Rate policy
Available rate policy property options.
Base structure
A JSON file used to define rate policy properties and property values looks similar to this.
{
"additionalMatchOptions": [{
"positiveMatch": true,
"type": "ResponseStatusCondition",
"values": ["400", "401", "402", "403", "404", "405", "406", "407", "408", "409", "410", "500", "501", "502", "503", "504"]
}],
"averageThreshold": 5,
"burstThreshold": 8,
"burstWindow": 3,
"clientIdentifier": "ip",
"condition": {
"atomicConditions": [
{
"className": "TlsFingerprintCondition",
"positiveMatch": true,
"value": [
"a123vc456de789fg",
"ba21dc3e87654f7g8h90i123456j7k8"
]
},
{
"className": "ClientReputationCondition",
"name": [
"DOSATCK",
"WEBATCK"
],
"positiveMatch": true,
"sharedIpHandling": "BOTH",
"value": 3
},
{
"className": "RequestHeaderCondition",
"name": [
"Accept",
"Content-Type"
],
"nameWildcard": true,
"positiveMatch": true,
"value": [
"json",
"xml"
],
"valueCase": false,
"valueWildcard": true
}
],
"positiveMatch": true
},
"description": "An excessive error rate from the origin could indicate malicious activity by a bot scanning the site or a publishing error. In both cases, this would increase the origin traffic and could potentially destabilize it.",
"matchType": "path",
"name": "HTTP Response Codes",
"pathMatchType": "Custom",
"pathUriPositiveMatch": true,
"requestType": "ForwardResponse",
"sameActionOnIpv6": true,
"type": "WAF",
"useXForwardForHeaders": false
}
Required properties
Property | Description |
---|---|
averageThreshold | Maximum number of allowed hits per second during any two-minute interval. |
burstThreshold | Maximum number of allowed hits per second during any five-second interval. |
clientIdentifier | Identifier used to identify and track request senders; this value is required only when using Web Application Firewall. Allowed values are:
|
matchType | Indicates the type of path matched by the policy allowed values are:
|
name | Unique name assigned to a rate policy. |
pathMatchType | Type of path to match in incoming requests. Allowed values are:
|
requestType | Type of request to count towards the rate policy's thresholds. Allowed values are:
|
sameActionOnIpv6 | Indicates whether the same rate policy action applies to both IPv6 traffic and IPv4 traffic. |
type | Rate policy type. Allowed values are:
|
Optional properties
Property | Description |
---|---|
burstWindow | The time span for the burstThreshold interval.For existing rate policies, analyze your traffic in Alert mode before you reduce the measure window from 5 seconds. |
condition | An object containing the criteria that trigger a rate policy.
|
description | Descriptive text about the policy. |
hostnames | Array of hostnames that trigger a policy match. If a hostname is not in the array then that request is ignored by the policy. |
pathUriPositiveMatch | Indicates whether the policy is triggered if a match is found. |
useXForwardForHeaders | Indicates whether the policy checks the contents of the X-Forwarded-For header in incoming requests. |
additionalMatchOptions
Specifies additional matching conditions for the rate policy.
Property | Required | Description |
---|---|---|
properties | ✔️ | Match condition type. Allowed values are:
|
positiveMatch | ✔️ | Indicates the match condition for a policy's trigger. |
values | ✔️ | List of values to match. |
apiSelectors
Specifies the API endpoints to match on. Note that this object can only be used if the matchType
is set to api
.
Property | Required | Description |
---|---|---|
apiDefinitionId | ✔️ | Unique identifier of the API endpoint. |
resourceIds | Unique identifiers of one or more API endpoint resources. | |
undefinedResources | If true, matches any resource not explicitly added to your API definition without having to include the resource ID. If false, matches only those undefined resources listed in the resourceIds property. | |
definedResources | If true, this matches any resource explicitly added to your API definition without having to include the resource ID. If false, matches only those defined resources listed in the resourceIds property. |
bodyParameters
Specifies the request body parameters on which to match.
Property | Required | Description |
---|---|---|
name | ✔️ | Body parameter name to match. |
values | ✔️ | Body parameter values to match. |
positiveMatch | Indicates the match condition for a policy's trigger. | |
valueInRange | When true, this matches values inside the values range. Note that your values must be specified as a range to use this property. When false this matches values that fall outside the specified range. |
fileExtensions
Specifies the file extensions on which to match.
Property | Required | Description |
---|---|---|
positiveMatch | ✔️ | Indicates the match condition for a policy's trigger. |
values | ✔️ | List of file extensions to match. |
path
Property | Required | Description |
---|---|---|
positiveMatch | ✔️ | Indicates the match condition for a policy's trigger. |
values | ✔️ | List of paths to match. |
queryParameters
Property | Required | Description |
---|---|---|
name | ✔️ | Query parameter name to match. |
values | ✔️ | List of query parameter values to match. |
positiveMatch | ✔️ | Indicates the match condition for a policy's trigger. |
valueInRange | When true, this matches values inside the values range. Your values must be specified as a range to use this property. When false, this matches values that fall outside the specified range. |
Updated 10 months ago