Client IP Selector

Purpose

The Client IP Selector specifies the IP address ranges to which path-specific rules apply. This lets you handle access to specific parts of your web application in a particular way when that access comes from defined IP addresses.

For more information regarding adding and editing Preconditions, see Editing Preconditions.

Recommendations for use

Use the Client IP Selector, for example, to separate private networks or to handle specific IP ranges in a particular way. In combination with the Time Selector, you can also permit access to special content only from specific IP addresses at specific times.

Attributes

Attribute Meaning

blacklist

List of IP address ranges not to be handled in a special way, given in the format xxx.xxx.xxx.xxx/xx (for syntax, see Specifying IP Addresses).

Example: 81.243.62.0/24

For requests with an IP address from one of the ranges specified in the blacklist, the precondition is deemed not fulfilled. vWAF therefore does not apply the rules stored for the path to which the precondition was added.

For details on priority and internal processing, see How Blacklists, Whitelists, and Graylists Are Processed.

whitelist

List of IP address ranges that are to be handled in a special way, given in the format xxx.xxx.xxx.xxx/xx (for syntax, see Specifying IP Addresses).

For requests with an IP address from one of the ranges specified in the whitelist, the precondition is fulfilled. vWAF therefore applies the rules stored for the path to which the precondition was added (assuming any additional preconditions are also met). By default, the whitelist includes all IP addresses (entry 0.0.0.0/0).

Address ranges in the whitelist can be restricted by more tightly defined address ranges in the blacklist. For details on priority and internal processing, see How Blacklists, Whitelists, and Graylists Are Processed.

gbl

Activate this option if you want to use the global IP blacklist as an additional graylist.

If the request's IP address is not on the whitelist but is on the global IP blacklist (see Global IP Blacklisting), the precondition is deemed not fulfilled. vWAF therefore does not apply the rules stored for the path to which the precondition was added.

For details on priority and internal processing, see How Blacklists, Whitelists, and Graylists Are Processed.

rbl

Activate this option if you want to use an external realtime blacklist as a graylist for the evaluation, in addition to the whitelist and the blacklist. A realtime blacklist provides current IP addresses of typical undesirable visitors in real time.

For details on priority and internal processing, see How Blacklists, Whitelists, and Graylists Are Processed.

ATTENTION
Depending on the speed at which the realtime blacklist supplies its data, this can considerably delay access to your web application for users.

rbl domain

Only has an effect if the option rbl has been activated.

Select from the list one of the supported providers of realtime blacklists.

rbl password

Only has an effect if the option rbl has been activated.

Enter the password that you obtained from the provider specified under rbl domain for access to the realtime blacklist.

rbl on timeout allow request

Only has an effect if the option rbl has been activated.

The realtime blacklist can be temporarily unavailable (DNS timeout). Activate the option rbl on timeout allow request if, in this case, an IP address is to be handled as if it were not on the realtime blacklist.

rbl if search engine allow request

Only has an effect if the option rbl has been activated.

Activate this option if you want to permit the entries identified as search engines on the realtime blacklist.
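
The following sketch models how a whitelist and a blacklist interact for this selector, so that a planned configuration can be checked offline before it is entered. It is an added example, not vWAF code. It assumes that the more tightly defined (longer-prefix) range decides, that a tie goes to the blacklist, and that an address on no whitelist range is not selected; the authoritative order is the one described in How Blacklists, Whitelists, and Graylists Are Processed. The function names are hypothetical.

```python
import ipaddress

def parse_ranges(entries):
    """Parse 'a.b.c.d/nn' entries; strict=True rejects host bits (e.g. 81.243.62.5/24)."""
    return [ipaddress.ip_network(e.strip(), strict=True) for e in entries]

def longest_match(ip, networks):
    """Prefix length of the tightest range containing ip, or -1 if none does."""
    return max((n.prefixlen for n in networks if ip in n), default=-1)

def precondition_fulfilled(client_ip, whitelist, blacklist):
    """Model of the selector: True means the path's rules apply to this client."""
    ip = ipaddress.ip_address(client_ip)
    white = longest_match(ip, whitelist)
    black = longest_match(ip, blacklist)
    if white < 0:
        return False  # assumption: an address on no whitelist range is not selected
    # Assumption: the more tightly defined range wins; on a tie the blacklist wins.
    return white > black

if __name__ == "__main__":
    # Constructed sample: default whitelist plus the blacklist example from this page.
    wl = parse_ranges(["0.0.0.0/0"])
    bl = parse_ranges(["81.243.62.0/24"])
    for addr in ("81.243.62.17", "81.243.63.1"):
        print(addr, precondition_fulfilled(addr, wl, bl))
```
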