Oracle Cloud Infrastructure Documentation

Access Control

As a WAF administrator you can define explicit actions for requests that meet various conditions. Conditions use various operations and regular expressions. A rule action can be set to log and allow, detect, or block requests.

The available conditions are shown in the following table:

Criteria Type Criteria

Users shall be able to define one or more criteria based on:

  • URL is
  • URL is not
  • URL starts with
  • URL ends with
  • URL contains
  • URL regex

The URL regex matching uses Perl-compatible regular expressions.

IP Address

Users shall be able to define one or more criteria based on:

  • Client IP Address is
  • Client IP Address is not

These values can be a valid IPv4 address, subset, or CIDR notation for a range. IPv6 is not yet supported.


Users shall be able to define one or more criteria based on:

  • Country/Region is
  • Country/Region is not

For the API, use a 2-letter country code.

User Agent

User Agent is a value that identifies the browser client.

  • User Agent is
  • User Agent is not
HTTP Header

HTTP Request headers can be evaluated as criteria:

  • HTTP Header contains

The HTTP Header contains value should be entered with colon-delimited <name>:<value> .

HTTP Method

HTTP Methods can be evaluated as criteria:

  • HTTP method is
  • HTTP method is not

Available methods include GET, POST, PUT, DELETE, HEAD, CONNECT, OPTIONS, TRACE, and PATCH.

You can use the IP Whitelist tab to manage whitelists containing trusted IP addresses that bypass all rules and challenges.

Using the Console


The WAF uses a first-match algorithm so that once an Access Rule criteria matches, it will stop evaluating future rules. The order of rules matters. Use the API to reorder rules.

To add an access rule
To edit an access rule
To delete an access rule
To add an IP address whitelist
To edit an IP Address Whitelist
To delete an IP Address Whitelist
To publish changes
To discard changes

Using the API

For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.

Use the following operations to get an array of all access rules in the policy:

To create an access rule:

PUT /waasPolicies/{waasPolicyId}/wafConfig/accessRules
   "name": "DetectRequestsToHealthCheck",
   "criteria": [
      "condition": "URL_IS",
      "value": "/health/check"
   "action": "DETECT",


Address Lists

Use the following API operations to create and manage address lists that can be applied to access rules:


To create an address list:

POST /addressLists
{ "addresses": [ "", "", "" ], "compartmentId": "ocid1.compartment.region1...", "displayName": "example IP addresses" }