When your web application is targeted by attacks from specific IP addresses, you can use the WAF IP blacklist module to block those IPs and protect your services.
Applicable scenarios
The WAF IP blacklist module is designed for scenarios where you need to precisely block known malicious IPs or specific IP ranges.
Recommended scenarios
Block known attack sources: When log analysis or security exercises confirm that a specific IP is a scanner, crawler, brute-force tool, or botnet node, add it to the blacklist to block traffic directly.
Temporary emergency blocking: When facing a sudden attack from a small number of fixed IPs, you can quickly create a blacklist rule as an initial defensive measure while you conduct deeper analysis.
Compliance or regional restrictions: If your organization needs to comply with data sovereignty requirements or enforce regional access restrictions, and you only need to block specific IP ranges, use the IP blacklist module.
Not recommended scenarios
Attackers using dynamic IPs: If attackers use a large number of dynamic IPs, public proxies (such as in CC attack scenarios), or cloud functions to send requests, relying solely on an IP blacklist is ineffective. We recommend using CC protection or the rate limiting feature of the custom rule module instead.
Differentiating user behaviors by request details: If you need to handle requests differently based on request paths, parameters, or headers, the IP blacklist module cannot meet this requirement. Use the custom rule module instead.
Key concepts
IP Address Blacklist: A protection module within Web Core Protection. Before enabling this module, you must create a protection template. The system supports multiple protection templates.
Protection template: A collection of protection rules that define specific rule logic and scope. A protection template consists of the following three parts: template type, protection rules, and effective objects.
Template type: You must specify a template type when creating a protection template. The type cannot be changed after creation. There are two template types:
Template type | Description | Applicable scenario
Default protection template | Applies to all protection objects automatically. You can manually exclude specific objects (set them to "Not Effective"). Only one default protection template can be created for the IP blacklist module. | Deploy general protection rules that need to be applied globally.
Custom protection template | You must manually specify the protection objects or object groups for the template to take effect. | Deploy fine-grained protection rules for specific services (such as login or payment APIs).
Protection rule: Defines specific detection logic and response actions. A protection template can contain multiple protection rules. Each rule consists of the following two parts:
IP address blacklist: Specifies the client IP addresses or IP ranges to block or monitor.
Rule Action: Defines the action to take when a request matches the rule. Supports Block and Monitor.
Effective objects: Specifies the targets to which the protection template applies. Through effective object settings, protection rules are applied to specific protection objects or protection object groups. A single protection object or object group can be associated with multiple protection templates.
Protection object: Each domain name or cloud service instance that is connected to WAF automatically has a protection object created for it.
Protection object group: You can add multiple protection objects to a protection object group for centralized management.
Procedure
Before you begin, make sure that protection objects exist (your web services are connected to WAF). If you have not connected your services, see Connect web services to WAF.
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of your WAF instance (Chinese Mainland or Outside Chinese Mainland). In the left-side navigation pane, choose .
Step 1: Configure the protection template type
On the Core Web Protection page, go to the IP Address Blacklist section and click Create Template. Then, configure the following parameters.
Template Name: Enter a name for the template.
Save as Default Template: The IP blacklist module allows only one default protection template, which can only be set when creating a new template.
Yes: No need to configure Apply To. A default template applies to all protection objects automatically. See Key Concepts for details.
No: You must configure Apply To to manually specify the protection objects or object groups for the template to take effect.
Step 2: Add protection rules to the template
In the Rule Configuration section, click Create Rule and configure the following parameters.
Rule Name: Enter a name for the rule.
IP Address Blacklist: Specify the client IP addresses or IP ranges to block or monitor. Follow these guidelines:
Supports both IPv4 and IPv6 addresses (for example, 1.1.XX.XX and 2001:XXXX:ffff:ffff:ffff:ffff:ffff:ffff).
Supports both IPv4 CIDR blocks and IPv6 CIDR blocks (for example, 1.1.XX.XX/16 and 2001:XXXX:XXXX:XXXX::/64).
Press Enter after entering each IP address.
You can add up to 200 IP addresses.
Rule Action: Select the action to take when a request matches the rule.
Block: Blocks the request and returns a block page to the client.
Note: By default, WAF uses a unified block response page. You can also use the custom response feature to define your own block response page.
Log: Does not block the request but logs the match. When testing a rule, you can first use Log mode to analyze WAF logs and verify that no false positives occur, and then change to another action.
Step 3: Set effective objects for the template
In the Apply To section, select the protection objects and protection object groups to which the template applies.
How the template takes effect depends on your configuration in Step 1:
Set as default protection template: A default template applies to all protection objects automatically. See Key Concepts for details.
Not set as default protection template: You must manually configure the effective protection objects and protection object groups.
You can manually adjust the effective status of protection objects or protection object groups both during template creation and after the template is created.
Step 4: Verify the configuration
To verify the rule is working, send a test request from a blacklisted IP address and confirm that the request is blocked. You can also check the WAF logs for match records.
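The entry guidelines in Step 2 (one IPv4/IPv6 address or CIDR block per line, at most 200 entries) are easy to get wrong when a list is assembled from log analysis. The following is an added example, not code from the guide or from WAF itself: it validates a candidate list before it is pasted into the console and collapses redundant or adjacent entries so the 200-entry budget is not wasted. The sample entries are constructed from documentation address ranges, and the `strict=False` handling of host bits inside a CIDR entry is an assumption, since the guide does not say how the console treats such input.

```python
import ipaddress
from typing import List, Union

MAX_ENTRIES = 200  # per-rule limit stated in the guide

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_blacklist(text: str) -> List[Network]:
    """Validate one IP address or CIDR block per line (the console expects Enter after each).

    Accepts IPv4/IPv6 addresses and IPv4/IPv6 CIDR blocks and rejects anything else,
    reporting the offending line number. Plain addresses become /32 or /128 networks.
    """
    networks: List[Network] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue  # blank line: nothing to add
        try:
            # strict=False tolerates host bits set in a CIDR entry (1.1.2.3/16 -> 1.1.0.0/16).
            # Assumption: the guide does not state how the console treats such entries.
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            raise ValueError(
                f"line {lineno}: {entry!r} is not an IPv4/IPv6 address or CIDR block"
            ) from exc
    if len(networks) > MAX_ENTRIES:
        raise ValueError(f"{len(networks)} entries exceed the limit of {MAX_ENTRIES}")
    return networks


def collapse(networks: List[Network]) -> List[str]:
    """Merge overlapping or adjacent entries per address family.

    A /32 that already sits inside a listed /24 is dropped, and two adjacent
    halves of a block are merged, which keeps the list short and free of duplicates.
    """
    v4 = [n for n in networks if n.version == 4]
    v6 = [n for n in networks if n.version == 6]
    merged = list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))
    return [str(n) for n in merged]


# Constructed sample list using documentation address ranges, not values from the guide.
SAMPLE = """\
203.0.113.7
203.0.113.0/24
2001:db8::1
2001:db8::/32
192.0.2.0/25
192.0.2.128/25
"""

if __name__ == "__main__":
    nets = parse_blacklist(SAMPLE)
    print(f"{len(nets)} valid entries, collapsed to: {collapse(nets)}")
```

Run it against the list you intend to paste; a ValueError names the first bad line, and the collapsed output is what you should enter, since the redundant rows would otherwise count against the 200-entry limit without adding coverage.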
Routine management
Manage protection templates
Newly created protection templates are enabled by default. You can perform the following operations in the protection template list:
View the number of protected objects and object groups (Protected Object/Group) associated with the template.
Enable or disable the template by using the Status toggle.
Click Create Rule to add rules to the template.
Edit, Delete, or Copy the protection template.
Click the icon to the left of the template name to view the rules contained in the template.
Manage protection rules
Newly created rules are enabled by default. You can perform the following operations in the rule list:
View information such as Rule ID and Rule Condition.
Enable or disable the rule by using the Status toggle.
Edit or Delete a rule.
FAQ
Why does the configured IP blacklist rule not take effect?
If you have configured an IP blacklist template but protection is not working, troubleshoot in the following order:
Check the template status and effective objects
Make sure that both the IP blacklist template and its rules are in the "Enabled" state, and that the effective objects are correctly configured and active.
Check whitelist configurations
The IP whitelist takes priority over the blacklist. Check whether any whitelist rules match the current traffic. If the traffic matches a whitelist rule, WAF skips the IP blacklist check.
Check Layer 7 proxy configurations
If a Layer 7 proxy such as a CDN is deployed in front of WAF, make sure that the Is a Layer 7 proxy such as Anti-DDoS Proxy or CDN deployed in front of WAF option is set to Yes in the access configuration. Incorrect configuration prevents WAF from obtaining the actual client IP address, causing IP-based blacklist rules to fail. For configuration details, see Real client information.
Verify WAF protection for all ports
Ensure that all service ports are added to WAF. For example, if an ECS instance added in cloud native mode uses HTTP port 80 and HTTPS port 443, you must add both ports to WAF. This is required even if a force redirect rule is configured on the origin server. Otherwise, traffic to the unadded port bypasses WAF and reaches the origin server directly.
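Two of the checks above (whitelist precedence and the Layer 7 proxy setting) are easier to reason about with a small model of the evaluation order. The following is an added example, not WAF's own logic or code from the guide: it resolves the client address the way a proxy-aware WAF must (the connection's source address when no proxy is in front; otherwise the right-most X-Forwarded-For hop that is not itself a trusted proxy), then applies whitelist before blacklist and returns the rule's configured Block or Log action. The trusted-proxy list, the `resolve_client_ip`/`evaluate` names and the sample addresses (documentation ranges) are assumptions constructed for the example; the guide only exposes a Yes/No proxy switch.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def to_networks(entries: List[str]) -> List[Network]:
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def in_any(addr: str, networks: List[Network]) -> bool:
    ip = ipaddress.ip_address(addr)
    # An IPv6 address is never contained in an IPv4 network and vice versa.
    return any(ip in n for n in networks)


def resolve_client_ip(src_ip: str, xff: Optional[str], l7_proxy_in_front: bool,
                      trusted_proxies: List[Network]) -> str:
    """Pick the address that blacklist and whitelist rules are matched against.

    With no Layer 7 proxy in front, the connection's source address is the client.
    With a CDN/proxy in front, the source address belongs to the proxy, and the
    client is the right-most X-Forwarded-For hop that is not itself a trusted proxy
    (each trusted hop appends the address it received the connection from).
    A header arriving directly from a non-proxy source is never honoured, so a
    client cannot pick its own identity. Assumption: the trusted-proxy list is
    this example's addition; the guide exposes only a Yes/No switch.
    """
    if not l7_proxy_in_front or not xff or not in_any(src_ip, trusted_proxies):
        return src_ip
    for hop in reversed(xff.split(",")):
        hop = hop.strip()
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            continue  # malformed hop: ignore it
        if not in_any(str(ip), trusted_proxies):
            return str(ip)
    return src_ip  # every hop was a trusted proxy; fall back to the source address


def evaluate(request: Dict[str, str], whitelist: List[Network], blacklist: List[Network],
             action: str, l7_proxy_in_front: bool,
             trusted_proxies: List[Network]) -> Tuple[str, str, str]:
    """Return (decision, matched_ip, reason).

    The whitelist is checked first and wins; otherwise a blacklist hit yields the
    rule's configured action ("Block" or "Log"); anything else passes.
    """
    ip = resolve_client_ip(request["src_ip"], request.get("x_forwarded_for"),
                           l7_proxy_in_front, trusted_proxies)
    if in_any(ip, whitelist):
        return ("Pass", ip, "whitelist")
    if in_any(ip, blacklist):
        return (action, ip, "blacklist")
    return ("Pass", ip, "no match")


# Constructed sample data (documentation ranges), not values from the guide.
TRUSTED_CDN = to_networks(["198.51.100.0/24"])            # CDN egress range in front of WAF
BLACKLIST = to_networks(["203.0.113.7", "2001:db8::/32"])  # rule's IP address blacklist
WHITELIST = to_networks(["203.0.113.200"])                 # IP whitelist, checked first
VIA_CDN = {"src_ip": "198.51.100.20", "x_forwarded_for": "203.0.113.7"}

if __name__ == "__main__":
    for flag in (False, True):
        result = evaluate(VIA_CDN, WHITELIST, BLACKLIST, "Block", flag, TRUSTED_CDN)
        print(f"Layer 7 proxy option = {flag}: {result}")
```

With the proxy option off, the request that really came from the blacklisted 203.0.113.7 is matched against the CDN node's address and passes, which is exactly the "rule does not take effect" symptom described above; with the option on, the same request is blocked, and a request whose resolved address is whitelisted passes without the blacklist ever being consulted.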
Does configuring an IP blacklist rule for a pay-as-you-go WAF reduce traffic fees?
Configuring an IP blacklist rule does not reduce WAF traffic fees. Requests that are blocked by an IP blacklist are still processed by WAF and contribute to your Queries Per Second (QPS), which incurs processing fees. However, these requests are not forwarded to the origin server. Adding known malicious IP addresses to the blacklist is an effective way to reduce the load on your origin server.
What is the difference between an IP blacklist and custom rules?
The main differences between IP blacklists and custom rules are as follows:
1. Differences in matching conditions
IP blacklist: Supports matching based on a single condition: the source IP address or IP address segment of a client.
Custom rules: Support multi-condition matching based on multiple HTTP fields, such as source IP, URL, request headers (such as User-Agent and Referer), and request parameters. Custom rules also support access frequency limits.
2. Actions
IP blacklist: When a rule is matched, only the Block and Log actions are supported.
Custom rules: Support various actions. In addition to the Block and Log actions, custom rules support other actions, such as Captcha and JavaScript validation.
3. Scenarios
IP blacklist: Used to globally block known malicious IP addresses or IP addresses from specific regions.
Custom rules: Used for precise protection and fine-grained access control that targets specific URL paths, request features, or high-frequency access behavior.
Can I view the records for attacks that hit an IP blacklist rule?
Yes. For every request that hits the rule, the system generates a corresponding attack record and displays it in Security reports.