Please Run Rate Limiting Last in Your WAF

ljmac1 · July 6, 2025, 10:53am

Type

Product improvement

Description

Benefit

Presently your managed rules run after rate limiting, but this is is inefficient, as a bad request is blocked by your rules immediately, whereas rate limiting requires multiple hits for an IP to be blocked or passed on to your managed rules. In the case of a DDoS, the extra hits from each IP could take a server offline (or at least slow it down) even if the requests are eventually blocked. At present I am working around this by creating custom rules that match your most commonly triggered managed rules, but this is also inefficient, and there doesn’t seem to be any way to replicate your “Anomaly:Header:Accept - Missing or Empty” rule, for example (if there is a way to do this with a custom rule please let me know how!)

Topic		Replies	Views
Rate limiting after SKIP rule in custom rules WAF Rules	4	1390	August 22, 2023
Community Update - [Action required] Deprecation notice for WAF Managed Rules, Firewall Rules, and Rate Limiting Rules What's New waf , CommunityUpdate , DocFeedback	60	7311	May 20, 2025
WAF Rate limiting rules don't seem to work Web Application Firewall	3	1463	October 4, 2022
WAF Doesn't Work To Bypass Rate Limiting Rules (And Many Problems With Rate Limit) Web Application Firewall	3	2061	October 28, 2022
WAF Rate limiting rules: Disappeared rule but works Application Performance	4	874	August 9, 2023

Please Run Rate Limiting Last in Your WAF

Type

Description

Benefit

Related topics