
How to Allowlist IP addresses for WAF Services

Description

How to allowlist (formerly known as whitelist) Source IP addresses to prevent the Proxy/WAF policy from blocking them

There are three options for allowlisting with WAF Services; each has its own procedure below:

  • WAF IP Allowlist
    • Applied per proxy
    • Self-service via the Portal
  • WAF Policy Allowlist
    • Applied per WAF policy
    • Requires SOC assistance to modify the WAF policy/policies
  • WAF Allowlist via iRule
    • For cases where special condition(s) beyond a plain source IP match are required
    • Applied per proxy
    • Similar in effect to the WAF IP Allowlist


Environment

  • Silverline WAF
  • WAF IP Allowlist
  • WAF Policy Allowlist
  • WAF Allowlist using an iRule


Procedure

WAF IP Allowlist

  1. Navigate to Config > IP Management > WAF IP Allowlists
  2. Select the proxy to which the allowlist should apply, and click the Edit button
  3. To add a new allowlist to this proxy, click the +Add button
  4. Enter the IP address(es), and choose for each whether it should be allowlisted ("Allow") or only logged ("Log") for audit purposes.
    • Enter only one IP address (or subnet) per line
    • From the drop-down for each entry choose:
      • Allow - The WAF policy does not inspect HTTP request(s) from that IP address/subnet, so no WAF violation log is generated for them either
      • Log - Logs the request/event only; the request is not allowlisted and the WAF policy still applies to it

NOTE: You can enter a single IP address or a subnet (for example /24 or /22); the subnet mask is independent of the action chosen (Allow/Log).

  5. Click Save when you're done
  6. Once the IP allowlist is saved, it is displayed on the IP Management > WAF IP Allowlists page with the Status "Pending."
    • No further action is needed. The Pending state is cleared once the Silverline SOC has deployed the new allowlist into service.
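As an added example (not part of this article and not F5 Silverline code), the script below pre-checks a set of WAF IP Allowlist entries before they are typed into the portal: it enforces one address or subnet per entry, rejects entries whose host bits are set under the given prefix, flags very broad blocks, flags overlapping Allow/Log entries (the article does not say which action wins, so that is a question for the SOC), and reports what the allowlist would do for a given client address. The "address Action" text format, the broad-prefix thresholds and the sample addresses are this example's assumptions; the portal itself takes one address per line with the action chosen from a drop-down.

```python
"""Pre-flight checks for a WAF IP Allowlist before it is entered in the portal.

Added example, not F5 Silverline code. Models the two per-entry actions the
portal offers: "Allow" (request bypasses WAF inspection, no violation log) and
"Log" (request is logged only, not allowlisted). The "address Action" line
format and the "too broad" thresholds are assumptions of this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Union

ACTIONS = {"Allow", "Log"}
# Assumption for this example: flag anything wider than /16 (IPv4) or /32 (IPv6).
BROADEST_ACCEPTABLE_PREFIX = {4: 16, 6: 32}

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Entry:
    network: Net
    action: str  # "Allow" or "Log", as chosen in the portal drop-down


def parse_entries(text: str) -> tuple[list[Entry], list[str]]:
    """Parse lines of the form 'address[/prefix] Action'; '#' starts a comment.

    Returns (entries, errors). Host bits set under the prefix are rejected
    rather than silently masked, so the operator sees what would be submitted.
    """
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            errors.append(f"line {lineno}: expected 'address Action', got {line!r}")
            continue
        addr, action = parts
        if action not in ACTIONS:
            errors.append(f"line {lineno}: unknown action {action!r} (use Allow or Log)")
            continue
        try:
            net = ipaddress.ip_network(addr, strict=True)
        except ValueError:
            try:
                masked = ipaddress.ip_network(addr, strict=False)
                errors.append(f"line {lineno}: {addr} has host bits set; did you mean {masked}?")
            except ValueError:
                errors.append(f"line {lineno}: {addr!r} is not an IP address or CIDR block")
            continue
        entries.append(Entry(net, action))
    return entries, errors


def lint_entries(entries: list[Entry]) -> list[str]:
    """Warn about duplicates, very broad blocks, and overlapping Allow/Log entries."""
    warnings, seen = [], set()
    for e in entries:
        if e.network in seen:
            warnings.append(f"duplicate entry {e.network}")
        seen.add(e.network)
        if e.network.prefixlen < BROADEST_ACCEPTABLE_PREFIX[e.network.version]:
            warnings.append(f"{e.network} ({e.action}) is very broad; confirm it is intended")
    for i, a in enumerate(entries):
        for b in entries[i + 1:]:
            # overlaps() is False across IPv4/IPv6, so mixed lists are safe here
            if a.action != b.action and a.network.overlaps(b.network):
                warnings.append(f"{a.network} ({a.action}) overlaps {b.network} ({b.action}); "
                                "precedence is not documented, confirm with the SOC")
    return warnings


def disposition(client_ip: str, entries: list[Entry]) -> str:
    """'Allow', 'Log', 'inspect' (no match, WAF policy applies) or 'conflict' (both match)."""
    ip = ipaddress.ip_address(client_ip)
    actions = {e.action for e in entries if ip in e.network}
    if actions == ACTIONS:
        return "conflict"
    return actions.pop() if actions else "inspect"


# Constructed sample input (documentation-range addresses), not real customer data.
SAMPLE = """\
203.0.113.10 Allow        # single host, bypasses WAF inspection
198.51.100.0/24 Log       # log only, policy still applies
198.51.100.0/22 Allow     # overlaps the /24 above with a different action
10.0.0.0/8 Allow          # very broad
192.0.2.5/24 Allow        # host bits set: rejected
2001:db8::/32 Log
not-an-ip Allow
203.0.113.11 Block        # not a portal action
"""


def check(text: str = SAMPLE) -> dict:
    entries, errors = parse_entries(text)
    return {"entries": entries, "errors": errors, "warnings": lint_entries(entries)}


if __name__ == "__main__":
    report = check()
    for key in ("errors", "warnings"):
        for msg in report[key]:
            print(f"{key[:-1].upper()}: {msg}")
    for ip in ("203.0.113.10", "198.51.100.7", "198.51.101.7", "8.8.8.8"):
        print(f"{ip}: {disposition(ip, report['entries'])}")
```

Run it before filing the allowlist and fix every ERROR line; a WARNING for an overlapping Allow/Log pair is worth raising with the SOC in the same ticket, since an address that bypasses inspection under one entry and is only logged under another is exactly the kind of ambiguity that surfaces later as a missing violation log.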


WAF Policy Allowlist

  1. Open a ticket with the SOC that includes:
    • IP address(es)/IP range(s) to allowlist with "Never Block this IP"
      • Prevents the WAF policy from returning a blocking page for requests from those addresses
      • A violation log entry is still generated (with a unique support ID), but the violation is treated as an alert rather than a block
    • Any IP address(es)/IP range(s) that should have the "Never Log this IP" option enabled
      • This option tells the WAF policy not to log any WAF violation (blocked or alerted) for that IP address/subnet
    • The WAF policy/policies the allowlisted IPs apply to


WAF Allowlist via iRule

  • Use this option when neither the WAF IP Allowlist nor the WAF Policy Allowlist is flexible enough for the required allowlisting condition(s).
    • Example: simple WAF allowlist iRule using a data table (the allowlisted addresses live in the data table, so they can be changed without editing the iRule)

        # priority 305 runs this ahead of default-priority (500) iRules on the proxy
        when HTTP_REQUEST priority 305 {
            # Match the client source address against the IP_allowlist data table
            if { [class match -- [IP::client_addr] equals [call ag_info0::datatable_name IP_allowlist]] } {
                # Log the allowlist hit, then skip WAF (ASM) inspection for this request
                set agl [call ag_log0::open -rulename WAF_IP_allowlist -rulever 1]
                call ag_log0::tcp_kvp $agl INFO action "IP allowlisted"
                ASM::disable
            }
        }

  • Requirements for iRule deployment
    Provide the SOC the following information if you wish to proceed with this implementation:
    1. The name of the iRule
      • Default: WAF_IP_allowlist
    2. The name of the data table (the list where you add/remove IP addresses from the allowlist)
      • Default: IP_allowlist
    3. Any other conditions that must be met for a request to be allowlisted
  • Please note that there is no guarantee an iRule request will be approved. See iRules in Silverline: Scope of Support for more details on the iRule policy.
