Description
What would you like to be added or improved?
Native support for ASN (Autonomous System Number) filtering in the WAF core.
Specifically, I would like to see:
ASN-based Match Conditions: The ability to create firewall rules using asn as a criterion, alongside the existing IP and GeoIP matches.
Dynamic Resolution: The system should automatically handle the mapping of ASNs to their current IP prefixes (IPv4 and IPv6) without requiring manual list updates from the user.
Support for both Block and Allow actions: Implementation of ASN filtering for both blacklisting (e.g., blocking known malicious hosting providers) and whitelisting (e.g., allowing trusted partner networks).
UI/CLI Integration: A dedicated field in the rule configuration interface to input AS numbers (e.g., AS12345).
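As an added illustration (not code from this project or from the issue author), a minimal Go sketch of the proposed match condition: a prefix-to-ASN table that a WAF would rebuild from an external ASN feed, a longest-prefix lookup of the client address, and allow/block rules keyed by AS number rather than by CIDR. The ASNs and prefixes used below are constructed documentation values, and the type and function names are assumptions.

```go
package main

import "net/netip"

// ASNTable maps announced prefixes to their origin ASN; built by hand here, it would be refreshed from a BGP/RIR feed in a real WAF.
type ASNTable struct {
	prefixes []netip.Prefix
	origins  []uint32
}

// NewASNTable builds the table from a hypothetical ASN -> CIDR list mapping; malformed CIDRs are rejected up front.
func NewASNTable(origins map[uint32][]string) (*ASNTable, error) {
	t := &ASNTable{}
	for asn, cidrs := range origins {
		for _, c := range cidrs {
			p, err := netip.ParsePrefix(c)
			if err != nil {
				return nil, err
			}
			t.prefixes = append(t.prefixes, p.Masked())
			t.origins = append(t.origins, asn)
		}
	}
	return t, nil
}

// Lookup returns the origin ASN of the most specific prefix covering ip (sub-prefixes may be announced by a different AS).
func (t *ASNTable) Lookup(ip netip.Addr) (asn uint32, found bool) {
	best := -1
	for i, p := range t.prefixes {
		if p.Contains(ip) && p.Bits() > best {
			best, asn, found = p.Bits(), t.origins[i], true
		}
	}
	return asn, found
}

// Evaluate resolves the client address to an ASN and returns the configured action ("allow"/"block"),
// or "" when no ASN rule applies. IPv4-mapped IPv6 addresses are unmapped so IPv4 prefixes still match.
func Evaluate(t *ASNTable, rules map[uint32]string, client string) string {
	ip, err := netip.ParseAddr(client)
	if err != nil {
		return ""
	}
	if asn, ok := t.Lookup(ip.Unmap()); ok {
		return rules[asn]
	}
	return ""
}
```

With a table of {AS64496: 192.0.2.0/24, 2001:db8:1::/48; AS64497: 198.51.100.0/24} and rules {AS64496: block, AS64497: allow}, a client at 192.0.2.10 or 2001:db8:1::5 is blocked and one at 198.51.100.7 is allowed, while an address outside both ASNs falls through to the remaining rule chain.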
Why is it needed?
This feature is essential for solving several critical operational and security challenges:
Elimination of "Configuration Bloat": Currently, blocking a single large provider (such as a specific cloud hosting provider) requires importing thousands of CIDR ranges. This makes configuration files unreadable and difficult to manage.
Dynamic Network Environments: IP prefixes associated with an ASN change frequently. Relying on static IP lists leads to "stale" rules where new malicious IPs are missed, or legitimate traffic is accidentally blocked because an IP range was reassigned. Native ASN support ensures the WAF always acts on the current state of the network.
Reduced Operational Complexity: At present, users must maintain external "crutches" (custom scripts, cron jobs, and third-party APIs) to fetch, format, and push IP lists to the WAF. Moving this logic into the WAF core simplifies the infrastructure and removes external points of failure.
Precision in Threat Mitigation: Many sophisticated botnets and scrapers operate out of specific data centers. The ability to block traffic by the "source organization" (via ASN) is a much more effective and surgical approach than traditional IP-based blocking.