---
title: Working with signal exclusion rules
summary: null
url: >-
  https://www.fastly.com/documentation/guides/next-gen-waf/rules/working-with-signal-exclusion-rules
---

A signal exclusion rule prevents requests with a particular pattern from being tagged with a specific [system signal](https://www.fastly.com/documentation/guides/next-gen-waf/signals/using-system-signals/). You can use signal exclusion rules to help avoid false positives. For example, you may have an internal website where you allow employees to POST raw HTML. These types of requests may look like a Cross-Site Scripting attack (XSS) and get tagged with the [`XSS`](https://www.fastly.com/documentation/guides/next-gen-waf/signals/using-system-signals/#attack-xss) system signal by the Next-Gen WAF. To prevent false positives, you can create a signal exclusion rule to prevent requests from your internal VPN on that website from being tagged with the `xss` attack signal. Similarly, a signal exclusion rule could prevent internal IP addresses that fail to access an admin page from being tagged with the [`FORCEFULBROWSING`](https://www.fastly.com/documentation/guides/next-gen-waf/signals/using-system-signals/#anomalies-forcefulbrowsing) signal.

## Limitations and considerations

When working with signal exclusion rules, keep the following in mind:

- Signal exclusion rules are not available for the [Essential platform](https://docs.fastly.com/products/fastly-next-gen-waf#feature-availability).
- Signal exclusion rules are limited to 1000 at the corp-level (also known as account-level) plus 1000 at the site-level (also known as workspace-level) and count against the total number of request rule limits for corps (accounts) and sites (workspaces).

## Creating signal exclusion rules

You can create signal exclusion rules that apply to multiple sites (workspaces) or that only apply to a single site (workspace).

### Creating signal exclusion rules that apply to multiple sites (workspaces)

To create a signal exclusion rule that applies to multiple sites (workspaces), complete the following steps:

### Next Gen Waf Control Panel

1.   Log in to the [Next-Gen WAF control panel](https://dashboard.signalsciences.net).

2. From the **Corp Rules** menu, select **Corp Rules**.

3. Click **Add corp rule**.

   ![A corp-level (account-level) signal exclusion rule designed to prevent POST requests originating from a list of known internal developer IP addresses from being tagged with the 'NO-CONTENT-TYPE signal](/img/ngwaf/add-corp-signal-exclusion.png)

4. In the Type section, select **Signal exclusion**.

5. From the Signal menu, select the signal that you want to prevent from being assigned to requests that meet specific conditions.

6. Fill out the fields in the **Conditions** section as follows:
   - From the **Field** menu, select the [request field](https://www.fastly.com/documentation/guides/next-gen-waf/rules/defining-rule-conditions/#fields) that the condition is based on.
   - In the **Value** field, enter a value for the specified field.
   - From the **Operator** menu, select an operator to specify how the selected field and value relate.
   - _(Optional)_ Click **Add condition** to add another condition, or click **Add group** to create a group of conditions.
   - Select **All** to specify that a request must meet every condition to be excluded or **Any** to specify that a request must meet only one condition to be excluded.

7. Fill out the fields in the **Details** section as follows:
   - Leave the **Status** switch enabled.
   - In the **Description** field, enter a description of the rule.
   - From the **Scope** menu, leave **Global** selected for the rule to apply to all your sites. If you want the rule to apply to specific sites, select **Specific sites** and then select the sites the rule should apply to.

8. Click **Create corp rule**. The rule is created, and the Corp Rules page appears.

### Fastly Control Panel

1.   Log in to the [Fastly control panel](https://manage.fastly.com).

2.   Go to **Security** > **Next-Gen WAF** > [**Rules**](https://manage.fastly.com/security/ngwaf/rules).

3.   From the workspaces bar, click the menu <span class="inline-icons"><img src="/img/icons/chevron-down.png" alt="Menu icon" /></span> to the right of the workspace name and select your account name.

4. Click **Add account rule**.

   ![An account-level signal exclusion rule designed to prevent POST requests originating from a list of known internal developer IP addresses from being tagged with the 'NO-CONTENT-TYPE signal](/img/ngwaf/add-account-signal-exclusion.png)

5. In the **Type** section, select **Signal**.

6. Fill out the fields in the **Conditions** section as follows:
   - Select **All** to specify that a request must meet every condition to be excluded or **Any** to specify that a request must meet only one condition to be excluded.
   - From the **Field** menu, select the [request field](https://www.fastly.com/documentation/guides/next-gen-waf/rules/defining-rule-conditions/#fields) that the condition is based on.
   - From the **Operator** menu, select an operator to specify how the selected field and value relate.
   - In the **Value** field, enter a value for the specified field.
   - _(Optional)_ Click **Add condition** to add another condition, or click **Add group** to create a group of conditions.

7. In the **Actions** section, use the **Signal** menu to select the signal that you want to prevent from being assigned to requests that meet specific conditions.

8. Fill out the fields in the **Details** section as follows:
   - In the **Description** field, enter a description of the rule.
   - Leave the **Status** switch enabled.
   - From the **Scope** menu, leave **Global** selected for the rule to apply to all your workspaces. If you want the rule to apply to specific workspaces, select **Specified workspaces** and then select the workspaces the rule should apply to.

9. Click **Create account rule**.

### Creating signal exclusion rules that apply to one site (workspace)

To create a signal exclusion rule that applies to only one site (workspace), complete the following steps:

### Next Gen Waf Control Panel

1.   Log in to the [Next-Gen WAF control panel](https://dashboard.signalsciences.net).

2.   From the **Sites** menu, select a site if you have more than one site.

3. From the **Rules** menu, select **Site Rules**.

4. Click **Add site rule**.

   ![A site-level signal exclusion rule designed to prevent POST requests originating from a list of known internal developer IP addresses from being tagged with the 'NO-CONTENT-TYPE signal](/img/ngwaf/add-site-signal-exclusion.png)

5. In the **Type** section, select **Signal exclusion**.

6. From the **Signal menu**, select the signal that you want to prevent from being assigned to requests that meet specific conditions.

7. Fill out the fields in the **Conditions** section as follows:
   - From the **Field** menu, select the [request field](https://www.fastly.com/documentation/guides/next-gen-waf/rules/defining-rule-conditions/#fields) that the condition is based on.
   - In the **Value** field, enter a value for the specified field.
   - From the **Operator** menu, select an operator to specify how the selected field and value relate.
   - _(Optional)_ Click **Add condition** to add another condition, or click **Add group** to create a group of conditions.
   - Leave **All** selected to specify that a request must meet every condition to be excluded or select **Any** to specify that a request must meet only one condition to be excluded.

8. Fill out the fields in the **Details** section as follows:
   - Leave the **Status** switch enabled.
   - In the **Description** field, enter a description of the rule.

9. Click **Create site rule**. The rule is created, and the Site Rules page appears.

### Fastly Control Panel

1.   Log in to the [Fastly control panel](https://manage.fastly.com).

2.   Go to **Security** > **Next-Gen WAF** > [**Rules**](https://manage.fastly.com/security/ngwaf/rules).

3.   From the workspaces bar, click the menu <span class="inline-icons"><img src="/img/icons/chevron-down.png" alt="Menu icon" /></span> to the right of the workspace name and select a workspace.

4. Click **Add workspace rule**.

   ![A workspace-level signal exclusion rule designed to prevent POST requests originating from IP address 198.51.100.50 from being tagged with the No Content Type signal](/img/ngwaf/add-signal-exclusion-rule.png)

5. In the **Type** section, select **Signal exclusion**.

6. From the **Signal** menu, select the signal that you want to prevent from being assigned to requests that meet specific conditions.

7. Fill out the fields in the **Conditions** section as follows:
   - From the **Field** menu, select the [request field](https://www.fastly.com/documentation/guides/next-gen-waf/rules/defining-rule-conditions/#fields) that the condition is based on.
   - In the **Value** field, enter a value for the specified field.
   - From the **Operator** menu, select an operator to specify how the selected field and value relate.
   - _(Optional)_ Click **Add condition** to add another condition, or click **Add group** to create a group of conditions.
   - Leave **All** selected to specify that a request must meet every condition to be excluded or select **Any** to specify that a request must meet only one condition to be excluded.

8. In the **Action** section, leave **Exclude signal** selected for the **Type** menu.

9. Fill out the fields in the **Details** section as follows:
   - In the **Description** field, enter a description of the rule.
   - Leave the **Status** switch enabled.

10. Click **Add workspace rule**. The rule is created, and the Rules page appears.

## Editing signal exclusion rules

The steps to edit an existing rule depends on whether the rule applies to multiple sites (workspaces) or to a single site (workspace).

> **HINT:** Not sure if your [rule logic](https://www.fastly.com/documentation/guides/next-gen-waf/rules/defining-rule-conditions) will work? Use our [Simulator](https://www.fastly.com/documentation/guides/next-gen-waf/rules/defining-rule-conditions#testing-rule-logic-with-the-simulator) to test it.

### Editing signal exclusion rules that apply to multiple sites (workspaces)

To adjust a signal exclusion rule that applies to more than one site (workspace), complete the following steps:

### Next Gen Waf Control Panel

1.   Log in to the [Next-Gen WAF control panel](https://dashboard.signalsciences.net).

2. From the **Corp Rules** menu, select **Corp Rules**.

3. Click **Edit** to the right of the rule that you want to delete.

   ![A corp-level signal exclusion rule designed to prevent POST requests originating from a list of known internal developer IP addresses from being tagged with the 'NO-CONTENT-TYPE signal](/img/ngwaf/edit-corp-signal-exclusion.png)

4. From the Signal menu, select the signal that you want to prevent from being assigned to requests that meet specific conditions.

5. Fill out the fields in the Conditions section as follows:
   - From the **Field** menu, select the [request field](https://www.fastly.com/documentation/guides/next-gen-waf/rules/defining-rule-conditions/#fields) that the condition is based on.
   - In the **Value** field, enter a value for the specified field.
   - From the **Operator** menu, select an operator to specify how the selected field and value relate.
   - _(Optional)_ Click **Add condition** to add another condition, or click **Add group** to create a group of conditions.
   - Select **All** to specify that a request must meet every condition to be excluded or **Any** to specify that a request must meet only one condition to be excluded.

6. Fill out the fields in the **Details** section as follows:
   - Leave the **Status** switch enabled.
   - In the **Description** field, enter a description of the rule.
   - From the **Scope** menu, leave **Global** selected for the rule to apply to all your sites. If you want the rule to apply to specific sites, select **Specific sites** and then select the sites the rule should apply to.

7. Click **Update corp rule**. The rule is updated, and the Corp Rules page appears.

### Fastly Control Panel

1.   Log in to the [Fastly control panel](https://manage.fastly.com).

2.   Go to **Security** > **Next-Gen WAF** > [**Rules**](https://manage.fastly.com/security/ngwaf/rules).

3.   From the workspaces bar, click the menu <span class="inline-icons"><img src="/img/icons/chevron-down.png" alt="Menu icon" /></span> to the right of the workspace name and select your account name.

4. Click the pencil <span class="inline-icons"><img src="/img/icons/pencil.png" alt="Pencil icon" /></span> to the right of the rule that you want to modify.

   ![An account-level signal exclusion rule designed to prevent POST requests originating from a list of known internal developer IP addresses from being tagged with the 'NO-CONTENT-TYPE signal](/img/ngwaf/edit-account-signal-exclusion.png)

5. Fill out the fields in the **Conditions** section as follows:
   - Select **All** to specify that a request must meet every condition to be excluded or **Any** to specify that a request must meet only one condition to be excluded.
   - From the **Field** menu, select the [request field](https://www.fastly.com/documentation/guides/next-gen-waf/rules/defining-rule-conditions/#fields) that the condition is based on.
   - From the **Operator** menu, select an operator to specify how the selected field and value relate.
   - In the **Value** field, enter a value for the specified field.
   - _(Optional)_ Click **Add condition** to add another condition, or click **Add group** to create a group of conditions.

6. In the **Actions** section, use the **Signal** menu to select the signal that you want to prevent from being assigned to requests that meet specific conditions.

7. Fill out the fields in the **Details** section as follows:
   - In the **Description** field, enter a description of the rule.
   - Leave the **Status** switch enabled.
   - From the **Scope** menu, leave **Global** selected for the rule to apply to all your workspaces. If you want the rule to apply to specific workspaces, select **Specified workspaces** and then select the workspaces the rule should apply to.

8. Click **Update account rule**.

### Editing signal exclusion rules that apply to one site (workspace)

To adjust a signal exclusion rule that applies to only one site (workspace), complete the following steps:

### Next Gen Waf Control Panel

1.   Log in to the [Next-Gen WAF control panel](https://dashboard.signalsciences.net).

2.   From the **Sites** menu, select a site if you have more than one site.

3. From the **Rules** menu, select **Site Rules**.

4. Click **Edit** to the right of the rule that you want to modify.

   ![A site-level signal exclusion rule designed to prevent POST requests originating from a list of known internal developer IP addresses from being tagged with the 'NO-CONTENT-TYPE signal](/img/ngwaf/edit-site-signal-exclusion.png)

5. From the **Signal** menu, select the signal that you want to prevent from being assigned to requests that meet specific conditions.

6. Fill out the fields in the **Conditions** section as follows:
   - From the **Field** menu, select the [request field](https://www.fastly.com/documentation/guides/next-gen-waf/rules/defining-rule-conditions/#fields) that the condition is based on.
   - In the **Value** field, enter a value for the specified field.
   - From the **Operator** menu, select an operator to specify how the selected field and value relate.
   - _(Optional)_ Click **Add condition** to add another condition, or click **Add group** to create a group of conditions.
   - Select **All** to specify that a request must meet every condition to be excluded or **Any** to specify that a request must meet only one condition to be excluded.

7. Fill out the fields in the **Details** section as follows:
   - Leave the **Status** switch enabled.
   - In the **Description** field, enter a description of the rule.

8. Click **Update site rule**. The rule is updated, and the Site Rules page appears.

### Fastly Control Panel

1.   Log in to the [Fastly control panel](https://manage.fastly.com).

2.   Go to **Security** > **Next-Gen WAF** > [**Rules**](https://manage.fastly.com/security/ngwaf/rules).

3.   From the workspaces bar, click the menu <span class="inline-icons"><img src="/img/icons/chevron-down.png" alt="Menu icon" /></span> to the right of the workspace name and select a workspace.

4. Click the pencil <span class="inline-icons"><img src="/img/icons/pencil.png" alt="Pencil icon" /></span> to the right of the rule that you want to modify.

   ![A workspace-level signal exclusion rule designed to prevent POST requests originating from IP address 198.51.100.50 from being tagged with the No Content Type signal](/img/ngwaf/edit-signal-exclusion-rule.png)

5. From the **Signal** menu, select the signal that you want to prevent from being assigned to requests that meet specific conditions.

6. Fill out the fields in the **Conditions** section as follows:
   - From the **Field** menu, select the [request field](https://www.fastly.com/documentation/guides/next-gen-waf/rules/defining-rule-conditions/#fields) that the condition is based on.
   - In the **Value** field, enter a value for the specified field.
   - From the **Operator** menu, select an operator to specify how the selected field and value relate.
   - _(Optional)_ Click **Add condition** to add another condition, or click **Add group** to create a group of conditions.
   - Select **All** to specify that a request must meet every condition to be excluded or **Any** to specify that a request must meet only one condition to be excluded.

7. Fill out the fields in the **Details** section as follows:
   - In the **Description** field, enter a description of the rule.
   - Leave the **Status** switch enabled.

8. Click **Update workspace rule**. The rule is updated, and the Rules page appears.

## Deleting signal exclusion rules

To delete a signal exclusion rule, follow the steps described in the [Deleting rules](https://www.fastly.com/documentation/guides/next-gen-waf/rules/about-rules#deleting-rules) section.

## Related content

- [About rules](https://www.fastly.com/documentation/guides/next-gen-waf/rules/about-rules)
- [Using an API with the Next-Gen WAF](https://www.fastly.com/documentation/guides/next-gen-waf/developer/using-an-api-with-the-next-gen-waf)