Security Center: Blacklists and whitelists for automatic access

Last Updated: Jun 02, 2026

Access rules define the scope of server processes connected to Application Protection in automatic access mode. You can configure three types of policies: blacklist, whitelist, and automatic full access. This topic describes the configuration logic, priority, and operational instructions for each rule. These rules are suitable for security O&M scenarios that require fine-grained control over the protection scope and a reduction in false positives.

Blacklist and whitelist rules

How rules take effect

  • Blacklists and whitelists apply only to the automatic access mode and do not affect the manual access mode.

  • Blacklists have a higher priority than whitelists. If a process matches the conditions for both a blacklist and a whitelist, Application Protection does not connect it.

  • Blacklists and whitelists take effect immediately if they are configured before a process is connected. If they are configured after a process is connected, the rules take effect after the process restarts or during the next automatic access. Deleting a blacklist rule takes effect immediately.

Use cases

Blacklist

  Description:

  • Use a blacklist to exclude specific processes from protection. This avoids interference with processes known to be secure or that do not require protection, preventing issues like performance overhead or false positives. Application Protection does not connect any process that matches a blacklist rule.

  • For a blacklist to take effect, you must upgrade the RASP agent to version 1.0.5 or later.

  Use case:

  • Most processes need protection, with only a few exceptions.

  • Application performance is a higher priority than comprehensive protection.

  Process types:

  • Resource-intensive processes, such as databases

  • Trusted system processes

  • Processes with compatibility issues

  • Test environment processes

Whitelist

  Description:

  • Use a whitelist to protect only a specific set of processes. This approach is ideal for securing critical applications with high precision.

    Application Protection connects only processes that match a whitelist rule. If you do not configure any whitelist or blacklist rules, Application Protection automatically connects all processes on the asset.

  • For a whitelist to take effect, you must upgrade the RASP agent to version 0.9.4 or later.

  Use case:

  • Protect only critical processes to follow the principle of least privilege.

  Process types:

  • Highly sensitive business processes

    Enhance security for core business processes, such as payment and user data services, to eliminate security blind spots. For example, you can choose to connect only financial transaction processes like payment_gateway and user_auth_service.

  • Isolation requirements in hybrid environments

    In a multitenancy or hybrid deployment environment, you can limit the protection scope to define responsibility boundaries. For example, you can protect only container processes that belong to a specific customer, such as docker-app-xxx, without connecting processes from other tenants.

Add a blacklist or whitelist

The following steps describe how to add a blacklist. The steps to add a whitelist are similar.

  1. Log on to the Security Center console.

  2. In the left-side navigation pane, choose Protection Configuration > Application Protection. In the upper-left corner of the console, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.

  3. On the Application Configurations tab, click Management Settings in the upper-right corner.

  4. In the Management Settings panel, on the Manage Access Rule tab, click the Blacklist tab, and then click Add Blacklist.

  5. In the Add Blacklist dialog box, configure the following parameters and click OK.

    Rule Name

      Enter a name for the blacklist rule.

    Rule Switch

      The rule is enabled by default.

    Effective Application Type

      Select the application language to which the blacklist applies: Java or PHP.

    Match Condition

      Select a condition to match for the blacklist rule. Valid values:

      • cmdline: Matches processes to exclude based on their command-line parameters. The supported match operators are: contains, does not contain, contains one of multiple values, and does not contain any of the values.

      • Environment Variables: Matches processes to exclude based on the environment variables they access. The only supported match operator is equals.

      • -D parameter: Matches processes to exclude based on the system properties set at Java program startup. The only supported match operator is equals.

        Note: This option is available only when Effective Application Type is set to Java.

      • Container Name: Matches processes to exclude based on the name of the container to which they belong. The supported match operators are: contains, does not contain, contains one of multiple values, and does not contain any of the values.

        Note: This option is available only when Effective Application Type is set to PHP.

      Click Add Condition to add multiple match conditions. The logical relationship between conditions is AND, meaning a process must meet all conditions to match the rule.

      Examples:

      • To exclude processes whose startup parameters contain the string tomcat:

        • For Condition, select cmdline.

        • For Match Mode, select Include.

        • For Content to Match, enter tomcat.

      • To exclude processes whose startup parameters do not contain the strings apache or test:

        • For Condition, select cmdline.

        • For Match Mode, select Does Not Contain Any Value.

        • For Content to Match, enter apache,test.

    Match Mode

      Select a match operator for the rule.

    Match Field

      Enter the field to match.

      Note: This parameter is required only when Match Condition is set to Environment Variables or -D parameter.

    Content to Match

      Enter the content to match.

    Destination Application Groups

      Select the application groups to which this blacklist rule applies. The application type of the selected groups must match the type specified for Effective Application Type.
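The evaluation order described in this topic (blacklist before whitelist, AND between the conditions of one rule) can be modelled locally to predict which processes automatic access would connect before a rule is saved. The following Python model is an added example, not Security Center code. Assumptions: the operator keys and dictionary layout are hypothetical, matching is case-sensitive substring matching with comma-separated multi-values, a process that is not blacklisted is connected when only a blacklist exists, and application type and application group scoping are left out.

```python
# Added illustration, not Security Center code; matching semantics are assumed.
OPERATORS = {
    "contains": lambda v, c: c in v,
    "does_not_contain": lambda v, c: c not in v,
    "contains_any": lambda v, c: any(x in v for x in c.split(",")),
    "contains_none": lambda v, c: not any(x in v for x in c.split(",")),
    "equals": lambda v, c: v == c,
}

def field_value(proc, cond):
    kind = cond["condition"]                # returns None when the field is absent
    if kind in ("cmdline", "container_name"):
        return proc.get(kind)
    if kind in ("env", "d_param"):          # these two take a Match Field
        return proc.get(kind, {}).get(cond["field"])
    raise ValueError(f"unknown condition type: {kind}")

def rule_matches(proc, rule):
    """An enabled rule matches only when ALL of its conditions hold (AND)."""
    if not rule.get("enabled", True):
        return False
    for cond in rule["conditions"]:
        value = field_value(proc, cond)     # assumed: a missing field never matches
        if value is None or not OPERATORS[cond["mode"]](value, cond["content"]):
            return False
    return True

def will_connect(proc, blacklist, whitelist):
    """Predict whether automatic access connects one process."""
    if any(rule_matches(proc, r) for r in blacklist):
        return False                        # blacklist outranks whitelist
    if whitelist:
        return any(rule_matches(proc, r) for r in whitelist)
    return True                             # no whitelist: connect (assumed for blacklist-only)

# Constructed sample rules and processes.
BLACKLIST = [{"conditions": [
    {"condition": "cmdline", "mode": "contains", "content": "tomcat"},
    {"condition": "env", "field": "STAGE", "mode": "equals", "content": "test"}]}]
WHITELIST = [{"conditions": [
    {"condition": "cmdline", "mode": "contains_any", "content": "payment_gateway,user_auth_service"}]}]
PROCS = {
    "pay-prod": {"cmdline": "java -jar payment_gateway.jar", "env": {"STAGE": "prod"}},
    "pay-test": {"cmdline": "java -cp tomcat payment_gateway", "env": {"STAGE": "test"}},
    "batch": {"cmdline": "java -jar report_batch.jar", "env": {"STAGE": "prod"}},
}

def predict(blacklist=BLACKLIST, whitelist=WHITELIST):
    return {name: will_connect(p, blacklist, whitelist) for name, p in PROCS.items()}
```

In the constructed data, pay-test matches both lists and is therefore not connected, while a process that contains tomcat but runs with STAGE=prod fails the second blacklist condition and stays eligible.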

Edit or delete a blacklist or whitelist

  1. Log on to the Security Center console.

  2. In the left-side navigation pane, choose Protection Configuration > Application Protection. In the upper-left corner of the console, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.

  3. On the Application Configurations tab, click Management Settings in the upper-right corner.

  4. In the Management Settings panel, on the Manage Access Rule tab, go to the Blacklist or Application Access Whitelist sub-tab. Find the rule you want to manage and click Edit or Delete in the Actions column.

    You can delete a rule only if no application group is using it. Before deleting a rule, you must first remove it from all associated application groups.

Automatic full access (Java processes only)

Supported scenarios

If you enable pay-as-you-go for Application Protection and do not configure custom on-demand binding, the system by default adds the Java processes on all your assets to Application Protection for management and uses the Slow Access method.

If you have enabled Application Protection but no processes are connected, a dialog box appears with two options: Automatic Full Access and Custom Access. If you select Automatic Full Access, the system uses the Slow Access method by default. You can click Configure Now to change the access method to Fast Access, Regular Access, or Slow Access.

Access methods

Fast Access

  Suitable for environments with a small number of processes and low requirements for application stability. Installation time is short.

Regular Access

  Suitable for environments with a moderate number of processes and low requirements for application stability. Installation time is average.

Slow Access

  Suitable for environments with a large number of processes and high requirements for application stability. Installation time is long.

Stop automatic full access

After you enable Automatic Full Access, you can stop the process at any time. Go to the Application Analysis tab under Protection Configuration. Then, click Stop Accessing in the access status prompt.

Important

After you stop the process, you cannot initiate automatic full access again. Application Protection will not connect servers with an access status of Queuing. Servers with an access status of In Progress will continue the installation.

After stopping the process, you can click View Details in the prompt to check the connection status of the Java processes on your assets.