WAF uses specified back-to-origin CIDR blocks to forward normal traffic back to an origin server. To allow inbound traffic from the back-to-origin CIDR blocks, you must configure security software or access control policies of the origin server when you add a website to the WAF console.
If you use security software such as FortiGate for your origin server, you must add the WAF back-to-origin CIDR blocks to a whitelist of the software. This prevents normal traffic forwarded by WAF to the origin server from being blocked by access control policies.
For security purposes, we recommend that you configure access control policies for the origin server to allow only inbound traffic from the WAF back-to-origin CIDR blocks. This prevents attackers from bypassing WAF and directly attacking the origin server. For more information, see Configure protection for your origin server.
Back-to-origin CIDR blocks added on April 30, 2020
- Regions in mainland China:
- Regions outside mainland China:
We recommend that you add the new back-to-origin CIDR blocks to the IP address whitelist in a timely manner.
Obtain the WAF back-to-origin CIDR blocks
You can obtain the back-to-origin CIDR blocks from the following table based on the region of your WAF instance, or use the steps below to obtain the latest back-to-origin CIDR blocks from the WAF console.
|Region of the WAF instance|Back-to-origin CIDR block|
|---|---|
|Regions in mainland China||
|Regions outside mainland China||
Note If the origin server of the website is deployed in Japan, add the
- Log on to the Web Application Firewall console.
- In the top navigation bar, select the resource group to which the instance belongs and the region, Mainland China or International, in which the instance is deployed.
- In the left-side navigation pane, choose .
- In the lower part of the Product Information page, find the WAF IP Segments section and click Copy All IPs. The WAF IP Segments section displays the latest back-to-origin CIDR blocks.
What to do next
After you obtain the WAF back-to-origin CIDR blocks, you can add them to the IP address whitelist of your origin security software.
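The following added example (not part of the original documentation or the WAF product) validates a copied list of back-to-origin CIDR blocks before you load it into a whitelist, and then checks origin connection records for sources outside those blocks, which indicates traffic that reached the origin without passing through WAF. It assumes the copied text is separated by commas or whitespace; the CIDR blocks and log entries are constructed documentation-range samples, not real WAF values, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample of text pasted from "Copy All IPs". These are documentation
# ranges (RFC 5737 / RFC 3849), NOT real WAF back-to-origin CIDR blocks.
COPIED_BLOCKS = "192.0.2.0/24, 198.51.100.0/25,198.51.100.128/25\n2001:db8:100::/48"

# Constructed (source IP, request) pairs as an origin access log might record them.
ORIGIN_CONNECTIONS = [
    ("192.0.2.17", "GET /index.html"),
    ("198.51.100.200", "POST /login"),
    ("203.0.113.9", "GET /admin"),          # outside every listed block
    ("2001:db8:100::5", "GET /api/items"),
    ("2001:db8:200::5", "GET /api/items"),  # outside every listed block
]


def parse_blocks(text):
    """Parse comma/whitespace separated CIDR text into validated, merged networks."""
    nets = []
    for token in re.split(r"[,\s]+", text.strip()):
        if token:
            # strict=True rejects entries with host bits set, e.g. 192.0.2.1/24,
            # which usually indicates a copy or typing error.
            nets.append(ipaddress.ip_network(token, strict=True))
    # collapse_addresses cannot mix IP versions, so merge each family separately.
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4) + list(v6)


def is_from_waf(source_ip, networks):
    """Return True if source_ip falls inside any back-to-origin block."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr.version == net.version and addr in net for net in networks)


def direct_to_origin(connections, networks):
    """Return the connections whose source is not a back-to-origin block."""
    return [(ip, req) for ip, req in connections if not is_from_waf(ip, networks)]


if __name__ == "__main__":
    allowlist = parse_blocks(COPIED_BLOCKS)
    print("Allowlist entries:", ", ".join(str(n) for n in allowlist))
    for ip, req in direct_to_origin(ORIGIN_CONNECTIONS, allowlist):
        print(f"Not from WAF: {ip} {req}")
```

Once the origin's access control policy allows only the back-to-origin blocks, the second check should return nothing; any remaining entry points to a rule that is missing or too broad.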