Updated on 2025-08-19 GMT+08:00

Configuring IP Address Blacklist and Whitelist Rules to Block or Allow Specified IP Addresses

By default, all IP addresses are allowed to access your website. If you want to control access from IP addresses, you can configure blacklist and whitelist rules to block, log only, or allow access requests from specific IP addresses or IP address ranges. Whitelist rules have a higher priority than blacklist rules. You can add a single IP address or import an IP address group to the blacklist or whitelist.

  • If you select Log only for Protective Action for an IP address, WAF only identifies and logs requests from the IP address.
  • Other IP addresses are evaluated based on other configured WAF protection rules.

Prerequisites

Constraints

  • When you add a website through Cloud Mode - Load balancer and set Frontend Protocol of the listener of your ELB load balancer to TCP, UDP, or QUIC, this type of rule does not take effect.
  • WAF supports batch import of IP address blacklists and whitelists. You can use address groups to add multiple IP addresses/ranges quickly to a blacklist or whitelist rule. For details, see Adding an IP Address Group.
  • The dedicated mode and cloud load balancer access mode support IPv6 addresses and IPv6 address ranges as long as the load balancers used for the dedicated mode or cloud load balancer access mode support IPv6.
  • You can configure 0.0.0.0/0 and ::/0 IP address ranges in WAF blacklist and whitelist rules to block all IPv4 and IPv6 traffic, respectively. A whitelist rule has a higher priority than a blacklist rule. If you want to allow only a specific IP address within a range of blocked addresses, add a blacklist rule to block the range and then add a whitelist rule to allow the individual address you wish to allow.

    If you want to allow only specified IP addresses to access the protected website, you can also configure rules by referring to How Do I Allow Only Specified IP Addresses to Access the Protected Website?

  • If you set Protective Action to Block for a blacklist or whitelist rule, you can select a known attack source rule to block the visitor for a certain period of time. However, a known attack source rule configured with Long-term IP address blocking or Short-term IP address blocking cannot be selected for a blacklist or whitelist rule. With the other types, WAF blocks requests matching the configured Cookie or Params for the block duration you specify.
  • It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the Events page.

Specification Limitations

  • For details about the quota for IP address blacklist and whitelist rules, see Edition Differences.
  • If the quota for IP address whitelist and blacklist rules of your cloud WAF instance cannot meet your requirements, you can purchase rule expansion packages under the current WAF instance edition or upgrade your WAF instance edition to increase such quota.

    A rule expansion package allows you to configure up to 10 IP address blacklist and whitelist rules. For details about how to upgrade WAF specifications, see Upgrading the WAF Edition and Specifications.

Impact on the System

If an IP address is added to a blacklist or whitelist, WAF blocks or allows requests from that IP address without checking whether the requests are malicious.

Configuring an IP Address Blacklist or Whitelist Rule

  1. Log in to the WAF console.
  2. Click in the upper left corner and select a region or project.
  3. (Optional) If you have enabled the enterprise project function, in the upper part of the navigation pane on the left, select your enterprise project from the Filter by enterprise project drop-down list. Then, WAF will display the related security data in the enterprise project on the page.
  4. In the navigation pane on the left, click Policies.
  5. Click the name of the target policy to go to the protection rule configuration page.

    Before configuring protection rules, ensure that the target protection policy has been applied to a domain name. A protection policy can be applied to multiple protected domain names, but a protected domain name can have only one protection policy.

  6. Click the Blacklist and Whitelist configuration area and ensure that the blacklist and whitelist protection is enabled.

  7. In the upper left corner above the Blacklist and Whitelist list, click Add Rule.
  8. In the Add Blacklist/Whitelist Rule dialog box, add a blacklist or whitelist rule, as shown in Figure 1 and Figure 2. For details about the parameters, see Table 1.

    Figure 1 Adding an IP address/Range to a blacklist or whitelist rule

    Figure 2 Batch adding IP addresses/ranges to a blacklist or whitelist rule
    Table 1 Blacklist and whitelist parameters

    Parameter: Rule Name
    Description: Enter the name of the blacklist or whitelist rule.
    Example Value: waf

    Parameter: Rule Description (Optional)
    Description: Enter remarks for the blacklist or whitelist rule.
    Example Value: None

    Parameter: IP Address/Range/Group
    Description: You can select IP address/range or Address group.
    Example Value: IP address/range

    Parameter: IP Address/Range
    Description:
      If you select IP address/range for IP Address/Range/Group, you need to enter the IP address or IP address range to be added to the blacklist or whitelist rule.

      • IP address: IP address to be added to the blacklist or whitelist
      • IP address range: IP address and subnet mask defining a network segment

      IPv4 and IPv6 addresses are supported.

      NOTE: IPv6 protection is supported by only professional and enterprise editions.

      • IPv4 format:
        • 192.168.2.3
        • 10.1.1.0/24
      • IPv6 format:
        • fe80:0000:0000:0000:0000:0000:0000:0000
        • ::/0
    Example Value: XXX.XXX.2.3

    Parameter: Address Groups
    Description:
      If you select Address group for IP Address/Range/Group, you need to create or select an address group.

      1. (Optional) Click Add Address Group and enter the address group name, IP addresses/IP address ranges, and description.

        If you have an address group already, skip this step and select the address group from the address group list.

        • If the existing address group does not meet service requirements, click Modify in the Operation column to modify it.
        • If you no longer need an address group, disassociate it from the blacklist or whitelist rules and click Delete in the Operation column to delete it.
        • Address groups you add in this step will be synchronized to the Address Groups page. For more details, see Managing IP Address Blacklist and Whitelist Groups.
      2. Select an address group you have added before.
    Example Value: --

    Parameter: Protective Action
    Description:
      Protective action for the rule when a request matches the rule.

      • Block: If you want to add an IP address or IP address range to a blacklist, set Protective Action to Block. Requests from the IP address or IP address range will then be blocked.

        If Protective Action is set to Block, you can configure long-term and short-term blocking rules for the IP address, cookie, or parameter of the visitor. When a request matches the rule, WAF automatically blocks the visitor based on the blocking rule configured for known attack sources. For more details, see Configuring a Known Attack Source Rule to Block Specific Visitors for a Specified Duration.

        Do not select Long-term IP address blocking or Short-term IP address blocking rules for IP address blacklists.

      • Allow: If you want to add an IP address or IP address range to a whitelist, set Protective Action to Allow. Requests from the IP address or IP address range will be allowed.
      • Log only: If you only want to observe requests from an IP address or IP address range, set Protective Action to Log only. Requests from the IP address or IP address range will be logged. You can observe the protection event data and choose to add the IP address or IP address range to a blacklist or whitelist.
    Example Value: Block

    Parameter: Application Schedule
    Description:
      Time when the rule takes effect.
      • Immediate: The rule works immediately after it is enabled.
      • Custom: You can select a time range for the rule to work.
    Example Value: Immediate

  9. Click OK. You can then view the added rule in the list of blacklist and whitelist rules.

    After completing the preceding configurations, you can:

    • Check the rule status: In the protection rule list, check the rule you added. Rule Status is Enabled by default.
    • Disable the rule: If you do not want the rule to take effect, click Disable in the Operation column of the rule.
    • Delete or modify the rule: Click Delete or Modify in the Operation column of the rule.
    • Verify the protection effect:
      1. Clear the browser cache and access http://www.example.com from the configured IP address 192.168.2.3. Normally, WAF blocks the request and returns the block page.
      2. On the Events page, check the protection logs.

Example Configuration: Allowing a Specified IP Address

To verify that a specific IP address can be allowed to access your website domain name (www.example.com), take the following steps:

  1. Click the Blacklist and Whitelist configuration area and ensure that the blacklist and whitelist protection is enabled.

  2. Add a rule to block all source IP addresses.

    • Method 1: Add the following two blacklist rules to block all source IP addresses, as shown in Figure 3 and Figure 4.
      Figure 3 Blocking IP address range 1.0.0.0/1
      Figure 4 Blocking IP address range 128.0.0.0/1
    • Method 2: Add a precise protection rule to block all access requests, as shown in Figure 5.
      Figure 5 Blocking all access requests
    • Method 3: Add 0.0.0.0/0 and ::/0 to block all IPv4 and IPv6 traffic.
      Figure 6 Blocking all IPv4 traffic
      Figure 7 Blocking all IPv6 traffic

  3. Refer to Figure 8 and add a whitelist rule to allow a specified IP address, for example, 192.168.2.3.

    Figure 8 Allowing the access of a specified IP address

  4. Clear the browser cache and access http://www.example.com.

    If the IP address of a visitor is not the one specified in step 3, WAF blocks the access request. Figure 9 shows an example of the block page.

    Figure 9 Block page

  5. Go to the WAF console. In the navigation pane on the left, choose Events. View the event on the Events page.
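
The allow-only configuration above can be checked offline before the rules are entered in the console. The following Python model is an added example, not code from WAF or its documentation: the rule names, the `decide` and `uncovered` helpers, and the "pass" outcome for unmatched addresses are assumptions made for illustration. It applies the stated whitelist-over-blacklist priority and reports address ranges that a set of block entries leaves uncovered, such as all of IPv6 when only 0.0.0.0/0 is blocked.

```python
import ipaddress

def parse(entry):
    # strict=False: an entry with host bits set (1.0.0.0/1) is read as its
    # enclosing network (0.0.0.0/1) instead of raising ValueError.
    return ipaddress.ip_network(entry, strict=False)

def decide(rules, client_ip):
    """rules: (name, entry, action) tuples, action 'allow' or 'block'.
    Returns (action, rule_name). Allow beats block, as the page states;
    'pass' means no list rule matched and other WAF rules would decide."""
    ip = ipaddress.ip_address(client_ip)
    hits = {}
    for name, entry, action in rules:
        if ip in parse(entry):          # False when IP versions differ
            hits.setdefault(action, name)
    for action in ("allow", "block"):
        if action in hits:
            return action, hits[action]
    return "pass", None

def uncovered(block_entries, version=4):
    """Ranges of the given IP version that no block entry covers."""
    remaining = [parse("0.0.0.0/0" if version == 4 else "::/0")]
    nets = [n for n in map(parse, block_entries) if n.version == version]
    for blocked in ipaddress.collapse_addresses(nets):
        kept = []
        for r in remaining:
            if blocked.supernet_of(r):
                continue                                 # fully blocked
            if r.supernet_of(blocked):
                kept.extend(r.address_exclude(blocked))  # carve it out
            else:
                kept.append(r)                           # disjoint
        remaining = kept
    return sorted(remaining)

# Constructed rule set mirroring the page's allow-only example (Method 3).
# Rule names are hypothetical.
ALLOW_ONLY = [
    ("block-all-v4", "0.0.0.0/0", "block"),
    ("block-all-v6", "::/0", "block"),
    ("allow-one", "192.168.2.3", "allow"),
]

if __name__ == "__main__":
    for ip in ("192.168.2.3", "203.0.113.7", "2001:db8::1"):
        print(ip, decide(ALLOW_ONLY, ip))
    print("Method 1 gaps:", uncovered(["1.0.0.0/1", "128.0.0.0/1"]))
    print("IPv6 gaps with only 0.0.0.0/0:", uncovered(["0.0.0.0/0"], 6))
```

Because a whitelisted address is allowed without further inspection (see Impact on the System), keep the allow entries in such a rule set as narrow as possible.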
