Blocking Malicious Traffic Through IP Address Blacklist or Whitelist Rules

Process

Preparations

1. Before purchasing WAF, create a Huawei account and subscribe to Huawei Cloud. For details, see Registering a HUAWEI ID and Enabling HUAWEI CLOUD Services and Real-Name Authentication.

   If you have enabled Huawei Cloud services and completed real-name authentication, skip this step.

2. Make sure that your account has sufficient balance, or you may fail to pay to your WAF orders.
3. Make sure your account has WAF permissions assigned. For details, see Creating a User Group and Granting Permissions.

   Table 1 System policies supported by WAF

   Role/Policy Name	Description	Category	Dependencies
   WAF Administrator	Administrator permissions for WAF	System-defined role	Dependent on the Tenant Guest and Server Administrator roles. Tenant Guest: A global role, which must be assigned in the global project. Server Administrator: A project-level role, which must be assigned in the same project.
   WAF FullAccess	All permissions for WAF	System-defined policy	None.
   WAF ReadOnlyAccess	Read-only permissions for WAF.	System-defined policy

Step 1: Buy the Standard Edition Cloud WAF

You can use the load balancer access mode only after you purchase the standard, professional, or platinum edition cloud WAF. The following describes how to buy the standard edition cloud WAF.

1. Log in to Huawei Cloud management console.
2. On the management console page, choose Security > Web Application Firewall.
3. In the upper right corner of the page, click Buy WAF. On the purchase page displayed, complete the purchase by referring to configurations below.

   Table 2 Purchase parameters

   Parameter	Example Value	Description
   WAF Mode	Cloud Mode	Cloud mode - CNAME access is supported. Web services deployed on Huawei Cloud, other clouds, or on-premises can be protected. The protected objects are domain names.
   Billing Mode	Yearly/Monthly	Yearly/Monthly is a prepaid billing mode, where you pay in advance for a subscription term and receive a discounted rate. This mode is ideal when the resource use duration is predictable.
   Region	EU-Dublin	You can select the region nearest to your services WAF will protect.
   Edition	Standard	This edition can protect small and medium-sized websites.

4. Confirm the product details and click Buy Now in the lower right corner of the page.
5. Check the order details and read the WAF Disclaimer. Then, select the box and click Pay Now.
6. On the payment page, select a payment method and pay for your order.

Step 2: Add a Website to WAF

1. In the navigation pane on the left, choose Website Settings.
2. In the upper left corner of the website list, click Add Website.
3. Select Cloud - CNAME and click Configure Now.
4. On the Add Website page, set the following parameters and retain the default values for other parameters. Table 3 describes the parameters.
   Figure 1 Add Domain Name
   

   Table 3 Mandatory parameters

   Parameter	Example Value	Description
   Protected Domain Name	www.example.com	The domain name you want to add to WAF for protection.
   Protected Port	Standard port	The port over which the website service traffic goes. To protect port 80 or 443, select Standard port from the drop-down list.
   Server Configuration	Client Protocol: HTTP. Server Protocol: HTTP Server Address: IPv4 XXX.XXX.1.1 Server Port: 80	Server address configuration. You need to configure the client protocol, server protocol, server address, and server port. Client Protocol: protocol used by a client to access a server. The options are HTTP and HTTPS. Server Protocol: protocol used by WAF to forward client requests. The options are HTTP and HTTPS. Server Address: public IP address (generally corresponding to the A record of the domain name configured on the DNS) or domain name (generally corresponding to the CNAME record of the domain name configured on the DNS) of the web server that a client accesses. Server Port: service port over which the WAF instance forwards client requests to the origin server.
   Proxy Your Website Uses	No proxy	Layer-7 proxy: Web proxy products for layer-7 request forwarding are used, products such as anti-DDoS, CDN, and other cloud acceleration services. Layer-4 proxy: Web proxy products for layer-4 forwarding are used, products such as anti-DDoS. No proxy: No proxy products are deployed in front of WAF. In our example, no proxies are used.

5. Click Next. The basic information about the domain name is configured.
   Figure 2 Basic settings completed
   
6. Complete steps Whitelist WAF Back-to-Source IP Addresses and Test WAF as prompted.
7. Complete DNS resolution.

   Configure the CNAME record on the DNS platform hosting your domain name. For details, contact your DNS provider.

   The following uses Huawei Cloud DNS as an example to show how to configure a CNAME record. The following configuration is for reference only.

   1. Copy the CNAME value provided by WAF in Figure 2.
   2. Click in the upper left corner of the page and choose Networking > Domain Name Service.
   3. In the navigation pane on the left, choose Public Zones.
   4. In the Operation column of the target domain name, click Manage Record Set. The Record Sets tab page is displayed.
   5. In the row containing the desired record set, click Modify in the Operation column.
   6. In the displayed Modify Record Set dialog box, change the record value.
      • Name: Domain name configured in WAF
      • Type: Select CNAME-Map one domain to another.
      • Line: Default
      • TTL (s): The recommended value is 5 min. A larger TTL value will make it slower for synchronization and update of DNS records.
      • Value: Change it to the CNAME record copied in 7.a.
      • Keep other settings unchanged.
   7. Click OK.

Step 4: Configure an IP Address Blacklist or Whitelist Rule

1. In the navigation pane on the left, choose Policies.
2. Click the name of the target policy to go to the protection configuration page.
3. Choose Blacklist and Whitelist and enable it.
   • : enabled
   • : disabled

4. Above the blacklist and whitelist rule list, click Add Rule and configure a rule as shown in Figure 3.
   • IP Address/Range/Group: Select IP address/range. To block multiple IP addresses, select Address group.
   • IP Address/Range: Configure the IP addresses or IP address ranges you want to block, for example, 192.168.2.1.
   • Protective Action: Select Block.
   Figure 3 Blocking a specified ip address
   

5. Click Confirm.

Related Information

• For details, see Configuring IP Address Blacklist and Whitelist Rules to Block or Allow Specified IP Addresses.
• Dedicated Mode is recommended for large websites that are deployed on Huawei Cloud, have special security requirements, and are accessible over domain names or IP addresses. For details, see the following procedure:
  1. Buy a dedicated WAF instance.
  2. Connect your website to WAF (Dedicated Mode).
  3. Step 4: Configure an IP Address Blacklist or Whitelist Rule.