Overview
An allowlist is a rule that allows requests from specific IP addresses, and a denylist is a rule that blocks requests from specific IP addresses.
About the Allowlist
The allowlist rules will allow requests from the registered IP addresses. If a request matches this rule, the request will not be blocked by other rules like regular expression rules.
The following features are included in the allowlist:
- Manual allowlist feature: Through the WafCharm Console, you can manually add IP addresses to the allowlist.
About the Denylist
The denylist rules will block requests from the registered IP addresses.
*The requests are evaluated by the allowlist rule first, so if both the allowlist and denylist have the same IP address, requests from that IP address will be allowed.
The following features are included in the denylist:
- Dynamic Denylist feature: WafCharm re-evaluates your logs against hundreds of security signatures. Any detected threats are automatically added to the denylist.
- IP reputation feature: WafCharm integrates with CSC's proprietary IP reputation database to cross-reference and add known malicious IP addresses to the denylist.
- Manual denylist feature: You can manually add IP addresses to the denylist through the WafCharm Console.
Please keep in mind that the details of the dynamic denylist feature vary depending on which cloud WAF you use.
For AWS WAF v2 Advanced rule policy
- In the dynamic denylist feature, WAF logs are re-evaluated against our signatures.
- If the WAF log retrieval option (the new method) is not enabled, the dynamic denylist feature will not be available, and re-evaluation will not be performed.
- The IP reputation feature and the manual denylist feature will be available regardless of the status of the WAF log retrieval option (the new method).
- The denylist rules will be separated into two rules in the Advanced Rule policy.
  - WafCharm_DenyIps_XXX: this is the denylist rule for the manual denylist feature.
  - WafCharm_Automated_DenyIps_XXX: this is the denylist rule for the dynamic denylist feature and the IP reputation feature.
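The evaluation order described above (allowlist first, then the two denylist rules, then regular-expression rules) as an added, self-contained Python model; this is not WafCharm code or its real rule engine. The allowlist rule name WafCharm_AllowIps, the regex rule name, the order between the two denylist rules, and all addresses and URIs are assumptions constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class WafCharmPolicy:
    # CIDR lists; denylist rule names follow the page, the allowlist name is hypothetical.
    allow_ips: list = field(default_factory=list)           # WafCharm_AllowIps (hypothetical)
    manual_deny_ips: list = field(default_factory=list)     # WafCharm_DenyIps_XXX
    automated_deny_ips: list = field(default_factory=list)  # WafCharm_Automated_DenyIps_XXX
    regex_rules: dict = field(default_factory=dict)         # rule name -> pattern matched on the URI


def ip_in_list(client_ip: str, cidrs: list) -> bool:
    """True if client_ip falls inside any CIDR (or single address) in cidrs."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def evaluate(policy: WafCharmPolicy, client_ip: str, uri: str) -> tuple:
    """Return (action, matched_rule) for one request.

    The allowlist is checked first and short-circuits every later rule, which is
    why an address present on both lists is allowed. The relative order of the
    two denylist rules is an assumption; either way the request is blocked.
    """
    if ip_in_list(client_ip, policy.allow_ips):
        return ("ALLOW", "WafCharm_AllowIps")
    if ip_in_list(client_ip, policy.manual_deny_ips):
        return ("BLOCK", "WafCharm_DenyIps_XXX")
    if ip_in_list(client_ip, policy.automated_deny_ips):
        return ("BLOCK", "WafCharm_Automated_DenyIps_XXX")
    for name, pattern in policy.regex_rules.items():
        if re.search(pattern, uri):
            return ("BLOCK", name)
    return ("ALLOW", "default")


# Constructed sample policy: 203.0.113.10 is on both the allowlist and the manual denylist.
SAMPLE_POLICY = WafCharmPolicy(
    allow_ips=["203.0.113.10"],
    manual_deny_ips=["203.0.113.10", "198.51.100.0/24"],
    automated_deny_ips=["192.0.2.77"],
    regex_rules={"hypothetical_regex_rule": r"^/admin/"},
)


def evaluate_all(policy: WafCharmPolicy, requests: list) -> list:
    """Evaluate (client_ip, uri) pairs and return the decisions in the same order."""
    return [evaluate(policy, ip, uri) for ip, uri in requests]
```

Running `evaluate_all(SAMPLE_POLICY, [("203.0.113.10", "/admin/login"), ("198.51.100.5", "/")])` shows the first request allowed by the allowlist despite matching both a denylist entry and the regex rule, and the second blocked by WafCharm_DenyIps_XXX.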
For AWS Classic/AWS WAF v2 Legacy rule policy
- In the dynamic denylist feature, access logs are re-evaluated against our signatures.
- If SiteConfig is not configured, the dynamic denylist feature will not be available, and re-evaluation will not be performed.
- The IP reputation feature and the manual denylist feature will be available regardless of the status of the SiteConfig settings.
- WafCharm can only re-evaluate access logs from ALB and CloudFront.