid entering confidential information.
    • IP Addresses: Enter IP addresses or CIDR notations.
    • Tags: If you have permissions to create a resource, you also have permissions to apply free-form tags to that resource. To apply a defined tag, you must have permissions to use the tag namespace. For more information about tagging, see Resource Tags. If you are not sure if you should apply tags, skip this option (you can apply tags later) or ask your administrator.
  5. Click Create.

To edit an IP address list
  1. Open the navigation menu. Under Governance and Administration, go to Security and click Web Application Firewall.
  2. Click IP Address Lists.
  3. Click the name of the IP address list you want to update.
  4. Click Edit.
  5. In the Edit WAF IP Address List dialog box, update the Name or IP Addresses.
  6. Click Save Changes.

To delete an IP address list
  1. Open the navigation menu. Under Governance and Administration, go to Security and click Web Application Firewall.
  2. Click IP Address Lists.
  3. Select the check box for the IP address list you want to delete.
  4. Click Delete.
  5. In the confirmation dialog box, click Delete.

To move an IP address list to another compartment
  1. Open the navigation menu. Under Governance and Administration, go to Security and click Web Application Firewall.
  2. In the List Scope section, select a compartment.
  3. Click IP Address Lists.
  4. Find the IP address list in the list, click the Actions icon (three dots), and then click Move Resource.
  5. Choose the destination compartment from the list.
  6. Click Move Resource.

To manage tags for an IP address list
  1. Open the navigation menu. Under Governance and Administration, go to Security and click Web Application Firewall.
  2. Click IP Address Lists.
  3. Click the name of the IP address list you want to manage tags for.
  4. Click the Tags tab to view or edit existing tags, or click Add tag(s) to add new ones.

For more information, see Resource Tags.

To add an IP address whitelist in a WAF policy
  1. Open the navigation menu. Under Governance and Administration, go to Security and click Web Application Firewall.
  2. Click the name of the WAF Policy you want to view IP Address Whitelists for. The WAF Policy overview appears.
  3. Click Access Control.
  4. Select the IP Whitelist tab.
  5. Click Add IP Address Whitelist.
  6. In the Add IP Address Whitelist dialog box, enter the following:
    • Whitelist Name: A name for the whitelist. Avoid entering confidential information.
    • IP Addresses: Select an IP address or enter an IP address and select it to add it. This field supports CIDR notation.
  7. Click Add IP Address Whitelist.

    The IP Address Whitelist is added to the list of changes to be published.

To edit an IP address whitelist in a WAF policy
  1. Open the navigation menu. Under Governance and Administration, go to Security and click Web Application Firewall.
  2. Click the name of the WAF Policy you want to view IP Address Whitelists for. The WAF Policy overview appears.
  3. Click Access Control.
  4. Select the IP Whitelist tab.
  5. Select the check box for the IP Address Whitelist name you want to edit.
  6. Click Edit.
  7. In the Edit IP Address Whitelist dialog box, make the needed changes.
  8. Click Save.

    The IP Address Whitelist change is added to the list of changes to be published.

To delete an IP address whitelist in a policy
  1. Open the navigation menu. Under Governance and Administration, go to Security and click Web Application Firewall.
  2. Click the name of the WAF Policy you want to view IP Address Whitelists for. The WAF Policy overview appears.
  3. Click Access Control.
  4. Select the IP Whitelist tab.
  5. Select the check box for the IP Address Whitelist name you want to delete.
  6. Click Delete.

    The deleted IP Address Whitelist is added to the list of changes to be published.

To publish changes

Updates to your WAF policy appear in the list to be published under Unpublished Changes. Pending changes do not persist across browser sessions. Once you publish changes, the policy cannot be edited again until the changes have propagated to the edge nodes.

  1. Under WAF Policy, click Unpublished Changes.
  2. In the Unpublished Changes list, click the drop-down arrow beside an unpublished change to review the change.
  3. Click Publish All.
  4. In the Publish Changes dialog box, click Publish All.
To discard changes

Updates to your WAF policy appear in the list to be published in Unpublished Changes.

  1. Under WAF Policy, click Unpublished Changes.
  2. In the Unpublished Changes list, click the drop-down arrow beside an unpublished change to review the change.
  3. Select the check box for the change you want to discard.
  4. Click Discard.
  5. In the Discard Change dialog box, click Discard.

Address Lists

Use the following API operations to create and manage address lists that can be applied to access rules:

Example

To create an address list:

POST /addressLists
{
  "addresses": [
    "198.51.100.0",
    "198.51.255.45",
    "198.51.145.55"
  ],
  "compartmentId": "ocid1.compartment.region1...",
  "displayName": "example IP addresses"
}
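As an added example (not code from the page or the product), the following validates the entries of an address list before sending the POST body shown above, enforcing the page's stated constraints (IPv4 address or CIDR range, no IPv6) and de-duplicating entries. The compartment OCID used is a placeholder, and the rejection of CIDR entries with host bits set is an assumption made here.

```python
import ipaddress
import json

def validate_address_list(addresses):
    """Normalise and de-duplicate entries for a WAF address list, or raise ValueError.

    Follows the constraints the page states: each entry is an IPv4 address or an
    IPv4 CIDR range, and IPv6 is not supported. Rejecting CIDR entries with host
    bits set (e.g. 198.51.100.5/24) is an assumption added here so that a typo
    cannot silently widen the range."""
    seen, out = set(), []
    for entry in addresses:
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            raise ValueError(f"{entry!r}: not a valid address or CIDR range ({exc})") from exc
        if net.version != 4:
            raise ValueError(f"{entry!r}: IPv6 is not supported in address lists")
        # Single hosts are emitted as bare addresses, matching the page's example body.
        text = str(net.network_address) if net.prefixlen == 32 else str(net)
        if text not in seen:
            seen.add(text)
            out.append(text)
    return out

def build_create_body(addresses, compartment_id, display_name):
    """Build the JSON body for POST /addressLists in the shape shown on the page."""
    return json.dumps({"addresses": validate_address_list(addresses),
                       "compartmentId": compartment_id,
                       "displayName": display_name}, indent=2)

# Constructed input; the compartment OCID is a placeholder, not a real identifier.
EXAMPLE_BODY = build_create_body(
    ["198.51.100.0", "198.51.255.45", "198.51.145.55", "198.51.100.0"],
    "ocid1.compartment.<region>.<placeholder>", "example IP addresses")
```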

Using the API

For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.

Access Rules

Use the following operations to get or update the array of all access rules in the policy:

Example

To create an access rule (the PUT body is the complete, ordered list of access rules for the policy, which is also how rules are reordered):

PUT /waasPolicies/{waasPolicyId}/wafConfig/accessRules
[
  {
    "name": "DetectRequestsToHealthCheck",
    "criteria": [
      {
        "condition": "URL_IS",
        "value": "/health/check"
      }
    ],
    "action": "DETECT"
  }
]