
Types and core logic of IP lists

In the IP lists section of the Wallarm Console, you can control access to your applications by whitelisting, blacklisting, and greylisting IP addresses.

  • Whitelist is a list of trusted IP addresses that are allowed to access your applications even if requests originating from them contain attack signs.

  • Blacklist is a list of IP addresses that are not allowed to access your applications. The filtering node blocks all requests originating from blacklisted IP addresses.

  • Greylist is a list of IP addresses that are allowed to access your applications only if requests originating from them do not contain attack signs.

IP lists support

Controlling access to your applications by whitelisted, blacklisted and greylisted IP addresses is supported starting with the regular (client) Wallarm node of version 3.0.

Algorithm of IP lists processing

In any filtration mode, the filtering node checks whether the source IPs of incoming requests match entries of the IP lists as follows:

  • Request filtering is disabled or performed in monitoring mode:

    1. If a source IP of an incoming request is added to the whitelist, the filtering node forwards an incoming request to your application. If an IP address is not in the list, the next step is performed.
    2. If a source IP of an incoming request is added to the blacklist, the filtering node blocks an incoming request. If an IP address is not in the list, the next step is performed.
    3. If a source IP of an incoming request is neither in the blacklist nor in the whitelist, the filtering node forwards an incoming request to your application even if it contains attack signs.
  • Request filtering is performed in safe blocking mode:

    1. If a source IP of an incoming request is added to the whitelist, the filtering node forwards an incoming request to your application. If an IP address is not in the list, the next step is performed.
    2. If a source IP of an incoming request is added to the blacklist, the filtering node blocks an incoming request. If an IP address is not in the list, the next step is performed.
    3. If a source IP of an incoming request is added to the greylist and an incoming request contains attack signs, the filtering node blocks an incoming request. If an incoming request does not contain attack signs, the filtering node forwards it to your application. If an IP address is not in the list, the next step is performed.
    4. If a source IP of an incoming request is not in any of the lists, the filtering node forwards an incoming request to your application even if it contains attack signs.
  • Request filtering is performed in blocking mode:

    1. If a source IP of an incoming request is added to the whitelist, the filtering node forwards an incoming request to your application. If an IP address is not in the list, the next step is performed.
    2. If a source IP of an incoming request is added to the blacklist, the filtering node blocks an incoming request. If an IP address is not in the list, the next step is performed.
    3. If a source IP of an incoming request is neither in the blacklist nor in the whitelist and an incoming request contains attack signs, the filtering node blocks it. If an incoming request does not contain attack signs, the filtering node forwards it to your application.

The filtering node analyzes IP lists starting with whitelists, continuing with blacklists, and ending with greylists. For example, if an IP address is added to both the whitelist and the blacklist, the filtering node treats this IP address as a trusted source and forwards all requests originating from it to your applications regardless of whether an incoming request contains attack signs.
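
The processing order above, written out as a decision function so that a planned list change can be checked against every mode. This is an added example, not Wallarm code: the mode labels, function names and sample addresses are assumptions made for illustration, and only exact-address list entries are modelled.

```python
import ipaddress

FORWARD, BLOCK = "forward", "block"
# Mode labels are this example's own names for the modes described above.
MODES = ("off", "monitoring", "safe_blocking", "blocking")

# Constructed sample lists (documentation address ranges, not real sources).
WL = ["192.0.2.10"]
BL = ["192.0.2.10", "198.51.100.7", "2001:db8::1"]
GL = ["203.0.113.5"]


def _norm(entries):
    """Parse entries so different spellings of one address compare equal."""
    return {ipaddress.ip_address(e) for e in entries}


def decide(source_ip, has_attack_signs, mode, whitelist=WL, blacklist=BL, greylist=GL):
    """Return FORWARD or BLOCK for one request, checking lists in documented order."""
    if mode not in MODES:
        raise ValueError(f"unknown filtration mode: {mode!r}")
    ip = ipaddress.ip_address(source_ip)

    # Step 1, every mode: a whitelist entry wins, even over a blacklist entry.
    if ip in _norm(whitelist):
        return FORWARD
    # Step 2, every mode: a blacklisted source is blocked with or without attack signs.
    if ip in _norm(blacklist):
        return BLOCK
    # Disabled / monitoring: everything else is forwarded, attack signs included.
    if mode in ("off", "monitoring"):
        return FORWARD
    # Safe blocking: only greylisted sources sending attack signs are blocked.
    if mode == "safe_blocking":
        return BLOCK if ip in _norm(greylist) and has_attack_signs else FORWARD
    # Blocking: any remaining request with attack signs is blocked.
    return BLOCK if has_attack_signs else FORWARD


def decision_table(source_ip, **lists):
    """Decision for every (mode, attack signs) pair; handy when reviewing a list change."""
    return {(m, a): decide(source_ip, a, m, **lists) for m in MODES for a in (False, True)}


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5", "203.0.113.99"):
        print(ip, decision_table(ip))
```

The table for 192.0.2.10 shows the precedence caveat directly: the address is in both the whitelist and the blacklist, and every mode forwards its requests.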

IP lists configuration

To configure IP lists:

  1. If the Wallarm node is located behind a load balancer or CDN, make sure to configure your Wallarm node to properly report end-user IP addresses:

  2. Add request sources to IP lists:

Using additional traffic filtering facilities

Note that if you use additional facilities (software or hardware) to automatically filter and block traffic, it is recommended that you configure a whitelist with the IP addresses for the Wallarm Scanner. This will allow Wallarm components to seamlessly scan your resources for vulnerabilities.

Known caveats of IP lists configuration

  • Applying the access configuration of a particular IP address to a specific application is not supported. You can only disable all IP lists for specific applications. To disable IP lists for a specific application, add the parameter disable_acl on to the suitable block of the NGINX or Envoy configuration file.

  • If you have a trigger configured to automatically block an IP address (for example, a trigger that adds IP addresses to the blacklist), the system will block the IP for all application instances in a Wallarm account. The same applies to any other method of changing any of the IP lists.

  • If you have deployed the partner node, IP lists will not be supported till Wallarm node 3.2 is released. At present, the partner node still supports only the blacklist of IP addresses.