Use Custom WAF rules to handle traffic based on your specific needs. Each rule evaluates incoming requests against attributes such as country, IP address, header, method, or path and then takes a Block or Alert action for selected domains.

You can create up to 10 custom WAF rules.

A custom WAF rule includes the following:

• Rule name

• Rule logic – Attribute, criteria, and value

• Rule response action – Block or Alert, plus priority

• Scope – Domains and (optionally) domain paths

Create a custom WAF rule

1. In the Edge console, go to Security > Rule configuration > Custom WAF rule.

2. Select Create custom rule.

1. Set rule name

1. In Set rule name, enter a descriptive Name for the rule.

   • Example: Block admin access from non-US countries.

2. Set rule logic

Define how the rule identifies matching requests.

1. In Attribute, select the request attribute to evaluate. Common options include:

   • ASN

   • Country

   • Header

   • IP address

   • Method

   • Query string

2. In Criteria, select how the attribute should be matched. Available options depend on the attribute, for example:

   • equals

   • contains

   • range

   • regex

You can combine different attributes and criteria by creating multiple custom rules.

3. Set rule response action

1. In Response action, choose how the rule handles matching requests:

   • Block – Stops the request from reaching your site.

   • Alert – Allows the request but logs it for review in Security Metrics.

2. In Rule priority, select where this rule sits relative to other custom rules, such as First, Last, or a specific position in the list. Higher‑priority rules are evaluated first.
   
   Tip: Start new rules in Alert mode and review their impact in Security Metrics before switching to Block.

4. Set this rule for

1. In Domains, choose where the rule applies:

   • All domains, or

   • A specific set of domains from the list.

2. (Optional) In Domain path, enter one or more paths (comma‑separated) to further narrow where the rule applies.

   • Example: /login, /admin

   • When domain paths are set, the rule applies only to requests that match both:

     • the selected domains, and

     • one of the specified paths.

3. Review the configuration summary.

4. Select .

The rule is deployed to the edge and begins evaluating requests shortly after you save.

Edit a custom WAF rule

1. In the Edge console, go to Security > Rule configuration > Custom WAF rule.

2. In the row for the rule you want to change, select Actions > Edit rule.

3. Update any of the following:

   • Name

   • Attribute, Criteria, or Value

   • Response action (Block or Alert)

   • Rule priority

   • Domains and Domain path

4. Select Update rule.

Changes deploy to the edge after you save. Use Security Metrics to confirm that the updated rule behaves as expected.

Delete a custom WAF rule

1. In the Edge console, go to Security > Rule configuration > Custom WAF rule.

2. In the row for the rule you want to remove, select Actions > Delete rule.

3. Confirm that you want to delete the rule.

Once deleted, the rule no longer evaluates or blocks traffic. If you still need similar protection, create a replacement rule with the updated logic.

Custom WAF rule