Differences between Advanced rule policy and Legacy rule policy
Overview
Advanced rule policy and Legacy rule policy have different rule structures and available features. This article explains the differences between each rule policy.
Comparison table
Features | Advanced rule policy | Legacy rule policy
---|---|---
Rule structures | Regular expressions (regex); Rate-based rules (*); Geo-match rules (*); Bot rules (*). (*) If configured in the WafCharm Console. | Regular expression (default) rules
Denylist feature: Dynamic denylist (signature re-matching) | Available by enabling WAF log integration (new method) | Available by enabling access log retrieval
Denylist feature: IP reputation | Available | Available
Denylist feature: Manual denylist | Available by adding IP addresses from the rule configuration page | Available by adding IP addresses from the rule configuration page
Allowlist feature: Manual allowlist | Available by adding IP addresses from the rule configuration page | Available by adding IP addresses from the rule configuration page
Rule configuration, IP address: Allowlist, Denylist | Configuration is available from registration/edit pages | Configuration is available from registration/edit pages
Rule configuration, IP address: IP address to use (this setting determines whether IP addresses in a specific header should be inspected) | Configuration is available from registration/edit pages | Configuration is available from registration/edit pages
Rule configuration, IP address: Change the rule action of the Dynamic denylist rule (this rule contains the Dynamic denylist (signature re-matching) feature and the IP reputation feature) | Configuration is available from registration/edit pages | Configuration is not available from registration/edit pages
Rule configuration: Rate-based rules | Configuration is available from registration/edit pages | Configuration is not available from registration/edit pages
Rule configuration: Geo-match rules | Configuration is available from registration/edit pages | Configuration is not available from registration/edit pages
Rule configuration: Bot rules | Configuration is available from registration/edit pages | Configuration is not available from registration/edit pages
Rule configuration: Regular expressions | Configuration is available from registration/edit pages | Configuration is not available from registration/edit pages
Access log retrieval | Not applicable | Required (except for API Gateway)
WAF log retrieval (new method) | Available if the WAF log destination is set to an S3 bucket | Available if the WAF log destination is set to an S3 bucket or Data Firehose
WAF log transfer (old method) | Not applicable | Available if the WAF log destination is set to an S3 bucket or Data Firehose
Monthly report | Available by enabling WAF log integration (new method) | Available by enabling WAF log integration (new or old method)
WAF log alert config | Available by enabling WAF log integration (new method) | Available by enabling WAF log integration (new or old method)
WAF log search | Available by enabling WAF log integration (new method) | Available by enabling WAF log integration (new method)
Detection status (dashboard feature) | Available by enabling WAF log integration (new method) | Available by enabling WAF log integration (new method)
Notes
- [IP address to use (Specific header)] is the option to select when you want to inspect IP addresses carried in a specific header. If you choose the Specific header option, the behaviour differs by rule policy:
  - Advanced rule policy: the IP addresses in the specified header are used by the dynamic denylist (signature re-matching) feature.
  - Legacy rule policy: the dynamic denylist (signature re-matching) feature is disabled.
- For more details, please see the page "About the [IP address to use] option for AWS WAF v2".