Lists in Global Settings let you define reusable collections of IP addresses, CIDR blocks, ASNs, or hostnames. You create a list once and reference it across multiple WAF and bot management rules. When you update a list, the change propagates automatically to every associated policy.
Benefits
- Centralized management -- Maintain IP addresses, CIDR blocks, ASNs, or hostnames in one place. Update a list once to apply the change to every rule that references it.
- Policy consistency -- Reference standardized lists instead of entering the same values manually across multiple rules, eliminating discrepancies.
- Reuse across environments -- Flexibly create and adjust lists based on business scenarios and reuse the lists across environments, giving you efficient, layered control over your security policies.
Supported list types
| Type | Description | Limits |
|---|---|---|
| IP Address/CIDR Block | IPv4 or IPv6 addresses and CIDR blocks. Separate multiple entries with a comma (,). | Up to 10 lists; up to 5,000 entries per list |
| ASN | An Autonomous System Number (ASN) uniquely identifies an autonomous system -- a group of IP networks and routers controlled by a single network management organization such as an ISP, enterprise, or institution. You can query the ASN in a request. For more information, see How do I query the ASN of an IP address? or Instant Logs. | Up to 500 entries per list |
| Hostname | The value of the Host header in the request, which determines the requested domain name. | Up to 500 entries per list |
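
An added example (not part of the ESA documentation or product code): a pre-flight check for the value of an IP Address/CIDR Block list, using the comma separator and 5,000-entry limit from the table above. Rejecting blocks with host bits set, rejecting /0 blocks, and collapsing overlapping entries are assumptions about what an operator wants rather than documented ESA behavior, and `build_ip_list` is a hypothetical helper name.

```python
import ipaddress

MAX_ENTRIES = 5000  # per-list limit for IP Address/CIDR Block lists (table above)


def build_ip_list(raw, max_entries=MAX_ENTRIES):
    """Validate comma/newline separated entries.

    Returns (value, problems): value is the comma-separated string to enter
    in the list, problems describes every entry that was rejected.
    """
    nets, problems = {4: [], 6: []}, []
    for token in raw.replace("\n", ",").split(","):
        token = token.strip()
        if not token:
            continue
        try:
            # strict=True rejects blocks with host bits set (e.g. 10.0.0.5/24),
            # which usually means a typo in the address or the prefix length.
            net = ipaddress.ip_network(token, strict=True)
        except ValueError as exc:
            problems.append(f"{token}: {exc}")
            continue
        if net.prefixlen == 0:
            # A /0 in a list referenced by a Block rule would match every client.
            problems.append(f"{token}: matches every IPv{net.version} client")
            continue
        nets[net.version].append(net)

    # collapse_addresses drops duplicates and entries already covered by a
    # broader block, and merges adjacent blocks. The matched address set is
    # unchanged, but fewer entries count against the limit.
    merged = [n for v in (4, 6) for n in ipaddress.collapse_addresses(nets[v])]
    if len(merged) > max_entries:
        problems.append(f"{len(merged)} entries exceed the limit of {max_entries}")
    # Write single hosts as bare addresses and blocks in CIDR notation.
    value = ",".join(
        str(n.network_address) if n.num_addresses == 1 else str(n) for n in merged
    )
    return value, problems


if __name__ == "__main__":
    # Constructed sample input built from documentation address ranges.
    sample = ("203.0.113.7, 198.51.100.0/25,198.51.100.128/25, 198.51.100.64/26,\n"
              "2001:db8::/32, 10.0.0.5/24, 0.0.0.0/0, 203.0.113.7")
    value, problems = build_ip_list(sample)
    print(value)
    for p in problems:
        print("rejected:", p)
```
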
Where you can use lists
After you create a list, you can reference it as a match value when you configure rules for any of the following features:
To reference a list in a rule, set the logic operator to is in list or is not in list in the If requests match... section. The match field depends on the list type:
- IP Address/CIDR Block lists: Set the match field to Client IP.
- ASN lists: Set the match field to ASN.
- Hostname lists: Set the match field to Hostname.

Lists are scoped to the website under which they are referenced. For example, if you reference a list under example.com, the list takes effect for example.com and its subdomains only. The list does not take effect for other websites that have not referenced it.
Create a list
- Log on to the ESA console. In the left-side navigation pane, choose Global Settings > Lists.
- On the Lists page, click Create List.
- In the Create List dialog box, specify the following parameters:
  - List Name: Enter a name for the list.
  - Type: Select IP Address/CIDR Block, ASN, or Hostname.
  - In the input field, enter a match value.
- Click OK.
Reference a list in a WAF custom rule
The following walkthrough shows how to create a list containing your local server's IP address, reference the list in a custom rule that blocks matching requests, and verify that the rule takes effect.
Step 1: Create a custom rule that references the list
- In the ESA console, choose Websites and click the website name you want to manage.
- In the left-side navigation pane, choose Security > WAF. On the WAF page, click the Custom Rules tab, and then click Create Rule.
- On the Create Custom Rule page, specify Rule Name.
- In the If requests match... section, configure the following settings:
  - Set the match type to Client IP.
  - Set the match condition to is in list.
  - Select the list that you created.
- In the Then execute... section, configure the following settings:
  - Set Action to Block.
  - Set Error Page to Default Error Page. The status code 403 cannot be changed.
- Click OK.
Step 2: Verify the rule
After the list is referenced, run the following command to test that requests from the listed IP address are blocked:
```bash
curl -I http://esa.xxx.top/pic_03.jpg
```
If the response returns HTTP status code 403, the rule is working as expected.
What's next
- Build advanced request-matching logic with Custom rules.
- Throttle excessive traffic from specific IP ranges with Rate limiting rules.
- Block automated vulnerability scanners with Scan protection rules.
- Exempt trusted IP addresses from security checks with Whitelist rules.
- Manage bot traffic with Bots.