Loading...
Back

Differences between Advanced rule policy and Legacy rule policy

AWS WAF v2Old PlanNew PlanAdvancedLegacyFeature / Spec.

Overview

Advanced rule policy and Legacy rule policy have different rule structures and available features. This article explains the differences between each rule policy.

Comparison table

Features

Advanced rule policy

Legacy rule policy

Rule structures

Regular expressions (regex)

Rate-based rules (*)

Geo-match rules (*)

Bot rules (*)

*If configured in the WafCharm Console.

Regular expression (default) rules

Denylist feature

Dynamic denylist (signature re-matching) feature

Available by enabling WAF log integration (new method)

Available by enabling access log retrieval

Denylist feature

IP reputation feature

Available

Available

Denylist feature

Manual denylist feature

Available by adding IP addresses from the rule configuration page

Available by adding IP addresses from the rule configuration page

Allowlist feature

Manual allowlist feature

Available by adding IP addresses from the rule configuration page

Available by adding IP addresses from the rule configuration page

Rule configuration

IP address: Allowlist, Denylist

Configuration is available from registration/edit pages

Configuration is available from registration/edit pages

Rule configuration

IP address: IP address to use

*This setting determines whether IP addresses in a specific header should be inspected.

Configuration is available from registration/edit pages

Configuration is available from registration/edit pages

Rule configuration

IP address: Change the rule action of Dynamic denylist rule (*)

*This rule contains the Dynamic denylist (signature re-matching) feature and IP reputation feature.

Configuration is available from registration/edit pages

Configuration is not available from registration/edit pages

Rule configuration

Rate-based rules

Configuration is available from registration/edit pages

Configuration is not available from registration/edit pages

Rule configuration

Geo-match rules

Configuration is available from registration/edit pages

Configuration is not available from registration/edit pages

Rule configuration

Bot rules

Configuration is available from registration/edit pages

Configuration is not available from registration/edit pages

Rule configuration

正規表現

Configuration is available from registration/edit pages

Configuration is not available from registration/edit pages

Access log retrieval

Not Applicable

Required

*Except for API Gateway.

WAF log retrieval (new method)

Available if the WAF log destination is set to the S3 bucket

Available if the WAF log destination is set to the S3 bucket or Data Firehose

WAF log transfer (old method)

Not Applicable

Available if the WAF log destination is set to the S3 bucket or Data Firehose

Monthly report

Available by enabling WAF log integration (new method)

Available by enabling WAF log integration (new or old method)

WAF log alert config

Available by enabling WAF log integration (new method)

Available by enabling WAF log integration (new or old method)

WAF log search

Available by enabling WAF log integration (new method)

Available by enabling WAF log integration (new method)

Detection status (dashboard feature)

Available by enabling WAF log integration (new method)

Available by enabling WAF log integration (new method)

Notes

  • [IP address to use (Specific header)] is an option to select when you want to inspect IP addresses in a specific header. If you choose to use the Specific header option, the following differences apply.
    • For Advanced rule policy: The IP addresses in the specified header will be used in the dynamic denylist (signature re-matching) feature.
    • For Legacy rule policy: The dynamic denylist (signature re-matching) feature will be disabled.
    • For more details, please see the About the [IP address to use] option for AWS WAF v2 page.