Using WAF to create a custom IP Whitelist or Blacklist rule
Using WAF Web Application Firewall (WAF) to configure a custom IP address Whitelist or Blacklist for a Virtual Service.
How to configure a WAF custom rule to behave as an IP Whitelist or Blacklist for single IP addresses, multiple IP addresses or IP address ranges. This technique is beneficial when required to configure a Whitelist or Blacklist on a per Sub Virtual Service basis as the ACL (Access Control List) feature is only accessible on the parent Virtual Service level and not on the Sub Virtual Service level.
|Steps to Reproduce:|
There is a requirement to allow/block access to a service based on a clients source IP or IP range.
The process for allowing/blocking users should be easily modified for scalability.
Below is a sample of the custom rule syntax for whitelisting or blacklisting single IP addresses or IP address ranges:
Whitelist for Single IP (192.168.10.10)
Whitelist for an IP Range (192.168.10.0/24)
Blacklist for Single IP (192.168.10.10)
Blacklist for an IP Range (192.168.10.0/24)
Once the rule has been created (using Notepad or Notepad++ for example), the rule can be uploaded on the LoadMaster under:
Virtual Services > WAF Settings > Custom Rules.
The individual rule format must be .conf, or multiple .conf files can be uploaded as a tar.gz file.
Then, under the Virtual Service's WAF settings, the custom rule will be visible and ready to be assigned for use. For more information on this process, please see the guides in the notes section below.
WAF Rule Writing Guide:
How to White/Blacklist based on source IP:
How to block an IP address using WAF:
WAF Deployment Guide: