WAAS Access Controls

WAAS allows for control over how applications and end-users communicate with the protected web application.

Network Lists

Network Lists
allow administrators to create and maintain named IP address lists e.g. "Office Branches", "Tor and VPN Exit Nodes", "Business Partners", etc. List entries are composed of IPv4 addresses or IP CIDR blocks.
To access
Network Lists
, open Console, go to
Defend > WAAS
and select the
Network List
Lists can be updated manually or via batch importing of entries from a CSV file. Once defined,
Network Lists
can be referenced and used in IP-based access control, user-defined bots and DoS protection.
To export lists in CSV format, click
export CSV
When importing IP addresses or IP CIDR blocks from a CSV file, first record value should be set to "ip" (case sensitive).
IPv6 entries are currently not supported.

Network Controls

IP-based access control

Network lists can be specified in:
  • - WAAS applies selected action (Alert or Prevent) for IP addresses in network lists.
  • - Traffic originating from IP addresses listed in this category will not be inspected by any of the protections defined in this policy.
We strongly advise users to practice caution when adding network lists to the IP Exception List as protections will not be applied for traffic originating from these IP addresses.

Country-Based Access Control

Specify country codes, ISO 3166-1 alpha-2 format, in one of the following categories (mutually exclusive):
  • - WAAS applies selected action (Alert or Prevent) for requests originating from the specified countries.
  • - Requests originating from specified countries will be forwarded to the application (pending inspection). WAAS will apply action of choice (Alert or Prevent) on all other requests not originating from the specified countries.
Country of origin is determined by the IP address associated with the request.

HTTP Header Controls

WAAS lets you block or allow requests which contain specific strings in HTTP headers by specifying a header name and a value to match. The value can be a full or partial string match. Standard pattern matching is supported.
If the
toggle is set to
WAAS will apply the defined action on HTTP requests in which the specified HTTP header is missing. When the
toggle is set to
no action will be applied for HTTP requests missing the specified HTTP header.
HTTP Header fields consist of a name, followed by a colon, and then the field value. When decoding field values, WAAS treats all commas as delimiters. For example, the Accept-Encoding request header advertises which compression algorithm the client suppor