edit-icon download-icon

Step 2: Whitelist local IP subnet

Last Updated: Jan 15, 2018

The most recent local IP subnets (generally, fixed subnets) can be viewed through the WAF back-to-source CIDR block on the Domain Name Configuration page.


The WAF acts as a reverse proxy, which makes sure invisibility of the origin server to the client server. The WAF handles clients’ requests. It blocks malicious requests, and forwards the valid requests to the origin.

In Full-NAT proxy mode, the WAF uses the local IP as the source IP to establish connection with the origin server.


Throughout this four-stage process, the IP address keeps changing.

Stage Source IP Destination IP
Client’s request CIP (Client IP) VIP (Virtual IP)
WAF’s request LIP (Local IP) RIP (Real IP)
Origin’s response RIP LIP
WAF’s response VIP CIP


  • Multiple local IP addresses are available because the WAF cluster has multiple physical servers.
  • In Full NAT mode, each packet’s source IP address is a local IP address.
  • To guarantee accessibility, the origin server must whitelist all existing fixed local IP addresses.
  • The WAF uses local IP addresses to visit the origin and keeps the real client IP address in the HTTP header’s X-forwarded-for field, as illustrated in the following figure.


For origin, the WAF makes the source IPs more concentrated and improves the transmission speed of packets from them. However, under this circumstance, the local IPs may be determined as more suspicious to the origin server’s firewall or security software (if such software is applied). In case the local IP is blocked or limited, make sure the local IPs are whitelisted before diverted to the WAF.

We recommend that you block all requests to the origin server from the IP addresses, except for the local IP addresses. This guarantees enhanced security and protects the origin, even if the real IP addressed are disclosed.

Thank you! We've received your feedback.