WAF uses a fixed set of back-to-origin CIDR blocks to forward normal traffic to your origin server. When you add a website to the WAF console, you must configure the security software or access control policies on the origin server so that inbound traffic from these back-to-origin CIDR blocks is allowed.

Background information

If you use security software such as FortiGate for your origin server, you must add the WAF back-to-origin CIDR blocks to a whitelist of the software. This prevents normal traffic forwarded by WAF to the origin server from being blocked by access control policies.

For security purposes, we recommend that you configure access control policies for the origin server to allow only inbound traffic from the WAF back-to-origin CIDR blocks. This prevents attackers from bypassing WAF and directly attacking the origin server. For more information, see Configure protection for your origin server.

Back-to-origin CIDR blocks added on April 30, 2020

On April 30, 2020, the following back-to-origin CIDR blocks were added after WAF clusters were scaled out.
  • Regions in mainland China: 39.96.158.0/24, 47.110.182.0/24, 120.77.139.0/25, 47.102.187.0/25
  • Regions outside mainland China: 47.56.50.0/24, 161.117.161.0/25, 147.139.22.0/25, 8.209.192.0/25
Warning: If your origin server has an IP address whitelist or a security group that is configured to allow only WAF back-to-origin CIDR blocks to access your origin server, you must add the new WAF back-to-origin CIDR blocks to the whitelist. Otherwise, the back-to-origin traffic forwarded by WAF may be blocked by the access control policies of the origin server, and access may be denied.

We recommend that you add the new back-to-origin CIDR blocks to the IP address whitelist in a timely manner.

Obtain the WAF back-to-origin CIDR blocks

You can obtain the back-to-origin CIDR blocks from the following list based on the region of your WAF instance, or perform the steps below to obtain the latest back-to-origin CIDR blocks from the WAF console.

Back-to-origin CIDR blocks by region of the WAF instance:
  • Regions in mainland China: 121.43.18.0/24, 120.25.115.0/24, 101.200.106.0/24, 120.55.177.0/24, 120.27.173.0/24, 120.55.107.0/24, 123.57.117.0/24, 120.76.16.0/24, 182.92.253.32/27, 60.205.193.64/27, 60.205.193.96/27, 120.78.44.128/26, 118.178.15.0/24, 39.106.237.192/26, 106.15.101.96/27, 47.101.16.64/27, 47.106.31.0/24, 47.98.74.0/25, 47.97.242.96/27, 112.124.159.0/24, 39.96.130.0/24, 39.96.119.0/24, 47.99.20.0/24, 47.104.53.0/26, 47.108.23.192/26, 39.104.199.128/26, 39.96.158.0/24, 47.110.182.0/24, 120.77.139.0/25, 47.102.187.0/25
  • Regions outside mainland China: 47.89.1.160/27, 47.89.7.192/26, 47.88.145.96/27, 47.88.250.0/24, 47.52.120.0/24, 47.254.217.32/27, 47.88.74.0/24, 47.89.132.224/27, 47.91.69.64/27, 47.91.54.128/27, 47.74.160.0/24, 47.91.113.64/27, 149.129.211.0/27, 149.129.140.0/27, 8.208.2.192/27, 47.56.50.0/24, 161.117.161.0/25, 147.139.22.0/25, 8.209.192.0/25
Note: If the origin server of the website is deployed in Japan, add the 8.209.192.0/25 back-to-origin CIDR block.
  1. Log on to the Web Application Firewall console.
  2. In the top navigation bar, select the resource group to which the instance belongs and the region, Mainland China or International, in which the instance is deployed.
  3. In the left-side navigation pane, choose System Management > Product Information.
  4. In the lower part of the Product Information page, find the WAF IP Segments section and click Copy All IPs.
    The WAF IP Segments section displays the latest back-to-origin CIDR blocks.

What to do next

After you obtain the WAF back-to-origin CIDR blocks, add them to the IP address whitelist of the security software or access control policies on your origin server.

Warning: If you do not add the WAF back-to-origin CIDR blocks to the IP address whitelist of the origin server, normal requests forwarded by WAF may be rejected. This may cause a service interruption.
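The following is an added example, not part of this documentation or of the WAF product: a Python helper for an origin administrator that takes the block list pasted from the console's WAF IP Segments section, reports which blocks are still missing from the origin's existing allowlist, checks whether a source address is a WAF address, and renders an nftables allowlist that accepts the web port only from WAF. The two lists below are constructed samples, not the full list above.

```python
import ipaddress

# Constructed sample data: the allowlist currently on the origin server (older
# blocks only) and the list copied from the console, which also contains the
# blocks added on April 30, 2020.
EXISTING_ALLOWLIST = ["39.96.130.0/24", "39.96.119.0/24", "47.99.20.0/24"]
CONSOLE_CIDRS = ["39.96.130.0/24,39.96.119.0/24,47.99.20.0/24",
                 "39.96.158.0/24,47.110.182.0/24,120.77.139.0/25,47.102.187.0/25"]


def parse_cidrs(entries):
    """Parse CIDR strings; commas and whitespace are tolerated, as in a console paste.
    strict=True rejects entries with host bits set, which usually indicate a typo."""
    nets = set()
    for entry in entries:
        for token in entry.replace(",", " ").split():
            nets.add(ipaddress.ip_network(token, strict=True))
    return nets


def _sort_key(net):
    return (net.version, int(net.network_address))


def missing_cidrs(existing, console):
    """Return console blocks that no existing allowlist entry fully covers."""
    existing_nets = parse_cidrs(existing)
    missing = []
    for net in sorted(parse_cidrs(console), key=_sort_key):
        covered = any(net.subnet_of(e) for e in existing_nets if e.version == net.version)
        if not covered:
            missing.append(str(net))
    return missing


def is_waf_source(ip, cidrs):
    """True if the source address falls inside one of the back-to-origin blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in parse_cidrs(cidrs) if net.version == addr.version)


def nft_allowlist_rules(cidrs, port=443):
    """Render nftables rules that accept the web port only from WAF blocks and drop
    every other source on that port, so direct access that bypasses WAF is denied."""
    v4 = [str(n) for n in sorted(parse_cidrs(cidrs), key=_sort_key) if n.version == 4]
    lines = ["add table inet filter",
             "add chain inet filter input { type filter hook input priority 0; policy accept; }"]
    if v4:
        lines.append(f"add rule inet filter input ip saddr {{ {', '.join(v4)} }} tcp dport {port} accept")
    lines.append(f"add rule inet filter input tcp dport {port} drop")
    return "\n".join(lines)
```

Re-run missing_cidrs against a fresh console paste whenever new blocks are announced; an empty result means the origin allowlist is current.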