IP Blacklist Wizard

Purpose

To start the IP Blacklist Wizard, select Administration > IP Blacklist Wizard. Alternatively, from the Application Control menu select an application, select the Wizards tab and click IP Blacklist Wizard.

Global IP blacklisting provides a means to temporarily block all traffic for specific IP addresses or specific ranges of IP addresses.

The IP Blacklist Wizard guides you through the process to set up IP blacklisting. It is recommended that you use the wizard to ensure efficient and accurate configuration of IP Blacklisting. Configuring IP blacklisting manually is possible but a complicated process.

IP blacklisting depends on several components and events. In brief, IP addresses are added and blocked as follows:

  • An event is generated based on factors such as the number of denied requests within a specific time frame
  • The event is forwarded to the global alerting system. IP addresses that meet the defined criteria are added to the Global IP blacklist
  • Applications configured appropriately deny requests from IP addresses on the IP blacklist

For more information regarding IP Blacklisting, see Global IP Blacklisting.

The IP Blacklist Wizard guides you through the steps required to configure IP Blacklisting. You configure global options and application level options. As part of this process, the Wizard configures Global Blacklist IP Event Source, Global Blacklist IP Event Destination, Blacklist IP Event Destination and the Valid Client IP Handler.

Attributes

Each attribute is listed below with its meaning.

Global attributes

Global Event Destination Group

The global event destination group captures application IP blacklist events. This is a global group. The global event destination group contains an event destination handler and this handler adds the relevant IP addresses to the IP blacklist.

You can create a new global event destination group or select an existing global event destination group.

If an event destination group is configured and used by the Global Blacklist IP Event Source, vWAF suggests using the group. If a group is not already configured, vWAF suggests a default name for a new group, for example 'ip_blacklist_1'.

Global Options

Set the following global options in the Global Blacklist IP Event Source:

  • min_timeout: Minimum amount of time the IP addresses are blacklisted
  • max_timeout: Maximum amount of time the IP addresses are blacklisted
  • min_ip4_netmask: Minimum IPv4 netmask; vWAF will not blacklist any IPv4 range whose netmask is shorter than this (that is, a broader range)
  • min_ip6_netmask: Minimum IPv6 netmask; vWAF will not blacklist any IPv6 range whose netmask is shorter than this (that is, a broader range)

Application-specific attributes

Application Event Destination Group

The application event destination group captures application IP blacklist events for a specific application. The application event destination group contains an event destination handler and this handler adds the relevant IP addresses to the IP blacklist.

You can create a new application event destination group or select an existing application event destination group.

If an application event destination group is configured and used by the Denied Requests Per IP Per Severity Per Timeframe Per Application Event Source, vWAF suggests using the group. If a group is not already configured, vWAF suggests a default name for a new group, for example 'ip_blacklist_1'.

Application level options

Set the following options for the selected application. An event is triggered if the number of denied requests from a single IP range (as defined by the configured prefix length) exceeds the specified limit within the timeframe.

  • timeframe: An event is triggered if the limit is exceeded within this timeframe
  • limit: An event is triggered if this limit (number of denied requests) is exceeded within the timeframe
  • ip4range: Define the IPv4 range to be monitored (addresses outside the scope of the range are ignored)
    • /0 sets a global limit. An event is triggered if the limit is exceeded within the timeframe by any combination of IP addresses.
    • /8 to /24 specifies a range of IP addresses (see Specifying IP Addresses). An event is triggered if the limit is exceeded within the timeframe by any combination of IP addresses within the specified range.
    • /32 sets a limit per IP address. An event is triggered if the limit is exceeded within the timeframe by the same IP address.
  • ip6range: Define the IPv6 range to be monitored (addresses outside the scope of the range are ignored)
    • /0 sets a global limit. An event is triggered if the limit is exceeded within the timeframe by any combination of IP addresses.
    • /16, /24, /32, /48 and /56 specify a range of IP addresses. An event is triggered if the limit is exceeded within the timeframe by any combination of IP addresses within the specified range.
    • /64 sets a limit per network. An event is triggered if the limit is exceeded within the timeframe by any combination of IP addresses within the same network.
    • /128 sets a limit per IP address. An event is triggered if the limit is exceeded within the timeframe by the same IP address.
  • severity: Define the minimum severity of denied requests that count towards the limit. The default is LOW, in which case all denied requests (of any severity) within the limit and timeframe generate an event. If set to MEDIUM, for example, only denied requests of medium or high severity generate events.
  • timeout: Defines how long an IP address is blacklisted
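
The following is an added example, not vWAF code, that simulates the behaviour described above: denied requests are aggregated per prefix according to ip4range/ip6range, filtered by severity, counted against limit within a sliding timeframe, and the resulting prefix is checked against the global min_ip4_netmask/min_ip6_netmask. It assumes that min_timeout and max_timeout clamp the application-level timeout; the sample request log is constructed.

```python
# Added example, not vWAF code: simulates the detection and blacklisting logic described above.
import ipaddress
from collections import defaultdict

SEVERITY = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}

# Constructed sample of denied requests: (seconds, client IP, severity)
DENIED = [
    (0, "203.0.113.10", "LOW"), (5, "203.0.113.10", "MEDIUM"), (9, "203.0.113.10", "HIGH"),
    (20, "203.0.113.10", "LOW"), (1, "198.51.100.7", "LOW"), (2, "198.51.100.8", "LOW"),
    (3, "198.51.100.9", "LOW"), (2, "2001:db8::1", "HIGH"), (4, "2001:db8::2", "HIGH"),
    (6, "2001:db8::3", "HIGH"),
]

def prefix_key(ip, ip4range, ip6range):
    """Aggregate a client IP into the prefix it is counted under (/32 and /128 = per address)."""
    addr = ipaddress.ip_address(ip)
    prefix = ip4range if addr.version == 4 else ip6range
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def blacklist_candidates(denied, timeframe, limit, ip4range, ip6range,
                         severity="LOW"):
    """Prefixes that exceed `limit` denied requests (of at least `severity`)
    within any sliding window of `timeframe` seconds."""
    per_prefix = defaultdict(list)
    for ts, ip, sev in sorted(denied):
        if SEVERITY[sev] >= SEVERITY[severity]:
            per_prefix[prefix_key(ip, ip4range, ip6range)].append(ts)
    hits = set()
    for prefix, stamps in per_prefix.items():
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > timeframe:   # drop entries older than the timeframe
                start += 1
            if end - start + 1 > limit:
                hits.add(prefix)
                break
    return hits

def global_blacklist_entry(prefix, timeout, min_timeout, max_timeout,
                           min_ip4_netmask, min_ip6_netmask):
    """Apply the global options: refuse ranges broader than the minimum netmask and
    (assumption) clamp timeout into [min_timeout, max_timeout]. Returns (prefix, seconds) or None."""
    net = ipaddress.ip_network(prefix)
    min_mask = min_ip4_netmask if net.version == 4 else min_ip6_netmask
    if net.prefixlen < min_mask:
        return None
    return prefix, max(min_timeout, min(timeout, max_timeout))
```

With ip4range=32 only the single repeating IPv4 client trips the limit, whereas ip4range=24 also catches the three distinct hosts in 198.51.100.0/24, which the global min_ip4_netmask can then refuse if it is set to a longer prefix.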

Handlers configured by the IP Blacklist Wizard

The IP Blacklist Wizard configures the following handler: