Global Settings allows you to create IP address or CIDR block lists. You can use the feature to associate the lists with Web Application Firewall (WAF) and bot policies in batches and manage them centrally, so that you do not need to enter the same values in multiple rules. List changes are automatically synchronized to all associated policies to ensure global policy consistency.
Benefits
The feature allows you to associate WAF and bot policies with multiple IP address lists at a time. Referencing standardized IP lists keeps policies consistent and reduces the inconsistencies caused by repeated manual input. You can also flexibly create and adjust lists based on business scenarios and reuse the lists across environments. This implements efficient, centralized management and precise hierarchical control of security policies.
Scenarios
After you create a list, you can reference the list when you configure rules for the following features:
When you add the corresponding rule, the match value can reference the IP address or CIDR block list only if the match parameter is set to Client IP and the logical operator is "is in list" or "is not in list" in the If requests match... section.
The match value cannot reference an IP address or CIDR block list across websites. For example, if a list is referenced under the example.com website, the list takes effect for example.com and its subdomains. It does not take effect under a website that does not reference the list.
Create a list
Log on to the ESA console, and in the left-side navigation pane, choose .
On the Lists page, click Create List. In the Create List dialog box, specify List Name and Type, enter a match value in the input field, and then click OK.
Type description
IP Address/CIDR Block: You can configure up to 10 lists. A list can contain up to 500 IP addresses or CIDR blocks. Separate multiple IP addresses or CIDR blocks with commas (,).
ASN: An Autonomous System Number (ASN) uniquely identifies an autonomous system on the Internet. An autonomous system is a group of IP networks and routers controlled by a single network management organization, such as an Internet service provider, enterprise, or large institution. You can query the ASN of a request. For more information, see How do I query the ASN of an IP address? or Instant Logs.
Hostname: The value of the Host header in the request, which determines the requested domain name.
Reference a list
Create a list that contains the IP address of your local server. Then, reference the list in a custom rule whose match parameter is set to Client IP, and set a blocking condition. It is expected that a 403 error page is returned when you use your local server to access a domain name on ESA. This indicates that the rule takes effect on the list.
Reference a list
In the ESA console, choose Websites and click the website name you want to manage.
In the left-side navigation pane, choose . On the WAF page, click the Custom Rules tab. Click Create Rule. On the Create Custom Rule page, specify Rule Name. In the If requests match... section, select Client IP as the match type, select is in list as the match condition, and select the list that you created in the input field.
In the Then execute... section, select Block for Action, select Default Error Page for Error Page, and click OK. The status code 403 cannot be changed.
Perform a test
After the list is referenced, run curl -I http://esa.xxx.top/pic_03.jpg to perform a test. If HTTP status code 403 is returned, the settings meet the expectations.
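The following is an added example, not code from the ESA console or product, that models the two points the page makes: the comma-separated IP Address/CIDR Block list format with its 500-entry limit, and the "is in list" / "is not in list" Client IP operators that a custom rule with a Block action turns into a 403. It is useful for checking a list value before you paste it into the Create List dialog box and for reasoning about which client addresses a rule will block. The sample list value and client addresses are constructed from RFC 5737/3849 documentation ranges; the 403 and 200 codes are the page's expected outcomes, and the 500-entry cap is the limit stated on the page.

```python
import ipaddress

# Limit stated on the page for one IP Address/CIDR Block list.
MAX_ENTRIES_PER_LIST = 500

# Constructed sample list value in the console's comma-separated format
# (documentation ranges only; not a real deployment).
SAMPLE_LIST_VALUE = "203.0.113.0/24, 198.51.100.7, 2001:db8::/32"


def parse_ip_list(text):
    """Parse a comma-separated IP address / CIDR block list value.

    Returns a list of ipaddress network objects (a bare address becomes a
    /32 or /128 network). Raises ValueError for an entry that is neither an
    IP address nor a CIDR block, or when the list exceeds the page's limit.
    """
    networks = []
    for raw in text.split(","):
        entry = raw.strip()
        if not entry:
            continue  # tolerate a trailing comma or extra whitespace
        try:
            # strict=False accepts host bits set in a CIDR block; the page does
            # not state how the console itself validates that case (assumption).
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            raise ValueError(f"invalid IP address or CIDR block: {entry!r}") from exc
    if len(networks) > MAX_ENTRIES_PER_LIST:
        raise ValueError(
            f"{len(networks)} entries exceed the limit of {MAX_ENTRIES_PER_LIST} per list"
        )
    return networks


def client_ip_in_list(client_ip, networks):
    """True when the client address falls inside any entry of the list.

    ipaddress never matches an IPv4 address against an IPv6 network (or vice
    versa), so mixed lists are safe.
    """
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def evaluate_rule(client_ip, operator, networks):
    """Evaluate the If requests match... condition for Client IP.

    operator is the console's "is in list" or "is not in list".
    Returns True when the condition matches, i.e. the Then execute... action runs.
    """
    hit = client_ip_in_list(client_ip, networks)
    if operator == "is in list":
        return hit
    if operator == "is not in list":
        return not hit
    raise ValueError(f"unsupported operator for a list reference: {operator!r}")


def simulate_custom_rule(client_ip, operator, networks):
    """Return the HTTP status code a Block rule would produce for this client.

    Block with the default error page returns 403 (fixed, per the page);
    a non-matching request is passed through, modelled here as 200.
    """
    return 403 if evaluate_rule(client_ip, operator, networks) else 200


if __name__ == "__main__":
    nets = parse_ip_list(SAMPLE_LIST_VALUE)
    for ip in ("203.0.113.77", "198.51.100.7", "198.51.100.8", "2001:db8::1"):
        print(ip, "is in list ->", simulate_custom_rule(ip, "is in list", nets))
```

To reuse this against your own configuration, replace SAMPLE_LIST_VALUE with the exact text you intend to enter in the list's input field; parse_ip_list rejects the entries the console would not accept as IP addresses or CIDR blocks and the 501st entry, and simulate_custom_rule shows whether your local server's address would receive the expected 403 before you run the curl test.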