Whitelist

Overview

The Whitelist functionality allows you to define match conditions for requests; when a request matches, the associated action is performed.

Examples
Directing WAF not to apply the WAF policy if:

  • The request comes from a specific IP range.
    or
  • The request matches the URL pattern specified using the HTTP Method match type.

Use cases

  • Allow access from the internal network.
  • Allow a security scanner to scan the application directly, bypassing WAF protection.
  • Do not check special parts of the URL space, for example “/upload/*”.
  • Run parts of the application in Detection mode.

Configure Whitelist Rules

To define Whitelist rules,

  1. From the Avi UI, navigate to Templates > WAF > WAF Policy and click on Create.
    or
    Edit an existing WAF Policy.
  2. Enter the required details under the Settings tab.
  3. Click on the Whitelist tab.
  4. Click on the Add Rule button.
  5. In the New Whitelist Rule screen, enter the details described below:
    General
    Rule Enabled: By default, the Whitelist rule is enabled. Click on the toggle button to disable it, if required.
    Name: Enter a relevant name for the rule.
    Description: Enter a description to define the rule.
    Match
    Add Match Type: Select a Match Type from the options listed under Match Types below.
    Action
    Action: From the following options, select the action to be performed when the request matches the criteria specified:
    • Allow: When Allow is selected, WAF does not execute any further rules and the request is allowed.
    • Continue: Selecting Continue stops the whitelist execution and directs WAF to continue processing the request with the policy.
    • Detection Mode: When set, the WAF engine runs in Detection Mode for that request.
    The New Whitelist Rule screen is as shown below.
  6. Click on Save.

Match Types

Client IP

Use this match type to provide access to only a trusted list of client IPs or client IP groups.

To enter the client IPs that can be allowed access,

  1. Select the match type as Client IP under Add Match Type.
  2. Select Is or Is Not to provide permissions accordingly.
  3. Click on the drop down under Method.
  4. Either select Custom Value and enter the IP Addresses manually or select Internal.

Note: This client IP match type supports IP Groups. Refer to the IP Group article to know more.

HTTP Method

Use this match type to whitelist only requests that use specific HTTP request methods, such as GET, CONNECT, DELETE, and more.

To define whitelisting rules based on HTTP methods,

  1. Select the match type as HTTP Method under Add Match Type.
  2. Select Is or Is Not to provide permissions accordingly.
  3. Select the HTTP methods to match.

Path

Use this match type to whitelist requests whose URL path matches the specified criterion.

To whitelist URLs,

  1. Select the match type as Path under Add Match Type.
  2. Select the criterion that needs to be matched in the URL.
  3. Enter the String Value.
  4. Select Match Case to enable case sensitivity.

Host Header

Use this method to apply rules to only requests that match the specified host header criterion.

To whitelist host headers,

  1. Select the match type as Host Header under Add Match Type.
  2. Select the criterion that needs to be matched against the host header.
  3. Enter the String Value.
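The following is an added example, not Avi code: a small Python model of how a request is checked against an ordered list of whitelist rules built from the four match types above (Client IP, HTTP Method, Path, Host Header) and resolved to one of the three actions from the Configure Whitelist Rules section. The rule names, IP ranges, hostnames and paths are constructed; the first-match evaluation order, the requirement that every condition on a rule must hold, and the default of continuing to the WAF policy when nothing matches are assumptions made for illustration.

```python
"""Constructed model of WAF whitelist rule evaluation (added example, not Avi code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Whitelist actions as described on the page.
ALLOW = "ALLOW"          # no further rules run; the request is allowed through
CONTINUE = "CONTINUE"    # whitelist stops; the WAF policy processes the request as usual
DETECTION = "DETECTION"  # the WAF engine runs in Detection mode for this request


@dataclass
class Request:
    client_ip: str
    method: str
    path: str
    host: str


Predicate = Callable[[Request], bool]


@dataclass
class Rule:
    name: str
    action: str
    matches: List[Predicate] = field(default_factory=list)
    enabled: bool = True  # the "Rule Enabled" toggle

    def matches_request(self, req: Request) -> bool:
        # Assumption: every match condition attached to a rule must hold.
        return all(pred(req) for pred in self.matches)


def _negate(pred: Predicate, is_match: bool) -> Predicate:
    """Implements the Is / Is Not selector shared by the match types."""
    return pred if is_match else (lambda req: not pred(req))


def client_ip(cidrs: List[str], is_match: bool = True) -> Predicate:
    """Client IP match: the request source falls inside one of the given ranges."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    return _negate(lambda req: any(ipaddress.ip_address(req.client_ip) in n for n in nets), is_match)


def http_method(methods: List[str], is_match: bool = True) -> Predicate:
    """HTTP Method match: method names are compared case-insensitively."""
    wanted = {m.upper() for m in methods}
    return _negate(lambda req: req.method.upper() in wanted, is_match)


def _string_match(get_value: Callable[[Request], str], criterion: str,
                  value: str, match_case: bool) -> Predicate:
    def pred(req: Request) -> bool:
        actual, expected = get_value(req), value
        if not match_case:
            actual, expected = actual.lower(), expected.lower()
        if criterion == "begins_with":
            return actual.startswith(expected)
        if criterion == "ends_with":
            return actual.endswith(expected)
        if criterion == "contains":
            return expected in actual
        if criterion == "equals":
            return actual == expected
        raise ValueError(f"unknown criterion {criterion!r}")
    return pred


def path(criterion: str, value: str, match_case: bool = False) -> Predicate:
    """Path match: criterion applied to the URL path; Match Case toggles case sensitivity."""
    return _string_match(lambda req: req.path, criterion, value, match_case)


def host_header(criterion: str, value: str) -> Predicate:
    """Host Header match: host names are compared case-insensitively (assumption)."""
    return _string_match(lambda req: req.host, criterion, value, match_case=False)


def evaluate(rules: List[Rule], req: Request) -> Tuple[Optional[str], str]:
    """Return (name of the first matching enabled rule, its action).

    Assumption: rules are evaluated top to bottom and the first match decides;
    with no match the whitelist stage ends and the WAF policy runs normally.
    """
    for rule in rules:
        if rule.enabled and rule.matches_request(req):
            return rule.name, rule.action
    return None, CONTINUE


# Constructed rule set mirroring the use cases listed on the page.
RULES = [
    Rule("internal-network", ALLOW, [client_ip(["10.0.0.0/8", "192.168.0.0/16"])]),
    Rule("security-scanner", ALLOW, [client_ip(["203.0.113.10/32"])]),
    Rule("skip-uploads", ALLOW, [path("begins_with", "/upload/")]),
    Rule("beta-detection-only", DETECTION, [path("begins_with", "/beta/"),
                                            host_header("equals", "app.example.com")]),
    Rule("disabled-rule", ALLOW, [http_method(["OPTIONS"])], enabled=False),
]

if __name__ == "__main__":
    print(evaluate(RULES, Request("198.51.100.7", "GET", "/beta/search", "app.example.com")))
```

Rule order matters in this model: a broad Allow rule placed first (such as the internal-network range) shadows any narrower Detection rule below it, which is the same review question to ask of a real whitelist, since every Allow entry is a request that the WAF policy never inspects.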
