Kemp Support, how can we help?

The latest application delivery knowledge and expertise at your fingertips.

Using WAF to create a custom IP Whitelist or Blacklist rule





Using WAF Web Application Firewall (WAF) to configure a custom IP address Whitelist or Blacklist for a Virtual Service.


Product: LoadMaster

Version: Any

Platform: Any

Application: Any

Question/Problem Description:

How to configure a WAF custom rule to behave as an IP Whitelist or Blacklist for single IP addresses, multiple IP addresses or IP address ranges. This technique is beneficial when required to configure a Whitelist or Blacklist on a per Sub Virtual Service basis as the ACL (Access Control List) feature is only accessible on the parent Virtual Service level and not on the Sub Virtual Service level.

Steps to Reproduce:  
Error Message:  
Defect Number:  
Enhancement Number:  

There is a requirement to allow/block access to a service based on a clients source IP or IP range.

The process for allowing/blocking users should be easily modified for scalability.


Below is a sample of the custom rule syntax for whitelisting or blacklisting single IP addresses or IP address ranges:


Whitelist for Single IP (

  • SecRule REMOTE_ADDR "" "id:'101',phase:1,t:none,allow,log,msg:'IP Allow Rule'"
  • SecRule REMOTE_ADDR "\." "id:'99999',phase:1,t:none,deny,log,msg:'IP Deny Rule'"

Whitelist for an IP Range (

  • SecRule REMOTE_ADDR "@ipMatch" "id:'101',phase:1,t:none,allow,log,msg:'IP Allow Rule'"
  • SecRule REMOTE_ADDR "\." "id:'99999',phase:1,t:none,deny,log,msg:'IP Deny Rule'"

Blacklist for Single IP (

  • SecRule REMOTE_ADDR ""
    "id:'101',phase:1,t:none,deny,log,msg:'IP Deny Rule'"
  • SecRule REMOTE_ADDR "\." "id:'99999',phase:1,t:none,allow,log,msg:'IP Allow Rule'"

Blacklist for an IP Range (

  • SecRule REMOTE_ADDR "@ipMatch"
    "id:'101',phase:1,t:none,deny,log,msg:'IP Deny Rule'"
  • SecRule REMOTE_ADDR "\." "id:'99999',phase:1,t:none,allow,log,msg:'IP Allow Rule'"

Once the rule has been created (using Notepad or Notepad++ for example), the rule can be uploaded on the LoadMaster under:

Virtual Services > WAF Settings > Custom Rules.

The individual rule format must be .conf, or multiple .conf files can be uploaded as a tar.gz file.

Then, under the Virtual Service's WAF settings, the custom rule will be visible and ready to be assigned for use. For more information on this process, please see the guides in the notes section below.


Rules are evaluated alphabetically, then by rule id within each custom rule conf file imported (if there are multiple IDs within a custom rule).


WAF Rule Writing Guide:

How to White/Blacklist based on source IP:

How to block an IP address using WAF:

WAF Deployment Guide:

Web Application Firewall – Kemp Support (

Was this article helpful?
0 out of 0 found this helpful