WAF System Bypass Rules
WAF System Bypass Rules are available on Enterprise and Pro plans
While Vercel's system-level mitigations (such as DDoS protection) safeguard your websites and applications, it can happen that they block traffic from legitimate sources like proxies or shared networks in situations where traffic from these sources was identified as malicious.
You can ensure that specific IP addresses or CIDR ranges are never blocked by the Vercel Firewall's system mitigations with System Bypass Rules.
If you need to allow requests blocked by your own WAF Custom Rules, use another custom rule with a bypass action.
To add an IP address that should bypass system mitigations, navigate to the Firewall tab of your project and follow these steps:
- Select Configure on the top right of the Firewall overview page
- Scroll down to the System Bypass Rules section
- Select the + Add Rule button
- Complete the following fields in the Configure New System Bypass modal:
- IP Address Or CIDR (required)
- Domain (required): The domain connected to the project or use *to specify all domains connected to a project
- Note: For future reference
 
- Select the Create System Bypass button
- Apply the changes:
- When you make any change, you will see a Review Changes button appear or update on the top right with the number of changes requested
- Select Review Changes and review the changes to be applied
- Select Publish to apply the changes to your production deployment
 
System Bypass Rules have limits based on your account plan.
| Resource | Hobby | Pro | Enterprise | 
|---|---|---|---|
| Number of system bypass rules per project | N/A | 25 | 100 | 
Was this helpful?