Configure the IP address blacklist module - Web Application Firewall

The IP address blacklist module blocks requests from specified IPv4 addresses, IPv6 addresses, or CIDR blocks. You can specify the IP addresses or CIDR blocks based on your business requirements. By default, the IP address blacklist module is disabled. This topic describes how to enable and configure the IP address blacklist module.

Prerequisites

WAF 3.0 is activated.
For more information, see Activate WAF 3.0.
Services are added as protected objects of WAF 3.0.
For more information, see Manage protected objects.

Default protection template

By default, the IP address blacklist module is disabled. No default protection templates are provided.

Before you can use the IP address blacklist module, you must create an IP address blacklist template and configure rules in the template. For more information, see Create an IP address blacklist template.

Create an IP address blacklist template

If you configure the IP address blacklist module for the first time, you must create an IP address blacklist template.

To create an IP address blacklist template, perform the following steps:

Log on to the WAF 3.0 console.
In the top navigation bar, select the resource group and region to which the WAF instance belongs. You can select the Chinese Mainland or Outside Chinese Mainland region.
In the left-side navigation pane, choose Protection Configuration > Protection Rules.
In the IP Address Blacklist section, click Create Template.

In the Create Template - IP Address Blacklist panel, configure the following parameters.


Parameter	Description
Template Name	Enter a name for the template. The name can contain letters, digits, and underscores (_).
Save as Default Template	Specify whether to set this template as the default template for the protection module. You can set only one default template for a protection module. If you turn on Save as Default Template, you do not need to configure Apply To. A default template takes effect on both the protected objects and protected object groups to which no templates are applied. The protected objects include new protected objects and protected objects that are removed from specific templates. The protected object groups include new protected object groups and protected object groups that are removed from specific templates.
Rule Configuration	Click Create Rule to create an IP address blacklist rule for the template. You can also configure an IP address blacklist rule after the template is created. For more information about how to create an IP address blacklist rule, see Create an IP address blacklist rule.
Apply To	Select the protected objects and protected object groups to which the template is applied. You can apply a protected object or protected object group to only one template of the protection module. For more information about how to add protected objects and protected object groups, see Manage protected objects and Manage protected object groups.

Click OK.
After the IP address blacklist rule template is created, you can view the IP address blacklist template and the numbers of protected objects and protected object groups to which the IP address blacklist template is applied in the IP Address Blacklist section.
By default, the newly created IP address blacklist template is enabled. You can turn on or turn off the switch in the Status column to enable or disable the IP address blacklist template. You can also modify or delete the IP address blacklist template. If you want to view the rules that are included in the IP address blacklist template, click the icon next to the name of the IP address blacklist template.
After an IP address blacklist rule is enabled, WAF blocks the requests that are initiated from the IP addresses in the blacklist and are destined for protected objects. The protected objects are specified by the Apply To parameter in the blacklist. If you do not want WAF to block the requests from a specified IP address, disable or delete the IP address blacklist rule for the IP address.

Create an IP address blacklist rule

You can create an IP address blacklist rule when you create an IP address blacklist template. You can also create an IP address blacklist rule after you create an IP address blacklist template. You can use an IP address blacklist template. to defend against attacks only after protection rules are configured for the protection template.

To create a protection rule for an IP address blacklist template, perform the following steps:

Log on to the WAF 3.0 console.
In the top navigation bar, select the resource group and region to which the WAF instance belongs. You can select the Chinese Mainland or Outside Chinese Mainland region.
In the left-side navigation pane, choose Protection Configuration > Protection Rules.
In the IP Address Blacklist section, find the IP address blacklist template for which you want to create a protection rule and click Create Rule in the Actions column.

In the Add Rule dialog box, configure the following parameters.


Parameter	Description
Rule Name	Enter a name for the rule. The name can contain letters, digits, and underscores (_).
IP Address Blacklist	Enter IP addresses. If a request is sent from one of the specified IP addresses, the request matches the protection rule. You can enter the IP address based on the following descriptions: You can enter IPv4 addresses and IPv6 addresses. IPv4 address example: `1.XX.XX.1`. IPv6 address example: `2001:db8:ffff:ffff:ffff:ffff:ffff:ffff`. You can enter CIDR blocks, such as `1.XX.XX.1/16`. You must press Enter each time you enter an IP address. You can enter up to 200 IP addresses.
Action	Select the action that is performed when a request matches the rule. Valid values: Block: blocks the request that matches the rule and returns a block page to the client that initiates the request. Note By default, WAF uses a unified block page. You can use the custom response feature to configure a custom block page. For more information, see Configure the custom response module. Monitor: records the request that matches the rule in logs. The request is not blocked. You can query logs for the requests that match the rule and analyze the protection performance, such as whether normal requests are blocked. Notice You can query logs only when the Log Service for WAF feature is enabled. For more information, see Enable the Log Service for WAF feature. In Monitor mode, you can test the protection performance of the rule and check whether the rule blocks normal requests. Then, you can determine whether to set Action to Block. Note You can query the details of matched rules in Monitor and Block modes on the Security Reports page. For more information, see Security reports.

Click OK.
After the IP address blacklist rule is created, you can click the icon next to the name of the IP address blacklist template in the IP Address Blacklist section to view the newly created rule and other rules that are included in the template.
By default, the newly created IP address blacklist rule is enabled. You can turn on or turn off the switch in the Status column to enable or disable the IP address blacklist rule. You can also modify or delete the IP address blacklist rule.