WAF uses specified back-to-origin CIDR blocks to forward normal traffic back to the origin server. To allow inbound traffic from the WAF back-to-origin CIDR blocks, you can configure security software or access control policies of the origin server when you add a website to the WAF console.

Background information

If you use security software such as FortiGate for your origin server, you must add the WAF back-to-origin CIDR blocks to the whitelist of the software. This prevents normal traffic forwarded by WAF to the origin server from being blocked by access control policies.

For security purposes, we recommend that you configure access control policies for the origin server to allow only inbound traffic from the WAF back-to-origin CIDR blocks. This prevents attackers from bypassing WAF and directly attacking the origin server.

Back-to-origin CIDR blocks added on April 30, 2020

On April 30, 2020, the following back-to-origin CIDR blocks were added after WAF clusters were scaled out.
  • Mainland China: 39.96.158.0/24, 47.110.182.0/24, 120.77.139.0/25, 47.102.187.0/25
  • Regions outside mainland China: 47.56.50.0/24, 161.117.161.0/25, 147.139.22.0/25, 8.209.192.0/25
Warning If your origin server has an IP address whitelist or a security group that is configured to allow only WAF back-to-origin CIDR blocks to access your origin server, you must add the new WAF back-to-origin CIDR blocks to the whitelist. Otherwise, the back-to-origin traffic forwarded by WAF may be blocked by the access control policies of the origin server, and the access may be denied.

We recommend that you add the new back-to-origin CIDR blocks before May 15, 2020.

Procedure

You can obtain the back-to-origin CIDR blocks from the following list based on the region of your WAF instance, or perform the following steps to obtain the latest back-to-origin CIDR blocks from the WAF console.

Back-to-origin CIDR blocks by region of the WAF instance:
  • Regions in mainland China: 121.43.18.0/24, 120.25.115.0/24, 101.200.106.0/24, 120.55.177.0/24, 120.27.173.0/24, 120.55.107.0/24, 123.57.117.0/24, 120.76.16.0/24, 182.92.253.32/27, 60.205.193.64/27, 60.205.193.96/27, 120.78.44.128/26, 118.178.15.0/24, 39.106.237.192/26, 106.15.101.96/27, 47.101.16.64/27, 47.106.31.0/24, 47.98.74.0/25, 47.97.242.96/27, 112.124.159.0/24, 39.96.130.0/24, 39.96.119.0/24, 47.99.20.0/24, 47.104.53.0/26, 47.108.23.192/26, 39.104.199.128/26, 39.96.158.0/24, 47.110.182.0/24, 120.77.139.0/25, 47.102.187.0/25
  • Regions outside mainland China: 47.89.1.160/27, 47.89.7.192/26, 47.88.145.96/27, 47.88.250.0/24, 47.52.120.0/24, 47.254.217.32/27, 47.88.74.0/24, 47.89.132.224/27, 47.91.69.64/27, 47.91.54.128/27, 47.74.160.0/24, 47.91.113.64/27, 149.129.211.0/27, 149.129.140.0/27, 8.208.2.192/27, 47.56.50.0/24, 161.117.161.0/25, 147.139.22.0/25, 8.209.192.0/25
Note If the origin server of the website is deployed in Japan, add the 8.209.192.0/25 back-to-origin CIDR block.
  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group to which the instance belongs and the region, Mainland China or International, in which the instance is deployed.
  3. In the left-side navigation pane, choose System Management > Product Information.
  4. At the lower part of the Product Information page, locate the WAF IP Segments section and click Copy All IPs.
    The WAF IP Segments section displays the latest back-to-origin CIDR blocks.

References

After obtaining the WAF back-to-origin CIDR blocks, you can add them to the whitelist of the security software on your origin server.

If the website traffic is routed to WAF, you can configure access control policies for the origin server to allow only inbound traffic from the WAF back-to-origin CIDR blocks. For more information, see Configure protection for your origin server.
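The following is an added example, not part of this page or of the WAF product: it encodes the mainland China back-to-origin CIDR blocks listed above, checks an origin server's access log for requests that did not arrive from those ranges (that is, traffic that bypassed WAF and reached the origin directly), and renders the allow-only firewall rules the page recommends. The log lines are constructed sample input, and the iptables rendering assumes a Linux origin server listening on the given port.

```python
import ipaddress
import re

# Back-to-origin CIDR blocks for WAF instances in mainland China, copied from
# this page (the last four are the blocks added on April 30, 2020).
WAF_BACK_TO_ORIGIN_CN = [
    "121.43.18.0/24", "120.25.115.0/24", "101.200.106.0/24", "120.55.177.0/24",
    "120.27.173.0/24", "120.55.107.0/24", "123.57.117.0/24", "120.76.16.0/24",
    "182.92.253.32/27", "60.205.193.64/27", "60.205.193.96/27", "120.78.44.128/26",
    "118.178.15.0/24", "39.106.237.192/26", "106.15.101.96/27", "47.101.16.64/27",
    "47.106.31.0/24", "47.98.74.0/25", "47.97.242.96/27", "112.124.159.0/24",
    "39.96.130.0/24", "39.96.119.0/24", "47.99.20.0/24", "47.104.53.0/26",
    "47.108.23.192/26", "39.104.199.128/26", "39.96.158.0/24", "47.110.182.0/24",
    "120.77.139.0/25", "47.102.187.0/25",
]
WAF_NETWORKS = [ipaddress.ip_network(c) for c in WAF_BACK_TO_ORIGIN_CN]

def is_waf_source(ip: str) -> bool:
    """True if ip lies inside one of the WAF back-to-origin CIDR blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WAF_NETWORKS)

# Constructed nginx-style access log lines (sample input, not real traffic).
SAMPLE_LOG = """\
39.96.158.17 - - [01/May/2020:10:00:01 +0800] "GET / HTTP/1.1" 200 512
203.0.113.45 - - [01/May/2020:10:00:02 +0800] "GET /admin HTTP/1.1" 200 1024
47.110.182.200 - - [01/May/2020:10:00:03 +0800] "POST /login HTTP/1.1" 302 0
198.51.100.9 - - [01/May/2020:10:00:04 +0800] "GET /wp-login.php HTTP/1.1" 404 0
"""

LOG_IP_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}) ")

def find_bypass_sources(log_text: str) -> list:
    """Source IPs of requests that did not come through a WAF back-to-origin
    range, i.e. requests that reached the origin server directly."""
    bypass = []
    for line in log_text.splitlines():
        m = LOG_IP_RE.match(line)
        if m and not is_waf_source(m.group(1)):
            bypass.append(m.group(1))
    return bypass

def iptables_allow_rules(port: int = 443) -> list:
    """Render iptables rules (assumed Linux origin) that accept only the WAF
    ranges on the given port and drop all other inbound traffic to it."""
    rules = [f"iptables -A INPUT -p tcp --dport {port} -s {c} -j ACCEPT"
             for c in WAF_BACK_TO_ORIGIN_CN]
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules
```

Any address that `find_bypass_sources` reports is a request that skipped WAF, which is exactly the case the allow-only policy prevents; regenerate the rule set whenever new back-to-origin CIDR blocks are published.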