Web Application Firewall:Configure protection rules for the IP address blacklist to block specific requests

Template types

Step 1: Create a protection template

The IP address blacklist module does not provide an initial default protection template. Before enabling protection rules of the IP address blacklist module, you must create a protection template and add protection rules to the template.

1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.

2. In the left-side navigation pane, choose Protection Configuration > Core Web Protection.

3. In the IP Address Blacklist section of the Core Web Protection page, click Create Template.

4. In the Create Template - IP Address Blacklist panel, configure the parameters and click OK.

   Parameter	Description
   Template Name	Specify a name for the template. The name of the template must be 1 to 255 characters in length and can contain letters, digits, periods (.), underscores (_), and hyphens (-).
   Save as Default Template	You do not need to specify protected objects for a default protection template. By default, all protected objects and groups are selected. You can manually remove them from the default template. Only one default template can be specified for a protection module, and the default template can be specified only when you create a template.
   Rule Configuration	Click Create Rule to create a protection rule for the template. You can also create protection rules after the template is created. For more information, see Step 2: Add protection rules to a protection template.
   Apply To	Select items to which you want to apply the template on the Protected Objects and Protected Object Groups tabs. For more information, see Configure protected objects and protected object groups. A protected object or group can be associated with multiple protection templates. If you set a default protection template, all protected objects and protected object groups are selected by default. If not, no protected objects or groups are selected by default. You can manually modify the selection of protected objects and groups.

   By default, a newly created protection template is enabled. You can perform the following operations on the template in the template list:

   • View the numbers of protected objects and protected object groups that are associated with the template in the Protected Object/Group column.

   • Turn on or turn off the switch in the Status column to enable or disable the template.

   • Click Create Rule in the Actions column to create a protection rule for the template.

   • Click Edit, Delete, or Copy in the Actions column to manage the template.

   • Click the icon to the left of the template name to view the protection rules in the template.

Step 2: Add protection rules to a protection template

A protection template takes effect only after you add protection rules to the template. If you created protection rules when you created the protection template, skip this step.

1. In the IP Address Blacklist section, find the protection template to which you want to add protection rules and click Create Rule in the Actions column.

2. In the Create Rule dialog box, configure the parameters and click OK.

   Parameter	Description
   Rule Name	Specify a name for the rule. The name of the rule can contain letters, digits, periods (.), underscores (_), and hyphens (-).
   IP Address Blacklist	Add IP addresses to the blacklist. Once the rule takes effect, requests originating from IPs in this list will match the rule and be blocked. The requirements are as follows: IPv4 and IPv6 addresses are supported, such as 1.1.XX.XX and 2001:XXXX:ffff:ffff:ffff:ffff:ffff:ffff. IPv4 and IPv6 CIDR blocks are supported, such as 1.1.XX.XX/16 and 2001:XXXX:XXXX:XXXX::/64. Press Enter to confirm after entering each IP address. Supports a maximum of 200 IP addresses.
   Action	Select the action that you want WAF to perform on the requests that match the rule. Valid values: Block: blocks a request that matches the rule and returns a block page to the client that initiates the request. Note By default, WAF returns a preconfigured block page. You can use the custom response feature to configure a custom block page. Monitor: records a request that matches the rule in a log and does not block the request. You can query the logs of requests that match the rule and analyze the protection performance. For example, you can query logs to check whether normal requests are blocked. Important You can query logs only if the Simple Log Service for WAF feature is enabled. If you select Monitor, you can perform a dry run on the rule to check whether the rule blocks normal requests. If the rule passes the dry run, you can set the Action parameter to Block. Note On the Security Reports page, you can query the details of matched rules in Monitor or Block mode. For more information, see Security reports.

   By default, a newly created protection rule is enabled. You can perform the following operations on the rule in the rule list:

   • View the rule ID and action in the Rule ID and Action columns.

   • Turn on or turn off the switch in the Status column to enable or disable the rule.

   • Click Edit or Delete in the Actions column to modify or delete the rule.

References

• Protection configuration overview: Provides information about protected objects, protection modules, and protection processes.

• CreateDefenseTemplate: Creates a protection template.

• CreateDefenseRule: Creates a protection rule for the IP address blacklist module. When calling this operation, you must set the DefenseScene parameter to ip_blacklist and configure the rule content.