**Introducing a new console experience for AWS WAF**
You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the console](https://docs.aws.amazon.com/waf/latest/developerguide/working-with-console.html).
# Using logical rule statements in AWS WAF
This section explains what a logical rule statement is and how it works.
Use logical rules statements to combine other statements or negate their results. Every logical rule statement takes at least one nested statement.
To logically combine or negate rule statement results, you nest the statements under logical rule statements.
Logical rules statements are nestable. You can nest them inside other logical rule statements and use them in scope-down statements. For information about scope-down statements, see [Using scope-down statements in AWS WAF](waf-rule-scope-down-statements.md).
**Note**
The visual editor on the console supports one level of rule statement nesting, which works for many needs. To nest more levels, edit the JSON representation of the rule on the console or use the APIs.
This table describes the logical rule statements and provides guidelines for calculating protection pack (web ACL) capacity units (WCU) usage for each. For information about WCUs, see [Web ACL capacity units (WCUs) in AWS WAF](aws-waf-capacity-units.md).
| Logical Statement | Description | WCUs |
| --- | --- | --- |
| [AND logic](waf-rule-statement-type-and.md) | Combines nested statements with AND logic. | Based on nested statements |
| [NOT logic](waf-rule-statement-type-not.md) | Negates the results of a nested statement. | Based on nested statement |
| [OR logic](waf-rule-statement-type-or.md) | Combines nested statements with OR logic. | Based on nested statements |
# AND rule statement
The AND rule statement combines nested statements with a logical AND operation, so all nested statements must match for the AND statement to match. This requires at least two nested statements.
## Rule statement characteristics
**Nestable** – You can nest this statement type.
**WCUs** – Depends on the nested statements.
## Where to find this rule statement
+ **Rule builder** on the console – For **If a request**, choose **matches all the statements (AND)**, and then fill in the nested statements.
+ **API** – [AndStatement](https://docs.aws.amazon.com/waf/latest/APIReference/API_AndStatement.html)
## Examples
The following listing shows the use of AND and NOT logical rule statements to eliminate false positives from the matches for an SQL injection attack statement. For this example, suppose we can write a single byte match statement to match the requests that are resulting in false positives.
The AND statement matches for requests that do not match the byte match statement and that do match the SQL injection attack statement.
```
{
"Name": "SQLiExcludeFalsePositives",
"Priority": 0,
"Statement": {
"AndStatement": {
"Statements": [
{
"NotStatement": {
"Statement": {
"ByteMatchStatement": {
"SearchString": "string identifying a false positive",
"FieldToMatch": {
"Body": {
"OversizeHandling": "MATCH"
}
},
"TextTransformations": [
{
"Priority": 0,
"Type": "NONE"
}
],
"PositionalConstraint": "CONTAINS"
}
}
}
},
{
"SqliMatchStatement": {
"FieldToMatch": {
"Body": {
"OversizeHandling": "MATCH"
}
},
"TextTransformations": [
{
"Priority": 0,
"Type": "NONE"
}
]
}
}
]
}
},
"Action": {
"Block": {}
},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "SQLiExcludeFalsePositives"
}
}
```
Using the console rule visual editor, you can nest a non-logical statement or a NOT statement under an OR or AND statement. The nesting of the NOT statement is shown in the prior example.
Using the console rule visual editor, you can nest most nestable statements under a logical rule statement, such as the one shown in the prior example. You can't use the visual editor to nest OR or AND statements. To configure this type of nesting, you need to provide your rule statement in JSON. For example, the following JSON rule listing includes an OR statement nested inside an AND statement.
```
{
"Name": "match_rule",
"Priority": 0,
"Statement": {
"AndStatement": {
"Statements": [
{
"LabelMatchStatement": {
"Scope": "LABEL",
"Key": "awswaf:managed:aws:bot-control:bot:category:monitoring"
}
},
{
"NotStatement": {
"Statement": {
"LabelMatchStatement": {
"Scope": "LABEL",
"Key": "awswaf:managed:aws:bot-control:bot:name:pingdom"
}
}
}
},
{
"OrStatement": {
"Statements": [
{
"GeoMatchStatement": {
"CountryCodes": [
"JM",
"JP"
]
}
},
{
"ByteMatchStatement": {
"SearchString": "JCountryString",
"FieldToMatch": {
"Body": {}
},
"TextTransformations": [
{
"Priority": 0,
"Type": "NONE"
}
],
"PositionalConstraint": "CONTAINS"
}
}
]
}
}
]
}
},
"Action": {
"Block": {}
},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "match_rule"
}
}
```
# NOT rule statement
The NOT rule statement logically negates the results of a single nested statement, so the nested statements must not match for the NOT statement to match, and vice versa. This requires one nested statement.
For example, if you want to block requests that don't originate in a specific country, create a NOT statement with action set to block, and nest a geographic match statement that specifies the country.
## Rule statement characteristics
**Nestable** – You can nest this statement type.
**WCUs** – Depends on the nested statement.
## Where to find this rule statement
+ **Rule builder** on the console – For **If a request**, choose **doesn't match the statement (NOT)**, and then fill in the nested statement.
+ **API** – [NotStatement](https://docs.aws.amazon.com/waf/latest/APIReference/API_NotStatement.html)
# OR rule statement
The OR rule statement combines nested statements with OR logic, so one of the nested statements must match for the OR statement to match. This requires at least two nested statements.
For example, if you want to block requests that come from a specific country or that contain a specific query string, you could create an OR statement and nest in it a geo match statement for the country and a string match statement for the query string.
If instead you want to block requests that *don't* come from a specific country or that contain a specific query string, you would modify the previous OR statement to nest the geo match statement one level lower, inside a NOT statement. This level of nesting requires you to use the JSON formatting, because the console supports only one level of nesting.
## Rule statement characteristics
**Nestable** – You can nest this statement type.
**WCUs** – Depends on the nested statements.
## Where to find this rule statement
+ **Rule builder** on the console – For **If a request**, choose **matches at least one of the statements (OR)**, and then fill in the nested statements.
+ **API** – [OrStatement](https://docs.aws.amazon.com/waf/latest/APIReference/API_OrStatement.html)
**Examples**
The following listing shows the use of OR to combine two other statements. The OR statement is a match if either of the nested statements match.
```
{
"Name": "neitherOfTwo",
"Priority": 1,
"Action": {
"Block": {}
},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "neitherOfTwo"
},
"Statement": {
"OrStatement": {
"Statements": [
{
"GeoMatchStatement": {
"CountryCodes": [
"CA"
]
}
},
{
"IPSetReferenceStatement": {
"ARN": "arn:aws:wafv2:us-east-1:111111111111:regional/ipset/test-ip-set-22222222/33333333-4444-5555-6666-777777777777"
}
}
]
}
}
}
```
Using the console rule visual editor, you can nest most nestable statements under a logical rule statement, but you can't use the visual editor to nest OR or AND statements. To configure this type of nesting, you need to provide your rule statement in JSON. For example, the following JSON rule listing includes an OR statement nested inside an AND statement.
```
{
"Name": "match_rule",
"Priority": 0,
"Statement": {
"AndStatement": {
"Statements": [
{
"LabelMatchStatement": {
"Scope": "LABEL",
"Key": "awswaf:managed:aws:bot-control:bot:category:monitoring"
}
},
{
"NotStatement": {
"Statement": {
"LabelMatchStatement": {
"Scope": "LABEL",
"Key": "awswaf:managed:aws:bot-control:bot:name:pingdom"
}
}
}
},
{
"OrStatement": {
"Statements": [
{
"GeoMatchStatement": {
"CountryCodes": [
"JM",
"JP"
]
}
},
{
"ByteMatchStatement": {
"SearchString": "JCountryString",
"FieldToMatch": {
"Body": {}
},
"TextTransformations": [
{
"Priority": 0,
"Type": "NONE"
}
],
"PositionalConstraint": "CONTAINS"
}
}
]
}
}
]
}
},
"Action": {
"Block": {}
},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "match_rule"
}
}
```