
Web Application Firewall: Configure IP address blacklist rules to block specific requests

Last Updated: Feb 22, 2024

After you add your web services to Web Application Firewall (WAF), you can configure IP address blacklist rules to block requests from specific IP addresses or CIDR blocks. This topic describes how to create an IP address blacklist rule template and IP address blacklist rules for the template.

Prerequisites

Step 1: Create an IP address blacklist rule template

WAF does not provide a default IP address blacklist rule template. Before you can enable an IP address blacklist rule, you must create an IP address blacklist rule template.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.

  2. In the left-side navigation pane, choose Protection Configuration > Protection Rules.

  3. In the lower part of the Protection Rules page, click Create Template in the IP Address Blacklist section.

    Note

    If no IP address blacklist rule templates exist, you can click Configure Now in the IP Address Blacklist card in the upper part of the Protection Rules page.

  4. In the Create Template - IP Address Blacklist panel, configure the parameters and click OK. The following table describes the parameters.

    Template Name: Specify a name for the template. The name must be 1 to 255 characters in length and can contain letters, digits, periods (.), underscores (_), and hyphens (-).

    Save as Default Template: Specify whether to set this template as the default template of the protection module. You can set only one default template for a protection module. If you turn on Save as Default Template, you do not need to configure the Apply To parameter. The default template is applied to all protected objects and protected object groups to which no protection template is applied.

    Rule Configuration: Click Create Rule to create an IP address blacklist rule for the template. You can also create IP address blacklist rules after you create the template. For more information, see Step 2: Create an IP address blacklist rule for the template.

    Apply To: Select the protected objects and protected object groups to which you want to apply the template. You can apply only one template of a protection module to a protected object or a protected object group. For information about how to associate protected objects and protected object groups with the template, see Protected objects and protected object groups.

    By default, the new IP address blacklist rule template is enabled. You can perform the following operations in the rule template list:

    • View the number of protected objects and protected object groups that are associated with the template.

    • Turn on or turn off the switch in the Status column to enable or disable the template.

    • Click Edit or Delete in the Actions column to modify or delete the template.

    • Click the expand icon to the left of the template name to view the rules in the template.

      Note

      If you add an attacker IP address to an IP address blacklist when you view the security report of the bot management module, an IP address blacklist rule template named AutoTemplate is automatically created and an IP address blacklist rule is automatically created for the template. The IP address blacklist rule blocks requests that match the rule. For more information, see Bot management module.

Step 2: Create an IP address blacklist rule for the template

The IP address blacklist rule template takes effect only after you create IP address blacklist rules for the template. If you already created IP address blacklist rules when you created the template, skip this step.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. The region can be Chinese Mainland or Outside Chinese Mainland.

  2. In the left-side navigation pane, choose Protection Configuration > Protection Rules.

  3. In the IP Address Blacklist section, find the IP address blacklist rule template for which you want to create a protection rule and click Create Rule in the Actions column.

  4. In the Create Rule dialog box, configure the parameters and click OK. The following table describes the parameters.

    Rule Name: Specify a name for the rule. The name can contain letters, digits, periods (.), underscores (_), and hyphens (-).

    IP Address Blacklist: Add the IP addresses to block. After the rule takes effect, a request whose source IP address matches an entry in the blacklist is blocked. The entries must meet the following requirements:

    • You can enter IPv4 addresses and IPv6 addresses, such as 1.1.XX.XX and 2001:XXXX:ffff:ffff:ffff:ffff:ffff:ffff.

    • You can enter IPv4 CIDR blocks and IPv6 CIDR blocks, such as 1.1.XX.XX/16 and 2001:XXXX:XXXX:XXXX::/64.

    • Enter one IP address or CIDR block per line, and press Enter after each entry.

    • You can enter up to 200 entries.

    Action: Specify the action that WAF performs on requests that match the rule. Valid values:

    • Block: blocks the requests that match the rule and returns a block page to the client.

      Note

      By default, WAF uses a unified block page. You can use the custom response feature to configure a custom block page. For more information, see Configure custom response rules to configure custom block pages.

    • Monitor: records the requests that match the rule in logs without blocking them. You can query the logs of matched requests to evaluate the rule, for example to check whether it matches legitimate requests.

      Important

      You can query logs only when Simple Log Service is enabled for WAF. For more information, see Enable or disable Simple Log Service for WAF.

      If you select Monitor, you can perform a dry run of the rule to check whether it would block legitimate requests. If the rule passes the dry run, you can set the Action parameter to Block based on your business requirements.

    Note

    On the Security Reports page, you can query the details of requests that matched rules in Monitor mode or Block mode. For more information, see Security reports.

    By default, a new rule is enabled. You can perform the following operations in the rule list:

    • Turn on or turn off the switch in the Status column to enable or disable the rule.

    • Click Edit or Delete in the Actions column to modify or delete the rule.
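The following Python script is an added example and is not part of this topic or of the WAF product. It models the entry requirements above locally (IPv4/IPv6 addresses or CIDR blocks, one per line, at most 200 entries) together with the name rule from Step 1, and then performs the kind of dry run that Monitor mode is meant for: a constructed blacklist is run against constructed access log lines, and the script reports which requests the rule would block and flags any that come from an allowlist of known-good sources. The log format, the allowlist, the 255-character bound applied to rule names, and the rejection of CIDR entries with host bits set are assumptions of the example, not behaviour documented for WAF.

```python
import ipaddress
import re

# Name rule quoted from Step 1: 1 to 255 characters of letters, digits,
# periods, underscores and hyphens. The page gives no length limit for rule
# names, so the same bound is applied to them here (assumption).
NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,255}")
MAX_ENTRIES = 200  # per-rule limit stated on the page


def valid_name(name: str) -> bool:
    """Check a template or rule name against the documented character set."""
    return NAME_RE.fullmatch(name) is not None


def parse_blacklist(text: str):
    """Parse one entry per line into ip_network objects.

    Returns (networks, errors). Single addresses become /32 or /128 networks.
    strict=True rejects CIDR entries with host bits set (e.g. 10.1.2.3/16);
    that is this example's choice, to catch typos before the rule goes live.
    """
    entries = [line.strip() for line in text.splitlines() if line.strip()]
    errors = []
    if len(entries) > MAX_ENTRIES:
        errors.append(f"{len(entries)} entries exceed the limit of {MAX_ENTRIES}")
    networks = []
    for entry in entries:
        try:
            networks.append(ipaddress.ip_network(entry, strict=True))
        except ValueError as exc:
            errors.append(f"invalid entry {entry!r}: {exc}")
    return networks, errors


def client_ips_from_log(log_text: str):
    """Constructed log format for this example: the client IP is the first field."""
    return [line.split()[0] for line in log_text.splitlines() if line.strip()]


def dry_run(networks, client_ips, allowlist=()):
    """Simulate Monitor mode: report which requests the rule would block.

    allowlist holds sources you know to be legitimate (health checkers,
    office egress, partners); a hit on one of them is collateral damage
    that should be fixed before switching the action from Monitor to Block.
    """
    allowed = [ipaddress.ip_network(a) for a in allowlist]
    would_block, collateral = [], []
    for ip_text in client_ips:
        ip = ipaddress.ip_address(ip_text)
        # ipaddress never matches an IPv4 address against an IPv6 network
        # (or vice versa), so mixed-family blacklists are safe here.
        if any(ip in net for net in networks):
            would_block.append(ip_text)
            if any(ip in net for net in allowed):
                collateral.append(ip_text)
    return would_block, collateral


# Constructed sample data using RFC 5737 / RFC 3849 documentation ranges.
BLACKLIST = """\
203.0.113.0/24
2001:db8:1::10
192.0.2.44
"""

ACCESS_LOG = """\
203.0.113.7 GET /login 200
203.0.113.9 POST /api/orders 401
198.51.100.25 GET /health 200
2001:db8:1::10 GET / 200
192.0.2.44 GET /admin 403
"""

KNOWN_GOOD = ["198.51.100.0/24", "203.0.113.9"]  # assumed legitimate sources


def run_example():
    """Validate the constructed blacklist, then dry-run it against the log."""
    networks, errors = parse_blacklist(BLACKLIST)
    if errors:
        raise SystemExit("fix the blacklist first: " + "; ".join(errors))
    return dry_run(networks, client_ips_from_log(ACCESS_LOG), KNOWN_GOOD)


if __name__ == "__main__":
    blocked, collateral = run_example()
    print("would block:", blocked)
    print("known-good sources hit (fix before switching to Block):", collateral)
```

In the sample data, 203.0.113.9 is inside the blacklisted /24 but also on the allowlist, so the dry run reports it as collateral: the /24 is too broad for this deployment and should be narrowed before the action is changed from Monitor to Block. In a real deployment the client IPs would come from the Simple Log Service query mentioned above rather than from an inline string.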

What to do next

On the IP Address Blacklist tab of the Security Reports page, you can view the protection details of IP address blacklist rules. For more information, see IP address blacklist, custom rule, scan protection, HTTP flood protection, and region blacklist modules.

References