Web Application Firewall (WAF) provides the region blacklist module. The module can identify the source regions of requests. You can configure the module to block or allow requests from the specified regions. This way, malicious requests can be blocked by region. This topic describes how to enable and configure the region blacklist module.

Prerequisites

Default protection template

By default, the region blacklist module is disabled. No default protection templates are provided.

Before you can enable the region blacklist module, you must create a region blacklist template and configure protection rules. For more information, see Create a region blacklist template.

Create a region blacklist template

To create a region blacklist template, perform the following steps:

  1. Log on to the WAF 3.0 console.
  2. In the top navigation bar, select the resource group and the region to which the WAF instance belongs. You can select the Chinese Mainland or Outside Chinese Mainland region.
  3. In the left-side navigation pane, choose Protection Configuration > Protection Rules.
  4. Create a template.
    • If you have not created a region blacklist template, click Configure Now in the Region Blacklist card in the upper part of the Protection Rules page. You can also click Create Template in the Region Blacklist section in the lower part of the Protection Rules page.
    • If you have created a region blacklist template, you can click Create Template in the Region Blacklist section at the lower part of the Protection Rules page.
  5. In the Create Template - Region Blacklist panel, configure the following parameters.
    Create Template - Region Blacklist
    Parameter Description
    Template Name Enter a name for the template.

    The name can contain letters, digits, and underscores (_).

    Save as Default Template Specify whether to set this template as the default template for the protection module.

    You can specify only one default template for a protection module. If you turn on Save as Default Template, you do not need to configure the Apply To parameter. The default template is applied to all protected objects and protected object groups that do not have templates specified, including the protected objects and protected object groups that are newly created and whose templates have been removed.

    Action Select the action that is performed when a request matches the rule. Valid values:
    • Block: blocks the request that matches the rule and returns a block page to the client that sends the request.
      Note By default, WAF returns a preconfigured block page. You can use the custom response feature to configure a custom block page. For more information, see Configure the custom response module.
    • Monitor: records the request that matches the rule in logs. The request is not blocked. You can query logs about the requests that match the rule and analyze the protection performance. For example, you can check whether normal requests are blocked based on logs.
      Notice You can query logs only when the Log Service for WAF feature is enabled. For more information, see Enable the Log Service for WAF feature.

      In Monitor mode, you can check the protection performance of the rule and check whether the rule blocks normal requests. Then, you can determine whether to set Action to Block based on the check results.

    Note You can query the details about matched rules in Monitor and Block modes on the Security Reports page. For more information, see Security reports.
    Blocked Regions The regions that are blocked in China and outside China are displayed.
    Select Regions to Block Select the regions to be blocked. You can select regions on the China and Outside China tabs. The selected regions are displayed in the Blocked Regions section.
    Apply To Select the protected objects and protected object groups to which you want to apply the template.

    You can apply only one template of the protection module to a protected object or a protected object group.

    For more information about how to manage protected objects and protected object groups, see Manage protected objects and Manage protected object groups.

  6. Click OK.
    After the region blacklist template is created, you can view the region blacklist template and the numbers of protected objects and protected object groups to which the region blacklist template is applied in the Region Blacklist section.

    By default, the newly created region blacklist template is enabled. You can turn on or turn off the switch in the Status column to enable or disable the region blacklist template. You can also modify or delete the region blacklist template. If you want to view the rules that are included in the region blacklist template, click the icon icon next to the name of the region blacklist template.

    Region Blacklist