How rule and rule group actions are handled in a web ACL - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

How rule and rule group actions are handled in a web ACL

When you configure your rules and rule groups, you choose how you want AWS WAF to handle matching web requests:

  • Allow and Block are terminating actions – Allow and Block actions stop all other processing of the web ACL on the matching web request. If a rule in a web ACL finds a match for a request and the rule action is Allow or Block, that match determines the final disposition of the web request for the web ACL. AWS WAF doesn't process any other rules in the web ACL that come after the matching one. This is true for rules that you add directly to the web ACL and rules that are inside an added rule group. With the Block action, the protected resource doesn't receive or process the web request.

  • Count is a non-terminating action – When a rule with a Count action matches a request, AWS WAF counts the request, then continues processing the rules that follow in the web ACL rule set.

  • CAPTCHA and Challenge can be non-terminating or terminating actions – When a rule with one of these actions matches a request, AWS WAF checks its token status. If the request has a valid token, AWS WAF treats the match similar to a Count match, and then continues processing the rules that follow in the web ACL rule set. If the request doesn't have a valid token, AWS WAF terminates the evaluation and sends the client a CAPTCHA puzzle or silent background client session challenge to solve.

If the rule evaluation doesn't result in any terminating action, then AWS WAF applies the web ACL default action to the request.

The actions that AWS WAF applies to a web request are affected by the numeric priority settings of the rules in the web ACL. For example, say that your web ACL has a rule that has Allow action and a numeric priority of 50 and another rule that has Count action and a numeric priority of 100. AWS WAF evaluates the rules in a web ACL in the order of their priority, starting from the lowest setting, so it will evaluate the allow rule before the count rule. If you have a web request that matches both rules, it will match the allow rule first. Since Allow is a terminating action, AWS WAF will stop the evaluation at this match and won't evaluate the request againt the count rule. If you want count metrics from the count rule even for requests that match the allow rule, you'd need to give the count rule a lower numeric priority setting than the allow rule, so that it runs first. For more information about priority settings, see Processing order of rules and rule groups in a web ACL.

In your web ACL, you can override the action settings for rules inside a rule group and you can override the action that's returned by a rule group. For information, see Action overrides in rule groups.