Set Up and Maintain Your Salesforce Organization
          WAF: Define Custom Firewall Rules Based on ASN or IP Control

          This control lets Salesforce admins create specific security filters within the Salesforce Content Delivery Network (CDN) to block or allow web traffic based on the originating IP address or Autonomous System Number.

          Control Name

          Define Custom Firewall Rules based on ASN or IP

          Recommended Configuration

          In Salesforce CDN Settings, define Custom Firewall Rules based on ASN or IP.

          Control Overview

          This control lets admins create specific security filters within the Salesforce CDN to block or allow web traffic based on the originating IP address or Autonomous System Number.

          Security Risk If Not Configured

          Without custom firewall rules, the site is unable to restrict traffic from known malicious network ranges or high-risk geographic regions, leaving the application open to targeted probes and large-scale automated attacks.

          Threat Scenarios

          A coordinated botnet originating from a specific internet service provider or geographic region launches a brute-force attack against the login endpoint to compromise user accounts.

          Estimated CVSS Score Range

          High (7.0–8.9).

          Risk Impact Considerations

          Failure to filter traffic at the network edge results in increased exposure to regional cyberthreats and forces the application server to process unnecessary malicious requests, which can degrade performance for legitimate users.

          Higher Risk When

          The org operates in a high-profile industry that is frequently targeted by state-sponsored actors or professional hacking groups originating from specific global network blocks.

          Low Risk When

          The site is intended for a global audience with no identifiable patterns of regional abuse and is already protected by the default-managed ruleset of the web application firewall.

          Business and Integration Considerations

          Defining custom rules requires an accurate inventory of legitimate partner network ranges and employee office IPs to avoid accidentally blocking authorized users from accessing the portal.
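
          One way to run the inventory check described above before a rule is saved, as an added example that is not Salesforce code and does not use Salesforce CDN rule syntax. The function name, the inventory layout, and all addresses and ASNs (documentation ranges) are constructed for illustration.

```python
import ipaddress

# Constructed inventory of legitimate sources (documentation ranges only).
ALLOWED_RANGES = {
    "partner-acme": ["198.51.100.0/24"],
    "office-hq": ["203.0.113.16/28", "2001:db8:10::/48"],
}
ALLOWED_ASNS = {"partner-acme": [64500]}  # ASN from the documentation range


def find_conflicts(block_cidrs, block_asns,
                   allowed_ranges=ALLOWED_RANGES, allowed_asns=ALLOWED_ASNS):
    """Return conflicts between a proposed block list and the inventory.

    Each conflict is (kind, blocked, owner, allowed). An empty list means
    no inventoried partner or office source would be caught by the rule.
    """
    conflicts = []
    for raw in block_cidrs:
        # strict=False accepts host bits, e.g. 203.0.113.17/28.
        blocked = ipaddress.ip_network(raw, strict=False)
        for owner, ranges in allowed_ranges.items():
            for allowed_raw in ranges:
                allowed = ipaddress.ip_network(allowed_raw, strict=False)
                # Only compare IPv4 with IPv4 and IPv6 with IPv6.
                if blocked.version != allowed.version:
                    continue
                # overlaps() catches supersets, subsets and exact matches.
                if blocked.overlaps(allowed):
                    conflicts.append(("ip", str(blocked), owner, str(allowed)))
    for asn in block_asns:
        for owner, asns in allowed_asns.items():
            if asn in asns:
                conflicts.append(("asn", asn, owner, asn))
    return conflicts


if __name__ == "__main__":
    # Constructed proposal: one range swallows the HQ office block,
    # and one ASN belongs to an inventoried partner.
    proposed_cidrs = ["192.0.2.0/24", "203.0.113.0/24"]
    proposed_asns = [64500, 64501]
    for kind, blocked, owner, allowed in find_conflicts(proposed_cidrs, proposed_asns):
        print(f"CONFLICT ({kind}): blocking {blocked} would cut off {owner} ({allowed})")
```

          A block-list entry that is broader than an inventoried range is reported as well as an exact match, since a wide block silently covers the narrower authorized range.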

          Recommended Remediation

          Go to the Salesforce CDN settings within Experience Workspaces and configure custom firewall expressions to block traffic from verified malicious Autonomous System Numbers or suspicious IP ranges.

          Security Health Review Guidance

          Security Health Review identifies custom firewall rules as a critical component of a layered defense strategy, providing the granular control necessary to isolate and neutralize network-level threats before they reach the application layer.

           
          Salesforce Help | Article