After you add your web services to Web Application Firewall (WAF), you can configure region blacklist rules to identify the source regions of requests and block or allow the requests from specific regions. This way, malicious requests can be blocked by region. This topic describes how to create a region blacklist rule.

Prerequisites

Create a region blacklist rule template

WAF does not provide a default region blacklist rule template. Before you can enable a region blacklist rule, you must create a region blacklist rule template.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region to which the WAF instance that you want to manage belongs. You can select Chinese Mainland or Outside Chinese Mainland for the region.
  2. In the left-side navigation pane, choose Protection Configuration > Protection Rules.
  3. In the lower part of the Protection Rules page, click Create Template in the Region Blacklist section.
    Note: If no region blacklist rule templates exist, you can click Configure Now in the Region Blacklist card in the upper part of the Protection Rules page.
  4. In the Create Template - Region Blacklist panel, configure the parameters and click OK. The following table describes the parameters.
    Parameter: Description

    Template Name: Enter a name for the template.

      The name must be 1 to 255 characters in length, and can contain letters, digits, periods (.), underscores (_), and hyphens (-).

    Save as Default Template: Specify whether to set this template as the default template for the protection module.

      You can specify only one default template for a protection module. If you turn on Save as Default Template, you do not need to configure the Apply To parameter. The default template is applied to all protected objects and protected object groups to which no custom protection rule templates are applied.

    Action: Specify the action that you want WAF to perform on the request that matches the protection rule. Valid values:
      • Block: blocks the requests that match the rule and returns a block page to the client that initiated the requests.
        Note: By default, WAF returns a preconfigured block page. You can use the custom response feature to configure a custom block page. For more information, see Configure custom response rules to configure custom block pages.
      • Monitor: records requests that match the rule in logs without blocking the requests. You can query logs of requests that match the rule and analyze the protection performance. For example, you can check whether normal requests are blocked based on the logs.
        Important: You can query logs only if the Log Service for WAF feature is enabled. For more information, see Enable Log Service for WAF.

        If you select Monitor, you can check the protection performance of the rule. You can also check whether the rule blocks normal requests. Then, you can determine whether to set the Action parameter to Block.

      Note: On the Security Reports page, you can query the details of matched rules in Monitor mode or Block mode. For more information, see Security reports.

    Blocked Regions: The number and details of regions in the Chinese mainland and outside the Chinese mainland from which requests are blocked.

    Select Regions to Block: Select the regions that you want to block. You can select regions on the China tab and the Outside China tab. The selected regions are displayed in the Blocked Regions section.

    Apply To: Select the protected objects and protected object groups to which you want to apply the template.

      You can apply only one template of a protection module to a protected object or a protected object group. For information about how to add protected objects and protected object groups, see Protected objects and protected object groups.

    By default, the new rule template is enabled. You can perform the following operations in the rule template list:
    • View the number of protected objects or protected object groups that are associated with the rule template.
    • Turn on or turn off Status to enable or disable the rule template.
    • Click Edit or Delete in the Actions column to modify or delete the rule template.
    • Click the show icon on the left side of a rule template to view the rules in the template.

What to do next

On the Region Blacklist tab of the Security Reports page, you can view the protection details of region blacklist rules. For more information, see IP address blacklist, custom rule, scan protection, HTTP flood protection, and region blacklist modules.
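
The Monitor-then-Block workflow described for the Action parameter can be backed by a quick review of the requests that matched the rule while it was in Monitor mode. The following is an added example, not code from WAF or its documentation: the record fields (region, status, authenticated), the XA/XB/XC region codes, the thresholds, and the definition of a normal-looking request are all assumptions to replace with the fields and values from your own exported logs.

```python
from collections import Counter

# Constructed sample of requests that matched a region blacklist rule in
# Monitor mode. Field names are hypothetical, not the WAF log schema, and
# XA/XB/XC are placeholder region codes.
SAMPLE_HITS = [
    {"region": "XA", "status": 404, "authenticated": False},
    {"region": "XA", "status": 403, "authenticated": False},
    {"region": "XA", "status": 404, "authenticated": False},
    {"region": "XA", "status": 401, "authenticated": False},
    {"region": "XB", "status": 200, "authenticated": True},
    {"region": "XB", "status": 200, "authenticated": True},
    {"region": "XB", "status": 404, "authenticated": False},
    {"region": "XB", "status": 302, "authenticated": True},
    {"region": "XC", "status": 200, "authenticated": True},
]


def looks_normal(hit):
    """Heuristic (assumption): a logged-in request answered with 2xx/3xx."""
    return hit["authenticated"] and 200 <= hit["status"] < 400


def review_monitor_hits(hits, max_normal_ratio=0.05, min_hits=3):
    """Return {region: (total, normal, verdict)} for Monitor-mode matches.

    verdict is "block" when enough traffic was seen and almost none of it
    looks normal, "review" when normal traffic would be blocked, and
    "keep-monitoring" when there are too few matches to decide.
    """
    total, normal = Counter(), Counter()
    for hit in hits:
        total[hit["region"]] += 1
        normal[hit["region"]] += looks_normal(hit)
    report = {}
    for region, count in sorted(total.items()):
        if count < min_hits:
            verdict = "keep-monitoring"
        elif normal[region] / count > max_normal_ratio:
            verdict = "review"
        else:
            verdict = "block"
        report[region] = (count, normal[region], verdict)
    return report


if __name__ == "__main__":
    for region, (count, ok, verdict) in review_monitor_hits(SAMPLE_HITS).items():
        print(f"{region}: {count} matched, {ok} normal-looking -> {verdict}")
```

A region with a "review" verdict is one where setting Action to Block would cut off traffic that looks like real users, so it should stay in Monitor mode or be removed from the template.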
