Whitelist IP Ranges for Website Scan

I have been provided an IP range to allowlist for an upcoming pen test on a site; however, the IP range is /21, therefore I can’t use the IP access rules, as they only allow ranges of /16 or /24.

I have also seen some information about WAF custom rules, and using the ‘Skip’ action, however, I am nervous over whether this actually will perform the same action of allowlisting all IP addresses in this given range, or not. I see that it enables skipping some of the WAF security features, but I need to know that this will 100% allowlist these given IP addresses to avoid issues during the scan.

Can someone please advise on the correct way to do this? Do I need to create a WAF custom rule and add multiple /24 IP access rules to cover the full range? Is the WAF custom rule all I need here?

It doesn’t seem particularly clear from everything I’ve read so far…


I’d suggest you allowlist your origin host / server / hosting IP address by navigating to Security → WAF → Tools → IP Access Rules with the action “allow” for your website and try again.
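The "multiple /24 IP access rules" option raised in the question can be checked mechanically. The sketch below is an added example, not part of the original thread or any vendor tooling. It splits a scanner range into the /16 or /24 blocks the question says IP access rules accept, and verifies the blocks cover exactly the original range. The range `10.20.8.0/21` and all function names are constructed placeholders.

```python
import ipaddress

# Prefix lengths the question says IP access rules accept.
ALLOWED_PREFIXES = (16, 24)


def split_for_access_rules(cidr):
    """Split an IPv4 CIDR into /16 or /24 blocks without widening it."""
    # strict=True rejects a range with host bits set (e.g. 10.20.9.0/21),
    # which usually means the range was copied down incorrectly.
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("this sketch handles IPv4 only")
    if net.prefixlen in ALLOWED_PREFIXES:
        return [net]
    if net.prefixlen > 24:
        # Rounding up to a /24 would allow addresses outside the range.
        raise ValueError("narrower than /24: a /24 rule would over-allow")
    target = 16 if net.prefixlen < 16 else 24
    return list(net.subnets(new_prefix=target))


def covers_exactly(cidr, rules):
    """True if the rules merge back into the original range, no more, no less."""
    net = ipaddress.ip_network(cidr, strict=True)
    return list(ipaddress.collapse_addresses(rules)) == [net]


def is_allowlisted(ip, rules):
    """True if a source address falls inside any of the generated rules."""
    addr = ipaddress.ip_address(ip)
    return any(addr in rule for rule in rules)


if __name__ == "__main__":
    scanner_range = "10.20.8.0/21"  # constructed placeholder, not a real vendor range
    rules = split_for_access_rules(scanner_range)
    for rule in rules:
        print(rule)
    print("exact coverage:", covers_exactly(scanner_range, rules))
```

A /21 always yields eight /24 entries, so the output doubles as a checklist of rules to create before the test and to remove once it ends.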