> ## Documentation Index
> Fetch the complete documentation index at: https://docs.gcore.com/llms.txt
> Use this file to discover all available pages before exploring further.

# IP Reputation

export const MethodSection = ({children}) => children ?? null;

export const MethodSwitch = ({children}) => {
  const tabs = React.Children.toArray(children).map(c => {
    if (!c || !c.props) return null;
    if (c.props.id) return c;
    const inner = c.props.children;
    if (inner && inner.props && inner.props.id) return inner;
    return null;
  }).filter(Boolean);
  const firstId = tabs.length > 0 ? tabs[0].props.id : "";
  const [active, setActive] = React.useState(firstId);
  React.useEffect(() => {
    try {
      const saved = localStorage.getItem("gcore_docs_method");
      if (saved && tabs.find(t => t.props.id === saved)) {
        setActive(saved);
      }
    } catch (_) {}
  }, []);
  React.useEffect(() => {
    try {
      document.querySelectorAll("h2[id], h3[id]").forEach(heading => {
        const visible = heading.offsetParent !== null;
        document.querySelectorAll(`a[href="#${heading.id}"]`).forEach(link => {
          if (link.closest("h1,h2,h3,h4,h5,h6")) return;
          const li = link.closest("li");
          if (li) li.style.display = visible ? "" : "none";
        });
      });
    } catch (_) {}
    window.dispatchEvent(new Event("scroll"));
  }, [active]);
  const handleClick = id => {
    setActive(id);
    try {
      localStorage.setItem("gcore_docs_method", id);
    } catch (_) {}
  };
  return <div>
      <div className="not-prose flex gap-0 border-b border-zinc-200 dark:border-zinc-800 mb-8 mt-2" role="tablist">
        {tabs.map(tab => {
    const isActive = active === tab.props.id;
    return <button key={tab.props.id} role="tab" aria-selected={isActive} onClick={() => handleClick(tab.props.id)} className={["px-4 py-2 text-sm font-medium border-b-2 -mb-px transition-colors cursor-pointer", isActive ? "border-primary text-primary" : "border-transparent text-zinc-500 hover:text-zinc-800 dark:hover:text-zinc-200"].join(" ")}>
              {tab.props.label}
            </button>;
  })}
      </div>

      {tabs.map(tab => <div key={tab.props.id} style={{
    display: active === tab.props.id ? "" : "none"
  }}>
          {tab.props.children}
        </div>)}
    </div>;
};

<MethodSwitch>
  <MethodSection id="portal" label="Customer Portal">
    <p>Gcore WAAP helps protect your web applications by detecting and mitigating traffic originating from IP addresses with a known malicious reputation.</p>

    <p>Our reputation system continuously collects, verifies, and updates intelligence about suspicious IP addresses. Based on this data, WAAP can automatically block, challenge, or allow requests coming from sources with a high likelihood of malicious activity.</p>

    <Info>
      **Info**

      The **IP Reputation** policy group is available in the **Pro** and **Enterprise** plans. See the [Security pricing page](https://gcore.com/pricing/security#waap) for more details.
    </Info>

    ## Configure IP Reputation policies

    <p>You can review and configure IP Reputation policies in the [Gcore Customer Portal](https://portal.gcore.com/accounts/reports/dashboard):</p>

    <p>1. Navigate to **WAAP** > **Firewall**.</p>

    <p>2. In the domain dropdown at the top of the page, select the needed domain.</p>

    <p>3. Click the **IP Reputation** tab to view and adjust the policies.</p>

    <Info>
      **Info**

      Most IP reputation policies are enabled by default, except for **Traffic via TOR network**. To change a policy mode, click the dropdown next to that policy.
    </Info>

    ## Available policies

    ### Traffic via TOR network

    <p>The TOR network provides strong anonymity and is frequently used to conceal the origin of traffic. While it has legitimate use cases, it is also commonly used by attackers, scrapers, and spam tools.</p>

    <p>When enabled, this policy blocks traffic originating from TOR exit nodes.</p>

    ### Traffic via proxy networks

    <p>Proxy networks allow users to mask their real IP address. These networks are often used by automated tools and attackers attempting to bypass standard protections.</p>

    <p>This policy applies JavaScript validation to traffic originating from known proxy networks, helping distinguish legitimate users from automated or abusive activity.</p>

    ### Traffic from hosting services

    <p>Legitimate end-user traffic rarely originates from IP ranges belonging to hosting providers. Traffic from these networks is often generated by automated tools running on compromised or rented infrastructure.</p>

    <p>This policy applies JavaScript validation to requests coming from hosting providers and commercial cloud infrastructure.</p>

    ### Traffic via VPNs

    <p>Virtual Private Networks (VPNs) are widely used for privacy and traffic anonymization. However, they are also frequently used by attackers, scrapers, and abuse automation.</p>

    <p>This policy validates requests originating from VPN networks using JavaScript validation.</p>

    ### Bot traffic

    <p>Some IP addresses are associated with known malicious automated agents.</p>

    <p>This policy applies JavaScript validation to requests originating from IPs linked to malicious bot activity.</p>

    ### Traffic from suspicious NAT ranges

    <p>Some NAT ranges generate consistently suspicious traffic patterns.</p>

    <p>This policy applies JavaScript validation to requests originating from high-risk NAT ranges identified by a machine-learning classifier trained on historical traffic behavior.</p>

    ### External reputation block list

    <p>This list contains IP addresses identified as malicious or associated with spam by external threat intelligence sources.</p>

    <p>When traffic originates from an IP on this list, WAAP performs JavaScript validation to verify the request.</p>

    ### Traffic via CDNs

    <p>Requests originating directly from CDN provider IP ranges are uncommon for legitimate end-user traffic and may indicate traffic relaying or abuse.</p>

    <p>This policy applies JavaScript validation to requests coming from CDN infrastructure.</p>
  </MethodSection>

  <MethodSection id="api" label="REST API">
    <p>The [Policies](/api-reference/waap#policies) endpoints cover IP Reputation: each policy targets a specific category — TOR exit nodes, proxies, VPNs, hosting services, CDNs, bots, suspicious NAT ranges, and external blocklists — and applies either a block or JavaScript challenge action when triggered. Most policies are enabled by default; Traffic via TOR network is disabled. Response examples include only the fields used in each step.</p>

    <Info>
      An [API token](/account-settings/api-tokens) is required, along with the ID of a [WAAP-protected domain](/waap/getting-started/configure-waap-for-a-domain) and the [Python](/developer-tools/sdks/python) or [Go](/developer-tools/sdks/go) SDK installed for SDK examples. This policy group is available on the Pro and Enterprise WAAP plans.
    </Info>

    ```bash theme={null}
    export GCORE_API_KEY="{YOUR_API_KEY}"
    export WAAP_DOMAIN_ID="{YOUR_DOMAIN_ID}"
    ```

    ## View policy states

    <p>Retrieve the current mode of all IP Reputation policies for a domain.</p>

    <Tabs>
      <Tab title="Python SDK">
        ```python theme={null}
        import gcore
        import os

        client = gcore.Gcore(api_key=os.environ["GCORE_API_KEY"])
        domain_id = int(os.environ["WAAP_DOMAIN_ID"])

        rule_sets = client.waap.domains.list_rule_sets(domain_id)
        ip_rep = next(
            rs for rs in rule_sets if rs.resource_slug == "ip-reputation"
        )

        for policy in ip_rep.rules:
            status = "enabled" if policy.mode else "disabled"
            print(f"{policy.name}: {status} ({policy.id})")
        ```
      </Tab>

      <Tab title="Go SDK">
        ```go theme={null}
        package main

        import (
            "context"
            "fmt"
            "os"
            "strconv"

            gcore "github.com/G-Core/gcore-go"
            "github.com/G-Core/gcore-go/option"
        )

        func main() {
            client := gcore.NewClient(option.WithAPIKey(os.Getenv("GCORE_API_KEY")))
            domainID, _ := strconv.ParseInt(os.Getenv("WAAP_DOMAIN_ID"), 10, 64)

            ruleSets, _ := client.Waap.Domains.ListRuleSets(context.Background(), domainID)
            for _, rs := range *ruleSets {
                if rs.ResourceSlug == "ip-reputation" {
                    for _, policy := range rs.Rules {
                        status := "disabled"
                        if policy.Mode {
                            status = "enabled"
                        }
                        fmt.Printf("%s: %s (%s)\n", policy.Name, status, policy.ID)
                    }
                }
            }
        }
        ```
      </Tab>

      <Tab title="curl">
        ```bash theme={null}
        curl -X GET "https://api.gcore.com/waap/v1/domains/${WAAP_DOMAIN_ID}/rule-sets" \
          -H "Authorization: APIKey ${GCORE_API_KEY}" \
          | jq '.[] | select(.resource_slug == "ip-reputation") | .rules[] | {name, id, mode}'
        ```
      </Tab>
    </Tabs>

    <p>The response includes each policy in the group with its ID and current state. `mode: true` means enabled; `mode: false` means disabled.</p>

    ## Toggle a policy

    <p>Switch a policy between enabled and disabled. Each call flips the current mode. Use the policy ID returned by the [View policy states](#view-policy-states) request.</p>

    <Warning>
      This endpoint toggles the current state rather than setting a specific value. If the target state is unknown, check the current policy state first using the View policy states request.
    </Warning>

    <Tabs>
      <Tab title="Python SDK">
        ```python theme={null}
        import gcore
        import os

        client = gcore.Gcore(api_key=os.environ["GCORE_API_KEY"])
        domain_id = int(os.environ["WAAP_DOMAIN_ID"])

        # Find the policy ID by name
        rule_sets = client.waap.domains.list_rule_sets(domain_id)
        ip_rep = next(
            rs for rs in rule_sets if rs.resource_slug == "ip-reputation"
        )
        policy = next(r for r in ip_rep.rules if r.name == "Traffic via TOR network")

        result = client.waap.domains.policies.toggle(policy.id, domain_id=domain_id)
        status = "enabled" if result.mode else "disabled"
        print(f"Traffic via TOR network is now {status}")
        ```
      </Tab>

      <Tab title="Go SDK">
        ```go theme={null}
        package main

        import (
            "context"
            "fmt"
            "os"
            "strconv"

            gcore "github.com/G-Core/gcore-go"
            "github.com/G-Core/gcore-go/option"
            "github.com/G-Core/gcore-go/waap"
        )

        func main() {
            client := gcore.NewClient(option.WithAPIKey(os.Getenv("GCORE_API_KEY")))
            domainID, _ := strconv.ParseInt(os.Getenv("WAAP_DOMAIN_ID"), 10, 64)

            // Find the policy ID by name
            ruleSets, _ := client.Waap.Domains.ListRuleSets(context.Background(), domainID)
            var policyID string
            for _, rs := range *ruleSets {
                if rs.ResourceSlug == "ip-reputation" {
                    for _, p := range rs.Rules {
                        if p.Name == "Traffic via TOR network" {
                            policyID = p.ID
                        }
                    }
                }
            }

            result, _ := client.Waap.Domains.Policies.Toggle(context.Background(), policyID, waap.DomainPolicyToggleParams{DomainID: domainID})
            status := "disabled"
            if result.Mode {
                status = "enabled"
            }
            fmt.Printf("Traffic via TOR network is now %s\n", status)
        }
        ```
      </Tab>

      <Tab title="curl">
        ```bash theme={null}
        # Set POLICY_ID to the policy ID from the View policy states response
        export POLICY_ID="{POLICY_ID}"

        curl -X PATCH "https://api.gcore.com/waap/v1/domains/${WAAP_DOMAIN_ID}/policies/${POLICY_ID}/toggle" \
          -H "Authorization: APIKey ${GCORE_API_KEY}"
        ```
      </Tab>
    </Tabs>

    <p>The API returns the updated policy object. `mode: true` confirms the policy is now enabled; `mode: false` confirms disabled.</p>

    ```json theme={null}
    {"mode": true}
    ```

    ## Policy reference

    <Accordion title="All IP Reputation policies">
      | Policy                             | Purpose                                                                                                | Action       | Default  |
      | ---------------------------------- | ------------------------------------------------------------------------------------------------------ | ------------ | -------- |
      | Traffic via TOR network            | Blocks traffic from TOR exit nodes, commonly used to anonymize malicious activity.                     | Block        | Disabled |
      | Traffic via proxy networks         | Challenges traffic from known proxy networks via JavaScript validation.                                | JS Challenge | Enabled  |
      | Traffic from hosting services      | Challenges traffic from hosting and commercial cloud provider IP ranges via JavaScript validation.     | JS Challenge | Enabled  |
      | Traffic via VPNs                   | Challenges traffic from VPN provider IP ranges via JavaScript validation.                              | JS Challenge | Enabled  |
      | Bot traffic                        | Challenges traffic from IPs associated with malicious automated activity via JavaScript validation.    | JS Challenge | Enabled  |
      | Traffic from suspicious NAT ranges | Challenges traffic from high-risk NAT ranges identified by machine learning via JavaScript validation. | JS Challenge | Enabled  |
      | External reputation block list     | Challenges traffic from IPs on external malicious and spam reputation lists via JavaScript validation. | JS Challenge | Enabled  |
      | Traffic via CDNs                   | Challenges traffic originating from CDN provider IP ranges via JavaScript validation.                  | JS Challenge | Enabled  |

      <Info>
        **Block** means the request is rejected outright. **JS Challenge** means the traffic is not blocked immediately — the browser must pass a JavaScript-based verification before the request is allowed through. Legitimate users are not affected; bots and scripts that cannot execute JavaScript are rejected.
      </Info>
    </Accordion>
  </MethodSection>
</MethodSwitch>
