Match targets

Available match target property options.

Base structure

A JSON file for creating a match target looks similar to this.

  "type": "website",
  "isNegativePathMatch": false,
  "isNegativeFileExtensionMatch": false,
   "hostnames": [
  "fileExtensions": ["sfx", "py", "js", "jar", "html", "exe", "dll", "bat"],
  "securityPolicy": {
    "policyId": "gms1_134637"

Required arguments

The match target type argument must be included in all your match target JSON files. Allowed values are website or api.

Optional arguments

These arguments might be required depending on the other arguments you include in your match target. For example, if your match target includes the filePaths or fileExtensions object then your JSON file can't include the defaultFile argument.

configIdintegerUnique identifier of the security configuration containing the match target.
configVersionintegerVersion number of the security configuration associated with the match target.
defaultFilestringSpecifies how path matching takes place. Allowed values are:
  • NO_MATCH. Excludes the default file from path matching.
  • . Matches only requests for top-level hostnames that end in a trailing slash.
  • RECURSIVE_MATCH. Matches all requests for paths that end in a trailing slash.
fileExtensionsarrayFile extensions that the match target scans
filePathsarrayFile paths that the match target scans for.
hostnamesarrayHostnames that the match target scans for.
isNegativeFileExtensionMatchbooleanIf true, the match target is triggered if a match isn't found in the list of file extensions.
isNegativePathMatchbooleanIf true, the match target is triggered if a match isn't found in the list of file paths.
sequenceintegerOrdinal position of the match target in the sequence of match targets. Match targets are processed in the specified order: the match target with the sequence value 1 is processed first, the match target with the sequence value 2 is processed second, etc.


Associates your security policy by ID, policyId, to your match target.


Specifies the API endpoints to match on. Note that argument can only be used if the match target's type is set to api.

idintegerUnique identifier of the API endpoint.
namestringName of the API endpoint name.


The bypass network list provides a way for you to exempt one or more network lists from the Web Application Firewall.

idstringUnique identifier of the network list.
namestringName of the network list.

Sequence properties

Arrange the order in which your match targets are matched in a JSON file. This file has two required properties.

typeSpecifies whether the sequencing is for website matches or api matches.
targetSequenceAn object that contains the targetId and sequence value for each of your match targets.
 "type": "website",
 "targetSequence": [
   "targetId": 3722423,
   "sequence": 1
   "targetId": 2660693,
   "sequence": 2
   "targetId": 2712938,
   "sequence": 3