Disabling the IP Address Blocking of the Wallarm Scanner

If the filter node runs in blocking mode by default (the wallarm_mode directive), so that detected malicious requests are blocked, you must explicitly list the Wallarm scanner IP addresses from which requests should not be blocked.

Suppose the following blocking settings are set in the NGINX configuration file:

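# geo matches the client address against single addresses and CIDR ranges;
# a map block compares $remote_addr as a plain string, so a CIDR entry there never matches
geo $remote_addr $wallarm_mode_real {
    default block;          # Blocking mode enabled by default
    1.1.1.1/24 monitoring;  # Monitoring mode (cancels blocking)
    2.2.2.2 off;            # Filter node disabled for this address, so it is never blocked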
    ...
}
...
wallarm_mode $wallarm_mode_real;
...

Set the off value, as in the example above, for each IP address reserved for the Wallarm scanner to avoid blocking it.

The Wallarm Scanner IP Addresses

Lists of the IP addresses of the scanner:

To avoid overloading the NGINX configuration file, you can put the list of scanner IP addresses in a separate file and then add its contents to the configuration file using the include directive.

Suppose you create the /etc/nginx/scanner-ip-list file:

# The list of the Wallarm scanner IP addresses
3.3.3.3 off;
4.4.4.4 off;
5.5.5.5 off;
...
# Add all the required IP addresses here

Now use the include directive to include this list in the required block of the configuration file:

geo $remote_addr $wallarm_mode_real {
    default block;
    1.1.1.1/24 monitoring;
    2.2.2.2 off;
    include /etc/nginx/scanner-ip-list;  # Scanner addresses, each set to off
}
...
wallarm_mode $wallarm_mode_real;
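
Every line in the include file exempts an address from blocking, so the list is worth validating before NGINX loads it. The following is an added example, not part of the original page or of Wallarm's tooling: it renders the /etc/nginx/scanner-ip-list format from a raw address list and rejects malformed or overly broad entries. The function name, the prefix limits and the sample addresses are assumptions.

```python
import ipaddress

MIN_V4_PREFIX = 24   # assumption: refuse IPv4 exemptions broader than a /24
MIN_V6_PREFIX = 64   # assumption: refuse IPv6 exemptions broader than a /64


def build_scanner_list(raw_lines):
    """Return (include_file_text, rejected) for a raw list of scanner addresses.

    Each accepted address becomes one '<address> off;' line, the format of
    /etc/nginx/scanner-ip-list. Rejected entries are (entry, reason) pairs.
    CIDR lines are only matched as ranges inside an NGINX geo block.
    """
    accepted, rejected, seen = [], [], set()
    for line in raw_lines:
        entry = line.split("#", 1)[0].strip()   # drop comments and whitespace
        if not entry:
            continue
        try:
            # strict=True rejects a CIDR with host bits set, e.g. 3.3.3.3/24
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            rejected.append((entry, str(exc)))
            continue
        limit = MIN_V4_PREFIX if net.version == 4 else MIN_V6_PREFIX
        if net.prefixlen < limit:
            rejected.append((entry, "prefix too broad for an exemption"))
            continue
        if net in seen:
            continue                            # skip duplicates
        seen.add(net)
        accepted.append(net)
    accepted.sort(key=lambda n: (n.version, n))
    out = ["# The list of the Wallarm scanner IP addresses"]
    for net in accepted:
        # Single hosts are written without the /32 or /128 suffix
        host = net.prefixlen == net.max_prefixlen
        out.append(f"{net.network_address if host else net} off;")
    return "\n".join(out) + "\n", rejected


# Constructed sample input (placeholder addresses, not real scanner addresses)
SAMPLE = ["3.3.3.3", "4.4.4.4  # second scanner host", "3.3.3.3",
          "5.5.5.0/24", "6.6.0.0/16", "7.7.7.300", ""]

if __name__ == "__main__":
    text, bad = build_scanner_list(SAMPLE)
    print(text, end="")
    for entry, reason in bad:
        print(f"rejected {entry}: {reason}")
```

Write the returned text to the include file only when the rejected list is empty, then check the configuration with nginx -t before reloading.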

Using Additional Traffic Filtering Facilities

If you use additional facilities (software or hardware) to automatically filter and block traffic, it is recommended that you also configure a whitelist with the IP addresses of the Wallarm scanner in them.
