Blocking Malicious Traffic Through IP Address Blacklist or Whitelist Rules

Process

Preparations

1. Before purchasing WAF, create a Huawei account and subscribe to Huawei Cloud. For details, see Registering a HUAWEI ID and Enabling HUAWEI CLOUD Services and Real-Name Authentication.

   If you have enabled Huawei Cloud services and completed real-name authentication, skip this step.

2. Make sure that your account has sufficient balance, or you may fail to pay to your WAF orders.
3. Make sure your account has WAF permissions assigned. For details, see Creating a User Group and Granting Permissions.

   Table 1 System policies supported by WAF

   Role/Policy Name	Description	Category	Dependencies
   WAF Administrator	Administrator permissions for WAF	System-defined role	Dependent on the Tenant Guest and Server Administrator roles. Tenant Guest: A global role, which must be assigned in the global project. Server Administrator: A project-level role, which must be assigned in the same project.
   WAF FullAccess	All permissions for WAF	System-defined policy	None.
   WAF ReadOnlyAccess	Read-only permissions for WAF.	System-defined policy

Step 1: Buy the Standard Edition Cloud WAF

You can use the load balancer access mode only after you purchase the standard, professional, or platinum edition cloud WAF. The following describes how to buy the standard edition cloud WAF.

1. Log in to Huawei Cloud management console.
2. On the management console page, choose Security & Compliance > Web Application Firewall.
3. In the upper right corner of the page, click Buy WAF. On the purchase page displayed, complete the purchase by referring to configurations below.

   Table 2 Purchase parameters

   Parameter	Example Value	Description
   WAF Mode	Cloud Mode	After purchasing WAF, submit a service ticket to enable the cloud load balancer access mode. WAF then can protect your websites deployed on Huawei Cloud. In this mode, the protected objects can be website domain names or IP addresses.
   Billing Mode	Yearly/Monthly	Yearly/Monthly is a prepaid billing mode, where you pay in advance for a subscription term and receive a discounted rate. This mode is ideal when the resource use duration is predictable.
   Region	CN-Hong Kong	You can select the region nearest to your services WAF will protect.
   Edition	Standard	This edition can protect small and medium-sized websites.

4. Confirm the product details and click Buy Now in the lower right corner of the page.
5. Check the order details and read the WAF Disclaimer. Then, select the box and click Pay Now.
6. On the payment page, select a payment method and pay for your order.

After the purchase is complete, submit a service ticket to enable WAF cloud load balancer access mode.

Step 2: Add a Website to WAF in Load Balancer Access Mode

1. Create a dedicated load balancer.
   • Specifications: Select Application load balancing (HTTP/HTTPS) .
   • Set other parameters based on your service requirements.

2. Add a listener to the load balancer created in Step 1. For details, see Adding an HTTP Listener or Adding an HTTPS Listener.
3. Create a backend server group.
   • Load Balancer: Select Associate existing and select the load balancer created in Step 1 from the drop-down list.
   • Set the backend server to the server address of the website you plan to add to WAF in Step 8.

4. Click in the upper left corner and choose Web Application Firewall under Security & Compliance.
5. In the navigation pane on the left, choose Website Settings.
6. In the upper left corner of the website list, click Add Website.
7. Select Cloud - Load balancer and click Configure Now.
8. On the Add Website page, set the parameters by referring to Figure 1.
   • ELB (Load Balancer): Select an ELB load balancer. Make sure you have added the server address corresponding to the protected website to the ELB load balancer.
   • ELB Listener: Select All listeners.
   • Protected Domain Name: Enter the domain name or IP address you want to protect. We use www.example.com in this example.
   • Policy: System-generated policy is selected by default.
   Figure 1 Domain name settings
   

9. Click Confirm.

Step 4: Configure an IP Address Blacklist or Whitelist Rule

1. In the navigation pane on the left, choose Policies.
2. Click the name of the target policy to go to the protection configuration page.
3. Choose Blacklist and Whitelist and enable it.
   • : enabled
   • : disabled

4. Above the blacklist and whitelist rule list, click Add Rule and configure a rule as shown in Figure 2.
   • IP Address/Range/Group: Select IP address/range. To block multiple IP addresses, select Address group.
   • IP Address/Range: Configure the IP addresses or IP address ranges you want to block, for example, 192.168.2.1.
   • Protective Action: Select Block.
   Figure 2 Blocking a specified ip address
   

5. Click Confirm.

Related Information

• For details, see Configuring IP Address Blacklist and Whitelist Rules to Block or Allow Specified IP Addresses.
• The Cloud Mode - CNAME Access mode can be used for web services that are accessible through domain names, no matter where your web services are deployed, on Huawei Cloud, on other clouds, or even in on-premises data centers. For details, see the following procedure:
  1. Buy a standard edition cloud WAF instance.
  2. Connect your website to WAF (Cloud Mode - CNAME Access).
  3. Step 4: Configure an IP Address Blacklist or Whitelist Rule.
• Dedicated Mode is recommended for large websites that are deployed on Huawei Cloud, have special security requirements, and are accessible over domain names or IP addresses. For details, see the following procedure:
  1. Dedicated WAF instances are not available in some regions. For details, see Notice on Web Application Firewall (Dedicated Mode) Discontinued. If you have purchased a dedicated WAF instance, skip this step.
  2. Connect your website to WAF (dedicated mode).
  3. Step 4: Configure an IP Address Blacklist or Whitelist Rule.