Loading...
Back

About Denylist and Allowlist

AWS WAF ClassicAWS WAF v2Old PlanNew PlanAdvancedLegacyFeature / Spec.

Overview

Allowlist is a rule that allows specific IP addresses, and Denylist is a rule that blocks specific IP addresses.

About the Allowlist

The allowlist rules will allow requests from the registered IP addresses. If a request matches this rule, the request will not be blocked by other rules like regular expression rules.

The following features are included in the allowlist:

  • Manual allowlist feature: Through the WafCharm Console, you can manually add IP addresses to the allowlist.

The time required for the allowlist update to take effect is as follows.

  • AWS WAF v2 (old plan): Immediately
  • AWS WAF v2 (new plan): Immediately

About the Denylist

The denylist rules will block requests from the registered IP addresses.
*The requests are evaluated by the allowlist rule first, so if both the allowlist and denylist have the same IP address, requests from that IP address will be allowed.

IP addresses not manually added to the denylist are automatically updated at any time. Depending on update conditions, certain IP addresses may be repeatedly added and removed.

The following features are included in the denylist:

  • Dynamic Denylist feature: WafCharm re-evaluates your logs against hundreds of security signatures. Any detected threats are automatically added to the denylist.
  • IP reputation feature: WafCharm integrates with CSC's proprietary IP reputation database to cross-reference and add known malicious IP addresses to the denylist.
  • Manual denylist feature: You can manually add IP addresses to the denylist through the WafCharm Console.

Please keep in mind that the details of the dynamic denylist feature vary depending on which cloud WAF you use.

For AWS WAF v2 Advanced rule policy

  • In the dynamic denylist feature, WAF logs are re-evaluated against our signatures.
  • If the WAF log retrieval option (the new method) is not enabled, the dynamic denylist feature will not be available, and re-evaluation will not be performed.
  • The IP reputation feature and the manual denylist feature will be available regardless of the status of the WAF log retrieval option (the new method).
  • The denylist rules will be separated into two rules in the Advanced Rule policy.
    • WafCharm_DenyIps_XXX: this is the denylist rule for the manual denylist feature.
    • WafCharm_Automated_DenyIps_XXX: this is the denylist for the dynamic denylist feature and the IP reputation feature.

The time required for the denylist update to take effect is as follows.

  • Dynamic Denylist feature: every 5 minutes.
  • IP reputation feature: daily.
  • Manual denylist feature: immediately.

For AWS Classic/AWS WAF v2 Legacy rule policy

  • In the dynamic denylist feature, access logs are re-evaluated against our signatures.
  • If Web Site Config is not configured, the dynamic denylist feature will not be available, and re-evaluation will not be performed.
  • The IP reputation feature and the manual denylist feature will be available regardless of the status of the Web Site Config settings.
  • WafCharm can only re-evaluate access logs from ALB and CloudFront.

The time required for the denylist update to take effect is as follows.

  • Dynamic Denylist feature: every 5 minutes for the new plan. Every hour for the old plan.
  • IP reputation feature: daily.
  • Manual denylist feature: immediately for the AWS WAF v2 users. 5-10 minutes for the AWS WAF Classic users.