> ## Documentation Index
> Fetch the complete documentation index at: https://docs.gcore.com/llms.txt
> Use this file to discover all available pages before exploring further.

# IP reputation

export const MethodSection = ({children}) => children ?? null;

export const MethodSwitch = ({children}) => {
  const tabs = React.Children.toArray(children).map(c => {
    if (!c || !c.props) return null;
    if (c.props.id) return c;
    const inner = c.props.children;
    if (inner && inner.props && inner.props.id) return inner;
    return null;
  }).filter(Boolean);
  const firstId = tabs.length > 0 ? tabs[0].props.id : "";
  const [active, setActive] = React.useState(firstId);
  React.useEffect(() => {
    try {
      const saved = localStorage.getItem("gcore_docs_method");
      if (saved && tabs.find(t => t.props.id === saved)) {
        setActive(saved);
      }
    } catch (_) {}
  }, []);
  React.useEffect(() => {
    try {
      document.querySelectorAll("h2[id], h3[id]").forEach(heading => {
        const visible = heading.offsetParent !== null;
        document.querySelectorAll(`a[href="#${heading.id}"]`).forEach(link => {
          if (link.closest("h1,h2,h3,h4,h5,h6")) return;
          const li = link.closest("li");
          if (li) li.style.display = visible ? "" : "none";
        });
      });
    } catch (_) {}
    window.dispatchEvent(new Event("scroll"));
  }, [active]);
  const handleClick = id => {
    setActive(id);
    try {
      localStorage.setItem("gcore_docs_method", id);
    } catch (_) {}
  };
  return <div>
      <div className="not-prose flex gap-0 border-b border-zinc-200 dark:border-zinc-800 mb-8 mt-2" role="tablist">
        {tabs.map(tab => {
    const isActive = active === tab.props.id;
    return <button key={tab.props.id} role="tab" aria-selected={isActive} onClick={() => handleClick(tab.props.id)} className={["px-4 py-2 text-sm font-medium border-b-2 -mb-px transition-colors cursor-pointer", isActive ? "border-primary text-primary" : "border-transparent text-zinc-500 hover:text-zinc-800 dark:hover:text-zinc-200"].join(" ")}>
              {tab.props.label}
            </button>;
  })}
      </div>

      {tabs.map(tab => <div key={tab.props.id} style={{
    display: active === tab.props.id ? "" : "none"
  }}>
          {tab.props.children}
        </div>)}
    </div>;
};

<MethodSwitch>
  <MethodSection id="portal" label="Customer Portal">
    <p>Gcore WAAP protects your web application by blocking traffic from well-known malicious IP addresses. </p>

    <p>We constantly collect, update, and validate these IP addresses, adding malicious IPs to the blocklist. This allows you to block, challenge, or allow traffic from highly suspected entities. </p>

    <Info>
      **Info**

      This policy group is available in the **Pro** and **Enterprise** plans. More details on the [Security pricing page](https://gcore.com/pricing/security#waap).
    </Info>

    ## Configure IP Reputation rules

    <p>You can review and configure IP Reputation rules in the [Gcore Customer Portal](https://portal.gcore.com/accounts/reports/dashboard): </p>

    <p>1. Navigate to **WAAP** > **Firewall**. </p>

    <p>2. In the domain dropdown at the top of the page, select the needed domain.</p>

    <p>3. Click the **IP Reputation** tab to view and adjust the rules.</p>

    <Info>
      **Info**

      Most IP reputation policies are enabled by default, except for **Traffic via TOR network**. To change a policy mode, click the dropdown near that policy.
    </Info>

    ### Traffic via TOR network

    <p>TOR nodes are commonly used for web anonymity, but can also be used by hackers, scrapers, and spammers to crawl and hack web applications. </p>

    <p>Enabling this policy will block traffic from IP addresses associated with the TOR network.</p>

    ### Traffic via proxy networks

    <p>Proxy networks are commonly used for web anonymity, but can also be used by hackers, scrapers, and spammers to crawl and hack web applications. </p>

    <p>Use JavaScript validation to verify traffic from known proxy networks. This provides enhanced visibility and security against potential risks associated with proxy usage within web applications. </p>

    ### Traffic from hosting services

    <p>Organic human traffic is unlikely to come from IP spaces belonging to hosting providers. Instead, this traffic typically comes from infected servers controlled by hackers. </p>

    <p>Use JavaScript validation to verify traffic from hosting services and commercial cloud providers. This enhances your application security by mitigating potential risks associated with such services within web applications. </p>

    ### Traffic via VPNs

    <p>Virtual Private Networks (VPNs) are commonly used for web anonymity, but can also be used by hackers, scrapers, and spammers to crawl and hack web applications. </p>

    <p>Validate traffic originating from VPNs using JavaScript. This provides increased visibility and security against potential risks associated with VPN usage within web applications. </p>

    ### Bot traffic

    <p>Use JavaScript validation to verify traffic coming from IP addresses associated with malicious automated agents (bots). </p>

    ### Traffic from suspicious NAT ranges

    <p>Validate traffic coming from high-risk NAT ranges using JavaScript. These ranges are calculated based on historical web behavior detected by a machine learning classifier. </p>

    ### External reputation block list

    <p>The IPs on this list are known to be malicious or spam. When an IP with a negative reputation is detected, validate the incoming traffic using JavaScript. </p>

    ### Traffic via CDNs

    <p>Organic human traffic is unlikely to originate from IP spaces belonging to CDN companies. When such traffic is detected, validate it using JavaScript.</p>
  </MethodSection>

  <MethodSection id="api" label="REST API">
    <p>The [Policies](/api-reference/waap#policies) endpoints manage IP Reputation rules — filtering traffic based on source IP reputation across categories including TOR exit nodes, proxies, VPNs, hosting services, CDNs, bots, suspicious NAT ranges, and external blocklists. Most policies are enabled by default; Traffic via TOR network is disabled. Response examples include only the fields used in each step.</p>

    <Info>
      An [API token](/account-settings/api-tokens) is required, along with the ID of a [WAAP-protected domain](/waap/getting-started/configure-waap-for-a-domain) and the [Python](/developer-tools/sdks/python) or [Go](/developer-tools/sdks/go) SDK installed for SDK examples. This policy group is available on the Pro and Enterprise WAAP plans.
    </Info>

    ```bash theme={null}
    export GCORE_API_KEY="{YOUR_API_KEY}"
    export WAAP_DOMAIN_ID="{YOUR_DOMAIN_ID}"
    ```

    ## View policy states

    <p>Retrieve the current mode of all IP Reputation policies for a domain.</p>

    <Tabs>
      <Tab title="Python SDK">
        ```python theme={null}
        import gcore
        import os

        client = gcore.Gcore(api_key=os.environ["GCORE_API_KEY"])
        domain_id = int(os.environ["WAAP_DOMAIN_ID"])

        rule_sets = client.waap.domains.list_rule_sets(domain_id)
        ip_rep = next(
            rs for rs in rule_sets if rs.resource_slug == "ip-reputation"
        )

        for policy in ip_rep.rules:
            status = "enabled" if policy.mode else "disabled"
            print(f"{policy.name}: {status} ({policy.id})")
        ```
      </Tab>

      <Tab title="Go SDK">
        ```go theme={null}
        package main

        import (
            "context"
            "fmt"
            "os"
            "strconv"

            gcore "github.com/G-Core/gcore-go"
            "github.com/G-Core/gcore-go/option"
            "github.com/G-Core/gcore-go/waap"
        )

        func main() {
            client := gcore.NewClient(option.WithAPIKey(os.Getenv("GCORE_API_KEY")))
            domainID, _ := strconv.ParseInt(os.Getenv("WAAP_DOMAIN_ID"), 10, 64)

            ruleSets, _ := client.Waap.Domains.ListRuleSets(context.Background(), domainID)
            for _, rs := range *ruleSets {
                if rs.ResourceSlug == "ip-reputation" {
                    for _, policy := range rs.Rules {
                        status := "disabled"
                        if policy.Mode {
                            status = "enabled"
                        }
                        fmt.Printf("%s: %s (%s)\n", policy.Name, status, policy.ID)
                    }
                }
            }
        }
        ```
      </Tab>

      <Tab title="curl">
        ```bash theme={null}
        curl -X GET "https://api.gcore.com/waap/v1/domains/${WAAP_DOMAIN_ID}/rule-sets" \
          -H "Authorization: APIKey ${GCORE_API_KEY}" \
          | jq '.[] | select(.resource_slug == "ip-reputation") | .rules[] | {name, id, mode}'
        ```
      </Tab>
    </Tabs>

    <p>The response includes each policy in the group with its ID and current state. `mode: true` means enabled; `mode: false` means disabled.</p>

    ## Toggle a policy

    <p>Switch a policy between enabled and disabled. Each call flips the current mode. Use the policy ID returned by the [View policy states](#view-policy-states) request.</p>

    <Tabs>
      <Tab title="Python SDK">
        ```python theme={null}
        import gcore
        import os

        client = gcore.Gcore(api_key=os.environ["GCORE_API_KEY"])
        domain_id = int(os.environ["WAAP_DOMAIN_ID"])

        # Find the policy ID by name
        rule_sets = client.waap.domains.list_rule_sets(domain_id)
        ip_rep = next(
            rs for rs in rule_sets if rs.resource_slug == "ip-reputation"
        )
        policy = next(r for r in ip_rep.rules if r.name == "Traffic via TOR network")

        result = client.waap.domains.policies.toggle(policy.id, domain_id=domain_id)
        status = "enabled" if result.mode else "disabled"
        print(f"Traffic via TOR network is now {status}")
        ```
      </Tab>

      <Tab title="Go SDK">
        ```go theme={null}
        package main

        import (
            "context"
            "fmt"
            "os"
            "strconv"

            gcore "github.com/G-Core/gcore-go"
            "github.com/G-Core/gcore-go/option"
            "github.com/G-Core/gcore-go/waap"
        )

        func main() {
            client := gcore.NewClient(option.WithAPIKey(os.Getenv("GCORE_API_KEY")))
            domainID, _ := strconv.ParseInt(os.Getenv("WAAP_DOMAIN_ID"), 10, 64)

            // Find the policy ID by name
            ruleSets, _ := client.Waap.Domains.ListRuleSets(context.Background(), domainID)
            var policyID string
            for _, rs := range *ruleSets {
                if rs.ResourceSlug == "ip-reputation" {
                    for _, p := range rs.Rules {
                        if p.Name == "Traffic via TOR network" {
                            policyID = p.ID
                        }
                    }
                }
            }

            result, _ := client.Waap.Domains.Policies.Toggle(context.Background(), policyID, waap.DomainPolicyToggleParams{DomainID: domainID})
            status := "disabled"
            if result.Mode {
                status = "enabled"
            }
            fmt.Printf("Traffic via TOR network is now %s\n", status)
        }
        ```
      </Tab>

      <Tab title="curl">
        ```bash theme={null}
        # Set POLICY_ID to the policy ID from the View policy states response
        export POLICY_ID="{POLICY_ID}"

        curl -X PATCH "https://api.gcore.com/waap/v1/domains/${WAAP_DOMAIN_ID}/policies/${POLICY_ID}/toggle" \
          -H "Authorization: APIKey ${GCORE_API_KEY}"
        ```

        Response:

        ```json theme={null}
        {"mode": true}
        ```
      </Tab>
    </Tabs>

    <p>The API returns the updated policy object. `mode: true` confirms the policy is now enabled; `mode: false` confirms disabled.</p>

    ## Policy reference

    <Accordion title="All IP Reputation policies">
      The table lists all 8 policies in the IP Reputation group with their default states.

      | Policy                             | Purpose                                                                                                      | Default state |
      | ---------------------------------- | ------------------------------------------------------------------------------------------------------------ | ------------- |
      | Traffic via TOR network            | Blocks traffic from TOR exit nodes, commonly used to anonymize malicious activity.                           | Disabled      |
      | Traffic via proxy networks         | Challenges traffic from known proxy providers via JavaScript validation.                                     | Enabled       |
      | Traffic from hosting services      | Challenges traffic from hosting and commercial cloud provider IP ranges via JavaScript validation.           | Enabled       |
      | Traffic via VPNs                   | Challenges traffic from VPN provider IP ranges via JavaScript validation.                                    | Enabled       |
      | Bot traffic                        | Challenges traffic from IP addresses associated with malicious automated activity via JavaScript validation. | Enabled       |
      | Traffic from suspicious NAT ranges | Challenges traffic from high-risk NAT ranges identified by machine learning via JavaScript validation.       | Enabled       |
      | External reputation block list     | Challenges traffic from IPs on external malicious and spam reputation lists via JavaScript validation.       | Enabled       |
      | Traffic via CDNs                   | Challenges traffic originating from CDN provider IP ranges via JavaScript validation.                        | Enabled       |
    </Accordion>
  </MethodSection>
</MethodSwitch>
