vpruthi/doc-exports
1
0
Fork 0
forked from docs/doc-exports
Code Pull Requests Activity
doc-exports/docs/wafd/umn/waf_01_0013.html
Li, Qiao aea4b89c6e WAF Dedicated User Guide 20231030 version. 
Reviewed-by: Rogal, Marcel <mrogal@noreply.gitea.eco.tsi-dev.otc-service.com>
Co-authored-by: Li, Qiao <qiaoli@huawei.com>
Co-committed-by: Li, Qiao <qiaoli@huawei.com>
2024-10-01 07:48:08 +00:00

16 KiB
Raw Permalink Blame History

Configuring Geolocation Access Control Rules to Block or Allow Requests from Specific Locations

WAF can identify where a request originates. You can set geolocation access control rules in just a few clicks and let WAF block or allow requests from a certain region. A geolocation access control rule allows you to allow or block requests from IP addresses from specified countries or regions.

If you have enabled enterprise projects, ensure that you have all operation permissions for the project where your WAF instance locates. Then, you can select the project from the Enterprise Project drop-down list and configure protection policies for the domain names in the project.

Prerequisites

A website has been added to WAF.

Constraints

  • One region can be configured in only one geolocation access control rule.
  • It takes several minutes for a new rule to take effect. After the rule takes effect, protection events triggered by the rule will be displayed on the Events page.

Configuring a Geolocation Access Control Rule

  1. Log in to the management console.
  2. Click in the upper left corner of the management console and select a region or project.
  3. Click in the upper left corner and choose Web Application Firewall (Dedicated) under Security.
  4. In the navigation pane on the left, choose Policies.
  5. Click the name of the target policy to go to the protection configuration page.
  6. In the Geolocation Access Control configuration area, change Status if needed and click Customize Rule.

    Figure 1 Geolocation Access Control configuration area

  7. In the upper left corner above the Geolocation Access Control list, click Add Rule.
  8. In the displayed dialog box, add a geolocation access control rule by referring to Table 1.

    Figure 2 Adding a geolocation access control rule
    Table 1 Rule parameters

    Parameter

    Description

    Example Value

    Rule Description

    A brief description of the rule. This parameter is optional.

    waf

    Geolocation

    Geographical scope of the IP address.

    -

    Protective Action

    Action WAF will take if the rule is hit. You can select Block, Allow, or Log only.

    Block

  9. Click Confirm. You can then view the added rule in the list of the geolocation access control rules.

    • To disable a rule, click Disable in the Operation column of the rule. The default Rule Status is Enabled.
    • To modify a rule, click Modify in the row containing the rule.
    • To delete a rule, click Delete in the row containing the rule.

Configuration Example - Allowing Access Requests from IP Addresses in a Specified Region

Assume that domain name www.example.com has been connected to WAF and you want to allow only IP addresses in Australia to access the domain name. Perform the following steps:

  1. Add a geolocation access control rule: Select Australia for Geolocation and select Allow for Protective Action.

    Figure 3 Selecting Allow for Protective Action

  2. Enable geolocation access control.

    Figure 4 Geolocation Access Control configuration area

  3. Configure a precise protection rule to block all requests.

    Figure 5 Blocking all access requests

  4. Clear the browser cache and access http://www.example.com.

    When an access request from IP addresses outside Australia accesses the page, WAF blocks the access request.

    Figure 6 Block page

  5. Go to the WAF console. In the navigation pane on the left, choose Events. View the event on the Events page. You will see that all requests not from Australia have been blocked.

Configuration Example - Blocking Access Requests from IP Addresses in a Specified Region

Assume that domain name www.example.com has been connected to WAF and you want to block all IP addresses from Australia to access the domain name. The following shows how to configure a rule to this end:

  1. Add a geolocation access control rule, select Australia for Geolocation and Block for Protective Action.

    Figure 7 Blocking access requests from a specific region

  2. Enable geolocation access control.

    Figure 8 Geolocation Access Control configuration area

  3. Clear the browser cache and access http://www.example.com.

    When an access request from IP addresses inside Australia accesses the page, WAF blocks the access request.

    Figure 9 Block page

  4. Go to the WAF console. In the navigation pane on the left, choose Events. View the event on the Events page.

    Figure 10 Viewing events - blocking access requests from IP addresses in a region

Protection Effect

To verify WAF is protecting your website (www.example.com) against a rule:

  1. Clear the browser cache and enter the domain name in the address bar to check whether the website is accessible.

    • If the website is inaccessible, connect the website domain name to WAF by referring to Step 1: Add a Website to WAF.
    • If the website is accessible, go to 2.

  2. Add a geolocation access control rule by referring to Configuring a Geolocation Access Control Rule.
  3. Clear the browser cache and access http://www.example.com. Normally, WAF blocks such requests and returns the block page.
  4. Go to the WAF console. In the navigation pane on the left, choose Events. On the displayed page, view or download events data.