---
title: Working with advanced rate limiting rules
summary: null
url: >-
  https://www.fastly.com/documentation/guides/next-gen-waf/rules/working-with-advanced-rate-limiting-rules
---

Advanced rate limiting rules are a type of [threshold configuration](https://www.fastly.com/documentation/guides/next-gen-waf/thresholds/about-threshold-configurations/) that places a cap on how often an individual client can send requests that meet set conditions before all or some requests from that same client are blocked or logged.

## Limitations and considerations

When working with advanced rate limiting rules, keep the following things in mind:

- Advanced rate limiting is only included with the [Premier platform](https://docs.fastly.com/products/fastly-next-gen-waf#feature-availability) and certain [packaged offerings](https://www.fastly.com/package-entitlements/). It is not included as part of the Professional or Essential platforms.
- Advanced rate limiting rules are considered custom rules for purposes of [packaged entitlement](https://docs.fastly.com/products/fastly-next-gen-waf#feature-availability) limitations.
- Each site (also known as workspace) is limited to a maximum of 15 rate limit rules.
- A given signal can only be used as the threshold signal for a single rate limit rule; it can't be the threshold signal in more than one rate limit rule.

If you have an Edge WAF deployment, keep these additional considerations in mind:

- The faster requests are received, the sooner they can be blocked.
- Rules with a lower threshold block or log requests sooner than rules with a higher threshold, subject to the rate the requests are received.
- You may need up to two times the number of requests over any [60-second window](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/edge-deployment/how-the-edge-waf-works#threshold-counting) to declare a match.
- When testing rules in multiple physical locations, your results may vary due to the distributed nature of Fastly’s network and the different number of cache nodes per POP.
- For the most consistent results, test with rates of 100 RPS or more.

## How advanced rate limiting rules work

When your web application receives requests that meet the conditions of a rate limit rule, the WAF tags them with the chosen _threshold signal_. These signals are then [counted against the rule's threshold](https://www.fastly.com/documentation/guides/next-gen-waf/rules/working-with-advanced-rate-limiting-rules#threshold-counting). Once the number of threshold signals from a single client exceeds the rule's limit, that client is rate limited.

How the client is rate limited depends on the Match type and Action type fields within that rate limit rule. The **Match type** field defines which requests from the client the WAF should act upon once the threshold has been passed. Match type options include:

- **Rule conditions:** rate limit requests from the client that match the rule's conditions. See an [example](https://www.fastly.com/documentation/guides/next-gen-waf/rules/working-with-advanced-rate-limiting-rules#rate-limit-comment-submissions) use case of this option.
- **Other signal:** rate limit requests from the client that are tagged with the _action signal_. When the action signal is not a [system signal](https://www.fastly.com/documentation/guides/next-gen-waf/signals/using-system-signals/), you need to create a request rule that tags requests with the selected signal.
- **All requests:** rate limit all requests from the client.

The **Action type** field defines [what should happen](https://www.fastly.com/documentation/guides/next-gen-waf/rules/about-rules/#action-types) to requests that meet the Match type condition (e.g., block or log).

Rate limited requests are tagged with the `Rate Limit` system signal.
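To make the interaction of threshold signal, threshold, interval, duration and match type concrete, the following Python model is added here; it is not Fastly's code and does not reproduce the WAF's local/global counting. The `Request`, `RateLimitRule` and `RateLimiter` names are assumptions, and the demo runs the comment-submission example from the Example rate limit rules section over constructed traffic keyed on the `User-Agent` header.

```python
"""Simplified model of a Next-Gen WAF advanced rate limiting rule (added example, not Fastly's code):
requests meeting the rule's conditions get the threshold signal; once one client has more than
`threshold` tagged requests within `interval` seconds it is rate limited for `duration` seconds."""
from collections import defaultdict, deque
from dataclasses import dataclass, field

RATE_LIMIT_SIGNAL = "Rate Limit"  # system signal the WAF applies to rate limited requests

@dataclass
class Request:
    ts: float            # seconds (constructed sample times)
    method: str
    path: str
    ip: str
    headers: dict = field(default_factory=dict)
    signals: set = field(default_factory=set)  # signals applied by other rules

@dataclass
class RateLimitRule:
    condition: object        # callable Request -> bool: the rule's condition set
    client_key: object       # callable Request -> str: client identifier (IP, User-Agent, ...)
    threshold_signal: str
    threshold: int
    interval: float          # seconds
    duration: float          # seconds
    action: str              # "block" or "log"
    match_type: str          # "rule_conditions", "other_signal" or "all_requests"
    action_signal: str = ""  # only consulted when match_type == "other_signal"

class RateLimiter:
    def __init__(self, rule):
        self.rule = rule
        self.hits = defaultdict(deque)  # client key -> timestamps of threshold-signal hits
        self.limited_until = {}         # client key -> time at which the rate limit expires

    def _in_scope(self, req, tagged):
        # Match type decides which of a limited client's requests receive the action
        mt = self.rule.match_type
        return (mt == "all_requests" or (mt == "rule_conditions" and tagged)
                or (mt == "other_signal" and self.rule.action_signal in req.signals))

    def process(self, req):
        """Return "allow", or the rule's action ("block"/"log") for a rate limited request."""
        rule, client, tagged = self.rule, self.rule.client_key(req), self.rule.condition(req)
        if tagged:
            req.signals.add(rule.threshold_signal)
            window = self.hits[client]
            window.append(req.ts)
            while window and req.ts - window[0] > rule.interval:  # keep only the interval
                window.popleft()
            # The client becomes limited once its count exceeds the threshold (page wording)
            if len(window) > rule.threshold and self.limited_until.get(client, 0) <= req.ts:
                self.limited_until[client] = req.ts + rule.duration
        if self.limited_until.get(client, 0) > req.ts and self._in_scope(req, tagged):
            req.signals.add(RATE_LIMIT_SIGNAL)
            return rule.action
        return "allow"

def comment_submission_demo():
    """The page's comment-submission rule run over constructed traffic from one bot UA."""
    rule = RateLimitRule(lambda r: r.method == "POST" and r.path == "/comments.php",
                         lambda r: r.headers.get("User-Agent", ""), "Comment Submission",
                         10, 60, 300, "block", "rule_conditions")
    limiter, bot = RateLimiter(rule), {"User-Agent": "spam-bot/1.0"}
    traffic = [Request(t, "POST", "/comments.php", "203.0.113.5", dict(bot)) for t in range(12)]
    traffic.append(Request(12, "GET", "/index.html", "203.0.113.5", dict(bot)))  # not in scope
    traffic.append(Request(13, "POST", "/comments.php", "198.51.100.7", {"User-Agent": "Mozilla/5.0"}))
    traffic.append(Request(311, "POST", "/comments.php", "203.0.113.5", dict(bot)))  # limit expired
    return [limiter.process(r) for r in traffic]
```

The demo returns one action per request: the bot's 11th and 12th comment posts are blocked, its GET is untouched because the match type is rule conditions, the other client is unaffected, and the post after the 5-minute duration is allowed again.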

### Threshold counting

The Next-Gen WAF uses both local and global counting mechanisms to track the number of threshold signals per client and to determine when a client exceeds the threshold of an advanced rate limit rule. For more information on how this works with your particular deployment type, check out the following:

- [Edge WAF](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/edge-deployment/how-the-edge-waf-works#threshold-counting)
- [On-Prem and Cloud WAF](https://www.fastly.com/documentation/guides/next-gen-waf/setup-and-configuration/agent-management/getting-started-with-the-agent#threshold-counting)

## Creating advanced rate limiting rules

To create an advanced rate limiting rule, complete the following steps:

### Next-Gen WAF Control Panel

Start by navigating to the Add form for rules and selecting a type of rule:

1. Log in to the [Next-Gen WAF control panel](https://dashboard.signalsciences.net).

2. From the **Sites** menu, select a site if you have more than one site.

3. From the **Rules** menu, select **Site Rules**.

4. Click **Add site rule**.

   ![A rate limit rule designed to block requests to the '/login' page after 100 requests to the page in 1 minute.](/img/ngwaf/rate-limit-rule-create.png)

5. In the **Type** section, select **Rate limit**.

Next, define the logic that the rule should use to identify requests that count towards the threshold. In the **Conditions** section:

1. Fill out these fields to create a condition:
   - From the **Field** menu, select the [request field](https://www.fastly.com/documentation/guides/next-gen-waf/rules/defining-rule-conditions/#fields) that the condition is based on.
   - From the **Operator** menu, select an [operator](https://www.fastly.com/documentation/guides/next-gen-waf/rules/defining-rule-conditions/#operators) to specify how the selected field and value relate.
   - In the **Value** field, enter a value for the specified field.
2. _(Optional)_ Click **Add condition** to add another condition or **Add group** to create a group of conditions.
3. Decide whether a request must meet one or all conditions in order to count towards the threshold:
   - Select **Any** from the conditions menu to specify that a request must meet only one of the conditions you've created.
   - Leave **All** selected in the conditions menu to specify that a request must meet every condition you've created.

Once you've done that, specify how the rate limit rule should identify an individual client. In the **Client identifier** section:

1. From the **Client key** menu, select how the rate limit rule should identify a client. Depending on the Client key option you selected, additional client identifier fields may appear.
2. _(Optional)_ Fill out any additional fields that appeared in the Client identifier section.

Next, specify a signal that should be applied to requests that meet the rule's condition set and define the threshold. In the **Actions** section, fill out the **Tracking** subsection as follows:

1. From the **Threshold signal** menu, select the signal that you want applied to requests that match the rule conditions. Requests tagged with the threshold signal are tallied and counted towards the threshold of the rule.
2. In the **Threshold** field, enter the number of requests that must be detected before a client is rate limited.
3. From the **Interval** menu, select the period of time requests must be detected during to pass the threshold.

Next, define how a client that exceeds the threshold should be rate limited. In the **Actions** section, fill out the **Rate limiting** subsection as follows:

1. From the **Action type** menu, select [the action](https://www.fastly.com/documentation/guides/next-gen-waf/rules/about-rules/#action-types) that should be taken when the threshold has been exceeded and requests meet the conditions of the match type. When you select **Block**, the Change response link appears.
2. _(Optional)_ Click **Change response** to specify a [custom response code](https://www.fastly.com/documentation/guides/next-gen-waf/agent-response-codes/using-custom-agent-response-codes/) to return when the rule blocks a request and fill out the related fields as follows:
   - In the **Response code (optional)** field, enter a custom response code. Supported custom response codes are 301, 302, and 400-599.
   - If you entered `301` or `302` in the **Response code (optional)** field then, in the **Redirect URL (optional)** field, enter the absolute or relative URL of the redirect location. See [Using redirect custom response codes](https://www.fastly.com/documentation/guides/next-gen-waf/agent-response-codes/using-custom-agent-response-codes/#using-redirect-custom-agent-response-codes).
3. From the **Match type** menu, select the conditions that determine what should be rate limited once the threshold is exceeded. Options include:
   - **Rule conditions:** rate limit requests from the client that match the rule's conditions. See an [example](https://www.fastly.com/documentation/guides/next-gen-waf/rules/working-with-advanced-rate-limiting-rules#rate-limit-comment-submissions) use case of this option.
   - **Other signal:** rate limit requests from the client that are tagged with the selected **Action signal**. When the action signal is not a [system signal](https://www.fastly.com/documentation/guides/next-gen-waf/signals/using-system-signals/), you need a request rule that tags requests with the selected signal.
   - **All requests:** rate limit all requests from the client.
4. From the **Duration** menu, select the amount of time the client should be rate limited.

Finally, add a description of the rule and save the rule:

1. Fill out the **Details** section as follows:
   - Leave the **Status** switch enabled.
   - In the **Description** field, enter a description of the rule.
2. Click **Create site rule**. The advanced rate limit rule is created, and the Site Rules page appears.

### Fastly Control Panel

Start by navigating to the Add form for rules and selecting a type of rule:

1. Log in to the [Fastly control panel](https://manage.fastly.com).

2. Go to **Security** > **Next-Gen WAF** > [**Rules**](https://manage.fastly.com/security/ngwaf/rules).

3. From the workspaces bar, click the menu <span class="inline-icons"><img src="/img/icons/chevron-down.png" alt="Menu icon" /></span> to the right of the workspace name and select a workspace.

4. Click **Add workspace rule**.
5. In the **Type** section, select **Rate limit**.

   ![A rate limit rule designed to block requests to the '/login' page after 100 requests to the page in 1 minute.](/img/ngwaf/create-rate-limit-rule.png)

Next, define the logic that the rule should use to identify requests that count towards the threshold. In the **Conditions** section:

1. Fill out these fields to create a condition:
   - From the **Field** menu, select the [request field](https://www.fastly.com/documentation/guides/next-gen-waf/rules/defining-rule-conditions/#fields) that the condition is based on.
   - From the **Operator** menu, select an [operator](https://www.fastly.com/documentation/guides/next-gen-waf/rules/defining-rule-conditions/#operators) to specify how the selected field and value relate.
   - In the **Value** field, enter a value for the specified field.
2. _(Optional)_ Click **Add condition** to add another condition or **Add group** to create a group of conditions.
3. Decide whether a request must meet one or all conditions in order to count towards the threshold:
   - Select **Any** from the conditions menu to specify that a request must meet only one of the conditions you've created.
   - Leave **All** selected in the conditions menu to specify that a request must meet every condition you've created.

Once you've done that, specify how the rate limit rule should identify an individual client. In the **Client identifier** section:

1. From the **Client key** menu, select how the rate limit rule should identify a client. Depending on the Client key option you selected, additional client identifier fields may appear.
2. _(Optional)_ Fill out any additional fields that appeared in the Client identifier section.

Next, specify a signal that should be applied to requests that meet the rule's condition set and define the threshold. In the **Actions** section, fill out the **Tracking** subsection as follows:

1. From the **Threshold signal** menu, select the signal that you want applied to requests that match the rule conditions. Requests tagged with the threshold signal are tallied and counted towards the threshold of the rule.
2. In the **Threshold** field, enter the number of requests that must be detected before a client is rate limited.
3. From the **Interval** menu, select the period of time requests must be detected during to pass the threshold.

Next, define how a client that exceeds the threshold should be rate limited. In the **Actions** section, fill out the **Rate limiting** subsection as follows:

1. From the **Type** menu, select the [action](https://www.fastly.com/documentation/guides/next-gen-waf/rules/about-rules/#action-types) that should be taken when the threshold has been exceeded and requests meet the conditions of the match type. When you select **Block signal**, the Change response code link appears.
2. _(Optional)_ Click **Change response code** to specify a [custom response code](https://www.fastly.com/documentation/guides/next-gen-waf/agent-response-codes/using-custom-agent-response-codes/) to return when the rule blocks a request and fill out the related fields as follows:
   - In the **Response code** field, enter a custom response code. Supported custom response codes are 301, 302, and 400-599.
   - If you entered `301` or `302` in the **Response code** field then, in the **Redirect URL** field, enter the absolute or relative URL of the redirect location. See [Using redirect custom response codes](https://www.fastly.com/documentation/guides/next-gen-waf/agent-response-codes/using-custom-agent-response-codes/#using-redirect-custom-agent-response-codes).
3. From the **Match type** menu, select the conditions that determine what should be rate limited once the threshold is exceeded. Options include:
   - **Rule conditions:** rate limit requests from the client that match the rule's conditions. See an [example](https://www.fastly.com/documentation/guides/next-gen-waf/rules/working-with-advanced-rate-limiting-rules#rate-limit-comment-submissions) use case of this option.
   - **Other signal:** rate limit requests from the client that are tagged with the selected **Action signal**. When the action signal is not an [attack or anomaly signal](https://www.fastly.com/documentation/guides/next-gen-waf/signals/using-system-signals/), you need a request rule that tags requests with the selected signal. See an [example](https://www.fastly.com/documentation/guides/next-gen-waf/rules/working-with-advanced-rate-limiting-rules#credit-card-validation-attempts) use case of this option.
   - **All requests:** rate limit all requests from the client.
4. From the **Duration** menu, select the amount of time the client should be rate limited.

Finally, add a description of the rule and save the rule:

1. Fill out the **Details** section as follows:
   - Leave the **Status** switch set to the **On** position.
   - In the **Rule description** field, enter a description of the rule.
2. Click **Add workspace rule**. The advanced rate limit rule is created, and the Rules page appears.

## Example rate limit rules

The following examples demonstrate how to configure rate limit rules for common use cases. Be aware that values (e.g., paths and response codes) used in these examples may not be the same as those used by your particular web application.

### Rate limit comment submissions

This example demonstrates a rule that rate limits comment submissions. The rule:

- looks for POST requests to the `/comments.php` file.
- uses the `User-Agent` request header to identify the client (the **Client key**).
- applies the `Comment Submission` custom signal (the **Threshold signal**) to requests that meet the rule's condition set.
- defines the threshold: 10 requests (the **Threshold**) tagged with the `Comment Submission` signal are detected from a unique client within 1 minute (the **Interval**).
- blocks (the **Action type**) requests that are tagged with the `Comment Submission` signal and that originate from clients that exceeded the threshold for the next 5 minutes (the **Duration**).

### Next-Gen WAF Control Panel

![An example rule that rate limits comment submissions, as described above](/img/ngwaf/rate-limit-comment-submission.png)

### Fastly Control Panel

![An example rule that rate limits comment submissions, as described above](/img/ngwaf/rate-limit-comment-submission-in-fcp.png)

### Rate limit credit card validation attempts

This example demonstrates a rule that rate limits credit card validation attempts after too many failed login attempts. The rule:

- looks for requests tagged with the `Credit Card Failure` system signal.
- applies the `Credit Card Failure Count` custom signal (the **Threshold signal**) to requests that meet the rule's condition set.
- defines the threshold: 5 requests (the **Threshold**) tagged with the `Credit Card Failure Count` signal from a single IP address (the **Client key**) within 10 minutes (the **Interval**).
- blocks (the **Action type**) requests that are tagged with the `Credit Card Attempt` signal (the **Action signal**) and that originate from IP addresses that exceeded the threshold for the next 5 minutes (the **Duration**).

> **IMPORTANT:** This example assumes that the `Credit Card Attempt` and `Credit Card Failure` [system signals are enabled](https://www.fastly.com/documentation/guides/next-gen-waf/signals/configuring-system-signals/#ato-and-api-signals).

### Next-Gen WAF Control Panel

![Screenshot of an example rule that rate limits credit card validation failures, as described above.](/img/ngwaf/rate-limit-credit-card-attempts.png)

### Fastly Control Panel

![Screenshot of an example rule that rate limits credit card validation failures, as described above.](/img/ngwaf/rate-limit-credit-card-attempts-in-fcp.png)

### Rate limit enumeration attempts

Attackers often attempt to enumerate web applications using techniques like brute-forcing files, directories, and credentials. These attempts generate a high volume of 4XX and 5XX errors. To stop attackers before their enumeration attempts succeed, you can create a broad rate limit rule that:

- looks for 4XX and 5XX response codes.
- uses the IP address to identify the client (the **Client key**).
- applies the `Suspected attacker` custom signal (the **Threshold signal**) to requests that meet the rule's condition set.
- defines the threshold: 100 requests (the **Threshold**) tagged with the `Suspected attacker` signal from a single IP address (the **Client key**) within 1 minute (the **Interval**).
- blocks (the **Action type**) all requests from clients that exceed the threshold for the next 10 minutes (the **Duration**).

### Next-Gen WAF Control Panel

![An example rule that rate limits enumeration attempts, as described above](/img/ngwaf/rate-limit-enumeration-attempts-in-ngwaf-cp.png)

### Fastly Control Panel

![An example rule that rate limits enumeration attempts, as described above](/img/ngwaf/rate-limit-enumeration-attempts-in-fcp.png)

## Glossary

| Term                                                                                                    | Definition                                                                                                                                                                                                                                                                                |
| ------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [Action type](https://www.fastly.com/documentation/guides/next-gen-waf/rules/about-rules/#action-types) | How the WAF should handle requests when the threshold has been exceeded and the requests meet the conditions of the match type.                                                                                                                                                           |
| Client                                                                                                  | The source from where requests originate.                                                                                                                                                                                                                                                 |
| Client identifier                                                                                       | The parts of requests used to identify an individual client.                                                                                                                                                                                                                              |
| Duration                                                                                                | How long a client remains rate limited.                                                                                                                                                                                                                                                   |
| Interval                                                                                                | The period of time requests must be detected during to pass the threshold.                                                                                                                                                                                                                |
| Match type                                                                                              | Which requests from the client should be blocked or logged after the threshold has been passed.                                                                                                                                                                                           |
| Threshold                                                                                               | How many requests must be detected before a client is rate limited.                                                                                                                                                                                                                       |
| Threshold signal                                                                                        | The signal that requests are tagged with when they meet the rate limit rule's condition set. Threshold signals are tallied and counted towards the threshold for that rule. When the threshold signal count for a single client exceeds the rule’s threshold, that client is rate limited. |

## Related content

- [About rules](https://www.fastly.com/documentation/guides/next-gen-waf/rules/about-rules)
- [Using an API with the Next-Gen WAF](https://www.fastly.com/documentation/guides/next-gen-waf/developer/using-an-api-with-the-next-gen-waf)
