**Introducing a new console experience for AWS WAF**

You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the console](https://docs.aws.amazon.com/waf/latest/developerguide/working-with-console.html). 

# Working with web ACLs
<a name="classic-web-acl-working-with"></a>

**Warning**  
AWS WAF Classic is is going through a planned end-of-life process. Refer to your AWS Health dashboard for the milestones and dates specific to your Region.

**Note**  
This is **AWS WAF Classic** documentation. You should only use this version if you created AWS WAF resources, like rules and web ACLs, in AWS WAF prior to November 2019, and you have not migrated them over to the latest version yet. To migrate your web ACLs, see [Migrating your AWS WAF Classic resources to AWS WAF](waf-migrating-from-classic.md).  
**For the latest version of AWS WAF**, see [AWS WAF](waf-chapter.md). 

When you add rules to a web ACL, you specify whether you want AWS WAF Classic to allow or block requests based on the conditions in the rules. If you add more than one rule to a web ACL, AWS WAF Classic evaluates each request against the rules in the order that you list them in the web ACL. When a web request matches all the conditions in a rule, AWS WAF Classic immediately takes the corresponding action—allow or block—and doesn't evaluate the request against the remaining rules in the web ACL, if any. 

If a web request doesn't match any of the rules in a web ACL, AWS WAF Classic takes the default action that you specified for the web ACL. For more information, see [Deciding on the default action for a Web ACL](classic-web-acl-default-action.md).

If you want to test a rule before you start using it to allow or block requests, you can configure AWS WAF Classic to count the web requests that match the conditions in the rule. For more information, see [Testing web ACLs](classic-web-acl-testing.md).

**Topics**
+ [Deciding on the default action for a Web ACL](classic-web-acl-default-action.md)
+ [Creating a Web ACL](classic-web-acl-creating.md)
+ [Associating or disassociating a Web ACL with an Amazon API Gateway API, a CloudFront distribution or an Application Load Balancer](classic-web-acl-associating-cloudfront-distribution.md)
+ [Editing a Web ACL](classic-web-acl-editing.md)
+ [Deleting a Web ACL](classic-web-acl-deleting.md)
+ [Testing web ACLs](classic-web-acl-testing.md)

# Deciding on the default action for a Web ACL
<a name="classic-web-acl-default-action"></a>

**Warning**  
AWS WAF Classic is is going through a planned end-of-life process. Refer to your AWS Health dashboard for the milestones and dates specific to your Region.

**Note**  
This is **AWS WAF Classic** documentation. You should only use this version if you created AWS WAF resources, like rules and web ACLs, in AWS WAF prior to November 2019, and you have not migrated them over to the latest version yet. To migrate your web ACLs, see [Migrating your AWS WAF Classic resources to AWS WAF](waf-migrating-from-classic.md).  
**For the latest version of AWS WAF**, see [AWS WAF](waf-chapter.md). 

When you create and configure a web ACL, the first and most important decision that you must make is whether the default action should be for AWS WAF Classic to allow web requests or to block web requests. The default action indicates what you want AWS WAF Classic to do after it inspects a web request for all the conditions that you specify, and the web request doesn't match any of those conditions:
+ **Allow** – If you want to allow most users to access your website, but you want to block access to attackers whose requests originate from specified IP addresses, or whose requests appear to contain malicious SQL code or specified values, choose **Allow** for the default action.
+ **Block** – If you want to prevent most would-be users from accessing your website, but you want to allow access to users whose requests originate from specified IP addresses, or whose requests contain specified values, choose **Block** for the default action.

Many decisions that you make after you've decided on a default action depend on whether you want to allow or block most web requests. For example, if you want to *allow* most requests, then the match conditions that you create generally should specify the web requests that you want to *block*, such as the following:
+ Requests that originate from IP addresses that are making an unreasonable number of requests
+ Requests that originate from countries that either you don't do business in or are the frequent source of attacks
+ Requests that include fake values in the **User-Agent** header
+ Requests that appear to include malicious SQL code

# Creating a Web ACL
<a name="classic-web-acl-creating"></a>

**Warning**  
AWS WAF Classic is is going through a planned end-of-life process. Refer to your AWS Health dashboard for the milestones and dates specific to your Region.

**Note**  
This is **AWS WAF Classic** documentation. You should only use this version if you created AWS WAF resources, like rules and web ACLs, in AWS WAF prior to November 2019, and you have not migrated them over to the latest version yet. To migrate your web ACLs, see [Migrating your AWS WAF Classic resources to AWS WAF](waf-migrating-from-classic.md).  
**For the latest version of AWS WAF**, see [AWS WAF](waf-chapter.md). <a name="classic-web-acl-creating-procedure"></a>

**To create a web ACL**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. If this is your first time using AWS WAF Classic, choose **Go to AWS WAF Classic** and then **Configure Web ACL**. If you've used AWS WAF Classic before, choose **Web ACLs** in the navigation pane, and then choose **Create web ACL**.

1. For **Web ACL name**, enter a name. 
**Note**  
You can't change the name after you create the web ACL.

1. For **CloudWatch metric name**, change the default name if applicable. The name can contain only alphanumeric characters (A-Z, a-z, 0-9), with maximum length 128 and minimum length one. It can't contain white space or metric names reserved for AWS WAF Classic, including "All" and "Default\$1Action."
**Note**  
You can't change the name after you create the web ACL.

1. For **Region**, choose a Region.

1.  For **AWS resource**, choose the resource that you want to associate with this web ACL, and then choose **Next**.

1. If you've already created the conditions that you want AWS WAF Classic to use to inspect your web requests, choose **Next**, and then continue to the next step.

   If you haven't already created conditions, do so now. For more information, see the following topics:
   + [Working with cross-site scripting match conditions](classic-web-acl-xss-conditions.md)
   + [Working with IP match conditions](classic-web-acl-ip-conditions.md)
   + [Working with geographic match conditions](classic-web-acl-geo-conditions.md)
   + [Working with size constraint conditions](classic-web-acl-size-conditions.md)
   + [Working with SQL injection match conditions](classic-web-acl-sql-conditions.md)
   + [Working with string match conditions](classic-web-acl-string-conditions.md)
   + [Working with regex match conditions](classic-web-acl-regex-conditions.md)

1. If you've already created the rules or rule groups (or subscribed to an AWS Marketplace rule group) that you want to add to this web ACL, add the rules to the web ACL:

   1. In the **Rules** list, choose a rule.

   1. Choose **Add rule to web ACL**.

   1. Repeat steps a and b until you've added all the rules that you want to add to this web ACL.

   1. Go to step 10.

1. If you haven't created rules yet, you can add rules now:

   1. Choose **Create rule**.

   1. Enter the following values:  
**Name**  
Enter a name.  
**CloudWatch metric name**  
Enter a name for the CloudWatch metric that AWS WAF Classic will create and will associate with the rule. The name can contain only alphanumeric characters (A-Z, a-z, 0-9), with maximum length 128 and minimum length one. It can't contain white space or metric names reserved for AWS WAF Classic, including "All" and "Default\$1Action."  
You can't change the metric name after you create the rule.

   1. To add a condition to the rule, specify the following values:   
**When a request does/does not**  
If you want AWS WAF Classic to allow or block requests based on the filters in a condition, for example, web requests that originate from the range of IP addresses 192.0.2.0/24, choose **does**.  
If you want AWS WAF Classic to allow or block requests based on the inverse of the filters in a condition, choose **does not**. For example, if an IP match condition includes the IP address range 192.0.2.0/24 and you want AWS WAF Classic to allow or block requests that *do not* come from those IP addresses, choose **does not**.  
**match/originate from**  
Choose the type of condition that you want to add to the rule:  
      + Cross-site scripting match conditions – choose **match at least one of the filters in the cross-site scripting match condition**
      + IP match conditions – choose **originate from an IP address in**
      + Geo match conditions – choose **originate from a geographic location in**
      + Size constraint conditions – choose **match at least one of the filters in the size constraint condition**
      + SQL injection match conditions – choose **match at least one of the filters in the SQL injection match condition**
      + String match conditions – choose **match at least one of the filters in the string match condition**
      + Regex match conditions – choose **match at least one of the filters in the regex match condition**  
**condition name**  
Choose the condition that you want to add to the rule. The list displays only conditions of the type that you chose in the preceding list.

   1. To add another condition to the rule, choose **Add another condition**, and then repeat steps b and c. Note the following:
      + If you add more than one condition, a web request must match at least one filter in every condition for AWS WAF Classic to allow or block requests based on that rule. 
      + If you add two IP match conditions to the same rule, AWS WAF Classic will only allow or block requests that originate from IP addresses that appear in both IP match conditions. 

   1. Repeat step 9 until you've created all the rules that you want to add to this web ACL. 

   1. Choose **Create**.

   1. Continue with step 10.

1. For each rule or rule group in the web ACL, choose the kind of management you want AWS WAF Classic to provide, as follows: 
   + For each rule, choose whether you want AWS WAF Classic to allow, block, or count web requests based on the conditions in the rule:
     + **Allow** – API Gateway, CloudFront or an Application Load Balancer responds with the requested object. In the case of CloudFront, if the object isn't in the edge cache, CloudFront forwards the request to the origin.
     + **Block** – API Gateway, CloudFront or an Application Load Balancer responds to the request with an HTTP 403 (Forbidden) status code. CloudFront also can respond with a custom error page. For more information, see [Using AWS WAF Classic with CloudFront custom error pages](classic-cloudfront-features.md#classic-cloudfront-features-custom-error-pages).
     + **Count** – AWS WAF Classic increments a counter of requests that match the conditions in the rule, and then continues to inspect the web request based on the remaining rules in the web ACL. 

       For information about using **Count** to test a web ACL before you start to use it to allow or block web requests, see [Counting the web requests that match the rules in a web ACL](classic-web-acl-testing.md#classic-web-acl-testing-count). 
   + For each rule group, set the override action for the rule group: 
     + **No override** – Causes the actions of the individual rules within the rule group to be used.
     + **Override to count** – Overrides any block actions that are specifieid by individual rules in the group, so that all matching requests are only counted. 

     For more information, see [Rule group override](classic-waf-managed-rule-groups.md#classic-waf-managed-rule-group-override).

1. If you want to change the order of the rules in the web ACL, use the arrows in the **Order** column. AWS WAF Classic inspects web requests based on the order in which rules appear in the web ACL. 

1. If you want to remove a rule that you added to the web ACL, choose the **x** in the row for the rule.

1. Choose the default action for the web ACL. This is the action that AWS WAF Classic takes when a web request doesn't match the conditions in any of the rules in this web ACL. For more information, see [Deciding on the default action for a Web ACL](classic-web-acl-default-action.md).

1. Choose **Review and create**.

1. Review the settings for the web ACL, and choose **Confirm and create**.

# Associating or disassociating a Web ACL with an Amazon API Gateway API, a CloudFront distribution or an Application Load Balancer
<a name="classic-web-acl-associating-cloudfront-distribution"></a>

**Warning**  
AWS WAF Classic is is going through a planned end-of-life process. Refer to your AWS Health dashboard for the milestones and dates specific to your Region.

**Note**  
This is **AWS WAF Classic** documentation. You should only use this version if you created AWS WAF resources, like rules and web ACLs, in AWS WAF prior to November 2019, and you have not migrated them over to the latest version yet. To migrate your web ACLs, see [Migrating your AWS WAF Classic resources to AWS WAF](waf-migrating-from-classic.md).  
**For the latest version of AWS WAF**, see [AWS WAF](waf-chapter.md). 

To associate or disassociate a web ACL, perform the applicable procedure. Note that you also can associate a web ACL with a CloudFront distribution when you create or update the distribution. For more information, see [Using AWS WAF Classic to Control Access to Your Content](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-awswaf.html) in the *Amazon CloudFront Developer Guide*.

The following restrictions apply when associating a web ACL:
+ Each API Gateway API, Application Load Balancer and CloudFront distribution can be associated with only one web ACL.
+ Web ACLs associated with a CloudFront distribution cannot be associated with an Application Load Balancer or API Gateway API. The web ACL can, however, be associated with other CloudFront distributions.

**To associate a web ACL with an API Gateway API, CloudFront distribution or Application Load Balancer**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **Web ACLs**.

1. Choose the name of the web ACL that you want to associate with an API Gateway API, CloudFront distribution or Application Load Balancer. This opens a page with the web ACL's details in the right pane. 

1. On the **Rules** tab, under **AWS resources using this web ACL**, choose **Add association**.

1. When prompted, use the **Resource** list to choose the API Gateway API, CloudFront distribution or Application Load Balancer that you want to associate this web ACL with. If you choose an Application Load Balancer, you also must specify a Region.

1. Choose **Add**.

1. To associate this web ACL with an additional API Gateway API, CloudFront distribution or another Application Load Balancer, repeat steps 4 through 6.<a name="classic-web-acl-disassociating-cloudfront-distribution-procedure"></a>

**To disassociate a web ACL from an API Gateway API, CloudFront distribution or Application Load Balancer**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **Web ACLs**.

1. Choose the name of the web ACL that you want to disassociate from an API Gateway API, CloudFront distribution or Application Load Balancer. This opens a page with the web ACL's details in the right pane. 

1. On the **Rules** tab, under **AWS resources using this web ACL**, choose the **x** for each API Gateway API, CloudFront distribution or Application Load Balancer that you want to disassociate this web ACL from.

# Editing a Web ACL
<a name="classic-web-acl-editing"></a>

**Warning**  
AWS WAF Classic is is going through a planned end-of-life process. Refer to your AWS Health dashboard for the milestones and dates specific to your Region.

**Note**  
This is **AWS WAF Classic** documentation. You should only use this version if you created AWS WAF resources, like rules and web ACLs, in AWS WAF prior to November 2019, and you have not migrated them over to the latest version yet. To migrate your web ACLs, see [Migrating your AWS WAF Classic resources to AWS WAF](waf-migrating-from-classic.md).  
**For the latest version of AWS WAF**, see [AWS WAF](waf-chapter.md). 

To add or remove rules from a web ACL or change the default action, perform the following procedure. <a name="classic-web-acl-editing-procedure"></a>

**To edit a web ACL**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **Web ACLs**.

1. Choose the name of the web ACL that you want to edit. This opens a page with the web ACL's details in the right pane.

1. On the **Rules** tab in the right pane, choose **Edit web ACL**.

1. To add rules to the web ACL, perform the following steps:

   1. In the **Rules** list, choose the rule that you want to add. 

   1. Choose **Add rule to web ACL**.

   1. Repeat steps a and b until you've added all the rules that you want.

1. If you want to change the order of the rules in the web ACL, use the arrows in the **Order** column. AWS WAF Classic inspects web requests based on the order in which rules appear in the web ACL. 

1. To remove a rule from the web ACL, choose the **x** at the right of the row for that rule. This doesn't delete the rule from AWS WAF Classic, it just removes the rule from this web ACL.

1. To change the action for a rule or the default action for the web ACL, choose the preferred option.
**Note**  
When setting the action for a rule group or an AWS Marketplace rule group (as opposed to a single rule), the action you set for the rule group (either **No override** or **Override to count**) is called the override action. For more information, see [Rule group override](classic-waf-managed-rule-groups.md#classic-waf-managed-rule-group-override)

1. Choose **Save changes**.

# Deleting a Web ACL
<a name="classic-web-acl-deleting"></a>

**Warning**  
AWS WAF Classic is is going through a planned end-of-life process. Refer to your AWS Health dashboard for the milestones and dates specific to your Region.

**Note**  
This is **AWS WAF Classic** documentation. You should only use this version if you created AWS WAF resources, like rules and web ACLs, in AWS WAF prior to November 2019, and you have not migrated them over to the latest version yet. To migrate your web ACLs, see [Migrating your AWS WAF Classic resources to AWS WAF](waf-migrating-from-classic.md).  
**For the latest version of AWS WAF**, see [AWS WAF](waf-chapter.md). 

**Important**  
Deleting a web ACL is permanent and can't be undone. If the selected web ACL contains any rules or is associated with any CloudFront distributions, Application load balancer or API Gateway, remove the rules and associations before deleting. Otherwise, the delete will fail.

To delete a web ACL, you must remove the rules that are included in the web ACL and disassociate all CloudFront distributions and Application Load Balancers from the web ACL. Perform the following procedure.<a name="classic-web-acl-deleting-procedure"></a>

**To delete a web ACL**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose **Web ACLs**.

1. Choose the name of the web ACL that you want to delete. This opens a page with the web ACL's details in the right pane.
**Note**  
If you don't see the web ACL, make sure the Region selection is correct. Web ACLs that protect Amazon CloudFront distributions are in **Global (CloudFront)**.

1. On the **Rules** tab in the right pane, choose **Edit web ACL**.

1. To remove all rules from the web ACL, choose the **x** at the right of the row for each rule. This doesn't delete the rules from AWS WAF Classic, it just removes the rules from this web ACL.

1. Choose **Update**.

1. Disassociate the web ACL from all CloudFront distributions and Application Load Balancers. On the **Rules** tab, under **AWS resources using this web ACL**, choose the **x** for each API Gateway API, CloudFront distribution or Application Load Balancer.

1. On the **Web ACLs** page, confirm that the web ACL that you want to delete is selected, and then choose **Delete**.

# Testing web ACLs
<a name="classic-web-acl-testing"></a>

**Warning**  
AWS WAF Classic is is going through a planned end-of-life process. Refer to your AWS Health dashboard for the milestones and dates specific to your Region.

**Note**  
This is **AWS WAF Classic** documentation. You should only use this version if you created AWS WAF resources, like rules and web ACLs, in AWS WAF prior to November 2019, and you have not migrated them over to the latest version yet. To migrate your web ACLs, see [Migrating your AWS WAF Classic resources to AWS WAF](waf-migrating-from-classic.md).  
**For the latest version of AWS WAF**, see [AWS WAF](waf-chapter.md). 

To ensure that you don't accidentally configure AWS WAF Classic to block web requests that you want to allow or allow requests that you want to block, we recommend that you test your web ACL thoroughly before you start using it on your website or web application. 

**Topics**
+ [Counting the web requests that match the rules in a web ACL](#classic-web-acl-testing-count)
+ [Viewing a sample of the web requests that API Gateway CloudFront or an Application Load Balancer has forwarded to AWS WAF Classic](#classic-web-acl-testing-view-sample)

## Counting the web requests that match the rules in a web ACL
<a name="classic-web-acl-testing-count"></a>

When you add rules to a web ACL, you specify whether you want AWS WAF Classic to allow, block, or count the web requests that match all the conditions in that rule. We recommend that you begin with the following configuration:
+ Configure all the rules in a web ACL to count web requests
+ Set the default action for the web ACL to allow requests

In this configuration, AWS WAF Classic inspects each web request based on the conditions in the first rule. If the web request matches all the conditions in that rule, AWS WAF Classic increments a counter for that rule. Then AWS WAF Classic inspects the web request based on the conditions in the next rule. If the request matches all the conditions in that rule, AWS WAF Classic increments a counter for the rule. This continues until AWS WAF Classic has inspected the request based on the conditions in all of your rules. 

After you've configured all the rules in a web ACL to count requests and associated the web ACL with an Amazon API Gateway API, CloudFront distribution or Application Load Balancer, you can view the resulting counts in an Amazon CloudWatch graph. For each rule in a web ACL and for all the requests that API Gateway, CloudFront or an Application Load Balancer forwards to AWS WAF Classic for a web ACL, CloudWatch lets you:
+ View data for the preceding hour or preceding three hours,
+ Change the interval between data points
+ Change the calculation that CloudWatch performs on the data, such as maximum, minimum, average, or sum

**Note**  
AWS WAF Classic with CloudFront is a global service and metrics are available only when you choose the **US East (N. Virginia) Region** in the AWS Management Console. If you choose another region, no AWS WAF Classic metrics will appear in the CloudWatch console.<a name="classic-web-acl-testing-count-procedure"></a>

**To view data for the rules in a web ACL**

1. Sign in to the AWS Management Console and open the CloudWatch console at [https://console.aws.amazon.com/cloudwatch/](https://console.aws.amazon.com/cloudwatch/).

1. In the navigation pane, under **Metrics**, choose **WAF**.

1. Select the check box for the web ACL that you want to view data for.

1. Change the applicable settings:  
**Statistic**  
Choose the calculation that CloudWatch performs on the data.  
**Time range**  
Choose whether you want to view data for the preceding hour or the preceding three hours.  
**Period**  
Choose the interval between data points in the graph.  
**Rules**  
Choose the rules for which you want to view data.

   Note the following:
   + If you just associated a web ACL with an API Gateway API, CloudFront distribution or Application Load Balancer, you might need to wait a few minutes for data to appear in the graph and for the metric for the web ACL to appear in the list of available metrics.
   + If you associate more than one API Gateway API, CloudFront distribution or Application Load Balancer with a web ACL, the CloudWatch data will include all the requests for all the distributions that are associated with the web ACL.
   + You can hover the mouse cursor over a data point to get more information.
   + The graph doesn't refresh itself automatically. To update the display, choose the refresh (![\[Icon to refresh the Amazon CloudWatch graph\]](http://docs.aws.amazon.com/waf/latest/developerguide/images/cloudwatch-refresh-icon.png)) icon.

1. (Optional) View detailed information about individual requests that API Gateway CloudFront or an Application Load Balancer has forwarded to AWS WAF Classic. For more information, see [Viewing a sample of the web requests that API Gateway CloudFront or an Application Load Balancer has forwarded to AWS WAF Classic](#classic-web-acl-testing-view-sample).

1. If you determine that a rule is intercepting requests that you don't want it to intercept, change the applicable settings. For more information, see [Creating and configuring a Web Access Control List (Web ACL)](classic-web-acl.md).

   When you're satisfied that all of your rules are intercepting only the correct requests, change the action for each of your rules to **Allow** or **Block**. For more information, see [Editing a Web ACL](classic-web-acl-editing.md).

## Viewing a sample of the web requests that API Gateway CloudFront or an Application Load Balancer has forwarded to AWS WAF Classic
<a name="classic-web-acl-testing-view-sample"></a>

In the AWS WAF Classic console, you can view a sample of the requests that API Gateway CloudFront or an Application Load Balancer has forwarded to AWS WAF Classic for inspection. For each sampled request, you can view detailed data about the request, such as the originating IP address and the headers included in the request. You also can view which rule the request matched, and whether the rule is configured to allow or block requests.

The sample of requests contains up to 100 requests that matched all the conditions in each rule and another 100 requests for the default action, which applies to requests that didn't match all the conditions in any rule. The requests in the sample come from all the API Gateway APIs, CloudFront edge locations or Application Load Balancers that have received requests for your content in the previous 15 minutes.<a name="classic-web-acl-testing-view-sample-procedure"></a>

**To view a sample of the web requests that API Gateway; CloudFront or an Application Load Balancer has forwarded to AWS WAF Classic**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/](https://console.aws.amazon.com/wafv2/). 

   If you see **Switch to AWS WAF Classic** in the navigation pane, select it.

1. In the navigation pane, choose the web ACL for which you want to view requests.

1. In the right pane, choose the **Requests** tab.

   The **Sampled requests** table displays the following values for each request:  
**Source IP**  
Either the IP address that the request originated from or, if the viewer used an HTTP proxy or an Application Load Balancer to send the request, the IP address of the proxy or Application Load Balancer.   
**URI**  
The URI path of the request, which identifies the resource, for example, `/images/daily-ad.jpg`. This doesn't include the query string or fragment components of the URI. For information, see [Uniform Resource Identifier (URI): Generic Syntax](https://tools.ietf.org/html/rfc3986#section-3.3).   
**Matches rule**  
Identifies the first rule in the web ACL for which the web request matched all the conditions. If a web request doesn't match all the conditions in any rule in the web ACL, the value of **Matches rule** is **Default**.  
Note that when a web request matches all the conditions in a rule and the action for that rule is **Count**, AWS WAF Classic continues inspecting the web request based on subsequent rules in the web ACL. In this case, a web request could appear twice in the list of sampled requests: once for the rule that has an action of **Count** and again for a subsequent rule or for the default action.  
**Action**  
Indicates whether the action for the corresponding rule is **Allow**, **Block**, or **Count**.  
**Time**  
The time that AWS WAF Classic received the request from API Gateway, CloudFront or your Application Load Balancer.

1. To display additional information about the request, choose the arrow on the left side of the IP address for that request. AWS WAF Classic displays the following information:  
**Source IP**  
The same IP address as the value in the **Source IP** column in the table.  
**Country**  
The two-letter country code of the country that the request originated from. If the viewer used an HTTP proxy or an Application Load Balancer to send the request, this is the two-letter country code of the country that the HTTP proxy or an Application Load Balancer is in.  
For a list of two-letter country codes and the corresponding country names, see the Wikipedia entry [ISO 3166-1 alpha-2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2).  
**Method**  
The HTTP request method for the request: `GET`, `HEAD`, `OPTIONS`, `PUT`, `POST`, `PATCH`, or `DELETE`.   
**URI**  
The same URI as the value in the **URI** column in the table.  
**Request headers**  
The request headers and header values in the request.

1. To refresh the list of sample requests, choose **Get new samples**.