After you add your services to Web Application Firewall (WAF), you can configure region blocking rules to effectively mitigate regional malicious traffic by blocking access requests from specific countries or regions. This topic describes how to create region blocking rules.
Key concepts
- Geo-blocking: One of the protection modules in Core Web Protection, implemented based on an IP geolocation database. The system extracts the real IP address of the client and queries the built-in database to identify the country or province to which it belongs. You must create a protection template before enabling this module. The system supports multiple protection templates.
- Protection template: A collection of protection rules that define specific rule content and scope. It consists of the following three parts: template type, protection rules, and target objects.
- Template type: You must specify a type when creating a protection template, and it cannot be changed after creation. Template types are classified into the following two categories:

  Default protection template
    Description:
    - By default, the template applies to all protected objects and object groups upon creation. Subsequently added objects are also automatically included.
    - You can manually exclude specific objects (set them to "Not in effect").
    - Only one default protection template can be created under the Region Blocking module.
    Applicable scenarios: Deploy general protection rules that need to be applied globally.

  Custom protection template
    Description: You must manually specify the protected objects or object groups to which the template applies.
    Applicable scenarios: Deploy fine-grained protection rules for specific business scenarios (such as logon and payment APIs).
- Protection rules: Define specific detection logic and response actions. A protection rule consists of the following two parts:
  - Blocked regions: Specify the geographic location of the client IP addresses to be blocked or monitored.
  - Rule Action: Defines the action to take after a rule is matched. Supports Block and Monitor.
- Target objects: Specify the application targets of the protection template. By configuring target objects, you apply protection rules to specific protected objects or protected object groups. A protected object or object group can be associated with only one region blocking protection template.
  - Protected object: Each domain name or cloud service instance added to WAF automatically has a protected object created for it.
  - Protected object group: You can add multiple protected objects to a protected object group for centralized management.
Procedure
- Prerequisites: Before performing the following steps, make sure that protected objects exist (your web services have been added to WAF). If you have not added your services to WAF, see Overview.
- Correct configuration when a proxy is deployed in front of WAF: The effectiveness of this feature depends on whether WAF can accurately obtain the real IP address of the client. If Layer 7 proxy devices such as CDN or Anti-DDoS Pro/Premium are deployed in front of WAF, you must set the "Is a Layer 7 proxy such as Anti-DDoS Proxy or CDN deployed in front of WAF" option to "Yes" when configuring asset access. Incorrect configuration will prevent WAF from obtaining the real client IP, causing the protection to fail. For more information, see Real client information.
Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region (Chinese Mainland or Outside Chinese Mainland) of your WAF instance. In the left-side navigation pane, choose .
Step 1: Configure the protection template type
On the Core Web Protection page, click Create Template in the Geo-blocking section, and complete the following configurations.
- Template Name: Specify a name for the template.
- Save as Default Template: Only one default template can be set for the Region Blocking module, and it can be set only when you create a new template.
  - Yes: You do not need to configure Apply To. Upon creation, the template applies to all protected objects and object groups by default. Subsequently added objects are also automatically included. You can manually exclude specific objects (set them to "Not in effect").
  - No: You must configure Apply To to manually specify the protected objects or object groups to which the template applies.
Step 2: Configure protection rules in the protection template
In the Rule Configuration section, complete the following configurations.
- Rule Action: Select the protection action to take when a request matches the rule.
  - Block: Blocks requests that match the rule and returns a block page to the client that initiated the request.
    Note: WAF uses a unified block page by default. You can also customize the block page by using the custom response feature.
  - Log: Does not block requests that match the rule, but only records the matches in logs. When testing a rule, you can first use the Log mode and analyze WAF logs to confirm that no legitimate requests are incorrectly blocked, and then adjust the rule action accordingly.
- Blocked regions: Specify the geographic location of the client IP addresses to be blocked or monitored. The configuration granularity is as follows:
  - China: Supports configuration at the province level (for example, Henan), but not at the prefecture-level city level (for example, Zhengzhou).
  - Outside China: Supports configuration at the country or first-level administrative division level (for example, Okinawa Prefecture in Japan, or Washington State in the United States).
Step 3: Configure target objects for the protection template
In the Apply To section, select the protected objects and protected object groups to which you want to apply the template.
The way the template takes effect depends on the configuration in Step 1:
- Set as default protection template: You do not need to configure target objects. Upon creation, the template applies to all protected objects and object groups by default. Subsequently added objects are also automatically included. You can manually exclude specific objects (set them to "Not in effect").
- Not set as default protection template: You must manually configure the protected objects and protected object groups to which the template applies.
You can manually adjust the effective status of protected objects or protected object groups both during and after template creation.
Routine operations
Manage protection templates
Newly created protection templates are enabled by default. You can perform the following operations in the protection template list:
- View the number of Protected Object/Group associated with the template.
- Use the Status toggle to enable or disable the template.
- Edit, Delete, or Copy the protection template.
- Click the icon to the left of the protection template name to view the rules contained in the protection template.
Manage protection rules
Newly created rules are enabled by default. You can perform the following operations in the rule list:
- View the Rule ID and other information.
- Use the Status toggle to enable or disable a rule.
FAQ
Does region blocking support configuration for specific URL paths or "domain + path" combinations?
No. The Region Blocking module works only based on IP geolocation (country or province) and cannot be configured at the URL path level.
Can configuring region blocking on a pay-as-you-go WAF instance reduce WAF traffic costs?
No. Region blocking only prevents matched traffic from being forwarded to backend servers. However, this traffic has already reached WAF and is still counted toward WAF traffic costs.
After configuring region blocking, why can IPs from the specified countries/regions still access my services?
If IPs from the specified countries or regions can still access your services after configuring region blocking, perform the following troubleshooting steps:
- Check the protection template configuration: Confirm that the target protection template is enabled, the rule action is set to "Block", and the template is correctly associated with the target protected object.
- Check whitelist rules: The whitelist module has a higher priority than the Region Blocking module. Check whether a whitelist rule has been configured that allows the related requests to pass through.
- Check the Layer 7 proxy access configuration: The effectiveness of the region blocking feature depends on whether WAF can accurately obtain the real IP address of the client. If Layer 7 proxy devices such as CDN or Anti-DDoS Pro/Premium are deployed in front of WAF, you must set the "Is a Layer 7 proxy such as Anti-DDoS Proxy or CDN deployed in front of WAF" option to "Yes" in the asset access configuration. If this is misconfigured, WAF cannot obtain the real client IP. For more information, see Real client information.
After a WAF region blocking rule is triggered, can individual IPs be unblocked or have traffic gray-forwarded?
- Manual unblocking of individual IPs is not supported. If you need to allow a specific IP, use the Whitelist module to make it bypass the Region Blocking module.
- Gray forwarding of traffic to different SLB instances based on region is not supported. Region blocking provides only "Block" and "Monitor" actions and does not have traffic scheduling capabilities.
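The following is an added example, not code from this page or from the WAF product, that models the decision logic described above: real client IP extraction when a Layer 7 proxy is in front of the WAF, the Whitelist module taking priority over Region Blocking, the Block and Monitor actions, and the "template enabled and associated with the protected object" checks from the FAQ. It shows why the proxy switch matters: with it off, the WAF geolocates the CDN node instead of the client and the rule never matches. The geolocation table, the trusted proxy range, the region names attached to the documentation address ranges and the rightmost-untrusted X-Forwarded-For walk are all assumptions of this toy, not a description of how the WAF implements its lookup.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set, Tuple

# Constructed geolocation table: IETF documentation ranges mapped to regions at the
# granularity the page describes (country/province). Not real geodata.
GEO_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "China/Henan",
    ipaddress.ip_network("198.51.100.0/24"): "Japan/Okinawa",
    ipaddress.ip_network("203.0.113.0/24"): "United States/Washington",
}

# Constructed: the address range of the Layer 7 proxy (CDN) deployed in front of the WAF.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]


def lookup_region(ip: str) -> Optional[str]:
    """Map an IP address to its region using the toy table; None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, region in GEO_TABLE.items():
        if addr in net:
            return region
    return None


def real_client_ip(peer_ip: str, xff: Optional[str], layer7_proxy_in_front: bool) -> str:
    """Pick the address the geo lookup should use.

    With the proxy switch off, the TCP peer is taken to be the client. With it on,
    X-Forwarded-For is walked from the right and the first hop that is not one of
    our trusted proxies is returned (the leftmost entry is under the sender's
    control, so a rightmost-untrusted walk is the safe choice). This is an
    assumption of the toy, not a statement of how the WAF product does it.
    """
    if not layer7_proxy_in_front or not xff:
        return peer_ip
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            continue  # malformed hop: ignore it rather than trust it
        if not any(addr in net for net in TRUSTED_PROXIES):
            return hop
    return peer_ip


@dataclass
class Template:
    name: str
    action: str               # "Block" or "Monitor"
    blocked_regions: Set[str]
    applies_to: Set[str]      # protected objects the template is associated with
    enabled: bool = True


@dataclass
class Request:
    protected_object: str
    peer_ip: str
    xff: Optional[str] = None


def evaluate(req: Request, tpl: Template, whitelist: Set[str],
             layer7_proxy_in_front: bool) -> Tuple[str, Optional[str]]:
    """Return (decision, region); decision is "pass", "block" or "monitor"."""
    client_ip = real_client_ip(req.peer_ip, req.xff, layer7_proxy_in_front)
    region = lookup_region(client_ip)
    # The Whitelist module has priority over Region Blocking, so it is checked first.
    if client_ip in whitelist:
        return "pass", region
    # A disabled template, or one not associated with this protected object, has no effect.
    if not tpl.enabled or req.protected_object not in tpl.applies_to:
        return "pass", region
    if region in tpl.blocked_regions:
        return ("block" if tpl.action == "Block" else "monitor"), region
    return "pass", region


def demo() -> Dict[str, str]:
    """Walk the FAQ's troubleshooting cases on one constructed request."""
    tpl = Template("geo-block-demo", "Block", {"Japan/Okinawa"}, {"www.example.com"})
    # Constructed request: a client at 198.51.100.7 (Japan/Okinawa in the toy table)
    # reaches the WAF through the CDN node 203.0.113.10, which adds X-Forwarded-For.
    req = Request("www.example.com", peer_ip="203.0.113.10", xff="198.51.100.7")
    return {
        # Proxy switch off: the WAF geolocates the CDN node, so the rule never matches.
        "proxy_switch_off": evaluate(req, tpl, set(), layer7_proxy_in_front=False)[0],
        "proxy_switch_on": evaluate(req, tpl, set(), layer7_proxy_in_front=True)[0],
        "whitelisted": evaluate(req, tpl, {"198.51.100.7"}, layer7_proxy_in_front=True)[0],
        "monitor_mode": evaluate(req, replace(tpl, action="Monitor"), set(), True)[0],
        "not_associated": evaluate(req, replace(tpl, applies_to={"other.example.com"}), set(), True)[0],
        "disabled": evaluate(req, replace(tpl, enabled=False), set(), True)[0],
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:18} -> {decision}")
```

Running the script prints one decision per troubleshooting case; the first two lines are the ones to compare, since the same request is blocked only when the proxy switch is on and the real client address is used for the lookup.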