Blocking Malicious Traffic Through IP Address Blacklist or Whitelist Rules
By default, WAF allows access from all IP addresses. If you find that your website is accessed from malicious IP addresses, you can add a WAF blacklist or whitelist rule to block malicious IP addresses.
- Cloud - CNAME access
- Service servers are deployed on any cloud or in on-premises data centers.
- Protected objects: domain names
- Cloud - Load balancer access mode
- Dedicated mode
The following example shows you how to configure an IP address whitelist or blacklist rule. In this example, we use the WAF cloud load balancer access mode.
Process
Procedure |
Description |
---|---|
Sign up for a HUAWEI ID, enable Huawei Cloud services, top up your account, and assign WAF permissions to the account. |
|
Purchase WAF and select the region and WAF mode. |
|
Add the website you want to protect to WAF for traffic inspection and forwarding. |
|
Add blacklist and whitelist rules to block malicious IP addresses. |
Preparations
- Before purchasing WAF, create a Huawei account and subscribe to Huawei Cloud. For details, see Registering a HUAWEI ID and Enabling HUAWEI CLOUD Services and Real-Name Authentication.
If you have enabled Huawei Cloud services and completed real-name authentication, skip this step.
- Make sure that your account has sufficient balance, or you may fail to pay to your WAF orders.
- Make sure your account has WAF permissions assigned. For details, see Creating a User Group and Granting Permissions.
Table 1 System policies supported by WAF Role/Policy Name
Description
Category
Dependencies
WAF Administrator
Administrator permissions for WAF
System-defined role
Dependent on the Tenant Guest and Server Administrator roles.
- Tenant Guest: A global role, which must be assigned in the global project.
- Server Administrator: A project-level role, which must be assigned in the same project.
WAF FullAccess
All permissions for WAF
System-defined policy
None.
WAF ReadOnlyAccess
Read-only permissions for WAF.
System-defined policy
Step 1: Buy the Standard Edition Cloud WAF
You can use the load balancer access mode only after you purchase the standard, professional, or platinum edition cloud WAF. The following describes how to buy the standard edition cloud WAF.
- Log in to Huawei Cloud management console.
- On the management console page, choose .
- In the upper right corner of the page, click Buy WAF. On the purchase page displayed, select a WAF mode.
- Region: Select the region nearest to your services WAF will protect.
- Edition: Select Standard.
- Expansion Package and Required Duration: Retain default settings.
- Confirm the product details and click Buy Now in the lower right corner of the page.
- Check the order details and read the WAF Disclaimer. Then, select the box and click Pay Now.
- On the payment page, select a payment method and pay for your order.
![](https://support.huaweicloud.com/intl/en-us/qs-waf/public_sys-resources/note_3.0-en-us.png)
After the purchase is complete, submit a service ticket to enable WAF cloud load balancer access mode.
Step 2: Add a Website to WAF in Load Balancer Access Mode
- In the navigation pane on the left, choose Website Settings.
- In the upper left corner of the website list, click Add Website.
- Select Cloud - Load balancer and click Configure Now.
- On the Add Domain Name page, set the parameters by referring to Figure 1.
- ELB (Load Balancer): Select an ELB load balancer. Make sure you have added the server address corresponding to the protected website to the ELB load balancer.
- ELB Listener: Select All listeners.
- Domain Name: Enter the domain name or IP address you want to protect. We use www.example.com in this example.
- Policy: System-generated policy is selected by default.
- Click Confirm.
Step 4: Configure an IP Address Blacklist or Whitelist Rule
- In the navigation pane on the left, choose Policies.
- Click the name of the target policy to go to the protection configuration page.
- Choose Blacklist and Whitelist and enable it.
: enabled.
: disabled.
- Above the blacklist and whitelist rule list, click Add Rule and configure a rule as shown in Figure 2.
- IP Address/Range/Group: Select IP address/range. To block multiple IP addresses, select Address group.
- IP Address/Range: Configure the IP addresses or IP address ranges you want to block.
- Protective Action: Select Block.
- Click Confirm.
Related Information
For details, see Configuring IP Address Blacklist and Whitelist Rules to Block or Allow Specified IP Addresses.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot