Is this the proper way to block ASNs?

I want to block certain ASNs and I’m not sure if this is the right way. Any advice?

Thank you.

That certainly looks all right, apart from the fact that you are not blocking but challenging.

Assuming, of course, you have no prior whitelisting in the firewall or IP access rules.

Yes, you are right. Just challenging for now. I have seen screenshots where the operator was “equal” instead of “is in” so I was a bit confused.

“equal” refers to one single ASN, “is in” to a list of ASNs.


I find it easier to just add the ASNs individually to the Security/WAF/Tools list rather than a rule, particularly as you will probably add a very long list of bad ASNs over time.

Besides being easier, is it better? Is it a more efficient solution?

I think so.

You either add dozens and dozens of ASNs to a rule, and run out of space when the rule gets too big, or add each bad ASN individually without the risk of running out of space.

By the time you block the major bad ASNs, e.g. Microsoft, Amazon, Hetzner, OVH, DigitalOcean, VPNs, Tor endpoints, etc., etc., your rule will be massive.

Plus you have the advantage of the option of setting the “Applies to” to “All websites in account”, so you only have to enter the ASNs once instead of copying the rule to every website you have.

For your use case it won’t matter and you best stick with firewall rules.

