Rate policy

Available rate policy property options.

Base structure

A JSON file used to define rate policy properties and property values looks similar to this.

{
  "additionalMatchOptions": [{
    "positiveMatch": true,
    "type": "ResponseStatusCondition",
    "values": ["400", "401", "402", "403", "404", "405", "406", "407", "408", "409", "410", "500", "501", "502", "503", "504"]
  }],
  "averageThreshold": 5,
  "burstThreshold": 8,
  "burstWindow": 3,
  "clientIdentifier": "ip",
  "condition": {
    "atomicConditions": [
      {
        "className": "TlsFingerprintCondition",
        "positiveMatch": true,
        "value": [
          "a123vc456de789fg",
          "ba21dc3e87654f7g8h90i123456j7k8"
        ]
      },
      {
        "className": "ClientReputationCondition",
        "name": [
          "DOSATCK",
          "WEBATCK"
        ],
        "positiveMatch": true,
        "sharedIpHandling": "BOTH",
        "value": 3
      },
      {
        "className": "RequestHeaderCondition",
        "name": [
          "Accept",
          "Content-Type"
        ],
        "nameWildcard": true,
        "positiveMatch": true,
        "value": [
          "json",
          "xml"
        ],
        "valueCase": false,
        "valueWildcard": true
      }
    ],
    "positiveMatch": true
  },
  "description": "An excessive error rate from the origin could indicate malicious activity by a bot scanning the site or a publishing error. In both cases, this would increase the origin traffic and could potentially destabilize it.",
  "matchType": "path",
  "name": "HTTP Response Codes",
  "pathMatchType": "Custom",
  "pathUriPositiveMatch": true,
  "requestType": "ForwardResponse",
  "sameActionOnIpv6": true,
  "type": "WAF",
  "useXForwardForHeaders": false
}

Required properties

Property	Description
`averageThreshold`	Maximum number of allowed hits per second during any two-minute interval.
`burstThreshold`	Maximum number of allowed hits per second during any five-second interval.
`clientIdentifier`	Identifier used to identify and track request senders; this value is required only when using Web Application Firewall. Allowed values are: `api-key`. Supported only for API match criteria. `ip-useragent`. Typically preferred over ip when identifying a client. `ip`. Identifies clients by IP address. `cookie:value`. Helps track requests over an individual session, even if the IP address changes.
`matchType`	Indicates the type of path matched by the policy allowed values are: `path`. Matches website paths. `api`. Matches API paths.
`name`	Unique name assigned to a rate policy.
`pathMatchType`	Type of path to match in incoming requests. Allowed values are: `AllRequests`. Matches an empty path or any path that ends in a trailing slash `TopLevel`. Matches top-level hostnames only. `Custom`. Matches a specific path or path component. This property is only required when the `matchType` is set to `path`.
`requestType`	Type of request to count towards the rate policy's thresholds. Allowed values are: `ClientRequest`. Counts client requests to edge servers. `ClientResponse`. Counts edge responses to the client. `ForwardResponse`. Counts origin responses to the client. `ForwardRequest`. Counts edge requests to your origin.
`sameActionOnIpv6`	Indicates whether the same rate policy action applies to both IPv6 traffic and IPv4 traffic.
`type`	Rate policy type. Allowed values are: `WAF`. Web Application Firewall. `BOTMAN`. Bot Manager.

Optional properties

Property	Description
`burstWindow`	The time span for the `burstThreshold` interval. For existing rate policies, analyze your traffic in `Alert` mode before you reduce the measure window from 5 seconds.
`condition`	An object containing the criteria that trigger a rate policy. `positiveMatch`. Whether the condition for a match triggers on `true` or lack of match `false`. `atomicConditions`. An array of your trigger conditions. Include one or all of the condition type objects: Request headers condition object `className`. Required. The condition type. Value is `RequestHeaderCondition`. `name`. Required. An array of header names. This property checks for the existence of the header. Use with `value` to check if the header is a match. `nameWildcard`. Whether to interpret `?` and `` as wildcards. `positiveMatch`. Whether the condition for a match triggers on `true` or lack of match `false` `value`. An array of header values. Use with `name` to check both existence and match. `valueCase`. Whether to consider case sensitivity of header values. `valueWildcard`. Whether to interpret `?` and `` as wildcards. TLS fingerprint condition object `className`. Required. The condition type. Value is `TlsFingerprintCondition`. `positiveMatch`. Whether the condition for a match triggers on `true` or lack of match `false`. `value`. Required. An array of TLS fingerprints. Client reputation condition object `className`. Required. The condition type. Value is `ClientReputationCondition`. `name`. Required. An array of reputation category strings. `WBSCRP` for webs scrapers or crawlers. `DOSATCK` for DoS attackers. `WEBATCK` for Web attackers. `SCANTL` for scanning tools. `positiveMatch`. Whether the condition for a match triggers on `true` or lack of match `false`. `sharedIpHandling`. Required. The shared IP status. Values are `SHARED_ONLY`, `NON_SHARED`, `BOTH`. `value`. Required. The threshold value that causes the trigger.
`description`	Descriptive text about the policy.
`hostnames`	Array of hostnames that trigger a policy match. If a hostname is not in the array then that request is ignored by the policy.
`pathUriPositiveMatch`	Indicates whether the policy is triggered if a match is found.
`useXForwardForHeaders`	Indicates whether the policy checks the contents of the `X-Forwarded-For` header in incoming requests.

additionalMatchOptions

Specifies additional matching conditions for the rate policy.

Property	Required	Description
`properties`	✔️	Match condition type. Allowed values are: `IpAddressCondition` `NetworkListCondition` `RequestHeaderCondition` `RequestMethodCondition` `ResponseStatusCondition` `UserAgentCondition` `AsNumberCondition`
`positiveMatch`	✔️	Indicates the match condition for a policy's trigger.
`values`	✔️	List of values to match.

apiSelectors

Specifies the API endpoints to match on. Note that this object can only be used if the matchType is set to api.

Property	Required	Description
`apiDefinitionId`	✔️	Unique identifier of the API endpoint.
`resourceIds`		Unique identifiers of one or more API endpoint resources.
`undefinedResources`		If true, matches any resource not explicitly added to your API definition without having to include the resource ID. If false, matches only those undefined resources listed in the `resourceIds` property.
`definedResources`		If true, this matches any resource explicitly added to your API definition without having to include the resource ID. If false, matches only those defined resources listed in the `resourceIds` property.

bodyParameters

Specifies the request body parameters on which to match.

Property	Required	Description
`name`	✔️	Body parameter name to match.
`values`	✔️	Body parameter values to match.
`positiveMatch`		Indicates the match condition for a policy's trigger.
`valueInRange`		When true, this matches values inside the `values` range. Note that your values must be specified as a range to use this property. When false this matches values that fall outside the specified range.

fileExtensions

Specifies the file extensions on which to match.

Property	Required	Description
`positiveMatch`	✔️	Indicates the match condition for a policy's trigger.
`values`	✔️	List of file extensions to match.

path

Property	Required	Description
`positiveMatch`	✔️	Indicates the match condition for a policy's trigger.
`values`	✔️	List of paths to match.

queryParameters

Property	Required	Description
`name`	✔️	Query parameter name to match.
`values`	✔️	List of query parameter values to match.
`positiveMatch`	✔️	Indicates the match condition for a policy's trigger.
`valueInRange`		When true, this matches values inside the `values` range. Your values must be specified as a range to use this property. When false, this matches values that fall outside the specified range.