Working with request rules

Request rules allow you to define arbitrary conditions and block, allow, or tag requests indefinitely or for a specific period of time. For example, you could make a rule to block all requests with specific headers, requests to certain paths, or requests originating from specific IP addresses.

Not sure if your rule logic will work? Use our Simulator to test it. The Simulator feature is only available in the Next-Gen WAF control panel.

Limitations and considerations

Request rules are limited to 1000 per corp (also known as account) plus 1000 per site (also known as workspace).

Creating request rules

You can create request rules that apply to multiple sites (workspaces) or that only apply to a single site (workspace).

Creating rules that apply to multiple sites (workspaces)

This section only applies to Next-Gen WAF customers with access to the Next-Gen WAF control panel.

To create a request rule that applies to more than one site (workspace), complete the following steps:

  1. Log in to the Next-Gen WAF control panel.

  2. From the Corp Rules menu, select Corp Rules.

  3. Click Add corp rule.

    [Figure: a request rule designed to block requests to the '/login' page from the IP address '198.51.100.0/24'.]

  4. In the Type section, select Request.

  5. Fill out the fields in the Conditions section as follows:

    • From the Field menu, select the request field that the condition is based on.
    • In the Value field, enter a value for the specified field.
    • From the Operator menu, select an operator to specify how the selected field and value relate.
    • (Optional) Click Add condition to add another condition or Add group to create a group of conditions.
    • Select All to specify that a request must meet every condition or Any to specify that a request must meet only one condition.
  6. Fill out the fields in the Actions section as follows:

    • From the Action type menu, select the action that should be taken when a request meets the rule's conditions. Action types include Block, Allow, and Add signal.
    • (Optional) Click Add action to add another action.
  7. Fill out the fields in the Details section as follows:

    • From the Request logging menu, select Sampled to store the logs for requests that match the rule's criteria and None to not store the logs. When you select None, the time series graphs will still include data from requests that match the rule's criteria. Read our guide on request data storage for more information.
    • Leave the Status switch enabled.
    • Click Change expiration and select from the menu when the rule should be disabled.
    • In the Description field, enter a description of the rule.
    • From the Scope menu, leave Global selected for the rule to apply to all your sites. If you want the rule to apply to specific sites, select Specific sites and then select the sites the rule should apply to.
  8. Click Create corp rule. The request rule is created and the Site Rules page appears.

Creating rules that apply to one site (workspace)

To create a request rule that applies to only one site (workspace), complete the following steps:

  1. Log in to the Next-Gen WAF control panel.

  2. From the Sites menu, select a site if you have more than one site.

  3. From the Rules menu, select Site Rules.

  4. Click Add site rule.

    [Figure: a request rule designed to block requests to the '/login' page from the IP address '198.51.100.50'.]

  5. In the Type section, select Request.

  6. Fill out the fields in the Conditions section as follows:

    • From the Field menu, select the request field that the condition is based on.
    • In the Value field, enter a value for the specified field.
    • From the Operator menu, select an operator to specify how the selected field and value relate.
    • (Optional) Click Add condition to add another condition or Add group to create a group of conditions.
    • Select All to specify that a request must meet every condition or Any to specify that a request must meet only one condition.
  7. Fill out the fields in the Actions section as follows:

    • From the Action type menu, select the action that should be taken when a request meets the rule's conditions. Action types include Block, Allow, Add signal, Browser challenge, Dynamic Challenge, and Verify token. Check out our guide to using client challenges for additional details on browser challenges and token verification.
    • (Optional) If you selected Browser challenge from the Action type menu, leave the Allow Interactive switch disabled to keep the challenge non-interactive or click the switch to require an interactive (CAPTCHA) challenge.
    • (Optional) If you selected Block from the Action type menu, click Change response to specify the custom response code to return when the rule blocks a request. Supported custom response codes are 301, 302, and 400-599.
    • (Optional) If you entered 301 or 302 in the Response code (optional) field then, in the Redirect URL (optional) field, enter the absolute or relative URL of the redirect location. For more information, check out our guide on using redirect custom response codes.
    • (Optional) Click Add action to add another action.
  8. Fill out the fields in the Details section as follows:

    • From the Request logging menu, select Sampled to store the logs for requests that match the rule's criteria and None to not store the logs. When you select None, the time series graphs will still include data from requests that match the rule's criteria. Read our guide on request data storage for more information.
    • Leave the Status switch enabled.
    • Click Change expiration and select from the menu when the rule should be disabled.
    • In the Description field, enter a description of the rule.
  9. Click Create site rule. The request rule is created and the Site Rules page appears.
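
The All/Any condition logic and the custom response code limits from the steps above can be checked locally before a rule is entered in the control panel. The following is an added example, not Fastly's code or rule format; the dictionary layout, field names, and operator names are assumptions of this sketch, and the requests are constructed samples.

```python
import ipaddress

def in_cidr(actual, expected):
    try:
        return ipaddress.ip_address(actual) in ipaddress.ip_network(expected)
    except ValueError:  # missing or malformed address never matches
        return False

# Operator names are this sketch's own, not the product's operator list.
OPERATORS = {"equals": lambda actual, expected: actual == expected,
             "in_cidr": in_cidr}

def matches(node, request):
    """Evaluate one condition, or a group combined with All / Any."""
    if "conditions" in node:
        combine = all if node["match"] == "all" else any
        return combine(matches(c, request) for c in node["conditions"])
    return OPERATORS[node["operator"]](request.get(node["field"], ""), node["value"])

def decide(rule, request):
    """Return the rule's action type when the request matches, else None."""
    return rule["action"]["type"] if matches(rule, request) else None

def check_block_action(action):
    """Apply the page's limits on a Block action's custom response code."""
    code, errors = action.get("response_code"), []
    if code is not None and code not in (301, 302) and not 400 <= code <= 599:
        errors.append(f"unsupported response code {code}")
    if action.get("redirect_url") and code not in (301, 302):
        errors.append("redirect URL only applies to 301 or 302")
    return errors

# Example rule from the page: block /login from 198.51.100.0/24.
LOGIN_RULE = {
    "match": "all",
    "conditions": [
        {"field": "path", "operator": "equals", "value": "/login"},
        {"field": "ip", "operator": "in_cidr", "value": "198.51.100.0/24"},
    ],
    "action": {"type": "block", "response_code": 403},
}
# Same conditions joined with Any: matches far more traffic.
ANY_RULE = {**LOGIN_RULE, "match": "any"}

# Constructed sample requests.
SAMPLES = [
    {"ip": "198.51.100.50", "path": "/login"},  # both conditions hold
    {"ip": "198.51.100.50", "path": "/home"},   # only the IP condition holds
    {"ip": "203.0.113.7", "path": "/login"},    # only the path condition holds
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(req, decide(LOGIN_RULE, req), decide(ANY_RULE, req))
```

With All, only the first sample is blocked; with Any, all three are, which is the over-blocking to look for when testing a rule in the Simulator.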

Editing request rules

The steps to edit an existing rule depend on whether the rule applies to multiple sites (workspaces) or to a single site (workspace).

Editing rules that apply to multiple sites (workspaces)

This section only applies to Next-Gen WAF customers with access to the Next-Gen WAF control panel.

To adjust a request rule that applies to more than one site (workspace), complete the following steps:

  1. Log in to the Next-Gen WAF control panel.

  2. From the Corp Rules menu, select Corp Rules.

  3. Click Edit next to the rule that you want to edit.

    [Figure: a request rule designed to block requests to the '/login' page from the IP address '198.51.100.0/24'.]

  4. Fill out the fields in the Conditions section as follows:

    • From the Field menu, select the request field that the condition is based on.
    • In the Value field, enter a value for the specified field.
    • From the Operator menu, select an operator to specify how the selected field and value relate.
    • (Optional) Click Add condition to add another condition or Add group to create a group of conditions.
    • Select All to specify that a request must meet every condition or Any to specify that a request must meet only one condition.
  5. Fill out the fields in the Actions section as follows:

    • From the Action type menu, select the action that should be taken when a request meets the rule's conditions. Action types include Block, Allow, and Add signal.
    • (Optional) Click Add action to add another action.
  6. Fill out the fields in the Details section as follows:

    • From the Request logging menu, select Sampled to store the logs for requests that match the rule's criteria and None to not store the logs. When you select None, the time series graphs will still include data from requests that match the rule's criteria. Read our guide on request data storage for more information.
    • Leave the Status switch enabled.
    • Click Change expiration and select from the menu when the rule should be disabled.
    • In the Description field, enter a description of the rule.
    • From the Scope menu, leave Global selected for the rule to apply to all your sites. If you want the rule to apply to specific sites, select Specific sites and then select the sites the rule should apply to.
  7. Click Update corp rule. The request rule is updated and the Site Rules page appears.

Editing rules that apply to a single site (workspace)

To adjust a request rule that applies to only one site (workspace), complete the following steps:

  1. Log in to the Next-Gen WAF control panel.

  2. From the Sites menu, select a site if you have more than one site.

  3. From the Rules menu, select Site Rules.

  4. Click Edit next to the rule that you want to update.

    [Figure: a request rule designed to block requests to the '/login' page from the IP address '198.51.100.50'.]

  5. In the Type section, select Request.

  6. Fill out the fields in the Conditions section as follows:

    • From the Field menu, select the request field that the condition is based on.
    • In the Value field, enter a value for the specified field.
    • From the Operator menu, select an operator to specify how the selected field and value relate.
    • (Optional) Click Add condition to add another condition or Add group to create a group of conditions.
    • Select All to specify that a request must meet every condition or Any to specify that a request must meet only one condition.
  7. Fill out the fields in the Actions section as follows:

    • From the Action type menu, select the action that should be taken when a request meets the rule's conditions. Action types include Block, Allow, Add signal, Browser challenge, Dynamic Challenge, and Verify token. Check out our guide to using client challenges for additional details on browser challenges and token verification.
    • (Optional) If you selected Browser challenge from the Action type menu, leave the Allow Interactive switch disabled to keep the challenge non-interactive or click the switch to require an interactive (CAPTCHA) challenge.
    • (Optional) If you selected Block from the Action type menu, click Change response to specify the custom response code to return when the rule blocks a request. Supported custom response codes are 301, 302, and 400-599.
    • (Optional) If you entered 301 or 302 in the Response code (optional) field then, in the Redirect URL (optional) field, enter the absolute or relative URL of the redirect location. For more information, check out our guide on using redirect custom response codes.
    • (Optional) Click Add action to add another action.
  8. Fill out the fields in the Details section as follows:

    • From the Request logging menu, select Sampled to store the logs for requests that match the rule's criteria and None to not store the logs. When you select None, the time series graphs will still include data from requests that match the rule's criteria. Read our guide on request data storage for more information.
    • Leave the Status switch enabled.
    • Click Change expiration and select from the menu when the rule should be disabled.
    • In the Description field, enter a description of the rule.
  9. Click Update site rule. The request rule is updated and the Site Rules page appears.

Deleting request rules

To delete a rule, follow the steps described in the Deleting rules section.