Standard exception interaction
Return format
Whether adding, modifying or removing an exception, the same return format will be used, with the only difference being the name of the parent element, which will correspond to the type of operation requested:
The body of this node will be in the Common exception format detailed herein.
Common exception format
All nodes of type exception are formatted the same way and are applicable at all levels. When an exception criterion is satisfied, the specified rule will be ignored. For example, if a URL is blacklisted but a country is placed in the exceptions list, visitors from that excepted country will be able to access the resource while others won’t. Each exception is broken into a set of rules identified by an ID attribute for use in modifying or removing that exception.
See the section Obtaining continent, country and client application codes for how to obtain valid continent, country and client application codes for use in this element.
- exceptions: A list of exceptions
  - exception: (Repeatable) An exception
    - id: [attribute] - A unique numeric identifier that can be used to modify or remove an exception
    - geo: A list of geographic items in an exception
      - continents: A list of continents
        - continent: (Repeatable) The two-character continent code
      - countries: A list of countries in an exception
        - country: (Repeatable) The two-character country code
    - ips: A list of IP addresses in an exception
      - ip: (Repeatable) An IP address. The acceptable formats are:
        - A single IP address (for example, `192.168.0.1`)
        - A network block in CIDR format (for example, `192.186.0.0/28`)
        - An IP address range (for example, `192.168.0.1-192.168.1.30`)
    - urls: A list of excepted URLs
      - url: (Repeatable) An excepted URL
        - path: [attribute] - The path to be excepted
        - pattern: [attribute] - The pattern for matching the path. As an exception, all patterns are considered to be `EQUALS`.

        For `bot_access_control`, the format for URLs is the following (if you have a wildcard, append it to the end of the path).

        ```xml
        <urls>
          <url>
            <value>/page.html</value>
          </url>
          <url>
            <value>/category/*</value>
          </url>
        </urls>
        ```
    - user_agents: A list of user agents
      - user_agent: (Repeatable) A user-agent string to be excepted
    - client_apps: A list of client applications
      - client_app: (Repeatable) The name of the application, such as `curl` or `wget`
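A pre-submission check for an exception document in this format, as an added example (not part of the original documentation or the vendor's code). It assumes values are carried as element text, and it chooses to reject reversed ranges and CIDR blocks with host bits set, because an over-broad exception switches a rule off for more clients than intended.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample; element names are from the format above, and carrying
# values as element text is an assumption of this example.
SAMPLE = """<exceptions><exception id="101">
  <geo><countries><country>CA</country><country>CAN</country></countries></geo>
  <ips>
    <ip>192.168.0.1</ip>
    <ip>192.186.0.0/28</ip>
    <ip>192.168.0.1-192.168.1.30</ip>
    <ip>192.168.1.30-192.168.0.1</ip>
  </ips>
</exception></exceptions>"""

def ip_ok(value):
    """True if value is a single address, a CIDR block, or a start-end range."""
    try:
        if "-" in value:
            start, end = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
            return start.version == end.version and start <= end
        if "/" in value:
            ipaddress.ip_network(value, strict=True)  # host bits set -> ValueError
        else:
            ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def check_exceptions(xml_text):
    """Return a list of (exception id, problem) tuples; empty means clean."""
    problems = []
    for exc in ET.fromstring(xml_text).iter("exception"):
        exc_id = exc.get("id", "")
        if not exc_id.isdigit():
            problems.append((exc_id, "id is not numeric"))
        for tag in ("continent", "country"):
            for node in exc.iter(tag):
                code = (node.text or "").strip()
                if len(code) != 2 or not code.isalpha():
                    problems.append((exc_id, f"bad {tag} code: {code!r}"))
        for node in exc.iter("ip"):
            if not ip_ok((node.text or "").strip()):
                problems.append((exc_id, f"bad ip: {node.text!r}"))
    return problems
```

The check covers syntax only; whether a code is one the service recognizes still has to be confirmed against the getWafGeoInfo and getWafClientAppInfo results.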
Exception types
| Rule Code | Description |
|---|---|
| | SQL injection attempts |
| | Cross-site scripting (XSS) attempts |
| | Illegal resource access attempts |
| | Access attempts by web bots |
| | Distributed denial-of-service (DDoS) attacks (coming soon) |
| | Remote file inclusion attempts |
| | Backdoor access attempts (for example, webshells) |
| | Access attempts from blacklisted IP |
| | Access attempts of blacklisted URL |
| | Access attempts from blacklisted geographical region |
Element pairs for repeatable types
| Parent Element | Child (Repeatable) Element |
|---|---|
| | |
| | |
| | |
| | |
| | |
| | |
Not all exception types support all parent element types. The following table lists which parent elements are supported by which exception type.
Exception type and parent element
| Access Control List Category | Exception Type |
|---|---|
| | |
| | |
| | |
| | |
| | |
| | |
Obtaining continent, country and client application codes
The exceptions methods in the Firewall & CDN will frequently require the use of specific codes for geographical locations (continents and countries) and client application codes for web applications, plugins, and bots that may interact with a user’s site.
The codes can be obtained using the following methods:
- getWafGeoInfo: Retrieves a list of continents and countries
- getWafClientAppInfo: Retrieves a list of client applications