
Using WAF to create a custom IP Whitelist or Blacklist rule


Information


Summary:

Using the Web Application Firewall (WAF) to configure a custom IP address Whitelist or Blacklist for a Virtual Service.

Environment:

Product: LoadMaster

Version: Any

Platform: Any

Application: Any

Question/Problem Description:

How to configure a WAF custom rule that behaves as an IP Whitelist or Blacklist for a single IP address, multiple IP addresses or an IP address range. This technique is useful when a Whitelist or Blacklist is required per Sub Virtual Service, because the ACL (Access Control List) feature is only available at the parent Virtual Service level and not at the Sub Virtual Service level.

Cause:

There is a requirement to allow or block access to a service based on a client's source IP address or IP range.

The process for allowing/blocking users should be easily modified for scalability.

Resolution:

Below is a sample of the custom rule syntax for whitelisting or blacklisting single IP addresses or IP address ranges:


Whitelist for Single IP (192.168.10.10)

  • SecRule REMOTE_ADDR "@ipMatch 192.168.10.10" "id:'101',phase:1,t:none,allow,log,msg:'IP Allow Rule'"
  • SecRule REMOTE_ADDR "\." "id:'99999',phase:1,t:none,deny,log,msg:'IP Deny Rule'"

Whitelist for an IP Range (192.168.10.0/24)

  • SecRule REMOTE_ADDR "@ipMatch 192.168.10.0/24" "id:'101',phase:1,t:none,allow,log,msg:'IP Allow Rule'"
  • SecRule REMOTE_ADDR "\." "id:'99999',phase:1,t:none,deny,log,msg:'IP Deny Rule'"

Blacklist for Single IP (192.168.10.10)

  • SecRule REMOTE_ADDR "@ipMatch 192.168.10.10" "id:'101',phase:1,t:none,deny,log,msg:'IP Deny Rule'"
  • SecRule REMOTE_ADDR "\." "id:'99999',phase:1,t:none,allow,log,msg:'IP Allow Rule'"

Blacklist for an IP Range (192.168.10.0/24)

  • SecRule REMOTE_ADDR "@ipMatch 192.168.10.0/24" "id:'101',phase:1,t:none,deny,log,msg:'IP Deny Rule'"
  • SecRule REMOTE_ADDR "\." "id:'99999',phase:1,t:none,allow,log,msg:'IP Allow Rule'"

The single-IP rules use the @ipMatch operator rather than a bare pattern: without an operator the string is evaluated as an unanchored regular expression, in which "." matches any character, so "192.168.10.10" would also match 192.168.10.100. The second rule in each pair is a catch-all that matches any dotted address. Rules are evaluated in the order they appear in the file, so the specific rule must be listed before the catch-all, and the ids must not collide with any other rule loaded on the Virtual Service.

Once the rule has been created (using Notepad or Notepad++ for example), the rule can be uploaded on the LoadMaster under:

Virtual Services > WAF Settings > Custom Rules.

Each rule file must have the .conf extension; multiple .conf files can be uploaded together as a single tar.gz archive.

Then, under the Virtual Service's WAF settings, the custom rule will be visible and ready to be assigned for use. For more information on this process, please see the guides in the notes section below.

Notes:

WAF Rule Writing Guide:

https://support.kemptechnologies.com/hc/en-us/articles/210399183-WAF-Rule-Writing-Guide

How to White/Blacklist based on source IP:

https://support.kemptechnologies.com/hc/en-us/articles/115003297606-White-Black-List-based-on-Source-IP

How to block an IP address using WAF:

https://support.kemptechnologies.com/hc/en-us/articles/207525606-How-to-block-a-specific-IP-address-using-WAF

WAF Deployment Guide:

Web Application Firewall – Kemp Support (kemptechnologies.com)
