


# Creating and configuring a Web Access Control List (Web ACL)
<a name="classic-web-acl"></a>

**Warning**  
AWS WAF Classic is going through a planned end-of-life process. Refer to your AWS Health dashboard for the milestones and dates specific to your Region.

**Note**  
This is **AWS WAF Classic** documentation. You should only use this version if you created AWS WAF resources, like rules and web ACLs, in AWS WAF prior to November 2019, and you have not migrated them over to the latest version yet. To migrate your web ACLs, see [Migrating your AWS WAF Classic resources to AWS WAF](waf-migrating-from-classic.md).  
**For the latest version of AWS WAF**, see [AWS WAF](waf-chapter.md). 

A web access control list (web ACL) gives you fine-grained control over the web requests that your Amazon API Gateway API, Amazon CloudFront distribution or Application Load Balancer responds to. You can allow or block the following types of requests: 
+ Originate from an IP address or a range of IP addresses
+ Originate from a specific country or countries
+ Contain a specified string or match a regular expression (regex) pattern in a particular part of requests
+ Exceed a specified length
+ Appear to contain malicious SQL code (known as SQL injection)
+ Appear to contain malicious scripts (known as cross-site scripting)

You can also test for any combination of these conditions, or block or count web requests that not only meet the specified conditions, but also exceed a specified number of requests in any 5-minute period. 

To choose the requests that you want to allow to have access to your content or that you want to block, perform the following tasks:

1. Choose the default action, allow or block, for web requests that don't match any of the conditions that you specify. For more information, see [Deciding on the default action for a Web ACL](classic-web-acl-default-action.md).

1. Specify the conditions under which you want to allow or block requests:
   + To allow or block requests based on whether the requests appear to contain malicious scripts, create cross-site scripting match conditions. For more information, see [Working with cross-site scripting match conditions](classic-web-acl-xss-conditions.md).
   + To allow or block requests based on the IP addresses that they originate from, create IP match conditions. For more information, see [Working with IP match conditions](classic-web-acl-ip-conditions.md).
   + To allow or block requests based on the country that they originate from, create geo match conditions. For more information, see [Working with geographic match conditions](classic-web-acl-geo-conditions.md).
   + To allow or block requests based on whether the requests exceed a specified length, create size constraint conditions. For more information, see [Working with size constraint conditions](classic-web-acl-size-conditions.md).
   + To allow or block requests based on whether the requests appear to contain malicious SQL code, create SQL injection match conditions. For more information, see [Working with SQL injection match conditions](classic-web-acl-sql-conditions.md).
   + To allow or block requests based on strings that appear in the requests, create string match conditions. For more information, see [Working with string match conditions](classic-web-acl-string-conditions.md).
   + To allow or block requests based on a regex pattern that appears in the requests, create regex match conditions. For more information, see [Working with regex match conditions](classic-web-acl-regex-conditions.md).

1. Add the conditions to one or more rules. If you add more than one condition to the same rule, web requests must match all the conditions for AWS WAF Classic to allow or block requests based on the rule. For more information, see [Working with rules](classic-web-acl-rules.md). Optionally, you can use a rate-based rule instead of a regular rule to limit the number of requests from any IP address that meets the conditions.

1. Add the rules to a web ACL. For each rule, specify whether you want AWS WAF Classic to allow or block requests based on the conditions that you added to the rule. If you add more than one rule to a web ACL, AWS WAF Classic evaluates the rules in the order that they're listed in the web ACL. For more information, see [Working with web ACLs](classic-web-acl-working-with.md).

   When you add a new rule or update existing rules, it can take up to one minute for those changes to appear and be active across your web ACLs and resources.

**Topics**
+ [Working with conditions](classic-web-acl-create-condition.md)
+ [Working with rules](classic-web-acl-rules.md)
+ [Working with web ACLs](classic-web-acl-working-with.md)

# Working with conditions
<a name="classic-web-acl-create-condition"></a>

Conditions specify when you want to allow or block requests.
+ To allow or block requests based on whether the requests appear to contain malicious scripts, create cross-site scripting match conditions. For more information, see [Working with cross-site scripting match conditions](classic-web-acl-xss-conditions.md).
+ To allow or block requests based on the IP addresses that they originate from, create IP match conditions. For more information, see [Working with IP match conditions](classic-web-acl-ip-conditions.md).
+ To allow or block requests based on the country that they originate from, create geo match conditions. For more information, see [Working with geographic match conditions](classic-web-acl-geo-conditions.md).
+ To allow or block requests based on whether the requests exceed a specified length, create size constraint conditions. For more information, see [Working with size constraint conditions](classic-web-acl-size-conditions.md).
+ To allow or block requests based on whether the requests appear to contain malicious SQL code, create SQL injection match conditions. For more information, see [Working with SQL injection match conditions](classic-web-acl-sql-conditions.md).
+ To allow or block requests based on strings that appear in the requests, create string match conditions. For more information, see [Working with string match conditions](classic-web-acl-string-conditions.md).
+ To allow or block requests based on a regex pattern that appears in the requests, create regex match conditions. For more information, see [Working with regex match conditions](classic-web-acl-regex-conditions.md).

**Topics**
+ [Working with cross-site scripting match conditions](classic-web-acl-xss-conditions.md)
+ [Working with IP match conditions](classic-web-acl-ip-conditions.md)
+ [Working with geographic match conditions](classic-web-acl-geo-conditions.md)
+ [Working with size constraint conditions](classic-web-acl-size-conditions.md)
+ [Working with SQL injection match conditions](classic-web-acl-sql-conditions.md)
+ [Working with string match conditions](classic-web-acl-string-conditions.md)
+ [Working with regex match conditions](classic-web-acl-regex-conditions.md)

# Working with cross-site scripting match conditions
<a name="classic-web-acl-xss-conditions"></a>

Attackers sometimes insert scripts into web requests in an effort to exploit vulnerabilities in web applications. You can create one or more cross-site scripting match conditions to identify the parts of web requests, such as the URI or the query string, that you want AWS WAF Classic to inspect for possible malicious scripts. Later in the process, when you create a web ACL, you specify whether to allow or block requests that appear to contain malicious scripts.

**Topics**
+ [Creating cross-site scripting match conditions](#classic-web-acl-xss-conditions-creating)
+ [Values that you specify when you create or edit cross-site scripting match conditions](#classic-web-acl-xss-conditions-values)
+ [Adding and deleting filters in a cross-site scripting match condition](#classic-web-acl-xss-conditions-editing)
+ [Deleting cross-site scripting match conditions](#classic-web-acl-xss-conditions-deleting)

## Creating cross-site scripting match conditions
<a name="classic-web-acl-xss-conditions-creating"></a>

When you create cross-site scripting match conditions, you specify filters. The filters indicate the part of web requests that you want AWS WAF Classic to inspect for malicious scripts, such as the URI or the query string. You can add more than one filter to a cross-site scripting match condition, or you can create a separate condition for each filter. Here's how each configuration affects AWS WAF Classic behavior:
+ **More than one filter per cross-site scripting match condition (recommended)** – When you add a cross-site scripting match condition that contains multiple filters to a rule and add the rule to a web ACL, a web request must match only one of the filters in the cross-site scripting match condition for AWS WAF Classic to allow or block the request based on that condition.

  For example, suppose you create one cross-site scripting match condition, and the condition contains two filters. One filter instructs AWS WAF Classic to inspect the URI for malicious scripts, and the other instructs AWS WAF Classic to inspect the query string. AWS WAF Classic allows or blocks requests if they appear to contain malicious scripts *either* in the URI *or* in the query string.
+ **One filter per cross-site scripting match condition** – When you add the separate cross-site scripting match conditions to a rule and add the rule to a web ACL, web requests must match all the conditions for AWS WAF Classic to allow or block requests based on the conditions. 

  Suppose you create two conditions, and each condition contains one of the two filters in the preceding example. When you add both conditions to the same rule and add the rule to a web ACL, AWS WAF Classic allows or blocks requests only when both the URI and the query string appear to contain malicious scripts.
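
The two configurations above, modelled offline as an added example (not AWS code). The class names, the sample requests and the `looks_like_script` stand-in detector are assumptions made for illustration; only the OR-within-a-condition and AND-within-a-rule behaviour comes from this page.

```python
from dataclasses import dataclass


def looks_like_script(text: str) -> bool:
    """Stand-in detector (assumption): the real AWS WAF Classic XSS logic is not
    described on this page, so a simple marker search is used for illustration."""
    return "<script" in text.lower()


@dataclass
class XssMatchCondition:
    name: str
    filters: list  # request parts to inspect, e.g. ["uri", "query_string"]

    def matches(self, request: dict) -> bool:
        # Filters inside ONE condition are ORed: a single matching filter is enough.
        return any(looks_like_script(request.get(part, "")) for part in self.filters)


@dataclass
class Predicate:
    condition: XssMatchCondition
    negated: bool = False  # True means "does NOT appear to contain malicious scripts"


@dataclass
class Rule:
    name: str
    predicates: list

    def matches(self, request: dict) -> bool:
        # Conditions inside ONE rule are ANDed: every predicate must hold.
        return all(p.condition.matches(request) != p.negated for p in self.predicates)


@dataclass
class WebACL:
    default_action: str
    rules: list  # ordered (Rule, action) pairs

    def evaluate(self, request: dict) -> str:
        # Rules are evaluated in listed order; the first matching allow/block
        # rule decides (count actions are not modelled here).
        for rule, action in self.rules:
            if rule.matches(request):
                return action
        return self.default_action


def acl_one_condition_two_filters() -> WebACL:
    cond = XssMatchCondition("xss-uri-or-query", ["uri", "query_string"])
    return WebACL("ALLOW", [(Rule("block-xss", [Predicate(cond)]), "BLOCK")])


def acl_two_conditions_one_filter_each() -> WebACL:
    uri = XssMatchCondition("xss-uri", ["uri"])
    query = XssMatchCondition("xss-query", ["query_string"])
    rule = Rule("block-xss", [Predicate(uri), Predicate(query)])
    return WebACL("ALLOW", [(rule, "BLOCK")])


# Constructed sample requests (not real traffic).
SAMPLES = {
    "clean": {"uri": "/search", "query_string": "q=shoes"},
    "query_only": {"uri": "/search", "query_string": "q=<script>x</script>"},
    "uri_and_query": {"uri": "/<script>x</script>", "query_string": "q=<script>x</script>"},
}


def compare() -> dict:
    """Return {sample: (action with one condition, action with two conditions)}."""
    one = acl_one_condition_two_filters()
    two = acl_two_conditions_one_filter_each()
    return {name: (one.evaluate(req), two.evaluate(req)) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, (a, b) in compare().items():
        print(f"{name:14} one-condition={a:5} two-conditions={b}")
```

The `query_only` request is blocked by the single condition with two filters but falls through to the default action when the filters are split across two conditions in one rule.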

**Note**  
When you add a cross-site scripting match condition to a rule, you also can configure AWS WAF Classic to allow or block web requests that *do not* appear to contain malicious scripts.<a name="classic-web-acl-xss-conditions-creating-procedure"></a>

**To create a cross-site scripting match condition**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **Cross-site scripting**.

1. Choose **Create condition**.

1. Specify the applicable filter settings. For more information, see [Values that you specify when you create or edit cross-site scripting match conditions](#classic-web-acl-xss-conditions-values).

1. Choose **Add another filter**.

1. If you want to add another filter, repeat steps 4 and 5.

1. When you're done adding filters, choose **Create**.

## Values that you specify when you create or edit cross-site scripting match conditions
<a name="classic-web-acl-xss-conditions-values"></a>

When you create or update a cross-site scripting match condition, you specify the following values: 

**Name**  
The name of the cross-site scripting match condition.  
The name can contain only the characters A-Z, a-z, 0-9, and the special characters: \_-\!"\#\`\+\*\},./ . You can't change the name of a condition after you create it.

**Part of the request to filter on**  
Choose the part of each web request that you want AWS WAF Classic to inspect for malicious scripts:    
**Header**  
A specified request header, for example, the `User-Agent` or `Referer` header. If you choose **Header**, specify the name of the header in the **Header** field.  
**HTTP method**  
The HTTP method, which indicates the type of operation that the request is asking the origin to perform. CloudFront supports the following methods: `DELETE`, `GET`, `HEAD`, `OPTIONS`, `PATCH`, `POST`, and `PUT`.  
**Query string**  
The part of a URL that appears after a `?` character, if any.  
For cross-site scripting match conditions, we recommend that you choose **All query parameters (values only)** instead of **Query string** for **Part of the request to filter on**.  
**URI**  
The URI path of the request, which identifies the resource, for example, `/images/daily-ad.jpg`. This doesn't include the query string or fragment components of the URI. For information, see [Uniform Resource Identifier (URI): Generic Syntax](https://tools.ietf.org/html/rfc3986#section-3.3).   
Unless a **Transformation** is specified, a URI is not normalized and is inspected just as AWS receives it from the client as part of the request. A **Transformation** will reformat the URI as specified.  
**Body**  
The part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.  
If you choose **Body** for the value of **Part of the request to filter on**, AWS WAF Classic inspects only the first 8192 bytes (8 KB). To allow or block requests for which the body is longer than 8192 bytes, you can create a size constraint condition. (AWS WAF Classic gets the length of the body from the request headers.) For more information, see [Working with size constraint conditions](classic-web-acl-size-conditions.md).  
**Single query parameter (value only)**  
Any parameter that you have defined as part of the query string. For example, if the URL is "www.xyz.com?UserName=abc&SalesRegion=seattle" you can add a filter to either the *UserName* or *SalesRegion* parameter.   
If you choose **Single query parameter (value only)**, you will also specify a **Query parameter name**. This is the parameter in the query string that you will inspect, such as *UserName* or *SalesRegion*. The maximum length for **Query parameter name** is 30 characters. **Query parameter name** is not case sensitive. For example, if you specify *UserName* as the **Query parameter name**, this will match all variations of *UserName*, such as *username* and *UsERName*.  
**All query parameters (values only)**  
Similar to **Single query parameter (value only)**, but rather than inspecting the values of a single parameter, AWS WAF Classic inspects all parameter values within the query string for possible malicious scripts. For example, if the URL is "www.xyz.com?UserName=abc&SalesRegion=seattle," and you choose **All query parameters (values only)**, AWS WAF Classic will trigger a match if the value of either *UserName* or *SalesRegion* contains possible malicious scripts. 

**Header**  
If you chose **Header** for **Part of the request to filter on**, choose a header from the list of common headers, or enter the name of a header that you want AWS WAF Classic to inspect for malicious scripts.

**Transformation**  
A transformation reformats a web request before AWS WAF Classic inspects the request. This eliminates some of the unusual formatting that attackers use in web requests in an effort to bypass AWS WAF Classic.   
You can only specify a single type of text transformation.  
Transformations can perform the following operations:    
**None**  
AWS WAF Classic doesn't perform any text transformations on the web request before inspecting it for the string in **Value to match**.  
**Convert to lowercase**  
AWS WAF Classic converts uppercase letters (A-Z) to lowercase (a-z).  
**HTML decode**  
AWS WAF Classic replaces HTML-encoded characters with unencoded characters:  
+ Replaces `&quot;` with `&`
+ Replaces `&nbsp;` with a non-breaking space
+ Replaces `&lt;` with `<`
+ Replaces `&gt;` with `>`
+ Replaces characters that are represented in hexadecimal format, `&#xhhhh;`, with the corresponding characters
+ Replaces characters that are represented in decimal format, `&#nnnn;`, with the corresponding characters  
**Normalize white space**  
AWS WAF Classic replaces the following characters with a space character (decimal 32):  
+ \f, formfeed, decimal 12
+ \t, tab, decimal 9
+ \n, newline, decimal 10
+ \r, carriage return, decimal 13
+ \v, vertical tab, decimal 11
+ non-breaking space, decimal 160
In addition, this option replaces multiple spaces with one space.  
**Simplify command line**  
For requests that contain operating system command line commands, use this option to perform the following transformations:  
+ Delete the following characters: \ " ' ^
+ Delete spaces before the following characters: / (
+ Replace the following characters with a space: , ;
+ Replace multiple spaces with one space
+ Convert uppercase letters (A-Z) to lowercase (a-z)  
**URL decode**  
Decode a URL-encoded request.
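
The transformations listed above, written out as an added example (not AWS code) so you can see which single transformation normalizes a given input. The function names, the order of operations inside `simplify_command_line`, the use of Python's `html.unescape` and `urllib.parse.unquote` as decoders, and the deliberately literal, case-sensitive `marker_visible` check are all assumptions; the sample values are constructed.

```python
import html
import re
import string
from urllib.parse import unquote

_UPPER_TO_LOWER = str.maketrans(string.ascii_uppercase, string.ascii_lowercase)


def convert_to_lowercase(s: str) -> str:
    return s.translate(_UPPER_TO_LOWER)  # only A-Z -> a-z, as the page states


def html_decode(s: str) -> str:
    # Assumption: html.unescape stands in for the service's decoder; it handles
    # named entities plus the &#xhhhh; and &#nnnn; forms.
    return html.unescape(s)


def normalize_white_space(s: str) -> str:
    s = re.sub(r"[\f\t\n\r\v\xa0]", " ", s)  # listed characters -> space
    return re.sub(r" {2,}", " ", s)          # multiple spaces -> one space


def simplify_command_line(s: str) -> str:
    s = s.translate({ord(c): None for c in "\\\"'^"})  # delete \ " ' ^
    s = re.sub(r" +(?=[/(])", "", s)                   # delete spaces before / (
    s = re.sub(r"[,;]", " ", s)                        # , ; -> space
    s = re.sub(r" {2,}", " ", s)                       # multiple spaces -> one space
    return convert_to_lowercase(s)


def url_decode(s: str) -> str:
    return unquote(s)  # assumption: plain percent-decoding


# Keys are the option names used on this page.
TRANSFORMATIONS = {
    "None": lambda s: s,
    "Convert to lowercase": convert_to_lowercase,
    "HTML decode": html_decode,
    "Normalize white space": normalize_white_space,
    "Simplify command line": simplify_command_line,
    "URL decode": url_decode,
}


def marker_visible(text: str) -> bool:
    """Stand-in for inspection (assumption): literal, case-sensitive marker search."""
    return "<script" in text


def exposing_transformations(value: str) -> list:
    """Names of the transformations after which the marker becomes visible."""
    return [name for name, fn in TRANSFORMATIONS.items() if marker_visible(fn(value))]


def condition_matches(value: str, filter_transformations: list) -> bool:
    """One filter per transformation on the same request part; filters are ORed."""
    return any(marker_visible(TRANSFORMATIONS[t](value)) for t in filter_transformations)


if __name__ == "__main__":
    # Constructed sample values, each using a different encoding of the same marker.
    for sample in ["<script>", "<SCRIPT>", "%3Cscript%3E", "&lt;script&gt;"]:
        print(f"{sample!r:20} -> {exposing_transformations(sample)}")
```

Because each filter carries only one transformation, covering several encodings of the same request part means adding one filter per transformation to the condition, as `condition_matches` shows.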

## Adding and deleting filters in a cross-site scripting match condition
<a name="classic-web-acl-xss-conditions-editing"></a>

You can add or delete filters in a cross-site scripting match condition. To change a filter, add a new one and delete the old one.<a name="classic-web-acl-xss-conditions-editing-procedure"></a>

**To add or delete filters in a cross-site scripting match condition**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **Cross-site scripting**.

1. Choose the condition that you want to add or delete filters in.

1. To add filters, perform the following steps:

   1. Choose **Add filter**.

   1. Specify the applicable filter settings. For more information, see [Values that you specify when you create or edit cross-site scripting match conditions](#classic-web-acl-xss-conditions-values).

   1. Choose **Add**.

1. To delete filters, perform the following steps:

   1. Select the filter that you want to delete.

   1. Choose **Delete filter**.

## Deleting cross-site scripting match conditions
<a name="classic-web-acl-xss-conditions-deleting"></a>

If you want to delete a cross-site scripting match condition, you must first delete all filters in the condition and remove the condition from all the rules that are using it, as described in the following procedure.<a name="classic-web-acl-xss-conditions-deleting-procedure"></a>

**To delete a cross-site scripting match condition**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **Cross-site scripting**.

1. In the **Cross-site scripting match conditions** pane, choose the cross-site scripting match condition that you want to delete.

1. In the right pane, choose the **Associated rules** tab.

   If the list of rules using this cross-site scripting match condition is empty, go to step 6. If the list contains any rules, make note of the rules, and continue with step 5.

1. To remove the cross-site scripting match condition from the rules that are using it, perform the following steps:

   1. In the navigation pane, choose **Rules**.

   1. Choose the name of a rule that is using the cross-site scripting match condition that you want to delete.

   1. In the right pane, select the cross-site scripting match condition that you want to remove from the rule, and choose **Remove selected condition**.

   1. Repeat steps b and c for all the remaining rules that are using the cross-site scripting match condition that you want to delete.

   1. In the navigation pane, choose **Cross-site scripting**.

   1. In the **Cross-site scripting match conditions** pane, choose the cross-site scripting match condition that you want to delete.

1. Choose **Delete** to delete the selected condition.

# Working with IP match conditions
<a name="classic-web-acl-ip-conditions"></a>

If you want to allow or block web requests based on the IP addresses that the requests originate from, create one or more IP match conditions. An IP match condition lists up to 10,000 IP addresses or IP address ranges that your requests originate from. Later in the process, when you create a web ACL, you specify whether to allow or block requests from those IP addresses.

**Topics**
+ [Creating an IP Match Condition](#classic-web-acl-ip-conditions-creating)
+ [Editing IP match conditions](#classic-web-acl-ip-conditions-editing)
+ [Deleting IP match conditions](#classic-web-acl-ip-conditions-deleting)

## Creating an IP Match Condition
<a name="classic-web-acl-ip-conditions-creating"></a>

If you want to allow some web requests and block others based on the IP addresses that the requests originate from, create an IP match condition for the IP addresses that you want to allow and another IP match condition for the IP addresses that you want to block.

**Note**  
When you add an IP match condition to a rule, you also can configure AWS WAF Classic to allow or block web requests that *do not* originate from the IP addresses that you specify in the condition.<a name="classic-web-acl-ip-conditions-creating-procedure"></a>

**To create an IP match condition**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **IP addresses**.

1. Choose **Create condition**.

1. Enter a name in the **Name** field.

   The name can contain only alphanumeric characters (A-Z, a-z, 0-9) or the following special characters: \_-\!"\#\`\+\*\},./ . You can't change the name of a condition after you create it.

1. Select the correct IP version and specify an IP address or range of IP addresses by using CIDR notation. Here are some examples:
   + To specify the IPv4 address 192.0.2.44, type **192.0.2.44/32**.
   + To specify the IPv6 address 0:0:0:0:0:ffff:c000:22c, type **0:0:0:0:0:ffff:c000:22c/128**.
   + To specify the range of IPv4 addresses from 192.0.2.0 to 192.0.2.255, type **192.0.2.0/24**.
   + To specify the range of IPv6 addresses from 2620:0:2d0:200:0:0:0:0 to 2620:0:2d0:200:ffff:ffff:ffff:ffff, enter **2620:0:2d0:200::/64**.

   AWS WAF Classic supports IPv4 address ranges: /8 and any range between /16 through /32. AWS WAF Classic supports IPv6 address ranges: /24, /32, /48, /56, /64, and /128. For more information about CIDR notation, see the Wikipedia entry [Classless Inter-Domain Routing](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing).

1. Choose **Add another IP address or range**.

1. If you want to add another IP address or range, repeat steps 5 and 6.

1. When you're finished adding values, choose **Create IP match condition**.
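
A pre-flight check for the values entered in step 5, as an added example (not AWS code): it rejects malformed CIDRs, splits a range whose prefix length AWS WAF Classic does not support into the next supported size, and enforces the 10,000-entry limit. The function names are hypothetical, rejecting entries with host bits set is this example's own strictness, and the `Type`/`Value` output shape mirroring the WAF Classic API's IP set descriptor is an assumption about how you would submit the result.

```python
import ipaddress

# Prefix lengths this page lists as supported.
SUPPORTED_PREFIXES = {
    4: {8, *range(16, 33)},        # /8 and /16 through /32
    6: {24, 32, 48, 56, 64, 128},
}
MAX_ENTRIES = 10_000  # limit per IP match condition stated on this page


def to_supported_ranges(cidr: str) -> list:
    """Return the CIDR unchanged if supported, else equivalent supported subnets.

    Raises ValueError for malformed input, for host bits set below the prefix
    (for example 192.0.2.44/24), or when the split would exceed MAX_ENTRIES.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    supported = SUPPORTED_PREFIXES[net.version]
    if net.prefixlen in supported:
        return [str(net)]
    # Next longer supported prefix; /32 and /128 are supported, so one exists.
    target = min(p for p in supported if p > net.prefixlen)
    count = 2 ** (target - net.prefixlen)
    if count > MAX_ENTRIES:
        raise ValueError(
            f"{cidr}: splitting into /{target} needs {count} entries "
            f"(limit {MAX_ENTRIES}); narrow the range instead"
        )
    return [str(sub) for sub in net.subnets(new_prefix=target)]


def build_ip_set(entries: list) -> list:
    """Normalize, de-duplicate and size-check a list of CIDR strings."""
    descriptors = {}
    for entry in entries:
        for cidr in to_supported_ranges(entry.strip()):
            kind = "IPV6" if ":" in cidr else "IPV4"
            descriptors[(kind, cidr)] = {"Type": kind, "Value": cidr}
    if len(descriptors) > MAX_ENTRIES:
        raise ValueError(f"{len(descriptors)} entries exceeds the limit of {MAX_ENTRIES}")
    return list(descriptors.values())


if __name__ == "__main__":
    # Constructed input: the page's documentation addresses plus one unsupported /14.
    wanted = ["192.0.2.44/32", "192.0.2.0/24", "10.0.0.0/14", "2620:0:2d0:200::/64"]
    for descriptor in build_ip_set(wanted):
        print(descriptor)
```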

## Editing IP match conditions
<a name="classic-web-acl-ip-conditions-editing"></a>

You can add an IP address range to an IP match condition or delete a range. To change a range, add a new one and delete the old one.<a name="classic-web-acl-ip-conditions-editing-procedure"></a>

**To edit an IP match condition**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **IP addresses**.

1. In the **IP match conditions** pane, choose the IP match condition that you want to edit.

1. To add an IP address range:

   1. In the right pane, choose **Add IP address or range**.

   1. Select the correct IP version and enter an IP address range by using CIDR notation. Here are some examples:
      + To specify the IPv4 address 192.0.2.44, enter **192.0.2.44/32**.
      + To specify the IPv6 address 0:0:0:0:0:ffff:c000:22c, enter **0:0:0:0:0:ffff:c000:22c/128**.
      + To specify the range of IPv4 addresses from 192.0.2.0 to 192.0.2.255, enter **192.0.2.0/24**.
      + To specify the range of IPv6 addresses from 2620:0:2d0:200:0:0:0:0 to 2620:0:2d0:200:ffff:ffff:ffff:ffff, enter **2620:0:2d0:200::/64**.

      AWS WAF Classic supports IPv4 address ranges: /8 and any range between /16 through /32. AWS WAF Classic supports IPv6 address ranges: /24, /32, /48, /56, /64, and /128. For more information about CIDR notation, see the Wikipedia entry [Classless Inter-Domain Routing](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing).

   1. To add more IP addresses, choose **Add another IP address** and enter the value.

   1. Choose **Add**.

1. To delete an IP address or range:

   1. In the right pane, select the values that you want to delete.

   1. Choose **Delete IP address or range**.

## Deleting IP match conditions
<a name="classic-web-acl-ip-conditions-deleting"></a>

If you want to delete an IP match condition, you must first delete all IP addresses and ranges in the condition and remove the condition from all the rules that are using it, as described in the following procedure.<a name="classic-web-acl-ip-conditions-deleting-procedure"></a>

**To delete an IP match condition**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **IP addresses**.

1. In the **IP match conditions** pane, choose the IP match condition that you want to delete.

1. In the right pane, choose the **Rules** tab.

   If the list of rules using this IP match condition is empty, go to step 6. If the list contains any rules, make note of the rules, and continue with step 5.

1. To remove the IP match condition from the rules that are using it, perform the following steps:

   1. In the navigation pane, choose **Rules**.

   1. Choose the name of a rule that is using the IP match condition that you want to delete.

   1. In the right pane, select the IP match condition that you want to remove from the rule, and choose **Remove selected condition**.

   1. Repeat steps b and c for all the remaining rules that are using the IP match condition that you want to delete.

   1. In the navigation pane, choose **IP match conditions**.

   1. In the **IP match conditions** pane, choose the IP match condition that you want to delete.

1. Choose **Delete** to delete the selected condition.

# Working with geographic match conditions
<a name="classic-web-acl-geo-conditions"></a>

If you want to allow or block web requests based on the country that the requests originate from, create one or more geo match conditions. A geo match condition lists countries that your requests originate from. Later in the process, when you create a web ACL, you specify whether to allow or block requests from those countries.

You can use geo match conditions with other AWS WAF Classic conditions or rules to build sophisticated filtering. For example, if you want to block certain countries, but still allow specific IP addresses from that country, you could create a rule containing a geo match condition and an IP match condition. Configure the rule to block requests that originate from that country and do not match the approved IP addresses. As another example, if you want to prioritize resources for users in a particular country, you could include a geo match condition in two different rate-based rules. Set a higher rate limit for users in the preferred country and set a lower rate limit for all other users.

**Note**  
If you are using the CloudFront geo restriction feature to block a country from accessing your content, any request from that country is blocked and is not forwarded to AWS WAF Classic. So if you want to allow or block requests based on geography plus other AWS WAF Classic conditions, you should *not* use the CloudFront geo restriction feature. Instead, you should use an AWS WAF Classic geo match condition.

**Topics**
+ [Creating a geo match condition](#classic-web-acl-geo-conditions-creating)
+ [Editing geo match conditions](#classic-web-acl-geo-conditions-editing)
+ [Deleting geo match conditions](#classic-web-acl-geo-conditions-deleting)

## Creating a geo match condition
<a name="classic-web-acl-geo-conditions-creating"></a>

If you want to allow some web requests and block others based on the countries that the requests originate from, create a geo match condition for the countries that you want to allow and another geo match condition for the countries that you want to block.

**Note**  
When you add a geo match condition to a rule, you also can configure AWS WAF Classic to allow or block web requests that *do not* originate from the country that you specify in the condition.<a name="classic-web-acl-geo-conditions-creating-procedure"></a>

**To create a geo match condition**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **Geo match**.

1. Choose **Create condition**.

1. Enter a name in the **Name** field.

   The name can contain only alphanumeric characters (A-Z, a-z, 0-9) or the following special characters: \_-\!"\#\`\+\*\},./ . You can't change the name of a condition after you create it.

1. Choose a **Region**.

1. Choose a **Location type** and a country. **Location type** can currently only be **Country**.

1. Choose **Add location**.

1. Choose **Create**.

## Editing geo match conditions
<a name="classic-web-acl-geo-conditions-editing"></a>

You can add countries to or delete countries from your geo match condition.<a name="classic-web-acl-geo-conditions-editing-procedure"></a>

**To edit a geo match condition**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **Geo match**.

1. In the **Geo match conditions** pane, choose the geo match condition that you want to edit.

1. To add a country:

   1. In the right pane, choose **Add filter**.

   1. Choose a **Location type** and a country. **Location type** can currently only be **Country**.

   1. Choose **Add**.

1. To delete a country:

   1. In the right pane, select the values that you want to delete.

   1. Choose **Delete filter**.

## Deleting geo match conditions
<a name="classic-web-acl-geo-conditions-deleting"></a>

If you want to delete a geo match condition, you must first remove all countries in the condition and remove the condition from all the rules that are using it, as described in the following procedure.<a name="classic-web-acl-geo-conditions-deleting-procedure"></a>

**To delete a geo match condition**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. Remove the geo match condition from the rules that are using it:

   1. In the navigation pane, choose **Rules**.

   1. Choose the name of a rule that is using the geo match condition that you want to delete.

   1. In the right pane, choose **Edit rule**.

   1. Choose the **X** next to the condition you want to delete.

   1. Choose **Update**.

   1. Repeat for all the remaining rules that are using the geo match condition that you want to delete.

1. Remove the filters from the condition you want to delete:

   1. In the navigation pane, choose **Geo match**.

   1. Choose the name of the geo match condition that you want to delete.

   1. In the right pane, choose the check box next to **Filter** in order to select all of the filters.

   1. Choose **Delete filter**.

1. In the navigation pane, choose **Geo match**.

1. In the **Geo match conditions** pane, choose the geo match condition that you want to delete.

1. Choose **Delete** to delete the selected condition.

# Working with size constraint conditions
<a name="classic-web-acl-size-conditions"></a>

If you want to allow or block web requests based on the length of specified parts of requests, create one or more size constraint conditions. A size constraint condition identifies the part of web requests that you want AWS WAF Classic to look at, the number of bytes that you want AWS WAF Classic to look for, and an operator, such as greater than (>) or less than (<). For example, you can use a size constraint condition to look for query strings that are longer than 100 bytes. Later in the process, when you create a web ACL, you specify whether to allow or block requests based on those settings.

Note that if you configure AWS WAF Classic to inspect the request body, for example, by searching the body for a specified string, AWS WAF Classic inspects only the first 8192 bytes (8 KB). If the request body for your web requests will never exceed 8192 bytes, you can create a size constraint condition and block requests that have a request body greater than 8192 bytes.

**Topics**
+ [Creating size constraint conditions](#classic-web-acl-size-conditions-creating)
+ [Values that you specify when you create or edit size constraint conditions](#classic-web-acl-size-conditions-values)
+ [Adding and deleting filters in a size constraint condition](#classic-web-acl-size-conditions-editing)
+ [Deleting size constraint conditions](#classic-web-acl-size-conditions-deleting)

## Creating size constraint conditions
<a name="classic-web-acl-size-conditions-creating"></a>

When you create size constraint conditions, you specify filters that identify the part of web requests for which you want AWS WAF Classic to evaluate the length. You can add more than one filter to a size constraint condition, or you can create a separate condition for each filter. Here's how each configuration affects AWS WAF Classic behavior:
+ **One filter per size constraint condition** – When you add the separate size constraint conditions to a rule and add the rule to a web ACL, web requests must match all the conditions for AWS WAF Classic to allow or block requests based on the conditions. 

  For example, suppose you create two conditions. One matches web requests for which query strings are greater than 100 bytes. The other matches web requests for which the request body is greater than 1024 bytes. When you add both conditions to the same rule and add the rule to a web ACL, AWS WAF Classic allows or blocks requests only when both conditions are true.
+ **More than one filter per size constraint condition** – When you add a size constraint condition that contains multiple filters to a rule and add the rule to a web ACL, a web request needs only to match one of the filters in the size constraint condition for AWS WAF Classic to allow or block the request based on that condition.

  Suppose you create one condition instead of two, and the one condition contains the same two filters as in the preceding example. AWS WAF Classic allows or blocks requests if either the query string is greater than 100 bytes or the request body is greater than 1024 bytes.

**Note**  
When you add a size constraint condition to a rule, you also can configure AWS WAF Classic to allow or block web requests that *do not* match the values in the condition.<a name="classic-web-acl-size-conditions-creating-procedure"></a>

**To create a size constraint condition**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **Size constraints**.

1. Choose **Create condition**.

1. Specify the applicable filter settings. For more information, see [Values that you specify when you create or edit size constraint conditions](#classic-web-acl-size-conditions-values).

1. Choose **Add another filter**.

1. If you want to add another filter, repeat steps 4 and 5.

1. When you're finished adding filters, choose **Create size constraint condition**.

## Values that you specify when you create or edit size constraint conditions
<a name="classic-web-acl-size-conditions-values"></a>

When you create or update a size constraint condition, you specify the following values: 

**Name**  
Enter a name for the size constraint condition.  
The name can contain only alphanumeric characters (A-Z, a-z, 0-9) or the following special characters: \_-\!"\#\`\+\*\},./. You can't change the name of a condition after you create it.

**Part of the request to filter on**  
Choose the part of each web request for which you want AWS WAF Classic to evaluate the length:    
**Header**  
A specified request header, for example, the `User-Agent` or `Referer` header. If you choose **Header**, specify the name of the header in the **Header** field.  
**HTTP method**  
The HTTP method, which indicates the type of operation that the request is asking the origin to perform. CloudFront supports the following methods: `DELETE`, `GET`, `HEAD`, `OPTIONS`, `PATCH`, `POST`, and `PUT`.  
**Query string**  
The part of a URL that appears after a `?` character, if any.  
**URI**  
The URI path of the request, which identifies the resource, for example, `/images/daily-ad.jpg`. This doesn't include the query string or fragment components of the URI. For information, see [Uniform Resource Identifier (URI): Generic Syntax](https://tools.ietf.org/html/rfc3986#section-3.3).   
Unless a **Transformation** is specified, a URI is not normalized and is inspected just as AWS receives it from the client as part of the request. A **Transformation** will reformat the URI as specified.  
**Body**  
The part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.  
**Single query parameter (value only)**  
Any parameter that you have defined as part of the query string. For example, if the URL is "www.xyz.com?UserName=abc&SalesRegion=seattle" you can add a filter to either the *UserName* or *SalesRegion* parameter.   
If you choose **Single query parameter (value only)**, you will also specify a **Query parameter name**. This is the parameter in the query string that you will inspect, such as *UserName*. The maximum length for **Query parameter name** is 30 characters. **Query parameter name** is not case sensitive. For example, if you specify *UserName* as the **Query parameter name**, this will match all variations of *UserName*, such as *username* and *UsERName*.  
**All query parameters (values only)**  
Similar to **Single query parameter (value only)**, but rather than inspecting the value of a single parameter, AWS WAF Classic inspects the values of all parameters within the query string for the size constraint. For example, if the URL is "www.xyz.com?UserName=abc&SalesRegion=seattle," and you choose **All query parameters (values only)**, AWS WAF Classic will trigger a match if the value of either *UserName* or *SalesRegion* exceeds the specified size. 

**Header (Only When "Part of the request to filter on" is "Header")**  
If you chose **Header** for **Part of the request to filter on**, choose a header from the list of common headers, or type the name of a header for which you want AWS WAF Classic to evaluate the length.

**Comparison operator**  
Choose how you want AWS WAF Classic to evaluate the length of the query string in web requests with respect to the value that you specify for **Size**.  
For example, if you choose **Is greater than** for **Comparison operator** and type **100** for **Size**, AWS WAF Classic evaluates web requests for a query string that is longer than 100 bytes.

**Size**  
Enter the length, in bytes, that you want AWS WAF Classic to watch for in query strings.  
If you choose **URI** for the value of **Part of the request to filter on**, the **/** in the URI counts as one character. For example, the URI path `/logo.jpg` is nine characters long.

**Transformation**  
A transformation reformats a web request before AWS WAF Classic evaluates the length of the specified part of the request. This eliminates some of the unusual formatting that attackers use in web requests in an effort to bypass AWS WAF Classic.   
If you choose **Body** for **Part of the request to filter on**, you can't configure AWS WAF Classic to perform a transformation because only the first 8192 bytes are forwarded for inspection. However, you can still filter your traffic based on the size of the HTTP request body and specify a transformation of **None**. (AWS WAF Classic gets the length of the body from the request headers.)
You can only specify a single type of text transformation.  
Transformations can perform the following operations:    
**None**  
AWS WAF Classic doesn't perform any text transformations on the web request before checking the length.  
**Convert to lowercase**  
AWS WAF Classic converts uppercase letters (A-Z) to lowercase (a-z).  
**HTML decode**  
AWS WAF Classic replaces HTML-encoded characters with unencoded characters:  
+ Replaces `&quot;` with `"`
+ Replaces `&nbsp;` with a non-breaking space
+ Replaces `&lt;` with `<`
+ Replaces `&gt;` with `>`
+ Replaces characters that are represented in hexadecimal format, `&#xhhhh;`, with the corresponding characters
+ Replaces characters that are represented in decimal format, `&#nnnn;`, with the corresponding characters  
**Normalize white space**  
AWS WAF Classic replaces the following characters with a space character (decimal 32):  
+ `\f`, formfeed, decimal 12
+ `\t`, tab, decimal 9
+ `\n`, newline, decimal 10
+ `\r`, carriage return, decimal 13
+ `\v`, vertical tab, decimal 11
+ non-breaking space, decimal 160
In addition, this option replaces multiple spaces with one space.  
**Simplify command line**  
For requests that contain operating system command line commands, use this option to perform the following transformations:  
+ Delete the following characters: \\ " ' ^
+ Delete spaces before the following characters: / (
+ Replace the following characters with a space: , ;
+ Replace multiple spaces with one space
+ Convert uppercase letters (A-Z) to lowercase (a-z)  
**URL decode**  
Decode a URL-encoded request.

## Adding and deleting filters in a size constraint condition
<a name="classic-web-acl-size-conditions-editing"></a>

You can add or delete filters in a size constraint condition. To change a filter, add a new one and delete the old one.<a name="classic-web-acl-size-conditions-editing-procedure"></a>

**To add or delete filters in a size constraint condition**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **Size constraint**.

1. Choose the condition that you want to add or delete filters in.

1. To add filters, perform the following steps:

   1. Choose **Add filter**.

   1. Specify the applicable filter settings. For more information, see [Values that you specify when you create or edit size constraint conditions](#classic-web-acl-size-conditions-values).

   1. Choose **Add**.

1. To delete filters, perform the following steps:

   1. Select the filter that you want to delete.

   1. Choose **Delete filter**.

## Deleting size constraint conditions
<a name="classic-web-acl-size-conditions-deleting"></a>

If you want to delete a size constraint condition, you need to first delete all filters in the condition and remove the condition from all the rules that are using it, as described in the following procedure.<a name="classic-web-acl-size-conditions-deleting-procedure"></a>

**To delete a size constraint condition**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **Size constraints**.

1. In the **Size constraint conditions** pane, choose the size constraint condition that you want to delete.

1. In the right pane, choose the **Associated rules** tab.

   If the list of rules using this size constraint condition is empty, go to step 6. If the list contains any rules, make note of the rules, and continue with step 5.

1. To remove the size constraint condition from the rules that are using it, perform the following steps:

   1. In the navigation pane, choose **Rules**.

   1. Choose the name of a rule that is using the size constraint condition that you want to delete.

   1. In the right pane, select the size constraint condition that you want to remove from the rule, and then choose **Remove selected condition**.

   1. Repeat steps b and c for all the remaining rules that are using the size constraint condition that you want to delete.

   1. In the navigation pane, choose **Size constraint**.

   1. In the **Size constraint conditions** pane, choose the size constraint condition that you want to delete.

1. Choose **Delete** to delete the selected condition.

# Working with SQL injection match conditions
<a name="classic-web-acl-sql-conditions"></a>

Attackers sometimes insert malicious SQL code into web requests in an effort to extract data from your database. To allow or block web requests that appear to contain malicious SQL code, create one or more SQL injection match conditions. A SQL injection match condition identifies the part of web requests, such as the URI path or the query string, that you want AWS WAF Classic to inspect. Later in the process, when you create a web ACL, you specify whether to allow or block requests that appear to contain malicious SQL code.

**Topics**
+ [Creating SQL injection match conditions](#classic-web-acl-sql-conditions-creating)
+ [Values that you specify when you create or edit SQL injection match conditions](#classic-web-acl-sql-conditions-values)
+ [Adding and deleting filters in a SQL injection match condition](#classic-web-acl-sql-conditions-editing)
+ [Deleting SQL injection match conditions](#classic-web-acl-sql-conditions-deleting)

## Creating SQL injection match conditions
<a name="classic-web-acl-sql-conditions-creating"></a>

When you create SQL injection match conditions, you specify filters, which indicate the part of web requests that you want AWS WAF Classic to inspect for malicious SQL code, such as the URI or the query string. You can add more than one filter to a SQL injection match condition, or you can create a separate condition for each filter. Here's how each configuration affects AWS WAF Classic behavior:
+ **More than one filter per SQL injection match condition (recommended)** – When you add a SQL injection match condition containing multiple filters to a rule and add the rule to a web ACL, a web request needs only to match one of the filters in the SQL injection match condition for AWS WAF Classic to allow or block the request based on that condition.

  For example, suppose you create one SQL injection match condition, and the condition contains two filters. One filter instructs AWS WAF Classic to inspect the URI for malicious SQL code, and the other instructs AWS WAF Classic to inspect the query string. AWS WAF Classic allows or blocks requests if they appear to contain malicious SQL code *either* in the URI *or* in the query string.
+ **One filter per SQL injection match condition** – When you add the separate SQL injection match conditions to a rule and add the rule to a web ACL, web requests must match all the conditions for AWS WAF Classic to allow or block requests based on the conditions. 

  Suppose you create two conditions, and each condition contains one of the two filters in the preceding example. When you add both conditions to the same rule and add the rule to a web ACL, AWS WAF Classic allows or blocks requests only when both the URI and the query string appear to contain malicious SQL code.

**Note**  
When you add a SQL injection match condition to a rule, you also can configure AWS WAF Classic to allow or block web requests that *do not* appear to contain malicious SQL code.<a name="classic-web-acl-sql-conditions-creating-procedure"></a>

**To create a SQL injection match condition**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **SQL injection**.

1. Choose **Create condition**.

1. Specify the applicable filter settings. For more information, see [Values that you specify when you create or edit SQL injection match conditions](#classic-web-acl-sql-conditions-values).

1. Choose **Add another filter**.

1. If you want to add another filter, repeat steps 4 and 5.

1. When you're finished adding filters, choose **Create**.

## Values that you specify when you create or edit SQL injection match conditions
<a name="classic-web-acl-sql-conditions-values"></a>

When you create or update a SQL injection match condition, you specify the following values: 

**Name**  
The name of the SQL injection match condition.  
The name can contain only alphanumeric characters (A-Z, a-z, 0-9) or the following special characters: \_-\!"\#\`\+\*\},./. You can't change the name of a condition after you create it.

**Part of the request to filter on**  
Choose the part of each web request that you want AWS WAF Classic to inspect for malicious SQL code:    
**Header**  
A specified request header, for example, the `User-Agent` or `Referer` header. If you choose **Header**, specify the name of the header in the **Header** field.  
**HTTP method**  
The HTTP method, which indicates the type of operation that the request is asking the origin to perform. CloudFront supports the following methods: `DELETE`, `GET`, `HEAD`, `OPTIONS`, `PATCH`, `POST`, and `PUT`.  
**Query string**  
The part of a URL that appears after a `?` character, if any.  
For SQL injection match conditions, we recommend that you choose **All query parameters (values only)** instead of **Query string** for **Part of the request to filter on**.  
**URI**  
The URI path of the request, which identifies the resource, for example, `/images/daily-ad.jpg`. This doesn't include the query string or fragment components of the URI. For information, see [Uniform Resource Identifier (URI): Generic Syntax](https://tools.ietf.org/html/rfc3986#section-3.3).   
Unless a **Transformation** is specified, a URI is not normalized and is inspected just as AWS receives it from the client as part of the request. A **Transformation** will reformat the URI as specified.  
**Body**  
The part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.  
If you choose **Body** for the value of **Part of the request to filter on**, AWS WAF Classic inspects only the first 8192 bytes (8 KB). To allow or block requests for which the body is longer than 8192 bytes, you can create a size constraint condition. (AWS WAF Classic gets the length of the body from the request headers.) For more information, see [Working with size constraint conditions](classic-web-acl-size-conditions.md).  
**Single query parameter (value only)**  
Any parameter that you have defined as part of the query string. For example, if the URL is "www.xyz.com?UserName=abc&SalesRegion=seattle" you can add a filter to either the *UserName* or *SalesRegion* parameter.   
If you choose **Single query parameter (value only)** you will also specify a **Query parameter name**. This is the parameter in the query string that you will inspect, such as *UserName* or *SalesRegion*. The maximum length for **Query parameter name** is 30 characters. **Query parameter name** is not case sensitive. For example, if you specify *UserName* as the **Query parameter name**, this will match all variations of *UserName*, such as *username* and *UsERName*.  
**All query parameters (values only)**  
Similar to **Single query parameter (value only)**, but rather than inspecting the value of a single parameter, AWS WAF Classic inspects the value of all parameters within the query string for possible malicious SQL code. For example, if the URL is "www.xyz.com?UserName=abc&SalesRegion=seattle," and you choose **All query parameters (values only)**, AWS WAF Classic will trigger a match if the value of either *UserName* or *SalesRegion* contains possible malicious SQL code. 

**Header**  
If you chose **Header** for **Part of the request to filter on**, choose a header from the list of common headers, or enter the name of a header that you want AWS WAF Classic to inspect for malicious SQL code.

**Transformation**  
A transformation reformats a web request before AWS WAF Classic inspects the request. This eliminates some of the unusual formatting that attackers use in web requests in an effort to bypass AWS WAF Classic.   
You can only specify a single type of text transformation.  
Transformations can perform the following operations:    
**None**  
AWS WAF Classic doesn't perform any text transformations on the web request before inspecting it for the string in **Value to match**.  
**Convert to lowercase**  
AWS WAF Classic converts uppercase letters (A-Z) to lowercase (a-z).  
**HTML decode**  
AWS WAF Classic replaces HTML-encoded characters with unencoded characters:  
+ Replaces `&quot;` with `"`
+ Replaces `&nbsp;` with a non-breaking space
+ Replaces `&lt;` with `<`
+ Replaces `&gt;` with `>`
+ Replaces characters that are represented in hexadecimal format, `&#xhhhh;`, with the corresponding characters
+ Replaces characters that are represented in decimal format, `&#nnnn;`, with the corresponding characters  
**Normalize white space**  
AWS WAF Classic replaces the following characters with a space character (decimal 32):  
+ `\f`, formfeed, decimal 12
+ `\t`, tab, decimal 9
+ `\n`, newline, decimal 10
+ `\r`, carriage return, decimal 13
+ `\v`, vertical tab, decimal 11
+ non-breaking space, decimal 160
In addition, this option replaces multiple spaces with one space.  
**Simplify command line**  
For requests that contain operating system command line commands, use this option to perform the following transformations:  
+ Delete the following characters: \\ " ' ^
+ Delete spaces before the following characters: / (
+ Replace the following characters with a space: , ;
+ Replace multiple spaces with one space
+ Convert uppercase letters (A-Z) to lowercase (a-z)  
**URL decode**  
Decode a URL-encoded request.
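
The transformation lists in the size constraint and SQL injection sections describe the same operations. The following added example (not AWS code) implements them as listed and shows that the chosen transformation changes the length a size constraint measures. The function names, the comparison symbols, the order of steps inside **Simplify command line**, and the sample inputs are assumptions made for this sketch.

```python
import operator
import re
from urllib.parse import unquote

# Named entities from the "HTML decode" list; &quot; is the double quote.
NAMED_ENTITIES = {"quot": '"', "nbsp": "\u00a0", "lt": "<", "gt": ">"}


def html_decode(text):
    """Decode only the entity forms listed for 'HTML decode' on this page."""
    def replace(match):
        entity = match.group(1)
        if entity[:2].lower() == "#x":
            return chr(int(entity[2:], 16))      # &#xhhhh;
        if entity.startswith("#"):
            return chr(int(entity[1:]))          # &#nnnn;
        return NAMED_ENTITIES.get(entity, match.group(0))
    return re.sub(r"&(#[xX][0-9a-fA-F]{1,4}|#[0-9]{1,4}|[a-z]+);", replace, text)


def normalize_white_space(text):
    """Map \\f \\t \\n \\r \\v and NBSP to a space, then collapse runs of spaces."""
    text = re.sub("[\f\t\n\r\v\u00a0]", " ", text)
    return re.sub(" {2,}", " ", text)


def simplify_command_line(text):
    """Apply the listed operations; the step order is an assumption."""
    text = text.translate({ord(c): None for c in "\\\"'^"})  # delete \ " ' ^
    text = re.sub(r" +(?=[/(])", "", text)                    # spaces before / and (
    text = re.sub(r"[,;]", " ", text)                         # , and ; become spaces
    text = re.sub(r" {2,}", " ", text)                        # collapse spaces
    return text.lower()


# Keys are the console labels used on this page.
TRANSFORMATIONS = {
    "None": lambda text: text,
    "Convert to lowercase": str.lower,
    "HTML decode": html_decode,
    "Normalize white space": normalize_white_space,
    "Simplify command line": simplify_command_line,
    "URL decode": unquote,
}

# Comparison symbols are this sketch's own shorthand, not console labels.
COMPARISONS = {">": operator.gt, "<": operator.lt, ">=": operator.ge,
               "<=": operator.le, "==": operator.eq, "!=": operator.ne}


def size_constraint(value, comparison, size, transformation="None"):
    """Compare the byte length of the transformed value with `size`."""
    transformed = TRANSFORMATIONS[transformation](value)
    length = len(transformed.encode("utf-8", "replace"))
    return COMPARISONS[comparison](length, size)


# Constructed query string: 122 bytes as sent, 42 bytes after URL decoding.
ENCODED_QUERY = "q=" + "%41" * 40

if __name__ == "__main__":
    print(size_constraint(ENCODED_QUERY, ">", 100))                # measured as sent
    print(size_constraint(ENCODED_QUERY, ">", 100, "URL decode"))  # measured decoded
    print(repr(normalize_white_space("a\t\t\n  b\u00a0c")))
    print(repr(simplify_command_line('PI^NG  /n 1 ,"LocalHost"')))
```

A filter with no transformation and one with **URL decode** can reach opposite verdicts on the same request, so pick the transformation to match how the origin itself reads the value.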

## Adding and deleting filters in a SQL injection match condition
<a name="classic-web-acl-sql-conditions-editing"></a>

You can add or delete filters in a SQL injection match condition. To change a filter, add a new one and delete the old one.<a name="classic-web-acl-sql-conditions-editing-procedure"></a>

**To add or delete filters in a SQL injection match condition**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **SQL injection**.

1. Choose the condition that you want to add or delete filters in.

1. To add filters, perform the following steps:

   1. Choose **Add filter**.

   1. Specify the applicable filter settings. For more information, see [Values that you specify when you create or edit SQL injection match conditions](#classic-web-acl-sql-conditions-values).

   1. Choose **Add**.

1. To delete filters, perform the following steps:

   1. Select the filter that you want to delete.

   1. Choose **Delete filter**.

## Deleting SQL injection match conditions
<a name="classic-web-acl-sql-conditions-deleting"></a>

If you want to delete a SQL injection match condition, you need to first delete all filters in the condition and remove the condition from all the rules that are using it, as described in the following procedure.<a name="classic-web-acl-sql-conditions-deleting-procedure"></a>

**To delete a SQL injection match condition**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **SQL injection**.

1. In the **SQL injection match conditions** pane, choose the SQL injection match condition that you want to delete.

1. In the right pane, choose the **Associated rules** tab.

   If the list of rules using this SQL injection match condition is empty, go to step 6. If the list contains any rules, make note of the rules, and continue with step 5.

1. To remove the SQL injection match condition from the rules that are using it, perform the following steps:

   1. In the navigation pane, choose **Rules**.

   1. Choose the name of a rule that is using the SQL injection match condition that you want to delete.

   1. In the right pane, select the SQL injection match condition that you want to remove from the rule, and choose **Remove selected condition**.

   1. Repeat steps b and c for all of the remaining rules that are using the SQL injection match condition that you want to delete.

   1. In the navigation pane, choose **SQL injection**.

   1. In the **SQL injection match conditions** pane, choose the SQL injection match condition that you want to delete.

1. Choose **Delete** to delete the selected condition.

# Working with string match conditions
<a name="classic-web-acl-string-conditions"></a>

If you want to allow or block web requests based on strings that appear in the requests, create one or more string match conditions. A string match condition identifies the string that you want to search for and the part of web requests, such as a specified header or the query string, that you want AWS WAF Classic to inspect for the string. Later in the process, when you create a web ACL, you specify whether to allow or block requests that contain the string.

**Topics**
+ [Creating a string match condition](#classic-web-acl-string-conditions-creating)
+ [Values that you specify when you create or edit string match conditions](#classic-web-acl-string-conditions-values)
+ [Adding and deleting filters in a string match condition](#classic-web-acl-string-conditions-editing)
+ [Deleting string match conditions](#classic-web-acl-string-conditions-deleting)

## Creating a string match condition
<a name="classic-web-acl-string-conditions-creating"></a>

When you create string match conditions, you specify filters that identify the string that you want to search for and the part of web requests that you want AWS WAF Classic to inspect for that string, such as the URI or the query string. You can add more than one filter to a string match condition, or you can create a separate string match condition for each filter. Here's how each configuration affects AWS WAF Classic behavior:
+ **One filter per string match condition** – When you add the separate string match conditions to a rule and add the rule to a web ACL, web requests must match all the conditions for AWS WAF Classic to allow or block requests based on the conditions. 

  For example, suppose you create two conditions. One matches web requests that contain the value `BadBot` in the `User-Agent` header. The other matches web requests that contain the value `BadParameter` in query strings. When you add both conditions to the same rule and add the rule to a web ACL, AWS WAF Classic allows or blocks requests only when they contain both values.
+ **More than one filter per string match condition** – When you add a string match condition that contains multiple filters to a rule and add the rule to a web ACL, a web request needs only to match one of the filters in the string match condition for AWS WAF Classic to allow or block the request based on the one condition.

  Suppose you create one condition instead of two, and the one condition contains the same two filters as in the preceding example. AWS WAF Classic allows or blocks requests if they contain *either* `BadBot` in the `User-Agent` header *or* `BadParameter` in the query string.

**Note**  
When you add a string match condition to a rule, you also can configure AWS WAF Classic to allow or block web requests that *do not* match the values in the condition.<a name="classic-web-acl-string-conditions-creating-procedure"></a>

**To create a string match condition**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **String and regex matching**.

1. Choose **Create condition**.

1. Specify the applicable filter settings. For more information, see [Values that you specify when you create or edit string match conditions](#classic-web-acl-string-conditions-values).

1. Choose **Add filter**.

1. If you want to add another filter, repeat steps 4 and 5.

1. When you're finished adding filters, choose **Create**.

## Values that you specify when you create or edit string match conditions
<a name="classic-web-acl-string-conditions-values"></a>

When you create or update a string match condition, you specify the following values: 

**Name**  
Enter a name for the string match condition. The name can contain only alphanumeric characters (A-Z, a-z, 0-9) or the following special characters: ``_-!"#`+*},./``. You can't change the name of a condition after you create it.

**Type**  
Choose **String match**.

**Part of the request to filter on**  
Choose the part of each web request that you want AWS WAF Classic to inspect for the string that you specify in **Value to match**:    
**Header**  
A specified request header, for example, the `User-Agent` or `Referer` header. If you choose **Header**, specify the name of the header in the **Header** field.  
**HTTP method**  
The HTTP method, which indicates the type of operation that the request is asking the origin to perform. CloudFront supports the following methods: `DELETE`, `GET`, `HEAD`, `OPTIONS`, `PATCH`, `POST`, and `PUT`.  
**Query string**  
The part of a URL that appears after a `?` character, if any.  
**URI**  
The URI path of the request, which identifies the resource, for example, `/images/daily-ad.jpg`. This doesn't include the query string or fragment components of the URI. For information, see [Uniform Resource Identifier (URI): Generic Syntax](https://tools.ietf.org/html/rfc3986#section-3.3).   
Unless a **Transformation** is specified, a URI is not normalized and is inspected just as AWS receives it from the client as part of the request. A **Transformation** will reformat the URI as specified.  
**Body**  
The part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.  
If you choose **Body** for the value of **Part of the request to filter on**, AWS WAF Classic inspects only the first 8192 bytes (8 KB). To allow or block requests for which the body is longer than 8192 bytes, you can create a size constraint condition. (AWS WAF Classic gets the length of the body from the request headers.) For more information, see [Working with size constraint conditions](classic-web-acl-size-conditions.md).  
**Single query parameter (value only)**  
Any parameter that you have defined as part of the query string. For example, if the URL is "www.xyz.com?UserName=abc&SalesRegion=seattle" you can add a filter to either the *UserName* or *SalesRegion* parameter.   
If duplicate parameters appear in the query string, the values are evaluated as an "OR." That is, either value will trigger a match. For example, in the URL "www.xyz.com?SalesRegion=boston&SalesRegion=seattle", either "boston" or "seattle" in **Value to match** will trigger a match.  
If you choose **Single query parameter (value only)** you will also specify a **Query parameter name**. This is the parameter in the query string that you will inspect, such as *UserName* or *SalesRegion*. The maximum length for **Query parameter name** is 30 characters. **Query parameter name** is not case sensitive. For example, if you specify *UserName* as the **Query parameter name**, this will match all variations of *UserName*, such as *username* and *UsERName*.  
**All query parameters (values only)**  
Similar to **Single query parameter (value only)**, but rather than inspecting the value of a single parameter, AWS WAF Classic inspects the value of all parameters within the query string for the **Value to match**. For example, if the URL is "www.xyz.com?UserName=abc&SalesRegion=seattle," and you choose **All query parameters (values only)**, AWS WAF Classic will trigger a match if the value of either *UserName* or *SalesRegion* is specified as the **Value to match**. 

**Header (Only When "Part of the request to filter on" is "Header")**  
If you chose **Header** from the **Part of the request to filter on** list, choose a header from the list of common headers, or enter the name of a header that you want AWS WAF Classic to inspect.

**Match type**  
Within the part of the request that you want AWS WAF Classic to inspect, choose where the string in **Value to match** must appear to match this filter:    
**Contains**  
The string appears anywhere in the specified part of the request.   
**Contains word**  
The specified part of the web request must include **Value to match**, and **Value to match** must contain only alphanumeric characters or underscore (A-Z, a-z, 0-9, or `_`). In addition, **Value to match** must be a word, which means one of the following:   
+ **Value to match** exactly matches the value of the specified part of the web request, such as the value of a header.
+ **Value to match** is at the beginning of the specified part of the web request and is followed by a character other than an alphanumeric character or underscore (`_`), for example, `BadBot;`.
+ **Value to match** is at the end of the specified part of the web request and is preceded by a character other than an alphanumeric character or underscore (`_`), for example, `;BadBot`.
+ **Value to match** is in the middle of the specified part of the web request and is preceded and followed by characters other than alphanumeric characters or underscore (`_`), for example, `-BadBot;`.  
**Exactly matches**  
The string and the value of the specified part of the request are identical.  
**Starts with**  
The string appears at the beginning of the specified part of the request.   
**Ends with**  
The string appears at the end of the specified part of the request. 

**Transformation**  
A transformation reformats a web request before AWS WAF Classic inspects the request. This eliminates some of the unusual formatting that attackers use in web requests in an effort to bypass AWS WAF Classic.   
You can only specify a single type of text transformation.  
Transformations can perform the following operations:    
**None**  
AWS WAF Classic doesn't perform any text transformations on the web request before inspecting it for the string in **Value to match**.  
**Convert to lowercase**  
AWS WAF Classic converts uppercase letters (A-Z) to lowercase (a-z).  
**HTML decode**  
AWS WAF Classic replaces HTML-encoded characters with unencoded characters:  
+ Replaces `&quot;` with `"`
+ Replaces `&nbsp;` with a non-breaking space
+ Replaces `&lt;` with `<`
+ Replaces `&gt;` with `>`
+ Replaces characters that are represented in hexadecimal format, `&#xhhhh;`, with the corresponding characters
+ Replaces characters that are represented in decimal format, `&#nnnn;`, with the corresponding characters  
**Normalize white space**  
AWS WAF Classic replaces the following characters with a space character (decimal 32):  
+ `\f`, formfeed, decimal 12
+ `\t`, tab, decimal 9
+ `\n`, newline, decimal 10
+ `\r`, carriage return, decimal 13
+ `\v`, vertical tab, decimal 11
+ non-breaking space, decimal 160
In addition, this option replaces multiple spaces with one space.  
**Simplify command line**  
When you're concerned that attackers are injecting an operating system command line command and using unusual formatting to disguise some or all of the command, use this option to perform the following transformations:  
+ Delete the following characters: `\`, `"`, `'`, `^`
+ Delete spaces before the following characters: / (
+ Replace the following characters with a space: , ;
+ Replace multiple spaces with one space
+ Convert uppercase letters (A-Z) to lowercase (a-z)  
**URL decode**  
Decode a URL-encoded request.

**Value is base64 encoded**  
If the value in **Value to match** is base64-encoded, select this check box. Use base64-encoding to specify non-printable characters, such as tabs and linefeeds, that attackers include in their requests.

**Value to match**  
Specify the value that you want AWS WAF Classic to search for in web requests. The maximum length is 50 bytes. If you're base64-encoding the value, the 50-byte maximum length applies to the value before you encode it.
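The match types above and the filter/condition logic from "Creating a string match condition" can be checked locally before anything is created in the console. The following is an added example, not AWS code: a small Python model in which the request dictionary keys (`header:user-agent`, `query-string`), the `Filter` class and the sample requests are all constructed for illustration.

```python
import re
from dataclasses import dataclass

MAX_VALUE_BYTES = 50  # "Value to match" limit stated on this page
WORD_CHAR = re.compile(rb"[A-Za-z0-9_]")


def contains_word(part: bytes, value: bytes) -> bool:
    """'Contains word': the value must be bounded on both sides by a
    non-word character or by the start/end of the inspected part."""
    if not re.fullmatch(rb"[A-Za-z0-9_]+", value):
        raise ValueError("Contains word requires an alphanumeric/underscore value")
    start = part.find(value)
    while start != -1:
        end = start + len(value)
        left_ok = start == 0 or not WORD_CHAR.match(part[start - 1:start])
        right_ok = end == len(part) or not WORD_CHAR.match(part[end:end + 1])
        if left_ok and right_ok:
            return True
        start = part.find(value, start + 1)  # a later occurrence may still qualify
    return False


MATCH_TYPES = {  # keyed by the console labels used on this page
    "Contains": lambda part, value: value in part,
    "Contains word": contains_word,
    "Exactly matches": lambda part, value: part == value,
    "Starts with": lambda part, value: part.startswith(value),
    "Ends with": lambda part, value: part.endswith(value),
}


@dataclass(frozen=True)
class Filter:
    part: str                # key in the constructed request dict (hypothetical naming)
    match_type: str
    value: bytes
    lowercase: bool = False  # models the "Convert to lowercase" transformation only

    def __post_init__(self):
        if self.match_type not in MATCH_TYPES:
            raise ValueError(f"unknown match type: {self.match_type}")
        if len(self.value) > MAX_VALUE_BYTES:
            raise ValueError("Value to match is limited to 50 bytes")

    def matches(self, request: dict) -> bool:
        if self.part not in request:
            return False  # modelling choice: an absent part matches nothing
        data = request[self.part]
        if self.lowercase:
            data = data.lower()  # bytes.lower() folds A-Z only
        return MATCH_TYPES[self.match_type](data, self.value)


def condition_matches(filters, request) -> bool:
    """Filters inside one condition are ORed."""
    return any(f.matches(request) for f in filters)


def rule_matches(predicates, request) -> bool:
    """Conditions in one rule are ANDed. Each predicate is (filters, negated);
    negated=True models choosing 'does not' when adding the condition."""
    if not predicates:
        raise ValueError("this model requires at least one condition")
    return all(condition_matches(filters, request) != negated
               for filters, negated in predicates)


# Constructed sample data, following the BadBot/BadParameter example on this page.
BAD_BOT = Filter("header:user-agent", "Contains word", b"badbot", lowercase=True)
BAD_PARAM = Filter("query-string", "Contains", b"BadParameter")

UA_ONLY = {"header:user-agent": b"Mozilla/5.0 (compatible; BadBot/2.1)",
           "query-string": b"page=2"}
BOTH = {"header:user-agent": b"BadBot", "query-string": b"x=BadParameter"}
LOOKALIKE = {"header:user-agent": b"NotABadBotReally/1.0", "query-string": b"page=2"}

TWO_CONDITIONS = [([BAD_BOT], False), ([BAD_PARAM], False)]  # one filter each: AND
ONE_CONDITION = [([BAD_BOT, BAD_PARAM], False)]              # two filters: OR
NOT_BAD_BOT = [([BAD_BOT], True)]                            # "does not" match

if __name__ == "__main__":
    for name, req in (("UA_ONLY", UA_ONLY), ("BOTH", BOTH), ("LOOKALIKE", LOOKALIKE)):
        print(name, rule_matches(TWO_CONDITIONS, req), rule_matches(ONE_CONDITION, req))
```

Running the same constructed requests through both layouts shows which requests a rule would act on under each, including the `Contains word` case where the value appears only inside a longer token.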

## Adding and deleting filters in a string match condition
<a name="classic-web-acl-string-conditions-editing"></a>

You can add filters to a string match condition or delete filters. To change a filter, add a new one and delete the old one.<a name="classic-web-acl-string-conditions-editing-procedure"></a>

**To add or delete filters in a string match condition**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **String and regex matching**.

1. Choose the condition that you want to add or delete filters in.

1. To add filters, perform the following steps:

   1. Choose **Add filter**.

   1. Specify the applicable filter settings. For more information, see [Values that you specify when you create or edit string match conditions](#classic-web-acl-string-conditions-values).

   1. Choose **Add**.

1. To delete filters, perform the following steps:

   1. Select the filter that you want to delete.

   1. Choose **Delete Filter**.

## Deleting string match conditions
<a name="classic-web-acl-string-conditions-deleting"></a>

If you want to delete a string match condition, you need to first delete all filters in the condition and remove the condition from all the rules that are using it, as described in the following procedure.<a name="classic-web-acl-string-conditions-deleting-procedure"></a>

**To delete a string match condition**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. Remove the string match condition from the rules that are using it:

   1. In the navigation pane, choose **Rules**.

   1. Choose the name of a rule that is using the string match condition that you want to delete.

   1. In the right pane, choose **Edit rule**.

   1. Choose the **X** next to the condition you want to delete.

   1. Choose **Update**.

   1. Repeat for all the remaining rules that are using the string match condition that you want to delete.

1. Remove the filters from the condition you want to delete:

   1. In the navigation pane, choose **String and regex matching**.

   1. Choose the name of the string match condition that you want to delete.

   1. In the right pane, choose the check box next to **Filter** in order to select all of the filters.

   1. Choose **Delete filter**.

1. In the navigation pane, choose **String and regex matching**.

1. In the **String and regex match conditions** pane, choose the string match condition that you want to delete.

1. Choose **Delete** to delete the selected condition.

# Working with regex match conditions
<a name="classic-web-acl-regex-conditions"></a>

If you want to allow or block web requests based on strings that match a regular expression (regex) pattern that appears in the requests, create one or more regex match conditions. A regex match condition is a type of string match condition that identifies the pattern that you want to search for and the part of web requests, such as a specified header or the query string, that you want AWS WAF Classic to inspect for the pattern. Later in the process, when you create a web ACL, you specify whether to allow or block requests that contain the pattern.

**Topics**
+ [Creating a regex match condition](#classic-web-acl-regex-conditions-creating)
+ [Values that you specify when you create or edit RegEx match conditions](#classic-web-acl-regex-conditions-values)
+ [Editing a regex match condition](#classic-web-acl-regex-conditions-editing)

## Creating a regex match condition
<a name="classic-web-acl-regex-conditions-creating"></a>

When you create regex match conditions, you specify pattern sets that identify the string (using a regular expression) that you want to search for. You then add those pattern sets to filters that specify the part of web requests that you want AWS WAF Classic to inspect for that pattern set, such as the URI or the query string.

You can add multiple regular expressions to a single pattern set. If you do so, those expressions are combined with an *OR*. That is, a web request will match the pattern set if the appropriate part of the request matches any of the expressions listed.

When you add a regex match condition to a rule, you also can configure AWS WAF Classic to allow or block web requests that *do not* match the values in the condition.

AWS WAF Classic supports most [standard Perl Compatible Regular Expressions (PCRE)](http://www.pcre.org/). However, the following are not supported:
+ Backreferences and capturing subexpressions
+ Arbitrary zero-width assertions
+ Subroutine references and recursive patterns
+ Conditional patterns
+ Backtracking control verbs
+ The `\C` single-byte directive
+ The `\R` newline match directive
+ The `\K` start of match reset directive
+ Callouts and embedded code
+ Atomic grouping and possessive quantifiers<a name="classic-web-acl-regex-conditions-creating-procedure"></a>

**To create a regex match condition**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **String and regex matching**.

1. Choose **Create condition**.

1. Specify the applicable filter settings. For more information, see [Values that you specify when you create or edit RegEx match conditions](#classic-web-acl-regex-conditions-values).

1. Choose **Create pattern set and add filter** (if you created a new pattern set) or **Add filter** if you used an existing pattern set.

1. Choose **Create**.
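A pattern can be screened against the unsupported PCRE features listed in this section, and against the 70-character limit stated later on this page, before it is entered in the console. The following scanner is an added example, not AWS code: it is heuristic, and the mapping from concrete syntax (for example `(?=`, `\1`, `a++`) to each list item is an assumption about what the list covers. Plain groups such as `(a|b)` are not flagged.

```python
import re

MAX_PATTERN_CHARS = 70  # pattern length limit stated on this page

# Finding labels reuse the wording of the list on this page.
BACKREF = "Backreferences and capturing subexpressions"
ASSERTION = "Arbitrary zero-width assertions"
SUBROUTINE = "Subroutine references and recursive patterns"
CONDITIONAL = "Conditional patterns"
VERB = "Backtracking control verbs"
ESC_C = "The \\C single-byte directive"
ESC_R = "The \\R newline match directive"
ESC_K = "The \\K start of match reset directive"
CALLOUT = "Callouts and embedded code"
ATOMIC = "Atomic grouping and possessive quantifiers"
TOO_LONG = "Pattern longer than 70 characters"


def _escape_finding(nxt, after):
    """Classify the escape sequence backslash + nxt (after = following char)."""
    if nxt in "123456789":
        return BACKREF                       # \1 ... \9
    if nxt == "k" and after in ("<", "{", "'"):
        return BACKREF                       # \k<name>
    if nxt == "g":
        if after in ("<", "'"):
            return SUBROUTINE                # \g<name>
        if after in ("{", "-", "+") or after.isdigit():
            return BACKREF                   # \g{1}, \g1
    return {"C": ESC_C, "R": ESC_R, "K": ESC_K}.get(nxt)


def _group_finding(rest):
    """Classify what follows '(?'."""
    if rest[:1] in ("=", "!") or rest[:2] in ("<=", "<!"):
        return ASSERTION                     # lookahead / lookbehind
    if rest[:1] == ">":
        return ATOMIC
    if rest[:1] == "(":
        return CONDITIONAL
    if rest[:1] == "C":
        return CALLOUT
    if rest[:2] == "P=":
        return BACKREF
    if rest[:1] in ("R", "&") or rest[:2] == "P>" or re.match(r"[+-]?\d", rest):
        return SUBROUTINE                    # (?R), (?1), (?&name), (?P>name)
    return None                              # (?:...), inline flags, named groups


def unsupported_constructs(pattern: str) -> list:
    """Return the list items this pattern appears to use, in order of first use."""
    findings = [TOO_LONG] if len(pattern) > MAX_PATTERN_CHARS else []
    i, n, in_class = 0, len(pattern), False
    while i < n:
        ch = pattern[i]
        if ch == "\\" and i + 1 < n:
            if not in_class:                 # escapes inside [...] are literals here
                findings.append(_escape_finding(pattern[i + 1], pattern[i + 2:i + 3]))
            i += 2
        elif in_class:
            in_class = ch != "]"
            i += 1
        elif ch == "[":
            in_class = True
            i += 1
            if pattern[i:i + 1] == "^":
                i += 1
            if pattern[i:i + 1] == "]":      # a leading ] is a literal member
                i += 1
        elif pattern.startswith("(*", i):
            findings.append(VERB)
            i += 2
        elif pattern.startswith("(?", i):
            findings.append(_group_finding(pattern[i + 2:i + 5]))
            i += 2
        elif ch in "*+?}" and pattern[i + 1:i + 2] == "+":
            findings.append(ATOMIC)          # possessive quantifier such as a++
            i += 2
        else:
            i += 1
    return list(dict.fromkeys(f for f in findings if f))


if __name__ == "__main__":
    for candidate in (r"^/images/[a-z0-9-]+\.jpg$", r"(bad)bot\1", r"foo(?=bar)"):
        print(candidate, "->", unsupported_constructs(candidate) or "no findings")
```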

## Values that you specify when you create or edit RegEx match conditions
<a name="classic-web-acl-regex-conditions-values"></a>

When you create or update a regex match condition, you specify the following values: 

**Name**  
Enter a name for the regex match condition. The name can contain only alphanumeric characters (A-Z, a-z, 0-9) or the following special characters: ``_-!"#`+*},./``. You can't change the name of a condition after you create it.

**Type**  
Choose **Regex match**.

**Part of the request to filter on**  
Choose the part of each web request that you want AWS WAF Classic to inspect for the pattern that you specify in **Value to match**:    
**Header**  
A specified request header, for example, the `User-Agent` or `Referer` header. If you choose **Header**, specify the name of the header in the **Header** field.  
**HTTP method**  
The HTTP method, which indicates the type of operation that the request is asking the origin to perform. CloudFront supports the following methods: `DELETE`, `GET`, `HEAD`, `OPTIONS`, `PATCH`, `POST`, and `PUT`.  
**Query string**  
The part of a URL that appears after a `?` character, if any.  
**URI**  
The URI path of the request, which identifies the resource, for example, `/images/daily-ad.jpg`. This doesn't include the query string or fragment components of the URI. For information, see [Uniform Resource Identifier (URI): Generic Syntax](https://tools.ietf.org/html/rfc3986#section-3.3).   
Unless a **Transformation** is specified, a URI is not normalized and is inspected just as AWS receives it from the client as part of the request. A **Transformation** will reformat the URI as specified.  
**Body**  
The part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.  
If you choose **Body** for the value of **Part of the request to filter on**, AWS WAF Classic inspects only the first 8192 bytes (8 KB). To allow or block requests for which the body is longer than 8192 bytes, you can create a size constraint condition. (AWS WAF Classic gets the length of the body from the request headers.) For more information, see [Working with size constraint conditions](classic-web-acl-size-conditions.md).  
**Single query parameter (value only)**  
Any parameter that you have defined as part of the query string. For example, if the URL is "www.xyz.com?UserName=abc&SalesRegion=seattle" you can add a filter to either the *UserName* or *SalesRegion* parameter.   
If duplicate parameters appear in the query string, the values are evaluated as an "OR." That is, either value will trigger a match. For example, in the URL "www.xyz.com?SalesRegion=boston&SalesRegion=seattle", a pattern that matches either "boston" or "seattle" in **Value to match** will trigger a match.  
If you choose **Single query parameter (value only)** you will also specify a **Query parameter name**. This is the parameter in the query string that you will inspect, such as *UserName* or *SalesRegion*. The maximum length for **Query parameter name** is 30 characters. **Query parameter name** is not case sensitive. For example, if you specify *UserName* as the **Query parameter name**, this will match all variations of *UserName*, such as *username* and *UsERName*.  
**All query parameters (values only)**  
Similar to **Single query parameter (value only)**, but rather than inspecting the value of a single parameter, AWS WAF Classic inspects the value of all parameters within the query string for the pattern specified in the **Value to match**. For example, in the URL "www.xyz.com?UserName=abc&SalesRegion=seattle", a pattern in **Value to match** that matches either the value in *UserName* or *SalesRegion* will trigger a match.

**Header (Only When "Part of the request to filter on" is "Header")**  
If you chose **Header** from the **Part of the request to filter on** list, choose a header from the list of common headers, or enter the name of a header that you want AWS WAF Classic to inspect.

**Transformation**  
A transformation reformats a web request before AWS WAF Classic inspects the request. This eliminates some of the unusual formatting that attackers use in web requests in an effort to bypass AWS WAF Classic.   
You can only specify a single type of text transformation.  
Transformations can perform the following operations:    
**None**  
AWS WAF Classic doesn't perform any text transformations on the web request before inspecting it for the string in **Value to match**.  
**Convert to lowercase**  
AWS WAF Classic converts uppercase letters (A-Z) to lowercase (a-z).  
**HTML decode**  
AWS WAF Classic replaces HTML-encoded characters with unencoded characters:  
+ Replaces `&quot;` with `"`
+ Replaces `&nbsp;` with a non-breaking space
+ Replaces `&lt;` with `<`
+ Replaces `&gt;` with `>`
+ Replaces characters that are represented in hexadecimal format, `&#xhhhh;`, with the corresponding characters
+ Replaces characters that are represented in decimal format, `&#nnnn;`, with the corresponding characters  
**Normalize white space**  
AWS WAF Classic replaces the following characters with a space character (decimal 32):  
+ `\f`, formfeed, decimal 12
+ `\t`, tab, decimal 9
+ `\n`, newline, decimal 10
+ `\r`, carriage return, decimal 13
+ `\v`, vertical tab, decimal 11
+ non-breaking space, decimal 160
In addition, this option replaces multiple spaces with one space.  
**Simplify command line**  
When you're concerned that attackers are injecting an operating system command line command and using unusual formatting to disguise some or all of the command, use this option to perform the following transformations:  
+ Delete the following characters: `\`, `"`, `'`, `^`
+ Delete spaces before the following characters: / (
+ Replace the following characters with a space: , ;
+ Replace multiple spaces with one space
+ Convert uppercase letters (A-Z) to lowercase (a-z)  
**URL decode**  
Decode a URL-encoded request.

**Regex pattern to match to request**  
You can choose an existing pattern set, or create a new one. If you create a new one, specify the following:    
**New pattern set name**  
Enter a name and then specify the regex pattern that you want AWS WAF Classic to search for.   
If you add multiple regular expressions to a pattern set, those expressions are combined with an *OR*. That is, a web request will match the pattern set if the appropriate part of the request matches any of the expressions listed.  
The maximum length of **Value to match** is 70 characters. 
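The **Transformation** lists in both the string match and regex match sections describe the same operations, so one added example covers both. It is not AWS code: the functions implement only the replacements listed on this page, the order of steps inside "Simplify command line" and plain percent-decoding for "URL decode" are assumptions, Python's `re` stands in for the AWS WAF Classic regex engine, and the sample value and patterns are constructed.

```python
import re
from urllib.parse import unquote

NBSP = "\u00a0"          # non-breaking space, decimal 160
MAX_PATTERN_CHARS = 70   # pattern length limit stated on this page
_UPPER_TO_LOWER = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ",
                                "abcdefghijklmnopqrstuvwxyz")
_NAMED = {"quot": '"', "nbsp": NBSP, "lt": "<", "gt": ">"}
_ENTITY = re.compile(r"&(?:#x([0-9A-Fa-f]{1,4})|#([0-9]{1,4})|(quot|nbsp|lt|gt));")


def convert_to_lowercase(text):
    """A-Z to a-z only; all other characters are left alone."""
    return text.translate(_UPPER_TO_LOWER)


def html_decode(text):
    """Only the replacements listed on this page (html.unescape would do more)."""
    def replace(match):
        hex_digits, dec_digits, name = match.groups()
        if hex_digits is not None:
            return chr(int(hex_digits, 16))
        if dec_digits is not None:
            return chr(int(dec_digits))
        return _NAMED[name]
    return _ENTITY.sub(replace, text)


def normalize_white_space(text):
    """\\f \\t \\n \\r \\v and NBSP become a space, then runs of spaces collapse."""
    text = re.sub("[\f\t\n\r\v" + NBSP + "]", " ", text)
    return re.sub(" {2,}", " ", text)


def simplify_command_line(text):
    """Steps applied in the order the page lists them (the order is an assumption)."""
    text = text.translate({ord(c): None for c in "\\\"'^"})  # delete \ " ' ^
    text = re.sub(r" +(?=[/(])", "", text)                   # spaces before / and (
    text = re.sub(r"[,;]", " ", text)                        # , and ; become a space
    text = re.sub(" {2,}", " ", text)
    return convert_to_lowercase(text)


TRANSFORMATIONS = {  # keyed by the console labels used on this page
    "None": lambda text: text,
    "Convert to lowercase": convert_to_lowercase,
    "HTML decode": html_decode,
    "Normalize white space": normalize_white_space,
    "Simplify command line": simplify_command_line,
    "URL decode": unquote,  # assumption: plain percent-decoding
}


def pattern_set_matches(value, transformation, patterns):
    """Apply the single chosen transformation, then OR the patterns in the set."""
    for pattern in patterns:
        if len(pattern) > MAX_PATTERN_CHARS:
            raise ValueError("pattern exceeds 70 characters")
    text = TRANSFORMATIONS[transformation](value)
    return any(re.search(pattern, text) for pattern in patterns)


def transformation_report(value, patterns):
    """Which single transformation choice lets the pattern set match this value?"""
    return {label: pattern_set_matches(value, label, patterns)
            for label in TRANSFORMATIONS}


# Constructed sample: a User-Agent value and a two-pattern set.
SAMPLE_UA = "BadBot/1.0"
PATTERNS = [r"^badbot/\d", r"crawler"]

if __name__ == "__main__":
    for label, hit in transformation_report(SAMPLE_UA, PATTERNS).items():
        print(f"{label:24} {'match' if hit else 'no match'}")
```

Because a filter takes only one transformation, a report like this over values taken from your own request logs shows which choice a given pattern set depends on.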

## Editing a regex match condition
<a name="classic-web-acl-regex-conditions-editing"></a>

You can make the following changes to an existing regex match condition:
+ Delete a pattern from an existing pattern set
+ Add a pattern to an existing pattern set
+ Delete a filter from an existing regex match condition
+ Add a filter to an existing regex match condition (You can have only one filter in a regex match condition. Therefore, in order to add a filter, you must delete the existing filter first.)
+ Delete an existing regex match condition

**Note**  
You cannot add or delete a pattern set from an existing filter. You must either edit the pattern set, or delete the filter and create a new filter with a new pattern set.<a name="classic-web-acl-regex-conditions-editing-procedure-delete-pattern"></a>

**To delete a pattern from an existing pattern set**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **String and regex matching**.

1. Choose **View regex pattern sets**.

1. Choose the name of the pattern set you want to edit.

1. Choose **Edit**.

1. Choose the **X** next to the pattern you want to delete.

1. Choose **Save**.<a name="classic-web-acl-regex-conditions-editing-procedure-add-pattern"></a>

**To add a pattern to an existing pattern set**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **String and regex matching**.

1. Choose **View regex pattern sets**.

1. Choose the name of the pattern set to edit.

1. Choose **Edit**.

1. Enter a new regex pattern.

1. Choose the **+** next to the new pattern.

1. Choose **Save**.<a name="classic-web-acl-regex-conditions-editing-procedure-delete-filter"></a>

**To delete a filter from an existing regex match condition**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **String and regex matching**.

1. Choose the name of the condition with the filter you want to delete.

1. Choose the box next to the filter you want to delete.

1. Choose **Delete filter**.<a name="classic-web-acl-regex-conditions-editing-procedure-delete-regex-condition"></a>

**To delete a regex match condition**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. Delete the filter from the regex condition. For instructions, see [To delete a filter from an existing regex match condition](#classic-web-acl-regex-conditions-editing-procedure-delete-filter).

1. Remove the regex match condition from the rules that are using it:

   1. In the navigation pane, choose **Rules**.

   1. Choose the name of a rule that is using the regex match condition that you want to delete.

   1. In the right pane, choose **Edit rule**.

   1. Choose the **X** next to the condition you want to delete.

   1. Choose **Update**.

   1. Repeat for all the remaining rules that are using the regex match condition that you want to delete.

1. In the navigation pane, choose **String and regex matching**.

1. Select the button next to the condition you want to delete.

1. Choose **Delete**.<a name="classic-web-acl-regex-conditions-editing-procedure-add-filter"></a>

**To add or change a filter to an existing regex match condition**

You can have only one filter in a regex match condition. If you want to add or change the filter, you must first delete the existing filter.

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. Delete the filter from the regex condition you want to change. For instructions, see [To delete a filter from an existing regex match condition](#classic-web-acl-regex-conditions-editing-procedure-delete-filter).

1. In the navigation pane, choose **String and regex matching**.

1. Choose the name of the condition you want to change.

1. Choose **Add filter**.

1. Enter the appropriate values for the new filter and choose **Add**.

# Working with rules
<a name="classic-web-acl-rules"></a>

Rules let you precisely target the web requests that you want AWS WAF Classic to allow or block by specifying the exact conditions that you want AWS WAF Classic to watch for. For example, AWS WAF Classic can watch for the IP addresses that requests originate from, the strings that the requests contain and where the strings appear, and whether the requests appear to contain malicious SQL code.

**Topics**
+ [Creating a rule and adding conditions](classic-web-acl-rules-creating.md)
+ [Adding and removing conditions in a rule](classic-web-acl-rules-editing.md)
+ [Deleting a rule](classic-web-acl-rules-deleting.md)
+ [AWS Marketplace rule groups](classic-waf-managed-rule-groups.md)

# Creating a rule and adding conditions
<a name="classic-web-acl-rules-creating"></a>

If you add more than one condition to a rule, a web request must match all the conditions for AWS WAF Classic to allow or block requests based on that rule.<a name="classic-web-acl-rules-creating-procedure"></a>

**To create a rule and add conditions**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **Rules**.

1. Choose **Create rule**.

1. Enter the following values:  
**Name**  
Enter a name.   
**CloudWatch metric name**  
Enter a name for the CloudWatch metric that AWS WAF Classic will create and will associate with the rule. The name can contain only alphanumeric characters (A-Z, a-z, 0-9), with maximum length 128 and minimum length one. It can't contain white space or metric names reserved for AWS WAF Classic, including "All" and "Default_Action".  
**Rule type**  
Choose either `Regular rule` or `Rate–based rule`. Rate–based rules are identical to regular rules, but also take into account how many requests arrive from an IP address in a five-minute period. For more information about these rule types, see [How AWS WAF Classic works](classic-how-aws-waf-works.md).  
**Rate limit**  
For a rate-based rule, enter the maximum number of requests to allow in any five-minute period from an IP address that matches the rule's conditions. The rate limit must be at least 100.   
You can specify a rate limit alone, or a rate limit and conditions. If you specify only a rate limit, AWS WAF places the limit on all IP addresses. If you specify a rate limit and conditions, AWS WAF places the limit on IP addresses that match the conditions.   
When an IP address reaches the rate limit threshold, AWS WAF applies the assigned action (block or count) as quickly as possible, usually within 30 seconds. Once the action is in place, if five minutes pass with no requests from the IP address, AWS WAF resets the counter to zero.

1. To add a condition to the rule, specify the following values:   
**When a request does/does not**  
If you want AWS WAF Classic to allow or block requests based on the filters in a condition, choose **does**. For example, if an IP match condition includes the IP address range 192.0.2.0/24 and you want AWS WAF Classic to allow or block requests that come from those IP addresses, choose **does**.  
If you want AWS WAF Classic to allow or block requests based on the inverse of the filters in a condition, choose **does not**. For example, if an IP match condition includes the IP address range 192.0.2.0/24 and you want AWS WAF Classic to allow or block requests that *do not* come from those IP addresses, choose **does not**.  
**match/originate from**  
Choose the type of condition that you want to add to the rule:  
   + Cross-site scripting match conditions – choose **match at least one of the filters in the cross-site scripting match condition**
   + IP match conditions – choose **originate from an IP address in**
   + Geo match conditions – choose **originate from a geographic location in**
   + Size constraint conditions – choose **match at least one of the filters in the size constraint condition**
   + SQL injection match conditions – choose **match at least one of the filters in the SQL injection match condition**
   + String match conditions – choose **match at least one of the filters in the string match condition**
   + Regular expression match conditions – choose **match at least one of the filters in the regex match condition**  
**condition name**  
Choose the condition that you want to add to the rule. The list displays only conditions of the type that you chose in the preceding step.

1. To add another condition to the rule, choose **Add another condition**, and repeat steps 4 and 5. Note the following:
   + If you add more than one condition, a web request must match at least one filter in every condition for AWS WAF Classic to allow or block requests based on that rule.
   + If you add two IP match conditions to the same rule, AWS WAF Classic will only allow or block requests that originate from IP addresses that appear in both IP match conditions.

1. When you're finished adding conditions, choose **Create**.
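The matching logic described in this procedure, as an added Python model (not AWS code): filters inside one condition are alternatives, **does not** inverts a condition, and every condition in the rule must hold. The request shape, the class names and the `/admin` path are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List

Request = Dict[str, str]            # constructed shape: {"ip": ..., "uri": ...}
Filter = Callable[[Request], bool]


def ip_filter(cidr: str) -> Filter:
    """One filter of an IP match condition: the source IP is inside `cidr`."""
    net = ip_network(cidr)
    return lambda req: ip_address(req["ip"]) in net


def uri_prefix_filter(prefix: str) -> Filter:
    """One filter of a string match condition: the URI starts with `prefix`."""
    return lambda req: req["uri"].startswith(prefix)


@dataclass
class Condition:
    name: str
    filters: List[Filter]

    def matches(self, req: Request) -> bool:
        # Filters inside one condition are alternatives: one hit is enough.
        return any(f(req) for f in self.filters)


@dataclass
class Predicate:
    condition: Condition
    negated: bool = False           # False = "does", True = "does not"

    def matches(self, req: Request) -> bool:
        return self.condition.matches(req) != self.negated


@dataclass
class Rule:
    name: str
    predicates: List[Predicate]

    def matches(self, req: Request) -> bool:
        # Every predicate must hold. The page does not describe a rule with no
        # conditions, so this model treats it as matching nothing (assumption).
        return bool(self.predicates) and all(p.matches(req) for p in self.predicates)


# Constructed conditions, using documentation address ranges.
OFFICE = Condition("office", [ip_filter("192.0.2.0/24")])
PARTNERS = Condition("partners", [ip_filter("192.0.2.128/25"),
                                  ip_filter("198.51.100.0/24")])
ADMIN_PATH = Condition("admin-path", [uri_prefix_filter("/admin")])

# Two IP match conditions in one rule: only addresses present in both match.
BOTH_IP_SETS = Rule("both-ip-sets", [Predicate(OFFICE), Predicate(PARTNERS)])

# "does not originate from" the office range AND "does match" the admin path.
ADMIN_FROM_OUTSIDE = Rule("admin-from-outside",
                          [Predicate(OFFICE, negated=True), Predicate(ADMIN_PATH)])


def check(rule: Rule, ip: str, uri: str = "/") -> bool:
    """Evaluate one rule against a constructed request."""
    return rule.matches({"ip": ip, "uri": uri})


if __name__ == "__main__":
    for ip in ("192.0.2.200", "192.0.2.10", "198.51.100.5"):
        print(ip, "both-ip-sets:", check(BOTH_IP_SETS, ip))
    for ip, uri in (("203.0.113.7", "/admin/login"), ("192.0.2.10", "/admin/login")):
        print(ip, uri, "admin-from-outside:", check(ADMIN_FROM_OUTSIDE, ip, uri))
```

An address such as 198.51.100.5 matches one filter of the second condition but still fails the rule, because the first condition is not satisfied.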

# Adding and removing conditions in a rule
<a name="classic-web-acl-rules-editing"></a>

You can change a rule by adding or removing conditions. <a name="classic-web-acl-rules-editing-procedure"></a>

**To add or remove conditions in a rule**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **Rules**.

1. Choose the name of the rule in which you want to add or remove conditions.

1. Choose **Add rule**.

1. To add a condition, choose **Add condition** and specify the following values:  
**When a request does/does not**  
If you want AWS WAF Classic to allow or block requests based on the filters in a condition, for example, web requests that originate from the range of IP addresses 192.0.2.0/24, choose **does**.  
If you want AWS WAF Classic to allow or block requests based on the inverse of the filters in a condition, choose **does not**. For example, if an IP match condition includes the IP address range 192.0.2.0/24 and you want AWS WAF Classic to allow or block requests that *do not* come from those IP addresses, choose **does not**.  
**match/originate from**  
Choose the type of condition that you want to add to the rule:  
   + Cross-site scripting match conditions – choose **match at least one of the filters in the cross-site scripting match condition**
   + IP match conditions – choose **originate from an IP address in**
   + Geo match conditions – choose **originate from a geographic location in**
   + Size constraint conditions – choose **match at least one of the filters in the size constraint condition**
   + SQL injection match conditions – choose **match at least one of the filters in the SQL injection match condition**
   + String match conditions – choose **match at least one of the filters in the string match condition**
   + Regular expression match conditions – choose **match at least one of the filters in the regex match condition**  
**condition name**  
Choose the condition that you want to add to the rule. The list displays only conditions of the type that you chose in the preceding step.

1. To remove a condition, select the **X** to the right of the condition name.

1. Choose **Update**.

# Deleting a rule
<a name="classic-web-acl-rules-deleting"></a>

If you want to delete a rule, you need to first remove the rule from the web ACLs that are using it and remove the conditions that are included in the rule.<a name="classic-web-acl-rules-deleting-procedure"></a>

**To delete a rule**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. To remove the rule from the web ACLs that are using it, perform the following steps for each of the web ACLs:

   1. In the navigation pane, choose **Web ACLs**.

   1. Choose the name of a web ACL that is using the rule that you want to delete.
**Note**  
If you don't see the web ACL, make sure the Region selection is correct. Web ACLs that protect Amazon CloudFront distributions are in **Global (CloudFront)**.

   1. Choose the **Rules** tab.

   1. Choose **Edit web ACL**.

   1. Choose the **X** to the right of the rule that you want to delete, and then choose **Update**.

1. In the navigation pane, choose **Rules**.

1. Select the name of the rule you want to delete.
**Note**  
If you don't see the rule, make sure the Region selection is correct. Rules that protect Amazon CloudFront distributions are in **Global (CloudFront)**.

1. Choose **Delete**.

# AWS Marketplace rule groups
<a name="classic-waf-managed-rule-groups"></a>

AWS WAF Classic provides *AWS Marketplace rule groups* to help you protect your resources. AWS Marketplace rule groups are collections of predefined, ready-to-use rules that are written and updated by AWS and AWS partner companies.

Some AWS Marketplace rule groups are designed to help protect specific types of web applications like WordPress, Joomla, or PHP. Other AWS Marketplace rule groups offer broad protection against known threats or common web application vulnerabilities, such as those listed in the [OWASP Top 10](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project).

You can install a single AWS Marketplace rule group from your preferred AWS partner, and you can also add your own customized AWS WAF Classic rules for increased protection. If you are subject to regulatory compliance like PCI or HIPAA, you might be able to use AWS Marketplace rule groups to satisfy web application firewall requirements.

AWS Marketplace rule groups are available with no long-term contracts, and no minimum commitments. When you subscribe to a rule group, you are charged a monthly fee (prorated hourly) and ongoing request fees based on volume. For more information, see [AWS WAF Classic Pricing](https://aws.amazon.com/waf/pricing/) and the description for each AWS Marketplace rule group on AWS Marketplace.

## Automatic updates
<a name="classic-waf-managed-rule-group-updates"></a>

Keeping up to date on the constantly changing threat landscape can be time consuming and expensive. AWS Marketplace rule groups can save you time when you implement and use AWS WAF Classic. Another benefit is that AWS and our AWS partners automatically update AWS Marketplace rule groups when new vulnerabilities and threats emerge.

Many of our partners are notified of new vulnerabilities before public disclosure. They can update their rule groups and deploy them to you even before a new threat is widely known. Many also have threat research teams to investigate and analyze the most recent threats in order to write the most relevant rules.

## Access to the rules in an AWS Marketplace rule group
<a name="classic-waf-managed-rule-group-edits"></a>

Each AWS Marketplace rule group provides a comprehensive description of the types of attacks and vulnerabilities that it's designed to protect against. To protect the intellectual property of the rule group providers, you can't view the individual rules within a rule group. This restriction also helps to keep malicious users from designing threats that specifically circumvent published rules.

Because you can’t view individual rules in an AWS Marketplace rule group, you also can't edit any rules in an AWS Marketplace rule group. However, you can exclude specific rules from a rule group. This is called a "rule group exception." Excluding rules does not remove those rules. Rather, it changes the action for the rules to `COUNT`. Therefore, requests that match an excluded rule are counted but not blocked. You will receive COUNT metrics for each excluded rule.

Excluding rules can be helpful when troubleshooting rule groups that are blocking traffic unexpectedly (false positives). One troubleshooting technique is to identify the specific rule within the rule group that is blocking the desired traffic and then disable (exclude) that particular rule.

In addition to excluding specific rules, you can refine your protection by enabling or disabling entire rule groups, as well as choosing the rule group action to perform. For more information, see [Using AWS Marketplace rule groups](#classic-waf-managed-rule-group-using). 

## Quotas
<a name="classic-waf-managed-rule-group-limits"></a>

You can enable only one AWS Marketplace rule group. You can also enable one custom rule group that you create using AWS Firewall Manager. These rule groups count towards the 10 rule maximum quota per web ACL. Therefore, you can have one AWS Marketplace rule group, one custom rule group, and up to eight custom rules in a single web ACL.

## Pricing
<a name="classic-waf-managed-rule-group-pricing"></a>

For AWS Marketplace rule group pricing, see [AWS WAF Classic Pricing](https://aws.amazon.com/waf/pricing/) and the description for each AWS Marketplace rule group on AWS Marketplace.

## Using AWS Marketplace rule groups
<a name="classic-waf-managed-rule-group-using"></a>

You can subscribe to and unsubscribe from AWS Marketplace rule groups on the AWS WAF Classic console. You can also exclude specific rules from a rule group.<a name="classic-waf-managed-rule-group-using-procedure"></a>

**To subscribe to and use an AWS Marketplace rule group**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **Marketplace**.

1. In the **Available marketplace products** section, choose the name of a rule group to view the details and pricing information.

1. If you want to subscribe to the rule group, choose **Continue**.
**Note**  
If you don't want to subscribe to this rule group, simply close this page in your browser.

1. Choose **Set up your account**.

1. Add the rule group to a web ACL, just as you would add an individual rule. For more information, see [Creating a Web ACL](classic-web-acl-creating.md) or [Editing a Web ACL](classic-web-acl-editing.md).
**Note**  
When adding a rule group to a web ACL, the action that you set for the rule group (either **No override** or **Override to count**) is called the rule group override action. For more information, see [Rule group override](#classic-waf-managed-rule-group-override).<a name="classic-waf-managed-rule-group-unsubscribe-procedure"></a>

**To unsubscribe from an AWS Marketplace rule group**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. Remove the rule group from all web ACLs. For more information, see [Editing a Web ACL](classic-web-acl-editing.md).

1. In the navigation pane, choose **Marketplace**.

1. Choose **Manage your subscriptions**.

1. Choose **Cancel subscription** next to the name of the rule group that you want to unsubscribe from.

1. Choose **Yes, cancel subscription**.<a name="classic-waf-managed-rule-group-exclude-rule-procedure"></a>

**To exclude a rule from a rule group (rule group exception)**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. If not already enabled, enable AWS WAF Classic logging. For more information, see [Logging Web ACL traffic information](classic-logging.md). Use the AWS WAF Classic logs to identify the IDs of the rules that you want to exclude. These are typically rules that are blocking legitimate requests.

1. In the navigation pane, choose **Web ACLs**.

1. Choose the name of the web ACL that you want to edit. This opens a page with the web ACL's details in the right pane.
**Note**  
The rule group that you want to edit must be associated with a web ACL before you can exclude a rule from that rule group.

1. On the **Rules** tab in the right pane, choose **Edit web ACL**.

1. In the **Rule group exceptions** section, expand the rule group that you want to edit.

1. Choose the **X** next to the rule that you want to exclude. You can identify the correct rule ID by using the AWS WAF Classic logs.

1. Choose **Update**.

   Excluding rules does not remove those rules from the rule group. Rather, it changes the action for the rules to `COUNT`. Therefore, requests that match an excluded rule are counted but not blocked. You will receive `COUNT` metrics for each excluded rule.
**Note**  
You can use this same procedure to exclude rules from custom rule groups that you have created in AWS Firewall Manager. However, rather than excluding a rule from a custom rule group using these steps, you can also simply edit a custom rule group using the steps described in [Adding and deleting rules from an AWS WAF Classic rule group](classic-rule-group-editing.md).

## Rule group override
<a name="classic-waf-managed-rule-group-override"></a>

AWS Marketplace rule groups have two possible actions: **No override** and **Override to count**. If you want to test the rule group, set the action to **Override to count**. This rule group action overrides any *block* action that is specified by individual rules contained within the group. That is, if the rule group's action is set to **Override to count**, instead of potentially blocking matching requests based on the action of individual rules within the group, those requests will be counted. Conversely, if you set the rule group's action to **No override**, actions of the individual rules within the group will be used.

## Troubleshooting AWS Marketplace rule groups
<a name="classic-waf-managed-rule-group-troubleshooting"></a>

If you find that an AWS Marketplace rule group is blocking legitimate traffic, perform the following steps.<a name="classic-waf-managed-rule-group-troubleshooting-procedure"></a>

**To troubleshoot an AWS Marketplace rule group**

1. Exclude the specific rules that are blocking legitimate traffic. You can identify which rules are blocking which requests using the AWS WAF Classic logs. For more information about excluding rules, see [To exclude a rule from a rule group (rule group exception)](#classic-waf-managed-rule-group-exclude-rule-procedure).

1. If excluding specific rules does not solve the problem, you can change the action for the AWS Marketplace rule group from **No override** to **Override to count**. This allows the web request to pass through, regardless of the individual rule actions within the rule group. This also provides you with Amazon CloudWatch metrics for the rule group.

1. After setting the AWS Marketplace rule group action to **Override to count**, contact the rule group provider's customer support team to further troubleshoot the issue. For contact information, see the rule group listing on the product listing pages on AWS Marketplace.
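Both the exclusion procedure and step 1 above rely on the logs to find which rule in the group is blocking legitimate requests. The following added Python sketch (not AWS tooling) tallies blocking rule IDs for one rule group from JSON log lines. The field names follow the AWS WAF log record layout, which this page does not show, so confirm them against your own logs; all IDs, URIs and log lines are constructed.

```python
import json
from collections import Counter, defaultdict
from typing import Dict, Iterable, Iterator, List, Set, Tuple

GROUP_ID = "example-rule-group-id"   # constructed placeholder, not a real ID


def sample_record(uri: str, action: str, terminating: str = "",
                  excluded: Tuple[str, ...] = ()) -> str:
    """Build one constructed log line containing only the fields used below."""
    return json.dumps({
        "action": action,
        "ruleGroupList": [{
            "ruleGroupId": GROUP_ID,
            "terminatingRule": ({"ruleId": terminating, "action": "BLOCK"}
                                if terminating else None),
            "excludedRules": [{"ruleId": r, "exclusionType": "EXCLUDED_AS_COUNT"}
                              for r in excluded] or None,
        }],
        "httpRequest": {"uri": uri},
    })


SAMPLE_LOG: List[str] = [
    sample_record("/api/comments", "BLOCK", terminating="rule-sqli-01"),
    sample_record("/api/comments", "BLOCK", terminating="rule-sqli-01"),
    sample_record("/wp-login.php", "BLOCK", terminating="rule-login-02"),
    sample_record("/api/search", "ALLOW", excluded=("rule-xss-03",)),
    sample_record("/api/profile", "BLOCK", terminating="rule-sqli-01"),
    "{truncated",                    # damaged line, must be skipped
]


def group_entries(lines: Iterable[str], group_id: str) -> Iterator[Tuple[str, dict]]:
    """Yield (uri, rule-group entry) for every record that mentions the group."""
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(rec, dict):
            continue
        uri = (rec.get("httpRequest") or {}).get("uri", "?")
        for group in rec.get("ruleGroupList") or []:
            if group.get("ruleGroupId") == group_id:
                yield uri, group


def blocked_by_group(lines: Iterable[str], group_id: str) -> Dict[str, Counter]:
    """Map each blocking rule ID in the group to a count of the URIs it blocked."""
    hits: Dict[str, Counter] = defaultdict(Counter)
    for uri, group in group_entries(lines, group_id):
        term = group.get("terminatingRule") or {}
        if term.get("action") == "BLOCK" and term.get("ruleId"):
            hits[term["ruleId"]][uri] += 1
    return dict(hits)


def already_excluded(lines: Iterable[str], group_id: str) -> Set[str]:
    """Rule IDs that the logs show as rule group exceptions (counted, not blocked)."""
    found: Set[str] = set()
    for _uri, group in group_entries(lines, group_id):
        for item in group.get("excludedRules") or []:
            if item.get("ruleId"):
                found.add(item["ruleId"])
    return found


def exclusion_candidates(lines: Iterable[str], group_id: str,
                         legit_prefixes: Iterable[str]) -> List[Tuple[str, int]]:
    """Rank rules by how many blocks hit paths you know carry legitimate traffic."""
    prefixes = tuple(legit_prefixes)
    ranked = []
    for rule_id, uris in blocked_by_group(lines, group_id).items():
        legit = sum(n for uri, n in uris.items() if uri.startswith(prefixes))
        if legit:
            ranked.append((rule_id, legit))
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    print(exclusion_candidates(SAMPLE_LOG, GROUP_ID, ["/api/"]))
    print(sorted(already_excluded(SAMPLE_LOG, GROUP_ID)))
```

A rule that blocks only paths outside your known-legitimate prefixes, such as `rule-login-02` in the sample, is not proposed for exclusion.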

### Contacting customer support
<a name="classic-waf-managed-rule-group-troubleshooting-support"></a>

For problems with AWS WAF Classic or a rule group that is managed by AWS, contact AWS Support. For problems with a rule group that is managed by an AWS partner, contact that partner's customer support team. To find partner contact information, see the partner’s listing on AWS Marketplace.

## Creating and selling AWS Marketplace rule groups
<a name="classic-waf-managed-rule-group-creating"></a>

If you want to sell AWS Marketplace rule groups on AWS Marketplace, see [How to Sell Your Software on AWS Marketplace](https://aws.amazon.com/marketplace/management/tour/).

# Working with web ACLs
<a name="classic-web-acl-working-with"></a>

When you add rules to a web ACL, you specify whether you want AWS WAF Classic to allow or block requests based on the conditions in the rules. If you add more than one rule to a web ACL, AWS WAF Classic evaluates each request against the rules in the order that you list them in the web ACL. When a web request matches all the conditions in a rule, AWS WAF Classic immediately takes the corresponding action—allow or block—and doesn't evaluate the request against the remaining rules in the web ACL, if any. 

If a web request doesn't match any of the rules in a web ACL, AWS WAF Classic takes the default action that you specified for the web ACL. For more information, see [Deciding on the default action for a Web ACL](classic-web-acl-default-action.md).

If you want to test a rule before you start using it to allow or block requests, you can configure AWS WAF Classic to count the web requests that match the conditions in the rule. For more information, see [Testing web ACLs](classic-web-acl-testing.md).
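The evaluation order described above, together with the rule group override and rule group exceptions from the AWS Marketplace rule groups section, as an added Python model (not AWS code). The class names and rule IDs are constructed, and the model assumes that rules inside a group are checked in listed order and carry only block or count actions, which the page does not state.

```python
from dataclasses import dataclass, field, replace
from typing import List, Optional, Set, Tuple, Union

ALLOW, BLOCK, COUNT = "ALLOW", "BLOCK", "COUNT"


@dataclass
class ActiveRule:
    rule_id: str
    action: str                      # ALLOW, BLOCK or COUNT


@dataclass
class ActiveRuleGroup:
    group_id: str
    rules: List[ActiveRule]          # the group's own rules (assumed ordered)
    override_to_count: bool = False  # False = "No override"
    excluded: Set[str] = field(default_factory=set)   # rule group exceptions


@dataclass
class WebACL:
    default_action: str              # ALLOW or BLOCK
    entries: List[Union[ActiveRule, ActiveRuleGroup]]   # in evaluation order


def evaluate(acl: WebACL, matched: Set[str]) -> Tuple[str, Optional[str], List[str]]:
    """Return (final action, terminating rule ID or None, counted rule IDs).

    `matched` holds the IDs of the rules whose conditions the request meets.
    """
    counted: List[str] = []
    for entry in acl.entries:
        if isinstance(entry, ActiveRuleGroup):
            # Override to count, or an exception for one rule, turns the
            # rule's own action into COUNT.
            candidates = [
                (r.rule_id,
                 COUNT if entry.override_to_count or r.rule_id in entry.excluded
                 else r.action)
                for r in entry.rules
            ]
        else:
            candidates = [(entry.rule_id, entry.action)]
        for rule_id, action in candidates:
            if rule_id not in matched:
                continue
            if action == COUNT:
                counted.append(rule_id)      # counted, evaluation continues
            else:
                return action, rule_id, counted   # allow or block ends evaluation
    return acl.default_action, None, counted


def with_group(acl: WebACL, **changes) -> WebACL:
    """Copy of the web ACL with the given settings applied to its rule groups."""
    entries = [replace(e, **changes) if isinstance(e, ActiveRuleGroup) else e
               for e in acl.entries]
    return replace(acl, entries=entries)


# Constructed web ACL: default action allow, four entries in this order.
VENDOR = ActiveRuleGroup("vendor-group",
                         [ActiveRule("g-sqli", BLOCK), ActiveRule("g-xss", BLOCK)])
ACL = WebACL(ALLOW, [
    ActiveRule("allow-office", ALLOW),
    ActiveRule("probe-count", COUNT),
    VENDOR,
    ActiveRule("block-bad-ua", BLOCK),
])

if __name__ == "__main__":
    print(evaluate(ACL, {"allow-office", "g-sqli"}))
    print(evaluate(ACL, {"probe-count", "g-sqli"}))
    print(evaluate(with_group(ACL, excluded={"g-sqli"}), {"g-sqli", "block-bad-ua"}))
    print(evaluate(with_group(ACL, override_to_count=True), {"g-sqli", "g-xss"}))
```

The first case shows why order matters: a request that matches an earlier allow rule is never inspected by the rule group that would have blocked it.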

**Topics**
+ [Deciding on the default action for a Web ACL](classic-web-acl-default-action.md)
+ [Creating a Web ACL](classic-web-acl-creating.md)
+ [Associating or disassociating a Web ACL with an Amazon API Gateway API, a CloudFront distribution or an Application Load Balancer](classic-web-acl-associating-cloudfront-distribution.md)
+ [Editing a Web ACL](classic-web-acl-editing.md)
+ [Deleting a Web ACL](classic-web-acl-deleting.md)
+ [Testing web ACLs](classic-web-acl-testing.md)

# Deciding on the default action for a Web ACL
<a name="classic-web-acl-default-action"></a>

When you create and configure a web ACL, the first and most important decision that you must make is whether the default action should be for AWS WAF Classic to allow web requests or to block web requests. The default action indicates what you want AWS WAF Classic to do after it inspects a web request for all the conditions that you specify, and the web request doesn't match any of those conditions:
+ **Allow** – If you want to allow most users to access your website, but you want to block access to attackers whose requests originate from specified IP addresses, or whose requests appear to contain malicious SQL code or specified values, choose **Allow** for the default action.
+ **Block** – If you want to prevent most would-be users from accessing your website, but you want to allow access to users whose requests originate from specified IP addresses, or whose requests contain specified values, choose **Block** for the default action.

Many decisions that you make after you've decided on a default action depend on whether you want to allow or block most web requests. For example, if you want to *allow* most requests, then the match conditions that you create generally should specify the web requests that you want to *block*, such as the following:
+ Requests that originate from IP addresses that are making an unreasonable number of requests
+ Requests that originate from countries that either you don't do business in or are the frequent source of attacks
+ Requests that include fake values in the **User-Agent** header
+ Requests that appear to include malicious SQL code

# Creating a Web ACL
<a name="classic-web-acl-creating"></a>

<a name="classic-web-acl-creating-procedure"></a>

**To create a web ACL**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. If this is your first time using AWS WAF Classic, choose **Go to AWS WAF Classic** and then **Configure Web ACL**. If you've used AWS WAF Classic before, choose **Web ACLs** in the navigation pane, and then choose **Create web ACL**.

1. For **Web ACL name**, enter a name. 
**Note**  
You can't change the name after you create the web ACL.

1. For **CloudWatch metric name**, change the default name if applicable. The name can contain only alphanumeric characters (A-Z, a-z, 0-9), with maximum length 128 and minimum length one. It can't contain white space or metric names reserved for AWS WAF Classic, including "All" and "Default_Action."
**Note**  
You can't change the name after you create the web ACL.

1. For **Region**, choose a Region.

1. For **AWS resource**, choose the resource that you want to associate with this web ACL, and then choose **Next**.

1. If you've already created the conditions that you want AWS WAF Classic to use to inspect your web requests, choose **Next**, and then continue to the next step.

   If you haven't already created conditions, do so now. For more information, see the following topics:
   + [Working with cross-site scripting match conditions](classic-web-acl-xss-conditions.md)
   + [Working with IP match conditions](classic-web-acl-ip-conditions.md)
   + [Working with geographic match conditions](classic-web-acl-geo-conditions.md)
   + [Working with size constraint conditions](classic-web-acl-size-conditions.md)
   + [Working with SQL injection match conditions](classic-web-acl-sql-conditions.md)
   + [Working with string match conditions](classic-web-acl-string-conditions.md)
   + [Working with regex match conditions](classic-web-acl-regex-conditions.md)

1. If you've already created the rules or rule groups (or subscribed to an AWS Marketplace rule group) that you want to add to this web ACL, add the rules to the web ACL:

   1. In the **Rules** list, choose a rule.

   1. Choose **Add rule to web ACL**.

   1. Repeat steps a and b until you've added all the rules that you want to add to this web ACL.

   1. Go to step 10.

1. If you haven't created rules yet, you can add rules now:

   1. Choose **Create rule**.

   1. Enter the following values:  
**Name**  
Enter a name.  
**CloudWatch metric name**  
Enter a name for the CloudWatch metric that AWS WAF Classic will create and will associate with the rule. The name can contain only alphanumeric characters (A-Z, a-z, 0-9), with maximum length 128 and minimum length one. It can't contain white space or metric names reserved for AWS WAF Classic, including "All" and "Default_Action."  
You can't change the metric name after you create the rule.

   1. To add a condition to the rule, specify the following values:   
**When a request does/does not**  
If you want AWS WAF Classic to allow or block requests based on the filters in a condition, for example, web requests that originate from the range of IP addresses 192.0.2.0/24, choose **does**.  
If you want AWS WAF Classic to allow or block requests based on the inverse of the filters in a condition, choose **does not**. For example, if an IP match condition includes the IP address range 192.0.2.0/24 and you want AWS WAF Classic to allow or block requests that *do not* come from those IP addresses, choose **does not**.  
**match/originate from**  
Choose the type of condition that you want to add to the rule:  
      + Cross-site scripting match conditions – choose **match at least one of the filters in the cross-site scripting match condition**
      + IP match conditions – choose **originate from an IP address in**
      + Geo match conditions – choose **originate from a geographic location in**
      + Size constraint conditions – choose **match at least one of the filters in the size constraint condition**
      + SQL injection match conditions – choose **match at least one of the filters in the SQL injection match condition**
      + String match conditions – choose **match at least one of the filters in the string match condition**
      + Regex match conditions – choose **match at least one of the filters in the regex match condition**  
**condition name**  
Choose the condition that you want to add to the rule. The list displays only conditions of the type that you chose in the preceding list.

   1. To add another condition to the rule, choose **Add another condition**, and then repeat steps b and c. Note the following:
      + If you add more than one condition, a web request must match at least one filter in every condition for AWS WAF Classic to allow or block requests based on that rule. 
      + If you add two IP match conditions to the same rule, AWS WAF Classic will only allow or block requests that originate from IP addresses that appear in both IP match conditions. 

   1. Repeat step 9 until you've created all the rules that you want to add to this web ACL. 

   1. Choose **Create**.

   1. Continue with step 10.

1. For each rule or rule group in the web ACL, choose the kind of management you want AWS WAF Classic to provide, as follows: 
   + For each rule, choose whether you want AWS WAF Classic to allow, block, or count web requests based on the conditions in the rule:
     + **Allow** – API Gateway, CloudFront or an Application Load Balancer responds with the requested object. In the case of CloudFront, if the object isn't in the edge cache, CloudFront forwards the request to the origin.
     + **Block** – API Gateway, CloudFront or an Application Load Balancer responds to the request with an HTTP 403 (Forbidden) status code. CloudFront also can respond with a custom error page. For more information, see [Using AWS WAF Classic with CloudFront custom error pages](classic-cloudfront-features.md#classic-cloudfront-features-custom-error-pages).
     + **Count** – AWS WAF Classic increments a counter of requests that match the conditions in the rule, and then continues to inspect the web request based on the remaining rules in the web ACL. 

       For information about using **Count** to test a web ACL before you start to use it to allow or block web requests, see [Counting the web requests that match the rules in a web ACL](classic-web-acl-testing.md#classic-web-acl-testing-count). 
   + For each rule group, set the override action for the rule group: 
     + **No override** – Causes the actions of the individual rules within the rule group to be used.
     + **Override to count** – Overrides any block actions that are specified by individual rules in the group, so that all matching requests are only counted. 

     For more information, see [Rule group override](classic-waf-managed-rule-groups.md#classic-waf-managed-rule-group-override).

1. If you want to change the order of the rules in the web ACL, use the arrows in the **Order** column. AWS WAF Classic inspects web requests based on the order in which rules appear in the web ACL. 

1. If you want to remove a rule that you added to the web ACL, choose the **x** in the row for the rule.

1. Choose the default action for the web ACL. This is the action that AWS WAF Classic takes when a web request doesn't match the conditions in any of the rules in this web ACL. For more information, see [Deciding on the default action for a Web ACL](classic-web-acl-default-action.md).

1. Choose **Review and create**.

1. Review the settings for the web ACL, and choose **Confirm and create**.

# Associating or disassociating a Web ACL with an Amazon API Gateway API, a CloudFront distribution or an Application Load Balancer
<a name="classic-web-acl-associating-cloudfront-distribution"></a>

To associate or disassociate a web ACL, perform the applicable procedure. Note that you also can associate a web ACL with a CloudFront distribution when you create or update the distribution. For more information, see [Using AWS WAF Classic to Control Access to Your Content](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-awswaf.html) in the *Amazon CloudFront Developer Guide*.

The following restrictions apply when associating a web ACL:
+ Each API Gateway API, Application Load Balancer and CloudFront distribution can be associated with only one web ACL.
+ Web ACLs associated with a CloudFront distribution cannot be associated with an Application Load Balancer or API Gateway API. The web ACL can, however, be associated with other CloudFront distributions.

**To associate a web ACL with an API Gateway API, CloudFront distribution or Application Load Balancer**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **Web ACLs**.

1. Choose the name of the web ACL that you want to associate with an API Gateway API, CloudFront distribution or Application Load Balancer. This opens a page with the web ACL's details in the right pane. 

1. On the **Rules** tab, under **AWS resources using this web ACL**, choose **Add association**.

1. When prompted, use the **Resource** list to choose the API Gateway API, CloudFront distribution or Application Load Balancer that you want to associate this web ACL with. If you choose an Application Load Balancer, you also must specify a Region.

1. Choose **Add**.

1. To associate this web ACL with an additional API Gateway API, CloudFront distribution or another Application Load Balancer, repeat steps 4 through 6.<a name="classic-web-acl-disassociating-cloudfront-distribution-procedure"></a>

**To disassociate a web ACL from an API Gateway API, CloudFront distribution or Application Load Balancer**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **Web ACLs**.

1. Choose the name of the web ACL that you want to disassociate from an API Gateway API, CloudFront distribution or Application Load Balancer. This opens a page with the web ACL's details in the right pane. 

1. On the **Rules** tab, under **AWS resources using this web ACL**, choose the **x** for each API Gateway API, CloudFront distribution or Application Load Balancer that you want to disassociate this web ACL from.

# Editing a Web ACL
<a name="classic-web-acl-editing"></a>

To add or remove rules from a web ACL or change the default action, perform the following procedure. <a name="classic-web-acl-editing-procedure"></a>

**To edit a web ACL**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **Web ACLs**.

1. Choose the name of the web ACL that you want to edit. This opens a page with the web ACL's details in the right pane.

1. On the **Rules** tab in the right pane, choose **Edit web ACL**.

1. To add rules to the web ACL, perform the following steps:

   1. In the **Rules** list, choose the rule that you want to add. 

   1. Choose **Add rule to web ACL**.

   1. Repeat steps a and b until you've added all the rules that you want.

1. If you want to change the order of the rules in the web ACL, use the arrows in the **Order** column. AWS WAF Classic inspects web requests based on the order in which rules appear in the web ACL. 

1. To remove a rule from the web ACL, choose the **x** at the right of the row for that rule. This doesn't delete the rule from AWS WAF Classic; it only removes the rule from this web ACL.

1. To change the action for a rule or the default action for the web ACL, choose the preferred option.
**Note**  
When setting the action for a rule group or an AWS Marketplace rule group (as opposed to a single rule), the action you set for the rule group (either **No override** or **Override to count**) is called the override action. For more information, see [Rule group override](classic-waf-managed-rule-groups.md#classic-waf-managed-rule-group-override).

1. Choose **Save changes**.

# Deleting a Web ACL
<a name="classic-web-acl-deleting"></a>

**Important**  
Deleting a web ACL is permanent and can't be undone. If the selected web ACL contains any rules or is associated with any CloudFront distributions, Application Load Balancers or API Gateway APIs, remove the rules and associations before deleting. Otherwise, the delete will fail.

To delete a web ACL, you must remove the rules that are included in the web ACL and disassociate all CloudFront distributions and Application Load Balancers from the web ACL. Perform the following procedure.<a name="classic-web-acl-deleting-procedure"></a>

**To delete a web ACL**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **Web ACLs**.

1. Choose the name of the web ACL that you want to delete. This opens a page with the web ACL's details in the right pane.
**Note**  
If you don't see the web ACL, make sure the Region selection is correct. Web ACLs that protect Amazon CloudFront distributions are in **Global (CloudFront)**.

1. On the **Rules** tab in the right pane, choose **Edit web ACL**.

1. To remove all rules from the web ACL, choose the **x** at the right of the row for each rule. This doesn't delete the rules from AWS WAF Classic; it only removes the rules from this web ACL.

1. Choose **Update**.

1. Disassociate the web ACL from all CloudFront distributions and Application Load Balancers. On the **Rules** tab, under **AWS resources using this web ACL**, choose the **x** for each API Gateway API, CloudFront distribution or Application Load Balancer.

1. On the **Web ACLs** page, confirm that the web ACL that you want to delete is selected, and then choose **Delete**.

# Testing web ACLs
<a name="classic-web-acl-testing"></a>

To ensure that you don't accidentally configure AWS WAF Classic to block web requests that you want to allow or allow requests that you want to block, we recommend that you test your web ACL thoroughly before you start using it on your website or web application. 

**Topics**
+ [Counting the web requests that match the rules in a web ACL](#classic-web-acl-testing-count)
+ [Viewing a sample of the web requests that API Gateway, CloudFront or an Application Load Balancer has forwarded to AWS WAF Classic](#classic-web-acl-testing-view-sample)

## Counting the web requests that match the rules in a web ACL
<a name="classic-web-acl-testing-count"></a>

When you add rules to a web ACL, you specify whether you want AWS WAF Classic to allow, block, or count the web requests that match all the conditions in that rule. We recommend that you begin with the following configuration:
+ Configure all the rules in a web ACL to count web requests
+ Set the default action for the web ACL to allow requests

In this configuration, AWS WAF Classic inspects each web request based on the conditions in the first rule. If the web request matches all the conditions in that rule, AWS WAF Classic increments a counter for that rule. Then AWS WAF Classic inspects the web request based on the conditions in the next rule. If the request matches all the conditions in that rule, AWS WAF Classic increments a counter for the rule. This continues until AWS WAF Classic has inspected the request based on the conditions in all of your rules. 

After you've configured all the rules in a web ACL to count requests and associated the web ACL with an Amazon API Gateway API, CloudFront distribution or Application Load Balancer, you can view the resulting counts in an Amazon CloudWatch graph. For each rule in a web ACL and for all the requests that API Gateway, CloudFront or an Application Load Balancer forwards to AWS WAF Classic for a web ACL, CloudWatch lets you:
+ View data for the preceding hour or preceding three hours
+ Change the interval between data points
+ Change the calculation that CloudWatch performs on the data, such as maximum, minimum, average, or sum

**Note**  
AWS WAF Classic with CloudFront is a global service and metrics are available only when you choose the **US East (N. Virginia) Region** in the AWS Management Console. If you choose another Region, no AWS WAF Classic metrics will appear in the CloudWatch console.<a name="classic-web-acl-testing-count-procedure"></a>

**To view data for the rules in a web ACL**

1. Sign in to the AWS Management Console and open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the navigation pane, under **Metrics**, choose **WAF**.

1. Select the check box for the web ACL that you want to view data for.

1. Change the applicable settings:  
**Statistic**  
Choose the calculation that CloudWatch performs on the data.  
**Time range**  
Choose whether you want to view data for the preceding hour or the preceding three hours.  
**Period**  
Choose the interval between data points in the graph.  
**Rules**  
Choose the rules for which you want to view data.

   Note the following:
   + If you just associated a web ACL with an API Gateway API, CloudFront distribution or Application Load Balancer, you might need to wait a few minutes for data to appear in the graph and for the metric for the web ACL to appear in the list of available metrics.
   + If you associate more than one API Gateway API, CloudFront distribution or Application Load Balancer with a web ACL, the CloudWatch data will include all the requests for all the resources that are associated with the web ACL.
   + You can hover the mouse cursor over a data point to get more information.
   + The graph doesn't refresh itself automatically. To update the display, choose the refresh (![\[Icon to refresh the Amazon CloudWatch graph\]](http://docs.aws.amazon.com/waf/latest/developerguide/images/cloudwatch-refresh-icon.png)) icon.

1. (Optional) View detailed information about individual requests that API Gateway, CloudFront or an Application Load Balancer has forwarded to AWS WAF Classic. For more information, see [Viewing a sample of the web requests that API Gateway, CloudFront or an Application Load Balancer has forwarded to AWS WAF Classic](#classic-web-acl-testing-view-sample).

1. If you determine that a rule is intercepting requests that you don't want it to intercept, change the applicable settings. For more information, see [Creating and configuring a Web Access Control List (Web ACL)](classic-web-acl.md).

   When you're satisfied that all of your rules are intercepting only the correct requests, change the action for each of your rules to **Allow** or **Block**. For more information, see [Editing a Web ACL](classic-web-acl-editing.md).

## Viewing a sample of the web requests that API Gateway, CloudFront or an Application Load Balancer has forwarded to AWS WAF Classic
<a name="classic-web-acl-testing-view-sample"></a>

In the AWS WAF Classic console, you can view a sample of the requests that API Gateway, CloudFront or an Application Load Balancer has forwarded to AWS WAF Classic for inspection. For each sampled request, you can view detailed data about the request, such as the originating IP address and the headers included in the request. You also can view which rule the request matched, and whether the rule is configured to allow or block requests.

The sample of requests contains up to 100 requests that matched all the conditions in each rule and another 100 requests for the default action, which applies to requests that didn't match all the conditions in any rule. The requests in the sample come from all the API Gateway APIs, CloudFront edge locations or Application Load Balancers that have received requests for your content in the previous 15 minutes.<a name="classic-web-acl-testing-view-sample-procedure"></a>

**To view a sample of the web requests that API Gateway, CloudFront or an Application Load Balancer has forwarded to AWS WAF Classic**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose the web ACL for which you want to view requests.

1. In the right pane, choose the **Requests** tab.

   The **Sampled requests** table displays the following values for each request:  
**Source IP**  
Either the IP address that the request originated from or, if the viewer used an HTTP proxy or an Application Load Balancer to send the request, the IP address of the proxy or Application Load Balancer.   
**URI**  
The URI path of the request, which identifies the resource, for example, `/images/daily-ad.jpg`. This doesn't include the query string or fragment components of the URI. For more information, see [Uniform Resource Identifier (URI): Generic Syntax](https://tools.ietf.org/html/rfc3986#section-3.3).   
**Matches rule**  
Identifies the first rule in the web ACL for which the web request matched all the conditions. If a web request doesn't match all the conditions in any rule in the web ACL, the value of **Matches rule** is **Default**.  
Note that when a web request matches all the conditions in a rule and the action for that rule is **Count**, AWS WAF Classic continues inspecting the web request based on subsequent rules in the web ACL. In this case, a web request could appear twice in the list of sampled requests: once for the rule that has an action of **Count** and again for a subsequent rule or for the default action.  
**Action**  
Indicates whether the action for the corresponding rule is **Allow**, **Block**, or **Count**.  
**Time**  
The time that AWS WAF Classic received the request from API Gateway, CloudFront or your Application Load Balancer.

1. To display additional information about the request, choose the arrow on the left side of the IP address for that request. AWS WAF Classic displays the following information:  
**Source IP**  
The same IP address as the value in the **Source IP** column in the table.  
**Country**  
The two-letter country code of the country that the request originated from. If the viewer used an HTTP proxy or an Application Load Balancer to send the request, this is the two-letter country code of the country that the HTTP proxy or an Application Load Balancer is in.  
For a list of two-letter country codes and the corresponding country names, see the Wikipedia entry [ISO 3166-1 alpha-2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2).  
**Method**  
The HTTP request method for the request: `GET`, `HEAD`, `OPTIONS`, `PUT`, `POST`, `PATCH`, or `DELETE`.   
**URI**  
The same URI as the value in the **URI** column in the table.  
**Request headers**  
The request headers and header values in the request.

1. To refresh the list of sample requests, choose **Get new samples**.
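
The inspection order described under "Counting the web requests that match the rules in a web ACL", and the reason one request can appear twice in the **Sampled requests** table, can be modelled offline. The following Python sketch is an added example, not AWS code or part of the original documentation; the rule names, request fields, and sample requests are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    name: str
    conditions: list   # predicates over a request dict; ALL must match
    action: str        # "ALLOW", "BLOCK" or "COUNT"

    def matches(self, request):
        return all(cond(request) for cond in self.conditions)

def ip_in(cidr):
    net = ip_network(cidr)
    return lambda req: ip_address(req["source_ip"]) in net

def uri_starts_with(prefix):
    return lambda req: req["uri"].startswith(prefix)

def evaluate(rules, default_action, request):
    """Return (final_action, entries). Each entry is a (matches_rule, action)
    pair, one per row the request could occupy in the Sampled requests table."""
    entries = []
    for rule in rules:                      # inspected in web ACL order
        if not rule.matches(request):
            continue
        entries.append((rule.name, rule.action))
        if rule.action != "COUNT":          # Allow or Block ends inspection
            return rule.action, entries
    entries.append(("Default", default_action))   # no terminating rule matched
    return default_action, entries

def count_mode_report(rules, requests):
    """Stage every rule as COUNT with default ALLOW (the recommended starting
    configuration) and tally how many requests each rule would have matched."""
    staged = [Rule(r.name, r.conditions, "COUNT") for r in rules]
    counts = {r.name: 0 for r in rules}
    for req in requests:
        _, entries = evaluate(staged, "ALLOW", req)
        for name, action in entries:
            if action == "COUNT":
                counts[name] += 1
    return counts

# Constructed web ACL (hypothetical rule names), in inspection order.
ACL_RULES = [
    Rule("count-admin-paths", [uri_starts_with("/admin")], "COUNT"),
    Rule("block-test-net", [ip_in("192.0.2.0/24")], "BLOCK"),
    Rule("allow-health", [uri_starts_with("/health")], "ALLOW"),
]
# Constructed requests using documentation-reserved IP ranges.
REQUESTS = [
    {"source_ip": "192.0.2.10", "uri": "/admin/login"},
    {"source_ip": "198.51.100.7", "uri": "/admin/users"},
    {"source_ip": "198.51.100.7", "uri": "/images/daily-ad.jpg"},
    {"source_ip": "192.0.2.10", "uri": "/health"},
]

if __name__ == "__main__":
    for req in REQUESTS:
        print(req["source_ip"], req["uri"], evaluate(ACL_RULES, "ALLOW", req))
    print(count_mode_report(ACL_RULES, REQUESTS))
```

The last constructed request shows why rule order matters: `block-test-net` precedes `allow-health`, so the `/health` request from that range is blocked before the allow rule is reached. The count-mode tally still records one match for `allow-health`, which is the kind of overlap to resolve before changing rules from **Count** to **Allow** or **Block**.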